feat(argocd-notifications): Add ability to define security context (#1116)

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

charts/argocd-notifications/Chart.yaml

@@ -3,7 +3,7 @@ appVersion: v1.2.1
 description: A Helm chart for ArgoCD notifications, an add-on to ArgoCD.
 name: argocd-notifications
 type: application
-version: 1.7.1
+version: 1.8.0
 home: https://github.com/argoproj/argo-helm
 icon: https://argocd-notifications.readthedocs.io/en/stable/assets/logo.png
 keywords:
@@ -15,4 +15,4 @@ maintainers:
   - name: andyfeller
 annotations:
   artifacthub.io/changes: |
-    - "[Changed]: Consistent .helmignore"
+    - "[Added]: Ability to define security context for Slack bot deployment"

charts/argocd-notifications/README.md

@@ -65,6 +65,7 @@ docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:late
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | bots.slack.affinity | object | `{}` | Assign custom [affinity] rules |
+| bots.slack.containerSecurityContext | object | `{}` | Container Security Context |
 | bots.slack.enabled | bool | `false` | Enable slack bot |
 | bots.slack.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the Slack bot |
 | bots.slack.image.repository | string | `"argoprojlabs/argocd-notifications"` | Repository to use for the Slack bot |
@@ -72,6 +73,7 @@ docker run --rm --volume "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:late
 | bots.slack.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
 | bots.slack.nodeSelector | object | `{}` | [Node selector] |
 | bots.slack.resources | object | `{}` | Resource limits and requests for the Slack bot |
+| bots.slack.securityContext | object | `{"runAsNonRoot":true}` | Pod Security Context |
 | bots.slack.service.annotations | object | `{}` | Service annotations for Slack bot |
 | bots.slack.service.port | int | `80` | Service port for Slack bot |
 | bots.slack.service.type | string | `"LoadBalancer"` | Service type for Slack bot |

charts/argocd-notifications/templates/bots/slack/deployment.yaml

@@ -21,6 +21,9 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ include "argocd-notifications.bots.slack.serviceAccountName" . }}
+      {{- with .Values.bots.slack.securityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ include "argocd-notifications.name" . }}-bot
           image: "{{ .Values.bots.slack.image.repository }}:{{ default .Chart.AppVersion .Values.bots.slack.image.tag }}"
@@ -34,6 +37,9 @@ spec:
           ports:
           - containerPort: 8080
             name: http
+          {{- with .Values.bots.slack.containerSecurityContext }}
+          securityContext: {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- with .Values.bots.slack.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/argocd-notifications/values.yaml

@@ -428,6 +428,13 @@ bots:
       # -- Annotations applied to created service account
       annotations: {}
 
+    # -- Pod Security Context
+    securityContext:
+      runAsNonRoot: true
+
+    # -- Container Security Context
+    containerSecurityContext: {}
+
     # -- Resource limits and requests for the Slack bot
     resources: {}
     # limits: