fix:security kontext for helm
torsten-simon committed Jun 19, 2024
1 parent ece26f2 commit 088a1cc
Showing 4 changed files with 42 additions and 6 deletions.
7 changes: 5 additions & 2 deletions deploy/docker/helm/src/main/chart/templates/ingress.yml
@@ -9,13 +9,16 @@ metadata:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
nginx.ingress.kubernetes.io/proxy-read-timeout: "180"
nginx.ingress.kubernetes.io/proxy-send-timeout: "180"
{{- with .Values.ingress.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
spec:
tls:
- hosts:
- connector.services.{{ .Values.baseUrl }}
- {{ if .Values.absoluteUrl }}{{ .Values.absoluteUrl }}{{else}}"connector.services.{{ .Values.baseUrl }}"{{ end }}
secretName: edu-sharing-connector-tls
rules:
- host: connector.services.{{ .Values.baseUrl }}
- host: {{ if .Values.absoluteUrl }}{{ .Values.absoluteUrl }}{{else}}"connector.services.{{ .Values.baseUrl }}"{{ end }}
http:
paths:
- backend:
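Review bot: The `absoluteUrl` branch is emitted unquoted while the fallback branch is quoted, in both `tls.hosts` and `rules.host` here and again for `HOST_EXTERNAL` in statefulset.yml, so a value that YAML reads as a non-string or that contains `: ` or ` #` would change the rendered manifest. Quoting both branches the same way closes that, e.g. `- host: {{ .Values.absoluteUrl | default (printf "connector.services.%s" .Values.baseUrl) | quote }}`. The name suggests a URL, but an Ingress host takes a bare DNS name with no scheme or path, so a one-line comment next to the value saying a hostname is expected would help; `absoluteUrl` does not appear in the visible part of values.yaml. The Ingress spec continues past the hunk.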
2 changes: 1 addition & 1 deletion deploy/docker/helm/src/main/chart/templates/service.yml
@@ -23,4 +23,4 @@ spec:
- port: 3306
name: tcp-db
targetPort: db
{{- end }}
{{- end }}
14 changes: 13 additions & 1 deletion deploy/docker/helm/src/main/chart/templates/statefulset.yml
@@ -13,13 +13,19 @@ spec:
labels:
app: edu-sharing-connector
spec:
{{- with .Values.podSecurityContext }}
securityContext: {{ toYaml . | nindent 8 }}
{{- end }}
containers:
- name: edu-sharing-connector
image: docker.edu-sharing.com/community/edu_sharing-community-services-edu-connector-service:{{ .Values.version }}
{{- with .Values.securityContext }}
securityContext: {{ toYaml . | nindent 10 }}
{{- end }}
imagePullPolicy: Always
env:
- name: HOST_EXTERNAL
value: "connector.services.{{ .Values.baseUrl }}"
value: {{ if .Values.absoluteUrl }}{{ .Values.absoluteUrl }}{{else}}"connector.services.{{ .Values.baseUrl }}"{{ end }}
- name: PROT_EXTERNAL
value: "https"
- name: PORT_EXTERNAL
@@ -96,9 +102,15 @@ spec:
labels:
app: edu-sharing-connector-db
spec:
{{- with merge .Values.database.podSecurityContext .Values.podSecurityContext }}
securityContext: {{ toYaml . | nindent 8 }}
{{- end }}
containers:
- name: edu-sharing-connector-db
image: docker.edu-sharing.com/community/edu_sharing-community-services-edu-connector-deploy-docker-build-postgresql:{{ .Values.version }}
{{- with merge .Values.database.securityContext .Values.securityContext }}
securityContext: {{ toYaml . | nindent 10 }}
{{- end }}
env:
- name: POSTGRESQL_DATABASE
value: connector
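Review bot: The two `merge` calls on the database pod and container (`with merge .Values.database.podSecurityContext .Values.podSecurityContext` and the `securityContext` one below it) write into their first argument, so rendering mutates `.Values.database.*` in place; copying the destination first avoids that, e.g. `{{- with merge (deepCopy .Values.database.securityContext) .Values.securityContext }}`. Sprig's `merge` is also known to treat a `false` in the destination as unset, so a database-level `allowPrivilegeEscalation: false` would be replaced if the chart-level value were ever `true`; checking the rendered contexts with `helm template` would make that visible. Both calls presumably fail if an override sets `database.securityContext` or `database.podSecurityContext` to null, which is worth confirming. The pod specs continue outside the visible hunks.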
25 changes: 23 additions & 2 deletions deploy/docker/helm/src/main/chart/values.yaml
@@ -1,7 +1,7 @@
baseUrl:
storageClassName:
clusterIssuer: letsencrypt
version: 8.1.2
version: 8.3.0-RC1
database:
storageSize: 30Gi
enabled: true
@@ -11,4 +11,25 @@ database:
port: "???"
database: "???"
username: "???"
password: "???"
password: "???"
podSecurityContext:
fsGroup: 1001
securityContext:
runAsUser: 1001


podSecurityContext:

fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch

securityContext:

allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsUser: 1000

ingress:
annotations:
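Review bot: The new chart-level defaults set `allowPrivilegeEscalation: false` and drop all capabilities but leave out `runAsNonRoot` and a seccomp profile, which the restricted Pod Security Standard also expects; consider adding `runAsNonRoot: true` and a `seccompProfile:` with `type: RuntimeDefault` under `securityContext`. The `database` block overrides only `fsGroup` and `runAsUser` and relies on the template merge for the rest, which deserves a comment such as `# merged with the chart-level podSecurityContext/securityContext; keys set here win`. Whether the two images run correctly as UID 1000 and 1001 cannot be told from this page.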
