feat: add securityContext

eshepelyuk · Dec 27, 2023 · c1e4733 · c1e4733
1 parent 1c4cc9d
commit c1e4733
Show file tree

Hide file tree

Showing 8 changed files with 131 additions and 5 deletions.
diff --git a/templates/deployment-registry.yaml b/templates/deployment-registry.yaml
@@ -34,8 +34,16 @@ spec:
       initContainers:
         {{- toYaml . | nindent 10 }}
       {{- end }}
+      {{- with .Values.registry.podSecurityContext }}
+      securityContext:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
       containers:
         - name: registry
+          {{- with .Values.registry.securityContext }}
+          securityContext:
+            {{- toYaml .| nindent 12 }}
+          {{- end }}
           image: {{ include "apicurio-registry.image" .Values.registry }}
           {{- with .Values.registry.nodeSelector }}
           nodeSelector:

diff --git a/templates/deployment-sync.yaml b/templates/deployment-sync.yaml
@@ -34,8 +34,16 @@ spec:
       initContainers:
         {{- toYaml . | nindent 10 }}
       {{- end }}
+      {{- with .Values.sync.podSecurityContext }}
+      securityContext:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
       containers:
         - name: sync
+          {{- with .Values.sync.securityContext }}
+          securityContext:
+            {{- toYaml .| nindent 12 }}
+          {{- end }}
           image: {{ .Values.sync.image.registry }}/{{ .Values.sync.image.repository }}:{{ .Values.sync.image.tag }}
           {{- with .Values.sync.nodeSelector }}
           nodeSelector:

diff --git a/test/lint/registry.yaml b/test/lint/registry.yaml
@@ -94,3 +94,23 @@ tests:
             values don't meet the specifications of the schema(s) in the following chart(s):
             apicurio-registry:
             - registry.extraLabels: Invalid type. Expected: object, given: integer
+  - it: podSecurityContext is not object
+    set:
+      registry:
+        podSecurityContext: "qwe"
+    asserts:
+      - failedTemplate:
+          errorMessage: |
+            values don't meet the specifications of the schema(s) in the following chart(s):
+            apicurio-registry:
+            - registry.podSecurityContext: Invalid type. Expected: object, given: string
+  - it: securityContext is not object
+    set:
+      registry:
+        securityContext: "qwe"
+    asserts:
+      - failedTemplate:
+          errorMessage: |
+            values don't meet the specifications of the schema(s) in the following chart(s):
+            apicurio-registry:
+            - registry.securityContext: Invalid type. Expected: object, given: string
diff --git a/test/lint/sync.yaml b/test/lint/sync.yaml
@@ -62,3 +62,23 @@ tests:
             values don't meet the specifications of the schema(s) in the following chart(s):
             apicurio-registry:
             - sync.extraVolumeMounts: Invalid type. Expected: array, given: string
+  - it: podSecurityContext is not object
+    set:
+      sync:
+        podSecurityContext: "qwe"
+    asserts:
+      - failedTemplate:
+          errorMessage: |
+            values don't meet the specifications of the schema(s) in the following chart(s):
+            apicurio-registry:
+            - sync.podSecurityContext: Invalid type. Expected: object, given: string
+  - it: securityContext is not object
+    set:
+      sync:
+        securityContext: "qwe"
+    asserts:
+      - failedTemplate:
+          errorMessage: |
+            values don't meet the specifications of the schema(s) in the following chart(s):
+            apicurio-registry:
+            - sync.securityContext: Invalid type. Expected: object, given: string
diff --git a/test/unit/deployment_registry.yaml b/test/unit/deployment_registry.yaml
@@ -232,4 +232,24 @@ tests:
             app.kubernetes.io/component: registry
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/name: apicurio-registry
-            testLabel: myLabel
+            testLabel: myLabel
+  - it: podSecurityContext
+    set:
+      registry:
+        podSecurityContext:
+          runAsUser: 1001
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 1001
+  - it: container securityContext
+    set:
+      registry:
+        securityContext:
+          runAsUser: 1001
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            runAsUser: 1001
diff --git a/test/unit/deployment_sync.yaml b/test/unit/deployment_sync.yaml
@@ -168,4 +168,24 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.imagePullSecrets[0].name
-          value: mysecret
+          value: mysecret
+  - it: podSecurityContext
+    set:
+      sync:
+        podSecurityContext:
+          runAsUser: 1001
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 1001
+  - it: container securityContext
+    set:
+      sync:
+        securityContext:
+          runAsUser: 1001
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            runAsUser: 1001
diff --git a/values.schema.json b/values.schema.json
@@ -31,6 +31,16 @@
         }
       }
     },
+    "podSecurityContext": {
+      "type": "object",
+      "title": "The pod securityContext Schema",
+      "properties": {}
+    },
+    "securityContext": {
+      "type": "object",
+      "title": "The container securityContext Schema",
+      "properties": {}
+    },
     "persistence": {
       "kafka": {
         "type": "object", "additionalProperties": false,
@@ -113,7 +123,9 @@
         "sql": {"$ref": "#/definitions/persistence/sql"},
         "imagePullSecrets": {"$ref": "#/definitions/imagePullSecrets"},
         "ingress": {"$ref": "#/definitions/ingress"},
-        "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for registry"}
+        "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for registry"},
+        "podSecurityContext": {"$ref": "#/definitions/podSecurityContext"},
+        "securityContext": {"$ref": "#/definitions/securityContext"}
       }
     },
     "sync": {
@@ -129,7 +141,9 @@
         "extraVolumeMounts": {"$ref": "#/definitions/volumeMounts", "title": "extra volume mounts for registry content sync"},
         "extraVolumes": {"$ref": "#/definitions/volumes", "title": "extra volumes for registry content sync"},
         "registryUrl": {"type": ["null", "string"], "default": null},
-        "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for sync"}
+        "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for sync"},
+        "podSecurityContext": {"$ref": "#/definitions/podSecurityContext"},
+        "securityContext": {"$ref": "#/definitions/securityContext"}
       }
     }
   }

diff --git a/values.yaml b/values.yaml
@@ -58,6 +58,14 @@ registry:
     annotations: {}
     labels: {}
 
+  # add podSecurityContext policy
+  podSecurityContext: {}
+    # fsGroup: 185
+    # runAsUser: 185
+    # runAsNonRoot: true
+
+  # securityContext policy
+  securityContext: {}
 sync:
   enabled: true
   # set imagePullSecret to pull image from an authenticated registry
@@ -90,4 +98,12 @@ sync:
     #   secret:
     #     secretName: kafka-user
   # add extraLabels in deployment and pod objects
-  extraLabels: {}
+  extraLabels: {}
+  # add podSecurityContext policy
+  podSecurityContext: {}
+    # fsGroup: 185
+    # runAsUser: 185
+    # runAsNonRoot: true
+
+  # securityContext policy
+  securityContext: {}