From 148611224a5cbbcba42f90eb6724990ce0dd4883 Mon Sep 17 00:00:00 2001 From: Sheogorath <sheogorath@shivering-isles.com> Date: Mon, 24 Apr 2023 23:59:26 +0200 Subject: [PATCH] fix(hedgedoc): Futureproof helm chart This patch adds the unreleased healthcheck path as well as setting hedgedoc up for PSS of restricted. --- charts/hedgedoc/Chart.yaml | 2 +- charts/hedgedoc/README.md | 11 +++++++--- charts/hedgedoc/templates/deployment.yaml | 8 +++++++ .../__snapshot__/98_snapshot_test.yaml.snap | 18 ++++++++++++---- charts/hedgedoc/values.yaml | 21 +++++++++++-------- 5 files changed, 43 insertions(+), 17 deletions(-) diff --git a/charts/hedgedoc/Chart.yaml b/charts/hedgedoc/Chart.yaml index 83daee6f7..4e14569e0 100644 --- a/charts/hedgedoc/Chart.yaml +++ b/charts/hedgedoc/Chart.yaml @@ -14,7 +14,7 @@ keywords: sources: - https://github.com/hedgedoc/hedgedoc/tree/master - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/tree/main/charts/hedgedoc -version: 0.2.3 +version: 0.3.0 # renovate: image=quay.io/hedgedoc/hedgedoc appVersion: 1.9.7 maintainers: diff --git a/charts/hedgedoc/README.md b/charts/hedgedoc/README.md index 8beee62c8..56a2864ce 100644 --- a/charts/hedgedoc/README.md +++ b/charts/hedgedoc/README.md @@ -1,6 +1,6 @@ # hedgedoc -   +   A platform to write and share markdown. @@ -72,7 +72,10 @@ A platform to write and share markdown. | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | +| podSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| podSecurityContext.fsGroup | int | `10000` | | +| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | postgresql.auth.database | string | `"hedgedoc"` | | | postgresql.auth.existingSecret | string | `""` | | | postgresql.auth.password | string | `""` | | 
@@ -80,7 +83,9 @@ A platform to write and share markdown. | postgresql.enabled | bool | `true` | | | postgresql.tls.enabled | bool | `false` | | | resources | object | `{}` | | -| securityContext | object | `{}` | | +| securityContext.readOnlyRootFilesystem | bool | `true` | | +| securityContext.runAsNonRoot | bool | `true` | | +| securityContext.runAsUser | int | `10000` | | | service.port | int | `80` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | diff --git a/charts/hedgedoc/templates/deployment.yaml b/charts/hedgedoc/templates/deployment.yaml index dcaad8e39..6fc63d86e 100644 --- a/charts/hedgedoc/templates/deployment.yaml +++ b/charts/hedgedoc/templates/deployment.yaml @@ -52,11 +52,19 @@ spec: protocol: TCP livenessProbe: httpGet: + {{- if (semverCompare ">1.9.7" .Chart.AppVersion)}} + path: /_health + {{- else }} path: /status + {{- end }} port: http readinessProbe: httpGet: + {{- if (semverCompare ">1.9.7" .Chart.AppVersion)}} + path: /_health + {{- else }} path: /status + {{- end }} port: http {{- if .Values.postgresql.tls.enabled }} volumeMounts: diff --git a/charts/hedgedoc/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/hedgedoc/tests/__snapshot__/98_snapshot_test.yaml.snap index 4e7ad6368..ffd96ee40 100644 --- a/charts/hedgedoc/tests/__snapshot__/98_snapshot_test.yaml.snap +++ b/charts/hedgedoc/tests/__snapshot__/98_snapshot_test.yaml.snap @@ -73,7 +73,7 @@ should match basic snapshot: imagePullPolicy: IfNotPresent livenessProbe: httpGet: - path: /status + path: /_health port: http name: hedgedoc ports: 
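Review bot: The `semverCompare ">1.9.7" .Chart.AppVersion` gate is evaluated against `Chart.yaml`, which this same patch leaves at `appVersion: 1.9.7`, yet the updated snapshot renders `path: /_health` — either the snapshot test overrides `appVersion` or the constraint does not evaluate as intended, and because a wrong probe path fails every liveness and readiness check and keeps the Deployment from ever becoming Ready, this should be confirmed before 0.3.0 ships. The gate also only tracks the chart's declared appVersion; if the chart lets `image.tag` override the deployed image (not visible in this hunk), the probe path should be derived from that value as well. Stylistically the identical condition is repeated for both probes; compute it once above the container spec, `{{- $healthPath := ternary "/_health" "/status" (semverCompare ">1.9.7" .Chart.AppVersion) }}`, and use `path: {{ $healthPath }}` in each probe. The containers stanza this hunk edits begins before the hunk.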
@@ -82,11 +82,21 @@ should match basic snapshot: protocol: TCP readinessProbe: httpGet: - path: /status + path: /_health port: http resources: {} - securityContext: {} - securityContext: {} + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10000 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + fsGroup: 10000 + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-hedgedoc 3: | apiVersion: networking.k8s.io/v1 diff --git a/charts/hedgedoc/values.yaml b/charts/hedgedoc/values.yaml index 510e8e714..d26b31b69 100644 --- a/charts/hedgedoc/values.yaml +++ b/charts/hedgedoc/values.yaml @@ -66,16 +66,19 @@ postgresql: podAnnotations: {} -podSecurityContext: {} - # fsGroup: 2000 +podSecurityContext: + allowPrivilegeEscalation: false + fsGroup: 10000 + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 +securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10000 service: type: ClusterIP -- GitLab
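Review bot: `allowPrivilegeEscalation` and `capabilities` under `podSecurityContext` are container-level `SecurityContext` fields; the pod-level `PodSecurityContext` does not define them, and the snapshot in this patch shows them rendered under the pod `spec.securityContext`, where the API server will either reject the manifest (strict field validation) or silently discard them. Either way the container itself never receives `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, which the `restricted` Pod Security Standard requires on every container, so the commit's stated goal is not met. Move those two keys into `securityContext` and keep only `fsGroup` and `seccompProfile` (valid at the pod level) in `podSecurityContext`; the README table and snapshot will need to follow. Separately, `readOnlyRootFilesystem: true` is presumably only safe if every path HedgeDoc writes to (e.g. its upload directory) is backed by a volume — not visible in this chart excerpt, so worth confirming before the 0.3.0 release.
```yaml
podSecurityContext:
  fsGroup: 10000
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10000
```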