[FIX] override security context capabilities in values.yaml

Add missing helm-toolkit snippet for ingress-errors container Change-Id: I9c7ec6b71a1d026257c2a1f76e18a3e3be8e244d
2020-07-20 22:27:47 -05:00 · 2020-07-20 22:27:47 -05:00 · 926dadfbf4
parent 20c6e525ea
commit 926dadfbf4
4 changed files with 18 additions and 19 deletions
--- a/charts/maas/templates/deployment-ingress-errors.yaml
+++ b/charts/maas/templates/deployment-ingress-errors.yaml
@ -50,6 +50,7 @@ spec:
          image: {{ .Values.images.tags.error_pages }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          args:
            - "-port"
            - {{ tuple "maas_ingress" "podport" "error_pages" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@ -65,6 +65,7 @@ spec:
          image: {{ .Values.images.tags.maas_rack }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
          tty: true
+{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: MAAS_ENDPOINT
 {{- if empty .Values.conf.maas.url.maas_url }}
@ -83,18 +84,8 @@ spec:
                  name: {{ .Values.conf.maas.credentials.secret.name }}
                  key: 'token'
 {{ tuple $envAll $envAll.Values.pod.resources.maas_rack | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "rack" "container" "maas_rack" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/start.sh
-          securityContext:
-            capabilities:
-              add:
-                - 'DAC_READ_SEARCH'
-                - 'NET_ADMIN'
-                - 'SYS_ADMIN'
-                - 'SYS_PTRACE'
-                - 'SYS_RESOURCE'
-                - 'SYS_TIME'
          readinessProbe:
            initialDelaySeconds: 60
            periodSeconds: 60
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@ -105,15 +105,6 @@ spec:
          readinessProbe:
            tcpSocket:
              port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-          securityContext:
-            capabilities:
-              add:
-                - 'SYS_ADMIN'
-                - 'NET_ADMIN'
-                - 'SYS_PTRACE'
-                - 'SYS_TIME'
-                - 'SYS_RESOURCE'
-                - 'DAC_READ_SEARCH'
          command:
            - /tmp/start.sh
          volumeMounts:
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@ -411,6 +411,14 @@ pod:
      container:
        maas_rack:
          readOnlyRootFilesystem: false
+          capabilities:
+            add:
+              - 'DAC_READ_SEARCH'
+              - 'NET_ADMIN'
+              - 'SYS_ADMIN'
+              - 'SYS_PTRACE'
+              - 'SYS_RESOURCE'
+              - 'SYS_TIME'
    region:
      pod:
        runAsUser: 0
@ -419,6 +427,14 @@ pod:
          readOnlyRootFilesystem: false
        maas_region:
          readOnlyRootFilesystem: false
+          capabilities:
+            add:
+              - 'SYS_ADMIN'
+              - 'NET_ADMIN'
+              - 'SYS_PTRACE'
+              - 'SYS_TIME'
+              - 'SYS_RESOURCE'
+              - 'DAC_READ_SEARCH'
    api_test:
      pod:
        runAsUser: 0