fix(ee): improve helm security

mend · Aug 18, 2024 · ab06e98 · ab06e98
1 parent db262e4
commit ab06e98
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 57 deletions.
diff --git a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml
@@ -31,6 +31,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateServer.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}

diff --git a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateWorker.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -124,6 +125,18 @@ spec:
             - name: LOG_FORMAT
               value: {{ .Values.renovateWorker.logFormat | quote }}
             {{- end }}
+          ports:
+            - name: ee-worker
+              containerPort: 8080
+              protocol: TCP
+          {{- with .Values.renovateServer.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.renovateServer.readinessProbe }}
+          readinessProbe:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.renovateWorker.resources | nindent 12 }}
           volumeMounts:
@@ -165,7 +178,7 @@ spec:
           emptyDir:
             medium: Memory
           {{- else }}
-          emptyDir: {}
+          emptyDir: { }
           {{- end }}
       {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }}
         {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }}

diff --git a/helm-charts/mend-renovate-ee/values.yaml b/helm-charts/mend-renovate-ee/values.yaml
@@ -17,13 +17,13 @@ license:
   existingSecret:
 
 postgresql:
-    # if to use PostgreSQL, if set to 'false' SQLite will be used instead
-    enabled: false
-    host:
-    port:
-    database:
-    user:
-    password:
+  # if to use PostgreSQL, if set to 'false' SQLite will be used instead
+  enabled: false
+  host:
+  port:
+  database:
+  user:
+  password:
 
 renovateServer:
   image:
@@ -35,7 +35,7 @@ renovateServer:
   replicas: 1
 
   # Additional server env vars
-  extraEnvVars: []
+  extraEnvVars: [ ]
 
   # Which platform Mend Renovate will connect to.
   # valid values: "bitbucket-server", "github" or "gitlab"
@@ -156,30 +156,36 @@ renovateServer:
   # Set log format, defaults to pretty format. Allowed values: undefined or 'json'
   logFormat: json
 
-  resources: {}
+  resources:
+    limits:
+      memory: "4096Mi"
+    requests:
+      memory: "2048Mi"
 
-  annotations: {}
+  annotations: { }
 
   labels:
-    pods: {}
+    pods: { }
 
-  nodeSelector: {}
+  nodeSelector: { }
 
-  tolerations: []
+  tolerations: [ ]
 
-  affinity: {}
+  affinity: { }
 
-  podSecurityContext: {}
-  #   runAsNonRoot: true
-  #   seccompProfile:
-  #     type: RuntimeDefault
+  podSecurityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
-  containerSecurityContext: {}
-  #   allowPrivilegeEscalation: false
-  #   readOnlyRootFilesystem: true
-  #   capabilities:
-  #     drop:
-  #       - ALL
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 1000
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
 
   # name of the image pull secret
   imagePullSecrets: ""
@@ -207,24 +213,24 @@ renovateServer:
     successThreshold: 1
 
   extraVolumes:
-    []
+    [ ]
     # - name: secrets-store-inline
     #   csi:
     #     driver: secrets-store.csi.k8s.io
-    #     readOnly: true
-    #     volumeAttributes:
-    #       secretProviderClass: "some-secret-store"
+  #     readOnly: true
+  #     volumeAttributes:
+  #       secretProviderClass: "some-secret-store"
 
   extraVolumeMounts:
-    []
-    # - name: secrets-store-inline
+    [ ]
+  # - name: secrets-store-inline
   #   mountPath: "/mnt/secrets-store"
   #   readOnly: true
 
   serviceAccount:
     create: false
     existingName:
-    annotations: {}
+    annotations: { }
 
 renovateWorker:
   image:
@@ -246,7 +252,7 @@ renovateWorker:
   mendRnvWorkerNodeArgs:
 
   # Additional worker env vars
-  extraEnvVars: []
+  extraEnvVars: [ ]
 
   # Personal Access Token for github.com (used for retrieving changelogs)
   githubComToken:
@@ -273,10 +279,10 @@ renovateWorker:
       // Enter self-hosted configuration options here.
       // https://docs.renovatebot.com/self-hosted-configuration/
     }
-
-  # Npmrc file. Will be mounted as a secret
-  # npmrc: |
-    # //registry.npmjs.org/:_authToken=xxxxxx
+    
+    # Npmrc file. Will be mounted as a secret
+    # npmrc: |
+  # //registry.npmjs.org/:_authToken=xxxxxx
 
   # Existing secret with npmrc configuration with key:
   #   .npmrc:
@@ -292,26 +298,30 @@ renovateWorker:
   # defaults to https://github.com/renovatebot/renovate
   renovateUserAgent:
 
-  resources: {}
+  resources:
+    limits:
+      memory: "4096Mi"
+    requests:
+      memory: "2048Mi"
 
-  annotations: {}
+  annotations: { }
 
   labels:
-    pods: {}
+    pods: { }
 
-  nodeSelector: {}
+  nodeSelector: { }
 
-  tolerations: []
+  tolerations: [ ]
 
-  affinity: {}
+  affinity: { }
 
 
-  podSecurityContext: {}
-  #   runAsNonRoot: true
-  #   seccompProfile:
-  #     type: RuntimeDefault
+  podSecurityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
-  containerSecurityContext: {}
+  containerSecurityContext: { }
   #   allowPrivilegeEscalation: false
   #   readOnlyRootFilesystem: true
   #   capabilities:
@@ -324,25 +334,44 @@ renovateWorker:
   # This allows renovate to finish running for a repo and then gracefully exit
   terminationGracePeriodSeconds: 60
 
+  livenessProbe:
+    initialDelaySeconds: 2
+    httpGet:
+      path: /health
+      port: ee-worker
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
+
+  readinessProbe:
+    httpGet:
+      path: /health
+      port: ee-worker
+    periodSeconds: 10
+    timeoutSeconds: 1
+    failureThreshold: 3
+    successThreshold: 1
+
   extraVolumes:
-    []
+    [ ]
     # - name: secrets-store-inline
     #   csi:
     #     driver: secrets-store.csi.k8s.io
-    #     readOnly: true
-    #     volumeAttributes:
-    #       secretProviderClass: "some-secret-store"
+  #     readOnly: true
+  #     volumeAttributes:
+  #       secretProviderClass: "some-secret-store"
 
   extraVolumeMounts:
-    []
+    [ ]
   # - name: secrets-store-inline
   #   mountPath: "/mnt/secrets-store"
   #   readOnly: true
 
   serviceAccount:
     create: false
     existingName:
-    annotations: {}
+    annotations: { }
 
 ## data Persistence Parameters
 ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
@@ -375,7 +404,7 @@ service:
   type: ClusterIP
   port: 80
   annotations:
-    {}
+    { }
   # cloud.google.com/load-balancer-type: "Internal"
 
 ingress:
@@ -386,11 +415,11 @@ ingress:
   # ingressClassName: nginx
 
   annotations:
-    {}
+    { }
   # kubernetes.io/tls-acme: "true"
   hosts:
     - mend-renovate.local
-  tls: []
+  tls: [ ]
   #  - secretName: mend-renovate-tls
   #    hosts:
   #      - mend-renovate.local