fix(securityContext): add missing securityContext for certSselfSigner…

… jobs
Orbitalize · Apr 3, 2023 · a3b6625 · a3b6625
1 parent e5baadb
commit a3b6625
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/build/templates/values.yaml b/build/templates/values.yaml
@@ -462,6 +462,9 @@ tls:
     selfSigner:
       # If set, the cockroach db will generate its own certificates
       enabled: true
+      # Run selfSigner as non-root
+      securityContext:
+        enabled: true
       # If set, the user should provide the CA certificate to sign other certificates.
       caProvided: false
       # It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.

diff --git a/cockroachdb/templates/job-certSelfSigner.yaml b/cockroachdb/templates/job-certSelfSigner.yaml
@@ -25,6 +25,15 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     spec:
+    {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
+    {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+      securityContext:
+        runAsGroup: 1000
+        runAsUser: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
+    {{- end }}
+    {{- end }}
       restartPolicy: Never
       containers:
         - name: cert-generate-job

diff --git a/cockroachdb/templates/job-cleaner.yaml b/cockroachdb/templates/job-cleaner.yaml
@@ -25,6 +25,15 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     spec:
+    {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
+    {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+      securityContext:
+        runAsGroup: 1000
+        runAsUser: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
+    {{- end }}
+    {{- end }}
       restartPolicy: Never
       containers:
         - name: cleaner

diff --git a/cockroachdb/values.yaml b/cockroachdb/values.yaml
@@ -463,6 +463,9 @@ tls:
     selfSigner:
       # If set, the cockroach db will generate its own certificates
       enabled: true
+      # Run selfSigner as non-root
+      securityContext:
+        enabled: true
       # If set, the user should provide the CA certificate to sign other certificates.
       caProvided: false
       # It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.