[stacks-blockchain] add initContainerSecurityContext option

hirosystems · Sep 27, 2022 · c70bc6f · c70bc6f
1 parent 39baf5b
commit c70bc6f
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 9 deletions.
diff --git a/hirosystems/stacks-blockchain/Chart.lock b/hirosystems/stacks-blockchain/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: bitcoin-core
   repository: https://charts.hiro.so/hirosystems
-  version: 1.0.1
+  version: 1.1.0
 - name: common
   repository: https://charts.bitnami.com/bitnami
   version: 1.17.1
-digest: sha256:84d06d4cfdd4896f39f203925e68a1c518bbe1e2de7710d2298e7a09ba8fa869
-generated: "2022-08-26T14:08:14.453358-04:00"
+digest: sha256:3db4e457ff36fe8b49bfa5f6f7a9a8ae865dce13bbc61799dad30e1719ac3b79
+generated: "2022-09-27T09:54:15.412558-04:00"
diff --git a/hirosystems/stacks-blockchain/Chart.yaml b/hirosystems/stacks-blockchain/Chart.yaml
@@ -33,4 +33,4 @@ name: stacks-blockchain
 sources:
   - https://github.com/stacks-network/stacks-blockchain
   - https://docs.stacks.co/
-version: 1.0.3
+version: 1.1.0
diff --git a/hirosystems/stacks-blockchain/templates/statefulset.yaml b/hirosystems/stacks-blockchain/templates/statefulset.yaml
@@ -88,8 +88,8 @@ spec:
               else
                 echo "Previous data found. Exiting."
               fi
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- if .Values.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.resources }}
           resources: {{- toYaml .Values.resources | nindent 12 }}
@@ -109,9 +109,9 @@ spec:
             - /bin/bash
             - -ec
             - |
-              chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.containerSecurityContext.fsGroup }} {{ .Values.persistence.mountPath }}
-          {{- if .Values.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+              chown -R {{ .Values.initContainerSecurityContext.runAsUser }}:{{ .Values.initContainerSecurityContext.fsGroup }} {{ .Values.persistence.mountPath }}
+          {{- if .Values.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.volumePermissions.resources }}
           resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}

diff --git a/hirosystems/stacks-blockchain/values.yaml b/hirosystems/stacks-blockchain/values.yaml
@@ -213,6 +213,19 @@ containerSecurityContext:
   runAsNonRoot: true
   readOnlyRootFilesystem: false
 
+## Configure Init Container Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param stacksBlockchain.initContainerSecurityContext.enabled Enabled stacks-blockchain init containers' Security Context
+## @param stacksBlockchain.initContainerSecurityContext.runAsUser Set stacks-blockchain init containers' Security Context runAsUser
+## @param stacksBlockchain.initContainerSecurityContext.runAsNonRoot Set stacks-blockchain init containers' Security Context runAsNonRoot
+## @param stacksBlockchain.initContainerSecurityContext.readOnlyRootFilesystem Set stacks-blockchain init containers' Security Context runAsNonRoot
+##
+initContainerSecurityContext:
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+
 ## @param stacksBlockchain.existingConfigmap The name of an existing ConfigMap with your custom configuration for stacks-blockchain
 ##
 existingConfigmap: