Helm Chart rendering RunAsUser at the wrong indent

Open avosepp opened this issue 1 year ago • 9 comments

Screenshot 2024-02-27 at 10 46 58

See image. runAsUser is not being saved to Kubernetes because it is being rendered one tier above SecurityContext. It should be nested under SecurityContext.

avosepp avatar Feb 27 '24 15:02 avosepp

More info, this problem is seen on native and default worker groups. I don't think we're running any other worker groups, so I cannot confirm/deny those.

avosepp avatar Feb 27 '24 15:02 avosepp

@avo-sepp can you share the values you are using?

rubenfiszel avatar Feb 27 '24 16:02 rubenfiszel

windmill:
  baseDomain: "redacted"
  baseProtocol: "https"
  databaseUrlSecretName: "redacted"
  databaseUrlSecretKey: url
postgresql:
  enabled: false
ingress:
  enabled: true
  className: "nginx"
  tls:
    - hosts:
        - "redacted"
      secretName: redacted 
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 10m

avosepp avatar Feb 27 '24 16:02 avosepp

The Helm chart is being rendered and applied by ArgoCD. When rendered on the CLI the indenting is off. It looks like...

      containers:
      - name: windmill-worker

        securityContext:

            runAsNonRoot: false
            runAsUser: 0



        image: ghcr.io/windmill-labs/windmill:1.278.5

        imagePullPolicy: Always
        ports:
        - containerPort: 8001

avosepp avatar Feb 27 '24 16:02 avosepp

This should be fixed on latest commit normally (indent 12 -> indent 10 of the securityContext block body)

rubenfiszel avatar Feb 27 '24 16:02 rubenfiszel

@avo-sepp I also tested on the CLI/dry-run that the indentation was correct. We advise passing HOME=/tmp as an env variable if you use non-root users.

rubenfiszel avatar Feb 27 '24 16:02 rubenfiszel
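
A check in the spirit of the CLI/dry-run verification mentioned above, as an added example that is not part of the thread or of the chart: it walks the text output of `helm template` and reports any `runAsUser`, `runAsGroup` or `runAsNonRoot` key whose enclosing key is not `securityContext`. The function name, the two sample manifests and the image reference are constructed for illustration.

```python
import re

# Fields Kubernetes only accepts inside a pod- or container-level securityContext.
SC_KEYS = {"runAsUser", "runAsGroup", "runAsNonRoot"}
KEY_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_./-]+):(?:\s|$)")

def misplaced_security_keys(rendered):
    """Return (line_no, key, parent) for every SC_KEYS entry whose enclosing
    mapping key is not securityContext. Indentation walk over block-style
    YAML as emitted by `helm template`; not a full YAML parser."""
    stack = []      # (column, key) for each enclosing mapping key
    findings = []
    for line_no, line in enumerate(rendered.splitlines(), 1):
        if line.startswith("---"):      # new YAML document
            stack.clear()
        m = KEY_RE.match(line)
        if not m:
            continue
        col, key = m.start(1), m.group(1)
        # Keys at the same or a deeper column than this one are not ancestors.
        while stack and stack[-1][0] >= col:
            stack.pop()
        parent = stack[-1][1] if stack else None
        if key in SC_KEYS and parent != "securityContext":
            findings.append((line_no, key, parent))
        stack.append((col, key))
    return findings

# Constructed sample: runAsNonRoot/runAsUser sit one tier above securityContext.
BAD = """\
      containers:
      - name: windmill-worker
        securityContext:
        runAsNonRoot: false
        runAsUser: 0
        image: example.invalid/windmill:placeholder
"""

# Constructed sample: the same fields nested under securityContext.
GOOD = """\
      containers:
      - name: windmill-worker
        securityContext:
          runAsNonRoot: false
          runAsUser: 0
        image: example.invalid/windmill:placeholder
"""

if __name__ == "__main__":
    print(misplaced_security_keys(BAD))
```

In CI, feed it the rendered manifests and fail the job when the returned list is non-empty.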

Thank you. That's good information. Is there anything mounted in /tmp? If I overwrite that directory with an ephemeral/empty volume will any important data be blown away?

avosepp avatar Feb 27 '24 17:02 avosepp

Crucial data required for the operation of windmill is located at /tmp/windmill, so would recommend using /tmp/home and mounting that instead.

rubenfiszel avatar Feb 27 '24 17:02 rubenfiszel

To note, if you can mount /tmp/windmill/cache you will benefit from a hot cache all the time, and on the EE we have a superior tier of caching for Python at scale that is distributed on S3.

rubenfiszel avatar Feb 27 '24 17:02 rubenfiszel