Merge pull request #508 from galaxyproject/uid

nuwang · web-flow · commit 6cae19c1ad5d · 2025-01-23T23:12:52.000+05:30
Updates for a different default galaxy user system uid
diff --git a/galaxy/templates/deployment-nginx.yaml b/galaxy/templates/deployment-nginx.yaml
@@ -29,7 +29,7 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "galaxy.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.securityContext | nindent 8 }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
       {{- if .Values.webHandlers.podSpecExtra -}}
         {{- tpl (toYaml .Values.webHandlers.podSpecExtra) . | nindent 6 }}
       {{- end }}
diff --git a/galaxy/templates/deployment-tusd.yaml b/galaxy/templates/deployment-tusd.yaml
@@ -32,7 +32,9 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "galaxy.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.tusd.securityContext | nindent 8 }}
+        runAsUser: {{ default .Values.securityContext.runAsUser .Values.tusd.securityContext.runAsUser }}
+        runAsGroup: {{ default .Values.securityContext.runAsGroup .Values.tusd.securityContext.runAsGroup }}
+        fsGroup: {{ default .Values.securityContext.fsGroup .Values.tusd.securityContext.fsGroup }}
       {{- if .Values.tusd.podSpecExtra -}}
         {{- tpl (toYaml .Values.webHandlers.podSpecExtra) . | nindent 6 }}
       {{- end }}
diff --git a/galaxy/templates/jobs-init.yaml b/galaxy/templates/jobs-init.yaml
@@ -19,7 +19,9 @@ spec:
         checksum/galaxy_extras: {{ include (print $.Template.BasePath "/configmap-extra-files.yaml") . | sha256sum }}
     spec:
       securityContext:
-        {{- toYaml .Values.setupJob.securityContext | nindent 8 }}
+        runAsUser: {{ default .Values.securityContext.runAsUser .Values.setupJob.securityContext.runAsUser }}
+        runAsGroup: {{ default .Values.securityContext.runAsGroup .Values.setupJob.securityContext.runAsGroup }}
+        fsGroup: {{ default .Values.securityContext.fsGroup .Values.setupJob.securityContext.fsGroup }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -29,7 +31,7 @@ spec:
         - name: {{ .Chart.Name }}-wait-postgres
           image: {{ .Values.jobs.init.image.repository }}:{{ .Values.jobs.init.image.tag }}
           imagePullPolicy: {{ .Values.jobs.init.image.pullPolicy }}
-          command: ['sh', '-c', 'echo Chown mount path; chown 101:101 {{ .Values.persistence.mountPath }}; echo Begin waiting for postgres; until nc -z -w3 {{ template "galaxy-postgresql.servicename" . }} 5432; do echo waiting for galaxy-postgres service; sleep 1; done; echo done;']
+          command: ['sh', '-c', 'echo Chown mount path; chown {{ .Values.securityContext.fsUser}}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }}; echo Begin waiting for postgres; until nc -z -w3 {{ template "galaxy-postgresql.servicename" . }} 5432; do echo waiting for galaxy-postgres service; sleep 1; done; echo done;']
           volumeMounts:
             - name: galaxy-data
               mountPath: {{ .Values.persistence.mountPath }}
diff --git a/galaxy/values.yaml b/galaxy/values.yaml
@@ -180,8 +180,12 @@ rbac:
   enabled: true
 
 securityContext:
+  #- UID of the system user used by jobs. This user must exist in the container.
+  runAsUser: 10001
+  #- GID of the system group used by jobs. This group must exist in the container.
+  runAsGroup: 10001
   #- Security context and file system group used by jobs.
-  fsGroup: 101
+  fsGroup: 10001
 
 #- Configure the PVC used by Galaxy for local storage.
 persistence:
@@ -211,13 +215,7 @@ extraVolumeMounts: []
 setupJob:
   #- create the database
   createDatabase: true
-  securityContext:
-    #- the setup jobs will run as this user
-    runAsUser: 101
-    #- the `runAsUser` will belong to this group.
-    runAsGroup: 101
-    #- the filesystem group
-    fsGroup: 101
+  securityContext: {}
   ttlSecondsAfterFinished: 300
   downloadToolConfs:
     enabled: true
@@ -482,8 +480,8 @@ configs:
           {{- end }}
         k8s_namespace: "{{ .Release.Namespace }}"
         k8s_galaxy_instance_id: "{{ .Release.Name }}"
-        k8s_fs_group_id: "101"
-        k8s_supplemental_group_id: "101"
+        k8s_fs_group_id: "{{ .Values.securityContext.fsGroup }}"
+        k8s_supplemental_group_id: "{{ .Values.securityContext.fsGroup }}"
         k8s_pull_policy: IfNotPresent
         k8s_cleanup_job: onsuccess
         k8s_job_ttl_secs_after_finished: 90
@@ -766,10 +764,7 @@ tusd:
   annotations: {}
   podAnnotations: {}
   podSpecExtra: {}
-  securityContext:
-    runAsUser: 101
-    runAsGroup: 101
-    fsGroup: 101
+  securityContext: {}
   image:
     repository: tusproject/tusd
     tag: v1.13.0
