fix: switch from pod to defaultPodOptions on storage cluster
Signed-off-by: Devin Buhl <[email protected]>
onedr0p committed Apr 15, 2024
1 parent bfc3a5b commit d6c1177
Showing 6 changed files with 62 additions and 47 deletions.
Expand Up @@ -59,9 +59,9 @@ spec:
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 10m
cpu: 100m
limits:
memory: 512Mi
memory: 2Gi
defaultPodOptions:
securityContext:
runAsNonRoot: true
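--- a/kubernetes/storage/apps/default/kopia/app/externalsecret.yaml
+++ b/kubernetes/storage/apps/default/kopia/app/externalsecret.yaml
@@ -31,11 +31,31 @@ spec:
 target:
 name: kopia-repository-secret
 template:
-templateFrom:
-- configMap:
-name: kopia-repository-config-tpl
-items:
-- key: repository.config
+engineVersion: v2
+data:
+repository.config: |
+{
+"storage": {
+"type": "s3",
+"config": {
+"bucket": "expanse",
+"endpoint": "{{ .CLOUDFLARE_ACCOUNT_TAG }}.r2.cloudflarestorage.com",
+"accessKeyID": "{{ .AWS_ACCESS_KEY_ID }}",
+"secretAccessKey": "{{ .AWS_SECRET_ACCESS_KEY }}"
+}
+},
+"caching": {
+"cacheDirectory": "/app/cache",
+"maxCacheSize": 5242880000,
+"maxMetadataCacheSize": 5242880000,
+"maxListCacheDuration": 30
+},
+"hostname": "expanse.turbo.ac",
+"username": "devin",
+"description": "expanse",
+"enableActions": false,
+"formatBlobCacheDuration": 900000000000
+}
 dataFrom:
 - extract:
 key: cloudflare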
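Review bot: The credential placeholders in the inlined `repository.config` are substituted as raw text inside JSON string literals, so a secret value containing `"` or `\` would render a malformed config or change its structure. Letting the template engine do the encoding avoids that, e.g. `"secretAccessKey": {{ .AWS_SECRET_ACCESS_KEY | toJson }}` with the surrounding quotes dropped, and the same for `accessKeyID`; this assumes the v2 engine's sprig helpers are enabled, which the hunk does not show. A one-line comment above `data:` stating that the rendered `kopia-repository-secret` holds live S3 credentials and must only be mounted into the kopia pod would also help the next reader. The `spec:` mapping starts and ends outside the hunk.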
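--- a/kubernetes/storage/apps/default/kopia/app/helmrelease.yaml
+++ b/kubernetes/storage/apps/default/kopia/app/helmrelease.yaml
@@ -66,8 +66,23 @@ spec:
 startup:
 enabled: false
 securityContext:
-privileged: true
-runAsUser: 0
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities: { drop: ["ALL"] }
+resources:
+requests:
+cpu: 100m
+limits:
+memory: 2Gi
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 568
+runAsGroup: 568
+fsGroup: 568
+fsGroupChangePolicy: OnRootMismatch
+supplementalGroups: [10000]
+seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: kopia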
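Review bot: `readOnlyRootFilesystem: true` is added for the kopia container while the repository config inlined in this same commit sets `cacheDirectory` to `/app/cache`, so kopia needs a writable volume mounted at that path or its cache writes will fail. The persistence section lies outside this hunk, so this may already be covered; if it is not, an `emptyDir` at `/app/cache` is the missing piece. Dropping `privileged: true` and `runAsUser: 0` also means the process now sees the data only as uid/gid 568 plus group 10000, and anything not readable by those ids will no longer be visible to it. An inline comment such as `supplementalGroups: [10000]  # <group that owns the data kopia reads>` would record that dependency.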
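--- a/kubernetes/storage/apps/default/kopia/app/kustomization.yaml
+++ b/kubernetes/storage/apps/default/kopia/app/kustomization.yaml
@@ -5,9 +5,3 @@ kind: Kustomization
 resources:
 - ./externalsecret.yaml
 - ./helmrelease.yaml
-configMapGenerator:
-- name: kopia-repository-config-tpl
-files:
-- repository.config=./resources/repository.config
-generatorOptions:
-disableNameSuffixHash: true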

This file was deleted.

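--- a/kubernetes/storage/apps/default/minio/app/helmrelease.yaml
+++ b/kubernetes/storage/apps/default/minio/app/helmrelease.yaml
@@ -43,11 +43,7 @@ spec:
 envFrom:
 - secretRef:
 name: minio-secret
-args:
-- server
-- /data
-- --console-address
-- :9001
+args: ["server", "/data", "--console-address", ":9001"]
 probes:
 liveness: &probes
 enabled: true
@@ -64,11 +60,23 @@ spec:
 startup:
 enabled: false
 securityContext:
-runAsUser: 568
-runAsGroup: 568
-fsGroup: 568
-fsGroupChangePolicy: OnRootMismatch
-supplementalGroups: [100]
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities: { drop: ["ALL"] }
+resources:
+requests:
+cpu: 100m
+limits:
+memory: 2Gi
+defaultPodOptions:
+securityContext:
+runAsNonRoot: true
+runAsUser: 568
+runAsGroup: 568
+fsGroup: 568
+fsGroupChangePolicy: OnRootMismatch
+supplementalGroups: [10000]
+seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: minio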
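Review bot: In the second hunk `supplementalGroups` changes from `[100]` to `[10000]`, which goes beyond the move to `defaultPodOptions` that the commit title describes. If the existing `/data` contents are group-owned by gid 100 and the backing volume does not honour `fsGroup`, MinIO running as uid 568 could lose write access; the volume definition is outside the hunk, so this is inferred rather than visible. It is worth confirming ownership on the backing store before rollout and recording the intent inline, for example `supplementalGroups: [10000]  # <what gid 10000 maps to>; was 100`.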
