add runAs selection

2026-04-14 10:40:31 +08:00 · 2023-11-03 17:01:37 +02:00
parent 103f2043f2
commit 842597ea3a
5 changed files with 74 additions and 3 deletions
--- a/library/ix-dev/community/mealie/ci/extra-values.yaml
+++ b/library/ix-dev/community/mealie/ci/extra-values.yaml
@@ -8,6 +8,10 @@ mealieConfig:
  defaultAdminPassword: supersecret
  baseURL: http://localhost:31000

+mealieRunAs:
+  user: 1000
+  group: 1000
+
 mealieStorage:
  pgData:
    type: pvc
--- a/library/ix-dev/community/mealie/metadata.yaml
+++ b/library/ix-dev/community/mealie/metadata.yaml
@@ -0,0 +1,13 @@
+runAsContext:
+  - userName: mealie
+    groupName: mealie
+    gid: 568
+    uid: 568
+    description: Mealie can runs as any non-root user.
+  - userName: postgres
+    groupName: postgres
+    gid: 999
+    uid: 999
+    description: Postgres runs as a non-root user.
+capabilities: []
+hostMounts: []
--- a/library/ix-dev/community/mealie/templates/_configuration.tpl
+++ b/library/ix-dev/community/mealie/templates/_configuration.tpl
@@ -0,0 +1,49 @@
+{{- define "mealie.configuration" -}}
+  {{- $fullname := (include "ix.v1.common.lib.chart.names.fullname" $) -}}
+
+  {{- $dbHost := (printf "%s-postgres" $fullname) -}}
+  {{- $dbUser := "mealie" -}}
+  {{- $dbName := "mealie" -}}
+
+  {{- $dbPass := (randAlphaNum 32) -}}
+  {{- with (lookup "v1" "Secret" .Release.Namespace (printf "%s-postgres-creds" $fullname)) -}}
+    {{- $dbPass = ((index .data "POSTGRES_PASSWORD") | b64dec) -}}
+  {{- end -}}
+
+  {{- $dbURL := (printf "postgres://%s:%s@%s:5432/%s?sslmode=disable" $dbUser $dbPass $dbHost $dbName) -}}
+  {{/* Temporary set dynamic db details on values,
+  so we can print them on the notes */}}
+  {{- $_ := set .Values "mealieDbPass" $dbPass -}}
+  {{- $_ := set .Values "mealieDbHost" $dbHost -}}
+
+secret:
+  mealie:
+    enabled: true
+    data:
+      DB_ENGINE: postgres
+      POSTGRES_USER: {{ $dbUser }}
+      POSTGRES_PASSWORD: {{ $dbPass }}
+      POSTGRES_SERVER: {{ $dbHost }}
+      POSTGRES_PORT: "5432"
+      POSTGRES_DB: {{ $dbName }}
+
+  postgres-creds:
+    enabled: true
+    data:
+      POSTGRES_USER: {{ $dbUser }}
+      POSTGRES_DB: {{ $dbName }}
+      POSTGRES_PASSWORD: {{ $dbPass }}
+      POSTGRES_HOST: {{ $dbHost }}
+      POSTGRES_URL: {{ $dbURL }}
+
+configmap:
+  mealie:
+    enabled: true
+    data:
+      API_PORT: {{ .Values.mealieNetwork.webPort | quote }}
+      BASE_URL: {{ .Values.mealieConfig.baseURL | quote }}
+      ALLOW_SIGNUP: {{ .Values.mealieConfig.allowSignup | quote }}
+      DEFAULT_GROUP: {{ .Values.mealieConfig.defaultGroup | quote }}
+      DEFAULT_EMAIL: {{ .Values.mealieConfig.defaultAdminEmail | quote }}
+      DEFAULT_PASSWORD: {{ .Values.mealieConfig.defaultAdminPassword | quote }}
+{{- end -}}
--- a/library/ix-dev/community/mealie/templates/_mealie.tpl
+++ b/library/ix-dev/community/mealie/templates/_mealie.tpl
@@ -12,10 +12,11 @@ workload:
          primary: true
          imageSelector: image
          securityContext:
-            # TODO: Check if we can use arbitrary user IDs
-            runAsUser: 911
-            runAsGroup: 911
+            runAsUser: {{ .Values.mealieRunAs.user }}
+            runAsGroup: {{ .Values.mealieRunAs.group }}
            readOnlyRootFilesystem: false
+          fixedEnv:
+            PUID: {{ .Values.mealieRunAs.user }}
          envFrom:
            - secretRef:
                name: mealie
--- a/library/ix-dev/community/mealie/values.yaml
+++ b/library/ix-dev/community/mealie/values.yaml
@@ -16,6 +16,10 @@ mealieConfig:
  baseURL: ''
  additionalEnvs: []

+mealieRunAs:
+  user: 568
+  group: 568
+
 mealieNetwork:
  webPort: 31001
  hostNetwork: false