Remove readOnlyRootFilesystem configurable (#110)

Jason O'Donnell 2019-11-12 19:55:31 -05:00 committed by GitHub
parent a5331f5b38
commit 3fbbf7b8df
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 6 additions and 67 deletions


@ -1,3 +1,9 @@
## 0.2.1 (November 12th, 2019)
Bugs:
* Removed `readOnlyRootFilesystem` causing issues when validating deployments
## 0.2.0 (October 29th, 2019) ## 0.2.0 (October 29th, 2019)
Features: Features:


@ -41,9 +41,6 @@ spec:
terminationGracePeriodSeconds: 10 terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "vault.fullname" . }} serviceAccountName: {{ template "vault.fullname" . }}
securityContext: securityContext:
{{- if .Values.server.securityContext.readOnlyRootFilesystem }}
readOnlyRootFilesystem: true
{{- end }}
runAsNonRoot: true runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }} runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }} runAsUser: {{ .Values.server.uid | default 100 }}
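Review bot: The read-only root filesystem hardening is dropped here rather than relocated. `readOnlyRootFilesystem` is a container-level `securityContext` field, not a pod-level one, which is presumably why it failed validation in this block, where only `runAsNonRoot`, `runAsGroup` and `runAsUser` are valid. The container spec lies outside this hunk, so I cannot confirm whether it sets the field, but nothing in this commit adds it there. I would add `securityContext:` with `readOnlyRootFilesystem: true` under the Vault container entry, with writable volume mounts for any path the server must write to. The deleted bats tests could then be retargeted at `.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem` instead of removed.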


@ -376,24 +376,3 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/dev-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/dev-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}


@ -571,24 +571,3 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/ha-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ha-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}


@ -639,22 +639,3 @@ load _helpers
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ] [ "${actual}" = "2000" ]
} }
@test "server/standalone-StatefulSet: readOnlyRootFilesystem default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/standalone-StatefulSet: readOnlyRootFilesystem configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.securityContext.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "null" ]
}


@ -21,9 +21,6 @@ server:
# should map directly to the value of the resources field for a PodSpec. # should map directly to the value of the resources field for a PodSpec.
# By default no direct resource request is made. # By default no direct resource request is made.
securityContext:
readOnlyRootFilesystem: true
resources: resources:
# resources: # resources:
# requests: # requests: