From 9ec291015172d7777bf1628182e2fa190c9c16e9 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Fri, 15 Feb 2019 20:16:29 -0600
Subject: [PATCH] HTK: Refactor kubernetes security_context macro(s) to allow scoping

This PS updates the kubernetes_pod_security_context snippet, and adds a macro for container securityContexts 'kubernetes_container_security_context.

Change-Id: I8b9c7b72f836efaf6c9dc3ad20fd8462b0d06d77
Signed-off-by: Pete Birley
---
 ..._kubernetes_container_security_context.tpl | 50 ++++++++++++++++
 .../_kubernetes_pod_security_context.tpl | 57 ++++++++++++-------
 2 files changed, 88 insertions(+), 19 deletions(-)
 create mode 100644 helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl

diff --git a/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 000000000..27b8ac0a2
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
index fbf48d6d5..386553ef4 100644
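Review bot: The guard `{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}` wraps the map in an `index` call with no keys, which returns the map itself; `{{- if hasKey $envAll.Values.pod.security_context $application }}` reads the same and matches the line above it. The abstract should also say what happens when any key in the chain is absent: the macro emits nothing, so a container with no `security_context.<app>.container.<name>` entry gets the Kubernetes defaults rather than a hardened baseline — I'd add `If no entry is found for the container, nothing is rendered; there is no default securityContext.` to the abstract. If I read text/template's nil handling correctly, an application that defines only a `pod` sub-key makes `index ... "container"` return nil and `hasKey` then evaluates to false rather than erroring, which is the intended behaviour but not obvious from the line and deserves a one-line comment. Note also that the rendered block is the values map verbatim, so any policy on which fields are permitted has to live with whatever validates values, not in this macro.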
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -17,34 +17,53 @@ limitations under the License.
 {{/*
 abstract: |
 Renders securityContext for a Kubernetes pod.
-values: |
- pod:
- user:
- myApp:
- uid: 34356
- security_context:
- myApp:
- readOnlyRootFilesystem: true
- seLinuxOptions:
- level: "s0:c123,c456"
-usage: |
- {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
-return: |
- securityContext:
- runAsUser: 34356
- readOnlyRootFilesystem: true
- seLinuxOptions:
- level: s0:c123,c456
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
 */}}
 
 {{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $application := index . "application" -}}
 securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
 runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
 {{- if hasKey $envAll.Values.pod "security_context" }}
 {{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
-{{ toYaml ( index $envAll.Values.pod.security_context $application ) | indent 2 }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
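Review bot: The new `{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}` line has no `hasKey ... "pod"` guard, unlike the `user`/`uid` chain the same hunk adds a few lines above. For an application whose `security_context.<app>` map has no `pod` sub-key — which is exactly the shape of every values file written against the removed flat layout — `index` yields nil, and if I read toYaml right that renders as `securityContext:` followed by `null`, so pod-level hardening such as `runAsNonRoot` silently disappears instead of the render failing. I'd wrap the line in `{{- if hasKey ( index $envAll.Values.pod.security_context $application ) "pod" }}` … `{{- end -}}` and state in the abstract that the old flat layout is no longer honoured, so chart owners know to migrate. The added abstract line also has a typo: `seurity context` should read `security context`.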