author | Andreas Geissler <andreas-geissler@telekom.de> | 2024-05-08 15:18:55 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2024-07-05 09:25:23 +0200 |
commit | dc8c05476d316a16627d5b0934b69c3a9ecc38b7 (patch) | |
tree | 89c3b4a84a44c6e5db7086dfdc83630c17e6455b /kubernetes/common/mariadb-init | |
parent | 0f3311521a169a4774064f9c948460c955620f62 (diff) |
[COMMON] Fix Kyverno Policies
common:
- Add settings to common pod templates and fix Cassandra
serviceMesh and MariaDB operator templates
- Added template for mongodb
- Empty lines to files added
readinessCheck:
- Add missing security settings
mariadb-init:
- add security settings in job
cassandra:
- Empty lines added to files
mongodb:
- make emptyDir volume size configurable
others:
- update chart dependency for mongodb in components
- fix linter errors in all files
Issue-ID: OOM-3295
Issue-ID: OOM-3296
Change-Id: Ieb64be337013e0477f7aaca9c75bb6a3f3264848
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/common/mariadb-init')
-rw-r--r-- | kubernetes/common/mariadb-init/.helmignore | 11 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/Chart.yaml | 4 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/templates/_configmap.tpl | 4 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/templates/_mariadb.tpl | 4 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/templates/configmap.yaml | 4 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/templates/job.yaml | 6 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/templates/secret.yaml | 4 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/tests/job_test.yaml | 52 | ||||
-rw-r--r-- | kubernetes/common/mariadb-init/values.yaml | 32 |
9 files changed, 66 insertions, 55 deletions
diff --git a/kubernetes/common/mariadb-init/.helmignore b/kubernetes/common/mariadb-init/.helmignore index dadf202953..f4d0b92f20 100644 --- a/kubernetes/common/mariadb-init/.helmignore +++ b/kubernetes/common/mariadb-init/.helmignore @@ -21,3 +21,14 @@ *.tmproj tests +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index fa89a669d2..6414785154 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -13,11 +13,11 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- apiVersion: v2 description: Chart for MariaDB Galera init job name: mariadb-init -version: 13.0.0 +version: 13.0.1 dependencies: - name: common diff --git a/kubernetes/common/mariadb-init/templates/_configmap.tpl b/kubernetes/common/mariadb-init/templates/_configmap.tpl index ea612a078d..8d111b5170 100644 --- a/kubernetes/common/mariadb-init/templates/_configmap.tpl +++ b/kubernetes/common/mariadb-init/templates/_configmap.tpl @@ -1,4 +1,4 @@ -{{/* +{{- /* # Copyright © 2019 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -12,7 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} +*/ -}} {{/* Choose the name of the configmap to use. diff --git a/kubernetes/common/mariadb-init/templates/_mariadb.tpl b/kubernetes/common/mariadb-init/templates/_mariadb.tpl index 5563fe714d..fda93b52ef 100644 --- a/kubernetes/common/mariadb-init/templates/_mariadb.tpl +++ b/kubernetes/common/mariadb-init/templates/_mariadb.tpl 
@@ -1,4 +1,4 @@ -{{/* +{{- /* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics # @@ -13,7 +13,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} +*/ -}} {{/* Choose the name of the mariadb secret to use. diff --git a/kubernetes/common/mariadb-init/templates/configmap.yaml b/kubernetes/common/mariadb-init/templates/configmap.yaml index 6708efdb60..6df329e8a5 100644 --- a/kubernetes/common/mariadb-init/templates/configmap.yaml +++ b/kubernetes/common/mariadb-init/templates/configmap.yaml @@ -1,4 +1,3 @@ -{{/* # Copyright © 2019 Orange # Modifications Copyright © 2018 AT&T # @@ -13,8 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} - +--- apiVersion: v1 kind: ConfigMap metadata: diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index 4bb142d001..d620bd2edc 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml @@ -1,4 +1,3 @@ -{{/* # Copyright © 2019 Orange # Copyright © 2020 Samsung Electronics # @@ -13,8 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} - +--- {{ include "mariadbInit._updateSecrets" . -}} apiVersion: batch/v1 
@@ -42,11 +40,13 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.image.mariadb" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - /bin/sh - -c diff --git a/kubernetes/common/mariadb-init/templates/secret.yaml b/kubernetes/common/mariadb-init/templates/secret.yaml index a9d9e0b704..b2876bcb82 100644 --- a/kubernetes/common/mariadb-init/templates/secret.yaml +++ b/kubernetes/common/mariadb-init/templates/secret.yaml @@ -1,4 +1,3 @@ -{{/* # Copyright © 2017 Amdocs, Bell Canada, Orange # Copyright © 2020 Samsung Electronics # @@ -13,8 +12,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -*/}} - +--- {{ include "mariadbInit._updateSecrets" . -}} {{ include "common.secretFast" . }} diff --git a/kubernetes/common/mariadb-init/tests/job_test.yaml b/kubernetes/common/mariadb-init/tests/job_test.yaml index cff8f947f8..33cd1c2dc3 100644 --- a/kubernetes/common/mariadb-init/tests/job_test.yaml +++ b/kubernetes/common/mariadb-init/tests/job_test.yaml @@ -98,11 +98,11 @@ tests: - it: "should render with default value (volumes)" asserts: - contains: - path: spec.template.spec.volumes - content: - name: mariadb-conf - configMap: - name: RELEASE-NAME-mariadb-init + path: spec.template.spec.volumes + content: + name: mariadb-conf + configMap: + name: RELEASE-NAME-mariadb-init - it: "should render with nameOverride set" set: 
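Review bot: The two security-context includes added to the Job in templates/job.yaml (`common.podSecurityContext` on the pod spec, `common.containerSecurityContext` on the main container) have no matching assertion in tests/job_test.yaml; the job_test.yaml hunks visible in this commit only re-indent existing cases. A later edit to the common templates or to `securityContext` in values.yaml could therefore drop the hardening without any test failing. I would add a case that uses the existing `equal` assert on `spec.template.spec.securityContext` and on `spec.template.spec.containers[0].securityContext`, with expected values taken from what the common templates render (not shown here). The container-level include covers only the main container: the init container is produced by `common.readinessCheck.waitFor`, so its settings depend on that template, which lies outside this diff, as do the start and end of the pod spec.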
@@ -136,11 +136,11 @@ tests: name: RELEASE-NAME-myJob-secret key: db-user-password - contains: - path: spec.template.spec.volumes - content: - name: mariadb-conf - configMap: - name: RELEASE-NAME-myJob + path: spec.template.spec.volumes + content: + name: mariadb-conf + configMap: + name: RELEASE-NAME-myJob - it: "should render with configmap set" set: @@ -158,8 +158,8 @@ tests: set: global: mariadbGalera: - nameOverride: myMaria - servicePort: 545 + nameOverride: myMaria + servicePort: 545 asserts: - contains: path: spec.template.spec.initContainers[0].args @@ -187,10 +187,10 @@ tests: set: global: mariadbGalera: - nameOverride: myMaria - servicePort: 545 - userRootSecret: galera-secret - userRootSecretKey: root-password + nameOverride: myMaria + servicePort: 545 + userRootSecret: galera-secret + userRootSecretKey: root-password asserts: - contains: path: spec.template.spec.initContainers[0].args @@ -230,11 +230,11 @@ tests: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: kubernetes.io/e2e-az-name - operator: In - values: - - e2e-az1 - - e2e-az2 + - key: kubernetes.io/e2e-az-name + operator: In + values: + - e2e-az1 + - e2e-az2 asserts: - equal: path: spec.template.spec.affinity @@ -243,11 +243,11 @@ tests: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: kubernetes.io/e2e-az-name - operator: In - values: - - e2e-az1 - - e2e-az2 + - key: kubernetes.io/e2e-az-name + operator: In + values: + - e2e-az1 + - e2e-az2 - it: "should use large flavor" set: flavor: large diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 57dfb400c4..591477c5cf 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml 
@@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- ################################################################# # Global configuration defaults. ################################################################# @@ -106,21 +106,25 @@ config: # externalSecret: some-secret-name config_map: default +securityContext: + user_id: 100 + group_id: 65533 + nodeSelector: {} affinity: {} -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory +# resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory flavor: small resources: small: @@ -139,7 +143,7 @@ resources: memory: "20Mi" unlimited: {} -#Pods Service Account +# Pods Service Account serviceAccount: nameOverride: mariadb-init roles: 
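Review bot: The new `securityContext` defaults in values.yaml (`user_id: 100`, `group_id: 65533`) carry no comment saying what they are for or which account they are meant to match, while other blocks in the file (for example `resources`) are explained. Anyone overriding the MariaDB image needs to know that these IDs must still be able to run the job script and read the mounted config, and that they should stay non-root. A line such as `# UID/GID the init job runs as via the common security-context templates; keep non-root and valid for the configured image` above the key would cover it. How the common templates consume these keys is not visible in this diff, so the wording should be checked against them.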
@@ -152,4 +156,4 @@ wait_for_job_container: readinessCheck: wait_for: services: - - '{{ include "common.mariadbService" . }}' + - '{{ include "common.mariadbService" . }}' |