From 2c9c61d8780f8f7d7c4e25fd8a168cead0e3ef91 Mon Sep 17 00:00:00 2001
From: Jennifer Richards
Date: Tue, 23 Apr 2024 22:34:24 -0300
Subject: [PATCH] ci: more memcached mem; set securityContext (#7356)
---
helm/templates/deployments/memcached.yaml | 1 +
helm/values.yaml | 23 +++++++++++++----------
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/helm/templates/deployments/memcached.yaml b/helm/templates/deployments/memcached.yaml
index 4bc35927d..7bf21c1d7 100644
--- a/helm/templates/deployments/memcached.yaml
+++ b/helm/templates/deployments/memcached.yaml
@@ -31,6 +31,7 @@ spec: securityContext: {{- toYaml $podValues.securityContext | nindent 12 }} image: "{{ $podValues.image.repository }}:{{ default "latest" $podValues.image.tag }}" + args: ["-m", "$(MEMCACHED_MEM_LIMIT)"] imagePullPolicy: {{ default "IfNotPresent" $podValues.image.imagePullPolicy }} env: {{- if .Values.env }}
diff --git a/helm/values.yaml b/helm/values.yaml
index 1a47d7f63..dae391aaa 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -515,9 +515,6 @@ memcached: podAnnotations: {} podLabels: {} - podSecurityContext: {} - # fsGroup: 2000 - replicaCount: 1 resources: {}
@@ -532,13 +529,17 @@ memcached: # cpu: 100m # memory: 128Mi - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + podSecurityContext: + runAsNonRoot: true + runAsUser: 11211 + runAsGroup: 11211 + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true service: type: ClusterIP
@@ -674,3 +675,5 @@ env: # Scout configuration DATATRACKER_SCOUT_KEY: "this-is-the-scout-key" DATATRACKER_SCOUT_NAME: "StagingDatatracker" + + MEMCACHED_MEM_LIMIT: "1024"
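Review bot: The added `args` line in `helm/templates/deployments/memcached.yaml` depends on Kubernetes expanding `$(MEMCACHED_MEM_LIMIT)`, which only happens when that variable is defined in this container's `env`. The `env:` block just below is rendered under `{{- if .Values.env }}`, so a values file that overrides `env` without the key passes the literal string to `-m`. Failing the render makes a missing key visible at deploy time, for example `args: ["-m", {{ required "env.MEMCACHED_MEM_LIMIT must be set" .Values.env.MEMCACHED_MEM_LIMIT | quote }}]`. The hunk also suggests the memcached container is fed from the shared `env` map, which in `helm/values.yaml` carries `DATATRACKER_SCOUT_KEY`; if so, passing only the memcached-specific variable would keep application keys out of the cache container. The container spec starts and ends outside the hunk, so how `env` is populated should be confirmed there.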
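Review bot: The new `podSecurityContext` and `securityContext` values for memcached in `helm/values.yaml` leave seccomp unset, so unless the kubelet applies a default the container runs unconfined and the pod does not meet the Pod Security Standards restricted profile. Adding `seccompProfile:` with `type: RuntimeDefault` under `podSecurityContext` would complete the hardening. Because the template defaults the image tag to `latest`, a comment such as `# 11211 is expected to be the memcache user in the image; re-check uid and writable paths when the image changes` would record why `runAsUser` and `readOnlyRootFilesystem: true` are safe together. This patch only shows the container-level `securityContext` being rendered, so it is worth confirming the template also applies `podSecurityContext` at pod level.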
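Review bot: `MEMCACHED_MEM_LIMIT: "1024"` at the end of the `env:` map is added without a unit or a matching resource setting. memcached's `-m` takes megabytes, and the `memcached.resources` value visible in the earlier hunk of this file is still `{}`, so the cache may grow to roughly 1 GiB with no memory request or limit for the scheduler and kubelet to act on. A comment above the key such as `# memcached -m value in MiB; keep below memcached.resources.limits.memory`, together with a memory request and limit on the memcached container, would tie the two together. The `env:` map begins outside the hunk.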