Merge "[COMMON] Synchronize common charts"
diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml
index 10894bd..986b96f 100644
--- a/kubernetes/common/common/Chart.yaml
+++ b/kubernetes/common/common/Chart.yaml
@@ -17,4 +17,4 @@
apiVersion: v2
description: Common templates for inclusion in other charts
name: common
-version: 13.2.3
+version: 13.2.4
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index 505d805..638db8c 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -78,7 +78,16 @@
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- {{ include "common.containerSecurityContext" . | indent 2 | trim }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsUser: 100
+ runAsGroup: 65533
resources:
limits:
cpu: 100m
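Review bot: The literal securityContext at lines 21-30 omits `runAsNonRoot: true` and a `seccompProfile`, both of which the metrics-container defaults added to mariadb-galera/values.yaml in this same change include, so the two hardened blocks introduced by one commit disagree on the baseline. Replacing the `common.containerSecurityContext` include with fixed values also pins `runAsUser: 100` / `runAsGroup: 65533` for every chart that renders this template, where the helper presumably took them from each chart's own values; please confirm that is intended. Consider adding `runAsNonRoot: true` and `seccompProfile:` / `type: RuntimeDefault` next to `allowPrivilegeEscalation: false`, or keeping the include. `CAP_NET_RAW` under `drop:` is redundant once `ALL` is dropped. The enclosing template definition starts before this hunk, and the diff as shown has lost its indentation, so nesting cannot be checked here.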
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml
index 6949da7..48de2c0 100644
--- a/kubernetes/common/elasticsearch/Chart.yaml
+++ b/kubernetes/common/elasticsearch/Chart.yaml
@@ -23,10 +23,10 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: master
version: ~13.x-0
repository: 'file://components/master'
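Review bot: `repository: '@local'` at lines 43 and 47 resolves only when a Helm repository alias named `local` is registered in the environment that packages the chart, whereas the replaced `file://` paths worked from a bare checkout. The serviceAccount and readinessCheck dependencies elsewhere in this diff (lines 231, 312, 398) already used `@local`, so the alias is presumably part of the project's build setup; stating that in the commit message would save the next reader the check. The same substitution is made in every Chart.yaml hunk that follows.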
diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml
index 390228b..baceb1d 100644
--- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml
@@ -23,7 +23,7 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../../../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml
index d49a210..30c925a 100644
--- a/kubernetes/common/elasticsearch/components/data/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml
@@ -23,7 +23,7 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../../../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml
index 73d5907..e481c7c 100644
--- a/kubernetes/common/elasticsearch/components/master/Chart.yaml
+++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml
@@ -22,7 +22,7 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../../../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../../../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml
index 02fc2c0..465364b 100644
--- a/kubernetes/common/etcd/Chart.yaml
+++ b/kubernetes/common/etcd/Chart.yaml
@@ -28,7 +28,7 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml
index a5790a4..7908bfa 100644
--- a/kubernetes/common/logConfiguration/Chart.yaml
+++ b/kubernetes/common/logConfiguration/Chart.yaml
@@ -22,4 +22,4 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml
index c5bb0aa..d97aa0e 100644
--- a/kubernetes/common/mariadb-galera/Chart.yaml
+++ b/kubernetes/common/mariadb-galera/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: Chart for MariaDB Galera cluster
name: mariadb-galera
-version: 13.2.0
+version: 13.2.1
keywords:
- mariadb
- mysql
@@ -30,14 +30,14 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: readinessCheck
version: ~13.x-0
- repository: 'file://../readinessCheck'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: serviceAccount
version: ~13.x-0
- repository: 'file://../serviceAccount'
+ repository: '@local'
condition: global.mariadbGalera.enableServiceAccount
\ No newline at end of file
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index f9b4de4..2b89519 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -55,7 +55,19 @@
image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ add:
+ - CHOWN
+ - SYS_CHROOT
+ runAsGroup: {{ .Values.securityContext.group_id }}
+ readOnlyRootFilesystem: false
runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
volumeMounts:
- name: previous-boot
mountPath: /bootstrap
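Review bot: The init container's `capabilities.add` at line 165 includes `SYS_CHROOT`, which a busybox container whose job is fixing file ownership should not normally need; if only the `chown` is required, `CHOWN` alone is the minimal set, so please confirm or document why `SYS_CHROOT` is added. `CAP_NET_RAW` in the `drop` list is redundant after `ALL` (the same pair appears at lines 25 and 206). Pairing `runAsUser: 0` with `runAsGroup: {{ .Values.securityContext.group_id }}` runs root with a non-root primary group; a one-line comment such as `# root with the DB group so files it creates are group-owned correctly` (TODO confirm that is the intent) would explain the unusual combination. The container definition starts before this hunk.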
@@ -169,6 +181,7 @@
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- end }}
+ {{ include "common.securityContext" . | indent 10 | trim }}
resources: {{ include "common.resources" . | nindent 12 }}
volumeMounts:
- name: previous-boot
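Review bot: Line 178 includes a helper named `common.securityContext`, while the rest of this file and the postgres-init job in this change use `common.podSecurityContext` and `common.containerSecurityContext`; the common-chart part of this diff does not add a `common.securityContext` definition, so unless it already exists in common/templates, rendering will fail with an undefined-template error. Please confirm the name, or use `{{ include "common.containerSecurityContext" . | indent 10 | trim }}` if the container-level helper is what is meant. The container spec this line belongs to starts before the hunk.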
@@ -218,7 +231,7 @@
timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
- {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+ securityContext: {{- toYaml .Values.metrics.securityContext | nindent 12 }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 47264f9..d8303dd 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -659,6 +659,19 @@
## - --collect.binlog_size
##
extraFlags: []
+ securityContext:
+ readOnlyRootFilesystem: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ - CAP_NET_RAW
+ runAsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
## MySQL Prometheus exporter containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml
index 0ac3750..d184491 100644
--- a/kubernetes/common/mariadb-init/Chart.yaml
+++ b/kubernetes/common/mariadb-init/Chart.yaml
@@ -23,10 +23,10 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: serviceAccount
version: ~13.x-0
repository: '@local'
diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
index 44c297a..b1d0b58 100644
--- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
@@ -167,7 +167,7 @@
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
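Review bot: Line 241 now dereferences `.Values.backup.emptyDir.sizeLimit`, but this change does not touch mongodb's values.yaml; if `backup.emptyDir` is not defined there, Helm aborts rendering with a nil-pointer error rather than emitting an empty value. The same applies to `.Values.hidden.emptyDir.sizeLimit`, `.Values.replicaSet.emptyDir.sizeLimit` and `.Values.standalone.emptyDir.sizeLimit` in the following three hunks. Please confirm each key has a default, or guard the line with `{{- with .Values.backup.emptyDir.sizeLimit }}` / `sizeLimit: {{ . }}` / `{{- end }}`. The volumes list being edited starts before the hunk.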
diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
index a64002a..493c2b2 100644
--- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
@@ -515,7 +515,7 @@
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.hidden.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
index 089119c..7de00e7 100644
--- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
@@ -513,7 +513,7 @@
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.replicaSet.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
index 619533d..817698b 100644
--- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
+++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
@@ -438,7 +438,7 @@
volumes:
- name: empty-dir
emptyDir:
- sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }}
+ sizeLimit: {{ .Values.standalone.emptyDir.sizeLimit }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml
index 342854c..4951ed6 100644
--- a/kubernetes/common/postgres-init/Chart.yaml
+++ b/kubernetes/common/postgres-init/Chart.yaml
@@ -1,5 +1,6 @@
# Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,16 +17,16 @@
apiVersion: v2
description: Chart for Postgres init job
name: postgres-init
-version: 13.0.2
+version: 13.0.3
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
- name: readinessCheck
version: ~13.x-0
repository: '@local'
diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml
index cc7d410..a2f7e12 100644
--- a/kubernetes/common/postgres-init/templates/job.yaml
+++ b/kubernetes/common/postgres-init/templates/job.yaml
@@ -39,6 +39,7 @@
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim }}
initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }}
containers:
- command:
@@ -82,6 +83,7 @@
- mountPath: /config
name: pgconf
resources: {{ include "common.resources" . | nindent 10 }}
+ {{ include "common.containerSecurityContext" . | indent 8 | trim }}
{{ include "common.waitForJobContainer" . | indent 6 | trim }}
{{- if .Values.nodeSelector }}
nodeSelector:
@@ -98,6 +100,7 @@
name: {{ include "common.fullname" . }}
- name: pgconf
emptyDir:
+ sizeLimit: 64Mi
medium: Memory
restartPolicy: Never
{{- include "common.imagePullSecrets" . | nindent 6 }}
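Review bot: Line 337 hardcodes `sizeLimit: 64Mi` on a `medium: Memory` emptyDir; data written to a memory-backed emptyDir counts against the container's memory limit, so a fixed size that is not tied to the `common.resources` profile can exceed what a small profile allows. The mongodb templates in this same change take the limit from values (`.Values.<role>.emptyDir.sizeLimit`); doing the same here, e.g. `sizeLimit: {{ .Values.pgconf.emptyDir.sizeLimit }}` with a matching default in values.yaml (key name constructed), would keep the charts consistent. The volumes list this hunk edits starts before the hunk.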
diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml
index cede7e0..99be835 100644
--- a/kubernetes/common/postgres-init/values.yaml
+++ b/kubernetes/common/postgres-init/values.yaml
@@ -97,6 +97,10 @@
roles:
- read
+securityContext:
+ user_id: 26
+ group_id: 26
+
readinessCheck:
wait_for:
services:
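Review bot: The new `securityContext.user_id: 26` / `group_id: 26` carry no comment saying where 26 comes from; the job template in this change includes `common.containerSecurityContext`, so these presumably become `runAsUser`/`runAsGroup`, and they only work if they match the user the postgres-init image actually runs as. A comment such as `# UID/GID the postgres-init image runs as; must match the image's postgres user (TODO confirm)` above `securityContext:` would make that coupling visible. Indentation of the new stanza is not recoverable from the diff as shown.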
diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml
index d1fb768..562b69f 100644
--- a/kubernetes/common/postgres/Chart.yaml
+++ b/kubernetes/common/postgres/Chart.yaml
@@ -22,7 +22,7 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml
index bd8adbf..c913417 100644
--- a/kubernetes/common/readinessCheck/Chart.yaml
+++ b/kubernetes/common/readinessCheck/Chart.yaml
@@ -22,7 +22,7 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
index 4e3eab3..b691c40 100644
--- a/kubernetes/common/serviceAccount/Chart.yaml
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -23,4 +23,4 @@
dependencies:
- name: common
version: ~13.x-0
- repository: 'file://../common'
+ repository: '@local'
diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml
index dd92121..b0569eb 100644
--- a/kubernetes/common/timescaledb/Chart.yaml
+++ b/kubernetes/common/timescaledb/Chart.yaml
@@ -33,4 +33,4 @@
repository: '@local'
- name: repositoryGenerator
version: ~13.x-0
- repository: 'file://../repositoryGenerator'
+ repository: '@local'
diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml
index bee389f..1d161f3 100644
--- a/kubernetes/common/timescaledb/templates/statefulset.yaml
+++ b/kubernetes/common/timescaledb/templates/statefulset.yaml
@@ -30,6 +30,22 @@
spec:
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
{{ include "common.podSecurityContext" . | indent 10 | trim}}
+ initContainers:
+ # we shouldn't need this but for unknown reason, it's fsGroup is not
+ # applied
+ - name: fix-permission
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data
+ image: {{ include "repositoryGenerator.image.busybox" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: {{ include "common.fullname" . }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
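Review bot: The `fix-permission` init container at lines 414-426 runs `chown -R` as `runAsUser: 0` with no capability restriction, no `allowPrivilegeEscalation: false` and no seccomp profile, while the equivalent init container added to mariadb-galera in this same change drops `ALL` and adds back only what it needs; a full-capability root container that mounts the data volume is the broadest footprint in the pod and should be narrowed the same way. The rewritten securityContext below applies that; note that if the volume already holds a tree owned by the postgres user, traversal as uid 0 without `DAC_OVERRIDE`/`DAC_READ_SEARCH` may fail, so verify on a populated volume before dropping those. The comment at lines 412-413 should also read `its fsGroup`, and since the diff has lost indentation the nesting of `initContainers:` under `spec:` cannot be checked here.

```yaml
      - name: fix-permission
        # … unchanged: command, args, image, imagePullPolicy …
        securityContext:
          runAsUser: 0
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
            add:
              - CHOWN
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumeMounts …
```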
@@ -78,9 +94,9 @@
{{- end }}
{{- with .Values.tolerations }}
tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence "ignoreHelmChart" true) | indent 6 | trim }}
-{{- end }}
+ {{- end }}