OpsLevel · rocktavious · May 14, 2025 · May 12, 2025 · May 13, 2025
diff --git a/.changes/unreleased/Feature-20250512-143537.yaml b/.changes/unreleased/Feature-20250512-143537.yaml
@@ -0,0 +1,3 @@
+kind: Feature
+body: Add ability to set security context on postgres and elasticsearch
+time: 2025-05-12T14:35:37.645939-05:00
diff --git a/charts/opslevel/templates/elasticsearch/statefulset.yaml b/charts/opslevel/templates/elasticsearch/statefulset.yaml
@@ -28,8 +28,10 @@ spec:
       {{- template "global.nodeSelector" . }}
       serviceAccountName: "{{ .Values.elasticsearch.serviceAccount.name }}"
       priorityClassName: opslevel-high
+      {{- with .Values.elasticsearch.securityContext }}
       securityContext:
-        fsGroup: 0
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       subdomain: elasticsearch
       containers:
         - name: elasticsearch

diff --git a/charts/opslevel/templates/faktory/statefulset.yaml b/charts/opslevel/templates/faktory/statefulset.yaml
@@ -31,6 +31,10 @@ spec:
       terminationGracePeriodSeconds: 10
       shareProcessNamespace: true
       priorityClassName: opslevel-critical
+      {{- with .Values.faktory.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: server
           image: {{ template "faktory.image" . }}

diff --git a/charts/opslevel/templates/minio/statefulset.yaml b/charts/opslevel/templates/minio/statefulset.yaml
@@ -27,6 +27,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-high
+      {{- with .Values.objectStorage.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: "{{ .Values.objectStorage.serviceAccount.name }}"
       subdomain: minio
       containers:

diff --git a/charts/opslevel/templates/mysql/statefulset.yaml b/charts/opslevel/templates/mysql/statefulset.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "global.nodeSelector" . }}
       serviceAccountName: "{{ .Values.mysql.serviceAccount.name }}"
       priorityClassName: opslevel-critical
+      {{- with .Values.mysql.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: mysql
           image: {{ template "mysql.image" . }}

diff --git a/charts/opslevel/templates/opslevel/web.yaml b/charts/opslevel/templates/opslevel/web.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opslevel.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 120
       topologySpreadConstraints:
         - maxSkew: 1

diff --git a/charts/opslevel/templates/opslevel/worker-faktory.yaml b/charts/opslevel/templates/opslevel/worker-faktory.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opslevel.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 300
       {{- if .Values.certificate.enabled }}
       initContainers:

diff --git a/charts/opslevel/templates/opslevel/worker-high.yaml b/charts/opslevel/templates/opslevel/worker-high.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opslevel.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 300
       {{- if .Values.certificate.enabled }}
       initContainers:

diff --git a/charts/opslevel/templates/opslevel/worker-low.yaml b/charts/opslevel/templates/opslevel/worker-low.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opslevel.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 300
       {{- if .Values.certificate.enabled }}
       initContainers:

diff --git a/charts/opslevel/templates/opslevel/worker-search.yaml b/charts/opslevel/templates/opslevel/worker-search.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opslevel.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 300
       {{- if .Values.certificate.enabled }}
       initContainers:

diff --git a/charts/opslevel/templates/opssight/web.yaml b/charts/opslevel/templates/opssight/web.yaml
@@ -32,6 +32,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opssight.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: opssight-web
           image: "{{ template "opssight.image" . }}"

diff --git a/charts/opslevel/templates/opssight/worker.yaml b/charts/opslevel/templates/opssight/worker.yaml
@@ -29,6 +29,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.opssight.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 315
       containers:
         - name: opssight-worker

diff --git a/charts/opslevel/templates/postgres/statefulset.yaml b/charts/opslevel/templates/postgres/statefulset.yaml
@@ -32,8 +32,10 @@ spec:
       {{- template "global.nodeSelector" . }}
       serviceAccountName: "{{ .Values.postgres.serviceAccount.name }}"
       priorityClassName: opslevel-high
+      {{- with .Values.postgres.securityContext }}
       securityContext:
-        fsGroup: 1001
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       hostNetwork: false
       hostIPC: false
       containers:

diff --git a/charts/opslevel/templates/redis/deployment.yaml b/charts/opslevel/templates/redis/deployment.yaml
@@ -29,6 +29,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.redis.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: master
           image: {{ template "redis.image" . }}

diff --git a/charts/opslevel/templates/runner/new-mode.yaml b/charts/opslevel/templates/runner/new-mode.yaml
@@ -31,6 +31,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.runner.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ .Values.runner.serviceAccount.name }}
       {{- if .Values.certificate.enabled }}
       initContainers:

diff --git a/charts/opslevel/templates/runner/old-mode.yaml b/charts/opslevel/templates/runner/old-mode.yaml
@@ -31,6 +31,10 @@ spec:
       {{- template "opslevel.pullSecrets" . }}
       {{- template "global.nodeSelector" . }}
       priorityClassName: opslevel-normal
+      {{- with .Values.runner.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ .Values.runner.serviceAccount.name }}
       {{- if .Values.certificate.enabled }}
       initContainers:

diff --git a/charts/opslevel/values.yaml b/charts/opslevel/values.yaml
@@ -66,6 +66,7 @@ opslevel:
     tls: false
     annotations: {}
     ingressClassName: ""
+  securityContext: {}
   tls:
     enabled: false # If enabled ensure the ingress.tls is also enabled if using ingress
     secret:
@@ -95,6 +96,7 @@ runner:
     create: true
     name: opslevel-runner
     annotations: {}
+  securityContext: {}
   pod:
     annotations: {}
   secret:
@@ -115,6 +117,7 @@ opssight:
   worker:
     replicas: 1
     resources: *resourcesSmall
+  securityContext: {}
   secret:
     name: "opssight"
     create: true
@@ -132,6 +135,7 @@ mysql:
     create: true
     name: mysql
     annotations: {}
+  securityContext: {}
   storageClass: ""
   storageSize: "10Gi"
   secret:
@@ -155,6 +159,8 @@ postgres:
     create: true
     name: postgres
     annotations: {}
+  securityContext:
+    fsGroup: 1001
   storageClass: ""
   storageSize: "10Gi"
   secret:
@@ -174,6 +180,7 @@ redis:
   resources: *resourcesMedium
   pod:
     annotations: {}
+  securityContext: {}
   secret:
     create: true
     name: "opslevel-redis"
@@ -195,6 +202,8 @@ elasticsearch:
     create: true
     name: elasticsearch
     annotations: {}
+  securityContext:
+    fsGroup: 0
   storageClass: ""
   storageSize: "8Gi"
   secret:
@@ -220,6 +229,7 @@ objectStorage:
     create: true
     name: minio
     annotations: {}
+  securityContext: {}
   storageClass: ""
   storageSize: "8Gi"
   secret:
@@ -235,6 +245,7 @@ faktory:
     repository: "746108190720.dkr.ecr.us-east-1.amazonaws.com/faktory"
     tag: "1.9.1"
   resources: *resourcesMedium
+  securityContext: {}
   storageClass: ""
   storageSize: "8Gi"
   pod: