feat: add securityContext and podSecurityContext options (#263)

* add containerSecurityContext to postfix and dovecot containers
Postfix and Dovecot sometimes need capabilities that some CRIs, such as cri-o, do not support by default, e.g. `SYS_CHROOT`. In these cases, if these capabilities are not added explicitly, postfix and dovecot won't start.

This commit adds `.Values.{postfix,dovecot}.containerSecurityContext` to values.yaml and to the corresponding templates.

* securityContext: add podSecurityContext as well

* fix typo in helmdoc for postfix.podSecurityContext

* feat: Added pod and container security contexts for all services

Signed-off-by: fastlorenzo <git@bernardi.be>

* chore: updated readme

Signed-off-by: fastlorenzo <git@bernardi.be>

---------

Signed-off-by: fastlorenzo <git@bernardi.be>
Co-authored-by: fastlorenzo <git@bernardi.be>

mailu/templates/admin/deployment.yaml

@@ -60,10 +60,16 @@ spec:
       {{- if .Values.admin.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.admin.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.admin.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.admin.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: admin
           image: {{ .Values.imageRegistry }}/{{ .Values.admin.image.repository }}:{{ default (include "mailu.version" .) .Values.admin.image.tag }}
           imagePullPolicy: {{ .Values.admin.image.pullPolicy }}
+          {{- if .Values.admin.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.admin.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: data
               subPath: admin

mailu/templates/clamav/statefulset.yaml

@@ -62,10 +62,16 @@ spec:
       {{- if .Values.clamav.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.clamav.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.clamav.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.clamav.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: clamav
           image: {{ .Values.imageRegistry }}/{{ .Values.clamav.image.repository }}:{{ default (include "mailu.version" .) .Values.clamav.image.tag }}
           imagePullPolicy: {{ .Values.clamav.image.pullPolicy }}
+          {{- if .Values.clamav.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.clamav.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: data
               subPath: clamav

mailu/templates/dovecot/deployment.yaml

@@ -61,10 +61,16 @@ spec:
       {{- if .Values.dovecot.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.dovecot.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.dovecot.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.dovecot.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: dovecot
           image: {{ .Values.imageRegistry }}/{{ .Values.dovecot.image.repository }}:{{ default (include "mailu.version" .) .Values.dovecot.image.tag }}
           imagePullPolicy: {{ .Values.dovecot.image.pullPolicy }}
+          {{- if .Values.dovecot.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.dovecot.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: data
               subPath: dovecotdata

mailu/templates/fetchmail/deployment.yaml

@@ -61,10 +61,16 @@ spec:
       {{- if .Values.fetchmail.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.fetchmail.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.fetchmail.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.fetchmail.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: fetchmail
           image: {{ .Values.imageRegistry }}/{{ .Values.fetchmail.image.repository }}:{{ default (include "mailu.version" .) .Values.fetchmail.image.tag }}
           imagePullPolicy: {{ .Values.fetchmail.image.pullPolicy }}
+          {{- if .Values.fetchmail.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.fetchmail.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: data
               subPath: fetchmail

mailu/templates/front/deployment.yaml

@@ -65,10 +65,16 @@ spec:
       {{- if .Values.front.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.front.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.front.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.front.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: front
           image: {{ .Values.imageRegistry }}/{{ .Values.front.image.repository }}:{{ default (include "mailu.version" .) .Values.front.image.tag }}
           imagePullPolicy: {{ .Values.front.image.pullPolicy }}
+          {{- if .Values.front.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.front.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: certs
               mountPath: /certs

mailu/templates/oletools/deployment.yaml

@@ -61,10 +61,16 @@ spec:
       {{- if .Values.oletools.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.oletools.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.oletools.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.oletools.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: oletools
           image: {{ .Values.imageRegistry }}/{{ .Values.oletools.image.repository }}:{{ default (include "mailu.version" .) .Values.oletools.image.tag }}
           imagePullPolicy: {{ .Values.oletools.image.pullPolicy }}
+          {{- if .Values.oletools.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.oletools.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           {{- if .Values.oletools.extraVolumeMounts }}
           volumeMounts:
             {{- include "common.tplvalues.render" (dict "value" .Values.oletools.extraVolumeMounts "context" $) | nindent 12 }}

mailu/templates/postfix/deployment.yaml

@@ -60,10 +60,16 @@ spec:
       {{- if .Values.postfix.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.postfix.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.postfix.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.postfix.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: postfix
           image: {{ .Values.imageRegistry }}/{{ .Values.postfix.image.repository }}:{{ default (include "mailu.version" .) .Values.postfix.image.tag }}
           imagePullPolicy: {{ .Values.postfix.image.pullPolicy }}
+          {{- if .Values.postfix.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.postfix.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - mountPath: /queue
               name: data

mailu/templates/rspamd/deployment.yaml

@@ -60,11 +60,17 @@ spec:
       {{- if .Values.rspamd.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.rspamd.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.rspamd.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.rspamd.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       hostname: rspamd # https://github.com/Mailu/helm-charts/issues/95
       containers:
         - name: rspamd
           image: {{ .Values.imageRegistry }}/{{ .Values.rspamd.image.repository }}:{{ default (include "mailu.version" .) .Values.rspamd.image.tag }}
           imagePullPolicy: {{ .Values.rspamd.image.pullPolicy }}
+          {{- if .Values.rspamd.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.rspamd.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: data
               subPath: rspamd

mailu/templates/webdav/deployment.yaml

@@ -61,10 +61,16 @@ spec:
       {{- if .Values.webdav.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.webdav.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.webdav.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.webdav.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: webdav
           image: {{ .Values.imageRegistry }}/{{ .Values.webdav.image.repository }}:{{ default (include "mailu.version" .) .Values.webdav.image.tag }}
           imagePullPolicy: {{ .Values.webdav.image.pullPolicy }}
+          {{- if .Values.webdav.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.webdav.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: data
               subPath: webdav

mailu/templates/webmail/deployment.yaml

@@ -61,10 +61,16 @@ spec:
       {{- if .Values.webmail.initContainers }}
       initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.webmail.initContainers "context" $) | nindent 8 }}
       {{- end }}
+      {{- if .Values.webmail.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.webmail.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: webmail
           image: {{ .Values.imageRegistry }}/{{ .Values.webmail.image.repository }}:{{ default (include "mailu.version" .) .Values.webmail.image.tag }}
           imagePullPolicy: {{ .Values.webmail.image.pullPolicy }}
+          {{- if .Values.webmail.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.webmail.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - mountPath: /data
               name: data