RHIDP-1690: Fix SNYK findings (#25)

redhat-developer · Jun 20, 2024 · bec7efa · bec7efa
1 parent e53911e
commit bec7efa
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 2 deletions.
diff --git a/charts/backstage/Chart.yaml b/charts/backstage/Chart.yaml
@@ -45,4 +45,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.16.1
+version: 2.16.2
diff --git a/charts/backstage/README.md b/charts/backstage/README.md
@@ -2,7 +2,7 @@
 # RHDH Backstage Helm Chart for OpenShift
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/rhdh-chart&style=flat-square)](https://artifacthub.io/packages/search?repo=rhdh-chart)
-![Version: 2.16.1](https://img.shields.io/badge/Version-2.16.1-informational?style=flat-square)
+![Version: 2.16.2](https://img.shields.io/badge/Version-2.16.2-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for deploying RHDH (a Backstage application)

diff --git a/charts/backstage/templates/tests/test-connection.yaml b/charts/backstage/templates/tests/test-connection.yaml
@@ -12,7 +12,26 @@ metadata:
 spec:
   containers:
     - name: curl
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        capabilities:
+          drop: ["ALL"]
+        runAsNonRoot: false
+      resources:
+        requests:
+          cpu: 10m
+          memory: 20Mi
+        limits:
+          cpu: 10m
+          memory: 20Mi
+      livenessProbe:
+        exec:
+          command:
+          - ls
+          - /usr/bin/curl
       image: quay.io/curl/curl:latest
+      imagePullPolicy: IfNotPresent
       command: ["/bin/sh", "-c"]
       args:
         - |

diff --git a/charts/backstage/values.yaml b/charts/backstage/values.yaml
@@ -61,6 +61,22 @@ upstream:
         auth:
           keys:
             - secret: ${BACKEND_SECRET}
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      runAsNonRoot: true
+      readOnlyRootFilesystem: true
+      seccompProfile:
+        type: "RuntimeDefault"
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1Gi
+      limits:
+        cpu: 1000m
+        memory: 2.5Gi
+        ephemeral-storage: 5Gi
     readinessProbe:
       failureThreshold: 3
       httpGet:
@@ -101,6 +117,8 @@ upstream:
       # The initContainer below will install dynamic plugins in this volume mount.
       - name: dynamic-plugins-root
         mountPath: /opt/app-root/src/dynamic-plugins-root
+      - name: diststatic
+        mountPath: /opt/app-root/src/packages/app/dist/static
     extraVolumes:
       # -- Ephemeral volume that will contain the dynamic plugins installed by the initContainer below at start.
       - name: dynamic-plugins-root
@@ -128,8 +146,28 @@ upstream:
           defaultMode: 420
           optional: true
           secretName: dynamic-plugins-npmrc
+      - name: npmcacache
+        emptyDir: {}
+      - name: diststatic
+        emptyDir: {}
     initContainers:
       - name: install-dynamic-plugins
+        resources:
+          requests:
+            cpu: 250m
+            memory: 256Mi
+          limits:
+            cpu: 1000m
+            memory: 2.5Gi
+            ephemeral-storage: 5Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: "RuntimeDefault"
         # -- Image used by the initContainer to install dynamic plugins into the `dynamic-plugins-root` volume mount.
         # It could be replaced by a custom image based on this one.
         # @default -- `quay.io/janus-idp/backstage-showcase:latest`
@@ -152,6 +190,8 @@ upstream:
             name: dynamic-plugins-npmrc
             readOnly: true
             subPath: .npmrc
+          - mountPath: /opt/app-root/src/.npm/_cacache
+            name: npmcacache
         workingDir: /opt/app-root/src
     installDir: /opt/app-root/src
     podAnnotations:
@@ -170,10 +210,19 @@ upstream:
         adminPasswordKey: postgres-password
         userPasswordKey: password
     primary:
+      # TODO: https://issues.redhat.com/browse/RHIDP-2645
       podSecurityContext:
         enabled: false
       containerSecurityContext:
         enabled: false
+      resources:
+        requests:
+          cpu: 250m
+          memory: 256Mi
+        limits:
+          cpu: 250m
+          memory: 1024Mi
+          ephemeral-storage: 20Mi
       persistence:
         enabled: true
         size: 1Gi

diff --git a/ct-install.yaml b/ct-install.yaml
@@ -3,3 +3,4 @@ chart-dirs:
 validate-maintainers: false
 remote: origin
 target-branch: main
+helm-extra-args: --timeout 500s