From a655139b2482653fac5fa68f099ed2ee2e3c9ae1 Mon Sep 17 00:00:00 2001
From: Evelyn Gurschler
Date: Mon, 14 Oct 2024 14:59:10 +0200
Subject: [PATCH] chore(seeding): add securityContext
---
 charts/centralidp/templates/job-seeding.yaml | 17 ++++++++++++++++-
 charts/sharedidp/templates/job-seeding.yaml | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/charts/centralidp/templates/job-seeding.yaml b/charts/centralidp/templates/job-seeding.yaml
index 062d3797..4d689549 100644
--- a/charts/centralidp/templates/job-seeding.yaml
+++ b/charts/centralidp/templates/job-seeding.yaml
@@ -226,6 +226,13 @@ spec:
 mountPath: "app/realms"
 initContainers:
 - name: init-cx-central
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 image: {{ .Values.realmSeeding.initContainer.image.name }}
 imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
 command:
@@ -239,7 +246,15 @@ spec:
 - name: realms
 mountPath: "app/realms"
 - name: wait-for-keycloak
- image: appropriate/curl:latest
+ image: alpine/curl:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 {{ if .Values.realmSeeding.keycloakServiceTls -}}
 command: [ 'sh', '-c', 'until curl -s https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
 {{- else -}}
diff --git a/charts/sharedidp/templates/job-seeding.yaml b/charts/sharedidp/templates/job-seeding.yaml
index bc668796..333de750 100644
--- a/charts/sharedidp/templates/job-seeding.yaml
+++ b/charts/sharedidp/templates/job-seeding.yaml
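Review bot: In the init-cx-central hunk, `runAsNonRoot: true` is added without a `runAsUser`, unlike the wait-for-keycloak container in the next hunk, so whether the container is admitted depends on the image behind `.Values.realmSeeding.initContainer.image.name` declaring a numeric non-root USER; if that image runs as root or uses a non-numeric user, the kubelet refuses to start it (CreateContainerConfigError) and the seeding job never runs. Either add `runAsUser: <UID expected by the init image>` here or state the requirement next to the image value in values.yaml. None of the new securityContext blocks sets `seccompProfile: {type: RuntimeDefault}`, so unless it is set at pod level outside the hunk they still fall short of the restricted Pod Security Standard. With `readOnlyRootFilesystem: true` the init container's `command` (which continues outside the hunk) can only write to the `realms` volume mount; worth confirming it writes nowhere else. The same points apply to the matching hunks in charts/sharedidp/templates/job-seeding.yaml.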
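Review bot: `image: alpine/curl:latest` in the wait-for-keycloak hunk keeps a mutable, unpinned tag and stays hard-coded in the template, while the init container's image is taken from `.Values.realmSeeding.initContainer.image.name`; any push to `latest` silently changes what runs inside the seeding job, and the image cannot be redirected to a mirrored or private registry. Pin a specific version tag (preferably with a digest) and source it from values like the init image, e.g. `image: {{ .Values.realmSeeding.<waitContainerKey>.image.name }}` with the pinned reference as the default. The image swap from appropriate/curl is also not reflected in the commit subject, which only mentions securityContext. The same applies to the wait-for-keycloak hunk in charts/sharedidp/templates/job-seeding.yaml.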
@@ -192,6 +192,13 @@ spec:
 mountPath: "app/realms"
 initContainers:
 - name: init-cx-central
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 image: {{ .Values.realmSeeding.initContainer.image.name }}
 imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
 command:
@@ -205,7 +212,15 @@ spec:
 - name: realms
 mountPath: "app/realms"
 - name: wait-for-keycloak
- image: appropriate/curl:latest
+ image: alpine/curl:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 {{ if .Values.realmSeeding.keycloakServiceTls -}}
 command: [ 'sh', '-c', 'until curl -s https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
 {{- else -}}