fix: nest .Values.seccompProfile.enable and .Values.securityContext.enabled correctly (#2874)

CarstenSon · web-flow · commit 342916bac6b2 · 2025-01-29T17:07:53.000-05:00
* fix: set securityContext only in case of opt-in

* fix: nesting of secCompProfile and securityContext
diff --git a/helm-chart/templates/adservice.yaml b/helm-chart/templates/adservice.yaml
@@ -55,11 +55,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
diff --git a/helm-chart/templates/cartservice.yaml b/helm-chart/templates/cartservice.yaml
@@ -237,11 +237,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: redis
         securityContext:
diff --git a/helm-chart/templates/checkoutservice.yaml b/helm-chart/templates/checkoutservice.yaml
@@ -54,11 +54,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
diff --git a/helm-chart/templates/currencyservice.yaml b/helm-chart/templates/currencyservice.yaml
@@ -55,11 +55,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
diff --git a/helm-chart/templates/emailservice.yaml b/helm-chart/templates/emailservice.yaml
@@ -55,11 +55,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
diff --git a/helm-chart/templates/frontend.yaml b/helm-chart/templates/frontend.yaml
@@ -56,11 +56,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
         - name: server
           securityContext:
diff --git a/helm-chart/templates/loadgenerator.yaml b/helm-chart/templates/loadgenerator.yaml
@@ -59,11 +59,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       {{- if .Values.loadGenerator.checkFrontendInitContainer }}
       initContainers:
       - command:
diff --git a/helm-chart/templates/opentelemetry-collector.yaml b/helm-chart/templates/opentelemetry-collector.yaml
@@ -47,6 +47,7 @@ spec:
       {{- else }}
       serviceAccountName: default
       {{- end }}
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
@@ -56,6 +57,7 @@ spec:
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       {{- if eq .Values.opentelemetryCollector.projectId "PROJECT_ID" }}
       initContainers:
       # Init container retrieves the current cloud project id from the metadata server
diff --git a/helm-chart/templates/paymentservice.yaml b/helm-chart/templates/paymentservice.yaml
@@ -49,6 +49,7 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
@@ -58,6 +59,7 @@ spec:
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
diff --git a/helm-chart/templates/productcatalogservice.yaml b/helm-chart/templates/productcatalogservice.yaml
@@ -55,11 +55,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
diff --git a/helm-chart/templates/recommendationservice.yaml b/helm-chart/templates/recommendationservice.yaml
@@ -55,12 +55,12 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
       containers:
+      {{- end }}
       - name: server
         securityContext:
           allowPrivilegeEscalation: false
diff --git a/helm-chart/templates/shippingservice.yaml b/helm-chart/templates/shippingservice.yaml
@@ -54,11 +54,11 @@ spec:
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
-      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
         {{- end }}
+      {{- end }}
       containers:
       - name: server
         securityContext:
