From 2e39487bd30504dbbd0ade061b22bd83ed631c0a Mon Sep 17 00:00:00 2001
From: Kevin Christen <kevin.christen@grabx.ch>
Date: Thu, 14 Mar 2024 12:35:50 +0100
Subject: [PATCH] squash: add securitycontext and missing volumeMounts

---
 k8s/squest_k8s/tasks/05-django.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/k8s/squest_k8s/tasks/05-django.yml b/k8s/squest_k8s/tasks/05-django.yml
index 65986e3bb..0f4959f40 100644
--- a/k8s/squest_k8s/tasks/05-django.yml
+++ b/k8s/squest_k8s/tasks/05-django.yml
@@ -229,6 +229,8 @@
               service: django
           spec:
             serviceAccountName: squest-sa
+            securityContext:
+              fsGroup: 999
             dnsConfig:
               options:
                 - name: ndots
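Review bot: The pod-level `securityContext` added here sets only `fsGroup: 999`, so nothing in this hunk prevents the containers from running as root or escalating privileges. If the Django image supports it, add `runAsNonRoot: true` and `runAsUser: 999` (UID assumed to match the group; confirm against the image). If the nginx container needs a different user, set these per container instead. Consider `fsGroupChangePolicy: OnRootMismatch` so the media volume is not recursively re-owned on every pod start. Container-level settings such as `allowPrivilegeEscalation: false` may already exist outside the hunk, since the pod spec continues beyond it.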
@@ -260,6 +262,11 @@
                 envFrom:
                   - configMapRef:
                       name: django-env
+                volumeMounts:
+                  - mountPath: /app/media
+                    name: django-media
+                  - mountPath: /app/Squest/ldap_config.py
+                    name: ldap-config
               - name: nginx
                 image: nginx:1.23.4-alpine
                 command: ["nginx", "-c", "/etc/nginx/squest/nginx.conf"]
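Review bot: The `ldap-config` mount targets a file path, `/app/Squest/ldap_config.py`, without a `subPath`. If the volume (defined outside this hunk) is a ConfigMap or Secret, Kubernetes will mount it as a directory at that path rather than as a single file. In that case add `subPath: ldap_config.py` (key name assumed; check the volume source). The mount also lacks `readOnly: true`, unlike the nginx mounts in the next hunk; LDAP settings usually carry bind credentials and the application should not need to write to them. The container these mounts belong to starts above the hunk.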
@@ -268,10 +275,13 @@
                 volumeMounts:
                   - name: nginx-config
                     mountPath: /etc/nginx/squest
+                    readOnly: true
                   - mountPath: /app/static
                     name: django-static
-                  - mountPath: /app/Squest/ldap_config.py
-                    name: ldap-config
+                    readOnly: true
+                  - name: django-media
+                    mountPath: /app/media
+                    readOnly: true
             restartPolicy: Always
             volumes:
               - name: django-media
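Review bot: The nginx `volumeMounts` list mixes key order: `nginx-config` and the new `django-media` entry put `name` first, while `django-static` puts `mountPath` first. Using one order throughout, for example `- name: django-static` followed by `mountPath: /app/static`, makes it easier to check that every mount in this container carries `readOnly: true`. The `volumes` list that backs these mounts continues beyond the hunk.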