Allow chart users to specify a Security Context
Asgavar committed Mar 15, 2022
1 parent aa31d45 commit 1f7e109
Showing 9 changed files with 52 additions and 2 deletions.
2 changes: 1 addition & 1 deletion cockroachdb/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: cockroachdb
home: https://www.cockroachlabs.com
version: 7.0.0
version: 7.1.0
appVersion: 21.2.6
description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
4 changes: 4 additions & 0 deletions cockroachdb/README.md
@@ -343,6 +343,7 @@ For details see the [`values.yaml`](values.yaml) file.
| `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` |
| `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` |
| `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` |
| `statefulset.securityContext` | Security context for containers | `{}` |
| `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` |
| `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` |
| `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Services | `26257` |
@@ -379,6 +380,7 @@ For details see the [`values.yaml`](values.yaml) file.
| `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` |
| `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` |
| `init.resources` | Resource requests and limits for the Pod of init Job | `{}` |
| `init.securityContext` | Security context for the init job containers | `{}` |
| `tls.enabled` | Whether to run securely using TLS certificates | `no` |
| `tls.serviceAccount.create` | Whether to create a new RBAC service account | `yes` |
| `tls.serviceAccount.name` | Name of RBAC service account to use | `""` |
@@ -407,9 +409,11 @@ For details see the [`values.yaml`](values.yaml) file.
| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
| `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` |
| `tls.selfSigner.securityContext` | Security context applied to selfSigner containers | `{}` |
| `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` |
| `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
| `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
| `securityContext` | Security context applied to Pods | `{}` |


Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`.
4 changes: 4 additions & 0 deletions cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
@@ -22,6 +22,10 @@ spec:
- name: cert-rotate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
{{- end }}
args:
- rotate
- --ca
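Review bot: The pod-level `.Values.securityContext` that this commit applies to the StatefulSet and init Job pod specs (job.init.yaml, statefulset.yaml) is not applied to this CronJob's pod spec, nor to the pod specs of job-certSelfSigner.yaml and job-cleaner.yaml; only the container-level `tls.selfSigner.securityContext` reaches the certificate Jobs. Pod-only settings such as `fsGroup` or a pod-level `seccompProfile` therefore do nothing for those Pods, even though the README row added in this commit describes `securityContext` as "applied to Pods". Either add the same four-line block used in job.init.yaml — `{{- if .Values.securityContext }}`, `securityContext:`, `{{- toYaml .Values.securityContext | nindent N }}`, `{{- end }}` — under each of these Jobs' pod `spec:` (with `N` matching the CronJob's deeper jobTemplate nesting), or narrow the README and values.yaml wording to name the StatefulSet and init Job explicitly. The pod `spec:` of this CronJob lies above the hunk.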
@@ -21,6 +21,10 @@ spec:
- name: cert-rotate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
{{- end }}
args:
- rotate
{{- if .Values.tls.certs.selfSigner.caProvided }}
@@ -46,4 +50,4 @@ spec:
- name: CLUSTER_DOMAIN
value: {{ .Values.clusterDomain}}
serviceAccountName: {{ template "rotatecerts.fullname" . }}
{{- end}}
{{- end}}
4 changes: 4 additions & 0 deletions cockroachdb/templates/job-certSelfSigner.yaml
@@ -30,6 +30,10 @@ spec:
- name: cert-generate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
{{- end }}
args:
- generate
{{- if .Values.tls.certs.selfSigner.caProvided }}
4 changes: 4 additions & 0 deletions cockroachdb/templates/job-cleaner.yaml
@@ -30,6 +30,10 @@ spec:
- name: cleaner
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
{{- end }}
args:
- cleanup
- --namespace={{ .Release.Namespace }}
12 changes: 12 additions & 0 deletions cockroachdb/templates/job.init.yaml
@@ -36,6 +36,10 @@ spec:
spec:
restartPolicy: OnFailure
terminationGracePeriodSeconds: 0
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
imagePullSecrets:
{{- if .Values.image.credentials }}
@@ -51,6 +55,10 @@ spec:
- name: copy-certs
image: "busybox"
imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
{{- if .Values.init.securityContext }}
securityContext:
{{- toYaml .Values.init.securityContext | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -c
@@ -79,6 +87,10 @@ spec:
- name: cluster-init
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.init.securityContext }}
securityContext:
{{- toYaml .Values.init.securityContext | nindent 12 }}
{{- end }}
# Run the command in an `while true` loop because this Job is bound
# to come up before the CockroachDB Pods (due to the time needed to
# get PersistentVolumes attached to Nodes), and sleeping 5 seconds
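Review bot: The single `init.securityContext` value is rendered unchanged into two containers that run different images — the busybox `copy-certs` init container (second hunk) and the `cluster-init` container built from `.Values.image.repository` (third hunk) — and statefulset.yaml does the same with `statefulset.securityContext` for `copy-certs` and `db`. A container-level setting chosen for the CockroachDB image (for example a `runAsUser` or `readOnlyRootFilesystem`) may not suit the busybox shell that copies certificates, so users presumably need to know both containers receive it; the README rows added here say "containers" but do not name them. Add a comment above each `securityContext:` in this template, e.g. `# shared with the copy-certs init container; see .Values.init.securityContext`, or split the value into per-container keys if the two containers are expected to diverge. Both container definitions continue beyond the visible hunks.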
12 changes: 12 additions & 0 deletions cockroachdb/templates/statefulset.yaml
@@ -41,6 +41,10 @@ spec:
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
imagePullSecrets:
{{- if .Values.image.credentials }}
@@ -57,6 +61,10 @@ spec:
- name: copy-certs
image: "busybox"
imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
{{- if .Values.statefulset.securityContext }}
securityContext:
{{- toYaml .Values.statefulset.securityContext | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -c
@@ -143,6 +151,10 @@ spec:
- name: db
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.statefulset.securityContext }}
securityContext:
{{- toYaml .Values.statefulset.securityContext | nindent 12 }}
{{- end }}
args:
- shell
- -ecx
6 changes: 6 additions & 0 deletions cockroachdb/values.yaml
@@ -168,6 +168,7 @@ statefulset:
podManagementPolicy: Parallel
budget:
maxUnavailable: 1
securityContext: {}

# List of additional command-line arguments you want to pass to the
# `cockroach start` command.
@@ -389,6 +390,8 @@ init:
# cpu: "10m"
# memory: "128Mi"

securityContext: {}

provisioning:
enabled: false
# https://www.cockroachlabs.com/docs/stable/cluster-settings.html
@@ -491,6 +494,7 @@ tls:
registry: gcr.io
# username: john_doe
# password: changeme
securityContext: {}

networkPolicy:
enabled: false
@@ -521,3 +525,5 @@ iap:
# Create Google Cloud OAuth credentials and set client id and secret
# clientId:
# clientSecret:

securityContext: {}
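Review bot: None of the four new `securityContext: {}` keys carries a comment, although the neighbouring keys in this file are annotated (the `resources` and `credentials` stanzas visible in the hunks are documented line by line), and the keys have different scopes that a user cannot tell apart from the name alone. Above the top-level key add `# Pod-level securityContext (PodSecurityContext) applied to the StatefulSet and init Job Pods.` and `# Leave as {} to omit the field entirely; the templates skip it when empty.`, and above `statefulset.securityContext` add `# Container-level securityContext, applied to both the copy-certs init container and the db container.`, with matching comments for `init.securityContext` (copy-certs and cluster-init) and `tls.selfSigner.securityContext` (the certificate generate, rotate and cleanup Jobs). The "leave as {}" behaviour follows from the `{{- if ... }}` guards in the templates, which treat an empty map as false.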
