diff --git a/charts/testkube-enterprise/Chart.lock b/charts/testkube-enterprise/Chart.lock index 9b8e80225..60c5b0db4 100644 --- a/charts/testkube-enterprise/Chart.lock +++ b/charts/testkube-enterprise/Chart.lock @@ -16,15 +16,15 @@ dependencies: version: 2.1.75 - name: dex repository: file://./charts/dex - version: 0.19.1-3 + version: 0.19.1-4 - name: mongodb repository: https://charts.bitnami.com/bitnami version: 15.6.16 - name: nats repository: file://./charts/nats - version: 1.2.6-1 + version: 1.2.6-2 - name: minio repository: https://charts.bitnami.com/bitnami version: 14.7.0 -digest: sha256:c36445693bd3fc5818dade35194442d5e682dd78cf8360c823e026b5fac36a42 -generated: "2024-11-05T12:18:32.940978+01:00" +digest: sha256:a64fb00233a831f8e40eb92f59ba16a12e95942e355fff425104ec9c702b63b3 +generated: "2024-11-05T16:44:20.178669+02:00" diff --git a/charts/testkube-enterprise/Chart.yaml b/charts/testkube-enterprise/Chart.yaml index f347eddfe..47409fa22 100644 --- a/charts/testkube-enterprise/Chart.yaml +++ b/charts/testkube-enterprise/Chart.yaml @@ -22,7 +22,7 @@ dependencies: repository: https://kubeshop.github.io/helm-charts condition: testkube-agent.enabled - name: dex - version: 0.19.1-3 + version: 0.19.1-4 repository: file://./charts/dex condition: dex.enabled - name: mongodb @@ -31,7 +31,7 @@ dependencies: condition: mongodb.enabled - name: nats condition: testkube-api.nats.enabled - version: 1.2.6-1 + version: 1.2.6-2 repository: "file://./charts/nats" - name: minio version: 14.7.0 diff --git a/charts/testkube-enterprise/charts/dex/Chart.yaml b/charts/testkube-enterprise/charts/dex/Chart.yaml index f51ef1d6c..3085664f2 100644 --- a/charts/testkube-enterprise/charts/dex/Chart.yaml +++ b/charts/testkube-enterprise/charts/dex/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 type: application name: dex -version: 0.19.1-3 +version: 0.19.1-4 appVersion: "2.41.1" kubeVersion: ">=1.14.0-0" description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. diff --git a/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl b/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl index 044cb7b0f..7177b66ef 100644 --- a/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl +++ b/charts/testkube-enterprise/charts/dex/templates/_helpers.tpl @@ -85,3 +85,25 @@ The name of the image {{- end -}} image: {{ $image }} {{- end }} + +{{/* +Define podSecurityContext +*/}} +{{- define "dex.podSecurityContext" -}} +{{- if .Values.global.podSecurityContext }} +{{ toYaml .Values.global.podSecurityContext }} +{{- else }} +{{ toYaml .Values.podSecurityContext }} +{{- end }} +{{- end }} + +{{/* +Define containerSecurityContext +*/}} +{{- define "dex.containerSecurityContext" -}} +{{- if .Values.global.securityContext }} +{{- toYaml .Values.global.securityContext}} +{{- else }} +{{- toYaml .Values.securityContext }} +{{- end }} +{{- end }} diff --git a/charts/testkube-enterprise/charts/dex/templates/deployment.yaml b/charts/testkube-enterprise/charts/dex/templates/deployment.yaml index b6b98e652..4b5ca817e 100644 --- a/charts/testkube-enterprise/charts/dex/templates/deployment.yaml +++ b/charts/testkube-enterprise/charts/dex/templates/deployment.yaml @@ -47,7 +47,7 @@ spec: priorityClassName: {{ . | quote }} {{- end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{ include "dex.podSecurityContext" . | trim }} {{- with .Values.hostAliases }} hostAliases: {{- toYaml . | nindent 8 }} 
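Review bot: In `dex.podSecurityContext` and `dex.containerSecurityContext`, a non-empty `.Values.global.*` value replaces the chart-level value outright instead of being merged with it. A stricter dex-specific setting under `.Values.securityContext` (for example `readOnlyRootFilesystem` or `runAsNonRoot`) is therefore dropped as soon as any global key is set. If that precedence is intended, the helper comments should say so, e.g. `Returns .Values.global.podSecurityContext when set, otherwise .Values.podSecurityContext; the two are not merged.` The two helpers also differ in whitespace handling (`{{ toYaml` versus `{{- toYaml`), which is presumably why the callers need `trim`; using one form in both would make the output easier to reason about.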
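Review bot: The new `{{ include "dex.podSecurityContext" . | trim }}` drops the `nindent 8` that the removed line had, so only the first rendered line gets the template's literal indent. A context with two or more keys, or any nested key such as `seccompProfile`, then puts the remaining lines at column 0 and renders invalid or mis-nested YAML; the empty `{}` default hides this. The template's own indentation is not visible in this view, but `trim` alone cannot re-indent continuation lines. I would keep the original shape: `{{- include "dex.podSecurityContext" . | nindent 8 }}` here, and `{{- include "dex.containerSecurityContext" . | nindent 12 }}` in the second hunk of this file (`@@ -55,7 +55,7 @@`).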
@@ -55,7 +55,7 @@ spec: containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{ include "dex.containerSecurityContext" . | trim }} {{- include "dex.image" . | nindent 10 }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: diff --git a/charts/testkube-enterprise/charts/dex/values.yaml b/charts/testkube-enterprise/charts/dex/values.yaml index b92f4acdc..a32092e55 100644 --- a/charts/testkube-enterprise/charts/dex/values.yaml +++ b/charts/testkube-enterprise/charts/dex/values.yaml @@ -7,6 +7,10 @@ global: imageRegistry: "" # -- Image pull secrets to use for testkube-cloud-api and testkube-cloud-ui imagePullSecrets: [] + # -- Global security Context + securityContext: {} + # -- Global security Context + podSecurityContext: {} # -- Number of replicas (pods) to launch. replicaCount: 1 diff --git a/charts/testkube-enterprise/charts/nats/Chart.yaml b/charts/testkube-enterprise/charts/nats/Chart.yaml index 87361de0b..8a10ffc6d 100644 --- a/charts/testkube-enterprise/charts/nats/Chart.yaml +++ b/charts/testkube-enterprise/charts/nats/Chart.yaml @@ -6,7 +6,7 @@ keywords: - nats - messaging - cncf -version: 1.2.6-1 +version: 1.2.6-2 home: http://github.com/nats-io/k8s maintainers: - email: info@nats.io diff --git a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml index aa1753b4b..ff0caf8ff 100644 --- a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml +++ b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/container.yaml @@ -44,3 +44,6 @@ volumeMounts: - name: {{ .name | quote }} mountPath: {{ .dir | quote }} {{- end }} +# securityContext +securityContext: + {{- include "nats.containerSecurityContext" $ | nindent 6 }} \ No newline at end of file 
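Review bot: Both keys added under `global:` in the dex `values.yaml` carry the same doc comment, `# -- Global security Context`, so generated value docs will not say which one applies to containers and which to pods. Suggest `# -- Global security Context for all containers` above `securityContext` and `# -- Global security Context for all pods` above `podSecurityContext`, matching the wording in the parent chart.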
diff --git a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml index ff904bf6c..eca5a3e40 100644 --- a/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml +++ b/charts/testkube-enterprise/charts/nats/files/nats-box/deployment/pod-template.yaml @@ -42,3 +42,6 @@ spec: secret: secretName: {{ .secretName | quote }} {{- end }} + + securityContext: + {{- include "nats.podSecurityContext" $ | nindent 6 }} \ No newline at end of file diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml index c5402efea..f87562842 100644 --- a/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml +++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/nats-container.yaml @@ -104,3 +104,6 @@ volumeMounts: - name: {{ .name | quote }} mountPath: {{ .dir | quote }} {{- end }} +# securityContext +securityContext: + {{- include "nats.containerSecurityContext" $ | nindent 6 }} \ No newline at end of file diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml index 1d3ea6431..aa0661002 100644 --- a/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml +++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/pod-template.yaml @@ -69,3 +69,6 @@ spec: - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }} {{- end }} {{- end}} + + securityContext: + {{- include "nats.podSecurityContext" $ | nindent 6 }} 
diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml index c3e1b6fbe..84d19ec70 100644 --- a/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml +++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/prom-exporter-container.yaml @@ -28,3 +28,6 @@ args: - -gatewayz {{- end }} - http://localhost:{{ .Values.config.monitor.port }}/ + +securityContext: + {{- include "nats.containerSecurityContext" $ | nindent 6 }} \ No newline at end of file diff --git a/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml b/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml index 96722045f..08f062e7e 100644 --- a/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml +++ b/charts/testkube-enterprise/charts/nats/files/stateful-set/reloader-container.yaml @@ -25,3 +25,7 @@ volumeMounts: {{- end }} {{- end }} {{- end }} + + +securityContext: + {{- include "nats.containerSecurityContext" $ | nindent 6 }} \ No newline at end of file diff --git a/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl b/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl index ba0a51c56..611ad8918 100644 --- a/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl +++ b/charts/testkube-enterprise/charts/nats/templates/_helpers.tpl 
@@ -280,3 +280,25 @@ output: string with following format rules "${1}") -}} {{- end -}} + +{{/* +Define podSecurityContext +*/}} +{{- define "nats.podSecurityContext" -}} +{{- with .Values.global.podSecurityContext }} +{{ toYaml . }} +{{- else }} +{{ toYaml .Values.podSecurityContext }} +{{- end }} +{{- end }} + +{{/* +Define containerSecurityContext +*/}} +{{- define "nats.containerSecurityContext" -}} +{{- with .Values.global.containerSecurityContext }} +{{- toYaml . }} +{{- else }} +{{- toYaml .Values.containerSecurityContext }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/testkube-enterprise/charts/nats/values.yaml b/charts/testkube-enterprise/charts/nats/values.yaml index 15745ab7b..e9093113b 100644 --- a/charts/testkube-enterprise/charts/nats/values.yaml +++ b/charts/testkube-enterprise/charts/nats/values.yaml @@ -14,6 +14,12 @@ global: # global registry to use for all container images in the chart # can be overridden by individual image registry registry: + # -- Security Context for all pods + podSecurityContext: + runasuser: 100 + # -- Security Context for all containers + containerSecurityContext: + fsGroup: 2000 # global labels will be applied to all resources deployed by the chart labels: {} @@ -376,7 +382,7 @@ reloader: ############################################################ # config.monitor must be enabled promExporter: - enabled: false + enabled: true image: repository: natsio/prometheus-nats-exporter tag: 0.15.0 diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml index ae4cdcfe9..d2fbf8996 100644 --- a/charts/testkube-enterprise/values.yaml +++ b/charts/testkube-enterprise/values.yaml 
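Review bot: `nats.containerSecurityContext` reads `.Values.global.containerSecurityContext`, but the parent chart's `values.yaml` and the dex helper in this same diff use `global.securityContext` for the container-level context. As written, a container securityContext set once under the parent's `global.securityContext` would not reach the NATS, nats-box, reloader or exporter containers, even though the parent's comment says it covers all containers except MongoDB and MinIO. Unless the different key is deliberate, use `{{- with .Values.global.securityContext }}` here and rename the key in the nats `values.yaml` to match. Otherwise document the separate key in the parent `values.yaml`.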
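Review bot: The defaults added under `global:` in the nats `values.yaml` look like leftover test values and are not valid for the objects they feed. `runasuser` is not a PodSecurityContext field (the field is `runAsUser`), and `fsGroup` is a pod-level field that does not exist in a container securityContext. Depending on the API server's field validation, these are either rejected or silently dropped, and in the second case the workload runs without the constraint the values appear to promise. I would ship empty defaults as the dex chart does, `podSecurityContext: {}` and `containerSecurityContext: {}`, and leave real settings to the installer.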
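Review bot: Flipping `promExporter.enabled` to `true` changes a chart default that appears unrelated to the securityContext work in the rest of this diff. It adds an exporter sidecar to every NATS pod on upgrade, and the comment directly above notes that `config.monitor` must be enabled for it to work. If the flip is intentional, it deserves its own changelog entry and a check that `config.monitor` is enabled by default. If it was only switched on to test the new `securityContext` block in `prom-exporter-container.yaml`, revert it to `enabled: false`.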
@@ -87,9 +87,9 @@ global: tls: {} # -- Toggle whether to globally skip certificate verification #skipVerify: true - # -- Global security Context for all containers + # -- Global security Context for all containers, except for MongoDB and MinIo. Container security context for them needs to be provided separately. securityContext: {} - # -- Global security Context for all pods + # -- Global security Context for all pods, except for MongoDB and MinIo. Pod security Context for them needs to be provided separately. podSecurityContext: {} # Testkube requires a variety of secrets to operate.