fix (chart): pod and container security context (#158)

* fix: separate POD and Container security contexts

---------

On-behalf-of: @SAP angel.kafazov@sap.com
Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>

charts/account-operator/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.1.9
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.1.9
-digest: sha256:251b9de38323229efb7732e143e7c5208f0f897eb4baf02654660afb74ef1de4
-generated: "2024-12-10T13:41:52.731639377Z"
+  version: 0.2.4
+digest: sha256:f5517b37743d69737ac4f12297bf7762ed16402f3f4f83d055910d24555d48e5
+generated: "2024-12-23T15:27:50.327364112+02:00"

charts/account-operator/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: account-operator
 description: A Helm chart to deploy OpenMFP Account-Operator
 type: application
-version: 0.5.26
+version: 0.5.27
 appVersion: "0.124.0"
 dependencies:
   - name: account-operator-crds
     version: 0.1.9
     condition: crds.enabled
     repository: oci://ghcr.io/openmfp/helm-charts
   - name: common
-    version: 0.1.9
+    version: 0.2.4
     repository: oci://ghcr.io/openmfp/helm-charts

charts/account-operator/templates/deployment.yaml

@@ -27,7 +27,7 @@ spec:
         traffic.sidecar.istio.io/excludeInboundPorts: "9443"
         {{- end }}
     spec:
-      {{ include "common.container.securityContext" . | nindent 6 }}
+      {{- include "common.pod.securityContext" . | nindent 6 }}
       containers:
         - args:
           - operator
@@ -36,15 +36,16 @@ spec:
           - '--health-probe-bind-address=:{{ include "common.getKeyValue" (dict "Values" .Values "key" "health.port") }}'
           image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
           name: manager
+          {{- include "common.container.securityContext" . | nindent 10 }}
           ports:
-          {{ include "common.PortsMetricsHealth" . | nindent 10 }}
+          {{- include "common.PortsMetricsHealth" . | nindent 10 -}}
           {{- if .Values.webhooks.enabled }}
           - name: webhook-port
             containerPort: 9443
             protocol: TCP
           {{- end }}
-          {{ include "common.operatorHealthAndReadyness" . | nindent 10 }}
-          {{ include "common.resources" . | nindent 10 }}
+          {{- include "common.operatorHealthAndReadyness" . | nindent 10 -}}
+          {{- include "common.resources" . | nindent 10 }}
           env:
           - name: SUBROUTINES_NAMESPACE_ENABLED
             value: "{{ .Values.subroutines.namespace.enabled }}"
@@ -99,6 +100,3 @@ spec:
             defaultMode: 420
             secretName: {{ include "common.entity.name" . }}-webhook-server-cert
         {{- end }}
-
-
-

charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap

@@ -353,6 +353,11 @@ operator match the snapshot:
                 requests:
                   cpu: 150m
                   memory: 128Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
               startupProbe:
                 failureThreshold: 30
                 httpGet:
@@ -361,7 +366,6 @@ operator match the snapshot:
                 periodSeconds: 10
               volumeMounts: null
           securityContext:
-            readOnlyRootFilesystem: true
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
@@ -732,6 +736,11 @@ operator match the snapshot (with kubeconfigSecret):
                 requests:
                   cpu: 40m
                   memory: 50Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
               startupProbe:
                 failureThreshold: 30
                 httpGet:
@@ -742,7 +751,6 @@ operator match the snapshot (with kubeconfigSecret):
                 - mountPath: /api-kubeconfig
                   name: external-api-server
           securityContext:
-            readOnlyRootFilesystem: true
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
@@ -1120,6 +1128,11 @@ operator match the snapshot with webhook enabled:
                 requests:
                   cpu: 150m
                   memory: 128Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
               startupProbe:
                 failureThreshold: 30
                 httpGet:
@@ -1131,7 +1144,6 @@ operator match the snapshot with webhook enabled:
                   name: cert
                   readOnly: true
           securityContext:
-            readOnlyRootFilesystem: true
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault

charts/account-operator/tests/deployment_test.yaml

@@ -57,7 +57,6 @@ tests:
           path: spec.template.spec.securityContext
           value:
             runAsNonRoot: true
-            readOnlyRootFilesystem: true
             seccompProfile:
               type: RuntimeDefault
       - equal:

charts/common/Chart.yaml

@@ -4,4 +4,4 @@ description: A Helm chart containing reuse templates
 
 type: library
 
-version: 0.2.4
+version: 0.2.5

charts/common/test-chart/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -25,5 +25,5 @@ appVersion: "1.16.0"
 
 dependencies:
   - name: common
-    version: 0.2.1
+    version: 0.2.4
     repository: file://..

charts/example-content/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.1.9
-digest: sha256:6577fd73184b0969a73a585bf2f488c01d1433d706d7efc13320228988ce3ee4
-generated: "2024-12-10T13:42:01.113934126Z"
+  version: 0.2.4
+digest: sha256:e249f7620a7660782e24b70acbad92555e1ebb5b40695c8ae5d32e1bf1da710b
+generated: "2024-12-23T15:27:57.140958797+02:00"

charts/example-content/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 appVersion: "0.130.0"
 description: Helm Chart for the openmfp Portal
 name: example-content
-version: 0.111.2
+version: 0.111.3
 dependencies:
   - name: common
-    version: 0.1.9
+    version: 0.2.4
     repository: oci://ghcr.io/openmfp/helm-charts

charts/example-content/tests/__snapshot__/snapshot_test.yaml.snap

@@ -80,8 +80,7 @@ matches the snapshot:
             app: RELEASE-NAME-example-content
         spec:
           containers:
-            - automountServiceAccountToken: true
-              env:
+            - env:
                 - name: PORT
                   value: "8080"
               image: ghcr.io/openmfp/example-content:1.0.0
@@ -109,7 +108,6 @@ matches the snapshot:
                 runAsNonRoot: true
                 seccompProfile:
                   type: RuntimeDefault
-              serviceAccountName: RELEASE-NAME
               volumeMounts:
                 - mountPath: /var/cache/nginx
                   name: tmp-volume

charts/extension-manager-operator/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.1.6
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.1.9
-digest: sha256:51d71eee3c276b729ec8e5b47190cbff35795c873f20db80203f64a44c3c1d2c
-generated: "2024-12-10T14:35:41.728181626Z"
+  version: 0.2.4
+digest: sha256:221ad9127f8b00ef4e4ed4c37f845ace3e45ba5c416c5b25b713987c8c0a8aa1
+generated: "2024-12-23T15:28:02.601836809+02:00"

charts/extension-manager-operator/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: extension-manager-operator
 description: A Helm chart for extension-manager-operator which manages resources like ContentConfigurations and exposes REST `/validate` endpoint
 type: application
-version: 0.22.61
+version: 0.22.62
 appVersion: "0.87.0"
 dependencies:
   - name: extension-manager-operator-crds
     version: 0.1.6
     condition: crds.enabled
     repository: oci://ghcr.io/openmfp/helm-charts
   - name: common
-    version: 0.1.9
+    version: 0.2.4
     repository: oci://ghcr.io/openmfp/helm-charts

charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap

@@ -81,7 +81,6 @@ operator match the snapshot:
             app: extension-manager-operator
             service: extension-manager-operator
         spec:
-          automountServiceAccountToken: true
           containers:
             - args:
                 - operator
@@ -128,7 +127,6 @@ operator match the snapshot:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          serviceAccountName: extension-manager-operator
           terminationGracePeriodSeconds: 10
   4: |
     apiVersion: v1

charts/infra/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.1.9
-digest: sha256:6577fd73184b0969a73a585bf2f488c01d1433d706d7efc13320228988ce3ee4
-generated: "2024-12-10T13:42:19.547888751Z"
+  version: 0.2.4
+digest: sha256:e249f7620a7660782e24b70acbad92555e1ebb5b40695c8ae5d32e1bf1da710b
+generated: "2024-12-23T15:28:09.337735641+02:00"

charts/infra/Chart.yaml

@@ -2,10 +2,10 @@ apiVersion: v2
 name: infra
 description: The infra openmfp chart configures a number of common infrastructure components for the OpenMFP platform.
 type: application
-version: 0.60.2
+version: 0.60.3
 appVersion: "0.0.0"
 
 dependencies:
   - name: common
-    version: 0.1.9
+    version: 0.2.4
     repository: oci://ghcr.io/openmfp/helm-charts