--- name: Replace image repository in values targets: - values.yaml before: |- image: repository: ghcr.io/project-zot/zot-linux-amd64 pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: "v2.0.0" after: |- image: repository: gsoci/dummy/zot-linux pullPolicy: Always tag: "" --- name: Fix security policies in the deployment targets: - templates/deployment.yaml before: |- \{\{- toYaml .Values.podSecurityContext .* after: |- fsGroup: 1337 {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }} {{- with .Values.podSeccompProfile }} seccompProfile: {{- . | toYaml | nindent 10 }} {{- end }} {{- end }} --- name: Fix security policies in container targets: - templates/deployment.yaml before: |- \{\{- toYaml .Values.securityContext .* after: |- {{- with .Values.containerSecurityContext }} {{- . | toYaml | nindent 12 }} {{- end }} readOnlyRootFilesystem: true runAsUser: 100 {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }} {{- with .Values.seccompProfile }} seccompProfile: {{- . | toYaml | nindent 14 }} {{- end }} {{- end }} --- name: Fix security policies in test jobs targets: - templates/tests/test-connection-fails.yaml - templates/tests/test-connection.yaml before: |- spec: containers: after: |- spec: securityContext: fsGroup: 1337 {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }} {{- with .Values.podSeccompProfile }} seccompProfile: {{- . | toYaml | nindent 10 }} {{- end }} {{- end }} containers: --- name: Fix security policies in test jobs containers targets: - templates/tests/test-connection-fails.yaml - templates/tests/test-connection.yaml before: |- containers: - name: wget after: |- containers: - name: wget securityContext: {{- with .Values.containerSecurityContext }} {{- . | toYaml | nindent 12 }} {{- end }} readOnlyRootFilesystem: true runAsUser: 100 {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }} {{- with .Values.seccompProfile }} seccompProfile: {{- . | toYaml | nindent 14 }} {{- end }} {{- end }}