From aef4f73d859f815fd53db10a93031cee04e9ea86 Mon Sep 17 00:00:00 2001 From: Zadkiel AHARONIAN Date: Wed, 11 Dec 2024 10:13:33 +0100 Subject: [PATCH] fix(helm): redundant container security contexts (#458) Signed-off-by: GitHub --- .github/workflows/pull_request.yaml | 32 +++++++++++----- .../forecastle/templates/deployment.yaml | 9 ++--- .../forecastle/tests/deployment_test.yaml | 37 +++++++++++++++++++ .../kubernetes/chart/forecastle/values.yaml | 12 ------ .../templates/chart/values.yaml.tmpl | 9 ++--- 5 files changed, 67 insertions(+), 32 deletions(-) create mode 100644 deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index 61c25158..267eaae8 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -9,6 +9,7 @@ env: DOCKER_FILE_PATH: Dockerfile KUBERNETES_VERSION: "1.22.2" KIND_VERSION: "0.10.0" + HELM_VERSION: "3.16.3" REGISTRY: ghcr.io jobs: @@ -22,10 +23,6 @@ jobs: with: ref: ${{github.event.pull_request.head.sha}} - # Setting up helm binary - - name: Set up Helm - uses: azure/setup-helm@v3 - - name: Set up Go id: go uses: actions/setup-go@v4 @@ -41,11 +38,6 @@ jobs: go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 golangci-lint run --timeout=10m ./... - - name: Helm Lint - run: | - cd deployments/kubernetes/chart/forecastle - helm lint - - name: Generate Tag id: generate_tag run: | @@ -64,7 +56,6 @@ jobs: echo GHCR_IMAGE_REPOSITORY=${{env.REGISTRY}}/$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV # To identify any broken changes in dockerfiles or dependencies - - name: Build image uses: docker/build-push-action@v5 with: 
@@ -81,3 +72,24 @@ jobs: org.opencontainers.image.source=${{ github.event.repository.clone_url }} org.opencontainers.image.created=${{ steps.prep.outputs.created }} org.opencontainers.image.revision=${{ github.sha }} + + test-helm: + runs-on: ubuntu-latest + name: Test Helm + if: "! contains(toJSON(github.event.commits.*.message), '[skip-ci]')" + steps: + + - name: Check out code + uses: actions/checkout@v4 + with: + ref: ${{github.event.pull_request.head.sha}} + + - uses: d3adb5/helm-unittest-action@v2 + with: + helm-version: v${{ env.HELM_VERSION }} + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Helm Lint + run: | + cd deployments/kubernetes/chart/forecastle + helm lint diff --git a/deployments/kubernetes/chart/forecastle/templates/deployment.yaml b/deployments/kubernetes/chart/forecastle/templates/deployment.yaml index 803cc814..7b59a4e4 100644 --- a/deployments/kubernetes/chart/forecastle/templates/deployment.yaml +++ b/deployments/kubernetes/chart/forecastle/templates/deployment.yaml @@ -31,7 +31,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} containers: - - securityContext: {{- toYaml .Values.forecastle.container.securityContext | nindent 12 }} + - {{- $containerSecurityContext := mustMergeOverwrite ((.Values.forecastle.container).securityContext | default dict) ((.Values.forecastle.deployment).securityContext | default dict) }} + {{- if $containerSecurityContext }} + securityContext: {{- toYaml $containerSecurityContext | nindent 12 }} + {{- end }} env: - name: KUBERNETES_NAMESPACE valueFrom: @@ -46,10 +49,6 @@ spec: volumeMounts: - name: {{ template "forecastle.name" . }}-config mountPath: /etc/forecastle - {{- with .Values.forecastle.deployment.securityContext }} - securityContext: - {{- toYaml . | nindent 10 }} - {{- end }} {{- if .Values.forecastle.openshiftOauthProxy.enabled }} - name: oauth-proxy image: "{{ default "stakater/oauth-proxy:v0.0.2" .Values.forecastle.openshiftOauthProxy.image }}" 
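Review bot: The new `test-helm` job hands `secrets.GITHUB_TOKEN` to a third-party action that is pinned only by a mutable tag, `uses: d3adb5/helm-unittest-action@v2`, and declares no `permissions:` block, so the token carries whatever default permissions the repository grants to workflows. Pin both actions to a full commit SHA with the version as a trailing comment, e.g. `uses: d3adb5/helm-unittest-action@<full-commit-sha> # v2`, and add `permissions:` / `  contents: read` beneath `runs-on: ubuntu-latest` so the token is read-only even when the workflow runs for a branch in this repository rather than a fork. The guard `if: "! contains(toJSON(github.event.commits.*.message), '[skip-ci]')"` reads a field that only `push` payloads carry; if this workflow fires on `pull_request` (the checkout `ref: ${{github.event.pull_request.head.sha}}` suggests so, though the `on:` block is outside the hunk) the condition is always true and should either be dropped or read the pull request's head commit instead.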
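Review bot: `mustMergeOverwrite` writes its source maps into its first argument and returns it, so whenever `.Values.forecastle.container.securityContext` is a non-empty map (the `| default dict` only substitutes a fresh map when it is empty) the deprecated value inside `.Values` is mutated in place, and any other template or NOTES.txt rendered afterwards that reads it can see the merged result. Merge into a throwaway map instead: `{{- $containerSecurityContext := mustMergeOverwrite (dict) ((.Values.forecastle.container).securityContext | default dict) ((.Values.forecastle.deployment).securityContext | default dict) }}`. The precedence (deployment over the deprecated container key) is only discoverable from the tests, so a template comment above the merge, `{{- /* deployment.securityContext wins over the deprecated container.securityContext */ }}`, is worth adding. Note also that the merged context is applied to the first container only; the `oauth-proxy` sidecar rendered under `{{- if .Values.forecastle.openshiftOauthProxy.enabled }}` in the next hunk still gets no `securityContext`, so the two containers diverge in hardening.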
diff --git a/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml b/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml new file mode 100644 index 00000000..c15d0ae9 --- /dev/null +++ b/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml @@ -0,0 +1,37 @@ +suite: Deployment + +templates: + - deployment.yaml + - configmap.yaml # dependency + +tests: + - it: includes container security context + template: deployment.yaml + set: + forecastle.deployment.securityContext: { allowPrivilegeEscalation: false } + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + + - it: includes container security context (deprecated) entries + template: deployment.yaml + set: + forecastle.container.securityContext: { allowPrivilegeEscalation: false } + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + + - it: merges container security context fields + template: deployment.yaml + set: + forecastle.container.securityContext: { allowPrivilegeEscalation: true } + forecastle.deployment.securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false } + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation + value: false + - equal: + path: spec.template.spec.containers[0].securityContext.runAsNonRoot + value: true diff --git a/deployments/kubernetes/chart/forecastle/values.yaml b/deployments/kubernetes/chart/forecastle/values.yaml index 3d633ac5..76c5f856 100644 --- a/deployments/kubernetes/chart/forecastle/values.yaml +++ b/deployments/kubernetes/chart/forecastle/values.yaml 
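Review bot: All three cases set at least one of the two values, so the `{{- if $containerSecurityContext }}` guard in the template — the path a default install takes, since both values ship as `{}` — is never exercised, and every assertion stops at `containers[0]`. Add a case that renders with no overrides and asserts the key is absent, so a later change cannot silently start emitting an empty or wrong `securityContext`; if the chart is meant to be hardened out of the box, a further case should assert the shipped defaults (for instance `allowPrivilegeEscalation: false`) rather than only values the test sets itself. The existing `merges container security context fields` case correctly pins that the deployment-level value wins on conflict.
```yaml
  # … unchanged: the three existing cases …
  - it: omits the container securityContext when neither value is set
    template: deployment.yaml
    asserts:
      - isNull:
          path: spec.template.spec.containers[0].securityContext
```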
@@ -43,18 +43,6 @@ forecastle: # memory: 64Mi pod: annotations: {} - container: - securityContext: - {} - #privileged: false - #capabilities: - # drop: - # - ALL - #readOnlyRootFilesystem: true - #runAsNonRoot: true - #runAsUser: 1000 - #runAsGroup: 1000 - #allowPrivilegeEscalation: false podDisruptionBudget: {} #minAvailable: 90% diff --git a/deployments/kubernetes/templates/chart/values.yaml.tmpl b/deployments/kubernetes/templates/chart/values.yaml.tmpl index b85a6e15..de854b28 100644 --- a/deployments/kubernetes/templates/chart/values.yaml.tmpl +++ b/deployments/kubernetes/templates/chart/values.yaml.tmpl @@ -13,14 +13,10 @@ forecastle: annotations: {} affinity: {} nodeSelector: {} - securityContext: {} + podSecurityContext: {} #runAsNonRoot: true # seccompProfile: # type: RuntimeDefault - tolerations: {} - pod: - annotations: {} - container: securityContext: {} #privileged: false #capabilities: @@ -31,6 +27,9 @@ forecastle: #runAsUser: 1000 #runAsGroup: 1000 #allowPrivilegeEscalation: false + tolerations: {} + pod: + annotations: {} resources: {} #limits: # cpu: 100m
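Review bot: Both `podSecurityContext: {}` and `securityContext: {}` ship empty, so a default install runs the forecastle container with privilege escalation allowed, the runtime's default capability set and no seccomp profile pinned — the hardening on the commented lines (`#runAsNonRoot: true`, `#capabilities: drop: - ALL`, `#allowPrivilegeEscalation: false`) is documentation only. The settings that do not depend on the image can be enabled by default as below; `runAsNonRoot`, `runAsUser` and `readOnlyRootFilesystem` need checking against the image's user and write paths, which are outside this diff, so leave those as comments until verified. Separately, the kept `securityContext: {}` context line was a child of the removed `container:` key: unless its indentation was adjusted as well (not visible in this collapsed diff) it now sits beneath `podSecurityContext: {}`, which will not parse, and the rename means whichever template reads the pod-level value must now look up `podSecurityContext` instead of the old `securityContext` or the setting is silently dropped.
```yaml
  podSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    #runAsNonRoot: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    #readOnlyRootFilesystem: true
    # … unchanged: remaining commented runAsUser/runAsGroup hints …
```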