diff --git a/charts/drydock/templates/job-drydock-db-init.yaml b/charts/drydock/templates/job-drydock-db-init.yaml
index 46c3b300..5c82a5df 100644
--- a/charts/drydock/templates/job-drydock-db-init.yaml
+++ b/charts/drydock/templates/job-drydock-db-init.yaml
@@ -36,6 +36,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "db_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
@@ -47,6 +48,7 @@ spec:
 image: {{ .Values.images.tags.drydock_db_init | quote }}
 imagePullPolicy: {{ .Values.images.pull_policy | quote }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "db_init" "container" "drydock_db_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: USER_DB_NAME
 valueFrom:
diff --git a/charts/drydock/templates/job-drydock-db-sync.yaml b/charts/drydock/templates/job-drydock-db-sync.yaml
index 457c905f..ddb5942d 100644
--- a/charts/drydock/templates/job-drydock-db-sync.yaml
+++ b/charts/drydock/templates/job-drydock-db-sync.yaml
@@ -36,6 +36,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "db_sync" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
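Review bot: The container security context added after the resources snippet will, with the values this commit ships, apply `readOnlyRootFilesystem: true` to the db-init container, yet neither this hunk nor the pod-level hunk above it mounts a writable volume for any scratch path. If the init script writes anywhere under the root filesystem (a temp file, a cache directory), the job fails only at run time, which a `helm template` check will not surface; confirm with a rendered-and-run job, or add an `emptyDir` for that path in the same change. The same applies to the db-sync container hunk on the next line. The container definition begins before this hunk and continues past it.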
@@ -47,6 +48,7 @@ spec:
 image: {{ .Values.images.tags.drydock_db_sync | quote }}
 imagePullPolicy: {{ .Values.images.pull_policy | quote }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "db_sync" "container" "drydock_db_sync" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: DRYDOCK_DB_URL
 valueFrom:
diff --git a/charts/drydock/templates/tests/test-drydock-api.yaml b/charts/drydock/templates/tests/test-drydock-api.yaml
index 174f1c78..ce2c8343 100644
--- a/charts/drydock/templates/tests/test-drydock-api.yaml
+++ b/charts/drydock/templates/tests/test-drydock-api.yaml
@@ -29,6 +29,7 @@ metadata:
 labels:
 {{ tuple $envAll "drydock" "api-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "api_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 restartPolicy: Never
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -40,6 +41,7 @@ spec:
 image: {{ .Values.images.tags.drydock }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "api_test" "container" "drydock_api_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 command: ["/bin/bash", "-c", "curl -v -X GET --fail ${DRYDOCK_URL}/api/v1.0/health; exit $?"]
 ...
 {{- end }}
diff --git a/charts/drydock/templates/tests/test-drydock-auth.yaml b/charts/drydock/templates/tests/test-drydock-auth.yaml
index 0894dcfb..337e08d3 100644
--- a/charts/drydock/templates/tests/test-drydock-auth.yaml
+++ b/charts/drydock/templates/tests/test-drydock-auth.yaml
@@ -30,6 +30,7 @@ metadata:
 labels:
 {{ tuple $envAll "drydock" "auth-test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "auth_test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 restartPolicy: Never
 nodeSelector:
 {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@@ -41,6 +42,7 @@ spec:
 image: {{ .Values.images.tags.drydock }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "auth_test" "container" "drydock_auth_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 command: ["/bin/bash", "-c", 'curl -v -X GET --fail ${DRYDOCK_URL}/api/v1.0/tasks; exit_code=$?; if [ "$exit_code" = "22" ]; then exit 0; fi; exit 1']
 ...
 {{- end }}
diff --git a/charts/drydock/values.yaml b/charts/drydock/values.yaml
index 54d5f43f..eb1375e8 100644
--- a/charts/drydock/values.yaml
+++ b/charts/drydock/values.yaml
@@ -79,8 +79,36 @@ pod:
 runAsUser: 65534
 container:
 drydock_api:
- allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ db_init:
+ pod:
+ runAsUser: 65534
+ container:
+ drydock_db_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ db_sync:
+ pod:
+ runAsUser: 65534
+ container:
+ drydock_db_sync:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ api_test:
+ pod:
+ runAsUser: 65534
+ container:
+ drydock_api_test:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ auth_test:
+ pod:
+ runAsUser: 65534
+ container:
+ drydock_auth_test:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 lifecycle:
 upgrades:
 deployments:
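Review bot: The four new `security_context` entries stop at `runAsUser`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation`; none asserts `runAsNonRoot: true` at the pod level or drops Linux capabilities at the container level, so these containers still start with the runtime's default capability set. Since the template hunks on the earlier lines hand these maps to the helm-toolkit security-context snippets, which appear to render the map as given (the existing `drydock_api` entry follows the same shape), adding `runAsNonRoot: true` and a `capabilities.drop: [ALL]` here should be sufficient with no template change — worth confirming against the rendered manifests. A short comment above each entry would also help maintainers, e.g. `# key names must match the "application"/"container" values passed to the helm-toolkit security_context snippets in templates/`. The enclosing `security_context:` mapping and the start of the `drydock_api:` entry lie outside the hunk.
```yaml
    db_init:
      pod:
        runAsUser: 65534
        runAsNonRoot: true
      container:
        drydock_db_init:
          # … unchanged: readOnlyRootFilesystem, allowPrivilegeEscalation …
          capabilities:
            drop:
              - ALL
    # … db_sync, api_test and auth_test: same two additions in each entry …
```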