author | Andreas Geissler <andreas-geissler@telekom.de> | 2024-05-08 15:18:55 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2024-07-05 09:25:23 +0200 |
commit | dc8c05476d316a16627d5b0934b69c3a9ecc38b7 (patch) | |
tree | 89c3b4a84a44c6e5db7086dfdc83630c17e6455b /kubernetes/common/mongodb | |
parent | 0f3311521a169a4774064f9c948460c955620f62 (diff) |
[COMMON] Fix Kyverno Policies
common:
- Add settings to common pod templates and fix Cassandra
serviceMesh and MariaDB operator templates
- Added template for mongodb
- Empty lines to files added
readinessCheck:
- Add missing security settings
mariadb-init:
- add security settings in job
cassandra:
- Empty lines added to files
mongodb:
- make emptyDir volume size configurable
others:
- update chart dependency for mongodb in components
- fix linter errors in all files
Issue-ID: OOM-3295
Issue-ID: OOM-3296
Change-Id: Ieb64be337013e0477f7aaca9c75bb6a3f3264848
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/common/mongodb')
10 files changed, 29 insertions, 16 deletions
diff --git a/kubernetes/common/mongodb/Chart.yaml b/kubernetes/common/mongodb/Chart.yaml index 2d6bf4bb4f..fc39ce3dee 100644 --- a/kubernetes/common/mongodb/Chart.yaml +++ b/kubernetes/common/mongodb/Chart.yaml @@ -40,4 +40,4 @@ maintainers: name: mongodb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mongodb -version: 14.12.3 +version: 14.12.4 diff --git a/kubernetes/common/mongodb/README.md b/kubernetes/common/mongodb/README.md index 065e047fdc..a4d1803a9f 100644 --- a/kubernetes/common/mongodb/README.md +++ b/kubernetes/common/mongodb/README.md @@ -1117,4 +1117,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License.
\ No newline at end of file +limitations under the License. diff --git a/kubernetes/common/mongodb/common/templates/_images.tpl b/kubernetes/common/mongodb/common/templates/_images.tpl index 1bcb779df5..e6acf9e3c6 100644 --- a/kubernetes/common/mongodb/common/templates/_images.tpl +++ b/kubernetes/common/mongodb/common/templates/_images.tpl @@ -114,4 +114,3 @@ Return the proper image version (ingores image revision/prerelease info & fallba {{- print .chart.AppVersion -}} {{- end -}} {{- end -}} - diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml index 041b0cb51d..ee033e9437 100644 --- a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml @@ -274,7 +274,8 @@ spec: {{- end }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} - name: common-scripts configMap: @@ -287,7 +288,8 @@ spec: {{- end }} {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml index 2e884b14b9..44c297accd 100644 --- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml +++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml @@ -167,7 +167,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: 64Mi + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} 
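Review bot: The templated `sizeLimit` on the `empty-dir` volume in arbiter/statefulset.yaml has no fallback, so an override that blanks `arbiter.emptyDir.sizeLimit` would render an empty value and, as far as I can tell, leave the volume with no limit at all. The limit is what stops a pod from filling the node's ephemeral storage, so the template should fail closed: `sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit | default "64Mi" }}`, or wrap the value in `required` so a missing setting aborts rendering. The `certs` volume in the second hunk keeps a literal `64Mi` and is not affected. The `spec:` block continues outside both hunks.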
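Review bot: The `empty-dir` volume in backup/cronjob.yaml reads `.Values.arbiter.emptyDir.sizeLimit` rather than the `backup.emptyDir.sizeLimit` key this commit adds to values.yaml, so the arbiter setting silently sizes the backup pod's scratch space. The same reference appears in the hunks for hidden/statefulset.yaml, replicaset/statefulset.yaml and standalone/dep-sts.yaml, which leaves `hidden.emptyDir`, `replicaSet.emptyDir` and `standalone.emptyDir` unused in the hunks shown. Each template should read its own key, here `sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }}`. The effective default for these four workloads also moves from 64Mi to 1Gi, which the commit message should state if it is intended.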
diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml index 08a55ebd06..a64002a30a 100644 --- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml @@ -515,7 +515,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: 64Mi + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/mongodb/templates/networkpolicy.yaml b/kubernetes/common/mongodb/templates/networkpolicy.yaml index f6d62ca867..63c4d715d4 100644 --- a/kubernetes/common/mongodb/templates/networkpolicy.yaml +++ b/kubernetes/common/mongodb/templates/networkpolicy.yaml @@ -80,4 +80,4 @@ spec: {{- if $extraIngress }} {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} {{- end }} -{{- end }}
\ No newline at end of file +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml index b171eca005..089119c970 100644 --- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml @@ -513,7 +513,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: 64Mi + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml index 6f63f0be5b..619533d8d0 100644 --- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml @@ -438,7 +438,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: 64Mi + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/mongodb/values.yaml b/kubernetes/common/mongodb/values.yaml index 9612859392..7628846a3e 100644 --- a/kubernetes/common/mongodb/values.yaml +++ b/kubernetes/common/mongodb/values.yaml @@ -307,6 +307,14 @@ hostAliases: [] ## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) ## Ignored when mongodb.architecture=standalone ## +replicaSet: + emptyDir: + sizeLimit: 1Gi + +standalone: + emptyDir: + sizeLimit: 1Gi + replicaSetName: rs0 ## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) ## Ignored when mongodb.architecture=standalone @@ -1166,6 +1174,8 @@ backup: ## @param backup.enabled Enable the logical dump of the database "regularly" ## enabled: false + emptyDir: + sizeLimit: 1Gi ## Fine tuning cronjob's config ## cronjob: 
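Review bot: In the first values.yaml hunk the new `replicaSet:` and `standalone:` blocks land between the `## @param replicaSetName` comment and the `replicaSetName: rs0` key it documents, so the comment now sits above the wrong keys. Move the two blocks below `replicaSetName: rs0` and give each a doc line in the file's style, for example `## @param replicaSet.emptyDir.sizeLimit Size limit of the empty-dir volume for replica set pods`. The `backup.emptyDir` key in the next hunk and the `arbiter.emptyDir` and `hidden.emptyDir` keys further down lack the same `## @param` line.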
@@ -1438,6 +1448,8 @@ volumePermissions: ## @section Arbiter parameters ## arbiter: + emptyDir: + sizeLimit: 1Gi ## @param arbiter.enabled Enable deploying the arbiter ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ ## @@ -1616,8 +1628,8 @@ arbiter: allowPrivilegeEscalation: false capabilities: drop: - - ALL - - CAP_NET_RAW + - ALL + - CAP_NET_RAW seccompProfile: type: "RuntimeDefault" ## MongoDB(®) Arbiter containers' resource requests and limits. @@ -1783,6 +1795,8 @@ hidden: ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ ## enabled: false + emptyDir: + sizeLimit: 1Gi ## @param hidden.automountServiceAccountToken Mount Service Account token in pod ## automountServiceAccountToken: false @@ -1960,9 +1974,7 @@ hidden: readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: - drop: - - ALL - - CAP_NET_RAW + drop: ["ALL"] seccompProfile: type: "RuntimeDefault" ## MongoDB(®) Hidden containers' resource requests and limits. @@ -1971,7 +1983,7 @@ hidden: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). + ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## resourcesPreset: "none" |
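Review bot: The hidden containers' `capabilities` list is reduced to `drop: ["ALL"]`, while the arbiter block earlier in this file keeps both `ALL` and `CAP_NET_RAW` and is only re-indented. At runtime `ALL` already covers NET_RAW, but a policy that matches the literal `CAP_NET_RAW` entry would pass the arbiter pods and reject the hidden ones; the Kyverno rules in force are not visible from this diff. Keep the two blocks identical, either `drop: ["ALL", "CAP_NET_RAW"]` here or the short form in both, and add a one-line comment naming the policy that dictates the list. The `hidden:` securityContext starts outside the hunk.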