charts icon indicating copy to clipboard operation
charts copied to clipboard

Published 20 hours ago verified publisher icon bitnami

[bitnami/common] Add option to remove empty seLinuxOptions from securityContext in non OpenShift environment

Open minijus opened this issue 1 year ago • 2 comments

Description of the change

Adding new global.compatibility.omitEmptySeLinuxOption option to conditionally remove empty/falsy seLinuxOptionsproperty.

Applicable issues

  • fixes #28934

Checklist

  • [x] Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
  • [ ] Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
  • [x] Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
  • [x] All commits signed off and in agreement of Developer Certificate of Origin (DCO)

minijus avatar Aug 21 '24 07:08 minijus

Not sure when/how values/README files should be updated on all charts that use bitnami/common. I suppose global.compatibility.omitEmptySeLinuxOption with description on every other chart should only be added when updating bitnami/common?

minijus avatar Aug 21 '24 08:08 minijus

Thank you for your contribution @minijus!

I would like to request a change, could you please move the new code block our of the {{- if (((.context.Values.global).compatibility).openshift) -}} conditional?

Additionally, I think it would be good to add the extra parenthesis (). Those parenthesis prevent errors when the parent value does not exist.

Suggestion:

{{- if (((.context.Values.global).compatibility).openshift) -}}
  {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
    {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
    {{- if not .secContext.seLinuxOptions -}}
    {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
    {{- end -}}
  {{- end -}}
{{- end -}}
{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}}
  {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}

Thanks for the review!

I did the change.

minijus avatar Aug 23 '24 11:08 minijus

@migruiz4 would you be able to have a look at this PR again?

minijus avatar Sep 04 '24 14:09 minijus