From 14165fabed1e00eba64552fd5897c88ef9d6a581 Mon Sep 17 00:00:00 2001
From: Alexey Lazarev
Date: Thu, 16 Jun 2022 17:52:29 +0400
Subject: [PATCH 1/2] feat(helm): add security context for init container for ex istio using 1337 for init containers
---
 helm/oncall/templates/_helpers.tpl | 4 +++-
 helm/oncall/values.yaml | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/helm/oncall/templates/_helpers.tpl b/helm/oncall/templates/_helpers.tpl
index bf137b40..18bcee42 100644
--- a/helm/oncall/templates/_helpers.tpl
+++ b/helm/oncall/templates/_helpers.tpl
@@ -85,6 +85,8 @@ Create the name of the service account to use
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command: ['sh', '-c', "until (python manage.py migrate --check); do echo Waiting for database migrations; sleep 2; done"]
+ securityContext:
+ {{ toYaml .Values.init.securityContext| nindent 4}}
 env:
 {{- include "snippet.oncall.env" . | nindent 12 }}
 {{- include "snippet.mysql.env" . | nindent 12 }}
@@ -93,4 +95,4 @@ Create the name of the service account to use
 {{- if .Values.env }}
 {{- toYaml .Values.env | nindent 12 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml
index 6c781718..4f67379c 100644
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
@@ -160,3 +160,15 @@ securityContext: {}
 # readOnlyRootFilesystem: true
 # runAsNonRoot: true
 # runAsUser: 1000
+
+init:
+ securityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # privileged: false
+ # readOnlyRootFilesystem: true
+ # runAsGroup: 1337
+ # runAsNonRoot: true
+ # runAsUser: 1337
From b14d105478a830e5554f7a877a9635241b4dd695 Mon Sep 17 00:00:00 2001
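Review bot: The added `{{ toYaml .Values.init.securityContext| nindent 4}}` line in the first `_helpers.tpl` hunk is written differently from its siblings: no left trim, no space before the pipe, and `nindent 4` where the `env` includes just below use `nindent 12`. Indentation is not visible on this page, so whether a depth of 4 nests the rendered keys under `securityContext:` cannot be confirmed from here. Rendering the chart with a non-empty `init.securityContext` would show whether `runAsUser` and the other fields really attach to the init container. I would write the line as `{{- toYaml .Values.init.securityContext | nindent 4 }}`, adjusting the depth if the render shows otherwise. The helper's `define` starts above this hunk.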
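Review bot: The new `init.securityContext` block in `values.yaml` has no comment saying which container it applies to, and the sample UID/GID 1337 is left unexplained. Going by the commit subject the value is there for Istio, where 1337 is the sidecar proxy's UID and traffic from that UID is not redirected through the sidecar. An init container run that way therefore reaches its database outside mesh policy, and operators not using Istio should pick a different non-root UID. A comment above `init:` such as `# securityContext for the chart's init container; 1337 is Istio-specific (sidecar UID, traffic bypasses the proxy), use another non-root UID otherwise` would cover this. Because the default stays `{}`, the init container gets none of the listed hardening unless it is set explicitly.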
From: Alexey Lazarev
Date: Thu, 16 Jun 2022 17:52:42 +0400
Subject: [PATCH 2/2] fix(helm): add enabled logic for ingress and issuers
---
 helm/oncall/templates/cert-issuer.yaml | 2 +-
 helm/oncall/templates/ingress-regular.yaml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/helm/oncall/templates/cert-issuer.yaml b/helm/oncall/templates/cert-issuer.yaml
index 60c2b690..8b1716f3 100644
--- a/helm/oncall/templates/cert-issuer.yaml
+++ b/helm/oncall/templates/cert-issuer.yaml
@@ -1,4 +1,4 @@
-{{- if (index .Values "cert-manager") }}
+{{- if (index .Values "cert-manager").enabled }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
diff --git a/helm/oncall/templates/ingress-regular.yaml b/helm/oncall/templates/ingress-regular.yaml
index 31c4e367..dc2f82c7 100644
--- a/helm/oncall/templates/ingress-regular.yaml
+++ b/helm/oncall/templates/ingress-regular.yaml
@@ -38,6 +38,7 @@ spec:
 name: {{ include "oncall.engine.fullname" . }}
 port:
 number: 8080
+ {{ if .Values.grafana.enabled }}
 - path: /grafana
 pathType: Prefix
 backend:
@@ -45,4 +46,5 @@ spec:
 name: {{ include "oncall.grafana.fullname" . }}
 port:
 number: 80
+ {{- end }}
 {{- end }}
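Review bot: `(index .Values "cert-manager").enabled` in `cert-issuer.yaml` aborts rendering with a nil-pointer error when the `cert-manager` key is absent or nulled in the merged values, where the old condition simply evaluated to false. Whether the chart defaults always define that key is not visible in this hunk. A nil-safe form is `{{- if ((index .Values "cert-manager") | default dict).enabled }}`. The matching `end` lies outside the hunk. The Ingress annotations are not shown here either, so it is worth confirming they do not still reference an issuer that is no longer rendered, which would leave the host without a certificate.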
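Review bot: The opening `{{ if .Values.grafana.enabled }}` in `ingress-regular.yaml` has no left trim, while the `{{- end }}` added in the following hunk does, so each render leaves a whitespace-only line inside the path list. Writing it as `{{- if .Values.grafana.enabled }}` matches the trimmed style of the other added and context lines visible in this patch. The `paths` list itself starts above this hunk.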