From 32c685cd2a6e9d2294607c98d36d2f5535bf6bdd Mon Sep 17 00:00:00 2001
From: jsirianni <joe.sirianni@observiq.com>
Date: Fri, 23 Jun 2023 14:09:20 -0400
Subject: [PATCH] support configuring pod and container security context

---
 charts/bindplane/Chart.yaml               |  2 +-
 charts/bindplane/templates/bindplane.yaml | 14 ++++++--------
 charts/bindplane/values.yaml              | 18 ++++++++++++++++++
 3 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/charts/bindplane/Chart.yaml b/charts/bindplane/Chart.yaml
index 1e44c03f..c74a2ee1 100644
--- a/charts/bindplane/Chart.yaml
+++ b/charts/bindplane/Chart.yaml
@@ -3,7 +3,7 @@ name: bindplane
 description: BindPlane OP is an open source observability pipeline.
 type: application
 # The chart's version
-version: 0.0.32
+version: 0.0.33
 # The BindPlane OP tagged release. If the user does not
 # set the `image.tag` values option, this version is used.
 appVersion: 1.17.1
diff --git a/charts/bindplane/templates/bindplane.yaml b/charts/bindplane/templates/bindplane.yaml
index ba5b1e08..71f121a6 100644
--- a/charts/bindplane/templates/bindplane.yaml
+++ b/charts/bindplane/templates/bindplane.yaml
@@ -29,8 +29,10 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
       serviceAccountName: {{ include "bindplane.fullname" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        fsGroup: 65534
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: server
           image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}
@@ -350,14 +352,10 @@ spec:
             httpGet:
               path: /health
               port: http
+          {{- with .Values.containerSecurityContext }}
           securityContext:
-            runAsNonRoot: true
-            runAsUser: 65534
-            # Persistent data is written to a volume, the bindplane process should
-            # never need to write to the container filesystem.
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop: ["ALL"]
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             {{- if eq .Values.backend.type "bbolt" }}
             - mountPath: /data
diff --git a/charts/bindplane/values.yaml b/charts/bindplane/values.yaml
index c50c447a..20039001 100644
--- a/charts/bindplane/values.yaml
+++ b/charts/bindplane/values.yaml
@@ -211,3 +211,21 @@ email:
   sendgrid:
     # -- The sendgrid API token to use when authenticating to Sendgrid.
     token: ""
+
+# -- The Pod spec's securityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
+podSecurityContext:
+  # This field supports all pod securityContext options.
+  # BindPlane uses the following container securityContext by default:
+  fsGroup: 65534
+
+# -- The Container's securityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container.
+containerSecurityContext:
+  # This field supports all container securityContext options.
+  # BindPlane uses the following container securityContext by default:
+  runAsNonRoot: true
+  runAsUser: 65534
+  # Persistent data is written to a volume, the bindplane process should
+  # never need to write to the container filesystem.
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: ["ALL"]