From 3da34b919d95895b5c76492bb6792f95c478fd7d Mon Sep 17 00:00:00 2001
From: Daniel Pawlik
Date: Mon, 30 Oct 2023 15:27:05 +0100
Subject: [PATCH] Add securityContext and image registry prefix to the tutorial manifests
The securityContext parameters should be available into the manifests. Without it, testing the k8up on the MicroShift environment will raise warnings: Warning: would violate PodSecurity "restricted:latest": seccompProfile (pod or container "mariadb" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") Also added the registry prefix to the images used in the tutorial, to avoid complication when the runtime environment would not choose docker.io as a default registry.
---
 .../ROOT/examples/tutorial/mariadb/deployment.yaml | 12 +++++++++++-
 .../ROOT/examples/tutorial/minio/deployment.yaml | 12 +++++++++++-
 .../ROOT/examples/tutorial/wordpress/deployment.yaml | 12 +++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml b/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
index 68a4ca5eb..f740f9728 100644
--- a/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
+++ b/docs/modules/ROOT/examples/tutorial/mariadb/deployment.yaml
@@ -19,8 +19,18 @@ spec:
 annotations:
 k8up.io/backupcommand: /bin/bash -c 'mysqldump -uroot -p"${MARIADB_ROOT_PASSWORD}" --all-databases'
 spec:
+ securityContext:
+ runAsUser: 10002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
- - image: mariadb:10.4
+ - image: docker.io/mariadb:10.4
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 name: mariadb
 readinessProbe:
 timeoutSeconds: 1
diff --git a/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml b/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
index 5df38a2af..69b4fc174 100644
--- a/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
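Review bot: The pod securityContext added under `spec:` pins `runAsUser: 10002` but sets neither `runAsGroup` nor `fsGroup`, so the process keeps whatever primary GID the image resolves for that UID (often 0 when the image has no passwd entry for it) and a mounted PVC keeps its original ownership; because the entrypoint no longer starts as root it can no longer chown its data directory, so a volume that UID cannot write to would fail the pod at runtime rather than at the admission check this commit fixes. Adding `runAsGroup: 10002` and `fsGroup: 10002` beside `runAsUser` stays within the restricted profile and makes volume ownership explicit. The minio and wordpress hunks below share the same gap. The volumes of this Deployment are outside the hunk, so what is actually mounted is not visible here.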
+++ b/docs/modules/ROOT/examples/tutorial/minio/deployment.yaml
@@ -17,12 +17,22 @@ spec:
 - name: data
 persistentVolumeClaim:
 claimName: minio-pvc
+ securityContext:
+ runAsUser: 10002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: minio
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: data
 mountPath: "/data"
- image: minio/minio
+ image: docker.io/minio/minio
 args:
 - server
 - /data
diff --git a/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml b/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
index 2bb475298..2c11feeb5 100644
--- a/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
+++ b/docs/modules/ROOT/examples/tutorial/wordpress/deployment.yaml
@@ -17,8 +17,18 @@ spec:
 app: wordpress
 tier: frontend
 spec:
+ securityContext:
+ runAsUser: 10002
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
- - image: wordpress:5.4-apache
+ - image: docker.io/wordpress:5.4-apache
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 name: wordpress
 env:
 - name: WORDPRESS_DB_HOST
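Review bot: The new `image: docker.io/minio/minio` line carries no tag, so every pull resolves to the registry's current `latest` and the tutorial's behaviour can change underneath readers without any manifest change; the other two manifests in this patch pin a tag, and adding the registry prefix is the natural moment to do the same here, e.g. `image: docker.io/minio/minio:<PINNED_TAG>` (a digest would be stronger still). The container's remaining fields continue beyond the end of the hunk.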
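Review bot: The official `wordpress:5.4-apache` image serves on port 80, and this hunk now runs it as UID 10002 with every capability dropped, so Apache can bind that port only on runtimes that let unprivileged processes use ports below 1024; where they do not, the container will most likely crash-loop after passing the admission check the commit is fixing. Confirm the pod comes up under these settings on the target clusters; if it does not, the restricted profile still permits `add: [NET_BIND_SERVICE]` under `capabilities`, or the image can be configured to listen on a high port. The containerPort and the remaining env entries of this container are past the end of the hunk.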