openfga/helm-charts

wait-for-migration initContainer does not abide by securityContext

Closed this issue · 2 comments

```yaml
{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations }}
initContainers:
  - name: wait-for-migration
    image: groundnuty/k8s-wait-for:v1.6
    args: ["job", '{{ include "openfga.fullname" . }}-migrate']
{{- end }}
```

The wait-for-migration container does not use the securityContext from the Helm values, which means a PodSecurityContext with runAsNonRoot: true will always fail.
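For comparison, the same initContainer block with the container-level securityContext rendered from the chart values. This is an added example, not the chart's own template: the `openfga.fullname` helper and the datastore conditional come from the issue, while `.Values.securityContext` (the same key the main container is assumed to render from) is an assumed values key.

```yaml
{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations }}
initContainers:
  - name: wait-for-migration
    image: groundnuty/k8s-wait-for:v1.6
    args: ["job", '{{ include "openfga.fullname" . }}-migrate']
    # Assumed values key: render the same container securityContext the main
    # container uses, so a pod-level runAsNonRoot: true (or a restricted
    # Pod Security Standard) no longer rejects the pod because of this container.
    securityContext:
      {{- toYaml .Values.securityContext | nindent 6 }}
{{- end }}
```

With values such as `securityContext: {runAsNonRoot: true, runAsUser: 1000, allowPrivilegeEscalation: false}`, rendering the chart with `helm template` and inspecting `spec.template.spec.initContainers[].securityContext` confirms that every container in the pod, not just the main one, carries the restriction that the PodSecurityContext or admission policy expects.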

Fixed in release v0.1.19

@jon-whit, I failed to catch this earlier, but the Job is also missing the service account configuration. I don't want to over-inflate your release version, if that's something you all keep track of. How would you like to proceed with a fix on that issue?

When I test a fix for this one, I'll add some other common security restrictions to see what else is missing as well.
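As an illustration of the service account gap raised above, here is a migration Job template that sets `serviceAccountName` alongside the pod- and container-level securityContext. This is an added example, not the chart's job.yaml: only `openfga.fullname` and the datastore conditional are taken from the issue; `.Values.serviceAccount.name`, `.Values.podSecurityContext`, `.Values.securityContext`, `.Values.image.*` and the `migrate` argument are assumptions about the chart's values and the OpenFGA binary.

```yaml
{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "openfga.fullname" . }}-migrate
spec:
  template:
    spec:
      # Assumed values key: without this the Job runs under the namespace's
      # "default" ServiceAccount, so RBAC and token settings configured for the
      # chart's own ServiceAccount do not apply to the migration pod.
      {{- if .Values.serviceAccount.name }}
      serviceAccountName: {{ .Values.serviceAccount.name }}
      {{- end }}
      # Assumed values key: pod-level settings (runAsNonRoot, fsGroup, seccompProfile).
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      restartPolicy: OnFailure
      containers:
        - name: migrate
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"  # assumed values keys
          args: ["migrate"]  # assumed: the OpenFGA CLI's migrate subcommand
          # Assumed values key: container-level settings, matching the main container.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
```

Rendering the chart and checking `spec.template.spec.serviceAccountName` and both `securityContext` blocks on the Job is a quick way to confirm the migration pod is held to the same restrictions as the Deployment.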