chore: enable container security contexts modifications

.github/workflows/ct.yaml

@@ -24,7 +24,7 @@ jobs:
         uses: azure/setup-helm@v3
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.4.0
+        uses: helm/chart-testing-action@v2.6.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed

charts/athens-proxy/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: athens-proxy
-version: 0.7.1
+version: 0.8.0
 appVersion: v0.12.0
 description: The proxy server for Go modules
 icon: https://raw.githubusercontent.com/gomods/athens/main/docs/static/banner.png

charts/athens-proxy/ci/basic-values.yaml

@@ -10,3 +10,8 @@ jaeger:
   enabled: true
 extraLabels:
   athensIs: "awesome"
+image:
+  runAsNonRoot: true
+securityContext:
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true

charts/athens-proxy/templates/deployment.yaml

@@ -29,6 +29,11 @@ spec:
         {{- toYaml .Values.annotations | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.image.runAsNonRoot }}
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      {{- end }}
       serviceAccount: {{ template "fullname" . }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
@@ -57,10 +62,9 @@ spec:
             subPath: id_rsa-{{ $server.host }}
           {{- end }}
           {{- end }}
-          {{- if .Values.image.runAsNonRoot }}
+          {{- with .Values.initContainerSecurityContext }}
           securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
+            {{- toYaml . | nindent 12 }}
           {{- end }}
           {{- with .Values.intiContainerResources }}
           resources:
@@ -235,15 +239,14 @@ spec:
           subPath: {{ $server.existingSecret.subPath | quote }}
         {{- end }}
         {{- end }}
-        {{- if .Values.image.runAsNonRoot }}
+        {{- with .Values.securityContext }}
         securityContext:
-          runAsUser: 1000
-          runAsGroup: 1000
+          {{- toYaml . | nindent 10 }}
         {{- end }}
-      {{- with .Values.resources }}
+        {{- with .Values.resources }}
         resources:
           {{- toYaml . | nindent 10 }}
-      {{- end }}
+        {{- end }}
       volumes:
       - name: storage-volume
       {{- if .Values.storage.disk.persistence.enabled }}

charts/athens-proxy/values.yaml

@@ -94,6 +94,16 @@ storage:
     # as GCP figures out internal authentication between products for you.
     serviceAccount: ""
 
+# Container security context configuration (see API reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core)
+# This will override the `image.runAsNonRoot` settings in the specified container if `runAsUser` or `runAsGroup` are set
+securityContext: {}
+  # allowPrivilegeEscalation: false
+  # runAsNonRoot: true
+
+initContainerSecurityContext: {}
+  # allowPrivilegeEscalation: false
+  # runAsNonRoot: true
+
 # Extra environment variables to be passed
 # You can add any new ones at the bottom
 configEnvVars: {}