Add support for fsGroupChangePolicy to all subcharts (!3000) · Merge requests · GitLab.org / charts / GitLab Chart

Clemens Beck requested to merge support-fs-group-change-policy into master Feb 24, 2023

What does this MR do?

This MR introduces securityContext.fsGroupChangePolicy to all subcharts. This MR unifies the securityContext rendering of all subcharts by introducing a central helper template gitlab.podSecurityContext that exposes fsGroupChangePolicy.

By default, no fsGroupChangePolicy (which equals Always) is applied.

Note: This feature is stable since K8s 1.23.

Related issues

Closes #3819 (closed)

Test Plan

Render the chart with a fsGroupChangePolicy

e.g.

certmanager-issuer:
  email: test@example.com
gitlab:
  gitaly:
    securityContext:
      fsGroupChangePolicy: "OnRootMismatch"

Verify the securityContext of gitaly (or whatever resource you are testing) has securityContext.fsGroupChangePolicy=OnRootMismatch

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

Merge Request Title and Description are up to date, accurate, and descriptive
MR targeting the appropriate branch
MR has a green pipeline on GitLab.com
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

Test plan indicating conditions for success has been posted and passes
Documentation created/updated
Tests added
~~Integration tests added to GitLab QA~~
~~Equivalent MR/issue for omnibus-gitlab opened~~
Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.

Edited Mar 09, 2023 by Mitchell Nielsen

Add support for fsGroupChangePolicy to all subcharts