From 1138ac764c69148cde3bca2d0e949662225b30a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bauer?=
Date: Thu, 27 Jun 2024 13:27:30 +0200
Subject: [PATCH] add pod securitycontext to auth proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: André Bauer
---
 charts/visual-regression-tracker/Chart.yaml | 2 +-
 .../templates/auth-proxy-deployment.yaml | 2 ++
 charts/visual-regression-tracker/values.yaml | 8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/charts/visual-regression-tracker/Chart.yaml b/charts/visual-regression-tracker/Chart.yaml
index 66d1ba4..0eb850e 100644
--- a/charts/visual-regression-tracker/Chart.yaml
+++ b/charts/visual-regression-tracker/Chart.yaml
@@ -6,7 +6,7 @@ sources:
 - https://github.com/Visual-Regression-Tracker/Visual-Regression-Tracker
 - https://github.com/kokuwaio/helm-charts/tree/main/charts/visual-regression-tracker
 type: application
-version: 4.0.0
+version: 4.0.1
 appVersion: "5.0.4"
 maintainers:
 - name: monotek
diff --git a/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml b/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml
index cb5ed45..adb3846 100644
--- a/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml
+++ b/charts/visual-regression-tracker/templates/auth-proxy-deployment.yaml
@@ -82,6 +82,8 @@ spec:
 mountPath: /etc/nginx/conf.d/default.conf
 subPath: default.conf
 readOnly: true
+ securityContext:
+ {{- toYaml .Values.authProxy.podSecurityContext | nindent 8 }}
 volumes:
 - name: tmpdir
 emptyDir:
diff --git a/charts/visual-regression-tracker/values.yaml b/charts/visual-regression-tracker/values.yaml
index 5fcd9d0..71db114 100644
--- a/charts/visual-regression-tracker/values.yaml
+++ b/charts/visual-regression-tracker/values.yaml
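Review bot: The `securityContext:` added in the auth-proxy-deployment.yaml hunk is a pod-level block, where `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` cannot be set, so this value gives the auth-proxy container non-root and seccomp settings but no container-level hardening. The container spec starts outside the hunk, so it may already carry its own `securityContext`; if it does not, consider a sibling `authProxy.securityContext` value rendered under the container with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. Separately, the key is rendered unconditionally; wrapping it in `{{- with .Values.authProxy.podSecurityContext }}` and `{{- end }}` would omit it when a user overrides the value with an empty map.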
@@ -58,6 +58,14 @@ authProxy: podLabels: {} + podSecurityContext: + fsGroup: 101 + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little
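Review bot: The new `podSecurityContext` defaults hard-code UID/GID 101 together with `runAsNonRoot: true`, with no comment saying which image user they correspond to; 101 is presumably the nginx user of the default auth proxy image, which is not visible in this hunk. Anyone who overrides the image, or whose proxy configuration needs root at startup, may see the pod fail to start after upgrading, and the chart version in this patch only moves from 4.0.0 to 4.0.1. Suggest a comment above the block such as `# UID/GID 101 must match the non-root user of the auth proxy image; adjust when overriding the image`, plus a release note about the changed default. The comment block under `resources` continues outside the hunk.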