2 changes: 2 additions & 0 deletions chart/templates/redis/redis-statefulset.yaml
@@ -22,6 +22,7 @@
{{- $nodeSelector := or .Values.redis.nodeSelector .Values.nodeSelector }}
{{- $affinity := or .Values.redis.affinity .Values.affinity }}
{{- $tolerations := or .Values.redis.tolerations .Values.tolerations }}
{{- $securityContext := include "localSecurityContext" .Values.redis }}
kind: StatefulSet
apiVersion: apps/v1
metadata:
@@ -67,6 +68,7 @@ spec:
imagePullSecrets:
- name: {{ template "registry_secret" . }}
{{- end }}
securityContext: {{ $securityContext | nindent 8 }}
containers:
- name: redis
image: {{ template "redis_image" . }}
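Review bot: The `securityContext: {{ $securityContext | nindent 8 }}` line added before `containers:` is emitted unconditionally, so every render now carries a pod-level security context. With the defaults this commit adds in chart/values.yaml (`uid: 0`, `securityContext: {}`) that is presumably an explicit `runAsUser: 0`. The `localSecurityContext` helper is defined outside this page, so that fallback is inferred from the values comment rather than visible here. Platforms that assign or restrict UIDs at admission can treat an explicit root UID differently from an absent field, so it is worth rendering the chart with default values and confirming the StatefulSet is still admitted on the supported platforms. A template comment such as `{{/* pod-level context: redis.securityContext if set, else runAsUser from redis.uid */}}` above the `$securityContext` assignment would record the precedence.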
18 changes: 18 additions & 0 deletions chart/values.schema.json
@@ -3774,6 +3774,24 @@
}
}
}
},
"securityContext": {
"description": "Security context for the cleanup job pod. If not set, the values from `securityContext` will be used.",
"type": "object",
"$ref": "#/definitions/io.k8s.api.core.v1.PodSecurityContext",
"default": {},
"examples": [
{
"runAsUser": 999,
"runAsGroup": 0,
"fsGroup": 0
}
]
},
"uid": {
"description": "Redis run as user parameter.",
"type": "integer",
"default": 0
}
}
},
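Review bot: The `description` of the new `securityContext` property looks copied from another component. It says "cleanup job pod" and names `securityContext` itself as the fallback, while the property sits next to the Redis `uid` entry and chart/values.yaml in this commit states that `redis.uid` is used when it is unset. Something like `"description": "Security context for the redis pod. If not set, the value of \`redis.uid\` will be used."` would match the values file. The `uid` description could also state that the default `0` is root, since the schema text is what ends up in generated parameter docs.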
7 changes: 7 additions & 0 deletions chart/values.yaml
@@ -1329,6 +1329,13 @@ redis:
affinity: {}
tolerations: []

# Set to 0 for backwards-compatiblity
uid: 0
# If not set, `redis.uid` will be used
securityContext: {}
# runAsUser: 999
# runAsGroup: 0

# Auth secret for a private registry
# This is used if pulling airflow images from a private registry
registry:
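Review bot: The new `uid: 0` default keeps the Redis pod running as root, and the comment above it neither says that 0 is root nor that this is the less safe choice kept only for compatibility. I would reword it to `# UID the redis pod runs as. 0 (root) is kept for backwards-compatibility; prefer a non-root UID`, which also fixes the "compatiblity" typo. The comment on `securityContext` could add that a non-empty value replaces `uid` rather than merging with it, as the updated test asserts (`runAsUser: 7000` wins over `uid: 3000`). Whether a non-root UID can still write the Redis data volume is not visible in this section; the schema example sets `fsGroup` while the commented example here does not, so the two examples should agree.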
20 changes: 15 additions & 5 deletions tests/charts/test_security_context.py
@@ -139,6 +139,7 @@ def test_check_local_setting(self):
"createUserJob": {**component_contexts},
"migrateDatabaseJob": {**component_contexts},
"triggerer": {**component_contexts},
"redis": {**component_contexts},
"statsd": {"enabled": True, **component_contexts},
"airflowVersion": "2.2.0",
"executor": "CeleryKubernetesExecutor",
@@ -152,6 +153,7 @@ def test_check_local_setting(self):
"templates/jobs/create-user-job.yaml",
"templates/jobs/migrate-database-job.yaml",
"templates/statsd/statsd-deployment.yaml",
"templates/redis/redis-statefulset.yaml",
],
)

@@ -160,14 +162,22 @@ def test_check_local_setting(self):
assert 9000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[index])
assert 90 == jmespath.search("spec.template.spec.securityContext.fsGroup", docs[index])

# Test containerSecurity priority over uid under statsd
def test_check_statsd_uid(self):
# Test containerSecurity priority over uid under components using localSecurityContext
def test_check_local_uid(self):
component_contexts = {"uid": 3000, "securityContext": {"runAsUser": 7000}}
docs = render_chart(
values={"statsd": {"enabled": True, "uid": 3000, "securityContext": {"runAsUser": 7000}}},
show_only=["templates/statsd/statsd-deployment.yaml"],
values={
"redis": {**component_contexts},
"statsd": {"enabled": True, **component_contexts},
},
show_only=[
"templates/statsd/statsd-deployment.yaml",
"templates/redis/redis-statefulset.yaml",
],
)

assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])
for doc in docs:
assert 7000 == jmespath.search("spec.template.spec.securityContext.runAsUser", doc)

# Test containerSecurity priority over uid under dags.gitSync
def test_gitsync_sidecar_and_init_container(self):
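Review bot: `test_check_local_uid` only covers the case where both `uid` and `securityContext.runAsUser` are set, so the new Redis fallback path (`redis.uid` alone, including the default `uid: 0`) is not asserted in any visible hunk. A companion case rendering `templates/redis/redis-statefulset.yaml` with `values={"redis": {"uid": 3000}}` and checking `assert 3000 == jmespath.search("spec.template.spec.securityContext.runAsUser", docs[0])` would pin it, assuming the helper maps `uid` to `runAsUser`. The comment above the test says `containerSecurity`, but the assertion reads the pod-level `spec.template.spec.securityContext`; `# Test securityContext priority over uid under components using localSecurityContext` would match what is checked.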