Merge branch 'master' into add-fullname-override-on-values

Author: yu-croco

.github/workflows/push.yaml

@@ -45,7 +45,7 @@ jobs:
           version: v1.51.1
           only-new-issues: false
           args: --timeout 10m
-          
+
       - name: Install kubectl
         run: |
           curl -LO "https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl"
@@ -108,7 +108,7 @@ jobs:
             org.opencontainers.image.source=${{ github.event.repository.clone_url }}
             org.opencontainers.image.created=${{ steps.prep.outputs.created }}
             org.opencontainers.image.revision=${{ github.sha }}
-            
+
       ##############################
       ## Add steps to generate required artifacts for a release here(helm chart, operator manifest etc.)
       ##############################
@@ -148,16 +148,16 @@ jobs:
           linting: on
           commit_username: stakater-user
           commit_email: stakater@gmail.com
-          
+
       # Commit back changes
       - name: Commit files
         run: |
           git config --local user.email "stakater@gmail.com"
           git config --local user.name "stakater-user"
-          git status 
+          git status
           git add .
           git commit -m "[skip-ci] Update artifacts" -a
-          
+
       - name: Push changes
         uses: ad-m/github-push-action@master
         with:

deployments/kubernetes/chart/reloader/Chart.yaml

@@ -3,8 +3,8 @@
 apiVersion: v1
 name: reloader
 description: Reloader chart that runs on kubernetes
-version: v1.0.5
-appVersion: v1.0.5
+version: v1.0.9
+appVersion: v1.0.9
 keywords:
   - Reloader
   - kubernetes

deployments/kubernetes/chart/reloader/templates/clusterrole.yaml

@@ -38,8 +38,8 @@ rules:
     resources:
       - namespaces
     verbs:
-      - get         
-{{- end }}      
+      - get
+{{- end }}
 {{- if and (.Capabilities.APIVersions.Has "apps.openshift.io/v1") (.Values.reloader.isOpenshift) }}
   - apiGroups:
       - "apps.openshift.io"

deployments/kubernetes/chart/reloader/templates/deployment.yaml

@@ -128,8 +128,6 @@ spec:
 
         ports:
         - name: http
-          containerPort: 9091
-        - name: metrics
           containerPort: 9090
         livenessProbe:
           httpGet:
@@ -142,15 +140,19 @@ spec:
         readinessProbe:
           httpGet:
             path: /metrics
-            port: metrics
+            port: http
           timeoutSeconds: {{ .Values.reloader.deployment.readinessProbe.timeoutSeconds | default "5" }}
           failureThreshold: {{ .Values.reloader.deployment.readinessProbe.failureThreshold | default "5" }}
           periodSeconds: {{ .Values.reloader.deployment.readinessProbe.periodSeconds | default "10" }}
           successThreshold: {{ .Values.reloader.deployment.readinessProbe.successThreshold | default "1" }}
 
-      {{- with .Values.reloader.deployment.containerSecurityContext }}
-        securityContext: {{ toYaml . | nindent 10 }}
-      {{- end }}
+        {{- $containerSecurityContext := .Values.reloader.deployment.containerSecurityContext | default dict }}
+        {{- if .Values.reloader.readOnlyRootFileSystem }}
+          {{- $_ := set $containerSecurityContext "readOnlyRootFilesystem" true }}
+        {{- end }}
+
+        securityContext:
+          {{- toYaml $containerSecurityContext | nindent 10 }}
 
       {{- if eq .Values.reloader.readOnlyRootFileSystem true }}
         volumeMounts:

deployments/kubernetes/chart/reloader/tests/deployment_test.yaml

@@ -0,0 +1,50 @@
+suite: Deployment
+
+templates:
+  - deployment.yaml
+
+tests:
+  - it: sets readOnlyRootFilesystem in container securityContext when reloader.readOnlyRootFileSystem is true
+    set:
+      reloader:
+        readOnlyRootFileSystem: true
+        deployment:
+          containerSecurityContext:
+            readOnlyRootFilesystem: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+
+  - it: sets readOnlyRootFilesystem in container securityContext even if reloader.deployment.containerSecurityContext is null
+    set:
+      reloader:
+        readOnlyRootFileSystem: true
+        deployment:
+          containerSecurityContext: null
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+
+  - it: does not override readOnlyRootFilesystem in container securityContext based on reloader.readOnlyRootFileSystem
+    set:
+      reloader:
+        readOnlyRootFileSystem: false
+        deployment:
+          containerSecurityContext:
+            readOnlyRootFilesystem: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+
+  - it: template is still valid with no defined containerSecurityContext
+    set:
+      reloader:
+        readOnlyRootFileSystem: false
+        deployment:
+          containerSecurityContext: null
+    asserts:
+      - isEmpty:
+          path: spec.template.spec.containers[0].securityContext

deployments/kubernetes/chart/reloader/values.yaml

@@ -69,10 +69,10 @@ reloader:
     labels:
       provider: stakater
       group: com.stakater.platform
-      version: v1.0.5
+      version: v1.0.9
     image:
       name: stakater/reloader
-      tag: v1.0.5
+      tag: v1.0.9
       pullPolicy: IfNotPresent
     # Support for extra environment variables.
     env:

deployments/kubernetes/kustomization.yaml

@@ -4,7 +4,5 @@ kind: Kustomization
 resources:
   - manifests/clusterrole.yaml
   - manifests/clusterrolebinding.yaml
-  - manifests/role.yaml
-  - manifests/rolebinding.yaml
   - manifests/serviceaccount.yaml
-  - manifests/deployment.yaml
+  - manifests/deployment.yaml

deployments/kubernetes/manifests/clusterrole.yaml

@@ -9,7 +9,7 @@ metadata:
     meta.helm.sh/release-name: "reloader"
   labels:
     app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.9"
     release: "reloader"
     heritage: "Helm"
     app.kubernetes.io/managed-by: "Helm"

deployments/kubernetes/manifests/clusterrolebinding.yaml

@@ -9,7 +9,7 @@ metadata:
     meta.helm.sh/release-name: "reloader"
   labels:
     app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.9"
     release: "reloader"
     heritage: "Helm"
     app.kubernetes.io/managed-by: "Helm"

deployments/kubernetes/manifests/deployment.yaml

@@ -8,13 +8,13 @@ metadata:
     meta.helm.sh/release-name: "reloader"
   labels:
     app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.9"
     release: "reloader"
     heritage: "Helm"
     app.kubernetes.io/managed-by: "Helm"
     group: com.stakater.platform
     provider: stakater
-    version: v1.0.5
+    version: v1.0.9
   name: reloader-reloader
   namespace: default
 spec:
@@ -28,23 +28,21 @@ spec:
     metadata:
       labels:
         app: reloader-reloader
-        chart: "reloader-v1.0.5"
+        chart: "reloader-v1.0.9"
         release: "reloader"
         heritage: "Helm"
         app.kubernetes.io/managed-by: "Helm"
         group: com.stakater.platform
         provider: stakater
-        version: v1.0.5
+        version: v1.0.9
     spec:
       containers:
-      - image: "stakater/reloader:v1.0.5"
+      - image: "stakater/reloader:v1.0.9"
         imagePullPolicy: IfNotPresent
         name: reloader-reloader
 
         ports:
         - name: http
-          containerPort: 9091
-        - name: metrics
           containerPort: 9090
         livenessProbe:
           httpGet:
@@ -57,11 +55,14 @@ spec:
         readinessProbe:
           httpGet:
             path: /metrics
-            port: metrics
+            port: http
           timeoutSeconds: 5
           failureThreshold: 5
           periodSeconds: 10
           successThreshold: 1
+
+        securityContext:
+          {}
       securityContext: 
         runAsNonRoot: true
         runAsUser: 65534