authorPaul Buetow <paul@buetow.org>2026-01-09 11:16:18 +0200
committerPaul Buetow <paul@buetow.org>2026-01-09 11:16:18 +0200
commit856af9ac9e42a088ca65e70026ad7390f00fe8d4 (patch)
treef81cbc6edff3e637b3ed6ba95f79b0f712773d36 /f3s/git-server/helm-chart
parent48a8499a2b919e28045c896cd8553d90bb3b875b (diff)
Run containers as root and use emptyDir for writeable dirs
- Mount emptyDir for /etc/ssh to allow SSH host key generation - Mount emptyDir for /var/cache/cgit to allow cache initialization - Run both containers as root with proper capabilities - Copy sshd_config at runtime from /tmp to /etc/ssh - Add imagePullPolicy: Always to force image refresh
Diffstat (limited to 'f3s/git-server/helm-chart')
-rw-r--r--f3s/git-server/helm-chart/templates/deployment.yaml10
1 files changed, 8 insertions, 2 deletions
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index b74a5fc..6f47c36 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -19,6 +19,7 @@ spec:
# Container 1: SSH Git Server
- name: git-server
image: registry.lan.buetow.org:30001/git-server:1.0
+ imagePullPolicy: Always
ports:
- containerPort: 22
name: ssh
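Review bot: `imagePullPolicy: Always` is added next to the mutable tag `git-server:1.0`, so every pod start runs whatever the registry currently serves under that tag, and the running image can change without any change to the chart. Pinning by digest, e.g. `image: registry.lan.buetow.org:30001/git-server:1.0@sha256:<digest-placeholder>`, or publishing a new tag per build, would keep deployments reproducible and make an unexpected image swap visible in review. If the policy is only needed while iterating on the image, a short comment above it saying so would help the next reader.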
@@ -30,12 +31,15 @@ spec:
mountPath: /home/git/.ssh/authorized_keys
subPath: authorized_keys
readOnly: true
+ - name: ssh-host-keys
+ mountPath: /etc/ssh
securityContext:
- runAsUser: 1000
- runAsGroup: 1000
+ runAsUser: 0
+ runAsGroup: 0
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
+ add: ["CHOWN", "DAC_OVERRIDE"]
resources:
requests:
cpu: 50m
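Review bot: The `ssh-host-keys` volume mounted at `/etc/ssh` is an `emptyDir` (defined in the last hunk), so the generated host keys live only as long as the pod, and each reschedule would present clients with a new host key. Users then learn to accept changed-key warnings, which removes the protection those warnings give against a man-in-the-middle; keeping the keys in a Secret or persistent volume and pointing `HostKey` in sshd_config at that mount avoids this. Separately, `runAsUser: 0` with `add: ["CHOWN", "DAC_OVERRIDE"]` widens the container's privileges to solve a writability problem. If key generation is the only reason, pre-provisioned keys would presumably let this container keep `runAsUser: 1000` and `drop: ["ALL"]` without additions. The container spec starts and continues outside this hunk, so whether `readOnlyRootFilesystem` is set cannot be seen here.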
@@ -94,3 +98,5 @@ spec:
name: cgit-config
- name: cgit-cache
emptyDir: {}
+ - name: ssh-host-keys
+ emptyDir: {}