This is an automated email from the ASF dual-hosted git repository.
klesh pushed a commit to branch main
in repository
https://gitbox.apache.org/repos/asf/incubator-devlake-helm-chart.git
The following commit(s) were added to refs/heads/main by this push:
new 944faae Feat: include security context (#121)
944faae is described below
commit 944faaec3169d39f88d3471a413e66d72eab0898
Author: Jorge GarcĂa <[email protected]>
AuthorDate: Thu May 4 05:37:38 2023 +0200
Feat: include security context (#121)
* feat: Add security context to pods and containers, and extra labels
* Added new values to setup documentation.
* Add documentation to new values
---
HelmSetup.md | 12 ++++++++
charts/devlake/templates/deployments.yaml | 26 ++++++++++++++++++
charts/devlake/templates/secrets.yaml | 1 -
charts/devlake/templates/statefulsets.yaml | 41 ++++++++++++++++++++++++++++
charts/devlake/values.yaml | 44 ++++++++++++++++++++++++++++++
5 files changed, 123 insertions(+), 1 deletion(-)
diff --git a/HelmSetup.md b/HelmSetup.md
index 68c4a9f..cbc9969 100644
--- a/HelmSetup.md
+++ b/HelmSetup.md
@@ -128,10 +128,16 @@ Some useful parameters for the chart, you could also
check them in values.yaml
| mysql.image.repository | repository for mysql's image
| mysql |
| mysql.image.tag | image tag for mysql's image
| 8 |
| mysql.image.pullPolicy | pullPolicy for mysql's image
| IfNotPresent |
+| mysql.extraLabels | extra labels for mysql's statefulset
| {} |
+| mysql.securityContext | pod security context values
| {} |
+| mysql.containerSecurityContext | container security context values
| {} |
| grafana.image.repository | repository for grafana's image
| apache/devlake-dashboard |
| grafana.image.pullPolicy | pullPolicy for grafana's image
| Always |
| grafana.useExternal | If use external grafana server
| false |
| grafana.externalUrl | external grafana server if use external
| "" |
+| grafana.extraLabels | extra labels for grafana's statefulset
| {} |
+| grafana.securityContext | pod security context values
| {} |
+| grafana.containerSecurityContext | container security context values
| {} |
| lake.storage.class | storage class for lake's volume
| "" |
| lake.storage.size | volume size for lake's data
| 100Mi |
| lake.image.repository | repository for lake's image
| apache/devlake |
@@ -139,6 +145,9 @@ Some useful parameters for the chart, you could also check
them in values.yaml
| lake.loggingDir | log dir for the lake server
| /app/logs |
| lake.loggingLevel | log level for the lake server
| info |
| lake.dotenv | initial configurations for injecting to
lake's .env | see Values.yaml |
+| lake.extraLabels | extra labels for lake's statefulset
| {} |
+| lake.securityContext | pod security context values
| {} |
+| lake.containerSecurityContext | container security context values
| {} |
| ui.image.repository | repository for ui's image
| apache/devlake-config-ui |
| ui.image.pullPolicy | pullPolicy for ui's image
| Always |
| ui.basicAuth.enabled | If the basic auth in ui is enabled
| false |
@@ -147,6 +156,9 @@ Some useful parameters for the chart, you could also check
them in values.yaml
| ui.basicAuth.useSecret | If use secret instead of configmap for
basic auth | false |
| ui.basicAuth.autoCreateSecret | If let the helm chart create the secret
| true |
| ui.basicAuth.secretName | The basic auth secret name
| devlake-auth |
+| ui.extraLabels | extra labels for ui's statefulset
| {} |
+| ui.securityContext | pod security context values
| {} |
+| ui.containerSecurityContext | container security context values
| {} |
| service.type | Service type for exposed service
| NodePort |
| service.uiPort | Node port for config ui
| 32001 |
| service.ingress.enabled | If enable ingress
| false |
diff --git a/charts/devlake/templates/deployments.yaml
b/charts/devlake/templates/deployments.yaml
index 568e6a0..d381490 100644
--- a/charts/devlake/templates/deployments.yaml
+++ b/charts/devlake/templates/deployments.yaml
@@ -34,9 +34,20 @@ spec:
labels:
{{- include "devlake.selectorLabels" . | nindent 8 }}
devlakeComponent: grafana
+ {{- with .Values.grafana.extraLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
+ {{- with .Values.grafana.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
initContainers:
{{- include "common.initContainerWaitDatabase" . | nindent 8 }}
+ {{- with .Values.grafana.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
containers:
- name: grafana
image: "{{ .Values.grafana.image.repository }}:{{ .Values.imageTag
}}"
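Review bot: The `securityContext:` appended after the `common.initContainerWaitDatabase` include relies on that helper (defined outside this hunk) emitting exactly one list item whose keys sit at the same column as the new key; if the helper ever emits a second container or changes its indentation, the context silently lands on the wrong item or the rendered init container becomes invalid, so a template comment such as `# appended to the single container emitted by common.initContainerWaitDatabase; keep that helper a one-item list` would make the coupling explicit. It also means one value, `grafana.containerSecurityContext`, is forced onto the wait-database init container and the grafana container alike, which limits how tightly the grafana container alone can be locked down. Separately, `grafana.extraLabels` is rendered into the pod template labels only, not the Deployment's own metadata, so the HelmSetup.md wording "extra labels for grafana's statefulset" is misleading on both counts (it is a Deployment, and the labels go on pods).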
@@ -74,6 +85,10 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
+ {{- with .Values.grafana.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- with .Values.grafana.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
@@ -115,7 +130,14 @@ spec:
labels:
{{- include "devlake.selectorLabels" . | nindent 8 }}
devlakeComponent: ui
+ {{- with .Values.ui.extraLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
+ {{- with .Values.ui.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
containers:
- name: config-ui
image: "{{ .Values.ui.image.repository }}:{{ .Values.imageTag }}"
@@ -152,6 +174,10 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
+ {{- with .Values.ui.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- with .Values.ui.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
diff --git a/charts/devlake/templates/secrets.yaml
b/charts/devlake/templates/secrets.yaml
index 1b27174..d639516 100644
--- a/charts/devlake/templates/secrets.yaml
+++ b/charts/devlake/templates/secrets.yaml
@@ -14,7 +14,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-# TEST
{{- if and .Values.option.useConnectionDetailsSecret
.Values.option.autoCreateSecret }}
---
apiVersion: v1
diff --git a/charts/devlake/templates/statefulsets.yaml
b/charts/devlake/templates/statefulsets.yaml
index 328dea0..7418865 100644
--- a/charts/devlake/templates/statefulsets.yaml
+++ b/charts/devlake/templates/statefulsets.yaml
@@ -35,7 +35,14 @@ spec:
labels:
{{- include "devlake.selectorLabels" . | nindent 8 }}
devlakeComponent: mysql
+ {{- with .Values.mysql.extraLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
spec:
+ {{- with .Values.mysql.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
containers:
- name: mysql
image: "{{ .Values.mysql.image.repository }}:{{
.Values.mysql.image.tag }}"
@@ -84,6 +91,10 @@ spec:
mountPath: /etc/localtime
readOnly: true
{{- end }}
+ {{- with .Values.mysql.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- with .Values.mysql.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
@@ -134,7 +145,14 @@ spec:
# labels:
# {{- include "devlake.selectorLabels" . | nindent 8 }}
# devlakeComponent: pgsql
+# {{- with .Values.pgsql.extraLabels }}
+# {{- toYaml . | nindent 8 }}
+# {{- end }}
# spec:
+# {{- with .Values.pgsql.securityContext }}
+# securityContext:
+# {{- toYaml . | nindent 8 }}
+# {{- end }}
# containers:
# - name: pgsql
# image: "{{ .Values.pgsql.image.repository }}:{{
.Values.pgsql.image.tag }}"
@@ -178,6 +196,10 @@ spec:
# mountPath: /etc/localtime
# readOnly: true
# {{- end }}
+# {{- with .Values.pgsql.containerSecurityContext }}
+# securityContext:
+# {{- toYaml . | nindent 12 }}
+# {{- end }}
# {{- with .Values.pgsql.nodeSelector }}
# nodeSelector:
# {{- toYaml . | nindent 8 }}
@@ -230,12 +252,23 @@ spec:
labels:
{{- include "devlake.selectorLabels" . | nindent 8 }}
devlakeComponent: lake
+ {{- with .Values.lake.extraLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
annotations:
# Force reload on config changes
checksum/devlake-config: {{ include (print $.Template.BasePath
"/configmaps.yaml") . | sha256sum }}
spec:
+ {{- with .Values.lake.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
initContainers:
{{- include "common.initContainerWaitDatabase" . | nindent 8 }}
+ {{- with .Values.lake.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
- name: patch-env
image: "{{ .Values.alpine.image.repository }}:{{
.Values.alpine.image.tag }}"
imagePullPolicy: {{ .Values.alpine.image.pullPolicy }}
@@ -261,6 +294,10 @@ spec:
volumeMounts:
- mountPath: /app/config
name: {{ include "devlake.fullname" . }}-lake-config
+ {{- with .Values.lake.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
containers:
- name: lake
image: "{{ .Values.lake.image.repository }}:{{ .Values.imageTag }}"
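Review bot: `lake.containerSecurityContext` is applied verbatim to the `patch-env` init container (its definition starts in the previous hunk), which runs the chart's alpine image and, judging by its name and the `/app/config` mount, presumably writes into that volume; the stock alpine image runs as root, so a hardened value such as `runAsNonRoot: true` or a non-root `runAsUser` — the very example the chart suggests for `ui` — would likely stop this init container from starting or from patching the config. Consider a dedicated `lake.initContainerSecurityContext` value, or at minimum a comment above this block, `# same context as the lake container; patch-env runs as root in the stock alpine image`, so operators know why the pod stalls in Init when they harden the lake container.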
@@ -296,6 +333,10 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
+ {{- with .Values.lake.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- if .Values.lake.hostNetwork }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
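Review bot: The new `lake.containerSecurityContext` sits right next to the pre-existing `lake.hostNetwork` switch, and nothing documents that enabling hostNetwork defeats most of what a restricted security context buys — the Pod Security Standards baseline profile rejects `hostNetwork: true` outright, whatever the container context says. A one-line note in values.yaml next to `hostNetwork`, e.g. `# hostNetwork is forbidden by the PSS baseline profile; securityContext cannot compensate for it`, would spare operators a surprising admission error. The lake container definition starts in the previous hunk.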
diff --git a/charts/devlake/values.yaml b/charts/devlake/values.yaml
index dabc87e..2aa6417 100644
--- a/charts/devlake/values.yaml
+++ b/charts/devlake/values.yaml
@@ -65,6 +65,12 @@ mysql:
# affinity config for mysql if have
affinity: {}
+
+ extraLabels: {}
+
+ securityContext: {}
+
+ containerSecurityContext: {}
# pgsql:
# # if use external pgsql server, please set true
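Review bot: `mysql.securityContext` and `mysql.containerSecurityContext` are exposed with no guidance, and MySQL is the component where a naive hardening value bites: the upstream `mysql:8` entrypoint expects to start as root and then switch to the `mysql` user itself, so `runAsNonRoot: true` or a non-root `runAsUser` without a matching `fsGroup` typically leaves the data PVC unwritable or the container refusing to start. A comment above these keys would prevent that, e.g. `# if you set runAsUser/runAsNonRoot here, also set fsGroup to the same gid so the data volume stays writable; the upstream mysql image otherwise starts as root and drops privileges itself`.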
@@ -108,6 +114,12 @@ mysql:
#
# # affinity config for pgsql if have
# affinity: {}
+#
+# extraLabels: {}
+#
+# securityContext: {}
+#
+# containerSecurityContext: {}
grafana:
# image for grafana
@@ -129,6 +141,13 @@ grafana:
tolerations: []
affinity: {}
+
+ extraLabels: {}
+
+ securityContext: {}
+
+ containerSecurityContext: {}
+
lake:
@@ -162,6 +181,12 @@ lake:
# debug, info, warn, error
loggingLevel: "info"
+ extraLabels: {}
+
+ securityContext: {}
+
+ containerSecurityContext: {}
+
ui:
image:
repository: apache/devlake-config-ui
@@ -182,6 +207,25 @@ ui:
useSecret: false
autoCreateSecret: true
secretName: devlake-auth
+
+ extraLabels: {}
+
+ ## SecurityContext holds pod-level security attributes and common container
settings.
+ ## This defaults to non root user with uid 101 and gid 1000.
*v1.PodSecurityContext false
+ ## ref:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ securityContext: {}
+ # fsGroup: 101
+ # runAsGroup: 1000
+ # runAsNonRoot: true
+ # runAsUser: 101
+
+ ## K8s containers' Security Context
+ ## ref:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - all
# alpine image for some init containers
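Review bot: The commented guidance in `ui.securityContext` contradicts the value it sits on: the comment says the chart `defaults to non root user with uid 101 and gid 1000`, but the default is `{}`, so nothing is enforced unless an operator uncomments the example, and the stray `*v1.PodSecurityContext false` fragment looks like a leftover from a generated reference that should be dropped. In the `containerSecurityContext` example, capabilities should be dropped with the canonical uppercase name, `- ALL`; Pod Security Admission's restricted profile checks for that literal, and lowercase `all` is not guaranteed to satisfy it. Reword the comment to `## Empty by default; uncomment the example to run config-ui as a non-root user (uid 101 / gid 1000 — verify against the image)`, and consider adding `readOnlyRootFilesystem: true` and `seccompProfile: { type: RuntimeDefault }` to the example so it meets the restricted profile. The other components get no such example at all, so the same block would be worth copying to mysql, grafana and lake with their own uid/gid.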