From 302d8b29b6c02c2b0887d74521edbdb0da757746 Mon Sep 17 00:00:00 2001
From: Phillip
Date: Thu, 18 Jul 2024 12:24:27 +0200
Subject: [PATCH] BC-7676 Updated k8s jobs to run as non-root users where easily possible (#5116)
---
 .../templates/api-h5p-library-management-cronjob.yml.j2 | 5 +++++
 .../templates/api-delete-s3-files-cronjob.yml.j2 | 5 +++++
 .../templates/data-deletion-trigger-cronjob.yml.j2 | 5 +++++
 .../schulcloud-server-core/templates/migration-job.yml.j2 | 5 +++++
 .../templates/tldraw-delete-files-cronjob.yml.j2 | 5 +++++
 .../roles/schulcloud-server-init/templates/job_init.yml.j2 | 2 +-
 6 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2 b/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2
index a3290e08f3e..e369044ea85 100644
--- a/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2
+++ b/ansible/roles/h5p-library-management/templates/api-h5p-library-management-cronjob.yml.j2
@@ -30,6 +30,11 @@ spec:
 git.branch: {{ SCHULCLOUD_SERVER_BRANCH_NAME }}
 git.repo: {{ SCHULCLOUD_SERVER_REPO_NAME }}
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 volumes:
 - name: libraries-list
 configMap:
diff --git a/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2 b/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2
index 84d6f11e4fb..95443ef537b 100644
--- a/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/api-delete-s3-files-cronjob.yml.j2
@@ -20,6 +20,11 @@ spec:
 spec:
 template:
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 containers:
 - name: delete-s3-files-cronjob
 image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
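Review bot: The pod-level `securityContext` added under `spec:` drops root but leaves privilege escalation and Linux capabilities at their defaults, which the Pod Security "restricted" profile rejects; both settings exist only at container level, so the `containers:` entry (outside this hunk) needs its own `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`. Without `allowPrivilegeEscalation: false` a setuid binary in the image can still regain root, which undercuts `runAsNonRoot: true`. The only volume visible in the hunk is a configMap, so `fsGroup: 1000` is harmless here.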
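Review bot: The same four values (`runAsUser`/`runAsGroup`/`fsGroup` 1000, `runAsNonRoot: true`) are pasted verbatim into this and four other templates in the commit, so a UID change in the image would have to be found and edited in five places. These templates are already rendered by Ansible (see the `{{ SCHULCLOUD_SERVER_IMAGE }}` line), so hoist the UID into a role default and reference it, e.g. `runAsUser: {{ SCHULCLOUD_SERVER_RUN_AS_UID | default(1000) }}`, left unquoted because Kubernetes requires an integer for this field. Keep `runAsNonRoot: true` as a literal: it is the guard that makes the kubelet refuse to start the pod if the variable ever resolves to 0.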
diff --git a/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2 b/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2
index 7f350b86c97..a8c02d02769 100644
--- a/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/data-deletion-trigger-cronjob.yml.j2
@@ -29,6 +29,11 @@ spec:
 spec:
 template:
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 containers:
 - name: data-deletion-trigger-cronjob
 image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
diff --git a/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2 b/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2
index f9b76dc34a7..42edd22f4a0 100644
--- a/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/migration-job.yml.j2
@@ -11,6 +11,11 @@ spec:
 labels:
 app: api-migration
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 containers:
 - name: api-migration-job
 image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
diff --git a/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2 b/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2
index 80b8e5e5e41..3f702e42e72 100644
--- a/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/tldraw-delete-files-cronjob.yml.j2
@@ -20,6 +20,11 @@ spec:
 spec:
 template:
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 containers:
 - name: tldraw-delete-files-cronjob
 image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
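Review bot: The new pod `securityContext` sets no seccomp profile, so the job still runs with the container runtime's unconfined default unless the cluster enforces one; add `seccompProfile:` / `  type: RuntimeDefault` next to `runAsNonRoot: true`, which is a pod-level field and fits in this block. It is also required by the Pod Security "restricted" standard, whereas the fields added here only satisfy the non-root part of it. Whether the cluster already applies a default via the kubelet's `SeccompDefault` setting is not visible from the template, so confirm before relying on it.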
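Review bot: `runAsUser: 1000` overrides whatever `USER` the `SCHULCLOUD_SERVER_IMAGE` image declares, so if the image's files are owned by a different non-root UID the migration job fails at runtime with a permission error rather than at admission. If the Dockerfile (not in this diff) already declares a non-root user, `runAsNonRoot: true` on its own enforces the policy while letting the image's UID and file ownership apply; if it does not, record the coupling above the block with `# UID 1000 must match the non-root user created in the server image`. A migration that aborts on EACCES is more disruptive than a skipped cron run, so this job in particular deserves a dry run against the target image before rollout.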
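Review bot: Nothing in the new pod spec disables service-account token automount, so the cleanup cronjob still receives a Kubernetes API credential in `/var/run/secrets/kubernetes.io/serviceaccount` that a file-deletion task has no visible need for. Add `automountServiceAccountToken: false` next to `securityContext:` so a compromised job cannot reach the API server with the namespace's default service account. Whether the job does talk to the API is not visible from this hunk, so verify against the image's entrypoint before applying it.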
diff --git a/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2 b/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2
index b6c777a1ef2..ffd8bc98ae5 100644
--- a/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2
+++ b/ansible/roles/schulcloud-server-init/templates/job_init.yml.j2
@@ -27,7 +27,7 @@ spec:
 mountPath: /update.sh
 subPath: update.sh
 command: ['/bin/sh','-c']
- args: ['cp /update.sh /update.run.sh && chmod +x /update.run.sh &&./update.run.sh']
+ args: ['cp /update.sh /update.run.sh && chmod +x /update.run.sh && ./update.run.sh']
 resources:
 limits:
 cpu: "3000m"