feat(helm) making securityContext consistent (#20546)

2024-10-10 15:48:31 +00:00 · 2024-10-10 15:48:31 +00:00 · e0aceca1b7
parent 87804624fe
commit e0aceca1b7
6 changed files with 30 additions and 35 deletions
--- a/helm/minio/Chart.yaml
+++ b/helm/minio/Chart.yaml
@ -1,7 +1,7 @@
 apiVersion: v1
 description: High Performance Object Storage
 name: minio
-version: 5.2.0
+version: 5.2.1
 appVersion: RELEASE.2024-04-18T19-09-19Z
 keywords:
  - minio
--- a/helm/minio/templates/NOTES.txt
+++ b/helm/minio/templates/NOTES.txt
@ -1,6 +1,6 @@
 {{- if eq .Values.service.type "ClusterIP" "NodePort" }}
 MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
-{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.{{ .Values.clusterDomain }}

 To access MinIO from localhost, run the below commands:

--- a/helm/minio/templates/deployment.yaml
+++ b/helm/minio/templates/deployment.yaml
@ -55,12 +55,7 @@ spec:
      {{- end }}
      {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
      securityContext:
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-        runAsGroup: {{ .Values.securityContext.runAsGroup }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
-        fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
-        {{- end }}
+        {{ omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{ if .Values.serviceAccount.create }}
      serviceAccountName: {{ .Values.serviceAccount.name }}
@ -173,6 +168,11 @@ spec:
              value: {{ tpl $val $ | quote }}
            {{- end }}
          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12}}
+          {{- end }}
+          {{- end }}
        {{- with .Values.extraContainers }}
          {{- if eq (typeOf .) "string" }}
            {{- tpl . $ | nindent 8 }}
--- a/helm/minio/templates/post-job.yaml
+++ b/helm/minio/templates/post-job.yaml
@ -39,10 +39,7 @@ spec:
      tolerations: {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.postJob.securityContext.enabled }}
-      securityContext:
-        runAsUser: {{ .Values.postJob.securityContext.runAsUser }}
-        runAsGroup: {{ .Values.postJob.securityContext.runAsGroup }}
-        fsGroup: {{ .Values.postJob.securityContext.fsGroup }}
+      securityContext: {{ omit .Values.postJob.securityContext "enabled" | toYaml | nindent 12 }}
      {{- end }}
      volumes:
        - name: etc-path
@ -93,9 +90,9 @@ spec:
        - name: minio-make-policy
          image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
          {{- if .Values.makePolicyJob.securityContext.enabled }}
-          securityContext:
-            runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
-            runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
+          {{- with .Values.makePolicyJob.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
          {{- end }}
          imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
          {{- if .Values.makePolicyJob.exitCommand }}
@ -127,9 +124,9 @@ spec:
        - name: minio-make-bucket
          image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
          {{- if .Values.makeBucketJob.securityContext.enabled }}
-          securityContext:
-            runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }}
-            runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }}
+          {{- with .Values.makeBucketJob.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
          {{- end }}
          imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
          {{- if .Values.makeBucketJob.exitCommand }}
@ -160,9 +157,9 @@ spec:
        - name: minio-make-user
          image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
          {{- if .Values.makeUserJob.securityContext.enabled }}
-          securityContext:
-            runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }}
-            runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }}
+          {{- with .Values.makeUserJob.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
          {{- end }}
          imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
          {{- if .Values.makeUserJob.exitCommand }}
@ -193,9 +190,9 @@ spec:
        - name: minio-custom-command
          image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
          {{- if .Values.customCommandJob.securityContext.enabled }}
-          securityContext:
-            runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }}
-            runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }}
+          {{- with .Values.customCommandJob.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
          {{- end }}
          imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
          {{- if .Values.customCommandJob.exitCommand }}
@ -229,9 +226,9 @@ spec:
        - name: minio-make-svcacct
          image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
          {{- if .Values.makeServiceAccountJob.securityContext.enabled }}
-          securityContext:
-            runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }}
-            runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }}
+          {{- with .Values.makeServiceAccountJob.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
          {{- end }}
          imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
          {{- if .Values.makeServiceAccountJob.exitCommand }}
--- a/helm/minio/templates/statefulset.yaml
+++ b/helm/minio/templates/statefulset.yaml
@ -83,12 +83,7 @@ spec:
      {{- end }}
      {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
      securityContext:
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-        runAsGroup: {{ .Values.securityContext.runAsGroup }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
-        fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
-        {{- end }}
+        {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{- if .Values.serviceAccount.create }}
      serviceAccountName: {{ .Values.serviceAccount.name }}
@ -192,8 +187,9 @@ spec:
            {{- end }}
          resources: {{- toYaml .Values.resources | nindent 12 }}
          {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
-          securityContext:
-            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default false }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext: {{ toYaml . | nindent 12}}
+          {{- end }}
          {{- end }}
        {{- with .Values.extraContainers }}
          {{- if eq (typeOf .) "string" }}
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@ -275,6 +275,8 @@ securityContext:
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
+
+containerSecurityContext:
  readOnlyRootFilesystem: false

 # Additational pod annotations