From ba017fc8cc95525f3bc4d02ed671735b94e0514e Mon Sep 17 00:00:00 2001 From: Mario Manno Date: Wed, 23 Oct 2024 11:22:48 +0200 Subject: [PATCH] Add helm value to disable securityContext (#2981) The securityContext needs to be disabled to allow for debugging with a debugger. However it should be possible to run debug logs with security contexts enabled. --- charts/fleet/ci/debug-values.yaml | 1 + charts/fleet/templates/deployment.yaml | 11 +++++++---- charts/fleet/templates/deployment_gitjob.yaml | 5 +++-- charts/fleet/values.yaml | 1 + 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/charts/fleet/ci/debug-values.yaml b/charts/fleet/ci/debug-values.yaml index f495e1f62f..ab519706db 100644 --- a/charts/fleet/ci/debug-values.yaml +++ b/charts/fleet/ci/debug-values.yaml @@ -25,6 +25,7 @@ metrics: debug: true debugLevel: 4 propagateDebugSettingsToAgents: true +disableSecurityContext: true cpuPprof: period: "60s" diff --git a/charts/fleet/templates/deployment.yaml b/charts/fleet/templates/deployment.yaml index 3d21746bad..f2c0d32423 100644 --- a/charts/fleet/templates/deployment.yaml +++ b/charts/fleet/templates/deployment.yaml @@ -93,7 +93,8 @@ spec: - --debug - --debug-level - {{ quote $.Values.debugLevel }} - {{- else }} + {{- end }} + {{- if not $.Values.disableSecurityContext }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -149,7 +150,8 @@ spec: - --debug - --debug-level - {{ quote $.Values.debugLevel }} - {{- else }} + {{- end }} + {{- if not $.Values.disableSecurityContext }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -194,7 +196,8 @@ spec: - --debug - --debug-level - {{ quote $.Values.debugLevel }} - {{- else }} + {{- end }} + {{- if not $.Values.disableSecurityContext }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
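Review bot: Setting `disableSecurityContext: true` in the CI debug values means the CI debug rendering no longer exercises the debug-plus-securityContext combination that the commit message says must keep working; the only hardened rendering left in CI is the non-debug one. Keeping this key at `false` here (or adding a separate values file for the debugger run) would let CI catch a template regression where debug mode again drops `runAsNonRoot` or `readOnlyRootFilesystem`. I am inferring from the `ci/` path that this file feeds an automated lint or install step; if it is only used for interactive debugging the point is moot.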
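Review bot: The new `{{- if not $.Values.disableSecurityContext }}` guard is pasted in front of three identical container `securityContext` blocks in this file (this hunk and the two that follow it) plus a fourth in deployment_gitjob.yaml, so the hardening fields and their kill switch now have to be kept in sync in several places. A named template in `_helpers.tpl`, e.g. `{{- define "fleet.containerSecurityContext" -}}` wrapping the guarded block and rendered with `{{- include "fleet.containerSecurityContext" . | nindent N }}` at the container's indent, would put the toggle and the field list in one place. The enclosing container spec and the `{{- end }}` that closes the new `if` lie outside the hunk.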
@@ -226,7 +229,7 @@ spec: priorityClassName: "{{$.Values.priorityClassName}}" {{- end }} -{{- if not $.Values.debug }} +{{- if not $.Values.disableSecurityContext }} securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/charts/fleet/templates/deployment_gitjob.yaml b/charts/fleet/templates/deployment_gitjob.yaml index 5c3df9608a..686608d1cb 100644 --- a/charts/fleet/templates/deployment_gitjob.yaml +++ b/charts/fleet/templates/deployment_gitjob.yaml @@ -93,7 +93,8 @@ spec: {{- if $.Values.debug }} - name: CATTLE_DEV_MODE value: "true" - {{- else }} + {{- end }} + {{- if not $.Values.disableSecurityContext }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true @@ -122,7 +123,7 @@ spec: priorityClassName: "{{$.Values.priorityClassName}}" {{- end }} -{{- if not $.Values.debug }} +{{- if not $.Values.disableSecurityContext }} securityContext: runAsNonRoot: true runAsUser: 1000 diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index 6a9d47b78b..6e9d874454 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml @@ -84,6 +84,7 @@ metrics: debug: false debugLevel: 0 propagateDebugSettingsToAgents: true +disableSecurityContext: false migrations: clusterRegistrationCleanup: true
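Review bot: With `disableSecurityContext: true` the pod-level `runAsNonRoot: true` / `runAsUser: 1000` is dropped together with the container hardening, so the controller runs as whatever user the image defaults to — plausibly root — with a writable root filesystem and privilege escalation allowed. If the debugger only needs a writable filesystem and/or ptrace, a narrower escape hatch that keeps this pod-level block and relaxes only the container fields the debugger requires would keep the blast radius smaller; which fields the debugger actually needs is not visible here. A cluster enforcing the `restricted` Pod Security Standard will reject a pod that renders no securityContext at all, which is worth a template comment at this `if`, e.g. `{{- /* debug aid only: rendering no securityContext fails restricted PSS admission */ -}}`. The `{{- end }}` closing this `if` lies outside the hunk.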
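Review bot: `disableSecurityContext: false` lands in values.yaml without a comment, although it is the one knob that removes every hardening field (`runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`) from the controller and gitjob pods. I would add above it: `# Debug aid only: when true, no pod/container securityContext is rendered, so the` / `# controller may run as root with a writable root filesystem. Never enable this in` / `# production; admission under the restricted Pod Security Standard will reject the pod.` Whether this value is also forwarded to agents alongside `propagateDebugSettingsToAgents` is not visible in this diff and should be stated in the comment either way.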