truenas/chart
1
0
Fork 0
mirror of https://github.com/truenas/charts.git synced 2026-04-30 05:21:57 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
8daa01d53cfec7f59075ff7a67eccede548c462d
chart/library/common/templates/lib/pod/_podSecurityContext.tpl
Stavros Kois 929e60d801 NAS-121003 / 23.10 / Adapt charts CI and improve/fix common (#1011) 
* Adapt charts CI and improve/fix common

* add check on permissions contaienr

* add postgres template

* update comments

* Update create_app.sh

* add check

* update script

* auto gen item.yaml from Chart,yaml

* rename readme on dest

* duplicate readme from the same source

* correct comment

* reoder

* remove extra space

* keep both README and app-readme

* update regex, to also allow 2 letter names, which is also valid

* No need to check host network if there aren't any pod values

* use same pattern as the pod.name label (not prepending release-name

* update deps

* add chart dirs to ci

* Add a validation to check if there is any yaml errors after merging files

* update charts path on ci

* common/1.0.0/ -> common/

* update common-test dep path

* temp update create_app script

* make permissions container name configurable, incase we want to change order of execution

* update naming convention

* fix typo and a missed name change

* do not allow `--` in names
2023-03-16 17:36:19 +02:00

91 lines
3.3 KiB
Smarty
Raw Blame History

{{/* Returns Pod Security Context */}}
{{/* Call this template:
{{ include "ix.v1.common.lib.pod.securityContext" (dict "rootCtx" $ "objectData" $objectData) }}
rootCtx: The root context of the chart.
objectData: The object data to be used to render the Pod.
*/}}
{{- define "ix.v1.common.lib.pod.securityContext" -}}
{{- $rootCtx := .rootCtx -}}
{{- $objectData := .objectData -}}
{{- if not $rootCtx.Values.securityContext.pod -}}
{{- fail "Pod - Expected non-empty <.Values.securityContext.pod>" -}}
{{- end -}}
{{/* Initialize from the "global" option */}}
{{- $secContext := mustDeepCopy $rootCtx.Values.securityContext.pod -}}
{{/* Override with pod's option */}}
{{- with $objectData.podSpec.securityContext -}}
{{- $secContext = mustMergeOverwrite $secContext . -}}
{{- end -}}
{{/* TODO: Add supplemental groups
devices (5, 10, 20, 24) (Only when devices is assigned on the pod's containers)
TODO: Unit Test the above cases
*/}}
{{- $gpuAdded := false -}}
{{- range $GPUValues := $rootCtx.Values.scaleGPU -}}
{{/* If there is a selector and pod is selected */}}
{{- if $GPUValues.targetSelector -}}
{{- if mustHas $objectData.shortName ($GPUValues.targetSelector | keys) -}}
{{- $gpuAdded = true -}}
{{- end -}}
{{/* If there isn't a selector, but pod is primary */}}
{{- else if $objectData.primary -}}
{{- $gpuAdded = true -}}
{{- end -}}
{{- end -}}
{{- if $gpuAdded -}}
{{- $_ := set $secContext "supplementalGroups" (concat $secContext.supplementalGroups (list 44)) -}}
{{- end -}}
{{- $portRange := fromJson (include "ix.v1.common.lib.helpers.securityContext.getPortRange" (dict "rootCtx" $rootCtx "objectData" $objectData)) -}}
{{- if and $portRange.low (le (int $portRange.low) 1024) -}} {{/* If a container wants to bind a port <= 1024 change the unprivileged_port_start */}}
{{- $_ := set $secContext "sysctls" (mustAppend $secContext.sysctls (dict "name" "net.ipv4.ip_unprivileged_port_start" "value" (printf "%v" $portRange.low))) -}}
{{- end -}}
{{- if not $secContext.fsGroup -}}
{{- fail "Pod - Expected non-empty <fsGroup>" -}}
{{- end -}}
{{/* Used by the fixedEnv template */}}
{{- $_ := set $objectData.podSpec "calculatedFSGroup" $secContext.fsGroup -}}
{{- if not $secContext.fsGroupChangePolicy -}}
{{- fail "Pod - Expected non-empty <fsGroupChangePolicy>" -}}
{{- end -}}
{{- $policies := (list "Always" "OnRootMismatch") -}}
{{- if not (mustHas $secContext.fsGroupChangePolicy $policies) -}}
{{- fail (printf "Pod - Expected <fsGroupChangePolicy> to be one of [%s], but got [%s]" (join ", " $policies) $secContext.fsGroupChangePolicy) -}}
{{- end }}
fsGroup: {{ $secContext.fsGroup }}
fsGroupChangePolicy: {{ $secContext.fsGroupChangePolicy }}
{{- with $secContext.supplementalGroups }}
supplementalGroups:
{{- range . }}
- {{ . }}
{{- end -}}
{{- else }}
supplementalGroups: []
{{- end -}}
{{- with $secContext.sysctls }}
sysctls:
{{- range . }}
{{- if not .name -}}
{{- fail "Pod - Expected non-empty <name> in <sysctls>" -}}
{{- end -}}
{{- if not .value -}}
{{- fail "Pod - Expected non-empty <value> in <sysctls>" -}}
{{- end }}
- name: {{ tpl .name $rootCtx | quote }}
value: {{ tpl .value $rootCtx | quote }}
{{- end -}}
{{- else }}
sysctls: []
{{- end -}}
{{- end -}}
Reference in New Issue View Git Blame Copy Permalink