
feat: Added ReadOnlyRootFileSystem to the Argo CD components (argoproj-labs#1659)
* Adding readOnlyRootFileSystem to all components and mounting required volumes Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> * Removed reposerver tls secret volume mount for appset Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> * Fixed failing e2e tests Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> * Adjusted the ordering of RunAsUser Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> * Make root FS writeable for Keycloak Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> * removed runasuser for redis deployment Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> * Handle write failures post upgrade for Dex component Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com> --------- Signed-off-by: Anand Francis Joseph <anjoseph@redhat.com>
1 parent 876225a commit 59899ee


13 files changed

+384
-38
lines changed


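--- a/config/default/manager_webhook_patch.yaml
+++ b/config/default/manager_webhook_patch.yaml
@@ -21,3 +21,4 @@ spec:
 secret:
 defaultMode: 420
 secretName: webhook-server-cert
+optional: true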
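Review bot: Marking webhook-server-cert as optional means the manager pod now starts when the certificate secret is missing or mis-named, so that misconfiguration no longer shows up as a pending pod; whether the admission path then fails closed or silently degrades depends on the webhook server's behaviour and the registration's failurePolicy, neither of which this patch shows. Record the intent next to the line so operators understand the trade-off: `# optional: the operator must start on clusters without cert-manager/webhook certs; the webhook server must refuse to serve when this volume is empty`. Confirm that the webhook server actually refuses to start without the cert rather than listening without TLS.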

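--- a/controllers/argocd/deployment.go
+++ b/controllers/argocd/deployment.go
@@ -169,6 +169,10 @@ func getArgoImportVolumeMounts() []corev1.VolumeMount {
 Name: "secret-storage",
 MountPath: "/secrets",
 })
+mounts = append(mounts, corev1.VolumeMount{
+Name: "tmp",
+MountPath: "/tmp",
+})
 
 return mounts
 }
@@ -204,6 +208,12 @@ func getArgoImportVolumes(cr *argoprojv1alpha1.ArgoCDExport) []corev1.Volume {
 },
 })
 
+volumes = append(volumes, corev1.Volume{
+Name: "tmp",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+})
 return volumes
 }
 
@@ -492,7 +502,8 @@ func (r *ReconcileArgoCD) reconcileRedisDeployment(cr *argoproj.ArgoCD, useTLS b
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -695,7 +706,8 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyDeployment(cr *argoproj.ArgoCD) e
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -735,7 +747,8 @@ func (r *ReconcileArgoCD) reconcileRedisHAProxyDeployment(cr *argoproj.ArgoCD) e
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -965,7 +978,8 @@ func (r *ReconcileArgoCD) reconcileRepoDeployment(cr *argoproj.ArgoCD, useTLSFor
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -1076,7 +1090,8 @@ func (r *ReconcileArgoCD) reconcileRepoDeployment(cr *argoproj.ArgoCD, useTLSFor
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -1411,6 +1426,18 @@ func (r *ReconcileArgoCD) reconcileServerDeployment(cr *argoproj.ArgoCD, useTLSF
 Name: common.ArgoCDRedisServerTLSSecretName,
 MountPath: "/app/config/server/tls/redis",
 },
+{
+Name: "plugins-home",
+MountPath: "/home/argocd",
+},
+{
+Name: "argocd-cmd-params-cm",
+MountPath: "/home/argocd/params",
+},
+{
+Name: "tmp",
+MountPath: "/tmp",
+},
 }
 
 if cr.Spec.Server.VolumeMounts != nil {
@@ -1458,7 +1485,8 @@ func (r *ReconcileArgoCD) reconcileServerDeployment(cr *argoproj.ArgoCD, useTLSF
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -1506,6 +1534,35 @@ func (r *ReconcileArgoCD) reconcileServerDeployment(cr *argoproj.ArgoCD, useTLSF
 },
 },
 },
+{
+Name: "plugins-home",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
+{
+Name: "argocd-cmd-params-cm",
+VolumeSource: corev1.VolumeSource{
+ConfigMap: &corev1.ConfigMapVolumeSource{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "argocd-cmd-params-cm",
+},
+Optional: boolPtr(true),
+Items: []corev1.KeyToPath{
+{
+Key: "server.profile.enabled",
+Path: "profiler.enabled",
+},
+},
+},
+},
+},
+{
+Name: "tmp",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
 }
 
 if cr.Spec.Server.Volumes != nil {
@@ -1778,6 +1835,9 @@ func getRolloutInitContainer() []corev1.Container {
 "ALL",
 },
 },
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
+RunAsUser: int64Ptr(999),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },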
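Review bot: `RunAsUser: int64Ptr(999)` at new line 1840 in getRolloutInitContainer hard-codes a UID while every other container touched by this commit relies on `RunAsNonRoot` alone; on clusters that allocate a UID range per namespace (OpenShift's restricted SCCs) a fixed UID outside that range is rejected at admission, and the commit message says runAsUser was removed from redis, presumably for that reason. Unless the rollout-extension image genuinely needs 999, drop that line and keep `RunAsNonRoot: boolPtr(true)`; if it does, say so next to it: `// UID 999 is required by the extension image; will not admit on SCCs that assign UID ranges — TODO confirm`. Separately, the new emptyDir volumes backing /tmp and /home/argocd (new lines 211-216 and 1537-1565) carry no SizeLimit, so with the root filesystem now read-only all runtime writes go to an unbounded node-local volume unless the pod also has an ephemeral-storage limit; consider `EmptyDir: &corev1.EmptyDirVolumeSource{SizeLimit: ...}` with a modest bound. getRolloutInitContainer and reconcileServerDeployment both start and end outside these hunks.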

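--- a/controllers/argocd/deployment_test.go
+++ b/controllers/argocd/deployment_test.go
@@ -1301,7 +1301,8 @@ func TestReconcileArgoCD_reconcileServerDeployment(t *testing.T) {
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -1745,7 +1746,8 @@ func TestReconcileArgoCD_reconcileServerDeploymentWithInsecure(t *testing.T) {
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -1852,7 +1854,8 @@ func TestReconcileArgoCD_reconcileServerDeploymentChangedToInsecure(t *testing.T
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
@@ -2317,6 +2320,35 @@ func serverDefaultVolumes() []corev1.Volume {
 },
 },
 },
+{
+Name: "plugins-home",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
+{
+Name: "argocd-cmd-params-cm",
+VolumeSource: corev1.VolumeSource{
+ConfigMap: &corev1.ConfigMapVolumeSource{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: "argocd-cmd-params-cm",
+},
+Optional: boolPtr(true),
+Items: []corev1.KeyToPath{
+{
+Key: "server.profile.enabled",
+Path: "profiler.enabled",
+},
+},
+},
+},
+},
+{
+Name: "tmp",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
 }
 return volumes
 }
@@ -2336,6 +2368,18 @@ func serverDefaultVolumeMounts() []corev1.VolumeMount {
 Name: common.ArgoCDRedisServerTLSSecretName,
 MountPath: "/app/config/server/tls/redis",
 },
+{
+Name: "plugins-home",
+MountPath: "/home/argocd",
+},
+{
+Name: "argocd-cmd-params-cm",
+MountPath: "/home/argocd/params",
+},
+{
+Name: "tmp",
+MountPath: "/tmp",
+},
 }
 return mounts
 }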
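Review bot: The fixtures serverDefaultVolumes and serverDefaultVolumeMounts (new lines 2323-2351 and 2371-2382) restate the production slices verbatim, so the equality tests that consume them will pass even when a mount has no backing volume — exactly the failure mode a read-only root filesystem turns into a pod that never starts. Add a cross-check so the two fixtures are validated against each other rather than only against the implementation. The test functions whose bodies these hunks touch start and end outside the hunks.

```go
// … unchanged: serverDefaultVolumes / serverDefaultVolumeMounts fixtures …
func TestServerDefaultVolumeMountsAreBacked(t *testing.T) {
	backed := map[string]bool{}
	for _, v := range serverDefaultVolumes() {
		backed[v.Name] = true
	}
	for _, m := range serverDefaultVolumeMounts() {
		if !backed[m.Name] {
			t.Errorf("volume mount %q has no backing volume", m.Name)
		}
	}
}
```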

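--- a/controllers/argocd/dex.go
+++ b/controllers/argocd/dex.go
@@ -282,15 +282,22 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
 },
-VolumeMounts: []corev1.VolumeMount{{
-Name: "static-files",
-MountPath: "/shared",
-}},
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "static-files",
+MountPath: "/shared",
+},
+{
+Name: "dexconfig",
+MountPath: "/tmp",
+},
+},
 }}
 
 deploy.Spec.Template.Spec.InitContainers = []corev1.Container{{
@@ -312,24 +319,38 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 "ALL",
 },
 },
-RunAsNonRoot: boolPtr(true),
+ReadOnlyRootFilesystem: boolPtr(true),
+RunAsNonRoot: boolPtr(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: "RuntimeDefault",
 },
 },
-VolumeMounts: []corev1.VolumeMount{{
-Name: "static-files",
-MountPath: "/shared",
-}},
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "static-files",
+MountPath: "/shared",
+},
+{
+Name: "dexconfig",
+MountPath: "/tmp",
+}},
 }}
 
 deploy.Spec.Template.Spec.ServiceAccountName = fmt.Sprintf("%s-%s", cr.Name, common.ArgoCDDefaultDexServiceAccountName)
-deploy.Spec.Template.Spec.Volumes = []corev1.Volume{{
-Name: "static-files",
-VolumeSource: corev1.VolumeSource{
-EmptyDir: &corev1.EmptyDirVolumeSource{},
+deploy.Spec.Template.Spec.Volumes = []corev1.Volume{
+{
+Name: "static-files",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
 },
-}}
+{
+Name: "dexconfig",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
+}
 
 existing := newDeploymentWithSuffix("dex-server", "dex-server", cr)
 if argoutil.IsObjectFound(r.Client, cr.Namespace, existing.Name, existing) {
@@ -409,6 +430,22 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 explanation += "container security context"
 changed = true
 }
+if !reflect.DeepEqual(deploy.Spec.Template.Spec.Containers[0].VolumeMounts, existing.Spec.Template.Spec.Containers[0].VolumeMounts) {
+existing.Spec.Template.Spec.Containers[0].VolumeMounts = deploy.Spec.Template.Spec.Containers[0].VolumeMounts
+if changed {
+explanation += ", "
+}
+explanation += "container volume mounts"
+changed = true
+}
+if !reflect.DeepEqual(deploy.Spec.Template.Spec.Volumes, existing.Spec.Template.Spec.Volumes) {
+existing.Spec.Template.Spec.Volumes = deploy.Spec.Template.Spec.Volumes
+if changed {
+explanation += ", "
+}
+explanation += "volumes"
+changed = true
+}
 
 if changed {
 argoutil.LogResourceUpdate(log, existing, "updating", explanation)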
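Review bot: The dexconfig emptyDir that now backs /tmp (new lines 347-352) defaults to node-local disk, and with the dex container's root filesystem read-only everything dex writes at runtime lands there; the volume name suggests it holds the rendered dex configuration, which presumably carries connector client secrets, so keep it off disk with `EmptyDir: &corev1.EmptyDirVolumeSource{Medium: corev1.StorageMediumMemory}` and add a `SizeLimit` if the cluster accounts memory-backed volumes against the pod. The same volume is also mounted into the init container at new lines 333-336; unless that container writes to /tmp, drop the mount so the init step cannot pre-seed files the main container later reads as its config. The comparison added at new lines 433-448 replaces the existing pod's VolumeMounts and Volumes wholesale, which is what repairs pods created before this upgrade, but it will also discard any volume an operator patched onto the deployment by hand — confirm that is intended and note it in a comment. reconcileDexDeployment starts and ends outside these hunks.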
