chore(helm): stop writing on root file system

Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Substra · Jun 30, 2023 · 2638505 · 2638505
1 parent ae7352c
commit 2638505
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 18 deletions.
diff --git a/charts/substra-backend/CHANGELOG.md b/charts/substra-backend/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog
 
+## 22.6.0
+
+### Changed
+
+- Components now avoid writing on the root file system, allowing this chart to run under `readOnlyRootFilesystem: true`
+- Created role no longer requests the `extensions` API group
+
+### Fixed
+
+- Missing dash in some created Kubernetes objects
+
 ## [22.5.2] - 2023-06-27
 
 ### Changed

diff --git a/charts/substra-backend/Chart.yaml b/charts/substra-backend/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 22.5.2
+version: 22.6.0
 appVersion: 0.39.0
 kubeVersion: ">= 1.19.0-0"
 description: Main package for Substra

diff --git a/charts/substra-backend/templates/configmap-settings.yaml b/charts/substra-backend/templates/configmap-settings.yaml
@@ -8,6 +8,7 @@ data:
   ORG_NAME: {{ .Values.organizationName | quote }}
   MEDIA_ROOT: /var/substra/medias/
   SERVERMEDIAS_ROOT: /var/substra/servermedias/
+  SECRET_KEY_PATH: /var/substra/runtime-secrets/SECRET_KEY
   SUBTUPLE_DIR: /var/substra/medias/subtuple/
   DEFAULT_DOMAIN: {{ .Values.server.defaultDomain | quote }}
   COMMON_HOST_DOMAIN: {{ .Values.server.commonHostDomain | quote }}

diff --git a/charts/substra-backend/templates/deployment-registry-prepopulate.yaml b/charts/substra-backend/templates/deployment-registry-prepopulate.yaml
@@ -26,15 +26,19 @@ spec:
         command: ['dockerize', '-wait', 'tcp://{{ $.Release.Name }}-docker-registry:5000']
       - name: kaniko
         image: {{ include "common.images.name" $.Values.kaniko.image }}
-        args: ["--context=/docker-context",
-                {{- if .dstImage }}
-                "--destination={{ $.Release.Name }}-docker-registry:5000/{{ .dstImage }}",
-                {{- else }}
-                "--destination={{ $.Release.Name }}-docker-registry:5000/{{ .image }}",
-                {{ end }}
-                "--insecure",
-                "--verbosity=debug"]
+        args:
+          - "--context=/docker-context"
+          {{- if .dstImage }}
+          - "--destination={{ $.Release.Name }}-docker-registry:5000/{{ .dstImage }}"
+          {{- else }}
+          - "--destination={{ $.Release.Name }}-docker-registry:5000/{{ .image }}"
+          {{- end }}
+          - "--insecure"
+          - "--verbosity=debug"
+          - "--kaniko-dir=/kaniko-dir"
         volumeMounts:
+          - name: kaniko-dir
+            mountPath: /kaniko-dir
           - name: dockerfile
             mountPath: /docker-context
           {{- if .dockerConfigSecretName }}
@@ -45,6 +49,8 @@ spec:
       - image: gcr.io/google-containers/pause:3.2
         name: pause
       volumes:
+      - name: kaniko-dir
+        emptyDir: {}
       - name: dockerfile
         configMap:
           name: {{ template "substra.fullname" $ }}-registry-prepopulate-dockerfile-{{ $index }}

diff --git a/charts/substra-backend/templates/deployment-scheduler.yaml b/charts/substra-backend/templates/deployment-scheduler.yaml
@@ -42,7 +42,7 @@ spec:
           image: {{ include "substra-backend.images.name" (dict "img" .Values.scheduler.image "defaultTag" $.Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.scheduler.image.pullPolicy }}
           command: ["/bin/bash"]
-          args: ["-c", "celery -A backend beat -l debug"]
+          args: ["-c", "celery -A backend beat -l debug --schedule /var/substra/runtime-db/celerybeat-scheduler"]
           envFrom:
             - configMapRef:
                 name: {{ include "substra.fullname" . }}-orchestrator
@@ -70,6 +70,8 @@ spec:
             - name: DJANGO_SETTINGS_MODULE
               value: backend.settings.celery.{{ .Values.settings }}
           volumeMounts:
+            - name: runtime-db
+              mountPath: /var/substra/runtime-db
             {{ if .Values.orchestrator.tls.enabled }}
             - name: orchestrator-tls-cacert
               mountPath: /var/substra/orchestrator/tls/server
@@ -81,6 +83,8 @@ spec:
           resources:
             {{- toYaml .Values.scheduler.resources | nindent 12 }}
       volumes:
+      - name: runtime-db
+        emptyDir: {}
       {{ if.Values.orchestrator.tls.enabled }}
       - name: orchestrator-tls-cacert
         configMap:

diff --git a/charts/substra-backend/templates/deployment-server.yaml b/charts/substra-backend/templates/deployment-server.yaml
@@ -73,6 +73,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: status.podIP
+          - name: SECRET_KEY_LOAD_AND_STORE
+            value: "True"
           {{- if .Values.server.metrics.enabled }}
           - name: ENABLE_METRICS
             value: "True"
@@ -96,6 +98,8 @@ spec:
             mountPath: /usr/src/app/uwsgi.ini
             subPath: uwsgi.ini
             readOnly: true
+          - name: runtime-secrets
+            mountPath: /var/substra/runtime-secrets
           {{- if .Values.privateCa.enabled }}
           - mountPath: /etc/ssl/certs
             name: ssl-certs
@@ -227,6 +231,8 @@ spec:
           claimName: {{ .Values.server.persistence.servermedias.existingClaim | default (print (include "substra.fullname" $) "-servermedias") }}
       - name: statics
         emptyDir: {}
+      - name: runtime-secrets
+        emptyDir: {}
       - name: uwsgi
         configMap:
           name: {{ include "substra.fullname" . }}-server-uwsgi

diff --git a/charts/substra-backend/templates/rbac.yaml b/charts/substra-backend/templates/rbac.yaml
@@ -20,9 +20,12 @@ rules:
     resources: ["secrets"]
     verbs: ["get", "watch", "list", "create", "update", "patch"]
   - apiGroups: [""]
-    resources: ["pods", "pods/log", "pods/status", "pods/exec"]
+    resources: ["pods/log", "pods/status"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods", "pods/exec"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: ["batch", "extensions"]
+  - apiGroups: ["batch"]
     resources: ["jobs"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   - apiGroups: [""]
@@ -79,7 +82,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "substra.fullname" . }}worker-event
+  name: {{ template "substra.fullname" . }}-worker-event
   labels:
     {{ include "substra.labels" . | nindent 4 }}
     app.kubernetes.io/name: {{ template "substra.name" . }}
@@ -88,15 +91,15 @@ subjects:
     name: {{ include "substra.worker.events.serviceAccountName" . }}
 roleRef:
   kind: Role
-  name: {{ template "substra.fullname" . }}worker-event
+  name: {{ template "substra.fullname" . }}-worker-event
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- if .Values.api.events.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "substra.fullname" . }}api-event
+  name: {{ template "substra.fullname" . }}-api-event
   labels:
     {{ include "substra.labels" . | nindent 4 }}
     app.kubernetes.io/name: {{ template "substra.name" . }}
@@ -106,7 +109,7 @@ metadata:
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "substra.fullname" . }}api-event
+  name: {{ template "substra.fullname" . }}-api-event
   labels:
     {{ include "substra.labels" . | nindent 4 }}
     app.kubernetes.io/name: {{ template "substra.name" . }}
@@ -118,7 +121,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "substra.fullname" . }}api-event
+  name: {{ template "substra.fullname" . }}-api-event
   labels:
     {{ include "substra.labels" . | nindent 4 }}
     app.kubernetes.io/name: {{ template "substra.name" . }}
@@ -127,6 +130,6 @@ subjects:
     name: {{ include "substra.api.events.serviceAccountName" . }}
 roleRef:
   kind: Role
-  name: {{ template "substra.fullname" . }}api-event
+  name: {{ template "substra.fullname" . }}-api-event
   apiGroup: rbac.authorization.k8s.io
 {{- end }}