updates airflow services with security context (#2168)

* updates airflow services with security context * update test cases * fix pre-commit * swap components in tests
astronomer · Apr 4, 2024 · e3c9337 · e3c9337
1 parent 2ddeed0
commit e3c9337
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 10 deletions.
diff --git a/charts/astronomer/templates/houston/houston-configmap.yaml b/charts/astronomer/templates/houston/houston-configmap.yaml
@@ -179,7 +179,7 @@ data:
             {{ if .Values.global.openshiftEnabled }}
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
             {{ end }}
           webserver:
             {{ if .Values.configSyncer.enabled }}
@@ -197,7 +197,7 @@ data:
             {{ if .Values.global.openshiftEnabled }}
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
             {{ end  }}
             resources:
               limits:
@@ -222,7 +222,7 @@ data:
             {{ if .Values.global.openshiftEnabled }}
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
             {{ end  }}
             resources:
               limits:
@@ -238,7 +238,7 @@ data:
             {{ if .Values.global.openshiftEnabled }}
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
             {{ end  }}
 
             podDisruptionBudget:
@@ -381,7 +381,7 @@ data:
             {{ if .Values.global.openshiftEnabled }}
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
             {{ end }}
 
           {{ if .Values.global.openshiftEnabled }}
@@ -395,13 +395,13 @@ data:
           triggerer:
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
 
           # migrateDatabaseJob  settings
           migrateDatabaseJob:
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
 
           {{ end }}
 
@@ -456,7 +456,7 @@ data:
             {{ if .Values.global.openshiftEnabled }}
             securityContexts:
               pod:
-                runAsNonRoot: true
+                runAsNonRoot: false
             {{ end  }}
       {{- end }}
 

diff --git a/tests/chart_tests/test_openshift.py b/tests/chart_tests/test_openshift.py
@@ -22,14 +22,18 @@
     "scheduler",
     "workers",
     "redis",
-    "statsd",
     "triggerer",
     "migrateDatabaseJob",
-    "pgbouncer",
     "cleanup",
 ]
 
 
+non_airflow_components_list = [
+    "statsd",
+    "pgbouncer",
+]
+
+
 @pytest.mark.parametrize(
     "kube_version",
     supported_k8s_versions,
@@ -93,6 +97,11 @@ def test_openshift_flag_defaults_with_enabled_and_validate_houston_configmap(
         airflowConfig = prod["deployments"]["helm"]["airflow"]
 
         for component in airflow_components_list:
+            assert {"runAsNonRoot": False} == airflowConfig[component][
+                "securityContexts"
+            ]["pod"]
+
+        for component in non_airflow_components_list:
             assert {"runAsNonRoot": True} == airflowConfig[component][
                 "securityContexts"
             ]["pod"]