chore(helm): add support for securityContext and resources in sideloa…

…d container (#7350) --------- Co-authored-by: Mohamed Amine Arous <“[email protected]”> Co-authored-by: Nicolas Giard <[email protected]>
requarks · Nov 22, 2024 · 94d253b · 94d253b
1 parent c7c2057
commit 94d253b
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 13 deletions.
diff --git a/dev/helm/Chart.yaml b/dev/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wiki
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 2.2.0
+version: 2.3.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
 AppVersion: latest

diff --git a/dev/helm/README.md b/dev/helm/README.md
@@ -97,32 +97,35 @@ The following table lists the configurable parameters of the Wiki.js chart and t
 | `image.repository`                   | Wiki.js image                                | `requarks/wiki`                                           |
 | `image.tag`                          | Wiki.js image tag                            | `latest`                                                      |
 | `imagePullPolicy`                    | Image pull policy                           | `IfNotPresent`                                             |
-| `replicacount`                   | Amount of wiki.js service pods to run                   | `1`                                                        |
-| `revisionHistoryLimit`                   | Total amount of revision history points                   | `10`                                        |
-| `resources.limits`               | wiki.js service resource limits                         | `nil`                               |
-| `resources.requests`             | wiki.js service resource requests                       | `nil`                               |
-| `nodeSelector`                   | Node labels for wiki.js pod assignment          | `{}`                                                       |
-| `affinity`                       | Affinity settings for wiki.js pod assignment    | `{}`                                                       |
-| `schedulerName`                  | Name of an alternate scheduler for wiki.js pod  | `nil`                                                      |
-| `tolerations`                    | Toleration labels for wiki.jsk pod assignment    | `[]`                                                       |
-| `volumeMounts`                   | Volume mounts for Wiki.js container              | `[]`                                                       |
-| `volumes`                        | Volumes for Wiki.js Pod                          | `[]`                                                       |
+| `replicacount`                       | Number of Wiki.js pods to run                   | `1`                                                        |
+| `revisionHistoryLimit`               | Total number of revision history points                   | `10`                                        |
+| `resources.limits`               | Wiki.js service resource limits                         | `nil`                               |
+| `resources.requests`             | Wiki.js service resource requests                       | `nil`                               |
+| `nodeSelector`                   | Node labels for the Wiki.js pod assignment          | `{}`                                                       |
+| `affinity`                       | Affinity settings for the Wiki.js pod assignment    | `{}`                                                       |
+| `schedulerName`                  | Name of an alternate scheduler for the Wiki.js pod  | `nil`                                                      |
+| `tolerations`                    | Toleration labels for the Wiki.js pod assignment    | `[]`                                                       |
+| `volumeMounts`                   | Volume mounts for the Wiki.js container              | `[]`                                                       |
+| `volumes`                        | Volumes for the Wiki.js pod                          | `[]`                                                       |
 | `ingress.enabled`                    | Enable ingress controller resource          | `false`                                                    |
 | `ingress.className`                  | Ingress class name                          | `""`                                                       |
 | `ingress.annotations`                | Ingress annotations                         | `{}`                                                       |
 | `ingress.hosts`                      | List of ingress rules                        | `[{"host": "wiki.local", "paths": ["/"]}]`                |
 | `ingress.tls`                        | Ingress TLS configuration                   | `[]`                                                       |
 | `sideload.enabled`                   | Enable sideloading of locale files from git | `false`                                                    |
 | `sideload.repoURL`                   | Git repository URL containing locale files  | `https://github.com/Requarks/wiki-localization`            |
-| `sideload.env`                       | Environment variables for sideload Container | `{}`                                                      |
+| `sideload.env`                       | Environment variables for the sideload container | `{}`                                                      |
+| `sideload.securityContext`           | Security context for the sideload container     | `nil`                                                      |
+| `sideload.resources.limits`          | Resource limits for the sideload container      | `nil`                                                      |
+| `sideload.resources.requests`        | Resource requests for the sideload container    | `nil`                                                      |
 | `nodeExtraCaCerts`                   | Trusted certificates path                   | `nil`                                                      |
 | `postgresql.enabled`                 | Deploy postgres server (see below)          | `true`                                                     |
 | `postgresql.postgresqlDatabase`        | Postgres database name                      | `wiki`                                                   |
 | `postgresql.postgresqlUser`            | Postgres username                           | `postgres`                                                   |
 | `postgresql.postgresqlHost`            | External postgres host                      | `nil`                                                      |
 | `postgresql.postgresqlPassword`        | External postgres password                  | `nil`                                                      |
 | `postgresql.existingSecret`            | Provide an existing `Secret` for postgres   | `nil`                                                      |
-| `postgresql.existingSecretKey`          | The postgres password key in the existing `Secret`   | `postgresql-password`                              |
+| `postgresql.existingSecretKey`         | The postgres password key in the existing `Secret`   | `postgresql-password`                              |
 | `postgresql.postgresqlPort`            | External postgres port                      | `5432`                                                     |
 | `postgresql.ssl`                       | Enable external postgres SSL connection     | `false`                                                   |
 | `postgresql.ca`                        | Certificate of Authority content for postgres  | `nil`                                                     |

diff --git a/dev/helm/templates/deployment.yaml b/dev/helm/templates/deployment.yaml
@@ -27,12 +27,16 @@ spec:
       {{- if .Values.sideload.enabled }}
       initContainers:
         - name: {{ .Chart.Name }}-sideload
+          securityContext:
+            {{- toYaml .Values.sideload.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ default "latest" .Values.image.tag }}"
           imagePullPolicy: {{ default "IfNotPresent" .Values.image.imagePullPolicy }}
           env:
             {{- toYaml .Values.sideload.env | nindent 12 }}
           command: [ "sh", "-c" ]
           args: [ "mkdir -p /wiki/data/sideload && git clone --depth=1 {{ .Values.sideload.repoURL }} /wiki/data/sideload/" ]
+          resources:
+            {{- toYaml .Values.sideload.resources | nindent 12 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}

diff --git a/dev/helm/values.yaml b/dev/helm/values.yaml
@@ -115,6 +115,26 @@ sideload:
   #  - name: HTTPS_PROXY
   #    value: http://my.proxy.com:3128
 
+  securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+  resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
 ## Append extra trusted certificates for node process from extra volume via NODE_EXTRA_CA_CERTS variable
 # nodeExtraCaCerts: "/path/to/certs.pem"