diff --git a/README.md b/README.md
index 0fb82e7..a97bd84 100644
--- a/README.md
+++ b/README.md
@@ -580,7 +580,8 @@ gitea:
 | `extraVolumes` | Additional volumes to mount to the Gitea statefulset | `{}` |
 | `extraVolumeMounts` | Additional volume mounts for the Gitea containers | `{}` |
 | `initPreScript` | Bash script copied verbatim to start of init container | |
-| `securityContext` | Run as a specific securityContext | `{}` |
+| `podSecurityContext.fsGroup` | Set the shared file system group for all containers | 1000 |
+| `containerSecurityContext` | Run init and gitea containers as a specific securityContext | `{}` |
 | `schedulerName` | Use an alternate scheduler, e.g. "stork" | |

 ### Image
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index 1d5aa18..734f342 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@@ -38,7 +38,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 securityContext:
- fsGroup: 1000
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 initContainers:
 - name: init-directories
 image: "{{ include "gitea.image" . }}"
@@ -65,6 +65,8 @@ spec:
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
 - name: init-app-ini
 image: "{{ include "gitea.image" . }}"
 command: ["/usr/sbin/config_environment.sh"]
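Review bot: The hard-coded `fsGroup: 1000` is replaced by whatever `podSecurityContext` renders, so a user who overrides that map with other keys (say only `runAsNonRoot: true`) silently drops fsGroup, whereas the configure-gitea hunk later in this file keeps `runAsUser: 1000` unless the user sets it explicitly. If fsGroup is meant to stay a chart default rather than an example, the same hasKey pattern applied here would keep the two consistent; otherwise values.yaml should say that overriding podSecurityContext replaces fsGroup entirely. Whether losing fsGroup breaks ownership of the data volume cannot be confirmed from this diff, so I am only raising the inconsistency.
```yaml
      securityContext:
        {{- /* Keep fsGroup 1000 unless the chart user sets one explicitly */ -}}
        {{- $psc := deepCopy (default dict .Values.podSecurityContext) -}}
        {{- if not (hasKey $psc "fsGroup") -}}
        {{- $_ := set $psc "fsGroup" 1000 -}}
        {{- end -}}
        {{- toYaml $psc | nindent 8 }}
```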
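Review bot: The init-directories container now receives `containerSecurityContext` verbatim, while configure-gitea in the next hunk additionally defaults `runAsUser` to 1000, and nothing in the template says why the two containers are treated differently. A short comment above the added `securityContext:`, such as `{{- /* no runAsUser default here: this container previously had no securityContext at all; configure-gitea defaults to 1000 */ -}}`, would save the next reader from guessing. The same two added lines are repeated for init-app-ini in the next hunk; a small named template would keep both copies in sync if the rendering ever changes. The init-directories container definition starts outside this hunk.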
@@ -90,11 +92,18 @@ spec:
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
 - name: configure-gitea
 image: "{{ include "gitea.image" . }}"
 command: ["/usr/sbin/configure_gitea.sh"]
 securityContext:
- runAsUser: 1000
+ {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+ {{- $csc := deepCopy .Values.containerSecurityContext -}}
+ {{- if not (hasKey $csc "runAsUser") -}}
+ {{- $_ := set $csc "runAsUser" 1000 -}}
+ {{- end -}}
+ {{- toYaml $csc | nindent 12 }}
 env:
 - name: GITEA_APP_INI
 value: /data/gitea/conf/app.ini
@@ -207,7 +216,12 @@ spec:
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- /* Honor the deprecated securityContext variable when defined */ -}}
+ {{- if .Values.containerSecurityContext -}}
+ {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+ {{- else -}}
+ {{ toYaml .Values.securityContext | nindent 12 -}}
+ {{- end }}
 volumeMounts:
 - name: temp
 mountPath: /tmp
diff --git a/values.yaml b/values.yaml
index fabc055..ef6f324 100644
--- a/values.yaml
+++ b/values.yaml
@@ -14,8 +14,11 @@ image:

 imagePullSecrets: []

-# only usable with rootless image due to image design
-securityContext: {}
+# Security context is only usable with rootless image due to image design
+podSecurityContext:
+ fsGroup: 1000
+
+containerSecurityContext: {}
 # allowPrivilegeEscalation: false
 # capabilities:
 # drop:
@@ -33,6 +36,11 @@ securityContext: {}
 # runAsNonRoot: true
 # runAsUser: 1000

+# DEPRECATED. The securityContext variable has been split two:
+# - containerSecurityContext
+# - podSecurityContext.
+securityContext: {}
+
 service:
 http:
 type: ClusterIP
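Review bot: `deepCopy .Values.containerSecurityContext` followed by `set $csc` assumes the value is a map; if a user overrides `containerSecurityContext` with `null` (a common way to clear a chart default), deepCopy yields nil, hasKey reports false and `set` then writes into a nil map, which I would expect to abort the render rather than fall back to runAsUser 1000. Guarding the copy, `{{- $csc := deepCopy (default dict .Values.containerSecurityContext) -}}`, keeps the default in that case and changes nothing for the shipped `{}`. The configure-gitea container definition continues outside the hunk.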
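Review bot: The added comment `Honor the deprecated securityContext variable when defined` in the second statefulset hunk does not match the branch below it: the deprecated value is used only when `containerSecurityContext` is empty, and a non-empty `containerSecurityContext` wins silently even if the user still sets `securityContext` as well. Rewording to `{{- /* containerSecurityContext takes precedence; fall back to the deprecated securityContext only while it is empty */ -}}` states the actual rule, and since `{}` is falsy here the fallback also triggers for the shipped default, which is worth saying. If users should be told their old value is being ignored, that needs an explicit check in the fallback branch rather than this comment. The gitea container spec continues outside the hunk.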
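Review bot: In the first values.yaml hunk the comment `Security context is only usable with rootless image due to image design` now sits above `podSecurityContext`, but the `fsGroup: 1000` it holds was previously hard-coded in the statefulset for every image variant (see the first statefulset hunk), so the rootless caveat reads as if it applied to fsGroup too. Moving the caveat to `containerSecurityContext: {}`, e.g. `# Only usable with the rootless image due to image design`, and giving `podSecurityContext` its own line, `# Pod-level security context; fsGroup 1000 matches the chart's previous hard-coded default`, keeps the two apart. Whether the rootless restriction really applies to pod-level settings cannot be judged from this diff.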
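Review bot: In the last values.yaml hunk `has been split two` is missing a word (`split in two`), and the deprecation note does not say where the old value still applies: per the statefulset hunks, `securityContext` is honored only for the main gitea container and only while `containerSecurityContext` is empty, while the init containers read `containerSecurityContext` alone. A note such as `# DEPRECATED: use containerSecurityContext (and podSecurityContext for fsGroup). Still applied to the gitea container only, and only while containerSecurityContext is empty.` would let users migrate without reading the templates.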