build: add securityContext and fix rabbitMQ cookie

deployment/README.md

@@ -80,6 +80,26 @@ curl -X POST \
 The helm chart utilizes scheduled TLS certificate fetching from [Let's
 Encrypt](https://letsencrypt.org/).
 
+## Security context
+Many clusters feature security policy that forbids various actions in cluster. Usually, security policy includes requirement that resources must be deployed under non-root user. The requirement is satisfied by setting `securityContext` section in resources. 
+
+`Values.yaml` offer setting security context only for Kubernetes clusters. It is set on three places:
+- `mongodb.initContainer.runAsRoot` for settings related to mongoDB init container
+- `mongodb.securityContext` for settings related to mongoDB
+- `securityContext` for all other resources supporting security context
+
+If you wish to run all your deployments under root, leave `securityContext`, set `mongodb.securityContext.runAsUser` to `0`, `mongodb.securityContext.runAsNonRoot` to `false` and `mongodb.initContainer.runAsRoot` to `true`. 
+
+[MongoDB deployment](https://github.com/elixir-cloud-aai/cwl-WES/blob/dev/deployment/templates/mongodb/mongodb-deployment.yaml#L17) includes init container that runs only as root. If you can't run deployments under root, you should set `securityContext` and `mongodb.securityContext` sections to your needs and `mongodb.initContainer.runAsRoot` to `false` (leads to disabling root initContainer). `securityContext` is map of key value pairs that are directly translated to Kubernetes security context so you can set all key-value pairs allowed in the section, e.g.:
+```
+securityContext:                                                                
+  runAsUser: 1000
+  runAsNonRoot: true
+  fsGroup: 1001
+```
+
+If you don't want to run under root but you are not forced to run non-root, you can set security contexts as you wish where e.g. the `securityContext` and  `mongodb.securityContext` will be set to non-root and `mongodb.initContainer.runAsRoot` to `true` to keep the init container (chown can be done only under root user). 
+
 ## To do
 
 - Test autocert with vanilla Kubernetes
@@ -111,6 +131,7 @@ See [`values.yaml`](values.yaml) for default values.
 | mongodb.databasePassword | string | user password for MongoDB |
 | mongodb.databaseUser | string | username for MongoDB |
 | mongodb.image | string | container image to be used to run MongoDB |
+| mongodb.initContainer.runAsRoot | bool | whether run init container under root user, see section `Security Context` for more information |
 | mongodb.mountPath| string | for K8S, where to mount the PVC |
 | mongodb.pullPolicy | string | pull Policy for container image |
 | mongodb.securityContext.enabled | string | for K8S, whether security is enabled (to solve issues with newly created PVC) |
@@ -121,6 +142,7 @@ See [`values.yaml`](values.yaml) for default values.
 | rabbitmq.appName | string | name of RabbitMQ app on Kubernetes cluster |
 | rabbitmq.image | string | container image to be used to run RabbitMQ |
 | rabbitmq.volumeSize | string | size of volume reserved for RabbitMQ broker |
+| securityContext | map | for K8s, if uncommented the section is used as Kubernetes `securityContext`, see section `Security Context` |
 | storageAccessMode | string | access mode for MongoDB and RabbitMQ PVC |
 | tlsSecret | string | secret for TLS encryption |
 | wes.appName | string | name of the main application on Kubernetes cluster |

deployment/templates/flower/flower-deployment.yaml

@@ -19,4 +19,7 @@ spec:
         command: ['flower']
         args: ['--broker=amqp://guest:guest@rabbitmq:5672//', '--port=5555', '--basic_auth={{ .Values.flower.basicAuth }}']
         name: flower
-
+{{- if .Values.securityContext }}
+      securityContext:
+{{- toYaml .Values.securityContext | nindent 8 -}} 
+{{- end }}

deployment/templates/mongodb/mongodb-deployment.yaml

@@ -14,7 +14,7 @@ spec:
       labels:
         app: {{ .Values.mongodb.appName }}
     spec:
-      {{ if eq .Values.clusterType "kubernetes" }}
+      {{- if and (eq .Values.clusterType "kubernetes") .Values.mongodb.initContainer.runAsRoot }}
       initContainers:
         - name: volume-permissions
           image: busybox
@@ -25,7 +25,7 @@ spec:
           volumeMounts:
             - name: mongodb-data
               mountPath: {{ .Values.mongodb.mountPath }}
-      {{ end }}
+      {{- end }}
       containers:
         - env:
           - name: MONGODB_USER
@@ -79,11 +79,11 @@ spec:
           resources:
             limits:
               memory: 512Mi
-          {{ if eq .Values.clusterType "kubernetes" }}
+          {{- if eq .Values.clusterType "kubernetes" }}
           securityContext:
             runAsNonRoot: {{ .Values.mongodb.securityContext.runAsNonRoot }}
             runAsUser: {{ .Values.mongodb.securityContext.runAsUser }}
-          {{ end }}
+          {{- end }}
           volumeMounts:
             - mountPath: /var/lib/mongodb/data
               name: mongodb-data

deployment/templates/rabbitmq/rabbitmq-deployment.yaml

@@ -17,11 +17,21 @@ spec:
       containers:
       - name: rabbitmq
         image: {{ .Values.rabbitmq.image }}
+        command:
+          - /bin/sh
+          - -c
+          - |
+            chmod g-rw /var/lib/rabbitmq/.erlang.cookie;    # If rabbitMQ deployment is restarted (e.g. cluster failure) cookie has incorrect permissions
+            /opt/rabbitmq/sbin/rabbitmq-server              # Solved by chmod before calling rabbitmq (https://github.com/elixir-cloud-aai/cwl-WES/issues/232)
         volumeMounts:
         - mountPath: /var/lib/rabbitmq
           name: rabbitmq-volume
       volumes:
       - name: rabbitmq-volume
         persistentVolumeClaim:
           claimName: {{ .Values.rabbitmq.appName }}-volume
+{{- if .Values.securityContext }}
+      securityContext:
+{{- toYaml .Values.securityContext | nindent 8 -}}
+{{- end }}
 

deployment/templates/wes/celery-deployment.yaml

@@ -82,4 +82,7 @@ spec:
           items:
           - key: netrc
             path: .netrc
-
+{{- if .Values.securityContext }}
+      securityContext:
+{{- toYaml .Values.securityContext | nindent 8 -}} 
+{{- end }}

deployment/templates/wes/wes-configmap.yaml

@@ -22,5 +22,9 @@ spec:
           value: {{ .Values.wes.appName }}
       restartPolicy: Never
       serviceAccountName: {{ .Values.wes.appName }}-autoadmin
+{{- if .Values.securityContext }}
+      securityContext:
+{{- toYaml .Values.securityContext | nindent 8 -}} 
+{{- end }}
 status: {}
 

deployment/templates/wes/wes-deployment.yaml

@@ -86,7 +86,6 @@ spec:
       - name: wes-volume
         persistentVolumeClaim:
           claimName: {{ .Values.wes.appName }}-volume
-
       - name: wes-netrc-secret
         secret:
           secretName: netrc
@@ -97,4 +96,7 @@ spec:
           defaultMode: 420
           name: app-config
         name: app-config
-
+{{- if .Values.securityContext }}
+      securityContext:
+{{- toYaml .Values.securityContext | nindent 8 -}}
+{{- end }}

deployment/values.yaml

@@ -7,6 +7,11 @@ clusterType: openshift  # either 'kubernetes' or 'openshift'
 tlsSecret: mytls-secret  # put name of tlsSecret
 storageAccessMode: ReadWriteOnce  # mongodb-pvc.yaml/rabbitmq-pvc.yaml, change to ReadWriteMany if storageClass can do RWX
 
+# If cluster has security policy enabled, this security context will be propagated
+# Uncomment whole section to take effect, see README for more details
+#securityContext:
+#  runAsUser: 1000
+
 extra_config:
   folder: /etc/app_config
   file: app_config.yaml
@@ -50,6 +55,8 @@ mongodb:
   databaseUser: cwlwes-user
   volumeSize: 1Gi
   image: centos/mongodb-36-centos7
+  initContainer:
+    runAsRoot: false
   mountPath: /var/lib/mongodb/data
   pullPolicy: Always
   securityContext:  # only for K8S