ci: run rabbitmq as non-root (#7362)

* ci: securityContext for rabbitmq

* ci: logs from rabbitmq as json to console

* ci: tmp volume for rabbitmq

Needed since rootfs is now read-only

* ci: fix permissions on /var/lib/rabbitmq vol

Rabbitmq needs to be able to write to the fs at
/var/lib/rabbitmq. It may be possible to get rid
of the initContainer and use fsGroup in the pod
securityContext to manage this, but that does not
work for the hostVolume mounts I use for dev.
The solution here moves the actual mount to the
rabbitmq/ directory in the rabbitmq-data volume
and uses an initContainer to set the permissions
on that. That should work for any volume type.

helm/templates/configmap.yaml

@@ -61,3 +61,9 @@ data:
     # absolute number because relative will be proprtional to the full machine
     # memory.
     vm_memory_high_watermark.absolute = 1600MB
+    
+    # Logging
+    log.file = false
+    log.console = true
+    log.console.level = info
+    log.console.formatter = json

helm/templates/statefulsets/rabbitmq.yaml

@@ -26,6 +26,20 @@ spec:
       serviceAccountName: {{ include "datatracker.serviceAccountName.rabbitmq" . }}
       securityContext:
         {{- toYaml $podValues.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: init-rabbitmq
+          image: busybox:stable
+          command:
+            - "sh"
+            - "-c"
+            - "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: "rabbitmq-data"
+              mountPath: "/mnt"
       containers:
         - name: {{ .Chart.Name }}
           securityContext:

helm/values.yaml

@@ -405,7 +405,6 @@ rabbitmq:
     repository: "ghcr.io/ietf-tools/datatracker-mq"
     pullPolicy: IfNotPresent
     tag: "3.12-alpine"
-
   imagePullSecrets: []
   nameOverride: ""
   fullnameOverride: ""
@@ -419,9 +418,6 @@ rabbitmq:
   podAnnotations: {}
   podLabels: {}
 
-  podSecurityContext: {}
-    # fsGroup: 2000
-
   replicaCount: 1
 
   resources: {}
@@ -436,13 +432,18 @@ rabbitmq:
     #   cpu: 100m
     #   memory: 128Mi
 
-  securityContext: {}
+  podSecurityContext:
-    # capabilities:
+    runAsNonRoot: true
-    #   drop:
+
-    #   - ALL
+  securityContext:
-    # readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
-    # runAsNonRoot: true
+    capabilities:
-    # runAsUser: 1000
+      drop:
+        - ALL
+    readOnlyRootFilesystem: true
+    # rabbitmq image sets up uid/gid 100/101
+    runAsUser: 100
+    runAsGroup: 101
 
   service:
     type: ClusterIP
@@ -476,6 +477,9 @@ rabbitmq:
     - name: "rabbitmq-config"
       configMap:
         name: "rabbitmq-configmap"
+    - name: "rabbitmq-tmp"
+      emptyDir:
+        sizeLimit: 50Mi
     # - name: foo
     #   secret:
     #     secretName: mysecret
@@ -484,12 +488,12 @@ rabbitmq:
     # Additional volumeMounts on the output Deployment definition.
   volumeMounts:
     - name: "rabbitmq-data"
-      mountPath: "/var/lib/rabbitmq/mnesia"
+      mountPath: "/var/lib/rabbitmq"
+      subPath: "rabbitmq"
     - name: "rabbitmq-config"
       mountPath: "/etc/rabbitmq"
-    # - name: foo
+    - name: "rabbitmq-tmp"
-    #   mountPath: "/etc/foo"
+      mountPath: "/tmp"
-    #   readOnly: true
 
   tolerations: []
 
@@ -531,8 +535,6 @@ memcached:
 
   podSecurityContext:
     runAsNonRoot: true
-    runAsUser: 11211
-    runAsGroup: 11211
 
   securityContext:
     allowPrivilegeEscalation: false
@@ -540,6 +542,9 @@ memcached:
       drop:
       - ALL
     readOnlyRootFilesystem: true
+    # memcached image sets up uid/gid 11211
+    runAsUser: 11211
+    runAsGroup: 11211
 
   service:
     type: ClusterIP