diff --git a/cockroachdb/templates/job.init.yaml b/cockroachdb/templates/job.init.yaml index 144c609a..907e72e3 100644 --- a/cockroachdb/templates/job.init.yaml +++ b/cockroachdb/templates/job.init.yaml @@ -37,6 +37,15 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} + {{- if and .Values.init.securityContext.enabled }} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + fsGroup: 1000 + runAsNonRoot: true + {{- end }} + {{- end }} restartPolicy: OnFailure terminationGracePeriodSeconds: 0 {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} @@ -52,14 +61,6 @@ spec: serviceAccountName: {{ template "cockroachdb.tls.serviceAccount.name" . }} initContainers: - name: copy-certs - {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} - {{- if and .Values.init.securityContext.enabled }} - securityContext: - runAsGroup: 1000 - runAsUser: 1000 - runAsNonRoot: true - {{- end }} - {{- end }} image: {{ .Values.tls.copyCerts.image | quote }} imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} command: @@ -91,14 +92,6 @@ spec: {{- end }} containers: - name: cluster-init - {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} - {{- if and .Values.init.securityContext.enabled }} - securityContext: - runAsGroup: 1000 - runAsUser: 1000 - runAsNonRoot: true - {{- end }} - {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy | quote }} # Run the command in an `while true` loop because this Job is bound