From 9c5208bf57eab6b9ccac4a5a87e8989aeb0496e5 Mon Sep 17 00:00:00 2001
From: Dani Louca
Date: Fri, 26 May 2023 11:34:52 -0400
Subject: [PATCH] runAsUser SecurityContext not working for windows
Signed-off-by: Dani Louca
---
 .../splunk-otel-collector/templates/_helpers.tpl | 13 +++++++++++++
 .../splunk-otel-collector/templates/daemonset.yaml | 6 +-----
 .../templates/deployment-cluster-receiver.yaml | 2 +-
 .../templates/deployment-gateway.yaml | 2 +-
 .../templates/revert-patch-log-dirs-hook.yaml | 2 +-
 5 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/helm-charts/splunk-otel-collector/templates/_helpers.tpl b/helm-charts/splunk-otel-collector/templates/_helpers.tpl
index 24dc89faf3..0ed7fa2099 100644
--- a/helm-charts/splunk-otel-collector/templates/_helpers.tpl
+++ b/helm-charts/splunk-otel-collector/templates/_helpers.tpl
@@ -428,3 +428,16 @@ Whether clusterReceiver should be enabled
 {{- $clusterReceiver := fromYaml (include "splunk-otel-collector.clusterReceiver" .) }}
 {{- and $clusterReceiver.enabled (or (eq (include "splunk-otel-collector.metricsEnabled" .) "true") (eq (include "splunk-otel-collector.objectsOrEventsEnabled" .) "true")) -}}
 {{- end -}}
+
+
+{{/*
+Build the securityContext for Linux and Windows
+*/}}
+{{- define "splunk-otel-collector.securityContext" -}}
+{{- if .isWindows }}
+{{- $_ := unset .securityContext "runAsUser" }}
+{{- else if and (eq (toString .securityContext.runAsUser) "") (.setRunAsUser) }}
+{{- $_ := set .securityContext "runAsUser" 0 }}
+{{- end }}
+{{- toYaml .securityContext }}
+{{- end -}}
diff --git a/helm-charts/splunk-otel-collector/templates/daemonset.yaml b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
index d3bcb9b12d..29f6406f82 100644
--- a/helm-charts/splunk-otel-collector/templates/daemonset.yaml
+++ b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
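Review bot: In the new helper's `else if` branch, `eq (toString .securityContext.runAsUser) ""` probably never matches an unset key, since sprig's `toString` renders a nil value as `<nil>` rather than an empty string; if so the `runAsUser: 0` default is silently lost, so the rendered agent manifest is worth checking with no `runAsUser` in values. A key test states the intent directly: `{{- else if and .setRunAsUser (not (hasKey .securityContext "runAsUser")) }}`. The helper also mutates the caller's map through `unset`/`set`; working on `deepCopy .securityContext` would keep later reads of the same values unaffected. The doc comment should say that on Windows `runAsUser` is dropped without a replacement, so the account comes from the image unless `windowsOptions.runAsUserName` is set.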
@@ -251,11 +251,7 @@ spec:
 imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
 {{- if or $agent.securityContext (and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel")) }}
 securityContext:
- {{- if $agent.securityContext }}
- {{- toYaml $agent.securityContext | nindent 10 }}
- {{- else }}
- runAsUser: 0
- {{- end }}
+ {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $agent.securityContext "setRunAsUser" true) | nindent 10 }}
 {{- end }}
 env:
 - name: SPLUNK_MEMORY_TOTAL_MIB
diff --git a/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml b/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml
index 58af2e2299..ccce7abee1 100644
--- a/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml
+++ b/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml
@@ -79,7 +79,7 @@ spec:
 {{- end }}
 {{- if $clusterReceiver.securityContext }}
 securityContext:
- {{ toYaml $clusterReceiver.securityContext | nindent 8 }}
+ {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 8 }}
 {{- end }}
 {{- if eq (include "splunk-otel-collector.distribution" .) "eks/fargate" }}
 initContainers:
diff --git a/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml b/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml
index 21e3fa3ea7..a7f970431c 100644
--- a/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml
+++ b/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml
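Review bot: Passing `"setRunAsUser" true` unconditionally changes who gets root in the agent container: before this hunk a user-supplied `agent.securityContext` was rendered verbatim, whereas now a supplied context that lacks `runAsUser` (for example one carrying only `runAsNonRoot: true`) is meant to have `runAsUser: 0` injected by the helper on Linux. Keeping the old rule, root only when no context was given, would be `"setRunAsUser" (empty $agent.securityContext)`. If `$agent.securityContext` can be nil in the logs-enabled branch, the helper's `set`/`unset` calls would fail on it, so passing `($agent.securityContext | default dict)` is safer; `$agent` is defined outside this hunk, so that part is an assumption.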
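Review bot: Only `runAsUser` is removed for Windows at this pod-level `securityContext`, yet other fields a user may have set here, such as `runAsGroup`, `fsGroup` or `seLinuxOptions`, are just as Linux-specific and are still rendered. Depending on the cluster version they are likely either ignored or rejected for Windows pods, so the helper should strip them too or the values documentation should state that they must be left out when `isWindows` is true. The gateway hunk in deployment-gateway.yaml renders through the same helper and has the same gap.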
@@ -59,7 +59,7 @@ spec:
 {{- end }}
 {{- if $gateway.securityContext }}
 securityContext:
- {{ toYaml $gateway.securityContext | nindent 8 }}
+ {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 8 }}
 {{- end }}
 containers:
 - name: otel-collector
diff --git a/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml b/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml
index 7ac37d50f3..6f84e3de79 100644
--- a/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml
+++ b/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml
@@ -1,4 +1,4 @@
-{{- if or (and (.Values.fluentd.securityContext.runAsUser) (.Values.fluentd.securityContext.runAsGroup)) (and (.Values.agent.securityContext.runAsUser) (.Values.agent.securityContext.runAsGroup)) }}
+{{- if or (and (.Values.fluentd.securityContext.runAsUser) (.Values.fluentd.securityContext.runAsGroup) (not .Values.isWindows) ) (and (.Values.agent.securityContext.runAsUser) (.Values.agent.securityContext.runAsGroup) (not .Values.isWindows) ) }}
 apiVersion: v1
 kind: Pod
 metadata:
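Review bot: The `(not .Values.isWindows)` guard is repeated inside both `and` groups of the new first line, which makes an already long condition harder to audit. Hoisting it once reads more clearly, in the shape `{{- if and (not .Values.isWindows) (or (and …fluentd pair…) (and …agent pair…)) }}` with the two existing `runAsUser`/`runAsGroup` pairs kept as the inner groups. A short template comment above the condition, for example `{{/* Not rendered on Windows, where runAsUser/runAsGroup are not applied */}}`, would record why the guard is there.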