From 125b844060f262111be0ef2c22fb2e47f2df639e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 21 Mar 2026 16:55:35 +1100
Subject: [PATCH] chore: tidy initContainers - make initcontainers easier to read/follow
---
 apps/base/puppet/deployment_puppetdb.yaml | 39 +++++++++++--------
 .../deployment_puppetserver-compiler.yaml | 32 ++++++++-------
 .../deployment_puppetserver-master.yaml | 35 +++++++++--------
 3 files changed, 57 insertions(+), 49 deletions(-)
diff --git a/apps/base/puppet/deployment_puppetdb.yaml b/apps/base/puppet/deployment_puppetdb.yaml
index 84551bd..20482f7 100644
--- a/apps/base/puppet/deployment_puppetdb.yaml
+++ b/apps/base/puppet/deployment_puppetdb.yaml
@@ -84,12 +84,8 @@ spec: command: - sh - -c + args: - mkdir -p /opt/puppetlabs/server/data/puppetdb/logs && chown 999:999 /opt/puppetlabs/server/data/puppetdb/logs - volumeMounts: - - mountPath: /opt/puppetlabs/server/data/puppetdb - name: puppetdb-storage - securityContext: - runAsUser: 0 resources: limits: cpu: 20m
@@ -97,18 +93,25 @@ spec: requests: cpu: 20m memory: 32Mi - - command: + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /opt/puppetlabs/server/data/puppetdb + name: puppetdb-storage + + - name: pgchecker + image: docker.io/busybox:1.37 + imagePullPolicy: IfNotPresent + command: - sh - -c + args: - | echo 'Waiting for PostgreSQL to become ready...' until printf "." && nc -z -w 2 puppet-postgres-pooler 5432; do sleep 2; done; echo 'PostgreSQL OK ✓' - image: docker.io/busybox:1.37 - imagePullPolicy: IfNotPresent - name: pgchecker resources: limits: cpu: 20m
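Review bot: In the second hunk (`@@ -97`) the relocated `securityContext` of the mkdir/chown init container is still just `runAsUser: 0`, so it keeps root's full capability set, while the `perms-and-dirs` containers in the compiler and master files of this same patch run as root with `drop: - all` plus an explicit `add:` list, and the `pgchecker` and `wait-puppetserver` containers in this very file set `allowPrivilegeEscalation: false`. Since the block is being moved anyway, this is the moment to bring it in line: keep `runAsUser: 0`, add `allowPrivilegeEscalation: false`, and drop every capability except the ones the `mkdir -p` / `chown 999:999` actually need. The first init container's `name:` and `image:` lie above the hunk, so whether it follows the other files' naming is not visible here. A minimal version is sketched below; confirm the exact capability set against the runtime, since a too-small list shows up as `Init:Error` on first start.
```yaml
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
              add:
                - CHOWN          # chown 999:999 of the logs dir
                - FOWNER         # TODO confirm actually needed
                - DAC_OVERRIDE   # TODO confirm actually needed
          # … unchanged: volumeMounts for puppetdb-storage …
```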
@@ -117,22 +120,24 @@ spec: cpu: 20m memory: 32Mi securityContext: - allowPrivilegeEscalation: false + runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 - - command: + allowPrivilegeEscalation: false + + - name: wait-puppetserver + image: curlimages/curl:8.11.1 + imagePullPolicy: IfNotPresent + command: - sh - -c + args: - | echo 'Waiting for puppetserver to become ready...' until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do sleep 2; done; echo 'Puppetserver OK ✓' - image: curlimages/curl:8.11.1 - imagePullPolicy: IfNotPresent - name: wait-puppetserver resources: limits: cpu: 20m
@@ -141,10 +146,10 @@ spec: cpu: 20m memory: 32Mi securityContext: - allowPrivilegeEscalation: false + runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + allowPrivilegeEscalation: false volumes: - name: puppetdb-storage persistentVolumeClaim:
diff --git a/apps/base/puppet/deployment_puppetserver-compiler.yaml b/apps/base/puppet/deployment_puppetserver-compiler.yaml
index af6e651..4a0a08c 100644
--- a/apps/base/puppet/deployment_puppetserver-compiler.yaml
+++ b/apps/base/puppet/deployment_puppetserver-compiler.yaml
@@ -128,25 +128,26 @@ spec: - mountPath: /configmaps/autosign.conf name: compiler-autosign-conf subPath: autosign.conf - - args: - - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; - mkdir -p /etc/puppetlabs/code/environments; - mkdir -p /etc/puppetlabs/puppet/manifests; - chown -R puppet:puppet /etc/puppetlabs; - chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml; - mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/; - touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde; - chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/; + + - name: perms-and-dirs + image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main + imagePullPolicy: IfNotPresent command: - sh - -c + args: + - | + mkdir -p /etc/puppetlabs/puppet/eyaml/keys + mkdir -p /etc/puppetlabs/code/environments + mkdir -p /etc/puppetlabs/puppet/manifests + chown -R puppet:puppet /etc/puppetlabs + chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml + mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/ + touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde + chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/ env: - name: PUPPETSERVER_JAVA_ARGS value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false - envFrom: null - image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main - imagePullPolicy: IfNotPresent - name: perms-and-dirs resources: limits: cpu: 300m
@@ -155,6 +156,8 @@ spec: cpu: 200m memory: 128Mi securityContext: + runAsUser: 0 + runAsNonRoot: false capabilities: add: - CAP_CHOWN
@@ -171,13 +174,12 @@ spec: - FOWNER drop: - all - runAsNonRoot: false - runAsUser: 0 volumeMounts: - mountPath: /etc/puppetlabs/code/ name: puppet-code-volume - mountPath: /etc/puppetlabs/puppet/ name: puppet-puppet-volume + - name: setup-shared-bins image: git.unkin.net/unkin/almalinux9-base:20260308 command:
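Review bot: The new `|` block of `perms-and-dirs` (`@@ -128`) runs its lines under `sh -c` without `set -e`, so a failing `mkdir`, `chown` or `touch` is ignored and the init container's exit status is that of the final `chown` alone — the same behaviour as the old `;`-joined string, but the rewrite is the moment to close it. Making `set -eu` the first line of the block turns such failures into an `Init:Error` instead of letting puppetserver start on directories with the wrong ownership; if `/etc/puppetlabs/puppet/r10k.yaml` may legitimately be absent, guard that line explicitly (`if [ -f /etc/puppetlabs/puppet/r10k.yaml ]; then chown puppet:puppet /etc/puppetlabs/puppet/r10k.yaml; fi`) rather than relying on the silent failure. The master file's `perms-and-dirs` block (`@@ -99`) has the same gap, and there it also covers the unguarded `cp`/`bash` of `check_for_masters.sh`. The capability list that straddles `@@ -155` and `@@ -171` mixes `CAP_CHOWN` with bare `FOWNER`; Kubernetes documents the un-prefixed form and common runtimes accept both, but one spelling should be used. The `PUPPETSERVER_JAVA_ARGS` context line configures an unauthenticated, non-TLS JMX listener on port 31000 — inert on this `sh -c` init container and pre-existing, but worth a separate follow-up if the same value also reaches the main container.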
diff --git a/apps/base/puppet/deployment_puppetserver-master.yaml b/apps/base/puppet/deployment_puppetserver-master.yaml
index ca1275a..a2a1230 100644
--- a/apps/base/puppet/deployment_puppetserver-master.yaml
+++ b/apps/base/puppet/deployment_puppetserver-master.yaml
@@ -99,27 +99,28 @@ spec: name: vault-ca-cert subPath: ca.crt initContainers: - - args: - - mkdir -p /etc/puppetlabs/puppet/eyaml/keys; - cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh; - chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh; - chmod +x /etc/puppetlabs/puppet/check_for_masters.sh; - bash /etc/puppetlabs/puppet/check_for_masters.sh; - mkdir -p /etc/puppetlabs/code/environments; - mkdir -p /etc/puppetlabs/puppet/manifests; - chown -R puppet:puppet /etc/puppetlabs; - mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/; - touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde; - chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/; + - name: perms-and-dirs + image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main + imagePullPolicy: IfNotPresent command: - sh - -c + args: + - | + mkdir -p /etc/puppetlabs/puppet/eyaml/keys + cp /tmp/puppet/configmap/check_for_masters.sh /etc/puppetlabs/puppet/check_for_masters.sh + chown puppet:puppet /etc/puppetlabs/puppet/check_for_masters.sh + chmod +x /etc/puppetlabs/puppet/check_for_masters.sh + bash /etc/puppetlabs/puppet/check_for_masters.sh + mkdir -p /etc/puppetlabs/code/environments + mkdir -p /etc/puppetlabs/puppet/manifests + chown -R puppet:puppet /etc/puppetlabs + mkdir -p /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/ + touch /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde + chown puppet:puppet -R /opt/puppetlabs/server/data/puppetserver/ envFrom: - configMapRef: name: puppetserver-init-config - image: ghcr.io/openvoxproject/openvoxserver:8.8.0-main - imagePullPolicy: IfNotPresent - name: perms-and-dirs resources: limits: cpu: 300m
@@ -128,6 +129,8 @@ spec: cpu: 200m memory: 128Mi securityContext: + runAsUser: 0 + runAsNonRoot: false capabilities: add: - CAP_CHOWN
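Review bot: `bash /etc/puppetlabs/puppet/check_for_masters.sh` in the `perms-and-dirs` block (`@@ -99`) executes the copy placed on the `/etc/puppetlabs/puppet/` volume (mounted from `puppet-puppet-storage`, per this container's `volumeMounts` in `@@ -144`) rather than the ConfigMap source under `/tmp/puppet/configmap/`. Nothing in the block stops on error, so if the `cp` fails the script left on the volume by an earlier start, whatever it contained, is the one run as root. Running the source directly, `bash /tmp/puppet/configmap/check_for_masters.sh`, removes that window and makes the `chmod +x` unnecessary (it is already redundant, since the script is launched through `bash`); keep the `cp` only if the main container needs the file at that path, which is not visible here. The script's inputs arrive through `envFrom` from the `puppetserver-init-config` ConfigMap, so it is also worth confirming that `check_for_masters.sh` itself exits non-zero on failure, because the block as written only reports the status of its last `chown`.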
@@ -144,8 +147,6 @@ spec: - FOWNER drop: - all - runAsNonRoot: false - runAsUser: 0 volumeMounts: - mountPath: /etc/puppetlabs/puppet/ name: puppet-puppet-storage