Merge pull request #8 from thealtoclef/update-doris-operator-security…

…-context ✨ chore: update doris-operator Helm chart configuration
thealtoclef · Dec 16, 2024 · 90979d9 · 90979d9
2 parents f91a80f + 9f9d64a
commit 90979d9
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/helm-charts/doris-operator/Chart.yaml b/helm-charts/doris-operator/Chart.yaml
@@ -38,7 +38,7 @@ maintainers:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.6.1
+version: 1.6.2-rc.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm-charts/doris-operator/templates/deployment.yaml b/helm-charts/doris-operator/templates/deployment.yaml
@@ -68,7 +68,7 @@ spec:
       #             values:
       #               - linux
       securityContext:
-        runAsNonRoot: true
+        {{- toYaml .Values.dorisOperator.podSecurityContext | nindent 8 }}
         # TODO(user): For common cases that do not require escalating privileges
         # it is recommended to ensure that all your Pods/Containers are restrictive.
         # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
@@ -87,10 +87,7 @@ spec:
           {{- end }}
           name: dorisoperator
           securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - "ALL"
+            {{- toYaml .Values.dorisOperator.securityContext | nindent 12 }}
           env:
             - name: ENABLE_WEBHOOK
               value: "{{ template  "webhook.enable" . }}"
@@ -119,7 +116,11 @@ spec:
           # TODO(user): Configure the resources accordingly based on the project requirements.
           # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
           resources:
+          {{- if .Values.dorisOperator.resources -}}
+            {{- toYaml .Values.dorisOperator.resources | nindent 12 }}
+          {{- else -}}
             {{- include "operator.default.resource" . | indent 8 }}
+          {{- end -}}
           volumeMounts:
             - mountPath:  /tmp/k8s-webhook-server/serving-certs
               name: cert

diff --git a/helm-charts/doris-operator/values.yaml b/helm-charts/doris-operator/values.yaml
@@ -44,3 +44,17 @@ dorisOperator:
   #             values:
   #               - target-host-name
   enableWebhook: false
+  podSecurityContext:
+    runAsNonRoot: true
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+  resources: {}
+    # requests:
+    #   cpu: 1
+    #   memory: 2Gi
+    # limits:
+    #   cpu: 2
+    #   memory: 4Gi