fix(ee): improve helm security

mend · Aug 18, 2024 · 8cda608 · 8cda608
1 parent db262e4
commit 8cda608
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 60 deletions.
diff --git a/helm-charts/mend-renovate-ee/templates/secret.yaml b/helm-charts/mend-renovate-ee/templates/secret.yaml
@@ -19,6 +19,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.license-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -37,6 +38,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.server-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -76,6 +78,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.worker-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}

diff --git a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml
@@ -31,6 +31,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateServer.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}

diff --git a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateWorker.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -43,7 +44,7 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.renovateWorker.image.repository }}:{{ .Values.renovateWorker.image.tag }}"
           imagePullPolicy: {{ .Values.renovateWorker.image.pullPolicy }}
-          {{- with .Values.renovateServer.containerSecurityContext }}
+          {{- with .Values.renovateWorker.containerSecurityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
@@ -124,18 +125,33 @@ spec:
             - name: LOG_FORMAT
               value: {{ .Values.renovateWorker.logFormat | quote }}
             {{- end }}
+          ports:
+            - name: ee-worker
+              containerPort: 8080
+              protocol: TCP
+          {{- with .Values.renovateServer.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.renovateServer.readinessProbe }}
+          readinessProbe:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.renovateWorker.resources | nindent 12 }}
           volumeMounts:
             - name: {{ .Release.Name }}-config-js-volume
+              readOnly: true
               mountPath: /usr/src/app/config.js
               subPath: config.js
             {{- if .Values.renovateWorker.npmrc }}
             - name: {{ .Release.Name }}-npmrc-volume
+              readOnly: true
               mountPath: /home/ubuntu/.npmrc
               subPath: .npmrc
             {{- end }}
             - name: {{ .Release.Name }}-cache-volume
+              readOnly: false
               mountPath: /tmp/renovate
           {{- if ne (len .Values.renovateWorker.extraVolumeMounts) 0 }}
             {{ toYaml .Values.renovateWorker.extraVolumeMounts | nindent 12 | trim }}
@@ -165,7 +181,7 @@ spec:
           emptyDir:
             medium: Memory
           {{- else }}
-          emptyDir: {}
+          emptyDir: { }
           {{- end }}
       {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }}
         {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }}

diff --git a/helm-charts/mend-renovate-ee/values.yaml b/helm-charts/mend-renovate-ee/values.yaml
@@ -17,13 +17,13 @@ license:
   existingSecret:
 
 postgresql:
-    # if to use PostgreSQL, if set to 'false' SQLite will be used instead
-    enabled: false
-    host:
-    port:
-    database:
-    user:
-    password:
+  # if to use PostgreSQL, if set to 'false' SQLite will be used instead
+  enabled: false
+  host:
+  port:
+  database:
+  user:
+  password:
 
 renovateServer:
   image:
@@ -35,7 +35,7 @@ renovateServer:
   replicas: 1
 
   # Additional server env vars
-  extraEnvVars: []
+  extraEnvVars: [ ]
 
   # Which platform Mend Renovate will connect to.
   # valid values: "bitbucket-server", "github" or "gitlab"
@@ -156,30 +156,38 @@ renovateServer:
   # Set log format, defaults to pretty format. Allowed values: undefined or 'json'
   logFormat: json
 
-  resources: {}
+  resources:
+    limits:
+      memory: "4096Mi"
+      cpu: "2.0"
+    requests:
+      memory: "2048Mi"
+      cpu: "0.5"
 
-  annotations: {}
+  annotations: { }
 
   labels:
-    pods: {}
+    pods: { }
 
-  nodeSelector: {}
+  nodeSelector: { }
 
-  tolerations: []
+  tolerations: [ ]
 
-  affinity: {}
+  affinity: { }
 
-  podSecurityContext: {}
-  #   runAsNonRoot: true
-  #   seccompProfile:
-  #     type: RuntimeDefault
+  podSecurityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
-  containerSecurityContext: {}
-  #   allowPrivilegeEscalation: false
-  #   readOnlyRootFilesystem: true
-  #   capabilities:
-  #     drop:
-  #       - ALL
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
 
   # name of the image pull secret
   imagePullSecrets: ""
@@ -207,24 +215,24 @@ renovateServer:
     successThreshold: 1
 
   extraVolumes:
-    []
+    [ ]
     # - name: secrets-store-inline
     #   csi:
     #     driver: secrets-store.csi.k8s.io
     #     readOnly: true
     #     volumeAttributes:
-    #       secretProviderClass: "some-secret-store"
+  #       secretProviderClass: "some-secret-store"
 
   extraVolumeMounts:
-    []
-    # - name: secrets-store-inline
+    [ ]
+  # - name: secrets-store-inline
   #   mountPath: "/mnt/secrets-store"
   #   readOnly: true
 
   serviceAccount:
     create: false
     existingName:
-    annotations: {}
+    annotations: { }
 
 renovateWorker:
   image:
@@ -246,7 +254,7 @@ renovateWorker:
   mendRnvWorkerNodeArgs:
 
   # Additional worker env vars
-  extraEnvVars: []
+  extraEnvVars: [ ]
 
   # Personal Access Token for github.com (used for retrieving changelogs)
   githubComToken:
@@ -292,57 +300,84 @@ renovateWorker:
   # defaults to https://github.com/renovatebot/renovate
   renovateUserAgent:
 
-  resources: {}
+  resources:
+    limits:
+      memory: "4096Mi"
+      cpu: "2.0"
+    requests:
+      memory: "2048Mi"
+      cpu: "0.5"
 
-  annotations: {}
+  annotations: { }
 
   labels:
-    pods: {}
+    pods: { }
+
+  nodeSelector: { }
 
-  nodeSelector: {}
+  tolerations: [ ]
 
-  tolerations: []
+  affinity: { }
 
-  affinity: {}
 
-
-  podSecurityContext: {}
-  #   runAsNonRoot: true
-  #   seccompProfile:
-  #     type: RuntimeDefault
+  podSecurityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
-  containerSecurityContext: {}
-  #   allowPrivilegeEscalation: false
-  #   readOnlyRootFilesystem: true
-  #   capabilities:
-  #     drop:
-  #       - ALL
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
 
   # name of the image pull secret
   imagePullSecrets: ""
 
   # This allows renovate to finish running for a repo and then gracefully exit
   terminationGracePeriodSeconds: 60
 
+  livenessProbe:
+    initialDelaySeconds: 2
+    httpGet:
+      path: /health
+      port: ee-worker
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
+
+  readinessProbe:
+    httpGet:
+      path: /health
+      port: ee-worker
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
+
   extraVolumes:
-    []
+    [ ]
     # - name: secrets-store-inline
-    #   csi:
-    #     driver: secrets-store.csi.k8s.io
-    #     readOnly: true
-    #     volumeAttributes:
-    #       secretProviderClass: "some-secret-store"
+  #   csi:
+  #     driver: secrets-store.csi.k8s.io
+  #     readOnly: true
+  #     volumeAttributes:
+  #       secretProviderClass: "some-secret-store"
 
   extraVolumeMounts:
-    []
+    [ ]
   # - name: secrets-store-inline
   #   mountPath: "/mnt/secrets-store"
   #   readOnly: true
 
   serviceAccount:
     create: false
     existingName:
-    annotations: {}
+    annotations: { }
 
 ## data Persistence Parameters
 ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
@@ -375,7 +410,7 @@ service:
   type: ClusterIP
   port: 80
   annotations:
-    {}
+    { }
   # cloud.google.com/load-balancer-type: "Internal"
 
 ingress:
@@ -386,11 +421,11 @@ ingress:
   # ingressClassName: nginx
 
   annotations:
-    {}
+    { }
   # kubernetes.io/tls-acme: "true"
   hosts:
     - mend-renovate.local
-  tls: []
+  tls: [ ]
   #  - secretName: mend-renovate-tls
   #    hosts:
   #      - mend-renovate.local