From e9594382ed7a2469240d62134b34bcf3e5d06a59 Mon Sep 17 00:00:00 2001
From: Yannik Schmidt
Date: Tue, 20 May 2025 07:30:17 +0200
Subject: [PATCH] fix(nubus): Explicitly template security context for Keycloak proxy
---
 helmfile/apps/nubus/values-nubus.yaml.gotmpl | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
index 4a867e10..7c1e1c5e 100644
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -706,6 +706,17 @@ nubusKeycloakExtensions:
 resources:
 {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ enabled: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 seccompProfile:
 type: "RuntimeDefault"
 seLinuxOptions:
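Review bot: The added block sets `seccompProfile` with `type: "RuntimeDefault"` directly above the unchanged `seccompProfile:` context line, so the `securityContext` mapping appears to define that key twice (indentation is lost in this view, so confirm both sit at the same level). Duplicate mapping keys are invalid YAML: a strict parser rejects the values file, and a lenient one silently keeps the last entry, so a later edit to only one of the two copies could change or fail to change the effective seccomp profile without anyone noticing. Drop the two added lines `seccompProfile:` and `type: "RuntimeDefault"` and keep the existing entry, or remove the old one so the hardening settings live in a single place. `enabled: true` is not a Kubernetes container securityContext field and is presumably a chart-level toggle, so a one-line comment such as `# chart toggle, stripped before rendering the container securityContext` would help, if that is what the chart does. The `securityContext` mapping continues past the end of the hunk.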