Merge pull request #34 from MaikuMori/modify-security-context

Adjust default security context based on deployment context
MaikuMori · Jun 2, 2024 · 4a56154 · 4a56154
2 parents 40957c8 + d5b3220
commit 4a56154
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 9 deletions.
diff --git a/charts/gotenberg/CHANGELOG.md b/charts/gotenberg/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.3.0
+
+- Add `securityContext` compatibility with OpenShift platform. (Thanks to Jonas Geiler | [@jonasgeiler](https://github.com/jonasgeiler))
+- Bump `gotenberg` version `8.5.0` -> `8.5.1`.
+
 ## 1.2.0
 
 - Bump `gotenberg` version `8.1.0` -> `8.5.0`.

diff --git a/charts/gotenberg/Chart.yaml b/charts/gotenberg/Chart.yaml
@@ -16,13 +16,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.2.0"
+version: "1.3.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "8.5.0"
+appVersion: "8.5.1"
 
 keywords:
   - gotenberg

diff --git a/charts/gotenberg/README.md b/charts/gotenberg/README.md
@@ -1,7 +1,7 @@
 # Gotenberg
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/gotenberg)](https://artifacthub.io/packages/helm/maikumori/gotenberg)
-![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.5.0](https://img.shields.io/badge/AppVersion-8.5.0-informational?style=flat-square)
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.5.1](https://img.shields.io/badge/AppVersion-8.5.1-informational?style=flat-square)
 
 This is a HELM chart for Gotenberg.
 
@@ -110,8 +110,7 @@ helm upgrade my-release maikumori/gotenberg --install
 | prometheus.namespace | string | `""` | Set the namespace of modules' metrics (default "gotenberg") |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
-| securityContext.privileged | bool | `false` |  |
-| securityContext.runAsUser | int | `1001` |  |
+| securityContext | object | `{ privileged: false, runAsUser: 1001 }`, except in OpenShift where `runAsUser` is not set. | Define the security context for the container. By default will use upstream recommended values. |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

diff --git a/charts/gotenberg/templates/_helpers.tpl b/charts/gotenberg/templates/_helpers.tpl
@@ -60,3 +60,25 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create a security context
+
+If .Values.securityContext is set, use it. Otherwise, use the defaults.
+
+Defaults:
+If we detect OpenShift, we remove the "runAsUser", fsGroup, "runAsGroup" fields since they're not supported.
+And apply recommended settings from upstream project.
+*/}}
+{{- define "gotenberg.securityContext" -}}
+{{- if .Values.securityContext }}
+{{- toYaml .Values.securityContext }}
+{{- else}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+privileged: false
+{{- else -}}
+privileged: false
+runAsUser: 1001
+{{- end}}
+{{- end}}
+{{- end}}
diff --git a/charts/gotenberg/templates/deployment.yaml b/charts/gotenberg/templates/deployment.yaml
@@ -32,8 +32,8 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          securityContext: 
+            {{- include "gotenberg.securityContext" . | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:

diff --git a/charts/gotenberg/values.yaml b/charts/gotenberg/values.yaml
@@ -32,9 +32,10 @@ podSecurityContext:
   {}
   # fsGroup: 2000
 
+# -- Define the security context for the container. By default will use upstream recommended values.
+# @default -- `{ privileged: false, runAsUser: 1001 }`, except in OpenShift where `runAsUser` is not set.
 securityContext:
-  privileged: false
-  runAsUser: 1001
+  {}
 
 service:
   type: ClusterIP