windmill-labs / windmill-helm-charts


Helm Chart rendering RunAsUser at the wrong indent #63

Open avo-sepp opened 8 months ago

avo-sepp commented 8 months ago

[Screenshot 2024-02-27 at 10:46:58 (image not included)]

See image. runAsUser is not being saved to Kubernetes because it is being rendered one tier above securityContext. It should be nested under securityContext.

avo-sepp commented 8 months ago

More info, this problem is seen on native and default worker groups. I don't think we're running any other worker groups, so I cannot confirm/deny those.

rubenfiszel commented 8 months ago

@avo-sepp can you share the values you are using?

avo-sepp commented 8 months ago
```yaml
windmill:
  baseDomain: "redacted"
  baseProtocol: "https"
  databaseUrlSecretName: "redacted"
  databaseUrlSecretKey: url
postgresql:
  enabled: false
ingress:
  enabled: true
  className: "nginx"
  tls:
    - hosts:
        - "redacted"
      secretName: redacted
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 10m
```

avo-sepp commented 8 months ago

The Helm chart is being rendered and applied by ArgoCD. When rendered on the CLI the indenting is off. It looks like...

```yaml
      containers:
      - name: windmill-worker
        securityContext:
            runAsNonRoot: false
            runAsUser: 0
        image: ghcr.io/windmill-labs/windmill:1.278.5
        imagePullPolicy: Always
        ports:
        - containerPort: 8001
```

rubenfiszel commented 8 months ago

This should be fixed on the latest commit normally (indent 12 -> indent 10 of the securityContext block body).

rubenfiszel commented 8 months ago

@avo-sepp I also tested on the CLI/dry-run that the indentation was correct. We advise passing HOME=/tmp as an env variable if you use non-root users.

avo-sepp commented 8 months ago

Thank you. That's good information. Is there anything mounted in /tmp? If I overwrite that directory with an ephemeral/empty volume will any important data be blown away?

rubenfiszel commented 8 months ago

Crucial data required for the operation of windmill is located at /tmp/windmill, so I would recommend using /tmp/home and mounting that instead.

rubenfiszel commented 8 months ago

To note, if you can mount /tmp/windmill/cache you will benefit from a hot cache all the time, and on the EE we have a superior tier of caching for Python at scale that is distributed on S3.
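Added example, not code from the thread or from windmill-helm-charts: a stdlib-only Python check that runs over rendered workloads and encodes the points made above in one place. It flags runAsUser/runAsNonRoot fields that landed at container level instead of under securityContext (the misplacement from the screenshot), containers still running as root (the posted default), non-root containers with no HOME set, and volumes mounted at /tmp or /tmp/windmill, which the maintainers say would hide data windmill needs. It assumes the rendered manifest has already been loaded into Kubernetes objects as dicts (for instance after converting `helm template` output to JSON); the four sample workloads, uid 1000, and the volume names are constructed for the example.

```python
"""Audit rendered Kubernetes workloads for the securityContext issues in this thread.

Added example, not part of windmill-helm-charts. Objects are plain dicts in the
shape a JSON-converted `helm template` output would give (assumption); the sample
workloads at the bottom are constructed, not real chart output.
"""

# Fields that belong under container.securityContext. At container level they are
# not part of the container API, which is why the reporter saw them not saved.
SECURITY_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")
# Per the maintainers, /tmp/windmill holds data windmill needs, so a volume at
# /tmp or /tmp/windmill would hide it; /tmp/home is the suggested mount instead.
SHADOWING_MOUNTS = ("/tmp", "/tmp/windmill")


def pod_spec(obj):
    """Return the pod spec of a Pod or of a pod-template workload, else None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def audit_container(owner, c):
    """Findings for one container; an empty list means it follows the advice."""
    out = []
    who = f"{owner}/{c.get('name', '?')}"
    sc = c.get("securityContext") or {}
    for field in SECURITY_FIELDS:
        if field in c:  # the mis-indented rendering from the screenshot
            out.append(f"{who}: {field} is at container level, not under securityContext")
    if sc.get("runAsNonRoot") is not True:
        out.append(f"{who}: runAsNonRoot is not true")
    if sc.get("runAsUser") == 0:
        out.append(f"{who}: runAsUser is 0 (root)")
    elif "runAsUser" not in sc:
        out.append(f"{who}: runAsUser unset, uid comes from the image")
    env = {e.get("name"): e.get("value") for e in c.get("env") or []}
    if sc.get("runAsNonRoot") is True and not env.get("HOME"):
        out.append(f"{who}: non-root but HOME not set (maintainers suggest HOME=/tmp)")
    for m in c.get("volumeMounts") or []:
        if m.get("mountPath", "").rstrip("/") in SHADOWING_MOUNTS:
            out.append(f"{who}: mount at {m['mountPath']} shadows /tmp/windmill; use /tmp/home")
    return out


def audit(objects):
    """Audit every container of every workload (List objects are unwrapped)."""
    findings = []
    for obj in objects:
        items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
        for item in items:
            spec = pod_spec(item)
            if spec is None:
                continue
            owner = f"{item.get('kind')}/{item.get('metadata', {}).get('name', '?')}"
            for c in spec.get("containers", []) + spec.get("initContainers", []):
                findings.extend(audit_container(owner, c))
    return findings


def workload(name, container):
    """Constructed Deployment wrapper for the sample containers (not chart output)."""
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [container]}}}}


# Constructed samples. BUGGY mirrors the screenshot: fields one tier above
# securityContext. DEFAULT is the placement posted from the CLI, still root.
# HARDENED follows the maintainers' advice: non-root, HOME set, /tmp/home mounted
# instead of /tmp, and the hot cache at /tmp/windmill/cache on its own volume.
# SHADOWED is HARDENED with the mount the reporter asked about, at /tmp itself.
BUGGY = workload("windmill-workers", {
    "name": "windmill-worker", "securityContext": {},
    "runAsNonRoot": False, "runAsUser": 0})
DEFAULT = workload("windmill-workers", {
    "name": "windmill-worker",
    "securityContext": {"runAsNonRoot": False, "runAsUser": 0}})
HARDENED = workload("windmill-workers", {
    "name": "windmill-worker",
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},  # uid 1000 is an assumption
    "env": [{"name": "HOME", "value": "/tmp/home"}],
    "volumeMounts": [{"name": "home", "mountPath": "/tmp/home"},
                     {"name": "cache", "mountPath": "/tmp/windmill/cache"}]})
SHADOWED = workload("windmill-workers", {
    "name": "windmill-worker",
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "env": [{"name": "HOME", "value": "/tmp"}],
    "volumeMounts": [{"name": "home", "mountPath": "/tmp"}]})

if __name__ == "__main__":
    for label, obj in (("buggy", BUGGY), ("default", DEFAULT),
                       ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(label, audit([obj]) or "no findings")
```

Run it against your own rendering by loading the converted manifest into a list of dicts and passing that to `audit()`; a clean chart gives an empty list for the worker deployment, and the screenshot's symptom shows up as the "at container level" finding even before anything is applied to the cluster.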