feat(cf-common): no podSecurityContext if enabled=false (#36)

Author: mikhail-klimko

charts/cf-common-test/tests/deployment/spec_test.yaml

@@ -215,3 +215,40 @@ tests:
             volumeMounts:
             - name: var-logs
               mountPath: /var/log
+
+  - it: Test pod security context
+    values:
+      - values.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsGroup: 0
+            runAsNonRoot: true
+            runAsUser: 1000
+            fsGroup: 0
+
+  - it: Test disabled pod security context
+    values:
+      - values.yaml
+    set:
+      podSecurityContext:
+        enabled: false
+    asserts:
+      - isNull:
+          path: spec.template.spec.securityContext
+
+  - it: Test pod security context (omit enabled)
+    values:
+      - values.yaml
+    set:
+      podSecurityContext:
+        enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsGroup: 0
+            runAsNonRoot: true
+            runAsUser: 1000
+            fsGroup: 0

charts/cf-common-test/tests/deployment/values.yaml

@@ -19,6 +19,12 @@ controller:
       maxSurge: "50%"
   revisionHistoryLimit: 5
 
+podSecurityContext:
+  runAsGroup: 0
+  runAsNonRoot: true
+  runAsUser: 1000
+  fsGroup: 0
+
 container:
   image:
     registry: 839151377425.dkr.ecr.us-east-1.amazonaws.com/codefresh-inc

charts/cf-common/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v0.0.0
 description: Codefresh library chart
 name: cf-common
-version: 0.5.2
+version: 0.6.0
 type: library
 keywords:
   - codefresh

charts/cf-common/README.md

@@ -2,7 +2,7 @@
 
 Codefresh library chart
 
-![Version: 0.5.2](https://img.shields.io/badge/Version-0.5.2-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
 
 ## Installing the Chart
 
@@ -18,7 +18,7 @@ Include this chart as a dependency in your `Chart.yaml` e.g.
 # Chart.yaml
 dependencies:
 - name: cf-common
-  version: 0.5.2
+  version: 0.6.0
   repository: https://chartmuseum.codefresh.io/cf-common
 ```
 

charts/cf-common/templates/classic/_helpers.tpl

@@ -2,10 +2,10 @@
 Calculate RabbitMQ URI (for On-Prem)
 Must me called from chart root context.
 Usage:
-{{ include "cf-common-0.5.2.classic.calculateRabbitMqUri" . }}
+{{ include "cf-common-0.6.0.classic.calculateRabbitMqUri" . }}
 */}}
 
-{{- define "cf-common-0.5.2.classic.calculateRabbitMqUri" }}
+{{- define "cf-common-0.6.0.classic.calculateRabbitMqUri" }}
 
 {{- $rabbitmqProtocol := .Values.global.rabbitmqProtocol | default "amqp" -}}
 {{- $rabbitmqUsername := .Values.global.rabbitmqUsername -}}
@@ -23,9 +23,9 @@ coalesce here for backward compatibility
 {{/*
 Calculate Mongo Uri (for On-Prem)
 Usage:
-{{ include "cf.common-0.5.2.classic.calculateMongoUri" (dict "dbName" $.Values.global.pipelineManagerService "mongoURI" $.Values.global.mongoURI) }}
+{{ include "cf.common-0.6.0.classic.calculateMongoUri" (dict "dbName" $.Values.global.pipelineManagerService "mongoURI" $.Values.global.mongoURI) }}
 */}}
-{{- define "cf-common-0.5.2.classic.calculateMongoUri" -}}
+{{- define "cf-common-0.6.0.classic.calculateMongoUri" -}}
   {{- if contains "?" .mongoURI -}}
     {{- $mongoURI :=  (splitList "?" .mongoURI) -}}
     {{- printf "%s%s?%s" (first $mongoURI) .dbName (last $mongoURI) }}

charts/cf-common/templates/common/_annotations.tpl

@@ -2,19 +2,19 @@
 Render checksum annotation
 Must be called from chart root context.
 Usage:
-annotations: {{ include "cf-common-0.5.2.annotations.podAnnotations" . | nindent }}
+annotations: {{ include "cf-common-0.6.0.annotations.podAnnotations" . | nindent }}
 */}}
-{{- define "cf-common-0.5.2.annotations.podAnnotations" -}}
+{{- define "cf-common-0.6.0.annotations.podAnnotations" -}}
 
 {{- if .Values.podAnnotations -}}
-  {{- include "cf-common-0.5.2.tplrender" (dict "Values" .Values.podAnnotations "context" $) | nindent 0 }}
+  {{- include "cf-common-0.6.0.tplrender" (dict "Values" .Values.podAnnotations "context" $) | nindent 0 }}
 {{- end -}}
 
 {{- $configMapFound := dict -}}
 {{- range $configMapIndex, $configMapItem := .Values.configMaps -}}
 
   {{- if $configMapItem.enabled -}}
-    {{- $_ := set $configMapFound $configMapIndex ( include "cf-common-0.5.2.tplrender" (dict "Values" $configMapItem.data "context" $) | sha256sum) -}}
+    {{- $_ := set $configMapFound $configMapIndex ( include "cf-common-0.6.0.tplrender" (dict "Values" $configMapItem.data "context" $) | sha256sum) -}}
   {{- end -}}
 
   {{- if $configMapFound -}}
@@ -27,7 +27,7 @@ annotations: {{ include "cf-common-0.5.2.annotations.podAnnotations" . | nindent
 {{- range $secretIndex, $secretItem := .Values.secrets -}}
 
   {{- if $secretItem.enabled -}}
-    {{- $_ := set $secretFound $secretIndex ( include "cf-common-0.5.2.tplrender" (dict "Values" $secretItem.stringData "context" $) | sha256sum) -}}
+    {{- $_ := set $secretFound $secretIndex ( include "cf-common-0.6.0.tplrender" (dict "Values" $secretItem.stringData "context" $) | sha256sum) -}}
   {{- end -}}
 
   {{- if $secretFound -}}

charts/cf-common/templates/common/_labels.tpl

@@ -1,28 +1,28 @@
 {{/*
 Kubernetes standard labels
 */}}
-{{- define "cf-common-0.5.2.labels.standard" -}}
-app.kubernetes.io/name: {{ include "cf-common-0.5.2.names.name" . }}
-helm.sh/chart: {{ include "cf-common-0.5.2.names.chart" . }}
+{{- define "cf-common-0.6.0.labels.standard" -}}
+app.kubernetes.io/name: {{ include "cf-common-0.6.0.names.name" . }}
+helm.sh/chart: {{ include "cf-common-0.6.0.names.chart" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
 {{/*
 Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
 */}}
-{{- define "cf-common-0.5.2.labels.matchLabels" -}}
-app.kubernetes.io/name: {{ include "cf-common-0.5.2.names.name" . }}
+{{- define "cf-common-0.6.0.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "cf-common-0.6.0.names.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 
 {{/*
 Extra labels
 Usage:
-{{ include "cf-common-0.5.2.labels.extraLabels" ( dict "Values" .Values.path.to.the.labels "context" $) }}
+{{ include "cf-common-0.6.0.labels.extraLabels" ( dict "Values" .Values.path.to.the.labels "context" $) }}
 */}}
-{{- define "cf-common-0.5.2.labels.extraLabels" -}}
+{{- define "cf-common-0.6.0.labels.extraLabels" -}}
   {{- if not (kindIs "map" .Values) -}}
   {{- fail "ERROR: labels block must be a map" -}}
   {{- end -}}
@@ -34,9 +34,9 @@ Usage:
 {{/*
 Annotations
 Usage:
-{{ include "cf-common-0.5.2.annotations" ( dict "Values" .Values.path.to.the.annotations "context" $) }}
+{{ include "cf-common-0.6.0.annotations" ( dict "Values" .Values.path.to.the.annotations "context" $) }}
 */}}
-{{- define "cf-common-0.5.2.annotations" -}}
+{{- define "cf-common-0.6.0.annotations" -}}
   {{- if not (kindIs "map" .Values) -}}
   {{- fail "ERROR: annotations block must be a map" -}}
   {{- end -}}

charts/cf-common/templates/common/_names.tpl

@@ -1,14 +1,14 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "cf-common-0.5.2.names.name" -}}
+{{- define "cf-common-0.6.0.names.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "cf-common-0.5.2.names.chart" -}}
+{{- define "cf-common-0.6.0.names.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -17,7 +17,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "cf-common-0.5.2.names.fullname" -}}
+{{- define "cf-common-0.6.0.names.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -33,10 +33,10 @@ If release name contains chart name it will be used as a full name.
 {{/*
 ServiceAccount Name
 */}}
-{{- define "cf-common-0.5.2.names.serviceAccountName" -}}
+{{- define "cf-common-0.6.0.names.serviceAccountName" -}}
   {{- if .Values.serviceAccount -}}
     {{- if .Values.serviceAccount.enabled -}}
-      {{- .Values.serviceAccount.nameOverride | default (include "cf-common-0.5.2.names.fullname" .)  -}}
+      {{- .Values.serviceAccount.nameOverride | default (include "cf-common-0.6.0.names.fullname" .)  -}}
     {{- else -}}
       {{- print "default" -}}
     {{- end -}}

charts/cf-common/templates/common/_tpl.tpl

@@ -1,9 +1,9 @@
 {{/*
 Renders a value that contains template.
 Usage:
-{{ include "cf-common-0.5.2.tplrender" ( dict "Values" .Values.path.to.the.Value "context" $) }}
+{{ include "cf-common-0.6.0.tplrender" ( dict "Values" .Values.path.to.the.Value "context" $) }}
 */}}
-{{- define "cf-common-0.5.2.tplrender" -}}
+{{- define "cf-common-0.6.0.tplrender" -}}
   {{- $tpl := .Values -}}
   {{- if not (typeIs "string" $tpl) -}}
     {{- $tpl = toYaml $tpl -}}

charts/cf-common/templates/container/_container.tpl

@@ -2,28 +2,28 @@
 Renders main container in pod template.
 Called from pod template.
 Usage:
-{{ include "cf-common-0.5.2.container" (dict "Values" .Values.container "context" $) }}
+{{ include "cf-common-0.6.0.container" (dict "Values" .Values.container "context" $) }}
 */}}
-{{-  define "cf-common-0.5.2.container" -}}
+{{-  define "cf-common-0.6.0.container" -}}
 
 {{/* Restoring root $ context */}}
 {{- $ := .context -}}
 
-{{- $containerName := include "cf-common-0.5.2.names.fullname" $ -}}
+{{- $containerName := include "cf-common-0.6.0.names.fullname" $ -}}
 {{- if and (hasKey .Values "nameOverride") .Values.nameOverride }}
-{{- $containerName = include "cf-common-0.5.2.tplrender" (dict "Values" .Values.nameOverride "context" $) -}}
+{{- $containerName = include "cf-common-0.6.0.tplrender" (dict "Values" .Values.nameOverride "context" $) -}}
 {{- end }}
 
 
 - name: {{ $containerName }}
-  image: {{ include "cf-common-0.5.2.image.name" (dict "image" .Values.image "context" $) }}
+  image: {{ include "cf-common-0.6.0.image.name" (dict "image" .Values.image "context" $) }}
   imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
 
   {{- with .Values.command }}
     {{- if not (kindIs "slice" .) }}
       {{- fail "ERROR: container.command block must be a list!" }}
     {{- end }}
-  command: {{- include "cf-common-0.5.2.tplrender" (dict "Values" . "context" $) | nindent 2 }}
+  command: {{- include "cf-common-0.6.0.tplrender" (dict "Values" . "context" $) | nindent 2 }}
   {{- end }}
 
   {{- with .Values.args }}
@@ -53,12 +53,12 @@ Usage:
       {{- if not (kindIs "slice" .) }}
         {{ fail "ERROR: container.envFrom block must be a list!"}}
       {{- end }}
-      {{- include "cf-common-0.5.2.tplrender" (dict "Values" . "context" $) | trim | nindent 4 }}
+      {{- include "cf-common-0.6.0.tplrender" (dict "Values" . "context" $) | trim | nindent 4 }}
     {{- end }}
     {{- range $secretName, $secretItem := $.Values.secrets }}
       {{- if $secretItem.enabled }}
     - secretRef:
-        name: {{ printf "%s-%s" (include "cf-common-0.5.2.names.fullname" $) $secretName }}
+        name: {{ printf "%s-%s" (include "cf-common-0.6.0.names.fullname" $) $secretName }}
       {{- end }}
     {{- end }}
   {{- end }}
@@ -75,18 +75,18 @@ For backward compatibility (.Values.env takes precedence over .Values.container.
   {{- $mergedEnv = merge $mergedEnv $.Values.global.env }}
     {{- end }}
   env:
-  {{- include "cf-common-0.5.2.env-vars" (dict "Values" $mergedEnv "context" $) | trim | nindent 2 }}
+  {{- include "cf-common-0.6.0.env-vars" (dict "Values" $mergedEnv "context" $) | trim | nindent 2 }}
   {{- end }}
 
-  {{- include "cf-common-0.5.2.ports" $ | trim | nindent 2 }}
+  {{- include "cf-common-0.6.0.ports" $ | trim | nindent 2 }}
 
   {{- with .Values.volumeMounts }}
   volumeMounts:
-  {{- include "cf-common-0.5.2.volumeMounts" (dict "Values" . "context" $) | trim | nindent 2 }}
+  {{- include "cf-common-0.6.0.volumeMounts" (dict "Values" . "context" $) | trim | nindent 2 }}
   {{- end }}
 
   {{- with .Values.probes }}
-  {{- include "cf-common-0.5.2.probes" . | trim | nindent 2 }}
+  {{- include "cf-common-0.6.0.probes" . | trim | nindent 2 }}
   {{- end }}
 
   {{- with .Values.resources }}