Add security context for statefulset and post-upgrade/install jobs

[tzahigro1]

This PR adds the option to configure "runAsNonRoot" and "allowPrivilegeEscalation" fields under "securityContext" for the statefulset , post-install-upgrade-job and post-upgrade job inside the values file under statefulset.securityContext.allowPrivilegeEscalation and statefulset.securityContext.runAsNonRoot

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Tzahi Grodzevsky seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[RafalKorepta]

Hi @tzahigro1,

I don't have problem with that implementation, but there are dedicated values for post jobs

helm-charts/charts/redpanda/values.yaml

Lines 568 to 608 in 90d3dbb

	post_install_job:
	enabled: true
	# Resource requests and limits for the post-install batch job
	# resources:
	# requests:
	# cpu: 1
	# memory: 512Mi
	# limits:
	# cpu: 2
	# memory: 1024Mi
	# labels: {}
	# annotations: {}
	affinity: {}
	post_upgrade_job:
	enabled: true
	# Resource requests and limits for the post-upgrade batch job
	# resources:
	# requests:
	# cpu: 1
	# memory: 512Mi
	# limits:
	# cpu: 2
	# memory: 1024Mi
	# labels: {}
	# annotations: {}
	# Additional environment variables for the Post Upgrade Job
	# extraEnv:
	# - name: AWS_SECRET_ACCESS_KEY
	# valueFrom:
	# secretKeyRef:
	# name: my-secret
	# key: redpanda-aws-secret-access-key
	# Additional environment variables for the Post Upgrade Job mapped from Secret or ConfigMap
	# extraEnvFrom:
	# - secretRef:
	# name: redpanda-aws-secrets
	affinity: {}
	# When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish
	# its rollout. User can extend Job default backoff limit of `6`.
	# backoffLimit:

which could have that securityContext part.

It would be good, as a follow up, to give users ability to change the securityContext per container.

Could you bump the following semver? The patch version should suffice.

helm-charts/charts/redpanda/Chart.yaml

Line 26 in 90d3dbb

version: 5.7.33

Could you signed CLA?

[RafalKorepta]

I see that CLA is signed. I will bump Chart.yaml quickly.

[tzahigro1]

Hi @tzahigro1,

I don't have problem with that implementation, but there are dedicated values for post jobs

helm-charts/charts/redpanda/values.yaml

Lines 568 to 608 in 90d3dbb

	post_install_job:
	enabled: true
	# Resource requests and limits for the post-install batch job
	# resources:
	# requests:
	# cpu: 1
	# memory: 512Mi
	# limits:
	# cpu: 2
	# memory: 1024Mi
	# labels: {}
	# annotations: {}
	affinity: {}
	post_upgrade_job:
	enabled: true
	# Resource requests and limits for the post-upgrade batch job
	# resources:
	# requests:
	# cpu: 1
	# memory: 512Mi
	# limits:
	# cpu: 2
	# memory: 1024Mi
	# labels: {}
	# annotations: {}
	# Additional environment variables for the Post Upgrade Job
	# extraEnv:
	# - name: AWS_SECRET_ACCESS_KEY
	# valueFrom:
	# secretKeyRef:
	# name: my-secret
	# key: redpanda-aws-secret-access-key
	# Additional environment variables for the Post Upgrade Job mapped from Secret or ConfigMap
	# extraEnvFrom:
	# - secretRef:
	# name: redpanda-aws-secrets
	affinity: {}
	# When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish
	# its rollout. User can extend Job default backoff limit of `6`.
	# backoffLimit:

which could have that securityContext part.

It would be good, as a follow up, to give users ability to change the securityContext per container.

Could you bump the following semver? The patch version should suffice.

helm-charts/charts/redpanda/Chart.yaml

Line 26 in 90d3dbb

version: 5.7.33

Could you signed CLA?

Yes I saw that but upon looking at the previous implementation the "runAsUser" and "runAsGroup" values come from there so I figured its the place to add it.
I agree with you that a better more preferred way is to add them to the values under each "job" , although it can conflict with the current implementation because I see that there are 3 resources using the same "container-security-context" values from helpers.tpl

[tzahigro1]

for example in the existing _helpers.tpl
https://github.com/tzahigro1/redpanda-helm-charts/blob/b71a4578678e0587a27abaa30f55b152b9ae2d67/charts/redpanda/templates/_helpers.tpl#L477
You can see that "container-security-context" already takes the value from ".Values.statefulset.securityContext.runAsUser" and ".Values.statefulset.securityContext.runAsGroup"
and it is used inside the post-upgrade job aswell as in the post-install-upgrade-job and statefulset.
I think this value from "_helpers.tpl" either need to be merged with the values inside "values.yaml" file or some other implementation.
@RafalKorepta Please let me know what you think

[RafalKorepta]

@tzahigro1 I agree with you that this needs to be refactored. I will create follow up to address that.

[RafalKorepta]

Great to see that improvement!

You can always extend the values.yaml with commented example and defines new fields in values.schema.json

[tzahigro1]

The CLA is bugged because I made commits from user without proper email address format , I re-wrote the commit history with my correct email.
@RafalKorepta

[EliranTurgeman]

@alejandroEsc , @chrisseto please review :)

[tzahigro1]

I see that the PR is merged but don't see any new chart released?
Can you please make sure the new chart is released and let us know.
@RafalKorepta @chrisseto

[RafalKorepta]

@tzahigro1 The chart.yaml was not changed. Probably by rebasing the semver bump was missed.

If CI passes for #1087, then your changes would be included in new chart release.