Allow registry securitycontext configurable (#1722)

* move registry securitycontext to values * add configurable podSecurityContext to registry service * add test cases for security context * add default test case for registry security context
astronomer · Oct 17, 2023 · 09cf628 · 09cf628
1 parent 65c971a
commit 09cf628
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/charts/astronomer/templates/registry/registry-statefulset.yaml b/charts/astronomer/templates/registry/registry-statefulset.yaml
@@ -55,10 +55,9 @@ spec:
       tolerations:
 {{ toYaml (default .Values.global.platformNodePool.tolerations .Values.tolerations) | indent 8 }}
       restartPolicy: Always
-      securityContext:
-        fsGroup: 1000
-        runAsGroup: 1000
-        runAsUser: 1000
+{{- with .Values.registry.podSecurityContext }}
+      securityContext: {{ toYaml . | nindent 8 }}
+{{- end }}
 {{- include "astronomer.imagePullSecrets" . | indent 6 }}
       containers:
         - name: registry

diff --git a/charts/astronomer/values.yaml b/charts/astronomer/values.yaml
@@ -356,7 +356,10 @@ registry:
   #  requests:
   #   cpu: 100m
   #   memory: 128Mi
-
+  podSecurityContext:
+    fsGroup: 1000
+    runAsGroup: 1000
+    runAsUser: 1000
   extraEnv: []
 
   serviceAccount:

diff --git a/tests/chart_tests/test_astronomer_registry.py b/tests/chart_tests/test_astronomer_registry.py
@@ -28,6 +28,11 @@ def test_astronomer_registry_statefulset_defaults(self, kube_version):
             "quay.io/astronomer/ap-registry:" in item
             for item in jmespath.search("spec.template.spec.containers[*].image", doc)
         )
+        assert docs[0]["spec"]["template"]["spec"]["securityContext"] == {
+            "fsGroup": 1000,
+            "runAsGroup": 1000,
+            "runAsUser": 1000,
+        }
 
     def test_astronomer_registry_statefulset_with_custom_env(self, kube_version):
         """Test that helm renders statefulset template for astronomer
@@ -155,3 +160,18 @@ def test_astronomer_registry_statefulset_with_scc_disabled(self, kube_version):
             ],
         )
         assert len(docs) == 0
+
+    def test_astronomer_registry_statefulset_with_podSecurityContext_disabled(
+        self, kube_version
+    ):
+        """Test that helm renders statefulset template for astronomer
+        registry with podSecurityContext disabled."""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={"astronomer": {"registry": {"podSecurityContext": []}}},
+            show_only=[
+                "charts/astronomer/templates/registry/registry-statefulset.yaml",
+            ],
+        )
+        assert len(docs) == 1
+        assert "securityContext" not in docs[0]["spec"]["template"]["spec"]