From 11bd523543bdb797f368eef46b76c64719e4fa6e Mon Sep 17 00:00:00 2001
From: Martin Weise <martin.weise@tuwien.ac.at>
Date: Sat, 24 May 2025 16:24:25 +0200
Subject: [PATCH] WIP

Signed-off-by: Martin Weise <martin.weise@tuwien.ac.at>
---
 helm/dbrepo/templates/storage-setup-job.yaml |  3 +++
 helm/dbrepo/values.yaml                      | 23 ++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/helm/dbrepo/templates/storage-setup-job.yaml b/helm/dbrepo/templates/storage-setup-job.yaml
index 69845b1846..d22641c055 100644
--- a/helm/dbrepo/templates/storage-setup-job.yaml
+++ b/helm/dbrepo/templates/storage-setup-job.yaml
@@ -16,6 +16,9 @@ spec:
         - name: init
           image: {{ .Values.storageservice.setupJob.image.name }}
           imagePullPolicy: {{ .Values.storageservice.setupJob.image.pullPolicy | default "IfNotPresent" }}
+          {{- if .Values.storageservice.setupJob.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.storageservice.setupJob.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           env:
             - name: POD_IP
               valueFrom:
diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml
index 72c8bf87b6..4a4ffc1e60 100644
--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -791,6 +791,29 @@ storageservice:
     s3:
       ## @param storageservice.setupJob.s3.endpoint The S3-capable endpoint the microservice connects to.
       endpoint: http://storage-service-s3:8333
+    containerSecurityContext:
+      ## @param storageservice.setupJob.containerSecurityContext.enabled Enabled containers' Security Context
+      enabled: true
+      ## @param storageservice.setupJob.containerSecurityContext.seLinuxOptions Set SELinux options in container
+      seLinuxOptions: { }
+      ## @param storageservice.setupJob.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+      runAsUser: 1001
+      ## @param storageservice.setupJob.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+      runAsGroup: 0
+      ## @param storageservice.setupJob.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+      runAsNonRoot: true
+      ## @param storageservice.setupJob.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+      allowPrivilegeEscalation: false
+      ## @param storageservice.setupJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+      readOnlyRootFilesystem: false
+      capabilities:
+        ## @param storageservice.setupJob.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+        drop: [ "ALL" ]
+        ## @param storageservice.setupJob.containerSecurityContext.capabilities.add Set container's Security Context runAsNonRoot
+        add: [ "NET_BIND_SERVICE" ]
+      seccompProfile:
+        ## @param storageservice.setupJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+        type: "RuntimeDefault"
     ## @param storageservice.setupJob.resourcesPreset The container resource preset
     resourcesPreset: "nano"
     ## @param storageservice.setupJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
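Review bot: `capabilities.add: [ "NET_BIND_SERVICE" ]` grants a capability the storage setup job has no visible use for — it is a one-shot init container that connects out to `storage-service-s3:8333`, not a listener on a privileged port — so after `drop: [ "ALL" ]` the add list should stay empty: `add: []`. Re-adding an unused capability weakens the least-privilege posture the rest of this block sets up (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`). The `@param` comments for `runAsUser`, `runAsGroup` and `runAsNonRoot` still say "RabbitMQ", and both `capabilities.drop` and `capabilities.add` are described as "runAsNonRoot"; these look copy-pasted and should read e.g. `Set storage setup job container's Security Context runAsUser` and `Set container's Security Context capabilities to drop/add`. If the job does not need to write to its root filesystem, `readOnlyRootFilesystem: true` would be the stricter default, but whether it writes anything cannot be determined from this hunk.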
-- 
GitLab