🐛 Update PVC permissions (#395)

Signed-off-by: Jason Montleon <[email protected]>
(cherry picked from commit a09410d)

Author: jmontleon

bundle/manifests/konveyor-operator.clusterserviceversion.yaml

@@ -103,7 +103,7 @@ metadata:
     categories: Modernization & Migration
     certified: "false"
     containerImage: quay.io/konveyor/tackle2-operator:latest
-    createdAt: "2024-10-09T15:56:59Z"
+    createdAt: "2024-11-07T18:19:51Z"
     description: Konveyor is an open-source application modernization platform that
       helps organizations safely and predictably modernize applications to Kubernetes
       at scale.
@@ -331,6 +331,14 @@ spec:
           - '*'
           verbs:
           - '*'
+        - apiGroups:
+          - security.openshift.io
+          resourceNames:
+          - anyuid
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
         serviceAccountName: tackle-hub
       - rules:
         - apiGroups:

helm/templates/rbac/hub_role.yaml

@@ -12,3 +12,11 @@ rules:
   - '*'
   verbs:
   - '*'
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - anyuid
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use

roles/tackle/tasks/main.yml

@@ -3,6 +3,15 @@
   set_fact:
     api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
 
+- name: Gather Facts
+  ansible.builtin.gather_facts:
+    gather_subset:
+      - user_uid
+
+- name: "Retrieve UID"
+  set_fact:
+    hub_uid: "{{ ansible_facts['user_uid'] }}"
+
 - name: "Transfer rwx_storage_class setting if hub_bucket_storage_class is not defined"
   set_fact:
     hub_bucket_storage_class: "{{ rwx_storage_class }}"
@@ -562,6 +571,37 @@
     definition: "{{ lookup('template', 'route-ui.yml.j2') }}"
   when: openshift_cluster|bool
 
+- name: "Check if Cache PersistentVolumeClaim exists"
+  kubernetes.core.k8s_info:
+    api_version: v1
+    kind: PersistentVolumeClaim
+    namespace: "{{ app_namespace }}"
+    name: "{{ cache_data_volume_claim_name }}"
+  register: cache_pvc
+
+- name: "Delete cache PVC if non-root label is missing so it can be recreated"
+  when: cache_pvc.resources|length > 0 and cache_pvc.resources[0].metadata.labels['non-root'] is not defined
+  block:
+    - name: Scale down Hub
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'deployment-hub.yml.j2') }}"
+        merge_type: merge
+      vars:
+        hub_deployment_replicas: 0
+
+    - name: Delete cache PVC
+      k8s:
+        state: absent
+        definition: "{{ lookup('template', 'persistentvolumeclaim-cache.yml.j2') }}"
+        wait: true
+
+    - name: Scale up Hub
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'deployment-hub.yml.j2') }}"
+        merge_type: merge
+
 - name: "Setup Cache PersistentVolumeClaim"
   k8s:
     state: present

roles/tackle/templates/deployment-hub.yml.j2

@@ -204,6 +204,8 @@ spec:
             requests:
               cpu: {{ hub_container_requests_cpu }}
               memory: {{ hub_container_requests_memory }}
+          securityContext:
+            runAsUser: {{ hub_uid }}
 # TODO: Add liveness and readiness probes
           volumeMounts:
             - name: {{ hub_database_volume_name }}
@@ -218,6 +220,23 @@ spec:
             - name: {{ hub_tls_secret_name }}
               mountPath: /var/run/secrets/{{ hub_tls_secret_name }}/tls.crt
 {% endif %}
+      initContainers:
+        - command:
+            - chown
+            - -R
+            - {{ hub_uid }}:root
+            - {{ hub_database_volume_path }}
+            - {{ hub_bucket_volume_path }}
+          image: "{{ hub_image_fqin }}"
+          imagePullPolicy: "{{ image_pull_policy }}"
+          name: update-perms
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - mountPath: {{ hub_database_volume_path }}
+              name: {{ hub_database_volume_name }}
+            - mountPath: {{ hub_bucket_volume_path }}
+              name: {{ hub_bucket_volume_name }}
       volumes:
 {% if rwx_supported|bool %}
         - name: {{ cache_data_volume_name }}

roles/tackle/templates/persistentvolumeclaim-cache.yml.j2

@@ -8,6 +8,7 @@ metadata:
     app.kubernetes.io/name: {{ cache_name }}
     app.kubernetes.io/part-of: {{ app_name }}
     volume: {{ cache_data_volume_name }}
+    non-root: "true"
 spec:
   accessModes:
     - "{{ cache_data_volume_claim_mode }}"