@borishim borishim commented Dec 9, 2025

Summary

  • Added templates/pvc.yaml so a PersistentVolumeClaim is actually rendered whenever persistence.enabled is true, matching the Deployment’s mlflow-storage volume reference.
  • Fixed envFrom indentation in the Deployment override so shared secrets/configs no longer “break” the template merge; the persistence-specific security context, init container, and volume mount now render reliably.
  • Introduced persistence.volumePermissions configuration (enabled/runAsUser) and wired it into the Deployment so clusters with strict PodSecurity policies can disable the init container or run it as a non-root UID.

Testing

  • Ran helm template to confirm PVC creation, init-container toggling, and clean rendering both with and without shared secrets.
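Added example, not part of this pull request or the chart: one way to automate the rendering checks described above. It assumes the `helm template` output has already been parsed into Python dicts. The claim name, Deployment name and init container name are constructed; only the `mlflow-storage` volume name comes from the description.

```python
# Added example (not chart code): consistency checks over rendered manifests.
CLAIM = "example-mlflow"  # constructed claim name, not taken from the chart

def check_rendered(manifests):
    """Return findings for unrendered PVCs and init containers that may run as root."""
    findings = []
    pvcs = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"])
            for m in manifests if m.get("kind") == "PersistentVolumeClaim"}
    for m in manifests:
        if m.get("kind") != "Deployment":
            continue
        ns = m["metadata"].get("namespace", "default")
        name = m["metadata"]["name"]
        pod = m["spec"]["template"]["spec"]
        pod_sc = pod.get("securityContext") or {}
        # Every claimName a pod mounts must match a PVC rendered in the same namespace.
        for vol in pod.get("volumes", []):
            claim = (vol.get("persistentVolumeClaim") or {}).get("claimName")
            if claim and (ns, claim) not in pvcs:
                findings.append(f"{name}: volume {vol['name']} needs PVC {claim}, not rendered")
        # Container-level securityContext overrides the pod-level one.
        for c in pod.get("initContainers", []):
            sc = c.get("securityContext") or {}
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            if uid == 0 or (uid is None and not non_root):
                findings.append(f"{name}: init container {c['name']} may run as root")
    return findings

def sample_deployment(init_uid=None):
    """Constructed Deployment; init_uid=None models volumePermissions.enabled=false."""
    pod = {"containers": [{"name": "mlflow"}],
           "volumes": [{"name": "mlflow-storage",
                        "persistentVolumeClaim": {"claimName": CLAIM}}]}
    if init_uid is not None:
        pod["initContainers"] = [{"name": "volume-permissions",  # hypothetical name
                                  "securityContext": {"runAsUser": init_uid}}]
    return {"kind": "Deployment", "metadata": {"name": "example-mlflow"},
            "spec": {"template": {"spec": pod}}}

SAMPLE_PVC = {"kind": "PersistentVolumeClaim", "metadata": {"name": CLAIM}}

if __name__ == "__main__":
    cases = {"no PVC, root init": [sample_deployment(0)],
             "PVC, init as UID 1000": [sample_deployment(1000), SAMPLE_PVC],
             "PVC, init disabled": [sample_deployment(), SAMPLE_PVC]}
    for label, docs in cases.items():
        print(label, "->", check_rendered(docs) or "ok")
```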

@borishim
Contributor Author

Hi @kharkevich, can you take a look at this when you have some spare time? Thanks!

Copilot AI left a comment

Pull request overview

This PR fixes PersistentVolumeClaim provisioning and adds configuration options for volume permission handling in strict PodSecurity environments. The changes ensure that a PVC is actually created when persistence is enabled, fix template indentation issues that broke rendering with shared secrets/configs, and provide flexibility to disable or customize the init container that sets volume permissions.

Key changes:

  • Added PVC template that renders when persistence is enabled
  • Fixed envFrom indentation (from 2 to 12 spaces) to properly merge shared secrets and configs
  • Introduced configurable volumePermissions with enabled flag and runAsUser option

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| charts/mlflow-tracking-server/Chart.yaml | Version bump to 1.1.3 for this patch release |
| charts/mlflow-tracking-server/values.yaml | Added volumePermissions configuration with enabled and runAsUser options |
| charts/mlflow-tracking-server/templates/pvc.yaml | New template to create PVC using common helper when persistence is enabled |
| charts/mlflow-tracking-server/templates/deployment.yaml | Added conditional logic for volumePermissions, fixed envFrom indentation, and made init container conditional and configurable |

@kharkevich kharkevich merged commit 1cfb496 into mlflow-oidc:main Dec 31, 2025
7 of 9 checks passed