Allow the user to specify container securityContext. Fixes #97 #99

README.md

@@ -45,4 +45,5 @@ Configure your Infinispan cluster by specifying values in the `deploy.*` section
 | `deploy.makeDataDirWritable` | Allows write access to the `data` directory for each Infinispan Server node. | false | Setting the value to `true` creates an initContainer that runs `chmod -R` on the `/opt/infinispan/server/data` directory and changes its permissions. |
 | `deploy.monitoring.enabled` | Enable or disable `ServiceMonitor` functionality. | false | Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled. |
 | `deploy.nameOverride` | Specifies a name for all Infinispan cluster resources. | Helm Chart release name | Configure a name for the created resources only if you need it to be different to the Helm Chart release name. |
+| `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.infinispan` | Infinispan Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |

README.md.tpl

@@ -45,4 +45,5 @@ Configure your {brandname} cluster by specifying values in the `deploy.*` sectio
 | `deploy.makeDataDirWritable` | Allows write access to the `data` directory for each {brandname} Server node. | false | Setting the value to `true` creates an initContainer that runs `chmod -R` on the `/opt/infinispan/server/data` directory and changes its permissions. |
 | `deploy.monitoring.enabled` | Enable or disable `ServiceMonitor` functionality. | false | Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled. |
 | `deploy.nameOverride` | Specifies a name for all {brandname} cluster resources. | Helm Chart release name | Configure a name for the created resources only if you need it to be different to the Helm Chart release name. |
+| `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.infinispan` | {brandname} Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |

documentation/asciidoc/topics/ref_deployment_configuration_values.adoc

@@ -22,7 +22,7 @@ You can also find field and value descriptions in the link:{helm_chart_readme}[{
 |No default value.
 
 |`deploy.container.libraries`
-| Libraries to be downloaded before server startup. Specify multiple, space-separated artifacts represented as URLs or as Maven coordinates. Archive artifacts in .tar, .tar.gz or .zip formats will be extracted. 
+| Libraries to be downloaded before server startup. Specify multiple, space-separated artifacts represented as URLs or as Maven coordinates. Archive artifacts in .tar, .tar.gz or .zip formats will be extracted.
 |No default value.
 
 |`deploy.container.storage.ephemeral`
@@ -102,6 +102,10 @@ If you do not specify a port, the platform selects an available one.
 |Allows write access to the `data` directory for each {brandname} Server node. |`false`
 If you set the value to `true`, {brandname} creates an initContainer that runs `chmod -R` on the `/opt/infinispan/server/data` directory to change permissions.
 
+|`deploy.securityContext`
+|Configures the securityContext used by the StatefulSet pods. |`{}`
+This can be used to change the group of mounted file systems. Set `securityContext.fsGroup` to `185` if you need to explicitly match the group owner for `/opt/infinispan/server/data` to the default {brandname}'s group
+
 |`deploy.monitoring.enabled`
 |Enable or disable monitoring using `ServiceMonitor`.
 | `false` Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled.

templates/statefulset.yaml

@@ -33,6 +33,12 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- end }}
+      {{- if .Values.deploy.securityContext }}
+      securityContext:
+      {{- with .Values.deploy.securityContext }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- end }}
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -163,4 +169,4 @@ spec:
         resources:
           requests:
             storage: {{ .Values.deploy.container.storage.size }}
-  {{- end }}
+  {{- end }}

values.schema.json

@@ -180,6 +180,13 @@
                         "null"
                     ]
                 },
+                "securityContext": {
+                  "description": "Defines the securityContext policy used by the cluster's StatefulSet.",
+                    "type": [
+                        "object",
+                        "null"
+                    ]
+                },
                 "expose": {
                     "description": "Controls network access to Infinispan Server endpoints.",
                     "properties": {

values.schema.json.tpl

@@ -180,6 +180,13 @@
                         "null"
                     ]
                 },
+                "securityContext": {
+                  "description": "Defines the securityContext policy used by the cluster's StatefulSet.",
+                    "type": [
+                        "object",
+                        "null"
+                    ]
+                },
                 "expose": {
                     "description": "Controls network access to {brandname} Server endpoints.",
                     "properties": {

values.yaml

@@ -83,9 +83,12 @@ deploy:
   tolerations: []
 
   nodeAffinity: {}
-  
+
   nodeSelector: {}
 
+  securityContext:
+    fsGroup: 185
+
   infinispan:
     cacheContainer:
       # [USER] Add cache, template, and counter configuration.