chmod secrets in an emptyDir (avoiding need for root to chown to running user)

bpow · bpow · commit a4abe35674e4 · 2024-07-02T21:05:21.000-04:00
This relies on the fact that an emptyDir is set up with appropriate permissions for whichever userid is running in the pod. The prior solution required running chown/chmod by root in the init container. This obviates the need for root, which is not permitted in many kubernetes installs as a security precaution. Fixes zitadel#177 and also fixes zitadel#178 (since there is no chown anymore).
diff --git a/charts/zitadel/templates/_helpers.tpl b/charts/zitadel/templates/_helpers.tpl
@@ -72,7 +72,7 @@ Create copy command or empty string
 */}}
 {{- define "zitadel.makecpcommand" -}}
 {{- if .value -}}
-{{ printf "cp -r %s /chowned-secrets/" .path }}
+{{ printf "cp -rL %s /copied-secrets/" .path }}
 {{- end -}}
 {{- end -}}
 
diff --git a/charts/zitadel/templates/debug_replicaset.yaml b/charts/zitadel/templates/debug_replicaset.yaml
@@ -63,8 +63,9 @@ spec:
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
+          - name: copied-secrets
             mountPath: /.secrets
+            readOnly: true
       {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }}
       initContainers:
         - args:
@@ -73,16 +74,16 @@ spec:
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
               (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
-              )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
+              )) }} find /copied-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
           - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
-          name: chown
+          image: "{{ .Values.copySecretsImage.repository }}:{{ .Values.copySecretsImage.tag }}"
+          imagePullPolicy: {{ .Values.copySecretsImage.pullPolicy }}
+          name: copy-secrets
           volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+          - name: copied-secrets
+            mountPath: /copied-secrets
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
@@ -99,9 +100,6 @@ spec:
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
           {{- end }}
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
       {{- end }}
       volumes:
       - name: zitadel-config-yaml
@@ -132,7 +130,7 @@ spec:
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
       {{- end }}
-      - name: chowned-secrets
+      - name: copied-secrets
         emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
diff --git a/charts/zitadel/templates/deployment.yaml b/charts/zitadel/templates/deployment.yaml
@@ -154,8 +154,9 @@ spec:
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
+          - name: copied-secrets
             mountPath: /.secrets
+            readOnly: true
           {{- if .Values.zitadel.selfSignedCert.enabled }}
           - name: tls
             mountPath: /etc/tls
@@ -165,6 +166,7 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 14 }}
+      {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }}
       initContainers:
         - args:
           - "{{ include "zitadel.joincpcommands" (dict "commands" (list
@@ -173,16 +175,16 @@ spec:
               (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.serverSslCrtSecret "path" "/server-ssl-crt/" ))
-              )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
+              )) }} find /copied-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
           - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
-          name: chown
+          image: "{{ .Values.copySecretsImage.repository }}:{{ .Values.copySecretsImage.tag }}"
+          imagePullPolicy: {{ .Values.copySecretsImage.pullPolicy }}
+          name: copy-secrets
           volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+          - name: copied-secrets
+            mountPath: /copied-secrets
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
@@ -203,9 +205,6 @@ spec:
           - name: server-ssl-crt
             mountPath: /server-ssl-crt
           {{- end }}
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
         {{- if .Values.zitadel.selfSignedCert.enabled }}
         - name: generate-self-signed-cert
           image: alpine/openssl
@@ -229,8 +228,8 @@ spec:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             privileged: false
-            runAsUser: 1000
         {{- end }}
+      {{- end }}
       volumes:
       - name: zitadel-config-yaml
         configMap:
@@ -265,7 +264,7 @@ spec:
         secret:
           secretName: {{ .Values.zitadel.serverSslCrtSecret }}
       {{- end }}
-      - name: chowned-secrets
+      - name: copied-secrets
         emptyDir: {}
       {{- if .Values.zitadel.selfSignedCert.enabled }}
       - name: tls
diff --git a/charts/zitadel/templates/initjob.yaml b/charts/zitadel/templates/initjob.yaml
@@ -92,8 +92,9 @@ spec:
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
+          - name: copied-secrets
             mountPath: /.secrets
+            readOnly: true
           {{- with .Values.extraVolumeMounts }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
@@ -111,16 +112,16 @@ spec:
             (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslAdminCrtSecret "path" "/db-ssl-admin-crt/" ))
             (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
             (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
-          )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
+          )) }} find /copied-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
           - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
+          image: "{{ .Values.copySecretsImage.repository }}:{{ .Values.copySecretsImage.tag }}"
+          imagePullPolicy: {{ .Values.copySecretsImage.pullPolicy }}
           name: chown
           volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+          - name: copied-secrets
+            mountPath: /copied-secrets
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
@@ -141,9 +142,6 @@ spec:
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
           {{- end }}
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
       {{- end}}
       volumes:
       - name: zitadel-config-yaml
@@ -179,7 +177,7 @@ spec:
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
       {{- end }}
-      - name: chowned-secrets
+      - name: copied-secrets
         emptyDir: {}
       {{- with .Values.extraVolumes }}
       {{- toYaml . | nindent 6 }}
diff --git a/charts/zitadel/templates/setupjob.yaml b/charts/zitadel/templates/setupjob.yaml
@@ -95,8 +95,9 @@ spec:
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
+          - name: copied-secrets
             mountPath: /.secrets
+            readOnly: true
           {{- if include "deepCheck" (dict "root" .Values "path" (splitList "." "zitadel.configmapConfig.FirstInstance.Org.Machine")) }}
           - name: machinekey
             mountPath: "/machinekey"
@@ -138,16 +139,16 @@ spec:
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
               (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
-              )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
+              )) }} find /copied-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
           - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
-          name: chown
+          image: "{{ .Values.copySecretsImage.repository }}:{{ .Values.copySecretsImage.tag }}"
+          imagePullPolicy: {{ .Values.copySecretsImage.pullPolicy }}
+          name: copy-secrets
           volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+          - name: copied-secrets
+            mountPath: /copied-secrets
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
@@ -164,9 +165,6 @@ spec:
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
           {{- end }}
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
       {{- end }}
       volumes:
       - name: zitadel-config-yaml
@@ -201,7 +199,7 @@ spec:
       - name: machinekey
         emptyDir: { }
       {{- end }}
-      - name: chowned-secrets
+      - name: copied-secrets
         emptyDir: {}
       {{- with .Values.extraVolumes }}
       {{- toYaml . | nindent 6 }}
diff --git a/charts/zitadel/values.yaml b/charts/zitadel/values.yaml
@@ -82,7 +82,7 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
-chownImage:
+copySecretsImage:
   repository: alpine
   pullPolicy: IfNotPresent
   tag: "3.19"
@@ -119,9 +119,9 @@ podAdditionalLabels: {}
 
 podSecurityContext:
   runAsNonRoot: true
-  runAsUser: 1000
 
-securityContext: {}
+securityContext:
+  runAsNonRoot: true
 
 # Additional environment variables
 env:
