US-625432 Configure securityContext for Pega containers #789

Merged
merged 3 commits into from
Jul 22, 2024
4 changes: 4 additions & 0 deletions charts/pega/templates/_pega-deployment.tpl
Expand Up @@ -214,6 +214,10 @@ spec:
envFrom:
- configMapRef:
name: {{ template "pegaEnvironmentConfig" .root }}
{{- if .node.containerSecurityContext }}
securityContext:
{{ toYaml .node.containerSecurityContext | indent 10 }}
{{- end }}
resources:
{{- if .node.resources }}
{{ toYaml .node.resources | indent 10 }}
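Review bot: The guard `{{- if .node.containerSecurityContext }}` means a `securityContext` is emitted only when a tier explicitly sets one, so the chart still renders no container-level hardening by default (the new Go test later in this PR pins `SecurityContext` to nil for every provider). If a hardened baseline is intended, consider rendering a default such as `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` that a tier's `containerSecurityContext` can override, or at least state in the values documentation that the default is no container securityContext. The `toYaml … | indent 10` form matches the adjacent `resources` block, so the key lands at the same level as `resources`, which is what a container-scoped securityContext needs. The enclosing container definition starts and ends outside the hunk.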
27 changes: 27 additions & 0 deletions charts/pega/values.yaml
Expand Up @@ -257,6 +257,15 @@ global:
# runAsUser: 9001
# fsGroup: 0

# To specify security settings for a Container, include the securityContext field in the Container manifest
# Security settings that you specify for a Container apply only to the pega container,
# and they override settings made at the Pod level when there is overlap. Container settings
# do not affect the Pod's Volumes.
# See, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
# containerSecurityContext:
# capabilities:
# add: ["SYS_TIME"]

hpa:
enabled: true
# To configure behavior specifications for hpa, set the required scaleUp & scaleDown values.
Expand Down Expand Up @@ -319,6 +328,15 @@ global:
# runAsUser: 9001
# fsGroup: 0

# To specify security settings for a Container, include the securityContext field in the Container manifest
# Security settings that you specify for a Container apply only to the pega container,
# and they override settings made at the Pod level when there is overlap. Container settings
# do not affect the Pod's Volumes.
# See, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
# containerSecurityContext:
# capabilities:
# add: ["SYS_TIME"]

hpa:
enabled: true

Expand Down Expand Up @@ -381,6 +399,15 @@ global:
# runAsUser: 9001
# fsGroup: 0

# To specify security settings for a Container, include the securityContext field in the Container manifest
# Security settings that you specify for a Container apply only to the pega container,
# and they override settings made at the Pod level when there is overlap. Container settings
# do not affect the Pod's Volumes.
# See, https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
# containerSecurityContext:
# capabilities:
# add: ["SYS_TIME"]

replicas: 2

volumeClaimTemplate:
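Review bot: The commented example under `containerSecurityContext` in this hunk and the two identical ones above it shows only `capabilities: add: ["SYS_TIME"]`, a privilege-expanding setting, which is the opposite of what most deployers should copy when they uncomment it. Consider making the example a hardening one, e.g. `#   allowPrivilegeEscalation: false` / `#   capabilities:` / `#     drop: ["ALL"]`, and note that a container-level `runAsUser` overrides the pod-level `runAsUser` shown just above. The sentence "apply only to the pega container" matches the template change, which emits the key for that container only; if the tier pods have init or sidecar containers, saying that those are not covered would prevent a false sense of coverage. Minor wording: "See, https://…" reads better as "See https://…".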
@@ -0,0 +1,85 @@
package pega

import (
"fmt"
"path/filepath"
"strings"
"testing"

"github.com/gruntwork-io/terratest/modules/helm"
"github.com/stretchr/testify/require"
appsv1 "k8s.io/api/apps/v1"
)

func TestPegaTierDeploymentContainerSecurityContext(t *testing.T) {
var supportedVendors = []string{"k8s", "openshift", "eks", "gke", "aks", "pks"}
var supportedOperations = []string{"deploy"}
var deploymentNames = []string{"myapp-dev"}

helmChartPath, err := filepath.Abs(PegaHelmChartPath)
require.NoError(t, err)

for _, vendor := range supportedVendors {

var depObj appsv1.Deployment

for _, operation := range supportedOperations {

for _, depName := range deploymentNames {

fmt.Println(vendor + "-" + operation)

var options = &helm.Options{
SetValues: map[string]string{
"global.provider": vendor,
"global.actions.execute": operation,
"global.deployment.name": depName,
},
}

yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"})
yamlSplit := strings.Split(yamlContent, "---")
UnmarshalK8SYaml(t, yamlSplit[1], &depObj)
require.Nil(t, depObj.Spec.Template.Spec.Containers[0].SecurityContext)

}
}
}
}

func TestPegaTierDeploymentSecurityContextForPegaContainer(t *testing.T) {
var supportedVendors = []string{"k8s", "openshift"}
var supportedOperations = []string{"deploy"}
var deploymentNames = []string{"myapp-dev"}

helmChartPath, err := filepath.Abs(PegaHelmChartPath)
require.NoError(t, err)

for _, vendor := range supportedVendors {

var depObj appsv1.Deployment

for _, operation := range supportedOperations {

for _, depName := range deploymentNames {

fmt.Println(vendor + "-" + operation)

var options = &helm.Options{
SetValues: map[string]string{
"global.provider": vendor,
"global.actions.execute": operation,
"global.deployment.name": depName,
"global.tier[0].containerSecurityContext.runAsUser": "7009",
},
}

yamlContent := RenderTemplate(t, options, helmChartPath, []string{"templates/pega-tier-deployment.yaml"})
yamlSplit := strings.Split(yamlContent, "---")
UnmarshalK8SYaml(t, yamlSplit[1], &depObj)

require.Equal(t, int64(7009), *depObj.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser)
}
}
}
}
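Review bot: In both tests `var depObj appsv1.Deployment` is declared once per vendor, above the operation and deployment-name loops, and reused for every `UnmarshalK8SYaml` call; if that helper decodes with JSON-style semantics (absent fields left untouched), a value from an earlier render survives into the next one, so in the second test a `RunAsUser` of 7009 could mask a later render that omits the securityContext — latent today because the inner slices have one element each, but easy to avoid by moving `var depObj appsv1.Deployment` into the innermost loop. `*depObj.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser` dereferences two pointers with no guard, so a missing securityContext crashes the test with a nil-pointer panic instead of a readable failure; add `require.NotNil(t, depObj.Spec.Template.Spec.Containers[0].SecurityContext)` and a `require.NotNil` on `RunAsUser` before the `require.Equal`. The default-nil test covers six providers while the override test covers only `k8s` and `openshift`; using the same list in both would confirm the override renders for every provider. The `fmt.Println(vendor + "-" + operation)` progress output is noise under `go test -v`; `t.Logf` keeps it attached to the test that produced it.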