From e860294486b7702f5c55fd98567859c07dc731d9 Mon Sep 17 00:00:00 2001 From: Francisco de Paz Galan Date: Tue, 24 Jan 2023 19:20:29 +0100 Subject: [PATCH] [bitnami/*] Improve Goss' user-info test to avoid incompatibilities (#14398) * [bitnami/*] Improve Goss' user-info test to avoid incompatibilities Signed-off-by: FraPazGal * Apply suggestions Signed-off-by: FraPazGal 
Signed-off-by: FraPazGal --- .vib/apache/goss/goss.yaml | 9 +++++---- .vib/appsmith/goss/goss.yaml | 9 +++++---- .vib/argo-cd/goss/goss.yaml | 9 +++++---- .vib/cassandra/goss/goss.yaml | 9 +++++---- .vib/cert-manager/goss/goss.yaml | 9 +++++---- .vib/clickhouse/goss/goss.yaml | 9 +++++---- .vib/concourse/goss/web/goss.yaml | 9 +++++---- .vib/concourse/goss/worker/goss.yaml | 9 +++++---- .vib/contour/goss/goss.yaml | 9 +++++---- .vib/drupal/goss/goss.yaml | 9 +++++---- .vib/ejbca/goss/goss.yaml | 9 +++++---- .vib/etcd/goss/goss.yaml | 9 +++++---- .vib/ghost/goss/goss.yaml | 11 ++++++----- .vib/gitea/goss/goss.yaml | 9 +++++---- .vib/grafana-loki/goss/promtail/goss.yaml | 9 +++++---- .vib/grafana-loki/goss/querier/goss.yaml | 9 +++++---- .vib/grafana-operator/goss/goss.yaml | 9 +++++---- .vib/grafana-tempo/goss/goss.yaml | 9 +++++---- .vib/grafana/goss/goss.yaml | 9 +++++---- .vib/haproxy/goss/goss.yaml | 9 +++++---- .vib/influxdb/goss/goss.yaml | 11 ++++++----- .vib/jaeger/goss/goss.yaml | 9 +++++---- .vib/jasperreports/goss/goss.yaml | 9 +++++---- .vib/jupyterhub/goss/goss.yaml | 9 +++++---- .vib/kafka/goss/goss.yaml | 9 +++++---- .vib/kibana/goss/goss.yaml | 9 +++++---- .vib/kong/goss/goss.yaml | 7 ++++--- .vib/kube-prometheus/goss/goss.yaml | 9 +++++---- .vib/kube-state-metrics/goss/goss.yaml | 9 +++++---- .vib/kubeapps/goss/goss.yaml | 9 +++++---- .vib/kubernetes-event-exporter/goss/goss.yaml | 9 +++++---- .vib/logstash/goss/goss.yaml | 9 +++++---- .vib/mariadb-galera/goss/goss.yaml | 9 +++++---- .vib/mastodon/goss/goss.yaml | 9 +++++---- .vib/mediawiki/goss/goss.yaml | 9 +++++---- .vib/memcached/goss/goss.yaml | 9 +++++---- .vib/metallb/goss/goss.yaml | 9 +++++---- .vib/metrics-server/goss/goss.yaml | 7 ++++--- .vib/minio/goss/goss.yaml | 9 +++++---- .vib/mongodb-sharded/goss/goss.yaml | 9 +++++---- .vib/mongodb/goss/goss.yaml | 9 +++++---- .vib/moodle/goss/goss.yaml | 9 +++++---- .vib/mxnet/goss/goss.yaml | 9 +++++---- .vib/nats/goss/goss.yaml | 9 +++++---- 
.vib/nginx-ingress-controller/goss/goss.yaml | 9 +++++---- .vib/nginx/goss/goss.yaml | 9 +++++---- .vib/node-exporter/goss/goss.yaml | 9 +++++---- .vib/oauth2-proxy/goss/goss.yaml | 9 +++++---- .vib/opencart/goss/goss.yaml | 9 +++++---- .vib/osclass/goss/goss.yaml | 9 +++++---- .vib/parse/goss/dashboard/goss.yaml | 9 +++++---- .vib/parse/goss/server/goss.yaml | 9 +++++---- .vib/phpmyadmin/goss/goss.yaml | 9 +++++---- .vib/postgresql-ha/goss/pgpool/goss.yaml | 9 +++++---- .vib/postgresql-ha/goss/repmgr/goss.yaml | 9 +++++---- .vib/postgresql/goss/goss.yaml | 9 +++++---- .vib/prestashop/goss/goss.yaml | 11 ++++++----- .vib/pytorch/goss/goss.yaml | 9 +++++---- .vib/rabbitmq/goss/goss.yaml | 9 +++++---- .vib/redis-cluster/goss/goss.yaml | 9 +++++---- .vib/redis/goss/goss.yaml | 9 +++++---- .vib/solr/goss/goss.yaml | 9 +++++---- .vib/sonarqube/goss/goss.yaml | 9 +++++---- .vib/spring-cloud-dataflow/goss/goss.yaml | 9 +++++---- .vib/suitecrm/goss/goss.yaml | 9 +++++---- .vib/tensorflow-resnet/goss/goss.yaml | 9 +++++---- .vib/tomcat/goss/goss.yaml | 11 ++++++----- .../goss/goss.yaml | 9 +++++---- .vib/wavefront/goss/goss.yaml | 9 +++++---- .vib/wordpress/goss/goss.yaml | 9 +++++---- 70 files changed, 352 insertions(+), 282 deletions(-) diff --git a/.vib/apache/goss/goss.yaml b/.vib/apache/goss/goss.yaml index f5dcb1e368..c568e102e7 100644 --- a/.vib/apache/goss/goss.yaml +++ b/.vib/apache/goss/goss.yaml 
@@ -14,9 +14,10 @@ file: {{ end }} {{ end }} command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/appsmith/goss/goss.yaml b/.vib/appsmith/goss/goss.yaml index 63283c40a2..b5e2c2004d 100644 --- a/.vib/appsmith/goss/goss.yaml +++ b/.vib/appsmith/goss/goss.yaml @@ -1,10 +1,11 @@ command: + {{- $uid := .Vars.client.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.client.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.client.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.client.podSecurityContext.fsGroup }}/ file: /var/run/secrets/kubernetes.io/serviceaccount: exists: {{ .Vars.serviceAccount.automountServiceAccountToken }} diff --git a/.vib/argo-cd/goss/goss.yaml b/.vib/argo-cd/goss/goss.yaml index 7aaac8a393..6366699b61 100644 --- a/.vib/argo-cd/goss/goss.yaml +++ b/.vib/argo-cd/goss/goss.yaml 
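Review bot: The new `exec` line in the apache hunk fails open on the group half: when `id -G` prints only one group, `awk '{print $2}'` yields nothing, the second test becomes `[ -lt {{ $gid }} ]`, which is an error (status 2) rather than true, so `exit 1` is never reached and the command exits 0 with no fsGroup applied at all. Quoting the substitution alone does not help, since an empty operand is still an error; state the condition positively so that any error fails the test, e.g. `exec: if [ "$(id -u)" -ge {{ $uid }} ] && [ "$(id -G | awk '{print $2}')" -ge {{ $gid }} ]; then exit 0; fi; exit 1`. The check also assumes the fsGroup is the second entry of `id -G`, which may not hold if a pod carries other supplementary groups. The same line is repeated in the other goss.yaml hunks of this patch (appsmith, argo-cd, cassandra, cert-manager and the rest), so the change applies to all of them. The added comment also has a typo, `that the default` for `than the default`.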
@@ -36,9 +36,10 @@ command: - "CapEff: 0000000000000000" - "CapBnd: 0000000000000000" - "CapAmb: 0000000000000000" + {{- $uid := .Vars.server.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.server.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.server.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.server.podSecurityContext.fsGroup }}/ diff --git a/.vib/cassandra/goss/goss.yaml b/.vib/cassandra/goss/goss.yaml index 7951ddfe06..15486417d2 100644 --- a/.vib/cassandra/goss/goss.yaml +++ b/.vib/cassandra/goss/goss.yaml @@ -29,9 +29,10 @@ command: exec: if [ "$(nodetool status | grep {{ .Vars.cluster.numTokens }} | wc -l)" -ne {{ $nodes }} ]; then exit 1; fi exit-status: 0 timeout: 20000 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/cert-manager/goss/goss.yaml b/.vib/cert-manager/goss/goss.yaml index 2210bad410..f14ea734d2 100644 --- a/.vib/cert-manager/goss/goss.yaml +++ b/.vib/cert-manager/goss/goss.yaml 
@@ -4,9 +4,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.controller.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.controller.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.controller.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.controller.podSecurityContext.fsGroup }}/ diff --git a/.vib/clickhouse/goss/goss.yaml b/.vib/clickhouse/goss/goss.yaml index af8678b17a..b92929765a 100644 --- a/.vib/clickhouse/goss/goss.yaml +++ b/.vib/clickhouse/goss/goss.yaml @@ -21,12 +21,13 @@ http: body: - Ok command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ check-cluster-status: exec: clickhouse-client --port {{ .Vars.containerPorts.tcp }} --user '{{ .Vars.auth.username }}' --password '{{ .Vars.auth.password }}' --query='SELECT COUNT(*) FROM system.clusters;' exit-status: 0 diff --git a/.vib/concourse/goss/web/goss.yaml b/.vib/concourse/goss/web/goss.yaml index 9a326d0123..061fcb819d 100644 --- a/.vib/concourse/goss/web/goss.yaml +++ b/.vib/concourse/goss/web/goss.yaml 
@@ -21,9 +21,10 @@ command: check-ports-config: exec: $(echo $CONCOURSE_BIND_PORT | grep -q {{ .Vars.web.containerPorts.http }}) && $(echo $CONCOURSE_TSA_BIND_PORT | grep -q {{ .Vars.web.containerPorts.tsa }}) && $(echo $CONCOURSE_TSA_DEBUG_BIND_PORT | grep -q {{ .Vars.web.containerPorts.pprof }}) exit-status: 0 + {{- $uid := .Vars.web.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.web.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.web.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.web.podSecurityContext.fsGroup }}/ diff --git a/.vib/concourse/goss/worker/goss.yaml b/.vib/concourse/goss/worker/goss.yaml index 3034fa917a..458d49c1ce 100644 --- a/.vib/concourse/goss/worker/goss.yaml +++ b/.vib/concourse/goss/worker/goss.yaml 
@@ -21,9 +21,10 @@ command: check-ports-config: exec: $(echo $CONCOURSE_BIND_PORT | grep -q {{ .Vars.worker.containerPorts.garden }}) && $(echo $CONCOURSE_HEALTHCHECK_BIND_PORT | grep -q {{ .Vars.worker.containerPorts.health }}) && $(echo $CONCOURSE_BAGGAGECLAIM_BIND_PORT | grep -q {{ .Vars.worker.containerPorts.baggageclaim }}) && $(echo $CONCOURSE_BAGGAGECLAIM_DEBUG_BIND_PORT | grep -q {{ .Vars.worker.containerPorts.pprof }}) exit-status: 0 + {{- $uid := .Vars.worker.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.worker.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.worker.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.worker.podSecurityContext.fsGroup }}/ diff --git a/.vib/contour/goss/goss.yaml b/.vib/contour/goss/goss.yaml index 2915eb0f39..07fe56b956 100644 --- a/.vib/contour/goss/goss.yaml +++ b/.vib/contour/goss/goss.yaml @@ -15,9 +15,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.contour.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.contour.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.contour.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.contour.podSecurityContext.fsGroup }}/ 
diff --git a/.vib/drupal/goss/goss.yaml b/.vib/drupal/goss/goss.yaml index af7e6fe129..b67abc0874 100644 --- a/.vib/drupal/goss/goss.yaml +++ b/.vib/drupal/goss/goss.yaml @@ -3,12 +3,13 @@ http: status: 200 allow-insecure: true command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /bitnami/drupal: exists: true diff --git a/.vib/ejbca/goss/goss.yaml b/.vib/ejbca/goss/goss.yaml index 4a4ae2f61d..97f80e35ba 100644 --- a/.vib/ejbca/goss/goss.yaml +++ b/.vib/ejbca/goss/goss.yaml @@ -30,9 +30,10 @@ command: exec: cd /opt/bitnami/ejbca && ejbca.sh ra addendentity --username '{{ $user }}' --caname '{{ $caName}}' --dn '{{ $dn }}' --type {{ $identityType }} --token P12 --password '{{ $pass }}' && ejbca.sh ra setclearpwd '{{ $user }}' '{{ $pass }}' && ejbca.sh batch && ls ./p12/{{ $user }}.p12 exit-status: 0 timeout: 20000 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ 
diff --git a/.vib/etcd/goss/goss.yaml b/.vib/etcd/goss/goss.yaml index d176310714..f62f8d9e1f 100644 --- a/.vib/etcd/goss/goss.yaml +++ b/.vib/etcd/goss/goss.yaml @@ -25,9 +25,10 @@ command: stdout: - {{ $key }} {{- end }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/ghost/goss/goss.yaml b/.vib/ghost/goss/goss.yaml index 7515081354..fef85176e8 100644 --- a/.vib/ghost/goss/goss.yaml +++ b/.vib/ghost/goss/goss.yaml @@ -9,12 +9,13 @@ command: check-db-config: exec: ($dbCheck) && ($userCheck) && ($passCheck) exit-status: 0 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /bitnami/ghost: exists: true @@ -24,4 +25,4 @@ file: /var/run/secrets/kubernetes.io/serviceaccount: exists: {{ .Vars.serviceAccount.automountServiceAccountToken }} filetype: directory - mode: "3777" \ No newline at end of file + mode: "3777" 
diff --git a/.vib/gitea/goss/goss.yaml b/.vib/gitea/goss/goss.yaml index 44dd91005f..213f4b7835 100644 --- a/.vib/gitea/goss/goss.yaml +++ b/.vib/gitea/goss/goss.yaml @@ -6,12 +6,13 @@ addr: reachable: true timeout: 500 command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /var/run/secrets/kubernetes.io/serviceaccount: exists: {{ .Vars.serviceAccount.automountServiceAccountToken }} diff --git a/.vib/grafana-loki/goss/promtail/goss.yaml b/.vib/grafana-loki/goss/promtail/goss.yaml index fa3cfa101b..ec684aa9b2 100644 --- a/.vib/grafana-loki/goss/promtail/goss.yaml +++ b/.vib/grafana-loki/goss/promtail/goss.yaml @@ -16,9 +16,10 @@ http: body: - /log_level.*{{ .Vars.promtail.logLevel }}/ command: + {{- $uid := .Vars.promtail.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.promtail.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.promtail.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.promtail.podSecurityContext.fsGroup }}/ 
diff --git a/.vib/grafana-loki/goss/querier/goss.yaml b/.vib/grafana-loki/goss/querier/goss.yaml index f3da87fe43..6bed5cc7c3 100644 --- a/.vib/grafana-loki/goss/querier/goss.yaml +++ b/.vib/grafana-loki/goss/querier/goss.yaml @@ -34,9 +34,10 @@ command: check-logcli: exec: logcli instant-query --addr=http://grafana-loki-querier:{{ .Vars.querier.service.ports.http }} '{app="grafana-loki"}' exit-status: 0 + {{- $uid := .Vars.querier.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.querier.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.querier.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.querier.podSecurityContext.fsGroup }}/ diff --git a/.vib/grafana-operator/goss/goss.yaml b/.vib/grafana-operator/goss/goss.yaml index 2b835d7eae..0eb46469a7 100644 --- a/.vib/grafana-operator/goss/goss.yaml +++ b/.vib/grafana-operator/goss/goss.yaml @@ -7,9 +7,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.operator.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.operator.containerSecurityContext.runAsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.operator.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.operator.containerSecurityContext.runAsGroup }}/ 
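Review bot: In the grafana-operator hunk `$gid` is taken from `containerSecurityContext.runAsGroup`, but the test compares it with the second field of `id -G`; runAsGroup sets the primary group, which `id -G` normally prints first and `id -g` prints alone. If the container has no supplementary group, the second field is empty, the `[ ... -lt ... ]` test errors out instead of failing, and the runAsGroup value is never actually verified. Comparing the primary group would match the variable being read, e.g. `[ "$(id -g)" -lt {{ $gid }} ]` in place of the `id -G | awk '{print $2}'` test.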
diff --git a/.vib/grafana-tempo/goss/goss.yaml b/.vib/grafana-tempo/goss/goss.yaml index 24ec60b7f2..2ffb2597ed 100644 --- a/.vib/grafana-tempo/goss/goss.yaml +++ b/.vib/grafana-tempo/goss/goss.yaml @@ -33,9 +33,10 @@ command: exit-status: 0 stdout: - "vulture" + {{- $uid := .Vars.compactor.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.compactor.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.compactor.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.compactor.podSecurityContext.fsGroup }}/ diff --git a/.vib/grafana/goss/goss.yaml b/.vib/grafana/goss/goss.yaml index 2194f1c53f..7e01d67767 100644 --- a/.vib/grafana/goss/goss.yaml +++ b/.vib/grafana/goss/goss.yaml @@ -13,9 +13,10 @@ command: exit-status: 0 stdout: - /datasources.*already encrypted/ + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/haproxy/goss/goss.yaml b/.vib/haproxy/goss/goss.yaml index 455e682ce5..44ccff75ea 100644 --- a/.vib/haproxy/goss/goss.yaml +++ b/.vib/haproxy/goss/goss.yaml 
@@ -4,9 +4,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/influxdb/goss/goss.yaml b/.vib/influxdb/goss/goss.yaml index eae30bc15a..975115669e 100644 --- a/.vib/influxdb/goss/goss.yaml +++ b/.vib/influxdb/goss/goss.yaml @@ -9,12 +9,13 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.influxdb.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.influxdb.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.influxdb.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.influxdb.podSecurityContext.fsGroup }}/ {{- $org := .Vars.auth.user.org }} {{- $bucket := .Vars.auth.user.bucket }} {{- $port := .Vars.influxdb.service.ports.http }} 
@@ -25,4 +26,4 @@ command: exec: export INFLUX_TOKEN='{{ $adminToken }}' && influx write --host http://influxdb:{{ $port }} --org {{ $org }} --bucket {{ $bucket }} 'cpu_error,host=bitnami-server value="{{ $msg }}"' && export INFLUX_TOKEN=$(influx auth list | grep {{ $user }} | awk '{print $2}') && influx query --host http://influxdb:{{ $port }} --org {{ $org }} 'from(bucket:"{{ $bucket }}") |> range(start:-2m)' exit-status: 0 stdout: - - {{ $msg }} \ No newline at end of file + - {{ $msg }} diff --git a/.vib/jaeger/goss/goss.yaml b/.vib/jaeger/goss/goss.yaml index 71c82ca4d9..9a4113c867 100644 --- a/.vib/jaeger/goss/goss.yaml +++ b/.vib/jaeger/goss/goss.yaml @@ -25,9 +25,10 @@ command: check-cassandra-auth: exec: \[ $CASSANDRA_USERNAME = {{ .Vars.cassandra.dbUser.user }} ] && [ $CASSANDRA_PASSWORD = {{ .Vars.cassandra.dbUser.password }} ] && [ $CASSANDRA_KEYSPACE = {{ .Vars.cassandra.keyspace }} ]; exit-status: 0 + {{- $uid := .Vars.agent.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.agent.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.agent.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.agent.podSecurityContext.fsGroup }}/ diff --git a/.vib/jasperreports/goss/goss.yaml b/.vib/jasperreports/goss/goss.yaml index 648bbc669c..9a681439c4 100644 --- a/.vib/jasperreports/goss/goss.yaml +++ b/.vib/jasperreports/goss/goss.yaml 
@@ -1,10 +1,11 @@ command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /opt/bitnami/jasperreports/META-INF/context.xml: exists: true diff --git a/.vib/jupyterhub/goss/goss.yaml b/.vib/jupyterhub/goss/goss.yaml index 1bd335ab6b..bdc823efab 100644 --- a/.vib/jupyterhub/goss/goss.yaml +++ b/.vib/jupyterhub/goss/goss.yaml @@ -31,9 +31,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.hub.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.hub.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.hub.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.hub.podSecurityContext.fsGroup }}/ diff --git a/.vib/kafka/goss/goss.yaml b/.vib/kafka/goss/goss.yaml index 354f68e5fa..9d75dae53a 100644 --- a/.vib/kafka/goss/goss.yaml +++ b/.vib/kafka/goss/goss.yaml 
@@ -28,9 +28,10 @@ command: exec: kafka-topics.sh --create --topic quickstart-events{{randAlpha 5}} --bootstrap-server kafka:{{ .Vars.service.ports.client }} exit-status: 0 timeout: 20000 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/kibana/goss/goss.yaml b/.vib/kibana/goss/goss.yaml index ecb8878814..0a4d66279e 100644 --- a/.vib/kibana/goss/goss.yaml +++ b/.vib/kibana/goss/goss.yaml @@ -21,9 +21,10 @@ file: contains: - "csp.strict: {{ .Vars.extraConfiguration.csp_strict }}" command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/kong/goss/goss.yaml b/.vib/kong/goss/goss.yaml index 0582e25c21..d4ac0772f7 100644 --- a/.vib/kong/goss/goss.yaml +++ b/.vib/kong/goss/goss.yaml 
@@ -26,8 +26,9 @@ file: - /listen.*{{ .Vars.kong.containerPorts.proxyHttps }}.*ssl/ - /listen.*{{ .Vars.kong.containerPorts.adminHttps }}.*ssl/ command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} \ No newline at end of file diff --git a/.vib/kube-prometheus/goss/goss.yaml b/.vib/kube-prometheus/goss/goss.yaml index 7233f6d32d..3b16c32cd2 100644 --- a/.vib/kube-prometheus/goss/goss.yaml +++ b/.vib/kube-prometheus/goss/goss.yaml @@ -13,9 +13,10 @@ command: - "CapEff: 0000000000000000" - "CapBnd: 0000000000000000" - "CapAmb: 0000000000000000" + {{- $uid := .Vars.operator.podSecurityContext.runAsUser }} + {{- $gid := .Vars.operator.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.operator.podSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.operator.podSecurityContext.fsGroup }}/ diff --git a/.vib/kube-state-metrics/goss/goss.yaml b/.vib/kube-state-metrics/goss/goss.yaml index a97fed1c82..187b698021 100644 --- a/.vib/kube-state-metrics/goss/goss.yaml +++ b/.vib/kube-state-metrics/goss/goss.yaml 
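Review bot: The comment added in the kong hunk says the UID and GID are both checked, but the `exec` line there only tests `id -u`, so the test reads as covering the group when it does not. Reword it to match, e.g. `# The UID should be either the one specified as vars or a larger one assigned by openshift.` It is also worth stating in the comment that this is a lower bound only: any UID at or above `{{ $uid }}` passes, which the removed `stdout` match on `uid=` did not allow.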
@@ -11,9 +11,10 @@ file: mode: "3777" owner: root command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ \ No newline at end of file diff --git a/.vib/kubeapps/goss/goss.yaml b/.vib/kubeapps/goss/goss.yaml index 299744d00f..6e1e997c1c 100644 --- a/.vib/kubeapps/goss/goss.yaml +++ b/.vib/kubeapps/goss/goss.yaml @@ -24,9 +24,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.kubeappsapis.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.kubeappsapis.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.kubeappsapis.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.kubeappsapis.podSecurityContext.fsGroup }}/ diff --git a/.vib/kubernetes-event-exporter/goss/goss.yaml b/.vib/kubernetes-event-exporter/goss/goss.yaml index 3b80b80623..d35ac89070 100644 --- a/.vib/kubernetes-event-exporter/goss/goss.yaml +++ b/.vib/kubernetes-event-exporter/goss/goss.yaml 
@@ -20,9 +20,10 @@ command: - "CapEff: 0000000000000000" - "CapBnd: 0000000000000000" - "CapAmb: 0000000000000000" + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/logstash/goss/goss.yaml b/.vib/logstash/goss/goss.yaml index a70703ad88..f76303031e 100644 --- a/.vib/logstash/goss/goss.yaml +++ b/.vib/logstash/goss/goss.yaml @@ -30,9 +30,10 @@ command: - /status_code.*200/ - /referrer.*{{ $rnd_address }}/ timeout: 30000 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/mariadb-galera/goss/goss.yaml b/.vib/mariadb-galera/goss/goss.yaml index 837672373d..1c83a786f7 100644 --- a/.vib/mariadb-galera/goss/goss.yaml +++ b/.vib/mariadb-galera/goss/goss.yaml 
@@ -34,9 +34,10 @@ command: - {{ $testValue }} timeout: 9000 {{- end }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/mastodon/goss/goss.yaml b/.vib/mastodon/goss/goss.yaml index 617a048909..039c14281e 100644 --- a/.vib/mastodon/goss/goss.yaml +++ b/.vib/mastodon/goss/goss.yaml @@ -1,10 +1,11 @@ command: + {{- $uid := .Vars.web.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.web.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.web.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.web.podSecurityContext.fsGroup }}/ check-no-capabilities: exec: cat /proc/1/status exit-status: 0 diff --git a/.vib/mediawiki/goss/goss.yaml b/.vib/mediawiki/goss/goss.yaml index d1b2874165..8c7b17f875 100644 --- a/.vib/mediawiki/goss/goss.yaml +++ b/.vib/mediawiki/goss/goss.yaml 
@@ -21,12 +21,13 @@ http: no-follow-redirects: true allow-insecure: true command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ check-db-credentials: exec: env exit-status: 0 diff --git a/.vib/memcached/goss/goss.yaml b/.vib/memcached/goss/goss.yaml index d1824decb5..f01c792265 100644 --- a/.vib/memcached/goss/goss.yaml +++ b/.vib/memcached/goss/goss.yaml @@ -13,9 +13,10 @@ command: stdout: - STORED - {{ $value }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/metallb/goss/goss.yaml b/.vib/metallb/goss/goss.yaml index a5f46b1430..bead0b1f99 100644 --- a/.vib/metallb/goss/goss.yaml +++ b/.vib/metallb/goss/goss.yaml 
@@ -13,9 +13,10 @@ command: - "CapEff: 0000000000000000" - "CapBnd: 0000000000000000" - "CapAmb: 0000000000000000" + {{- $uid := .Vars.controller.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.controller.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.controller.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.controller.podSecurityContext.fsGroup }}/ diff --git a/.vib/metrics-server/goss/goss.yaml b/.vib/metrics-server/goss/goss.yaml index ae39a1aec3..0c2bb63558 100644 --- a/.vib/metrics-server/goss/goss.yaml +++ b/.vib/metrics-server/goss/goss.yaml @@ -11,8 +11,9 @@ file: mode: "1777" owner: root command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} diff --git a/.vib/minio/goss/goss.yaml b/.vib/minio/goss/goss.yaml index c13998f69a..a68493a99a 100644 --- a/.vib/minio/goss/goss.yaml +++ b/.vib/minio/goss/goss.yaml 
@@ -17,12 +17,13 @@ command: stdout: - /Network.*OK/ - /Drives.*OK/ + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: {{ .Vars.persistence.mountPath }}: diff --git a/.vib/mongodb-sharded/goss/goss.yaml b/.vib/mongodb-sharded/goss/goss.yaml index b8c0b51cab..4a3d8a7dfe 100644 --- a/.vib/mongodb-sharded/goss/goss.yaml +++ b/.vib/mongodb-sharded/goss/goss.yaml @@ -26,12 +26,13 @@ command: {{ end }} {{ end }} timeout: 20000 + {{- $uid := .Vars.mongos.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.mongos.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.mongos.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.mongos.podSecurityContext.fsGroup }}/ file: /opt/bitnami/mongodb/conf/keyfile: mode: "0600" diff --git a/.vib/mongodb/goss/goss.yaml b/.vib/mongodb/goss/goss.yaml index 9842120d3b..5a0b3753e5 100644 --- a/.vib/mongodb/goss/goss.yaml +++ b/.vib/mongodb/goss/goss.yaml 
@@ -26,9 +26,10 @@ command: exit-status: 0 stdout: - {{ $testCollection }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ \ No newline at end of file diff --git a/.vib/moodle/goss/goss.yaml b/.vib/moodle/goss/goss.yaml index 10dd97b7af..525f1c30ee 100644 --- a/.vib/moodle/goss/goss.yaml +++ b/.vib/moodle/goss/goss.yaml @@ -8,9 +8,10 @@ http: status: 200 allow-insecure: true command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/mxnet/goss/goss.yaml b/.vib/mxnet/goss/goss.yaml index af913064da..de2e5f7a43 100644 --- a/.vib/mxnet/goss/goss.yaml +++ b/.vib/mxnet/goss/goss.yaml 
@@ -8,9 +8,10 @@ command: run-git-example: exec: python {{ .Vars.entrypoint.workDir }}/example/memcost/inception_memcost.py exit-status: 0 + {{- $uid := .Vars.standalone.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.standalone.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.standalone.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.standalone.podSecurityContext.fsGroup }}/ \ No newline at end of file diff --git a/.vib/nats/goss/goss.yaml b/.vib/nats/goss/goss.yaml index 194e8b1a74..c08c2c0224 100644 --- a/.vib/nats/goss/goss.yaml +++ b/.vib/nats/goss/goss.yaml @@ -33,9 +33,10 @@ command: - {{ $msg }} timeout: 20000 {{ end }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ $running_user }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/nginx-ingress-controller/goss/goss.yaml b/.vib/nginx-ingress-controller/goss/goss.yaml index 13beba389e..6be0dc6983 100644 --- a/.vib/nginx-ingress-controller/goss/goss.yaml +++ b/.vib/nginx-ingress-controller/goss/goss.yaml 
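Review bot: The nats hunk changes where the expected UID comes from: the removed assertion compared against `{{ $running_user }}`, while the new `$uid` is read from `.Vars.containerSecurityContext.runAsUser`. `$running_user` is defined outside this hunk, so it cannot be confirmed here that both hold the same value; if they differ, the test now checks a different bound than before. If they are the same, `$running_user` may now be unused and could be removed, or the new line could reuse it as `{{- $uid := $running_user }}`.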
@@ -8,12 +8,13 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ check-capabilities: exec: capsh --print exit-status: 0 diff --git a/.vib/nginx/goss/goss.yaml b/.vib/nginx/goss/goss.yaml index 8bdf273855..f1a372c009 100644 --- a/.vib/nginx/goss/goss.yaml +++ b/.vib/nginx/goss/goss.yaml @@ -12,9 +12,10 @@ file: contains: - /listen.*{{ .Vars.containerPorts.http }}/ command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/node-exporter/goss/goss.yaml b/.vib/node-exporter/goss/goss.yaml index 0d45dcfdcc..1e690199d8 100644 --- a/.vib/node-exporter/goss/goss.yaml +++ b/.vib/node-exporter/goss/goss.yaml 
@@ -14,9 +14,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/oauth2-proxy/goss/goss.yaml b/.vib/oauth2-proxy/goss/goss.yaml index 9dbe13a1e1..12633b77d1 100644 --- a/.vib/oauth2-proxy/goss/goss.yaml +++ b/.vib/oauth2-proxy/goss/goss.yaml @@ -10,9 +10,10 @@ command: check-redis-auth: exec: \[ $OAUTH2_PROXY_REDIS_PASSWORD = {{ .Vars.redis.auth.password }} ] exit-status: 0 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/opencart/goss/goss.yaml b/.vib/opencart/goss/goss.yaml index 02b4c20547..90206b21ed 100644 --- a/.vib/opencart/goss/goss.yaml +++ b/.vib/opencart/goss/goss.yaml 
@@ -3,12 +3,13 @@ http: status: 200 allow-insecure: true command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /bitnami/opencart: exists: true diff --git a/.vib/osclass/goss/goss.yaml b/.vib/osclass/goss/goss.yaml index bd6bb38f02..90f79ef1ef 100644 --- a/.vib/osclass/goss/goss.yaml +++ b/.vib/osclass/goss/goss.yaml @@ -4,12 +4,13 @@ http: allow-insecure: true timeout: 70000 command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /bitnami/osclass/config.php: exists: true diff --git a/.vib/parse/goss/dashboard/goss.yaml b/.vib/parse/goss/dashboard/goss.yaml index d755aa5d8b..90f000c18c 100644 --- a/.vib/parse/goss/dashboard/goss.yaml +++ b/.vib/parse/goss/dashboard/goss.yaml 
@@ -17,9 +17,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.dashboard.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.dashboard.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.dashboard.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.dashboard.podSecurityContext.fsGroup }}/ diff --git a/.vib/parse/goss/server/goss.yaml b/.vib/parse/goss/server/goss.yaml index ff504c7860..97c2afbbc0 100644 --- a/.vib/parse/goss/server/goss.yaml +++ b/.vib/parse/goss/server/goss.yaml @@ -16,9 +16,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.server.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.server.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.server.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.server.podSecurityContext.fsGroup }}/ \ No newline at end of file diff --git a/.vib/phpmyadmin/goss/goss.yaml b/.vib/phpmyadmin/goss/goss.yaml index 3129846fc5..353b874d30 100644 --- a/.vib/phpmyadmin/goss/goss.yaml +++ b/.vib/phpmyadmin/goss/goss.yaml 
@@ -14,9 +14,10 @@ http: status: 200 allow-insecure: true command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/postgresql-ha/goss/pgpool/goss.yaml b/.vib/postgresql-ha/goss/pgpool/goss.yaml index 6ab474c471..26a5fa70af 100644 --- a/.vib/postgresql-ha/goss/pgpool/goss.yaml +++ b/.vib/postgresql-ha/goss/pgpool/goss.yaml @@ -14,9 +14,10 @@ command: {{ range $e, $i := until $nodes }} - /postgresql-ha-postgresql-{{ $i }}/ {{ end }} + {{- $uid := .Vars.pgpool.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.pgpool.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.pgpool.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.pgpool.podSecurityContext.fsGroup }}/ diff --git a/.vib/postgresql-ha/goss/repmgr/goss.yaml b/.vib/postgresql-ha/goss/repmgr/goss.yaml index ba7c4ff1cf..644543d577 100644 --- a/.vib/postgresql-ha/goss/repmgr/goss.yaml +++ b/.vib/postgresql-ha/goss/repmgr/goss.yaml 
@@ -29,9 +29,10 @@ command: xargs -I '{}' psql -U {{ $repmgr_user }} -d {{ $repmgr_database }} -h '{}'.postgresql-ha-postgresql-headless -p {{ $repmgr_port }} -c "CREATE DATABASE {{ $database }};" && sleep 5 \ {{ range $e, $i := until $nodes }}&& psql -U {{ $repmgr_user }} -d {{ $repmgr_database }} -h postgresql-ha-postgresql-{{ $i }}.postgresql-ha-postgresql-headless -p {{ $repmgr_port }} -c "SELECT datname FROM pg_database" | grep {{ $database }}{{ end }} exit-status: 0 + {{- $uid := .Vars.postgresql.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.postgresql.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.postgresql.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.postgresql.podSecurityContext.fsGroup }}/ diff --git a/.vib/postgresql/goss/goss.yaml b/.vib/postgresql/goss/goss.yaml index 919bc1f13c..6ab5c92878 100644 --- a/.vib/postgresql/goss/goss.yaml +++ b/.vib/postgresql/goss/goss.yaml 
@@ -22,12 +22,13 @@ command: exit-status: 0 stdout: - '2' + {{- $uid := .Vars.primary.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.primary.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.primary.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.primary.podSecurityContext.fsGroup }}/ file: {{ .Vars.primary.persistence.mountPath }}: exists: true diff --git a/.vib/prestashop/goss/goss.yaml b/.vib/prestashop/goss/goss.yaml index 403d8346ce..3391006af5 100644 --- a/.vib/prestashop/goss/goss.yaml +++ b/.vib/prestashop/goss/goss.yaml @@ -12,12 +12,13 @@ command: exit-status: 0 stdout: - /PS_COOKIE_CHECKIP={{ (eq .Vars.prestashopCookieCheckIP "yes") | int }}/ + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /etc/hosts: exists: true @@ -41,4 +42,4 @@ file: contains: - /database_name.*{{ .Vars.mariadb.auth.database }}/ - /database_user.*{{ .Vars.mariadb.auth.username }}/ - - /database_password.*{{ .Vars.mariadb.auth.password }}/ \ No newline at end of file + - /database_password.*{{ .Vars.mariadb.auth.password }}/ 
diff --git a/.vib/pytorch/goss/goss.yaml b/.vib/pytorch/goss/goss.yaml index 069a792fcd..f57c3648e2 100644 --- a/.vib/pytorch/goss/goss.yaml +++ b/.vib/pytorch/goss/goss.yaml @@ -8,9 +8,10 @@ command: run-git-example: exec: python /app/beginner_source/examples_tensor/polynomial_tensor.py exit-status: 0 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/rabbitmq/goss/goss.yaml b/.vib/rabbitmq/goss/goss.yaml index 22f6398c70..7948c89831 100644 --- a/.vib/rabbitmq/goss/goss.yaml +++ b/.vib/rabbitmq/goss/goss.yaml @@ -38,9 +38,10 @@ command: exit-status: 0 stdout: - {{ .Vars.extraPlugins }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/redis-cluster/goss/goss.yaml b/.vib/redis-cluster/goss/goss.yaml index 60b52ae6ea..b209538ecc 100644 --- a/.vib/redis-cluster/goss/goss.yaml +++ b/.vib/redis-cluster/goss/goss.yaml 
@@ -27,12 +27,13 @@ command: stdout: - "role:master" - "connected_slaves:{{ .Vars.cluster.replicas }}" + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: {{ .Vars.persistence.path }}: filetype: directory diff --git a/.vib/redis/goss/goss.yaml b/.vib/redis/goss/goss.yaml index 7065b27798..d1371d6fb9 100644 --- a/.vib/redis/goss/goss.yaml +++ b/.vib/redis/goss/goss.yaml @@ -28,12 +28,13 @@ command: exit-status: 0 stdout: - slave + {{- $uid := .Vars.master.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.master.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.master.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.master.podSecurityContext.fsGroup }}/ file: {{ .Vars.master.persistence.path }}: filetype: directory diff --git a/.vib/solr/goss/goss.yaml b/.vib/solr/goss/goss.yaml index 6d696b9834..9037653bde 100644 --- a/.vib/solr/goss/goss.yaml +++ b/.vib/solr/goss/goss.yaml 
@@ -14,12 +14,13 @@ command: - /solr-{{ $i }}/ {{ end }} timeout: 30000 + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: {{ .Vars.persistence.mountPath }}: filetype: directory diff --git a/.vib/sonarqube/goss/goss.yaml b/.vib/sonarqube/goss/goss.yaml index a9631d954f..cb4dc792c5 100644 --- a/.vib/sonarqube/goss/goss.yaml +++ b/.vib/sonarqube/goss/goss.yaml @@ -18,9 +18,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/spring-cloud-dataflow/goss/goss.yaml b/.vib/spring-cloud-dataflow/goss/goss.yaml index ad370d64c1..69b3982940 100644 --- a/.vib/spring-cloud-dataflow/goss/goss.yaml +++ b/.vib/spring-cloud-dataflow/goss/goss.yaml 
@@ -23,9 +23,10 @@ file: mode: "3777" owner: root command: + {{- $uid := .Vars.server.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.server.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.server.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.server.podSecurityContext.fsGroup }}/ diff --git a/.vib/suitecrm/goss/goss.yaml b/.vib/suitecrm/goss/goss.yaml index 1e9d8488ef..060493b6b4 100644 --- a/.vib/suitecrm/goss/goss.yaml +++ b/.vib/suitecrm/goss/goss.yaml @@ -3,12 +3,13 @@ http: status: 200 allow-insecure: true command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /bitnami/suitecrm: exists: true diff --git a/.vib/tensorflow-resnet/goss/goss.yaml b/.vib/tensorflow-resnet/goss/goss.yaml index 619b6ead5b..d31b7bec88 100644 --- a/.vib/tensorflow-resnet/goss/goss.yaml +++ b/.vib/tensorflow-resnet/goss/goss.yaml 
@@ -13,9 +13,10 @@ file: mode: "2777" owner: root command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/tomcat/goss/goss.yaml b/.vib/tomcat/goss/goss.yaml index d62b9f96fb..0ceaf7d674 100644 --- a/.vib/tomcat/goss/goss.yaml +++ b/.vib/tomcat/goss/goss.yaml @@ -1,13 +1,14 @@ command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ file: /bitnami/tomcat: exists: true filetype: directory mode: "2775" - owner: root \ No newline at end of file + owner: root diff --git a/.vib/wavefront-prometheus-storage-adapter/goss/goss.yaml b/.vib/wavefront-prometheus-storage-adapter/goss/goss.yaml index 6a3ccaf986..a7574f7809 100644 --- a/.vib/wavefront-prometheus-storage-adapter/goss/goss.yaml +++ b/.vib/wavefront-prometheus-storage-adapter/goss/goss.yaml 
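Review bot: `awk '{print $2}'` in the tensorflow-resnet hunk assumes the fsGroup is the second entry of `id -G`, which nothing in the patch establishes. If the pod also sets supplemental groups, or the image user belongs to other groups, the second field may be a different group and the comparison checks the wrong ID. Testing every listed group removes the dependence on position, for example `id -G | tr ' ' '\n' | awk -v min={{ $gid }} '$1 >= min {ok=1} END {exit !ok}'` for the group half of the check. This applies equally to the other hunks that add the same `exec` line.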
@@ -2,9 +2,10 @@ http: http://localhost:{{ .Vars.containerPorts.http }}/health: status: 200 command: + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/ diff --git a/.vib/wavefront/goss/goss.yaml b/.vib/wavefront/goss/goss.yaml index 6d8bcb7d8c..b3593d6d01 100644 --- a/.vib/wavefront/goss/goss.yaml +++ b/.vib/wavefront/goss/goss.yaml @@ -7,9 +7,10 @@ file: filetype: directory mode: "3777" command: + {{- $uid := .Vars.proxy.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.proxy.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.proxy.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.proxy.podSecurityContext.fsGroup }}/ diff --git a/.vib/wordpress/goss/goss.yaml b/.vib/wordpress/goss/goss.yaml index d38531ec03..55ec99a90e 100644 --- a/.vib/wordpress/goss/goss.yaml +++ b/.vib/wordpress/goss/goss.yaml 
@@ -20,9 +20,10 @@ command: exit-status: 0 stdout: - {{ .Vars.wordpressEmail }} + {{- $uid := .Vars.containerSecurityContext.runAsUser }} + {{- $gid := .Vars.podSecurityContext.fsGroup }} check-user-info: - exec: id + # The UID and GID should always be either the one specified as vars (always a bigger number that the default) + # or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value. + exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi exit-status: 0 - stdout: - - uid={{ .Vars.containerSecurityContext.runAsUser }} - - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/