- Add init container to set up config files with correct ownership
- Run main container as socktop user (UID 100, GID 101) from the start
- Use fsGroup to ensure proper volume permissions
- Add emptyDir volume for /var/lib/socktop to avoid permission issues
- Create docker-entrypoint.sh wrapper to detect root vs non-root execution
  - Root mode: uses init-config.sh for Docker/docker-compose
  - Non-root mode: directly runs entrypoint.sh for K8s
- Update deployment command format to work with new entrypoint

This resolves 'Operation not permitted' errors when running in K8s with security contexts that restrict user switching and ownership changes.
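---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: socktop-webterm
  labels:
    app: socktop-webterm
spec:
  replicas: 3
  selector:
    matchLabels:
      app: socktop-webterm
  template:
    metadata:
      labels:
        app: socktop-webterm
    spec:
      # Standard pod networking: the pod does not share the node's network namespace.
      hostNetwork: false
      dnsPolicy: ClusterFirst

      # The main container hands users a shell (restricted-shell.sh, below) and nothing
      # in this manifest uses the Kubernetes API, so keep the service-account token out
      # of the pod; otherwise a shell user could read it from
      # /var/run/secrets/kubernetes.io/serviceaccount/token. Re-enable only if the
      # application is confirmed to need API access.
      automountServiceAccountToken: false

      # Pod-level security context, inherited by the init and main containers.
      # runAsNonRoot makes the kubelet refuse to start the pod if an image ever defaults
      # back to UID 0; fsGroup makes the mounted volumes accessible to GID 101;
      # RuntimeDefault seccomp applies the container runtime's default syscall filter
      # (required by the "restricted" Pod Security Standard).
      securityContext:
        runAsNonRoot: true
        runAsUser: 100
        runAsGroup: 101
        fsGroup: 101
        seccompProfile:
          type: RuntimeDefault

      # Init container: copies the ConfigMap/Secret-provided files into the writable
      # emptyDir at /var/lib/socktop, which the main container uses as socktop's home.
      # It runs as UID 100 and writes only under /var/lib/socktop, so it drops all
      # capabilities and keeps its own root filesystem read-only.
      initContainers:
        - name: init-config
          # TODO(security): a mutable tag pulled with imagePullPolicy: Always means the
          # running code can change without a manifest change; pin to an image digest
          # (image@sha256:...) once the release process publishes one.
          image: gt.wittyoneoff.com/jason/socktop-webterm:0.2.2
          imagePullPolicy: Always
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euo pipefail
              echo "Setting up configuration directories..."
              mkdir -p /var/lib/socktop/.config/socktop/certs
              mkdir -p /var/lib/socktop/.config/alacritty

              # Config files arrive as subPath mounts from the ConfigMap; each is optional.
              if [ -f "/home/socktop/.config/socktop/profiles.json" ]; then
                cp /home/socktop/.config/socktop/profiles.json /var/lib/socktop/.config/socktop/profiles.json
                echo "Copied profiles.json"
              fi

              if [ -f "/home/socktop/.config/alacritty/alacritty.toml" ]; then
                cp /home/socktop/.config/alacritty/alacritty.toml /var/lib/socktop/.config/alacritty/alacritty.toml
                echo "Copied alacritty.toml"
              fi

              if [ -f "/home/socktop/.config/alacritty/catppuccin-frappe.toml" ]; then
                cp /home/socktop/.config/alacritty/catppuccin-frappe.toml /var/lib/socktop/.config/alacritty/catppuccin-frappe.toml
                echo "Copied catppuccin-frappe.toml"
              fi

              # Certificates come from an optional Secret. Report success only when
              # something was actually copied (the old unconditional echo hid a missing
              # Secret), and keep the copies owner-only: they may include private keys and
              # the emptyDir is writable by the main container.
              if compgen -G "/home/socktop/.config/socktop/certs/*.pem" > /dev/null; then
                cp /home/socktop/.config/socktop/certs/*.pem /var/lib/socktop/.config/socktop/certs/
                chmod 0600 /var/lib/socktop/.config/socktop/certs/*.pem
                echo "Copied certificates"
              else
                echo "No certificates found; skipping"
              fi

              # Rewrite the certificate paths recorded in profiles.json to the emptyDir location.
              if [ -f "/var/lib/socktop/.config/socktop/profiles.json" ]; then
                sed -i 's|/home/socktop/.config/socktop/rpi-|/var/lib/socktop/.config/socktop/certs/rpi-|g' /var/lib/socktop/.config/socktop/profiles.json
                echo "Updated certificate paths"
              fi

              echo "Configuration setup complete"
          volumeMounts:
            - name: config
              mountPath: /home/socktop/.config/socktop/profiles.json
              subPath: profiles.json
            - name: config
              mountPath: /home/socktop/.config/alacritty/alacritty.toml
              subPath: alacritty.toml
            - name: config
              mountPath: /home/socktop/.config/alacritty/catppuccin-frappe.toml
              subPath: catppuccin-frappe.toml
            - name: certs
              mountPath: /home/socktop/.config/socktop/certs
              readOnly: true
            - name: socktop-home
              mountPath: /var/lib/socktop
          # Same hardening as the main container: under the "restricted" Pod Security
          # Standard init containers are checked too, and this one only needs to
          # mkdir/cp/sed inside the emptyDir mount.
          securityContext:
            runAsUser: 100
            runAsGroup: 101
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true

      containers:
        - name: webterm
          # TODO(security): pin by digest (see the init container note above).
          image: gt.wittyoneoff.com/jason/socktop-webterm:0.2.2
          imagePullPolicy: Always

          # docker-entrypoint.sh checks whether it is root; per the commit message the
          # non-root path (this one) execs entrypoint.sh directly with these arguments.
          # No TLS or authentication flags are passed here, so whatever fronts port 8082
          # (Service/Ingress, not in this manifest) must provide both — the process
          # hands every connected client a shell.
          command: ["/docker-entrypoint.sh"]
          args:
            - "webterm-server"
            - "--host"
            - "0.0.0.0"
            - "--port"
            - "8082"
            - "--command"
            - "/usr/local/bin/restricted-shell.sh"

          ports:
            - name: http
              containerPort: 8082
              protocol: TCP
            # NOTE(review): nothing in this manifest starts a listener on 3001 — confirm
            # the image does, or drop the port declaration.
            - name: agent
              containerPort: 3001
              protocol: TCP

          env:
            - name: TERM
              value: "xterm-256color"
            - name: TZ
              value: "America/New_York"
            - name: RUST_LOG
              value: "info"

          resources:
            limits:
              cpu: "2000m"
              memory: "1Gi"
            requests:
              cpu: "500m"
              memory: "256Mi"

          livenessProbe:
            httpGet:
              path: /
              port: 8082
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3

          readinessProbe:
            httpGet:
              path: /
              port: 8082
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3

          # subPath ConfigMap mounts are not refreshed when the ConfigMap changes, and the
          # init container only copies at pod start, so config changes need a rollout.
          volumeMounts:
            - name: config
              mountPath: /home/socktop/.config/socktop/profiles.json
              subPath: profiles.json
            - name: config
              mountPath: /home/socktop/.config/alacritty/alacritty.toml
              subPath: alacritty.toml
            - name: config
              mountPath: /home/socktop/.config/alacritty/catppuccin-frappe.toml
              subPath: catppuccin-frappe.toml
            - name: certs
              mountPath: /home/socktop/.config/socktop/certs
              readOnly: true
            - name: socktop-home
              mountPath: /var/lib/socktop

          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # Left writable: which paths outside /var/lib/socktop the entrypoint or app
            # write to has not been verified. Tighten to true once every write is known
            # to land on a mounted volume (add an emptyDir for /tmp if needed).
            readOnlyRootFilesystem: false
            runAsUser: 100
            runAsGroup: 101

      volumes:
        - name: config
          configMap:
            name: socktop-webterm-config
        # Optional: the init container tolerates a missing Secret.
        - name: certs
          secret:
            secretName: socktop-webterm-certs
            optional: true
        # Writable home for UID 100. The init container copies certificate material
        # here, so it may hold private keys on node-local disk; a memory-backed
        # emptyDir (medium: Memory) would keep them off disk at the cost of counting
        # against the container's memory limit — consider once the app's disk needs
        # under /var/lib/socktop are known.
        - name: socktop-home
          emptyDir: {}

      restartPolicy: Always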