restructure directories a bit

library/common/1.0.0/templates/lib/container/_securityContext.tpl

@@ -1,20 +1,20 @@
 {{/* Security Context included by the container */}}
 {{- define "ix.v1.common.container.securityContext" -}}
-{{- $secContext := .secCont -}}
-{{- $podSecContext := .podSecCont -}}
-{{- $root := .root -}}
-{{/* Check that they are set as booleans to prevent typos */}}
-{{- with $secContext -}}
- {{- if or (not (kindIs "bool" .runAsNonRoot)) (not (kindIs "bool" .privileged)) (not (kindIs "bool" .readOnlyRootFilesystem)) (not (kindIs "bool" .allowPrivilegeEscalation)) -}}
-    {{- fail "One or more of the following are not set as booleans (runAsNonRoot, privileged, readOnlyRootFilesystem, allowPrivilegeEscalation)" -}}
- {{- end -}}
-{{- end -}}
-{{/* Only run as root if it's explicitly defined */}}
-{{- if or (not $podSecContext.runAsUser) (not $podSecContext.runAsGroup) -}}
-  {{- if $secContext.runAsNonRoot -}}
-    {{- fail "You are trying to run as root (user or group), but runAsNonRoot is set to true" -}}
+  {{- $secContext := .secCont -}}
+  {{- $podSecContext := .podSecCont -}}
+  {{- $root := .root -}}
+  {{/* Check that they are set as booleans to prevent typos */}}
+  {{- with $secContext -}}
+    {{- if or (not (kindIs "bool" .runAsNonRoot)) (not (kindIs "bool" .privileged)) (not (kindIs "bool" .readOnlyRootFilesystem)) (not (kindIs "bool" .allowPrivilegeEscalation)) -}}
+        {{- fail "One or more of the following are not set as booleans (runAsNonRoot, privileged, readOnlyRootFilesystem, allowPrivilegeEscalation)" -}}
+    {{- end -}}
+  {{- end -}}
+{{/* Only run as root if it's explicitly defined */}}
+  {{- if or (not $podSecContext.runAsUser) (not $podSecContext.runAsGroup) -}}
+    {{- if $secContext.runAsNonRoot -}}
+      {{- fail "You are trying to run as root (user or group), but runAsNonRoot is set to true" -}}
+    {{- end -}}
   {{- end -}}
-{{- end -}}
 runAsNonRoot: {{ $secContext.runAsNonRoot }}
 readOnlyRootFilesystem: {{ $secContext.readOnlyRootFilesystem }}
 allowPrivilegeEscalation: {{ $secContext.allowPrivilegeEscalation }}
@@ -41,23 +41,3 @@ capabilities:
     drop: []
   {{- end }}
 {{- end -}}
-
-{{/* A dict podSecContext is expected with keys line runAsUser */}}
-{{- define "ix.v1.common.container.podSecurityContext" -}}
-{{- $podSecCont := .podSecCont -}}
-runAsUser: {{ required "<runAsUser> value is required." $podSecCont.runAsUser }}
-runAsGroup: {{ required "<runAsGroup> value is required." $podSecCont.runAsGroup }}
-fsGroup: {{ required "<fsGroup> value is required." $podSecCont.fsGroup }}
-{{- with $podSecCont.supplementalGroups }}
-supplementalGroups:
-  {{- range . }}
-  - {{ . }}
-  {{- end -}}
-{{- end -}}
-{{- with $podSecCont.fsGroupChangePolicy -}}
-  {{- if not (has . (list "Always" "OnRootMismatch")) -}}
-    {{- fail "Invalid option for fsGroupChangePolicy. Valid options are <Always> and <OnRootMismatch>." -}}
-  {{- end }}
-fsGroupChangePolicy: {{ . }}
-{{- end -}}
-{{- end -}}

library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl

@@ -0,0 +1,19 @@
+{{/* A dict podSecContext is expected with keys line runAsUser */}}
+{{- define "ix.v1.common.container.podSecurityContext" -}}
+  {{- $podSecCont := .podSecCont -}}
+runAsUser: {{ required "<runAsUser> value is required." $podSecCont.runAsUser }}
+runAsGroup: {{ required "<runAsGroup> value is required." $podSecCont.runAsGroup }}
+fsGroup: {{ required "<fsGroup> value is required." $podSecCont.fsGroup }}
+  {{- with $podSecCont.supplementalGroups }}
+supplementalGroups:
+    {{- range . }}
+  - {{ . }}
+    {{- end -}}
+  {{- end -}}
+  {{- with $podSecCont.fsGroupChangePolicy -}}
+    {{- if not (has . (list "Always" "OnRootMismatch")) -}}
+      {{- fail "Invalid option for fsGroupChangePolicy. Valid options are <Always> and <OnRootMismatch>." -}}
+    {{- end }}
+fsGroupChangePolicy: {{ . }}
+  {{- end -}}
+{{- end -}}