feat: use security contexts and mount configs instead of chown init containers

[bpow]

This implements several changes to allow the pods to run as arbitrary user id
throughout all of the lifecycle stages. Primarily this is by avoiding the need to
chown for certificates, etc., instead copying them to an emptyDir which gives them
appropriate ownership for the pod's securityContext.

The postgres cert job example also needed modification because the prior version
required root to be able to install additional packages for cert creation. Instead
I used an alpine/openssl image to create the certs in an initContainer, then
alpine/curl to store the certs in relevant secrets. The middle commit (currently
6256125 if it doesn't get rebased) just prevents writing certain potentially-sensitive
information to logs in case those aren't locked down as well as you'd like. I'd be
OK rebasing without that commit if desired.

Relevant "user story" is in #177

I'm not familiar with the testing mechanisms provided by helm, but for "verification",
I have deployed to two different clusters (one kubernetes and one openshift) that do
not permit containers to run as root (optionally defining runAsUser in relevant
securityContext to provide a specific userId rather than the runtime-assigned id).

In both cases, I was able to exec a shell in the zitadel-debug replicaset
container and verify that the files created had ownership of the running userId
and mode of 400.

Definition of Ready

• I am happy with the code
• Short description of the feature/issue is added in the pr description
• PR is linked to the corresponding user story
• Acceptance criteria are met
• All open todos and follow ups are defined in a new ticket and justified
• Deviations from the acceptance criteria and design are agreed with the PO and documented.
• No debug or dead code
• My code has no repetitions
• Documentation/examples are up-to-date
• All non-functional requirements are met
• If possible, the test configuration is adjusted so acceptance tests cover my changes

[eliobischof]

Thanks for this great PR 🥳
I actually don't see a need anymore for the chown/copy init container altogether.
The defaults fsGroup 1000 and runAsUser 1000 with readOnly volume mounts are good enough IMO.
I committed my suggestions directly to this PR.
What do you think @bpow and @stebenz?

[bpow]

Thanks for looking over this! I agree that it's much cleaner to just use fsGroup and avoid the copying altogether. I think if going with that, though, it's probably safer to explicitly set defaultMode for the involved volumes (at least on the cluster I checked on, without doing so you end up with rw-r--r--).

I've pushed an additional commit with that change (and cleaning up an emptyDir volume in the debug replicaSet which is not needed if not copying secrets).

[eliobischof]

hey @bpow thanks for your help to make the chart more secure 🥳

If you'd like to have a small gift in return, please send us a mail to [email protected]. We will send you a form with questions about your address and shirt size.