commit acee7c3d83f42947575662e45596743e12d7b068
author James E. Blair <jeblair@redhat.com> Mon Feb 10 11:09:32 2020 -0800
committer James E. Blair <jeblair@redhat.com> Mon Feb 10 11:09:32 2020 -0800
tree a95d6bb61806ea81156fcf266a9252faaa2813aa
parent 672a42ba151207f972615bebed017a7351c7d0b2

Update zuul-executor user

The zuul-executor user id has changed from 1000 to 10001, so update
the deployment config to match.

Also reference deployment files via the work directory path rather
than via relative paths to the playbook (which is outside the work
dir and therefore subject to access restrictions).

Change-Id: Iee194a460056a392050bd65cf6e9d14a2726d1ae

k8s/zuul.yaml

diff --git a/k8s/zuul.yaml b/k8s/zuul.yaml
index ed4eda8..be2244c 100644
--- a/k8s/zuul.yaml
+++ b/k8s/zuul.yaml
@@ -180,8 +180,8 @@
         app.kubernetes.io/component: zuul-executor
     spec:
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        runAsUser: 10001
+        runAsGroup: 10001
       containers:
       - name: executor
         image: jeblair/zuul-executor:latest

playbooks/deploy.yaml

diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index 87cfb3e..1664b62 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -1,5 +1,7 @@
 - name: Deploy Zuul
   hosts: localhost
+  vars:
+    root: "{{ (zuul is defined) | ternary(zuul.project.src_dir, '..') }}"
   tasks:
     - name: Make kube directory
       file:
@@ -15,12 +17,12 @@
     - name: Update Letsencrypt configuration
       k8s:
         state: present
-        src: ../k8s/letsencrypt.yaml
+        src: "{{ root }}/k8s/letsencrypt.yaml"
 
     - name: Update authdaemon configuration
       k8s:
         state: present
-        src: ../k8s/authdaemon.yaml
+        src: "{{ root }}/k8s/authdaemon.yaml"
 
     - name: Update Nodepool config
       k8s:
@@ -37,7 +39,7 @@
               app.kubernetes.io/part-of: nodepool
           stringData:
             clouds.yaml: ""
-            nodepool.yaml: "{{ lookup('file', '../nodepool/nodepool.yaml') }}"
+            nodepool.yaml: "{{ lookup('file', root + '/nodepool/nodepool.yaml') }}"
 
     - name: Update Zuul/Nodepool private key
       k8s:
@@ -72,7 +74,7 @@
               app.kubernetes.io/instance: zuul
               app.kubernetes.io/part-of: zuul
           stringData:
-            main.yaml: "{{ lookup('template', '../zuul/zuul.conf') }}"
+            main.yaml: "{{ lookup('template', root + '/zuul/zuul.conf') }}"
       register: zuul_config
       # Set no_log because we are templating passwords into the config
       no_log: true
@@ -91,18 +93,18 @@
               app.kubernetes.io/instance: zuul
               app.kubernetes.io/part-of: zuul
           stringData:
-            main.yaml: "{{ lookup('file', '../zuul/main.yaml') }}"
+            main.yaml: "{{ lookup('file', root + '/zuul/main.yaml') }}"
       register: tenant_config
 
     - name: Update Nodepool deployment
       k8s:
         state: present
-        src: ../k8s/nodepool.yaml
+        src: "{{ root }}/k8s/nodepool.yaml"
 
     - name: Update Zuul deployment
       k8s:
         state: present
-        src: ../k8s/zuul.yaml
+        src: "{{ root }}/k8s/zuul.yaml"
 
     - name: Reconfigure Zuul
       when: tenant_config.changed or zuul_config.changed