feat: Make securityContext configurable

itboon · Sep 16, 2024 · a8aa2d5 · a8aa2d5
1 parent a5c2b7d
commit a8aa2d5
Show file tree

Hide file tree

Showing 10 changed files with 93 additions and 5 deletions.
diff --git a/charts/rocketmq-cluster/templates/broker/statefulset.yaml b/charts/rocketmq-cluster/templates/broker/statefulset.yaml
@@ -84,12 +84,19 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        fsGroup: 3000
-        runAsUser: 3000
+        {{- if $.Values.broker.podSecurityContext }}
+        {{- toYaml $.Values.broker.podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: broker
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with $.Values.broker.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq-cluster/templates/controller/statefulset.yaml b/charts/rocketmq-cluster/templates/controller/statefulset.yaml
@@ -65,10 +65,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        {{- if .podSecurityContext }}
+        {{- toYaml .podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: nameserver
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with .containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq-cluster/templates/nameserver/statefulset.yaml b/charts/rocketmq-cluster/templates/nameserver/statefulset.yaml
@@ -65,10 +65,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        {{- if .podSecurityContext }}
+        {{- toYaml .podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: nameserver
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with .containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq-cluster/templates/proxy/deployment.yaml b/charts/rocketmq-cluster/templates/proxy/deployment.yaml
@@ -64,10 +64,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        {{- if .podSecurityContext }}
+        {{- toYaml .podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: proxy
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with .containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq-cluster/values.yaml b/charts/rocketmq-cluster/values.yaml
@@ -6,11 +6,18 @@ image:
   pullPolicy: IfNotPresent
   tag: "5.3.0"
 
+podSecurityContext:
+  fsGroup: 3000
+  runAsUser: 3000
+
 broker:
   size:
     master: 2
     replica: 1
 
+  # podSecurityContext: {}
+  # containerSecurityContext: {}
+
   master:
     brokerRole: ASYNC_MASTER
     jvm:

diff --git a/charts/rocketmq/templates/broker/statefulset.yaml b/charts/rocketmq/templates/broker/statefulset.yaml
@@ -84,12 +84,19 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        fsGroup: 3000
-        runAsUser: 3000
+        {{- if $.Values.broker.podSecurityContext }}
+        {{- toYaml $.Values.broker.podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: broker
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with $.Values.broker.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq/templates/controller/statefulset.yaml b/charts/rocketmq/templates/controller/statefulset.yaml
@@ -65,10 +65,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        {{- if .podSecurityContext }}
+        {{- toYaml .podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: nameserver
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with .containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq/templates/nameserver/statefulset.yaml b/charts/rocketmq/templates/nameserver/statefulset.yaml
@@ -65,10 +65,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        {{- if .podSecurityContext }}
+        {{- toYaml .podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: nameserver
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with .containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq/templates/proxy/deployment.yaml b/charts/rocketmq/templates/proxy/deployment.yaml
@@ -64,10 +64,20 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        {{- if .podSecurityContext }}
+        {{- toYaml .podSecurityContext | nindent 8 }}
+        {{- else if $.Values.podSecurityContext }}
+        {{- toYaml $.Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
       - name: proxy
         image: {{ $image | quote }}
         imagePullPolicy: {{ $.Values.image.pullPolicy | default "IfNotPresent" }}
+        {{- with .containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         command:
           - sh
           - /mq-server-start.sh

diff --git a/charts/rocketmq/values.yaml b/charts/rocketmq/values.yaml
@@ -5,11 +5,18 @@ image:
   pullPolicy: IfNotPresent
   tag: "5.3.0"
 
+podSecurityContext:
+  fsGroup: 3000
+  runAsUser: 3000
+
 broker:
   size:
     master: 1
     replica: 0
 
+  # podSecurityContext: {}
+  # containerSecurityContext: {}
+
   master:
     brokerRole: ASYNC_MASTER
     jvm:
@@ -89,7 +96,7 @@ nameserver:
 
   persistence:
     enabled: false
-    size: 8Gi
+    size: 20Gi
     #storageClass: "gp2"
 
   affinityOverride: {}