From a2976a6b6c76785015cd1d1c6874adb5ac5afd01 Mon Sep 17 00:00:00 2001
From: Remy Koning
Date: Fri, 23 Feb 2024 11:04:58 +0100
Subject: [PATCH 1/3] ISSUE-711: add support for securityContext to SRS
---
 .../charts/srs/templates/srsservice_deployment.yaml | 4 ++++
 charts/backingservices/values.yaml | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml b/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml
index 5bc225ca3..216a78bd7 100644
--- a/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml
+++ b/charts/backingservices/charts/srs/templates/srsservice_deployment.yaml
@@ -105,6 +105,10 @@ spec:
 value: ""
 resources:
 {{- toYaml .Values.srsRuntime.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.srsRuntime.securityContext | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
 {{- if .Values.srsStorage.tls.enabled }}
 volumes:
 - name: srs-certificates
diff --git a/charts/backingservices/values.yaml b/charts/backingservices/values.yaml
index eab5c969c..88034a918 100644
--- a/charts/backingservices/values.yaml
+++ b/charts/backingservices/values.yaml
@@ -38,6 +38,18 @@ srs:
 # When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
 OAuthPublicKeyURL: ""
+ # Container securityContext
+ # securityContext:
+ # runAsUser: 9999 # app
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - all
+
+ # Pod securityContext
+ # securityContext:
+ # runAsUser: 9999 # app
+
 # This section specifies the elasticsearch cluster configuration.
 srsStorage:
 # Setting srsStorage.provisionInternalESCluster to true will provision an internal elasticsearch cluster using the configuration
From 34d7476d53ba72abcbedbc0e3b981f969c51db65 Mon Sep 17 00:00:00 2001
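Review bot: Both new `securityContext:` keys in srsservice_deployment.yaml are rendered unconditionally, so when `.Values.srsRuntime.securityContext` or `.Values.securityContext` is unset (the default, since values.yaml in this patch carries only commented examples) `toYaml` of the missing value likely leaves the manifest with `securityContext: null` at container and pod level. Guarding each key with a `with` block emits it only when the operator supplies a value, and makes it visible in `helm template` output whether any hardening is actually applied. The hunk shows only part of the pod spec, so the indentation in the sketch follows the `nindent 12` and `nindent 8` arguments.

```yaml
          # … unchanged: resources block …
          {{- with .Values.srsRuntime.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      {{- with .Values.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: tls volumes block …
```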
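Review bot: The commented container example in values.yaml drops `all` in lowercase, while Pod Security Admission's restricted profile looks for the literal `ALL`, so an operator who uncomments the block as written may still be rejected in a restricted namespace; `# - ALL` is the safer example. The samples also pin `runAsUser: 9999` without `runAsNonRoot: true` or a `seccompProfile`, and adding commented `runAsNonRoot: true` and `seccompProfile` / `type: RuntimeDefault` lines would bring the example closer to that profile. Because everything here stays commented, the chart default remains no securityContext at all; a one-line comment above the block saying that these settings are opt-in would help operators notice.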
From: Kishor Kumar Vasantala
Date: Wed, 19 Jun 2024 16:28:00 +0530
Subject: [PATCH 2/3] Update values.yaml - false positive from yamllint
---
 charts/backingservices/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/backingservices/values.yaml b/charts/backingservices/values.yaml
index fb40beb7b..6dbe9dfc0 100644
--- a/charts/backingservices/values.yaml
+++ b/charts/backingservices/values.yaml
@@ -38,7 +38,7 @@ srs:
 # When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
 OAuthPublicKeyURL: ""
- # Container securityContext
+ ## Container securityContext
 # securityContext:
 # runAsUser: 9999 # app
 # allowPrivilegeEscalation: false
From 6fbbb8b50a33ca63d6fba75330d513048bb0b87d Mon Sep 17 00:00:00 2001
From: Kishor Kumar Vasantala
Date: Wed, 19 Jun 2024 16:55:05 +0530
Subject: [PATCH 3/3] Update values.yaml - reorder to mitigate false positive with yamllint
---
 charts/backingservices/values.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/charts/backingservices/values.yaml b/charts/backingservices/values.yaml
index 6dbe9dfc0..0dfe83e58 100644
--- a/charts/backingservices/values.yaml
+++ b/charts/backingservices/values.yaml
@@ -32,13 +32,7 @@ srs:
 # Specify secret names as an array of comma-separated strings. For example: ["secret1", "secret2"]
 imagePullSecretNames: []
- env:
- # AuthEnabled may be set to true when there is an authentication mechanism in place between SRS and Pega Infinity.
- AuthEnabled: false
- # When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
- OAuthPublicKeyURL: ""
-
- ## Container securityContext
+ # Container securityContext
 # securityContext:
 # runAsUser: 9999 # app
 # allowPrivilegeEscalation: false
@@ -46,6 +40,12 @@ srs:
 # drop:
 # - all
+ env:
+ # AuthEnabled may be set to true when there is an authentication mechanism in place between SRS and Pega Infinity.
+ AuthEnabled: false
+ # When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
+ OAuthPublicKeyURL: ""
+
 # Pod securityContext
 # securityContext:
 # runAsUser: 9999 # app