diff --git a/templates/deployment-registry.yaml b/templates/deployment-registry.yaml
index 1742dd3..5136146 100644
--- a/templates/deployment-registry.yaml
+++ b/templates/deployment-registry.yaml
@@ -34,8 +34,16 @@ spec:
initContainers:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.registry.podSecurityContext }}
+ securityContext:
+ {{- toYaml .| nindent 8 }}
+ {{- end }}
containers:
- name: registry
+ {{- with .Values.registry.securityContext }}
+ securityContext:
+ {{- toYaml .| nindent 12 }}
+ {{- end }}
image: {{ include "apicurio-registry.image" .Values.registry }}
{{- with .Values.registry.nodeSelector }}
nodeSelector:
diff --git a/templates/deployment-sync.yaml b/templates/deployment-sync.yaml
index e655dab..9a7b69b 100644
--- a/templates/deployment-sync.yaml
+++ b/templates/deployment-sync.yaml
@@ -34,8 +34,16 @@ spec:
initContainers:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.sync.podSecurityContext }}
+ securityContext:
+ {{- toYaml .| nindent 8 }}
+ {{- end }}
containers:
- name: sync
+ {{- with .Values.sync.securityContext }}
+ securityContext:
+ {{- toYaml .| nindent 12 }}
+ {{- end }}
image: {{ .Values.sync.image.registry }}/{{ .Values.sync.image.repository }}:{{ .Values.sync.image.tag }}
{{- with .Values.sync.nodeSelector }}
nodeSelector:
diff --git a/test/lint/registry.yaml b/test/lint/registry.yaml
index c82ca5d..60ceff5 100644
--- a/test/lint/registry.yaml
+++ b/test/lint/registry.yaml
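Review bot: The container-level `securityContext` inserted under `- name: registry` reaches only that container, while the init containers rendered verbatim by `toYaml` a few lines above get nothing from `registry.securityContext`, so a hardening value such as `allowPrivilegeEscalation: false` or `capabilities: {drop: [ALL]}` would leave any init container unrestricted and a Pod Security Admission `restricted` namespace would presumably still reject the pod. Either note this where the value is consumed, `{{/* applies to the registry container only; init containers must carry their own securityContext in .Values.registry.initContainers */}}`, or inject the same block into each init container entry. Style nit: `{{- toYaml .| nindent 8 }}` drops the space after `.` that the existing `{{- toYaml . | nindent 10 }}` line keeps. The pod spec this sits in starts before and continues after the hunk.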
@@ -94,3 +94,23 @@ tests:
values don't meet the specifications of the schema(s) in the following chart(s):
apicurio-registry:
- registry.extraLabels: Invalid type. Expected: object, given: integer
+ - it: podSecurityContext is not object
+ set:
+ registry:
+ podSecurityContext: "qwe"
+ asserts:
+ - failedTemplate:
+ errorMessage: |
+ values don't meet the specifications of the schema(s) in the following chart(s):
+ apicurio-registry:
+ - registry.podSecurityContext: Invalid type. Expected: object, given: string
+ - it: securityContext is not object
+ set:
+ registry:
+ securityContext: "qwe"
+ asserts:
+ - failedTemplate:
+ errorMessage: |
+ values don't meet the specifications of the schema(s) in the following chart(s):
+ apicurio-registry:
+ - registry.securityContext: Invalid type. Expected: object, given: string
diff --git a/test/lint/sync.yaml b/test/lint/sync.yaml
index 2e90192..7a5cfd8 100644
--- a/test/lint/sync.yaml
+++ b/test/lint/sync.yaml
@@ -62,3 +62,23 @@ tests:
values don't meet the specifications of the schema(s) in the following chart(s):
apicurio-registry:
- sync.extraVolumeMounts: Invalid type. Expected: array, given: string
+ - it: podSecurityContext is not object
+ set:
+ sync:
+ podSecurityContext: "qwe"
+ asserts:
+ - failedTemplate:
+ errorMessage: |
+ values don't meet the specifications of the schema(s) in the following chart(s):
+ apicurio-registry:
+ - sync.podSecurityContext: Invalid type. Expected: object, given: string
+ - it: securityContext is not object
+ set:
+ sync:
+ securityContext: "qwe"
+ asserts:
+ - failedTemplate:
+ errorMessage: |
+ values don't meet the specifications of the schema(s) in the following chart(s):
+ apicurio-registry:
+ - sync.securityContext: Invalid type. Expected: object, given: string
diff --git a/test/unit/deployment_registry.yaml b/test/unit/deployment_registry.yaml
index f88a1e5..fea53cd 100644
--- a/test/unit/deployment_registry.yaml
+++ b/test/unit/deployment_registry.yaml
@@ -232,4 +232,24 @@ tests:
app.kubernetes.io/component: registry
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: apicurio-registry
- testLabel: myLabel
\ No newline at end of file
+ testLabel: myLabel
+ - it: podSecurityContext
+ set:
+ registry:
+ podSecurityContext:
+ runAsUser: 1001
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 1001
+ - it: container securityContext
+ set:
+ registry:
+ securityContext:
+ runAsUser: 1001
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ runAsUser: 1001
\ No newline at end of file
diff --git a/test/unit/deployment_sync.yaml b/test/unit/deployment_sync.yaml
index cca5a72..fcb6c94 100644
--- a/test/unit/deployment_sync.yaml
+++ b/test/unit/deployment_sync.yaml
@@ -168,4 +168,24 @@ tests:
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
- value: mysecret
\ No newline at end of file
+ value: mysecret
+ - it: podSecurityContext
+ set:
+ sync:
+ podSecurityContext:
+ runAsUser: 1001
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 1001
+ - it: container securityContext
+ set:
+ sync:
+ securityContext:
+ runAsUser: 1001
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ runAsUser: 1001
\ No newline at end of file
diff --git a/values.schema.json b/values.schema.json
index 20b5483..c327d6b 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -31,6 +31,16 @@ } } },
+ "podSecurityContext": {
+ "type": "object",
+ "title": "The pod securityContext Schema",
+ "properties": {}
+ },
+ "securityContext": {
+ "type": "object",
+ "title": "The container securityContext Schema",
+ "properties": {}
+ },
"persistence": { "kafka": { "type": "object", "additionalProperties": false,
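Review bot: Neither new case pins the default path, where `registry.podSecurityContext` is `{}` and the template's `with` guard must leave `spec.template.spec.securityContext` out entirely, so a regression that drops the guard or mis-indents the block would not be caught. Add a case such as `- it: no securityContext by default` with `asserts:` / `- notExists: { path: spec.template.spec.securityContext }` (`isNull` on helm-unittest releases without `notExists`), and the same for `spec.template.spec.containers[0].securityContext`. Using `runAsNonRoot: true` rather than a bare `runAsUser: 1001` as the fixture would also make the test document the setting a non-root policy actually relies on. The `tests:` list these cases belong to starts before the hunk.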
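Review bot: `"properties": {}` without `"additionalProperties": false` makes both new definitions accept any key, unlike the `kafka` definition immediately below that closes its object, so the schema rejects only a non-object value (exactly what the new lint tests cover) while a misspelled or misplaced hardening field such as `runAsNonroot: true` at pod level passes `helm lint` and is handed to the API server, where it is pruned or rejected depending on field-validation settings. Since both contexts have a small, stable field set, consider enumerating them with types (`runAsUser`, `runAsGroup`, `fsGroup` as integer, `runAsNonRoot` as boolean, `seccompProfile` as object, and for the container definition also `allowPrivilegeEscalation`, `privileged`, `readOnlyRootFilesystem`, `capabilities`) and adding `"additionalProperties": false`, or at least say in the `title` that the object is passed through unvalidated. The enclosing `definitions` object starts before this hunk.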
@@ -113,7 +123,9 @@
"sql": {"$ref": "#/definitions/persistence/sql"},
"imagePullSecrets": {"$ref": "#/definitions/imagePullSecrets"},
"ingress": {"$ref": "#/definitions/ingress"},
- "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for registry"}
+ "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for registry"},
+ "podSecurityContext": {"$ref": "#/definitions/podSecurityContext"},
+ "securityContext": {"$ref": "#/definitions/securityContext"}
}
},
"sync": {
@@ -129,7 +141,9 @@
"extraVolumeMounts": {"$ref": "#/definitions/volumeMounts", "title": "extra volume mounts for registry content sync"},
"extraVolumes": {"$ref": "#/definitions/volumes", "title": "extra volumes for registry content sync"},
"registryUrl": {"type": ["null", "string"], "default": null},
- "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for sync"}
+ "extraLabels": {"$ref": "#/definitions/labels", "title": "deployment and pod resources labels for sync"},
+ "podSecurityContext": {"$ref": "#/definitions/podSecurityContext"},
+ "securityContext": {"$ref": "#/definitions/securityContext"}
}
}
}
diff --git a/values.yaml b/values.yaml
index ea21006..8a5c160 100644
--- a/values.yaml
+++ b/values.yaml
@@ -58,6 +58,14 @@ registry:
annotations: {}
labels: {}
+ # add podSecurityContext policy
+ podSecurityContext: {}
+ # fsGroup: 185
+ # runAsUser: 185
+ # runAsNonRoot: true
+
+ # securityContext policy
+ securityContext: {}
sync:
enabled: true
# set imagePullSecret to pull image from an authenticated registry
@@ -90,4 +98,12 @@ sync:
# secret:
# secretName: kafka-user
# add extraLabels in deployment and pod objects
- extraLabels: {}
\ No newline at end of file
+ extraLabels: {}
+ # add podSecurityContext policy
+ podSecurityContext: {}
+ # fsGroup: 185
+ # runAsUser: 185
+ # runAsNonRoot: true
+
+ # securityContext policy
+ securityContext: {}
\ No newline at end of file
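Review bot: Both new keys in the `registry:` hunk of values.yaml default to `{}`, so a default install still runs with whatever user and capabilities the image provides, and the commented example covers only the pod level while `securityContext: {}` gets no guidance at all. Add the container-level settings a restricted Pod Security Standards namespace expects, `# allowPrivilegeEscalation: false`, `# capabilities: { drop: [ALL] }`, `# seccompProfile: { type: RuntimeDefault }` (plus `# readOnlyRootFilesystem: true` if the image tolerates it), and say where `185` comes from — presumably the non-root UID baked into the registry image, but the comment does not say. Whether to ship these enabled rather than commented depends on the image, yet the example is where a deployer will look for policy-compliant values. The second values.yaml hunk repeats the same block for `sync` and needs the same treatment.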