Add securityContext at spec level

[pidge-raman]

When mounting extra volumes for plugins or h2 database volume. In order to make sure the metabase has the permission to access these volume we need to set security context with fsGroup with respective group for the metabase user which we can set using enviroment variable like MUID and MGID.

Sample Deployement yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: metabase
    app.kubernetes.io/instance: metabase
    chart: metabase-2.14.4
    heritage: Helm
    release: metabase
  name: metabase
  namespace: metabase
spec:
  replicas: 1
  selector:
    matchLabels:
      app: metabase
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: metabase
        release: metabase
    spec:
      containers:
        - env:
            - name: MB_JETTY_HOST
              value: 0.0.0.0
            - name: MB_JETTY_PORT
              value: '3000'
            - name: MB_DB_TYPE
              value: h2
            - name: MB_DB_FILE
              value: /db/metabase.db
            - name: MB_ENCRYPTION_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: ENCRYPTION_KEY
                  name: metabase-db
            - name: MB_PASSWORD_COMPLEXITY
              value: normal
            - name: MB_PASSWORD_LENGTH
              value: '6'
            - name: JAVA_TIMEZONE
              value: UTC
            - name: MB_PLUGINS_DIR
              value: /plugins
            - name: MB_EMOJI_IN_LOGS
              value: 'true'
            - name: MB_COLORIZE_LOGS
              value: 'true'
            - name: MUID
              value: '1099'
            - name: MGID
              value: '10999'
          image: 'metabase/metabase:v0.49.8'
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 6
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 120
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          name: metabase
          ports:
            - containerPort: 3000
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          resources: {}
          securityContext:
            runAsGroup: 1099
            runAsUser: 1099
          volumeMounts:
            - mountPath: /db
              name: db
            - mountPath: /plugins
              name: plugins
      restartPolicy: Always
      securityContext:
        fsGroup: 1099
      serviceAccount: metabase
      serviceAccountName: metabase
      volumes:
        - name: db
          persistentVolumeClaim:
            claimName: metabase-db
        - name: plugins
          persistentVolumeClaim:
            claimName: metabase-plugins

[lhoss]

will need this feature too (planning to use this helm chart in a gov project running containers on OpenShift)