diff --git a/README.md b/README.md
index cdc4555..2c49f15 100644
--- a/README.md
+++ b/README.md
@@ -45,4 +45,5 @@ Configure your Infinispan cluster by specifying values in the `deploy.*` section
 | `deploy.makeDataDirWritable` | Allows write access to the `data` directory for each Infinispan Server node. | false | Setting the value to `true` creates an initContainer that runs `chmod -R` on the `/opt/infinispan/server/data` directory and changes its permissions. |
 | `deploy.monitoring.enabled` | Enable or disable `ServiceMonitor` functionality. | false | Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled. |
 | `deploy.nameOverride` | Specifies a name for all Infinispan cluster resources. | Helm Chart release name | Configure a name for the created resources only if you need it to be different to the Helm Chart release name. |
+| `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.infinispan` | Infinispan Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |
diff --git a/README.md.tpl b/README.md.tpl
index 330cf32..61c38ed 100644
--- a/README.md.tpl
+++ b/README.md.tpl
@@ -45,4 +45,5 @@ Configure your {brandname} cluster by specifying values in the `deploy.*` sectio
 | `deploy.makeDataDirWritable` | Allows write access to the `data` directory for each {brandname} Server node. | false | Setting the value to `true` creates an initContainer that runs `chmod -R` on the `/opt/infinispan/server/data` directory and changes its permissions. |
 | `deploy.monitoring.enabled` | Enable or disable `ServiceMonitor` functionality. | false | Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled. |
 | `deploy.nameOverride` | Specifies a name for all {brandname} cluster resources. | Helm Chart release name | Configure a name for the created resources only if you need it to be different to the Helm Chart release name. |
+| `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.infinispan` | {brandname} Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |
diff --git a/documentation/asciidoc/topics/ref_deployment_configuration_values.adoc b/documentation/asciidoc/topics/ref_deployment_configuration_values.adoc
index 681be44..b87264a 100644
--- a/documentation/asciidoc/topics/ref_deployment_configuration_values.adoc
+++ b/documentation/asciidoc/topics/ref_deployment_configuration_values.adoc
@@ -22,7 +22,7 @@ You can also find field and value descriptions in the link:{helm_chart_readme}[{
 |No default value.
 |`deploy.container.libraries`
-| Libraries to be downloaded before server startup. Specify multiple, space-separated artifacts represented as URLs or as Maven coordinates. Archive artifacts in .tar, .tar.gz or .zip formats will be extracted.
+| Libraries to be downloaded before server startup. Specify multiple, space-separated artifacts represented as URLs or as Maven coordinates. Archive artifacts in .tar, .tar.gz or .zip formats will be extracted.
 |No default value.
 |`deploy.container.storage.ephemeral`
@@ -102,6 +102,10 @@ If you do not specify a port, the platform selects an available one.
 |Allows write access to the `data` directory for each {brandname} Server node.
 |`false` If you set the value to `true`, {brandname} creates an initContainer that runs `chmod -R` on the `/opt/infinispan/server/data` directory to change permissions.
+|`deploy.securityContext`
+|Allow to set securityContext for cluster's statefulSet |`{}`
+This can be used to change the group of mounted file systems. Set `securityContext.fsGroup` to `185` if you need to explicitly match the group owner for `/opt/infinispan/server/data` to the default {brandname}'s group
+
 |`deploy.monitoring.enabled`
 |Enable or disable monitoring using `ServiceMonitor`. | `false` Users must have `monitoring-edit` role assigned by the admin to deploy the Helm chart with `ServiceMonitor` enabled.
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
index 7e7f941..fff117e 100644
--- a/templates/statefulset.yaml
+++ b/templates/statefulset.yaml
@@ -33,6 +33,12 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
+ {{- if .Values.deploy.securityContext }}
+ securityContext:
+ {{- with .Values.deploy.securityContext }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
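Review bot: The `{{- if .Values.deploy.securityContext }}` guard around the new block in templates/statefulset.yaml is redundant with the inner `{{- with }}`, which already skips rendering when the value is empty or null; the six lines can be `{{- with .Values.deploy.securityContext }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, matching the sibling block rendered just above it. Because `nindent 8` places the key at the pod-spec level beside `affinity:`, this is the pod-level securityContext, so a `fsGroup` applies to every volume of the pod and, unless `fsGroupChangePolicy: OnRootMismatch` is set, the kubelet re-groups the data volume's contents at each mount, which can be slow on a large data directory. The object is rendered verbatim and nothing in the chart constrains which fields it carries, which deserves a template comment such as `# Pod-level securityContext (fsGroup etc.); rendered as given, not validated by the chart`.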
@@ -163,4 +169,4 @@ spec:
 resources:
 requests:
 storage: {{ .Values.deploy.container.storage.size }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/values.schema.json b/values.schema.json
index 27b95a8..9baf827 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -180,6 +180,13 @@
 "null"
 ]
 },
+ "securityContext": {
+ "description": "Defines the securityContext policy used by the cluster's StatefulSet.",
+ "type": [
+ "object",
+ "null"
+ ]
+ },
 "expose": {
 "description": "Controls network access to Infinispan Server endpoints.",
 "properties": {
diff --git a/values.schema.json.tpl b/values.schema.json.tpl
index 6424f00..71e963d 100644
--- a/values.schema.json.tpl
+++ b/values.schema.json.tpl
@@ -180,6 +180,13 @@
 "null"
 ]
 },
+ "securityContext": {
+ "description": "Defines the securityContext policy used by the cluster's StatefulSet.",
+ "type": [
+ "object",
+ "null"
+ ]
+ },
 "expose": {
 "description": "Controls network access to {brandname} Server endpoints.",
 "properties": {
diff --git a/values.yaml b/values.yaml
index dbe2e19..007b2f4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -83,9 +83,12 @@ deploy:
 tolerations: []
 nodeAffinity: {}
-
+ nodeSelector: {}
+ securityContext:
+ fsGroup: 185
+
 infinispan:
 cacheContainer:
 # [USER] Add cache, template, and counter configuration.
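Review bot: The new default `fsGroup: 185` in the values.yaml hunk contradicts the README and adoc rows added in the same commit, which list the default of `deploy.securityContext` as `{}` and present setting `fsGroup` to `185` as an opt-in step; with this values.yaml every install and upgrade renders the pod-level fsGroup, and data on existing volumes is presumably re-grouped at the next mount. Either the default here should be `securityContext: {}` with `185` kept as the documented recommendation, or the documentation should state `fsGroup: 185` as the default. The value also needs a comment saying where `185` comes from, e.g. `# 185 is the default Infinispan group (see the deploy.securityContext doc entry); matches the group owner of /opt/infinispan/server/data`. Note that the values.schema.json and values.schema.json.tpl hunks accept any object here, so a mistyped key such as `fsgroup` passes schema validation and is only rejected by the API server, which is worth mentioning in the field's description.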