fix(mok): Add missing DAC_OVERWRITE capability to postfix

7d0bf458 · Sheogorath · ad10c228 · 7d0bf458 · 7d0bf458 · 7d0bf458
Verified Commit 7d0bf458 authored 2 years ago by Sheogorath
--- a/charts/mok/Chart.yaml
+++ b/charts/mok/Chart.yaml
@@ -3,7 +3,7 @@ name: mok
 description: |
  Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.
 type: application
-version: 0.1.1
+version: 0.1.2
 sources:
  - https://de.postfix.org/ftpmirror/index.html
  - https://github.com/dovecot/core

--- a/charts/mok/README.md
+++ b/charts/mok/README.md
 # mok

-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)

 Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that runs without a database server on Kubernetes, taking advantage of configmaps and secret.

@@ -72,6 +72,7 @@ Mail on Kubernetes (MoK) is a project to deploy a functional mailserver that run
 | postfix.securityContext.capabilities.add[3] | string | `"SETUID"` | required to change user id as supervisord as well as postfix |
 | postfix.securityContext.capabilities.add[4] | string | `"SETGID"` | required to change group id as supervisord as well as postfix |
 | postfix.securityContext.capabilities.add[5] | string | `"FOWNER"` | required to set up the chroot directory on startup |
+| postfix.securityContext.capabilities.add[6] | string | `"DAC_OVERRIDE"` | required to setup TLS and alike |
 | postfix.securityContext.capabilities.drop[0] | string | `"ALL"` | getting rid of all capabilities since we already have too many |
 | postfix.securityContext.runAsNonRoot | bool | `false` |  |
 | postfix.service.public.type | string | `"LoadBalancer"` | type of the public endpoint for smtp, submission, and submissions. **Note**: It's configured to share the IP with dovecot in case of metallb |

--- a/charts/mok/values.yaml
+++ b/charts/mok/values.yaml
@@ -69,6 +69,8 @@ postfix:
        - SETGID
        # -- required to set up the chroot directory on startup
        - FOWNER
+        # -- required to setup TLS and alike
+        - DAC_OVERRIDE
      drop:
        # -- getting rid of all capabilities since we already have too many
        - ALL