Merge pull request #219 from cognifloyd/stanley_rsa-permissions

Fix stanley_rsa permissions via postStart pod lifecycle hook

Author: arm4b

CHANGELOG.md

@@ -14,6 +14,7 @@
 * Add advanced pod placment (nodeSelector, affinity, tolerations) to specs for batch Jobs pods. (#193) (by @cognifloyd)
 * Allow adding dnsPolicy and/or dnsConfig to all pods. (#201) (by @cognifloyd)
 * Move st2-config-vol volume definition and list of st2-config-vol volumeMounts to helpers to reduce duplication (#198) (by @cognifloyd)
+* Fix permissions for /home/stanley/.ssh/stanley_rsa using the postStart lifecycle hook (#219) (by @cognifloyd)
 
 ## v0.60.0
 * Switch st2 version to `v3.5dev` as a new latest development version (#187)

templates/configmaps_post-start-script.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $.Release.Name }}-st2actionrunner-post-start-script
+  annotations:
+    description: Custom postStart lifecycle event handler script for st2actionrunner
+  labels:
+    app: st2
+    tier: backend
+    vendor: stackstorm
+    chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
+data:
+  # k8s calls this script in parallel with starting st2actionrunner (ie the same time as ENTRYPOINT)
+  # The pod will not be marked as "running" until this script completes successfully.
+  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
+  post-start.sh: |
+    #!/bin/bash
+    mkdir -p /home/stanley/.ssh
+    cp -L /home/stanley/.ssh{-key-vol,}/stanley_rsa
+    chown -R stanley:stanley /home/stanley/.ssh/
+    chmod 400 /home/stanley/.ssh/stanley_rsa
+    chmod 500 /home/stanley/.ssh

templates/deployments.yaml

@@ -1020,8 +1020,7 @@ spec:
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         - name: st2-ssh-key-vol
-          mountPath: /home/stanley/.ssh/
-          readOnly: true
+          mountPath: /home/stanley/.ssh-key-vol/
         {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
@@ -1035,6 +1034,13 @@ spec:
           mountPath: /opt/stackstorm/virtualenvs
           readOnly: true
         {{- end }}
+        - name: st2-post-start-script-vol
+          mountPath: /post-start.sh
+          subPath: post-start.sh
+        lifecycle:
+          postStart:
+            exec:
+              command: ["/bin/bash", "/post-start.sh"]
         resources:
           {{- toYaml .Values.st2actionrunner.resources | nindent 10 }}
     {{- if .Values.st2actionrunner.serviceAccount.attach }}
@@ -1061,6 +1067,9 @@ spec:
         {{- if .Values.st2.packs.images }}
 {{- include "packs-volumes" . | indent 8 }}
         {{- end }}
+        - name: st2-post-start-script-vol
+          configMap:
+            name: {{ .Release.Name }}-st2actionrunner-post-start-script
     {{- if .Values.dnsPolicy }}
       dnsPolicy: {{ .Values.dnsPolicy }}
     {{- end }}
@@ -1259,8 +1268,7 @@ spec:
         - name: st2client-config-vol
           mountPath: /root/.st2/
         - name: st2-ssh-key-vol
-          mountPath: /home/stanley/.ssh/
-          readOnly: true
+          mountPath: /home/stanley/.ssh-key-vol/
         {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
@@ -1274,10 +1282,17 @@ spec:
           mountPath: /opt/stackstorm/virtualenvs
           readOnly: true
         {{- end }}
+        - name: st2-post-start-script-vol
+          mountPath: /post-start.sh
+          subPath: post-start.sh
         command:
           - 'bash'
           - '-ec'
           - 'while true; do sleep 999; done'
+        lifecycle:
+          postStart:
+            exec:
+              command: ["/bin/bash", "/post-start.sh"]
         resources:
           requests:
             memory: "5Mi"
@@ -1320,6 +1335,9 @@ spec:
         {{- if .Values.st2.packs.images }}
 {{- include "packs-volumes" . | indent 8 }}
         {{- end }}
+        - name: st2-post-start-script-vol
+          configMap:
+            name: {{ .Release.Name }}-st2actionrunner-post-start-script
 
 {{ if .Values.st2chatops.enabled -}}
 ---

tests/st2tests.sh

@@ -52,6 +52,18 @@ load "${BATS_HELPERS_DIR}/bats-file/load.bash"
   assert_line --partial 'succeeded: true'
 }
 
+@test 'stanley_rsa file has correct permissions and ownership' {
+  local ssh_dir="/home/stanley/.ssh"
+  local private_key="${ssh_dir}/stanley_rsa"
+  run st2 run core.local cmd="find ${ssh_dir} -printf '%p: %u %g %m\n'"
+  assert_success
+  assert_line --partial 'return_code: 0'
+  assert_line --partial "stderr: ''"
+  assert_line --partial "${ssh_dir}: stanley stanley 500"
+  assert_line --partial "${private_key}: stanley stanley 400"
+  assert_line --partial 'succeeded: true'
+}
+
 @test 'st2 chatops core rule is loaded' {
   run st2 rule list
   assert_success