Merge pull request #208 from LeoColomb/fix/values-1

Streamline rendering for security contexts
netbox-community · May 13, 2024 · aabfead · aabfead
2 parents 3165419 + d6ade5e
commit aabfead
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 20 deletions.
diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: netbox
-version: 5.0.0-beta10
+version: 5.0.0-beta11
 appVersion: "v4.0.0"
 type: application
 kubeVersion: ^1.25.0-0

diff --git a/charts/netbox/templates/cronjob.yaml b/charts/netbox/templates/cronjob.yaml
@@ -36,16 +36,18 @@ spec:
           {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) | nindent 6 }}
           serviceAccountName: {{ include "netbox.serviceAccountName" . }}
           automountServiceAccountToken: {{ .Values.housekeeping.automountServiceAccountToken }}
-          securityContext:
-            {{- toYaml .Values.housekeeping.podSecurityContext | nindent 12 }}
+          {{- if .Values.housekeeping.podSecurityContext.enabled }}
+          securityContext: {{- omit .Values.housekeeping.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           {{- with .Values.housekeeping.initContainers }}
           initContainers:
           {{- toYaml . | nindent 10 }}
           {{- end }}
           containers:
           - name: {{ .Chart.Name }}-housekeeping
-            securityContext:
-              {{- toYaml .Values.housekeeping.securityContext | nindent 14 }}
+            {{- if .Values.housekeeping.securityContext.enabled }}
+            securityContext: {{- omit .Values.housekeeping.securityContext "enabled" | toYaml | nindent 14 }}
+            {{- end }}
             image: {{ include "netbox.image" . | quote }}
             command:
             - /opt/netbox/venv/bin/python

diff --git a/charts/netbox/templates/deployment.yaml b/charts/netbox/templates/deployment.yaml
@@ -53,7 +53,9 @@ spec:
         {{- else if ne .Values.init.resourcesPreset "none" }}
         resources: {{- include "common.resources.preset" (dict "type" .Values.init.resourcesPreset) | nindent 10 }}
         {{- end }}
-        securityContext: {{- .Values.init.securityContext | toYaml | nindent 10 }}
+        {{- if .Values.init.securityContext.enabled }}
+        securityContext: {{- omit .Values.init.securityContext "enabled" | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: optunit
           mountPath: /opt/unit

diff --git a/charts/netbox/templates/tests/test-connection.yaml b/charts/netbox/templates/tests/test-connection.yaml
@@ -17,4 +17,7 @@ spec:
     resources:
       {{- toYaml .Values.test.resources | nindent 6 }}
     {{- end }}
+    {{- if .Values.test.securityContext.enabled }}
+    securityContext: {{- omit .Values.test.securityContext "enabled" | toYaml | nindent 12 }}
+    {{- end }}
   restartPolicy: Never
diff --git a/charts/netbox/templates/worker-deployment.yaml b/charts/netbox/templates/worker-deployment.yaml
@@ -44,16 +44,18 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "netbox.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.worker.automountServiceAccountToken }}
-      securityContext:
-        {{- toYaml .Values.worker.podSecurityContext | nindent 8 }}
+      {{- if .Values.worker.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.worker.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       {{- with .Values.worker.initContainers }}
       initContainers:
       {{- toYaml . | nindent 6 }}
       {{- end }}
       containers:
       - name: {{ .Chart.Name }}-worker
-        securityContext:
-          {{- toYaml .Values.worker.securityContext | nindent 10 }}
+        {{- if .Values.worker.securityContext.enabled }}
+        securityContext: {{- omit .Values.worker.securityContext "enabled" | toYaml | nindent 10 }}
+        {{- end }}
         image: {{ include "netbox.image" . | quote }}
         command:
         - /opt/netbox/venv/bin/python

diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml
@@ -679,16 +679,16 @@ podSecurityContext:
   fsGroup: 1000
 ## Configure Container Security Context (only main container)
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-## @param containerSecurityContext.enabled Enabled containers' Security Context
-## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
-## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
-## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
-## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
-## @param containerSecurityContext.privileged Set container's Security Context privileged
-## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
-## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
-## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
-## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+## @param securityContext.enabled Enabled containers' Security Context
+## @param securityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+## @param securityContext.runAsUser Set containers' Security Context runAsUser
+## @param securityContext.runAsGroup Set containers' Security Context runAsGroup
+## @param securityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+## @param securityContext.privileged Set container's Security Context privileged
+## @param securityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+## @param securityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+## @param securityContext.capabilities.drop List of capabilities to be dropped
+## @param securityContext.seccompProfile.type Set container's Security Context seccomp profile
 ##
 securityContext:
   enabled: true
@@ -990,13 +990,15 @@ init:
   ## Init container' Security Context
   ## Note: the chown of the data folder is done to securityContext.runAsUser
   ## and not the below init.securityContext.runAsUser
+  ## @param init.securityContext.enabled Enabled containers' Security Context
   ## @param init.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container
   ## @param init.securityContext.runAsUser User ID for the init container
   ## @param init.securityContext.runAsGroup Group ID for the init container
   ## @param init.securityContext.runAsNonRoot runAsNonRoot for the init container
   ## @param init.securityContext.seccompProfile.type seccompProfile.type for the init container
   ##
   securityContext:
+    enabled: true
     seLinuxOptions: {}
     seccompProfile:
       type: RuntimeDefault
@@ -1055,13 +1057,15 @@ test:
   ## test container' Security Context
   ## Note: the chown of the data folder is done to securityContext.runAsUser
   ## and not the below test.securityContext.runAsUser
+  ## @param test.securityContext.enabled Enabled containers' Security Context
   ## @param test.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container
   ## @param test.securityContext.runAsUser User ID for the test container
   ## @param test.securityContext.runAsGroup Group ID for the test container
   ## @param test.securityContext.runAsNonRoot runAsNonRoot for the test container
   ## @param test.securityContext.seccompProfile.type seccompProfile.type for the test container
   ##
   securityContext:
+    enabled: false
     seLinuxOptions: {}
     seccompProfile:
       type: RuntimeDefault