Update fence to run nginx as sidecar

uc-cdis · Nov 21, 2023 · b5f5d91 · b5f5d91
1 parent 5cf550a
commit b5f5d91
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 21 deletions.
diff --git a/helm/fence/README.md b/helm/fence/README.md
@@ -163,10 +163,10 @@ A Helm chart for gen3 Fence
 | serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `nil` | The Amazon Resource Name (ARN) of the role to associate with the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `"fence-sa"` | The name of the service account |
-| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx","pullPolicy":"Always","tag":"master"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
-| sidecar.image | string | `"quay.io/cdis/nginx"` | The Docker image repository for nginx |
-| sidecar.pullPolicy | string | `"Always"` | When to pull the image. |
-| sidecar.tag | string | `"master"` | Image tag. |
+| sidecar | map | `{"enabled":true,"image":"quay.io/cdis/nginx-sidecar","pullPolicy":"IfNotPresent","tag":"nginx-sidecar-feat_nginx-sidecar"}` | Configuration for Nginx sidecar container to be deployed with gunicorn. |
+| sidecar.image | string | `"quay.io/cdis/nginx-sidecar"` | The Docker image repository for nginx |
+| sidecar.pullPolicy | string | `"IfNotPresent"` | When to pull the image. |
+| sidecar.tag | string | `"nginx-sidecar-feat_nginx-sidecar"` | Image tag. |
 | tolerations | list | `[]` | Tolerations for the pods |
 | usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","secrets":{"awsAccessKeyId":"","awsSecretAccessKey":""},"slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":false}` | Configuration options for usersync cronjob. |
 | usersync.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml |

diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml
@@ -28,11 +28,10 @@ spec:
     spec:
       enableServiceLinks: false
       serviceAccountName: {{ include "fence.serviceAccountName" . }}
-      # TODO: Fix nginx image so it runs as non-root
-      # securityContext:
-      #   runAsUser: 1000
-      #   runAsGroup: 1000
-      #   fsGroup: 1000
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       volumes:
         {{- toYaml .Values.volumes | nindent 8 }}
       containers:
@@ -77,10 +76,11 @@ spec:
             {{- toYaml .Values.volumeMounts | nindent 12 }}
         {{- if .Values.sidecar.enabled }}
         - name: sidecar-nginx
-          image: {{ .Values.sidecar.image }}
+          image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}
+          imagePullPolicy: {{ .Values.sidecar.pullPolicy }}
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
           readinessProbe:
             httpGet:
               path: /_status

diff --git a/helm/fence/templates/nginx-config.yaml b/helm/fence/templates/nginx-config.yaml
@@ -5,7 +5,7 @@ metadata:
 data:
   default.conf: |
       server {
-          listen 80;
+          listen 8080;
           server_name localhost;
           location / {
               proxy_pass http://127.0.0.1:8000;  # Gunicorn binds to this address

diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml
@@ -21,11 +21,10 @@ spec:
         app: presigned-url-fence 
     spec:
       serviceAccountName: {{ include "fence.serviceAccountName" . }}
-      # TODO: Fix nginx image so it runs as non-root
-      # securityContext:
-      #   runAsUser: 1000
-      #   runAsGroup: 1000
-      #   fsGroup: 1000
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
       volumes:
         {{- toYaml .Values.volumes | nindent 8 }}
       containers:
@@ -71,7 +70,8 @@ spec:
             {{- toYaml .Values.volumeMounts | nindent 12 }}
         {{- if .Values.sidecar.enabled }}
         - name: sidecar-nginx
-          image: {{ .Values.sidecar.image }}
+          image: {{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}
+          imagePullPolicy: {{ .Values.sidecar.pullPolicy }}
           ports:
             - name: http
               containerPort: 80

diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml
@@ -122,11 +122,11 @@ image:
 sidecar:
   enabled: true
   # -- (string) The Docker image repository for nginx
-  image: quay.io/cdis/nginx
+  image: quay.io/cdis/nginx-sidecar
   # -- (string) When to pull the image.
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   # -- (string) Image tag.
-  tag: "master"
+  tag: "nginx-sidecar-feat_nginx-sidecar"
 
 # -- (list) Docker image pull secrets.
 imagePullSecrets: []