
Comments (6)

gnieser commented on July 17, 2024 1

I created a distinct issue #990 for this.

from acs-deployment.

gionn commented on July 17, 2024 1

Thanks, I am going to close this then. 👍🏻


gionn commented on July 17, 2024

Hello, unfortunately the current way to add custom properties is to override JAVA_OPTS entirely via values (make sure to keep the default one for better compatibility).

There is an ongoing effort to simplify this common use case for the next release, which will provide support for providing a custom configmap/secret as a source for properties.

Let me know if you have additional concerns.


gnieser commented on July 17, 2024

Thank you for the swift response! I'll look at overriding JAVA_OPTS.

Additional concerns are unrelated to alfresco-global.properties. My first deployment failed because:

  • several Ingress resources have an annotation to set their class to nginx. This annotationNot all of them can change the value. I would rather have the annotation completely optional, at least the class name should be configurable because the IngressClass is a cluster resource and not bound to a namespace, so conflicts are to be expected especially with a name as widespread as nginx.
  • several Pods require higher privileges to run. I'm forced to relax some Security Context Constraints to allow them to run. It would be much easier to adopt Alfresco in our clusters if it runs with something like OpenShift default restricted-v2 [1] profile.

[1] https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html


gionn commented on July 17, 2024

> • several Ingress resources have an annotation to set their class to nginx. This annotationNot all of them can change the value. I would rather have the annotation completely optional, at least the class name should be configurable because the IngressClass is a cluster resource and not bound to a namespace, so conflicts are to be expected especially with a name as widespread as nginx.

That's another concern we are trying to address soon; right now we are not really supporting any other ingress than ingress-nginx.

> • several Pods require higher privileges to run. I'm forced to relax some Security Context Constraints to allow them to run. It would be much easier to adopt Alfresco in our clusters if it runs with something like OpenShift default restricted-v2 [1] profile.

We are aware of this issue with the share image/pod, but I don't recall any others; it could help if you can provide additional details for them.


gnieser commented on July 17, 2024

> we are aware of this issue with the share image/pod, but I don't recall for any others, could help if you can provide additional details for them.

Sure. With default SCC settings, an attempt to deploy the Helm chart of Code Ready Container / OpenShift local 4.13 results in the following issues.

W0821 07:57:17.613177    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.631141    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.631141    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "activemq" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635153    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635572    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.639977    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.655524    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-search" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.782326    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770    1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
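
Added example (not part of the thread and not code from the acs-deployment chart): a small Python parser that turns PodSecurity warnings like the ones quoted above into the securityContext each named container is asked to set. The function name `required_contexts` and the choice of the first listed alternative (`RuntimeDefault`) are assumptions of this example; the sample lines are three of the warnings above with the klog prefix trimmed.

```python
import json
import re
from collections import defaultdict

# Sample input: three warnings from the thread above, klog prefix trimmed.
SAMPLE = '''\
would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
'''

# One parenthesised clause: who is affected, which field, which value.
CLAUSE = re.compile(
    r'\((?:pod or )?containers? (?P<names>"[^"]+"(?:, "[^"]+")*) '
    r'must (?P<neg>not )?set securityContext\.(?P<field>[\w.]+)'
    r'(?:=| to )(?P<value>[^)]+)\)')


def required_contexts(log_text):
    """Map each container named in the warnings to the securityContext it needs.

    "pod or container" clauses could also be satisfied once at pod level;
    this example records them per container.
    """
    out = defaultdict(dict)
    for m in CLAUSE.finditer(log_text):
        # Where alternatives are offered ("RuntimeDefault" or "Localhost"),
        # take the first one (assumption of this example).
        value = json.loads(m["value"].split(" or ")[0])
        if m["neg"]:  # "must not set X=false" means X has to be true
            value = not value
        for name in re.findall(r'"([^"]+)"', m["names"]):
            node = out[name]
            *parents, leaf = m["field"].split(".")
            for key in parents:  # build nested keys such as seccompProfile.type
                node = node.setdefault(key, {})
            node[leaf] = value
    return dict(out)


if __name__ == "__main__":
    print(json.dumps(required_contexts(SAMPLE), indent=2))
```

Setting `runAsNonRoot: true` only satisfies admission; the image itself must run as a non-root UID, otherwise the kubelet refuses to start the container.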
