From 9e266dac7e4e637dfd9ee8a87210bde8a8856019 Mon Sep 17 00:00:00 2001
From: Balazs Nadasdi
Date: Fri, 28 Jul 2023 15:18:44 +0200
Subject: [PATCH 1/2] feat: ability to set resource limits and security context for branch planner

Additional changes:

* Removed 8080 http port, it was the remamining of the webhook based system.

Closes #806

References:

* https://github.com/weaveworks/tf-controller/issues/806

Signed-off-by: Balazs Nadasdi
---
 charts/tf-controller/README.md | 2 +-
 .../templates/planner-deployment.yaml | 9 ++++----
 charts/tf-controller/values.yaml | 22 +++++++++++++++++++
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/charts/tf-controller/README.md b/charts/tf-controller/README.md
index 1964941d..ad4a3422 100644
--- a/charts/tf-controller/README.md
+++ b/charts/tf-controller/README.md
@@ -31,7 +31,7 @@ __Note__: If you need to use the `imagePullSecrets` it would be best to set `ser
 | awsPackage.install | bool | `true` | |
 | awsPackage.repository | string | `"ghcr.io/tf-controller/aws-primitive-modules"` | |
 | awsPackage.tag | string | `"v4.38.0-v1alpha11"` | |
-| branchPlanner | object | `{"configMap":"branch-planner","enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/weaveworks/branch-planner","tag":""},"pollingInterval":"30s","sourceInterval":"30s"}` | Branch Planner-specific configurations |
+| branchPlanner | object | `{"configMap":"branch-planner","enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/weaveworks/branch-planner","tag":""},"podSecurityContext":{"fsGroup":1337},"pollingInterval":"30s","resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"sourceInterval":"30s"}` | Branch Planner-specific configurations |
 | caCertValidityDuration | string | `"168h0m"` | Argument for `--ca-cert-validity-duration` (Controller) |
 | certRotationCheckFrequency | string | `"30m0s"` | Argument for `--cert-rotation-check-frequency` (Controller) |
 | certValidityDuration | string | `"6h0m"` | Argument for `--cert-validity-duration` (Controller) |
diff --git a/charts/tf-controller/templates/planner-deployment.yaml b/charts/tf-controller/templates/planner-deployment.yaml
index ef1ab455..04e09316 100644
--- a/charts/tf-controller/templates/planner-deployment.yaml
+++ b/charts/tf-controller/templates/planner-deployment.yaml
@@ -41,13 +41,12 @@ spec:
 image: "{{ .Values.branchPlanner.image.repository }}:{{ default .Chart.AppVersion .Values.branchPlanner.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 name: {{ .Chart.Name }}
- ports:
- - containerPort: 8080
- name: http-prom
+ resources:
+ {{- toYaml .Values.branchPlanner.resources | nindent 10 }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- toYaml .Values.branchPlanner.securityContext | nindent 10 }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.branchPlanner.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "tf-controller.serviceAccountName" . }}
 terminationGracePeriodSeconds: 10
 {{- with .Values.nodeSelector }}
diff --git a/charts/tf-controller/values.yaml b/charts/tf-controller/values.yaml
index 8de0d63e..9bd27580 100644
--- a/charts/tf-controller/values.yaml
+++ b/charts/tf-controller/values.yaml
@@ -179,3 +179,25 @@ branchPlanner:
 pollingInterval: 30s
 # Interval value to use for Source objects for branch planner Terraform objects.
 sourceInterval: 30s
+ # Pod-level security context
+ podSecurityContext:
+ fsGroup: 1337
+ # Container-level security context
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ # Resource limits and requests
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1Gi
+ requests:
+ cpu: 200m
+ memory: 64Mi

From e9f40068f3a28fda59103af3e87930197576d32a Mon Sep 17 00:00:00 2001
From: Balazs Nadasdi
Date: Fri, 28 Jul 2023 15:47:01 +0200
Subject: [PATCH 2/2] bump azure-cli to 0.50.0

Signed-off-by: Balazs Nadasdi
---
 runner-azure.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runner-azure.Dockerfile b/runner-azure.Dockerfile
index 737bfba0..267b068a 100644
--- a/runner-azure.Dockerfile
+++ b/runner-azure.Dockerfile
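Review bot: The context line `imagePullPolicy: {{ .Values.image.pullPolicy }}` just above the new `resources:` block still reads the controller-wide value, while the image repository/tag on the line before it and the new `resources`, `securityContext` and `podSecurityContext` blocks all read `.Values.branchPlanner.*`; the README row added in this same patch shows `branchPlanner.image.pullPolicy` exists, so this is the one branch-planner setting left on the wrong scope after the commit. Change it to `imagePullPolicy: {{ .Values.branchPlanner.image.pullPolicy }}` so a planner-specific policy is honoured. The two `securityContext:` keys are presumably the container-level (`nindent 10`) and pod-level (`nindent 8`) ones; indentation is lost in the collapsed hunk, so that cannot be confirmed here. The enclosing container and pod specs begin and end outside the hunk.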
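Review bot: `fsGroup: 1337` under the new `podSecurityContext` has no explanation, while the container-level block on the following lines runs the process as `runAsUser: 65532`; a reader cannot tell whether the differing ids are deliberate (a group shared with a mounted volume) or carried over from another deployment's defaults. Add a comment on that line such as `# fsGroup: 1337 — <reason this gid differs from runAsUser 65532>` (placeholder for the actual reason), or drop `fsGroup` if no volume depends on it. Since `readOnlyRootFilesystem: true` is new for this workload, the `# Container-level security context` comment would also be more useful if it named where the planner is expected to write, if anywhere; that cannot be verified from this hunk. The enclosing `branchPlanner:` map starts outside the hunk.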
@@ -45,7 +45,7 @@ RUN apk add --no-cache libcrypto3=3.1.1-r3 && \
 apk add --no-cache busybox
 
 # Install az cli
-ARG AZCLI_VERSION=2.40.0
+ARG AZCLI_VERSION=2.50.0
 RUN apk add --no-cache py3-pip && \
 apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev
 RUN pip install --upgrade pip && \