Doc: Harmonize doc across Dockerfile

clemlesne · Jun 19, 2023 · 28b8f1d · 28b8f1d
1 parent d1897c2
commit 28b8f1d
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 14 deletions.
diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm
@@ -177,7 +177,9 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 

diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye
@@ -174,7 +174,9 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 

diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal
@@ -173,10 +173,10 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
-
-# Define path for the custom SSL certificate
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
 # Cleanup helper script

diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy
@@ -181,10 +181,10 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
-
-# Define path for the custom SSL certificate
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
 # Cleanup helper script

diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8
@@ -172,10 +172,10 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
-
-# Define path for the custom SSL certificate
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
 # Cleanup helper script

diff --git a/src/helm/azure-pipelines-agent/templates/_helpers.tpl b/src/helm/azure-pipelines-agent/templates/_helpers.tpl
@@ -74,6 +74,18 @@ Create the name of the Secret to use.
 {{- end }}
 {{- end }}
 
+{{/*
+Default PodSecurytyContext object to apply to containers.
+
+Can be overriden by setting ".Values.podSecurityContext".
+
+See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core
+*/}}
+{{- define "azure-pipelines-agent.defaultPodSecurityContext" -}}
+# All volumes are owned bu group 0 (root), same as the default user
+fsGroup: 0
+{{- end }}
+
 {{/*
 Default SecurytyContext object to apply to containers.
 
@@ -112,10 +124,8 @@ imagePullSecrets:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 serviceAccountName: {{ include "azure-pipelines-agent.serviceAccountName" . }}
-{{- with .Values.podSecurityContext }}
 securityContext:
-  {{- toYaml . | nindent 2 }}
-{{- end }}
+  {{- toYaml (mustMergeOverwrite (include "azure-pipelines-agent.defaultPodSecurityContext" . | fromYaml) .Values.podSecurityContext) | nindent 2 }}
 {{- with .Values.initContainers }}
 initContainers:
   {{- toYaml . | nindent 2 }}