
Commit e1b89d6

Make readOnlyRootFilesystem configurable (#93)
1 parent 2ca3fd2 commit e1b89d6

5 files changed

+79
-12
lines changed

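--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -41,7 +41,9 @@ spec:
 terminationGracePeriodSeconds: 10
 serviceAccountName: {{ template "vault.fullname" . }}
 securityContext:
+{{- if .Values.server.securityContext.readOnlyRootFilesystem }}
 readOnlyRootFilesystem: true
+{{- end }}
 runAsNonRoot: true
 runAsGroup: {{ .Values.server.gid | default 1000 }}
 runAsUser: {{ .Values.server.uid | default 100 }}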
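Review bot: `readOnlyRootFilesystem` is rendered inside the pod-level `securityContext` (the tests in this commit read it from `.spec.template.spec.securityContext`), but Kubernetes defines that field only on the container-level `securityContext`; PodSecurityContext has no such key. Depending on client and server validation the key is either rejected or dropped, so the default `true` may not actually make the server container's root filesystem read-only. Consider emitting it under the server container instead, inside the same `if` guard, as `securityContext:` / `readOnlyRootFilesystem: true`, and leaving `runAsNonRoot`, `runAsGroup` and `runAsUser` where they are. The container spec lies outside this hunk and indentation is not preserved on this page, so the exact nesting should be confirmed against the file.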

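--- a/test/unit/server-dev-statefulset.bats
+++ b/test/unit/server-dev-statefulset.bats
@@ -314,7 +314,7 @@ load _helpers
 
 #--------------------------------------------------------------------
 # Security Contexts
-@test "server/standalone-StatefulSet: uid default" {
+@test "server/dev-StatefulSet: uid default" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -324,7 +324,7 @@ load _helpers
 [ "${actual}" = "100" ]
 }
 
-@test "server/standalone-StatefulSet: uid configurable" {
+@test "server/dev-StatefulSet: uid configurable" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -335,7 +335,7 @@ load _helpers
 [ "${actual}" = "2000" ]
 }
 
-@test "server/standalone-StatefulSet: gid default" {
+@test "server/dev-StatefulSet: gid default" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -345,7 +345,7 @@ load _helpers
 [ "${actual}" = "1000" ]
 }
 
-@test "server/standalone-StatefulSet: gid configurable" {
+@test "server/dev-StatefulSet: gid configurable" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -356,7 +356,7 @@ load _helpers
 [ "${actual}" = "2000" ]
 }
 
-@test "server/standalone-StatefulSet: fsgroup default" {
+@test "server/dev-StatefulSet: fsgroup default" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -366,7 +366,7 @@ load _helpers
 [ "${actual}" = "1000" ]
 }
 
-@test "server/standalone-StatefulSet: fsgroup configurable" {
+@test "server/dev-StatefulSet: fsgroup configurable" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -376,3 +376,24 @@ load _helpers
 yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
 [ "${actual}" = "2000" ]
 }
+
+@test "server/dev-StatefulSet: readOnlyRootFilesystem default" {
+cd `chart_dir`
+local actual=$(helm template \
+-x templates/server-statefulset.yaml \
+--set 'server.dev.enabled=true' \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
+[ "${actual}" = "true" ]
+}
+
+@test "server/dev-StatefulSet: readOnlyRootFilesystem configurable" {
+cd `chart_dir`
+local actual=$(helm template \
+-x templates/server-statefulset.yaml \
+--set 'server.dev.enabled=true' \
+--set 'server.securityContext.readOnlyRootFilesystem=false' \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
+[ "${actual}" = "null" ]
+}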
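Review bot: The `readOnlyRootFilesystem configurable` test asserts `[ "${actual}" = "null" ]`, which also passes when the whole `securityContext` mapping is missing or the yq path is mistyped, because `yq -r` prints `null` for any absent path. A stricter check would query key presence, e.g. `yq -r '.spec.template.spec.securityContext | has("readOnlyRootFilesystem")'` compared with `"false"`, so a rendered manifest that lost its securityContext fails the test instead of passing it. The same assertion appears in the added tests of test/unit/server-ha-statefulset.bats and test/unit/server-statefulset.bats.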

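--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
@@ -509,7 +509,7 @@ load _helpers
 
 #--------------------------------------------------------------------
 # Security Contexts
-@test "server/standalone-StatefulSet: uid default" {
+@test "server/ha-StatefulSet: uid default" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -519,7 +519,7 @@ load _helpers
 [ "${actual}" = "100" ]
 }
 
-@test "server/standalone-StatefulSet: uid configurable" {
+@test "server/ha-StatefulSet: uid configurable" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -530,7 +530,7 @@ load _helpers
 [ "${actual}" = "2000" ]
 }
 
-@test "server/standalone-StatefulSet: gid default" {
+@test "server/ha-StatefulSet: gid default" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -540,7 +540,7 @@ load _helpers
 [ "${actual}" = "1000" ]
 }
 
-@test "server/standalone-StatefulSet: gid configurable" {
+@test "server/ha-StatefulSet: gid configurable" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -551,7 +551,7 @@ load _helpers
 [ "${actual}" = "2000" ]
 }
 
-@test "server/standalone-StatefulSet: fsgroup default" {
+@test "server/ha-StatefulSet: fsgroup default" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -561,7 +561,7 @@ load _helpers
 [ "${actual}" = "1000" ]
 }
 
-@test "server/standalone-StatefulSet: fsgroup configurable" {
+@test "server/ha-StatefulSet: fsgroup configurable" {
 cd `chart_dir`
 local actual=$(helm template \
 -x templates/server-statefulset.yaml \
@@ -571,3 +571,24 @@ load _helpers
 yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
 [ "${actual}" = "2000" ]
 }
+
+@test "server/ha-StatefulSet: readOnlyRootFilesystem default" {
+cd `chart_dir`
+local actual=$(helm template \
+-x templates/server-statefulset.yaml \
+--set 'server.ha.enabled=true' \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
+[ "${actual}" = "true" ]
+}
+
+@test "server/ha-StatefulSet: readOnlyRootFilesystem configurable" {
+cd `chart_dir`
+local actual=$(helm template \
+-x templates/server-statefulset.yaml \
+--set 'server.ha.enabled=true' \
+--set 'server.securityContext.readOnlyRootFilesystem=false' \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
+[ "${actual}" = "null" ]
+}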

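--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -592,3 +592,22 @@ load _helpers
 yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
 [ "${actual}" = "2000" ]
 }
+
+@test "server/standalone-StatefulSet: readOnlyRootFilesystem default" {
+cd `chart_dir`
+local actual=$(helm template \
+-x templates/server-statefulset.yaml \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
+[ "${actual}" = "true" ]
+}
+
+@test "server/standalone-StatefulSet: readOnlyRootFilesystem configurable" {
+cd `chart_dir`
+local actual=$(helm template \
+-x templates/server-statefulset.yaml \
+--set 'server.securityContext.readOnlyRootFilesystem=false' \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
+[ "${actual}" = "null" ]
+}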

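--- a/values.yaml
+++ b/values.yaml
@@ -14,6 +14,10 @@ server:
 # Resource requests, limits, etc. for the server cluster placement. This
 # should map directly to the value of the resources field for a PodSpec.
 # By default no direct resource request is made.
+
+securityContext:
+readOnlyRootFilesystem: true
+
 resources:
 # resources:
 # requests: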
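Review bot: The new `securityContext` block is inserted between the comment that documents `resources` and the `resources:` key itself, so that comment now reads as if it described `securityContext`, and the new setting has no comment of its own. Move the block above the `# Resource requests, limits, etc. ...` comment and document it, for example `# Security context settings for the server. readOnlyRootFilesystem defaults to true;` followed by `# set it to false only when the server must write outside its mounted volumes.` The enclosing `server:` mapping starts and continues outside this hunk.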
