From 59334a0d509114a507231d9fe8e56d802d46757c Mon Sep 17 00:00:00 2001
From: Wim Fournier
Date: Tue, 23 May 2023 08:53:54 +0200
Subject: [PATCH] Allow to disable containerSecurityContext
Add a `enabled` property to allow the whole containerSecurityContext to be disabled.
Fixes https://github.com/argoproj/argo-helm/issues/2071
Signed-off-by: wim.fournier
Signed-off-by: Wim Fournier
---
charts/argo-cd/Chart.yaml | 4 ++--
.../argocd-application-controller/statefulset.yaml | 2 ++
.../templates/argocd-applicationset/deployment.yaml | 2 ++
.../templates/argocd-notifications/deployment.yaml | 2 ++
.../argo-cd/templates/argocd-repo-server/deployment.yaml | 4 ++++
charts/argo-cd/templates/argocd-server/deployment.yaml | 6 +++++-
charts/argo-cd/templates/dex/deployment.yaml | 4 ++++
charts/argo-cd/templates/redis/deployment.yaml | 4 ++++
charts/argo-cd/values.yaml | 9 +++++++++
9 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/charts/argo-cd/Chart.yaml b/charts/argo-cd/Chart.yaml
index 72042538..17f73eb4 100644
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: v2.7.2
 kubeVersion: ">=1.22.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.34.3
+version: 5.34.4
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -27,4 +27,4 @@ annotations:
 url: https://argoproj.github.io/argo-helm/pgp_keys.asc
 artifacthub.io/changes: |
 - kind: fixed
- description: Align with upstream dex initContainers
+ description: Allow to disable containerSecurityContext
diff --git a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
index c56bf0b3..2b63c189 100644
--- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
@@ -255,8 +255,10 @@ spec:
 failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
 resources:
 {{- toYaml .Values.controller.resources | nindent 10 }}
+ {{- if .Values.controller.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
+ {{- end }}
 workingDir: /home/argocd
 volumeMounts:
 {{- with .Values.controller.volumeMounts }}
diff --git a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
index 9033f5b4..ec876b55 100644
--- a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
@@ -182,8 +182,10 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.applicationSet.resources | nindent 12 }}
+ {{- if .Values.applicationSet.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.applicationSet.containerSecurityContext | nindent 12 }}
+ {{- end }}
 volumeMounts:
 {{- with .Values.applicationSet.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
diff --git a/charts/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo-cd/templates/argocd-notifications/deployment.yaml
index d49944fd..f9d84d88 100644
--- a/charts/argo-cd/templates/argocd-notifications/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-notifications/deployment.yaml
@@ -80,8 +80,10 @@ spec:
 protocol: TCP
 resources:
 {{- toYaml .Values.notifications.resources | nindent 12 }}
+ {{- if .Values.notifications.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
+ {{- end }}
 workingDir: /app
 volumeMounts:
 - name: tls-certs
diff --git a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
index 4f2c45bd..cef0a50d 100755
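Review bot: The new `enabled` key ends up inside the rendered container securityContext, because the unchanged `{{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}` line still serialises the whole map that values.yaml now adds `enabled: true` to; `enabled` is not a field of the Kubernetes SecurityContext, so strict API validation will reject the manifest and lenient validation silently drops it. Strip the switch before serialising: `{{- toYaml (omit .Values.controller.containerSecurityContext "enabled") | nindent 10 }}`. The same applies to every other template hunk in this patch (applicationSet, notifications, both repo-server hunks, server, server extensions, both dex hunks, redis and redis exporter). Note too that `.Values.controller.containerSecurityContext.enabled` raises a nil-pointer template error when a user has overridden the block with `null`, which the previous `with`-guarded form in the repo-server template tolerated; a `with` guard around the `if` would preserve that behaviour. The enclosing container spec starts and ends outside the hunk.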
--- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@@ -273,8 +273,10 @@ spec:
 failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
 resources:
 {{- toYaml .Values.repoServer.resources | nindent 10 }}
+ {{- if .Values.repoServer.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
+ {{- end }}
 {{- with .Values.repoServer.lifecycle }}
 lifecycle:
 {{- toYaml . | nindent 10 }}
@@ -295,10 +297,12 @@ spec:
 resources:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- if .Values.repoServer.containerSecurityContext.enabled }}
 {{- with .Values.repoServer.containerSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- end }}
 volumeMounts:
 - mountPath: /var/run/argocd
 name: var-files
diff --git a/charts/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo-cd/templates/argocd-server/deployment.yaml
index 7ce72e80..26738b9c 100755
--- a/charts/argo-cd/templates/argocd-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-server/deployment.yaml
@@ -334,8 +334,10 @@ spec:
 failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
 resources:
 {{- toYaml .Values.server.resources | nindent 10 }}
+ {{- if .Values.repoServer.containerSecurityContext.enabled }}
 securityContext:
- {{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
+ {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
+ {{- end }}
 {{- with .Values.server.lifecycle }}
 lifecycle:
 {{- toYaml . | nindent 10 }}
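Review bot: The argocd-server hunk reads `.Values.repoServer.containerSecurityContext` on both added lines (the `if` guard and the `toYaml`), while the line it removes read `.Values.server.containerSecurityContext`; this silently applies the repo-server's settings to the API server container and ignores the `server.containerSecurityContext` block that values.yaml still carries, so a user tightening or relaxing `server.containerSecurityContext` would see no effect. Both references should be the server's own values: `{{- if .Values.server.containerSecurityContext.enabled }}` and `{{- toYaml .Values.server.containerSecurityContext | nindent 10 }}`. The enclosing container spec starts and ends outside the hunk.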
@@ -346,8 +348,10 @@ spec:
 imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }}
 resources:
 {{- toYaml .Values.server.extensions.resources | nindent 10 }}
+ {{- if .Values.server.extensions.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }}
+ {{-end }}
 volumeMounts:
 - name: extensions
 mountPath: /tmp/extensions/
diff --git a/charts/argo-cd/templates/dex/deployment.yaml b/charts/argo-cd/templates/dex/deployment.yaml
index 2acf4242..aedfa152 100755
--- a/charts/argo-cd/templates/dex/deployment.yaml
+++ b/charts/argo-cd/templates/dex/deployment.yaml
@@ -117,8 +117,10 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.dex.resources | nindent 10 }}
+ {{- if .Values.dex.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
+ {{- end }}
 volumeMounts:
 {{- with .Values.dex.volumeMounts }}
 {{- toYaml . | nindent 8 }}
@@ -148,8 +150,10 @@ spec:
 name: dexconfig
 resources:
 {{- toYaml .Values.dex.resources | nindent 10 }}
+ {{- if .Values.dex.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
+ {{- end}}
 {{- with .Values.dex.initContainers }}
 {{- tpl (toYaml .) $ | nindent 6 }}
 {{- end }}
diff --git a/charts/argo-cd/templates/redis/deployment.yaml b/charts/argo-cd/templates/redis/deployment.yaml
index fc0bebbd..26347c8e 100755
--- a/charts/argo-cd/templates/redis/deployment.yaml
+++ b/charts/argo-cd/templates/redis/deployment.yaml
@@ -75,8 +75,10 @@ spec:
 protocol: TCP
 resources:
 {{- toYaml .Values.redis.resources | nindent 10 }}
+ {{- if .Values.redis.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
+ {{- end }}
 {{- with .Values.redis.volumeMounts }}
 volumeMounts:
 {{- toYaml . | nindent 10 }}
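Review bot: `{{-end }}` in the server extensions hunk is a template parse error, not just a style slip: Go templates only recognise the trim marker when `{{-` is followed by a space, so `-end` is lexed as a malformed number and `helm template` fails for the whole chart as soon as this file is parsed. It should read `{{- end }}` like the other closers in this patch. The enclosing extensions container spec continues outside the hunk.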
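Review bot: The second dex hunk closes its guard with `{{- end}}`, the only closing action in this patch without a space before `}}`; it parses, but every other hunk (including the first dex hunk a few lines above) writes `{{- end }}`, so the same spelling keeps the file consistent for the next reader and for any whitespace linting.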
@@ -99,8 +101,10 @@ spec:
 protocol: TCP
 resources:
 {{- toYaml .Values.redis.exporter.resources | nindent 10 }}
+ {{- if .Values.redis.exporter.containerSecurityContext.enabled }}
 securityContext:
 {{- toYaml .Values.redis.exporter.containerSecurityContext | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- with .Values.redis.extraContainers }}
 {{- tpl (toYaml .) $ | nindent 6 }}
diff --git a/charts/argo-cd/values.yaml b/charts/argo-cd/values.yaml
index 2906eb82..ebd741e2 100644
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@@ -699,6 +699,7 @@ controller:
 # -- Application controller container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -1017,6 +1018,7 @@ dex:
 # -- Dex container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -1168,6 +1170,7 @@ redis:
 # -- Redis exporter security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -1261,6 +1264,7 @@ redis:
 # -- Redis container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 allowPrivilegeEscalation: false
 capabilities:
 drop:
@@ -1524,6 +1528,7 @@ server:
 # -- Server UI extensions container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -1628,6 +1633,7 @@ server:
 # -- Server container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
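Review bot: The new `enabled: true` key in the controller values hunk has no helm-docs comment, and the parent description `# -- Application controller container-level security context` does not say what switching it off does; since the sibling hardening keys visible here (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`) are all omitted from the rendered container when `enabled: false`, that consequence should be stated where the setting is documented. I would change the description to `# -- Application controller container-level security context. Set enabled to false to omit the securityContext entirely; this also drops the hardening defaults below, so prefer overriding individual keys when only one needs to change.` The same wording change applies to the other values.yaml hunks in this patch (dex, redis exporter, redis, server extensions, server, repoServer, applicationSet, notifications). If the README is generated by helm-docs, as the `# --` markers suggest, it will need regenerating once the descriptions change.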
@@ -2159,6 +2165,7 @@ repoServer:
 # -- Repo server container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -2512,6 +2519,7 @@ applicationSet:
 # -- ApplicationSet controller container-level security context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -2850,6 +2858,7 @@ notifications:
 # -- Notification controller container-level security Context
 # @default -- See [values.yaml]
 containerSecurityContext:
+ enabled: true
 runAsNonRoot: true
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false