Draft: Fix 'permission denied' in Self-Signed Certificates Job

Mitchell Nielsen requested to merge 103-fix-selfsigned-job-permissions into master

Summary

Unsets the securityContext.runAsUser and securityContext.runAsGroup on the Self Signed Certificates Job, allowing the defaults from the GitLab Helm Charts to be used:

  • runAsUser: 65534
  • fsGroup: 65534

Before this, the values were set to an empty map, meaning that the initContainer runs as root when generating the certificates, and the container runs as 65534, meaning it doesn't have permissions to read the files created by root when using kubectl to create the secrets.

Closes #103 (closed)

Testing

apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
spec:
  chart:
    version: "5.7.0"
    values:
      global:
        ingress:
          configureCertmanager: false # to trigger Self Signed Certs
        hosts:
          domain: yourdomain.com
          externalIP: yourExternalIP # optional if you use 'external-dns' or connect manually

  1. Confirm that Self-Signed Certificates job passes
  2. Confirm that $RELEASE_NAME-wildcard-tls Secret is created
Edited by Mitchell Nielsen
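
The UID mismatch described in the Summary, as an added example (not code from this merge request, the operator, or the GitLab charts): it resolves the effective UID of each container in a pod spec and reports volumes shared between an initContainer and a container that run as different users. The container names, the volume name, and the `imageUser` key (a stand-in for the image's USER directive) are assumptions made for the example.

```python
# Added example: the pod specs below are constructed, not taken from the chart.
ROOT = 0


def effective_uid(pod_sc, container):
    """Container-level runAsUser wins, then pod-level, then the image's USER."""
    c_sc = container.get("securityContext") or {}
    if "runAsUser" in c_sc:
        return c_sc["runAsUser"]
    if "runAsUser" in pod_sc:
        return pod_sc["runAsUser"]
    # Assumption: "imageUser" is a hypothetical key modelling the image's USER
    # directive; it is not a Kubernetes field. Images without USER run as root.
    return container.get("imageUser", ROOT)


def uid_mismatches(pod_spec):
    """List (volume, init, init_uid, container, uid) where the UIDs differ."""
    pod_sc = pod_spec.get("securityContext") or {}
    findings = []
    for init in pod_spec.get("initContainers", []):
        init_uid = effective_uid(pod_sc, init)
        init_vols = {m["name"] for m in init.get("volumeMounts", [])}
        for c in pod_spec.get("containers", []):
            uid = effective_uid(pod_sc, c)
            shared = init_vols & {m["name"] for m in c.get("volumeMounts", [])}
            if uid != init_uid:
                findings.extend(
                    (v, init["name"], init_uid, c["name"], uid) for v in sorted(shared)
                )
    return findings


def job_pod(security_context):
    """Constructed Job pod: an init step writes certs, a second step reads them."""
    mount = [{"name": "certs-path", "mountPath": "/output"}]
    return {
        "securityContext": security_context,
        "initContainers": [{"name": "cfssl", "volumeMounts": mount}],
        "containers": [{"name": "kubectl", "imageUser": 65534, "volumeMounts": mount}],
    }


BEFORE = job_pod({})  # empty map: nothing overrides the image users
AFTER = job_pod({"runAsUser": 65534, "fsGroup": 65534})  # chart defaults apply

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, uid_mismatches(spec) or "no UID mismatch on shared volumes")
```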
