Added pvc permissions chart

Author: sachingade20

cloudbees-cd/kubernetes/storage/nfs-permissions/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cloudbees-cd/kubernetes/storage/nfs-permissions/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: nfs-permissions
+description: TODO
+version: 0.1.0
+appVersion: N/A

cloudbees-cd/kubernetes/storage/nfs-permissions/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Cloudbees Flow Public Repos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

cloudbees-cd/kubernetes/storage/nfs-permissions/README.md

@@ -0,0 +1,36 @@
+Install Chart to update nfs permissions. 
+
+   This chart creates Persistent Volume and Persistent Volume claim with given nfs host and nfs path with storage.
+   Updated User/Group/Mode permissions for NFS . This chart runs a job which updates permission for NFS using command 
+   chown and chmod
+
+##  Common Configuration
+
+The following table lists the configurable parameters with their default values.
+
+|             Parameter   |                     Description                                                 |  Default Value  |
+|-------------------------|---------------------------------------------------------------------------------|-----------------|
+| `permissions.user`      |  Filesystem user for permission updates using command `chown user:group /path`  | None            |                                                 
+| `permissions.group`     |  Filesystem group for permission updates using command `chown user:group /path` | None            |                                                  
+| `permissions.mode`      |  Filesystem accessMode for permission updates using command `chmod 770 /path`   |  770            |                                                               
+| `nfs.host`              |  Required NFS Host.IP or DNS. Append port if not using default NFS port  `2049` | None            |                                                      
+| `nfs.path`              |  NFS path  to mount. e.g /                                                      |     /           |                                                      
+| `nfs.storage`           |  Storage size to mount for nfs. e.g 5Gi                                         |   5Gi           |                                                      
+| `nfs.accessMode`        |  Filesystem accessMode to create PV . ReadWriteOnce, ReadWriteMany              |   ReadWriteMany |                                                      
+-------------------------------------------------------------------------------------------------------------------------------
+
+
+helm install your-release-name nfs-permissions -f values-input.yaml
+
+e.g values-input.yaml
+```
+permissions:
+  mode: 770
+
+nfs:
+  storage: 5Gi
+  host: "10.141.161.42"
+  path: "/ocp"
+  accessMode: ReadWriteMany
+
+```

cloudbees-cd/kubernetes/storage/nfs-permissions/templates/NOTES.txt

@@ -0,0 +1 @@
+Kernel parameters should now be tuned.

cloudbees-cd/kubernetes/storage/nfs-permissions/templates/_helpers.tpl

@@ -0,0 +1,3 @@
+{{/*
+TODO add any required helper functions here
+*/}}

cloudbees-cd/kubernetes/storage/nfs-permissions/templates/nfs-job.yaml

@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: nfs-volume-permission-updates-{{ .Release.Name }}
+  labels:
+    app: nfs-volume-permission-updates
+    chart: {{ .Chart.Name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      labels:
+        app: nfs-permission-update
+        release: {{ .Release.Name }}
+    spec:
+{{- if .Values.podSecurityPolicy.enabled }}
+      serviceAccount: {{ .Release.Name }}
+{{- end }}
+      restartPolicy: Never
+      containers:
+          - name: tune
+            image: busybox:stable
+            securityContext:
+              privileged: true
+              runAsUser: 0
+            resources:
+              requests:
+                cpu: 1m
+                memory: 1Mi
+            command:
+            - sh
+            - -c
+            - |
+              set -ex
+              {{- if and .Values.permissions.user .Values.permissions.group }}
+              chown -R {{ .Values.permissions.user }}:{{ .Values.permissions.group }} /temp-pvc-path
+              {{- end }}
+              chmod -R {{  .Values.permissions.mode }} /temp-pvc-path/
+              sleep 1000
+            volumeMounts:
+            - name: nfs-pvc-mount
+              mountPath: /temp-pvc-path
+      volumes:
+        - name: nfs-pvc-mount
+          persistentVolumeClaim:
+            claimName: nfs-permission-update-pvc-{{ .Release.Name }}

cloudbees-cd/kubernetes/storage/nfs-permissions/templates/nfs-pv.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-permission-update-pv-{{ .Release.Name }}
+spec:
+  capacity:
+    storage: {{ .Values.nfs.storage | default "5Gi" }}
+  accessModes:
+  - ReadWriteMany
+  nfs: 
+    path: {{ .Values.nfs.path | default "/" }}
+    server: {{ required ".nfs.host is required " .Values.nfs.host  }}

cloudbees-cd/kubernetes/storage/nfs-permissions/templates/nfs-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-permission-update-pvc-{{ .Release.Name }}
+spec:
+  accessModes:
+  - {{ .Values.nfs.accessMode | default "ReadWriteMany" }}
+  storageClassName: ""
+  volumeName: nfs-permission-update-pv-{{ .Release.Name }}
+  resources:
+    requests:
+      storage: {{ .Values.nfs.storage | default "5Gi" }}

cloudbees-cd/kubernetes/storage/nfs-permissions/templates/psp.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: privileged-{{ .Release.Namespace }}-{{ .Release.Name }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  volumes:
+  - '*'
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  hostIPC: true
+  hostPID: true
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+{{- end }}