refa: avoid hard-coded uid in helm chart
In order to improve installation on openshift, we need to avoid the
hard-coded uid/gid in the helm chart
joshiste committed Dec 9, 2024
1 parent 87f71b4 commit b213734
Showing 9 changed files with 68 additions and 78 deletions.
8 changes: 4 additions & 4 deletions charts/steadybit-agent/Chart.lock
Expand Up @@ -16,7 +16,7 @@ dependencies:
version: 1.0.14
- name: steadybit-extension-dynatrace
repository: https://steadybit.github.io/extension-dynatrace
version: 1.1.6
version: 1.1.7
- name: steadybit-extension-gatling
repository: https://steadybit.github.io/extension-gatling
version: 1.1.15
Expand Down Expand Up @@ -61,7 +61,7 @@ dependencies:
version: 1.1.6
- name: steadybit-extension-postman
repository: https://steadybit.github.io/extension-postman
version: 1.7.10
version: 1.7.11
- name: steadybit-extension-prometheus
repository: https://steadybit.github.io/extension-prometheus
version: 1.5.11
Expand All @@ -71,5 +71,5 @@ dependencies:
- name: steadybit-extension-grafana
repository: https://steadybit.github.io/extension-grafana
version: 1.2.6
digest: sha256:1ada075973b00fc3fc18eb7bc54e1240d87a49e68ae9bf86e495bfdb450ae634
generated: "2024-12-07T06:08:31.602849838Z"
digest: sha256:1508df99b3cd7bb087dbf0d5d73a19b8462e6b351c5ca16a7545e532b3711e3f
generated: "2024-12-09T09:59:03.468184+01:00"
2 changes: 1 addition & 1 deletion charts/steadybit-agent/Chart.yaml
Expand Up @@ -139,4 +139,4 @@ dependencies:
version: ^1.1.8
repository: https://steadybit.github.io/extension-grafana
alias: extension-grafana
condition: extension-grafana.enabled
condition: extension-grafana.enabled
Binary file not shown.
Binary file not shown.
15 changes: 6 additions & 9 deletions charts/steadybit-agent/templates/_podTemplate.tpl
Expand Up @@ -24,10 +24,9 @@
priorityClassName: {{ .Values.priorityClassName.name }}
{{- end }}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
runAsNonRoot: true
{{- with .Values.podSecurityContext }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: steadybit-agent
image: "{{ .Values.image.name }}:{{ default .Chart.AppVersion .Values.image.tag }}"
Expand Down Expand Up @@ -140,11 +139,9 @@
{{- toYaml . | nindent 12 }}
{{- end }}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- with .Values.containerSecurityContext }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- if eq .Values.agent.persistence.provider "filesystem"}}
- name: steadybit-agent-state
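Review bot: With `runAsUser: 1000` removed from the pod securityContext in the first hunk while `runAsNonRoot: true` stays in the default `podSecurityContext`, the kubelet can only satisfy the non-root check if the agent image declares a numeric `USER`; if the image uses a named user the pod fails at container creation with a non-numeric-user error rather than at render time, which deserves a comment on the `{{- with .Values.podSecurityContext }}` line or next to the value. Dropping `fsGroup` also means the `steadybit-agent-state` volume mounted below is no longer group-owned by the agent's group on clusters that do not inject one the way OpenShift SCCs do, so filesystem persistence for a non-root agent may stop working there — presumably intended, but worth documenting as a value users must set themselves. Minor: when the map is empty the template emits a bare `securityContext:` (null) at both the pod and the container level; moving the key inside the block, `{{- with .Values.podSecurityContext }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}`, avoids rendering a null field, and the same applies to the second hunk. The enclosing template continues outside both hunks.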
50 changes: 20 additions & 30 deletions charts/steadybit-agent/tests/__snapshot__/deployment_test.yaml.snap
Expand Up @@ -104,10 +104,9 @@ manifest should match snapshot:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -238,10 +237,9 @@ should add aws account id from values:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -367,10 +365,9 @@ should add extra volumes and mount:
- mountPath: /extra
name: extramount
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -519,10 +516,9 @@ should add match labels:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -661,10 +657,9 @@ should add proxy configuration:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -794,10 +789,9 @@ should apply extra pod labels:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -929,10 +923,9 @@ should render redis settings:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -1075,10 +1068,9 @@ using extensions with mtls from containerpath:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -1227,10 +1219,9 @@ using extensions with mtls from secrets:
- mountPath: /opt/steadybit/agent/etc/extra-certs
name: extra-certs
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -1365,10 +1356,9 @@ using image pull secrets with debug json log:
imagePullSecrets:
- name: test-pull-secret
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Up @@ -113,10 +113,9 @@ using oauth2 with mtls from containerPath and token uri:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -261,10 +260,9 @@ using oauth2 with mtls from secrets:
name: oauth2-tls-server
readOnly: true
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Up @@ -118,10 +118,9 @@ manifest should match snapshot:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -260,10 +259,9 @@ should add aws account id from values:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -396,10 +394,9 @@ should add extra volumes and mount:
- mountPath: /extra
name: extramount
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -557,10 +554,9 @@ should add match labels:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -707,10 +703,9 @@ should add proxy configuration:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -848,10 +843,9 @@ should apply extra pod labels:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -1004,10 +998,9 @@ using extensions with mtls from containerpath:
- mountPath: /tmp
name: tmp-dir
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -1163,10 +1156,9 @@ using extensions with mtls from secrets:
- mountPath: /opt/steadybit/agent/etc/extra-certs
name: extra-certs
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
Expand Down Expand Up @@ -1308,10 +1300,9 @@ using image pull secrets with debug json log:
imagePullSecrets:
- name: test-pull-secret
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: steadybit-agent
volumes:
- emptyDir:
16 changes: 15 additions & 1 deletion charts/steadybit-agent/values.yaml
Expand Up @@ -225,6 +225,12 @@ podAnnotations: {}
# podLabels -- Additional labels to be added to the agent pods.
podLabels: {}

# podSecurityContext -- the security context used for the pod
podSecurityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true

# nodeSelector -- Node labels for pod assignment
nodeSelector: {}

Expand All @@ -234,6 +240,14 @@ tolerations: []
# affinity -- Affinities to influence agent pod assignment.
affinity: {}

# containerSecurityContext -- the security context used for the pod
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

# extension-aws.* -- settings for the aws extension. See https://github.com/steadybit/extension-aws for more information.
extension-aws:
# extension-aws.enabled -- Enable the AWS extension
Expand Down Expand Up @@ -433,4 +447,4 @@ extension-grafana:
enabled: false
grafana:
serviceToken: null
apiBaseUrl: null
apiBaseUrl: null
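Review bot: The comment on the new `containerSecurityContext` key in the second hunk is a copy of the pod-level one and says "used for the pod"; since this map is rendered into the agent container's securityContext it should read `# containerSecurityContext -- the security context used for the agent container`. It would also help to state next to `runAsNonRoot: true` in the first hunk that, now that no `runAsUser` is set, the check is enforced by the kubelet against the image's `USER` and requires it to be numeric. Likewise, since the chart no longer sets `fsGroup`, a note that users relying on filesystem persistence outside OpenShift may need to add one here would save a confusing permission failure at runtime.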
