From 4855f464f098b736e02b39b202d0fea34f8f6b25 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 18 Oct 2023 11:28:49 -0700
Subject: [PATCH 1/2] update to go1.21.3

---
 .github/workflows/vulncheck.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
index 9da6076e..7b37e3d8 100644
--- a/.github/workflows/vulncheck.yml
+++ b/.github/workflows/vulncheck.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- go-version: [ 1.21.1 ]
+ go-version: [ 1.21.3 ]
 steps:
 - name: Check out code into the Go module directory
 uses: actions/checkout@v3

From 94491916c07bdc6126e4e58fb45a756b384f2145 Mon Sep 17 00:00:00 2001
From: yaraskm <62650344+yaraskm@users.noreply.github.com>
Date: Thu, 19 Oct 2023 05:52:32 -0400
Subject: [PATCH 2/2] Leverage Helm values in templates (#251)

* Leverage Helm values in templates
- A number of variables exist in values.yaml that are not leveraged at all in the deployment templates, such as:
  - Resources
  - Service Account
  - Affinity
  - Tolerations
  - Security Context
- Updated the templates to leverage values that were already possible, as well as adding support for image.version
* Leverage the svc name pattern for client lookup as well
* Use a Secret to store S3 keys in K8S deployment
- Passing the access and secret keys directly as environment variables can inadvertently leak them in a multitenant system, as anyone with the `view` ClusterRole or higher on the namespace will have the ability to read the spec of the `Job`.
- Instead, create a secret with the keys and mount them as environment variables from there.
---------
Co-authored-by: Harshavardhana
---
 k8s/helm/templates/_helpers.tpl | 7 ++++++
 k8s/helm/templates/job.yaml | 32 ++++++++++++++++++++++++----
 k8s/helm/templates/secret.yaml | 9 ++++++++
 k8s/helm/templates/statefulset.yaml | 19 +++++++++++++++--
 k8s/helm/values.yaml | 33 ++++++++++++++++------------
 5 files changed, 79 insertions(+), 21 deletions(-)
 create mode 100644 k8s/helm/templates/secret.yaml

diff --git a/k8s/helm/templates/_helpers.tpl b/k8s/helm/templates/_helpers.tpl
index 763db267..8baf5c9d 100644
--- a/k8s/helm/templates/_helpers.tpl
+++ b/k8s/helm/templates/_helpers.tpl
@@ -31,6 +31,13 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Set the image tag to use.
+*/}}
+{{- define "warp.imageVersion" -}}
+{{- default .Chart.AppVersion .Values.image.version -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}
diff --git a/k8s/helm/templates/job.yaml b/k8s/helm/templates/job.yaml
index 0efcb8e1..fa98818d 100644
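Review bot: The comment on the new `warp.imageVersion` helper does not say that `default` treats an empty `image.version` as unset, nor that the value must be a string; an unquoted tag such as `1.20` is turned into the float `1.2` by the YAML parser before Helm ever sees it, so the rendered image reference would change without any error. Extending the block comment to `Image tag: .Values.image.version when set and non-empty (quote it in values.yaml), otherwise .Chart.AppVersion.` documents both. The `# version: latest` example added in the values.yaml hunk advertises a mutable tag; a pinned release in the example would be the safer default to show.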
--- a/k8s/helm/templates/job.yaml
+++ b/k8s/helm/templates/job.yaml
@@ -10,11 +10,11 @@ spec:
 restartPolicy: Never
 containers:
 - name: {{ include "warp.fullname" . }}
- image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+ image: "{{ .Values.image.repository }}:{{ include "warp.imageVersion" . }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
 - "{{ .Values.warpConfiguration.operationToBenchmark }}"
- - "--warp-client=warp-{0...{{ sub .Values.replicaCount 1 }}}.warp.{{ .Release.Namespace }}"
+ - "--warp-client={{ include "warp.fullname" . }}-{0...{{ sub .Values.replicaCount 1 }}}.{{ include "warp.fullname" . }}.{{ .Release.Namespace }}"
 {{- range $k, $v := .Values.warpJobArgs }}
 - --{{ $k }}={{ $v }}
 {{- end }}
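Review bot: The rewritten `--warp-client` argument encodes three assumptions that nothing in this hunk enforces: the StatefulSet pod prefix is `warp.fullname`, the headless Service that forms the middle DNS label is also named `warp.fullname`, and `replicaCount` equals the StatefulSet's replica count. Those templates are outside this hunk, so a rename in either would produce a host pattern no pod answers to, with no render-time error. A template comment above the line, `{{/* client hosts: <fullname>-{0..N}.<fullname>.<namespace>; must match statefulset.yaml and the headless Service name */}}`, keeps the coupling visible. The container block continues past the end of the hunk.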
@@ -28,10 +28,34 @@ spec:
 - name: WARP_REGION
 value: {{ .Values.warpConfiguration.s3ServerRegion | quote }}
 - name: WARP_ACCESS_KEY
- value: {{ .Values.warpConfiguration.s3AccessKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "warp.fullname" . }}-credentials
+ key: access_key
 - name: WARP_SECRET_KEY
- value: {{ .Values.warpConfiguration.s3SecretKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "warp.fullname" . }}-credentials
+ key: secret_key
+ {{- if .Values.serverResources }}
+ resources: {{- toYaml .Values.serverResources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ {{- if .Values.serviceAccount.create }}
+ serviceAccountName: {{ include "warp.serviceAccountName" . }}
+ {{- end }}
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{- .Values.podSecurityContext | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity: {{- .Values.affinity | toYaml | nindent 8 }}
+ {{- end }}
 {{- if .Values.nodeSelector }}
 nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }}
 {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- .Values.tolerations | toYaml | nindent 8 }}
+ {{- end }}
 backoffLimit: 4
diff --git a/k8s/helm/templates/secret.yaml b/k8s/helm/templates/secret.yaml
new file mode 100644
index 00000000..db9dedbb
--- /dev/null
+++ b/k8s/helm/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "warp.fullname" . }}-credentials
+ labels:
+ {{- include "warp.labels" . | nindent 4 }}
+data:
+ access_key: {{ .Values.warpConfiguration.s3AccessKey | b64enc }}
+ secret_key: {{ .Values.warpConfiguration.s3SecretKey | b64enc }}
diff --git a/k8s/helm/templates/statefulset.yaml b/k8s/helm/templates/statefulset.yaml
index ce3636a4..20754457 100644
--- a/k8s/helm/templates/statefulset.yaml
+++ b/k8s/helm/templates/statefulset.yaml
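Review bot: `serviceAccountName` is emitted only under `{{- if .Values.serviceAccount.create }}`, so a user who sets `create: false` and names an existing account in `serviceAccount.name` gets the namespace's `default` account instead of the one they asked for. If `warp.serviceAccountName` is the usual chart helper that already falls back on its own when `create` is false, the guard should go and the line be emitted unconditionally: `serviceAccountName: {{ include "warp.serviceAccountName" . }}`. The statefulset.yaml hunk carries the same guard. The pod `spec:` these lines belong to starts before the hunk.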
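Review bot: `b64enc` is applied to `s3AccessKey` and `s3SecretKey` unconditionally, so leaving either unset either aborts with an unhelpful type error or renders an empty credential, depending on how the engine treats a nil value; wrapping each with `required`, e.g. `access_key: {{ required "warpConfiguration.s3AccessKey must be set" .Values.warpConfiguration.s3AccessKey | b64enc }}`, fails the render with a clear message instead. Because the keys still arrive through values.yaml they are also kept in the Helm release record and printed by `helm get values`, so this Secret narrows who can read the Job spec, as the commit message says, but does not keep the keys out of the cluster's configuration store; letting the chart reference a pre-existing Secret instead of templating one would. An explicit `type: Opaque` would also make the intent visible to readers of the template.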
@@ -19,16 +19,31 @@ spec:
 spec:
 containers:
 - name: {{ .Chart.Name }}
- image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+ image: "{{ .Values.image.repository }}:{{ include "warp.imageVersion" . }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 args:
 - client
 ports:
 - name: http
- containerPort: 7761
+ containerPort: {{ .Values.service.port }}
+ {{- if .Values.clientResources }}
+ resources: {{- toYaml .Values.clientResources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ {{- if .Values.serviceAccount.create }}
+ serviceAccountName: {{ include "warp.serviceAccountName" . }}
+ {{- end }}
+ {{- if .Values.podSecurityContext }}
+ securityContext: {{- .Values.podSecurityContext | toYaml | nindent 8 }}
+ {{- end }}
 {{- if .Values.affinity }}
 affinity: {{- .Values.affinity | toYaml | nindent 8 }}
 {{- end }}
 {{- if .Values.nodeSelector }}
 nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }}
 {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- .Values.tolerations | toYaml | nindent 8 }}
+ {{- end }}
diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml
index 31068f62..64585986 100644
--- a/k8s/helm/values.yaml
+++ b/k8s/helm/values.yaml
@@ -8,6 +8,8 @@ replicaCount: 4
 image:
 repository: minio/warp
 pullPolicy: IfNotPresent
+ # Set version to use a specific release of Warp
+ # version: latest
 
 imagePullSecrets: []
 nameOverride: ""
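Review bot: `containerPort: {{ .Values.service.port }}` only changes what the pod declares; the container is still started with `args: - client` and no listen address, so if `service.port` is set to anything other than 7761 the declared port and the port the process binds diverge, and a Service that targets the named `http` port would be sending traffic to a port nothing listens on. Either pass the configured port to the client invocation as well (warp's client syntax is not visible here and should be confirmed) or keep `containerPort: 7761` and note in values.yaml that `service.port` must stay in sync with it. The pod template this belongs to starts before the hunk.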
@@ -52,30 +54,31 @@ serviceAccount:
 create: true
 # The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
- name:
+ # name:
 
-podSecurityContext: {}
- # fsGroup: 2000
+securityContext:
+ readOnlyRootFilesystem: true
 
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ fsGroup: 1001
 
 service:
 port: 7761
 
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+serverResources: {}
 # limits:
+ # cpu: 500m
+ # memory: 512Mi
+ # requests:
 # cpu: 100m
 # memory: 128Mi
+
+clientResources: {}
+ # limits:
+ # cpu: 4
+ # memory: 512Mi
 # requests:
 # cpu: 100m
 # memory: 128Mi
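Review bot: The new container `securityContext` default keeps only `readOnlyRootFilesystem: true` and drops the `capabilities: drop: - ALL` example the removed comment block carried, and neither context sets `allowPrivilegeEscalation`. Adding `allowPrivilegeEscalation: false` and `capabilities:` / `drop: ["ALL"]` under `securityContext` would let the shipped defaults meet the restricted Pod Security Standard together with the new `runAsNonRoot: true`; whether warp needs any capability cannot be confirmed from this hunk. `runAsUser: 1001` and `fsGroup: 1001` deserve a comment saying why 1001 was chosen (presumably the uid the warp image is built for — confirm), since a mismatch with the image's file ownership is not caught at render time.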