aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Geissler <andreas-geissler@telekom.de>2024-08-02 14:18:07 +0200
committerAndreas Geissler <andreas-geissler@telekom.de>2024-08-07 16:09:07 +0200
commitdbabc4be8ab3a55d76fab88dab356d43e3d59e19 (patch)
tree982bc4a79078de0952a5bf9aff7ad4d4cba2cf10
parentbf35e55286a0ac2f4fe05f595cda7109f22a5e6a (diff)
[COMMON] Synchronize common charts
- solve actual findings during tests with kyverno policies - synchronize headers Issue-ID: OOM-3288 Issue-ID: OOM-3296 Change-Id: Ia7e7daa8864069493e09dd6511825aa939c5eeaf Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
-rw-r--r--kubernetes/common/common/Chart.yaml2
-rw-r--r--kubernetes/common/common/templates/_serviceMesh.tpl11
-rw-r--r--kubernetes/common/elasticsearch/Chart.yaml4
-rw-r--r--kubernetes/common/elasticsearch/components/curator/Chart.yaml4
-rw-r--r--kubernetes/common/elasticsearch/components/data/Chart.yaml4
-rw-r--r--kubernetes/common/elasticsearch/components/master/Chart.yaml4
-rw-r--r--kubernetes/common/etcd/Chart.yaml4
-rw-r--r--kubernetes/common/logConfiguration/Chart.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/Chart.yaml10
-rw-r--r--kubernetes/common/mariadb-galera/templates/statefulset.yaml15
-rw-r--r--kubernetes/common/mariadb-galera/values.yaml13
-rw-r--r--kubernetes/common/mariadb-init/Chart.yaml4
-rw-r--r--kubernetes/common/mongodb/templates/backup/cronjob.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/hidden/statefulset.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/replicaset/statefulset.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/standalone/dep-sts.yaml2
-rw-r--r--kubernetes/common/postgres-init/Chart.yaml7
-rw-r--r--kubernetes/common/postgres-init/templates/job.yaml3
-rw-r--r--kubernetes/common/postgres-init/values.yaml4
-rw-r--r--kubernetes/common/postgres/Chart.yaml4
-rw-r--r--kubernetes/common/readinessCheck/Chart.yaml4
-rw-r--r--kubernetes/common/serviceAccount/Chart.yaml2
-rw-r--r--kubernetes/common/timescaledb/Chart.yaml2
-rw-r--r--kubernetes/common/timescaledb/templates/statefulset.yaml24
24 files changed, 97 insertions, 38 deletions
diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml
index 10894bd006..986b96fa13 100644
--- a/kubernetes/common/common/Chart.yaml
+++ b/kubernetes/common/common/Chart.yaml
@@ -17,4 +17,4 @@
apiVersion: v2
description: Common templates for inclusion in other charts
name: common
-version: 13.2.3
+version: 13.2.4
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index 505d80560d..638db8cab1 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -78,7 +78,16 @@ exit "$RCODE"
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- {{ include "common.containerSecurityContext" . | indent 2 | trim }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsUser: 100
+ runAsGroup: 65533
resources:
limits:
cpu: 100m
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml
index 6949da7962..48de2c0502 100644
--- a/kubernetes/common/elasticsearch/Chart.yaml
+++ b/kubernetes/common/elasticsearch/Chart.yaml
@@ -23,10 +23,10 @@ version: 13.0.0
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: master
version: ~13.x-0
repository: 'file://components/master'
diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml
index 390228b6ae..baceb1dadc 100644
--- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml
@@ -23,7 +23,7 @@ version: 13.0.0
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../../../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml
index d49a21085b..30c925aba7 100644
--- a/kubernetes/common/elasticsearch/components/data/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml
@@ -23,7 +23,7 @@ version: 13.0.0
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../../../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml
index 73d59075e3..e481c7cd4b 100644
--- a/kubernetes/common/elasticsearch/components/master/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml
@@ -22,7 +22,7 @@ version: 13.0.0
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../../../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml
index 02fc2c0603..465364b3da 100644
--- a/kubernetes/common/etcd/Chart.yaml
+++ b/kubernetes/common/etcd/Chart.yaml
@@ -28,7 +28,7 @@ sources:
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml
index a5790a4d62..7908bfa405 100644
--- a/kubernetes/common/logConfiguration/Chart.yaml
+++ b/kubernetes/common/logConfiguration/Chart.yaml
@@ -22,4 +22,4 @@ version: 13.0.0
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml
index c5bb0aaf94..d97aa0ecea 100644
--- a/kubernetes/common/mariadb-galera/Chart.yaml
+++ b/kubernetes/common/mariadb-galera/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: Chart for MariaDB Galera cluster
name: mariadb-galera
-version: 13.2.0
+version: 13.2.1
keywords:
- mariadb
- mysql
@@ -30,14 +30,14 @@ keywords:
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: readinessCheck
version: ~13.x-0
- repository: 'file://../readinessCheck'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: serviceAccount
version: ~13.x-0
- repository: 'file://../serviceAccount'
+ repository: '@local'
condition: global.mariadbGalera.enableServiceAccount \ No newline at end of file
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index f9b4de4b88..2b8951979d 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -55,7 +55,19 @@ spec:
image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ add:
+ - CHOWN
+ - SYS_CHROOT
+ runAsGroup: {{ .Values.securityContext.group_id }}
+ readOnlyRootFilesystem: false
runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: previous-boot
mountPath: /bootstrap
@@ -169,6 +181,7 @@ spec:
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- end }}
+ {{ include "common.securityContext" . | indent 10 | trim }}
resources: {{ include "common.resources" . | nindent 12 }}
volumeMounts:
- name: previous-boot
@@ -218,7 +231,7 @@ spec:
timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
- {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ securityContext: {{- toYaml .Values.metrics.securityContext | nindent 12 }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 47264f971c..d8303dd5fd 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -659,6 +659,19 @@ metrics:
## - --collect.binlog_size
##
extraFlags: []
+ securityContext:
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ runAsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
## MySQL Prometheus exporter containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml
index 0ac3750bb1..d1844916e0 100644
--- a/kubernetes/common/mariadb-init/Chart.yaml
+++ b/kubernetes/common/mariadb-init/Chart.yaml
@@ -23,10 +23,10 @@ version: 13.0.2
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: serviceAccount
version: ~13.x-0
repository: '@local'
diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
index 44c297accd..b1d0b589a9 100644
--- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
@@ -167,7 +167,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
index a64002a30a..493c2b2cfe 100644
--- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
@@ -515,7 +515,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.hidden.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
index 089119c970..7de00e7925 100644
--- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
@@ -513,7 +513,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.replicaSet.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
index 619533d8d0..817698beed 100644
--- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
+++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
@@ -438,7 +438,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.standalone.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml
index 342854c71a..4951ed6359 100644
--- a/kubernetes/common/postgres-init/Chart.yaml
+++ b/kubernetes/common/postgres-init/Chart.yaml
@@ -1,5 +1,6 @@
# Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,16 +17,16 @@
apiVersion: v2
description: Chart for Postgres init job
name: postgres-init
-version: 13.0.2
+version: 13.0.3
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: readinessCheck
version: ~13.x-0
repository: '@local'
diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml
index cc7d410eb2..a2f7e12274 100644
--- a/kubernetes/common/postgres-init/templates/job.yaml
+++ b/kubernetes/common/postgres-init/templates/job.yaml
@@ -39,6 +39,7 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
containers:
- command:
@@ -82,6 +83,7 @@ spec:
- mountPath: /config
name: pgconf
resources: {{ include "common.resources" . | nindent 10 }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
{{ include "common.waitForJobContainer" . | indent 6 | trim }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -98,6 +100,7 @@ spec:
name: {{ include "common.fullname" . }}
- name: pgconf
emptyDir:
+ sizeLimit: 64Mi
medium: Memory
restartPolicy: Never
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml
index cede7e0976..99be8354be 100644
--- a/kubernetes/common/postgres-init/values.yaml
+++ b/kubernetes/common/postgres-init/values.yaml
@@ -97,6 +97,10 @@ serviceAccount:
roles:
- read
+securityContext:
+ user_id: 26
+ group_id: 26
+
readinessCheck:
wait_for:
services:
diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml
index d1fb768cc5..562b69fd0e 100644
--- a/kubernetes/common/postgres/Chart.yaml
+++ b/kubernetes/common/postgres/Chart.yaml
@@ -22,7 +22,7 @@ version: 13.1.0
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml
index bd8adbfcea..c9134177c2 100644
--- a/kubernetes/common/readinessCheck/Chart.yaml
+++ b/kubernetes/common/readinessCheck/Chart.yaml
@@ -22,7 +22,7 @@ version: 13.1.1
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
index 4e3eab3712..b691c40903 100644
--- a/kubernetes/common/serviceAccount/Chart.yaml
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -23,4 +23,4 @@ version: 13.0.1
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml
index dd92121eb8..b0569eb662 100644
--- a/kubernetes/common/timescaledb/Chart.yaml
+++ b/kubernetes/common/timescaledb/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml
index bee389f191..1d161f3945 100644
--- a/kubernetes/common/timescaledb/templates/statefulset.yaml
+++ b/kubernetes/common/timescaledb/templates/statefulset.yaml
@@ -30,6 +30,22 @@ spec:
spec:
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
{{ include "common.podSecurityContext" . | indent 10 | trim}}
+ initContainers:
+ # we shouldn't need this but for unknown reason, it's fsGroup is not
+ # applied
+ - name: fix-permission
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data
+ image: {{ include "repositoryGenerator.image.busybox" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: {{ include "common.fullname" . }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
@@ -78,9 +94,9 @@ spec:
{{- end }}
{{- with .Values.tolerations }}
tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence "ignoreHelmChart" true) | indent 6 | trim }}
-{{- end }}
+ {{- end }}