Draft: Fix 'permission denied' in Self-Signed Certificates Job
Summary
Unsets the securityContext.runAsUser and securityContext.runAsGroup on the Self Signed Certificates Job, allowing the defaults from the GitLab Helm Charts to be used:
- runAsUser: 65534
- fsGroup: 65534
Before this, the values were set to an empty map, meaning that the initContainer runs as root when generating the certificates, and the container runs as 65534, meaning it doesn't have permissions to read the files created by root when using kubectl to create the secrets.
Closes #103 (closed)
Testing
```yaml
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
spec:
  chart:
    version: "5.7.0"
    values:
      global:
        ingress:
          configureCertmanager: false # to trigger Self Signed Certs
        hosts:
          domain: yourdomain.com
          externalIP: yourExternalIP # optional if you use 'external-dns' or connect manually
```
- Confirm that Self-Signed Certificates job passes
- Confirm that $RELEASE_NAME-wildcard-tls Secret is created
Edited by Mitchell Nielsen
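
The UID mismatch described in the summary can be caught by resolving each container's effective user and comparing the containers that share a volume. The following is an added example, not code from this merge request or the GitLab charts; the container names, image names, volume name and image default UIDs are assumptions chosen to mirror the behaviour reported above.

```python
# Added example: constructed pod specs, not taken from the GitLab chart.
def effective_uid(pod_spec, container, image_default_uid):
    """Kubernetes precedence: container securityContext, then pod
    securityContext, then the USER baked into the image."""
    for ctx in (container.get("securityContext") or {},
                pod_spec.get("securityContext") or {}):
        if ctx.get("runAsUser") is not None:
            return ctx["runAsUser"]
    # Assumption: an image with no known USER runs as root (UID 0).
    return image_default_uid.get(container["image"], 0)


def uid_mismatches(pod_spec, image_default_uid):
    """Return (volume, init name, init uid, container name, container uid)
    for every volume an initContainer shares with a main container that
    runs as a different UID."""
    findings = []
    for init in pod_spec.get("initContainers", []):
        init_uid = effective_uid(pod_spec, init, image_default_uid)
        init_vols = {m["name"] for m in init.get("volumeMounts", [])}
        for main in pod_spec.get("containers", []):
            main_uid = effective_uid(pod_spec, main, image_default_uid)
            for m in main.get("volumeMounts", []):
                if m["name"] in init_vols and init_uid != main_uid:
                    findings.append(
                        (m["name"], init["name"], init_uid, main["name"], main_uid))
    return findings


def make_pod(security_context):
    # Constructed Job pod template; all names and images are hypothetical.
    mount = [{"name": "certs-path", "mountPath": "/output"}]
    return {
        "securityContext": security_context,
        "initContainers": [{"name": "cfssl", "image": "example/cfssl", "volumeMounts": mount}],
        "containers": [{"name": "kubectl", "image": "example/kubectl", "volumeMounts": mount}],
        "volumes": [{"name": "certs-path", "emptyDir": {}}],
    }


# Assumed image USER values, matching the behaviour the description reports.
IMAGE_UIDS = {"example/cfssl": 0, "example/kubectl": 65534}
BEFORE = make_pod({})                                     # empty map: image defaults apply
AFTER = make_pod({"runAsUser": 65534, "fsGroup": 65534})  # chart defaults listed in the summary

if __name__ == "__main__":
    print("before:", uid_mismatches(BEFORE, IMAGE_UIDS))
    print("after: ", uid_mismatches(AFTER, IMAGE_UIDS))
```

A reported mismatch is a heuristic: whether the read actually fails also depends on the file modes the writer sets and on fsGroup ownership of the volume.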