diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3d06ba1..0ef2da5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -49,7 +49,7 @@ jobs: with: name: vaas repository: gdatasoftwareag/charts - tag: 1.0.2 + tag: 1.0.3 path: charts/vaas registry: ghcr.io registry_username: ${{ secrets.REGISTRY_USERNAME }} diff --git a/charts/vaas/Chart.lock b/charts/vaas/Chart.lock index b72ce6b..aabefcb 100644 --- a/charts/vaas/Chart.lock +++ b/charts/vaas/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: redis repository: https://charts.bitnami.com/bitnami - version: 18.1.5 + version: 18.12.1 - name: gdscan repository: https://gdatasoftwareag.github.io/gdscan/ - version: 1.4.5 + version: 1.6.0 - name: mini-identity-provider repository: oci://ghcr.io/gdatasoftwareag version: 0.1.17 -digest: sha256:e4f283b831d4726932df1ba32ed10a746faa7aa89fd7345c3f952b7563e856bd -generated: "2024-02-12T09:11:31.341370564+01:00" +digest: sha256:58cd2dbd7a6d6d3749dd68c3ae1c0e75237a368ebf01cafa36ca7794a8982118 +generated: "2024-02-13T08:40:59.295006648+01:00" diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index 2979cfd..2d2974b 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vaas -version: 1.0.2 +version: 1.0.3 description: Deployment of a Verdict-as-a-Service on-premise instance maintainers: - name: G DATA CyberDefense AG @@ -8,11 +8,11 @@ maintainers: type: application dependencies: - name: redis - version: 18.1.5 + version: 18.12.1 condition: redis.enabled repository: https://charts.bitnami.com/bitnami - name: gdscan - version: 1.4.5 + version: 1.6.0 condition: gdscan.enabled repository: https://gdatasoftwareag.github.io/gdscan/ - name: mini-identity-provider diff --git a/charts/vaas/templates/gateway/_helpers.tpl b/charts/vaas/templates/gateway/_helpers.tpl index 30dfead..87cd34d 100644 --- a/charts/vaas/templates/gateway/_helpers.tpl +++ b/charts/vaas/templates/gateway/_helpers.tpl 
@@ -72,6 +72,10 @@ Create environment variables to configure gateway container. value: {{.Values.gateway.uploadUrl}} - name: JwtSettings__Secret value: {{ randAlphaNum 64 }} +- name: GDScanConfiguration__Url + value: "http://gdscan:8080/scan/body" +- name: RedisConfiguration__Configuration + value: "redis-master" {{- if .Values.gateway.cloudhashlookup.enabled }} - name: VerdictAsAService__Url value: {{ .Values.gateway.options.url | quote }} diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml index 92ed189..52e64c7 100644 --- a/charts/vaas/templates/gateway/statefulset.yaml +++ b/charts/vaas/templates/gateway/statefulset.yaml @@ -28,8 +28,9 @@ spec: emptyDir: {} containers: - name: {{ include "gateway.name" . }} - securityContext: - readOnlyRootFilesystem: true + {{- if .Values.gateway.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.gateway.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}' imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} volumeMounts: diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 82f6a52..6c032fc 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -102,8 +102,14 @@ gateway: memory: 256Mi containerSecurityContext: - enabled: false - + enabled: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault image: repository: ghcr.io/gdatasoftwareag/vaas/gateway pullPolicy: Always @@ -147,8 +153,6 @@ gdscan: repository: ghcr.io/gdatasoftwareag/vaas/scanserver pullPolicy: Always tag: 1.9.8 - containerSecurityContext: - enabled: false resources: limits: memory: 2.5Gi 
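Review bot: The two new env vars hard-code the in-cluster endpoints `http://gdscan:8080/scan/body` and `redis-master`, yet Chart.yaml gates both dependencies behind `gdscan.enabled` and `redis.enabled`, so a deployment that disables a subchart to use an external scanner or Redis has no way to point the gateway elsewhere. Consider sourcing them from values with the current strings as defaults, e.g. `value: {{ .Values.gateway.gdscanUrl | default "http://gdscan:8080/scan/body" | quote }}` and `value: {{ .Values.gateway.redisConfiguration | default "redis-master" | quote }}` (new keys; name them to match the rest of `values.yaml`). `redis-master` also carries no release prefix, so it only resolves if the redis subchart's service name is pinned independently of the release name — worth confirming against the rendered manifests. The enclosing template definition begins and ends outside this hunk.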
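Review bot: Replacing the unconditional `readOnlyRootFilesystem: true` with a block gated on `.Values.gateway.containerSecurityContext.enabled` turns a previously fixed hardening into an opt-out: any values override that sets `enabled: false` (the default before this commit) now renders the gateway container with no `securityContext` at all. If that is intended, say so in `values.yaml` next to the toggle, e.g. `# enabled: false drops readOnlyRootFilesystem too; keep true unless the image needs a writable rootfs`; otherwise keep `readOnlyRootFilesystem: true` as a floor outside the `if`. The `nindent 12` depends on the container list's indentation, which this hunk shows only partially, so check `helm template` output. The container spec continues outside the hunk.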
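Review bot: `runAsNonRoot: true` becomes the gateway default without a `runAsUser`, so the kubelet will refuse to start the container (CreateContainerConfigError) unless the `ghcr.io/gdatasoftwareag/vaas/gateway` image declares a numeric non-root `USER`; if the image does, a comment stating that next to the key would help, otherwise add `runAsUser: <UID>` alongside it. The removal of the `containerSecurityContext: enabled: false` stanzas under `gdscan` in the hunks at -147, -160 and -222 presumably defers to the gdscan 1.6.0 subchart's own defaults — a one-line comment saying so, e.g. `# container security context is managed by the gdscan subchart defaults`, would save the next reader a trip into the subchart. The `gateway:` mapping continues outside this hunk.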
@@ -160,8 +164,6 @@ gdscan: repository: ghcr.io/gdatasoftwareag/vaas/scanner pullPolicy: Always tag: 1.9.8 - containerSecurityContext: - enabled: false resources: limits: memory: 4Gi @@ -222,8 +224,6 @@ gdscan: registry: docker.io repository: bitnami/kubectl tag: latest - containerSecurityContext: - enabled: false enabled: true schedule: "0 * * * *" networkPolicy: @@ -247,6 +247,13 @@ redis: persistence: enabled: false containerSecurityContext: - enabled: false + enabled: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault networkPolicy: enabled: true
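Review bot: The hardened settings are placed under a top-level `redis.containerSecurityContext` key; if `redis:` is passed straight through to the bitnami redis 18.x subchart, that chart (as far as I recall) reads container security settings from `master.containerSecurityContext` and `replica.containerSecurityContext`, not from a top-level key, in which case these values — and the `enabled: false` they replace — are silently ignored and the pods stay at the subchart's defaults. Please confirm against `helm template` output that the rendered redis containers actually carry `readOnlyRootFilesystem`, `runAsNonRoot` and the dropped capabilities, and move the stanza under the subchart's expected path if not. The same doubt applies to the `persistence.enabled` context line above it. `runAsNonRoot: true` without `runAsUser` again relies on the image's `USER`, which is worth a short comment.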