feat: add-global-securityContext (#228)

feat: add-global-securityContext
kubeshop · Nov 6, 2024 · 7ecfdeb · 7ecfdeb
1 parent 62876cd
commit 7ecfdeb
Show file tree

Hide file tree

Showing 31 changed files with 298 additions and 37 deletions.
diff --git a/charts/testkube-cloud-api/templates/_helpers.tpl b/charts/testkube-cloud-api/templates/_helpers.tpl
@@ -155,4 +155,37 @@ TODO: Implement this using dict and reuse the same for each image
 {{- end -}}
 
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-cloud-api.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-cloud-api.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for Init Container
+*/}}
+{{- define "init-wait-for-mongo.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.init.mongo.containerSecurityContext }}
+{{- end }}
+{{- end }}
diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml
@@ -29,12 +29,14 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "testkube-cloud-api.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "testkube-cloud-api.podSecurityContext" . | trim }}
       {{- if .Values.init.enabled }}
       initContainers:
         - name: wait-for-mongo
           image: {{ include "testkube-cloud-api.init-mongo-image" . }}
           imagePullPolicy: {{ .Values.init.mongo.image.pullPolicy }}
+          securityContext:
+            {{ include "init-wait-for-mongo.containerSecurityContext" . | trim }}
           command: ["/bin/sh", "-c"]
           args:
             - |
@@ -57,7 +59,7 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{ include "testkube-cloud-api.containerSecurityContext" . | trim }}
           image: {{ include "testkube-api.image" . }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy | default .Values.image.pullPolicy }}
           env:

diff --git a/charts/testkube-cloud-api/templates/migrations-job.yaml b/charts/testkube-cloud-api/templates/migrations-job.yaml
@@ -33,11 +33,13 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "testkube-cloud-api.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "testkube-cloud-api.podSecurityContext" . | trim }}
       {{- if .Values.init.enabled }}
       initContainers:
         - name: wait-for-mongo
           image: {{ include "testkube-cloud-api.init-mongo-image" . }}
+          securityContext:
+            {{ include "init-wait-for-mongo.containerSecurityContext" . | trim}}
           command: ["/bin/sh", "-c"]
           args:
             - |
@@ -60,6 +62,8 @@ spec:
       containers:
         - name: migrations
           image: {{ include "testkube-api.image" . }}
+          securityContext:
+            {{ include "testkube-cloud-api.containerSecurityContext" . | trim  }}
           args: ["migrate"]
           env:
             - name: ENTERPRISE_MODE

diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml
@@ -93,6 +93,10 @@ global:
   tls: {}
   # -- Toggle whether to globally skip certificate verification
   #skipVerify: false
+  # -- Global security Context for all containers
+  containerSecurityContext: {}
+  # -- Global security Context for all pods
+  podSecurityContext: {}
 replicaCount: 1
 image:
   # -- If defined, it will prepend the registry to the image name, if not, default docker.io will be prepended
@@ -130,6 +134,8 @@ init:
       pullPolicy: IfNotPresent
       # -- MongoSH image digest
       digest: ""
+      # -- Init container Security Context
+    containerSecurityContext: {}
 analytics:
   segmentio:
     # -- Toggle whether to enable Segment.io analytics
@@ -360,8 +366,7 @@ podAnnotations: {}
 # -- Pod Security Context
 podSecurityContext: {}
 # fsGroup: 2000
-
-# -- Security Context for app container
+# -- Container Security Context
 securityContext:
   readOnlyRootFilesystem: true
 service:

diff --git a/charts/testkube-cloud-ui/templates/_helpers.tpl b/charts/testkube-cloud-ui/templates/_helpers.tpl
@@ -97,4 +97,26 @@ Define image
 {{- else -}}
     {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-cloud-ui.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-cloud-ui.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
diff --git a/charts/testkube-cloud-ui/templates/deployment.yaml b/charts/testkube-cloud-ui/templates/deployment.yaml
@@ -29,11 +29,11 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "testkube-cloud-ui.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "testkube-cloud-ui.podSecurityContext" . | trim }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{ include "testkube-cloud-ui.containerSecurityContext" . | trim }}
           image: {{ include "testkube-dashboard.image" . }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy | default .Values.image.pullPolicy }}
           ports:

diff --git a/charts/testkube-cloud-ui/values.yaml b/charts/testkube-cloud-ui/values.yaml
@@ -27,6 +27,10 @@ global:
     enabled: true
   # -- Common labels which will be added to all resources
   labels: {}
+  # -- Global security Context for all containers
+  containerSecurityContext: {}
+  # -- Global security Context for all pods
+  podSecurityContext: {}
 replicaCount: 1
 sentry:
   # -- Toggle whether to enable Sentry.io error reporting
@@ -80,7 +84,6 @@ podAnnotations: {}
 # -- Pod Security Context
 podSecurityContext: {}
 # fsGroup: 2000
-
 # -- Container Security Context
 securityContext:
   readOnlyRootFilesystem: true

diff --git a/charts/testkube-enterprise/Chart.lock b/charts/testkube-enterprise/Chart.lock
@@ -16,15 +16,15 @@ dependencies:
   version: 2.1.75
 - name: dex
   repository: file://./charts/dex
-  version: 0.19.1-3
+  version: 0.19.1-4
 - name: mongodb
   repository: https://charts.bitnami.com/bitnami
   version: 15.6.16
 - name: nats
   repository: file://./charts/nats
-  version: 1.2.6-1
+  version: 1.2.6-2
 - name: minio
   repository: https://charts.bitnami.com/bitnami
   version: 14.7.0
-digest: sha256:f58d0f9f5f0214b0c461494b9eaa34f354f0c96df7fa5e545df6108078dbe960
-generated: "2024-11-05T15:08:47.310125592Z"
+digest: sha256:1d5a73633a95123776b52c7de39dafe34835b07f97026b1ace99712ffb30c578
+generated: "2024-11-06T15:30:47.69998+02:00"
diff --git a/charts/testkube-enterprise/Chart.yaml b/charts/testkube-enterprise/Chart.yaml
@@ -22,7 +22,7 @@ dependencies:
     repository: https://kubeshop.github.io/helm-charts
     condition: testkube-agent.enabled
   - name: dex
-    version: 0.19.1-3
+    version: 0.19.1-4
     repository: file://./charts/dex
     condition: dex.enabled
   - name: mongodb
@@ -31,7 +31,7 @@ dependencies:
     condition: mongodb.enabled
   - name: nats
     condition: testkube-api.nats.enabled
-    version: 1.2.6-1
+    version: 1.2.6-2
     repository: "file://./charts/nats"
   - name: minio
     version: 14.7.0

diff --git a/charts/testkube-enterprise/charts/dex/Chart.yaml b/charts/testkube-enterprise/charts/dex/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: dex
-version: 0.19.1-3
+version: 0.19.1-4
 appVersion: "2.41.1"
 kubeVersion: ">=1.14.0-0"
 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.

diff --git a/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl b/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl
@@ -85,3 +85,25 @@ The name of the image
 {{- end -}}
 image: {{ $image }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "dex.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "dex.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
diff --git a/charts/testkube-enterprise/charts/dex/templates/deployment.yaml b/charts/testkube-enterprise/charts/dex/templates/deployment.yaml
@@ -47,15 +47,15 @@ spec:
       priorityClassName: {{ . | quote }}
       {{- end }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "dex.podSecurityContext" . | trim }}
       {{- with .Values.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{ include "dex.containerSecurityContext" . | trim }}
           {{- include "dex.image" . | nindent 10 }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:

diff --git a/charts/testkube-enterprise/charts/dex/values.yaml b/charts/testkube-enterprise/charts/dex/values.yaml
@@ -7,6 +7,10 @@ global:
   imageRegistry: ""
   # -- Image pull secrets to use for testkube-cloud-api and testkube-cloud-ui
   imagePullSecrets: []
+  # -- Global security Context for Dex Container
+  containerSecurityContext: {}
+  # -- Global security Context for Dex Pod
+  podSecurityContext: {}
 
 # -- Number of replicas (pods) to launch.
 replicaCount: 1

diff --git a/charts/testkube-enterprise/charts/nats/Chart.yaml b/charts/testkube-enterprise/charts/nats/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 1.2.6-1
+version: 1.2.6-2
 home: http://github.com/nats-io/k8s
 maintainers:
 - email: [email protected]

diff --git a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml
@@ -44,3 +44,6 @@ volumeMounts:
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml
@@ -42,3 +42,6 @@ spec:
     secret:
       secretName: {{ .secretName | quote }}
   {{- end }}
+
+  securityContext:
+  {{- include "nats.podSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml
@@ -104,3 +104,6 @@ volumeMounts:
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml
@@ -69,3 +69,6 @@ spec:
   - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
   {{- end }}
   {{- end}}
+
+  securityContext:
+    {{- include "nats.podSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml
@@ -28,3 +28,6 @@ args:
 - -gatewayz
 {{- end }}
 - http://localhost:{{ .Values.config.monitor.port }}/
+
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml
@@ -25,3 +25,7 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+
+
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl b/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl
@@ -280,3 +280,25 @@ output: string with following format rules
     "${1}")
   -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "nats.podSecurityContext" -}}
+{{- with .Values.global.podSecurityContext }}
+{{ toYaml . }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext  }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "nats.containerSecurityContext" -}}
+{{- with .Values.global.containerSecurityContext }}
+{{- toYaml . }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext }}
+{{- end }}
+{{- end }}
diff --git a/charts/testkube-enterprise/charts/nats/values.yaml b/charts/testkube-enterprise/charts/nats/values.yaml
@@ -14,6 +14,10 @@ global:
     # global registry to use for all container images in the chart
     # can be overridden by individual image registry
     registry:
+  # -- Security Context for all pods
+  podSecurityContext: {}
+  # -- Security Context for all containers
+  containerSecurityContext: {}
 
   # global labels will be applied to all resources deployed by the chart
   labels: {}