Prequel changes to adding security context to the AppRepo cleanup jobs #6646

Merged
merged 10 commits into from
Aug 21, 2023
57 changes: 54 additions & 3 deletions chart/kubeapps/README.md
Expand Up @@ -485,13 +485,13 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `kubeappsapis.containerSecurityContext.runAsUser` | Set KubeappsAPIs container's Security Context runAsUser | `1001` |
| `kubeappsapis.containerSecurityContext.runAsNonRoot` | Set KubeappsAPIs container's Security Context runAsNonRoot | `true` |
| `kubeappsapis.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `kubeappsapis.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `kubeappsapis.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `kubeappsapis.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `kubeappsapis.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `kubeappsapis.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `kubeappsapis.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `kubeappsapis.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `kubeappsapis.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `kubeappsapis.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `kubeappsapis.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `kubeappsapis.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `kubeappsapis.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
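Review bot: the two changed default rows, `kubeappsapis.livenessProbe.initialDelaySeconds` (`60` to `10`) and `kubeappsapis.readinessProbe.initialDelaySeconds` (`0` to `5`), are outside what the PR title describes, which is security context for the AppRepo cleanup jobs. The new numbers equal the hard-coded `initialDelaySeconds` lines removed from `chart/kubeapps/templates/kubeappsapis/deployment.yaml` further down, so state that link in the PR description and confirm `values.yaml` carries the same defaults, so that the README and the rendered probes agree.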
Expand Down Expand Up @@ -533,6 +533,57 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `kubeappsapis.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` |
| `kubeappsapis.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |

### OCI Catalog chart configuration

| Name | Description | Value |
| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------- |
| `ociCatalog.enabled` | Enable the OCI catalog gRPC service for cataloging | `false` |
| `ociCatalog.image.registry` | OCI Catalog image registry | `docker.io` |
| `ociCatalog.image.repository` | OCI Catalog image repository | `kubeapps/oci-catalog` |
| `ociCatalog.image.tag` | OCI Catalog image tag (immutable tags are recommended) | `latest` |
| `ociCatalog.image.digest` | OCI Catalog image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `ociCatalog.image.pullPolicy` | OCI Catalog image pull policy | `IfNotPresent` |
| `ociCatalog.image.pullSecrets` | Dashboard image pull secrets | `[]` |
| `ociCatalog.image.debug` | Enable image debug mode | `false` |
| `ociCatalog.extraFlags` | Additional command line flags for OCI Catalog | `[]` |
| `ociCatalog.extraEnvVars` | Array with extra environment variables to add to the oci-catalog container | `[]` |
| `ociCatalog.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the OCI Catalog container | `""` |
| `ociCatalog.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the OCI Catalog container | `""` |
| `ociCatalog.containerPorts.grpc` | OCI Catalog gRPC container port | `50061` |
| `ociCatalog.resources.limits.cpu` | The CPU limits for the OCI Catalog container | `250m` |
| `ociCatalog.resources.limits.memory` | The memory limits for the OCI Catalog container | `256Mi` |
| `ociCatalog.resources.requests.cpu` | The requested CPU for the OCI Catalog container | `25m` |
| `ociCatalog.resources.requests.memory` | The requested memory for the OCI Catalog container | `32Mi` |
| `ociCatalog.containerSecurityContext.enabled` | Enabled OCI Catalog containers' Security Context | `true` |
| `ociCatalog.containerSecurityContext.runAsUser` | Set OCI Catalog container's Security Context runAsUser | `1001` |
| `ociCatalog.containerSecurityContext.runAsNonRoot` | Set OCI Catalog container's Security Context runAsNonRoot | `true` |
| `ociCatalog.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `ociCatalog.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `ociCatalog.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `ociCatalog.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `ociCatalog.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `ociCatalog.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `ociCatalog.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `ociCatalog.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `ociCatalog.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `ociCatalog.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `ociCatalog.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `ociCatalog.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `ociCatalog.startupProbe.enabled` | Enable startupProbe | `false` |
| `ociCatalog.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `ociCatalog.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `ociCatalog.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `ociCatalog.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
| `ociCatalog.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `ociCatalog.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `ociCatalog.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `ociCatalog.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `ociCatalog.lifecycleHooks` | Custom lifecycle hooks for OCI Catalog containers | `{}` |
| `ociCatalog.command` | Override default container command (useful when using custom images) | `[]` |
| `ociCatalog.args` | Override default container args (useful when using custom images) | `[]` |
| `ociCatalog.extraVolumes` | Optionally specify extra list of additional volumes for the OCI Catalog pod(s) | `[]` |
| `ociCatalog.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the OCI Catalog container(s) | `[]` |

### Redis® chart configuration

| Name | Description | Value |
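Review bot: `ociCatalog.image.tag` defaults to `latest` in the same row that recommends immutable tags, and with `ociCatalog.image.pullPolicy` at `IfNotPresent` a node that already holds an older `latest` keeps running it. Default to a pinned version tag, or set `ociCatalog.image.digest`. Two smaller points in this table: the `ociCatalog.image.pullSecrets` description still reads "Dashboard image pull secrets", and the documented `ociCatalog.containerSecurityContext` keys stop at `runAsUser` and `runAsNonRoot`; for a new service, consider also defaulting `allowPrivilegeEscalation: false` and dropping capabilities.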
Expand Down Expand Up @@ -1034,4 +1085,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.
15 changes: 10 additions & 5 deletions chart/kubeapps/templates/apprepository/apprepositories.yaml
Expand Up @@ -26,12 +26,14 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
{{- if or $.Values.apprepository.containerSecurityContext.enabled $.Values.apprepository.initialReposProxy.enabled .nodeSelector }}
{{- if or $.Values.apprepository.podSecurityContext.enabled $.Values.apprepository.containerSecurityContext.enabled $.Values.apprepository.initialReposProxy.enabled .nodeSelector .tolerations}}
syncJobPodTemplate:
spec:
{{- if $.Values.apprepository.initialReposProxy.enabled }}
{{- if or $.Values.apprepository.initialReposProxy.enabled $.Values.apprepository.containerSecurityContext.enabled }}
containers:
- env:
-
{{- if $.Values.apprepository.initialReposProxy.enabled }}
env:
- name: https_proxy
value: {{ $.Values.apprepository.initialReposProxy.httpsProxy }}
- name: http_proxy
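Review bot: the widened guard on `syncJobPodTemplate` now fires for `podSecurityContext.enabled` or `.tolerations` alone, while the `containers:` list is only emitted when the proxy or the container security context is enabled, so each combination of the five conditions renders a differently shaped `spec:`. Add a chart test (or a `helm template` check) for at least the tolerations-only and podSecurityContext-only cases to confirm `spec:` is never empty or mis-indented, and that the bare `-` list item always ends up with at least one key under it. Style: `.tolerations}}` is missing the space before the closing braces that the other actions in this file have.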
Expand All @@ -40,8 +42,11 @@ spec:
value: {{ $.Values.apprepository.initialReposProxy.noProxy }}
{{- end }}
{{- if $.Values.apprepository.containerSecurityContext.enabled }}
securityContext:
runAsUser: {{ $.Values.apprepository.containerSecurityContext.runAsUser }}
securityContext: {{- omit $.Values.apprepository.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if $.Values.apprepository.podSecurityContext.enabled }}
securityContext: {{- omit $.Values.apprepository.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .nodeSelector }}
nodeSelector: {{- toYaml .nodeSelector | nindent 8 }}
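Review bot: both new `securityContext:` lines pass the values map through `omit ... "enabled" | toYaml`, so every key a user places under `apprepository.containerSecurityContext` or `apprepository.podSecurityContext` reaches the sync job pod verbatim, and a map that holds only `enabled: true` renders as `{}`. The old template emitted `runAsUser` and nothing else, so this is a behaviour change: document the pass-through next to the values and make sure the chart defaults carry the hardening fields you want applied (for example `runAsNonRoot`). The probes in `chart/kubeapps/templates/kubeappsapis/deployment.yaml` are rendered through `common.tplvalues.render`; use the same helper here if templated values are meant to be supported.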
2 changes: 0 additions & 2 deletions chart/kubeapps/templates/kubeappsapis/deployment.yaml
Expand Up @@ -191,15 +191,13 @@ spec:
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.kubeappsapis.livenessProbe "enabled") "context" $) | nindent 12 }}
exec:
command: ["grpc_health_probe", "-addr=:{{ .Values.kubeappsapis.containerPorts.http }}"]
initialDelaySeconds: 10
{{- end }}
{{- if .Values.kubeappsapis.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.kubeappsapis.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.kubeappsapis.readinessProbe "enabled") "context" $) | nindent 12 }}
exec:
command: ["grpc_health_probe", "-addr=:{{ .Values.kubeappsapis.containerPorts.http }}"]
initialDelaySeconds: 5
{{- end }}
{{- if .Values.kubeappsapis.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.customStartupProbe "context" $) | nindent 12 }}
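Review bot: dropping the literal `initialDelaySeconds: 10` and `initialDelaySeconds: 5` changes probe timing for anyone who already overrides `kubeappsapis.livenessProbe.initialDelaySeconds` or the readiness equivalent. Going by the README rows, the map rendered from values already contained that key and the literal after `exec:` repeated it, so note the change in the changelog. Separately, `exec:` is still appended after the rendered map in both probes, so a user who adds their own handler under `kubeappsapis.livenessProbe` or `kubeappsapis.readinessProbe` ends up with two; point them at `customLivenessProbe` and `customReadinessProbe` in the parameter descriptions.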