[Application]: add command to container and sidecars and fix security context (again) (#164)

We trapped into helm/helm#5238 with the merge
of default security context with specific ones in sidecar or
initcontainer.

objects seem to be merged by using the `or` operation - effectively
making `true` always the result for bool properties.

with this change, behavior changes, but as it was already wrong in the
past it just can get better.

---------

Co-authored-by: mhaxp <hartkopf@xplace.de>
Co-authored-by: Florian Heubeck <40993644+heubeck@users.noreply.github.com>
Co-authored-by: Florian Heubeck <heubeck@mediamarktsaturn.com>

Author: 3 people

chart-tests/application/ci/test-image-lifecycle-values.yaml

@@ -9,7 +9,8 @@ image:
   repository: busybox
   tag: stable
 container:
-  args: ["sleep", "2000"]
+  command: ["sh", "-c"]
+  args: ["sleep 2000"]
 lifecycle:
   postStart:
     exec:

chart-tests/application/ci/test-init-container-values.yaml

@@ -32,8 +32,11 @@ initContainers:
     command: ['ls', '-lah', '/']
     env: {}
     restartPolicy: Never
-    securityContext:
-      runAsNonRoot: true
-      allowPrivilegeEscalation: false
-      runAsUser: 65534
-      runAsGroup: 65534
+
+
+initDefaults:
+  securityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    runAsUser: 65534
+    runAsGroup: 65534

chart-tests/application/ci/test-sidecar-values.yaml

@@ -30,6 +30,7 @@ sidecars:
       port: 9090
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
     volumeMountNames:
       - share
     ports:
@@ -55,6 +56,17 @@ sidecars:
       port: 7070
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
+  - name: commandtest
+    image:
+      repository: busybox
+      tag: stable
+    command: ["sh", "-c"]
+    args: ["sleep 2000"]
+    livenessProbe:
+      cmd: ['ls']
+    readinessProbe:
+      cmd: ['ls']
 
 sidecarDefaults:
   resources:
@@ -64,3 +76,6 @@ sidecarDefaults:
     limits:
       cpu: 100m
       memory: 100Mi
+  securityContext:
+    runAsNonRoot: false
+    allowPrivilegeEscalation: false

chart-tests/application/ci/test-statefulset-sidecar-values.yaml

@@ -33,6 +33,7 @@ sidecars:
       port: 9090
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
     volumeMountNames:
       - share
   - name: kickback
@@ -54,6 +55,7 @@ sidecars:
       port: 7070
     securityContext:
       runAsUser: 65532
+      allowPrivilegeEscalation: false
 
 sidecarDefaults:
   resources:

charts/application/Chart.yaml

@@ -7,4 +7,4 @@ maintainers:
   - name: MediaMarktSaturn
     url: https://github.com/MediaMarktSaturn
 appVersion: 1.0.0
-version: 1.29.1
+version: 1.30.0

charts/application/templates/_podTemplate.tpl

@@ -62,11 +62,7 @@ spec:
         - {{ . | quote }}
         {{- end }}
       securityContext:
-        {{- if and $i.securityContext $.Values.initDefaults.securityContext }}
-        {{- toYaml (merge $i.securityContext $.Values.initDefaults.securityContext) | nindent 8 }}
-        {{- else }}
-        {{- toYaml (or $i.securityContext $.Values.initDefaults.securityContext) | nindent 8 }}
-        {{- end }}
+        {{- toYaml (default $.Values.initDefaults.securityContext $i.securityContext ) | nindent 8 }}
       resources:
         {{- toYaml (or $i.resources $.Values.initDefaults.resources) | nindent 8 }}
       env:
@@ -121,16 +117,18 @@ spec:
       image: "{{ .image.repository }}:{{ .image.tag }}"
       {{- end }}
       imagePullPolicy: {{ or $s.image.pullPolicy $.Values.sidecarDefaults.image.pullPolicy }}
+      {{- if $s.command }}
+      command:
+        {{- range $s.command }}
+        - {{ . | quote }}
+        {{- end }}
+      {{- end }}
       args: {{ if not $s.args }}[]{{ end }}
         {{- range $s.args }}
         - {{ . | quote }}
         {{- end }}
       securityContext:
-        {{- if and $s.securityContext $.Values.sidecarDefaults.securityContext }}
-        {{- toYaml (merge $s.securityContext $.Values.sidecarDefaults.securityContext) | nindent 8 }}
-        {{- else }}
-        {{- toYaml (or $s.securityContext $.Values.sidecarDefaults.securityContext) | nindent 8 }}
-        {{- end }}
+        {{- toYaml (default $.Values.sidecarDefaults.securityContext $s.securityContext) | nindent 8 }}
       resources:
         {{- toYaml (or $s.resources $.Values.sidecarDefaults.resources) | nindent 8 }}
       env:
@@ -254,6 +252,12 @@ spec:
       image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
       {{- end }}
       imagePullPolicy: {{ .Values.image.pullPolicy }}
+      {{- if .Values.container.command }}
+      command:
+        {{- range .Values.container.command }}
+        - {{ . | quote }}
+        {{- end }}
+      {{- end }}
       args: {{ if not .Values.container.args }}[]{{ end }}
         {{- range .Values.container.args }}
         - {{ . | quote }}

charts/application/values.yaml

@@ -12,6 +12,8 @@ container:
   # annotations to be added to the pod template
   annotations:
     "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
+  # command line given to the container; []string
+  command: []
   # arguments given to the container; []string
   args: []
 
@@ -342,6 +344,7 @@ sidecars: []
 #   image:
 #     repository: quay.io/heubeck/examiner
 #     tag: 1.13.3
+#   command: []
 #   args: []
 #   env: {}
 #   configEnvFrom: []
@@ -425,6 +428,7 @@ initDefaults:
       cpu: 500m
       memory: 100Mi
   restartPolicy: Always
+  # securityContext: {}
 
 # List of tolerations, will be taken over like-for-like to pod-spec
 tolerations: []