fix(clamav): Switch to official clamav image #456
@desaintmartin Did you have a chance to look at this? (Mentioning you since you seemed interested in #325)
That's nice, thanks for the contribution! Is there anything to know when changing to upstream?
@desaintmartin Not that I am aware of, no. As you can see, the UID of the clamav user in the image changes. But at least in our use case, everything else worked as expected. Something we experienced with both MailU's and upstream's _base images - since they don't contain any database - were problems with the CDN's rate limit. Especially in combination with the HPA (which is enabled by default), the rate limit was quickly exhausted, causing the pods to fail to start at all. We solved that by using a caching proxy (see #458 for the necessary changes to the chart). But maybe the HPA shouldn't be enabled by default, since frequently starting new pods facilitates early exhaustion of the rate limit.
Actually, we at Wiremind disabled this HPA due to the small efficiency gains versus all those problems; maybe it should indeed be disabled by default, which would require (another) breaking change.
Anyway, thanks for the contribution, everything seems fine! lgtm
It wasn't, thanks for noticing!
As I understand the docs, that option is only relevant when freshclam is started as root (not the case by default) and in that case the user given has to have write access to the database directory. Since (in the default security context) that directory is owned by group 101, the setting should probably default to user 100 as well (although it doesn't take effect in the default config anyway).
I was worried because of #322, which implies there could be issues when a PVC is involved. They had to give the pod security context the fsGroup of 2000, I assume to match the value in freshclam. We're about to roll out an install using Flux to AKS with a PVC... and I was double-checking issues and settings. This got me worried enough that we decided we were going to try and override the freshclam conf defaults to use a matching GID, but unclear if it's really going to be necessary. We'd rather just take the default values but it's unclear if we can.
I chose the _base version of the image because the previously used MailU version didn't include a database either.
Fixes #325
Fixes #432