From fddbb0a0592084b7f18fbd287c8510d73bf33e1c Mon Sep 17 00:00:00 2001
From: "PRIYA, FNU (fp048v)"
Date: Mon, 8 Nov 2021 09:45:11 -0600
Subject: [PATCH] Set Security Context to ks-user job

We need flexibility to add securityContext to ks-user job at pod and containerlevel, so that it can be executed without elevated privileges.

Change-Id: Ibd8abdc10906ca4648bfcaa91d0f122e56690606
---
 helm-toolkit/Chart.yaml | 2 +-
 .../templates/manifests/_job-ks-user.yaml.tpl | 24 +++++++++++++++++++
 releasenotes/notes/helm-toolkit.yaml | 1 +
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml
index fb1999d8ad..ebd1c30bf1 100644
--- a/helm-toolkit/Chart.yaml
+++ b/helm-toolkit/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.27
+version: 0.2.28
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:
diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
index cb90b44f6c..39007de8b6 100644
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -17,6 +17,28 @@ limitations under the License.
 # {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
 # { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
 
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
 {{- define "helm-toolkit.manifests.job_ks_user" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $serviceName := index . "serviceName" -}}
@@ -70,6 +92,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
 serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 restartPolicy: {{ $restartPolicy }}
 nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
@@ -80,6 +103,7 @@ spec:
 image: {{ $envAll.Values.images.tags.ks_user }}
 imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /bin/bash
 - -c
diff --git a/releasenotes/notes/helm-toolkit.yaml b/releasenotes/notes/helm-toolkit.yaml
index 519366fbe6..1b90adc9d9 100644
--- a/releasenotes/notes/helm-toolkit.yaml
+++ b/releasenotes/notes/helm-toolkit.yaml
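Review bot: The container-level include in the third hunk looks the container up as `"container" "ks_user"`, while the example added in the first hunk tells operators to key it as `ks-user:` under `container:`, so a values file written from that example will never match the lookup and the container securityContext will silently not apply (or fail to render, depending on the snippet). Pick one spelling and use it in both places; since the `application` argument and the pod-level key already use `ks_user`, the smaller change is the comment line `# ks_user:` in place of `# ks-user:`. Both new includes are also unconditional, so rendering now depends on every consuming chart defining `pod.security_context.ks_user`; if the security-context snippets do not tolerate a missing key (not visible here), charts without it stop rendering, which the `0.2.26 Revert Set Security Context to ks-user job` entry in the release-notes hunk suggests has happened before — worth confirming, or guarding each include with `{{- if hasKey (default (dict) $envAll.Values.pod.security_context) "ks_user" }}`. The example further recommends `readOnlyRootFilesystem: true` for a container whose entrypoint is a script run via `/bin/bash -c`; confirm the client tooling in the image does not need a writable home or /tmp before documenting that as the suggested value. `helm-toolkit.manifests.job_ks_user` begins in the first hunk and ends outside these hunks.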
@@ -34,4 +34,5 @@ helm-toolkit:
 - 0.2.25 Set Security Context to ks-user job
 - 0.2.26 Revert Set Security Context to ks-user job
 - 0.2.27 Correct private key size input for Certificates and remove minor version support
+ - 0.2.28 Set Security context to ks-user job at pod and container level
 ...