From 7ecfdebc88b024d792d26cb00e74006481eab2aa Mon Sep 17 00:00:00 2001
From: ypoplavs <45286051+ypoplavs@users.noreply.github.com>
Date: Wed, 6 Nov 2024 15:36:39 +0200
Subject: [PATCH] feat: add-global-securityContext (#228)

feat: add-global-securityContext
---
 .../testkube-cloud-api/templates/_helpers.tpl | 35 +++++++++++++-
 .../templates/deployment.yaml | 6 ++-
 .../templates/migrations-job.yaml | 6 ++-
 charts/testkube-cloud-api/values.yaml | 9 +++-
 .../testkube-cloud-ui/templates/_helpers.tpl | 24 +++++++++-
 .../templates/deployment.yaml | 4 +-
 charts/testkube-cloud-ui/values.yaml | 5 +-
 charts/testkube-enterprise/Chart.lock | 8 ++--
 charts/testkube-enterprise/Chart.yaml | 4 +-
 .../testkube-enterprise/charts/dex/Chart.yaml | 2 +-
 .../charts/dex/templates/_helpers.tpl | 22 +++++++++
 .../charts/dex/templates/deployment.yaml | 4 +-
 .../charts/dex/values.yaml | 4 ++
 .../charts/nats/Chart.yaml | 2 +-
 .../files/nats-box/deployment/container.yaml | 3 ++
 .../nats-box/deployment/pod-template.yaml | 3 ++
 .../files/stateful-set/nats-container.yaml | 3 ++
 .../nats/files/stateful-set/pod-template.yaml | 3 ++
 .../stateful-set/prom-exporter-container.yaml | 3 ++
 .../stateful-set/reloader-container.yaml | 4 ++
 .../charts/nats/templates/_helpers.tpl | 22 +++++++++
 .../charts/nats/values.yaml | 4 ++
 .../templates/_helpers.tpl | 22 +++++++++
 .../templates/shared-secrets/job.yaml | 6 ++-
 charts/testkube-enterprise/values.yaml | 48 +++++++++++++++----
 .../templates/_helpers.tpl | 22 +++++++++
 .../templates/deployment.yaml | 4 +-
 charts/testkube-logs-service/values.yaml | 5 +-
 .../templates/_helpers.tpl | 35 +++++++++++++-
 .../templates/deployment.yaml | 6 ++-
 charts/testkube-worker-service/values.yaml | 7 ++-
 31 files changed, 298 insertions(+), 37 deletions(-)

diff --git a/charts/testkube-cloud-api/templates/_helpers.tpl b/charts/testkube-cloud-api/templates/_helpers.tpl
index 3d4ed7994..4012d54f8 100644
--- a/charts/testkube-cloud-api/templates/_helpers.tpl
+++ b/charts/testkube-cloud-api/templates/_helpers.tpl
@@ -155,4 +155,37 @@ TODO: Implement this using dict and reuse the same for each image
 {{- end -}}
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-cloud-api.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-cloud-api.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for Init Container
+*/}}
+{{- define "init-wait-for-mongo.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.init.mongo.containerSecurityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml
index cc41bc359..0436ef5f7 100644
--- a/charts/testkube-cloud-api/templates/deployment.yaml
+++ b/charts/testkube-cloud-api/templates/deployment.yaml
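Review bot: A non-empty `global.containerSecurityContext` replaces the chart-level `securityContext` wholesale in `testkube-cloud-api.containerSecurityContext` (and the pod and init-container helpers do the same), so setting a single global field such as `runAsNonRoot: true` silently drops the chart default `readOnlyRootFilesystem: true` from every container. Either overlay instead of replace, e.g. `{{- toYaml (merge (deepCopy .Values.global.containerSecurityContext) .Values.securityContext) }}`, or state in the `# --` comments of the new `global.*SecurityContext` values that they are a full replacement of the per-chart contexts. The same helper shape is repeated in the cloud-ui, dex, nats, shared-secret, logs-service and worker-service helper hunks. Separately, `init-wait-for-mongo.containerSecurityContext` carries no chart prefix and is defined again, word for word, in the worker-service helpers; Helm template names are global across a parent chart and its subcharts, so the two definitions shadow each other when both charts are installed under testkube-enterprise, and a chart-prefixed name avoids that.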
@@ -29,12 +29,14 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "testkube-cloud-api.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-cloud-api.podSecurityContext" . | trim }}
 {{- if .Values.init.enabled }}
 initContainers:
 - name: wait-for-mongo
 image: {{ include "testkube-cloud-api.init-mongo-image" . }}
 imagePullPolicy: {{ .Values.init.mongo.image.pullPolicy }}
+ securityContext:
+ {{ include "init-wait-for-mongo.containerSecurityContext" . | trim }}
 command: ["/bin/sh", "-c"]
 args:
 - |
@@ -57,7 +59,7 @@ spec:
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "testkube-cloud-api.containerSecurityContext" . | trim }}
 image: {{ include "testkube-api.image" . }}
 imagePullPolicy: {{ .Values.global.imagePullPolicy | default .Values.image.pullPolicy }}
 env:
diff --git a/charts/testkube-cloud-api/templates/migrations-job.yaml b/charts/testkube-cloud-api/templates/migrations-job.yaml
index 7cbe44839..cde40bd4c 100644
--- a/charts/testkube-cloud-api/templates/migrations-job.yaml
+++ b/charts/testkube-cloud-api/templates/migrations-job.yaml
@@ -33,11 +33,13 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "testkube-cloud-api.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-cloud-api.podSecurityContext" . | trim }}
 {{- if .Values.init.enabled }}
 initContainers:
 - name: wait-for-mongo
 image: {{ include "testkube-cloud-api.init-mongo-image" . }}
+ securityContext:
+ {{ include "init-wait-for-mongo.containerSecurityContext" . | trim}}
 command: ["/bin/sh", "-c"]
 args:
 - |
@@ -60,6 +62,8 @@ spec:
 containers:
 - name: migrations
 image: {{ include "testkube-api.image" . }}
+ securityContext:
+ {{ include "testkube-cloud-api.containerSecurityContext" . | trim }}
 args: ["migrate"]
 env:
 - name: ENTERPRISE_MODE
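Review bot: `{{ include "testkube-cloud-api.podSecurityContext" . | trim }}` indents only the first line of the helper output: `trim` strips the leading newline and nothing re-indents the following lines the way `nindent 8` did, so any context with more than one key (for example `fsGroup` plus `runAsUser`) renders its second and later keys at column 0 and breaks the manifest. It goes unnoticed with the chart defaults because `readOnlyRootFilesystem: true` is a single key and `{}` is one line. Keep the indent-aware form, `{{- include "testkube-cloud-api.podSecurityContext" . | trim | nindent 8 }}` (12 for the container and init-container contexts), and do the same in the second hunk here, in both migrations-job.yaml hunks, and in the cloud-ui, dex, shared-secrets job, logs-service and worker-service deployment hunks.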
diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml
index 83689032a..1a4068772 100644
--- a/charts/testkube-cloud-api/values.yaml
+++ b/charts/testkube-cloud-api/values.yaml
@@ -93,6 +93,10 @@ global:
 tls: {}
 # -- Toggle whether to globally skip certificate verification
 #skipVerify: false
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 replicaCount: 1
 image:
 # -- If defined, it will prepend the registry to the image name, if not, default docker.io will be prepended
@@ -130,6 +134,8 @@ init:
 pullPolicy: IfNotPresent
 # -- MongoSH image digest
 digest: ""
+ # -- Init container Security Context
+ containerSecurityContext: {}
 analytics:
 segmentio:
 # -- Toggle whether to enable Segment.io analytics
@@ -360,8 +366,7 @@ podAnnotations: {}
 # -- Pod Security Context
 podSecurityContext: {}
 # fsGroup: 2000
-
-# -- Security Context for app container
+# -- Container Security Context
 securityContext:
 readOnlyRootFilesystem: true
 service:
diff --git a/charts/testkube-cloud-ui/templates/_helpers.tpl b/charts/testkube-cloud-ui/templates/_helpers.tpl
index 0be2ceba0..43a66fa62 100644
--- a/charts/testkube-cloud-ui/templates/_helpers.tpl
+++ b/charts/testkube-cloud-ui/templates/_helpers.tpl
@@ -97,4 +97,26 @@ Define image
 {{- else -}}
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-cloud-ui.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-cloud-ui.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-cloud-ui/templates/deployment.yaml b/charts/testkube-cloud-ui/templates/deployment.yaml
index 7f1c37687..b29bab456 100644
--- a/charts/testkube-cloud-ui/templates/deployment.yaml
+++ b/charts/testkube-cloud-ui/templates/deployment.yaml
@@ -29,11 +29,11 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "testkube-cloud-ui.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-cloud-ui.podSecurityContext" . | trim }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "testkube-cloud-ui.containerSecurityContext" . | trim }}
 image: {{ include "testkube-dashboard.image" . }}
 imagePullPolicy: {{ .Values.global.imagePullPolicy | default .Values.image.pullPolicy }}
 ports:
diff --git a/charts/testkube-cloud-ui/values.yaml b/charts/testkube-cloud-ui/values.yaml
index 2b6b01c4f..f181027ab 100644
--- a/charts/testkube-cloud-ui/values.yaml
+++ b/charts/testkube-cloud-ui/values.yaml
@@ -27,6 +27,10 @@ global:
 enabled: true
 # -- Common labels which will be added to all resources
 labels: {}
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 replicaCount: 1
 sentry:
 # -- Toggle whether to enable Sentry.io error reporting
@@ -80,7 +84,6 @@ podAnnotations: {}
 # -- Pod Security Context
 podSecurityContext: {}
 # fsGroup: 2000
-
 # -- Container Security Context
 securityContext:
 readOnlyRootFilesystem: true
diff --git a/charts/testkube-enterprise/Chart.lock b/charts/testkube-enterprise/Chart.lock
index 93e7e527a..17bff3d57 100644
--- a/charts/testkube-enterprise/Chart.lock
+++ b/charts/testkube-enterprise/Chart.lock
@@ -16,15 +16,15 @@ dependencies:
 version: 2.1.75
 - name: dex
 repository: file://./charts/dex
- version: 0.19.1-3
+ version: 0.19.1-4
 - name: mongodb
 repository: https://charts.bitnami.com/bitnami
 version: 15.6.16
 - name: nats
 repository: file://./charts/nats
- version: 1.2.6-1
+ version: 1.2.6-2
 - name: minio
 repository: https://charts.bitnami.com/bitnami
 version: 14.7.0
-digest: sha256:f58d0f9f5f0214b0c461494b9eaa34f354f0c96df7fa5e545df6108078dbe960
-generated: "2024-11-05T15:08:47.310125592Z"
+digest: sha256:1d5a73633a95123776b52c7de39dafe34835b07f97026b1ace99712ffb30c578
+generated: "2024-11-06T15:30:47.69998+02:00"
diff --git a/charts/testkube-enterprise/Chart.yaml b/charts/testkube-enterprise/Chart.yaml
index 4e9e8a5c3..9641d8069 100644
--- a/charts/testkube-enterprise/Chart.yaml
+++ b/charts/testkube-enterprise/Chart.yaml
@@ -22,7 +22,7 @@ dependencies:
 repository: https://kubeshop.github.io/helm-charts
 condition: testkube-agent.enabled
 - name: dex
- version: 0.19.1-3
+ version: 0.19.1-4
 repository: file://./charts/dex
 condition: dex.enabled
 - name: mongodb
@@ -31,7 +31,7 @@ dependencies:
 condition: mongodb.enabled
 - name: nats
 condition: testkube-api.nats.enabled
- version: 1.2.6-1
+ version: 1.2.6-2
 repository: "file://./charts/nats"
 - name: minio
 version: 14.7.0
diff --git a/charts/testkube-enterprise/charts/dex/Chart.yaml b/charts/testkube-enterprise/charts/dex/Chart.yaml
index f51ef1d6c..3085664f2 100644
--- a/charts/testkube-enterprise/charts/dex/Chart.yaml
+++ b/charts/testkube-enterprise/charts/dex/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: dex
-version: 0.19.1-3
+version: 0.19.1-4
 appVersion: "2.41.1"
 kubeVersion: ">=1.14.0-0"
 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
diff --git a/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl b/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl
index 044cb7b0f..0184b010e 100644
--- a/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl
+++ b/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl
@@ -85,3 +85,25 @@ The name of the image
 {{- end -}}
 image: {{ $image }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "dex.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "dex.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
diff --git a/charts/testkube-enterprise/charts/dex/templates/deployment.yaml b/charts/testkube-enterprise/charts/dex/templates/deployment.yaml
index b6b98e652..4b5ca817e 100644
--- a/charts/testkube-enterprise/charts/dex/templates/deployment.yaml
+++ b/charts/testkube-enterprise/charts/dex/templates/deployment.yaml
@@ -47,7 +47,7 @@ spec:
 priorityClassName: {{ . | quote }}
 {{- end }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "dex.podSecurityContext" . | trim }}
 {{- with .Values.hostAliases }}
 hostAliases:
 {{- toYaml . | nindent 8 }}
@@ -55,7 +55,7 @@ spec:
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "dex.containerSecurityContext" . | trim }}
 {{- include "dex.image" . | nindent 10 }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
diff --git a/charts/testkube-enterprise/charts/dex/values.yaml b/charts/testkube-enterprise/charts/dex/values.yaml
index b92f4acdc..70121d9be 100644
--- a/charts/testkube-enterprise/charts/dex/values.yaml
+++ b/charts/testkube-enterprise/charts/dex/values.yaml
@@ -7,6 +7,10 @@ global:
 imageRegistry: ""
 # -- Image pull secrets to use for testkube-cloud-api and testkube-cloud-ui
 imagePullSecrets: []
+ # -- Global security Context for Dex Container
+ containerSecurityContext: {}
+ # -- Global security Context for Dex Pod
+ podSecurityContext: {}
 # -- Number of replicas (pods) to launch.
 replicaCount: 1
diff --git a/charts/testkube-enterprise/charts/nats/Chart.yaml b/charts/testkube-enterprise/charts/nats/Chart.yaml
index 87361de0b..8a10ffc6d 100644
--- a/charts/testkube-enterprise/charts/nats/Chart.yaml
+++ b/charts/testkube-enterprise/charts/nats/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 1.2.6-1
+version: 1.2.6-2
 home: http://github.com/nats-io/k8s
 maintainers:
 - email: info@nats.io
diff --git a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml
index aa1753b4b..ff0caf8ff 100644
--- a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml
+++ b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml
@@ -44,3 +44,6 @@ volumeMounts:
 - name: {{ .name | quote }}
 mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml
index ff904bf6c..eca5a3e40 100644
--- a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml
+++ b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml
@@ -42,3 +42,6 @@ spec:
 secret:
 secretName: {{ .secretName | quote }}
 {{- end }}
+
+ securityContext:
+ {{- include "nats.podSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml
index c5402efea..f87562842 100644
--- a/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml
+++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml
@@ -104,3 +104,6 @@ volumeMounts:
 - name: {{ .name | quote }}
 mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml
index 1d3ea6431..aa0661002 100644
--- a/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml
+++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml
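Review bot: The added `# securityContext` comment in container.yaml and nats-container.yaml only restates the key on the next line and can be dropped, and the blank-line count before the new `securityContext:` differs per file (none here, one in the pod-template and prom-exporter hunks, two in reloader-container.yaml); one consistent shape across the six files reads better. Every `nindent 6` sits under a key nested one level shallower than that, so the value is indented deeper than the surrounding mappings appear to be — valid YAML, but worth matching the file's own step if it is two spaces, which the collapsed text does not show. Five of the six files now end without a trailing newline; adding one keeps the next change to this tail from touching these lines again.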
@@ -69,3 +69,6 @@ spec:
 - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
 {{- end }}
 {{- end}}
+
+ securityContext:
+ {{- include "nats.podSecurityContext" $ | nindent 6 }}
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml
index c3e1b6fbe..84d19ec70 100644
--- a/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml
+++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml
@@ -28,3 +28,6 @@ args:
 - -gatewayz
 {{- end }}
 - http://localhost:{{ .Values.config.monitor.port }}/
+
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml
index 96722045f..08f062e7e 100644
--- a/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml
+++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml
@@ -25,3 +25,7 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+
+
+securityContext:
+ {{- include "nats.containerSecurityContext" $ | nindent 6 }}
\ No newline at end of file
diff --git a/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl b/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl
index ba0a51c56..611ad8918 100644
--- a/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl
+++ b/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl
@@ -280,3 +280,25 @@ output: string with following format rules
 "${1}") -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "nats.podSecurityContext" -}}
+{{- with .Values.global.podSecurityContext }}
+{{ toYaml . }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "nats.containerSecurityContext" -}}
+{{- with .Values.global.containerSecurityContext }}
+{{- toYaml . }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-enterprise/charts/nats/values.yaml b/charts/testkube-enterprise/charts/nats/values.yaml
index 15745ab7b..1f995d4e3 100644
--- a/charts/testkube-enterprise/charts/nats/values.yaml
+++ b/charts/testkube-enterprise/charts/nats/values.yaml
@@ -14,6 +14,10 @@ global:
 # global registry to use for all container images in the chart
 # can be overridden by individual image registry
 registry:
+ # -- Security Context for all pods
+ podSecurityContext: {}
+ # -- Security Context for all containers
+ containerSecurityContext: {}
 # global labels will be applied to all resources deployed by the chart
 labels: {}
diff --git a/charts/testkube-enterprise/templates/_helpers.tpl b/charts/testkube-enterprise/templates/_helpers.tpl
index 1027f0b11..17a7468b9 100644
--- a/charts/testkube-enterprise/templates/_helpers.tpl
+++ b/charts/testkube-enterprise/templates/_helpers.tpl
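Review bot: The fallback branches read `.Values.podSecurityContext` and `.Values.containerSecurityContext` at the top level of the nats chart, but the nats values.yaml hunk below adds those keys only under `global:`, so with the global values left empty each helper emits `toYaml` of a missing value (`null`) and this chart carries no per-container default of its own. The umbrella values.yaml instead adds `securityContext: {}` inside the nats container, reloader and nats-box container blocks, which nothing in this diff reads. Either add documented top-level `podSecurityContext: {}` and `containerSecurityContext: {}` defaults to the nats values.yaml, or route the per-container values through the chart's existing `merge` blocks as the promExporter hunk in the umbrella values already does. Whether the nats chart's own templating consumes `container.securityContext` is not visible here, so confirm that before removing those umbrella keys.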
@@ -49,3 +49,25 @@ Define API image
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "sharedSecretGenerator.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.sharedSecretGenerator.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "sharedSecretGenerator.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.sharedSecretGenerator.securityContext }}
+{{- end }}
+{{- end }}
diff --git a/charts/testkube-enterprise/templates/shared-secrets/job.yaml b/charts/testkube-enterprise/templates/shared-secrets/job.yaml
index 61de65b84..ca740070a 100644
--- a/charts/testkube-enterprise/templates/shared-secrets/job.yaml
+++ b/charts/testkube-enterprise/templates/shared-secrets/job.yaml
@@ -10,7 +10,8 @@ metadata:
 spec:
 template:
 spec:
- securityContext: {{- toYaml .Values.sharedSecretGenerator.securityContext | nindent 8 }}
+ securityContext:
+ {{ include "sharedSecretGenerator.podSecurityContext" . | trim }}
 serviceAccountName: testkube-secret-generator
 restartPolicy: Never
 containers:
@@ -20,7 +21,8 @@ spec:
 volumeMounts:
 - name: scripts
 mountPath: /scripts
- securityContext: {{- toYaml .Values.sharedSecretGenerator.containerSecurityContext | nindent 12 }}
+ securityContext:
+ {{ include "sharedSecretGenerator.containerSecurityContext" . | trim }}
 resources:
 {{- toYaml .Values.sharedSecretGenerator.resources | nindent 12 }}
 volumes:
diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml
index 22da7aa55..a7b3e48f5 100644
--- a/charts/testkube-enterprise/values.yaml
+++ b/charts/testkube-enterprise/values.yaml
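Review bot: The two helpers pick up the existing values under swapped names: the removed job.yaml lines applied `sharedSecretGenerator.securityContext` at pod level and `sharedSecretGenerator.containerSecurityContext` at container level, whereas `sharedSecretGenerator.podSecurityContext` now falls back to `.Values.sharedSecretGenerator.podSecurityContext`, a key this diff does not add to values.yaml, and `sharedSecretGenerator.containerSecurityContext` falls back to `.Values.sharedSecretGenerator.securityContext`, the former pod-level value. With defaults the pod context renders as `null` and any pod-only field a user had set there, such as `fsGroup`, now lands in the container where it is not a valid field, while `containerSecurityContext` is no longer read at all. Unless values.yaml already defines `sharedSecretGenerator.podSecurityContext` outside this diff, change the fallbacks to `{{ toYaml .Values.sharedSecretGenerator.securityContext }}` and `{{- toYaml .Values.sharedSecretGenerator.containerSecurityContext }}`.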
@@ -93,6 +93,11 @@ global:
 tls: {}
 # -- Toggle whether to globally skip certificate verification
 #skipVerify: true
+ # -- Global security Context for all containers, except for MongoDB and MinIo. Container security context for them needs to be provided separately.
+ containerSecurityContext: {}
+ # -- Global security Context for all pods, except for MongoDB and MinIo. Pod security Context for them needs to be provided separately.
+ podSecurityContext: {}
+
 # Testkube requires a variety of secrets to operate.
 # Any secret not provided manually will be automatically generated with a random value by the shared secret job.
 sharedSecretGenerator:
@@ -218,6 +223,12 @@ testkube-cloud-api:
 registry: ""
 repository: kubeshop/testkube-enterprise-api
 tag: 1.10.75
+ # -- Pod Security Context
+ podSecurityContext: {}
+ # fsGroup: 2000
+ # -- Container Security Context
+ securityContext:
+ readOnlyRootFilesystem: true
 ## Init block defines settings for the dependency check containers
 init:
 # -- Toggle whether to enable the dependency check containers
@@ -230,6 +241,8 @@ testkube-cloud-api:
 tag: 7.0.12
 # -- MongoSH image pull policy
 pullPolicy: IfNotPresent
+ # -- Init container Security Context
+ securityContext: {}
 # -- Specifies the path to the directory (skip the trailing slash) where CA certificates should be mounted. The mounted file should container a PEM encoded CA certificate.
 customCaDirPath: ""
 # -- Specifies the path where the license key should be mounted.
@@ -400,6 +413,12 @@ testkube-cloud-ui:
 registry: ""
 repository: kubeshop/testkube-enterprise-ui
 tag: 2.7.0
+ # -- Pod Security Context
+ podSecurityContext: {}
+ # fsGroup: 2000
+ # -- Container Security Context
+ securityContext:
+ readOnlyRootFilesystem: true
 # -- Set resources requests and limits for Testkube UI
 resources:
 requests:
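Review bot: The `securityContext: {}` added to the `testkube-cloud-api` init block (the `@@ -230` hunk) is not the key the subchart reads: the new `init-wait-for-mongo.containerSecurityContext` helper falls back to `.Values.init.mongo.containerSecurityContext`, and the subchart's own values.yaml adds `containerSecurityContext: {}` in its `init` block, so a value set here in the umbrella chart is silently ignored. Rename it to `containerSecurityContext: {}`, keeping it nested under `init.mongo` as the helper expects — the collapsed text does not show the nesting, so check it against the subchart values. The `testkube-worker-service` init block in the `@@ -442` hunk on the next line has the same mismatch, since the worker helper also reads `.Values.init.mongo.containerSecurityContext` and the worker values.yaml names the key `containerSecurityContext`.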
@@ -428,6 +447,12 @@ testkube-worker-service:
 registry: ""
 repository: kubeshop/testkube-enterprise-worker-service
 tag: 1.10.74
+ # -- Pod Security Context
+ podSecurityContext: {}
+ # fsGroup: 2000
+ # -- Container Security Context
+ securityContext:
+ readOnlyRootFilesystem: true
 # -- Mongo Init Container values
 init:
 mongo:
@@ -442,6 +467,8 @@ testkube-worker-service:
 pullPolicy: IfNotPresent
 # -- MongoSH image digest
 digest: ""
+ # -- Security context for Init Container
+ securityContext: {}
 # -- Set resources requests and limits for Testkube Worker Service
 resources:
 requests:
@@ -477,6 +504,8 @@ nats:
 limits:
 cpu: 500m
 memory: 512Mi
+ # -- Set Security Context for NATS container
+ securityContext: {}
 # image:
 # repository: nats
 # tag: 2.10.21-alpine
@@ -531,6 +560,8 @@ nats:
 limits:
 cpu: 100m
 memory: 256Mi
+ # -- Set Security Context for reloader container
+ securityContext: {}
 patch: []
 # NATS Box container settings
 natsBox:
@@ -545,6 +576,8 @@ nats:
 limits:
 cpu: 100m
 memory: 128Mi
+ # -- Set a security Context for NatsBox container
+ securityContext: {}
 # Uncomment if you want to provide a different image or pullPolicy
 # container:
 # image:
@@ -557,14 +590,12 @@ nats:
 # image:
 # repository: natsio/nats-box #used to fix this: https://github.com/nats-io/nats-box/pull/66
 # tag: 0.14.5-nonroot
+ podTemplate:
+ merge:
+ spec:
+ # -- Set a security Context for NatsBox pod
+ securityContext: {}

- # -- Map of additional env vars
- env: {}
- # -- Merge additional fields to the container
- # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
- merge: {}
- # -- Patch additional fields to the container
- patch: []
 # Exporter container settings
 promExporter:
 # -- Toggle whether to install NATS exporter
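Review bot: The `@@ -557` hunk removes the documented `env: {}`, `merge: {}` and `patch: []` entries, with their comments, from the block the surrounding comments describe as the nats-box container settings, and the commit message does not mention the removal; `merge` is the very mechanism this file uses in the next hunk to set `promExporter.merge.securityContext`. Dropping them hides the supported pass-through from users reading the umbrella values.yaml even if the subchart defaults leave behaviour unchanged. Keep the three keys and their comments and, if the aim is a nats-box container context, place it under `merge:` as `securityContext: {}` rather than as the sibling key the `@@ -545` hunk adds. Nesting is inferred from the comments since the collapsed text carries no indentation.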
@@ -580,7 +611,8 @@ nats:
 env: {}
 # -- Merge additional fields to the container
 # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
- merge: {}
+ merge:
+ securityContext: {}
 # -- Patch additional fields to the container
 patch: []
 ## MongoDB chart parameters
diff --git a/charts/testkube-logs-service/templates/_helpers.tpl b/charts/testkube-logs-service/templates/_helpers.tpl
index 02cc70f64..79e31407f 100644
--- a/charts/testkube-logs-service/templates/_helpers.tpl
+++ b/charts/testkube-logs-service/templates/_helpers.tpl
@@ -114,3 +114,25 @@ Define image
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-logs-service.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-logs-service.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-logs-service/templates/deployment.yaml b/charts/testkube-logs-service/templates/deployment.yaml
index d901ff571..b11eb7b40 100644
--- a/charts/testkube-logs-service/templates/deployment.yaml
+++ b/charts/testkube-logs-service/templates/deployment.yaml
@@ -29,11 +29,11 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "testkube-log-service.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-logs-service.podSecurityContext" . | trim }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "testkube-logs-service.containerSecurityContext" . | trim }}
 image: {{ include "testkube-logs.image" . }}
 imagePullPolicy: {{ .Values.global.imagePullPolicy | default .Values.image.pullPolicy }}
 env:
diff --git a/charts/testkube-logs-service/values.yaml b/charts/testkube-logs-service/values.yaml
index ad1a0c70d..7b65ba5fc 100644
--- a/charts/testkube-logs-service/values.yaml
+++ b/charts/testkube-logs-service/values.yaml
@@ -19,6 +19,10 @@ global:
 enabled: true
 # -- Common labels which will be added to all resources
 labels: {}
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 replicaCount: 1
 image:
@@ -122,7 +126,6 @@ podAnnotations: {}
 # -- Pod Security Context
 podSecurityContext: {}
 # fsGroup: 2000
-
 # -- Security Context for app container
 securityContext:
 readOnlyRootFilesystem: true
diff --git a/charts/testkube-worker-service/templates/_helpers.tpl b/charts/testkube-worker-service/templates/_helpers.tpl
index 65c6a5a1c..56a7c06ca 100644
--- a/charts/testkube-worker-service/templates/_helpers.tpl
+++ b/charts/testkube-worker-service/templates/_helpers.tpl
@@ -161,4 +161,37 @@ Define Mongo init image
 {{- end -}}
 {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $tag -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "testkube-worker-service.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "testkube-worker-service.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext for Init Container
+*/}}
+{{- define "init-wait-for-mongo.containerSecurityContext" -}}
+{{- if .Values.global.containerSecurityContext }}
+{{- toYaml .Values.global.containerSecurityContext}}
+{{- else }}
+{{- toYaml .Values.init.mongo.containerSecurityContext }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/testkube-worker-service/templates/deployment.yaml b/charts/testkube-worker-service/templates/deployment.yaml
index 90b659666..10e074150 100644
--- a/charts/testkube-worker-service/templates/deployment.yaml
+++ b/charts/testkube-worker-service/templates/deployment.yaml
@@ -29,10 +29,12 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "testkube-worker-service.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{ include "testkube-worker-service.podSecurityContext" . | trim }}
 initContainers:
 - name: wait-for-mongo
 image: {{ include "testkube-worker.init-mongo-image" . }}
+ securityContext:
+ {{ include "init-wait-for-mongo.containerSecurityContext" . | trim }}
 command: ["/bin/sh", "-c"]
 args:
 - |
@@ -54,7 +56,7 @@ spec:
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{ include "testkube-worker-service.containerSecurityContext" . | trim }}
 image: {{ include "testkube-worker.image" . }}
 imagePullPolicy: {{ .Values.global.imagePullPolicy | default .Values.image.pullPolicy }}
 env:
diff --git a/charts/testkube-worker-service/values.yaml b/charts/testkube-worker-service/values.yaml
index 24a84c1f9..2bc53494b 100644
--- a/charts/testkube-worker-service/values.yaml
+++ b/charts/testkube-worker-service/values.yaml
@@ -54,6 +54,10 @@ global:
 tls: {}
 # -- Toggle whether to globally skip certificate verification
 #skipVerify: false
+ # -- Global security Context for all containers
+ containerSecurityContext: {}
+ # -- Global security Context for all pods
+ podSecurityContext: {}
 replicaCount: 1
 image:
 # -- If defined, it will prepend the registry to the image name, if not, default docker.io will be prepended
@@ -82,6 +86,8 @@ init:
 pullPolicy: IfNotPresent
 # -- MongoSH image digest
 digest: ""
+ # -- Security context for Init Container
+ containerSecurityContext: {}
 # -- Specifies the path to the directory (skip the trailing slash) where CA certificates should be mounted. The mounted file should container a PEM encoded CA certificate.
 customCaDirPath: ""
 api:
@@ -138,7 +144,6 @@ podAnnotations: {}
 # -- Pod Security Context
 podSecurityContext: {}
 # fsGroup: 2000
-
 # -- Security Context for app container
 securityContext:
 readOnlyRootFilesystem: true