diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6ab3e082..d8a2be78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # Changelog
-## In Development
+## Development
+* Fix syntax with ensure-packs-volumes-are-writable job (#403) (by @skiedude)
+* Add securityContext support to custom st2packs images, extra_hooks jobs; Also fallback to st2actionrunner securityContext for misc init container jobs and pods. (#410) (by @cognifloyd)
+* Stop generating the DataStore Secret (#385) and checksum labels (#391) when existing secret provided or disabled (by @bmarick)
+* Stop generating the checksum labels for Auth Secret (#392) when existing secret provided or disabled (by @bmarick)
+
+## v1.0.0
 * Bump to latest CircleCI orb versions (kubernetes@1.3.1 and helm@3.0.0 by @ZoeLeah)
 * Remove unsupported k8s Versions (1.24.x and 1.25.x by @ZoeLeah)
 * Update and add new K8s versions (1.28.3, 1.27.7 and 1.26.10 by @ZoeLeah)
diff --git a/Chart.yaml b/Chart.yaml
index 6d01f67c..8f450441 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 # StackStorm version which refers to Docker images tag
 appVersion: "3.8"
 name: stackstorm-ha
-version: 0.110.0
+version: 1.0.0
 description: StackStorm K8s Helm Chart, optimized for running StackStorm in HA environment.
 home: https://stackstorm.com/
 icon: https://landscape.cncf.io/logos/stack-storm.svg
diff --git a/README.md b/README.md
index 562d81f2..90c812e4 100644
--- a/README.md
+++ b/README.md
@@ -241,7 +241,7 @@ NOTE: With care, `st2packs` images can be used with `volumes`. Just make sure to
 If a pack is installed via an `st2packs` image and then it gets updated with `st2 pack install`, a subsequent `helm upgrade` will revert back to the version in the `st2packs` image.
 #### Configure the storage volumes
-Enable the `st2.packs.voluems` section of Helm values and add volume definitions for both `packs` and `virtualenvs`.
+Enable the `st2.packs.volumes` section of Helm values and add volume definitions for both `packs` and `virtualenvs`.
 Each of the volume definitions should be customized for your cluster and storage solution.
 For example, to use persistentVolumeClaims:
@@ -369,3 +369,11 @@ This approach allows not only extending sub-chart with custom objects and templa
 but also adds flexibility to include many sub-chart dependencies and pin versions as well as include all the sub-chart values in one single place. This approach is infra-as-code friendly and more reproducible.
 See official Helm documentation about [Subcharts](https://helm.sh/docs/chart_template_guide/#subcharts-and-global-values) and [Dependencies](https://helm.sh/docs/developing_charts/#managing-dependencies-manually-via-the-charts-directory).
+
+## Releasing information
+In order to create a release, the steps are as follows:
+1. Create a pull request by updating [CHANGELOG.md](./CHANGELOG.md) by replacing the "In Development" heading with the new version, and [Chart.yaml](./Chart.yaml) by replacing the `version` value.
+2. Once the pull request is merged, create and push the matching tag (for example, if you are creating release `v1.0.0`, then the tag should also be `v1.0.0`).
+3. After the tag is pushed, create the corresponding [release](https://github.com/StackStorm/stackstorm-k8s/releases).
+4. After the release is created, switch to the `gh-pages` branch, and generate the updated [Helm index](https://helm.sh/docs/helm/helm_repo_index/), [package](https://helm.sh/docs/helm/helm_package/) and [provenance](https://helm.sh/docs/topics/provenance/).
+5. After committing and pushing the changes in the previous step, verify that the new release is present on [ArtifactHub](https://artifacthub.io/packages/helm/stackstorm/stackstorm-ha).
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 200fc7aa..964618d7 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -346,7 +346,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images
 - |
 /bin/cp -aR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared && /bin/cp -aR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared
-{{- with $.Values.securityContext }}
+{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
@@ -367,7 +368,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images
 - |
 /bin/cp -aR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared && /bin/cp -aR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
@@ -386,7 +388,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images
 - '-ec'
 - |
 /bin/cp -aR /opt/stackstorm/configs/. /opt/stackstorm/configs-shared
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
index 687d04f6..fae31be2 100644
--- a/templates/deployments.yaml
+++ b/templates/deployments.yaml
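Review bot: The new fallback hands the st2actionrunner container context to init containers whose only job is `cp -aR` into the shared packs/virtualenvs/configs volumes, and the added comment justifies it as "likely the most permissive" — the opposite of the least-privilege rule for a copy step: if `st2actionrunner.securityContext` adds capabilities such as `net_raw` or `kill` (the test hunk further down does exactly that), every copy container inherits them. The first hunk at least lets a pack image set its own `.securityContext`, which is the right knob, so the comment should steer users there, e.g. `{{/* Prefer the image's own securityContext; fall back to st2actionrunner's (usually the broadest, it writes the same shared volumes), then the chart default. Helm's default treats an empty map as unset, so {} does not opt out. */}}`. The copy containers in the other two hunks have no per-image knob at all, so their only way to shed privileges is to change the runner's context. The enclosing `define` starts and ends outside the hunk.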
@@ -28,7 +28,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2auth") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+{{- if not .Values.st2.existingAuthSecret }}
 checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2auth.postStartScript }}
 checksum/post-start-script: {{ .Values.st2auth.postStartScript | sha256sum }}
 {{- end }}
@@ -164,7 +166,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2api") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2api.postStartScript }}
 checksum/post-start-script: {{ .Values.st2api.postStartScript | sha256sum }}
 {{- end }}
@@ -428,7 +432,7 @@ spec:
 - name: st2web
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2web:{{ tpl (.Values.st2web.image.tag | default .Values.image.tag) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with default .Values.securityContext .Values.st2web.securityContext }}
+{{- with .Values.st2web.securityContext | default .Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 ports:
@@ -515,7 +519,7 @@ spec:
 {{- with .Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with default .Values.podSecurityContext .Values.st2client.podSecurityContext }}
+{{- with .Values.st2web.podSecurityContext | default .Values.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.st2web.nodeSelector }}
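Review bot: The `@@ -515` hunk quietly changes rendered output: the st2web pod previously took `.Values.st2client.podSecurityContext` (a copy-paste slip) and now takes `.Values.st2web.podSecurityContext`, so a user who had set only the st2client override loses it on the st2web pod after upgrading; that is a fix, but it deserves its own CHANGELOG line next to the other securityContext entries, and the changelog hunk above does not mention it. In the first hunk, dropping `checksum/auth` when `st2.existingAuthSecret` is set is reasonable (the rendered secret template presumably contains nothing of the external secret to hash), but the consequence should be stated where the next reader will look: `{{- /* external auth secret is not checksummed: rotating it does not roll st2auth, restart the pods yourself */ -}}` above the `if`. Each `annotations:` map here belongs to a pod template that continues outside the hunk.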
@@ -548,7 +552,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2rulesengine") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2rulesengine.postStartScript }}
 checksum/post-start-script: {{ .Values.st2rulesengine.postStartScript | sha256sum }}
 {{- end }}
@@ -769,7 +775,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2workflowengine") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2workflowengine.postStartScript }}
 checksum/post-start-script: {{ .Values.st2workflowengine.postStartScript | sha256sum }}
 {{- end }}
@@ -886,7 +894,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2scheduler") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2scheduler.postStartScript }}
 checksum/post-start-script: {{ .Values.st2scheduler.postStartScript | sha256sum }}
 {{- end }}
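Review bot: The guard `and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret)` is pasted verbatim into every deployment's annotations (six copies in this file, plus a `$`-rooted variant in the sensor container block below), so the `"disable"` sentinel and the existing-secret check can drift between pods and anyone adding a pod has to know to copy it. A named template in `_helpers.tpl` that renders the whole annotation line, called as `{{- include "stackstorm-ha.datastoreKeyChecksum" . | nindent 8 }}` (passing `$` where the hunk uses `$`), keeps the decision in one place; the indent must match the surrounding `checksum/*` lines, whose indentation is not visible here. Each `annotations:` map belongs to a pod template that continues outside the hunk.
```yaml
{{/*
Render the datastore crypto-key checksum annotation, unless the key is
disabled or comes from an existing Secret that this chart does not render.
*/}}
{{- define "stackstorm-ha.datastoreKeyChecksum" -}}
{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
checksum/datastore-key: {{ include (print .Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
{{- end }}
{{- end -}}
```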
@@ -1137,7 +1147,9 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") $ | sha256sum }}
 checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") $ | sha256sum }}
+{{- if and (ne "disable" (default "" $.Values.st2.datastore_crypto_key)) (not $.Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") $ | sha256sum }}
+{{- end }}
 {{- if $.Values.st2sensorcontainer.postStartScript }}
 checksum/post-start-script: {{ $.Values.st2sensorcontainer.postStartScript | sha256sum }}
 {{- end }}
@@ -1188,7 +1200,7 @@ spec:
 - name: {{ $name }}
 image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2sensorcontainer:{{ tpl ($sensor.image.tag | default $.Values.image.tag) $ }}'
 imagePullPolicy: {{ $.Values.image.pullPolicy }}
-{{- with default $.Values.securityContext $sensor.securityContext }}
+{{- with $sensor.securityContext | default $.Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- with $sensor.readinessProbe }}
@@ -1283,7 +1295,7 @@ spec:
 {{- with $.Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with default $.Values.podSecurityContext $sensor.podSecurityContext }}
+{{- with $sensor.podSecurityContext | default $.Values.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with $sensor.nodeSelector }}
@@ -1319,7 +1331,9 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
 checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
+{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2actionrunner.postStartScript }}
 checksum/post-start-script: {{ .Values.st2actionrunner.postStartScript | sha256sum }}
 {{- end }}
@@ -1354,7 +1368,7 @@ spec:
 image: '{{ .image.repository | default (include "stackstorm-ha.imageRepository" $) }}/{{ .image.name | default "st2actionrunner" }}:{{ tpl (.image.tag | default $.Values.image.tag) $ }}'
 {{- end }}
 imagePullPolicy: {{ .Values.st2actionrunner.image.pullPolicy | default .Values.image.pullPolicy }}
-{{- with default .Values.securityContext .Values.st2actionrunner.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 # TODO: Add liveness/readiness probes (#3)
@@ -1437,7 +1451,7 @@ spec:
 {{- with .Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with default .Values.podSecurityContext .Values.st2actionrunner.podSecurityContext }}
+{{- with .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.st2actionrunner.nodeSelector }}
@@ -1573,9 +1587,13 @@ spec:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
 checksum/rbac: {{ include (print $.Template.BasePath "/configmaps_rbac.yaml") . | sha256sum }}
 checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }}
+{{- if not .Values.st2.existingAuthSecret }}
 checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }}
+{{- end }}
 checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
+{{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+{{- end }}
 {{- if .Values.st2.overrides }}
 checksum/overrides: {{ include (print $.Template.BasePath "/configmaps_overrides.yaml") . | sha256sum }}
 {{- end }}
@@ -1601,7 +1619,7 @@ spec:
 - name: generate-st2client-config
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.st2client.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with .Values.securityContext }}
+{{- with .Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 envFrom:
@@ -1628,7 +1646,7 @@ spec:
 - name: st2client
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.st2client.image.tag | default .Values.image.tag) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with default .Values.securityContext .Values.st2actionrunner.securityContext }}
+{{- with .Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 env:
@@ -1729,7 +1747,7 @@ spec:
 {{- with .Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with default .Values.podSecurityContext .Values.st2client.podSecurityContext }}
+{{- with .Values.st2client.podSecurityContext | default .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.st2client.nodeSelector }}
diff --git a/templates/jobs.yaml b/templates/jobs.yaml
index 6f421b3b..0f6792ec 100644
--- a/templates/jobs.yaml
+++ b/templates/jobs.yaml
@@ -412,7 +412,8 @@ spec:
 - name: st2-register-content-custom-init
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.jobs.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 command: {{- toYaml $.Values.jobs.preRegisterContentCommand | nindent 8 }}
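Review bot: With `.Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext` (and the matching pod chain at `@@ -1729`), an st2client deployment with no explicit override now renders the runner's container and pod contexts instead of the chart defaults it rendered before; users who granted capabilities to st2actionrunner but left st2client at the default get a different st2client pod after upgrade, and the values.yaml hunks below do not touch the st2client section to say so. Add next to the st2client overrides in values.yaml: `# when unset, inherits st2actionrunner's override (not the global default); an empty {} also counts as unset`. The old `default .Values.securityContext .Values.st2actionrunner.securityContext` ignored `st2client.securityContext` entirely for this container, so honoring it is a genuine fix. The container list continues outside the hunk.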
@@ -426,7 +427,8 @@ spec:
 - name: st2-register-content
 image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.jobs.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}'
 imagePullPolicy: {{ .Values.image.pullPolicy }}
-{{- with .Values.securityContext }}
+{{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 command:
@@ -471,7 +473,8 @@ spec:
 {{- with .Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with .Values.podSecurityContext }}
+{{- with .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }}
+{{/* st2actionrunner is likely the most permissive so use that if defined. */}}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.jobs.nodeSelector }}
@@ -541,7 +544,7 @@ spec:
 and then delete this st2canary pod manually.
 INTRO
-function __handle_error__(){
+function __handle_error__ {
 cat <<- 'FAIL'
 ERROR: One or more volumes in st2.packs.volumes (from helm values) does not meet StackStorm's shared volumes requirements!
@@ -578,6 +581,7 @@ spec:
 {{- toYaml $.Values.st2.packs.volumes.configs | nindent 10 }}
 {{- end }}
 # st2canary job does not support extra_volumes. Let us know if you need this.
+restartPolicy: Never
 {{- if $.Values.dnsPolicy }}
 dnsPolicy: {{ $.Values.dnsPolicy }}
 {{- end }}
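Review bot: The register-content job's pod and container contexts now chain `st2actionrunner → global` with no job-level knob, so the only way to give this one-shot job a tighter (or merely different) context than the long-running runners is to edit `st2actionrunner.securityContext`, which changes the runners too; extra_hooks gained per-hook `podSecurityContext`/`securityContext` in this same commit, and this job should get the equivalent under `jobs`: `{{- with .Values.jobs.podSecurityContext | default .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }}` here, with the `securityContext` counterpart on the two containers in the hunks above. The "most permissive" comment copied onto each of them would then be better replaced by one that names the fallback order. The Job spec these hunks sit in starts and ends outside the hunk.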
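Review bot: `function __handle_error__ {` is a bash/ksh spelling that POSIX `sh` rejects at parse time (`function` is not a keyword there), so the fix only holds while the canary script is run by bash; the interpreter invocation is outside this hunk and cannot be checked here. The portable form `__handle_error__() {` is accepted by both bash and sh and removes the dependency, which matters for a script whose entire purpose is to fail loudly rather than silently. The heredoc-driven script continues outside the hunk.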
@@ -641,7 +645,7 @@ spec:
 - name: generate-st2client-config
 image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}'
 imagePullPolicy: {{ $.Values.image.pullPolicy }}
-{{- with $.Values.securityContext }}
+{{- with $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 envFrom:
@@ -668,7 +672,7 @@ spec:
 - name: {{ $name }}
 image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}'
 imagePullPolicy: {{ $.Values.image.pullPolicy }}
-{{- with $.Values.securityContext }}
+{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}
 securityContext: {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- if $.Values.jobs.env }}
@@ -718,7 +722,7 @@ spec:
 {{- with $.Values.dnsConfig }}
 dnsConfig: {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- with $.Values.podSecurityContext }}
+{{- with .podSecurityContext | default $.Values.st2actionrunner.podSecurityContext | default $.Values.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with $.Values.jobs.nodeSelector }}
diff --git a/tests/unit/security_context_test.yaml b/tests/unit/security_context_test.yaml
index bde31b3d..0468d362 100644
--- a/tests/unit/security_context_test.yaml
+++ b/tests/unit/security_context_test.yaml
@@ -18,6 +18,9 @@ templates:
 - secrets_st2auth.yaml
 - secrets_st2chatops.yaml
+# TODO: test initContainers that use st2.packs.images[].securityContext
+# (there is no good way to select initContainers)
+
 tests:
 - it: Deployment and Job Pods+Containers have no SecurityContext by default
 templates:
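Review bot: The `generate-st2client-config` init container at `@@ -641` still resolves `$.Values.st2actionrunner.securityContext | default $.Values.securityContext`, while the hook's main container at `@@ -668` and its pod at `@@ -718` now honor the per-hook `.securityContext`/`.podSecurityContext`; if this init container sits inside the same `range` over `jobs.extra_hooks` (the `$`-rooted references and the shared `generate-st2client-config` name suggest it does), a hook that restricts its own container context still runs its init step under the runner's broader one. Use the same chain there: `{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}`. The range body starts and ends outside the hunk.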
@@ -34,6 +37,7 @@ tests:
 # job-st2-apikey-load
 # job-st2-key-load
 # job-st2-register-content
+# job-ensure-packs-volumes-are-writable
 # extra_hooks job
 set:
 st2chatops:
@@ -135,7 +139,16 @@ tests:
 template: deployments.yaml
 set:
 st2:
-packs: { sensors: [] } # ensure only 1 sensor
+packs:
+sensors: [] # ensure only 1 sensor
+#images: &st2_packs_images
+# - repository: index.docker.io/stackstorm
+# name: st2packs
+# tag: example
+# securityContext: &st2packs_security_context
+# capabilities:
+# drop: [ALL]
+# add: [kill, net_raw, chown, fowner]
 rbac: { enabled: true } # enable rbac job
 podSecurityContext: *global_pod_security_context
@@ -159,8 +172,14 @@ tests:
 securityContext: *security_context_override
 st2client:
-podSecurityContext: *pod_security_context_override
-securityContext: *security_context_override
+podSecurityContext: &pod_security_context_override_2
+fsGroup: 8888
+supplementalGroups: [4444]
+securityContext: &security_context_override_2
+capabilities:
+drop: [ALL]
+add: [kill, net_raw, chown]
+
 asserts:
 - hasDocuments:
 count: 13
@@ -231,16 +250,202 @@ tests:
 # st2client pod
 - notEqual: *global_pod_security_context_assert
 documentIndex: 12
+- notEqual: *override_pod_security_context_assert
+documentIndex: 12
+- equal: &override_pod_security_context_assert_2
+path: spec.template.spec.securityContext
+value: *pod_security_context_override_2
+documentIndex: 12
+
+# st2client container
+- notEqual: *global_container0_security_context_assert
+documentIndex: 12
+- notEqual: *override_container0_security_context_assert
+documentIndex: 12
+- equal: &override_container0_security_context_assert_2
+path: spec.template.spec.containers[0].securityContext
+value: *security_context_override_2
+documentIndex: 12
+# path can only select one element, not all initContainers (if present).
+#- notEqual: *global_initcontainers_security_context_assert
+# documentIndex: 12
+#- notEqual: *override_initcontainers_security_context_assert
+# documentIndex: 12
+#- equal: &override_initcontainers_security_context_assert_2
+# path: spec.template.spec.initContainers[].securityContext
+# value: *security_context_override
+# documentIndex: 12
+
+- it: st2client Deployment Pod+Containers default to st2actionrunner SecurityContext overrides
+template: deployments.yaml
+set:
+st2:
+packs:
+sensors: [] # ensure only 1 sensor
+#images: *st2_packs_images
+rbac: { enabled: true } # enable rbac job
+
+podSecurityContext: *global_pod_security_context
+securityContext: *global_security_context
+
+st2actionrunner:
+podSecurityContext: *pod_security_context_override
+securityContext: *security_context_override
+
+#st2client: no override defined
+
+asserts:
+- hasDocuments:
+count: 13
+
+# st2client pod
+- notEqual: *global_pod_security_context_assert
+documentIndex: 12
+- notEqual: *override_pod_security_context_assert_2
+documentIndex: 12
 - equal: *override_pod_security_context_assert
 documentIndex: 12
 # st2client container
 - notEqual: *global_container0_security_context_assert
 documentIndex: 12
+- notEqual: *override_container0_security_context_assert_2
+documentIndex: 12
 - equal: *override_container0_security_context_assert
 documentIndex: 12
 # path can only select one element, not all initContainers (if present).
 #- notEqual: *global_initcontainers_security_context_assert
 # documentIndex: 12
+#- notEqual: *override_initcontainers_security_context_assert_2
+# documentIndex: 12
 #- equal: *override_initcontainers_security_context_assert
 # documentIndex: 12
+
+# overrides for register-content job and extra_hooks job(s)
+# document indexes: 3, 5
+
+- it: extra_hooks Jobs Pod+Containers accept SecurityContext overrides
+template: jobs.yaml
+set:
+st2:
+packs:
+sensors: [] # ensure only 1 sensor
+images: []
+volumes: *volumes_enabled
+configs: {} # has one core.yaml config file by default (dicts get merged)
+rbac: { enabled: true } # enable rbac job
+
+podSecurityContext: *global_pod_security_context
+securityContext: *global_security_context
+
+st2actionrunner:
+podSecurityContext: *pod_security_context_override
+securityContext: *security_context_override
+
+jobs:
+extra_hooks:
+- name: upgrade-warning
+hook: pre-upgrade, pre-rollback
+hook_weight: -5
+command: ["st2", "run", "--tail", "custom_pack.warn_about_upgrade"]
+podSecurityContext: *pod_security_context_override_2
+securityContext: *security_context_override_2
+
+asserts:
+- hasDocuments:
+count: 6
+
+# extra_hooks job pod
+- notEqual: *global_pod_security_context_assert
+documentIndex: 5
+- notEqual: *override_pod_security_context_assert
+documentIndex: 5
+- equal: *override_pod_security_context_assert_2
+documentIndex: 5
+
+# extra_hooks job container
+- notEqual: *global_container0_security_context_assert
+documentIndex: 5
+- notEqual: *override_container0_security_context_assert
+documentIndex: 5
+- equal: *override_container0_security_context_assert_2
+documentIndex: 5
+# path can only select one element, not all initContainers (if
present).
+#- notEqual: *global_initcontainers_security_context_assert
+# documentIndex: 5
+#- notEqual: *override_initcontainers_security_context_assert
+# documentIndex: 5
+#- equal: *override_initcontainers_security_context_assert_2
+# documentIndex: 5
+
+- it: register-content and extra_hooks Jobs Pod+Containers default to st2actionrunner SecurityContext overrides
+template: jobs.yaml
+set:
+st2:
+packs:
+sensors: [] # ensure only 1 sensor
+images: []
+volumes: *volumes_enabled
+configs: {} # has one core.yaml config file by default (dicts get merged)
+rbac: { enabled: true } # enable rbac job
+
+podSecurityContext: *global_pod_security_context
+securityContext: *global_security_context
+
+st2actionrunner:
+podSecurityContext: *pod_security_context_override
+securityContext: *security_context_override
+
+jobs:
+extra_hooks: *jobs_extra_hooks
+# does not override podSecurityContext or securityContext
+
+asserts:
+- hasDocuments:
+count: 6
+
+# job-register-content pod
+- notEqual: *global_pod_security_context_assert
+documentIndex: 3
+- notEqual: *override_pod_security_context_assert_2
+documentIndex: 3
+- equal: *override_pod_security_context_assert
+documentIndex: 3
+
+# job-register-content container
+- notEqual: *global_container0_security_context_assert
+documentIndex: 3
+- notEqual: *override_container0_security_context_assert_2
+documentIndex: 3
+- equal: *override_container0_security_context_assert
+documentIndex: 3
+# path can only select one element, not all initContainers (if present).
+#- notEqual: *global_initcontainers_security_context_assert
+# documentIndex: 3
+#- notEqual: *override_initcontainers_security_context_assert_2
+# documentIndex: 3
+#- equal: *override_initcontainers_security_context_assert
+# documentIndex: 3
+
+# extra_hooks job pod
+- notEqual: *global_pod_security_context_assert
+documentIndex: 5
+- notEqual: *override_pod_security_context_assert_2
+documentIndex: 5
+- equal: *override_pod_security_context_assert
+documentIndex: 5
+
+# extra_hooks job container
+- notEqual: *global_container0_security_context_assert
+documentIndex: 5
+- notEqual: *override_container0_security_context_assert_2
+documentIndex: 5
+- equal: *override_container0_security_context_assert
+documentIndex: 5
+# path can only select one element, not all initContainers (if present).
+#- notEqual: *global_initcontainers_security_context_assert
+# documentIndex: 5
+#- notEqual: *override_initcontainers_security_context_assert_2
+# documentIndex: 5
+#- equal: *override_initcontainers_security_context_assert
+# documentIndex: 5
diff --git a/values.yaml b/values.yaml
index 81038d37..06a77d7c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -150,6 +150,8 @@ st2:
 # pullPolicy: IfNotPresent
 # Optional name of the imagePullSecret if your custom packs image is hosted by a private Docker registry
 # pullSecret: st2packs-auth
+# Optional .securityContext override for container
+# securityContext:
 # Custom packs volumes definitions.
 #
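Review bot: The commented-out `initContainers[].securityContext` assertions and the TODO at the top of the file say init containers cannot be selected, yet the same hunk already selects one container by index with `spec.template.spec.containers[0].securityContext`; `spec.template.spec.initContainers[0].securityContext` works the same way and would at least pin the first init container of the st2client deployment (document 12) and of the register-content and extra_hooks jobs (documents 3 and 5), which is exactly where this commit changed the fallback. Which index holds the st2packs copy container depends on template order not visible here, so a comment such as `# initContainers[0] is generate-st2client-config; packs copy containers follow` belongs beside the assertion. The test file continues outside the hunk.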
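Review bot: `# Optional .securityContext override for container` does not say which container — as far as this diff shows, an st2packs image only ever runs the copy init container from `_helpers.tpl`, not a long-lived one — nor that an unset value now falls through to `st2actionrunner.securityContext` before the global default. Spell it out: `# Optional securityContext for the init container that copies this image's packs/virtualenvs into the shared volumes; when unset, falls back to st2actionrunner.securityContext, then the global securityContext (an empty {} also counts as unset).` The `st2.packs.images` example this sits in continues outside the hunk.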
@@ -703,7 +705,7 @@ st2actionrunner:
 attach: false
 # override the default .podSecurityContext or .securityContext here
 podSecurityContext: {}
-securityContext: {}
+securityContext: {} # also applies to init or jobs containers that copy/modify files
 # postStartScript is optional. It has the contents of a bash script.
 # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
 # The pod will not be marked as "running" until this script completes successfully.
@@ -984,6 +986,8 @@ jobs:
 # hook: post-install # required "helm.sh/hook"
 # hook_weight: 10 # optional hook_weight (defaults to 10)
 # resources: {} # optional definition of resources to request
+# podSecurityContext: {} # optional definition of pod securityContext override
+# securityContext: {} # optional definition of container securityContext override
 # command: # required command to run
 # - st2
 # - run
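Review bot: `# also applies to init or jobs containers that copy/modify files` is too vague for a value that now sets privileges in several other pods, and it omits that `podSecurityContext` on the line above is reused the same way. Name the consumers and the consequence: `# Unless overridden there, also used by the st2packs copy init containers, the register-content job, extra_hooks jobs and the st2client deployment. Keep it minimal: a capability added here is granted to all of them.` The st2actionrunner values block continues outside the hunk.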
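Review bot: The new `podSecurityContext: {}` / `securityContext: {}` examples for extra_hooks read as if an empty map removes the context, but the templates resolve them with `default`, which treats an empty map as unset and falls through to st2actionrunner's override, then the global one. Say so in the comment: `# optional container securityContext override; unset or {} inherits st2actionrunner.securityContext, then the global securityContext`, and the same for `podSecurityContext`. The example hook continues outside the hunk.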