From 79881fc075b2a4a1a1ec2813238c0510cff9fa89 Mon Sep 17 00:00:00 2001
From: bkochauri-memphis
Date: Wed, 16 Apr 2025 15:47:46 +0400
Subject: [PATCH 1/6] add readonly-file-system
---
charts/superstream/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/superstream/values.yaml b/charts/superstream/values.yaml
index 0686493..5b893ff 100644
--- a/charts/superstream/values.yaml
+++ b/charts/superstream/values.yaml
@@ -96,11 +96,11 @@ superstreamEngine: podSecurityContext: {} # fsGroup: 2000 - securityContext: {} + securityContext: # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true + readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 serviceAccount:
From fd58bcfbef9d0fe9f9b03671c9e71452143bd05e Mon Sep 17 00:00:00 2001
From: bkochauri-memphis
Date: Wed, 16 Apr 2025 15:53:00 +0400
Subject: [PATCH 2/6] add security
---
charts/superstream/values.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/charts/superstream/values.yaml b/charts/superstream/values.yaml
index 5b893ff..96e0af7 100644
--- a/charts/superstream/values.yaml
+++ b/charts/superstream/values.yaml
@@ -236,6 +236,7 @@ syslog: podAnnotations: prometheus.io/scrape: 'false' podSecurityContext: + readOnlyRootFilesystem: true fsGroup: 911 remoteSyslog: destinationHost: telegraf
From b6fef14e78781700ff6c98fa10176fe1a302afbb Mon Sep 17 00:00:00 2001
From: bkochauri-memphis
Date: Wed, 16 Apr 2025 15:59:39 +0400
Subject: [PATCH 3/6] add security
---
charts/superstream/templates/deployment-syslog.yaml | 4 +++-
charts/superstream/values.yaml | 8 +++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/charts/superstream/templates/deployment-syslog.yaml b/charts/superstream/templates/deployment-syslog.yaml
index 1e6c3b0..79c585a 100644
--- a/charts/superstream/templates/deployment-syslog.yaml
+++ b/charts/superstream/templates/deployment-syslog.yaml
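Review bot: The `superstreamEngine.securityContext` hunk enables `readOnlyRootFilesystem: true` but leaves `runAsNonRoot` and the `capabilities.drop` block commented out, so the chart default still does not stop the engine from running as root or keeping its default capability set; at minimum `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are safe to enable alongside a read-only root. Because the line is now a real key under a mapping that used to be `{}`, it must be indented under `securityContext:` exactly like the commented siblings; the collapsed layout here hides indentation, so check that `helm template` shows it nested rather than as a sibling of `securityContext`. A read-only root is also a default change for every consumer of the chart: if the engine writes anywhere on its root filesystem at runtime, the engine deployment template (not shown on this page) needs an `emptyDir` mounted at those paths.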
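Review bot: `readOnlyRootFilesystem` is a container-level `securityContext` field, not a `PodSecurityContext` field, so adding it under `syslog.podSecurityContext` next to `fsGroup: 911` produces a pod spec that strict field validation rejects and older servers silently drop. Patch 3 of this series relocates it to a container `securityContext`, so squashing the two commits would keep the misplaced field out of the history.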
@@ -33,7 +33,9 @@ spec: - name: syslog-ng {{ include "superstream.image" (merge (pick $.Values "global") .Values.syslog.image) | nindent 8 }} {{- if .Values.syslog.extraEnv }} - {{- range .Values.syslog.extraEnv }} + {{- range .Values.syslog.extraEnv }} + securityContext: + {{- toYaml .Values.superstreamEngine.securityContext | nindent 12 }} env: - name: {{ .name }} value: {{ .value | quote }}
diff --git a/charts/superstream/values.yaml b/charts/superstream/values.yaml
index 96e0af7..57fe41a 100644
--- a/charts/superstream/values.yaml
+++ b/charts/superstream/values.yaml
@@ -236,8 +236,14 @@ syslog: podAnnotations: prometheus.io/scrape: 'false' podSecurityContext: - readOnlyRootFilesystem: true fsGroup: 911 + securityContext: + # capabilities: + # drop: + # - ALL + readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 remoteSyslog: destinationHost: telegraf port: 6514
From 02f9b7ef6ef5bdfc79b9f375c3a3e54e1f966746 Mon Sep 17 00:00:00 2001
From: bkochauri-memphis
Date: Wed, 16 Apr 2025 16:01:22 +0400
Subject: [PATCH 4/6] update securioty
---
charts/superstream/templates/deployment-syslog.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/superstream/templates/deployment-syslog.yaml b/charts/superstream/templates/deployment-syslog.yaml
index 79c585a..5813013 100644
--- a/charts/superstream/templates/deployment-syslog.yaml
+++ b/charts/superstream/templates/deployment-syslog.yaml
@@ -35,7 +35,7 @@ spec: {{- if .Values.syslog.extraEnv }} {{- range .Values.syslog.extraEnv }} securityContext: - {{- toYaml .Values.superstreamEngine.securityContext | nindent 12 }} + {{- toYaml .Values.syslog.securityContext | nindent 12 }} env: - name: {{ .name }} value: {{ .value | quote }}
From 45bdd4e73c276d604086946653159bd8e89c8edd Mon Sep 17 00:00:00 2001
From: bkochauri-memphis
Date: Wed, 16 Apr 2025 16:04:13 +0400
Subject: [PATCH 5/6] remove temp
---
charts/superstream/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
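Review bot: The added `securityContext:` lines sit inside `{{- range .Values.syslog.extraEnv }}`, so the key is emitted once per `extraEnv` entry and not at all when `extraEnv` is empty, which is the opposite of what a hardening default needs; the block also reads `.Values.superstreamEngine.securityContext` instead of the syslog values. Patches 4 and 6 of this series fix the reference and move the block after the closing `{{- end }}`, so these intermediate states are best squashed away rather than left in history. The container definition this hunk edits continues past the hunk on both sides.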
diff --git a/charts/superstream/values.yaml b/charts/superstream/values.yaml
index 57fe41a..b0fe8e4 100644
--- a/charts/superstream/values.yaml
+++ b/charts/superstream/values.yaml
@@ -237,11 +237,11 @@ syslog: prometheus.io/scrape: 'false' podSecurityContext: fsGroup: 911 - securityContext: + securityContext: {} # capabilities: # drop: # - ALL - readOnlyRootFilesystem: true + # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 remoteSyslog:
From 40e5758069981417077d16e2d2ea0bcca4fa0b21 Mon Sep 17 00:00:00 2001
From: bkochauri-memphis
Date: Wed, 16 Apr 2025 16:09:31 +0400
Subject: [PATCH 6/6] add
---
charts/superstream/templates/deployment-syslog.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/superstream/templates/deployment-syslog.yaml b/charts/superstream/templates/deployment-syslog.yaml
index 5813013..96d2e34 100644
--- a/charts/superstream/templates/deployment-syslog.yaml
+++ b/charts/superstream/templates/deployment-syslog.yaml
@@ -33,14 +33,14 @@ spec: - name: syslog-ng {{ include "superstream.image" (merge (pick $.Values "global") .Values.syslog.image) | nindent 8 }} {{- if .Values.syslog.extraEnv }} - {{- range .Values.syslog.extraEnv }} - securityContext: - {{- toYaml .Values.syslog.securityContext | nindent 12 }} + {{- range .Values.syslog.extraEnv }} env: - name: {{ .name }} value: {{ .value | quote }} {{- end }} - {{- end }} + {{- end }} + securityContext: + {{- toYaml .Values.syslog.securityContext | nindent 12 }} ports: - name: syslog containerPort: {{ .Values.syslog.service.port }}
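Review bot: Reverting `syslog.securityContext` to `{}` means the container-level `securityContext` that the rest of this series wires into `deployment-syslog.yaml` renders as `securityContext: {}`, so syslog-ng ends the series with no hardening applied while the engine keeps `readOnlyRootFilesystem: true`. If the value was backed out because syslog-ng needs writable paths under a read-only root (the `remove temp` subject hints at a runtime problem, but the page does not say), mounting an `emptyDir` at those paths keeps the control instead of dropping it. Settings that need no writable filesystem, such as `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, could stay enabled here regardless of that decision.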
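Review bot: The `env:` key is still emitted inside `{{- range .Values.syslog.extraEnv }}`, so a user with two or more `extraEnv` entries gets two `env:` keys in the same container, which a YAML decoder either rejects as a duplicate key or collapses to the last entry; since this hunk already rewrites the `range`/`end` lines, hoisting `env:` above the loop is the natural place to fix it. Moving `securityContext` after the outer `{{- end }}` is right because it now renders unconditionally, but `nindent 12` is two deeper than the `nindent 8` the image include uses for fields of the same container, so `nindent 10` would keep the two-space nesting (the collapsed layout hides the real indentation; confirm against `helm template` output). The container definition continues outside the hunk on both sides.
```yaml
        {{- if .Values.syslog.extraEnv }}
        env:
        {{- range .Values.syslog.extraEnv }}
        - name: {{ .name }}
          value: {{ .value | quote }}
        {{- end }}
        {{- end }}
        securityContext:
          {{- toYaml .Values.syslog.securityContext | nindent 10 }}
        # … unchanged: ports …
```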