add global security context

charts/testkube-api/templates/_helpers.tpl

@@ -407,3 +407,47 @@ Define TESTKUBE_WATCHER_NAMESPACES variable
 {{- printf "" }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-api.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-api.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "minio.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.minio.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "minio.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.minio.securityContext }}
+{{- end }}
+{{- end }}

charts/testkube-api/templates/deployment.yaml

@@ -289,9 +289,9 @@ spec:
             {{- toYaml . | nindent 12 -}}
             {{- end }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{ include "testkube-api.containerSecurityContext" . | trim }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "testkube-api.podSecurityContext" . | trim }}
       volumes:
         - name: testkube-tmp
           emptyDir: {}

charts/testkube-api/templates/minio.yaml

@@ -153,9 +153,9 @@ spec:
           resources: {{ toYaml .Values.minio.resources | nindent 12 }}
           {{- end }}
           securityContext:
-            {{- toYaml .Values.minio.securityContext | nindent 12 }}
+            {{ include "minio.containerSecurityContext" . | trim }}
       securityContext:
-        {{- toYaml .Values.minio.podSecurityContext | nindent 8 }}
+        {{ include "minio.podSecurityContext" . | trim }}
       {{- if  .Values.minio.serviceAccountName }}
       serviceAccountName: {{ .Values.minio.serviceAccountName }}
       {{- end }}

charts/testkube-api/values.yaml

@@ -25,6 +25,10 @@ global:
     additionalVolumes: []
     ## Additional volume mounts to be added to the Testkube API container and Test Jobs containers
     additionalVolumeMounts: []
+  # -- Global security Context for all containers
+  containerSecurityContext: {}
+  # -- Global security Context for all pods
+  podSecurityContext: {}
   features:
     logsV2: false
     whitelistedContainers: init,logs,scraper

charts/testkube-logs/templates/_helpers.tpl

@@ -95,3 +95,25 @@ Define Testkube Logs image
     {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-logs.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-logs.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}

charts/testkube-logs/templates/deployment.yaml

@@ -164,7 +164,7 @@ spec:
             {{ include "global.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 | trim }}
           {{- end }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{ include "testkube-logs.containerSecurityContext" . | trim }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -183,7 +183,7 @@ spec:
               readOnly: true
           {{- end }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "testkube-logs.podSecurityContext" . | trim }}
       {{- if .Values.tls.certSecret.enabled }}
       volumes:
         - name: {{ .Values.tls.certSecret.name }}

charts/testkube-logs/values.yaml

@@ -21,6 +21,10 @@ global:
   affinity: {}
   # -- Tolerations to add to all deployed pods
   tolerations: []
+  # -- Global security Context for all containers
+  containerSecurityContext: {}
+  # -- Global security Context for all pods
+  podSecurityContext: {}
 
 debug: true
 

charts/testkube-operator/templates/_helpers.tpl

@@ -127,3 +127,69 @@ Define testkube operator namespace
 {{- default .Release.Namespace }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-operator.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-operator.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define podSecurityContext for Webhook Cert Job
+*/}}
+{{- define "webhook.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.webhook.patch.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for migrate container
+*/}}
+{{- define "webhook.migrate.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.webhook.migrate.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for create cert secret container
+*/}}
+{{- define "webhook.create.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.webhook.patch.createSecretJob.securityContext  }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for patch container
+*/}}
+{{- define "webhook.patch.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext  }}
+{{- end }}
+{{- end }}

charts/testkube-operator/templates/deployment.yaml

@@ -51,7 +51,7 @@ spec:
         - containerPort: 9443
           name: https
         securityContext:
-          {{- toYaml .Values.securityContext | nindent 10 }}
+          {{ include "testkube-operator.containerSecurityContext" . | trim }}
       - name: manager
         args:
         - --health-probe-bind-address=:{{ .Values.healthcheckPort }}
@@ -122,13 +122,13 @@ spec:
         resources: {{ toYaml .Values.resources | nindent 10 }}
         {{- end }}
         securityContext:
-          {{- toYaml .Values.securityContext | nindent 10 }}
+          {{ include "testkube-operator.containerSecurityContext" . | trim }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "testkube-operator.podSecurityContext" . | trim }}
       serviceAccountName: {{ include "testkube-operator.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       volumes:

charts/testkube-operator/templates/webhook-cert-create.yaml

@@ -59,7 +59,8 @@ spec:
             - --namespace
             - {{ include "testkube-operator.namespace" . }}
             - --ignore-not-found
-          securityContext: {{- toYaml .Values.webhook.migrate.securityContext | nindent 12 }}
+          securityContext:
+            {{ include "webhook.migrate.containerSecurityContext" . | trim }}
           {{- if .Values.webhook.migrate.resources }}
           resources: {{ toYaml .Values.webhook.migrate.resources | nindent 12 }}
           {{- end }}
@@ -82,16 +83,15 @@ spec:
             - tls.crt
             - --ca-name
             - ca.crt
-          securityContext: {{- toYaml .Values.webhook.patch.createSecretJob.securityContext | nindent 12 }}
+          securityContext:
+            {{ include "webhook.create.containerSecurityContext" . | trim }}
           {{- if .Values.webhook.patch.createSecretJob.resources }}
           resources: {{ toYaml .Values.webhook.patch.createSecretJob.resources | nindent 12 }}
           {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
-      {{- if .Values.webhook.patch.podSecurityContext }}
       securityContext:
-        {{- toYaml .Values.webhook.patch.podSecurityContext | nindent 8 }}
-      {{- end }}
+        {{ include "webhook.podSecurityContext" . | trim }}
       {{- if .Values.webhook.patch.affinity }}
       affinity:
       {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}

charts/testkube-operator/templates/webhook-cert-patch.yaml

@@ -63,16 +63,15 @@ spec:
             - --patch-mutating=false
             - --crd-api-groups
             - tests.testkube.io,executor.testkube.io
-          securityContext: {{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext | nindent 12 }}
+          securityContext:
+            {{ include "webhook.patch.containerSecurityContext" . | trim }}
           {{- if .Values.webhook.patch.patchWebhookJob.resources }}
           resources: {{ toYaml .Values.webhook.patch.patchWebhookJob.resources | nindent 12 }}
           {{- end }}
       restartPolicy: Never
       serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
-      {{- if .Values.webhook.patch.podSecurityContext }}
       securityContext:
-        {{- toYaml .Values.webhook.patch.podSecurityContext | nindent 8 }}
-      {{- end }}
+        {{ include "webhook.podSecurityContext" . | trim }}
       {{- if .Values.webhook.patch.affinity }}
       affinity:
       {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}

charts/testkube-operator/values.yaml

@@ -16,6 +16,10 @@ global:
   nodeSelector: {}
   affinity: {}
   tolerations: []
+  # -- Global security Context for all containers
+  containerSecurityContext: {}
+  # -- Global security Context for all pods
+  podSecurityContext: {}
 
 ### @section Common parameters
 ## Kubernetes version (using Helm capabilities if not set)

charts/testkube/Chart.yaml

@@ -15,7 +15,7 @@ dependencies:
     repository: https://charts.bitnami.com/bitnami
   - name: nats
     condition: testkube-api.nats.enabled
-    version: 1.2.6-1
+    version: 1.2.6-2
     repository: "file://./charts/nats"
   - name: testkube-api
     version: 2.1.60

charts/testkube/charts/nats/Chart.yaml

@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 1.2.6-1
+version: 1.2.6-2
 home: http://github.com/nats-io/k8s
 maintainers:
 - email: [email protected]

charts/testkube/charts/nats/files/nats-box/deployment/container.yaml

@@ -44,3 +44,6 @@ volumeMounts:
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml

@@ -42,3 +42,6 @@ spec:
     secret:
       secretName: {{ .secretName | quote }}
   {{- end }}
+
+  securityContext:
+  {{- include "nats.podSecurityContext" $ | nindent 6 }}

charts/testkube/charts/nats/files/stateful-set/nats-container.yaml

@@ -104,3 +104,6 @@ volumeMounts:
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube/charts/nats/files/stateful-set/pod-template.yaml

@@ -69,3 +69,6 @@ spec:
   - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
   {{- end }}
   {{- end}}
+
+  securityContext:
+    {{- include "nats.podSecurityContext" $ | nindent 6 }}

charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml

@@ -28,3 +28,6 @@ args:
 - -gatewayz
 {{- end }}
 - http://localhost:{{ .Values.config.monitor.port }}/
+
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml

@@ -25,3 +25,6 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube/charts/nats/templates/_helpers.tpl

@@ -280,3 +280,25 @@ output: string with following format rules
     "${1}")
   -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "nats.podSecurityContext" -}}
+{{- with .Values.global.podSecurityContext }}
+{{ toYaml . }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext  }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "nats.containerSecurityContext" -}}
+{{- with .Values.global.containerSecurityContext }}
+{{- toYaml . }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext }}
+{{- end }}
+{{- end }}