diff --git a/charts/questdb/templates/_helpers.tpl b/charts/questdb/templates/_helpers.tpl
index 85d5aed..267f979 100644
--- a/charts/questdb/templates/_helpers.tpl
+++ b/charts/questdb/templates/_helpers.tpl
@@ -79,3 +79,45 @@ Generate log.conf file content
 {{ $key }} = {{ $value }}
 {{- end }}
 {{- end }}
+
+{{/*
+Build openshift detection
+*/}}
+{{- define "isOpenshiftEnabled" -}}
+{{- $openshiftEnabledString := (.Values.openshift).enabled | toString -}}
+{{- if eq $openshiftEnabledString "true" -}}
+true
+{{- else if and (eq $openshiftEnabledString "detect") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+true
+{{- end }}
+{{- end }}
+
+{{/*
+Build securityContext
+*/}}
+{{- define "generateSecurityContext" -}}
+{{- $context := .Values.securityContext -}}
+{{- if $context -}}
+{{- if (include "isOpenshiftEnabled" .) -}}
+{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
+{{- end -}}
+{{- else -}}
+{{ $context = dict -}}
+{{- end -}}
+{{ $context | toYaml }}
+{{- end }}
+
+{{/*
+Build podSecurityContext
+*/}}
+{{- define "generatePodSecurityContext" -}}
+{{- $context := .Values.podSecurityContext -}}
+{{- if $context -}}
+{{- if (include "isOpenshiftEnabled" .) -}}
+{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
+{{- end -}}
+{{- else -}}
+{{ $context = dict -}}
+{{- end -}}
+{{ $context | toYaml }}
+{{- end }}
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index a3956c6..75b8739 100644
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
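Review bot: The `detect` branch of `isOpenshiftEnabled` relies on `.Capabilities.APIVersions`, which is only populated from a live API server, so `helm template` and similar offline renders (common in GitOps pipelines unless `--api-versions` is passed) silently take the non-OpenShift path and keep `runAsUser`/`runAsGroup`/`fsGroup`, which the restricted SCC then rejects at admission. That caveat belongs in the helper's comment so operators know to pin the value, e.g. `{{/* Build openshift detection: "detect" needs a reachable API server; offline renders (helm template) fall back to non-OpenShift, so set openshift.enabled=true there */}}`. Dropping the three UID/GID fields while leaving `runAsNonRoot: true` in place is the right shape for restricted SCCs, which assign a namespace-range UID themselves. Stylistically, `generateSecurityContext` and `generatePodSecurityContext` differ only in the values key they read; one helper taking the map as its argument would remove the duplicated `omit` list that otherwise has to be kept in sync by hand.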
@@ -29,14 +29,14 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- include "generatePodSecurityContext" . | nindent 8 }}
 {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}
 serviceAccountName: {{ include "questdb.serviceAccountName" . }}
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- include "generateSecurityContext" . | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 env:
@@ -50,14 +50,7 @@ spec:
 {{- end }}
 volumeMounts:
 - name: {{ include "questdb.fullname" . }}
- mountPath: {{ .Values.questdb.dataDir }}/db
- subPath: db/
- - name: {{ include "questdb.fullname" . }}
- mountPath: {{ .Values.questdb.dataDir }}/.checkpoint
- subPath: .checkpoint/
- - name: {{ include "questdb.fullname" . }}
- mountPath: {{ .Values.questdb.dataDir }}/snapshot
- subPath: snapshot/
+ mountPath: {{ .Values.questdb.dataDir }}
 {{- if .Values.questdb.serverConfig.enabled }}
 - name: server-config
 mountPath: {{ .Values.questdb.dataDir }}/conf/server.conf
@@ -103,6 +96,8 @@ spec:
 - name: init-db-migration
 image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}"
 command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"]
+ securityContext:
+ {{- include "generateSecurityContext" . | nindent 12 }}
 volumeMounts:
 - name: {{ include "questdb.fullname" . }}
 mountPath: /mnt/questdb
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index 7b7b1d1..0172465 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
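Review bot: Mounting the whole PVC at `{{ .Values.questdb.dataDir }}` instead of the three `subPath`s means the main container now sees the volume root, and any files laid down there by earlier releases (whose default was `securityContext: {}`, i.e. the image's default user) must be readable and writable by UID/GID 10001 once the new hardened defaults apply; `fsGroup` re-owns the volume on attach only for volume types that support ownership management, so the upgrade notes should say which storage classes this was verified on. The directory mapping itself is preserved (`<pvc>/db` still lands at `<dataDir>/db`), and directories QuestDB writes beside them now persist rather than living in the container layer, which looks intended. A short comment on the mount would spare the next reader from re-deriving that: `# whole PVC at dataDir: db/, .checkpoint/ and snapshot/ keep their old layout`.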
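Review bot: The `init-db-migration` container now runs under the hardened `generateSecurityContext` (non-root 10001, all capabilities dropped), yet it is exactly the container that touches data written by older releases, which ran with an empty securityContext and therefore the image's default user; if any of that data is root-owned, `migrate_to_helm_v1.sh` will hit permission errors, and unless the script is strict the pod can proceed with a half-migrated volume. Either confirm the script runs with `set -euo pipefail` and fails the init container on the first error, or add a separate `dataMigration.securityContext` value so operators can run the one-off migration under whatever identity owns the legacy files. A comment next to the include would make the assumption explicit: `# same hardened context as the main container; migration must succeed as UID 10001`. The script is outside this diff, so its permission handling is inferred, not verified.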
@@ -8,8 +8,23 @@ nameOverride: ""
 fullnameOverride: ""
 podAnnotations: {}
-podSecurityContext: {}
-securityContext: {}
+podSecurityContext:
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 10001
+ runAsGroup: 10001
+ privileged: false
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+
 extraVolumes: []
 extraVolumeMounts: []
 extraLabels: {}
@@ -121,3 +136,7 @@ dataMigration:
 memory: "256Mi"
 limits:
 memory: "1Gi"
+
+# openshift
+openshift:
+ enabled: detect
\ No newline at end of file
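Review bot: With `fsGroup: 10001` in `podSecurityContext`, the kubelet recursively chowns and chmods the data volume on every pod start for volume types that support ownership management, which on a time-series volume of any size means a long startup and heavy I/O at each restart; adding `fsGroupChangePolicy: "OnRootMismatch"` next to `fsGroup` limits that to the first mount. The container context is otherwise a sound restricted profile (drop ALL, non-root, no privilege escalation, RuntimeDefault seccomp), but `readOnlyRootFilesystem: true` is the usual companion that is missing — worth trying now that the data directory lives entirely on the PVC, or a comment saying why it is left off. A note above `runAsUser` that the three UID/GID fields are stripped automatically on OpenShift would save operators from wondering why they are absent from the rendered manifest.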
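Review bot: `openshift.enabled` accepts three values (`true`, `false`, `detect`) and the helper silently treats anything else as `false`, but the `# openshift` comment documents none of that, so a reader of values.yaml has no way to know that `detect` depends on Helm reaching the API server. Suggested comment: `# openshift.enabled: true | false | detect` / `# "detect" probes for security.openshift.io/v1 and only works against a live cluster;` / `# plain 'helm template' renders as false — set true explicitly for offline renders`. The file also loses its trailing newline here, which most linters flag.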