Merge pull request #159 from pierluigilenoci/security_context_improve…

…ments

Improved securityContext and timeout of the initContainer wait-for-redis

helm/oauth2-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 6.15.2
+version: 6.16.0
 apiVersion: v2
 appVersion: 7.4.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -34,8 +34,8 @@ maintainers:
 kubeVersion: ">=1.9.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: fixed
-      description: Drop capabilities of wait-for-redis container
+    - kind: added
+      description: securityContext and timeout of the initContainer wait-for-redis configurable via values.
       links:
         - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/158
+          url: https://github.com/oauth2-proxy/manifests/pull/159

helm/oauth2-proxy/README.md

@@ -144,7 +144,9 @@ Parameter | Description | Default
 `ingress.hosts` | Ingress accepted hostnames | `nil`
 `ingress.tls` | Ingress TLS configuration | `nil`
 `initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true`
-`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor`
+`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
+`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true`
+`initContainers.waitForRedis.timeout` | number of seconds | 180
 `livenessProbe.enabled`  | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
 `livenessProbe.initialDelaySeconds` | number of seconds | 0
 `livenessProbe.timeoutSeconds` | number of seconds | 1

helm/oauth2-proxy/templates/deployment.yaml

@@ -65,15 +65,12 @@ spec:
           - wait
           - pod/{{ include "oauth2-proxy.redis.fullname" . }}-master-0
           - --for=condition=ready
-          - --timeout=180s
+          - --timeout={{ .Values.initContainers.waitForRedis.timeout }}s
+      {{- if .Values.initContainers.waitForRedis.securityContext.enabled }}
+      {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }}
         securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 65534
-          capabilities:
-            drop:
-            - ALL
+          {{- toYaml $securityContext | nindent 10 }}
+      {{- end }}
       {{- end }}
       containers:
       - name: {{ .Chart.Name }}

helm/oauth2-proxy/values.yaml

@@ -276,6 +276,19 @@ initContainers:
     # uses the kubernetes version of the cluster
     # the chart is deployed on, if not set
     kubectlVersion: ""
+    securityContext:
+      enabled: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 65534
+      runAsGroup: 65534
+      seccompProfile:
+        type: RuntimeDefault
+    timeout: 180
 
 # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
 # Alternatively supply an existing secret which contains the required information.