fix(helm): pod security context

helm-charts/secrets-operator/Chart.yaml

@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v0.10.13
+version: v0.10.14
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.10.13"
+appVersion: "v0.10.14"

helm-charts/secrets-operator/templates/deployment.yaml

@@ -49,8 +49,8 @@ spec:
           }}
         securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
           | nindent 10 }}
-      securityContext:
-        runAsNonRoot: true
+      securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent
+        8 }}
       serviceAccountName: {{ include "secrets-operator.serviceAccountName" . }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

helm-charts/secrets-operator/values.yaml

@@ -18,14 +18,16 @@ controllerManager:
       readOnlyRootFilesystem: true
     image:
       repository: infisical/kubernetes-operator
-      tag: v0.10.13
+      tag: v0.10.14
     resources:
       limits:
         cpu: 500m
         memory: 128Mi
       requests:
         cpu: 10m
         memory: 64Mi
+  podSecurityContext:
+    runAsNonRoot: true
     seccompProfile:
       type: RuntimeDefault
   replicas: 1

scripts/generate-helm.sh

@@ -278,22 +278,6 @@ if [ -f "${HELM_DIR}/templates/deployment.yaml" ]; then
       continue
     fi
 
-    # check if this is the problematic pod securityContext line
-    if [[ "$line" =~ securityContext.*Values.controllerManager.podSecurityContext ]] && [ "$securityContext_replaced" -eq 0 ]; then
-      # Replace with our custom securityContext
-      echo "      securityContext:" >> "${HELM_DIR}/templates/deployment.yaml.new"
-      echo "        runAsNonRoot: true" >> "${HELM_DIR}/templates/deployment.yaml.new"
-      securityContext_replaced=1
-      continue
-    fi
-
-    # skip the line if it's just the trailing part of the replacement
-    if [[ "$securityContext_replaced" -eq 1 ]] && [[ "$line" =~ ^[[:space:]]*[0-9]+[[:space:]]*\}\} ]]; then
-      # this is the trailing part of the template expression, skip it
-      securityContext_replaced=0
-      continue
-    fi
-
     # skip the simplified args line that replaced our custom one
     if [[ "$line" =~ args:.*Values.controllerManager.manager.args ]]; then
       continue
@@ -424,15 +408,6 @@ if [ -f "${HELM_DIR}/values.yaml" ]; then
       in_resources_section=1
     fi
 
-    if [[ "$line" =~ podSecurityContext: ]]; then
-      # skip this line and continue to the next line
-      continue
-    fi
-
-    if [[ "$line" =~ runAsNonRoot: ]] && [ "$in_resources_section" -eq 1 ]; then
-      # also skip this line and continue to the next line
-      continue
-    fi
 
     if [[ "$line" =~ ^[[:space:]]*serviceAccount: ]]; then
       # set the flag to 1 so we can continue to print the associated lines later