diff --git a/charts/testkube-api/templates/_helpers.tpl b/charts/testkube-api/templates/_helpers.tpl
index 3b1e9e8cd..358bf8a70 100644
--- a/charts/testkube-api/templates/_helpers.tpl
+++ b/charts/testkube-api/templates/_helpers.tpl
@@ -407,3 +407,47 @@ Define TESTKUBE_WATCHER_NAMESPACES variable
 {{- printf "" }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-api.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-api.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext }}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define podSecurityContext for MinIo
+*/}}
+{{- define "minio.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.minio.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for MinIo
+*/}}
+{{- define "minio.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext }}
+{{- else }}
+{{- toYaml .Values.minio.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml
index b5b911477..27e8298e8 100644
--- a/charts/testkube-api/templates/deployment.yaml
+++ b/charts/testkube-api/templates/deployment.yaml
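Review bot: Every helper in this hunk treats `global.*SecurityContext` as a wholesale replacement rather than an overlay: once a user sets, say, `global.containerSecurityContext: {runAsNonRoot: true}`, the `else` branch is never reached and whatever `.Values.securityContext` or `.Values.minio.securityContext` carried (e.g. `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem`, `capabilities.drop`) silently disappears from the rendered manifests, so a value meant to tighten can loosen. If an overlay is the intent, layer the global on top of the component default, e.g. `{{- toYaml (mergeOverwrite (deepCopy (.Values.securityContext | default dict)) (.Values.global.containerSecurityContext | default dict)) }}` (`deepCopy` because `mergeOverwrite` mutates its first argument), and likewise in the three sibling helpers. If replacement is the intent, state it in each helper's comment, e.g. `Global value replaces (does not merge with) the component securityContext`. The `default dict` also stops `toYaml` rendering `null` when a fallback key is absent from values.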
@@ -288,10 +288,8 @@ spec:
 {{- with .Values.global.volumes.additionalVolumeMounts }}
 {{- toYaml . | nindent 12 -}}
 {{- end }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ securityContext: {{ include "testkube-api.containerSecurityContext" . | nindent 12 }}
+ securityContext: {{ include "testkube-api.podSecurityContext" . | nindent 8 }}
 volumes:
 - name: testkube-tmp
 emptyDir: {}
diff --git a/charts/testkube-api/templates/minio.yaml b/charts/testkube-api/templates/minio.yaml
index 299a903ac..2bb354b30 100644
--- a/charts/testkube-api/templates/minio.yaml
+++ b/charts/testkube-api/templates/minio.yaml
@@ -152,10 +152,8 @@ spec:
 {{- if .Values.minio.resources }}
 resources: {{ toYaml .Values.minio.resources | nindent 12 }}
 {{- end }}
- securityContext:
- {{- toYaml .Values.minio.securityContext | nindent 12 }}
- securityContext:
- {{- toYaml .Values.minio.podSecurityContext | nindent 8 }}
+ securityContext: {{ include "minio.containerSecurityContext" . | nindent 12 }}
+ securityContext: {{ include "minio.podSecurityContext" . | nindent 8 }}
 {{- if .Values.minio.serviceAccountName }}
 serviceAccountName: {{ .Values.minio.serviceAccountName }}
 {{- end }}
diff --git a/charts/testkube-api/values.yaml b/charts/testkube-api/values.yaml
index 5f2517eac..378b4145c 100644
--- a/charts/testkube-api/values.yaml
+++ b/charts/testkube-api/values.yaml
@@ -25,6 +25,10 @@ global:
 additionalVolumes: []
 ## Additional volume mounts to be added to the Testkube API container and Test Jobs containers
 additionalVolumeMounts: []
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 features:
 logsV2: false
 whitelistedContainers: init,logs,scraper
diff --git a/charts/testkube-logs/templates/_helpers.tpl b/charts/testkube-logs/templates/_helpers.tpl
index 8142fae54..6d838528e 100644
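Review bot: The comments on the new `global.containerSecurityContext` / `global.podSecurityContext` keys do not say what happens when both a global and a per-component value are set; the helpers introduced in this commit take the global and ignore the component value entirely, which matters for the API container and MinIO, whose own `securityContext` defaults stop rendering the moment a global is non-empty. Spell that out where users will read it: `# -- Global security context for all containers; when non-empty it replaces (does not merge with) each component's securityContext`, and the equivalent on the pod key. The same wording belongs on the identical keys added to the testkube-logs, testkube-operator, nats and umbrella values files.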
--- a/charts/testkube-logs/templates/_helpers.tpl
+++ b/charts/testkube-logs/templates/_helpers.tpl
@@ -95,3 +95,25 @@ Define Testkube Logs image
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-logs.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-logs.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext }}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-logs/templates/deployment.yaml b/charts/testkube-logs/templates/deployment.yaml
index b84af747a..ec52eeb2e 100644
--- a/charts/testkube-logs/templates/deployment.yaml
+++ b/charts/testkube-logs/templates/deployment.yaml
@@ -163,8 +163,7 @@ spec:
 {{- if .Values.extraEnvVars }}
 {{ include "global.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 | trim }}
 {{- end }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ securityContext: {{ include "testkube-logs.containerSecurityContext" . | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
@@ -182,8 +181,7 @@ spec:
 name: {{ .Values.tls.certSecret.name }}
 readOnly: true
 {{- end }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ securityContext: {{ include "testkube-logs.podSecurityContext" . | nindent 8 }}
 {{- if .Values.tls.certSecret.enabled }}
 volumes:
 - name: {{ .Values.tls.certSecret.name }}
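Review bot: The two helpers handle whitespace differently for no functional reason: `testkube-logs.podSecurityContext` emits `{{ toYaml ... }}` without a left trim, so its output begins with the line break kept after the `if`/`else` `}}`, and deployment.yaml's `nindent 8` then renders a whitespace-only line under `securityContext:`, whereas `testkube-logs.containerSecurityContext` uses `{{- toYaml ... }}` and does not. YAML parsers ignore the blank line, but use `{{- toYaml .Values.global.podSecurityContext }}` and `{{- toYaml .Values.podSecurityContext }}` in both branches so the helpers read alike and `helm template` output diffs cleanly. The same asymmetry is copied into the testkube-api, testkube-operator and nats helpers in this commit.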
diff --git a/charts/testkube-logs/values.yaml b/charts/testkube-logs/values.yaml
index 3002a43f6..595f3cb5d 100644
--- a/charts/testkube-logs/values.yaml
+++ b/charts/testkube-logs/values.yaml
@@ -21,6 +21,10 @@ global:
 affinity: {}
 # -- Tolerations to add to all deployed pods
 tolerations: []
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 debug: true
diff --git a/charts/testkube-operator/templates/_helpers.tpl b/charts/testkube-operator/templates/_helpers.tpl
index 3f0c4dd06..63bea589c 100644
--- a/charts/testkube-operator/templates/_helpers.tpl
+++ b/charts/testkube-operator/templates/_helpers.tpl
@@ -127,3 +127,69 @@ Define testkube operator namespace
 {{- default .Release.Namespace }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-operator.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-operator.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define podSecurityContext for Webhook Cert Job
+*/}}
+{{- define "webhook.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.webhook.patch.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for migrate container
+*/}}
+{{- define "webhook.migrate.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext }}
+{{- else }}
+{{- toYaml .Values.webhook.migrate.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for create cert secret container
+*/}}
+{{- define "webhook.create.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext }}
+{{- else }}
+{{- toYaml .Values.webhook.patch.createSecretJob.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for patch container
+*/}}
+{{- define "webhook.patch.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext }}
+{{- else }}
+{{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
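Review bot: `{{- toYaml .Values.global.containerSecurityContext}}` in `testkube-operator.containerSecurityContext` is missing the space before `}}` that every other helper in this hunk has; Go templates accept it, but it reads as a typo and should be `{{- toYaml .Values.global.containerSecurityContext }}`. More substantively, one `global.containerSecurityContext` now drives five differently-purposed containers (kube-rbac-proxy and manager in the Deployment, plus the migrate, create-secret and patch job containers), each of which previously had its own values key, and because the `if` takes the global wholesale any per-container setting — a distinct `runAsUser` for the cert jobs, a `capabilities.drop` on the manager — is discarded rather than combined. Either overlay the global on the per-container value in each `if` branch (`mergeOverwrite (deepCopy <component> ) .Values.global.containerSecurityContext`) or state in each helper comment that the global replaces the per-container value, so operators hardening one chart-wide value know what they are giving up.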
diff --git a/charts/testkube-operator/templates/deployment.yaml b/charts/testkube-operator/templates/deployment.yaml
index 58e5d3ef5..18a287848 100644
--- a/charts/testkube-operator/templates/deployment.yaml
+++ b/charts/testkube-operator/templates/deployment.yaml
@@ -50,8 +50,7 @@ spec:
 ports:
 - containerPort: 9443
 name: https
- securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ securityContext: {{ include "testkube-operator.containerSecurityContext" . | nindent 10 }}
 - name: manager
 args:
 - --health-probe-bind-address=:{{ .Values.healthcheckPort }}
@@ -121,14 +120,12 @@ spec:
 {{- if .Values.resources }}
 resources: {{ toYaml .Values.resources | nindent 10 }}
 {{- end }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ securityContext: {{ include "testkube-operator.containerSecurityContext" . | nindent 10 }}
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
 readOnly: true
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ securityContext: {{ include "testkube-operator.podSecurityContext" . | nindent 8 }}
 serviceAccountName: {{ include "testkube-operator.serviceAccountName" . }}
 terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 volumes:
diff --git a/charts/testkube-operator/templates/webhook-cert-create.yaml b/charts/testkube-operator/templates/webhook-cert-create.yaml
index fb7a4559a..524938a16 100644
--- a/charts/testkube-operator/templates/webhook-cert-create.yaml
+++ b/charts/testkube-operator/templates/webhook-cert-create.yaml
@@ -59,7 +59,7 @@ spec:
 - --namespace
 - {{ include "testkube-operator.namespace" . }}
 - --ignore-not-found
- securityContext: {{- toYaml .Values.webhook.migrate.securityContext | nindent 12 }}
+ securityContext: {{ include "webhook.migrate.containerSecurityContext" . | nindent 12 }}
 {{- if .Values.webhook.migrate.resources }}
 resources: {{ toYaml .Values.webhook.migrate.resources | nindent 12 }}
 {{- end }}
@@ -82,16 +82,13 @@ spec:
 - tls.crt
 - --ca-name
 - ca.crt
- securityContext: {{- toYaml .Values.webhook.patch.createSecretJob.securityContext | nindent 12 }}
+ securityContext: {{ include "webhook.create.containerSecurityContext" . | nindent 12 }}
 {{- if .Values.webhook.patch.createSecretJob.resources }}
 resources: {{ toYaml .Values.webhook.patch.createSecretJob.resources | nindent 12 }}
 {{- end }}
 restartPolicy: OnFailure
 serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
- {{- if .Values.webhook.patch.podSecurityContext }}
- securityContext:
- {{- toYaml .Values.webhook.patch.podSecurityContext | nindent 8 }}
- {{- end }}
+ securityContext: {{ include "webhook.podSecurityContext" . | nindent 8 }}
 {{- if .Values.webhook.patch.affinity }}
 affinity:
 {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}
diff --git a/charts/testkube-operator/templates/webhook-cert-patch.yaml b/charts/testkube-operator/templates/webhook-cert-patch.yaml
index 04e9c9406..7e3c32807 100644
--- a/charts/testkube-operator/templates/webhook-cert-patch.yaml
+++ b/charts/testkube-operator/templates/webhook-cert-patch.yaml
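Review bot: The removed `{{- if .Values.webhook.patch.podSecurityContext }}` guard around the pod-level `securityContext:` has no equivalent inside `webhook.podSecurityContext`, so when neither `global.podSecurityContext` nor `webhook.patch.podSecurityContext` is set the Job pod now renders `securityContext: null` (if the key is absent from values.yaml) or `securityContext: {}` (if present but empty) where the previous template omitted the field entirely. Kubernetes treats both as unset, so nothing breaks at apply time, but strict schema validators can reject a `null` there and the rendered output changes for every existing user. Keep the guard at the call site: `{{- if or .Values.global.podSecurityContext .Values.webhook.patch.podSecurityContext }}` / `securityContext: {{ include "webhook.podSecurityContext" . | nindent 8 }}` / `{{- end }}`. The identical guard removal appears in the webhook-cert-patch.yaml hunk below.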
@@ -63,16 +63,13 @@ spec:
 - --patch-mutating=false
 - --crd-api-groups
 - tests.testkube.io,executor.testkube.io
- securityContext: {{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext | nindent 12 }}
+ securityContext: {{ include "webhook.patch.containerSecurityContext" . | nindent 12 }}
 {{- if .Values.webhook.patch.patchWebhookJob.resources }}
 resources: {{ toYaml .Values.webhook.patch.patchWebhookJob.resources | nindent 12 }}
 {{- end }}
 restartPolicy: Never
 serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
- {{- if .Values.webhook.patch.podSecurityContext }}
- securityContext:
- {{- toYaml .Values.webhook.patch.podSecurityContext | nindent 8 }}
- {{- end }}
+ securityContext: {{ include "webhook.podSecurityContext" . | nindent 8 }}
 {{- if .Values.webhook.patch.affinity }}
 affinity:
 {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}
diff --git a/charts/testkube-operator/values.yaml b/charts/testkube-operator/values.yaml
index 55fee0a63..f24e10b8c 100644
--- a/charts/testkube-operator/values.yaml
+++ b/charts/testkube-operator/values.yaml
@@ -16,6 +16,10 @@ global:
 nodeSelector: {}
 affinity: {}
 tolerations: []
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 ### @section Common parameters
 ## Kubernetes version (using Helm capabilities if not set)
diff --git a/charts/testkube/Chart.yaml b/charts/testkube/Chart.yaml
index 0765f139a..fd682b8b8 100644
--- a/charts/testkube/Chart.yaml
+++ b/charts/testkube/Chart.yaml
@@ -15,7 +15,7 @@ dependencies:
 repository: https://charts.bitnami.com/bitnami
 - name: nats
 condition: testkube-api.nats.enabled
- version: 1.2.6-1
+ version: 1.2.6-2
 repository: "file://./charts/nats"
 - name: testkube-api
 version: 2.1.60
diff --git a/charts/testkube/charts/nats/Chart.yaml b/charts/testkube/charts/nats/Chart.yaml
index 87361de0b..8a10ffc6d 100644
--- a/charts/testkube/charts/nats/Chart.yaml
+++ b/charts/testkube/charts/nats/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 1.2.6-1
+version: 1.2.6-2
 home: http://github.com/nats-io/k8s
 maintainers:
 - email: info@nats.io
diff --git a/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml b/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml
index aa1753b4b..ff0caf8ff 100644
--- a/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml
+++ b/charts/testkube/charts/nats/files/nats-box/deployment/container.yaml
@@ -44,3 +44,6 @@ volumeMounts:
 - name: {{ .name | quote }}
 mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml b/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml
index ff904bf6c..eca5a3e40 100644
--- a/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml
+++ b/charts/testkube/charts/nats/files/nats-box/deployment/pod-template.yaml
@@ -42,3 +42,6 @@ spec:
 secret:
 secretName: {{ .secretName | quote }}
 {{- end }}
+
+ securityContext:
+ {{- include "nats.podSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml b/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml
index c5402efea..f87562842 100644
--- a/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/nats-container.yaml
@@ -104,3 +104,6 @@ volumeMounts:
 - name: {{ .name | quote }}
 mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml b/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml
index 1d3ea6431..2ecfd8fe6 100644
--- a/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/pod-template.yaml
@@ -69,3 +69,6 @@ spec:
 - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
 {{- end }}
 {{- end}}
+
+ securityContext:
+ {{- include "nats.podSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml b/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml
index c3e1b6fbe..84d19ec70 100644
--- a/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/prom-exporter-container.yaml
@@ -28,3 +28,6 @@ args:
 - -gatewayz
 {{- end }}
 - http://localhost:{{ .Values.config.monitor.port }}/
+
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml b/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml
index 96722045f..dd4a55fbb 100644
--- a/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml
+++ b/charts/testkube/charts/nats/files/stateful-set/reloader-container.yaml
@@ -25,3 +25,6 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/templates/_helpers.tpl b/charts/testkube/charts/nats/templates/_helpers.tpl
index ba0a51c56..611ad8918 100644
--- a/charts/testkube/charts/nats/templates/_helpers.tpl
+++ b/charts/testkube/charts/nats/templates/_helpers.tpl
@@ -280,3 +280,25 @@ output: string with following format rules
 "${1}") -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "nats.podSecurityContext" -}}
+{{- with .Values.global.podSecurityContext }}
+{{ toYaml . }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "nats.containerSecurityContext" -}}
+{{- with .Values.global.containerSecurityContext }}
+{{- toYaml . }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube/charts/nats/values.yaml b/charts/testkube/charts/nats/values.yaml
index 15745ab7b..107ad4f95 100644
--- a/charts/testkube/charts/nats/values.yaml
+++ b/charts/testkube/charts/nats/values.yaml
@@ -17,6 +17,10 @@ global:
 # global labels will be applied to all resources deployed by the chart
 labels: {}
+ # -- Security Context for all pods
+ podSecurityContext: {}
+ # -- Security Context for all containers
+ containerSecurityContext: {}
 ################################################################################
 # Common options
diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
index 9e0bceaa5..b874b1199 100644
--- a/charts/testkube/values.yaml
+++ b/charts/testkube/values.yaml
@@ -44,6 +44,10 @@ global:
 additionalVolumes: []
 # -- Additional volume mounts to be added to the Testkube API container and Test Jobs containers
 additionalVolumeMounts: []
+ # -- Security Context for all pods
+ podSecurityContext: {}
+ # -- Security Context for all containers
+ containerSecurityContext: {}
 # -- Test Workflows configuration
 testWorkflows:
 # -- Create TestWorkflowTemplates to easily use the service account
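Review bot: Both helpers fall back to `.Values.podSecurityContext` and `.Values.containerSecurityContext`, but the nats values.yaml hunk in this commit adds only the `global.*` keys; unless those top-level keys already exist outside the hunk, the `else` branch is `toYaml` of nil and every nats, nats-box, reloader and prom-exporter container wired up in this commit renders `securityContext: null` out of the box. Add the fallback keys beside the global ones with a documented default — `podSecurityContext: {}` and `containerSecurityContext: {}` at minimum, or hardened defaults such as `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` if the nats images tolerate them — and consider `(... | default dict)` in the helpers so an absent key renders `{}` rather than `null`. These helpers also use `with`/`else` where the three sibling charts use `if`/`else`; both work, but one idiom across the charts would make the four copies easier to keep in sync.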