Dbp 0000 minor cronjob improvements

charts/dbildungs-iam-server/cron/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine:3.19
 
+ENV LOG_FILE_PATH=/var/log/cron.log
+
 # Install necessary packages
 RUN apk update && \
     apk add --no-cache bash cronie jq openssl vim wget

charts/dbildungs-iam-server/cron/scripts/get_access_token.sh

@@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
   # JWKS_FILE_PATH is set, use the file
   jwks=$(cat "$JWKS_FILE_PATH")
 else
-  echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
+  echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
   exit 1
 fi
 
 # Check if environment variables are set
 if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
-    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
+    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
     exit 1
 fi
 
@@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')
 
 # Check if key_json is empty
 if [[ -z "$key_json" ]]; then
-  echo "Error: No keys found in JWKS." >> /var/log/cron.log
+  echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
   exit 1
 fi
 
@@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
 qi=INTEGER:0x$qi_dec
 EOF
 
-echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
+echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
 
 # Generate the PEM-formatted private key
 temp_key_file=$(mktemp)
 openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
 openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1
 
-echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
+echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
 
 # Remove temporary files
 rm "$asn1_structure" "$temp_key_file"
@@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
 # Combine header and payload
 header_payload="$header_base64.$payload_base64"
 
-echo "Payload created" >> /var/log/cron.log
+echo "Payload created" >> "${LOG_FILE_PATH}"
 
 # Sign the JWT
 signature=$(echo -n "$header_payload" | \
   openssl dgst -sha256 -sign "$temp_key_file.pem" | \
   openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')
 
-echo "Signed the JWT" >> /var/log/cron.log
+echo "Signed the JWT" >> "${LOG_FILE_PATH}"
 
 # Remove the temporary PEM key file
 rm "$temp_key_file.pem"
@@ -166,15 +166,15 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
   --header "Content-Type: application/x-www-form-urlencoded" \
   "$kc_token_url")
 
-echo "Access token requested" >> /var/log/cron.log
+echo "Access token requested" >> "${LOG_FILE_PATH}"
 
 # Check if the response contains an access token
 if echo "$response" | grep -q '"access_token"'; then
   # Extract the access token from the response
   access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
   echo "$access_token"
 else
-  echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
-  echo "$response" >> /var/log/cron.log
+  echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
+  echo "$response" >> "${LOG_FILE_PATH}"
   exit 1
 fi

charts/dbildungs-iam-server/templates/cronjob.yaml

@@ -17,15 +17,14 @@
             cron: {{ $job_name }}
         spec:
           automountServiceAccountToken: false
           containers:
           - name: {{ $job_name }}
             image: "{{ $.Values.cronjobs.image.repository }}:{{ $.Values.cronjobs.image.tag }}"
             imagePullPolicy: {{ $.Values.cronjobs.image.pullPolicy | default "Always"}}
             securityContext:
-              # not yet possible since we need to install some tools
-              # privileged: false
-              # runAsUser: 1000
-              # runAsNonRoot: true
+              privileged: false
+              runAsUser: 1000
+              runAsNonRoot: true
               capabilities:
                 drop:
                   - ALL
@@ -41,7 +40,9 @@
                   value: "https://{{ $.Values.backendHostname }}{{ $job_options.endpoint }}"
                 - name: HTTP_METHOD
                   value: "{{ $job_options.httpMethod }}"
+                - name: LOG_FILE_PATH
+                  value: "/tmp/log/cron.log"
             resources:
               limits:
                 memory: "128Mi"
                 cpu: "200m"
@@ -52,11 +53,9 @@
               - "sh"
               - "-c"
               - |
-                  mkdir /scripts &&
-                  cp /scripts_tmp/*.sh /scripts/ &&
-                  chmod +x /scripts/*.sh &&
-                  touch /var/log/cron.log &&
-                  chmod 644 /var/log/cron.log &&
+                  mkdir /tmp/log/ &&
+                  touch /tmp/log/cron.log &&
+                  chmod 644 /tmp/log/cron.log &&
                   cd {{ $.Values.cronjobs.scriptDir }} &&
                   bash {{ $job_options.script }}
             volumeMounts:
@@ -65,7 +64,7 @@
                 subPath: jwks.json
                 readOnly: true
               - name: script-volume
-                mountPath: /scripts_tmp
+                mountPath: /scripts
                 readOnly: false
             ports:
             - containerPort: {{ $.Values.cronjobs.port }}
@@ -74,6 +73,7 @@
           - name: script-volume
             configMap:
               name: {{ template "common.names.name" $ }}-cronjob-scripts-configmap
+              defaultMode: 0555
           - name: secret-volume-jwks
             secret:
               secretName: dbildungs-iam-server

charts/dbildungs-iam-server/values.yaml

@@ -172,8 +172,8 @@ status:
 cronjobs:
   enabled: true
   image:
-    tag: DBP-1083-latest
-    repository: ghcr.io/hpi-schul-cloud/cron-tools
+    tag: '1.1.0'
+    repository: docker.io/schulcloud/cron-tools
     pullPolicy: IfNotPresent
   port: 5656
   keycloakTokenUrl: '/realms/SPSH/protocol/openid-connect/token'