This is an automated email from the ASF dual-hosted git repository.

klesh pushed a commit to branch main
in repository 
https://gitbox.apache.org/repos/asf/incubator-devlake-helm-chart.git


The following commit(s) were added to refs/heads/main by this push:
     new 944faae  Feat: include security context (#121)
944faae is described below

commit 944faaec3169d39f88d3471a413e66d72eab0898
Author: Jorge GarcĂ­a <[email protected]>
AuthorDate: Thu May 4 05:37:38 2023 +0200

    Feat: include security context (#121)
    
    * feat: Add security context to pods and containers, and extra labels
    
    * Added new values to setup documentation.
    
    * Add documentation to new values
---
 HelmSetup.md                               | 12 ++++++++
 charts/devlake/templates/deployments.yaml  | 26 ++++++++++++++++++
 charts/devlake/templates/secrets.yaml      |  1 -
 charts/devlake/templates/statefulsets.yaml | 41 ++++++++++++++++++++++++++++
 charts/devlake/values.yaml                 | 44 ++++++++++++++++++++++++++++++
 5 files changed, 123 insertions(+), 1 deletion(-)

diff --git a/HelmSetup.md b/HelmSetup.md
index 68c4a9f..cbc9969 100644
--- a/HelmSetup.md
+++ b/HelmSetup.md
@@ -128,10 +128,16 @@ Some useful parameters for the chart, you could also 
check them in values.yaml
 | mysql.image.repository            | repository for mysql's image             
                | mysql                      |
 | mysql.image.tag                   | image tag for mysql's image              
                | 8                          |
 | mysql.image.pullPolicy            | pullPolicy for mysql's image             
                | IfNotPresent               |
+| mysql.extraLabels                 | extra labels for mysql's statefulset     
                | {}                         |
+| mysql.securityContext             | pod security context values              
                | {}                         |
+| mysql.containerSecurityContext    | container security context values        
                | {}                         |
 | grafana.image.repository          | repository for grafana's image           
                | apache/devlake-dashboard   |
 | grafana.image.pullPolicy          | pullPolicy for grafana's image           
                | Always                     |
 | grafana.useExternal               | If use external grafana server           
                | false                      |
 | grafana.externalUrl               | external grafana server if use external  
                | ""                         |
+| grafana.extraLabels               | extra labels for grafana's statefulset   
                | {}                         |
+| grafana.securityContext           | pod security context values              
                | {}                         |
+| grafana.containerSecurityContext  | container security context values        
                | {}                         |
 | lake.storage.class                | storage class for lake's volume          
                | ""                         |
 | lake.storage.size                 | volume size for lake's data              
                | 100Mi                      |
 | lake.image.repository             | repository for lake's image              
                | apache/devlake             |
@@ -139,6 +145,9 @@ Some useful parameters for the chart, you could also check 
them in values.yaml
 | lake.loggingDir                   | log dir for the lake server              
                | /app/logs                  |
 | lake.loggingLevel                 | log level for the lake server            
                | info                       |
 | lake.dotenv                       | initial configurations for injecting to 
lake's .env      | see Values.yaml            |
+| lake.extraLabels                  | extra labels for lake's statefulset      
                | {}                         |
+| lake.securityContext              | pod security context values              
                | {}                         |
+| lake.containerSecurityContext     | container security context values        
                | {}                         |
 | ui.image.repository               | repository for ui's image                
                | apache/devlake-config-ui   |
 | ui.image.pullPolicy               | pullPolicy for ui's image                
                | Always                     |
 | ui.basicAuth.enabled              | If the basic auth in ui is enabled       
                | false                      |
@@ -147,6 +156,9 @@ Some useful parameters for the chart, you could also check 
them in values.yaml
 | ui.basicAuth.useSecret            | If use secret instead of configmap for 
basic auth        | false                      |
 | ui.basicAuth.autoCreateSecret     | If let the helm chart create the secret  
                | true                       |
 | ui.basicAuth.secretName           | The basic auth secret name               
                | devlake-auth               |
+| ui.extraLabels                    | extra labels for ui's statefulset        
                | {}                         |
+| ui.securityContext                | pod security context values              
                | {}                         |
+| ui.containerSecurityContext       | container security context values        
                | {}                         |
 | service.type                      | Service type for exposed service         
                | NodePort                   |
 | service.uiPort                    | Node port for config ui                  
                | 32001                      |
 | service.ingress.enabled           | If enable ingress                        
                | false                      |
diff --git a/charts/devlake/templates/deployments.yaml 
b/charts/devlake/templates/deployments.yaml
index 568e6a0..d381490 100644
--- a/charts/devlake/templates/deployments.yaml
+++ b/charts/devlake/templates/deployments.yaml
@@ -34,9 +34,20 @@ spec:
       labels:
         {{- include "devlake.selectorLabels" . | nindent 8 }}
         devlakeComponent: grafana
+        {{- with .Values.grafana.extraLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
+      {{- with .Values.grafana.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       initContainers:
         {{- include "common.initContainerWaitDatabase" . | nindent 8 }}
+          {{- with .Values.grafana.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       containers:
         - name: grafana
           image: "{{ .Values.grafana.image.repository }}:{{ .Values.imageTag 
}}"
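Review bot: The init container's `securityContext` is attached to the output of `{{- include "common.initContainerWaitDatabase" . | nindent 8 }}` purely by indentation, so it is only valid while that helper renders exactly one list item whose keys sit at column 10 — any later change to the helper (which is outside this diff) silently turns these lines into a YAML error or a key on the wrong object. Rendering the context inside the helper, or passing it in as a parameter, would keep the two coupled explicitly. Reusing `grafana.containerSecurityContext` for the wait container is also an unstated assumption: a `readOnlyRootFilesystem` or non-root uid chosen for grafana may not suit whatever image the wait step runs. At minimum a comment such as `# init container inherits the main container's securityContext; split into its own value if the wait image needs different settings` above the `{{- with }}` would make that visible.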
@@ -74,6 +85,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.grafana.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- with .Values.grafana.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -115,7 +130,14 @@ spec:
       labels:
         {{- include "devlake.selectorLabels" . | nindent 8 }}
         devlakeComponent: ui
+        {{- with .Values.ui.extraLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
+      {{- with .Values.ui.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: config-ui
           image: "{{ .Values.ui.image.repository }}:{{ .Values.imageTag }}"
@@ -152,6 +174,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.ui.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- with .Values.ui.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/devlake/templates/secrets.yaml 
b/charts/devlake/templates/secrets.yaml
index 1b27174..d639516 100644
--- a/charts/devlake/templates/secrets.yaml
+++ b/charts/devlake/templates/secrets.yaml
@@ -14,7 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-# TEST
 {{- if and .Values.option.useConnectionDetailsSecret 
.Values.option.autoCreateSecret }}
 ---
 apiVersion: v1
diff --git a/charts/devlake/templates/statefulsets.yaml 
b/charts/devlake/templates/statefulsets.yaml
index 328dea0..7418865 100644
--- a/charts/devlake/templates/statefulsets.yaml
+++ b/charts/devlake/templates/statefulsets.yaml
@@ -35,7 +35,14 @@ spec:
       labels:
         {{- include "devlake.selectorLabels" . | nindent 8 }}
         devlakeComponent: mysql
+        {{- with .Values.mysql.extraLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
+      {{- with .Values.mysql.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: mysql
           image: "{{ .Values.mysql.image.repository }}:{{ 
.Values.mysql.image.tag }}"
@@ -84,6 +91,10 @@ spec:
               mountPath: /etc/localtime
               readOnly: true
             {{- end }}
+          {{- with .Values.mysql.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- with .Values.mysql.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -134,7 +145,14 @@ spec:
 #      labels:
 #        {{- include "devlake.selectorLabels" . | nindent 8 }}
 #        devlakeComponent: pgsql
+#          {{- with .Values.pgsql.extraLabels }}
+#          {{- toYaml . | nindent 8 }}
+#          {{- end }}
 #    spec:
+#      {{- with .Values.pgsql.securityContext }}
+#      securityContext:
+#        {{- toYaml . | nindent 8 }}
+#      {{- end }}
 #      containers:
 #        - name: pgsql
 #          image: "{{ .Values.pgsql.image.repository }}:{{ 
.Values.pgsql.image.tag }}"
@@ -178,6 +196,10 @@ spec:
 #              mountPath: /etc/localtime
 #              readOnly: true
 #            {{- end }}
+#          {{- with .Values.pgsql.containerSecurityContext }}
+#          securityContext:
+#            {{- toYaml . | nindent 12 }}
+#          {{- end }}
 #      {{- with .Values.pgsql.nodeSelector }}
 #      nodeSelector:
 #        {{- toYaml . | nindent 8 }}
@@ -230,12 +252,23 @@ spec:
       labels:
         {{- include "devlake.selectorLabels" . | nindent 8 }}
         devlakeComponent: lake
+        {{- with .Values.lake.extraLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       annotations:
         # Force reload on config changes
         checksum/devlake-config: {{ include (print $.Template.BasePath 
"/configmaps.yaml") . | sha256sum }}
     spec:
+      {{- with .Values.lake.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       initContainers:
         {{- include "common.initContainerWaitDatabase" . | nindent 8 }}
+          {{- with .Values.lake.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
         - name: patch-env
           image: "{{ .Values.alpine.image.repository }}:{{ 
.Values.alpine.image.tag }}"
           imagePullPolicy: {{ .Values.alpine.image.pullPolicy }}
@@ -261,6 +294,10 @@ spec:
           volumeMounts:
             - mountPath: /app/config
               name: {{ include "devlake.fullname" . }}-lake-config
+          {{- with .Values.lake.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       containers:
         - name: lake
           image: "{{ .Values.lake.image.repository }}:{{ .Values.imageTag }}"
@@ -296,6 +333,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.lake.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- if .Values.lake.hostNetwork }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
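Review bot: The container `securityContext` added here sits directly above the pre-existing `lake.hostNetwork` switch, and the two interact in a way the change does not document: with `hostNetwork: true` the pod shares the node's network namespace, which neither the pod nor the container security context can constrain, and the Pod Security Standards `baseline` profile rejects host networking regardless of how hardened the container is. Operators who set `lake.containerSecurityContext` to satisfy a `restricted`/`baseline` namespace will still see the pod rejected while `hostNetwork` is on. A caveat next to the `lake.hostNetwork` value (not in this diff) would save that surprise, e.g. `# hostNetwork bypasses network isolation; securityContext does not limit it and PSA baseline/restricted will reject the pod`. The `lake` container definition starts before this hunk.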
diff --git a/charts/devlake/values.yaml b/charts/devlake/values.yaml
index dabc87e..2aa6417 100644
--- a/charts/devlake/values.yaml
+++ b/charts/devlake/values.yaml
@@ -65,6 +65,12 @@ mysql:
 
   # affinity config for mysql if have
   affinity: {}
+  
+  extraLabels: {}
+
+  securityContext: {}
+
+  containerSecurityContext: {}
 
 # pgsql:
 #  # if use external pgsql server, please set true
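Review bot: Shipping `securityContext: {}` and `containerSecurityContext: {}` as the mysql defaults leaves the database pod running exactly as before — with whatever user and capabilities the image chooses — so the new hardening is entirely opt-in and nothing here points an operator at a sensible baseline. The other components get the same empty defaults and only the `ui` section further down carries commented examples. Suggest the same commented example block here, with the mysql-specific caveat that a non-root `runAsUser` needs a matching `fsGroup` so the data volume stays writable for the uid the image's entrypoint expects: `# fsGroup: <mysql uid>` / `# runAsUser: <mysql uid>` / `# runAsNonRoot: true`. Changing the live defaults is riskier, since existing volumes may already be owned by root.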
@@ -108,6 +114,12 @@ mysql:
 #
 #  # affinity config for pgsql if have
 #  affinity: {}
+#  
+#  extraLabels: {}
+#
+#  securityContext: {}
+#
+#  containerSecurityContext: {}
 
 grafana:
   # image for grafana
@@ -129,6 +141,13 @@ grafana:
   tolerations: []
 
   affinity: {}
+  
+  extraLabels: {}
+
+  securityContext: {}
+
+  containerSecurityContext: {}
+  
 
 
 lake:
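Review bot: Two of the added lines in the grafana section (`+  ` at the blank line before `extraLabels` and the one after `containerSecurityContext`) carry trailing spaces, and together with the existing blank lines they leave a run of three empty lines before `lake:`; yamllint flags both (`trailing-spaces`, `empty-lines`). Dropping the whitespace and one blank line keeps this stanza consistent with the `mysql` and `lake` sections in the same file, which end with a single blank line.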
@@ -162,6 +181,12 @@ lake:
   # debug, info, warn, error
   loggingLevel: "info"
 
+  extraLabels: {}
+
+  securityContext: {}
+
+  containerSecurityContext: {}
+
 ui:
   image:
     repository: apache/devlake-config-ui
@@ -182,6 +207,25 @@ ui:
     useSecret: false
     autoCreateSecret: true
     secretName: devlake-auth
+  
+  extraLabels: {}
+
+  ## SecurityContext holds pod-level security attributes and common container 
settings.
+  ## This defaults to non root user with uid 101 and gid 1000. 
*v1.PodSecurityContext  false
+  ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  securityContext: {}
+    # fsGroup: 101
+    # runAsGroup: 1000
+    # runAsNonRoot: true
+    # runAsUser: 101
+
+  ## K8s containers' Security Context
+  ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  containerSecurityContext: {}
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop: 
+    #       - all
 
 
 # alpine image for some init containers
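Review bot: The comment above `ui.securityContext` says the pod "defaults to non root user with uid 101 and gid 1000", but the value directly beneath it is `{}`, so nothing is defaulted — the sentence appears to be pasted from another chart's generated parameter table, and the trailing `*v1.PodSecurityContext  false` fragment is that table's type/required columns. Replace it with what this chart actually does, e.g. `## Pod-level security context; empty by default, so the image's own user applies.` followed by the existing ref line. In the `containerSecurityContext` example the dropped capability should be spelled `ALL` rather than `all`: the uppercase form is what the Kubernetes docs and, as far as I recall, the Pod Security Standards restricted profile's capability check use, so the lowercase example can mislead users toward a value that fails admission. Adding `# seccompProfile:` / `#   type: RuntimeDefault` to the pod-level example would round it out for the restricted profile.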
