Merge pull request #68 from marklogic/feature/CLD-596

barkhachoithani · web-flow · commit 0fcc2d19abf5 · 2023-01-16T15:53:18.000-08:00
CLD-596: Add support for securityContext in the helm chart
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -206,6 +206,9 @@ spec:
                             sleep 10s
                         fi
                     done
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           {{- if .Values.livenessProbe.enabled }}
           livenessProbe:
             httpGet:
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -100,6 +100,12 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
+# Below are the security configurations for container, by default security will be enabled
+containerSecurityContext:
+  enabled: true
+  runAsUser: 1000
+  runAsNonRoot: true
+  allowPrivilegeEscalation: true
 
 # Below are the advanced configurations, please understand read the reference before you make changes
 
diff --git a/test/template/sec_template_test.go b/test/template/sec_template_test.go
@@ -0,0 +1,94 @@
+package template_test
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/gruntwork-io/terratest/modules/k8s"
+	"github.com/gruntwork-io/terratest/modules/random"
+)
+
+func TestChartTemplateSecurityEnabled(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../charts")
+	releaseName := "marklogic-sec-test"
+	t.Log(helmChartPath, releaseName)
+	require.NoError(t, err)
+
+	// Set up the namespace; confirm that the template renders the expected value for the namespace.
+	namespaceName := "marklogic-" + strings.ToLower(random.UniqueId())
+	t.Logf("Namespace: %s\n", namespaceName)
+
+	// Setup the args for helm install
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"image.repository":                 "marklogicdb/marklogic-db",
+			"image.tag":                        "latest",
+			"persistence.enabled":              "false",
+			"containerSecurityContext.enabled": "true",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	// render the tempate
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/statefulset.yaml"})
+
+	var statefulset appsv1.StatefulSet
+	helm.UnmarshalK8SYaml(t, output, &statefulset)
+
+	// Verify the name and namespace matches
+	require.Equal(t, namespaceName, statefulset.Namespace)
+
+	// Verify the securityContext values are set for container
+	expectedRunAsUser := 1000
+	statefulSetContainers := statefulset.Spec.Template.Spec.Containers
+	actualRunAsUser := *(statefulSetContainers[0].SecurityContext.RunAsUser)
+	require.Equal(t, len(statefulSetContainers), 1)
+	require.Equal(t, int(actualRunAsUser), expectedRunAsUser)
+}
+
+func TestChartTemplateSecurityDisabled(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../charts")
+	releaseName := "marklogic-sec-test"
+	t.Log(helmChartPath, releaseName)
+	require.NoError(t, err)
+
+	// Set up the namespace; confirm that the template renders the expected value for the namespace.
+	namespaceName := "marklogic-" + strings.ToLower(random.UniqueId())
+	t.Logf("Namespace: %s\n", namespaceName)
+
+	// Setup the args for helm install
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"image.repository":                 "marklogicdb/marklogic-db",
+			"image.tag":                        "latest",
+			"persistence.enabled":              "false",
+			"containerSecurityContext.enabled": "false",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	// render the tempate
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/statefulset.yaml"})
+
+	var statefulset appsv1.StatefulSet
+	helm.UnmarshalK8SYaml(t, output, &statefulset)
+
+	// Verify the name and namespace matches
+	require.Equal(t, namespaceName, statefulset.Namespace)
+
+	// Verify SecurityContext is not set for container
+	statefulSetContainers := statefulset.Spec.Template.Spec.Containers
+	require.Equal(t, len(statefulSetContainers), 1)
+	require.Nil(t, statefulSetContainers[0].SecurityContext)
+}
