Allow chart users to specify a Security Context #232

Open. Wants to merge 1 commit into base: master.
2 changes: 1 addition & 1 deletion cockroachdb/Chart.yaml
@@ -2,7 +2,7 @@
apiVersion: v1
name: cockroachdb
home: https://www.cockroachlabs.com
version: 7.0.1
version: 7.1.0
appVersion: 21.2.7
description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
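Review bot: a minor bump (7.0.1 to 7.1.0) is the right size for this change. Every new value defaults to `{}` and is wrapped in an `if`, so existing installs render byte-for-byte the same manifests; only new optional configuration is added, which does not justify a major bump and is more than a patch.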
4 changes: 4 additions & 0 deletions cockroachdb/README.md
@@ -344,6 +344,7 @@ For details see the [`values.yaml`](values.yaml) file.
| `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` |
| `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` |
| `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` |
| `statefulset.securityContext` | Security context for containers | `{}` |
| `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` |
| `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` |
| `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Services | `26257` |
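Review bot: the description `Security context for containers` is too vague to act on. In the statefulset.yaml hunks `statefulset.securityContext` is rendered into both the `db` container and the busybox `copy-certs` init container, so say so, e.g. `Container-level security context for the db and copy-certs containers`. It also helps to state that this is the container-level `securityContext` (fields such as `capabilities`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`) as opposed to the Pod-level `securityContext` row at the end of this table, since the two schemas differ.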
@@ -380,6 +381,7 @@ For details see the [`values.yaml`](values.yaml) file.
| `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` |
| `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` |
| `init.resources` | Resource requests and limits for the Pod of init Job | `{}` |
| `init.securityContext` | Security context for the init job containers | `{}` |
| `tls.enabled` | Whether to run securely using TLS certificates | `no` |
| `tls.serviceAccount.create` | Whether to create a new RBAC service account | `yes` |
| `tls.serviceAccount.name` | Name of RBAC service account to use | `""` |
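Review bot: `init.securityContext` is applied to two different containers of the init Job, the busybox `copy-certs` init container and the `cluster-init` container (see the job.init.yaml hunks), so the description should say `the init job containers (copy-certs and cluster-init)`. A user who sets, say, `runAsNonRoot: true` for `cluster-init` needs to know the same context also governs the shell step in `copy-certs`.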
@@ -408,9 +410,11 @@ For details see the [`values.yaml`](values.yaml) file.
| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
| `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` |
| `tls.selfSigner.securityContext` | Security context applied to selfSigner containers | `{}` |
| `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` |
| `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
| `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
| `securityContext` | Security context applied to Pods | `{}` |


Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`.
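Review bot: the top-level `securityContext` row should state that it is the Pod-level context (`PodSecurityContext` fields such as `runAsUser`, `fsGroup`, `seccompProfile`) and where it is rendered. In this change it lands in the StatefulSet Pod spec and the init Job Pod spec, but not in the TLS self-signer Jobs and CronJobs, which only receive the container-level `tls.selfSigner.securityContext`. Either document that gap in this row or also render `.Values.securityContext` into those templates, otherwise a cluster policy that requires a Pod-level `runAsNonRoot` or `seccompProfile` cannot be satisfied for the certificate jobs.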
4 changes: 4 additions & 0 deletions cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
@@ -22,6 +22,10 @@ spec:
- name: cert-rotate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
{{- end }}
args:
- rotate
- --ca
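Review bot: this four-line block is now copied into five templates with only the value path and the `nindent` width varying, which invites the copies to drift; consider a named template in `_helpers.tpl` that takes the context map and the indent. The `{{- if ... }}` guard is correct: an empty `{}` is falsy, so the default renders nothing and existing output is unchanged. The indentation cannot be verified from this view, so before merging confirm with `helm template --set tls.selfSigner.securityContext.runAsNonRoot=true` that the child keys render one level below `securityContext:` (this CronJob uses `nindent 14` where the plain Jobs use 12 because of the extra `jobTemplate` nesting).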
@@ -21,6 +21,10 @@ spec:
- name: cert-rotate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 14 }}
{{- end }}
args:
- rotate
{{- if .Values.tls.certs.selfSigner.caProvided }}
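Review bot: same block and same `nindent 14` as in cronjob-ca-certSelfSigner.yaml; the helper-template suggestion and the `helm template` indentation check from that note apply here unchanged.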
@@ -46,4 +50,4 @@ spec:
- name: CLUSTER_DOMAIN
value: {{ .Values.clusterDomain}}
serviceAccountName: {{ template "rotatecerts.fullname" . }}
{{- end}}
{{- end}}
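Review bot: this hunk appears to change only the end-of-file newline (the `{{- end}}` line is removed and re-added unchanged). Harmless, but it is unrelated whitespace noise in a feature change; mention it in the commit message or drop it.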
4 changes: 4 additions & 0 deletions cockroachdb/templates/job-certSelfSigner.yaml
@@ -30,6 +30,10 @@ spec:
- name: cert-generate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
{{- end }}
args:
- generate
{{- if .Values.tls.certs.selfSigner.caProvided }}
4 changes: 4 additions & 0 deletions cockroachdb/templates/job-cleaner.yaml
@@ -30,6 +30,10 @@ spec:
- name: cleaner
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
{{- if .Values.tls.selfSigner.securityContext }}
securityContext:
{{- toYaml .Values.tls.selfSigner.securityContext | nindent 12 }}
{{- end }}
args:
- cleanup
- --namespace={{ .Release.Namespace }}
12 changes: 12 additions & 0 deletions cockroachdb/templates/job.init.yaml
@@ -36,6 +36,10 @@ spec:
spec:
restartPolicy: OnFailure
terminationGracePeriodSeconds: 0
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
imagePullSecrets:
{{- if .Values.image.credentials }}
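Review bot: the init Job Pod receives the same top-level Pod-level `securityContext` as the database Pods, which matches the README wording ("applied to Pods"). Since `init.securityContext` is container-level only, there is no way to give the init Job a different Pod-level context (for example a different `runAsUser` or `fsGroup`) than the StatefulSet. If that coupling is intended, say so in the README row; otherwise a separate value (hypothetically `init.podSecurityContext`) would keep the two independent.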
@@ -51,6 +55,10 @@ spec:
- name: copy-certs
image: "busybox"
imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
{{- if .Values.init.securityContext }}
securityContext:
{{- toYaml .Values.init.securityContext | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -c
@@ -79,6 +87,10 @@ spec:
- name: cluster-init
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.init.securityContext }}
securityContext:
{{- toYaml .Values.init.securityContext | nindent 12 }}
{{- end }}
# Run the command in an `while true` loop because this Job is bound
# to come up before the CockroachDB Pods (due to the time needed to
# get PersistentVolumes attached to Nodes), and sleeping 5 seconds
12 changes: 12 additions & 0 deletions cockroachdb/templates/statefulset.yaml
@@ -41,6 +41,10 @@ spec:
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- end }}
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
imagePullSecrets:
{{- if .Values.image.credentials }}
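Review bot: one operational caveat deserves a line in the README for this Pod-level context: setting `fsGroup` here makes the kubelet change group ownership of the data PersistentVolume on mount, which on an existing cluster with large volumes can noticeably delay the first restart after the upgrade. Users enabling this on a running deployment should be told to expect that.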
@@ -57,6 +61,10 @@ spec:
- name: copy-certs
image: "busybox"
imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
{{- if .Values.statefulset.securityContext }}
securityContext:
{{- toYaml .Values.statefulset.securityContext | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -c
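Review bot: the busybox `copy-certs` init container gets the same `statefulset.securityContext` as the `db` container. It runs a shell script (`/bin/sh -c`, body not shown in this hunk) that has to write into the certificate directory, so a hardened context chosen for `db` (e.g. `readOnlyRootFilesystem: true`, or a non-root `runAsUser` that cannot write the target path) can make this init container fail before `db` ever starts. Either document that the value covers both containers or add a separate value for the init container.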
@@ -143,6 +151,10 @@ spec:
- name: db
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.statefulset.securityContext }}
securityContext:
{{- toYaml .Values.statefulset.securityContext | nindent 12 }}
{{- end }}
args:
- shell
- -ecx
6 changes: 6 additions & 0 deletions cockroachdb/values.yaml
@@ -169,6 +169,7 @@ statefulset:
podManagementPolicy: Parallel
budget:
maxUnavailable: 1
securityContext: {}

# List of additional command-line arguments you want to pass to the
# `cockroach start` command.
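Review bot: `securityContext: {}` is added without a comment while the neighbouring keys in this file are documented. Add a comment stating that this is the container-level context for the `db` and `copy-certs` containers, plus a commented example of a sensible hardened setting so users do not have to guess the schema, e.g. `# securityContext:` / `#   runAsNonRoot: true` / `#   allowPrivilegeEscalation: false`.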
@@ -390,6 +391,8 @@ init:
# cpu: "10m"
# memory: "128Mi"

securityContext: {}

provisioning:
enabled: false
# https://www.cockroachlabs.com/docs/stable/cluster-settings.html
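Review bot: same as for `statefulset.securityContext`: add a comment here saying this container-level context applies to both the `copy-certs` and `cluster-init` containers of the init Job.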
@@ -492,6 +495,7 @@ tls:
registry: gcr.io
# username: john_doe
# password: changeme
securityContext: {}

networkPolicy:
enabled: false
@@ -522,3 +526,5 @@ iap:
# Create Google Cloud OAuth credentials and set client id and secret
# clientId:
# clientSecret:

securityContext: {}
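Review bot: the Pod-level `securityContext: {}` is appended after the `iap:` block at the very end of the file, where it reads as if it belonged to `iap`. Move it next to the other top-level keys (for example beside `image:` or `clusterDomain:`, both of which the templates reference) and add a comment that this is the Pod-level context applied to the StatefulSet and init Job Pods, distinct from the container-level `securityContext` keys under `statefulset`, `init` and `tls.selfSigner`.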