diff --git a/stable/yugaware/templates/init-container-script.yaml b/stable/yugaware/templates/init-container-script.yaml
index 3acd0f14ed..4e5a4dec3f 100644
--- a/stable/yugaware/templates/init-container-script.yaml
+++ b/stable/yugaware/templates/init-container-script.yaml
@@ -15,33 +15,35 @@ data:
 set -xe -o pipefail
 data_directory="/opt/yugabyte/yugaware/data"
- pemfiles=$(find "${data_directory}/keys/" -name "*.pem" -exec stat -c "%a" {} + | uniq | tr '\n' ',')
- IFS="," read -r -a pemfile_perms <<< "${pemfiles}"
-
- trigger=false
- echo "Finding pem files with permissions different than 400, and setting their permissions to 400."
-
- for pemfile in "${pemfile_perms[@]}"; do
- if [[ "${pemfile}" != *400* ]]; then
- echo "Found a pem file with permissions ${pemfile}"
- trigger=true
- break
+ if [[ -d "${data_directory}/keys/" ]]; then
+ pemfiles=$(find "${data_directory}/keys/" -name "*.pem" -exec stat -c "%a" {} + | uniq | tr '\n' ',')
+ IFS="," read -r -a pemfile_perms <<< "${pemfiles}"
+
+ trigger=false
+ echo "Finding pem files with permissions different than 400, and setting their permissions to 400."
+
+ for pemfile in "${pemfile_perms[@]}"; do
+ if [[ "${pemfile}" != *400* ]]; then
+ echo "Found a pem file with permissions ${pemfile}"
+ trigger=true
+ break
+ fi
+ done
+
+ if ${trigger}; then
+ echo "Creating copy of data/keys directory"
+ cp -r "${data_directory}/keys" "${data_directory}/new_keys"
+
+ echo "Setting permission of all pem files to 400"
+ find "${data_directory}/new_keys/" -name "*.pem" -exec chmod 400 {} +
+ echo "Renaming existing keys directory"
+ mv "${data_directory}/keys" "${data_directory}/keys-$(date +%s)"
+
+ echo "Renaming new keys directory"
+ mv "${data_directory}/new_keys" "${data_directory}/keys"
+ else
+ echo "All pem files already have permission set to 400"
 fi
- done
-
- if ${trigger}; then
- echo "Creating copy of data/keys directory"
- cp -r "${data_directory}/keys" "${data_directory}/new_keys"
-
- echo "Setting permission of all pem files to 400"
- find "${data_directory}/new_keys/" -name "*.pem" -exec chmod 400 {} +
- echo "Renaming existing keys directory"
- mv "${data_directory}/keys" "${data_directory}/keys-$(date +%s)"
-
- echo "Renaming new keys directory"
- mv 
"${data_directory}/new_keys" "${data_directory}/keys"
- else
- echo "All pem files already have permission set to 400"
 fi
 {{- end }}
\ No newline at end of file
diff --git a/stable/yugaware/templates/statefulset.yaml b/stable/yugaware/templates/statefulset.yaml
index f8cabdf577..26ec32eedc 100644
--- a/stable/yugaware/templates/statefulset.yaml
+++ b/stable/yugaware/templates/statefulset.yaml
@@ -96,9 +96,8 @@ spec:
 command:
 - 'bash'
 - '-c'
- - >
- cp /default_prometheus_config/prometheus.yml /prometheus_configs/prometheus.yml;
- bash /init-container/init-permissions.sh;
+ - |
+ cp /default_prometheus_config/prometheus.yml /prometheus_configs/prometheus.yml && /bin/bash /init-container/init-permissions.sh;
 securityContext:
 runAsUser: {{ .Values.securityContext.runAsUser }}
 runAsGroup: {{ .Values.securityContext.runAsGroup }}
diff --git a/stable/yugaware/values.yaml b/stable/yugaware/values.yaml
index 6fc105b217..7048cb88ac 100644
--- a/stable/yugaware/values.yaml
+++ b/stable/yugaware/values.yaml
@@ -117,8 +117,8 @@ securityContext:
 ## fsGroup related values are set at the pod level.
 fsGroup: 10001
 fsGroupChangePolicy: "OnRootMismatch"
- ## The following values are set for yugaware and prometheus
- ## containers.
+ ## The following values are set for yugaware and prometheus containers.
+ ## Setting runAsUser other than 10001 will fail the VM universe deployment flow.
 runAsUser: 10001
 runAsGroup: 10001
 runAsNonRoot: true
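Review bot: The archived directory produced by `mv "${data_directory}/keys" "${data_directory}/keys-$(date +%s)"` still holds the original pem files with exactly the loose permissions this script exists to remove, so a readable copy of every private key stays on the volume indefinitely after the "fix" runs. Capture the name and tighten it once the swap has succeeded, e.g. `backup_dir="${data_directory}/keys-$(date +%s)"`, `mv "${data_directory}/keys" "${backup_dir}"`, and after the final `mv` add `chmod -R go-rwx -- "${backup_dir}"`. If the copy-then-rename dance is there because the originals are owned by a different uid (the hunk does not say why it does not chmod in place), that chmod will fail on them and `rm -rf -- "${backup_dir}"` after a successful swap is the safer alternative. Either way a one-line comment explaining why the old directory is kept would help the next maintainer decide. The script's preamble and the `data:` key that opens this block sit above the hunk.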
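Review bot: The new command string calls `/bin/bash /init-container/init-permissions.sh` by absolute path while the interpreter two lines above is invoked as a bare `'bash'`, and the trailing `;` is redundant once the scalar is a `|` literal block; `cp /default_prometheus_config/prometheus.yml /prometheus_configs/prometheus.yml && bash /init-container/init-permissions.sh` keeps the two consistent. Chaining with `&&` means a failed copy now stops the init container before the permission script runs, which is presumably the intent, but since `bash -c` carries no `set -e` a short template comment such as `# a failed prometheus.yml copy must abort init before the key-permission fix` would record that the ordering is deliberate. The rest of the init container spec (image, volume mounts) continues outside the hunk.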