
Configure alfresco-global.properties file using helm #989

Closed
gnieser opened this issue Aug 18, 2023 · 6 comments
Labels
question Further information is requested

Comments

@gnieser

gnieser commented Aug 18, 2023

Hello,

I'm trying to deploy Alfresco on Kubernetes using the Helm charts.
There are many properties to configure in alfresco-global.properties.

Unfortunately, it's not clear to me how I can set my own alfresco-global.properties through the Helm charts.

From what I see, the alfresco-global.properties is mounted from a volume

```yaml
volumeMounts:
{{- if and (index .Values "alfresco-search" "enabled") (eq .Values.global.tracking.auth "secret") }}
- name: repository-properties
  mountPath: /usr/local/tomcat/shared/classes/alfresco-global.properties
  subPath: alfresco-global.properties
{{- end }}
```

The volume comes from the alfresco-repository-properties-secret secret

```yaml
{{- if and (index .Values "alfresco-search" "enabled") (eq .Values.global.tracking.auth "secret") }}
  - name: repository-properties
    secret:
      secretName: {{ template "alfresco.shortname" . }}-repository-properties-secret
      defaultMode: 0400
      items:
        - key: alfresco-global.properties
          path: alfresco-global.properties
{{- end }}
```

But the secret is not extensible, it only defines the solr-sharedSecret.

```yaml
{{- if and (index .Values "alfresco-search" "enabled") (eq .Values.global.tracking.auth "secret") }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "alfresco.shortname" . }}-repository-properties-secret
  labels:
    {{- include "repository.labels" . | nindent 4 }}
type: Opaque
data:
  alfresco-global.properties: {{ printf "%s%s" "solr.sharedSecret=" (include "tracking-shared-secret" .) | b64enc | quote }}
{{- end }}
```

I'm looking at configuring properties such as authentication.chain, identity-service.*. It works fine if I manually edit the created secret after deployment but this defeats the purpose of Helm charts and GitOps.

Could you please point me towards a solution?
Thanks

@gionn
Member

gionn commented Aug 18, 2023

Hello, unfortunately the current way to add custom properties is to override JAVA_OPTS entirely via values (make sure to keep default one for better compatibility)

There is an ongoing effort to simplify this common use case for the next release, which will provide support for providing a custom configmap/secret as a source for properties.

Let me know if you have additional concerns.

@gionn gionn added the question Further information is requested label Aug 18, 2023
@gnieser
Author

gnieser commented Aug 18, 2023

Thank you for the swift response! I'll look at overriding JAVA_OPTS.

Additional concerns are unrelated to alfresco-global.properties. My first deployment failed because:

  • several Ingress resources have an annotation to set their class to nginx. Not all of them can change the value. I would rather have the annotation completely optional; at least the class name should be configurable, because the IngressClass is a cluster resource and not bound to a namespace, so conflicts are to be expected, especially with a name as widespread as nginx.
  • several Pods require higher privileges to run. I'm forced to relax some Security Context Constraints to allow them to run. It would be much easier to adopt Alfresco in our clusters if it runs with something like OpenShift default restricted-v2 [1] profile.

[1] https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html

@gionn
Member

gionn commented Aug 18, 2023

  • several Ingress resources have an annotation to set their class to nginx. Not all of them can change the value. I would rather have the annotation completely optional; at least the class name should be configurable, because the IngressClass is a cluster resource and not bound to a namespace, so conflicts are to be expected, especially with a name as widespread as nginx.

that's another concern we are trying to address soon, right now we are not really supporting any other ingress than ingress-nginx

  • several Pods require higher privileges to run. I'm forced to relax some Security Context Constraints to allow them to run. It would be much easier to adopt Alfresco in our clusters if it runs with something like OpenShift default restricted-v2 [1] profile.

we are aware of this issue with the share image/pod, but I don't recall any others; it could help if you can provide additional details for them.

@gnieser
Author

gnieser commented Aug 21, 2023

we are aware of this issue with the share image/pod, but I don't recall any others; it could help if you can provide additional details for them.

Sure. With default SCC settings, an attempt to deploy the Helm chart on Code Ready Container / OpenShift Local 4.13 results in the following issues.

```
W0821 07:57:17.613177    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.631141    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.631141    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "activemq" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635153    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635572    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.639977    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.655524    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-search" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.782326    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
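The warnings above are easier to act on per container than per line. The script below is an added example, not code from the issue or from the Alfresco charts: it parses kube-apiserver PodSecurity warnings of this shape into a container-to-failed-checks map and derives the securityContext fragment the restricted profile asks for. The sample lines are a constructed subset of the ones quoted above.

```python
from __future__ import annotations
import re

# Constructed sample: three of the PodSecurity admission warnings quoted in this issue.
SAMPLE_WARNINGS = """\
W0821 07:57:17.613177    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.635572    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
"""

# A warning line: '... would violate PodSecurity "<profile>": <finding>, <finding>, ...'
WARNING_RE = re.compile(r'would violate PodSecurity "(?P<profile>[^"]+)": (?P<findings>.*)$')
# One finding: '<check> (pod or container "a", "b" must ...)'
FINDING_RE = re.compile(r'(?P<check>[^(),]+?) \((?:pod or )?containers? (?P<names>(?:"[^"]+"(?:, )?)+) must')

# securityContext settings the restricted profile expects for each check name,
# taken from the wording of the warning messages themselves.
REMEDIATION = {
    "runAsNonRoot != true": {"runAsNonRoot": True},
    "allowPrivilegeEscalation != false": {"allowPrivilegeEscalation": False},
    "unrestricted capabilities": {"capabilities": {"drop": ["ALL"]}},
    "seccompProfile": {"seccompProfile": {"type": "RuntimeDefault"}},
}


def parse_warnings(text: str) -> dict[str, set[str]]:
    """Map each container named in the warnings to the set of checks it fails."""
    failures: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue  # not a PodSecurity warning, skip it
        for f in FINDING_RE.finditer(m.group("findings")):
            check = f.group("check").strip()
            for name in re.findall(r'"([^"]+)"', f.group("names")):
                failures.setdefault(name, set()).add(check)
    return failures


def security_context_for(checks: set[str]) -> dict:
    """Build the container securityContext fragment that satisfies the given checks."""
    ctx: dict = {}
    for check in sorted(checks):
        ctx.update(REMEDIATION.get(check, {}))
    return ctx


if __name__ == "__main__":
    for container, checks in sorted(parse_warnings(SAMPLE_WARNINGS).items()):
        print(container, "->", security_context_for(checks))
```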

@gnieser
Author

gnieser commented Aug 21, 2023

I created a distinct issue #990 for this.

@gionn
Member

gionn commented Aug 21, 2023

Thanks, I am going to close this then. 👍🏻

@gionn gionn closed this as completed Aug 21, 2023