From ed816ec991161a021d367f370fd0ba3361af5705 Mon Sep 17 00:00:00 2001 From: Thomas Date: Wed, 18 Dec 2024 18:28:39 +0800 Subject: [PATCH 1/4] feat:support custom securityContext for kafka-addon --- addons/kafka/templates/cmpd-broker-27.yaml | 15 +++++++++------ addons/kafka/templates/cmpd-broker.yaml | 15 +++++++++------ addons/kafka/templates/cmpd-combine.yaml | 15 +++++++++------ addons/kafka/templates/cmpd-controller.yaml | 15 +++++++++------ addons/kafka/templates/cmpd-exporter.yaml | 11 +++++++---- addons/kafka/values.yaml | 11 +++++++++++ 6 files changed, 54 insertions(+), 28 deletions(-) diff --git a/addons/kafka/templates/cmpd-broker-27.yaml b/addons/kafka/templates/cmpd-broker-27.yaml index cfec574c6..613c8d887 100644 --- a/addons/kafka/templates/cmpd-broker-27.yaml +++ b/addons/kafka/templates/cmpd-broker-27.yaml @@ -117,16 +117,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Values.images.kafka2.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: 
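Review bot: The `{{- if .Values.container.securityContext }}` guard around the kafka container's `securityContext` fails open: overriding with `container: {securityContext: {}}` or `securityContext: null` drops the block entirely, so the container silently loses `runAsNonRoot: true` and `allowPrivilegeEscalation: false` instead of failing the render. The pod-level `{{- if .Values.securityContext }}` guard earlier in the hunk has the same property for `fsGroup`. If this hardening is meant as a baseline rather than an optional extra, drop the `if`/`end` wrapper and render `{{- toYaml (required "container.securityContext must be set" .Values.container.securityContext) | nindent 10 }}` so an empty override is rejected at template time; if opting out is intended, the values.yaml comment should say explicitly that clearing the key removes the non-root defaults. Separately, an override of `container: null` will most likely abort rendering with Helm's nil-pointer evaluation error on `.securityContext`, which is arguably the safer failure but worth a comment so it is not mistaken for a chart bug.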
@@ -228,9 +230,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-broker.yaml b/addons/kafka/templates/cmpd-broker.yaml index 3a0a13888..35b2852c1 100644 --- a/addons/kafka/templates/cmpd-broker.yaml +++ b/addons/kafka/templates/cmpd-broker.yaml @@ -113,16 +113,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -228,9 +230,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - java args: 
diff --git a/addons/kafka/templates/cmpd-combine.yaml b/addons/kafka/templates/cmpd-combine.yaml index c3ba5c2b0..56c9d51db 100644 --- a/addons/kafka/templates/cmpd-combine.yaml +++ b/addons/kafka/templates/cmpd-combine.yaml @@ -104,16 +104,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -219,9 +221,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-controller.yaml b/addons/kafka/templates/cmpd-controller.yaml index d22db1308..72f307866 100644 --- a/addons/kafka/templates/cmpd-controller.yaml +++ b/addons/kafka/templates/cmpd-controller.yaml 
@@ -61,16 +61,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -155,9 +157,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-exporter.yaml b/addons/kafka/templates/cmpd-exporter.yaml index 32a5adead..75979254d 100644 --- a/addons/kafka/templates/cmpd-exporter.yaml +++ b/addons/kafka/templates/cmpd-exporter.yaml 
@@ -43,15 +43,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafkaExporter.repository }}:{{ .Values.images.kafkaExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- if .Values.container.securityContext }} + securityContext: + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} env: - name: SERVICE_PORT value: "9308" diff --git a/addons/kafka/values.yaml b/addons/kafka/values.yaml index 83a7a9ab7..18ffb20ab 100644 --- a/addons/kafka/values.yaml +++ b/addons/kafka/values.yaml @@ -64,3 +64,14 @@ storageClassParameters: metadata: awsEBSVolumeType: io2 awsEBSEnableBlockExpress: false + +## pod security context settings +securityContext: + fsGroup: 1001 + +## container security context settings +container: + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1001 \ No newline at end of file From 13f1689c9213ffbbeda1945559e371343eb63672 Mon Sep 17 00:00:00 2001 From: lancelot1989 Date: Wed, 18 Dec 2024 10:29:26 +0000 Subject: [PATCH 2/4] chore: auto generated files --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bbd49a0d4..30783a2ba 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ KubeBlocks add-ons. | etcd | etcd-3.5.15
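Review bot: The new `container.securityContext` default in values.yaml stops short of the Pod Security Standards `restricted` profile: it has no `capabilities: {drop: [ALL]}` and no `seccompProfile: {type: RuntimeDefault}`, so clusters enforcing `restricted` through Pod Security Admission will reject these pods unless every user adds those fields themselves. Since this commit moves the hardening into values where it can be tuned, the default is the natural place to carry the full baseline; adding the two fields keeps the existing UID 1001 behaviour while making the chart admissible under `restricted` (confirm the Kafka and exporter images run with all capabilities dropped before merging). The `## container security context settings` comment should also state that these are security defaults and that setting the key to empty removes the `securityContext` from the rendered container, because the templates gate on it with `if`.
```yaml
## container security context settings
container:
  securityContext:
    # … unchanged: allowPrivilegeEscalation, runAsNonRoot, runAsUser …
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
```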
etcd-3.5.6 | Etcd is a strongly consistent, distributed key-value store that provides a reliable way to store data that needs to be accessed by a distributed system or cluster of machines. | free6om | | greptimedb | greptimedb-0.3.2 | An open-source, cloud-native, distributed time-series database with PromQL/SQL/Python supported. | GreptimeTeam sh2 | | influxdb | influxdb-2.7.4 | InfluxDB(TM) is an open source time-series database. It is a core component of the TICK (Telegraf, InfluxDB(TM), Chronograf, Kapacitor) stack. | | -| kafka | kafka-broker-2.7.0
kafka-broker-3.3.2
kafka-combine-3.3.2
kafka-controller-3.3.2
kafka-exporter-1.6.0 | Apache Kafka is a distributed streaming platform designed to build real-time pipelines and can be used as a message broker or as a replacement for a log aggregation solution for big data applications. | caiq1nyu | +| kafka | | Apache Kafka is a distributed streaming platform designed to build real-time pipelines and can be used as a message broker or as a replacement for a log aggregation solution for big data applications. | caiq1nyu | | loki | loki-1.0.0 | Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus. It is designed to be very cost effective and easy to operate. | Chen-speculation | | mariadb | mariadb-10.6.15 | MariaDB is a high performance open source relational database management system that is widely used for web and application servers | yinmin | | milvus | milvus-v2.3.2 | A cloud-native vector database, storage for next generation AI applications. | leon-inf | From a6011df946ea542030a3a85694ae1546b39fd704 Mon Sep 17 00:00:00 2001 From: Thomas Date: Wed, 15 Jan 2025 16:41:49 +0800 Subject: [PATCH 3/4] feat:separate exporter's securityContext --- addons/kafka/templates/cmpd-broker-27.yaml | 4 ++-- addons/kafka/templates/cmpd-broker.yaml | 4 ++-- addons/kafka/templates/cmpd-combine.yaml | 4 ++-- addons/kafka/templates/cmpd-controller.yaml | 4 ++-- addons/kafka/templates/cmpd-exporter.yaml | 8 ++++---- addons/kafka/values.yaml | 6 ++++++ 6 files changed, 18 insertions(+), 12 deletions(-) diff --git a/addons/kafka/templates/cmpd-broker-27.yaml b/addons/kafka/templates/cmpd-broker-27.yaml index 613c8d887..46889fc86 100644 --- a/addons/kafka/templates/cmpd-broker-27.yaml +++ b/addons/kafka/templates/cmpd-broker-27.yaml 
@@ -230,9 +230,9 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} - {{- if .Values.container.securityContext }} + {{- if .Values.exporter.securityContext }} securityContext: - {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- toYaml .Values.exporter.securityContext | nindent 10 }} {{- end }} command: - java diff --git a/addons/kafka/templates/cmpd-broker.yaml b/addons/kafka/templates/cmpd-broker.yaml index 35b2852c1..5f97184d1 100644 --- a/addons/kafka/templates/cmpd-broker.yaml +++ b/addons/kafka/templates/cmpd-broker.yaml @@ -230,9 +230,9 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} - {{- if .Values.container.securityContext }} + {{- if .Values.exporter.securityContext }} securityContext: - {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- toYaml .Values.exporter.securityContext | nindent 10 }} {{- end }} command: - java diff --git a/addons/kafka/templates/cmpd-combine.yaml b/addons/kafka/templates/cmpd-combine.yaml index 56c9d51db..a1b1fe668 100644 --- a/addons/kafka/templates/cmpd-combine.yaml +++ b/addons/kafka/templates/cmpd-combine.yaml 
@@ -221,9 +221,9 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} - {{- if .Values.container.securityContext }} + {{- if .Values.exporter.securityContext }} securityContext: - {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- toYaml .Values.exporter.securityContext | nindent 10 }} {{- end }} command: - java diff --git a/addons/kafka/templates/cmpd-controller.yaml b/addons/kafka/templates/cmpd-controller.yaml index 72f307866..a39bf1745 100644 --- a/addons/kafka/templates/cmpd-controller.yaml +++ b/addons/kafka/templates/cmpd-controller.yaml @@ -157,9 +157,9 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} - {{- if .Values.container.securityContext }} + {{- if .Values.exporter.securityContext }} securityContext: - {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- toYaml .Values.exporter.securityContext | nindent 10 }} {{- end }} command: - java diff --git a/addons/kafka/templates/cmpd-exporter.yaml b/addons/kafka/templates/cmpd-exporter.yaml index 75979254d..c049d5e61 100644 --- a/addons/kafka/templates/cmpd-exporter.yaml +++ b/addons/kafka/templates/cmpd-exporter.yaml 
@@ -51,10 +51,10 @@ spec: - name: kafka-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafkaExporter.repository }}:{{ .Values.images.kafkaExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} - {{- if .Values.container.securityContext }} - securityContext: - {{- toYaml .Values.container.securityContext | nindent 10 }} - {{- end }} + {{- if .Values.exporter.securityContext }} + securityContext: + {{- toYaml .Values.exporter.securityContext | nindent 8 }} + {{- end }} env: - name: SERVICE_PORT value: "9308" diff --git a/addons/kafka/values.yaml b/addons/kafka/values.yaml index 18ffb20ab..461b32260 100644 --- a/addons/kafka/values.yaml +++ b/addons/kafka/values.yaml @@ -73,5 +73,11 @@ securityContext: container: securityContext: allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1001 + +## exporter security context settings +exporter: + securityContext: runAsNonRoot: true runAsUser: 1001 \ No newline at end of file From 55843d7b3d57ec4aa20304ec27db309207ab2cdd Mon Sep 17 00:00:00 2001 From: lancelot1989 Date: Wed, 15 Jan 2025 08:42:17 +0000 Subject: [PATCH 4/4] chore: auto generated files --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f7f4e704b..359350166 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ KubeBlocks add-ons. | etcd | etcd-3.5.15
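Review bot: Splitting `exporter.securityContext` out of `container.securityContext` drops `allowPrivilegeEscalation: false` for the jmx-exporter and kafka-exporter containers, because the new `exporter.securityContext` default in values.yaml carries only `runAsNonRoot: true` and `runAsUser: 1001`. The first patch in this series had just given the exporters that setting by sharing the container context, so this is a quiet hardening regression within the same PR, and nothing visible suggests the exporters need it (the jmx-exporter runs `java` directly and the kafka-exporter only exposes metrics on `SERVICE_PORT` 9308). Add `allowPrivilegeEscalation: false` under `exporter.securityContext` so both defaults carry the same baseline, and consider a values.yaml comment noting that the two blocks are expected to stay aligned. The `{{- if .Values.exporter.securityContext }}` gate has the same fail-open behaviour as the other containers' guards when the key is overridden to empty. Because the exporter's `securityContext:` line and its `nindent` were re-indented alongside the key rename, please confirm with a rendered `helm template` that the children land one level below `securityContext:` rather than as sibling container fields.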
etcd-3.5.6 | Etcd is a strongly consistent, distributed key-value store that provides a reliable way to store data that needs to be accessed by a distributed system or cluster of machines. | free6om | | greptimedb | greptimedb-0.3.2 | An open-source, cloud-native, distributed time-series database with PromQL/SQL/Python supported. | GreptimeTeam sh2 | | influxdb | influxdb-2.7.4 | InfluxDB(TM) is an open source time-series database. It is a core component of the TICK (Telegraf, InfluxDB(TM), Chronograf, Kapacitor) stack. | | -| kafka | | Apache Kafka is a distributed streaming platform designed to build real-time pipelines and can be used as a message broker or as a replacement for a log aggregation solution for big data applications. | caiq1nyu | +| kafka | kafka-broker-2.7.0
kafka-broker-3.3.2
kafka-combine-3.3.2
kafka-controller-3.3.2
kafka-exporter-1.6.0 | Apache Kafka is a distributed streaming platform designed to build real-time pipelines and can be used as a message broker or as a replacement for a log aggregation solution for big data applications. | caiq1nyu | | loki | loki-1.0.0 | Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus. It is designed to be very cost effective and easy to operate. | Chen-speculation | | mariadb | mariadb-10.6.15 | MariaDB is a high performance open source relational database management system that is widely used for web and application servers | yinmin | | milvus | milvus-v2.3.2 | A cloud-native vector database, storage for next generation AI applications. | leon-inf |