Allow to disable containerSecurityContext

Add a `enabled` property to allow the whole containerSecurityContext to be disabled. Fixes https://github.com/argoproj/argo-helm/issues/2071 Signed-off-by: wim.fournier <github@fournier.nl> Signed-off-by: Wim Fournier <github@fournier.nl>
2023-05-23 08:53:54 +02:00 · 2023-05-23 08:53:54 +02:00 · 59334a0d50
commit 59334a0d50
parent 6593901daf
9 changed files with 34 additions and 3 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v2.7.2
 kubeVersion: ">=1.22.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.34.3
+version: 5.34.4
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@ -27,4 +27,4 @@ annotations:
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
    - kind: fixed
-      description: Align with upstream dex initContainers
+      description: Allow to disable containerSecurityContext
--- a/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
+++ b/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
@ -255,8 +255,10 @@ spec:
          failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
        resources:
          {{- toYaml .Values.controller.resources | nindent 10 }}
        {{- if .Values.controller.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
          {{- end }}
        workingDir: /home/argocd
        volumeMounts:
        {{- with .Values.controller.volumeMounts }}
--- a/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-applicationset/deployment.yaml
@ -182,8 +182,10 @@ spec:
          {{- end }}
          resources:
            {{- toYaml .Values.applicationSet.resources | nindent 12 }}
          {{- if .Values.applicationSet.containerSecurityContext.enabled }}
          securityContext:
            {{- toYaml .Values.applicationSet.containerSecurityContext | nindent 12 }}
          {{- end }}
          volumeMounts:
            {{- with .Values.applicationSet.extraVolumeMounts }}
              {{- toYaml . | nindent 12 }}
--- a/charts/argo-cd/templates/argocd-notifications/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-notifications/deployment.yaml
@ -80,8 +80,10 @@ spec:
            protocol: TCP
          resources:
            {{- toYaml .Values.notifications.resources | nindent 12 }}
          {{- if .Values.notifications.containerSecurityContext.enabled }}
          securityContext:
            {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
          {{- end }}
          workingDir: /app
          volumeMounts:
            - name: tls-certs
--- a/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@ -273,8 +273,10 @@ spec:
          failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
        resources:
          {{- toYaml .Values.repoServer.resources | nindent 10 }}
        {{- if .Values.repoServer.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
        {{- end }}
        {{- with .Values.repoServer.lifecycle }}
        lifecycle:
          {{- toYaml . | nindent 10 }}
@ -295,10 +297,12 @@ spec:
        resources:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- if .Values.repoServer.containerSecurityContext.enabled }}
        {{- with .Values.repoServer.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- end }}
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
--- a/charts/argo-cd/templates/argocd-server/deployment.yaml
+++ b/charts/argo-cd/templates/argocd-server/deployment.yaml
@ -334,8 +334,10 @@ spec:
          failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
        resources:
          {{- toYaml .Values.server.resources | nindent 10 }}
        {{- if .Values.repoServer.containerSecurityContext.enabled }}
        securityContext:
-          {{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
+          {{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
        {{- end }}
        {{- with .Values.server.lifecycle }}
        lifecycle:
          {{- toYaml . | nindent 10 }}
@ -346,8 +348,10 @@ spec:
        imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }}
        resources:
          {{- toYaml .Values.server.extensions.resources | nindent 10 }}
        {{- if .Values.server.extensions.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }}
          {{-end }}
        volumeMounts:
          - name: extensions
            mountPath: /tmp/extensions/
--- a/charts/argo-cd/templates/dex/deployment.yaml
+++ b/charts/argo-cd/templates/dex/deployment.yaml
@ -117,8 +117,10 @@ spec:
        {{- end }}
        resources:
          {{- toYaml .Values.dex.resources | nindent 10 }}
        {{- if .Values.dex.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
          {{- end }}
        volumeMounts:
        {{- with .Values.dex.volumeMounts }}
          {{- toYaml . | nindent 8 }}
@ -148,8 +150,10 @@ spec:
          name: dexconfig
        resources:
          {{- toYaml .Values.dex.resources | nindent 10 }}
        {{- if .Values.dex.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
          {{- end}}
      {{- with .Values.dex.initContainers }}
        {{- tpl (toYaml .) $ | nindent 6 }}
      {{- end }}
--- a/charts/argo-cd/templates/redis/deployment.yaml
+++ b/charts/argo-cd/templates/redis/deployment.yaml
@ -75,8 +75,10 @@ spec:
          protocol: TCP
        resources:
          {{- toYaml .Values.redis.resources | nindent 10 }}
        {{- if .Values.redis.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
        {{- end }}
        {{- with .Values.redis.volumeMounts }}
        volumeMounts:
          {{- toYaml . | nindent 10 }}
@ -99,8 +101,10 @@ spec:
          protocol: TCP
        resources:
          {{- toYaml .Values.redis.exporter.resources | nindent 10 }}
        {{- if .Values.redis.exporter.containerSecurityContext.enabled }}
        securityContext:
          {{- toYaml .Values.redis.exporter.containerSecurityContext | nindent 10 }}
          {{- end }}
      {{- end }}
      {{- with .Values.redis.extraContainers }}
        {{- tpl (toYaml .) $ | nindent 6 }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -699,6 +699,7 @@ controller:
  # -- Application controller container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
@ -1017,6 +1018,7 @@ dex:
  # -- Dex container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
@ -1168,6 +1170,7 @@ redis:
    # -- Redis exporter security context
    # @default -- See [values.yaml]
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
@ -1261,6 +1264,7 @@ redis:
  # -- Redis container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
@ -1524,6 +1528,7 @@ server:
    # -- Server UI extensions container-level security context
    # @default -- See [values.yaml]
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
@ -1628,6 +1633,7 @@ server:
  # -- Server container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
@ -2159,6 +2165,7 @@ repoServer:
  # -- Repo server container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
@ -2512,6 +2519,7 @@ applicationSet:
  # -- ApplicationSet controller container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
@ -2850,6 +2858,7 @@ notifications:
  # -- Notification controller container-level security Context
  # @default -- See [values.yaml]
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false