From 32880c9ca5f2d7e5ba8488406f6bcbddfb92c06c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Huss?=
Date: Wed, 29 May 2024 12:56:08 +0200
Subject: [PATCH] fix
---
 apps/taiga/taiga_ConfigMap.tf | 31 +++++++++++++++----------------
 apps/taiga/taiga_Job.tf | 26 +++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 17 deletions(-)
diff --git a/apps/taiga/taiga_ConfigMap.tf b/apps/taiga/taiga_ConfigMap.tf
index 6d76da4..ae55277 100644
--- a/apps/taiga/taiga_ConfigMap.tf
+++ b/apps/taiga/taiga_ConfigMap.tf
@@ -25,6 +25,8 @@ resource "kubectl_manifest" "cm_env_back" {
 OPENID_USER_URL: "${module.oauth2.sso_userinfo_url}"
 WEBHOOKS_ALLOW_PRIVATE_ADDRESS: "${var.webhook.allow_private_addr?"True":"False"}"
 WEBHOOKS_ALLOW_REDIRECTS: "${var.webhook.allow_private_addr?"True":"False"}"
+ DJANGO_SUPERUSER_USERNAME: "admin"
+ DJANGO_SUPERUSER_EMAIL: "admin@${var.domain_name}"
 EOF
 }
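Review bot: The superuser name is hard-coded to `admin` in the added `DJANGO_SUPERUSER_USERNAME` line, which makes the privileged account name predictable for every deployment; exposing it as a Terraform variable, the way `var.domain_name` is already used for the e-mail, would let each deployment choose it. `createsuperuser --noinput` also reads `DJANGO_SUPERUSER_PASSWORD`, which is not in this hunk; it belongs in a Secret referenced from the Job's `env`, not in this ConfigMap, since ConfigMap contents are readable by anyone with read access to the namespace. As far as I recall, Django creates the account with an unusable password when that variable is absent, so confirm the Job actually supplies it. The `cm_env_back` heredoc starts before this hunk.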
@@ -72,22 +74,19 @@ resource "kubectl_manifest" "cm_scripts" {
 else
 export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 fi
- postconfig.py: |-
- #!/usr/bin/env python
- import time
- import requests
- import subprocess
-
- print('Waiting for backend ...')
- while requests.get('http://${kubectl_manifest.svc_back.name}/api/v1/').status_code != 200:
- print('...')
- time.sleep(2)
-
- if len(str(subprocess.check_output(['python', 'manage.py', 'dumpdata', 'projects.projecttemplate']))) < 5:
- print(subprocess.check_output(['python', 'manage.py', 'loaddata', 'initial_project_templates']))
-
- if str(subprocess.check_output(['python', 'manage.py', 'dumpdata', 'users.user'], cwd='/taiga-back')).find('\"is_superuser\": true') == -1:
- print(subprocess.check_output(['python', 'manage.py', 'loaddata', 'initial_user'], cwd='/taiga-back'))
+ postconfig.sh: |-
+ #!/usr/bin/env bash
+ export PATH="/opt/venv/bin/:$PATH" TAIGA_URL="http://${module.service.name}" TAIGA_SITES_DOMAIN="${module.service.name}" TAIGA_SITES_SCHEME=http
+ if [ $(python manage.py dumpdata projects.projecttemplate|wc -c) -lt 1000 ];then
+ python manage.py loaddata initial_project_templates
+ else
+ echo "skipping loading initial templates : already here"
+ fi
+ if ! python 'manage.py' 'dumpdata' users.user|grep -q '"is_superuser": true';then
+ python manage.py createsuperuser --noinput
+ else
+ python 'manage.py' 'dumpdata' users.user
+ fi
 EOF
 }
diff --git a/apps/taiga/taiga_Job.tf b/apps/taiga/taiga_Job.tf
index 0dc8feb..a560ffb 100644
--- a/apps/taiga/taiga_Job.tf
+++ b/apps/taiga/taiga_Job.tf
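Review bot: The `else` branch of the superuser check in the new `postconfig.sh` runs `python 'manage.py' 'dumpdata' users.user` with its output going to stdout, so every run after the first writes the full user table — password hashes and e-mail addresses included — into the Job's pod logs and whatever aggregates them; replace that line with `echo "skipping superuser creation : already here"`, mirroring the template branch. The script also has no error handling: a failing `loaddata` or `createsuperuser` still exits 0 and the Job is marked complete, so add `set -euo pipefail` right after the shebang. The `wc -c ... -lt 1000` heuristic is fragile too — if `dumpdata` fails, the substitution is empty, `[` errors out and the skip branch is taken silently — so a `grep -q` for a known template field, as the superuser branch already does, would be more robust. The `cm_scripts` heredoc starts before this hunk.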
@@ -12,11 +12,26 @@ resource "kubectl_manifest" "Job_taiga-createinitialtemplates" {
 template:
 spec:
 restartPolicy: Never
+ initContainers:
+ - name: wait-for-svc
+ image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
+ imagePullPolicy: ${var.images.back.pull_policy}
+ command: ["/bin/bash", "-c"]
+ args: ["set -o pipefail;for i in {1..200};do (echo > /dev/tcp/${module.service.name}/80) && exit 0; sleep 2;done; exit 1"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsGroup: 0
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: postconfig
 image: "${var.images.back.registry}/${var.images.back.repository}:${var.images.back.tag}"
 imagePullPolicy: ${var.images.back.pull_policy}
- command: ["/scripts/postconfig.py"]
+ command: ["/scripts/postconfig.sh"]
 env:
 - name: POSTGRES_PASSWORD
 valueFrom:
@@ -31,6 +46,15 @@ resource "kubectl_manifest" "Job_taiga-createinitialtemplates" {
 volumeMounts:
 - name: scripts
 mountPath: /scripts
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsGroup: 0
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: scripts
 configMap:
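Review bot: The same nine-line `securityContext` block is duplicated for the `wait-for-svc` init container here and for the `postconfig` container in the second hunk (`@@ -31,6 +46,15 @@`); `runAsUser`, `runAsGroup`, `runAsNonRoot` and `seccompProfile` are all valid at pod level under `spec.securityContext`, so they could be declared once and only `allowPrivilegeEscalation` and `capabilities` kept per container. `runAsGroup: 0` leaves the non-root process in the root group, giving it access to anything group-root-writable in the image, so a non-zero GID is preferable unless the image depends on it, and `readOnlyRootFilesystem: true` is missing if the script writes nothing outside the mounted volumes. The new readiness wait is weaker than the removed Python loop: `/dev/tcp` only checks that port 80 accepts a connection, whereas the old script polled `/api/v1/` for HTTP 200, so the Job may start before the backend is fully up — presumably acceptable since `postconfig.sh` runs `manage.py` against the database rather than the API, but worth confirming. The Job manifest continues outside both hunks.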