From 578828fbcb592ed1e10993c911fe083884684707 Mon Sep 17 00:00:00 2001
From: Keyvan
Date: Fri, 14 Feb 2025 17:25:08 +0100
Subject: [PATCH] feat: enable securityContext for upload connector frontend
---
 charts/radar-upload-connect-frontend/Chart.yaml | 2 +-
 charts/radar-upload-connect-frontend/README.md | 6 +++---
 .../templates/deployment.yaml | 13 ++++++++++---
 charts/radar-upload-connect-frontend/values.yaml | 14 +++++++++-----
 4 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/charts/radar-upload-connect-frontend/Chart.yaml b/charts/radar-upload-connect-frontend/Chart.yaml
index 6b2df82b..924c5566 100644
--- a/charts/radar-upload-connect-frontend/Chart.yaml
+++ b/charts/radar-upload-connect-frontend/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "0.5.14"
 description: A Helm chart for RADAR-base upload connector frontend application that provides a UI for uploading files and sending them to the upload-backend.
 name: radar-upload-connect-frontend
-version: 0.6.1
+version: 0.6.2
 icon: "http://radar-base.org/wp-content/uploads/2022/09/Logo_RADAR-Base-RGB.png"
 sources:
 - https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/radar-upload-connect-frontend
diff --git a/charts/radar-upload-connect-frontend/README.md b/charts/radar-upload-connect-frontend/README.md
index 4289c18d..72f593d6 100644
--- a/charts/radar-upload-connect-frontend/README.md
+++ b/charts/radar-upload-connect-frontend/README.md
@@ -3,7 +3,7 @@ # radar-upload-connect-frontend [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/radar-upload-connect-frontend)](https://artifacthub.io/packages/helm/radar-base/radar-upload-connect-frontend) -![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.14](https://img.shields.io/badge/AppVersion-0.5.14-informational?style=flat-square) +![Version: 0.6.2](https://img.shields.io/badge/Version-0.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.14](https://img.shields.io/badge/AppVersion-0.5.14-informational?style=flat-square) A Helm chart for RADAR-base upload connector frontend application that provides a UI for uploading files and sending them to the upload-backend. 
@@ -47,9 +47,9 @@ A Helm chart for RADAR-base upload connector frontend application that provides
 | nameOverride | string | `""` | String to partially override radar-upload-connect-frontend.fullname template with a string (will prepend the release name) |
 | fullnameOverride | string | `""` | String to fully override radar-upload-connect-frontend.fullname template with a string |
 | podSecurityContext | object | `{}` | Configure radar-upload-connect-frontend pods' Security Context |
-| securityContext | object | `{}` | Configure radar-upload-connect-frontend containers' Security Context |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | Configure radar-upload-connect-frontend containers' Security Context |
 | service.type | string | `"ClusterIP"` | Kubernetes Service type |
-| service.port | int | `80` | radar-upload-connect-frontend port |
+| service.port | int | `8080` | radar-upload-connect-frontend port |
 | disable_tls | bool | `false` | Reconfigure Ingress to not force TLS |
 | advertised_protocol | string | `"https"` | The protocol in advertised URIs (https, http) |
 | ingress.enabled | bool | `true` | Enable ingress controller resource |
diff --git a/charts/radar-upload-connect-frontend/templates/deployment.yaml b/charts/radar-upload-connect-frontend/templates/deployment.yaml
index 14eed7c3..421186db 100644
--- a/charts/radar-upload-connect-frontend/templates/deployment.yaml
+++ b/charts/radar-upload-connect-frontend/templates/deployment.yaml
@@ -60,14 +60,14 @@ spec: {{- end }} ports: - name: http - containerPort: 80 + containerPort: 8080 protocol: TCP {{- if .Values.customLivenessProbe }} livenessProbe: {{- .Values.customLivenessProbe | toYaml | nindent 12 }} {{- else if .Values.livenessProbe.enabled }} livenessProbe: tcpSocket: - port: 80 + port: 8080 initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} @@ -79,7 +79,7 @@ spec: {{- else if .Values.readinessProbe.enabled }} readinessProbe: tcpSocket: - port: 80 + port: 8080 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} @@ -88,6 +88,9 @@ spec: {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /tmp + name: temp {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -100,3 +103,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + - name: temp + emptyDir: + sizeLimit: 500Mi diff --git a/charts/radar-upload-connect-frontend/values.yaml b/charts/radar-upload-connect-frontend/values.yaml index c2f86928..70e9dacc 100644 --- a/charts/radar-upload-connect-frontend/values.yaml +++ b/charts/radar-upload-connect-frontend/values.yaml 
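Review bot: The new port 8080 is written three times in this template, in `containerPort: 8080` and in both `tcpSocket` probes (the readiness probe in the next hunk as well), so a later port change can leave a probe pointing at a closed port. The probes can reference the named port instead, `port: http`, which leaves `containerPort` as the only literal. The chart's `appVersion` stays at 0.5.14 in this commit, so it is worth confirming that this image already listens on 8080 when run as UID 1000; if it still binds port 80, the non-root container cannot bind it and both probes will fail. The container spec starts and ends outside these hunks.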
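Review bot: With `readOnlyRootFilesystem: true` now the chart default, the `/tmp` emptyDir added in the `volumeMounts` hunk (and its `volumes:` entry in the last hunk) is the only writable path the container gets, and it is mounted unconditionally with a fixed `sizeLimit: 500Mi`. If the frontend image writes anywhere else at startup (a pid file, a cache directory, generated config), it will fail under the new default; that cannot be seen from these hunks and should be checked against the image. The kubelet evicts a pod whose emptyDir usage exceeds its size limit, so the limit deserves a comment such as `# only writable path under readOnlyRootFilesystem; pod is evicted above sizeLimit`, or a values key if operators need to tune it.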
@@ -35,19 +35,23 @@ podSecurityContext: {} # fsGroup: 2000 # -- Configure radar-upload-connect-frontend containers' Security Context -securityContext: {} +securityContext: # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + runAsUser: 1000 + runAsGroup: 1000 service: # -- Kubernetes Service type type: ClusterIP # -- radar-upload-connect-frontend port - port: 80 + port: 8080 # -- Reconfigure Ingress to not force TLS disable_tls: false
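Review bot: `capabilities.drop: [ALL]` is left commented out at the top of the `securityContext` block while every other hardening field is switched on, so the container still starts with the runtime's default capability set. Dropping all capabilities is the remaining container-level field the Pod Security Standards `restricted` profile requires, and with the port moved to 8080 nothing visible here needs `NET_BIND_SERVICE`. Uncomment the three lines so the default reads `capabilities:` / `drop:` / `- ALL`. Because the default is now a non-empty map, a user value that sets only some keys is merged with these defaults by Helm; a one-line comment saying that a key is removed by setting it to `null` would help operators whose image needs a different UID.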