Merge pull request #70 from biersoeckli/feat/add-security-context-user-and-group-configuration-for-apps

feat: add security context configuration for apps (user, group, fs). …

Author: biersoeckli

prisma/migrations/20260307152228_migration/migration.sql

@@ -0,0 +1,4 @@
+-- AlterTable
+ALTER TABLE "App" ADD COLUMN "securityContextFsGroup" INTEGER;
+ALTER TABLE "App" ADD COLUMN "securityContextRunAsGroup" INTEGER;
+ALTER TABLE "App" ADD COLUMN "securityContextRunAsUser" INTEGER;

prisma/schema.prisma

@@ -185,6 +185,9 @@ model App {
   containerRegistryPassword String?
   containerCommand          String? // Custom command to override container ENTRYPOINT
   containerArgs             String? // Custom args to override container CMD (JSON array string)
+  securityContextRunAsUser  Int?
+  securityContextRunAsGroup Int?
+  securityContextFsGroup    Int?
 
   gitUrl         String?
   gitBranch      String?

src/app/project/app/[appId]/app-breadcrumbs.tsx

@@ -6,12 +6,19 @@ import { useBreadcrumbs } from "@/frontend/states/zustand.states";
 import { useEffect } from "react";
 import { AppExtendedModel } from "@/shared/model/app-extended.model";
 
-export default function AppBreadcrumbs({ app }: { app: AppExtendedModel }) {
+export default function AppBreadcrumbs({ app, apps, tabName }: { app: AppExtendedModel; apps: { id: string; name: string }[]; tabName?: string }) {
     const { setBreadcrumbs } = useBreadcrumbs();
     useEffect(() => setBreadcrumbs([
         { name: "Projects", url: "/" },
         { name: app.project.name, url: "/project/" + app.projectId },
-        { name: app.name },
+        {
+            name: app.name,
+            dropdownItems: apps.map(a => ({
+                name: a.name,
+                url: `/project/app/${a.id}${tabName ? `?tabName=${tabName}` : ''}`,
+                active: a.id === app.id,
+            })),
+        },
     ]), []);
     return <></>;
 }

src/app/project/app/[appId]/general/actions.ts

@@ -72,6 +72,9 @@ export const saveGeneralAppContainerConfig = async (prevState: any, inputData: A
             ...existingApp,
             containerCommand: validatedData.containerCommand?.trim() || null,
             containerArgs: containerArgsJson,
+            securityContextRunAsUser: validatedData.securityContextRunAsUser ?? null,
+            securityContextRunAsGroup: validatedData.securityContextRunAsGroup ?? null,
+            securityContextFsGroup: validatedData.securityContextFsGroup ?? null,
             id: appId,
         });
     });

src/app/project/app/[appId]/general/app-container-config.tsx

@@ -16,14 +16,8 @@ import { toast } from "sonner";
 import { AppExtendedModel } from "@/shared/model/app-extended.model";
 import { Trash2, Plus } from "lucide-react";
 import { z } from "zod";
-
-// Zod schema for the container config form
-const appContainerConfigZodModel = z.object({
-    containerCommand: z.string().trim().nullish(),
-    containerArgs: z.array(z.object({
-        value: z.string().trim()
-    })).optional(),
-});
+import { appContainerConfigZodModel } from "@/shared/model/app-container-config.model";
+import FormLabelWithQuestion from "@/components/custom/form-label-with-question";
 
 export type AppContainerConfigInputModel = z.infer<typeof appContainerConfigZodModel>;
 
@@ -41,6 +35,9 @@ export default function GeneralAppContainerConfig({ app, readonly }: {
         defaultValues: {
             containerCommand: app.containerCommand || '',
             containerArgs: initialArgs,
+            securityContextRunAsUser: app.securityContextRunAsUser ?? undefined,
+            securityContextRunAsGroup: app.securityContextRunAsGroup ?? undefined,
+            securityContextFsGroup: app.securityContextFsGroup ?? undefined,
         },
         disabled: readonly,
     });
@@ -150,6 +147,80 @@ export default function GeneralAppContainerConfig({ app, readonly }: {
                                 </Button>
                             )}
                         </div>
+
+                        <div className="space-y-4">
+                            <div>
+                                <p className="text-sm font-medium">Security Context (optional)</p>
+                                <p className="text-sm text-muted-foreground mt-1">
+                                    Use this when your app requires specific user/group permissions or needs to run with a specific filesystem group for volume access.
+                                </p>
+                            </div>
+                            <div className="grid grid-cols-3 gap-4">
+                                <FormField
+                                    control={form.control}
+                                    name="securityContextRunAsUser"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabelWithQuestion hint="The UID to run the container process as. Corresponds to runAsUser in the Kubernetes pod securityContext.">
+                                                Run As User
+                                            </FormLabelWithQuestion>
+                                            <FormControl>
+                                                <Input
+                                                    type="number"
+                                                    placeholder="e.g., 1001"
+                                                    {...field}
+                                                    value={field.value ?? ''}
+                                                    onChange={e => field.onChange(e.target.value === '' ? null : Number(e.target.value))}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="securityContextRunAsGroup"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabelWithQuestion hint="The GID to run the container process as. Corresponds to runAsGroup in the Kubernetes pod securityContext.">
+                                                Run As Group
+                                            </FormLabelWithQuestion>
+                                            <FormControl>
+                                                <Input
+                                                    type="number"
+                                                    placeholder="e.g., 1001"
+                                                    {...field}
+                                                    value={field.value ?? ''}
+                                                    onChange={e => field.onChange(e.target.value === '' ? null : Number(e.target.value))}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="securityContextFsGroup"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabelWithQuestion hint="A special supplemental group applied to all containers in the pod. Volume ownership will be set to this GID. Corresponds to fsGroup in the Kubernetes pod securityContext.">
+                                                FS Group
+                                            </FormLabelWithQuestion>
+                                            <FormControl>
+                                                <Input
+                                                    type="number"
+                                                    placeholder="e.g., 1001"
+                                                    {...field}
+                                                    value={field.value ?? ''}
+                                                    onChange={e => field.onChange(e.target.value === '' ? null : Number(e.target.value))}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </div>
+                        </div>
                     </CardContent>
                     {!readonly && (
                         <CardFooter className="gap-4">

src/app/project/app/[appId]/page.tsx

@@ -20,11 +20,12 @@ export default async function AppPage({
     }
     const session = await isAuthorizedReadForApp(appId);
     const role = UserGroupUtils.getRolePermissionForApp(session, appId);
-    const [app, s3Targets, volumeBackups, nodesInfo] = await Promise.all([
-        appService.getExtendedById(appId),
+    const app = await appService.getExtendedById(appId);
+    const [s3Targets, volumeBackups, nodesInfo, apps] = await Promise.all([
         s3TargetService.getAll(),
         volumeBackupService.getForApp(appId),
-        clusterService.getNodeInfo()
+        clusterService.getNodeInfo(),
+        appService.getAllAppsByProjectID(app.projectId),
     ]);
 
     return (<>
@@ -35,7 +36,7 @@ export default async function AppPage({
             app={app}
             nodesInfo={nodesInfo}
             tabName={searchParams?.tabName ?? 'overview'} />
-        <AppBreadcrumbs app={app} />
+        <AppBreadcrumbs app={app} apps={apps} tabName={searchParams?.tabName} />
     </>
     )
 }

src/components/custom/breadcrumbs-generator.tsx

@@ -39,7 +39,23 @@ export function BreadcrumbsGenerator() {
                     {breadcrumbs.map((x, index) => (<>
                         {index > 0 && <BreadcrumbSeparator />}
                         <BreadcrumbItem key={x.name}>
-                            <BreadcrumbLink href={x.url ?? undefined}>{x.name}</BreadcrumbLink>
+                            {x.dropdownItems ? (
+                                <DropdownMenu>
+                                    <DropdownMenuTrigger className="flex items-center gap-1 transition-colors hover:text-foreground">
+                                        {x.name}
+                                        <ChevronDown size={14} />
+                                    </DropdownMenuTrigger>
+                                    <DropdownMenuContent align="start">
+                                        {x.dropdownItems.map((item) => (
+                                            <DropdownMenuItem key={item.url} disabled={item.active} asChild={!item.active}>
+                                                {item.active ? <span>{item.name}</span> : <Link href={item.url}>{item.name}</Link>}
+                                            </DropdownMenuItem>
+                                        ))}
+                                    </DropdownMenuContent>
+                                </DropdownMenu>
+                            ) : (
+                                <BreadcrumbLink href={x.url ?? undefined}>{x.name}</BreadcrumbLink>
+                            )}
                         </BreadcrumbItem>
                     </>))}
                 </BreadcrumbList>

src/frontend/states/zustand.states.ts

@@ -46,9 +46,16 @@ interface ZustandBreadcrumbsProps {
     setBreadcrumbs: ((result: Breadcrumb[]) => void);
 }
 
+export interface BreadcrumbDropdownItem {
+    name: string;
+    url: string;
+    active?: boolean;
+}
+
 export interface Breadcrumb {
     name: string;
     url?: string;
+    dropdownItems?: BreadcrumbDropdownItem[];
 }
 
 export const useBreadcrumbs = create<ZustandBreadcrumbsProps>((set) => ({

src/server/services/deployment.service.ts

@@ -251,6 +251,15 @@ class DeploymentService {
             body.spec!.template!.spec!.imagePullSecrets = [{ name: dockerPullSecretName }];
         }
 
+        if (app.securityContextRunAsUser != null || app.securityContextRunAsGroup != null || app.securityContextFsGroup != null) {
+            body.spec!.template!.spec!.securityContext = {
+                ...(app.securityContextRunAsUser != null ? { runAsUser: app.securityContextRunAsUser } : {}),
+                ...(app.securityContextRunAsGroup != null ? { runAsGroup: app.securityContextRunAsGroup } : {}),
+                ...(app.securityContextFsGroup != null ? { fsGroup: app.securityContextFsGroup } : {}),
+            };
+            dlog(deploymentId, `Configured Security Context.`);
+        }
+
         if (existingDeployment) {
             dlog(deploymentId, `Replacing existing deployment...`);
             const res = await k3s.apps.replaceNamespacedDeployment(app.id, app.projectId, body);

src/shared/model/app-container-config.model.ts

@@ -1,11 +1,14 @@
-import { stringToNumber, stringToOptionalNumber } from "@/shared/utils/zod.utils";
+import { stringToOptionalNumber } from "@/shared/utils/zod.utils";
 import { z } from "zod";
 
 export const appContainerConfigZodModel = z.object({
   containerCommand: z.string().trim().nullish(),
   containerArgs: z.array(z.object({
     value: z.string().trim()
   })).optional(),
+  securityContextRunAsUser: stringToOptionalNumber,
+  securityContextRunAsGroup: stringToOptionalNumber,
+  securityContextFsGroup: stringToOptionalNumber,
 });
 
 export type AppContainerConfigModel = z.infer<typeof appContainerConfigZodModel>;