aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Geissler <andreas-geissler@telekom.de>2024-05-08 15:18:55 +0200
committerAndreas Geissler <andreas-geissler@telekom.de>2024-07-05 09:25:23 +0200
commitdc8c05476d316a16627d5b0934b69c3a9ecc38b7 (patch)
tree89c3b4a84a44c6e5db7086dfdc83630c17e6455b
parent0f3311521a169a4774064f9c948460c955620f62 (diff)
[COMMON] Fix Kyverno Policies
common: - Add settings to common pod templates and fix Cassandra serviceMesh and MariaDB operator templates - Added template for mongodb - Empty lines to files added readinessCheck: - Add missing security settings mariadb-init: - add security settings in job cassandra: - Empty lines added to files mongodb: - make emptyDir volume size configurable others: - update chart dependency for mongodb in components - fix linter errors in all files Issue-ID: OOM-3295 Issue-ID: OOM-3296 Change-Id: Ieb64be337013e0477f7aaca9c75bb6a3f3264848 Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
-rw-r--r--kubernetes/common/cassandra/.helmignore32
-rw-r--r--kubernetes/common/cassandra/Chart.yaml2
-rw-r--r--kubernetes/common/cassandra/resources/config/docker-entrypoint.sh1
-rw-r--r--kubernetes/common/cassandra/resources/exec.py2
-rw-r--r--kubernetes/common/cassandra/templates/backup/cronjob.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/cassOp.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/configmap.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/pv.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/secrets.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/service.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/servicemonitor.yaml2
-rw-r--r--kubernetes/common/cassandra/templates/statefulset.yaml2
-rw-r--r--kubernetes/common/common/.helmignore32
-rw-r--r--kubernetes/common/common/Chart.yaml4
-rw-r--r--kubernetes/common/common/templates/_affinities.tpl2
-rw-r--r--kubernetes/common/common/templates/_cassOp.tpl9
-rw-r--r--kubernetes/common/common/templates/_dmaapProvisioning.tpl2
-rw-r--r--kubernetes/common/common/templates/_log.tpl1
-rw-r--r--kubernetes/common/common/templates/_mariadb.tpl70
-rw-r--r--kubernetes/common/common/templates/_mongodb.tpl165
-rw-r--r--kubernetes/common/common/templates/_pod.tpl7
-rw-r--r--kubernetes/common/common/templates/_serviceMesh.tpl8
-rw-r--r--kubernetes/common/elasticsearch/.helmignore31
-rw-r--r--kubernetes/common/elasticsearch/Chart.yaml6
-rw-r--r--kubernetes/common/elasticsearch/components/curator/Chart.yaml2
-rw-r--r--kubernetes/common/elasticsearch/components/curator/values.yaml1
-rw-r--r--kubernetes/common/elasticsearch/templates/_helpers.tpl2
-rw-r--r--kubernetes/common/etcd/.helmignore11
-rw-r--r--kubernetes/common/etcd/templates/service.yaml1
-rw-r--r--kubernetes/common/logConfiguration/.helmignore32
-rw-r--r--kubernetes/common/mariadb-galera/.helmignore11
-rw-r--r--kubernetes/common/mariadb-galera/templates/backup/pvc.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/configmap.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/mariadb.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/metrics-svc.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/pdb.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/prometheusrules.yaml1
-rw-r--r--kubernetes/common/mariadb-galera/templates/pv.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/secrets.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/servicemonitor.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/statefulset.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/values.yaml4
-rw-r--r--kubernetes/common/mariadb-init/.helmignore11
-rw-r--r--kubernetes/common/mariadb-init/Chart.yaml4
-rw-r--r--kubernetes/common/mariadb-init/templates/_configmap.tpl4
-rw-r--r--kubernetes/common/mariadb-init/templates/_mariadb.tpl4
-rw-r--r--kubernetes/common/mariadb-init/templates/configmap.yaml4
-rw-r--r--kubernetes/common/mariadb-init/templates/job.yaml6
-rw-r--r--kubernetes/common/mariadb-init/templates/secret.yaml4
-rw-r--r--kubernetes/common/mariadb-init/tests/job_test.yaml52
-rw-r--r--kubernetes/common/mariadb-init/values.yaml32
-rw-r--r--kubernetes/common/mongodb/Chart.yaml2
-rw-r--r--kubernetes/common/mongodb/README.md2
-rw-r--r--kubernetes/common/mongodb/common/templates/_images.tpl1
-rw-r--r--kubernetes/common/mongodb/templates/arbiter/statefulset.yaml6
-rw-r--r--kubernetes/common/mongodb/templates/backup/cronjob.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/hidden/statefulset.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/networkpolicy.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/replicaset/statefulset.yaml2
-rw-r--r--kubernetes/common/mongodb/templates/standalone/dep-sts.yaml2
-rw-r--r--kubernetes/common/mongodb/values.yaml24
-rw-r--r--kubernetes/common/postgres-init/.helmignore11
-rw-r--r--kubernetes/common/postgres-init/Chart.yaml2
-rw-r--r--kubernetes/common/postgres-init/values.yaml2
-rw-r--r--kubernetes/common/postgres/.helmignore11
-rw-r--r--kubernetes/common/postgres/Chart.yaml2
-rw-r--r--kubernetes/common/postgres/configs/pg_hba.conf1
-rw-r--r--kubernetes/common/postgres/templates/deployment-primary.yaml2
-rw-r--r--kubernetes/common/postgres/templates/deployment-replica.yaml2
-rw-r--r--kubernetes/common/postgres/templates/metrics-svc-primary.yaml2
-rw-r--r--kubernetes/common/postgres/templates/metrics-svc-replica.yaml2
-rw-r--r--kubernetes/common/postgres/templates/postgres.yaml2
-rw-r--r--kubernetes/common/postgres/templates/pv-primary.yaml2
-rw-r--r--kubernetes/common/postgres/templates/pvc-replica.yaml2
-rw-r--r--kubernetes/common/postgres/templates/service-replica.yaml2
-rw-r--r--kubernetes/common/postgres/templates/servicemonitor.yaml2
-rw-r--r--kubernetes/common/readinessCheck/.helmignore32
-rw-r--r--kubernetes/common/readinessCheck/Chart.yaml4
-rw-r--r--kubernetes/common/readinessCheck/templates/_readinessCheck.tpl7
-rw-r--r--kubernetes/common/repositoryGenerator/.helmignore32
-rw-r--r--kubernetes/common/serviceAccount/.helmignore32
-rw-r--r--kubernetes/common/serviceAccount/Chart.yaml2
-rw-r--r--kubernetes/common/serviceAccount/templates/role.yaml1
-rw-r--r--kubernetes/common/serviceAccount/templates/service-account.yaml2
-rw-r--r--kubernetes/common/timescaledb/.helmignore12
-rw-r--r--kubernetes/common/timescaledb/Chart.yaml2
-rw-r--r--kubernetes/common/timescaledb/templates/statefulset.yaml16
-rw-r--r--kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml2
-rw-r--r--kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml6
-rw-r--r--kubernetes/multicloud/components/multicloud-k8s/Chart.yaml2
-rw-r--r--kubernetes/nbi/Chart.yaml2
-rw-r--r--kubernetes/platform/components/chartmuseum/templates/deployment.yaml15
-rw-r--r--kubernetes/portal-ng/components/portal-ng-history/Chart.yaml2
-rw-r--r--kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml2
94 files changed, 693 insertions, 166 deletions
diff --git a/kubernetes/common/cassandra/.helmignore b/kubernetes/common/cassandra/.helmignore
new file mode 100644
index 0000000000..0bab41b6b1
--- /dev/null
+++ b/kubernetes/common/cassandra/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/cassandra/Chart.yaml b/kubernetes/common/cassandra/Chart.yaml
index ee3f4e5355..81f5c5dae7 100644
--- a/kubernetes/common/cassandra/Chart.yaml
+++ b/kubernetes/common/cassandra/Chart.yaml
@@ -30,4 +30,4 @@ dependencies:
- name: serviceAccount
version: ~13.x-0
repository: 'file://../serviceAccount'
- condition: global.cassandra.enableServiceAccount \ No newline at end of file
+ condition: global.cassandra.enableServiceAccount
diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
index f9f62739f2..50051b4b44 100644
--- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
+++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh
@@ -93,4 +93,3 @@ if [ "$1" = 'cassandra' ]; then
fi
exec "$@"
-
diff --git a/kubernetes/common/cassandra/resources/exec.py b/kubernetes/common/cassandra/resources/exec.py
index a7f297399e..ec2f0b4fc6 100644
--- a/kubernetes/common/cassandra/resources/exec.py
+++ b/kubernetes/common/cassandra/resources/exec.py
@@ -118,5 +118,3 @@ def main(argv):
if __name__ == "__main__":
main(sys.argv[1:])
-
-
diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
index 6db1202b4f..263ac28512 100644
--- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml
+++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml
@@ -250,4 +250,4 @@ spec:
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-backup-data
{{- end -}}
-{{- end -}} \ No newline at end of file
+{{- end -}}
diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml
index 9f463adf08..6b7052d10e 100644
--- a/kubernetes/common/cassandra/templates/cassOp.yaml
+++ b/kubernetes/common/cassandra/templates/cassOp.yaml
@@ -16,4 +16,4 @@
{{- if .Values.global.cassandra.useOperator }}
{{ include "common.k8ssandraCluster" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml
index 5510986e54..117100a441 100644
--- a/kubernetes/common/cassandra/templates/configmap.yaml
+++ b/kubernetes/common/cassandra/templates/configmap.yaml
@@ -26,4 +26,4 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml
index d18e51d2f4..00e61d3bb5 100644
--- a/kubernetes/common/cassandra/templates/pv.yaml
+++ b/kubernetes/common/cassandra/templates/pv.yaml
@@ -15,4 +15,4 @@
*/}}
{{- if not .Values.global.cassandra.useOperator }}
{{ include "common.replicaPV" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml
index 5a611a9bef..181e5f98a7 100644
--- a/kubernetes/common/cassandra/templates/secrets.yaml
+++ b/kubernetes/common/cassandra/templates/secrets.yaml
@@ -18,4 +18,4 @@
{{- if .Values.global.cassandra.useOperator }}
{{ include "common.secretFast" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml
index 8b2e534a5f..6b6f585d2f 100644
--- a/kubernetes/common/cassandra/templates/service.yaml
+++ b/kubernetes/common/cassandra/templates/service.yaml
@@ -16,4 +16,4 @@
{{- if not .Values.global.cassandra.useOperator }}
{{ include "common.headlessService" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml
index 078107393a..57f4d3f412 100644
--- a/kubernetes/common/cassandra/templates/servicemonitor.yaml
+++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml
@@ -18,4 +18,4 @@
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml
index ddaff5c7c0..d76dde3454 100644
--- a/kubernetes/common/cassandra/templates/statefulset.yaml
+++ b/kubernetes/common/cassandra/templates/statefulset.yaml
@@ -199,4 +199,4 @@ spec:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/common/.helmignore b/kubernetes/common/common/.helmignore
new file mode 100644
index 0000000000..f066c4b723
--- /dev/null
+++ b/kubernetes/common/common/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.local/
+.config/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml
index ffcda6736a..787930a473 100644
--- a/kubernetes/common/common/Chart.yaml
+++ b/kubernetes/common/common/Chart.yaml
@@ -12,8 +12,8 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+---
apiVersion: v2
description: Common templates for inclusion in other charts
name: common
-version: 13.2.0
+version: 13.2.1
diff --git a/kubernetes/common/common/templates/_affinities.tpl b/kubernetes/common/common/templates/_affinities.tpl
index bf7ae497ca..69d0e78680 100644
--- a/kubernetes/common/common/templates/_affinities.tpl
+++ b/kubernetes/common/common/templates/_affinities.tpl
@@ -106,4 +106,4 @@ Return a podAffinity/podAntiAffinity definition
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
-{{- end -}} \ No newline at end of file
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl
index b0cf8e331e..bdcf5caa02 100644
--- a/kubernetes/common/common/templates/_cassOp.tpl
+++ b/kubernetes/common/common/templates/_cassOp.tpl
@@ -111,13 +111,18 @@ spec:
name: {{ $datacenter.name }}
size: {{ $datacenter.size }}
{{- end }}
- {{ if .Values.podAnnotations -}}
+ podSecurityContext:
+ fsGroup: 999
+ runAsGroup: 999
+ runAsUser: 999
+ runAsNonRoot: true
metadata:
+ {{ if .Values.podAnnotations -}}
pods:
annotations:
{{ toYaml .Values.podAnnotations | nindent 10 }}
+ {{- end }}
commonLabels:
app: {{ .Values.k8ssandraOperator.config.clusterName }}
version: {{ .Values.k8ssandraOperator.cassandraVersion }}
- {{- end }}
{{ end }}
diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl
index e7b90ea8ff..f162e9a2f9 100644
--- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl
+++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl
@@ -115,4 +115,4 @@
{{- include "common.dmaap.provisioning._volumeMounts" $dot | trim | nindent 2 }}
resources: {{ include "common.resources" $dot | nindent 4 }}
{{- end -}}
-{{- end -}} \ No newline at end of file
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl
index 993c48239a..dc900dd4e4 100644
--- a/kubernetes/common/common/templates/_log.tpl
+++ b/kubernetes/common/common/templates/_log.tpl
@@ -59,4 +59,3 @@ data:
{{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }}
{{- end }}
{{- end -}}
-
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl
index 3092298a7d..0e46e5ef26 100644
--- a/kubernetes/common/common/templates/_mariadb.tpl
+++ b/kubernetes/common/common/templates/_mariadb.tpl
@@ -257,6 +257,29 @@ spec:
runAsUser: 10001
runAsGroup: 10001
fsGroup: 10001
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ volumes:
+ - name: run
+ emptyDir:
+ sizeLimit: 64Mi
+ - name: tmp
+ emptyDir:
+ sizeLimit: 64Mi
+ volumeMounts:
+ - name: run
+ mountPath: /run/mysqld
+ - name: tmp
+ mountPath: /tmp
inheritMetadata:
{{ if .Values.podAnnotations -}}
annotations: {{ toYaml .Values.podAnnotations | nindent 6 }}
@@ -288,6 +311,17 @@ spec:
enabled: true
authDelegatorRoleName: {{ $dbinst }}-auth
gracefulShutdownTimeout: 5s
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
primary:
automaticFailover: true
podIndex: 0
@@ -301,6 +335,17 @@ spec:
initContainer:
image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }}
imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ privileged: false
+ runAsNonRoot: true
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
config:
reuseStorageVolume: false
volumeClaimTemplate:
@@ -334,6 +379,31 @@ spec:
{{- if default false $dot.Values.global.metrics.enabled }}
metrics:
enabled: true
+ exporter:
+ image: {{ include "repositoryGenerator.dockerHubRepository" . }}/prom/mysqld-exporter:v0.15.1
+ port: 9104
+ podSecurityContext:
+ fsGroup: 10001
+ runAsGroup: 10001
+ runAsUser: 10001
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
{{- end }}
affinity:
podAntiAffinity:
diff --git a/kubernetes/common/common/templates/_mongodb.tpl b/kubernetes/common/common/templates/_mongodb.tpl
new file mode 100644
index 0000000000..80d8d72194
--- /dev/null
+++ b/kubernetes/common/common/templates/_mongodb.tpl
@@ -0,0 +1,165 @@
+{{/*
+# Copyright © 2019 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{/*
+ UID of mongodb root password
+*/}}
+{{- define "common.mongodb.secret.rootPassUID" -}}
+ {{- printf "db-root-password" }}
+{{- end -}}
+
+{{/*
+ Name of mongodb secret
+*/}}
+{{- define "common.mongodb.secret._secretName" -}}
+ {{- $global := .dot }}
+ {{- $chartName := tpl .chartName $global -}}
+ {{- include "common.secret.genName" (dict "global" $global "uid" (include .uidTemplate $global) "chartName" $chartName) }}
+{{- end -}}
+
+{{/*
+ Name of mongodb root password secret
+*/}}
+{{- define "common.mongodb.secret.rootPassSecretName" -}}
+ {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.rootPassUID") }}
+{{- end -}}
+
+{{/*
+ UID of mongodb user credentials
+*/}}
+{{- define "common.mongodb.secret.userCredentialsUID" -}}
+ {{- printf "db-user-credentials" }}
+{{- end -}}
+
+{{/*
+ Name of mongodb user credentials secret
+*/}}
+{{- define "common.mongodb.secret.userCredentialsSecretName" -}}
+ {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.userCredentialsUID") }}
+{{- end -}}
+
+{{/*
+ UID of mongodb primary password
+*/}}
+{{- define "common.mongodb.secret.primaryPasswordUID" -}}
+ {{- printf "primary-password" }}
+{{- end -}}
+
+{{/*
+ Name of mongodb user credentials secret
+*/}}
+{{- define "common.mongodb.secret.primaryPasswordSecretName" -}}
+ {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.primaryPasswordUID") }}
+{{- end -}}
+
+{{/*
+ Choose the name of the mongodb app label to use.
+*/}}
+{{- define "common.mongodbAppName" -}}
+ {{- if .Values.global.mongodb.localCluster -}}
+ {{- index .Values "mongodb" "nameOverride" -}}
+ {{- else -}}
+ {{- .Values.global.mongodb.nameOverride -}}
+ {{- end -}}
+{{- end -}}
+
+#Not edited yet
+{{/*
+ Create mongodb cluster via mongodb percona-operator
+*/}}
+{{- define "common.mongodbOpInstance" -}}
+{{- $dot := default . .dot -}}
+{{- $global := $dot.Values.global -}}
+{{- $dbinst := include "common.name" $dot -}}
+---
+
+apiVersion: psmdb.percona.com/v1
+kind: PerconaServerMongoDB
+metadata:
+ name: {{ $dbinst }}
+ labels:
+ app: {{ $dbinst }}
+ version: "5.5"
+spec:
+ metadata:
+ labels:
+ app: {{ $dbinst }}
+ version: "5.5"
+ {{- if .Values.mongodbOperator.imageMongo }}
+ image: {{ .Values.mongodbOperator.imageMongo | quote }}
+ {{- end }}
+ imagePullSecrets:
+ - name: {{ include "common.namespace" . }}-docker-registry-key
+ mongodbVersion: {{ $dot.Values.mongodbOperator.mongodbVersion }}
+ instances:
+ - name: {{ default "instance1" .Values.mongodbOperator.instanceName | quote }}
+ replicas: {{ default 2 .Values.mongodbOperator.instanceReplicas }}
+ dataVolumeClaimSpec:
+ {{- if .Values.instanceStorageClassName }}
+ storageClassName: {{ .Values.mongodbOperator.instanceStorageClassName | quote }}
+ {{- end }}
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: {{ default "1Gi" .Values.mongodbOperator.instanceSize | quote }}
+ {{- if or .Values.instanceMemory .Values.mongodbOperator.instanceCPU }}
+ resources:
+ limits:
+ cpu: {{ default "" .Values.mongodbOperator.instanceCPU | quote }}
+ memory: {{ default "" .Values.mongodbOperator.instanceMemory | quote }}
+ {{- end }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ mongodb-operator.crunchydata.com/cluster: {{ $dbinst }}
+ mongodb-operator.crunchydata.com/instance-set: {{ default "instance1" .Values.mongodbOperator.instanceName | quote }}
+ proxy:
+ pgBouncer:
+ metadata:
+ labels:
+ app: {{ $dbinst }}
+ version: "5.5"
+ {{- if .Values.mongodbOperator.imagePgBouncer }}
+ image: {{ .Values.mongodbOperator.imagePgBouncer | quote }}
+ {{- end }}
+ replicas: {{ default 2 .Values.mongodbOperator.bouncerReplicas }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ mongodb-operator.crunchydata.com/cluster: {{ $dbinst }}
+ mongodb-operator.crunchydata.com/role: pgbouncer
+ {{- if .Values.mongodbOperator.monitoring }}
+ monitoring:
+ pgmonitor:
+ exporter:
+ image: {{ default "" .Values.mongodbOperator.imageExporter | quote }}
+ {{- if .Values.mongodbOperator.monitoringConfig }}
+{{ toYaml .Values.monitoringConfig | indent 8 }}
+ {{- end }}
+ {{- end }}
+ users:
+ - name: mongodb
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
index 810350bfa6..0a1d0abdf6 100644
--- a/kubernetes/common/common/templates/_pod.tpl
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -59,6 +59,9 @@ securityContext:
runAsUser: {{ .Values.securityContext.user_id }}
runAsGroup: {{ .Values.securityContext.group_id }}
fsGroup: {{ .Values.securityContext.group_id }}
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
{{- end }}
{{/*
@@ -69,4 +72,8 @@ securityContext:
readOnlyRootFilesystem: true
privileged: false
allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
{{- end }}
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index de779f8db8..55e9e00410 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -65,6 +65,14 @@ exit "$RCODE"
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{ include "common.containerSecurityContext" . | indent 2 | trim }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
{{- end }}
{{- end }}
diff --git a/kubernetes/common/elasticsearch/.helmignore b/kubernetes/common/elasticsearch/.helmignore
index 68ffb32406..0bab41b6b1 100644
--- a/kubernetes/common/elasticsearch/.helmignore
+++ b/kubernetes/common/elasticsearch/.helmignore
@@ -1 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
components/
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml
index 82c8ccd056..6949da7962 100644
--- a/kubernetes/common/elasticsearch/Chart.yaml
+++ b/kubernetes/common/elasticsearch/Chart.yaml
@@ -24,6 +24,9 @@ dependencies:
- name: common
version: ~13.x-0
repository: 'file://../common'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: 'file://../repositoryGenerator'
- name: master
version: ~13.x-0
repository: 'file://components/master'
@@ -35,6 +38,3 @@ dependencies:
version: ~13.x-0
repository: 'file://components/curator'
condition: elasticsearch.curator.enabled,curator.enabled
- - name: repositoryGenerator
- version: ~13.x-0
- repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml
index 39780f2e83..390228b6ae 100644
--- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml
@@ -26,4 +26,4 @@ dependencies:
repository: 'file://../../../common'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator' \ No newline at end of file
+ repository: 'file://../../../repositoryGenerator'
diff --git a/kubernetes/common/elasticsearch/components/curator/values.yaml b/kubernetes/common/elasticsearch/components/curator/values.yaml
index 00f113b5bb..d02d017108 100644
--- a/kubernetes/common/elasticsearch/components/curator/values.yaml
+++ b/kubernetes/common/elasticsearch/components/curator/values.yaml
@@ -175,4 +175,3 @@ extraInitContainers: {}
# "storage_class": "${S3_STORAGE_CLASS}"
# }
# }
-
diff --git a/kubernetes/common/elasticsearch/templates/_helpers.tpl b/kubernetes/common/elasticsearch/templates/_helpers.tpl
index 1de2599af9..34663e14f1 100644
--- a/kubernetes/common/elasticsearch/templates/_helpers.tpl
+++ b/kubernetes/common/elasticsearch/templates/_helpers.tpl
@@ -69,5 +69,3 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
-
-
diff --git a/kubernetes/common/etcd/.helmignore b/kubernetes/common/etcd/.helmignore
index f0c1319444..0bab41b6b1 100644
--- a/kubernetes/common/etcd/.helmignore
+++ b/kubernetes/common/etcd/.helmignore
@@ -19,3 +19,14 @@
.project
.idea/
*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/etcd/templates/service.yaml b/kubernetes/common/etcd/templates/service.yaml
index 006378f631..72dea06832 100644
--- a/kubernetes/common/etcd/templates/service.yaml
+++ b/kubernetes/common/etcd/templates/service.yaml
@@ -35,4 +35,3 @@ spec:
selector:
app.kubernetes.io/name: {{ include "common.name" . }}
app.kubernetes.io/instance: {{ include "common.release" . }}
-
diff --git a/kubernetes/common/logConfiguration/.helmignore b/kubernetes/common/logConfiguration/.helmignore
new file mode 100644
index 0000000000..0bab41b6b1
--- /dev/null
+++ b/kubernetes/common/logConfiguration/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/mariadb-galera/.helmignore b/kubernetes/common/mariadb-galera/.helmignore
index f0c1319444..0bab41b6b1 100644
--- a/kubernetes/common/mariadb-galera/.helmignore
+++ b/kubernetes/common/mariadb-galera/.helmignore
@@ -19,3 +19,14 @@
.project
.idea/
*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml
index 4c2bfcd389..05aafb5cc9 100644
--- a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml
+++ b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml
@@ -47,4 +47,4 @@ spec:
{{- end -}}
{{- end -}}
{{- end -}}
-{{- end -}} \ No newline at end of file
+{{- end -}}
diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml
index 0aa0a63f0a..152d39f4a5 100644
--- a/kubernetes/common/mariadb-galera/templates/configmap.yaml
+++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml
@@ -39,4 +39,4 @@ data:
my.cnf: |
{{ .Values.mariadbConfiguration | indent 4 }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/templates/mariadb.yaml b/kubernetes/common/mariadb-galera/templates/mariadb.yaml
index ce09c9ff06..d8ada6fbbb 100644
--- a/kubernetes/common/mariadb-galera/templates/mariadb.yaml
+++ b/kubernetes/common/mariadb-galera/templates/mariadb.yaml
@@ -16,4 +16,4 @@
{{- if .Values.global.mariadbGalera.useOperator }}
{{ include "common.mariadbOpInstance" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml
index d37aeb1751..e628deea15 100644
--- a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml
+++ b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml
@@ -34,4 +34,4 @@ spec:
targetPort: tcp-metrics
selector: {{- include "common.matchLabels" . | nindent 4 }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/templates/pdb.yaml b/kubernetes/common/mariadb-galera/templates/pdb.yaml
index 734f03f237..da83abc993 100644
--- a/kubernetes/common/mariadb-galera/templates/pdb.yaml
+++ b/kubernetes/common/mariadb-galera/templates/pdb.yaml
@@ -29,4 +29,4 @@ spec:
selector:
matchLabels: {{- include "common.matchLabels" . | nindent 6 }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml b/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml
index cf0ab566a4..ee9124f23b 100644
--- a/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml
+++ b/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml
@@ -28,4 +28,3 @@ spec:
rules:
{{- toYaml .Values.metrics.prometheusRules.rules | nindent 6 }}
{{- end }}
-
diff --git a/kubernetes/common/mariadb-galera/templates/pv.yaml b/kubernetes/common/mariadb-galera/templates/pv.yaml
index 129b5b26c7..267755259d 100644
--- a/kubernetes/common/mariadb-galera/templates/pv.yaml
+++ b/kubernetes/common/mariadb-galera/templates/pv.yaml
@@ -17,4 +17,4 @@
{{- if not .Values.global.mariadbGalera.useOperator }}
{{ include "common.replicaPV" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/templates/secrets.yaml b/kubernetes/common/mariadb-galera/templates/secrets.yaml
index 527f41266d..77a8e38e80 100644
--- a/kubernetes/common/mariadb-galera/templates/secrets.yaml
+++ b/kubernetes/common/mariadb-galera/templates/secrets.yaml
@@ -16,4 +16,4 @@
# limitations under the License.
*/}}
-{{ include "common.secretFast" . }} \ No newline at end of file
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml
index 4cbf7b394f..1bffb246f4 100644
--- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml
+++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml
@@ -18,4 +18,4 @@
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index 70cc0c34bd..f9b4de4b88 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -266,4 +266,4 @@ spec:
volumeClaimTemplates:
- {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 3d9725cb43..47264f971c 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -63,9 +63,9 @@ mariadbOperator:
galera:
enabled: true
agentImage: mariadb-operator/mariadb-operator
- agentVersion: v0.0.27
+ agentVersion: v0.0.28
initImage: mariadb-operator/mariadb-operator
- initVersion: v0.0.27
+ initVersion: v0.0.28
## String to partially override common.names.fullname template (will maintain the release name)
##
diff --git a/kubernetes/common/mariadb-init/.helmignore b/kubernetes/common/mariadb-init/.helmignore
index dadf202953..f4d0b92f20 100644
--- a/kubernetes/common/mariadb-init/.helmignore
+++ b/kubernetes/common/mariadb-init/.helmignore
@@ -21,3 +21,14 @@
*.tmproj
tests
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml
index fa89a669d2..6414785154 100644
--- a/kubernetes/common/mariadb-init/Chart.yaml
+++ b/kubernetes/common/mariadb-init/Chart.yaml
@@ -13,11 +13,11 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+---
apiVersion: v2
description: Chart for MariaDB Galera init job
name: mariadb-init
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
diff --git a/kubernetes/common/mariadb-init/templates/_configmap.tpl b/kubernetes/common/mariadb-init/templates/_configmap.tpl
index ea612a078d..8d111b5170 100644
--- a/kubernetes/common/mariadb-init/templates/_configmap.tpl
+++ b/kubernetes/common/mariadb-init/templates/_configmap.tpl
@@ -1,4 +1,4 @@
-{{/*
+{{- /*
# Copyright © 2019 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,7 +12,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
+*/ -}}
{{/*
Choose the name of the configmap to use.
diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
index 5563fe714d..fda93b52ef 100644
--- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl
+++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl
@@ -1,4 +1,4 @@
-{{/*
+{{- /*
# Copyright © 2019 Orange
# Copyright © 2020 Samsung Electronics
#
@@ -13,7 +13,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
+*/ -}}
{{/*
Choose the name of the mariadb secret to use.
diff --git a/kubernetes/common/mariadb-init/templates/configmap.yaml b/kubernetes/common/mariadb-init/templates/configmap.yaml
index 6708efdb60..6df329e8a5 100644
--- a/kubernetes/common/mariadb-init/templates/configmap.yaml
+++ b/kubernetes/common/mariadb-init/templates/configmap.yaml
@@ -1,4 +1,3 @@
-{{/*
# Copyright © 2019 Orange
# Modifications Copyright © 2018 AT&T
#
@@ -13,8 +12,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
-
+---
apiVersion: v1
kind: ConfigMap
metadata:
diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml
index 4bb142d001..d620bd2edc 100644
--- a/kubernetes/common/mariadb-init/templates/job.yaml
+++ b/kubernetes/common/mariadb-init/templates/job.yaml
@@ -1,4 +1,3 @@
-{{/*
# Copyright © 2019 Orange
# Copyright © 2020 Samsung Electronics
#
@@ -13,8 +12,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
-
+---
{{ include "mariadbInit._updateSecrets" . -}}
apiVersion: batch/v1
@@ -42,11 +40,13 @@ spec:
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.image.mariadb" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
command:
- /bin/sh
- -c
diff --git a/kubernetes/common/mariadb-init/templates/secret.yaml b/kubernetes/common/mariadb-init/templates/secret.yaml
index a9d9e0b704..b2876bcb82 100644
--- a/kubernetes/common/mariadb-init/templates/secret.yaml
+++ b/kubernetes/common/mariadb-init/templates/secret.yaml
@@ -1,4 +1,3 @@
-{{/*
# Copyright © 2017 Amdocs, Bell Canada, Orange
# Copyright © 2020 Samsung Electronics
#
@@ -13,8 +12,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
-
+---
{{ include "mariadbInit._updateSecrets" . -}}
{{ include "common.secretFast" . }}
diff --git a/kubernetes/common/mariadb-init/tests/job_test.yaml b/kubernetes/common/mariadb-init/tests/job_test.yaml
index cff8f947f8..33cd1c2dc3 100644
--- a/kubernetes/common/mariadb-init/tests/job_test.yaml
+++ b/kubernetes/common/mariadb-init/tests/job_test.yaml
@@ -98,11 +98,11 @@ tests:
- it: "should render with default value (volumes)"
asserts:
- contains:
- path: spec.template.spec.volumes
- content:
- name: mariadb-conf
- configMap:
- name: RELEASE-NAME-mariadb-init
+ path: spec.template.spec.volumes
+ content:
+ name: mariadb-conf
+ configMap:
+ name: RELEASE-NAME-mariadb-init
- it: "should render with nameOverride set"
set:
@@ -136,11 +136,11 @@ tests:
name: RELEASE-NAME-myJob-secret
key: db-user-password
- contains:
- path: spec.template.spec.volumes
- content:
- name: mariadb-conf
- configMap:
- name: RELEASE-NAME-myJob
+ path: spec.template.spec.volumes
+ content:
+ name: mariadb-conf
+ configMap:
+ name: RELEASE-NAME-myJob
- it: "should render with configmap set"
set:
@@ -158,8 +158,8 @@ tests:
set:
global:
mariadbGalera:
- nameOverride: myMaria
- servicePort: 545
+ nameOverride: myMaria
+ servicePort: 545
asserts:
- contains:
path: spec.template.spec.initContainers[0].args
@@ -187,10 +187,10 @@ tests:
set:
global:
mariadbGalera:
- nameOverride: myMaria
- servicePort: 545
- userRootSecret: galera-secret
- userRootSecretKey: root-password
+ nameOverride: myMaria
+ servicePort: 545
+ userRootSecret: galera-secret
+ userRootSecretKey: root-password
asserts:
- contains:
path: spec.template.spec.initContainers[0].args
@@ -230,11 +230,11 @@ tests:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key: kubernetes.io/e2e-az-name
- operator: In
- values:
- - e2e-az1
- - e2e-az2
+ - key: kubernetes.io/e2e-az-name
+ operator: In
+ values:
+ - e2e-az1
+ - e2e-az2
asserts:
- equal:
path: spec.template.spec.affinity
@@ -243,11 +243,11 @@ tests:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key: kubernetes.io/e2e-az-name
- operator: In
- values:
- - e2e-az1
- - e2e-az2
+ - key: kubernetes.io/e2e-az-name
+ operator: In
+ values:
+ - e2e-az1
+ - e2e-az2
- it: "should use large flavor"
set:
flavor: large
diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml
index 57dfb400c4..591477c5cf 100644
--- a/kubernetes/common/mariadb-init/values.yaml
+++ b/kubernetes/common/mariadb-init/values.yaml
@@ -11,7 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+---
#################################################################
# Global configuration defaults.
#################################################################
@@ -106,21 +106,25 @@ config:
# externalSecret: some-secret-name
config_map: default
+securityContext:
+ user_id: 100
+ group_id: 65533
+
nodeSelector: {}
affinity: {}
-#resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- #
- # Example:
- # Configure resource requests and limits
- # ref: http://kubernetes.io/docs/user-guide/compute-resources/
- # Minimum memory for development is 2 CPU cores and 4GB memory
- # Minimum memory for production is 4 CPU cores and 8GB memory
+# resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+#
+# Example:
+# Configure resource requests and limits
+# ref: http://kubernetes.io/docs/user-guide/compute-resources/
+# Minimum memory for development is 2 CPU cores and 4GB memory
+# Minimum memory for production is 4 CPU cores and 8GB memory
flavor: small
resources:
small:
@@ -139,7 +143,7 @@ resources:
memory: "20Mi"
unlimited: {}
-#Pods Service Account
+# Pods Service Account
serviceAccount:
nameOverride: mariadb-init
roles:
@@ -152,4 +156,4 @@ wait_for_job_container:
readinessCheck:
wait_for:
services:
- - '{{ include "common.mariadbService" . }}'
+ - '{{ include "common.mariadbService" . }}'
diff --git a/kubernetes/common/mongodb/Chart.yaml b/kubernetes/common/mongodb/Chart.yaml
index 2d6bf4bb4f..fc39ce3dee 100644
--- a/kubernetes/common/mongodb/Chart.yaml
+++ b/kubernetes/common/mongodb/Chart.yaml
@@ -40,4 +40,4 @@ maintainers:
name: mongodb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
-version: 14.12.3
+version: 14.12.4
diff --git a/kubernetes/common/mongodb/README.md b/kubernetes/common/mongodb/README.md
index 065e047fdc..a4d1803a9f 100644
--- a/kubernetes/common/mongodb/README.md
+++ b/kubernetes/common/mongodb/README.md
@@ -1117,4 +1117,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
-limitations under the License. \ No newline at end of file
+limitations under the License.
diff --git a/kubernetes/common/mongodb/common/templates/_images.tpl b/kubernetes/common/mongodb/common/templates/_images.tpl
index 1bcb779df5..e6acf9e3c6 100644
--- a/kubernetes/common/mongodb/common/templates/_images.tpl
+++ b/kubernetes/common/mongodb/common/templates/_images.tpl
@@ -114,4 +114,3 @@ Return the proper image version (ingores image revision/prerelease info & fallba
{{- print .chart.AppVersion -}}
{{- end -}}
{{- end -}}
-
diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
index 041b0cb51d..ee033e9437 100644
--- a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
@@ -274,7 +274,8 @@ spec:
{{- end }}
volumes:
- name: empty-dir
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}
- name: common-scripts
configMap:
@@ -287,7 +288,8 @@ spec:
{{- end }}
{{- if and .Values.tls.enabled .Values.arbiter.enabled }}
- name: certs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
secret:
diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
index 2e884b14b9..44c297accd 100644
--- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
@@ -167,7 +167,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: 64Mi
+ sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
index 08a55ebd06..a64002a30a 100644
--- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
@@ -515,7 +515,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: 64Mi
+ sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/networkpolicy.yaml b/kubernetes/common/mongodb/templates/networkpolicy.yaml
index f6d62ca867..63c4d715d4 100644
--- a/kubernetes/common/mongodb/templates/networkpolicy.yaml
+++ b/kubernetes/common/mongodb/templates/networkpolicy.yaml
@@ -80,4 +80,4 @@ spec:
{{- if $extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
index b171eca005..089119c970 100644
--- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
@@ -513,7 +513,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: 64Mi
+ sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
index 6f63f0be5b..619533d8d0 100644
--- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
+++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
@@ -438,7 +438,7 @@ spec:
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: 64Mi
+ sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/values.yaml b/kubernetes/common/mongodb/values.yaml
index 9612859392..7628846a3e 100644
--- a/kubernetes/common/mongodb/values.yaml
+++ b/kubernetes/common/mongodb/values.yaml
@@ -307,6 +307,14 @@ hostAliases: []
## @param replicaSetName Name of the replica set (only when `architecture=replicaset`)
## Ignored when mongodb.architecture=standalone
##
+replicaSet:
+ emptyDir:
+ sizeLimit: 1Gi
+
+standalone:
+ emptyDir:
+ sizeLimit: 1Gi
+
replicaSetName: rs0
## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`)
## Ignored when mongodb.architecture=standalone
@@ -1166,6 +1174,8 @@ backup:
## @param backup.enabled Enable the logical dump of the database "regularly"
##
enabled: false
+ emptyDir:
+ sizeLimit: 1Gi
## Fine tuning cronjob's config
##
cronjob:
@@ -1438,6 +1448,8 @@ volumePermissions:
## @section Arbiter parameters
##
arbiter:
+ emptyDir:
+ sizeLimit: 1Gi
## @param arbiter.enabled Enable deploying the arbiter
## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/
##
@@ -1616,8 +1628,8 @@ arbiter:
allowPrivilegeEscalation: false
capabilities:
drop:
- - ALL
- - CAP_NET_RAW
+ - ALL
+ - CAP_NET_RAW
seccompProfile:
type: "RuntimeDefault"
## MongoDB(&reg;) Arbiter containers' resource requests and limits.
@@ -1783,6 +1795,8 @@ hidden:
## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/
##
enabled: false
+ emptyDir:
+ sizeLimit: 1Gi
## @param hidden.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
@@ -1960,9 +1974,7 @@ hidden:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
- drop:
- - ALL
- - CAP_NET_RAW
+ drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## MongoDB(&reg;) Hidden containers' resource requests and limits.
@@ -1971,7 +1983,7 @@ hidden:
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production).
+ ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
diff --git a/kubernetes/common/postgres-init/.helmignore b/kubernetes/common/postgres-init/.helmignore
index f0c1319444..0bab41b6b1 100644
--- a/kubernetes/common/postgres-init/.helmignore
+++ b/kubernetes/common/postgres-init/.helmignore
@@ -19,3 +19,14 @@
.project
.idea/
*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml
index 81f566f9e1..be9ecc2f5f 100644
--- a/kubernetes/common/postgres-init/Chart.yaml
+++ b/kubernetes/common/postgres-init/Chart.yaml
@@ -31,4 +31,4 @@ dependencies:
repository: '@local'
- name: serviceAccount
version: ~13.x-0
- repository: '@local' \ No newline at end of file
+ repository: '@local'
diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml
index 160e6720ed..cede7e0976 100644
--- a/kubernetes/common/postgres-init/values.yaml
+++ b/kubernetes/common/postgres-init/values.yaml
@@ -104,4 +104,4 @@ readinessCheck:
wait_for_job_container:
containers:
- - '{{ include "common.name" . }}-update-config' \ No newline at end of file
+ - '{{ include "common.name" . }}-update-config'
diff --git a/kubernetes/common/postgres/.helmignore b/kubernetes/common/postgres/.helmignore
index f0c1319444..0bab41b6b1 100644
--- a/kubernetes/common/postgres/.helmignore
+++ b/kubernetes/common/postgres/.helmignore
@@ -19,3 +19,14 @@
.project
.idea/
*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml
index 3920d8e73d..d1fb768cc5 100644
--- a/kubernetes/common/postgres/Chart.yaml
+++ b/kubernetes/common/postgres/Chart.yaml
@@ -25,4 +25,4 @@ dependencies:
repository: 'file://../common'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator' \ No newline at end of file
+ repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/postgres/configs/pg_hba.conf b/kubernetes/common/postgres/configs/pg_hba.conf
index 580185c6f0..d8918409e8 100644
--- a/kubernetes/common/postgres/configs/pg_hba.conf
+++ b/kubernetes/common/postgres/configs/pg_hba.conf
@@ -65,4 +65,3 @@
#local all all trust
# IPv4 local connections:
host all all 0.0.0.0/0 md5
-
diff --git a/kubernetes/common/postgres/templates/deployment-primary.yaml b/kubernetes/common/postgres/templates/deployment-primary.yaml
index 535eefa8cf..7947559211 100644
--- a/kubernetes/common/postgres/templates/deployment-primary.yaml
+++ b/kubernetes/common/postgres/templates/deployment-primary.yaml
@@ -15,4 +15,4 @@
*/}}
{{- if not .Values.global.postgres.useOperator }}
{{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/deployment-replica.yaml b/kubernetes/common/postgres/templates/deployment-replica.yaml
index 97c7e11053..246e1e9a07 100644
--- a/kubernetes/common/postgres/templates/deployment-replica.yaml
+++ b/kubernetes/common/postgres/templates/deployment-replica.yaml
@@ -15,4 +15,4 @@
*/}}
{{- if not .Values.global.postgres.useOperator }}
{{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml
index 00a5182eb1..b8d7912210 100644
--- a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml
+++ b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml
@@ -35,4 +35,4 @@ spec:
name: {{ .Values.container.name.primary }}
release: {{ include "common.release" . }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml
index b8b9e793e8..6d9990a7bc 100644
--- a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml
+++ b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml
@@ -35,4 +35,4 @@ spec:
name: {{ .Values.container.name.replica }}
release: {{ include "common.release" . }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/postgres.yaml b/kubernetes/common/postgres/templates/postgres.yaml
index aca6aa260f..0dad7f5886 100644
--- a/kubernetes/common/postgres/templates/postgres.yaml
+++ b/kubernetes/common/postgres/templates/postgres.yaml
@@ -16,4 +16,4 @@
{{- if .Values.global.postgres.useOperator }}
{{ include "common.postgresOpInstance" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/pv-primary.yaml b/kubernetes/common/postgres/templates/pv-primary.yaml
index 8db79d665e..9e73ceb8e3 100644
--- a/kubernetes/common/postgres/templates/pv-primary.yaml
+++ b/kubernetes/common/postgres/templates/pv-primary.yaml
@@ -38,4 +38,4 @@ spec:
path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/primary
{{- end -}}
{{- end -}}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/pvc-replica.yaml b/kubernetes/common/postgres/templates/pvc-replica.yaml
index f59adf736a..e71284fcec 100644
--- a/kubernetes/common/postgres/templates/pvc-replica.yaml
+++ b/kubernetes/common/postgres/templates/pvc-replica.yaml
@@ -43,4 +43,4 @@ spec:
storageClassName: {{ include "common.storageClass" . }}
{{- end }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/service-replica.yaml b/kubernetes/common/postgres/templates/service-replica.yaml
index 68694561bd..878a02ef66 100644
--- a/kubernetes/common/postgres/templates/service-replica.yaml
+++ b/kubernetes/common/postgres/templates/service-replica.yaml
@@ -40,4 +40,4 @@ spec:
selector:
name: "{{.Values.container.name.replica}}"
release: {{ include "common.release" . }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/postgres/templates/servicemonitor.yaml b/kubernetes/common/postgres/templates/servicemonitor.yaml
index 522e515545..3fb716b133 100644
--- a/kubernetes/common/postgres/templates/servicemonitor.yaml
+++ b/kubernetes/common/postgres/templates/servicemonitor.yaml
@@ -17,4 +17,4 @@
{{- if .Values.metrics.serviceMonitor.enabled }}
{{ include "common.serviceMonitor" . }}
{{- end }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/readinessCheck/.helmignore b/kubernetes/common/readinessCheck/.helmignore
new file mode 100644
index 0000000000..0bab41b6b1
--- /dev/null
+++ b/kubernetes/common/readinessCheck/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml
index bb2986a9fb..bd8adbfcea 100644
--- a/kubernetes/common/readinessCheck/Chart.yaml
+++ b/kubernetes/common/readinessCheck/Chart.yaml
@@ -17,7 +17,7 @@
apiVersion: v2
description: Template used to wait for other deployment/sts/jobs in onap
name: readinessCheck
-version: 13.1.0
+version: 13.1.1
dependencies:
- name: common
@@ -25,4 +25,4 @@ dependencies:
repository: 'file://../common'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator' \ No newline at end of file
+ repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
index 51791fec13..42f526148a 100644
--- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
+++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl
@@ -95,6 +95,13 @@
securityContext:
runAsUser: {{ $subchartDot.Values.user }}
runAsGroup: {{ $subchartDot.Values.group }}
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
command:
- /app/ready.py
args:
diff --git a/kubernetes/common/repositoryGenerator/.helmignore b/kubernetes/common/repositoryGenerator/.helmignore
new file mode 100644
index 0000000000..0bab41b6b1
--- /dev/null
+++ b/kubernetes/common/repositoryGenerator/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/serviceAccount/.helmignore b/kubernetes/common/serviceAccount/.helmignore
new file mode 100644
index 0000000000..0bab41b6b1
--- /dev/null
+++ b/kubernetes/common/serviceAccount/.helmignore
@@ -0,0 +1,32 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
index 7afd31f4d9..4e3eab3712 100644
--- a/kubernetes/common/serviceAccount/Chart.yaml
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -23,4 +23,4 @@ version: 13.0.1
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common' \ No newline at end of file
+ repository: 'file://../common'
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 83cb945ba9..d6d041f916 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -128,6 +128,7 @@ rules:
- pods/exec
verbs:
- create
+ - get
- apiGroups:
- cert-manager.io
resources:
diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml
index 20bd94f49a..683d5d2984 100644
--- a/kubernetes/common/serviceAccount/templates/service-account.yaml
+++ b/kubernetes/common/serviceAccount/templates/service-account.yaml
@@ -21,4 +21,4 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
-{{- end }} \ No newline at end of file
+{{- end }}
diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore
index 50af031725..0bab41b6b1 100644
--- a/kubernetes/common/timescaledb/.helmignore
+++ b/kubernetes/common/timescaledb/.helmignore
@@ -19,4 +19,14 @@
.project
.idea/
*.tmproj
-.vscode/
+# Project/CI/CD related items
+.gitlab
+.gitlab-ci.yml
+.dockerignore
+# Helm build files
+.helmignore
+.cache/
+.config/
+.local/
+# OOM specific dirs
+components/
diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml
index d8b9869817..dd92121eb8 100644
--- a/kubernetes/common/timescaledb/Chart.yaml
+++ b/kubernetes/common/timescaledb/Chart.yaml
@@ -33,4 +33,4 @@ dependencies:
repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator' \ No newline at end of file
+ repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml
index 653326be5f..bee389f191 100644
--- a/kubernetes/common/timescaledb/templates/statefulset.yaml
+++ b/kubernetes/common/timescaledb/templates/statefulset.yaml
@@ -30,22 +30,6 @@ spec:
spec:
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
{{ include "common.podSecurityContext" . | indent 10 | trim}}
- initContainers:
- # we shouldn't need this but for unknown reason, it's fsGroup is not
- # applied
- - name: fix-permission
- command:
- - /bin/sh
- args:
- - -c
- - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data
- image: {{ include "repositoryGenerator.image.busybox" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- securityContext:
- runAsUser: 0
- volumeMounts:
- - mountPath: /var/lib/postgresql/data
- name: {{ include "common.fullname" . }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
index 7b30414fa3..8596dcd2e1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
@@ -41,5 +41,5 @@ dependencies:
version: ~13.x-0
repository: '@local'
- name: mongodb
- version: 14.12.3
+ version: ~14.12.x-0
repository: '@local' \ No newline at end of file
diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml
index 2795a2b5e5..4bb57063ad 100644
--- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml
+++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml
@@ -23,7 +23,11 @@ spec:
template:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
- {{ include "common.podSecurityContext" . | indent 6 | trim}}
+ # temporarily use less restrictions
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ runAsGroup: {{ .Values.securityContext.group_id }}
+ fsGroup: {{ .Values.securityContext.group_id }}
initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 8 }}
- name: {{ include "common.name" . }}-permission-fixer
securityContext:
diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
index 8d50814fd0..5dc375290a 100644
--- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
+++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
@@ -27,7 +27,7 @@ dependencies:
# be published independently to a repo (at this point)
repository: '@local'
- name: mongodb
- version: 14.12.3
+ version: ~14.12.x-0
repository: '@local'
- name: etcd
version: ~13.x-0
diff --git a/kubernetes/nbi/Chart.yaml b/kubernetes/nbi/Chart.yaml
index 6f403f7f74..3ffd2a1f81 100644
--- a/kubernetes/nbi/Chart.yaml
+++ b/kubernetes/nbi/Chart.yaml
@@ -27,7 +27,7 @@ dependencies:
# be published independently to a repo (at this point)
repository: '@local'
- name: mongodb
- version: 14.12.3
+ version: ~14.12.x-0
repository: '@local'
- name: mariadb-galera
version: ~13.x-0
diff --git a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml
index 3956255fb2..fea1a1a614 100644
--- a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml
+++ b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml
@@ -27,21 +27,6 @@ spec:
metadata: {{- include "common.templateMetadata" . | nindent 6 }}
spec:
{{ include "common.podSecurityContext" . | indent 7 | trim}}
- initContainers:
- - name: volume-permissions
- image: {{ include "repositoryGenerator.image.busybox" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - sh
- args:
- - "-c"
- - |
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} //chartmuseum-persist
- securityContext:
- runAsUser: 0
- volumeMounts:
- - name: chart-persistent
- mountPath: "/chartmuseum-persist"
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ .Values.image }}
diff --git a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml
index ab28bf2949..4b62b5def2 100644
--- a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml
+++ b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml
@@ -47,5 +47,5 @@ dependencies:
version: ~13.x-0
repository: '@local'
- name: mongodb
- version: 14.12.3
+ version: ~14.12.x-0
repository: '@local'
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml
index 8f8c494a68..96088586fc 100644
--- a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml
+++ b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml
@@ -47,7 +47,7 @@ dependencies:
version: ~13.x-0
repository: '@local'
- name: mongodb
- version: 14.12.3
+ version: ~14.12.x-0
repository: '@local'