Added the option for a peristed config volume

idsvr/README.md

@@ -91,6 +91,9 @@ In the table below you can find information about the parameters that are config
 | `curity.admin.logging.image` | The image that will be used to create the logging containers | `busybox:latest` |
 | `curity.admin.logging.resources` | Resource limits applied in logging containers. When set overrides `logging.resources` settings only on the admin node. | `{}` |
 | `curity.admin.resources` | Resource limits applied in admin deployment. When set overrides `resources` settings only on the admin node. | `{}` |
+| `curity.admin.securityContext.runAsUser` | The user the container in the pod will run as. | `10001` |
+| `curity.admin.securityContext.runAsGroup` | The group the container in the pod will run as. | `10000` |
+| `curity.admin.securityContext.runAsUser` | The file system group for mounted volumes. | `10000` |
 | `curity.runtime.role` | The role of the runtime servers | `default` |
 | `curity.runtime.annotations` | Extra annotations to add to the runtime deployment | `default` |
 | `curity.runtime.podLabels` | Extra labels to add to the runtime pod | `{}` |
@@ -127,6 +130,9 @@ In the table below you can find information about the parameters that are config
 | `curity.runtime.terminationGracePeriodSeconds` | Sets the termination grace period for runtime pods spawned by the Kubernetes Deployment. | `30` |
 | `curity.runtime.affinity` | Affinity for runtime pod assignment. | `{}` |
 | `curity.runtime.topologySpreadConstraints` | Topology spread constraints for runtime pod assignment (requires Kubernetes >= 1.19). | `[]` |
+| `curity.runtime.securityContext.runAsUser` | The user the container in the pod will run as. | `10001` |
+| `curity.runtime.securityContext.runAsGroup` | The group the container in the pod will run as. | `10000` |
+| `curity.runtime.securityContext.runAsUser` | The file system group for mounted volumes. | `10000` |
 | `curity.config.uiEnabled` | Flag to enable/disable the service for Admin UI and Admin REST API, ignored if `ingress.admin.enabled=true` | `false` |
 | `curity.config.password` | The administrator password. Required if `curity.config.skipInstall` is `true` or `curity.config.environmentVariableSecrets` and `curity.config.configuration`is not set | `null` |
 | `curity.config.skipInstall` | If set to `true` the installer script will not run<sup>[3](#f3)</sup> | `false`|
@@ -142,6 +148,11 @@ In the table below you can find information about the parameters that are config
 | `curity.config.postCommitScripts` | The array of post-commit scripts are mounted as a volume | `[]` |
 | `curity.config.convertKeystore` | The array of secrets containing tls certificates that will be converted to Curity format | `[]` |
 | `curity.config.backup` | If `true`, the configuration will be backed up in a secret in each commit| `false` |
+| `curity.config.persistentConfigVolume.enabled` | If `true` a persisted volume will be mounted in the admin node to persist config during deployment upgrades | `false` |
+| `curity.config.persistentConfigVolume.storageClass` | The `StorageClass` of the volume | `default` | 
+| `curity.config.persistentConfigVolume.existingClaim` | If set, an existing persisted volume claim will be used instead of a new one beeing generated. | `""` |
+| `curity.config.persistentConfigVolume.accessMode` | The access mode of the volume | `ReadWriteOnce` |
+| `curity.config.persistentConfigVolume.size` | The size of the persisted volume | `800Mi` |
 | `ingress.annotations` | Extra annotations for the Ingress resource | `{}` |
 | `ingress.runtime.enabled` | Flag to enable/disable the Ingress resource for runtime nodes | `false` |
 | `ingress.runtime.annotations` | Extra annotations for the Ingress resource for the runtime nodes, overrides `ingress.annotations` if set | `{}` |
@@ -232,6 +243,17 @@ curity:
 helm upgrade <release-name> curity/idsvr -f myValues.xml
 ``` 
 
+## Enabling the peristed configuration volume 
+
+It is possible to set the `curity.config.persistentConfigVolume.enabled` which will create a `PersistedVolumeClaim` using the defined `StorageClass`, `AccessMode` and `size`. 
+The volume will be mounted to the admin Pod under `/opt/idsvr/var/cdb`. 
+
+When this is enabled, the cluster keys are not rotated between deployment upgrades. Instead only a single key is generated during installation and will be kept for the lifetime of the deployment. 
+Also, any configuration that is stored in `/opt/idsvr/etc/init` either by `curity.config.configuration` or by included files in the image will be ignored for subsequent upgrades except the first installation. 
+
+Although enabling this setting is perfect for experimenting with the Curity Identity Server, it is not something that we suggest to be used in production as it can lead to issues that are difficult to overcome.
+
+
 ## Sending all logs to stdout
 
 If `curity.admin.logging.stdout` is `true`, the Chart will add extra containers in the pods, that will tail any

idsvr/templates/cluster-conf.yaml

@@ -1,3 +1,4 @@
+{{- if eq .Release.Revision 1 }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -41,8 +42,9 @@ data:
 
     $REQUEST_CONTENT
     EOF
-
+{{- end }}
 ---
+{{- if or (not .Values.curity.config.persistentConfigVolume.enabled) (eq .Release.Revision 1) }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -92,4 +94,5 @@ spec:
           configMap:
             name: {{ include "curity.fullname" . }}-cluster-conf-map
       serviceAccountName: {{ include "curity.fullname" . }}-service-account
-      restartPolicy: Never
+      restartPolicy: Never
+  {{- end }}

idsvr/templates/deployment-admin.yaml

@@ -34,6 +34,10 @@ spec:
               {{- .Values.curity.admin.podAnnotations | toYaml | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        runAsUser: {{ .Values.curity.admin.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.curity.admin.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.curity.admin.securityContext.fsGroup }}
       containers:
         - name: {{ .Chart.Name }}-admin
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -127,14 +131,20 @@ spec:
             periodSeconds: {{ .Values.curity.admin.readinessProbe.periodSeconds }}
             initialDelaySeconds: {{ .Values.curity.admin.readinessProbe.initialDelaySeconds }}
           volumeMounts:
+            {{- if .Values.curity.config.persistentConfigVolume.enabled }}
+            - mountPath: /opt/idsvr/var/cdb
+              name: persistent-config
+            {{- end }}
             {{- if .Values.curity.admin.logging.stdout }}
             - mountPath: /opt/idsvr/var/log/
               name: log-volume
             {{- end }}
+            {{- if or (not .Values.curity.config.persistentConfigVolume.enabled) (eq .Release.Revision 1) }}
             - mountPath: /opt/idsvr/etc/init/cluster.xml
               subPath: cluster.xml
               name: cluster-xml
               readOnly: true
+            {{- end  }}
             {{- if .Values.curity.config.backup }}
             - mountPath: /opt/idsvr/usr/bin/post-commit-scripts/backupConfig.sh
               subPath: backupConfig.sh
@@ -211,16 +221,23 @@ spec:
         - name: {{ .Values.image.pullSecret}}
       {{- end }}
       volumes:
+        {{- if .Values.curity.config.persistentConfigVolume.enabled }}
+        - name: persistent-config
+          persistentVolumeClaim:
+            claimName: {{ .Values.curity.config.persistentConfigVolume.existingClaim | default (include "curity.fullname" .) }}
+        {{- end }}
         {{- if .Values.curity.admin.logging.stdout }}
         - name: log-volume
           emptyDir: {}
         {{- end }}
+        {{- if or (not .Values.curity.config.persistentConfigVolume.enabled) (eq .Release.Revision 1) }}
         - name: cluster-xml
           secret:
             secretName: {{ include "curity.fullname" . }}-cluster-config-xml
             items:
               - key: cluster-{{ .Release.Revision }}.xml
                 path: cluster.xml
+        {{- end }}
         {{- if .Values.curity.config.configurationSecret }}
         - name: config
           secret:

idsvr/templates/deployment-runtime.yaml

@@ -36,6 +36,10 @@ spec:
               {{- .Values.curity.runtime.podAnnotations | toYaml | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        runAsUser: {{ .Values.curity.runtime.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.curity.runtime.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.curity.runtime.securityContext.fsGroup }}
       containers:
         - name: {{ .Chart.Name }}-runtime
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -202,7 +206,7 @@ spec:
           secret:
             secretName: {{ include "curity.fullname" . }}-cluster-config-xml
             items:
-              - key: cluster-{{ .Release.Revision }}.xml
+              - key: cluster-{{ ternary "1" .Release.Revision .Values.curity.config.persistentConfigVolume.enabled }}.xml
                 path: cluster.xml
         {{- if .Values.curity.config.configurationSecret }}
         - name: config

idsvr/templates/pvc.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.curity.config.persistentConfigVolume.enabled (not .Values.curity.config.persistentConfigVolume.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "curity.fullname" . }}
+  labels:
+   {{- include "curity.labels" . | nindent 4 }}
+spec:
+  storageClassName: {{ .Values.curity.config.persistentConfigVolume.storageClass }}
+  accessModes:
+    - {{ .Values.curity.config.persistentConfigVolume.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.curity.config.persistentConfigVolume.size | quote }}
+ {{- end }}

idsvr/values.yaml

@@ -31,6 +31,10 @@ curity:
     annotations: {}
     podLabels: {}
     podAnnotations: {}
+    securityContext:
+      runAsUser: 10001
+      runAsGroup: 10000
+      fsGroup: 10000
     initContainers: []
     extraVolumes: []
     extraVolumeMounts: []
@@ -81,6 +85,10 @@ curity:
     annotations: {}
     podLabels: {}
     podAnnotations: {}
+    securityContext:
+      runAsUser: 10001
+      runAsGroup: 10000
+      fsGroup: 10000
     initContainers: []
     extraVolumes: []
     extraVolumeMounts: []
@@ -153,6 +161,12 @@ curity:
     backup: false
     password:
     skipInstall: false
+    persistentConfigVolume:
+      enabled: false
+      storageClass: "default"
+      existingClaim: ""
+      accessMode: ReadWriteOnce
+      size: 800Mi
     encryptionKey:
     environmentVariableSecrets: []
     environmentVariableConfigMaps: []