From 0165218556e43dda4da8c4c5cb154b5de81d7f01 Mon Sep 17 00:00:00 2001
From: stefan <stefan.voshage@dataport.de>
Date: Wed, 13 Nov 2024 10:43:13 +0100
Subject: [PATCH] =?UTF-8?q?Dataport:=20Anpassung=20der=20Helm-Charts=20gem?=
 =?UTF-8?q?=C3=A4=C3=9F=20den=20Kyverno=20Richtlinien=20bei=20Dataport=20E?=
 =?UTF-8?q?nrichtung=20eines=20Service=20Accounts=20Einrichtung=20der=20Li?=
 =?UTF-8?q?venes-probes=20Einrichtung=20des=20Securitycontext=20nach=20dem?=
 =?UTF-8?q?=20Vorbild=20des=20Alfa=20Helm-Charts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/main/helm/templates/_helpers.tpl    |  4 ++-
 src/main/helm/templates/deployment.yaml | 33 ++++++++++++++++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl
index e1ad80c9..3427f54f 100644
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -38,7 +38,9 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- define "app.ssoRealm" -}}
 {{ printf "%s-%s-%s" (include "app.ozgcloudBundesland" .) ( include "app.ozgcloudBezeichner" . ) ( include "app.ozgcloudEnvironment" . ) | trunc 63 | trimSuffix "-" }}
 {{- end -}}
-
+{{- define "app.serviceAccountName" -}}
+{{ printf "%s" ( (.Values.serviceAccount).name | default "administration-service-account" ) }}
+{{- end -}}
 {{- define "app.ozgcloudBundesland" -}}
 {{- required "Bundesland muss angegeben sein" (.Values.ozgcloud).bundesland }}
 {{- end -}}
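Review bot: The new `app.serviceAccountName` define is undocumented and reads as a bare name lookup; a short template comment such as `{{/* ServiceAccount the pod runs under; .Values.serviceAccount.name, else "administration-service-account" */}}` above the define would tell a values author what to set. The `printf "%s"` wrapping on the second line adds nothing, `{{ (.Values.serviceAccount).name | default "administration-service-account" }}` is equivalent. The blank line that separated `app.ssoRealm` from the next define was dropped, so the three defines now run together; keeping one blank line between them matches the rest of the file.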
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index cf4720b8..b554d57c 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -48,6 +48,9 @@ spec:
         {{- include "app.defaultLabels" . | indent 8 }}
         component: {{ .Release.Name }}
     spec:
+      {{- if (.Values.serviceAccount).create }}
+      serviceAccountName: {{ include "app.serviceAccountName" . }}
+      {{- end }}
       topologySpreadConstraints:
       - maxSkew: 1
         topologyKey: kubernetes.io/hostname
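Review bot: `serviceAccountName` is emitted only when `.Values.serviceAccount.create` is true, so a deployment that points at a pre-existing account via `serviceAccount.name` with `create: false` silently runs under the namespace `default` account, which is the opposite of what the Kyverno-driven change seems to intend. Gating on either key, `{{- if or (.Values.serviceAccount).create (.Values.serviceAccount).name }}`, covers both cases. The diffstat lists only the two template files, so no ServiceAccount manifest is added in this commit; if none exists elsewhere in the chart, a pod rendered with `create: true` will reference an account that does not exist and stay pending — worth confirming.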
@@ -142,15 +145,36 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 5
+        {{- if .Values.enableLivenessProbe }}
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /actuator/health/liveness
+            port: 8081
+            scheme: HTTP
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 3
+        {{- end }}
         resources:
         {{- with .Values.resources }}
-        {{ toYaml . | indent 10 }}
+{{ toYaml . | indent 10 }}
         {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false
           readOnlyRootFilesystem: false
           runAsNonRoot: true
+          {{- with (.Values.securityContext).runAsUser }}
+          runAsUser: {{ . }}
+          {{- end }}
+          {{- with (.Values.securityContext).runAsGroup }}
+          runAsGroup: {{ . }}
+          {{- end }}
+          {{- with (.Values.securityContext).capabilities }}
+          capabilities:
+{{ toYaml . | indent 12 }}
+          {{- end }}
         stdin: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
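Review bot: Neither the container `securityContext` extended here nor the pod-level one in the last hunk sets `seccompProfile`, and `capabilities` is emitted only when `.Values.securityContext.capabilities` is supplied, so a render with default values has no seccomp profile and no capability drop. If the Dataport Kyverno policies follow the Pod Security "restricted" profile (the commit message suggests that, but the policies are not in this diff), both checks fail unless values.yaml happens to fill them in, which cannot be confirmed from here. Defaulting to `RuntimeDefault` and `drop: [ALL]` in the template, with the values override still honoured, keeps the rendered manifest compliant regardless of what a values file provides; the same default belongs in the pod `securityContext` of the last hunk.

```yaml
        securityContext:
          # … unchanged: allowPrivilegeEscalation, privileged, readOnlyRootFilesystem, runAsNonRoot, runAsUser/runAsGroup …
          seccompProfile:
            type: {{ (.Values.securityContext).seccompProfileType | default "RuntimeDefault" }}
          capabilities:
          {{- with (.Values.securityContext).capabilities }}
{{ toYaml . | indent 12 }}
          {{- else }}
            drop:
              - ALL
          {{- end }}
```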
@@ -178,5 +202,8 @@ spec:
         - name: {{ required "image-pull-secret must be set" .Values.imagePullSecret }}
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
-      terminationGracePeriodSeconds: 300000000
\ No newline at end of file
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 30
-- 
GitLab