[v9] Backport #13016 (Buddy merge for #11939)

eat(helm): expose securityContext as a value (#13016) (#13286)

The PodSecurityPolicy specifies `MustRunAsNonRoot` but the image runs as root.
`Error: container has runAsNonRoot and image will run as root (pod: "<redacted>", container: teleport).`
We expose the securityContext to allow forcing to run as a non-root user such as 99 (nobody) and respect the psp.

Co-authored-by: daquinoaldo <[email protected]>

docs/pages/kubernetes-access/helm/reference/teleport-cluster.mdx

@@ -1460,6 +1460,30 @@ will also be applied to `initContainers`.
   </TabItem>
 </Tabs>
 
+## `securityContext`
+
+| Type | Default value | Can be used in `custom` mode? |
+| - | - | - |
+| `object` | `{}` | ✅  |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+
+The `securityContext` applies to any pods created by the chart, including `initContainers`.
+
+<Tabs>
+  <TabItem label="values.yaml">
+  ```yaml
+  securityContext:
+    runAsUser: 99
+  ```
+  </TabItem>
+  <TabItem label="--set">
+  ```code
+  $ --set securityContext.runAsUser=99
+  ```
+  </TabItem>
+</Tabs>
+
 ## `tolerations`
 
 | Type | Default value | Can be used in `custom` mode? |

examples/chart/CONTRIBUTING.md

@@ -0,0 +1,51 @@
+# Contributing to Teleport Helm charts
+
+Firstly, thanks for considering a contribution to Teleport's Helm charts.
+
+## A couple of brief warnings
+
+Please note that we won't accept contributions that are particularly esoteric, difficult to use or poorly implemented.
+Our goal is to:
+
+- keep the charts easy to use
+- keep all functionality relevant to a broad audience
+- always use sane defaults which are right for most deployments
+- require as few values changes as possible for everyday usage
+
+If your functionality is only really useful to you, it's best to keep it on your own fork and deploy from there.
+
+Sometimes Teleport staff may take over your PR and make changes, implement it in a slightly different way, or just merge it
+as part of a bigger merge of multiple PRs at once. We will make sure that you still get credit in the final commit if this
+happens.
+
+## Guidelines
+
+Here is a list of things that you should do to make sure to do in order to get a smooth PR review process with minimal
+changes required:
+
+1) Add a linter file which includes examples for any new values you add under the `.lint/` directory for the
+appropriate chart. The linter will check this during CI and make sure the values are correctly formatted, along
+with your chart changes. The file should contain all necessary values to deploy a reference install.
+
+2) Add unit tests for your functionality under the `tests/` directory for the appropriate chart, particularly if you're
+adding new values. Make sure that all functionality is tested, so we can be sure that it works as intended for every use
+case. A good tip is to use your newly added linter file to set values appropriate for your test.
+
+3) Add any new values at the correct location in the `values.schema.json` file for the appropriate chart. This
+will ensure that Helm is able to validate values at install-time and can prevent users from making easy mistakes.
+
+4) Document any new values or changes to existing behaviour in the [chart reference](../../docs/pages/kubernetes-access/helm/reference).
+
+5) Run `make lint-helm test-helm` from the root of the repo before raising your PR.
+You will need `yamllint`, `helm` and [helm3-unittest](https://github.com/vbehar/helm3-unittest) installed locally.
+
+`make -C build.assets lint-helm test-helm` will run these via Docker if you'd prefer not to install locally.
+
+6) If you get a snapshot error during your testing, you should verify that your changes intended to alter the output,
+then run `make test-helm-update-snapshots` to update the snapshots and commit these changes along with your PR.
+
+Again, `make -C build.assets test-helm-update-snapshots` will run this via Docker.
+
+7) Document the changes you've made in the PR summary.
+
+Thanks!

examples/chart/teleport-cluster/.lint/security-context-empty.yaml

@@ -0,0 +1 @@
+clusterName: helm-lint

examples/chart/teleport-cluster/.lint/security-context.yaml

@@ -0,0 +1,8 @@
+clusterName: helm-lint
+securityContext:
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsGroup: 99
+  runAsNonRoot: true
+  runAsUser: 99

examples/chart/teleport-cluster/templates/deployment.yaml

@@ -168,6 +168,9 @@ spec:
 {{- if .Values.resources }}
         resources:
   {{- toYaml .Values.resources | nindent 10 }}
+{{- end }}
+{{- if .Values.securityContext }}
+        securityContext: {{- toYaml .Values.securityContext | nindent 10 }}
 {{- end }}
         volumeMounts:
 {{- if .Values.enterprise }}

examples/chart/teleport-cluster/values.schema.json

@@ -533,6 +533,11 @@
             "type": "object",
             "default": {}
         },
+        "securityContext": {
+            "$id": "#/properties/securityContext",
+            "type": "object",
+            "default": {}
+        },
         "tolerations": {
             "$id": "#/properties/tolerations",
             "type": "array",

examples/chart/teleport-cluster/values.yaml

@@ -282,6 +282,10 @@ resources: {}
 #    cpu: "1"
 #    memory: "2Gi"
 
+# Security context to add to the container
+securityContext: {}
+  # runAsUser: 99
+
 # Priority class name to add to the deployment
 priorityClassName: ""