From fb54174f6e41b308900917c71eed0e84df11540f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=B6ran=20P=C3=B6hner?= <10630407+groundhog2k@users.noreply.github.com> Date: Fri, 31 Mar 2023 21:42:25 +0200 Subject: [PATCH] Groundhog2k/issue1211 (#1226) --- charts/etcd/Chart.yaml | 2 +- charts/etcd/README.md | 6 +- charts/etcd/RELEASENOTES.md | 1 + charts/etcd/templates/etcdconfig.yaml | 29 +++++++++ charts/etcd/templates/scripts.yaml | 67 ------------------- charts/etcd/templates/statefulset.yaml | 89 +++++++++++++++++--------- charts/etcd/values.yaml | 12 ++++ charts/mariadb/Chart.yaml | 2 +- charts/mariadb/README.md | 2 +- charts/mariadb/RELEASENOTES.md | 1 + charts/mariadb/values.yaml | 5 ++ charts/mongodb/Chart.yaml | 2 +- charts/mongodb/README.md | 2 +- charts/mongodb/RELEASENOTES.md | 1 + charts/mongodb/templates/_helpers.tpl | 2 +- charts/mongodb/values.yaml | 5 ++ charts/mysql/Chart.yaml | 2 +- charts/mysql/README.md | 2 +- charts/mysql/RELEASENOTES.md | 1 + charts/mysql/values.yaml | 5 ++ charts/postgres/Chart.yaml | 2 +- charts/postgres/README.md | 2 +- charts/postgres/RELEASENOTES.md | 1 + charts/postgres/values.yaml | 5 ++ charts/redis/Chart.yaml | 2 +- charts/redis/README.md | 2 +- charts/redis/RELEASENOTES.md | 1 + charts/redis/values.yaml | 5 ++ 28 files changed, 149 insertions(+), 109 deletions(-) create mode 100644 charts/etcd/templates/etcdconfig.yaml delete mode 100644 charts/etcd/templates/scripts.yaml diff --git a/charts/etcd/Chart.yaml b/charts/etcd/Chart.yaml index e32e9173..99a5bd12 100644 --- a/charts/etcd/Chart.yaml +++ b/charts/etcd/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: 0.1.1 +version: 0.1.2 appVersion: "v3.5.7" diff --git a/charts/etcd/README.md b/charts/etcd/README.md index 4fa9143a..97b71fa5 100644 --- a/charts/etcd/README.md +++ b/charts/etcd/README.md @@ -1,6 +1,6 @@ # Etcd -   +   ## Changelog 
@@ -58,6 +58,10 @@ helm uninstall my-release | image.registry | string | `"quay.io/coreos"` | Image registry | | image.repository | string | `"etcd"` | Image name | | image.tag | string | `""` | Image tag | +| initImage.pullPolicy | string | `"IfNotPresent"` | Init image pull policy | +| initImage.registry | string | `"docker.io"` | Image registry | +| initImage.repository | string | `"busybox"` | Init image name | +| initImage.tag | string | `"latest"` | Init image tag | | imagePullSecrets | list | `[]` | Image pull secrets | | extraInitContainers | list | `[]` | Extra init containers | | extaContainers | list | `[]` | Extra containers for usage as sidecars | diff --git a/charts/etcd/RELEASENOTES.md b/charts/etcd/RELEASENOTES.md index 215afeb6..cccf197b 100644 --- a/charts/etcd/RELEASENOTES.md +++ b/charts/etcd/RELEASENOTES.md @@ -4,4 +4,5 @@ | :------------ | :---------- | :----------------- | | 0.1.0 | v3.5.6 | Initial version | | 0.1.1 | v3.5.7 | Upgraded etcd to v3.5.7 | +| 0.1.2 | v3.5.7 | Updated default security context | | | | | diff --git a/charts/etcd/templates/etcdconfig.yaml b/charts/etcd/templates/etcdconfig.yaml new file mode 100644 index 00000000..1dee6867 --- /dev/null +++ b/charts/etcd/templates/etcdconfig.yaml 
@@ -0,0 +1,29 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "etcd.fullname" . }} + labels: + {{- include "etcd.labels" . | nindent 4 }} +data: + {{- $replicaCount := int .Values.replicas }} + {{- $initialCluster := list }} + {{- $etcdFullname := include "etcd.fullname" . }} + {{- $etcdInternalServiceName := printf "%s-internal" $etcdFullname }} + {{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }} + {{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }} + ETCD_DATA_DIR: "/data/etcd" + ETCD_INITIAL_CLUSTER_TOKEN: "{{ .Values.settings.clusterToken }}" + ETCD_INITIAL_CLUSTER_STATE: "new" + ETCD_LISTEN_CLIENT_URLS: "{{ $protocol }}://0.0.0.0:2379" + ETCD_LISTEN_PEER_URLS: "{{ $protocol }}://0.0.0.0:2380" + {{- if .Values.serviceMonitor.enabled }} + ETCD_LISTEN_METRICS_URLS: "http://0.0.0.0:12379" + {{- end }} + {{- range $e, $i := until $replicaCount }} + {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s:%d" $etcdFullname $i $protocol $etcdFullname $i $servicefqdn 2380) }} + {{- end }} + ETCD_INITIAL_CLUSTER: {{ join "," $initialCluster | quote }} + {{- if .Values.settings.https.autoTls }} + ETCD_AUTO_TLS: "true" + ETCD_PEER_AUTO_TLS: "true" + {{- end }} diff --git a/charts/etcd/templates/scripts.yaml b/charts/etcd/templates/scripts.yaml deleted file mode 100644 index b1d6133c..00000000 --- a/charts/etcd/templates/scripts.yaml +++ /dev/null 
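Review bot: Nothing in the new ConfigMap says that the per-member settings (ETCD_NAME and the two advertise URLs) were deliberately left out because they depend on the pod name and are set from `$(NODE_NAME)` in statefulset.yaml; a template comment at the top of `data:` would save the next reader a hunt, e.g. `{{- /* Cluster-wide settings only; per-member ETCD_NAME and *_ADVERTISE_*_URLS live in statefulset.yaml because they need $(NODE_NAME) */ -}}`. `ETCD_DATA_DIR: "/data/etcd"` is also hard-coded a second time in the init container's `mkdir`/`chmod` args in statefulset.yaml, so the two must be kept in step; a comment naming that coupling, or a single shared template variable, would make the dependency visible. The `$e` index in `range $e, $i := until $replicaCount` is unused and the loop reads more plainly as `range $i := until $replicaCount`.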
@@ -1,67 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "etcd.fullname" . }}-scripts - labels: - {{- include "etcd.labels" . | nindent 4 }} -data: - startup.sh: | - #!/bin/sh - {{- $replicaCount := int .Values.replicas }} - {{- $etcdFullname := include "etcd.fullname" . }} - {{- $etcdInternalServiceName := printf "%s-internal" $etcdFullname }} - {{- $initialCluster := list }} - {{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }} - {{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }} - echo "Initializing Etcd instance..." - export ETCD_DATA_DIR="/data/etcd" - export ETCD_NAME="${HOSTNAME}" - export ETCD_INITIAL_CLUSTER_TOKEN="{{ .Values.settings.clusterToken }}" - export ETCD_INITIAL_CLUSTER_STATE="new" - export ETCD_LISTEN_CLIENT_URLS="{{ $protocol }}://0.0.0.0:2379" - export ETCD_LISTEN_PEER_URLS="{{ $protocol }}://0.0.0.0:2380" - {{- if .Values.serviceMonitor.enabled }} - export ETCD_LISTEN_METRICS_URLS="http://0.0.0.0:12379" - {{- end }} - export ETCD_ADVERTISE_CLIENT_URLS="{{ $protocol }}://${HOSTNAME}.{{ $servicefqdn }}:2379" - export ETCD_INITIAL_ADVERTISE_PEER_URLS="{{ $protocol }}://${HOSTNAME}.{{ $servicefqdn }}:2380" - {{- range $e, $i := until $replicaCount }} - {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s:%d" $etcdFullname $i $protocol $etcdFullname $i $servicefqdn 2380) }} - {{- end }} - export ETCD_INITIAL_CLUSTER="{{ join "," $initialCluster | quote }}" - {{- if .Values.settings.https.autoTls }} - export ETCD_AUTO_TLS="true" - export ETCD_PEER_AUTO_TLS="true" - {{- end }} - mkdir -p ${ETCD_DATA_DIR} - chmod 700 ${ETCD_DATA_DIR} - echo "Finished." - echo "Starting etcd..." - etcd $@ & - etcdproc=$! 
- trap "_terminate $etcdproc 15 {{ .Values.settings.shutdownDelay }}" 15 - trap "_terminate $etcdproc 9 {{ .Values.settings.shutdownDelay }}" 9 - wait $etcdproc - - # Terminates a child process - # $1 - PID of child process - # $2 - Kill signal number - # $3 - Delay before terminate (leave empty if no delay desired) - _terminate() { - local childproc=$1 - local signal=$2 - local delay=$3 - log "Terminating entrypoint" - etcd - kill -s $signal $childproc - if [ ! -z "$delay" ]; then - log "Waiting $delay seconds before termination..." - sleep $delay - fi - - log "Bye bye" - } - - healthcheck.sh: | - #!/bin/sh - etcdctl endpoint health {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} diff --git a/charts/etcd/templates/statefulset.yaml b/charts/etcd/templates/statefulset.yaml index c75a0f03..36aabc5f 100644 --- a/charts/etcd/templates/statefulset.yaml +++ b/charts/etcd/templates/statefulset.yaml @@ -1,7 +1,12 @@ +{{- $fullname := include "etcd.fullname" . }} +{{- $etcdInternalServiceName := printf "%s-internal" $fullname }} +{{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }} +{{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }} +{{- $createPvc := and (empty .Values.storage.persistentVolumeClaimName) (.Values.storage.requestedSize) }} apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ include "etcd.fullname" . }} + name: {{ $fullname }} labels: {{- include "etcd.labels" . | nindent 4 }} spec: 
@@ -9,9 +14,9 @@ spec: {{- if .Values.revisionHistoryLimit }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- end }} - serviceName: {{ include "etcd.fullname" . }}-internal + serviceName: {{ $fullname }}-internal podManagementPolicy: {{ .Values.podManagementPolicy }} - updateStrategy: + updateStrategy: type: {{ .Values.updateStrategyType }} selector: matchLabels: @@ -19,7 +24,7 @@ spec: template: metadata: annotations: - checksum/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }} + checksum/etcdconfig: {{ include (print $.Template.BasePath "/etcdconfig.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -33,7 +38,19 @@ spec: serviceAccountName: {{ include "etcd.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: + - name: {{ .Chart.Name }}-init + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.initImage.registry }}/{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" + imagePullPolicy: {{ .Values.initImage.pullPolicy }} + volumeMounts: + - name: {{ .Values.storage.volumeName }} + mountPath: /data + command: ["/bin/sh"] + args: ["-c", "mkdir -p /data/etcd && chmod 700 /data/etcd"] {{- with .Values.extraInitContainers }} {{- toYaml . | nindent 8 }} {{- end }} @@ -60,7 +77,10 @@ spec: startupProbe: exec: command: - - /scripts/healthcheck.sh + - /usr/local/bin/etcdctl + - endpoint + - health + - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} {{- with .Values.startupProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} timeoutSeconds: {{ .timeoutSeconds }} 
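Review bot: The new `{{ .Chart.Name }}-init` container declares no `resources`, while the main container's resources are templated from values; in a namespace with a ResourceQuota the pod is rejected, since quotas count init containers as well. Exposing an `initImage.resources` (or reusing `.Values.resources`) block under `imagePullPolicy` would also line up with the other charts, which already support init container resources according to their release notes. The `mkdir -p /data/etcd && chmod 700 /data/etcd` step relies on the volume being writable by uid/gid 999 via `fsGroup`; a one-line comment saying so would explain why it works under the shared non-root, capability-less `securityContext`.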
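Review bot: The startupProbe's last command element, `{{ ... | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }}`, renders both flags into a single YAML list item, and an exec probe passes each item as one argv element with no shell in between, so etcdctl receives the literal string `--insecure-skip-tls-verify=true --insecure-transport=false` as one unknown flag and the probe fails whenever TLS is enabled. The deleted `/scripts/healthcheck.sh` ran under `/bin/sh`, which word-split the flags, and that is what the rewrite lost. When TLS is off the item renders as an empty list entry, which most likely reaches etcdctl as an empty positional argument. The same construct appears in the livenessProbe and readinessProbe hunks; emitting the flags as separate items under a template `if` fixes all three.
```yaml
- health
{{- if or .Values.settings.https.enabled .Values.settings.https.autoTls }}
- --insecure-skip-tls-verify=true
- --insecure-transport=false
{{- end }}
```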
@@ -78,7 +98,10 @@ spec: livenessProbe: exec: command: - - /scripts/healthcheck.sh + - /usr/local/bin/etcdctl + - endpoint + - health + - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} {{- with .Values.livenessProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} timeoutSeconds: {{ .timeoutSeconds }} @@ -96,7 +119,10 @@ spec: readinessProbe: exec: command: - - /scripts/healthcheck.sh + - /usr/local/bin/etcdctl + - endpoint + - health + - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} {{- with .Values.readinessProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} timeoutSeconds: {{ .timeoutSeconds }} @@ -110,19 +136,29 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - command: - - /scripts/startup.sh {{- if .Values.args }} args: {{- range .Values.args }} - {{ . }} {{- end }} {{- end }} - {{- with .Values.env }} env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ETCD_NAME + value: $(NODE_NAME) + - name: ETCD_ADVERTISE_CLIENT_URLS + value: "{{ $protocol }}://$(NODE_NAME).{{ $servicefqdn }}:2379" + - name: ETCD_INITIAL_ADVERTISE_PEER_URLS + value: "{{ $protocol }}://$(NODE_NAME).{{ $servicefqdn }}:2380" + {{- with .Values.env }} {{- toYaml . | nindent 12 }} {{- end }} envFrom: + - configMapRef: + name: {{ $fullname }} {{- range .Values.extraEnvSecrets }} - secretRef: name: {{ . }} @@ -132,8 +168,6 @@ spec: mountPath: /data - name: tmp mountPath: /tmp - - name: scripts - mountPath: /scripts {{- range $secret := .Values.extraSecrets }} - name: {{ $secret.name }} mountPath: {{ $secret.mountPath }} 
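Review bot: Removing `command: /scripts/startup.sh` also removes the signal handler the deleted script installed, and with it the `{{ .Values.settings.shutdownDelay }}` delay on SIGTERM; nothing in this hunk or in the values.yaml hunks drops or replaces that setting, so unless it is handled somewhere outside this patch, `settings.shutdownDelay` is now read by nothing. Either remove it from values.yaml and the README, or express the delay as a `lifecycle.preStop` sleep with a matching `terminationGracePeriodSeconds`. The `$(NODE_NAME)` references depend on `NODE_NAME` being listed first, because Kubernetes only expands variables defined earlier in `env`; a comment above `- name: NODE_NAME` such as `# must stay first: the entries below expand $(NODE_NAME)` would keep a future reordering from breaking it. The container spec continues outside the hunk.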
@@ -156,38 +190,35 @@ spec: volumes: - name: tmp emptyDir: {} - - name: scripts - configMap: - name: {{ include "etcd.fullname" . }}-scripts - defaultMode: 0555 {{- range $secret := .Values.extraSecrets }} - name: {{ $secret.name }} secret: secretName: {{ $secret.name }} defaultMode: 0440 {{- end }} - {{- if .Values.storage.persistentVolumeClaimName }} - - name: {{ .Values.storage.volumeName }} +{{- with .Values.storage }} + {{- if not $createPvc }} + - name: {{ .volumeName }} + {{- if .persistentVolumeClaimName }} persistentVolumeClaim: - claimName: {{ .Values.storage.persistentVolumeClaimName }} - {{- else }} - {{- if not .Values.storage.requestedSize }} - - name: {{ .Values.storage.volumeName }} + claimName: {{ .persistentVolumeClaimName }} + {{- else }} emptyDir: {} + {{- end }} {{- else }} volumeClaimTemplates: - metadata: - name: {{ .Values.storage.volumeName }} + name: {{ .volumeName }} spec: - {{- with .Values.storage.accessModes }} + {{- with .accessModes }} accessModes: {{- toYaml . | nindent 10 }} {{- end }} - {{- if .Values.storage.className }} - storageClassName: {{ .Values.storage.className }} + {{- if .className }} + storageClassName: {{ .className }} {{- end }} resources: requests: - storage: {{ .Values.storage.requestedSize }} + storage: {{ .requestedSize }} {{- end }} - {{- end }} \ No newline at end of file +{{- end }} \ No newline at end of file diff --git a/charts/etcd/values.yaml b/charts/etcd/values.yaml index e6837636..8e4a2c57 100644 --- a/charts/etcd/values.yaml +++ b/charts/etcd/values.yaml @@ -7,6 +7,13 @@ image: pullPolicy: IfNotPresent tag: "" +# Default Init container image +initImage: + registry: "docker.io" + repository: "busybox" + pullPolicy: IfNotPresent + tag: "latest" + ## Pull secrets and name override options imagePullSecrets: [] nameOverride: "" 
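Review bot: The new `{{- with .Values.storage }}` and its closing `{{- end }}` sit at column 0 while every other directive in this block, including the `{{- if not $createPvc }}` they enclose, is indented with the YAML it controls; Helm trims the whitespace either way, so this is style only, but indenting them to match keeps the block readable. The new side still ends with `\ No newline at end of file`; adding the final newline is a cheap fix while the file is being touched. `$createPvc`, defined in this file's first hunk, holds `requestedSize` rather than a boolean because `and` returns its last argument when all are truthy; that works with `if not`, but a reader seeing the name may expect a bool, so a short comment at the definition would help.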
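Review bot: `tag: "latest"` together with `pullPolicy: IfNotPresent` means the init container runs whatever `docker.io/busybox` happens to be cached on each node, so pod starts are neither reproducible nor auditable, and a changed or compromised `latest` tag propagates silently into every restart. Pin the default to a specific release tag, `tag: "<pinned busybox tag>"`, or better a digest, and keep `IfNotPresent`; the README hunk documenting `initImage.tag` needs the same value. The `image:` block above uses `tag: ""`, which presumably falls back to the chart's appVersion in the template, so the two image blocks follow different conventions; a comment on `initImage` stating that its tag is fixed rather than derived would make that deliberate.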
@@ -39,6 +46,8 @@ updateStrategyType: RollingUpdate ## Pod security context uses file system group 999 (postgres) podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run PostgreSQL as non-root (postgres user), read only container without privilege escalation securityContext: @@ -48,6 +57,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## Etcd service ports (default: Client port 2379, Peer port 2380) service: diff --git a/charts/mariadb/Chart.yaml b/charts/mariadb/Chart.yaml index 83c8905f..c819f206 100644 --- a/charts/mariadb/Chart.yaml +++ b/charts/mariadb/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.8.2" +version: "0.8.3" appVersion: "10.11.2" diff --git a/charts/mariadb/README.md b/charts/mariadb/README.md index 074b07b8..af6275df 100644 --- a/charts/mariadb/README.md +++ b/charts/mariadb/README.md @@ -1,6 +1,6 @@ # MariaDB -   +   ## Changelog diff --git a/charts/mariadb/RELEASENOTES.md b/charts/mariadb/RELEASENOTES.md index 1f940a5a..267c6b1a 100644 --- a/charts/mariadb/RELEASENOTES.md +++ b/charts/mariadb/RELEASENOTES.md @@ -49,4 +49,5 @@ | 0.8.0 | 10.11.2 | Upgraded MariaDB to 10.11.2 | | 0.8.1 | 10.11.2 | Implemented alternative distribution with `Deployment` template (thx @tim-hanssen) | | 0.8.2 | 10.11.2 | Fix default update strategy to `Recreate` for distribution with `Deployment` | +| 0.8.3 | 10.11.2 | Updated default security context | | | | | diff --git a/charts/mariadb/values.yaml b/charts/mariadb/values.yaml index a8444893..fef36b99 100644 --- a/charts/mariadb/values.yaml +++ b/charts/mariadb/values.yaml @@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run MariaDB as non-root, read only container without privilege escalation securityContext: 
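Review bot: The context comments framing this hunk in the etcd chart still read `Pod security context uses file system group 999 (postgres)` and `Default security options to run PostgreSQL as non-root (postgres user)`, copy-paste from the postgres chart; since the block is being edited, reword them to name etcd, e.g. `## Pod security context uses file system group 999 (etcd)`. Adding `supplementalGroups: [999]` beside `fsGroup: 999` is redundant on plain Kubernetes, where fsGroup is already applied to the container processes as a supplemental group; if it is there to satisfy an admission policy that inspects `supplementalGroups` explicitly, a comment saying so would record the intent, since the release note only says "Updated default security context". The same addition appears in the mariadb, mongodb, mysql, postgres and redis values.yaml hunks.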
@@ -47,6 +49,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## Default database service port (default MySQL/MariaDB port) service: diff --git a/charts/mongodb/Chart.yaml b/charts/mongodb/Chart.yaml index 09ea1c86..ab33345b 100644 --- a/charts/mongodb/Chart.yaml +++ b/charts/mongodb/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.5.12" +version: "0.5.13" appVersion: "6.0.5" diff --git a/charts/mongodb/README.md b/charts/mongodb/README.md index 68898361..b8d54fed 100644 --- a/charts/mongodb/README.md +++ b/charts/mongodb/README.md @@ -1,6 +1,6 @@ # MongoDB -   +   ## Changelog diff --git a/charts/mongodb/RELEASENOTES.md b/charts/mongodb/RELEASENOTES.md index 3128a4f9..acf72b62 100644 --- a/charts/mongodb/RELEASENOTES.md +++ b/charts/mongodb/RELEASENOTES.md @@ -62,4 +62,5 @@ | 0.5.10 | 6.0.4 | Upgraded to MongoDB 6.0.4 | | 0.5.11 | 6.0.5 | Upgraded to MongoDB 6.0.5 | | 0.5.12 | 6.0.5 | Implemented alternative distribution with `Deployment` template | +| 0.5.13 | 6.0.5 | Updated default security context | | | | | diff --git a/charts/mongodb/templates/_helpers.tpl b/charts/mongodb/templates/_helpers.tpl index 03693815..b20d2a36 100644 --- a/charts/mongodb/templates/_helpers.tpl +++ b/charts/mongodb/templates/_helpers.tpl @@ -65,7 +65,7 @@ Create the name of the service account to use Generate secret with configuration */}} {{- define "mongodb.createSecureConfig" -}} - {{- if or (or (.Values.settings.rootPassword) (.Values.settings.rootUsername)) (.Values.userDatabase) }} + {{- if or (or ((.Values.settings).rootPassword) ((.Values.settings).rootUsername)) (.Values.userDatabase) }} true {{- end }} {{- end }} diff --git a/charts/mongodb/values.yaml b/charts/mongodb/values.yaml index 97b0eccc..e227de51 100644 --- a/charts/mongodb/values.yaml +++ b/charts/mongodb/values.yaml 
@@ -28,6 +28,8 @@ podAnnotations: {} ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Pod management policy podManagementPolicy: OrderedReady @@ -43,6 +45,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL service: # Suffix of the headless service name diff --git a/charts/mysql/Chart.yaml b/charts/mysql/Chart.yaml index 3c1607e8..59f63bdb 100644 --- a/charts/mysql/Chart.yaml +++ b/charts/mysql/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.1.7" +version: "0.1.8" appVersion: "8.0.32-oracle" diff --git a/charts/mysql/README.md b/charts/mysql/README.md index 6f3416e1..dea75a00 100644 --- a/charts/mysql/README.md +++ b/charts/mysql/README.md @@ -1,6 +1,6 @@ # MySQL -   +   ## Changelog diff --git a/charts/mysql/RELEASENOTES.md b/charts/mysql/RELEASENOTES.md index f4fb6a2e..a27aa722 100644 --- a/charts/mysql/RELEASENOTES.md +++ b/charts/mysql/RELEASENOTES.md @@ -10,4 +10,5 @@ | 0.1.5 | 8.0.31 | Added support for init container resources (thx @Footur) | | 0.1.6 | 8.0.32 | Upgraded MySQL to 8.0.32 | | 0.1.7 | 8.0.32 | Implemented alternative distribution with `Deployment` template | +| 0.1.8 | 8.0.32 | Updated default security context | | | | | diff --git a/charts/mysql/values.yaml b/charts/mysql/values.yaml index c72ff9a2..ea160f69 100644 --- a/charts/mysql/values.yaml +++ b/charts/mysql/values.yaml @@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run MySQL as non-root, read only container without privilege escalation securityContext: @@ -47,6 +49,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## Default database service port (default MySQL port) service: diff --git a/charts/postgres/Chart.yaml b/charts/postgres/Chart.yaml index 8605444b..cb45c605 100644 
--- a/charts/postgres/Chart.yaml +++ b/charts/postgres/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.4.3" +version: "0.4.4" appVersion: "15.2" diff --git a/charts/postgres/README.md b/charts/postgres/README.md index f963b5a2..8a0b14b9 100644 --- a/charts/postgres/README.md +++ b/charts/postgres/README.md @@ -1,6 +1,6 @@ # PostgreSQL -   +   ## Changelog diff --git a/charts/postgres/RELEASENOTES.md b/charts/postgres/RELEASENOTES.md index 5de05449..2b070fd0 100644 --- a/charts/postgres/RELEASENOTES.md +++ b/charts/postgres/RELEASENOTES.md @@ -27,4 +27,5 @@ | 0.4.1 | 15.1 | Upgraded to Postgres 15.1 | | 0.4.2 | 15.2 | Upgraded to Postgres 15.2 | | 0.4.3 | 15.2 | Implemented alternative distribution with `Deployment` template | +| 0.4.4 | 15.2 | Updated default security context | | | | | diff --git a/charts/postgres/values.yaml b/charts/postgres/values.yaml index ed0d8f94..3dcc0167 100644 --- a/charts/postgres/values.yaml +++ b/charts/postgres/values.yaml @@ -35,6 +35,8 @@ updateStrategyType: RollingUpdate ## Pod security context uses file system group 999 (postgres) podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run PostgreSQL as non-root (postgres user), read only container without privilege escalation securityContext: @@ -44,6 +46,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## The postgres service configuration (Default is ClusterIP with port 5432) service: diff --git a/charts/redis/Chart.yaml b/charts/redis/Chart.yaml index bcd07e37..97d36156 100644 --- a/charts/redis/Chart.yaml +++ b/charts/redis/Chart.yaml @@ -8,7 +8,7 @@ maintainers: - name: groundhog2k # This is the chart version -version: "0.6.8" +version: "0.6.9" # This is the version number of the application being deployed. appVersion: "7.0.10" diff --git a/charts/redis/README.md b/charts/redis/README.md index 8bb368cd..c4dfafc0 100644 
--- a/charts/redis/README.md +++ b/charts/redis/README.md @@ -1,6 +1,6 @@ # Redis -   +   ## Changelog diff --git a/charts/redis/RELEASENOTES.md b/charts/redis/RELEASENOTES.md index 68be4508..d5928bff 100644 --- a/charts/redis/RELEASENOTES.md +++ b/charts/redis/RELEASENOTES.md @@ -28,4 +28,5 @@ | 0.6.6 | 7.0.10 | Fixed redis volume deployment in non-HA mode | | 0.6.7 | 7.0.10 | Fix default update strategy to `Recreate` for distribution with `Deployment` | | 0.6.8 | 7.0.10 | Made internal volume name configurable | +| 0.6.9 | 7.0.10 | Updated default security context | | | | | diff --git a/charts/redis/values.yaml b/charts/redis/values.yaml index 8f124ce9..cfd794e1 100644 --- a/charts/redis/values.yaml +++ b/charts/redis/values.yaml @@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run Redis as non-root, read only container without privilege escalation securityContext: @@ -47,6 +49,9 @@ securityContext: runAsNonRoot: true runAsUser: 999 runAsGroup: 999 + capabilities: + drop: + - ALL ## Default redis service port (default Redis server port 6379, defaul Redis sentinel port 26379) service: -- GitLab