update security context for NATS and Dex

charts/testkube-enterprise/Chart.lock

@@ -16,15 +16,15 @@ dependencies:
   version: 2.1.75
 - name: dex
   repository: file://./charts/dex
-  version: 0.19.1-3
+  version: 0.19.1-4
 - name: mongodb
   repository: https://charts.bitnami.com/bitnami
   version: 15.6.16
 - name: nats
   repository: file://./charts/nats
-  version: 1.2.6-1
+  version: 1.2.6-2
 - name: minio
   repository: https://charts.bitnami.com/bitnami
   version: 14.7.0
-digest: sha256:c36445693bd3fc5818dade35194442d5e682dd78cf8360c823e026b5fac36a42
-generated: "2024-11-05T12:18:32.940978+01:00"
+digest: sha256:a64fb00233a831f8e40eb92f59ba16a12e95942e355fff425104ec9c702b63b3
+generated: "2024-11-05T16:44:20.178669+02:00"

charts/testkube-enterprise/Chart.yaml

@@ -22,7 +22,7 @@ dependencies:
     repository: https://kubeshop.github.io/helm-charts
     condition: testkube-agent.enabled
   - name: dex
-    version: 0.19.1-3
+    version: 0.19.1-4
     repository: file://./charts/dex
     condition: dex.enabled
   - name: mongodb
@@ -31,7 +31,7 @@ dependencies:
     condition: mongodb.enabled
   - name: nats
     condition: testkube-api.nats.enabled
-    version: 1.2.6-1
+    version: 1.2.6-2
     repository: "file://./charts/nats"
   - name: minio
     version: 14.7.0

charts/testkube-enterprise/charts/dex/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: dex
-version: 0.19.1-3
+version: 0.19.1-4
 appVersion: "2.41.1"
 kubeVersion: ">=1.14.0-0"
 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.

charts/testkube-enterprise/charts/dex/templates/_helpers.tpl

@@ -85,3 +85,25 @@ The name of the image
 {{- end -}}
 image: {{ $image }}
 {{- end }}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "dex.podSecurityContext" -}}
+{{- if .Values.global.podSecurityContext }}
+{{ toYaml .Values.global.podSecurityContext }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "dex.containerSecurityContext" -}}
+{{- if .Values.global.securityContext }}
+{{- toYaml .Values.global.securityContext}}
+{{- else }}
+{{- toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}

charts/testkube-enterprise/charts/dex/templates/deployment.yaml

@@ -47,15 +47,15 @@ spec:
       priorityClassName: {{ . | quote }}
       {{- end }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{ include "dex.podSecurityContext" . | trim }}
       {{- with .Values.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{ include "dex.containerSecurityContext" . | trim }}
           {{- include "dex.image" . | nindent 10 }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:

charts/testkube-enterprise/charts/dex/values.yaml

@@ -7,6 +7,10 @@ global:
   imageRegistry: ""
   # -- Image pull secrets to use for testkube-cloud-api and testkube-cloud-ui
   imagePullSecrets: []
+  # -- Global security Context
+  securityContext: {}
+  # -- Global security Context
+  podSecurityContext: {}
 
 # -- Number of replicas (pods) to launch.
 replicaCount: 1

charts/testkube-enterprise/charts/nats/Chart.yaml

@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 1.2.6-1
+version: 1.2.6-2
 home: http://github.com/nats-io/k8s
 maintainers:
 - email: [email protected]

charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml

@@ -44,3 +44,6 @@ volumeMounts:
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml

@@ -42,3 +42,6 @@ spec:
     secret:
       secretName: {{ .secretName | quote }}
   {{- end }}
+
+  securityContext:
+  {{- include "nats.podSecurityContext" $ | nindent 6 }}

charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml

@@ -104,3 +104,6 @@ volumeMounts:
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}
 {{- end }}
+# securityContext
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml

@@ -69,3 +69,6 @@ spec:
   - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
   {{- end }}
   {{- end}}
+
+  securityContext:
+    {{- include "nats.podSecurityContext" $ | nindent 6 }}

charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml

@@ -28,3 +28,6 @@ args:
 - -gatewayz
 {{- end }}
 - http://localhost:{{ .Values.config.monitor.port }}/
+
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml

@@ -25,3 +25,7 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+
+
+securityContext:
+  {{- include "nats.containerSecurityContext" $ | nindent 6 }}

charts/testkube-enterprise/charts/nats/templates/_helpers.tpl

@@ -280,3 +280,25 @@ output: string with following format rules
     "${1}")
   -}}
 {{- end -}}
+
+{{/*
+Define podSecurityContext
+*/}}
+{{- define "nats.podSecurityContext" -}}
+{{- with .Values.global.podSecurityContext }}
+{{ toYaml . }}
+{{- else }}
+{{ toYaml .Values.podSecurityContext  }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define containerSecurityContext
+*/}}
+{{- define "nats.containerSecurityContext" -}}
+{{- with .Values.global.containerSecurityContext }}
+{{- toYaml . }}
+{{- else }}
+{{- toYaml .Values.containerSecurityContext }}
+{{- end }}
+{{- end }}

charts/testkube-enterprise/charts/nats/values.yaml

@@ -14,6 +14,12 @@ global:
     # global registry to use for all container images in the chart
     # can be overridden by individual image registry
     registry:
+  # -- Security Context for all pods
+  podSecurityContext:
+    runasuser: 100
+  # -- Security Context for all containers
+  containerSecurityContext:
+    fsGroup: 2000
 
   # global labels will be applied to all resources deployed by the chart
   labels: {}
@@ -376,7 +382,7 @@ reloader:
 ############################################################
 # config.monitor must be enabled
 promExporter:
-  enabled: false
+  enabled: true
   image:
     repository: natsio/prometheus-nats-exporter
     tag: 0.15.0

charts/testkube-enterprise/values.yaml

@@ -87,9 +87,9 @@ global:
   tls: {}
   # -- Toggle whether to globally skip certificate verification
   #skipVerify: true
-  # -- Global security Context for all containers
+  # -- Global security Context for all containers, except for MongoDB and MinIo. Container security context for them needs to be provided separately.
   securityContext: {}
-  # -- Global security Context for all pods
+  # -- Global security Context for all pods, except for MongoDB and MinIo. Pod security Context for them needs to be provided separately.
   podSecurityContext: {}
 
 # Testkube requires a variety of secrets to operate.