From 663e6ab45d95f013ec506b985255fd6d0920e24f Mon Sep 17 00:00:00 2001
From: Gustaf Lindstedt
Date: Mon, 5 Dec 2022 15:45:03 +0100
Subject: [PATCH 1/3] Stricter default for `podSecurityContext`

Had to patch this in to conform with our own policies but seems like a good default to have
---
 operations/phlare/helm/phlare/values.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/operations/phlare/helm/phlare/values.yaml b/operations/phlare/helm/phlare/values.yaml
index 16e44041e..1501acb88 100644
--- a/operations/phlare/helm/phlare/values.yaml
+++ b/operations/phlare/helm/phlare/values.yaml
@@ -42,6 +42,8 @@ phlare:
 podSecurityContext:
 fsGroup: 10001
+ runAsUser: 10001
+ runAsNonRoot: true
 securityContext: {}

From c5f944f1f0a1173a4712d3f90f33b422cc08834d Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Wed, 7 Dec 2022 09:21:12 +0000
Subject: [PATCH 2/3] Update generated README

---
 operations/phlare/helm/phlare/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/operations/phlare/helm/phlare/README.md b/operations/phlare/helm/phlare/README.md
index c276ce02b..ec5873fee 100644
--- a/operations/phlare/helm/phlare/README.md
+++ b/operations/phlare/helm/phlare/README.md
@@ -40,6 +40,8 @@
 | phlare.podAnnotations."phlare.grafana.com/port" | string | `"4100"` | |
 | phlare.podAnnotations."phlare.grafana.com/scrape" | string | `"true"` | |
 | phlare.podSecurityContext.fsGroup | int | `10001` | |
+| phlare.podSecurityContext.runAsNonRoot | bool | `true` | |
+| phlare.podSecurityContext.runAsUser | int | `10001` | |
 | phlare.replicaCount | int | `1` | |
 | phlare.resources | object | `{}` | |
 | phlare.securityContext | object | `{}` | |

From c56e96dd5b16dbb3fefc974c9b2a831882a55097 Mon Sep 17 00:00:00 2001
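Review bot: `runAsGroup` is not set next to the new `runAsUser: 10001`, so the process's primary GID still comes from the image's USER directive (presumably 0 when the Dockerfile only names a numeric user), which is unlikely to be what a policy asking for a non-root identity expects; `runAsGroup: 10001` alongside `fsGroup` would pin it. The container-level `securityContext: {}` on the hunk's last context line stays empty, so `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` are still not defaulted — worth a follow-up if the aim is a restricted-profile-compatible default. The two added keys carry no comment; a line such as `# Fixed non-root UID; keep in sync with fsGroup and the owner of the image's data paths` would tell chart users what has to change together. The `phlare:` mapping continues outside this hunk.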
From: Christian Simon
Date: Wed, 7 Dec 2022 09:55:25 +0000
Subject: [PATCH 3/3] Update generated assets

---
 .../phlare/helm/phlare/rendered/micro-services.yaml | 8 ++++++++
 operations/phlare/helm/phlare/rendered/single-binary.yaml | 2 ++
 operations/phlare/jsonnet/values.json | 4 +++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/operations/phlare/helm/phlare/rendered/micro-services.yaml b/operations/phlare/helm/phlare/rendered/micro-services.yaml
index 5a6fb72b5..574801a7d 100644
--- a/operations/phlare/helm/phlare/rendered/micro-services.yaml
+++ b/operations/phlare/helm/phlare/rendered/micro-services.yaml
@@ -698,6 +698,8 @@ spec:
 serviceAccountName: phlare-dev
 securityContext:
 fsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
 containers:
 - name: "agent"
 securityContext:
@@ -775,6 +777,8 @@ spec:
 serviceAccountName: phlare-dev
 securityContext:
 fsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
 containers:
 - name: "distributor"
 securityContext:
@@ -851,6 +855,8 @@ spec:
 serviceAccountName: phlare-dev
 securityContext:
 fsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
 containers:
 - name: "querier"
 securityContext:
@@ -1024,6 +1030,8 @@ spec:
 serviceAccountName: phlare-dev
 securityContext:
 fsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
 containers:
 - name: "ingester"
 securityContext:
diff --git a/operations/phlare/helm/phlare/rendered/single-binary.yaml b/operations/phlare/helm/phlare/rendered/single-binary.yaml
index 6ce7e77f5..4c2b9c804 100644
--- a/operations/phlare/helm/phlare/rendered/single-binary.yaml
+++ b/operations/phlare/helm/phlare/rendered/single-binary.yaml
@@ -212,6 +212,8 @@ spec:
 serviceAccountName: phlare-dev
 securityContext:
 fsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
 containers:
 - name: "phlare"
 securityContext:
diff --git a/operations/phlare/jsonnet/values.json b/operations/phlare/jsonnet/values.json
index 8fa27ec17..64e5763b9 100644
--- a/operations/phlare/jsonnet/values.json
+++ b/operations/phlare/jsonnet/values.json
@@ -64,7 +64,9 @@
 "phlare.grafana.com/scrape": "true"
 },
 "podSecurityContext": {
- "fsGroup": 10001
+ "fsGroup": 10001,
+ "runAsNonRoot": true,
+ "runAsUser": 10001
 },
 "replicaCount": 1,
 "resources": {},