feat: Addressing feedback

snyk · Mar 6, 2024 · c2c394a · c2c394a
1 parent ca4a6fc
commit c2c394a
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 27 deletions.
diff --git a/charts/snyk-broker/templates/_helpers.tpl b/charts/snyk-broker/templates/_helpers.tpl
@@ -109,4 +109,15 @@ Create the name of the broker service to use
 {{- else }}
 {{- .Values.scmType}}-broker-service
 {{- end -}}
+{{- end -}}
+
+{{/*
+Create TLS secret name
+*/}}
+{{- define "tls-secret-name" -}}
+{{- if not .Values.disableSuffixes -}}
+tls-secret-{{ .Release.Name }}
+{{- else -}}
+tls-secret
+{{- end -}}
 {{- end -}}
diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml
@@ -81,7 +81,7 @@ spec:
                 mountPath: /home/node/cacert
                 readOnly: true
               {{- end }}
-              {{- if and .Values.httpsCert .Values.httpsKey }}
+              {{- if and (.Values.httpsCert) (.Values.httpsKey) }}
               - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume
                 mountPath: /home/node/tls-cert/
                 readOnly: true
@@ -375,11 +375,11 @@ spec:
          {{- if .Values.httpsCert }}
          # HTTPS Config
             - name: HTTPS_CERT
-              value: /home/node/tls-cert/{{ .Values.httpsCert }}
+              value: /home/node/tls-cert/tls.crt
          {{- end }}
          {{- if .Values.httpsKey }}
             - name: HTTPS_KEY
-              value: /home/node/tls-cert/{{ .Values.httpsKey }}
+              value: /home/node/tls-cert/tls.key
          {{- end }}
 
          {{- if .Values.tlsRejectUnauthorized  }}
@@ -455,10 +455,10 @@ spec:
         configMap:
           name: {{ include "snyk-broker.fullname" . }}-cacert-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
       {{- end }}
-      {{- if and .Values.httpsCert .Values.httpsKey }}
+      {{- if and (.Values.httpsCert) (.Values.httpsKey) }}
       - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume
         secret:
-          secretName: "tls-secret{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}"
+          secretName: {{ include "tls-secret-name" . }}
       {{- end }}
 {{- if .Values.extraVolumes }}
 {{ tpl (toYaml .Values.extraVolumes | indent 6) . }}

diff --git a/charts/snyk-broker/templates/secrets.yaml b/charts/snyk-broker/templates/secrets.yaml
@@ -118,13 +118,14 @@ data:
   "nexus-nexus-url": {{ .Values.nexusUrl | b64enc | quote }}
 ---  
 {{- end}}
-{{- if and .Values.httpsCert .Values.httpsKey }}
+{{- if and (.Values.httpsCert) (.Values.httpsKey) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: tls-secret{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}
-type: Opaque
+  name: {{ include "tls-secret-name" . }}
+type: kubernetes.io/tls
 data:
-  "{{ .Values.httpsCert }}": {{ (.Files.Get .Values.httpsCert) | b64enc | quote }}
-  "{{ .Values.httpsKey }}": {{ (.Files.Get .Values.httpsKey) | b64enc | quote }}
-{{- end }}
+  tls.crt: {{ (.Files.Get .Values.httpsCert) | b64enc | quote }}
+  tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }}
+---  
+{{- end }}
diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml
@@ -193,10 +193,10 @@ logEnableBody: "false"
 ##### Enable HTTPS #####
 
 # Location of mounted cert
-httpsCert: ""
+httpsCert: "MyCertificate.crt"
 
 # Location of mounted HTTPS key
-httpsKey: ""
+httpsKey: "MyKey.key"
 
 ##### HTTPS Inspection #####
 
@@ -320,31 +320,20 @@ podSecurityContext: {}
 # These can be adjusted at your own risk. 
 
 securityContext: 
-   capabilities:
-     drop:
-     - ALL
-   readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
-   runAsNonRoot: true
-   runAsUser: 1000
+   runAsUser: 0
 
 securityContextCr: 
-   capabilities:
-     drop:
-     - ALL
-   allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
-   runAsNonRoot: true
-   runAsUser: 1000
+   runAsUser: 0
 
 securityContextCa: 
    capabilities:
      drop:
      - ALL
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
-   runAsNonRoot: true
-   runAsUser: 1000
+   runAsUser: 0
 
 ##### Service Types #####
 # If you prefer to adjust how communication to the cluster occurs, these values can be adjusted