refa: avoid hard-coded uid in helm chart
In order to improve installation on openshift, we need to avoid the
hard-coded uid/gid in the helm chart
joshiste committed Dec 6, 2024
1 parent dbba75b commit d801bca
Showing 4 changed files with 55 additions and 41 deletions.
2 changes: 1 addition & 1 deletion charts/steadybit-extension-newrelic/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: steadybit-extension-newrelic
description: Steadybit newrelic extension Helm chart for Kubernetes.
version: 1.1.5
version: 1.1.6
appVersion: v1.0.7
home: https://www.steadybit.com/
icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
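Review bot: the version line moves from 1.1.5 to 1.1.6, a patch-level bump, although this commit changes what the chart renders by default (the fixed UID/GID 10000 is no longer emitted). Consider a minor bump, or at least an upgrade note, so operators who depended on the fixed UID for volume ownership or admission policy notice the change.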
11 changes: 3 additions & 8 deletions charts/steadybit-extension-newrelic/templates/deployment.yaml
Expand Up @@ -97,15 +97,10 @@ spec:
httpGet:
path: /health/readiness
port: 8091
{{- with .Values.containerSecurityContext }}
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
{{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
serviceAccountName: {{ .Values.serviceAccount.name }}
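Review bot: wrapping the container securityContext in `{{- with .Values.containerSecurityContext }}` makes the whole block disappear when that value is empty or null, so `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and the `drop: ALL` capabilities, which were unconditional before, become optional. If the goal is only to stop pinning runAsUser/runAsGroup, consider keeping those three settings in the template and merging user values on top, or state in values.yaml that overriding containerSecurityContext can remove them.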
Expand Up @@ -80,10 +80,11 @@ manifest should match snapshot using podAnnotations and Labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot with TLS:
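Review bot: in the rendered container securityContext, `runAsNonRoot: true` goes away together with runAsUser/runAsGroup, so non-root enforcement now rests on the pod-level securityContext alone. Keeping `runAsNonRoot: true` in the containerSecurityContext defaults as well would preserve that guarantee if someone overrides podSecurityContext with null.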
Expand Down Expand Up @@ -170,13 +171,14 @@ manifest should match snapshot with TLS:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /etc/extension/certificates/server-cert
name: certificate-server-cert
readOnly: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes:
- name: certificate-server-cert
Expand Down Expand Up @@ -270,10 +272,11 @@ manifest should match snapshot with extra env vars:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot with extra labels:
Expand Down Expand Up @@ -358,10 +361,11 @@ manifest should match snapshot with extra labels:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot with mutual TLS:
Expand Down Expand Up @@ -450,16 +454,17 @@ manifest should match snapshot with mutual TLS:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts:
- mountPath: /etc/extension/certificates/client-cert-a
name: certificate-client-cert-a
readOnly: true
- mountPath: /etc/extension/certificates/server-cert
name: certificate-server-cert
readOnly: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes:
- name: certificate-client-cert-a
Expand Down Expand Up @@ -556,10 +561,11 @@ manifest should match snapshot with mutual TLS using containerPaths:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot with numeric account id:
Expand Down Expand Up @@ -642,10 +648,11 @@ manifest should match snapshot with numeric account id:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot with podSecurityContext:
Expand Down Expand Up @@ -728,12 +735,12 @@ manifest should match snapshot with podSecurityContext:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
runAsUser: 2222
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot with priority class:
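Review bot: this is the only snapshot case that overrides a security context, and it covers podSecurityContext only; none of the cases visible in this snapshot sets the new containerSecurityContext value. Add a case that sets containerSecurityContext (for example a runAsUser for clusters that need a fixed UID) and checks that defaults such as `allowPrivilegeEscalation: false` are still rendered next to the override, as `runAsUser: 2222` is rendered next to `runAsNonRoot` and `seccompProfile` here.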
Expand Down Expand Up @@ -816,11 +823,12 @@ manifest should match snapshot with priority class:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
priorityClassName: my-priority-class
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
manifest should match snapshot without TLS:
Expand Down Expand Up @@ -903,9 +911,10 @@ manifest should match snapshot without TLS:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-extension-newrelic
volumes: null
14 changes: 12 additions & 2 deletions charts/steadybit-extension-newrelic/values.yaml
Expand Up @@ -112,8 +112,18 @@ affinity: {}
priorityClassName: null

# podSecurityContext -- SecurityContext to apply to the pod.
podSecurityContext: {}

podSecurityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true

# containerSecurityContext -- SecurityContext to apply to the container.
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# extraEnv -- Array with extra environment variables to add to the container
# e.g:
# extraEnv:
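Review bot: the new podSecurityContext default sets `runAsNonRoot: true` with no runAsUser anywhere in the defaults, so on clusters that do not assign a UID themselves (as OpenShift does) the kubelet can only start the container if the image declares a numeric non-root USER. Please confirm that for the extension image and add a comment above podSecurityContext saying when runAsUser has to be set. As a style point, a blank line between `- ALL` and `# extraEnv` would keep the sections separated like the others.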