diff --git a/templates/configMap.yml b/templates/configMap.yml
index e5a183f..d43d39a 100644
--- a/templates/configMap.yml
+++ b/templates/configMap.yml
@@ -32,7 +32,7 @@ data:
   KOHA_PASS: {{ .Values.global.pass }}
   KOHA_USER: {{ .Values.global.user }}
   MANA_URL: {{ .Values.global.mana }}
-  MYSQL_SERVER: {{ with .Values.db.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-db" {{ end }}
+  MYSQL_SERVER: {{ with .Values.db.server }} {{ . | quote }} {{ else }} "db" {{ end }}
   MYSQL_ROOT_USER: {{ .Values.db.root_user }}
   MYSQL_DATABASE: {{ with .Values.db.database }} {{ . | quote }} {{ else }} "koha_{{ .Values.instance }}" {{ end }}
   MYSQL_ROOT_PASSWORD: {{ .Values.db.root_pass }}
@@ -41,9 +41,9 @@ data:
   ZEBRA_MARC_FORMAT: {{ .Values.zebra.marc_format }}
 {{ if .Values.elasticsearch.enabled }}
   OVERRIDE_SYSPREF_SearchEngine: "Elasticsearch"
-  KOHA_ES_NAME: {{ with .Values.elasticsearch.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-es" {{ end }}
+  KOHA_ES_NAME: {{ with .Values.elasticsearch.server }} {{ . | quote }} {{ else }} "es" {{ end }}
 {{ end }}
 {{ if .Values.memcached.enabled }}
-  MEMCACHED_SERVERS: {{ with .Values.memcached.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-memcached:11211" {{ end }}
+  MEMCACHED_SERVERS: {{ with .Values.memcached.server }} {{ . | quote }} {{ else }} "memcached:11211" {{ end }}
 {{ end }}
-  KOHA_PLACK_NAME: "{{ .Values.instance }}-plack"
\ No newline at end of file
+  KOHA_PLACK_NAME: "koha"
\ No newline at end of file
diff --git a/templates/deploy.yml b/templates/deploy.yml
index b3253a8..ddbd0fb 100644
--- a/templates/deploy.yml
+++ b/templates/deploy.yml
@@ -21,6 +21,17 @@ spec:
       containers:
       - name: koha
         image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
+        securityContext:
+          runAsUser: 0 # Set root user
+          allowPrivilegeEscalation: true
+          privileged: true
+          seccompProfile:
+            type: Unconfined
+          capabilities:
+            add:
+            - SETUID
+            - SETGID
+            - SYS_ADMIN
         env:
         - name: USE_PLACK
           value: "1"
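Review bot: The new fallbacks `"db"`, `"es"`, `"memcached:11211"` and `"koha"` in this hunk (and `"db"` for `MYSQL_SERVER` in the @@ -32 hunk above) drop the `.Values.instance` prefix, so two releases of this chart in one namespace would now point at the same Service names, while `MYSQL_DATABASE` still carries the per-instance suffix `koha_{{ .Values.instance }}`. If one-instance-per-namespace is now the intended model, record that next to the `instance` value so the inconsistency is deliberate; otherwise keep the prefix on these defaults as the `MYSQL_DATABASE` line still does.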
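Review bot: `privileged: true` together with `seccompProfile: type: Unconfined` in the koha container's new securityContext grants the container effectively host-equivalent access and makes the `capabilities.add` list redundant, since a privileged container already holds every capability, SYS_ADMIN included. The same block is pasted into the apache (@@ -82), db (@@ -135), es (@@ -174), set-max-map-count (@@ -196) and memcached (@@ -231) hunks; es and set-max-map-count previously ran non-root with `drop: ALL` and `RuntimeDefault`, and the commit does not say what broke under that profile. If the need is only to start as root and drop to a service user, `runAsUser: 0` with `SETUID`/`SETGID` covers it: change to `allowPrivilegeEscalation: false` and `type: RuntimeDefault`, and delete the `privileged: true` and `- SYS_ADMIN` lines, re-adding any single capability only with a comment stating which step requires it.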
@@ -68,7 +79,7 @@ spec:
       initContainers:
       - name: init-wait
         image: alpine
-        command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
+        command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 koha 5000 && exit 0 || sleep 3; done; exit 1"]
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -82,9 +93,17 @@ spec:
       - name: apache
         image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
         securityContext:
+          runAsUser: 0 # Set root user
+          #fsGroup: 1000 # www-data group
+          allowPrivilegeEscalation: true
+          privileged: true
+          seccompProfile:
+            type: Unconfined
           capabilities:
             add:
-            - NET_BIND_SERVICE
+            - SETUID
+            - SETGID
+            - SYS_ADMIN
         env:
         - name: USE_APACHE2
           value: "1"
@@ -100,9 +119,9 @@ spec:
         - name: koha-pv
           mountPath: /tmp/libshare
           subPath: lib
-        ports:
-        - containerPort: {{ .Values.opac.port }}
-        - containerPort: {{ .Values.staff.port }}
+#        ports:
+#        - containerPort: {{ .Values.opac.port }}
+#        - containerPort: {{ .Values.staff.port }}
       volumes:
       - name: koha-pv
         persistentVolumeClaim:
@@ -135,6 +154,17 @@ spec:
       containers:
       - name: db
         image: mariadb:10.3
+        securityContext:
+          runAsUser: 999 # Set root user
+          allowPrivilegeEscalation: true
+          privileged: true
+          seccompProfile:
+            type: Unconfined
+          capabilities:
+            add:
+            - SETUID
+            - SETGID
+            - SYS_ADMIN
         envFrom:
         - configMapRef:
             name: koha-map
@@ -174,13 +204,16 @@ spec:
       - name: es
         image: koha/elasticsearch-icu
         securityContext:
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          capabilities:
-            drop:
-            - ALL
+          runAsUser: 0 # Set root user
+          allowPrivilegeEscalation: true
+          privileged: true
           seccompProfile:
-            type: RuntimeDefault
+            type: Unconfined
+          capabilities:
+            add:
+            - SETUID
+            - SETGID
+            - SYS_ADMIN
         env:
         - name: cluster.name
           value: "docker-cluster"
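Review bot: The hint `#fsGroup: 1000 # www-data group` in the apache hunk (@@ -82) sits under the container-level securityContext, but `fsGroup` is a field of the pod-level `spec.securityContext` only, so uncommenting it where it is would fail API validation; move the comment to the pod spec or delete it. The same hunk drops `NET_BIND_SERVICE`, which is currently masked by `privileged: true`; if that flag is removed later, confirm Apache still binds its ports as uid 0 under the runtime's default capability set, or restore the capability.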
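Review bot: The @@ -100 hunk comments out the apache `ports:` block instead of removing it, leaving dead YAML in a rendered template; either delete the three `# ports:` lines or restore them. `containerPort` is informational for Service routing, so traffic is presumably unaffected, but the template now has no record of which ports the apache container serves, and tooling that reads declared ports loses it.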
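Review bot: `runAsUser: 999 # Set root user` in the db hunk (@@ -135) carries a copy-pasted comment that contradicts the value, since uid 999 is not root; the memcached hunk (@@ -231) has the same problem with `runAsUser: 497 # Set root user`. Suggest `runAsUser: 999  # non-root service uid of the image` and the equivalent for memcached, so a reader does not take the comment as evidence that the container needs root.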
@@ -196,12 +229,16 @@ spec:
       - name: set-max-map-count
         image: alpine
         securityContext:
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          runAsUser: 1000
+          runAsUser: 0 # Set root user
+          allowPrivilegeEscalation: true
+          privileged: true
+          seccompProfile:
+            type: Unconfined
           capabilities:
-            drop:
-            - ALL
+            add:
+            - SETUID
+            - SETGID
+            - SYS_ADMIN
           seccompProfile:
             type: RuntimeDefault
         command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"]
@@ -231,5 +268,16 @@ spec:
       containers:
       - name: memcached
         image: memcached
+        securityContext:
+          runAsUser: 497 # Set root user
+          allowPrivilegeEscalation: true
+          privileged: true
+          seccompProfile:
+            type: Unconfined
+          capabilities:
+            add:
+            - SETUID
+            - SETGID
+            - SYS_ADMIN
         command: [ "memcached", "-m", "64m" ]
 {{ end }}
\ No newline at end of file
diff --git a/templates/ingress.yml b/templates/ingress.yml
index 313398e..e198133 100644
--- a/templates/ingress.yml
+++ b/templates/ingress.yml
@@ -27,7 +27,7 @@ spec:
           paths:
           - backend:
               service:
-                name: {{ .Values.instance }}-koha
+                name: apache2
               port:
                 number: {{ .Values.staff.port }}
             pathType: ImplementationSpecific
@@ -36,7 +36,7 @@ spec:
           paths:
           - backend:
               service:
-                name: {{ .Values.instance }}-koha
+                name: apache2
               port:
                 number: {{ .Values.opac.port }}
             pathType: ImplementationSpecific
\ No newline at end of file
diff --git a/templates/service.yml b/templates/service.yml
index 502b857..c450cf0 100644
--- a/templates/service.yml
+++ b/templates/service.yml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.instance }}-koha
+  name: apache2
   namespace: koha
   labels:
     run: {{ .Values.instance }}-koha
@@ -21,7 +21,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.instance }}-plack
+  name: koha
   namespace: koha
   labels:
     run: {{ .Values.instance }}-plack
@@ -38,7 +38,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.instance }}-es
+  name: es
   namespace: koha
   labels:
     run: {{ .Values.instance }}-es
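Review bot: The set-max-map-count securityContext ends up with two `seccompProfile` keys, because the hunk adds `seccompProfile: type: Unconfined` at the top while the existing `seccompProfile: type: RuntimeDefault` below `capabilities` is kept as context. Duplicate mapping keys are invalid YAML: the strict decoder kubectl and Helm use rejects the manifest, and a lenient parser would keep the last value, silently leaving the profile at RuntimeDefault; remove one of the two so the intent is explicit. This init container's `sysctl -w vm.max_map_count` is the one place in the diff where elevation is plausibly needed, and since that sysctl is node-scoped rather than namespaced, setting it on the nodes would let the container keep its previous non-root, `drop: ALL` profile.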
@@ -56,7 +56,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.instance }}-db
+  name: db
   namespace: koha
   labels:
     run: {{ .Values.instance }}-db
@@ -74,7 +74,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.instance }}-memcached
+  name: memcached
   namespace: koha
   labels:
     run: {{ .Values.instance }}-memcached
diff --git a/values.yaml b/values.yaml
index 52e2ffa..2b43c6d 100644
--- a/values.yaml
+++ b/values.yaml
@@ -35,7 +35,7 @@ docker:
   # image path will be
   # registry.gilab.com/thekesolutions/koha/myclient:19.11.08-5
   registry: registry.gitlab.com/koha-community/docker/koha-docker
-  tag: latest
+  tag: 24.05
 storage: storageClassName: csi-cephfs-sc