Skip to content

Commit 468e9ed

Browse files
feat(chart/webapp): expose extraContainers, extraInitContainers, init/sidecar securityContext
Adds four optional values on the webapp deployment: - webapp.extraContainers — sidecars (TLS terminator, log shipper, audit agent, etc.) - webapp.extraInitContainers — additional inits scheduled after the built-in volume-permissions init - webapp.initContainers.securityContext — overrides the default `runAsUser: 1000` on the built-in volume-permissions init container - webapp.sidecarContainers.securityContext — overrides the default `runAsUser: 1000, runAsNonRoot: true` on the built-in token-syncer sidecar Defaults are empty / unset, preserving current behavior. Mirrors the pattern already supported on the supervisor chart. Lets operators satisfy strict pod-security admission (PSA "restricted", FedRAMP/IL5, OpenShift restricted SCC) without forking the chart. Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 22a176e commit 468e9ed

2 files changed

Lines changed: 54 additions & 0 deletions

File tree

hosting/k8s/helm/templates/webapp.yaml

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -77,18 +77,31 @@ spec:
7777
image: {{ include "trigger-v4.webapp.volumePermissions.image" . }}
7878
imagePullPolicy: {{ .Values.webapp.volumePermissions.image.pullPolicy }}
7979
command: ['sh', '-c', 'mkdir -p /home/node/shared']
80+
{{- with .Values.webapp.initContainers.securityContext }}
81+
securityContext:
82+
{{- toYaml . | nindent 12 }}
83+
{{- else }}
8084
securityContext:
8185
runAsUser: 1000
86+
{{- end }}
8287
volumeMounts:
8388
- name: shared
8489
mountPath: /home/node/shared
90+
{{- with .Values.webapp.extraInitContainers }}
91+
{{- toYaml . | nindent 8 }}
92+
{{- end }}
8593
containers:
8694
- name: token-syncer
8795
image: {{ include "trigger-v4.webapp.tokenSyncer.image" . }}
8896
imagePullPolicy: {{ .Values.webapp.tokenSyncer.image.pullPolicy }}
97+
{{- with .Values.webapp.sidecarContainers.securityContext }}
98+
securityContext:
99+
{{- toYaml . | nindent 12 }}
100+
{{- else }}
89101
securityContext:
90102
runAsUser: 1000
91103
runAsNonRoot: true
104+
{{- end }}
92105
command:
93106
- /bin/bash
94107
- -c
@@ -414,6 +427,9 @@ spec:
414427
{{- with .Values.webapp.extraVolumeMounts }}
415428
{{- toYaml . | nindent 12 }}
416429
{{- end }}
430+
{{- with .Values.webapp.extraContainers }}
431+
{{- toYaml . | nindent 8 }}
432+
{{- end }}
417433
volumes:
418434
- name: shared
419435
{{- if .Values.persistence.shared.enabled }}

hosting/k8s/helm/values.yaml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -172,6 +172,44 @@ webapp:
172172
# mountPath: /etc/ssl/certs
173173
# readOnly: true
174174

175+
# Extra containers added to the webapp pod (sidecars). Useful for
176+
# in-pod TLS (nginx, envoy), log shippers, audit agents, etc.
177+
extraContainers:
178+
[]
179+
# - name: nginx-tls
180+
# image: nginx:alpine
181+
# ports:
182+
# - name: https-internal
183+
# containerPort: 3031
184+
# volumeMounts:
185+
# - name: nginx-config
186+
# mountPath: /etc/nginx/conf.d
187+
# - name: nginx-tls-certs
188+
# mountPath: /etc/nginx/tls
189+
190+
# Extra init containers added to the webapp pod, scheduled after the
191+
# built-in `volume-permissions` init.
192+
extraInitContainers:
193+
[]
194+
# - name: wait-for-secrets
195+
# image: busybox
196+
# command: [...]
197+
198+
# Container-level securityContext applied to the built-in
199+
# `volume-permissions` init container. When unset, defaults to
200+
# `runAsUser: 1000`. Set this to enforce stricter pod-security
201+
# admission (e.g. FIPS / FedRAMP / Pod Security Standards "restricted":
202+
# `runAsNonRoot: true`, `allowPrivilegeEscalation: false`,
203+
# `capabilities.drop: [ALL]`, `seccompProfile.type: RuntimeDefault`).
204+
initContainers:
205+
securityContext: {}
206+
207+
# Container-level securityContext applied to the built-in `token-syncer`
208+
# sidecar. Same shape + intent as `webapp.initContainers.securityContext`.
209+
# Defaults to `{ runAsUser: 1000, runAsNonRoot: true }` when unset.
210+
sidecarContainers:
211+
securityContext: {}
212+
175213
# ServiceMonitor for Prometheus monitoring
176214
serviceMonitor:
177215
enabled: false

0 commit comments

Comments
 (0)