MLE-12272: Rootless Image Changes to Helm Charts

sumanthravipati · sumanthravipati · web-flow · commit 9208b2e5f20f · 2024-02-14T11:19:19.000-08:00
Co-authored-by: sumanthravipati &lt;sumanth.ravipati@progress.com&gt;
diff --git a/charts/templates/NOTES.txt b/charts/templates/NOTES.txt
@@ -2,6 +2,16 @@ Thank you for installing {{ .Chart.Name }}.
 
 Your release is named {{ .Release.Name }}.
 
+{{- if eq (include "marklogic.imageType" .) "rootless" }}
+{{- if .Values.containerSecurityContext.allowPrivilegeEscalation }}
+WARNING
+   ***********************************************************************************************************
+   Setting "containerSecurityContext.allowPrivilegeEscalation" is set to true.
+   This is not recommended and is not a secure configuration while using rootless MarkLogic images.
+   ***********************************************************************************************************
+{{- end }}
+{{- end }}
+
 FQDN is {{ include "marklogic.fqdn" . }}
 {{- if gt (len (include "marklogic.fqdn" .)) 64 }}
 WARNING:    The hostname is greater than 64 characters
diff --git a/charts/templates/_helpers.tpl b/charts/templates/_helpers.tpl
@@ -108,3 +108,14 @@ Validate values file
 {{- end }}
 {{- end }}
 
+{{/*
+Name to distinguish marklogic image whether root or rootless
+*/}}
+{{- define "marklogic.imageType" -}}
+{{- if .Values.image.tag | contains "rootless" }}
+{{- printf "rootless" }}
+{{- else }}
+{{- printf "root" }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/templates/configmap.yaml b/charts/templates/configmap.yaml
@@ -24,6 +24,7 @@ data:
   MARKLOGIC_JOIN_CLUSTER: "true"
   MARKLOGIC_GROUP: {{ .Values.group.name }}
   XDQP_SSL_ENABLED: {{ quote .Values.group.enableXdqpSsl }}
+  MARKLOGIC_IMAGE_TYPE: {{ include "marklogic.imageType" . }}
 ---
 {{- if .Values.logCollection.enabled }}
 apiVersion: v1
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -338,7 +338,11 @@ spec:
                         if [[ -n ${TIMESTAMP} ]]; then
                           restart_check ${TIMESTAMP}
                         fi
-                        sudo sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
+                        if [[ $MARKLOGIC_IMAGE_TYPE == "rootless" ]]; then
+                          sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
+                        else
+                          sudo sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
+                        fi
                         log "Info: [poststart] ${GROUP_CFG} saved"
                       else
                         log "Error: [poststart] Failed to configure properties for $MARKLOGIC_GROUP group.
