fix(ee): improve helm security

helm-charts/mend-renovate-ee/templates/secret.yaml

@@ -19,6 +19,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.license-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -37,6 +38,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.server-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -76,6 +78,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.worker-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}

helm-charts/mend-renovate-ee/templates/server-deployment.yaml

@@ -31,6 +31,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateServer.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}

helm-charts/mend-renovate-ee/templates/worker-deployment.yaml

@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateWorker.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -43,7 +44,7 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.renovateWorker.image.repository }}:{{ .Values.renovateWorker.image.tag }}"
           imagePullPolicy: {{ .Values.renovateWorker.image.pullPolicy }}
-          {{- with .Values.renovateServer.containerSecurityContext }}
+          {{- with .Values.renovateWorker.containerSecurityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
@@ -124,18 +125,33 @@ spec:
             - name: LOG_FORMAT
               value: {{ .Values.renovateWorker.logFormat | quote }}
             {{- end }}
+          ports:
+            - name: ee-worker
+              containerPort: 8080
+              protocol: TCP
+          {{- with .Values.renovateServer.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.renovateServer.readinessProbe }}
+          readinessProbe:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.renovateWorker.resources | nindent 12 }}
           volumeMounts:
             - name: {{ .Release.Name }}-config-js-volume
+              readOnly: true
               mountPath: /usr/src/app/config.js
               subPath: config.js
             {{- if .Values.renovateWorker.npmrc }}
             - name: {{ .Release.Name }}-npmrc-volume
+              readOnly: true
               mountPath: /home/ubuntu/.npmrc
               subPath: .npmrc
             {{- end }}
             - name: {{ .Release.Name }}-cache-volume
+              readOnly: false
               mountPath: /tmp/renovate
           {{- if ne (len .Values.renovateWorker.extraVolumeMounts) 0 }}
             {{ toYaml .Values.renovateWorker.extraVolumeMounts | nindent 12 | trim }}
@@ -165,7 +181,7 @@ spec:
           emptyDir:
             medium: Memory
           {{- else }}
-          emptyDir: {}
+          emptyDir: { }
           {{- end }}
       {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }}
         {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }}

helm-charts/mend-renovate-ee/values.yaml

@@ -273,10 +273,10 @@ renovateWorker:
       // Enter self-hosted configuration options here.
       // https://docs.renovatebot.com/self-hosted-configuration/
     }
-
-  # Npmrc file. Will be mounted as a secret
-  # npmrc: |
-    # //registry.npmjs.org/:_authToken=xxxxxx
+    
+    # Npmrc file. Will be mounted as a secret
+    # npmrc: |
+  # //registry.npmjs.org/:_authToken=xxxxxx
 
   # Existing secret with npmrc configuration with key:
   #   .npmrc: