From d9b137306e6711e4e26f8592e63fefdf66d03756 Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Mon, 26 Aug 2024 14:56:57 +0100
Subject: [PATCH 1/4] Ensure that otel-collector and otel-agent run as sourcegraph user
---
 charts/sourcegraph/values.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
index 882519f5..133f0c2b 100644
--- a/charts/sourcegraph/values.yaml
+++ b/charts/sourcegraph/values.yaml
@@ -645,6 +645,10 @@ openTelemetry:
 create: false
 # -- Name of the ServiceAccount to be created or an existing ServiceAccount
 name: ""
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 100
+ runAsGroup: 101
 agent:
 # -- Name used by resources. Does not affect service names or PVCs.
@@ -667,6 +671,10 @@ openTelemetry:
 create: false
 # -- Name of the ServiceAccount to be created or an existing ServiceAccount
 name: ""
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 100
+ runAsGroup: 101
 nodeExporter:
 # -- Enable `node-exporter`
From bdaa66918e97c54c5fbecd0615a839ba34a6173c Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Mon, 26 Aug 2024 14:58:56 +0100
Subject: [PATCH 2/4] Update changelog
---
 charts/sourcegraph/CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/charts/sourcegraph/CHANGELOG.md b/charts/sourcegraph/CHANGELOG.md
index 3c7bec7a..4de9641a 100644
--- a/charts/sourcegraph/CHANGELOG.md
+++ b/charts/sourcegraph/CHANGELOG.md
@@ -8,6 +8,8 @@ Use `**BREAKING**:` to denote a breaking change
 ## Unreleased
+- Updated OpenTelemetry collector and agent images to run as non-root users [#543](https://github.com/sourcegraph/deploy-sourcegraph-helm/pull/543)
+
 ## 5.6.185
 - Sourcegraph 5.6.185 is now available
From 9d44be888770fca6460a4125e203f0b633d8923d Mon Sep 17 00:00:00 2001
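Review bot: The new `containerSecurityContext` block under `gateway` in the first hunk has no `# --` helm-docs comment, unlike the sibling `name` key directly above it, which is why the generated README rows for these keys come out with an empty description cell; the `agent` hunk at `@@ -667,6 +671,10 @@` has the same gap. A one-line description above each block would close it, e.g. `# -- Security context for the otel-collector container; runAsUser/runAsGroup must match the non-root user in the image`. The block pins a numeric UID/GID but does not set `runAsNonRoot: true`, so an override of `runAsUser` to 0 would be accepted silently rather than rejected at pod admission; adding `runAsNonRoot: true` makes the commit's intent enforceable, and `capabilities: { drop: [ALL] }` is the usual companion when the process needs no capabilities, which the diff does not show either way. Whether uid 100 / gid 101 really corresponds to the sourcegraph user in the collector and agent images is not visible here and should be confirmed against the image definitions before merging.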
From: Will Dollman
Date: Mon, 26 Aug 2024 15:34:09 +0100
Subject: [PATCH 3/4] Include securityContext in otel deployment + daemonset
---
 .../templates/otel-collector/otel-agent.DaemonSet.yaml | 2 ++
 .../templates/otel-collector/otel-collector.Deployment.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml b/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml
index 1e1f7cf5..ca03f26f 100644
--- a/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml
+++ b/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml
@@ -58,6 +58,8 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.openTelemetry.agent.resources | nindent 10 }}
+ securityContext:
+ {{- toYaml .Values.openTelemetry.agent.containerSecurityContext | nindent 10 }}
 readinessProbe:
 httpGet:
 path: /
diff --git a/charts/sourcegraph/templates/otel-collector/otel-collector.Deployment.yaml b/charts/sourcegraph/templates/otel-collector/otel-collector.Deployment.yaml
index d0dc359c..9b3f6da2 100644
--- a/charts/sourcegraph/templates/otel-collector/otel-collector.Deployment.yaml
+++ b/charts/sourcegraph/templates/otel-collector/otel-collector.Deployment.yaml
@@ -74,6 +74,8 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.openTelemetry.gateway.resources | nindent 10 }}
+ securityContext:
+ {{- toYaml .Values.openTelemetry.gateway.containerSecurityContext | nindent 10 }}
 readinessProbe:
 httpGet:
 path: /
From ede2d1c3633e33e369d226bc12c62ecb7cf61691 Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Mon, 26 Aug 2024 15:53:16 +0100
Subject: [PATCH 4/4] Run helm-docs.sh
---
 charts/sourcegraph/README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index f4489afb..741bf8ae 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
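Review bot: The `securityContext:` key added to otel-agent.DaemonSet.yaml is rendered unconditionally, so a values override that empties `openTelemetry.agent.containerSecurityContext` still emits the key with an empty or null body; Kubernetes accepts that, so this is a point of style rather than a defect, but the `{{- end }}` on the preceding context line suggests the file already guards optional blocks, and the otel-collector.Deployment.yaml hunk has the same shape. The conventional form is `{{- with .Values.openTelemetry.agent.containerSecurityContext }}` / `securityContext:` / `{{- toYaml . | nindent 10 }}` / `{{- end }}` (and the `gateway` equivalent in the Deployment). The enclosing container spec starts and ends outside the hunk, so whether any init or sidecar containers in the same pod template also receive a security context cannot be checked from this diff.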
@@ -194,6 +194,9 @@ In addition to the documented values, all services also support the following va
 | nodeExporter.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":".2","memory":"100Mi"}}` | Resource requests & limits for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | nodeExporter.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `node-exporter` |
 | nodeExporter.serviceAccount.name | string | `"node-exporter"` | Name of the ServiceAccount to be created or an existing ServiceAccount |
+| openTelemetry.agent.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
+| openTelemetry.agent.containerSecurityContext.runAsGroup | int | `101` | |
+| openTelemetry.agent.containerSecurityContext.runAsUser | int | `100` | |
 | openTelemetry.agent.hostPorts | object | `{"otlpGrpc":4317,"otlpHttp":4318,"zpages":55679}` | Resource requests & limits for the `otel-agent` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | openTelemetry.agent.name | string | `"otel-agent"` | Name used by resources. Does not affect service names or PVCs. |
 | openTelemetry.agent.resources.limits.cpu | string | `"500m"` | |
@@ -206,6 +209,9 @@ In addition to the documented values, all services also support the following va
 | openTelemetry.gateway.config.traces.exporters | object | `{}` | Define where traces should be exported to. Read how to configure different backends in the [OpenTelemetry documentation](https://opentelemetry.io/docs/collector/configuration/#exporters) |
 | openTelemetry.gateway.config.traces.exportersTlsSecretName | string | `""` | Define the name of a preexisting secret containing TLS certificates for exporters, which will be mounted under "/tls". Read more about TLS configuration of exporters in the [OpenTelemetry Collector documentation](https://github.com/open-telemetry/opentelemetry-collector/blob/main/config/configtls/README.md) |
 | openTelemetry.gateway.config.traces.processors | object | `{}` | Define trace processors. Read how to configure sampling in the [OpenTelemetry documentation](https://docs.sourcegraph.com/admin/observability/opentelemetry#sampling-traces) |
+| openTelemetry.gateway.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
+| openTelemetry.gateway.containerSecurityContext.runAsGroup | int | `101` | |
+| openTelemetry.gateway.containerSecurityContext.runAsUser | int | `100` | |
 | openTelemetry.gateway.name | string | `"otel-collector"` | Name used by resources. Does not affect service names or PVCs. |
 | openTelemetry.gateway.resources | object | `{"limits":{"cpu":"3","memory":"3Gi"},"requests":{"cpu":"1","memory":"1Gi"}}` | Resource requests & limits for the `otel-collector` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | openTelemetry.gateway.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `otel-collector` |