fix: set resource limit/request and security context for upgrade/back…

templates/backup.yml

@@ -3,7 +3,7 @@
 apiVersion: {{ include "common.capabilities.cronjob.apiVersion" . }}
 kind: CronJob
 metadata:
-  name: {{ template "common.names.fullname" . }}
+  name: {{ printf "%s-backup" (include "common.names.fullname" $) }}
   labels: {{- include "stream.labels.standard" . | nindent 4 }}
   {{- if .Values.commonLabels }}
   {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
@@ -34,6 +34,9 @@ spec:
           - name: backup
             image: {{ include "common.images.image" (dict "imageRoot" .Values.backup.image) }}
             imagePullPolicy: {{ .Values.backup.imagePullPolicy | default "IfNotPresent" | quote }}
+            {{- if .Values.backup.containerSecurityContext.enabled }}
+            securityContext: {{- omit .Values.backup.containerSecurityContext "enabled" | toYaml | nindent 14 }}
+            {{- end }}
             command:
               - toolbox
               - backup
@@ -52,5 +55,8 @@ spec:
             {{- end }}
             resources: {{- toYaml .Values.backup.resources | nindent 14 }}
           restartPolicy: Never
+          {{- if .Values.backup.podSecurityContext.enabled }}
+          securityContext: {{- omit .Values.backup.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
       backoffLimit: {{ .Values.backup.backoffLimit }}
 {{- end -}}

templates/upgrade.yml

@@ -11,6 +11,9 @@ spec:
         - name: stream-upgrade
           image: {{ include "common.images.image" (dict "imageRoot" .Values.upgrade.image "global" .Values.global) }}
           imagePullPolicy: {{ .Values.upgrade.image.pullPolicy | default "IfNotPresent" | quote }}
+          {{- if .Values.upgrade.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.upgrade.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.upgrade.image) "context" $) | nindent 10 }}
           args: [
               "-y",
@@ -26,5 +29,8 @@ spec:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.externalDatabase.secretName "context" $) }}
                   key: {{ include "common.secrets.key" (dict "existingSecret" .Values.externalDatabase.secretKey "key" "mongoUri") }}
       restartPolicy: Never
+      {{- if .Values.upgrade.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.upgrade.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
   backoffLimit: 0
 {{- end }}

values.yaml

@@ -556,7 +556,27 @@ upgrade:
     limits:
       memory: 512Mi
       cpu: 500m
-    requests: {}
+    requests:
+      memory: 512Mi
+      cpu: 500m
+  ## Configure Pods Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param upgrade.podSecurityContext.enabled Enabled Horizon pods' Security Context
+  ## @param upgrade.podSecurityContext.fsGroup Set Horizon pod's Security Context fsGroup
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Configure Container Security Context (only main container)
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ## @param upgrade.containerSecurityContext.enabled Enabled Horizon containers' Security Context
+  ## @param upgrade.containerSecurityContext.runAsUser Set Horizon container's Security Context runAsUser
+  ## @param upgrade.containerSecurityContext.runAsNonRoot Set Horizon container's Security Context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
 
 ## Configuration for a Stream external database
 ## Refer to the Stream installation guide to configure the installation correctly
@@ -620,15 +640,35 @@ backup:
     tag: v0.2.0
     pullPolicy: IfNotPresent
     pullSecrets: []
+  ## Configure Pods Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param backup.podSecurityContext.enabled Enabled Horizon pods' Security Context
+  ## @param backup.podSecurityContext.fsGroup Set Horizon pod's Security Context fsGroup
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Configure Container Security Context (only main container)
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ## @param backup.containerSecurityContext.enabled Enabled Horizon containers' Security Context
+  ## @param backup.containerSecurityContext.runAsUser Set Horizon container's Security Context runAsUser
+  ## @param backup.containerSecurityContext.runAsNonRoot Set Horizon container's Security Context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
   ## backup container resource requests and limits
   ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
   ## @param backup.resources.limits [object] The resources limits for the backup container
   ## @param backup.resources.requests [object] The requested resources for the backup container
   resources:
     limits:
-      memory: 126Mi
       cpu: 500m
-    requests: {}
+      memory: 512Mi
+    requests:
+      cpu: 500m
+      memory: 512Mi
   ## Configure environment variable injections into the backup pods.
   ## This is the way you should inject secrets into the app if you wish
   ## to use the Kubernetes secrets implementation.