diff --git a/charts/scalar-manager/README.md b/charts/scalar-manager/README.md index a11926e8..6ad7bcec 100644 --- a/charts/scalar-manager/README.md +++ b/charts/scalar-manager/README.md 
@@ -11,40 +11,28 @@ Current chart version is `2.0.0-SNAPSHOT` | Key | Type | Default | Description | |-----|------|---------|-------------| -| api.grafanaKubernetesServiceLabelName | string | `"app.kubernetes.io/name"` | | -| api.grafanaKubernetesServiceLabelValue | string | `"grafana"` | | -| api.grafanaKubernetesServicePortName | string | `"http-web"` | | -| api.helmScalarAdminForKubernetesChartName | string | `"scalar-admin-for-kubernetes"` | | -| api.helmScalarAdminForKubernetesChartVersion | string | `"1.0.0"` | | -| api.helmScalarRepositoryName | string | `"scalar-labs"` | | -| api.helmScalarRepositoryUrl | string | `"https://scalar-labs.github.io/helm-charts"` | | +| api.applicationProperties | string | `"grafana.kubernetesServiceLabelName=${GRAFANA_KUBERNETES_SERVICE_LABEL_NAME:app.kubernetes.io/name}\ngrafana.kubernetesServiceLabelValue=${GRAFANA_KUBERNETES_SERVICE_LABEL_VALUE:grafana}\ngrafana.kubernetesServicePortName=${GRAFANA_KUBERNETES_SERVICE_PORT_NAME:http-web}\n\nprometheus.kubernetesServiceLabelName=${PROMETHEUS_KUBERNETES_SERVICE_LABEL_NAME:app}\nprometheus.kubernetesServiceLabelValue=${PROMETHEUS_KUBERNETES_SERVICE_LABEL_VALUE:kube-prometheus-stack-prometheus}\nprometheus.kubernetesServicePortName=${PROMETHEUS_KUBERNETES_SERVICE_PORT_NAME:http-web}\n\nloki.kubernetesServiceLabelName=${LOKI_KUBERNETES_SERVICE_LABEL_NAME:app}\nloki.kubernetesServiceLabelValue=${LOKI_KUBERNETES_SERVICE_LABEL_VALUE:loki}\nloki.kubernetesServicePortName=${LOKI_KUBERNETES_SERVICE_PORT_NAME:http-metrics}\n\nhelm.scalarRepositoryName=${HELM_SCALAR_REPOSITORY_NAME:scalar-labs}\nhelm.scalarRepositoryUrl=${HELM_SCALAR_REPOSITORY_URL:https://scalar-labs.github.io/helm-charts}\nhelm.scalarAdminForKubernetesChartName=${HELM_SCALAR_ADMIN_FOR_KUBERNETES_CHART_NAME:scalar-admin-for-kubernetes}\nhelm.scalarAdminForKubernetesChartVersion=${HELM_SCALAR_ADMIN_FOR_KUBERNETES_CHART_VERSION:1.0.0}\n\nconfigMapNamespace=${CONFIG_MAP_NAMESPACE:default}\nconfigMapName=${CONFIG_MAP_NAME:sca
lar-manager-metadata}\n\npaused-state-retention.storage=${PAUSED_STATE_RETENTION_STORAGE:configmap}\npaused-state-retention.max-number=${PAUSED_STATE_RETENTION_MAX_NUMBER:100}\n"` | | | api.image.pullPolicy | string | `"IfNotPresent"` | | | api.image.repository | string | `"ghcr.io/scalar-labs/scalar-manager-api"` | | | api.image.tag | string | `""` | | -| api.lokiKubernetesServiceLabelName | string | `"app"` | | -| api.lokiKubernetesServiceLabelValue | string | `"loki"` | | -| api.lokiKubernetesServicePortName | string | `"http-metrics"` | | -| api.pausedStateRetentionMaxNumber | string | `"100"` | | -| api.pausedStateRetentionStorage | string | `"configmap"` | | -| api.prometheusKubernetesServiceLabelName | string | `"app"` | | -| api.prometheusKubernetesServiceLabelValue | string | `"kube-prometheus-stack-prometheus"` | | -| api.prometheusKubernetesServicePortName | string | `"http-web"` | | +| api.resources | object | `{}` | | | fullnameOverride | string | `""` | | | imagePullSecrets[0].name | string | `"reg-docker-secrets"` | | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | | podLabels | object | `{}` | | -| podSecurityContext | object | `{}` | | +| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | +| securityContext.allowPrivilegeEscalation | bool | `false` | | +| securityContext.capabilities.drop[0] | string | `"ALL"` | | +| securityContext.runAsNonRoot | bool | `true` | | | service.port | int | `80` | | -| service.type | string | `"LoadBalancer"` | | -| serviceAccount.automount | bool | `true` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.automountServiceAccountToken | bool | `true` | | +| serviceAccount.serviceAccountName | string | `""` | | | tolerations | list | 
`[]` | |
 | web.image.pullPolicy | string | `"IfNotPresent"` | |
 | web.image.repository | string | `"ghcr.io/scalar-labs/scalar-manager-web"` | |
 | web.image.tag | string | `""` | |
+| web.resources | object | `{}` | |
diff --git a/charts/scalar-manager/templates/_helpers.tpl b/charts/scalar-manager/templates/_helpers.tpl
index b3d9dd53..a41ac9b0 100644
--- a/charts/scalar-manager/templates/_helpers.tpl
+++ b/charts/scalar-manager/templates/_helpers.tpl
@@ -48,15 +48,16 @@ Selector labels
 {{- define "scalar-manager.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "scalar-manager.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/app: scalar-manager
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "scalar-manager.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "scalar-manager.fullname" .) .Values.serviceAccount.name }}
+{{- if .Values.serviceAccount.serviceAccountName }}
+{{- .Values.serviceAccount.serviceAccountName }}
 {{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- print (include "scalar-manager.fullname" .) "-sa" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
diff --git a/charts/scalar-manager/templates/scalar-manager/clusterrolebinding.yaml b/charts/scalar-manager/templates/scalar-manager/clusterrolebinding.yaml
deleted file mode 100644
index ee1a4ffa..00000000
--- a/charts/scalar-manager/templates/scalar-manager/clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "scalar-manager.fullname" . }}
-  labels:
-    {{- include "scalar-manager.labels" . | nindent 4 }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "scalar-manager.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-    apiGroup: ""
-roleRef:
-  kind: ClusterRole
-  name: {{ include "scalar-manager.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
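Review bot: Adding `app.kubernetes.io/app: scalar-manager` to `scalar-manager.selectorLabels` changes the pod selector wherever that helper feeds `spec.selector.matchLabels`; deployment.yaml's selector is outside this diff, but if it uses the helper (the usual scaffold), `helm upgrade` of an existing release fails because `spec.selector` on an apps/v1 Deployment is immutable. If the label is only wanted on pods, add it through `scalar-manager.labels` or the pod template labels rather than the selector helper, otherwise call the breaking upgrade out in the README. The new `serviceAccountName` branch is clear, though a short comment above the define, `{{/* Use the caller's ServiceAccount when set; otherwise the chart creates and uses <fullname>-sa */}}`, would record the contract that serviceaccount.yaml's guard relies on.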
diff --git a/charts/scalar-manager/templates/scalar-manager/configmap.yaml b/charts/scalar-manager/templates/scalar-manager/configmap.yaml
index d58dac26..7433d67c 100644
--- a/charts/scalar-manager/templates/scalar-manager/configmap.yaml
+++ b/charts/scalar-manager/templates/scalar-manager/configmap.yaml
@@ -1,12 +1,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "scalar-manager.fullname" . }}
+  name: {{ include "scalar-manager.fullname" . }}-api-application-properties
   namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/app: {{ include "scalar-manager.fullname" . }}
-    {{- include "scalar-manager.labels" . | nindent 4 }}
 data:
-  managed-clusters: "[]"
-  paused-states: "[]"
-  paused-states-updated-at: "0"
+  scalar-manager-api-application.properties:
+    {{- toYaml .Values.api.applicationProperties | nindent 4 }}
diff --git a/charts/scalar-manager/templates/scalar-manager/deployment.yaml b/charts/scalar-manager/templates/scalar-manager/deployment.yaml
index 6f847fed..fea46c50 100644
--- a/charts/scalar-manager/templates/scalar-manager/deployment.yaml
+++ b/charts/scalar-manager/templates/scalar-manager/deployment.yaml
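Review bot: The rewritten ConfigMap drops the `labels:` block entirely, so unlike role.yaml in this same change it no longer carries `scalar-manager.labels`, and label-based selection on `app.kubernetes.io/instance` will miss it. Re-add `labels:` followed by `{{- include "scalar-manager.labels" . | nindent 4 }}` under `metadata:`. A one-line comment above `data:` would also help readers: this object now only carries the mounted application.properties file, while the `managed-clusters`/`paused-states` entries the old ConfigMap held are expected in the ConfigMap named by `configMapName` in the properties, which this chart no longer creates.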
@@ -25,62 +25,35 @@ spec: spec: restartPolicy: Always serviceAccountName: {{ include "scalar-manager.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.serviceAccount.automount }} - terminationGracePeriodSeconds: 90 + automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} containers: - name: {{ .Chart.Name }}-api image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag | default .Chart.AppVersion }}" resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.api.resources | nindent 12 }} ports: - containerPort: 8080 imagePullPolicy: {{ .Values.api.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - env: - - name: GRAFANA_KUBERNETES_SERVICE_LABEL_NAME - value: {{ .Values.api.grafanaKubernetesServiceLabelName | quote }} - - name: GRAFANA_KUBERNETES_SERVICE_LABEL_VALUE - value: {{ .Values.api.grafanaKubernetesServiceLabelValue | quote }} - - name: GRAFANA_KUBERNETES_SERVICE_PORT_NAME - value: {{ .Values.api.grafanaKubernetesServicePortName | quote }} - - name: PROMETHEUS_KUBERNETES_SERVICE_LABEL_NAME - value: {{ .Values.api.prometheusKubernetesServiceLabelName | quote }} - - name: PROMETHEUS_KUBERNETES_SERVICE_LABEL_VALUE - value: {{ .Values.api.prometheusKubernetesServiceLabelValue | quote }} - - name: PROMETHEUS_KUBERNETES_SERVICE_PORT_NAME - value: {{ .Values.api.prometheusKubernetesServicePortName | quote }} - - name: LOKI_KUBERNETES_SERVICE_LABEL_NAME - value: {{ .Values.api.lokiKubernetesServiceLabelName | quote }} - - name: LOKI_KUBERNETES_SERVICE_LABEL_VALUE - value: {{ .Values.api.lokiKubernetesServiceLabelValue | quote }} - - name: LOKI_KUBERNETES_SERVICE_PORT_NAME - value: {{ .Values.api.lokiKubernetesServicePortName | quote }} - - name: HELM_SCALAR_REPOSITORY_NAME - value: {{ .Values.api.helmScalarRepositoryName | quote }} - - name: HELM_SCALAR_REPOSITORY_URL - value: {{ .Values.api.helmScalarRepositoryUrl | quote }} - - name: 
HELM_SCALAR_ADMIN_FOR_KUBERNETES_CHART_NAME - value: {{ .Values.api.helmScalarAdminForKubernetesChartName | quote }} - - name : HELM_SCALAR_ADMIN_FOR_KUBERNETES_CHART_VERSION - value: {{ .Values.api.helmScalarAdminForKubernetesChartVersion | quote }} - - name: CONFIG_MAP_LABEL_NAME - value: "app.kubernetes.io/app" - - name: CONFIG_MAP_LABEL_VALUE - value: {{ include "scalar-manager.fullname" . | quote }} - - name: PAUSED_STATE_RETENTION_STORAGE - value: {{ .Values.api.pausedStateRetentionStorage | quote }} - - name: PAUSED_STATE_RETENTION_MAX_NUMBER - value: {{ .Values.api.pausedStateRetentionMaxNumber | quote }} + volumeMounts: + - name: api-application-properties-volume + mountPath: /app/application.properties + subPath: scalar-manager-api-application.properties - name: {{ .Chart.Name }}-web image: "{{ .Values.web.image.repository }}:{{ .Values.web.image.tag | default .Chart.AppVersion }}" resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.web.resources | nindent 12 }} ports: - containerPort: 3000 imagePullPolicy: {{ .Values.web.image.pullPolicy }} securityContext: + runAsUser: 1000 {{- toYaml .Values.securityContext | nindent 12 }} + volumes: + - name: api-application-properties-volume + configMap: + name: {{ include "scalar-manager.fullname" . }}-api-application-properties securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.imagePullSecrets }} diff --git a/charts/scalar-manager/templates/scalar-manager/clusterrole.yaml b/charts/scalar-manager/templates/scalar-manager/role.yaml similarity index 85% rename from charts/scalar-manager/templates/scalar-manager/clusterrole.yaml rename to charts/scalar-manager/templates/scalar-manager/role.yaml index 1ab7f689..09685089 100644 --- a/charts/scalar-manager/templates/scalar-manager/clusterrole.yaml +++ b/charts/scalar-manager/templates/scalar-manager/role.yaml 
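Review bot: `runAsUser: 1000` is hard-coded for the web container directly above `{{- toYaml .Values.securityContext | nindent 12 }}`, so a user who sets `securityContext.runAsUser` in values gets the key rendered twice in one mapping, which the YAML decoder rejects; the api container gets no `runAsUser` at all, and with `runAsNonRoot: true` now the default the kubelet refuses to start it unless the image declares a numeric USER (not visible here). Move the uid into values (for example a per-container `web.securityContext` merged over `securityContext`) or drop it and rely on the image. Separately, the properties file is mounted with `subPath`, and subPath ConfigMap mounts are never refreshed by the kubelet, so changing `api.applicationProperties` on upgrade does not reach a running pod; add a checksum annotation on the pod template (which begins above this hunk), e.g. `checksum/config: {{ include (print $.Template.BasePath "/scalar-manager/configmap.yaml") . | sha256sum }}`, so the change rolls the pods.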
@@ -1,7 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: {{ include "scalar-manager.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "scalar-manager.fullname" . }}-role
   labels:
     {{- include "scalar-manager.labels" . | nindent 4 }}
 rules:
diff --git a/charts/scalar-manager/templates/scalar-manager/rolebinding.yaml b/charts/scalar-manager/templates/scalar-manager/rolebinding.yaml
new file mode 100644
index 00000000..c5385f2d
--- /dev/null
+++ b/charts/scalar-manager/templates/scalar-manager/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "scalar-manager.fullname" . }}-rolebinding
+  namespace: {{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "scalar-manager.serviceAccountName" . }}
+roleRef:
+  kind: Role
+  name: {{ include "scalar-manager.fullname" . }}-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/charts/scalar-manager/templates/scalar-manager/serviceaccount.yaml b/charts/scalar-manager/templates/scalar-manager/serviceaccount.yaml
index a3844c71..7ad83bde 100644
--- a/charts/scalar-manager/templates/scalar-manager/serviceaccount.yaml
+++ b/charts/scalar-manager/templates/scalar-manager/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.serviceAccount.name }}
+{{- if not .Values.serviceAccount.serviceAccountName }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/scalar-manager/values.schema.json b/charts/scalar-manager/values.schema.json
index 58130444..01114dcb 100644
--- a/charts/scalar-manager/values.schema.json
+++ b/charts/scalar-manager/values.schema.json
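Review bot: Narrowing the ClusterRole to a namespaced Role is the right least-privilege move, but the defaults this same change introduces still point outside the release namespace: the values.yaml hunk ships `configMapNamespace=${CONFIG_MAP_NAMESPACE:default}`, and the grafana/prometheus/loki service lookups presumably target a monitoring namespace. Under a Role the API's ServiceAccount can only read those objects in `{{ .Release.Namespace }}`, so any install outside `default` gets 403s on the metadata ConfigMap unless `CONFIG_MAP_NAMESPACE` is overridden; the `rules:` that decide the verbs continue outside this hunk. Setting it from the deployment, `- name: CONFIG_MAP_NAMESPACE` / `value: {{ .Release.Namespace | quote }}`, keeps the default consistent with the Role, and the README should state that the monitored services and the metadata ConfigMap must live in the release namespace.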
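Review bot: The ServiceAccount subject in rolebinding.yaml omits `namespace:`; the RBAC authorizer treats an empty subject namespace on a RoleBinding as the binding's own namespace, so this binds correctly, but the deleted ClusterRoleBinding spelled it out and being explicit avoids depending on that default: add `namespace: {{ .Release.Namespace }}` under `name:`. The binding also lacks the `labels:` block with `scalar-manager.labels` that role.yaml keeps, which leaves it inconsistent with the rest of the chart's objects.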
@@ -5,25 +5,7 @@
     "api": {
       "type": "object",
       "properties": {
-        "grafanaKubernetesServiceLabelName": {
-          "type": "string"
-        },
-        "grafanaKubernetesServiceLabelValue": {
-          "type": "string"
-        },
-        "grafanaKubernetesServicePortName": {
-          "type": "string"
-        },
-        "helmScalarAdminForKubernetesChartName": {
-          "type": "string"
-        },
-        "helmScalarAdminForKubernetesChartVersion": {
-          "type": "string"
-        },
-        "helmScalarRepositoryName": {
-          "type": "string"
-        },
-        "helmScalarRepositoryUrl": {
+        "applicationProperties": {
           "type": "string"
         },
         "image": {
@@ -40,29 +22,8 @@
             }
           }
         },
-        "lokiKubernetesServiceLabelName": {
-          "type": "string"
-        },
-        "lokiKubernetesServiceLabelValue": {
-          "type": "string"
-        },
-        "lokiKubernetesServicePortName": {
-          "type": "string"
-        },
-        "pausedStateRetentionMaxNumber": {
-          "type": "string"
-        },
-        "pausedStateRetentionStorage": {
-          "type": "string"
-        },
-        "prometheusKubernetesServiceLabelName": {
-          "type": "string"
-        },
-        "prometheusKubernetesServiceLabelValue": {
-          "type": "string"
-        },
-        "prometheusKubernetesServicePortName": {
-          "type": "string"
+        "resources": {
+          "type": "object"
         }
       }
     },
@@ -93,16 +54,42 @@
       "type": "object"
     },
     "podSecurityContext": {
-      "type": "object"
+      "type": "object",
+      "properties": {
+        "seccompProfile": {
+          "type": "object",
+          "properties": {
+            "type": {
+              "type": "string"
+            }
+          }
+        }
+      }
     },
     "replicaCount": {
       "type": "integer"
     },
-    "resources": {
-      "type": "object"
-    },
     "securityContext": {
-      "type": "object"
+      "type": "object",
+      "properties": {
+        "allowPrivilegeEscalation": {
+          "type": "boolean"
+        },
+        "capabilities": {
+          "type": "object",
+          "properties": {
+            "drop": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "runAsNonRoot": {
+          "type": "boolean"
+        }
+      }
     },
     "service": {
       "type": "object",
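Review bot: `podSecurityContext.seccompProfile.type` is declared as a free-form string in the third hunk, while Kubernetes accepts only `RuntimeDefault`, `Localhost` and `Unconfined`; adding `"enum": ["RuntimeDefault", "Localhost", "Unconfined"]` beside `"type": "string"` turns a typo into a `helm install` schema error instead of a pod admission failure. The same hunk could pin `securityContext.runAsNonRoot` and `allowPrivilegeEscalation` no further, since booleans are already exact, so the enum is the only gap worth closing here.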
@@ -118,13 +105,10 @@ "serviceAccount": { "type": "object", "properties": { - "automount": { + "automountServiceAccountToken": { "type": "boolean" }, - "create": { - "type": "boolean" - }, - "name": { + "serviceAccountName": { "type": "string" } } @@ -148,6 +132,9 @@ "type": "string" } } + }, + "resources": { + "type": "object" } } } diff --git a/charts/scalar-manager/values.yaml b/charts/scalar-manager/values.yaml index a3c1fc33..9d50bedd 100644 --- a/charts/scalar-manager/values.yaml +++ b/charts/scalar-manager/values.yaml @@ -12,36 +12,27 @@ podAnnotations: {} podLabels: {} podSecurityContext: - {} - # fsGroup: 2000 + seccompProfile: + type: RuntimeDefault securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + capabilities: + drop: + - ALL + runAsNonRoot: true + allowPrivilegeEscalation: false nodeSelector: {} tolerations: [] service: - type: LoadBalancer + type: ClusterIP port: 80 serviceAccount: - # Specifies whether a service account should be created - create: true - - # Automatically mount a ServiceAccount's API credentials? - automount: true - - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" + serviceAccountName: "" + automountServiceAccountToken: true api: image: 
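Review bot: In the values.yaml hunk the two new `serviceAccount` keys replace commented keys with bare ones, so the contract that `serviceAccountName` means "use this existing ServiceAccount, otherwise the chart creates `<fullname>-sa`" (what the new helper and the serviceaccount.yaml guard implement) is no longer documented anywhere; add `# Existing ServiceAccount to use; leave empty to let the chart create one named <fullname>-sa` above `serviceAccountName` and `# Mount the ServiceAccount token into the pod; keep true while the api container relies on the chart's Role for Kubernetes access` above `automountServiceAccountToken`. The hardened `securityContext` defaults are a clear improvement, but `readOnlyRootFilesystem: true`, which the old commented template listed, was dropped without a note; if the images need a writable root, a comment saying so would stop the next reviewer from re-adding it, and otherwise it belongs in the default set.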
@@ -49,21 +40,43 @@ api: pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: "" - grafanaKubernetesServiceLabelName: "app.kubernetes.io/name" - grafanaKubernetesServiceLabelValue: "grafana" - grafanaKubernetesServicePortName: "http-web" - prometheusKubernetesServiceLabelName: "app" - prometheusKubernetesServiceLabelValue: "kube-prometheus-stack-prometheus" - prometheusKubernetesServicePortName: "http-web" - lokiKubernetesServiceLabelName: "app" - lokiKubernetesServiceLabelValue: "loki" - lokiKubernetesServicePortName: "http-metrics" - helmScalarRepositoryName: "scalar-labs" - helmScalarRepositoryUrl: "https://scalar-labs.github.io/helm-charts" - helmScalarAdminForKubernetesChartName: "scalar-admin-for-kubernetes" - helmScalarAdminForKubernetesChartVersion: "1.0.0" - pausedStateRetentionStorage: "configmap" - pausedStateRetentionMaxNumber: "100" + + resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + applicationProperties: | + grafana.kubernetesServiceLabelName=${GRAFANA_KUBERNETES_SERVICE_LABEL_NAME:app.kubernetes.io/name} + grafana.kubernetesServiceLabelValue=${GRAFANA_KUBERNETES_SERVICE_LABEL_VALUE:grafana} + grafana.kubernetesServicePortName=${GRAFANA_KUBERNETES_SERVICE_PORT_NAME:http-web} + + prometheus.kubernetesServiceLabelName=${PROMETHEUS_KUBERNETES_SERVICE_LABEL_NAME:app} + prometheus.kubernetesServiceLabelValue=${PROMETHEUS_KUBERNETES_SERVICE_LABEL_VALUE:kube-prometheus-stack-prometheus} + prometheus.kubernetesServicePortName=${PROMETHEUS_KUBERNETES_SERVICE_PORT_NAME:http-web} + + loki.kubernetesServiceLabelName=${LOKI_KUBERNETES_SERVICE_LABEL_NAME:app} + loki.kubernetesServiceLabelValue=${LOKI_KUBERNETES_SERVICE_LABEL_VALUE:loki} + loki.kubernetesServicePortName=${LOKI_KUBERNETES_SERVICE_PORT_NAME:http-metrics} + + helm.scalarRepositoryName=${HELM_SCALAR_REPOSITORY_NAME:scalar-labs} + helm.scalarRepositoryUrl=${HELM_SCALAR_REPOSITORY_URL:https://scalar-labs.github.io/helm-charts} + helm.scalarAdminForKubernetesChartName=${HELM_SCALAR_ADMIN_FOR_KUBERNETES_CHART_NAME:scalar-admin-for-kubernetes} + helm.scalarAdminForKubernetesChartVersion=${HELM_SCALAR_ADMIN_FOR_KUBERNETES_CHART_VERSION:1.0.0} + + configMapNamespace=${CONFIG_MAP_NAMESPACE:default} + configMapName=${CONFIG_MAP_NAME:scalar-manager-metadata} + + paused-state-retention.storage=${PAUSED_STATE_RETENTION_STORAGE:configmap} + paused-state-retention.max-number=${PAUSED_STATE_RETENTION_MAX_NUMBER:100} web: image: 
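Review bot: `applicationProperties` is a twenty-line block scalar with no comment saying what it is or how it reaches the container: deployment.yaml in this change mounts it verbatim as `/app/application.properties`, and every entry uses the `${ENV_VAR:default}` placeholder form, which presumably resolves from the container environment the way the removed `env:` entries did, so a single `env` entry still overrides any value without editing this block. Add `# Rendered verbatim into /app/application.properties in the api container; each ${VAR:default} can still be overridden by a container env var of that name` above the `|` line. The `configMapName=...:scalar-manager-metadata` default should also note that this ConfigMap must already exist, since the chart's configmap.yaml no longer creates it.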
@@ -71,19 +84,18 @@ web: pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: "" + resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi imagePullSecrets: - name: reg-docker-secrets - -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi