From 088a1cc987acfdbcc84715d1ca4a7d1b683cdc53 Mon Sep 17 00:00:00 2001
From: Torsten Simon
Date: Wed, 19 Jun 2024 13:56:19 +0200
Subject: [PATCH] fix:security kontext for helm
---
.../helm/src/main/chart/templates/ingress.yml | 7 ++++--
.../helm/src/main/chart/templates/service.yml | 2 +-
.../src/main/chart/templates/statefulset.yml | 14 ++++++++++-
deploy/docker/helm/src/main/chart/values.yaml | 25 +++++++++++++++++--
4 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/deploy/docker/helm/src/main/chart/templates/ingress.yml b/deploy/docker/helm/src/main/chart/templates/ingress.yml
index e6116cc..22fe9bd 100644
--- a/deploy/docker/helm/src/main/chart/templates/ingress.yml
+++ b/deploy/docker/helm/src/main/chart/templates/ingress.yml
@@ -9,13 +9,16 @@ metadata:
 nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
 nginx.ingress.kubernetes.io/proxy-read-timeout: "180"
 nginx.ingress.kubernetes.io/proxy-send-timeout: "180"
+ {{- with .Values.ingress.annotations }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 tls:
 - hosts:
- - connector.services.{{ .Values.baseUrl }}
+ - {{ if .Values.absoluteUrl }}{{ .Values.absoluteUrl }}{{else}}"connector.services.{{ .Values.baseUrl }}"{{ end }}
 secretName: edu-sharing-connector-tls
 rules:
- - host: connector.services.{{ .Values.baseUrl }}
+ - host: {{ if .Values.absoluteUrl }}{{ .Values.absoluteUrl }}{{else}}"connector.services.{{ .Values.baseUrl }}"{{ end }}
 http:
 paths:
 - backend:
diff --git a/deploy/docker/helm/src/main/chart/templates/service.yml b/deploy/docker/helm/src/main/chart/templates/service.yml
index a9a443a..999b9a7 100644
--- a/deploy/docker/helm/src/main/chart/templates/service.yml
+++ b/deploy/docker/helm/src/main/chart/templates/service.yml
@@ -23,4 +23,4 @@ spec:
 - port: 3306
 name: tcp-db
 targetPort: db
-{{- end }}
\ No newline at end of file
+{{- end }}
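Review bot: `.Values.absoluteUrl`, which the new `- hosts` and `- host:` expressions branch on, is not declared in the values.yaml hunks of this commit (only `baseUrl:` is), so the option is undiscoverable and the fallback only fires because an undeclared key is nil; add `absoluteUrl:` next to `baseUrl:` with a comment such as `# full external hostname; when set it replaces connector.services.<baseUrl>`. When it is set, the value is rendered unquoted while the fallback branch is quoted; `{{ .Values.absoluteUrl | quote }}` keeps both branches strings. The same three-way expression is repeated for `HOST_EXTERNAL` in the statefulset hunk, so a named template (in a `_helpers.tpl`, if the chart has one) would keep the copies from drifting. Minor: `{{ toYaml . | nindent 4 }}` is not left-trimmed, so it emits a whitespace-only line before the merged annotations; `{{- toYaml . | nindent 4 }}` avoids it.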
diff --git a/deploy/docker/helm/src/main/chart/templates/statefulset.yml b/deploy/docker/helm/src/main/chart/templates/statefulset.yml
index 29691ca..8fdff5e 100644
--- a/deploy/docker/helm/src/main/chart/templates/statefulset.yml
+++ b/deploy/docker/helm/src/main/chart/templates/statefulset.yml
@@ -13,13 +13,19 @@ spec:
 labels:
 app: edu-sharing-connector
 spec:
+ {{- with .Values.podSecurityContext }}
+ securityContext: {{ toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: edu-sharing-connector
 image: docker.edu-sharing.com/community/edu_sharing-community-services-edu-connector-service:{{ .Values.version }}
+ {{- with .Values.securityContext }}
+ securityContext: {{ toYaml . | nindent 10 }}
+ {{- end }}
 imagePullPolicy: Always
 env:
 - name: HOST_EXTERNAL
- value: "connector.services.{{ .Values.baseUrl }}"
+ value: {{ if .Values.absoluteUrl }}{{ .Values.absoluteUrl }}{{else}}"connector.services.{{ .Values.baseUrl }}"{{ end }}
 - name: PROT_EXTERNAL
 value: "https"
 - name: PORT_EXTERNAL
@@ -96,9 +102,15 @@ spec:
 labels:
 app: edu-sharing-connector-db
 spec:
+ {{- with merge .Values.database.podSecurityContext .Values.podSecurityContext }}
+ securityContext: {{ toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: edu-sharing-connector-db
 image: docker.edu-sharing.com/community/edu_sharing-community-services-edu-connector-deploy-docker-build-postgresql:{{ .Values.version }}
+ {{- with merge .Values.database.securityContext .Values.securityContext }}
+ securityContext: {{ toYaml . | nindent 10 }}
+ {{- end }}
 env:
 - name: POSTGRESQL_DATABASE
 value: connector
diff --git a/deploy/docker/helm/src/main/chart/values.yaml b/deploy/docker/helm/src/main/chart/values.yaml
index 6c3d085..9d83644 100644
--- a/deploy/docker/helm/src/main/chart/values.yaml
+++ b/deploy/docker/helm/src/main/chart/values.yaml
@@ -1,7 +1,7 @@
 baseUrl:
 storageClassName:
 clusterIssuer: letsencrypt
-version: 8.1.2
+version: 8.3.0-RC1
 database:
 storageSize: 30Gi
 enabled: true
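Review bot: In the second statefulset hunk, `merge .Values.database.securityContext .Values.securityContext` (and the `podSecurityContext` merge above it) mutates its first argument and, as far as I can tell, does not accept a null first argument, so a user who sets `database.securityContext: null` to fall back to the chart-wide settings would most likely get a render error instead of the fallback; `{{- with merge (.Values.database.securityContext | default dict) .Values.securityContext }}` makes the override optional, and the same applies to the `podSecurityContext` line. Since keys of the first argument win on conflict, the db container ends up with `runAsUser: 1001` while inheriting `allowPrivilegeEscalation: false` and the dropped capabilities; that precedence is worth stating on the `with` line, e.g. `{{- /* database.* keys take precedence over the chart-wide securityContext */ -}}`. The enclosing template blocks start and end outside both hunks.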
@@ -11,4 +11,25 @@ database:
 port: "???"
 database: "???"
 username: "???"
- password: "???"
\ No newline at end of file
+ password: "???"
+ podSecurityContext:
+ fsGroup: 1001
+ securityContext:
+ runAsUser: 1001
+
+
+podSecurityContext:
+
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+
+securityContext:
+
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+
+ingress:
+ annotations:
\ No newline at end of file
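Review bot: The new chart-wide `podSecurityContext` and `securityContext` defaults stop short of the Pod Security Standards "restricted" profile: neither sets `runAsNonRoot: true` nor a `seccompProfile`, so a cluster enforcing that profile will reject the pods even though `runAsUser`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are already in place. Both fields can go at pod level, where every container inherits them, and `runAsNonRoot` is safe here because `runAsUser` is set explicitly in both places (1000 and 1001); `readOnlyRootFilesystem: true` is worth trying as well if the images tolerate it, but that needs a test run. Smaller points: `ingress: annotations:` with no value is null (the template's `with` handles it, but `annotations: {}` states the intent), the blank lines inside the two mappings and the missing trailing newline should go, and each new top-level key deserves a one-line comment saying that the `database.*` entries are merged on top of it.

```yaml
# … unchanged: database.* overrides …

# Pod-level defaults for both StatefulSets; database.podSecurityContext is merged on top.
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  fsGroup: 1000
  fsGroupChangePolicy: OnRootMismatch

# Container-level defaults; database.securityContext is merged on top.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsUser: 1000

ingress:
  annotations: {}
```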