Commit 6bfc828

committed
Resolving PR comments
1 parent d4efd4d commit 6bfc828

4 files changed

+28
-19
lines changed

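--- a/charts/lightrun-agents/Chart.yaml
+++ b/charts/lightrun-agents/Chart.yaml
@@ -15,4 +15,4 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.2
+version: 0.0.1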

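--- a/charts/lightrun-agents/templates/java-agent-cr.yaml
+++ b/charts/lightrun-agents/templates/java-agent-cr.yaml
@@ -18,7 +18,9 @@ spec:
 secretName: {{ .name }}-secret
 {{- end }}
 serverHostname: {{ .serverHostname }}
+{{- if .useSecretAsEnvVars }}
 useSecretAsEnvVars: {{ .useSecretAsEnvVars | default true }}
+{{- end }}
 agentEnvVarName: {{ .agentEnvVarName | default "JAVA_TOOL_OPTIONS" }}
 {{- if .agentConfig }}
 agentConfig: {{ toYaml .agentConfig | nindent 4 }}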
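Review bot: The new `{{- if .useSecretAsEnvVars }}` guard is false both when the key is absent and when it is explicitly `false`, so a values entry that sets `useSecretAsEnvVars: false` now renders no field at all and the resource falls back to whatever the CRD defaults to, which this page does not show. Judging by its name the flag controls whether the agent secret is passed through environment variables, so an operator opting out would silently get the default with no error. Inside the guard the value is always truthy, which makes `| default true` dead code. Assuming `.` is the per-agent map here, testing for the key keeps an explicit `false`: `{{- if hasKey . "useSecretAsEnvVars" }}` with `useSecretAsEnvVars: {{ .useSecretAsEnvVars }}`.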

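--- a/internal/controller/patch_funcs.go
+++ b/internal/controller/patch_funcs.go
@@ -70,10 +70,6 @@ func (r *LightrunJavaAgentReconciler) patchDeployment(lightrunJavaAgent *agentv1
 if err != nil {
 return err
 }
-deploymentApplyConfig.Spec.Template.Spec.WithSecurityContext(
-corev1ac.PodSecurityContext().
-WithFSGroup(1000),
-)
 return nil
 }
 
@@ -157,10 +153,17 @@ func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *ap
 WithEnv(envVars...).
 WithSecurityContext(
 corev1ac.SecurityContext().
-WithReadOnlyRootFilesystem(true).
-WithAllowPrivilegeEscalation(false).
+WithCapabilities(
+corev1ac.Capabilities().
+WithDrop(corev1.Capability("ALL")),
+).
 WithRunAsNonRoot(true).
-WithRunAsUser(1000),
+WithAllowPrivilegeEscalation(false).
+WithReadOnlyRootFilesystem(true).
+WithSeccompProfile(
+corev1ac.SeccompProfile().
+WithType(corev1.SeccompProfileTypeRuntimeDefault),
+),
 ).
 WithResources(
 corev1ac.ResourceRequirements().
@@ -359,10 +362,17 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 WithEnv(envVars...).
 WithSecurityContext(
 corev1ac.SecurityContext().
-WithReadOnlyRootFilesystem(true).
-WithAllowPrivilegeEscalation(false).
+WithCapabilities(
+corev1ac.Capabilities().
+WithDrop(corev1.Capability("ALL")),
+).
 WithRunAsNonRoot(true).
-WithRunAsUser(1000),
+WithAllowPrivilegeEscalation(false).
+WithReadOnlyRootFilesystem(true).
+WithSeccompProfile(
+corev1ac.SeccompProfile().
+WithType(corev1.SeccompProfileTypeRuntimeDefault),
+),
 ).
 WithResources(
 corev1ac.ResourceRequirements().
@@ -392,7 +402,7 @@ func (r *LightrunJavaAgentReconciler) patchStatefulSetAppContainers(lightrunJava
 WithName(container.Name).
 WithImage(container.Image).
 WithVolumeMounts(
-corev1ac.VolumeMount().WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName).WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath),
+corev1ac.VolumeMount().WithMountPath(lightrunJavaAgent.Spec.InitContainer.SharedVolumeMountPath).WithName(lightrunJavaAgent.Spec.InitContainer.SharedVolumeName),
 ),
 )
 }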
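Review bot: In addInitContainer the security context keeps `WithRunAsNonRoot(true)` but no longer sets `WithRunAsUser(1000)`, so the UID now comes from the init image's USER or from the platform, and the kubelet will refuse to start the container if that image user is root or non-numeric. Nothing in the hunk records that dependency; a comment above the builder would help, for example `// No RunAsUser: UID comes from the image USER or the OpenShift SCC; RunAsNonRoot rejects root and non-numeric users.` The same applies to the identical block in addInitContainerToStatefulSet, and the two copies would drift less if one shared helper built them. The first hunk also removes the pod-level `WithFSGroup(1000)` from patchDeployment, so it is worth confirming the application container can still read what the init container writes to the shared volume. All of these functions start or end outside their hunks.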

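--- a/lightrun-init-agent/Dockerfile
+++ b/lightrun-init-agent/Dockerfile
@@ -3,7 +3,7 @@ ARG base_image_tag=alpine-3.20.0-r1
 FROM lightruncom/prod-base:${base_image_tag}
 ARG FILE
 
-COPY $FILE /tmp/$FILE
+COPY lightrun-init-agent/$FILE /tmp/$FILE
 
 RUN unzip -o /tmp/$FILE -d /agent ;\
 rm -rf /tmp/$FILE && \
@@ -13,13 +13,10 @@ RUN unzip -o /tmp/$FILE -d /agent ;\
 # In openshift UID will be dynamic per project, hence procide permissions to root group (defualt in k8s)
 chgrp -R 0 /agent && \
 chmod -R g=u /agent && \
-# Set proper permissions for the agent directory
-chown -R 1000:1000 /agent && \
-chmod -R 750 /agent && \
-# Create secret directory with proper permissions
+# Create secret directory
 mkdir -p /etc/lightrun/secret && \
-chown -R 1000:1000 /etc/lightrun/secret && \
-chmod -R 700 /etc/lightrun/secret
+chgrp -R 0 /etc/lightrun/secret && \
+chmod -R g=u /etc/lightrun/secret
 
 # Copy and set permissions for update_config.sh before switching user
 COPY update_config.sh /update_config.sh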
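Review bot: `chmod -R g=u /etc/lightrun/secret` only copies the owner bits to the group and leaves the "other" bits as `mkdir -p` created them, so the secret directory that used to be `700` is now likely readable and traversable by every user in the container (mode 775 under a typical 022 umask). The same loosening applies to /agent, which lost its `chmod -R 750` and keeps whatever "other" bits the archive carried. Group 0 access is what the OpenShift arbitrary-UID comment asks for, but that does not require access for others; `chmod -R g=u,o= /etc/lightrun/secret` would preserve the old restriction. The RUN instruction spans both hunks and its middle lines are not shown here.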
