fix: Various securityContext-related fixes (#42)

* allowing consumer to set securityContext on authService (using original values as default) * allowing containerSecurityContext to be configured for the Dataplane * removed extra whitespace Co-authored-by: Kornél Dávid <[email protected]> * ndent 12 not 16 * remove use of dollar-sign and values Co-authored-by: Kornél Dávid <[email protected]> * removed extra end * removed fields that were added because of the original values for `securityContext` Co-authored-by: Kornél Dávid <[email protected]> --------- Co-authored-by: Kornél Dávid <[email protected]>
l7mp · Dec 1, 2024 · a18fe93 · a18fe93
1 parent 9b1c553
commit a18fe93
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/helm/stunner-gateway-operator/templates/stunner-auth-service.yaml b/helm/stunner-gateway-operator/templates/stunner-auth-service.yaml
@@ -30,13 +30,11 @@ spec:
           args:
           - --cds-server-address=stunner-config-discovery.{{ $.Values.namespace | default $.Release.Namespace }}.svc
           {{- range $.Values.stunnerAuthService.deployment.container.authService.args }}
-          -  {{ . }}
+          - {{ . }}
+          {{- end }}
+          {{- with .deployment.container.authService.securityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - "ALL"
           resources: {{- toYaml .deployment.container.authService.resources | nindent 12 }}
       nodeSelector: {{- toYaml .deployment.nodeSelector | nindent 8 }}
       tolerations: {{- toYaml .deployment.tolerations | nindent 8 }}

diff --git a/helm/stunner-gateway-operator/templates/stunner-default-dataplane.yaml b/helm/stunner-gateway-operator/templates/stunner-default-dataplane.yaml
@@ -32,11 +32,14 @@ spec:
   {{- with .affinity }}
   affinity: {{- toYaml . | nindent 4 }}
   {{- end }}
+  {{- with .containerSecurityContext }}
+  containerSecurityContext: {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- with .securityContext }}
   securityContext: {{- toYaml . | nindent 4 }}
   {{- end }}
   {{- with .tolerations }}
   tolerations: {{- toYaml . | nindent 2 }}
   {{- end }}
 {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/helm/stunner-gateway-operator/values.yaml b/helm/stunner-gateway-operator/values.yaml
@@ -67,6 +67,7 @@ stunnerGatewayOperator:
       labels: {}
       annotations: {}
       affinity: {}
+      containerSecurityContext: {}
       securityContext: {}
       tolerations: []
 
@@ -81,6 +82,8 @@ stunnerAuthService:
 #      - name: docker-registry-secret
     container:
       authService:
+        securityContext:
+          runAsNonRoot: true
         image:
           name: docker.io/l7mp/stunner-auth-server
           pullPolicy: IfNotPresent