Add option to configure securityContext on both pods and containers

Signed-off-by: Kajot-dev <[email protected]>
goharbor · Dec 22, 2023 · c0baafe · c0baafe
1 parent c7d2e6b
commit c0baafe
Show file tree

Hide file tree

Showing 11 changed files with 162 additions and 46 deletions.
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -33,9 +33,9 @@ spec:
 {{ toYaml .Values.core.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.core.podSecurityContext) }}
+      securityContext: {{ .Values.core.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.core.serviceAccountName }}
       serviceAccountName: {{ .Values.core.serviceAccountName }}
 {{- end -}}
@@ -146,6 +146,9 @@ spec:
 {{- end }}
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
+        {{- if not (empty .Values.core.containerSecurityContext) }}
+        securityContext: {{ .Values.core.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: config
           mountPath: /etc/core/app.conf

diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
@@ -19,9 +19,9 @@ spec:
         component: migrator
     spec:
       restartPolicy: Never
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.core.podSecurityContext) }}
+      securityContext: {{ .Values.core.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.core.serviceAccountName }}
       serviceAccountName: {{ .Values.core.serviceAccountName }}
 {{- end -}}
@@ -47,7 +47,10 @@ spec:
               secretKeyRef:
                 name: {{ .Values.database.external.existingSecret }}
                 key: password
-        {{- end }}               
+        {{- end }}
+        {{- if not (empty .Values.core.containerSecurityContext) }}
+        securityContext: {{ .Values.core.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: config
           mountPath: /etc/core/app.conf

diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
@@ -28,9 +28,9 @@ spec:
 {{ toYaml .Values.database.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 999
-        fsGroup: 999
+      {{- if not (empty .Values.database.internal.podSecurityContext) }}
+      securityContext: {{ .Values.database.internal.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.database.internal.serviceAccountName }}
       serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
 {{- end -}}
@@ -54,6 +54,9 @@ spec:
         resources:
 {{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }}
 {{- end }}
+        {{- if not (empty .Values.database.internal.initContainer.migrator.containerSecurityContext) }}
+        securityContext: {{ .Values.database.internal.initContainer.migrator.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
           - name: database-data
             mountPath: /var/lib/postgresql/data
@@ -71,6 +74,9 @@ spec:
         resources:
 {{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }}
 {{- end }}
+        {{- if not (empty .Values.database.internal.initContainer.permissions.containerSecurityContext) }}
+        securityContext: {{ .Values.database.internal.initContainer.permissions.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
           - name: database-data
             mountPath: /var/lib/postgresql/data

diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -31,9 +31,9 @@ spec:
 {{ toYaml .Values.exporter.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.exporter.podSecurityContext) }}
+      securityContext: {{ .Values.exporter.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.exporter.serviceAccountName }}
       serviceAccountName: {{ .Values.exporter.serviceAccountName }}
 {{- end -}}
@@ -99,6 +99,9 @@ spec:
 {{- end }}
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
+        {{- if not (empty .Values.exporter.containerSecurityContext ) }}
+        securityContext: {{ .Values.exporter.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -39,9 +39,9 @@ spec:
 {{ toYaml .Values.jobservice.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.jobservice.podSecurityContext) }}
+      securityContext: {{ .Values.jobservice.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.jobservice.serviceAccountName }}
       serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
 {{- end -}}
@@ -123,6 +123,9 @@ spec:
             name: "{{ template "harbor.jobservice" . }}"
         ports:
         - containerPort: {{ template "harbor.jobservice.containerPort" . }}
+        {{- if not (empty .Values.jobservice.containerSecurityContext) }}
+        securityContext: {{ .Values.jobservice.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: jobservice-config
           mountPath: /etc/jobservice/config.yml

diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
@@ -37,9 +37,9 @@ spec:
 {{- if .Values.nginx.serviceAccountName }}
       serviceAccountName: {{ .Values.nginx.serviceAccountName }}
 {{- end }}
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.nginx.podSecurityContext) }}
+      securityContext: {{ .Values.nginx.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -91,6 +91,9 @@ spec:
         - containerPort: 8080
         - containerPort: 8443
         - containerPort: 4443
+        {{- if not (empty .Values.nginx.containerSecurityContext) }}
+        securityContext: {{ .Values.nginx.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: config
           mountPath: /etc/nginx/nginx.conf

diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml
@@ -26,14 +26,14 @@ spec:
 {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
         checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }}
 {{- end }}
-        checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }}  
+        checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }}
 {{- if .Values.portal.podAnnotations }}
 {{ toYaml .Values.portal.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.portal.podSecurityContext) }}
+      securityContext: {{ .Values.portal.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -80,6 +80,9 @@ spec:
           periodSeconds: 10
         ports:
         - containerPort: {{ template "harbor.portal.containerPort" . }}
+        {{- if not (empty .Values.portal.containerSecurityContext) }}
+        securityContext: {{ .Values.portal.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: portal-config
           mountPath: /etc/nginx/nginx.conf

diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml
@@ -27,9 +27,9 @@ spec:
 {{ toYaml .Values.redis.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 999
-        fsGroup: 999
+      {{- if not (empty .Values.redis.internal.podSecurityContext) }}
+      securityContext: {{ .Values.redis.internal.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.redis.internal.serviceAccountName }}
       serviceAccountName: {{ .Values.redis.internal.serviceAccountName }}
 {{- end -}}
@@ -61,6 +61,9 @@ spec:
         env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+        {{- if not (empty .Values.redis.internal.containerSecurityContext ) }}
+        securityContext: {{ .Values.redis.internal.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: data
           mountPath: /var/lib/redis

diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -41,10 +41,9 @@ spec:
 {{ toYaml .Values.registry.podAnnotations | indent 8 }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
-        fsGroupChangePolicy: OnRootMismatch
+      {{- if not (empty .Values.registry.podSecurityContext) }}
+      securityContext: {{ .Values.registry.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
 {{- if .Values.registry.serviceAccountName }}
       serviceAccountName: {{ .Values.registry.serviceAccountName }}
 {{- end -}}
@@ -167,6 +166,9 @@ spec:
         ports:
         - containerPort: {{ template "harbor.registry.containerPort" . }}
         - containerPort: 5001
+        {{- if not (empty .Values.registry.registry.containerSecurityContext) }}
+        securityContext: {{ .Values.registry.registry.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: registry-data
           mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
@@ -319,6 +321,9 @@ spec:
 {{- end }}
         ports:
         - containerPort: {{ template "harbor.registryctl.containerPort" . }}
+        {{- if not (empty .Values.registry.controller.containerSecurityContext) }}
+        securityContext: {{ .Values.registry.controller.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: registry-data
           mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}

diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml
@@ -40,9 +40,9 @@ spec:
 {{- if .Values.trivy.serviceAccountName }}
       serviceAccountName: {{ .Values.trivy.serviceAccountName }}
 {{- end }}
-      securityContext:
-        runAsUser: 10000
-        fsGroup: 10000
+      {{- if not (empty .Values.trivy.podSecurityContext) }}
+      securityContext: {{ .Values.trivy.podSecurityContext | toYaml | nindent 8 }}
+      {{- end }}
       automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }}
 {{- with .Values.trivy.topologySpreadConstraints}}
       topologySpreadConstraints:
@@ -130,6 +130,9 @@ spec:
           ports:
             - name: api-server
               containerPort: {{ template "harbor.trivy.containerPort" . }}
+          {{- if not (empty .Values.trivy.containerSecurityContext) }}
+          securityContext: {{ .Values.trivy.containerSecurityContext | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
           - name: data
             mountPath: /home/scanner/.cache