infra/charts/headlamp/tests/expected_templates/security-context.yaml

---
# Source: headlamp/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
---
# Source: headlamp/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: oidc
  namespace: default
type: Opaque
data:
---
# Source: headlamp/templates/plugin-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: headlamp-plugin-config
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
data:
  plugin.yml: |
---
# Source: headlamp/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: headlamp
  namespace: default
---
# Source: headlamp/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
---
# Source: headlamp/templates/deployment.yaml
# This block of code is used to extract the values from the env.
# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        fsGroup: 2000
        runAsGroup: 3000
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: headlamp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
            seccompProfile:
              type: RuntimeDefault
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
          volumeMounts:
            - name: plugins-dir
              mountPath: /headlamp/plugins
        - name: headlamp-plugin
          image: node:18-alpine
          command: ["/bin/sh", "-c"]
          args:
            - |
              if [ -f "/config/plugin.yml" ]; then
                echo "Installing plugins from config..."
                cat /config/plugin.yml
                # Use a writable cache directory
                export NPM_CONFIG_CACHE=/tmp/npm-cache
                # Use a writable config directory
                export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
                mkdir -p /tmp/npm-cache /tmp/npm-userconfig
                npx --yes @headlamp-k8s/pluginctl@1.0.0 install --config /config/plugin.yml --folderName /headlamp/plugins --watch
              fi
          volumeMounts:
            - name: plugins-dir
              mountPath: /headlamp/plugins
            - name: plugin-config
              mountPath: /config
          resources:
            null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1001
      volumes:
        - name: plugins-dir
          emptyDir: {}
        - name: plugin-config
          configMap:
            name: headlamp-plugin-config