From 5f86dfcf7edcc3701c6c07b25335388c1078f66c Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Thu, 29 Feb 2024 09:57:30 +0100
Subject: [PATCH] add securityContext fsGroup and capabilities

---
 src/main/helm/templates/deployment.yaml       |  7 ++++++
 ...yment_container_security_context_test.yaml | 25 ++++++++++++++++++-
 .../helm/templates/xta_adapter_cronjob.yaml   |  7 ++++++
 .../helm/xta_adapter_cronjob_basic_test.yaml  | 23 +++++++++++++++++
 4 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index 8b6ef05ea..e1710b8a0 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -139,6 +139,13 @@ spec:
           {{- with (.Values.securityContext).runAsGroup }}
           runAsGroup: {{ . }}
           {{- end }}
+          {{- with (.Values.securityContext).fsGroup }}
+          fsGroup: {{ . }}
+          {{- end }}
+          {{- with (.Values.securityContext).capabilities }}
+          capabilities:
+{{ toYaml . | indent 12 }}
+          {{- end }}
         stdin: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
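Review bot: The added `fsGroup: {{ . }}` is emitted under the container's `securityContext` (the surrounding context shows `runAsGroup`, `stdin` and `terminationMessagePath`, all container-level fields), but `fsGroup` is a pod-level PodSecurityContext field and is not a valid key in `containers[].securityContext`. With Helm's default OpenAPI validation the install fails with an unknown-field error on `Deployment.spec.template.spec.containers[0].securityContext`; with validation disabled the value is dropped by the API server and mounted volumes never receive the intended group ownership, which is a silent failure. Move the three `fsGroup` lines to the pod spec under `spec.template.spec.securityContext` (outside this hunk) and keep only `capabilities` here, which is genuinely container-level. Note also that the template supplies no default for `capabilities`, so `drop: [ALL]` is only enforced when a values file sets it — worth confirming in values.yaml, which this patch does not touch.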
diff --git a/src/test/helm/deployment_container_security_context_test.yaml b/src/test/helm/deployment_container_security_context_test.yaml
index 18a745033..165a9742a 100644
--- a/src/test/helm/deployment_container_security_context_test.yaml
+++ b/src/test/helm/deployment_container_security_context_test.yaml
@@ -49,6 +49,10 @@ tests:
           path: spec.template.spec.containers[0].securityContext.runAsUser
       - isNull:
           path: spec.template.spec.containers[0].securityContext.runAsGroup
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext.fsGroup
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext.capabilities
   - it: check runAsUser
     set:
       securityContext.runAsUser: 1000
@@ -62,4 +66,23 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].securityContext.runAsGroup
-          value: 1000
\ No newline at end of file
+          value: 1000
+  - it: check fsGroup
+    set:
+      securityContext.fsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.fsGroup
+          value: 1000
+  - it: check capabilities
+    set:
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.capabilities
+          value:
+            drop:
+              - ALL
\ No newline at end of file
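Review bot: The new `check fsGroup` case asserts `spec.template.spec.containers[0].securityContext.fsGroup`, which pins a placement the Kubernetes API rejects: `fsGroup` is only defined on the pod-level securityContext, not on a container. helm-unittest renders templates without schema validation, so this test goes green while `helm install` against a real cluster fails (or, if validation is disabled, loses the setting). When the template is corrected to emit the field at pod level, change the path to `spec.template.spec.securityContext.fsGroup` and update the `isNull` assertion added in the previous hunk to match.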
diff --git a/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml b/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
index 2fa6f19d1..89ad38b04 100644
--- a/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
+++ b/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
@@ -111,6 +111,13 @@ spec:
                 {{- with (.Values.securityContext).runAsGroup }}
                 runAsGroup: {{ . }}
                 {{- end }}
+                {{- with (.Values.securityContext).fsGroup }}
+                fsGroup: {{ . }}
+                {{- end }}
+                {{- with (.Values.securityContext).capabilities }}
+                capabilities:
+{{ toYaml . | indent 18 }}
+                {{- end }}
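Review bot: As in the Deployment template, `fsGroup: {{ . }}` is placed in the CronJob container's `securityContext` (the hunk sits directly above the container's `resources:` block), but `fsGroup` is a PodSecurityContext field and is not accepted under `containers[].securityContext`. Helm's default manifest validation will reject the rendered CronJob with an unknown-field error, and a cluster with strict field validation disabled would discard the value, so volume group ownership for the job's pod is never set. Relocate the `fsGroup` lines to `spec.jobTemplate.spec.template.spec.securityContext`, which is outside this hunk; the `capabilities` block is correctly container-scoped and can stay. The `toYaml . | indent 18` line-at-column-0 pattern matches the existing `resources` handling below, so the rendered indentation lines up.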
               resources:
               {{- with .Values.resources }}
 {{ toYaml . | indent 16 }}
diff --git a/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml b/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
index 4667b03c4..4b47e6a77 100644
--- a/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
+++ b/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
@@ -104,6 +104,10 @@ tests:
         path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsUser
     - isNull:
         path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsGroup
+    - isNull:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.fsGroup
+    - isNull:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities
   - it: check runAsUser
     set:
       securityContext.runAsUser: 1000
@@ -126,3 +130,22 @@ tests:
         value: 
           ozg-component: xta-adapter
           workload: xta-adapter-cronjob
+  - it: check fsGroup
+    set:
+      securityContext.fsGroup: 1000
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.fsGroup
+          value: 1000
+  - it: check capabilities
+    set:
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+    asserts:
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities
+          value:
+            drop:
+              - ALL
\ No newline at end of file
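Review bot: The `check fsGroup` assertion path `spec.jobTemplate.spec.template.spec.containers[0].securityContext.fsGroup` encodes an invalid field location — `fsGroup` belongs to the pod securityContext, and the API server does not accept it on a container. Because helm-unittest only checks rendered text, this test cannot catch the problem, and it would start failing as soon as the template is fixed. Point the assertion at `spec.jobTemplate.spec.template.spec.securityContext.fsGroup` instead, and adjust the corresponding `isNull` check added in the earlier hunk of this file.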
-- 
GitLab