Resolving PR comments

Author: yitzhaktal

charts/lightrun-agents/Chart.yaml

@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.2
+version: 0.0.1

charts/lightrun-agents/templates/java-agent-cr.yaml

@@ -18,7 +18,9 @@ spec:
   secretName: {{ .name }}-secret
   {{- end }}
   serverHostname: {{ .serverHostname }}
+  {{- if .useSecretAsEnvVars }}
   useSecretAsEnvVars: {{ .useSecretAsEnvVars | default true }}
+  {{- end }}
   agentEnvVarName: {{ .agentEnvVarName | default "JAVA_TOOL_OPTIONS" }}
   {{- if .agentConfig }}
   agentConfig: {{ toYaml .agentConfig | nindent 4 }}

internal/controller/patch_funcs.go

@@ -70,10 +70,6 @@ func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1
 	if err != nil {
 		return err
 	}
-	deploymentApplyConfig.Spec.Template.Spec.WithSecurityContext(
-		corev1ac.PodSecurityContext().
-			WithFSGroup(1000),
-	)
 	return nil
 }
 
@@ -157,10 +153,17 @@ func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *ap
 			WithEnv(envVars...).
 			WithSecurityContext(
 				corev1ac.SecurityContext().
-					WithReadOnlyRootFilesystem(true).
-					WithAllowPrivilegeEscalation(false).
+					WithCapabilities(
+						corev1ac.Capabilities().
+							WithDrop(corev1.Capability("ALL")),
+					).
 					WithRunAsNonRoot(true).
-					WithRunAsUser(1000),
+					WithAllowPrivilegeEscalation(false).
+					WithReadOnlyRootFilesystem(true).
+					WithSeccompProfile(
+						corev1ac.SeccompProfile().
+							WithType(corev1.SeccompProfileTypeRuntimeDefault),
+					),
 			).
 			WithResources(
 				corev1ac.ResourceRequirements().
@@ -359,10 +362,17 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 			WithEnv(envVars...).
 			WithSecurityContext(
 				corev1ac.SecurityContext().
-					WithReadOnlyRootFilesystem(true).
-					WithAllowPrivilegeEscalation(false).
+					WithCapabilities(
+						corev1ac.Capabilities().
+							WithDrop(corev1.Capability("ALL")),
+					).
 					WithRunAsNonRoot(true).
-					WithRunAsUser(1000),
+					WithAllowPrivilegeEscalation(false).
+					WithReadOnlyRootFilesystem(true).
+					WithSeccompProfile(
+						corev1ac.SeccompProfile().
+							WithType(corev1.SeccompProfileTypeRuntimeDefault),
+					),
 			).
 			WithResources(
 				corev1ac.ResourceRequirements().
@@ -392,7 +402,7 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJava
 						WithName(container.Name).
 						WithImage(container.Image).
 						WithVolumeMounts(
-							corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath),
+							corev1ac.VolumeMount().WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath).WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName),
 						),
 				)
 			}

lightrun-init-agent/Dockerfile

@@ -3,7 +3,7 @@ ARG base_image_tag=alpine-3.20.0-r1
 FROM lightruncom/prod-base:${base_image_tag}
 ARG FILE
 
-COPY $FILE /tmp/$FILE
+COPY lightrun-init-agent/$FILE /tmp/$FILE
 
 RUN unzip -o /tmp/$FILE -d /agent ;\
     rm -rf /tmp/$FILE && \
@@ -13,13 +13,10 @@ RUN unzip -o /tmp/$FILE -d /agent ;\
     # In openshift UID will be dynamic per project, hence procide permissions to root group (defualt in k8s)
     chgrp -R 0 /agent && \
     chmod -R g=u /agent && \
-    # Set proper permissions for the agent directory
-    chown -R 1000:1000 /agent && \
-    chmod -R 750 /agent && \
-    # Create secret directory with proper permissions
+    # Create secret directory
     mkdir -p /etc/lightrun/secret && \
-    chown -R 1000:1000 /etc/lightrun/secret && \
-    chmod -R 700 /etc/lightrun/secret
+    chgrp -R 0 /etc/lightrun/secret && \
+    chmod -R g=u /etc/lightrun/secret
 
 # Copy and set permissions for update_config.sh before switching user
 COPY update_config.sh /update_config.sh