From 14165fabed1e00eba64552fd5897c88ef9d6a581 Mon Sep 17 00:00:00 2001
From: Alexey Lazarev
Date: Thu, 16 Jun 2022 17:52:29 +0400
Subject: [PATCH] feat(helm): add security context for init container for ex istio using 1337 for init containers
---
 helm/oncall/templates/_helpers.tpl | 4 +++-
 helm/oncall/values.yaml | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/helm/oncall/templates/_helpers.tpl b/helm/oncall/templates/_helpers.tpl
index bf137b40..18bcee42 100644
--- a/helm/oncall/templates/_helpers.tpl
+++ b/helm/oncall/templates/_helpers.tpl
@@ -85,6 +85,8 @@ Create the name of the service account to use
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command: ['sh', '-c', "until (python manage.py migrate --check); do echo Waiting for database migrations; sleep 2; done"]
+ securityContext:
+ {{ toYaml .Values.init.securityContext| nindent 4}}
 env:
 {{- include "snippet.oncall.env" . | nindent 12 }}
 {{- include "snippet.mysql.env" . | nindent 12 }}
@@ -93,4 +95,4 @@ Create the name of the service account to use
 {{- if .Values.env }}
 {{- toYaml .Values.env | nindent 12 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml
index 6c781718..4f67379c 100644
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
@@ -160,3 +160,15 @@ securityContext: {}
 # readOnlyRootFilesystem: true
 # runAsNonRoot: true
 # runAsUser: 1000
+
+init:
+ securityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # privileged: false
+ # readOnlyRootFilesystem: true
+ # runAsGroup: 1337
+ # runAsNonRoot: true
+ # runAsUser: 1337
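Review bot: In helm/oncall/templates/_helpers.tpl (first hunk) the init container's securityContext comes only from `.Values.init.securityContext`, which defaults to `{}`, so an operator who hardens the pod through the existing top-level `securityContext` value still gets a migration-check container running with the image's default user and capabilities while it carries the database environment. If the top-level value is what the main container uses (not visible in this hunk), falling back to it keeps the two in step and still allows the Istio-specific override: `{{- toYaml (.Values.init.securityContext | default .Values.securityContext) | nindent 4 }}`. The added action also opens with `{{ ` rather than `{{- ` like the `include` lines below it and uses `nindent 4` where they use `nindent 12`; the original indentation is not recoverable from this page, so the rendered manifest should be confirmed with `helm template`. The enclosing define starts above the hunk.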
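Review bot: In helm/oncall/values.yaml the commented example sets `runAsUser: 1337` and `runAsGroup: 1337` without saying why, and the value is not neutral: 1337 is the UID of Istio's sidecar proxy, and Istio's traffic-redirection rules skip traffic from that UID, so an init container run this way reaches the database outside the mesh's mTLS and policy enforcement. I would add a comment above the two keys, for example `# 1337 is the Istio sidecar UID: traffic from it bypasses the proxy; set only when the init container must reach the DB under Istio`. It would also help to state next to `securityContext: {}` that the block is empty by default, so the init container stays unhardened until the keys below are uncommented.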