diff --git a/templates/backup.yml b/templates/backup.yml index 18d2d57..95332e5 100644 --- a/templates/backup.yml +++ b/templates/backup.yml @@ -3,7 +3,7 @@ apiVersion: {{ include "common.capabilities.cronjob.apiVersion" . }} kind: CronJob metadata: - name: {{ template "common.names.fullname" . }} + name: {{ printf "%s-backup" (include "common.names.fullname" $) }} labels: {{- include "stream.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} @@ -34,6 +34,9 @@ spec: - name: backup image: {{ include "common.images.image" (dict "imageRoot" .Values.backup.image) }} imagePullPolicy: {{ .Values.backup.imagePullPolicy | default "IfNotPresent" | quote }} + {{- if .Values.backup.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.backup.containerSecurityContext "enabled" | toYaml | nindent 14 }} + {{- end }} command: - toolbox - backup @@ -52,5 +55,8 @@ spec: {{- end }} resources: {{- toYaml .Values.backup.resources | nindent 14 }} restartPolicy: Never + {{- if .Values.backup.podSecurityContext.enabled }} + securityContext: {{- omit .Values.backup.podSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} backoffLimit: {{ .Values.backup.backoffLimit }} {{- end -}} diff --git a/templates/upgrade.yml b/templates/upgrade.yml index a65c2e5..8c47f6b 100644 --- a/templates/upgrade.yml +++ b/templates/upgrade.yml 
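Review bot: The new `metadata.name` appends `-backup` after `common.names.fullname` has already produced its final string, so the resulting CronJob name is no longer length-bounded. Kubernetes limits CronJob names to 52 characters because the controller appends a suffix when it creates Jobs. If the helper truncates at 63 characters, as such helpers commonly do (its body is not visible here), a long release name will be rejected at install time. Truncate before adding the suffix, for example `name: {{ printf "%s-backup" (include "common.names.fullname" $ | trunc 45 | trimSuffix "-") }}`.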
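Review bot: `.Values.backup.containerSecurityContext.enabled` is dereferenced without a guard, so rendering fails with a nil-pointer error whenever the parent map is absent. One such case is `helm upgrade --reuse-values` on a release created before these keys existed, where the new defaults from values.yaml are not merged. The same pattern is used for `backup.podSecurityContext` in the last hunk of this file and for both `upgrade.*SecurityContext` blocks in templates/upgrade.yml. A guarded lookup such as `{{- $csc := .Values.backup.containerSecurityContext | default dict }}` followed by `{{- if $csc.enabled }}` keeps the template renderable. That fallback silently renders the job with no securityContext, so if the hardening is meant to be mandatory, wrapping the lookup in `required` with a clear message is the fail-closed alternative.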
@@ -11,6 +11,9 @@ spec: - name: stream-upgrade image: {{ include "common.images.image" (dict "imageRoot" .Values.upgrade.image "global" .Values.global) }} imagePullPolicy: {{ .Values.upgrade.image.pullPolicy | default "IfNotPresent" | quote }} + {{- if .Values.upgrade.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.upgrade.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.upgrade.image) "context" $) | nindent 10 }} args: [ "-y", @@ -26,5 +29,8 @@ spec: name: {{ include "common.secrets.name" (dict "existingSecret" .Values.externalDatabase.secretName "context" $) }} key: {{ include "common.secrets.key" (dict "existingSecret" .Values.externalDatabase.secretKey "key" "mongoUri") }} restartPolicy: Never + {{- if .Values.upgrade.podSecurityContext.enabled }} + securityContext: {{- omit .Values.upgrade.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} backoffLimit: 0 {{- end }} diff --git a/values.yaml b/values.yaml index 98ae97a..b8137e7 100644 --- a/values.yaml +++ b/values.yaml 
@@ -556,7 +556,27 @@ upgrade: limits: memory: 512Mi cpu: 500m - requests: {} + requests: + memory: 512Mi + cpu: 500m + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param upgrade.podSecurityContext.enabled Enabled Horizon pods' Security Context + ## @param upgrade.podSecurityContext.fsGroup Set Horizon pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context (only main container) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param upgrade.containerSecurityContext.enabled Enabled Horizon containers' Security Context + ## @param upgrade.containerSecurityContext.runAsUser Set Horizon container's Security Context runAsUser + ## @param upgrade.containerSecurityContext.runAsNonRoot Set Horizon container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true ## Configuration for a Stream external database ## Refer to the Stream installation guide to configure the installation correctly 
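Review bot: The default `containerSecurityContext` sets only `runAsUser` and `runAsNonRoot`, which leaves privilege escalation, Linux capabilities and the seccomp profile at the runtime defaults; the same defaults are repeated for `backup` in the next hunk. Because the upgrade job reads the `mongoUri` secret, consider also defaulting `allowPrivilegeEscalation: false`, dropping all capabilities and selecting the `RuntimeDefault` seccomp profile, assuming neither image needs extra capabilities (not verifiable from this diff). The templates pass every key except `enabled` through `toYaml`, so no template change is needed, but each added key should get its own `## @param` line. The existing `@param` descriptions also say "Horizon" although these values configure the upgrade and backup jobs, which looks like a leftover from another chart.

```yaml
  # … unchanged: @param comments, enabled, runAsUser …
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
```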
@@ -620,15 +640,35 @@ backup: tag: v0.2.0 pullPolicy: IfNotPresent pullSecrets: [] + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param backup.podSecurityContext.enabled Enabled Horizon pods' Security Context + ## @param backup.podSecurityContext.fsGroup Set Horizon pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context (only main container) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param backup.containerSecurityContext.enabled Enabled Horizon containers' Security Context + ## @param backup.containerSecurityContext.runAsUser Set Horizon container's Security Context runAsUser + ## @param backup.containerSecurityContext.runAsNonRoot Set Horizon container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true ## backup container resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## @param backup.resources.limits [object] The resources limits for the backup container ## @param backup.resources.requests [object] The requested resources for the backup container resources: limits: - memory: 126Mi cpu: 500m - requests: {} + memory: 512Mi + requests: + cpu: 500m + memory: 512Mi ## Configure environment variable injections into the backup pods. ## This is the way you should inject secrets into the app if you wish ## to use the Kubernetes secrets implementation.