add securityContext overrides for st2web as nginx has unique caps req…

…uirements
StackStorm · Dec 7, 2021 · ea730a0 · ea730a0
1 parent f585af8
commit ea730a0
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
@@ -432,7 +432,7 @@ spec:
       - name: st2web
         image: '{{ template "imageRepository" . }}/st2web:{{ tpl (.Values.st2web.image.tag | default .Values.image.tag) . }}'
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        {{- with .Values.securityContext }}
+        {{- with default .Values.securityContext .Values.st2web.securityContext }}
         securityContext: {{- toYaml . | nindent 10 }}
         {{- end }}
         ports:
@@ -515,7 +515,7 @@ spec:
     {{- with .Values.dnsConfig }}
       dnsConfig: {{- toYaml . | nindent 8 }}
     {{- end }}
-    {{- with .Values.podSecurityContext }}
+    {{- with default .Values.podSecurityContext .Values.st2client.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.st2web.nodeSelector }}

diff --git a/values.yaml b/values.yaml
@@ -235,7 +235,7 @@ st2:
 
 ##
 ## Default SecurityContext for pods and containers.
-## Overrides available for st2actionrunner, st2sensorcontainer, and st2client pods.
+## Overrides available for st2web, st2actionrunner, st2sensorcontainer, and st2client pods.
 ##
 podSecurityContext: {}
 securityContext: {}
@@ -311,6 +311,9 @@ st2web:
   # ST2WEB_HTTPS: 1
   serviceAccount:
     attach: false
+  # override the default .podSecurityContext or .securityContext here
+  podSecurityContext: {}
+  securityContext: {}  # NB: nginx requires some capabilities, drop ALL will cause issues.
   # mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
   ## Note that Helm templating is supported in 'mount' and 'volume'
   extra_volumes: []