Rabbitmq: Fix security context

This PS fixes the use of the security context macros for the rabbitmq chart Change-Id: I91499757bd7af95132d0aee33a16d642e26439bb
2019-03-12 18:54:34 -04:00 · 2019-03-12 18:54:34 -04:00 · 7f20bcd938
commit 7f20bcd938
parent 010faee9d5
5 changed files with 43 additions and 8 deletions
--- a/rabbitmq/templates/job-cluster-wait.yaml
+++ b/rabbitmq/templates/job-cluster-wait.yaml
@ -34,6 +34,7 @@ spec:
      labels:
 {{ tuple $envAll "rabbitmq" "cluster-wait" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "cluster_wait" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
@ -43,6 +44,7 @@ spec:
      containers:
        - name: {{.Release.Name}}-rabbitmq-cluster-wait
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: RABBITMQ_ADMIN_CONNECTION
              value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
--- a/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
@ -38,6 +38,7 @@ spec:
 {{ tuple $envAll "prometheus_rabbitmq_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      namespace: {{ $envAll.Values.endpoints.prometheus_rabbitmq_exporter.namespace }}
    spec:
+{{ dict "envAll" $envAll "application" "exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $rcControllerName | quote }}
      nodeSelector:
        {{ $envAll.Values.labels.prometheus_rabbitmq_exporter.node_selector_key }}: {{ $envAll.Values.labels.prometheus_rabbitmq_exporter.node_selector_value | quote }}
@ -48,6 +49,7 @@ spec:
        - name: rabbitmq-exporter
 {{ tuple $envAll "prometheus_rabbitmq_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_rabbitmq_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "exporter" "container" "rabbitmq_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          ports:
            - name: metrics
              containerPort: {{ $envAll.Values.network.prometheus_rabbitmq_exporter.port }}
--- a/rabbitmq/templates/pod-test.yaml
+++ b/rabbitmq/templates/pod-test.yaml
@ -36,6 +36,7 @@ metadata:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
    "helm.sh/hook": test-success
 spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
  serviceAccountName: {{ $serviceAccountName }}
  nodeSelector:
    {{ $envAll.Values.labels.test.node_selector_key }}: {{ $envAll.Values.labels.test.node_selector_value | quote }}
@ -45,6 +46,7 @@ spec:
  containers:
    - name: {{.Release.Name}}-rabbitmq-test
 {{ tuple $envAll "scripted_test" | include "helm-toolkit.snippets.image" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "rabbitmq_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
      env:
        - name: RABBITMQ_ADMIN_CONNECTION
          value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
@ -82,8 +82,7 @@ spec:
        secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
        secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $rcControllerName | quote }}
      affinity:
 {{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -93,9 +92,8 @@ spec:
 {{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
        - name: rabbitmq-password
 {{ tuple $envAll "rabbitmq_init" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq_password" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/rabbitmq-password-hash.py
          env:
@ -122,9 +120,8 @@ spec:
              readOnly: true
        - name: rabbitmq-cookie
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq_cookie" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/rabbitmq-cookie.sh
          volumeMounts:
@ -143,9 +140,8 @@ spec:
 {{- if $envAll.Values.volume.chown_on_start }}
        - name: rabbitmq-perms
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - chown
            - -R
@ -161,6 +157,7 @@ spec:
        - name: rabbitmq
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "server" "container" "rabbitmq" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/rabbitmq-start.sh
          ports:
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@ -48,6 +48,38 @@ images:
      - image_repo_sync

 pod:
+  security_context:
+    exporter:
+      pod:
+        runAsUser: 65534
+      container:
+        rabbitmq_exporter:
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+    server:
+      pod:
+        runAsUser: 0
+      container:
+        rabbitmq_password:
+          readOnlyRootFilesystem: false
+        rabbitmq_cookie:
+          readOnlyRootFilesystem: false
+        rabbitmq_perms:
+          readOnlyRootFilesystem: false
+        rabbitmq:
+          readOnlyRootFilesystem: false
+    cluster_wait:
+      pod:
+        runAsUser: 0
+      container:
+        rabbitmq_cluster_wait:
+          readOnlyRootFilesystem: false
+    test:
+      pod:
+        runAsUser: 0
+      container:
+        rabbitmq_test:
+          readOnlyRootFilesystem: false
  affinity:
    anti:
      type: