Make pods/containers security context configurable

tegioz · tegioz · commit 5c5c83dda4d2 · 2025-10-24T12:32:19.000+02:00
Signed-off-by: Sergio Castaño Arteaga &lt;tegioz@icloud.com&gt;
diff --git a/charts/ocg/templates/_helpers.tpl b/charts/ocg/templates/_helpers.tpl
@@ -78,6 +78,7 @@ longest resource name ("db-migrator-install" = 19 chars).
 Provide an init container to verify the database is accessible
 */}}
 {{- define "chart.checkDbIsReadyInitContainer" -}}
+{{- $securityContext := default (dict) .Values.checkDbIsReadyInitContainer.securityContext }}
 name: check-db-ready
 {{ if .Values.postgresql.image.registry -}}
 image: {{ .Values.postgresql.image.registry }}/{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}
@@ -92,6 +93,11 @@ env:
     value: "{{ .Values.db.port }}"
   - name: PGUSER
     value: "{{ .Values.db.user }}"
+{{- if $securityContext }}
+securityContext:{{- toYaml $securityContext | nindent 2 }}
+{{- else }}
+securityContext: {}
+{{- end }}
 command: ['sh', '-c', 'until pg_isready; do echo waiting for database; sleep 2; done;']
 {{- end -}}
 
diff --git a/charts/ocg/templates/db_migrator_job.yaml b/charts/ocg/templates/db_migrator_job.yaml
@@ -13,6 +13,10 @@ metadata:
 spec:
   template:
     spec:
+    {{- with .Values.dbmigrator.job.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -24,6 +28,10 @@ spec:
         - name: dbmigrator
           image: {{ .Values.dbmigrator.job.image.repository }}:{{ .Values.imageTag | default (printf "v%s" .Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.pullPolicy }}
+          {{- with .Values.dbmigrator.job.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: TERN_CONF
               value: {{ .Values.configDir }}/tern.conf
diff --git a/charts/ocg/templates/server_deployment.yaml b/charts/ocg/templates/server_deployment.yaml
@@ -17,6 +17,10 @@ spec:
         app.kubernetes.io/component: server
         {{- include "chart.selectorLabels" . | nindent 8 }}
     spec:
+    {{- with .Values.server.deploy.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -38,6 +42,10 @@ spec:
         - name: server
           image: {{ .Values.server.deploy.image.repository }}:{{ .Values.imageTag | default (printf "v%s" .Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.pullPolicy }}
+          {{- with .Values.server.deploy.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: server-config
               mountPath: {{ .Values.configDir | quote }}
diff --git a/charts/ocg/values.yaml b/charts/ocg/values.yaml
@@ -18,6 +18,10 @@ fullnameOverride: ""
 # Directory path where the configuration files should be mounted
 configDir: "/home/ocg/.config/ocg"
 
+# Check database readiness init container configuration
+checkDbIsReadyInitContainer:
+  securityContext: {}
+
 # Database configuration
 db:
   host: ""
@@ -53,9 +57,11 @@ log:
 # Database migrator configuration
 dbmigrator:
   job:
+    containerSecurityContext: {}
     image:
       # Database migrator image repository (without the tag)
       repository: ocg/dbmigrator
+    podSecurityContext: {}
 
 # Server configuration
 server:
@@ -137,10 +143,12 @@ server:
 
   # Deployment configuration
   deploy:
-    replicaCount: 1
+    containerSecurityContext: {}
     image:
       # Database migrator image repository (without the tag)
       repository: ocg/server
+    podSecurityContext: {}
+    replicaCount: 1
     resources: {}
 
 # PostgreSQL configuration
diff --git a/database/tests/scripts/ocg_db_tests b/database/tests/scripts/ocg_db_tests
@@ -1,14 +1,15 @@
 #!/usr/bin/env bash
 
 # Database configuration
-export PGHOST="${PGHOST:-localhost}"
+export PGHOST="${PGHOST:-/private/tmp}"
 export PGPORT="${PGPORT:-5432}"
 export PGUSER="${PGUSER:-postgres}"
 export PGDATABASE="${PGDATABASE:-ocg_tests}"
 export PGSSLMODE="${PGSSLMODE:-disable}"
 
 # Prepare tern config file
-tern_config=$(mktemp /tmp/tern.conf.XXXXXX)
+export TERN_CONF_TESTS_PATH="${TERN_CONF_TESTS_PATH:-/tmp/ocg/tern.conf.XXXXXX}"
+tern_config=$(mktemp $TERN_CONF_TESTS_PATH)
 cat > "$tern_config" <<EOF
 [database]
 host=$PGHOST
