[Application]: add command to container and sidecars and fix security…

… context (again) (#164) We trapped into helm/helm#5238 with the merge of default security context with specific ones in sidecar or initcontainer. objects seem to be merged by using the `or` operation - effectively making `true` always the result for bool properties. with this change, behavior changes, but as it was already wrong in the past it just can get better. --------- Co-authored-by: mhaxp <[email protected]> Co-authored-by: Florian Heubeck <[email protected]> Co-authored-by: Florian Heubeck <[email protected]>
MediaMarktSaturn · Dec 3, 2024 · e520c3a · e520c3a
1 parent f586829
commit e520c3a
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 17 deletions.
diff --git a/chart-tests/application/ci/test-image-lifecycle-values.yaml b/chart-tests/application/ci/test-image-lifecycle-values.yaml
@@ -9,7 +9,8 @@ image:
   repository: busybox
   tag: stable
 container:
-  args: ["sleep", "2000"]
+  command: ["sh", "-c"]
+  args: ["sleep 2000"]
 lifecycle:
   postStart:
     exec:

diff --git a/chart-tests/application/ci/test-init-container-values.yaml b/chart-tests/application/ci/test-init-container-values.yaml
@@ -32,8 +32,11 @@ initContainers:
     command: ['ls', '-lah', '/']
     env: {}
     restartPolicy: Never
-    securityContext:
-      runAsNonRoot: true
-      allowPrivilegeEscalation: false
-      runAsUser: 65534
-      runAsGroup: 65534
+
+
+initDefaults:
+  securityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    runAsUser: 65534
+    runAsGroup: 65534
diff --git a/chart-tests/application/ci/test-sidecar-values.yaml b/chart-tests/application/ci/test-sidecar-values.yaml
@@ -30,6 +30,7 @@ sidecars:
       port: 9090
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
     volumeMountNames:
       - share
     ports:
@@ -55,6 +56,17 @@ sidecars:
       port: 7070
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
+  - name: commandtest
+    image:
+      repository: busybox
+      tag: stable
+    command: ["sh", "-c"]
+    args: ["sleep 2000"]
+    livenessProbe:
+      cmd: ['ls']
+    readinessProbe:
+      cmd: ['ls']
 
 sidecarDefaults:
   resources:
@@ -64,3 +76,6 @@ sidecarDefaults:
     limits:
       cpu: 100m
       memory: 100Mi
+  securityContext:
+    runAsNonRoot: false
+    allowPrivilegeEscalation: false
diff --git a/chart-tests/application/ci/test-statefulset-sidecar-values.yaml b/chart-tests/application/ci/test-statefulset-sidecar-values.yaml
@@ -33,6 +33,7 @@ sidecars:
       port: 9090
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
     volumeMountNames:
       - share
   - name: kickback
@@ -54,6 +55,7 @@ sidecars:
       port: 7070
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
 
 sidecarDefaults:
   resources:

diff --git a/charts/application/Chart.yaml b/charts/application/Chart.yaml
@@ -7,4 +7,4 @@ maintainers:
   - name: MediaMarktSaturn
     url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.29.1
+version: 1.30.0
diff --git a/charts/application/templates/_podTemplate.tpl b/charts/application/templates/_podTemplate.tpl
@@ -62,11 +62,7 @@ spec:
         - {{ . | quote }}
         {{- end }}
       securityContext:
-        {{- if and $i.securityContext $.Values.initDefaults.securityContext }}
-        {{- toYaml (merge $i.securityContext $.Values.initDefaults.securityContext) | nindent 8 }}
-        {{- else }}
-        {{- toYaml (or $i.securityContext $.Values.initDefaults.securityContext) | nindent 8 }}
-        {{- end }}
+        {{- toYaml (default $.Values.initDefaults.securityContext $i.securityContext ) | nindent 8 }}
       resources:
         {{- toYaml (or $i.resources $.Values.initDefaults.resources) | nindent 8 }}
       env:
@@ -121,16 +117,18 @@ spec:
       image: "{{ .image.repository }}:{{ .image.tag }}"
       {{- end }}
       imagePullPolicy: {{ or $s.image.pullPolicy $.Values.sidecarDefaults.image.pullPolicy }}
+      {{- if $s.command }}
+      command:
+        {{- range $s.command }}
+        - {{ . | quote }}
+        {{- end }}
+      {{- end }}
       args: {{ if not $s.args }}[]{{ end }}
         {{- range $s.args }}
         - {{ . | quote }}
         {{- end }}
       securityContext:
-        {{- if and $s.securityContext $.Values.sidecarDefaults.securityContext }}
-        {{- toYaml (merge $s.securityContext $.Values.sidecarDefaults.securityContext) | nindent 8 }}
-        {{- else }}
-        {{- toYaml (or $s.securityContext $.Values.sidecarDefaults.securityContext) | nindent 8 }}
-        {{- end }}
+        {{- toYaml (default $.Values.sidecarDefaults.securityContext $s.securityContext) | nindent 8 }}
       resources:
         {{- toYaml (or $s.resources $.Values.sidecarDefaults.resources) | nindent 8 }}
       env:
@@ -254,6 +252,12 @@ spec:
       image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
       {{- end }}
       imagePullPolicy: {{ .Values.image.pullPolicy }}
+      {{- if .Values.container.command }}
+      command:
+        {{- range .Values.container.command }}
+        - {{ . | quote }}
+        {{- end }}
+      {{- end }}
       args: {{ if not .Values.container.args }}[]{{ end }}
         {{- range .Values.container.args }}
         - {{ . | quote }}

diff --git a/charts/application/values.yaml b/charts/application/values.yaml
@@ -12,6 +12,8 @@ container:
   # annotations to be added to the pod template
   annotations:
     "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
+  # command line given to the container; []string
+  command: []
   # arguments given to the container; []string
   args: []
 
@@ -342,6 +344,7 @@ sidecars: []
 #   image:
 #     repository: quay.io/heubeck/examiner
 #     tag: 1.13.3
+#   command: []
 #   args: []
 #   env: {}
 #   configEnvFrom: []
@@ -425,6 +428,7 @@ initDefaults:
       cpu: 500m
       memory: 100Mi
   restartPolicy: Always
+  # securityContext: {}
 
 # List of tolerations, will be taken over like-for-like to pod-spec
 tolerations: []