codefresh-io · mikhail-klimko · Nov 18, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
diff --git a/.gitignore b/.gitignore
@@ -42,10 +42,10 @@ venona/venona
 **/*.tgz
 **/charts/**/charts
 **/dry-run.yaml
-**/values-dev.yaml
+**/values-dev**.yaml
 
 # coverage
 **/cover
 
 # debug
-**/debug
+**/.debug
@@ -0,0 +1,36 @@
+volumeProvisioner:
+  env:
+    IS_ROOTLESS: true
+  dind-lv-monitor:
+    image:
+      tag: 1.30.0-rootless
+      digest: ""
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+    volumePermissions:
+      enabled: true
+
+runtime:
+  dindDaemon:
+    hosts:
+      - unix:///run/user/1000/docker.sock
+      - tcp://0.0.0.0:1300
+  dind:
+    image:
+      tag: 26.1.4-1.28.9-rootless
+      digest: ""
+    userVolumeMounts:
+      dind:
+        name: dind
+        mountPath: /home/rootless/
+    containerSecurityContext:
+      privileged: true
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    volumePermissions:
+      enabled: true
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 7.0.1
+version: 7.1.0
 keywords:
   - codefresh
   - runner
@@ -17,8 +17,10 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "false"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: security
-      description: "updating k8s-agent"
+    - kind: changed
+      description: "(rootless runtime) Update dind-volume-provisioner and dind-volume-utils"
+    - kind: added
+      description: "(rootless runtime) Add values-rootless.yaml example "
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts

@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 7.0.1](https://img.shields.io/badge/Version-7.0.1-informational?style=flat-square)
+![Version: 7.1.0](https://img.shields.io/badge/Version-7.1.0-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -715,14 +715,45 @@ volumeProvisioner:
 ### Rootless DinD
 
 DinD pod runs a `priviliged` container with **rootfull** docker.
-To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
+To run the docker daemon as non-root user (**rootless** mode), refer to `values-rootless.yaml`:
 
-`values.yaml`
 ```yaml
+volumeProvisioner:
+  env:
+    IS_ROOTLESS: true
+  dind-lv-monitor:
+    image:
+      tag: 1.30.0-rootless
+      digest: ""
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+    volumePermissions:
+      enabled: false
+
 runtime:
+  dindDaemon:
+    hosts:
+      - unix:///run/user/1000/docker.sock
+      - tcp://0.0.0.0:1300
   dind:
     image:
-      tag: rootless
+      tag: 26.1.4-1.28.9-rootless
+      digest: ""
+    userVolumeMounts:
+      dind:
+        name: dind
+        mountPath: /home/rootless/
+    containerSecurityContext:
+      privileged: true
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    volumePermissions:
+      enabled: false
 ```
 
 ### ARM
@@ -1143,7 +1174,7 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
 | runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
 | runtime.description | string | `""` | Runtime description |
-| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"digest":"sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"digest":"sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:2995c82e8e723d9a5c8585cb8e901d1c50e3c2759031027d3bff577449435157","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
 | runtime.dind.affinity | object | `{}` | Set affinity |
 | runtime.dind.env | object | `{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true}` | Set additional env vars. |
 | runtime.dind.image | object | `{"digest":"sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"}` | Set dind image. |
@@ -1234,7 +1265,7 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | volumeProvisioner.dind-lv-monitor | object | See below | `dind-lv-monitor` DaemonSet parameters (local volumes cleaner) |
 | volumeProvisioner.enabled | bool | `true` | Enable volume-provisioner |
 | volumeProvisioner.env | object | `{}` | Add additional env vars |
-| volumeProvisioner.image | object | `{"digest":"sha256:c036ad717391debdf43f8da337b81b5df0e79de274d2d9af1425c675b0296dda","registry":"quay.io","repository":"codefresh/dind-volume-provisioner","tag":"1.35.0"}` | Set image |
+| volumeProvisioner.image | object | `{"digest":"sha256:ede6f663c912a08b7d335b5ec5518ccc266b27c431d0854d22971005992adc5d","registry":"quay.io","repository":"codefresh/dind-volume-provisioner","tag":"1.35.2"}` | Set image |
 | volumeProvisioner.nodeSelector | object | `{}` | Set node selector |
 | volumeProvisioner.podAnnotations | object | `{}` | Set pod annotations |
 | volumeProvisioner.podSecurityContext | object | See below | Set security context for the pod |

@@ -717,14 +717,45 @@ volumeProvisioner:
 ### Rootless DinD
 
 DinD pod runs a `priviliged` container with **rootfull** docker.
-To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
+To run the docker daemon as non-root user (**rootless** mode), refer to `values-rootless.yaml`:
 
-`values.yaml`
 ```yaml
+volumeProvisioner:
+  env:
+    IS_ROOTLESS: true
+  dind-lv-monitor:
+    image:
+      tag: 1.30.0-rootless
+      digest: ""
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+    volumePermissions:
+      enabled: false
+
 runtime:
+  dindDaemon:
+    hosts:
+      - unix:///run/user/1000/docker.sock
+      - tcp://0.0.0.0:1300
   dind:
     image:
-      tag: rootless
+      tag: 26.1.4-1.28.9-rootless
+      digest: ""
+    userVolumeMounts:
+      dind:
+        name: dind
+        mountPath: /home/rootless/
+    containerSecurityContext:
+      privileged: true
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    volumePermissions:
+      enabled: false
 ```
 
 ### ARM

@@ -183,6 +183,34 @@ dockerDaemonScheduler:
       secret:
         secretName: codefresh-certs-server
   {{- end }}
+  {{- with $dindContext.podSecurityContext }}
+  podSecurityContext: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.containerSecurityContext }}
+  containerSecurityContext: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $dindContext.volumePermissions.enabled }}
+  initContainers:
+  - name: volume-permissions
+    image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.volumePermissions.image "context" .) }}
+    imagePullPolicy: {{ $dindContext.volumePermissions.image.pullPolicy | default "Always" }}
+    command:
+      - /bin/sh
+    args:
+      - -ec
+      - |
+        chown -R {{ $dindContext.podSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/
+    volumeMounts:
+    - mountPath: /home/rootless/
+      name: dind
+    {{- if eq ( toString ( $dindContext.volumePermissions.securityContext.runAsUser )) "auto" }}
+    securityContext: {{- omit $dindContext.volumePermissions.securityContext "runAsUser" | toYaml | nindent 6 }}
+    {{- else }}
+    securityContext: {{- $dindContext.volumePermissions.securityContext | toYaml | nindent 6 }}
+    {{- end }}
+    resources:
+      {{- toYaml $dindContext.volumePermissions.resources | nindent 6 }}
+  {{- end }}
 extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
   {{- if .Values.runtime.description }}
 description: {{ .Values.runtime.description }}

@@ -4,21 +4,15 @@ values:
   - ../values.yaml
   - ../values-private-registry.yaml
 templates:
-  - templates/hooks/post-install/cm-update-runtime.yaml
-  - templates/runner/deployment.yaml
-  - templates/volume-provisioner/deployment.yaml
-  - templates/volume-provisioner/daemonset.yaml
-  - templates/volume-provisioner/cronjob.yaml
-  - templates/monitor/deployment.yaml
-  - templates/app-proxy/deployment.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
-chart:
-  version: 1.0.0
-  appVersion: 1.0.0
+# chart:
+#   version: 1.0.0
+#   appVersion: 1.0.0
 tests:
   - it: Test private registry in runtime spec
     template: templates/hooks/post-install/cm-update-runtime.yaml

@@ -3,16 +3,13 @@ suite: runner test
 values:
   - ../values.yaml
 templates:
-  - templates/runner/deployment.yaml
-  - templates/runner/rbac.yaml
-  - templates/runner/secret.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test runner default metadata
@@ -24,14 +21,12 @@ tests:
           of: Deployment
       - isNull:
           path: metadata.annotations
-      - equal:
+      - isSubset:
           path: metadata.labels
-          value:
+          content:
             app.kubernetes.io/instance: cf-runtime
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: cf-runtime
-            app.kubernetes.io/version: 1.0.0
-            helm.sh/chart: cf-runtime-1.0.0
             codefresh.io/application: runner
       - equal:
           path: metadata.name

@@ -1,16 +1,13 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/quintush/helm-unittest/master/schema/helm-testsuite.json
 suite: runtime onprem test
 templates:
-  - templates/hooks/post-install/job-update-runtime.yaml
-  - templates/hooks/post-install/cm-update-runtime.yaml
-  - templates/runtime/secret.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test default runtime spec metadata

@@ -3,16 +3,13 @@ suite: runtime test
 values:
   - ../values.yaml
 templates:
-  - templates/hooks/post-install/job-update-runtime.yaml
-  - templates/hooks/post-install/cm-update-runtime.yaml
-  - templates/runtime/secret.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test default runtime spec metadata

@@ -3,15 +3,13 @@ suite: dind-volume-cleanup test
 values:
   - ../values.yaml
 templates:
-  - templates/volume-provisioner/cronjob.yaml
-  - templates/volume-provisioner/storageclass.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test dind-volume-cleanup default metadata
@@ -25,14 +23,12 @@ tests:
           of: CronJob
       - isNull:
           path: metadata.annotations
-      - equal:
+      - isSubset:
           path: metadata.labels
-          value:
+          content:
             app.kubernetes.io/instance: cf-runtime
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: cf-runtime
-            app.kubernetes.io/version: 1.0.0
-            helm.sh/chart: cf-runtime-1.0.0
             codefresh.io/application: pv-cleanup
       - equal:
           path: metadata.name

@@ -3,14 +3,13 @@ suite: dind-lv-monitor test
 values:
   - ../values.yaml
 templates:
-  - templates/volume-provisioner/daemonset.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test dind-lv-monitor default metadata
@@ -24,14 +23,12 @@ tests:
           of: DaemonSet
       - isNull:
           path: metadata.annotations
-      - equal:
+      - isSubset:
           path: metadata.labels
-          value:
+          content:
             app.kubernetes.io/instance: cf-runtime
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: cf-runtime
-            app.kubernetes.io/version: 1.0.0
-            helm.sh/chart: cf-runtime-1.0.0
             codefresh.io/application: lv-monitor
       - equal:
           path: metadata.name