From 1f7e1095d167e4541243bfaa75513141abbc61e5 Mon Sep 17 00:00:00 2001
From: Artur Juraszek
Date: Tue, 15 Mar 2022 13:53:32 +0100
Subject: [PATCH] Allow chart users to specify a Security Context

---
 cockroachdb/Chart.yaml | 2 +-
 cockroachdb/README.md | 4 ++++
 cockroachdb/templates/cronjob-ca-certSelfSigner.yaml | 4 ++++
 .../cronjob-client-node-certSelfSigner.yaml | 6 +++++-
 cockroachdb/templates/job-certSelfSigner.yaml | 4 ++++
 cockroachdb/templates/job-cleaner.yaml | 4 ++++
 cockroachdb/templates/job.init.yaml | 12 ++++++++++++
 cockroachdb/templates/statefulset.yaml | 12 ++++++++++++
 cockroachdb/values.yaml | 6 ++++++
 9 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/cockroachdb/Chart.yaml b/cockroachdb/Chart.yaml
index 7233fd72..3f65e2c0 100644
--- a/cockroachdb/Chart.yaml
+++ b/cockroachdb/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 7.0.0
+version: 7.1.0
 appVersion: 21.2.6
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
diff --git a/cockroachdb/README.md b/cockroachdb/README.md
index 75555599..3c4ab826 100644
--- a/cockroachdb/README.md
+++ b/cockroachdb/README.md
@@ -343,6 +343,7 @@ For details see the [`values.yaml`](values.yaml) file.
 | `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` |
 | `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` |
 | `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` |
+| `statefulset.securityContext` | Security context for containers | `{}` |
 | `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` |
 | `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` |
 | `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Services | `26257` |
@@ -379,6 +380,7 @@ For details see the [`values.yaml`](values.yaml) file.
 | `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` |
 | `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` |
 | `init.resources` | Resource requests and limits for the Pod of init Job | `{}` |
+| `init.securityContext` | Security context for the init job containers | `{}` |
 | `tls.enabled` | Whether to run securely using TLS certificates | `no` |
 | `tls.serviceAccount.create` | Whether to create a new RBAC service account | `yes` |
 | `tls.serviceAccount.name` | Name of RBAC service account to use | `""` |
@@ -407,9 +409,11 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
 | `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
 | `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` |
+| `tls.selfSigner.securityContext` | Security context applied to selfSigner containers | `{}` |
 | `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` |
 | `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
 | `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
+| `securityContext` | Security context applied to Pods | `{}` |
 
 Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`.
diff --git a/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml b/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
index 2885ba36..92da777e 100644
--- a/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
+++ b/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
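Review bot: The `securityContext` row added in the @@ -407 hunk says the value is "applied to Pods", but per the diffstat and the template hunks `.Values.securityContext` is only wired into the StatefulSet and init Job pod specs (statefulset.yaml, job.init.yaml); the four selfSigner templates (cronjob-ca-certSelfSigner, cronjob-client-node-certSelfSigner, job-certSelfSigner, job-cleaner) each gain only the four container-level lines. Pod-only fields such as `fsGroup` therefore cannot be set for the certificate generation, rotation and cleanup pods, so a user who hardens the pod level via this value gets no coverage there. Either add the same `{{- if .Values.securityContext }}` / `securityContext:` / `{{- toYaml .Values.securityContext | nindent N }}` block to those four pod specs, or narrow the description to "Pod-level security context for the StatefulSet and init Job Pods" so the README matches what is rendered.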
@@ -22,6 +22,10 @@ spec:
 - name: cert-rotate-job
 image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
 imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ {{- if .Values.tls.selfSigner.securityContext }}
+ securityContext:
+ {{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
+ {{- end }}
 args:
 - rotate
 - --ca
diff --git a/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml b/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
index 1bc42021..b7cd1bdc 100644
--- a/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
+++ b/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
@@ -21,6 +21,10 @@ spec:
 - name: cert-rotate-job
 image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
 imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ {{- if .Values.tls.selfSigner.securityContext }}
+ securityContext:
+ {{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
+ {{- end }}
 args:
 - rotate
 {{- if .Values.tls.certs.selfSigner.caProvided }}
@@ -46,4 +50,4 @@ spec:
 - name: CLUSTER_DOMAIN
 value: {{ .Values.clusterDomain}}
 serviceAccountName: {{ template "rotatecerts.fullname" . }}
- {{- end}}
\ No newline at end of file
+ {{- end}}
diff --git a/cockroachdb/templates/job-certSelfSigner.yaml b/cockroachdb/templates/job-certSelfSigner.yaml
index fdf091cb..f807be37 100644
--- a/cockroachdb/templates/job-certSelfSigner.yaml
+++ b/cockroachdb/templates/job-certSelfSigner.yaml
@@ -30,6 +30,10 @@ spec:
 - name: cert-generate-job
 image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
 imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ {{- if .Values.tls.selfSigner.securityContext }}
+ securityContext:
+ {{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
+ {{- end }}
 args:
 - generate
 {{- if .Values.tls.certs.selfSigner.caProvided }}
diff --git a/cockroachdb/templates/job-cleaner.yaml b/cockroachdb/templates/job-cleaner.yaml
index e87f3743..bcdbb53f 100644
--- a/cockroachdb/templates/job-cleaner.yaml
+++ b/cockroachdb/templates/job-cleaner.yaml
@@ -30,6 +30,10 @@ spec:
 - name: cleaner
 image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
 imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
+ {{- if .Values.tls.selfSigner.securityContext }}
+ securityContext:
+ {{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
+ {{- end }}
 args:
 - cleanup
 - --namespace={{ .Release.Namespace }}
diff --git a/cockroachdb/templates/job.init.yaml b/cockroachdb/templates/job.init.yaml
index e030154b..32d2891d 100644
--- a/cockroachdb/templates/job.init.yaml
+++ b/cockroachdb/templates/job.init.yaml
@@ -36,6 +36,10 @@ spec:
 spec:
 restartPolicy: OnFailure
 terminationGracePeriodSeconds: 0
+ {{- if .Values.securityContext }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
 {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
 imagePullSecrets:
 {{- if .Values.image.credentials }}
@@ -51,6 +55,10 @@ spec:
 - name: copy-certs
 image: "busybox"
 imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
+ {{- if .Values.init.securityContext }}
+ securityContext:
+ {{- toYaml .Values.init.securityContext | nindent 12 }}
+ {{- end }}
 command:
 - /bin/sh
 - -c
@@ -79,6 +87,10 @@ spec:
 - name: cluster-init
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.init.securityContext }}
+ securityContext:
+ {{- toYaml .Values.init.securityContext | nindent 12 }}
+ {{- end }}
 # Run the command in an `while true` loop because this Job is bound
 # to come up before the CockroachDB Pods (due to the time needed to
 # get PersistentVolumes attached to Nodes), and sleeping 5 seconds
diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
index ba920e07..f0e1c63d 100644
--- a/cockroachdb/templates/statefulset.yaml
+++ b/cockroachdb/templates/statefulset.yaml
@@ -41,6 +41,10 @@ spec:
 annotations: {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
+ {{- if .Values.securityContext }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
 {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
 imagePullSecrets:
 {{- if .Values.image.credentials }}
@@ -57,6 +61,10 @@ spec:
 - name: copy-certs
 image: "busybox"
 imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
+ {{- if .Values.statefulset.securityContext }}
+ securityContext:
+ {{- toYaml .Values.statefulset.securityContext | nindent 12 }}
+ {{- end }}
 command:
 - /bin/sh
 - -c
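Review bot: `init.securityContext` is applied unchanged to both the busybox `copy-certs` init container in this hunk and the `cluster-init` container in @@ -79, and `statefulset.securityContext` likewise to `copy-certs` (@@ -57) and `db` (@@ -143 in statefulset.yaml). The two containers in each pair run different images whose user and filesystem needs differ, so a context tuned for the cockroach container can fail the copy step or the other way round; the `copy-certs` command body is outside the hunk, so what it writes cannot be confirmed here. Consider a dedicated value for the init containers (for example `init.initContainerSecurityContext` and `statefulset.initContainerSecurityContext`, falling back to the existing key when unset) so the long-running containers can be restricted without also loosening or breaking the one-shot copy step.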
@@ -143,6 +151,10 @@ spec:
 - name: db
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.statefulset.securityContext }}
+ securityContext:
+ {{- toYaml .Values.statefulset.securityContext | nindent 12 }}
+ {{- end }}
 args:
 - shell
 - -ecx
diff --git a/cockroachdb/values.yaml b/cockroachdb/values.yaml
index fea72a06..f5feb659 100644
--- a/cockroachdb/values.yaml
+++ b/cockroachdb/values.yaml
@@ -168,6 +168,7 @@ statefulset:
 podManagementPolicy: Parallel
 budget:
 maxUnavailable: 1
+ securityContext: {}
 
 # List of additional command-line arguments you want to pass to the
 # `cockroach start` command.
@@ -389,6 +390,8 @@ init:
 # cpu: "10m"
 # memory: "128Mi"
 
+ securityContext: {}
+
 provisioning:
 enabled: false
 # https://www.cockroachlabs.com/docs/stable/cluster-settings.html
@@ -491,6 +494,7 @@ tls:
 registry: gcr.io
 # username: john_doe
 # password: changeme
+ securityContext: {}
 
 networkPolicy:
 enabled: false
@@ -521,3 +525,5 @@ iap:
 # Create Google Cloud OAuth credentials and set client id and secret
 # clientId:
 # clientSecret:
+
+securityContext: {}
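Review bot: The four values.yaml hunks (@@ -168, @@ -389, @@ -491, @@ -521) introduce `securityContext: {}` without any comment, while neighbouring keys carry commented examples (`# cpu: "10m"`, `# username: john_doe`). Each key should state which scope it targets and that an empty map renders nothing, because the pod-level `PodSecurityContext` and the container-level `SecurityContext` accept different fields (`fsGroup` is pod-only; `allowPrivilegeEscalation` and `capabilities` are container-only) and a field in the wrong place is only rejected at API validation time, not by `helm template`. Suggested comment for the statefulset key: `# Container-level securityContext for the copy-certs and db containers; rendered only when non-empty.`, followed by a commented hardened example (`# runAsNonRoot: true`, `# allowPrivilegeEscalation: false`, `# capabilities: {drop: [ALL]}`) to be validated against the images in use. Since the keys are new in this patch, naming them by scope before release (top-level `podSecurityContext`, `statefulset.containerSecurityContext`, and so on) would make the distinction self-documenting at no compatibility cost.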