From 7f97afec9b303d4ec6b2b11ea3dc21e6a233c923 Mon Sep 17 00:00:00 2001
From: Marco Maurer
Date: Mon, 15 Apr 2024 14:00:49 +0200
Subject: [PATCH] feat: Add ability to define securityContext and podSecurityContext

Signed-off-by: Marco Maurer
---
 deploy/charts/version-checker/README.md | 2 ++
 .../version-checker/templates/deployment.yaml | 9 ++++++++-
 .../version-checker/tests/deployment_test.yaml | 18 ++++++++++++++++++
 deploy/charts/version-checker/values.yaml | 15 +++++++++++++++
 4 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/deploy/charts/version-checker/README.md b/deploy/charts/version-checker/README.md
index 30816dbe..4b95ab0e 100644
--- a/deploy/charts/version-checker/README.md
+++ b/deploy/charts/version-checker/README.md
@@ -40,6 +40,7 @@ A Helm chart for version-checker
 | livenessProbe.initialDelaySeconds | int | `3` | Number of seconds after the container has started before liveness probes are initiated. |
 | livenessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the livenessProbe. |
 | nodeSelector | object | `{}` | Configure nodeSelector |
+| podSecurityContext | object | `{}` | Set pod-level security context |
 | prometheus.enabled | bool | `false` | Deploy a Prometheus-Operator Prometheus Object to collect version-checker metrics |
 | prometheus.replicas | int | `1` | Number of Prometheus replicas to create |
 | prometheus.serviceAccountName | string | `"prometheus"` | ServiceAccount for new Prometheus Object |
@@ -51,6 +52,7 @@ A Helm chart for version-checker
 | readinessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the readinessProbe. |
 | replicaCount | int | `1` | Replica Count for version-checker |
 | resources | object | `{}` | Setup version-checkers resource requests/limits |
+| securityContext | object | `{}` | Set container-level security context |
 | selfhosted | []{name: "", host: "", username:"", password:"", token:""}] | `[]` | Setup a number of SelfHosted Repositories and their credentials |
 | service.annotations | object | `{}` | Additional annotations to add to the service |
 | service.labels | object | `{}` | Additional labels to add to the service |
diff --git a/deploy/charts/version-checker/templates/deployment.yaml b/deploy/charts/version-checker/templates/deployment.yaml
index f670b183..753d3fb5 100644
--- a/deploy/charts/version-checker/templates/deployment.yaml
+++ b/deploy/charts/version-checker/templates/deployment.yaml
@@ -54,6 +54,10 @@ spec:
 - "--test-all-containers={{.Values.versionChecker.testAllContainers}}"
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- if .Values.livenessProbe.enabled }}
 livenessProbe:
 {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 10}}
@@ -202,7 +206,10 @@ spec:
 {{- if .Values.env }}
 {{- toYaml .Values.env | nindent 8 }}
 {{- end }}
-
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 volumes:
 {{- if $secretEnabled }}
 - name: {{ include "version-checker.name" . }}
diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml
index 14c4c4dc..029416a0 100644
--- a/deploy/charts/version-checker/tests/deployment_test.yaml
+++ b/deploy/charts/version-checker/tests/deployment_test.yaml
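Review bot: The container-level `securityContext` in the first deployment.yaml hunk is rendered only when `.Values.securityContext` is non-empty, and the chart ships it as `{}`, so by default the version-checker container gets no `securityContext` at all; on a namespace enforcing the `restricted` Pod Security Standard the Deployment will be rejected until the user populates both this block and `podSecurityContext`. The `{{- with }}` guard itself is correct, but a template comment at that spot would tell users how the two blocks interact: `{{/* Container-level securityContext. Per the Kubernetes API, fields set here (runAsUser, runAsGroup, seccompProfile, …) take precedence over the same fields in the pod-level securityContext. */}}`. The container spec starts and ends outside the hunk, so I could not confirm that no other `securityContext` key is already emitted for this container.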
@@ -425,3 +425,21 @@ tests:
 - equal:
 path: spec.template.metadata.annotations["foo"]
 value: bar
+
+ - it: (Pod-)SecurityContext is reflected
+ set:
+ podSecurityContext:
+ runAsUser: 65534
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 65534
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml
index 813513f4..de0e7a57 100644
--- a/deploy/charts/version-checker/values.yaml
+++ b/deploy/charts/version-checker/values.yaml
@@ -118,6 +118,21 @@ resources:
 # memory: 128Mi
 #
 
+# -- Set container-level security context
+securityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 65534
+ # seccompProfile:
+ # type: RuntimeDefault
+
+# -- Set pod-level security context
+podSecurityContext: {}
+
 # Configure the readiness probe for version-checker
 readinessProbe:
 # -- Enable/Disable the setting of a readinessProbe
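Review bot: The new `(Pod-)SecurityContext is reflected` case only exercises the populated path; nothing pins the behaviour of the `{{- with }}` guards when both values are left at their `{}` default, so a later template edit could silently start rendering `securityContext: {}` or `securityContext: null` without any test failing. A second case with no `set:` block and a `notExists` assertion (or `isNull` on older helm-unittest releases) for `spec.template.spec.securityContext` and `spec.template.spec.containers[0].securityContext` would close that gap, e.g. `- notExists:` / `path: spec.template.spec.securityContext`.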
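Review bot: Both new values default to `{}`, so the hardening this commit enables is opt-in and a default install still runs the container with no `allowPrivilegeEscalation: false`, no dropped capabilities and no seccomp profile — the commented example is exactly the restricted profile, it is just not applied. Shipping those values as the actual defaults would make a fresh install pass the `restricted` Pod Security Standard out of the box while remaining overridable; the only values I would hedge on are `readOnlyRootFilesystem` (confirm the binary writes nowhere on the root filesystem, or pair it with an `emptyDir` for `/tmp`) and `runAsUser: 65534` (only safe if the image does not already depend on running as another UID, which is not visible here). `podSecurityContext` would also benefit from a commented example, since `runAsNonRoot` and `seccompProfile` can be set once at pod level instead of per container. If backward compatibility is the reason for `{}`, a one-line comment saying so, `# Left empty for backward compatibility; see the restricted-profile example below`, would stop the next reader from re-raising this.
```yaml
# -- Set container-level security context (restricted Pod Security Standard)
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true  # confirm the binary needs no writable root fs
  runAsNonRoot: true
  runAsUser: 65534
  seccompProfile:
    type: RuntimeDefault

# -- Set pod-level security context (applies to all containers unless overridden)
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
# … unchanged: readinessProbe configuration …
```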