nwalens commented on a change in pull request #18249:
URL: https://github.com/apache/airflow/pull/18249#discussion_r722090589



##########
File path: chart/templates/_helpers.yaml
##########
@@ -610,3 +610,62 @@ Create the name of the cleanup service account to use
   {{- end -}}
   {{- $kubeVersion -}}
 {{- end -}}
+
+{{/*
+Set the default podsecurity.securityContext
+If no value is passed, defaults to .Values.uid and .Values.gid
+This function is required fr backwards compatibility
+*/}}
+{{- define "defaultSecurityContext" -}}
+{{- if .Values.podSecurity.securityContext -}}
+  {{ .Values.podSecurity.securityContext | toJson }}
+{{- else -}}
+  {{- $result := dict "runAsUser" .Values.uid "fsGroup" .Values.gid }}
+  {{- $result | toJson }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set the default podsecurity.securityContext
+If no value is passed, defaults to .Values.uid and .Values.gid
+This function is required fr backwards compatibility
+*/}}
+{{- define "defaultContainerSecurityContext" -}}
+{{- if .Values.podSecurity.containerSecurityContext -}}
+{{ .Values.podSecurity.containerSecurityContext | toJson }}
+{{- else -}}
+  {{- $result := dict "runAsUser" .Values.uid "runAsGroup" .Values.gid }}
+  {{- $result | toJson }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+For gitSync and statsD, we use their respectice uid properties as fallback
+*/}}
+{{- define "gitSyncContainerSecurityContext" -}}
+{{- if .Values.dags.gitSync.containerSecurityContext -}}
+  {{ .Values.dags.gitSync.containerSecurityContext | toYaml }}
+{{- else if .Values.podSecurity.containerSecurityContext -}}
+  {{ .Values.podSecurity.containerSecurityContext | toYaml }}
+{{- else -}}
+runAsUser: {{ .Values.dags.gitSync.uid }}
+{{- end -}}
+{{- end -}}
+
+{{- define "statsdSecurityContext" -}}
+{{- if .Values.podSecurity.securityContext -}}
+  {{ .Values.podSecurity.securityContext | toJson }}
+{{- else -}}
+  {{- $result := dict "runAsUser" .Values.statsd.uid }}
+  {{- $result | toJson }}
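Review bot: `gitSyncContainerSecurityContext` (the `define` under "For gitSync and statsD, we use their respectice uid properties as fallback") returns a different shape from the other three helpers, which will break any caller that treats the outputs uniformly: it renders with `toYaml` where `defaultSecurityContext`, `defaultContainerSecurityContext` and `statsdSecurityContext` render with `toJson`, and its fallback branch emits a bare `runAsUser: {{ .Values.dags.gitSync.uid }}` line rather than a one-key object, so it also never carries a `runAsGroup` the way `defaultContainerSecurityContext` does. Suggest building that fallback with `dict "runAsUser" .Values.dags.gitSync.uid` and piping every branch through `toJson`, so a consumer can do `include "gitSyncContainerSecurityContext" . | fromJson` and then `pluck` the keys; `include` always yields a string, which is why the plain-text result cannot be plucked directly. Two smaller points: the header comment above `defaultContainerSecurityContext` is a copy of the pod-level one (it still says `podsecurity.securityContext`, both say "required fr backwards compatibility", and the gitSync comment has "respectice"), so update it to name `containerSecurityContext` and `runAsGroup`. Finally, the comments should state that a user-supplied `podSecurity.securityContext` replaces the `uid`/`gid` defaults rather than merging with them, so a chart user who sets only, say, `runAsNonRoot: true` silently drops `runAsUser` and `fsGroup`; if that is not intended, `merge` the user map over the default `dict` instead.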

Review comment:
Another thing that came to mind is that the worker deployment requires a **uid** and **gid** to run a chown when fixed permissions is enabled.

To do that, we need to be able to extract the keys from the yaml which was produced by the template like so:
```
- "{{ pluck "runAsUser" $containerSecurityContext | first }}:{{ pluck "runAsGroup" $containerSecurityContext | first }}"
```

I'm not sure we can do that with a plain text result from the template.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
