Allow chart users to specify a Security Context

Asgavar · Asgavar · commit 27def72a0982 · 2022-03-30T15:43:16.000+02:00
diff --git a/cockroachdb/Chart.yaml b/cockroachdb/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 7.0.1
+version: 7.1.0
 appVersion: 21.2.7
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
diff --git a/cockroachdb/README.md b/cockroachdb/README.md
@@ -344,6 +344,7 @@ For details see the [`values.yaml`](values.yaml) file.
 | `statefulset.resources`                                   | Resource requests and limits for StatefulSet Pods               | `{}`                                                  |
 | `statefulset.customLivenessProbe`                         | Custom Liveness probe                                           | `{}`                                             |
 | `statefulset.customReadinessProbe`                        | Custom Rediness probe                                           | `{}`                                             |
+| `statefulset.securityContext`                             | Security context for containers                                 | `{}`                                             |
 | `service.ports.grpc.external.port`                        | CockroachDB primary serving port in Services                    | `26257`                                               |
 | `service.ports.grpc.external.name`                        | CockroachDB primary serving port name in Services               | `grpc`                                                |
 | `service.ports.grpc.internal.port`                        | CockroachDB inter-communication port in Services                | `26257`                                               |
@@ -380,6 +381,7 @@ For details see the [`values.yaml`](values.yaml) file.
 | `init.nodeSelector`                                       | Node labels for init Job Pod assignment                         | `{}`                                                  |
 | `init.tolerations`                                        | Node taints to tolerate by init Job Pod                         | `[]`                                                  |
 | `init.resources`                                          | Resource requests and limits for the Pod of init Job            | `{}`                                                  |
+| `init.securityContext`                                    | Security context for the init job containers                    | `{}`                                                  |
 | `tls.enabled`                                             | Whether to run securely using TLS certificates                  | `no`                                                  |
 | `tls.serviceAccount.create`                               | Whether to create a new RBAC service account                    | `yes`                                                 |
 | `tls.serviceAccount.name`                                 | Name of RBAC service account to use                             | `""`                                                  |
@@ -408,9 +410,11 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.selfSigner.image.tag`                                | Image tag to use for self signing TLS certificates              | `0.1`                                                 |
 | `tls.selfSigner.image.pullPolicy`                         | Self signing TLS certificates container pull policy             | `IfNotPresent`                                        |
 | `tls.selfSigner.image.credentials`                        | `registry`, `user` and `pass` credentials to pull private image | `{}`                                                  |
+| `tls.selfSigner.securityContext`                          | Security context applied to selfSigner containers               | `{}`                                                  |
 | `networkPolicy.enabled`                                   | Enable NetworkPolicy for CockroachDB's Pods                     | `no`                                                  |
 | `networkPolicy.ingress.grpc`                              | Whitelist resources to access gRPC port of CockroachDB's Pods   | `[]`                                                  |
 | `networkPolicy.ingress.http`                              | Whitelist resources to access gRPC port of CockroachDB's Pods   | `[]`                                                  |
+| `securityContext`                                         | Security context applied to Pods                                | `{}`                                                  |
 
 
 Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`.
diff --git a/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml b/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
@@ -22,6 +22,10 @@ spec:
           - name: cert-rotate-job
             image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
             imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+            {{- if .Values.tls.selfSigner.securityContext }}
+            securityContext:
+              {{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
+            {{- end }}
             args:
             - rotate
             - --ca
diff --git a/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml b/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
@@ -21,6 +21,10 @@ spec:
           - name: cert-rotate-job
             image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
             imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+            {{- if .Values.tls.selfSigner.securityContext }}
+            securityContext:
+              {{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
+            {{- end }}
             args:
             - rotate
             {{- if .Values.tls.certs.selfSigner.caProvided }}
@@ -46,4 +50,4 @@ spec:
             - name: CLUSTER_DOMAIN
               value: {{ .Values.clusterDomain}}
           serviceAccountName: {{ template "rotatecerts.fullname" . }}
-  {{- end}}
+  {{- end}}
diff --git a/cockroachdb/templates/job-certSelfSigner.yaml b/cockroachdb/templates/job-certSelfSigner.yaml
@@ -30,6 +30,10 @@ spec:
         - name: cert-generate-job
           image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
           imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+          {{- if .Values.tls.selfSigner.securityContext }}
+          securityContext:
+            {{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
+          {{- end }}
           args:
             - generate
             {{- if .Values.tls.certs.selfSigner.caProvided }}
diff --git a/cockroachdb/templates/job-cleaner.yaml b/cockroachdb/templates/job-cleaner.yaml
@@ -30,6 +30,10 @@ spec:
         - name: cleaner
           image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
           imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+          {{- if .Values.tls.selfSigner.securityContext }}
+          securityContext:
+            {{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
+          {{- end }}
           args:
             - cleanup
             - --namespace={{ .Release.Namespace }}
diff --git a/cockroachdb/templates/job.init.yaml b/cockroachdb/templates/job.init.yaml
@@ -36,6 +36,10 @@ spec:
     spec:
       restartPolicy: OnFailure
       terminationGracePeriodSeconds: 0
+    {{- if .Values.securityContext }}
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+    {{- end }}
     {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
       imagePullSecrets:
       {{- if .Values.image.credentials }}
@@ -51,6 +55,10 @@ spec:
         - name: copy-certs
           image: "busybox"
           imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
+          {{- if .Values.init.securityContext }}
+          securityContext:
+            {{- toYaml .Values.init.securityContext | nindent 12 }}
+          {{- end }}
           command:
             - /bin/sh
             - -c
@@ -79,6 +87,10 @@ spec:
         - name: cluster-init
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.init.securityContext }}
+          securityContext:
+            {{- toYaml .Values.init.securityContext | nindent 12 }}
+          {{- end }}
           # Run the command in an `while true` loop because this Job is bound
           # to come up before the CockroachDB Pods (due to the time needed to
           # get PersistentVolumes attached to Nodes), and sleeping 5 seconds
diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
@@ -41,6 +41,10 @@ spec:
       annotations: {{- toYaml . | nindent 8 }}
     {{- end }}
     spec:
+    {{- if .Values.securityContext }}
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+    {{- end }}
     {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
       imagePullSecrets:
       {{- if .Values.image.credentials }}
@@ -57,6 +61,10 @@ spec:
         - name: copy-certs
           image: "busybox"
           imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
+          {{- if .Values.statefulset.securityContext }}
+            securityContext:
+              {{- toYaml .Values.statefulset.securityContext | nindent 12 }}
+          {{- end }}
           command:
             - /bin/sh
             - -c
@@ -143,6 +151,10 @@ spec:
         - name: db
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.statefulset.securityContext }}
+            securityContext:
+              {{- toYaml .Values.statefulset.securityContext | nindent 12 }}
+          {{- end }}
           args:
             - shell
             - -ecx
diff --git a/cockroachdb/values.yaml b/cockroachdb/values.yaml
@@ -169,6 +169,7 @@ statefulset:
   podManagementPolicy: Parallel
   budget:
     maxUnavailable: 1
+  securityContext: {}
 
   # List of additional command-line arguments you want to pass to the
   # `cockroach start` command.
@@ -390,6 +391,8 @@ init:
     #   cpu: "10m"
     #   memory: "128Mi"
 
+  securityContext: {}
+
   provisioning:
     enabled: false
     # https://www.cockroachlabs.com/docs/stable/cluster-settings.html
@@ -492,6 +495,7 @@ tls:
       registry: gcr.io
       # username: john_doe
       # password: changeme
+    securityContext: {}
 
 networkPolicy:
   enabled: false
@@ -522,3 +526,5 @@ iap:
   # Create Google Cloud OAuth credentials and set client id and secret
   # clientId:
   # clientSecret:
+
+securityContext: {}
