The ConfigMap template for gitlab-pages causes the configure initContainer to fail
Summary
When I enable pages in my helm chart values, the ConfigMap generated for gitlab-pages appears to be incorrect, and the configure initContainer for the gitlab-pages Deployment fails:
'/init-config/pages/./secret' -> '/init-secrets/pages/./secret' │
│ cp: cannot create regular file '/init-secrets/pages/./secret': Permission denied
I think this is the result of the gitlab-pages ConfigMap template specifying "pages" as both a required and an optional entry:
{{- include "gitlab.scripts.configure.secrets" (dict "required" "pages" "optional" "pages") | nindent 4 -}}
It seems like an obvious defect to list "pages" as both required and optional.
This results in the following configure script:
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in pages ; do
  mkdir -p "${secret_dir}/${secret}"
  cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in pages ; do
  if [ -e "${config_dir}/${secret}" ]; then
    mkdir -p "${secret_dir}/${secret}"
    cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
  fi
done
If I edit this ConfigMap to not have the extraneous for loop it works fine:
set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in pages ; do
  mkdir -p "${secret_dir}/${secret}"
  cp -v -r -L "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
Here are the volumeMounts and volumes for the configure container:
volumeMounts:
- mountPath: /config
  name: pages-config
  readOnly: true
- mountPath: /init-config
  name: init-pages-secrets
  readOnly: true
- mountPath: /init-secrets
  name: pages-secrets
volumes:
- configMap:
    defaultMode: 420
    name: gitlab-gitlab-pages
  name: pages-config
- name: init-pages-secrets
  projected:
    defaultMode: 256
    sources:
    - secret:
        items:
        - key: shared_secret
          path: pages/secret
        name: gitlab-gitlab-pages-secret
    - secret:
        items:
        - key: accesskey
          path: minio/accesskey
        - key: secretkey
          path: minio/secretkey
        name: gitlab-minio-secret
- emptyDir:
    medium: Memory
  name: pages-secrets
I suspect that the reason I'm hitting this is the defaultMode: 256 used for the config files being copied, and the fact that the cp command prompts for user input when it is asked to overwrite a read-only file:
[root@testapp-deployment-848cbb97fb-nv4cc var]# cp -v -r -L "/var/config/huh/." "/var/dest/huh/"
'/var/config/huh/.' -> '/var/dest/huh/'
'/var/config/huh/./test.txt' -> '/var/dest/huh/test.txt'
[root@testapp-deployment-848cbb97fb-nv4cc var]# cp -v -r -L "/var/config/huh/." "/var/dest/huh/"
cp: overwrite '/var/dest/huh/./test.txt'?
Steps to reproduce
Enable pages with an otherwise vanilla configuration using Minio
Configuration used
I'm currently installing GitLab as part of BigBang (see its GitLab Chart). My configuration is quite complex but I think it should be irrelevant based on the apparent defect.
Versions
- Chart: 6.0.1
- Platform:
  - Cloud: EKS
- Kubernetes: (kubectl version)
  - Client: v1.24.1
  - Server: v1.21.13-eks-84b4fe6
- Helm: (helm version)
  - Client:
  - Server: v0.31.2
Relevant logs
'/init-config/pages/./secret' -> '/init-secrets/pages/./secret' │
│ cp: cannot create regular file '/init-secrets/pages/./secret': Permission denied
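The double copy described in this report can be reproduced outside the cluster. The following is an added example, not part of the original report or of the chart: it runs the loop body twice against a constructed source file at mode 0400 (`defaultMode: 256` is decimal for octal 0400), where the second plain `cp` fails for a non-root user because the first pass left a read-only destination file. The scratch paths, function names and the use of `cp -f` to make the copy repeatable are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Paths and the secret value below are constructed.

# Build a scratch tree shaped like the projected volume: one file at mode 0400
# (defaultMode: 256 in the volume spec is decimal for octal 0400).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/init-config/pages" "$d/init-secrets"
    printf 'constructed-secret' > "$d/init-config/pages/secret"
    chmod 0400 "$d/init-config/pages/secret"
    echo "$d"
}

# One pass of the loop body from the issue. $2 holds extra cp flags ("" or "-f").
copy_pass() {
    mkdir -p "$1/init-secrets/pages"
    # $2 is intentionally unquoted so an empty value adds no argument.
    cp $2 -r -L "$1/init-config/pages/." "$1/init-secrets/pages/"
}

# Two passes, as the "required" loop followed by the "optional" loop performs.
copy_twice() {
    copy_pass "$1" "$2" && copy_pass "$1" "$2"
}

# Permission string of the copied secret, e.g. -r--------
dest_mode() {
    ls -l "$1/init-secrets/pages/secret" | cut -c1-10
}

demo() {
    t=$(make_fixture)
    if copy_twice "$t" "" 2>/dev/null; then
        echo "plain cp: both passes succeeded (privileged user)"
    else
        echo "plain cp: second pass failed, destination is $(dest_mode "$t")"
    fi
    if copy_twice "$t" "-f"; then
        echo "cp -f: both passes succeeded"
    fi
    rm -rf "$t"
}
demo
```

With `-f`, `cp` removes a destination it cannot open and recreates it, which only requires write permission on the destination directory, so the copied secret keeps its 0400 mode.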