[stacks-blockchain-api] add initContainerSecurityContext option

hirosystems · Sep 27, 2022 · f54cab9 · f54cab9
1 parent c70bc6f
commit f54cab9
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 15 deletions.
diff --git a/hirosystems/stacks-blockchain-api/Chart.lock b/hirosystems/stacks-blockchain-api/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: stacks-blockchain
   repository: https://charts.hiro.so/hirosystems
-  version: 1.0.3
+  version: 1.1.0
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 11.8.1
+  version: 11.9.1
 - name: common
   repository: https://charts.bitnami.com/bitnami
   version: 1.17.1
-digest: sha256:493958949f125bed3ca3f3b20af95990666a44c5cda064f5e905ae5ea4e7a1da
-generated: "2022-09-01T18:00:37.82902-04:00"
+digest: sha256:f946ed2a24c9d3269af44f19d9824f8852ef057c6cd49ef935dfbaad2222f58a
+generated: "2022-09-27T09:58:24.643457-04:00"
diff --git a/hirosystems/stacks-blockchain-api/Chart.yaml b/hirosystems/stacks-blockchain-api/Chart.yaml
@@ -41,4 +41,4 @@ sources:
   - https://github.com/hirosystems/stacks-blockchain-api
   - https://docs.hiro.so/api
   - https://docs.hiro.so/get-started/stacks-blockchain-api
-version: 1.0.5
+version: 1.1.0
diff --git a/hirosystems/stacks-blockchain-api/templates/api-writer/statefulset.yaml b/hirosystems/stacks-blockchain-api/templates/api-writer/statefulset.yaml
@@ -94,6 +94,12 @@ spec:
               else
                 echo "Previous data found. Exiting."
               fi
+          {{- if .Values.apiWriter.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.apiWriter.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.apiWriter.resources }}
+          resources: {{- toYaml .Values.apiWriter.resources | nindent 12 }}
+          {{- end }}
         {{- if .Values.apiWriter.config.exportEvents }}
         - name: export-events
           image: {{ template "stacksBlockchainApi.image" . }}
@@ -125,8 +131,8 @@ spec:
             - -c
             - |
               node ./lib/index.js export-events --file ${STACKS_EXPORT_EVENTS_FILE}
-          {{- if .Values.apiWriter.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.apiWriter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- if .Values.apiWriter.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.apiWriter.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.apiWriter.resources }}
           resources: {{- toYaml .Values.apiWriter.resources | nindent 12 }}
@@ -159,8 +165,8 @@ spec:
               else
                 echo "Previous data found. Exiting."
               fi
-          {{- if .Values.apiWriter.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.apiWriter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- if .Values.apiWriter.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.apiWriter.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.apiWriter.resources }}
           resources: {{- toYaml .Values.apiWriter.resources | nindent 12 }}
@@ -180,10 +186,10 @@ spec:
             - /bin/bash
             - -ec
             - |
-              chown -R {{ .Values.apiWriter.containerSecurityContext.runAsUser }}:{{ .Values.apiWriter.containerSecurityContext.fsGroup }} {{ .Values.apiWriter.persistence.data.mountPath }}
-              chown -R {{ .Values.apiWriter.containerSecurityContext.runAsUser }}:{{ .Values.apiWriter.containerSecurityContext.fsGroup }} {{ .Values.apiWriter.persistence.bns.mountPath }}
-          {{- if .Values.apiWriter.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.apiWriter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+              chown -R {{ .Values.apiWriter.initContainerSecurityContext.runAsUser }}:{{ .Values.apiWriter.initContainerSecurityContext.fsGroup }} {{ .Values.apiWriter.persistence.data.mountPath }}
+              chown -R {{ .Values.apiWriter.initContainerSecurityContext.runAsUser }}:{{ .Values.apiWriter.initContainerSecurityContext.fsGroup }} {{ .Values.apiWriter.persistence.bns.mountPath }}
+          {{- if .Values.apiWriter.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.apiWriter.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.apiWriter.volumePermissions.resources }}
           resources: {{- toYaml .Values.apiWriter.volumePermissions.resources | nindent 12 }}
@@ -224,8 +230,8 @@ spec:
             - -c
             - |
               node ./lib/index.js import-events --file ${STACKS_EXPORT_EVENTS_FILE} --wipe-db --force --mode pruned
-          {{- if .Values.apiWriter.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.apiWriter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- if .Values.apiWriter.initContainerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.apiWriter.initContainerSecurityContext "enabled" | toYaml | nindent 12 }}
           {{- end }}
           {{- if .Values.apiWriter.resources }}
           resources: {{- toYaml .Values.apiWriter.resources | nindent 12 }}

diff --git a/hirosystems/stacks-blockchain-api/values.yaml b/hirosystems/stacks-blockchain-api/values.yaml
@@ -204,6 +204,19 @@ apiWriter:
     runAsNonRoot: true
     readOnlyRootFilesystem: false
 
+  ## Configure Init Container Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  ## @param apiWriter.initContainerSecurityContext.enabled Enabled Stacks Blockchain API Writer init containers' Security Context
+  ## @param apiWriter.initContainerSecurityContext.runAsUser Set Stacks Blockchain API Writer init containers' Security Context runAsUser
+  ## @param apiWriter.initContainerSecurityContext.runAsNonRoot Set Stacks Blockchain API Writer init containers' Security Context runAsNonRoot
+  ## @param apiWriter.initContainerSecurityContext.readOnlyRootFilesystem Set Stacks Blockchain API Writer init containers' Security Context runAsNonRoot
+  ##
+  initContainerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false
+
   service:
     ## @param service.type Stacks Blockchain API Writer service type
     ##