diff --git a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml index 6ac962fd..411ab528 100644 --- a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml +++ b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml @@ -31,6 +31,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + automountServiceAccountToken: false {{- with .Values.renovateServer.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml index 231906ae..7bf6589c 100644 --- a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml +++ b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml @@ -32,6 +32,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + automountServiceAccountToken: false {{- with .Values.renovateWorker.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} @@ -124,6 +125,18 @@ spec: - name: LOG_FORMAT value: {{ .Values.renovateWorker.logFormat | quote }} {{- end }} + ports: + - name: ee-worker + containerPort: 8080 + protocol: TCP + {{- with .Values.renovateServer.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.renovateServer.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.renovateWorker.resources | nindent 12 }} volumeMounts: @@ -165,7 +178,7 @@ spec: emptyDir: medium: Memory {{- else }} - emptyDir: {} + emptyDir: { } {{- end }} {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }} {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }} diff --git a/helm-charts/mend-renovate-ee/values.yaml b/helm-charts/mend-renovate-ee/values.yaml index 37b2e952..c4dd8abd 100644 --- a/helm-charts/mend-renovate-ee/values.yaml +++ b/helm-charts/mend-renovate-ee/values.yaml 
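Review bot: `automountServiceAccountToken: false` is hard-coded into the pod spec here and in the matching hunk of worker-deployment.yaml, with no switch in values.yaml, even though values.yaml already exposes `serviceAccount.create` and `serviceAccount.existingName` for each component. Disabling the token mount is a sound default, but an operator who binds an existing service account precisely so the pod can reach the Kubernetes API will get a silently missing token instead of a configuration error. Consider driving it from the existing `serviceAccount` block, e.g. `automountServiceAccountToken: {{ .Values.renovateServer.serviceAccount.automountToken | default false }}` (and the `.Values.renovateWorker.serviceAccount` counterpart in the worker), with the new key (name proposed here) documented in values.yaml as defaulting to `false`. The enclosing pod template starts before this hunk.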
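Review bot: The probe blocks added to the worker container read `.Values.renovateServer.livenessProbe` and `.Values.renovateServer.readinessProbe`, while the probe defaults this same commit adds to values.yaml live under `renovateWorker`, so the worker renders the server's probes and the new worker values are never used. Because the worker defaults target the `ee-worker` port declared just above, and the server's probe values presumably name a different port, the rendered worker probes are likely to reference a port name that does not exist in the worker container. Change both guards to `{{- with .Values.renovateWorker.livenessProbe }}` and `{{- with .Values.renovateWorker.readinessProbe }}`, matching the `.Values.renovateWorker.resources` reference two lines below. The container spec continues outside the hunk.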
@@ -17,13 +17,13 @@ license: existingSecret: postgresql: - # if to use PostgreSQL, if set to 'false' SQLite will be used instead - enabled: false - host: - port: - database: - user: - password: + # if to use PostgreSQL, if set to 'false' SQLite will be used instead + enabled: false + host: + port: + database: + user: + password: renovateServer: image: @@ -35,7 +35,7 @@ renovateServer: replicas: 1 # Additional server env vars - extraEnvVars: [] + extraEnvVars: [ ] # Which platform Mend Renovate will connect to. # valid values: "bitbucket-server", "github" or "gitlab" @@ -156,30 +156,36 @@ renovateServer: # Set log format, defaults to pretty format. Allowed values: undefined or 'json' logFormat: json - resources: {} + resources: + limits: + memory: "4096Mi" + requests: + memory: "2048Mi" - annotations: {} + annotations: { } labels: - pods: {} + pods: { } - nodeSelector: {} + nodeSelector: { } - tolerations: [] + tolerations: [ ] - affinity: {} + affinity: { } - podSecurityContext: {} - # runAsNonRoot: true - # seccompProfile: - # type: RuntimeDefault + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - containerSecurityContext: {} - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL # name of the image pull secret imagePullSecrets: "" 
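Review bot: Replacing `resources: {}` with fixed memory limits (`4096Mi` limit, `2048Mi` request) and a fully populated `containerSecurityContext` changes the rendered default for every existing installation that relied on the empty values, so this is a behaviour change rather than the formatting cleanup the surrounding `{ }` edits suggest, and it deserves an explanatory comment next to the values. `readOnlyRootFilesystem: true` and `runAsUser: 1000` are fixed defaults whose safety depends on the image: nothing in the hunk shows the server having a writable volume for whatever it writes at runtime, and 1000 must match the uid the image actually expects, so both should be stated as assumptions, e.g. `# runAsUser must match the uid the server image runs as; readOnlyRootFilesystem assumes every writable path is a mounted volume`. The memory-only limits also leave CPU unbounded, which may be intended but is worth a one-line comment.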
@@ -207,24 +213,24 @@ renovateServer: successThreshold: 1 extraVolumes: - [] + [ ] # - name: secrets-store-inline # csi: # driver: secrets-store.csi.k8s.io - # readOnly: true - # volumeAttributes: - # secretProviderClass: "some-secret-store" + # readOnly: true + # volumeAttributes: + # secretProviderClass: "some-secret-store" extraVolumeMounts: - [] - # - name: secrets-store-inline + [ ] + # - name: secrets-store-inline # mountPath: "/mnt/secrets-store" # readOnly: true serviceAccount: create: false existingName: - annotations: {} + annotations: { } renovateWorker: image: @@ -246,7 +252,7 @@ renovateWorker: mendRnvWorkerNodeArgs: # Additional worker env vars - extraEnvVars: [] + extraEnvVars: [ ] # Personal Access Token for github.com (used for retrieving changelogs) githubComToken: @@ -273,10 +279,10 @@ renovateWorker: // Enter self-hosted configuration options here. // https://docs.renovatebot.com/self-hosted-configuration/ } - - # Npmrc file. Will be mounted as a secret - # npmrc: | - # //registry.npmjs.org/:_authToken=xxxxxx + + # Npmrc file. Will be mounted as a secret + # npmrc: | + # //registry.npmjs.org/:_authToken=xxxxxx # Existing secret with npmrc configuration with key: # .npmrc: @@ -292,26 +298,30 @@ renovateWorker: # defaults to https://github.com/renovatebot/renovate renovateUserAgent: - resources: {} + resources: + limits: + memory: "4096Mi" + requests: + memory: "2048Mi" - annotations: {} + annotations: { } labels: - pods: {} + pods: { } - nodeSelector: {} + nodeSelector: { } - tolerations: [] + tolerations: [ ] - affinity: {} + affinity: { } - podSecurityContext: {} - # runAsNonRoot: true - # seccompProfile: - # type: RuntimeDefault + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - containerSecurityContext: {} + containerSecurityContext: { } # allowPrivilegeEscalation: false # readOnlyRootFilesystem: true # capabilities: 
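Review bot: The worker's `podSecurityContext` now sets `runAsNonRoot: true`, but unlike the server block earlier in this file its `containerSecurityContext` stays `{ }` with no `runAsUser`, so the kubelet can only verify non-root from the image's `USER` and will refuse to start the container if that user is not numeric. Whether the worker image declares a numeric user is not visible here and should be confirmed before this becomes the default. If the worker is deliberately left less hardened than the server (for example because it needs a writable root filesystem), say so next to the empty mapping, e.g. `# left open on purpose: <reason> — see renovateServer.containerSecurityContext for the hardened form`; otherwise give it the same `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and an explicit `runAsUser` as the server.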
@@ -324,17 +334,36 @@ renovateWorker: # This allows renovate to finish running for a repo and then gracefully exit terminationGracePeriodSeconds: 60 + livenessProbe: + initialDelaySeconds: 2 + httpGet: + path: /health + port: ee-worker + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + + readinessProbe: + httpGet: + path: /health + port: ee-worker + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + extraVolumes: - [] + [ ] # - name: secrets-store-inline # csi: # driver: secrets-store.csi.k8s.io - # readOnly: true - # volumeAttributes: - # secretProviderClass: "some-secret-store" + # readOnly: true + # volumeAttributes: + # secretProviderClass: "some-secret-store" extraVolumeMounts: - [] + [ ] # - name: secrets-store-inline # mountPath: "/mnt/secrets-store" # readOnly: true @@ -342,7 +371,7 @@ renovateWorker: serviceAccount: create: false existingName: - annotations: {} + annotations: { } ## data Persistence Parameters ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ @@ -375,7 +404,7 @@ service: type: ClusterIP port: 80 annotations: - {} + { } # cloud.google.com/load-balancer-type: "Internal" ingress: @@ -386,11 +415,11 @@ ingress: # ingressClassName: nginx annotations: - {} + { } # kubernetes.io/tls-acme: "true" hosts: - mend-renovate.local - tls: [] + tls: [ ] # - secretName: mend-renovate-tls # hosts: # - mend-renovate.local
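Review bot: The worker `livenessProbe` defaults (`periodSeconds: 10`, `timeoutSeconds: 1`, `failureThreshold: 3`, `initialDelaySeconds: 2`) give a busy worker roughly 30 seconds of slow `/health` responses before it is restarted mid-job, which sits uneasily with the `terminationGracePeriodSeconds: 60` comment directly above stating the worker is meant to finish the current repository before exiting. Whether `/health` remains responsive while a Renovate run is in progress is not visible here and should be confirmed; if it can stall, raise `timeoutSeconds` and `failureThreshold`, or add a comment explaining why the tight values are safe, e.g. `# /health is served independently of job execution, so a 1s timeout is safe under load`. The `readinessProbe` has no `initialDelaySeconds` at all, which is fine only if the endpoint is up before the first probe fires.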