nwalens commented on a change in pull request #18249:
URL: https://github.com/apache/airflow/pull/18249#discussion_r721686719



##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +610,62 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default podsecurity.securityContext
+If no value is passed, defaults to .Values.uid and .Values.gid
+This function is required fr backwards compatibility
+*/}}
+{{- define "defaultSecurityContext" -}}
+{{- if .Values.podSecurity.securityContext -}}
+  {{ .Values.podSecurity.securityContext | toJson }}
+{{- else -}}
+  {{- $result := dict "runAsUser" .Values.uid "fsGroup" .Values.gid }}
+  {{- $result | toJson }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set the default podsecurity.securityContext
+If no value is passed, defaults to .Values.uid and .Values.gid
+This function is required fr backwards compatibility
+*/}}
+{{- define "defaultContainerSecurityContext" -}}
+{{- if .Values.podSecurity.containerSecurityContext -}}
+{{ .Values.podSecurity.containerSecurityContext | toJson }}
+{{- else -}}
+  {{- $result := dict "runAsUser" .Values.uid "runAsGroup" .Values.gid }}
+  {{- $result | toJson }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+For gitSync and statsD, we use their respectice uid properties as fallback
+*/}}
+{{- define "gitSyncContainerSecurityContext" -}}
+{{- if .Values.dags.gitSync.containerSecurityContext -}}
+  {{ .Values.dags.gitSync.containerSecurityContext | toYaml }}
+{{- else if .Values.podSecurity.containerSecurityContext -}}
+  {{ .Values.podSecurity.containerSecurityContext | toYaml }}
+{{- else -}}
+runAsUser: {{ .Values.dags.gitSync.uid }}
+{{- end -}}
+{{- end -}}
+
+{{- define "statsdSecurityContext" -}}
+{{- if .Values.podSecurity.securityContext -}}
+  {{ .Values.podSecurity.securityContext | toJson }}
+{{- else -}}
+  {{- $result := dict "runAsUser" .Values.statsd.uid }}
+  {{- $result | toJson }}
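
Review bot: the doc comment above `defaultContainerSecurityContext` is a copy of the one above `defaultSecurityContext`. It still reads "Set the default podsecurity.securityContext", although the helper reads `.Values.podSecurity.containerSecurityContext` and falls back to `runAsUser`/`runAsGroup` rather than `fsGroup`. Please reword it for the container-level context, fix "fr" and "respectice" while there, and give `statsdSecurityContext` a comment of its own. The helpers also differ in output format (`gitSyncContainerSecurityContext` emits `toYaml`, the other three `toJson`), so each comment should state which format the caller receives and whether it has to be parsed back before use.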

Review comment:
   Hi @jedcunningham, another thing on the gitSync vs the rest with dict.
   When a template is generated, the result is always a string, which in turn
   the rendering of the chart does not seem to understand very well - that is
   the reason for the toJson and fromJson I have there.
   
   When I pass a dict, I can then serialise and deserialise as follows:
   
   *_helpers.yaml:*
   ```
   {{- define "defaultSecurityContext" -}}
   {{- if .Values.podSecurity.securityContext -}}
     {{ .Values.podSecurity.securityContext | toJson }}
   {{- else -}}
     {{- $result := dict "runAsUser" .Values.uid "fsGroup" .Values.gid }}
     {{- $result | toJson }}
   {{- end -}}
   {{- end -}}
   ```
   *webserver-deployment.yaml:*
   ```
   {{- $securityContext := or .Values.webserver.securityContext (include "defaultSecurityContext" . | mustFromJson) }}
   ```
   
   Printing strings works fine for gitSync since it is being done as a template
   instead of an include.
   To make the rest work the same as gitSync, I would have to transfer the
   logic completely to _helpers, including the value we have in the values.yaml.
   When I tried, it became much less readable in my opinion:
   
   *_helpers.yaml:*
   ```
   {{- define "defaultSecurityContext" -}}
     {{- $ := index . 0 -}}
     {{- with index . 1 }}
       {{- if .securityContext -}}
         {{ .securityContext | toYaml }}
       {{- else if $.Values.podSecurity.securityContext -}}
         {{ $.Values.podSecurity.securityContext | toYaml }}
       {{- else -}}
   runAsUser: {{ $.Values.uid }}
   fsGroup: {{ $.Values.gid }}
       {{- end -}}
     {{- end -}}
   {{- end -}}
   ```
   *webserver-deployment.yaml:*
   ```
   {{- $securityContext := include "defaultSecurityContext" (list . .Values.webserver) }}
   ```
   
   I had to pass arguments to the template and then evaluate the proper result
   and output it in a way that the rendering will be understood when building
   the template.
   
   Again, I'm not sure if there is an easier solution, at least I could not
   find one with my limited knowledge in Go templating.
   Any thoughts?
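
The fallback order of the first variant in the comment above, exercised with Go's `text/template` as an added example (not part of the original comment or of the Airflow chart). `toJson`, `mustFromJson`, `dict` and `include` are minimal stand-ins for the Helm/Sprig functions of the same names, and the values passed in are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Helper and call site from the comment (toJson / mustFromJson variant).
const chart = `{{- define "defaultSecurityContext" -}}
{{- if .Values.podSecurity.securityContext -}}
  {{ .Values.podSecurity.securityContext | toJson }}
{{- else -}}
  {{- $result := dict "runAsUser" .Values.uid "fsGroup" .Values.gid }}
  {{- $result | toJson }}
{{- end -}}
{{- end -}}
{{- $securityContext := or .Values.webserver.securityContext (include "defaultSecurityContext" . | mustFromJson) -}}
{{- $securityContext | toJson -}}`

// render returns the securityContext the webserver would get for these values.
func render(values map[string]any) (map[string]any, error) {
	t := template.New("chart")
	t.Funcs(template.FuncMap{ // stand-ins (assumptions), not Helm's own code
		"toJson":       func(v any) (string, error) { b, err := json.Marshal(v); return string(b), err },
		"mustFromJson": func(s string) (m map[string]any, err error) { err = json.Unmarshal([]byte(s), &m); return },
		"dict":         func(k1 string, v1 any, k2 string, v2 any) map[string]any { return map[string]any{k1: v1, k2: v2} },
		"include": func(name string, data any) (string, error) { // a named template only ever yields text
			var buf bytes.Buffer
			err := t.ExecuteTemplate(&buf, name, data)
			return buf.String(), err
		},
	})
	template.Must(t.Parse(chart))
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Values": values}); err != nil {
		return nil, err
	}
	var out map[string]any
	err := json.Unmarshal(buf.Bytes(), &out)
	return out, err
}

func main() {
	// Constructed values: no override set, so the uid/gid fallback applies.
	v := map[string]any{"uid": 50000, "gid": 0, "podSecurity": map[string]any{}, "webserver": map[string]any{}}
	fmt.Println(render(v))
}
```

An override replaces the default map wholesale: setting only `runAsNonRoot` under `podSecurity.securityContext` produces a context with no `runAsUser` or `fsGroup`.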



