Add support for fsGroupChangePolicy to all subcharts
What does this MR do?
This MR introduces securityContext.fsGroupChangePolicy
to all subcharts. This MR unifies the securityContext
rendering of all subcharts by introducing a central helper template gitlab.podSecurityContext
that exposes fsGroupChangePolicy.
By default, no fsGroupChangePolicy
(which equals Always
) is applied.
Note: This feature is stable since K8s 1.23.
Related issues
Closes #3819 (closed)
Test Plan
- Render the chart with a
fsGroupChangePolicy
e.g.
certmanager-issuer:
email: test@example.com
gitlab:
gitaly:
securityContext:
fsGroupChangePolicy: "OnRootMismatch"
- Verify the
securityContext
of gitaly (or whatever resource you are testing) hassecurityContext.fsGroupChangePolicy=OnRootMismatch
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
-
Merge Request Title and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com -
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Tests added -
Integration tests added to GitLab QA -
Equivalent MR/issue for omnibus-gitlab opened -
Validate potential values for new configuration settings. Formats such as integer10
, duration10s
, URIscheme://user:passwd@host:port
may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Mitchell Nielsen