
Is it required that the helm-operator Pod runs as root?

Open lianmakesthings opened this issue 4 years ago • 2 comments

Describe the bug

It seems that the Flux Helm Operator has to run as root inside the container. The reasoning for this is not documented and it's unclear to me why this requirement exists. It would be nice if running the operator in a non-privileged security context was possible.

To Reproduce

Steps to reproduce the behaviour:

  1. Have an OpenShift 3.11 cluster
  2. Install Flux Helm Operator via YAML
  3. The operator cannot do anything, because the user 500 does not exist

Expected behavior

The reasoning for why the operator needs to run as root and a possible workaround is documented.

Logs

ts=2020-07-15T13:26:37.494439012Z caller=release.go:81 component=release release=flux-matomo targetNamespace=flux resource=flux:helmrelease/matomo helmVersion=v3 error="failed to prepare chart for release: chart not ready: git clone --mirror: fatal: Could not read from remote repository., full output:\n Cloning into bare repository '/tmp/flux-gitclone354344891'...\nNo user exists for uid 500\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"

ssh -vv ssh://[email protected]:7999/platformcd/helmcharts.git

No user exists for uid 500

Additional context

  • Helm Operator version: 1.1.0
  • Kubernetes version: 1.11
  • Git provider: Bitbucket (self-hosted)
  • Helm repository provider: Bitbucket (self-hosted)

lianmakesthings, Jul 22 '20 14:07

We face the same issue on restricted Kubernetes environments.

Helm operator mounts everything in /root, so even if you manage "runAsUser" and "fsGroup", you are still limited because /root belongs to uid 0 and cannot be traversed by anybody else.

Gui13, Sep 21 '20 14:09
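As an added illustration (not code from this issue or from the Helm Operator project), a POSIX shell preflight check for the two conditions the thread describes: a uid with no passwd entry, which is what produces the "No user exists for uid" ssh error in the logs above, and a home directory that the running uid cannot traverse. The passwd file, uid and home directory are parameters, and the sample passwd file is constructed for the demo.

```shell
#!/bin/sh
# Added preflight check (not part of the Helm Operator) for the two failure
# modes described in this issue:
#   1. the pod's uid has no passwd entry, so ssh/git abort with
#      "No user exists for uid N";
#   2. the home directory the operator relies on (/root) is owned by uid 0
#      and cannot be traversed by the uid the pod actually runs as.

# uid_has_passwd_entry PASSWD_FILE UID -> exit 0 if passwd field 3 matches UID
uid_has_passwd_entry() {
    awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1"
}

# home_is_traversable DIR -> exit 0 if the current uid can enter DIR
home_is_traversable() {
    [ -d "$1" ] && [ -x "$1" ]
}

# preflight PASSWD_FILE UID HOME_DIR -> prints one line per finding; exit 0
# when nothing would block an ssh clone as that uid, 1 otherwise
preflight() {
    status=0
    if ! uid_has_passwd_entry "$1" "$2"; then
        echo "uid $2 has no entry in $1: ssh will report 'No user exists for uid $2'"
        status=1
    fi
    if ! home_is_traversable "$3"; then
        echo "$3 is not traversable by uid $(id -u): keys and config under it are unreachable"
        status=1
    fi
    return $status
}

# Constructed sample passwd file (not taken from the page): only root and
# nobody, mirroring an image in which an arbitrary uid such as 500 is unknown.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Demo: what the operator's ssh clone would run into when the pod is started
# as uid 500 with HOME still pointing at /root.
preflight "$SAMPLE_PASSWD" 500 /root || echo "preflight: git clone over ssh would fail"
```

Run it inside the operator container with `preflight /etc/passwd "$(id -u)" "$HOME"` to see which of the two conditions applies to a given cluster.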

I had done a POC some time ago and left some findings here: https://github.com/fluxcd/helm-operator/issues/233. I have not had the time to ever get back to it, but it would be great if someone could pick it up!

stefansedich, Sep 21 '20 17:09

Sorry if your issue remains unresolved. The Helm Operator is in maintenance mode, we recommend everybody upgrades to Flux v2 and Helm Controller.

A new release of Helm Operator is out this week, 1.4.4.

We will continue to support Helm Operator in maintenance mode for an indefinite period of time, and eventually archive this repository.

Please be aware that Flux v2 has a vibrant and active developer community who are actively working through minor releases and delivering new features on the way to General Availability for Flux v2.

In the meantime, this repo will still be monitored, but support is basically limited to migration issues only. I will have to close many issues today without reading them all in detail because of time constraints. If your issue is very important, you are welcome to reopen it, but due to the staleness of all issues at this point a new report is more likely to be in order. Please open another issue in the appropriate Flux v2 repo if you have unresolved problems that prevent your migration.

Helm Operator releases will continue as possible for a limited time, as a courtesy for those who still cannot migrate yet, but these are strongly not recommended for ongoing production use as our strict adherence to semver backward compatibility guarantees limit many dependencies and we can only upgrade them so far without breaking compatibility. So there are likely known CVEs that cannot be resolved.

We recommend upgrading to Flux v2 which is actively maintained ASAP.

I am going to go ahead and close every issue at once today. Thanks for participating in Helm Operator and Flux! 💚 💙

kingdonb, Sep 02 '22 19:09