feat: add airflow.defaultContainerSecurityContext value (#624)

* feat: add defaultContainerSecurityContext

Signed-off-by: Philipp Hitzler <[email protected]>

* fix ct lint

Signed-off-by: Philipp Hitzler <[email protected]>

* chore: small cleanups

Signed-off-by: Mathew Wicks <[email protected]>

---------

Signed-off-by: Philipp Hitzler <[email protected]>
Signed-off-by: Mathew Wicks <[email protected]>
Co-authored-by: Mathew Wicks <[email protected]>

charts/airflow/README.md

@@ -218,6 +218,7 @@ Parameter | Description | Default
 `airflow.defaultTolerations` | default toleration configs for airflow Pods (is overridden by pod-specific values) | `[]`
 `airflow.defaultTopologySpreadConstraints` | default topologySpreadConstraints for airflow Pods (is overridden by pod-specific values) | `[]`
 `airflow.defaultSecurityContext` | default securityContext configs for Pods (is overridden by pod-specific values) | `{fsGroup: 0}`
+`airflow.defaultContainerSecurityContext` | default securityContext for Containers in airflow Pods | `{}`
 `airflow.podAnnotations` | extra annotations for airflow Pods | `{}`
 `airflow.extraPipPackages` | extra pip packages to install in airflow Pods | `[]`
 `airflow.protectedPipPackages` | pip packages that are protected from upgrade/downgrade by `extraPipPackages` | `["apache-airflow"]`

charts/airflow/templates/_helpers/pods.tpl

@@ -7,6 +7,9 @@ imagePullPolicy: {{ .Values.airflow.image.pullPolicy }}
 securityContext:
   runAsUser: {{ .Values.airflow.image.uid }}
   runAsGroup: {{ .Values.airflow.image.gid }}
+  {{- if .Values.airflow.defaultContainerSecurityContext }}
+  {{- omit .Values.airflow.defaultContainerSecurityContext "runAsUser" "runAsGroup" | toYaml | nindent 2 }}
+  {{- end }}
 {{- end }}
 
 {{/*
@@ -207,6 +210,9 @@ EXAMPLE USAGE: {{ include "airflow.container.git_sync" (dict "Release" .Release
   securityContext:
     runAsUser: {{ .Values.dags.gitSync.image.uid }}
     runAsGroup: {{ .Values.dags.gitSync.image.gid }}
+    {{- if .Values.airflow.defaultContainerSecurityContext }}
+    {{- omit .Values.airflow.defaultContainerSecurityContext "runAsUser" "runAsGroup" | toYaml | nindent 4 }}
+    {{- end }}
   resources:
     {{- toYaml .Values.dags.gitSync.resources | nindent 4 }}
   envFrom:

charts/airflow/templates/pgbouncer/pgbouncer-deployment.yaml

@@ -141,6 +141,9 @@ spec:
           securityContext:
             runAsUser: {{ .Values.pgbouncer.image.uid }}
             runAsGroup: {{ .Values.pgbouncer.image.gid }}
+            {{- if .Values.airflow.defaultContainerSecurityContext }}
+            {{- omit .Values.airflow.defaultContainerSecurityContext "runAsUser" "runAsGroup" | toYaml | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.pgbouncer.resources | nindent 12 }}
           envFrom:

charts/airflow/values.yaml

@@ -213,6 +213,14 @@ airflow:
     ## this does NOT give root permissions to Pods, only the "root" group
     fsGroup: 0
 
+  ## default securityContext for Containers in airflow Pods
+  ## - spec for SecurityContext:
+  ##   https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#securitycontext-v1-core
+  ## - `runAsUser` is ignored, please set with per-image `*.image.uid`
+  ## - `runAsGroup` is ignored, please set with per-image `*.image.gid`
+  ##
+  defaultContainerSecurityContext: {}
+
   ## extra annotations for airflow Pods
   ##
   podAnnotations: {}
@@ -2183,7 +2191,7 @@ redis:
       ## the access mode of the PVC
       ##
       accessModes:
-      - ReadWriteOnce
+        - ReadWriteOnce
 
       ## the size of PVC to request
       ##