Groundhog2k/issue1211 (#1226)

fb54174f · Göran Pöhner · GitHub · e5b2f52d · fb54174f · fb54174f
Unverified Commit fb54174f authored 2 years ago by Göran Pöhner Committed by GitHub 2 years ago
--- a/charts/etcd/Chart.yaml
+++ b/charts/etcd/Chart.yaml
@@ -7,6 +7,6 @@ type: application
 maintainers:
  - name: groundhog2k

-version: 0.1.1
+version: 0.1.2

 appVersion: "v3.5.7"
--- a/charts/etcd/README.md
+++ b/charts/etcd/README.md
 # Etcd

-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.5.7](https://img.shields.io/badge/AppVersion-v3.5.7-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.5.7](https://img.shields.io/badge/AppVersion-v3.5.7-informational?style=flat-square)

 ## Changelog

@@ -58,6 +58,10 @@ helm uninstall my-release
 | image.registry | string | `"quay.io/coreos"` | Image registry |
 | image.repository | string | `"etcd"` | Image name |
 | image.tag | string | `""` | Image tag |
+| initImage.pullPolicy | string | `"IfNotPresent"` | Init image pull policy |
+| initImage.registry | string | `"docker.io"` | Image registry |
+| initImage.repository | string | `"busybox"` | Init image name |
+| initImage.tag | string | `"latest"` | Init image tag |
 | imagePullSecrets | list | `[]` | Image pull secrets |
 | extraInitContainers | list | `[]` | Extra init containers |
 | extaContainers | list | `[]` | Extra containers for usage as sidecars |

--- a/charts/etcd/RELEASENOTES.md
+++ b/charts/etcd/RELEASENOTES.md
@@ -4,4 +4,5 @@
 | :------------ | :---------- | :----------------- |
 | 0.1.0 | v3.5.6 | Initial version |
 | 0.1.1 | v3.5.7 | Upgraded etcd to v3.5.7 |
+| 0.1.2 | v3.5.7 | Updated default security context |
 | | | |
--- a/charts/etcd/templates/etcdconfig.yaml
+++ b/charts/etcd/templates/etcdconfig.yaml
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "etcd.fullname" . }}
+  labels:
+    {{- include "etcd.labels" . | nindent 4 }}
+data:
+  {{- $replicaCount := int .Values.replicas }}
+  {{- $initialCluster := list }}
+  {{- $etcdFullname := include "etcd.fullname" . }}
+  {{- $etcdInternalServiceName := printf "%s-internal" $etcdFullname }}
+  {{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }}
+  {{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }}
+  ETCD_DATA_DIR: "/data/etcd"
+  ETCD_INITIAL_CLUSTER_TOKEN: "{{ .Values.settings.clusterToken }}"
+  ETCD_INITIAL_CLUSTER_STATE: "new"
+  ETCD_LISTEN_CLIENT_URLS: "{{ $protocol }}://0.0.0.0:2379"
+  ETCD_LISTEN_PEER_URLS: "{{ $protocol }}://0.0.0.0:2380"
+  {{- if .Values.serviceMonitor.enabled }}
+  ETCD_LISTEN_METRICS_URLS: "http://0.0.0.0:12379"
+  {{- end }}
+  {{- range $e, $i := until $replicaCount }}
+  {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s:%d" $etcdFullname $i $protocol $etcdFullname $i $servicefqdn 2380) }}
+  {{- end }}
+  ETCD_INITIAL_CLUSTER: {{ join "," $initialCluster | quote }}
+  {{- if .Values.settings.https.autoTls }}
+  ETCD_AUTO_TLS: "true"
+  ETCD_PEER_AUTO_TLS: "true"
+  {{- end }}
--- a/charts/etcd/templates/scripts.yaml
+++ b/charts/etcd/templates/scripts.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "etcd.fullname" . }}-scripts
-  labels:
-    {{- include "etcd.labels" . | nindent 4 }}
-data:
-  startup.sh: |
-    #!/bin/sh
-    {{- $replicaCount := int .Values.replicas }}
-    {{- $etcdFullname := include "etcd.fullname" . }}
-    {{- $etcdInternalServiceName := printf "%s-internal" $etcdFullname }}
-    {{- $initialCluster := list }}
-    {{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }}
-    {{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }}
-    echo "Initializing Etcd instance..."
-    export ETCD_DATA_DIR="/data/etcd"
-    export ETCD_NAME="${HOSTNAME}"
-    export ETCD_INITIAL_CLUSTER_TOKEN="{{ .Values.settings.clusterToken }}"
-    export ETCD_INITIAL_CLUSTER_STATE="new"
-    export ETCD_LISTEN_CLIENT_URLS="{{ $protocol }}://0.0.0.0:2379"
-    export ETCD_LISTEN_PEER_URLS="{{ $protocol }}://0.0.0.0:2380"
-    {{- if .Values.serviceMonitor.enabled }}
-    export ETCD_LISTEN_METRICS_URLS="http://0.0.0.0:12379"
-    {{- end }}
-    export ETCD_ADVERTISE_CLIENT_URLS="{{ $protocol }}://${HOSTNAME}.{{ $servicefqdn }}:2379"
-    export ETCD_INITIAL_ADVERTISE_PEER_URLS="{{ $protocol }}://${HOSTNAME}.{{ $servicefqdn }}:2380"
-    {{- range $e, $i := until $replicaCount }}
-    {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s:%d" $etcdFullname $i $protocol $etcdFullname $i $servicefqdn 2380) }}
-    {{- end }}
-    export ETCD_INITIAL_CLUSTER="{{ join "," $initialCluster | quote }}"
-    {{- if .Values.settings.https.autoTls }}
-    export ETCD_AUTO_TLS="true"
-    export ETCD_PEER_AUTO_TLS="true"
-    {{- end }}
-    mkdir -p ${ETCD_DATA_DIR}
-    chmod 700 ${ETCD_DATA_DIR}
-    echo "Finished."
-    echo "Starting etcd..."
-    etcd $@ &
-    etcdproc=$!
-    trap "_terminate $etcdproc 15 {{ .Values.settings.shutdownDelay }}" 15
-    trap "_terminate $etcdproc 9 {{ .Values.settings.shutdownDelay }}" 9
-    wait $etcdproc
-
-    # Terminates a child process
-    # $1 - PID of child process
-    # $2 - Kill signal number
-    # $3 - Delay before terminate (leave empty if no delay desired)
-    _terminate() {
-      local childproc=$1
-      local signal=$2
-      local delay=$3
-      log "Terminating entrypoint"
-      etcd
-      kill -s $signal $childproc
-      if [ ! -z "$delay" ]; then
-        log "Waiting $delay seconds before termination..."
-        sleep $delay
-      fi
-
-      log "Bye bye"
-    }
-  
-  healthcheck.sh: |
-    #!/bin/sh
-    etcdctl endpoint health {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }}
--- a/charts/etcd/templates/statefulset.yaml
+++ b/charts/etcd/templates/statefulset.yaml
+{{- $fullname := include "etcd.fullname" . }}
+{{- $etcdInternalServiceName := printf "%s-internal" $fullname }}
+{{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }}
+{{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }}
+{{- $createPvc := and (empty .Values.storage.persistentVolumeClaimName) (.Values.storage.requestedSize) }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: {{ include "etcd.fullname" . }}
+  name: {{ $fullname }}
  labels:
    {{- include "etcd.labels" . | nindent 4 }}
 spec:
@@ -9,9 +14,9 @@ spec:
  {{- if .Values.revisionHistoryLimit }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
  {{- end }}
-  serviceName: {{ include "etcd.fullname" . }}-internal
+  serviceName: {{ $fullname }}-internal
  podManagementPolicy: {{ .Values.podManagementPolicy }}
-  updateStrategy: 
+  updateStrategy:
    type: {{ .Values.updateStrategyType }}
  selector:
    matchLabels:
@@ -19,7 +24,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }}
+        checksum/etcdconfig: {{ include (print $.Template.BasePath "/etcdconfig.yaml") . | sha256sum }}
      {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
@@ -33,7 +38,19 @@ spec:
      serviceAccountName: {{ include "etcd.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers: 
+      initContainers:
+        - name: {{ .Chart.Name }}-init
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.initImage.registry }}/{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+          imagePullPolicy: {{ .Values.initImage.pullPolicy }}
+          volumeMounts:
+            - name: {{ .Values.storage.volumeName }}
+              mountPath: /data
+          command: ["/bin/sh"]
+          args: ["-c", "mkdir -p /data/etcd && chmod 700 /data/etcd"]
      {{- with .Values.extraInitContainers }}
      {{- toYaml . | nindent 8 }}
      {{- end }}
@@ -60,7 +77,10 @@ spec:
          startupProbe:
            exec:
              command:
-                - /scripts/healthcheck.sh
+                - /usr/local/bin/etcdctl 
+                - endpoint 
+                - health 
+                - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }}
          {{- with .Values.startupProbe }}
            initialDelaySeconds: {{ .initialDelaySeconds }}
            timeoutSeconds: {{ .timeoutSeconds }}
@@ -78,7 +98,10 @@ spec:
          livenessProbe:
            exec:
              command:
-                - /scripts/healthcheck.sh
+                - /usr/local/bin/etcdctl 
+                - endpoint 
+                - health 
+                - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }}
          {{- with .Values.livenessProbe }}
            initialDelaySeconds: {{ .initialDelaySeconds }}
            timeoutSeconds: {{ .timeoutSeconds }}
@@ -96,7 +119,10 @@ spec:
          readinessProbe:
            exec:
              command:
-                - /scripts/healthcheck.sh
+                - /usr/local/bin/etcdctl 
+                - endpoint 
+                - health 
+                - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }}
          {{- with .Values.readinessProbe }}
            initialDelaySeconds: {{ .initialDelaySeconds }}
            timeoutSeconds: {{ .timeoutSeconds }}
@@ -110,19 +136,29 @@ spec:
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
-          command:
-            - /scripts/startup.sh
          {{- if .Values.args }}
          args:
            {{- range .Values.args }}
            - {{ . }}
            {{- end }}
          {{- end }}
-          {{- with .Values.env }}
          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: ETCD_NAME
+              value: $(NODE_NAME)
+            - name: ETCD_ADVERTISE_CLIENT_URLS
+              value: "{{ $protocol }}://$(NODE_NAME).{{ $servicefqdn }}:2379"
+            - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
+              value: "{{ $protocol }}://$(NODE_NAME).{{ $servicefqdn }}:2380"
+          {{- with .Values.env }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
          envFrom:
+            - configMapRef:
+                name: {{ $fullname }}
          {{- range .Values.extraEnvSecrets }}
            - secretRef:
                name: {{ . }}
@@ -132,8 +168,6 @@ spec:
              mountPath: /data
            - name: tmp
              mountPath: /tmp
-            - name: scripts
-              mountPath: /scripts
            {{- range $secret := .Values.extraSecrets }}
            - name: {{ $secret.name }}
              mountPath: {{ $secret.mountPath }}
@@ -156,38 +190,35 @@ spec:
      volumes:
        - name: tmp
          emptyDir: {}
-        - name: scripts
-          configMap:
-            name: {{ include "etcd.fullname" . }}-scripts
-            defaultMode: 0555
        {{- range $secret := .Values.extraSecrets }}
        - name: {{ $secret.name }}
          secret:
            secretName: {{ $secret.name }}
            defaultMode: 0440
        {{- end }}
-  {{- if .Values.storage.persistentVolumeClaimName }}
-        - name: {{ .Values.storage.volumeName }}
+{{- with .Values.storage }}
+  {{- if not $createPvc }}
+        - name: {{ .volumeName }}
+        {{- if .persistentVolumeClaimName }}
          persistentVolumeClaim:
-            claimName: {{ .Values.storage.persistentVolumeClaimName }}
-  {{- else }}
-  {{- if not .Values.storage.requestedSize }}
-        - name: {{ .Values.storage.volumeName }}
+            claimName: {{ .persistentVolumeClaimName }}
+        {{- else }}
          emptyDir: {}
+        {{- end }}
  {{- else }}
  volumeClaimTemplates:
    - metadata:
-        name: {{ .Values.storage.volumeName }}
+        name: {{ .volumeName }}
      spec:
-        {{- with .Values.storage.accessModes }}
+        {{- with .accessModes }}
        accessModes:
          {{- toYaml . | nindent 10 }}
        {{- end }}
-        {{- if .Values.storage.className }}
-        storageClassName: {{ .Values.storage.className }}
+        {{- if .className }}
+        storageClassName: {{ .className }}
        {{- end }}
        resources:
          requests:
-            storage: {{ .Values.storage.requestedSize }}
+            storage: {{ .requestedSize }}
  {{- end }}
-  {{- end }}
\ No newline at end of file
+{{- end }}
\ No newline at end of file
--- a/charts/etcd/values.yaml
+++ b/charts/etcd/values.yaml
@@ -7,6 +7,13 @@ image:
  pullPolicy: IfNotPresent
  tag: ""

+# Default Init container image
+initImage:
+  registry: "docker.io"
+  repository: "busybox"
+  pullPolicy: IfNotPresent
+  tag: "latest"
+
 ## Pull secrets and name override options
 imagePullSecrets: []
 nameOverride: ""
@@ -39,6 +46,8 @@ updateStrategyType: RollingUpdate
 ## Pod security context uses file system group 999 (postgres)
 podSecurityContext:
  fsGroup: 999
+  supplementalGroups:
+    - 999

 ## Default security options to run PostgreSQL as non-root (postgres user), read only container without privilege escalation
 securityContext:
@@ -48,6 +57,9 @@ securityContext:
  runAsNonRoot: true
  runAsGroup: 999
  runAsUser: 999
+  capabilities:
+    drop:
+      - ALL

 ## Etcd service ports (default: Client port 2379, Peer port 2380)
 service:

--- a/charts/mariadb/Chart.yaml
+++ b/charts/mariadb/Chart.yaml
@@ -7,6 +7,6 @@ type: application
 maintainers:
  - name: groundhog2k

-version: "0.8.2"
+version: "0.8.3"

 appVersion: "10.11.2"
--- a/charts/mariadb/README.md
+++ b/charts/mariadb/README.md
 # MariaDB

-![Version: 0.8.2](https://img.shields.io/badge/Version-0.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.11.2](https://img.shields.io/badge/AppVersion-10.11.2-informational?style=flat-square)
+![Version: 0.8.3](https://img.shields.io/badge/Version-0.8.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.11.2](https://img.shields.io/badge/AppVersion-10.11.2-informational?style=flat-square)

 ## Changelog


--- a/charts/mariadb/RELEASENOTES.md
+++ b/charts/mariadb/RELEASENOTES.md
@@ -49,4 +49,5 @@
 | 0.8.0 | 10.11.2 | Upgraded MariaDB to 10.11.2 |
 | 0.8.1 | 10.11.2 | Implemented alternative distribution with `Deployment` template (thx @tim-hanssen) |
 | 0.8.2 | 10.11.2 | Fix default update strategy to `Recreate` for distribution with `Deployment` |
+| 0.8.3 | 10.11.2 | Updated default security context |
 | | | |
--- a/charts/mariadb/values.yaml
+++ b/charts/mariadb/values.yaml
@@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate
 ## Pod security options
 podSecurityContext:
  fsGroup: 999
+  supplementalGroups:
+    - 999

 ## Default security options to run MariaDB as non-root, read only container without privilege escalation
 securityContext:
@@ -47,6 +49,9 @@ securityContext:
  runAsNonRoot: true
  runAsGroup: 999
  runAsUser: 999
+  capabilities:
+    drop:
+      - ALL

 ## Default database service port (default MySQL/MariaDB port)
 service:

--- a/charts/mongodb/Chart.yaml
+++ b/charts/mongodb/Chart.yaml
@@ -7,6 +7,6 @@ type: application
 maintainers:
  - name: groundhog2k

-version: "0.5.12"
+version: "0.5.13"

 appVersion: "6.0.5"
--- a/charts/mongodb/README.md
+++ b/charts/mongodb/README.md
 # MongoDB

-![Version: 0.5.12](https://img.shields.io/badge/Version-0.5.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.0.5](https://img.shields.io/badge/AppVersion-6.0.5-informational?style=flat-square)
+![Version: 0.5.13](https://img.shields.io/badge/Version-0.5.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.0.5](https://img.shields.io/badge/AppVersion-6.0.5-informational?style=flat-square)

 ## Changelog


--- a/charts/mongodb/RELEASENOTES.md
+++ b/charts/mongodb/RELEASENOTES.md
@@ -62,4 +62,5 @@
 | 0.5.10 | 6.0.4 | Upgraded to MongoDB 6.0.4 |
 | 0.5.11 | 6.0.5 | Upgraded to MongoDB 6.0.5 |
 | 0.5.12 | 6.0.5 | Implemented alternative distribution with `Deployment` template |
+| 0.5.13 | 6.0.5 | Updated default security context |
 | | | |
--- a/charts/mongodb/templates/_helpers.tpl
+++ b/charts/mongodb/templates/_helpers.tpl
@@ -65,7 +65,7 @@ Create the name of the service account to use
 Generate secret with configuration
 */}}
 {{- define "mongodb.createSecureConfig" -}}
-  {{- if or (or (.Values.settings.rootPassword) (.Values.settings.rootUsername)) (.Values.userDatabase) }}
+  {{- if or (or ((.Values.settings).rootPassword) ((.Values.settings).rootUsername)) (.Values.userDatabase) }}
 true
  {{- end }}
 {{- end }}
--- a/charts/mongodb/values.yaml
+++ b/charts/mongodb/values.yaml
@@ -28,6 +28,8 @@ podAnnotations: {}
 ## Pod security options
 podSecurityContext:
  fsGroup: 999
+  supplementalGroups:
+    - 999

 ## Pod management policy
 podManagementPolicy: OrderedReady
@@ -43,6 +45,9 @@ securityContext:
  runAsNonRoot: true
  runAsGroup: 999
  runAsUser: 999
+  capabilities:
+    drop:
+      - ALL

 service:
  # Suffix of the headless service name

--- a/charts/mysql/Chart.yaml
+++ b/charts/mysql/Chart.yaml
@@ -7,6 +7,6 @@ type: application
 maintainers:
  - name: groundhog2k

-version: "0.1.7"
+version: "0.1.8"

 appVersion: "8.0.32-oracle"
--- a/charts/mysql/README.md
+++ b/charts/mysql/README.md
 # MySQL

-![Version: 0.1.7](https://img.shields.io/badge/Version-0.1.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.0.32](https://img.shields.io/badge/AppVersion-8.0.32--oracle-informational?style=flat-square)
+![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 8.0.32](https://img.shields.io/badge/AppVersion-8.0.32--oracle-informational?style=flat-square)

 ## Changelog


--- a/charts/mysql/RELEASENOTES.md
+++ b/charts/mysql/RELEASENOTES.md
@@ -10,4 +10,5 @@
 | 0.1.5 | 8.0.31 | Added support for init container resources (thx @Footur) |
 | 0.1.6 | 8.0.32 | Upgraded MySQL to 8.0.32 |
 | 0.1.7 | 8.0.32 | Implemented alternative distribution with `Deployment` template |
+| 0.1.8 | 8.0.32 | Updated default security context |
 | | | |
--- a/charts/mysql/values.yaml
+++ b/charts/mysql/values.yaml
@@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate
 ## Pod security options
 podSecurityContext:
  fsGroup: 999
+  supplementalGroups:
+    - 999

 ## Default security options to run MySQL as non-root, read only container without privilege escalation
 securityContext:
@@ -47,6 +49,9 @@ securityContext:
  runAsNonRoot: true
  runAsGroup: 999
  runAsUser: 999
+  capabilities:
+    drop:
+      - ALL

 ## Default database service port (default MySQL port)
 service: