From 62f94b309ad04d50862ff43e61d4b91db51c8056 Mon Sep 17 00:00:00 2001
From: ypoplavs
Date: Thu, 7 Nov 2024 15:41:46 +0200
Subject: [PATCH] add global security context
---
 charts/testkube-api/templates/_helpers.tpl | 44 +++++++++++++
 charts/testkube-api/templates/deployment.yaml | 4 +-
 charts/testkube-api/templates/minio.yaml | 4 +-
 charts/testkube-api/values.yaml | 4 ++
 charts/testkube-logs/templates/_helpers.tpl | 22 +++++++
 .../testkube-logs/templates/deployment.yaml | 4 +-
 charts/testkube-logs/values.yaml | 4 ++
 .../testkube-operator/templates/_helpers.tpl | 66 +++++++++++++++++++
 .../templates/deployment.yaml | 6 +-
 .../templates/webhook-cert-create.yaml | 10 +--
 .../templates/webhook-cert-patch.yaml | 7 +-
 charts/testkube-operator/values.yaml | 4 ++
 charts/testkube/Chart.yaml | 2 +-
 charts/testkube/charts/nats/Chart.yaml | 2 +-
 .../files/nats-box/deployment/container.yaml | 3 +
 .../nats-box/deployment/pod-template.yaml | 3 +
 .../files/stateful-set/nats-container.yaml | 3 +
 .../nats/files/stateful-set/pod-template.yaml | 3 +
 .../stateful-set/prom-exporter-container.yaml | 3 +
 .../stateful-set/reloader-container.yaml | 3 +
 .../charts/nats/templates/_helpers.tpl | 22 +++++++
 charts/testkube/charts/nats/values.yaml | 4 ++
 charts/testkube/values.yaml | 4 ++
 23 files changed, 211 insertions(+), 20 deletions(-)
diff --git a/charts/testkube-api/templates/_helpers.tpl b/charts/testkube-api/templates/_helpers.tpl
index 3b1e9e8cd..8e26a0840 100644
--- a/charts/testkube-api/templates/_helpers.tpl
+++ b/charts/testkube-api/templates/_helpers.tpl
@@ -407,3 +407,47 @@ Define TESTKUBE_WATCHER_NAMESPACES variable
 {{- printf "" }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-api.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-api.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "minio.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.minio.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "minio.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.minio.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml
index b5b911477..f0f7b86d1 100644
--- a/charts/testkube-api/templates/deployment.yaml
+++ b/charts/testkube-api/templates/deployment.yaml
@@ -289,9 +289,9 @@ spec:
 {{- toYaml . | nindent 12 -}}
 {{- end }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "testkube-api.containerSecurityContext" . | trim }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-api.podSecurityContext" . | trim }}
 volumes:
 - name: testkube-tmp
 emptyDir: {}
diff --git a/charts/testkube-api/templates/minio.yaml b/charts/testkube-api/templates/minio.yaml
index 299a903ac..f3cbe4dae 100644
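Review bot: The `minio.podSecurityContext` and `minio.containerSecurityContext` defines in this hunk drop the chart prefix that the two `testkube-api.*` helpers beside them carry. Helm named templates share a single namespace across every chart loaded into a release and the last definition of a name wins, so another chart in the same release that happens to define a `minio.*` helper of the same name would silently replace these, with the security context rendered from the wrong chart's values; the `webhook.*` defines in the testkube-operator _helpers.tpl hunk have the same exposure. Renaming them `testkube-api.minio.podSecurityContext` / `testkube-api.minio.containerSecurityContext` (and `testkube-operator.webhook.*`) keeps them scoped to the chart that owns the fallback values they read.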
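Review bot: Replacing `{{- toYaml .Values.securityContext | nindent 12 }}` with `{{ include "testkube-api.containerSecurityContext" . | trim }}` loses the re-indentation of the rendered block: `include` returns the multi-line output of `toYaml` unchanged and `trim` only strips surrounding whitespace, so only the first key inherits the literal indentation in front of the tag while every further line (a second key, or a nested `capabilities.drop` list) lands at column 0 and breaks the manifest. It does not show with the `{}` defaults, which is why a default `helm template` run would still pass. Use `{{- include "testkube-api.containerSecurityContext" . | nindent 12 }}` and `{{- include "testkube-api.podSecurityContext" . | nindent 8 }}` here, matching the nats partials in this same commit, which pipe the include through `nindent`. The same substitution appears in the minio.yaml, testkube-logs deployment.yaml, testkube-operator deployment.yaml, webhook-cert-create.yaml and webhook-cert-patch.yaml hunks and needs the same fix with their respective indent widths.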
--- a/charts/testkube-api/templates/minio.yaml
+++ b/charts/testkube-api/templates/minio.yaml
@@ -153,9 +153,9 @@ spec:
 resources: {{ toYaml .Values.minio.resources | nindent 12 }}
 {{- end }}
 securityContext:
- {{- toYaml .Values.minio.securityContext | nindent 12 }}
+ {{ include "minio.containerSecurityContext" . | trim }}
 securityContext:
- {{- toYaml .Values.minio.podSecurityContext | nindent 8 }}
+ {{ include "minio.podSecurityContext" . | trim }}
 {{- if .Values.minio.serviceAccountName }}
 serviceAccountName: {{ .Values.minio.serviceAccountName }}
 {{- end }}
diff --git a/charts/testkube-api/values.yaml b/charts/testkube-api/values.yaml
index 5f2517eac..378b4145c 100644
--- a/charts/testkube-api/values.yaml
+++ b/charts/testkube-api/values.yaml
@@ -25,6 +25,10 @@ global:
 additionalVolumes: []
 ## Additional volume mounts to be added to the Testkube API container and Test Jobs containers
 additionalVolumeMounts: []
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 features:
 logsV2: false
 whitelistedContainers: init,logs,scraper
diff --git a/charts/testkube-logs/templates/_helpers.tpl b/charts/testkube-logs/templates/_helpers.tpl
index 8142fae54..74c2e04a5 100644
--- a/charts/testkube-logs/templates/_helpers.tpl
+++ b/charts/testkube-logs/templates/_helpers.tpl
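Review bot: The comments on the new `containerSecurityContext` and `podSecurityContext` keys do not say how the global value interacts with the per-component ones, and the helpers in this commit make it a wholesale replacement rather than a merge: once `global.containerSecurityContext` is non-empty, the component's own `securityContext` (and `minio.securityContext`) is ignored entirely. An operator who sets only `runAsNonRoot: true` globally therefore silently drops any `readOnlyRootFilesystem` or `capabilities.drop` that a component value carried. Spell this out, e.g. `# -- Global security context for all containers; when non-empty it replaces (does not merge with) each component's own securityContext`, and the equivalent wording for pods. The values.yaml hunks for testkube-logs, testkube-operator, nats and the testkube umbrella chart carry the same comment and need the same wording; the umbrella one matters most, since `global.*` is visible to every subchart.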
@@ -95,3 +95,25 @@ Define Testkube Logs image
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-logs.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-logs.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-logs/templates/deployment.yaml b/charts/testkube-logs/templates/deployment.yaml
index b84af747a..fb3e3122d 100644
--- a/charts/testkube-logs/templates/deployment.yaml
+++ b/charts/testkube-logs/templates/deployment.yaml
@@ -164,7 +164,7 @@ spec:
 {{ include "global.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 | trim }}
 {{- end }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "testkube-logs.containerSecurityContext" . | trim }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
@@ -183,7 +183,7 @@ spec:
 readOnly: true
 {{- end }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-logs.podSecurityContext" . | trim }}
 {{- if .Values.tls.certSecret.enabled }}
 volumes:
 - name: {{ .Values.tls.certSecret.name }}
diff --git a/charts/testkube-logs/values.yaml b/charts/testkube-logs/values.yaml
index 3002a43f6..595f3cb5d 100644
--- a/charts/testkube-logs/values.yaml
+++ b/charts/testkube-logs/values.yaml
@@ -21,6 +21,10 @@ global:
 affinity: {}
 # -- Tolerations to add to all deployed pods
 tolerations: []
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 debug: true
diff --git a/charts/testkube-operator/templates/_helpers.tpl b/charts/testkube-operator/templates/_helpers.tpl
index 3f0c4dd06..2c054e7d1 100644
--- a/charts/testkube-operator/templates/_helpers.tpl
+++ b/charts/testkube-operator/templates/_helpers.tpl
@@ -127,3 +127,69 @@ Define testkube operator namespace
 {{- default .Release.Namespace }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-operator.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-operator.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define podSecurityContext for Webhook Cert Job
+*/}}
+{{- define "webhook.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.webhook.patch.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for migrate container
+*/}}
+{{- define "webhook.migrate.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.webhook.migrate.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for create cert secret container
+*/}}
+{{- define "webhook.create.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.webhook.patch.createSecretJob.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for patch container
+*/}}
+{{- define "webhook.patch.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
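Review bot: The six defines added here are one template repeated with a different fallback path, so any later correction (the `trim`/`nindent` handling in the callers, or a decision to merge global and local contexts instead of replacing) has to be applied six times in this file alone. A single helper that receives both values through `dict` produces the same output from one place; each call site then reads e.g. `{{ include "testkube-operator.securityContextFor" (dict "global" .Values.global.containerSecurityContext "local" .Values.webhook.migrate.securityContext) | nindent 12 }}`. The testkube-api and testkube-logs _helpers.tpl hunks have the same shape and could share the pattern. Separately, `{{- toYaml .Values.global.containerSecurityContext}}` is missing the space before `}}` that every other tag in these files has.
```helm
{{/*
Render a securityContext: the global value when it is non-empty, otherwise the component's own.
Call with (dict "global" <global map> "local" <component map>); the caller applies nindent.
*/}}
{{- define "testkube-operator.securityContextFor" -}}
{{- if .global }}
{{- toYaml .global }}
{{- else }}
{{- toYaml .local }}
{{- end }}
{{- end }}
```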
diff --git a/charts/testkube-operator/templates/deployment.yaml b/charts/testkube-operator/templates/deployment.yaml
index 58e5d3ef5..ef344d306 100644
--- a/charts/testkube-operator/templates/deployment.yaml
+++ b/charts/testkube-operator/templates/deployment.yaml
@@ -51,7 +51,7 @@ spec:
 - containerPort: 9443
 name: https
 securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ {{ include "testkube-operator.containerSecurityContext" . | trim }}
 - name: manager
 args:
 - --health-probe-bind-address=:{{ .Values.healthcheckPort }}
@@ -122,13 +122,13 @@ spec:
 resources: {{ toYaml .Values.resources | nindent 10 }}
 {{- end }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ {{ include "testkube-operator.containerSecurityContext" . | trim }}
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
 readOnly: true
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-operator.podSecurityContext" . | trim }}
 serviceAccountName: {{ include "testkube-operator.serviceAccountName" . }}
 terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 volumes:
diff --git a/charts/testkube-operator/templates/webhook-cert-create.yaml b/charts/testkube-operator/templates/webhook-cert-create.yaml
index fb7a4559a..03c2e1fe6 100644
--- a/charts/testkube-operator/templates/webhook-cert-create.yaml
+++ b/charts/testkube-operator/templates/webhook-cert-create.yaml
@@ -59,7 +59,8 @@ spec:
 - --namespace
 - {{ include "testkube-operator.namespace" . }}
 - --ignore-not-found
- securityContext: {{- toYaml .Values.webhook.migrate.securityContext | nindent 12 }}
+ securityContext:
+ {{ include "webhook.migrate.containerSecurityContext" . | trim }}
 {{- if .Values.webhook.migrate.resources }}
 resources: {{ toYaml .Values.webhook.migrate.resources | nindent 12 }}
 {{- end }}
@@ -82,16 +83,15 @@ spec:
 - tls.crt
 - --ca-name
 - ca.crt
- securityContext: {{- toYaml .Values.webhook.patch.createSecretJob.securityContext | nindent 12 }}
+ securityContext:
+ {{ include "webhook.create.containerSecurityContext" . | trim }}
 {{- if .Values.webhook.patch.createSecretJob.resources }}
 resources: {{ toYaml .Values.webhook.patch.createSecretJob.resources | nindent 12 }}
 {{- end }}
 restartPolicy: OnFailure
 serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
- {{- if .Values.webhook.patch.podSecurityContext }}
 securityContext:
- {{- toYaml .Values.webhook.patch.podSecurityContext | nindent 8 }}
- {{- end }}
+ {{ include "webhook.podSecurityContext" . | trim }}
 {{- if .Values.webhook.patch.affinity }}
 affinity:
 {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}
diff --git a/charts/testkube-operator/templates/webhook-cert-patch.yaml b/charts/testkube-operator/templates/webhook-cert-patch.yaml
index 04e9c9406..4a55accfc 100644
--- a/charts/testkube-operator/templates/webhook-cert-patch.yaml
+++ b/charts/testkube-operator/templates/webhook-cert-patch.yaml
@@ -63,16 +63,15 @@ spec:
 - --patch-mutating=false
 - --crd-api-groups
 - tests.testkube.io,executor.testkube.io
- securityContext: {{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext | nindent 12 }}
+ securityContext:
+ {{ include "webhook.patch.containerSecurityContext" . | trim }}
 {{- if .Values.webhook.patch.patchWebhookJob.resources }}
 resources: {{ toYaml .Values.webhook.patch.patchWebhookJob.resources | nindent 12 }}
 {{- end }}
 restartPolicy: Never
 serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
- {{- if .Values.webhook.patch.podSecurityContext }}
 securityContext:
- {{- toYaml .Values.webhook.patch.podSecurityContext | nindent 8 }}
- {{- end }}
+ {{ include "webhook.podSecurityContext" . | trim }}
 {{- if .Values.webhook.patch.affinity }}
 affinity:
 {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}
diff --git a/charts/testkube-operator/values.yaml b/charts/testkube-operator/values.yaml
index 55fee0a63..f24e10b8c 100644
--- a/charts/testkube-operator/values.yaml
+++ b/charts/testkube-operator/values.yaml
@@ -16,6 +16,10 @@ global:
 nodeSelector: {}
 affinity: {}
 tolerations: []
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 ### @section Common parameters
 ## Kubernetes version (using Helm capabilities if not set)
diff --git a/charts/testkube/Chart.yaml b/charts/testkube/Chart.yaml
index 0765f139a..fd682b8b8 100644
--- a/charts/testkube/Chart.yaml
+++ b/charts/testkube/Chart.yaml
@@ -15,7 +15,7 @@ dependencies:
 repository: https://charts.bitnami.com/bitnami
 - name: nats
 condition: testkube-api.nats.enabled
- version: 1.2.6-1
+ version: 1.2.6-2
 repository: "file://./charts/nats"
 - name: testkube-api
 version: 2.1.60
diff --git a/charts/testkube/charts/nats/Chart.yaml b/charts/testkube/charts/nats/Chart.yaml
index 87361de0b..8a10ffc6d 100644
--- a/charts/testkube/charts/nats/Chart.yaml
+++ b/charts/testkube/charts/nats/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 1.2.6-1
+version: 1.2.6-2
 home: http://github.com/nats-io/k8s
 maintainers:
 - email: info@nats.io
diff --git a/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml b/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml
index aa1753b4b..ff0caf8ff 100644
--- a/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml
+++ b/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml
@@ -44,3 +44,6 @@ volumeMounts:
 - name: {{ .name | quote }}
 mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
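Review bot: The added `# securityContext` comment only restates the key on the line below it; drop it here and in the nats-container.yaml hunk, which adds the same pair, and use the blank separator line that the pod-template, prom-exporter and reloader hunks in this commit use instead. The `nindent 6` under a column-0 `securityContext:` key renders a six-space nesting that is valid YAML but, as far as this collapsed view allows one to tell, deeper than the nesting the rest of these partials use; confirm against the file and, if the partials nest by two, `{{- include "nats.containerSecurityContext" $ | nindent 2 }}` reads consistently.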
diff --git a/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml b/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml
index ff904bf6c..eca5a3e40 100644
--- a/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml
+++ b/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml
@@ -42,3 +42,6 @@ spec:
 secret:
 secretName: {{ .secretName | quote }}
 {{- end }}
+
+ securityContext:
+ {{- include "nats.podSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml b/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml
index c5402efea..f87562842 100644
--- a/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml
@@ -104,3 +104,6 @@ volumeMounts:
 - name: {{ .name | quote }}
 mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml b/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml
index 1d3ea6431..2ecfd8fe6 100644
--- a/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml
@@ -69,3 +69,6 @@ spec:
 - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
 {{- end }}
 {{- end}}
+
+ securityContext:
+ {{- include "nats.podSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml b/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml
index c3e1b6fbe..84d19ec70 100644
--- a/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml
@@ -28,3 +28,6 @@ args:
 - -gatewayz
 {{- end }}
 - http://localhost:{{ .Values.config.monitor.port }}/
+
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml b/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml
index 96722045f..dd4a55fbb 100644
--- a/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml
@@ -25,3 +25,6 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/templates/_helpers.tpl b/charts/testkube/charts/nats/templates/_helpers.tpl
index ba0a51c56..611ad8918 100644
--- a/charts/testkube/charts/nats/templates/_helpers.tpl
+++ b/charts/testkube/charts/nats/templates/_helpers.tpl
@@ -280,3 +280,25 @@ output: string with following format rules
 "${1}") -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "nats.podSecurityContext" -}}
+{{- with .Values.global.podSecurityContext }}
+{{ toYaml . }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "nats.containerSecurityContext" -}}
+{{- with .Values.global.containerSecurityContext }}
+{{- toYaml . }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/values.yaml b/charts/testkube/charts/nats/values.yaml
index 15745ab7b..107ad4f95 100644
--- a/charts/testkube/charts/nats/values.yaml
+++ b/charts/testkube/charts/nats/values.yaml
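Review bot: The fallback branches read `.Values.podSecurityContext` and `.Values.containerSecurityContext`, but the nats values.yaml hunk in this commit adds only the `global.*` keys; if the chart does not already declare the top-level ones, `toYaml` of the missing value renders `null`, so every nats pod and container gets `securityContext: null` — accepted by Kubernetes as unset, but it reads as a misconfiguration and is indistinguishable from a typo in the values path. Either declare `podSecurityContext: {}` and `containerSecurityContext: {}` at the top level of the nats values.yaml, or guard the fallbacks with `{{ toYaml (default (dict) .Values.podSecurityContext) }}` and `{{- toYaml (default (dict) .Values.containerSecurityContext) }}`. The `with`/`else` form here also differs from the `if`/`else` the sibling charts' helpers use for the same decision; both behave the same on an empty map, but one style across the commit is easier to maintain.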
@@ -17,6 +17,10 @@ global:
 # global labels will be applied to all resources deployed by the chart
 labels: {}
+ # -- Security Context for all pods
+ podSecurityContext: {}
+ # -- Security Context for all containers
+ containerSecurityContext: {}
 ################################################################################
 # Common options
diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
index 9e0bceaa5..b874b1199 100644
--- a/charts/testkube/values.yaml
+++ b/charts/testkube/values.yaml
@@ -44,6 +44,10 @@ global:
 additionalVolumes: []
 # -- Additional volume mounts to be added to the Testkube API container and Test Jobs containers
 additionalVolumeMounts: []
+ # -- Security Context for all pods
+ podSecurityContext: {}
+ # -- Security Context for all containers
+ containerSecurityContext: {}
 # -- Test Workflows configuration
 testWorkflows:
 # -- Create TestWorkflowTemplates to easily use the service account