
[bitnami/contour] Envoy container fails to launch on EKS without running as root user #2968

Closed
geota opened this issue Jun 30, 2020 · 1 comment · Fixed by #2961

geota commented Jun 30, 2020

Which chart:
bitnami/contour 1.0.0

Describe the bug
The envoy container fails to bind to port 80 or 443 without running it as root on a vanilla aws eks cluster.

To Reproduce
Steps to reproduce the behavior:
0. Vanilla EKS cluster with default eks.privileged PSP
   See: https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy.html
1. helm install bitnami/contour
2. View logs and see error around failing to bind to 80,443
3. Set the envoy container security context to run as root
4. See it launch successfully

Expected behavior
I expect the chart to work without any modifications on a default EKS cluster.

Version of Helm and Kubernetes:

  • Output of helm version:
version.BuildInfo{Version:"v3.2.4", GitCommit:"0ad800ef43d3b826f31a5ad8dfbb4fe05d143688", GitTreeState:"dirty", GoVersion:"go1.14.3"}
  • Output of kubectl version:
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-26T06:17:09Z", GoVersion:"go1.14", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.8-eks-e16311", GitCommit:"e163110a04dcb2f39c3325af96d019b4925419eb", GitTreeState:"clean", BuildDate:"2020-03-27T22:37:12Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

Additional context
Launch

$ helm install contour ~/code/charts-1/bitnami/contour -n default
manifest_sorter.go:192: info: skipping unknown hook: "crd-install"
manifest_sorter.go:192: info: skipping unknown hook: "crd-install"
manifest_sorter.go:192: info: skipping unknown hook: "crd-install"
manifest_sorter.go:192: info: skipping unknown hook: "crd-install"
NAME: contour
LAST DEPLOYED: Tue Jun 30 03:17:21 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Get Contours's load balancer IP/hostname:

     NOTE: It may take a few minutes for this to become available.

     You can watch the status by running:

         $ kubectl get svc contour --namespace default -w

     Once 'EXTERNAL-IP' is no longer '<pending>':

         $ kubectl describe svc contour --namespace default | grep Ingress | awk '{print $3}'

2. Configure DNS records corresponding to Kubernetes ingress resources to point to the load balancer IP/hostname found in step 1
$ kubectl get pods --namespace default
NAME                               READY   STATUS             RESTARTS   AGE
contour-contour-6985c5658f-c28zj   1/1     Running            0          2m44s
contour-contour-6985c5658f-w9p8g   1/1     Running            0          2m44s
contour-contour-certgen-wxcpc      0/1     Completed          0          2m44s
contour-envoy-4z4vb                1/2     CrashLoopBackOff   4          2m44s
contour-envoy-cw44l                1/2     CrashLoopBackOff   4          2m44s
contour-envoy-vv6kh                1/2     CrashLoopBackOff   4          2m44s

Envoy container log error

[2020-06-30 08:19:19.499][1][warning][config] [source/common/config/grpc_subscription_impl.cc:101] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) ingress_http: cannot bind '0.0.0.0:80': Permission denied
ingress_https: cannot bind '0.0.0.0:443': Permission denied

[2020-06-30 08:19:19.500][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:104] Caught Segmentation fault, suspect faulting address 0x0
[2020-06-30 08:19:19.500][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:91] Backtrace (use tools/stack_decode.py to get line numbers):
[2020-06-30 08:19:19.500][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:92] Envoy version: 1a0363c885c2dbb1e48b03847dbd706d1ba43eba/1.14.2/Modified/RELEASE/BoringSSL
[2020-06-30 08:19:19.501][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:98] #0: [0x564a09785c2a]
[2020-06-30 08:19:19.501][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:98] #1: [0x564a09fae0b3]
[2020-06-30 08:19:19.501][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:98] #2: [0x564a09fae18c]
[2020-06-30 08:19:19.501][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:98] #3: [0x564a09fa6a0d]
[2020-06-30 08:19:19.501][12][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:98] #4: [0x564a0a4521e5]
@geota geota changed the title [bitnami/contour] [bitnami/contour] Envoy container fails to launch on EKS without running as root user Jun 30, 2020
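The bind error in the log is the Linux rule that a process needs uid 0 or CAP_NET_BIND_SERVICE to listen below port 1024. The workaround in step 3 (run the container as root) widens the blast radius of any Envoy compromise, so a reviewer would want to check what a rendered chart actually grants. The following audit script is an added example for this issue, not code from the bitnami/contour chart or the linked fix; the Pod specs inside it are constructed to model the reported state, the root workaround, and two least-privilege alternatives, and the function/field names are the standard Kubernetes securityContext fields.

```python
"""Audit Pod specs for containers that listen on privileged (<1024) ports.

Added example for this issue, not part of the bitnami/contour chart.
Linux: binding a port below 1024 requires uid 0 or CAP_NET_BIND_SERVICE
(unless net.ipv4.ip_unprivileged_port_start has been lowered).
"""
from typing import Dict, List, Tuple

PRIVILEGED_PORT_MAX = 1023


def effective_run_as_user(pod_spec: Dict, container: Dict):
    """Container-level securityContext.runAsUser overrides the pod-level one."""
    ctx = container.get("securityContext") or {}
    if "runAsUser" in ctx:
        return ctx["runAsUser"]
    return (pod_spec.get("securityContext") or {}).get("runAsUser")


def privileged_port_findings(pod_spec: Dict) -> List[Tuple[str, str, List[int]]]:
    """Return (container, finding, ports) for each container that needs a low port
    and either runs as root (avoidable privilege) or lacks NET_BIND_SERVICE
    (the bind will fail with 'Permission denied', as in the issue log)."""
    findings = []
    for c in pod_spec.get("containers", []):
        low_ports = [p["containerPort"] for p in c.get("ports", [])
                     if p.get("containerPort", 65536) <= PRIVILEGED_PORT_MAX]
        if not low_ports:
            continue  # only unprivileged ports: nothing to grant
        uid = effective_run_as_user(pod_spec, c)
        caps = ((c.get("securityContext") or {}).get("capabilities") or {}).get("add") or []
        if uid == 0:
            findings.append((c["name"], "runs-as-root", low_ports))
        elif "NET_BIND_SERVICE" not in caps:
            findings.append((c["name"], "missing-net-bind-service", low_ports))
    return findings


ENVOY_PORTS = [{"containerPort": 80}, {"containerPort": 443}]

# Constructed: non-root user, no capability -> 'cannot bind 0.0.0.0:80: Permission denied'
AS_REPORTED = {"securityContext": {"runAsUser": 65534},
               "containers": [{"name": "envoy", "ports": ENVOY_PORTS}]}

# Constructed: the step-3 workaround, which works but runs the proxy as uid 0
ROOT_WORKAROUND = {"containers": [{"name": "envoy", "ports": ENVOY_PORTS,
                                   "securityContext": {"runAsUser": 0}}]}

# Constructed: least privilege, keep the low ports but grant only the bind capability
LEAST_PRIVILEGE = {"securityContext": {"runAsNonRoot": True, "runAsUser": 65534},
                   "containers": [{"name": "envoy", "ports": ENVOY_PORTS,
                                   "securityContext": {"allowPrivilegeEscalation": False,
                                                       "capabilities": {"drop": ["ALL"],
                                                                        "add": ["NET_BIND_SERVICE"]}}}]}

# Constructed: avoid the problem entirely by listening on unprivileged ports
# and letting the Service/LoadBalancer map 80/443 onto them
UNPRIVILEGED_PORTS = {"securityContext": {"runAsNonRoot": True, "runAsUser": 65534},
                      "containers": [{"name": "envoy",
                                      "ports": [{"containerPort": 8080}, {"containerPort": 8443}]}]}


if __name__ == "__main__":
    for label, spec in [("as-reported", AS_REPORTED), ("root-workaround", ROOT_WORKAROUND),
                        ("least-privilege", LEAST_PRIVILEGE), ("unprivileged-ports", UNPRIVILEGED_PORTS)]:
        print(label, privileged_port_findings(spec) or "ok")
```

One caveat when choosing the capability route: a capability listed under `capabilities.add` for a non-root user only reaches the process's effective set if the runtime sets ambient capabilities or the binary carries file capabilities, which varies by container runtime and image. Confirm inside the running pod with `grep Cap /proc/1/status` (decode with `capsh --decode=`) rather than trusting the manifest alone; the unprivileged-port variant sidesteps that dependency.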
@joancafom

Hi! Thank you so much for your feedback and contribution. I saw one of our engineers has already provided some feedback 😁.

Thanks!!
