A lot of work on the workload library

charts/workload/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/workload/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: softplayer-lib-workload
+description: A library to be reused accross softplayer charts
+type: library
+version: 0.1.0
+maintainers:
+  - name: allanger
+    email: allanger@badhouseplants.net

charts/workload/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+

charts/workload/templates/_utils.yaml

@@ -0,0 +1,13 @@
+{{- /*
+lib.util.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/}}
+{{- define "lib.util.merge" -}}
+{{- $top := first . -}}
+{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
+{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
+{{- toYaml (merge $overrides $tpl) -}}
+{{- end -}}

charts/workload/templates/_workloads.yaml

@@ -0,0 +1,13 @@
+{{- define "helpers.allowed_workloads" -}}
+{{ index .Chart.Annotations "allowed_workload_kinds" }}
+{{- end -}}
+
+{{- define "lib.workload" -}}
+---
+{{ if eq .Values.workload.kind "Deployment" -}}
+{{- if contains .Values.workload.kind (include "helpers.allowed_workloads" .) }}
+{{- include "lib.deployment" . }}
+{{- end }}
+{{- end }}
+{{- end }}
+

charts/workload/templates/addons/traefik/_ingress_route_tcp.tpl

@@ -0,0 +1,13 @@
+{{- define "lib.traefik.ingress_route_tcp" -}}
+{{- range $k, $v := .Values.traefik.tcpRoutes }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+---
+{{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+spec:
+{{ tpl ($v | toYaml | indent 2 | toString) $  }}
+{{- end }}
+{{- end }}
+{{- end -}}

charts/workload/templates/addons/traefik/_ingress_route_udp.tpl

@@ -0,0 +1,13 @@
+{{- define "lib.traefik.ingress_route_udp" -}}
+{{- range $k, $v := .Values.traefik.udpRoutes }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+---
+{{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteUDP" }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteUDP
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+spec:
+{{ tpl ($v | toYaml | indent 2 | toString) $  }}
+{{- end }}
+{{- end }}
+{{- end -}}

charts/workload/templates/configs/_env.tpl

@@ -0,0 +1,20 @@
+{{- define "lib.config.env" -}}
+{{- range $k, $v := .Values.env }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+---
+apiVersion: v1
+{{- if not $v.sensitive }}
+kind: ConfigMap
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+data:
+{{- else }}
+kind: Secret
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+stringData:
+{{- end }}
+{{- with $v.data }}
+{{ toYaml . | indent 2}}
+{{- end }}
+{{- end }}
+{{- end -}}
+

charts/workload/templates/configs/_files.tpl

@@ -0,0 +1,20 @@
+{{- define "lib.config.files" -}}
+{{- range $k, $v := .Values.files }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+---
+apiVersion: v1
+{{- if not $v.sensitive }}
+kind: ConfigMap
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+data:
+{{- else }}
+kind: Secret
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+stringData:
+{{- end }}
+{{- with $v.data }}
+{{ toYaml . | indent 2}}
+{{- end }}
+{{- end }}
+{{- end -}}
+

charts/workload/templates/deployment/_containers.tpl

@@ -0,0 +1,117 @@
+{{- define "helper.deployment.containers" -}} {{- /* (define) */ -}}
+{{- if not .Values.workload.containers -}} {{- /* (1) */ -}}
+{{ fail ".Values.workload.containers can not be empty (heler.deployment.containers)" }}
+{{- end -}} {{- /* /(1) */ -}}
+containers:
+{{- range $k,$v := .Values.workload.containers }} {{- /* (1) */}}
+  - name: {{ $k }}
+    {{- include "helper.workload.containerSecurityContext" . | nindent 4 -}}
+    {{- include "helper.workload.image" (dict "Chart" $.Chart "Image" .image) | indent 4 -}}
+    {{- include "helper.container.command" $v | nindent 4 -}}
+    {{- include "helper.container.args" $v | nindent 4 -}}
+    {{- include "helper.container.ports" (dict "Context" $ "Container" $v) | nindent 4 -}}
+    {{- include "helper.container.volumeMounts" $v | nindent 4 -}}
+    {{- include "helper.container.envFrom" (dict "Context" $ "Container" $v) | nindent 4 -}}
+{{- end }} {{- /* /(1) */}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.deployment.initContainers" -}} {{- /* (define) */ -}}
+{{- if .Values.workload.initContainers -}} {{- /* (1) */ -}}
+initContainers:
+{{- range $k,$v := .Values.workload.initContainers }} {{- /* (2) */}}
+  - name: {{ $k }}
+    {{- include "helper.workload.containerSecurityContext" . | nindent 4 -}}
+    {{- include "helper.workload.image" (dict "Chart" $.Chart "Image" .image) | indent 4 -}}
+    {{- include "helper.container.command" $v | nindent 4 -}}
+    {{- include "helper.container.args" $v | nindent 4 -}}
+    {{- include "helper.container.ports" (dict "Context" $ "Container" $v) | nindent 4 -}}
+    {{- include "helper.container.volumeMounts" $v | nindent 4 -}}
+    {{- include "helper.container.envFrom" (dict "Context" $ "Container" $v) | nindent 4 -}}
+{{- end }} {{- /* /(1) */}}
+{{- end -}} {{- /* /(2) */ -}}
+
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.deployment.container" -}} {{- /* (define) */ -}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.container.command" -}} {{- /* (define) */ -}}
+{{- with .command }} {{- /* (1) */ -}}
+command: 
+{{ . | toYaml | indent 2 }}
+{{- end -}} {{- /* /(1) */ -}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.container.args" -}} {{- /* (define) */ -}}
+{{- with .args }} {{- /* (1) */ -}}
+args: 
+{{ . | toYaml | indent 2 }}
+{{- end -}} {{- /* /(1) */ -}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.container.ports" -}} {{- /* (define) */ -}}
+{{- if .Container.ports -}} {{- /* (1) */ -}}
+ports:
+{{- range $p := .Container.ports -}} {{- /* (2) */ -}}
+{{- if kindIs "string" $p }} {{- /* (3) */}}
+  - containerPort: {{ index (index $.Context.Values.service.ports $p) "targetPort" }}
+    protocol: {{ index (index $.Context.Values.service.ports $p) "protocol" }}
+{{- else }}
+{{ print "-" | indent 2 | -}}
+{{ $p | toYaml | nindent 4 -}}
+{{- end -}} {{- /* /(3) */ -}}
+{{- end -}} {{- /* /(2) */ -}}
+{{- end -}} {{- /* /(1) */ -}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.container.volumeMounts" -}} {{- /* (define) */ -}}
+{{- if .mounts -}} {{- /* (1) */ -}}
+volumeMounts:
+{{- range $mountKind, $mountData := .mounts }} {{- /* (2) */}}
+{{- if eq $mountKind "storage" }} {{- /* (3) */}}
+{{- range $mountName, $mountEntry := $mountData }} {{- /* (4) */}}
+  - name: {{ printf "%s-storage" $mountName }}
+    mountPath: {{ $mountEntry.path }} 
+{{- end }} {{- /* /(4) */}}
+{{- end }} {{- /* /(3) */}}
+{{- if eq $mountKind "files" }} {{- /* (3) */}}
+{{- range $mountName, $mountEntry := $mountData }} {{- /* (4) */}}
+  - name: {{ printf "%s-file" $mountName }}
+    mountPath: {{ $mountEntry.path }} 
+{{- end }} {{- /* /(4) */}}
+{{- end }} {{- /* /(3) */}}
+{{- if eq $mountKind "extraVolumes" }} {{- /* (3) */}}
+{{- range $mountName, $mountEntry := $mountData }} {{- /* (4) */}}
+  - name: {{ printf "%s-extra" $mountName }}
+    mountPath: {{ $mountEntry.path }} 
+{{- end }} {{- /* /(4) */}}
+{{- end }} {{- /* /(3) */}}
+{{- end }} {{- /* /(2) */}}
+{{- end }} {{- /* /(1) */}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{- define "helper.container.envFrom" -}} {{- /* (define) */ -}}
+{{/* If env should be set from a Configmap/Secret */}}
+{{- if .Container.envFrom }} {{- /* (1) */}}
+envFrom:
+{{- range $k := .Container.envFrom -}} {{- /* (2) */ -}}
+{{/* If envFrom entry is a string, then refer to the env created by the library */}}
+{{- if kindIs "string" $k -}} {{- /* (3) */ -}}
+{{- if (index $.Context.Values.env $k) -}} {{- /* (4) */ -}}
+{{- if (index $.Context.Values.env $k).sensitive }} {{- /* (5) */}}
+  - secretRef:
+{{- else }}
+  - configMapRef:
+{{- end }} {{- /* /(5) */}}
+    name: {{- printf " %s-%s" (include "chart.fullname" $.Context) $k -}}
+{{- end -}} {{- /* /(4) */}}
+{{- /* Otherwise try to add references directly (if Secrets/ConfigMaps are not managed by the chart) */ -}}
+{{- else -}}
+{{- range $k, $v := $k }} {{- /* (5) */}}
+  - {{ $k }}:
+{{ toYaml $v | indent 14 }}
+{{- end -}} {{- /* /(4) */ -}}
+{{- end -}} {{- /* /(3) */ -}}
+{{- end -}} {{- /* /(2) */ -}}
+{{- end -}} {{- /* /(1) */ -}}
+{{- end -}} {{- /* /(define) */ -}}

charts/workload/templates/deployment/_deployment.tpl

@@ -0,0 +1,11 @@
+{{- define "lib.deployment" -}}
+# ---------------------------------------------------------------------
+# The deployment is build within the helm library
+# please check the lib/tempaltes/deployment/base
+# ---------------------------------------------------------------------
+apiVersion: apps/v1
+kind: Deployment
+{{- include "lib.metadata" (dict "Context" . "customName" "")}}
+{{- include "deployment.spec" . }}
+{{- end -}}
+

charts/workload/templates/deployment/_spec.tpl

@@ -0,0 +1,29 @@
+{{/*
+  This is a builder for deployments
+*/}}
+
+{{- define "deployment.spec" }} {{- /* (define) */}}
+# ---------------------------------------------------------------------
+# The spec is build within the helm library
+# please check the lib/templates/deployment/spec
+# ---------------------------------------------------------------------
+spec: 
+  replicas: {{ .Values.workload.replicas | default 1}}
+  selector:
+    matchLabels:
+{{ include "metadata.selectorLabels" . | indent 6 }}
+{{ include "lib.deployment.template" . | indent 2 }}
+
+{{- end -}}
+
+{{- define "lib.deployment.template" -}} {{- /* (define) */ -}}
+template:
+  metadata:
+    labels:
+      {{- include "metadata.labels" . | nindent 6 }}
+  spec:
+    {{- include "helper.workload.securityContext" . | nindent 4 -}}
+    {{- include "helper.deployment.volumes" . | nindent 4 }}
+    {{- include "helper.deployment.containers" . | nindent 4 }}
+    {{- include "helper.deployment.initContainers" . | nindent 4 }}
+{{- end -}} {{- /* /(define) */ -}}

charts/workload/templates/deployment/_volumes.tpl

@@ -0,0 +1,32 @@
+{{- define "helper.deployment.volumes" -}} {{- /* (define) */ -}}
+{{- if or ( or .Values.storage .Values.extraVolumes) .Values.files }} {{- /* (1)*/}}
+volumes:
+{{- /* If storage is defined, mount the pvc */ -}}
+  {{- if .Values.storage }} {{- /* (2) */}}
+    {{- range $k, $v := .Values.storage }} {{- /* (3) */}}
+  - name: {{ $k }}-storage
+    persistentVolumeClaim:
+      claimName: " {{- printf "%s-%s" (include "chart.fullname" $) $k }}"
+    {{- end }} {{- /* /(3) */}}
+  {{- end  }} {{- /* /(2) */}}
+  {{- if .Values.extraVolumes}} {{- /* (2) */}}
+    {{- range $k, $v := .Values.extraVolumes}} {{- /* (3) */}}
+  - name: {{ $k }}-extra
+    {{- $v | toYaml | nindent 4 }}
+    {{- end }} {{- /* /(3) */}}
+  {{- end }} {{- /* /(2) */}}
+  {{- if .Values.files }} {{- /* (2) */}}
+    {{- range $k, $v := .Values.files }} {{- /* (3) */}}
+  - name: {{ $k }}-file
+      {{- if $v.sensitive }} {{- /* (4) */}}
+    secret:
+      defaultMode: 420
+      secretName: "{{ printf "%s-%s" (include "chart.fullname" $) $k }}"
+      {{- else }}
+    configMap:
+      name: "{{- printf "%s-%s" (include "chart.fullname" $) $k }}"
+      {{- end }} {{- /* /(4) */}}
+    {{- end }} {{- /* /(3) */}}
+  {{- end }} {{- /* /(2) */}}
+{{- end -}} {{- /* /(1)*/ -}}
+{{- end -}} {{- /* /(define) */ -}}

charts/workload/templates/metadata/_base.tpl

@@ -0,0 +1,13 @@
+{{- define "lib.metadata" }}
+metadata:
+  {{- if .customName }}
+  name: {{ .customName }}
+  {{- else }}
+  name: {{ include "chart.fullname" .Context }}
+  {{- end }}
+  labels:
+{{ include "metadata.labels" .Context | indent 4 }}
+{{- end }}
+
+{{- define "metadata.customName" -}}
+{{- end -}}

charts/workload/templates/metadata/_labels.tpl

@@ -0,0 +1,20 @@
+{{/*
+Common labels
+*/}}
+{{- define "metadata.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "metadata.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+

charts/workload/templates/notes/_notes.tpl

@@ -0,0 +1,8 @@
+{{- define "lib.notes" -}}
+*** Release metadata ***
+Chart: {{ .Chart.Name }}
+Chart version: {{ .Chart.Version }}
+App version: {{ .Chart.Version }}
+Image: {{ index $.Chart.Annotations "helm.badhouseplants.net/registry" }}
+Release name: {{ .Release.Name }}
+{{- end }}

charts/workload/templates/pvc/_pvc.tpl

@@ -0,0 +1,25 @@
+{{- define "lib.pvc" -}}
+{{- range $k, $v := .Values.storage }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+---
+# ---------------------------------------------------------------------
+# This pvc is created as a part of softplayer helm library
+# please see /lib/tempaltes/pvc/_pvc.tpl
+# ---------------------------------------------------------------------
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+spec:
+{{- with $v.accessModes }}
+  accessModes:
+{{ toYaml . | indent 4}}
+{{- end }}
+  resources:
+    requests:
+      storage: {{ $v.size }}
+{{- if ne $v.storageClassName "default" }}
+  storageClassName: {{ $v.storageClassName }}
+{{- end }}
+{{- end }}
+{{- end -}}

charts/workload/templates/rbac/_rbac.yaml

@@ -0,0 +1,34 @@
+{{- define "lib.rbac" -}}
+{{- range $k, $v := .Values.rbac }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $v.role.kind }}
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+rules:
+{{ $v.role.rules | toYaml | indent 2}}
+
+{{- if $v.serviceAccount }}
+---
+apiVersion: v1
+kind: ServiceAccount
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+---
+kind: {{ $v.binding.kind }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+subjects:
+
+- kind: ServiceAccount
+  name: {{ $customName }}
+  namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: {{ $v.role.kind }}
+  name: {{ $customName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end  }}
+{{- end  }}
+
+{{- end -}}
+

charts/workload/templates/service/_service.tpl

@@ -0,0 +1,25 @@
+{{- define "lib.service" }}
+---
+# ---------------------------------------------------------------------
+# This service is created as a part of softplayer helm library
+# please see /lib/tempaltes/service/_service.tpl
+# ---------------------------------------------------------------------
+apiVersion: v1
+kind: Service
+{{- include "lib.metadata" (dict "Context" . "customName" "")}}
+spec:
+  {{- if (.Values.service).type }}
+  type: {{ .Values.service.type }}
+  {{- else }}
+  type: ClusterIP
+  {{- end }}
+  selector:
+{{ include "metadata.selectorLabels" .  | indent 4}}
+  ports:
+{{- range $k,$v := .Values.service.ports }}
+    - name: {{ $k }}
+      port: {{ $v.port }}
+      targetPort: {{ $v.targetPort}}
+      protocol: {{ $v.protocol}}
+{{- end }}
+{{- end }}

charts/workload/templates/service/_services.tpl

@@ -0,0 +1,31 @@
+{{- define "lib.services" }}
+{{- range $k, $v := .Values.services }}
+{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
+
+---
+# ---------------------------------------------------------------------
+# This service is created as a part of softplayer helm library
+# please see /lib/tempaltes/service/_service.tpl
+# ---------------------------------------------------------------------
+apiVersion: v1
+kind: Service
+{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
+spec:
+  {{- if ($v).type }}
+  type: {{ $v.type }}
+  {{- else }}
+  type: ClusterIP
+  {{- end }}
+  selector:
+{{ include "metadata.selectorLabels" $  | indent 4}}
+  ports:
+{{- range $k,$v := $v.ports }}
+    - name: {{ $k }}
+      port: {{ $v.port }}
+      targetPort: {{ $v.targetPort}}
+      protocol: {{ $v.protocol}}
+{{- end }}
+{{- end }}
+
+{{- end -}}
+

charts/workload/templates/workload/_image.tpl

@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------
+# Main workload helpers
+# ---------------------------------------------------------------------
+{{/*
+  Prepare a tag for the container image 
+  Example: 
+  {{ include "helper.workload.tag" (dict "AppVersion" $.Chart.AppVersion "Tag" .Image.tag) }}
+*/}}
+{{- define "helper.workload.tag" -}} {{/* (define) */}}
+{{- if or .Tag .AppVersion -}} {{/* (1) */}}
+  {{- if .Tag -}} {{/* (2) */}}
+    {{- .Tag -}} 
+  {{- else -}}
+    {{- .AppVersion  -}}
+  {{- end -}} {{/* /(2) */}}
+{{- else -}}
+  {{ fail ".Tag or .AppVersion must be passed to this helper (helper.workload.tag)"}}
+{{- end -}} {{/* /(1) */}}
+{{- end -}} {{/* /(define) */}}
+
+{{/*
+  Prepare the image name for the container
+  Example: 
+  {{ include "helper.workload.image" (dict "Chart" $.Chart "Image" .image) }}
+*/}}
+{{- define "helper.workload.image" -}} {{/* (define) */}}
+{{- if and .Chart .Image -}} {{/* (1) */}}
+image: {{ printf "%s/%s:%s" .Image.registry .Image.repository (include "helper.workload.tag" (dict "AppVersion" $.Chart.AppVersion "Tag" .Image.tag)) }}
+imagePullPolicy: {{ .Image.pullPolicy | default "Always" }}
+{{- else -}}
+  {{ fail ".Chart and .Image must be passed to this helper (helper.workload.image)"}}
+{{- end -}} {{/* /(1) */}}
+{{- end -}} {{/* /(define) */}}

charts/workload/templates/workload/_security.tpl

@@ -0,0 +1,36 @@
+{{/* Build a pod security context */}}
+{{- define "helper.workload.securityContext" -}} {{- /* (define) */ -}}
+{{- if not .Values.workload.securityContext -}} {{- /* (1) */ -}}
+# ---------------------------------------------------------------------
+# Using the default security context, if it doesn't work for you,
+# please update `.Values.workload.securityContext`
+# ---------------------------------------------------------------------
+securityContext:
+  runAsUser: 1000
+  runAsGroup: 3000
+  fsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+{{- else -}}
+  {{- with .Values.workload.securityContext -}} {{- /* (2) */ -}}
+securityContext:
+{{ toYaml . | indent 2 }}
+  {{- end }} {{- /* /(2) */}}
+{{- end -}} {{- /* /(1) */ -}}
+{{- end -}} {{- /* /(define) */ -}}
+
+{{/* Build a container security context */}}
+{{- define "helper.workload.containerSecurityContext" -}} {{- /* (define) */ -}}
+securityContext:
+{{- if  not .securityContext }} {{- /* (1) */}}
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+{{- else }}
+{{- with .securityContext }} {{- /* (2) */}}
+{{ toYaml . | indent 2 }}
+{{- end }} {{- /* /(2) */}}
+{{- end -}} {{- /* /(1) */ -}}
+{{- end -}} {{- /* /(define) */ -}}