projects / osm / devops.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Adding security_context flag to charms
[osm/devops.git] / installers / charm / prometheus / src / charm.py
diff --git a/installers/charm/prometheus/src/charm.py b/installers/charm/prometheus/src/charm.py
index e3e0e42..61589e2 100755 (executable)
--- a/installers/charm/prometheus/src/charm.py
+++ b/installers/charm/prometheus/src/charm.py
@@ -60,6 +60,8 @@ class ConfigModel(ModelValidator):
     ingress_whitelist_source_range: Optional[str]
     tls_secret_name: Optional[str]
     enable_web_admin_api: bool
+    image_pull_policy: str
+    security_context: bool
 
     @validator("web_subpath")
     def validate_web_subpath(cls, v):
@@ -87,6 +89,18 @@ class ConfigModel(ModelValidator):
             ip_network(v)
         return v
 
+    @validator("image_pull_policy")
+    def validate_image_pull_policy(cls, v):
+        values = {
+            "always": "Always",
+            "ifnotpresent": "IfNotPresent",
+            "never": "Never",
+        }
+        v = v.lower()
+        if v not in values.keys():
+            raise ValueError("value must be always, ifnotpresent or never")
+        return values[v]
+
 
 class PrometheusCharm(CharmedOsmBase):
 
@@ -146,7 +160,9 @@ class PrometheusCharm(CharmedOsmBase):
         # Validate config
         config = ConfigModel(**dict(self.config))
         # Create Builder for the PodSpec
-        pod_spec_builder = PodSpecV3Builder()
+        pod_spec_builder = PodSpecV3Builder(
+            enable_security_context=config.security_context
+        )
 
         # Build Backup Container
         backup_image = OCIImageResource(self, "backup-image")
@@ -157,7 +173,12 @@ class PrometheusCharm(CharmedOsmBase):
         pod_spec_builder.add_container(backup_container)
 
         # Build Container
-        container_builder = ContainerV3Builder(self.app.name, image_info)
+        container_builder = ContainerV3Builder(
+            self.app.name,
+            image_info,
+            config.image_pull_policy,
+            run_as_non_root=config.security_context,
+        )
         container_builder.add_port(name=self.app.name, port=PORT)
         container_builder.add_http_readiness_probe(
             "/-/ready",