diff --git a/bitnami/node/Chart.yaml b/bitnami/node/Chart.yaml
index 55da1890b9..842a3c0284 100644
--- a/bitnami/node/Chart.yaml
+++ b/bitnami/node/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: node
-version: 9.0.0
+version: 9.1.0
 appVersion: 10.16.0
 description: Event-driven I/O server-side JavaScript environment based on V8
 keywords:
diff --git a/bitnami/node/README.md b/bitnami/node/README.md
index 00d100c05b..718669f444 100644
--- a/bitnami/node/README.md
+++ b/bitnami/node/README.md
@@ -50,52 +50,58 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the Node chart and their default values. -| Parameter | Description | Default | -|-----------------------------------------|-----------------------------------------------------------|-----------------------------------------------------------| -| `global.imageRegistry` | Global Docker image registry | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `image.registry` | NodeJS image registry | `docker.io` | -| `image.repository` | NodeJS image name | `bitnami/node` | -| `image.tag` | NodeJS image tag | `{TAG_NAME}` | -| `image.pullPolicy` | NodeJS image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `nameOverride` | String to partially override node.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override node.fullname template with a string | `nil` | -| `git.registry` | Git image registry | `docker.io` | -| `git.repository` | Git image name | `bitnami/git` | -| `git.tag` | Git image tag | `{TAG_NAME}` | -| `git.pullPolicy` | Git image pull policy | `IfNotPresent` | -| `repository` | Repo of the application | `https://github.com/bitnami/sample-mean.git` | -| `revision` | Revision to checkout | `master` | -| `replicas` | Number of replicas for the application | `1` | -| `applicationPort` | Port where the application will be running | `3000` | -| `extraEnv` | Any extra environment variables to be pass to the pods | `{}` | -| `securityContext.enabled` | Enable security context | `true` | -| `securityContext.fsGroup` | Group ID for the container | `1001` | -| `securityContext.runAsUser` | User ID for the container | `1001` | -| 
`service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | Kubernetes Service port | `80` | -| `service.annotations` | Annotations for the Service | {} | -| `service.loadBalancerIP` | LoadBalancer IP if Service type is `LoadBalancer` | `nil` | -| `service.nodePort` | NodePort if Service type is `LoadBalancer` or `NodePort` | `nil` | -| `persistence.enabled` | Enable persistence using PVC | `false` | -| `persistence.path` | Path to persisted directory | `/app/data` | -| `persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` | -| `persistence.size` | PVC Storage Request | `1Gi` | -| `mongodb.install` | Wheter to install or not the MongoDB chart | `true` | -| `externaldb.secretName` | Secret containing existing database credentials | `nil` | -| `externaldb.type` | Type of database that defines the database secret mapping | `osba` | -| `externaldb.broker.serviceInstanceName` | The existing ServiceInstance to be used | `nil` | -| `ingress.enabled` | Enable ingress controller resource | `false` | -| `ingress.hosts[0].name` | Hostname to your Node installation | `node.local` | -| `ingress.hosts[0].path` | Path within the url structure | `/` | -| `ingress.hosts[0].tls` | Utilize TLS backend in ingress | `false` | -| `ingress.hosts[0].certManager` | Add annotations for cert-manager | `false` | -| `ingress.hosts[0].tlsSecret` | TLS Secret (certificates) | `node.local-tls-secret` | -| `ingress.hosts[0].annotations` | Annotations for this host's ingress record | `[]` | -| `ingress.secrets[0].name` | TLS Secret Name | `nil` | -| `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` | -| `ingress.secrets[0].key` | TLS Secret Key | `nil` | +| Parameter | Description | Default | +| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | +| 
`global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `image.registry` | NodeJS image registry | `docker.io` | +| `image.repository` | NodeJS image name | `bitnami/node` | +| `image.tag` | NodeJS image tag | `{TAG_NAME}` | +| `image.pullPolicy` | NodeJS image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `nameOverride` | String to partially override node.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override node.fullname template with a string | `nil` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `latest` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.resources` | Init container resource requests/limit | `nil` | +| `git.registry` | Git image registry | `docker.io` | +| `git.repository` | Git image name | `bitnami/git` | +| `git.tag` | Git image tag | `{TAG_NAME}` | +| `git.pullPolicy` | Git image pull policy | `IfNotPresent` | +| `repository` | Repo of the application | `https://github.com/bitnami/sample-mean.git` | +| `revision` | Revision to checkout | `master` | +| `replicas` | Number of replicas for the application | `1` | +| `applicationPort` | Port where the application will be running | `3000` | +| 
`extraEnv` | Any extra environment variables to be pass to the pods | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the container | `1001` | +| `securityContext.runAsUser` | User ID for the container | `1001` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | Kubernetes Service port | `80` | +| `service.annotations` | Annotations for the Service | {} | +| `service.loadBalancerIP` | LoadBalancer IP if Service type is `LoadBalancer` | `nil` | +| `service.nodePort` | NodePort if Service type is `LoadBalancer` or `NodePort` | `nil` | +| `persistence.enabled` | Enable persistence using PVC | `false` | +| `persistence.path` | Path to persisted directory | `/app/data` | +| `persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` | +| `persistence.size` | PVC Storage Request | `1Gi` | +| `mongodb.install` | Wheter to install or not the MongoDB chart | `true` | +| `externaldb.secretName` | Secret containing existing database credentials | `nil` | +| `externaldb.type` | Type of database that defines the database secret mapping | `osba` | +| `externaldb.broker.serviceInstanceName` | The existing ServiceInstance to be used | `nil` | +| `ingress.enabled` | Enable ingress controller resource | `false` | +| `ingress.hosts[0].name` | Hostname to your Node installation | `node.local` | +| `ingress.hosts[0].path` | Path within the url structure | `/` | +| `ingress.hosts[0].tls` | Utilize TLS backend in ingress | `false` | +| `ingress.hosts[0].certManager` | Add annotations for cert-manager | `false` | +| `ingress.hosts[0].tlsSecret` | TLS Secret (certificates) | `node.local-tls-secret` | +| `ingress.hosts[0].annotations` | Annotations for this host's ingress record | `[]` | +| `ingress.secrets[0].name` | TLS Secret Name | `nil` | +| `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` | +| `ingress.secrets[0].key` | TLS Secret Key | `nil` | The above parameters map 
to the env variables defined in [bitnami/node](http://github.com/bitnami/bitnami-docker-node). For more information please refer to the [bitnami/node](http://github.com/bitnami/bitnami-docker-node) image documentation. @@ -130,6 +136,15 @@ The [Bitnami Node](https://github.com/bitnami/bitnami-docker-node) image stores Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. See the [Configuration](#configuration) section to configure the PVC or to disable persistence. +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. +As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. + +You can enable this initContainer by setting `volumePermissions.enabled` to `true`. + ## Set up an Ingress controller First install the nginx-ingress controller via helm: diff --git a/bitnami/node/templates/_helpers.tpl b/bitnami/node/templates/_helpers.tpl index fee010851d..06b7146fd9 100644 --- a/bitnami/node/templates/_helpers.tpl +++ b/bitnami/node/templates/_helpers.tpl @@ -110,7 +110,7 @@ imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} -{{- else if or .Values.image.pullSecrets .Values.git.pullSecrets }} +{{- else if or .Values.image.pullSecrets .Values.git.pullSecrets .Values.volumePermissions.image.pullSecrets }} imagePullSecrets: {{- range .Values.image.pullSecrets }} - name: {{ . }} 
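Review bot: The extended `or` condition and the three `range` loops over `image.pullSecrets`, `git.pullSecrets` and `volumePermissions.image.pullSecrets` are now duplicated verbatim across the two `else if` branches (this hunk and the `@@ -118` / `@@ -127` hunks), so the next image added to the chart has to be threaded through four places again and the branches can silently drift apart. A small named template that emits the `- name:` entries for one list, e.g. `{{- define "node.pullSecretNames" -}}{{- range . }}  - name: {{ . }}{{ end -}}{{- end -}}`, invoked as `{{- template "node.pullSecretNames" .Values.volumePermissions.image.pullSecrets }}` in each branch, would keep the two branches in step with a single loop body. The enclosing define starts and ends outside this hunk.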
@@ -118,8 +118,11 @@ imagePullSecrets: {{- range .Values.git.pullSecrets }} - name: {{ . }} {{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} {{- end -}} -{{- else if or .Values.image.pullSecrets .Values.git.pullSecrets }} +{{- else if or .Values.image.pullSecrets .Values.git.pullSecrets .Values.volumePermissions.image.pullSecrets }} imagePullSecrets: {{- range .Values.image.pullSecrets }} - name: {{ . }} @@ -127,6 +130,9 @@ imagePullSecrets: {{- range .Values.git.pullSecrets }} - name: {{ . }} {{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} {{- end -}} {{- end -}} @@ -141,3 +147,26 @@ WARNING: Rolling tag detected ({{ .Values.git.repository }}:{{ .Values.git.tag } +info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ {{- end }} {{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "node.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} diff --git a/bitnami/node/templates/deployment.yaml b/bitnami/node/templates/deployment.yaml index 8d58a51760..0f2f9d7f87 100644 
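Review bot: The new `node.volumePermissions.image` template gets no companion in the rolling-tag check: the `WARNING: Rolling tag detected` context just above it is emitted for `git.repository:git.tag`, but nothing flags `volumePermissions.image.tag`, whose shipped default is `latest` and which is the image that runs as root in the init container. Adding the same check for `.Values.volumePermissions.image.repository`/`.Values.volumePermissions.image.tag` inside that template would make the `latest` warning consistent across the chart's images; the check template itself starts outside this hunk. The three identical `printf "%s/%s:%s"` calls in the new define are explained by the Helm 2.9/2.10 scoping comment, so they are acceptable as written, but the header comment could state that `global.imageRegistry`, when set, overrides `volumePermissions.image.registry` so readers do not have to infer it from the branches.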
--- a/bitnami/node/templates/deployment.yaml +++ b/bitnami/node/templates/deployment.yaml @@ -46,6 +46,18 @@ spec: volumeMounts: - name: app mountPath: /app + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: "{{ template "node.volumePermissions.image" . }}" + imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }} + command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.persistence.path }}"] + securityContext: + runAsUser: 0 + resources: {{ toYaml .Values.volumePermissions.resources | nindent 10 -}} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.path }} + {{- end }} containers: - name: {{ template "node.fullname" . }} image: "{{ template "node.image" . }}" diff --git a/bitnami/node/values.yaml b/bitnami/node/values.yaml index ff5245d067..52bbfa7e62 100644 --- a/bitnami/node/values.yaml +++ b/bitnami/node/values.yaml @@ -34,6 +34,24 @@ image: ## # fullnameOverride: + ## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: latest + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + ## Bitnami git image version ## ref: https://hub.docker.com/r/bitnami/git/tags/ ##
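Review bot: The trailing `-}}` on the `resources:` line trims the newline and indentation that precede `volumeMounts:`, so as far as the hunk shows the rendered manifest joins the two (`{}volumeMounts:` with the default empty map, and a mangled last resource line when limits are set) and the Deployment would fail to parse; drop the dash: `resources: {{ toYaml .Values.volumePermissions.resources | nindent 10 }}`. Separately, `mountPath: {{ .Values.persistence.path }}` is unquoted while the same value is quoted inside `command`; `mountPath: {{ .Values.persistence.path | quote }}` keeps a path containing YAML-special characters from breaking the template. Since this init container runs as UID 0 and recursively chowns the whole data volume on every pod start, a comment above the `{{- if and ... }}` line stating that it is gated on both `volumePermissions.enabled` and `persistence.enabled` and why root is required would help operators judge the privilege; the surrounding `initContainers` list starts outside the hunk.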
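Review bot: `tag: latest` combined with `pullPolicy: Always` means the root-running volume-permissions init container pulls whatever `bitnami/minideb:latest` currently resolves to at each pod start, so one chart release can execute different image contents over time, and the chart's rolling-tag warning (emitted only for the git image in the `_helpers.tpl` hunks) does not cover it. Pinning a specific tag, e.g. `tag: <PINNED_MINIDEB_TAG>` with `pullPolicy: IfNotPresent`, makes the image reproducible and lets `Always` be an explicit operator choice; if `latest` is kept deliberately, a `##` comment above `tag:` should say so. The `resources: {}` default is fine, but a `##` comment noting that the values are passed through `toYaml` into the init container's `resources` block would match the documentation style of the neighbouring keys.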