_securityContext.tpl
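{{/*
Security context helpers for container and pod security contexts.
These helpers implement a 3-tier merge, listed from lowest to highest precedence:
1. Component default (e.g., .Values.executor.defaultContainerSecurityContext)
2. Global override (e.g., .Values.sourcegraph.containerSecurityContext)
3. Component override (e.g., .Values.executor.containerSecurityContext)
Later values override earlier ones, allowing customers to:
- Set global security context settings that apply to all components
- Override specific components as needed
- Retain Sourcegraph's secure defaults when no overrides are specified
Overrides are merged over the defaults key by key: a key that an override does
not mention keeps its default value, and a key that it does mention takes the
override's value even if that is less restrictive than the default. The helpers
render the merged result without validating it, so restrictions that must hold
for every component are better enforced in the cluster (for example with Pod
Security Admission) than assumed from the chart defaults.
*/}}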
{{/*
Container security context with 3-tier merge.
Outputs "securityContext:" key with merged values, or nothing if empty.
The output includes a leading newline for proper YAML formatting.
Usage:
{{- include "sourcegraph.containerSecurityContext" (list . "executor" 8) }}
Parameters:
- $ (root context)
- component path segments (one or more strings)
- indent level (integer) as the last parameter
Merge order, lowest to highest precedence:
1. <component path>.defaultContainerSecurityContext
2. sourcegraph.containerSecurityContext
3. <component path>.containerSecurityContext
A missing path segment or a missing key at any tier is treated as an empty map.
Security notes:
- The merged map is rendered as-is. This helper does not check that an override
  keeps the hardening set by the component default; a global or component
  override can replace any value the default set.
- NOTE(review): mustMergeOverwrite merges nested maps key by key, while list
  values (such as a capabilities drop list) are presumably replaced as a whole
  rather than combined - confirm with a rendered-output test (helm template)
  against the Sprig version bundled with the Helm release in use.
*/}}
{{- define "sourcegraph.containerSecurityContext" -}}
{{- /* Argument list layout: first item is the root context, last item is the indent, the items in between form the values path. */ -}}
{{- $root := index . 0 -}}
{{- $indent := index . (sub (len .) 1) | int -}}
{{- $path := slice . 1 (sub (len .) 1) -}}
{{- /* Tier 1: walk .Values along the path, then read the component default. */ -}}
{{- $default := $root.Values -}}
{{- range $path -}}
{{- $default = index $default . | default dict -}}
{{- end -}}
{{- $default = $default.defaultContainerSecurityContext | default dict -}}
{{- /* Tier 2: chart-wide setting shared by all components. */ -}}
{{- $global := $root.Values.sourcegraph.containerSecurityContext | default dict -}}
{{- /* Tier 3: walk the same path again and read the component-specific override. */ -}}
{{- $override := $root.Values -}}
{{- range $path -}}
{{- $override = index $override . | default dict -}}
{{- end -}}
{{- $override = $override.containerSecurityContext | default dict -}}
{{- /* Merge into a deep copy of the default so the maps under .Values are not written to; later arguments take precedence. */ -}}
{{- $merged := mustMergeOverwrite (deepCopy $default) $global $override -}}
{{- /* Render the key only when the merged map has at least one entry. */ -}}
{{- if $merged | keys | len | ne 0 }}
{{ "securityContext:" | indent $indent }}
{{ toYaml $merged | indent (add $indent 2 | int) -}}
{{- end -}}
{{- end -}}
{{/*
Pod security context with 3-tier merge.
Outputs "securityContext:" key with merged values, or nothing if empty.
The output includes a leading newline for proper YAML formatting.
Usage:
{{- include "sourcegraph.podSecurityContext" (list . "executor" 6) }}
Parameters:
- $ (root context)
- component path segments (one or more strings)
- indent level (integer) as the last parameter
Merge order, lowest to highest precedence:
1. <component path>.defaultPodSecurityContext
2. sourcegraph.podSecurityContext
3. <component path>.podSecurityContext
A missing path segment or a missing key at any tier is treated as an empty map.
Security notes:
- The merged map is rendered as-is. This helper does not check that an override
  keeps the hardening set by the component default; a global or component
  override can replace any value the default set, such as user or group IDs.
- NOTE(review): mustMergeOverwrite merges nested maps key by key, while list
  values are presumably replaced as a whole rather than combined - confirm
  with a rendered-output test (helm template) against the Sprig version
  bundled with the Helm release in use.
*/}}
{{- define "sourcegraph.podSecurityContext" -}}
{{- /* Argument list layout: first item is the root context, last item is the indent, the items in between form the values path. */ -}}
{{- $root := index . 0 -}}
{{- $indent := index . (sub (len .) 1) | int -}}
{{- $path := slice . 1 (sub (len .) 1) -}}
{{- /* Tier 1: walk .Values along the path, then read the component default. */ -}}
{{- $default := $root.Values -}}
{{- range $path -}}
{{- $default = index $default . | default dict -}}
{{- end -}}
{{- $default = $default.defaultPodSecurityContext | default dict -}}
{{- /* Tier 2: chart-wide setting shared by all components. */ -}}
{{- $global := $root.Values.sourcegraph.podSecurityContext | default dict -}}
{{- /* Tier 3: walk the same path again and read the component-specific override. */ -}}
{{- $override := $root.Values -}}
{{- range $path -}}
{{- $override = index $override . | default dict -}}
{{- end -}}
{{- $override = $override.podSecurityContext | default dict -}}
{{- /* Merge into a deep copy of the default so the maps under .Values are not written to; later arguments take precedence. */ -}}
{{- $merged := mustMergeOverwrite (deepCopy $default) $global $override -}}
{{- /* Render the key only when the merged map has at least one entry. */ -}}
{{- if $merged | keys | len | ne 0 }}
{{ "securityContext:" | indent $indent }}
{{ toYaml $merged | indent (add $indent 2 | int) -}}
{{- end -}}
{{- end -}}