
feat(charts): add pod level annotations and customizable command #9973

Merged (6 commits), Nov 6, 2024

Conversation

misba7
Contributor

@misba7 misba7 commented Oct 29, 2024

closes #9948

@mo-auto added the labels area-documentation, comp-charts-jans and kind-feature on Oct 29, 2024

dryrunsecurity bot commented Oct 29, 2024

DryRun Security Summary

The provided code changes cover a wide range of updates to the Janssen project's Helm charts, focusing on adding flexibility and customization options, which require careful review and consideration from an application security perspective, particularly regarding custom commands and scripts, sensitive information handling, Istio integration, resource constraints and healthchecks, and logging and monitoring.


Summary:

The provided code changes cover a wide range of updates to the Janssen project's Helm charts, with a focus on adding flexibility and customization options. While these changes generally do not introduce any obvious security vulnerabilities, there are several areas that require careful review and consideration from an application security perspective:

  1. Custom Commands and Scripts: The introduction of customCommand and customScripts options across multiple charts allows users to execute custom code within the deployed containers. These features should be thoroughly reviewed to ensure that any user-provided commands or scripts are properly validated and sanitized to prevent potential security issues, such as command injection or privilege escalation.

  2. Sensitive Information Handling: The charts make use of environment variables, Secrets, and other mechanisms to handle sensitive information, such as credentials and API keys. It's crucial to ensure that these sensitive assets are properly secured and not exposed through the customization options or other means.

  3. Istio Integration: The changes include updates to handle Istio-specific annotations and configurations. These integrations should be reviewed to ensure they are properly implemented and do not introduce any unintended security vulnerabilities.

  4. Resource Constraints and Healthchecks: The charts include configurations for resource limits, liveness and readiness probes, and other settings that are important for maintaining the overall security and availability of the application. These configurations should be carefully reviewed to ensure they are properly set and do not introduce any potential security risks.

  5. Logging and Monitoring: While not directly addressed in the provided changes, it's important to ensure that the application has appropriate logging and monitoring mechanisms in place to detect and respond to any security-related incidents or anomalies.

Overall, the changes appear to be focused on enhancing the flexibility and customization of the Janssen project's deployment, which can be a positive development. However, it's crucial to thoroughly review the implementation and usage of these new features to maintain the overall security and integrity of the application.

Files Changed:

  • charts/janssen-all-in-one/values.yaml: Added a new custom annotation called "pod" to the customAnnotations section, which allows users to add custom annotations to the Pods deployed by the chart.
  • charts/janssen-all-in-one/README.md: Added new configuration options for the auth server key rotation and the ability to specify custom commands for the overall deployment.
  • charts/janssen-all-in-one/templates/cronjobs.yaml: Introduced customization options for the auth server key rotation and Keycloak scheduler CronJobs, which should be reviewed for potential security risks.
  • charts/janssen-all-in-one/templates/deployment.yml: Added support for custom annotations and commands, as well as FQDN registration handling, which should be carefully reviewed.
  • charts/janssen/charts/auth-server-key-rotation/values.yaml: Added a new customCommand option, which allows users to provide a custom command for the key rotation job.
  • charts/janssen/charts/auth-server-key-rotation/README.md: Documented the new customCommand and customScripts options for the auth server key rotation chart.
  • charts/janssen/charts/auth-server-key-rotation/templates/cronjobs.yaml: Introduced customization options for the auth server key rotation CronJob, which should be reviewed for potential security risks.
  • charts/janssen/charts/auth-server/README.md: Added a new customCommand configuration option to the auth server chart.
  • charts/janssen/README.md: Documented the addition of various new configuration options across the Janssen charts, including options related to security and customization.
  • charts/janssen/charts/auth-server/templates/deployment.yml: Added support for custom annotations and commands, which should be reviewed for security implications.
  • charts/janssen/charts/auth-server/values.yaml: Added new customScripts and customCommand options, which should be carefully reviewed.
  • charts/janssen/charts/casa/README.md: Added a new customCommand configuration option to the Casa chart.
  • charts/janssen/charts/casa/templates/deployment.yaml: Introduced support for custom annotations and commands, which should be reviewed for security concerns.
  • charts/janssen/charts/casa/values.yaml: Added a new customCommand option, which should be reviewed for potential security risks.
  • charts/janssen/charts/config-api/README.md: Added a new `

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@iromli
Contributor

iromli commented Nov 4, 2024

@misba7 I couldn't find customCommand for the janssen-all-in-one kc-scheduler cronjob as seen in the janssen chart.

@misba7
Contributor Author

misba7 commented Nov 4, 2024

@misba7 I couldn't find customCommand for the janssen-all-in-one kc-scheduler cronjob as seen in the janssen chart.

Added @iromli
Will add it in flex too upon approval

@moabu moabu merged commit 12b1ca4 into main Nov 6, 2024
13 of 15 checks passed
@moabu moabu deleted the feat-jans-helm-customization branch November 6, 2024 08:56
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* feat(charts): add pod-level annotation and customized command

Signed-off-by: Amro Misbah <[email protected]>

* docs(charts): generate helm-docs

Signed-off-by: Amro Misbah <[email protected]>

* feat(kc-scheduler): add custom command

Signed-off-by: Amro Misbah <[email protected]>

---------

Signed-off-by: Amro Misbah <[email protected]>
Co-authored-by: Mohammad Abudayyeh <[email protected]>
Former-commit-id: 12b1ca4