UNCLASSIFIED - NO CUI


SKIP UPGRADE #155: Add correct pod security context values to pass kyverno tests for postgresql

Andrew Kesterson requested to merge 155_securitycontext into main

General MR

Summary

This corrects the postgresql pod securitycontext configuration to pass kyverno tests, discovered during mergeback of the previous MR on #155 into the bigbang umbrella chart.

Relevant logs/screenshots

Before

0s (x17 over 6m2s)    Warning   FailedCreate            StatefulSet/mattermost-postgresql                       create Pod mattermost-postgresql-0 in StatefulSet mattermost-postgresql failed error: admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Pod/mattermost/mattermost-postgresql-0 was blocked due to the following policies 

require-non-root-group:
  run-as-group: 'validation failure: validation error: runAsGroup must be set to an
    id > 0 in either spec.securityContext.runAsGroup or (spec.containers[*].securityContext.runAsGroup,
    spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup).
    rule run-as-group[0] failed at path /securityContext/runAsGroup/'
restrict-host-path-write:
  require-readonly-hostpath: rule skipped

After, mattermost works and tests pass

Linked Issue

155

Upgrade Notices

BREAKING CHANGE If using the sub-chart Postgres database for Mattermost, you will be required to perform a pg_dump before upgrading and then restore the database and data to the new pod in order to keep data. There is no clean upgrade path from prior PostgreSQL versions to the new version. This sub-chart in-cluster database is NOT a production setup/recommended installation.

BREAKING CHANGE If you are setting a custom username, password or database for the sub-chart Postgres database for mattermost, the credential settings have moved.

| Old setting | New setting |
| --- | --- |
| postgresql.postgresqlUsername | postgresql.auth.username |
| postgresql.postgresqlPassword | postgresql.auth.password |
| postgresql.postgresqlDatabase | postgresql.auth.database |
Edited by Andrew Kesterson
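
The `run-as-group` denial shown under "Before" can be caught on rendered manifests before they reach the admission webhook. The following is an added example, not code from this merge request or from Kyverno: it approximates the rule as worded in the denial message, and the function name, the sample pod specs and the GID 1001 are constructed for illustration.

```python
# Added example: approximates the require-non-root-group / run-as-group rule
# as worded in the denial message. Not Kyverno's policy code.
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")


def _valid_gid(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def run_as_group_violations(pod_spec):
    """Return the container paths whose effective runAsGroup is unset or 0.

    A container-level runAsGroup overrides spec.securityContext.runAsGroup,
    so a pod-level value does not cover a container that explicitly sets 0.
    """
    pod_gid = (pod_spec.get("securityContext") or {}).get("runAsGroup")
    violations = []
    for key in CONTAINER_KEYS:
        for index, container in enumerate(pod_spec.get(key) or []):
            gid = (container.get("securityContext") or {}).get("runAsGroup")
            if gid is None:
                gid = pod_gid  # fall back to the pod-level setting
            if not _valid_gid(gid):
                violations.append(
                    f"spec.{key}[{index}].securityContext.runAsGroup={gid!r}"
                )
    return violations


# Constructed pod specs (values are illustrative, not taken from the chart).
BEFORE = {  # runAsUser only: the shape that was denied
    "securityContext": {"runAsUser": 1001},
    "containers": [{"name": "postgresql"}],
}
AFTER = {  # pod-level runAsGroup > 0 covers every container
    "securityContext": {"runAsUser": 1001, "runAsGroup": 1001},
    "containers": [{"name": "postgresql"}],
}
OVERRIDE = {  # init container explicitly resets the group to root
    "securityContext": {"runAsGroup": 1001},
    "containers": [{"name": "postgresql"}],
    "initContainers": [{"name": "init", "securityContext": {"runAsGroup": 0}}],
}

if __name__ == "__main__":
    for name, spec in (("before", BEFORE), ("after", AFTER), ("override", OVERRIDE)):
        print(name, run_as_group_violations(spec) or "ok")
```
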
