rootless api

library/ix-dev/community/vikunja/Chart.yaml

@@ -5,7 +5,7 @@ annotations:
 type: application
 version: 1.0.0
 apiVersion: v2
-appVersion: latest
+appVersion: 0.21.0
 kubeVersion: '>=1.16.0-0'
 maintainers:
   - name: truenas

library/ix-dev/community/vikunja/ci/extra-values.yaml

@@ -0,0 +1,23 @@
+vikunjaNetwork:
+  webPort: 31000
+
+vikunjaConfig:
+  url: http://localhost:31000
+  maxFileSize: 20
+
+vikunjaRunAs:
+  user: 1000
+  group: 1000
+
+vikunjaStorage:
+  data:
+    type: pvc
+  pgData:
+    type: pvc
+  pgBackup:
+    type: emptyDir
+  additionalStorages:
+  - type: pvc
+    mountPath: /data1
+  - type: pvc
+    mountPath: /data2

library/ix-dev/community/vikunja/metadata.yaml

@@ -1,9 +1,9 @@
 runAsContext:
-  - userName: root
-    groupName: root
-    gid: 0
-    uid: 0
-    description: Vikunja API runs as root user.
+  - userName: vikunja
+    groupName: vikunja
+    gid: 568
+    uid: 568
+    description: Vikunja API can run as any non-root user
   - userName: nginx
     groupName: nginx
     gid: 101
@@ -19,11 +19,5 @@ runAsContext:
     gid: 999
     uid: 999
     description: Postgres runs as a non-root user.
-capabilities:
-  - name: CHOWN
-    description: Vikunka API is able to chown files.
-  - name: SETGID
-    description: Vikunka API is able to set group ID for it's sub-processes.
-  - name: SETUID
-    description: Vikunka API is able to set user ID for it's sub-processes.
+capabilities: []
 hostMounts: []

library/ix-dev/community/vikunja/questions.yaml

@@ -1,6 +1,8 @@
 groups:
   - name: Vikunja Configuration
     description: Configure Vikunja
+  - name: User and Group Configuration
+    description: Configure User and Group for Vikunja
   - name: Network Configuration
     description: Configure Network for Vikunja
   - name: Storage Configuration
@@ -77,6 +79,29 @@ questions:
                         type: string
                         required: true
 
+  - variable: vikunjaRunAs
+    label: ""
+    group: User and Group Configuration
+    schema:
+      type: dict
+      attrs:
+        - variable: user
+          label: User ID
+          description: The user id that Vikunja will run as.
+          schema:
+            type: int
+            min: 2
+            default: 568
+            required: true
+        - variable: group
+          label: Group ID
+          description: The group id that Vikunja will run as.
+          schema:
+            type: int
+            min: 2
+            default: 568
+            required: true
+
   - variable: vikunjaNetwork
     label: ""
     group: Network Configuration

library/ix-dev/community/vikunja/templates/_vikunja_api.tpl

@@ -12,15 +12,14 @@ workload:
           primary: true
           imageSelector: image
           securityContext:
-            runAsUser: 0
-            runAsGroup: 0
+            runAsUser: {{ .Values.vikunjaRunAs.user }}
+            runAsGroup: {{ .Values.vikunjaRunAs.group }}
             runAsNonRoot: false
-            readOnlyRootFilesystem: false
-            capabilities:
-              add:
-                - CHOWN
-                - SETGID
-                - SETUID
+
+          env:
+            # Make vikunja skip user creation
+            PUID: ""
+            PGID: ""
           envFrom:
             - secretRef:
                 name: vikunja-creds

library/ix-dev/community/vikunja/values.yaml

@@ -21,6 +21,10 @@ vikunjaConfig:
   maxFileSize: 20
   additionalEnvs: []
 
+vikunjaRunAs:
+  user: 568
+  group: 568
+
 vikunjaNetwork:
   webPort: 31002