From 8cda608debc229c1381d7e9a2b094819e812c7a3 Mon Sep 17 00:00:00 2001 From: Gabriel Ladzaretti Date: Sun, 18 Aug 2024 13:44:08 +0300 Subject: [PATCH] fix(ee): improve helm security --- .../mend-renovate-ee/templates/secret.yaml | 3 + .../templates/server-deployment.yaml | 1 + .../templates/worker-deployment.yaml | 20 ++- helm-charts/mend-renovate-ee/values.yaml | 151 +++++++++++------- 4 files changed, 115 insertions(+), 60 deletions(-) diff --git a/helm-charts/mend-renovate-ee/templates/secret.yaml b/helm-charts/mend-renovate-ee/templates/secret.yaml index f9be4c60..4f1be992 100644 --- a/helm-charts/mend-renovate-ee/templates/secret.yaml +++ b/helm-charts/mend-renovate-ee/templates/secret.yaml @@ -19,6 +19,7 @@ data: apiVersion: v1 kind: Secret metadata: + namespace: {{ .Release.Namespace }} name: {{ include "mend-renovate.license-secret-name" . }} labels: app.kubernetes.io/name: {{ .Release.Name }} @@ -37,6 +38,7 @@ data: apiVersion: v1 kind: Secret metadata: + namespace: {{ .Release.Namespace }} name: {{ include "mend-renovate.server-secret-name" . }} labels: app.kubernetes.io/name: {{ .Release.Name }} @@ -76,6 +78,7 @@ data: apiVersion: v1 kind: Secret metadata: + namespace: {{ .Release.Namespace }} name: {{ include "mend-renovate.worker-secret-name" . }} labels: app.kubernetes.io/name: {{ .Release.Name }} diff --git a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml index 6ac962fd..411ab528 100644 --- a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml +++ b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml @@ -31,6 +31,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + automountServiceAccountToken: false {{- with .Values.renovateServer.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} 
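Review bot: `automountServiceAccountToken: false` is hard-coded into the server pod spec with no value to turn it back on, yet values.yaml supports `serviceAccount.existingName`; users who bring their own service account presumably do so because something in the pod needs cluster credentials, and they would now have to fork the template. Driving it from values keeps the secure default and leaves an escape hatch, e.g. `automountServiceAccountToken: {{ .Values.renovateServer.automountServiceAccountToken | default false }}` with `automountServiceAccountToken: false` documented under `renovateServer` in values.yaml. The same applies to the worker-deployment hunk `@@ -32,6 +32,7 @@`. The pod spec continues outside the hunk.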
diff --git a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml index 231906ae..93a37599 100644 --- a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml +++ b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml @@ -32,6 +32,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + automountServiceAccountToken: false {{- with .Values.renovateWorker.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} @@ -43,7 +44,7 @@ spec: - name: {{ .Chart.Name }}-worker image: "{{ .Values.renovateWorker.image.repository }}:{{ .Values.renovateWorker.image.tag }}" imagePullPolicy: {{ .Values.renovateWorker.image.pullPolicy }} - {{- with .Values.renovateServer.containerSecurityContext }} + {{- with .Values.renovateWorker.containerSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} env: @@ -124,18 +125,33 @@ spec: - name: LOG_FORMAT value: {{ .Values.renovateWorker.logFormat | quote }} {{- end }} + ports: + - name: ee-worker + containerPort: 8080 + protocol: TCP + {{- with .Values.renovateServer.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.renovateServer.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.renovateWorker.resources | nindent 12 }} volumeMounts: - name: {{ .Release.Name }}-config-js-volume + readOnly: true mountPath: /usr/src/app/config.js subPath: config.js {{- if .Values.renovateWorker.npmrc }} - name: {{ .Release.Name }}-npmrc-volume + readOnly: true mountPath: /home/ubuntu/.npmrc subPath: .npmrc {{- end }} - name: {{ .Release.Name }}-cache-volume + readOnly: false mountPath: /tmp/renovate {{- if ne (len .Values.renovateWorker.extraVolumeMounts) 0 }} {{ toYaml .Values.renovateWorker.extraVolumeMounts | nindent 12 | trim }} 
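Review bot: The new probe blocks read `.Values.renovateServer.livenessProbe` and `.Values.renovateServer.readinessProbe`, but the probe values this patch adds live under `renovateWorker` (values.yaml hunk `@@ -324,17 +340,36 @@`), so the worker's probe settings are silently ignored and the server's probe definition is rendered into the worker instead — the same copy-paste slip the preceding hunk fixes for `containerSecurityContext`. If the server's probes target a port name other than `ee-worker` (not visible here), the worker would fail its probes and restart continuously. The two lines should read `{{- with .Values.renovateWorker.livenessProbe }}` and `{{- with .Values.renovateWorker.readinessProbe }}`. The container spec continues outside the hunk.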
@@ -165,7 +181,7 @@ spec: emptyDir: medium: Memory {{- else }} - emptyDir: {} + emptyDir: { } {{- end }} {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }} {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }} diff --git a/helm-charts/mend-renovate-ee/values.yaml b/helm-charts/mend-renovate-ee/values.yaml index 37b2e952..15141cb5 100644 --- a/helm-charts/mend-renovate-ee/values.yaml +++ b/helm-charts/mend-renovate-ee/values.yaml @@ -17,13 +17,13 @@ license: existingSecret: postgresql: - # if to use PostgreSQL, if set to 'false' SQLite will be used instead - enabled: false - host: - port: - database: - user: - password: + # if to use PostgreSQL, if set to 'false' SQLite will be used instead + enabled: false + host: + port: + database: + user: + password: renovateServer: image: @@ -35,7 +35,7 @@ renovateServer: replicas: 1 # Additional server env vars - extraEnvVars: [] + extraEnvVars: [ ] # Which platform Mend Renovate will connect to. # valid values: "bitbucket-server", "github" or "gitlab" @@ -156,30 +156,38 @@ renovateServer: # Set log format, defaults to pretty format. Allowed values: undefined or 'json' logFormat: json - resources: {} + resources: + limits: + memory: "4096Mi" + cpu: "2.0" + requests: + memory: "2048Mi" + cpu: "0.5" - annotations: {} + annotations: { } labels: - pods: {} + pods: { } - nodeSelector: {} + nodeSelector: { } - tolerations: [] + tolerations: [ ] - affinity: {} + affinity: { } - podSecurityContext: {} - # runAsNonRoot: true - # seccompProfile: - # type: RuntimeDefault + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - containerSecurityContext: {} - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL # name of the image pull secret imagePullSecrets: "" 
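Review bot: The new `resources` defaults (requests 0.5 CPU / 2048Mi, limits 2 CPU / 4096Mi) replace `{}`, so every existing release that never set `renovateServer.resources` changes scheduling behaviour on upgrade; that is outside the scope of a security fix and worth calling out in the chart's changelog or README, and the same holds for the worker hunk `@@ -292,31 +300,39 @@`. `runAsUser: 1000` is hard-coded and is only correct if the image's non-root user has that UID, which is not visible here, so a comment such as `# must match the UID of the non-root user baked into the image` would help anyone who overrides `image.repository`. `runAsNonRoot: true` is set at both pod and container level, which is harmless but redundant. The `{}` → `{ }` and `[]` → `[ ]` rewrites in this and the other values.yaml hunks are unrelated churn that yamllint's default `braces`/`brackets` rules (max-spaces-inside: 0) reject; `{}` and `[]` should stay.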
@@ -207,24 +215,24 @@ renovateServer: successThreshold: 1 extraVolumes: - [] + [ ] # - name: secrets-store-inline # csi: # driver: secrets-store.csi.k8s.io # readOnly: true # volumeAttributes: - # secretProviderClass: "some-secret-store" + # secretProviderClass: "some-secret-store" extraVolumeMounts: - [] - # - name: secrets-store-inline + [ ] + # - name: secrets-store-inline # mountPath: "/mnt/secrets-store" # readOnly: true serviceAccount: create: false existingName: - annotations: {} + annotations: { } renovateWorker: image: @@ -246,7 +254,7 @@ renovateWorker: mendRnvWorkerNodeArgs: # Additional worker env vars - extraEnvVars: [] + extraEnvVars: [ ] # Personal Access Token for github.com (used for retrieving changelogs) githubComToken: @@ -292,31 +300,39 @@ renovateWorker: # defaults to https://github.com/renovatebot/renovate renovateUserAgent: - resources: {} + resources: + limits: + memory: "4096Mi" + cpu: "2.0" + requests: + memory: "2048Mi" + cpu: "0.5" - annotations: {} + annotations: { } labels: - pods: {} + pods: { } + + nodeSelector: { } - nodeSelector: {} + tolerations: [ ] - tolerations: [] + affinity: { } - affinity: {} - - podSecurityContext: {} - # runAsNonRoot: true - # seccompProfile: - # type: RuntimeDefault + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - containerSecurityContext: {} - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL # name of the image pull secret imagePullSecrets: "" 
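Review bot: `readOnlyRootFilesystem: true` together with `runAsUser: 1000` becomes the worker default, but `podSecurityContext` gains no `fsGroup`, so when the cache volume at `/tmp/renovate` is backed by a PVC (the persistence section referenced below this hunk) it may be root-owned and unwritable by UID 1000 unless the storage driver sets ownership itself; adding `fsGroup: 1000` next to `runAsNonRoot: true` makes the default self-consistent (an `emptyDir` is world-writable and unaffected). Whether the worker image writes anywhere outside the mounted volumes — the `/home/ubuntu/.npmrc` mount path suggests a home directory exists — is not visible here and should be verified against a real run before a read-only root filesystem ships as the default.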
@@ -324,17 +340,36 @@ renovateWorker: # This allows renovate to finish running for a repo and then gracefully exit terminationGracePeriodSeconds: 60 + livenessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health + port: ee-worker + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + + readinessProbe: + httpGet: + path: /health + port: ee-worker + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + extraVolumes: - [] + [ ] # - name: secrets-store-inline - # csi: - # driver: secrets-store.csi.k8s.io - # readOnly: true - # volumeAttributes: - # secretProviderClass: "some-secret-store" + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "some-secret-store" extraVolumeMounts: - [] + [ ] # - name: secrets-store-inline # mountPath: "/mnt/secrets-store" # readOnly: true @@ -342,7 +377,7 @@ renovateWorker: serviceAccount: create: false existingName: - annotations: {} + annotations: { } ## data Persistence Parameters ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ @@ -375,7 +410,7 @@ service: type: ClusterIP port: 80 annotations: - {} + { } # cloud.google.com/load-balancer-type: "Internal" ingress: @@ -386,11 +421,11 @@ ingress: # ingressClassName: nginx annotations: - {} + { } # kubernetes.io/tls-acme: "true" hosts: - mend-renovate.local - tls: [] + tls: [ ] # - secretName: mend-renovate-tls # hosts: # - mend-renovate.local
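Review bot: `livenessProbe` with `timeoutSeconds: 1` and `failureThreshold: 3` restarts a worker that cannot answer `/health` within 1 s on three consecutive probes (about 30 s); if the health endpoint shares the event loop with a running Renovate job doing git clones and dependency resolution under a 2-CPU limit — not visible here, but plausible — the worker is killed mid-run, which defeats the `terminationGracePeriodSeconds: 60` grace period documented just above. Safer defaults would be `timeoutSeconds: 5` and `failureThreshold: 6`, or a readiness probe only, for a batch-style worker. `readinessProbe` has no `initialDelaySeconds` while the liveness probe sets `initialDelaySeconds: 2`; for consistency either both or neither should set it.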