From a07f6f45b395c102bb50868a7164faaff29ff3dd Mon Sep 17 00:00:00 2001
From: Marco De Luca
Date: Fri, 13 Feb 2026 13:22:54 +0100
Subject: [PATCH] Set Nextcloud cronjob securityContext to run as www-data The cronjob was failing because it runs as root (uid 0) but config.php is owned by www-data (uid 33): Console has to be executed with the user that owns the file config/config.php Current user id: 0 Owner id of config.php: 33 On vanilla Kubernetes explicitly set runAsUser/runAsGroup to 33. On OpenShift leave empty to let SCC handle UID assignment. Ref: https://github.com/nextcloud/helm/pull/740
---
 .../functions/vshnnextcloud/deploy.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pkg/comp-functions/functions/vshnnextcloud/deploy.go b/pkg/comp-functions/functions/vshnnextcloud/deploy.go
index 3ff2ca8af7..c5b7eac6a2 100644
--- a/pkg/comp-functions/functions/vshnnextcloud/deploy.go
+++ b/pkg/comp-functions/functions/vshnnextcloud/deploy.go
@@ -478,6 +478,22 @@ func newValues(ctx context.Context, svc *runtime.ServiceRuntime, comp *vshnv1.VS
 }
 }
 
+ cronjobSecurityContext := map[string]any{}
+ if !isOpenShift {
+ cronjobSecurityContext = map[string]any{
+ "runAsUser": 33,
+ "runAsGroup": 33,
+ "runAsNonRoot": true,
+ "allowPrivilegeEscalation": false,
+ "capabilities": map[string]any{
+ "drop": []string{"ALL"},
+ },
+ "seccompProfile": map[string]any{
+ "type": "RuntimeDefault",
+ },
+ }
+ }
+
 trustedDomain := []string{
 comp.GetName() + "." + comp.GetInstanceNamespace() + ".svc.cluster.local",
 }
@@ -610,6 +626,7 @@ func newValues(ctx context.Context, svc *runtime.ServiceRuntime, comp *vshnv1.VS
 "enabled": comp.GetInstances() > 0,
 "type": "cronjob",
 "cronjob": map[string]any{
+ "securityContext": cronjobSecurityContext,
 "affinity": map[string]any{
 "podAffinity": map[string]any{
 "requiredDuringSchedulingIgnoredDuringExecution": []map[string]any{
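Review bot: On OpenShift `cronjobSecurityContext` stays an empty map, so that branch drops not only `runAsUser`/`runAsGroup` but also `runAsNonRoot`, `allowPrivilegeEscalation: false` and the `capabilities` drop, although the commit message only argues for leaving the UID to the SCC. If the cronjob's service account is ever admitted under a more permissive SCC than the restricted one, nothing in these values would keep the job from running as root again. I would set the UID-independent fields unconditionally and add only the UID/GID inside `if !isOpenShift`; `seccompProfile` is kept inside the branch below because older restricted SCCs may reject it, which is worth confirming for the supported cluster versions. The literal 33 also deserves a comment or named constant saying it is www-data. `newValues` starts and ends outside this hunk.

```go
// … unchanged: code before the securityContext block …
cronjobSecurityContext := map[string]any{
	"runAsNonRoot":             true,
	"allowPrivilegeEscalation": false,
	"capabilities": map[string]any{
		"drop": []string{"ALL"},
	},
}
if !isOpenShift {
	// 33 is www-data, the owner of config.php; on OpenShift the SCC assigns the UID.
	cronjobSecurityContext["runAsUser"] = 33
	cronjobSecurityContext["runAsGroup"] = 33
	cronjobSecurityContext["seccompProfile"] = map[string]any{
		"type": "RuntimeDefault",
	}
}
// … unchanged: trustedDomain setup …
```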
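Review bot: Helm silently ignores value keys a chart does not read, so `"securityContext": cronjobSecurityContext` in the nested `cronjob` map only takes effect if the Nextcloud chart version deployed here already contains the change from the pull request referenced in the commit message; the pinned chart version is not visible in this diff. A comment above the key such as `// requires a chart release that includes nextcloud/helm#740` would make that dependency explicit. The patch touches only deploy.go, so a unit test asserting the generated values for both the OpenShift and the vanilla case would also help keep the cronjob from quietly returning to uid 0. The map literal continues outside this hunk.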