diff --git a/helm-charts/mend-renovate-ee/Chart.yaml b/helm-charts/mend-renovate-ee/Chart.yaml
index e36bf9b7..f8317f2e 100644
--- a/helm-charts/mend-renovate-ee/Chart.yaml
+++ b/helm-charts/mend-renovate-ee/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: mend-renovate-enterprise-edition
-version: 2.0.0
+version: 2.0.1
 appVersion: 8.0.0
 description: Mend Renovate Enterprise Edition
 home: https://github.com/mend/renovate-ce-ee
diff --git a/helm-charts/mend-renovate-ee/templates/secret.yaml b/helm-charts/mend-renovate-ee/templates/secret.yaml
index f9be4c60..4f1be992 100644
--- a/helm-charts/mend-renovate-ee/templates/secret.yaml
+++ b/helm-charts/mend-renovate-ee/templates/secret.yaml
@@ -19,6 +19,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.license-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -37,6 +38,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.server-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -76,6 +78,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.worker-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
diff --git a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml
index 6ac962fd..46aa4eff 100644
--- a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml
+++ b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml
@@ -31,6 +31,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateServer.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
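Review bot: In the server-deployment hunk `automountServiceAccountToken: false` is hard-coded into the pod spec with no values.yaml knob, so an operator who points `serviceAccount.existingName` at an account that actually needs the projected token (in-cluster API access, or an identity integration that relies on the default token mount) cannot re-enable it without forking the template. Not mounting the token by default is the right hardening for a workload that runs against third-party repositories, but it should stay overridable: `automountServiceAccountToken: {{ .Values.renovateServer.automountServiceAccountToken | default false }}` with the new key documented in values.yaml. The pod spec this line belongs to continues past the end of the hunk.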
@@ -88,7 +89,7 @@ spec:
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvGithubBotUserId }}
            - name: MEND_RNV_GITHUB_BOT_USER_ID
-             value: {{ .Values.renovateServer.mendRnvGithubBotUserId | quote }}
+             value: {{ .Values.renovateServer.mendRnvGithubBotUserId | quote }}
            {{- end }}
            {{- if or .Values.renovateServer.mendRnvGithubAppKey .Values.renovateServer.existingSecret }}
            - name: MEND_RNV_GITHUB_APP_KEY
@@ -274,7 +275,7 @@ spec:
       {{- end }}
       {{- if .Values.renovateServer.imagePullSecrets }}
       imagePullSecrets:
-      - name: .Values.renovateServer.imagePullSecrets
+      - name: {{ .Values.renovateServer.imagePullSecrets }}
       {{- end }}
       volumes:
       - name: {{ .Release.Name }}-database-volume
@@ -285,7 +286,7 @@ spec:
         emptyDir:
           medium: Memory
       {{- else }}
-        emptyDir: {}
+        emptyDir: { }
       {{- end }}
       {{- if ne (len .Values.renovateServer.extraVolumes) 0 }}
       {{ toYaml .Values.renovateServer.extraVolumes | nindent 8 | trim }}
diff --git a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
index 231906ae..4479b1fb 100644
--- a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
+++ b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateWorker.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -43,7 +44,7 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.renovateWorker.image.repository }}:{{ .Values.renovateWorker.image.tag }}"
           imagePullPolicy: {{ .Values.renovateWorker.image.pullPolicy }}
-          {{- with .Values.renovateServer.containerSecurityContext }}
+          {{- with .Values.renovateWorker.containerSecurityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
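Review bot: In the `@@ -274` hunk the repaired `imagePullSecrets` entry renders the secret name as a bare plain scalar, so a name YAML would retype (an all-digit or boolean-looking value) comes out as a number or boolean rather than a string; quote it: `- name: {{ .Values.renovateServer.imagePullSecrets | quote }}`. The value is also still declared as a single string (`imagePullSecrets: ""` in values.yaml), while the Kubernetes field is a list, so a cluster that needs more than one registry credential cannot be expressed; a `range` over a list value, keeping a plain string accepted for compatibility, would close that gap. The pod spec continues outside the hunk.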
@@ -124,18 +125,33 @@ spec:
             - name: LOG_FORMAT
               value: {{ .Values.renovateWorker.logFormat | quote }}
             {{- end }}
+          ports:
+            - name: ee-worker
+              containerPort: 8080
+              protocol: TCP
+          {{- with .Values.renovateWorker.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.renovateWorker.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.renovateWorker.resources | nindent 12 }}
           volumeMounts:
             - name: {{ .Release.Name }}-config-js-volume
+              readOnly: true
               mountPath: /usr/src/app/config.js
               subPath: config.js
             {{- if .Values.renovateWorker.npmrc }}
             - name: {{ .Release.Name }}-npmrc-volume
+              readOnly: true
               mountPath: /home/ubuntu/.npmrc
               subPath: .npmrc
             {{- end }}
             - name: {{ .Release.Name }}-cache-volume
+              readOnly: false
               mountPath: /tmp/renovate
           {{- if ne (len .Values.renovateWorker.extraVolumeMounts) 0 }}
           {{ toYaml .Values.renovateWorker.extraVolumeMounts | nindent 12 | trim }}
@@ -146,7 +162,7 @@ spec:
       {{- end }}
       {{- if .Values.renovateWorker.imagePullSecrets }}
       imagePullSecrets:
-      - name: .Values.renovateWorker.imagePullSecrets
+      - name: {{ .Values.renovateWorker.imagePullSecrets }}
       {{- end }}
       volumes:
       - name: {{ .Release.Name }}-config-js-volume
@@ -165,7 +181,7 @@ spec:
         emptyDir:
           medium: Memory
       {{- else }}
-        emptyDir: {}
+        emptyDir: { }
       {{- end }}
       {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }}
       {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }}
diff --git a/helm-charts/mend-renovate-ee/values.yaml b/helm-charts/mend-renovate-ee/values.yaml
index 37b2e952..983acfa7 100644
--- a/helm-charts/mend-renovate-ee/values.yaml
+++ b/helm-charts/mend-renovate-ee/values.yaml
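Review bot: In the `@@ -146` hunk the worker's `imagePullSecrets` entry has the same unquoted-scalar problem as the server template: `- name: {{ .Values.renovateWorker.imagePullSecrets | quote }}` keeps a digit-only or boolean-looking secret name from being retyped by the YAML parser. In the `@@ -124` hunk the explicit `readOnly: false` on the cache mount is the Kubernetes default, so it reads as a deliberate exception; a short comment such as `# renovate writes its repo cache here` next to it would tell the next maintainer it is intentional rather than an oversight. Both hunks sit inside a pod spec that starts and ends outside the hunk.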
@@ -17,13 +17,13 @@ license: existingSecret: postgresql: - # if to use PostgreSQL, if set to 'false' SQLite will be used instead - enabled: false - host: - port: - database: - user: - password: + # if to use PostgreSQL, if set to 'false' SQLite will be used instead + enabled: false + host: + port: + database: + user: + password: renovateServer: image: @@ -35,7 +35,7 @@ renovateServer: replicas: 1 # Additional server env vars - extraEnvVars: [] + extraEnvVars: [ ] # Which platform Mend Renovate will connect to. # valid values: "bitbucket-server", "github" or "gitlab" @@ -156,30 +156,38 @@ renovateServer: # Set log format, defaults to pretty format. Allowed values: undefined or 'json' logFormat: json - resources: {} + resources: + limits: + memory: "4096Mi" + cpu: "2000m" + requests: + memory: "512Mi" + cpu: "10m" - annotations: {} + annotations: { } labels: - pods: {} + pods: { } - nodeSelector: {} + nodeSelector: { } - tolerations: [] + tolerations: [ ] - affinity: {} + affinity: { } - podSecurityContext: {} - # runAsNonRoot: true - # seccompProfile: - # type: RuntimeDefault + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - containerSecurityContext: {} - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: false + capabilities: + drop: + - ALL # name of the image pull secret imagePullSecrets: "" 
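Review bot: In the `@@ -156` hunk the new default `containerSecurityContext` ships `readOnlyRootFilesystem: false`, replacing the previously suggested (commented-out) `true`, and nothing in the diff records why the weaker setting was chosen. The server template already mounts a database volume and a cache emptyDir, so a writable root filesystem should only be necessary for paths the image writes outside those mounts; if that is the case it belongs in a comment next to the key, otherwise the default should be `true`. `runAsUser: 1000` is likewise pinned without explanation and must match the image's non-root user (the worker template's `/home/ubuntu/.npmrc` mount suggests uid 1000, but confirm against the image); a comment like `# must match the uid of the image's non-root user` would make the coupling explicit. The `renovateServer` block continues past both ends of the hunk.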
@@ -187,44 +195,45 @@ renovateServer: # This allows renovate to finish running for a repo and then gracefully exit terminationGracePeriodSeconds: 60 - livenessProbe: - initialDelaySeconds: 2 + readinessProbe: httpGet: path: /health port: ee-server - periodSeconds: 10 + initialDelaySeconds: 20 + periodSeconds: 20 timeoutSeconds: 1 failureThreshold: 3 successThreshold: 1 - readinessProbe: + livenessProbe: httpGet: path: /health port: ee-server + initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 1 failureThreshold: 3 successThreshold: 1 extraVolumes: - [] + [ ] # - name: secrets-store-inline # csi: # driver: secrets-store.csi.k8s.io # readOnly: true # volumeAttributes: - # secretProviderClass: "some-secret-store" + # secretProviderClass: "some-secret-store" extraVolumeMounts: - [] - # - name: secrets-store-inline + [ ] + # - name: secrets-store-inline # mountPath: "/mnt/secrets-store" # readOnly: true serviceAccount: create: false existingName: - annotations: {} + annotations: { } renovateWorker: image: @@ -246,7 +255,7 @@ renovateWorker: mendRnvWorkerNodeArgs: # Additional worker env vars - extraEnvVars: [] + extraEnvVars: [ ] # Personal Access Token for github.com (used for retrieving changelogs) githubComToken: 
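Review bot: The reordered probes keep `timeoutSeconds: 1` on the liveness probe, so three consecutive `/health` responses slower than one second (30 s under `periodSeconds: 10`) restart the server even though it may simply be busy, which on a single-threaded Node process under CPU pressure is a plausible restart loop rather than a crash detector. The 60 s `initialDelaySeconds` is a good change; consider also `timeoutSeconds: 5` on the liveness probe (or a higher `failureThreshold`) so that only a genuinely hung process is killed, and keep the stricter readiness probe as the traffic gate. The `renovateServer` block this lives in extends beyond the hunk.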
@@ -292,31 +301,39 @@ renovateWorker: # defaults to https://github.com/renovatebot/renovate renovateUserAgent: - resources: {} + resources: + limits: + memory: "4096Mi" + cpu: "2000m" + requests: + memory: "512Mi" + cpu: "10m" - annotations: {} + annotations: { } labels: - pods: {} + pods: { } + + nodeSelector: { } - nodeSelector: {} + tolerations: [ ] - tolerations: [] + affinity: { } - affinity: {} - - podSecurityContext: {} - # runAsNonRoot: true - # seccompProfile: - # type: RuntimeDefault + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - containerSecurityContext: {} - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: false + capabilities: + drop: + - ALL # name of the image pull secret imagePullSecrets: "" @@ -324,17 +341,37 @@ renovateWorker: # This allows renovate to finish running for a repo and then gracefully exit terminationGracePeriodSeconds: 60 + readinessProbe: + httpGet: + path: /health + port: ee-worker + initialDelaySeconds: 20 + periodSeconds: 20 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + + livenessProbe: + httpGet: + path: /health + port: ee-worker + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + extraVolumes: - [] + [ ] # - name: secrets-store-inline - # csi: - # driver: secrets-store.csi.k8s.io - # readOnly: true - # volumeAttributes: - # secretProviderClass: "some-secret-store" + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "some-secret-store" extraVolumeMounts: - [] + [ ] # - name: secrets-store-inline # mountPath: "/mnt/secrets-store" # readOnly: true 
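Review bot: In the `@@ -292` hunk the worker gets the same `readOnlyRootFilesystem: false` default as the server, but the worker is the component that processes third-party repositories during a run, so it is where a writable root filesystem carries the most exposure; the worker template already mounts its config, `.npmrc` and `/tmp/renovate` cache as volumes, so verify whether anything else is written before shipping `false`, and either set `true` or document the paths that force it next to the key. In the `@@ -324` hunk the new worker `livenessProbe` uses `timeoutSeconds: 1` and `failureThreshold: 3`; the surrounding context says `terminationGracePeriodSeconds: 60` exists so a repo run can finish gracefully, yet a liveness kill during a long, CPU-bound run (limit `2000m`) would cut it short if `/health` stalls for 30 s. Raising the liveness `timeoutSeconds` (e.g. `5`) and `failureThreshold` for the worker keeps the probe as a hang detector without fighting that graceful-exit intent. Both hunks are inside the `renovateWorker` block, which starts and ends outside the hunk.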
@@ -342,7 +379,7 @@ renovateWorker: serviceAccount: create: false existingName: - annotations: {} + annotations: { } ## data Persistence Parameters ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ @@ -375,7 +412,7 @@ service: type: ClusterIP port: 80 annotations: - {} + { } # cloud.google.com/load-balancer-type: "Internal" ingress: @@ -386,11 +423,11 @@ ingress: # ingressClassName: nginx annotations: - {} + { } # kubernetes.io/tls-acme: "true" hosts: - mend-renovate.local - tls: [] + tls: [ ] # - secretName: mend-renovate-tls # hosts: # - mend-renovate.local