From cb3822187d68ec066768e297e8621317acb2d79c Mon Sep 17 00:00:00 2001 From: jessebot Date: Fri, 26 Jul 2024 13:13:39 +0200 Subject: [PATCH] Add metrics.securityContext and metrics.podSecurityContext Signed-off-by: jessebot
---
charts/nextcloud/Chart.yaml | 2 +- .../nextcloud/templates/metrics/deployment.yaml | 9 +++++++-- charts/nextcloud/values.yaml | 15 +++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
index ec72c02c..a40cd088 100644
--- a/charts/nextcloud/Chart.yaml
+++ b/charts/nextcloud/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nextcloud
-version: 5.4.0
+version: 5.5.0
 appVersion: 29.0.4
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:
diff --git a/charts/nextcloud/templates/metrics/deployment.yaml b/charts/nextcloud/templates/metrics/deployment.yaml
index 27dae552..e40f0eab 100644
--- a/charts/nextcloud/templates/metrics/deployment.yaml
+++ b/charts/nextcloud/templates/metrics/deployment.yaml
@@ -79,7 +79,12 @@ spec:
 resources:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.metrics.securityContext }}
 securityContext:
- runAsUser: 1000
- runAsNonRoot: true
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.metrics.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml
index 2d2d5d40..301ef9ea 100644
--- a/charts/nextcloud/values.yaml
+++ b/charts/nextcloud/values.yaml
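Review bot: The second `securityContext:` added for `.Values.metrics.podSecurityContext` is rendered with the same `nindent 12` as the container block directly above it, so it appears to land in the container mapping rather than on the pod spec (the indentation is not visible in this view, so this is inferred). If so, setting both values produces duplicate `securityContext` keys, which is either a render error or last-wins, and pod-only fields such as `fsGroup` would be sent to a container field that does not accept them. Consider moving the block to the pod spec, next to `containers:`, and changing its body to `{{- toYaml . | nindent N }}` with N matching that level. The container spec this hunk edits starts before the hunk.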
@@ -645,6 +645,21 @@ metrics: prometheus.io/port: "9205" labels: {} + # security context for the metrics CONTAINER in the pod + securityContext: + runAsUser: 1000 + runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + + # security context for the metrics POD + podSecurityContext: {} + # runAsNonRoot: true + # seccompProfile: + # type: RuntimeDefault + ## Prometheus Operator ServiceMonitor configuration ## serviceMonitor:
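Review bot: The defaults leave `allowPrivilegeEscalation: false` and the `capabilities` drop of `ALL` commented out, so a default install of the metrics container is no more restricted than the two hard-coded fields it replaces. The exporter is annotated with the unprivileged port 9205 in the context lines, so enabling both by default looks safe, though that should be confirmed against the exporter image. It would also help to add a comment such as `# overrides are merged with these defaults; set a key to null to remove it`, since a partial override still inherits `runAsUser: 1000`. The `metrics:` block starts and ends outside the hunk.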