feat(console): add more snippets / update securityContext (#6)

conduktor · Aug 30, 2023 · 604d46b · 604d46b
1 parent 0845cfe
commit 604d46b
Show file tree

Hide file tree

Showing 8 changed files with 208 additions and 97 deletions.
diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: console
 appVersion: 1.17.3
-version: 1.0.2
+version: 1.0.3
 description: Helm chart to deploy Conduktor Platform on Kubernetes
 icon: https://www.conduktor.io/svgs/logo/symbol.svg
 home: https://www.conduktor.io

diff --git a/charts/console/README.md b/charts/console/README.md
diff --git a/charts/console/ci/01-basic-values.yaml b/charts/console/ci/01-basic-values.yaml
@@ -20,3 +20,4 @@ platform:
     requests:
       cpu: 1500m
       memory: 4Gi
+test: true
diff --git a/charts/console/ci/02-pod-tls-existingSecret-values.yaml b/charts/console/ci/02-pod-tls-existingSecret-values.yaml
@@ -26,3 +26,4 @@ platform:
     requests:
       cpu: 1500m
       memory: 4Gi
+test: true
diff --git a/charts/console/ci/03-pod-tls-selfsigned-values.yaml b/charts/console/ci/03-pod-tls-selfsigned-values.yaml
@@ -81,3 +81,4 @@ platform:
     requests:
       cpu: 1500m
       memory: 4Gi
+test: true
diff --git a/charts/console/templates/platform/deployment.yaml b/charts/console/templates/platform/deployment.yaml
@@ -65,8 +65,12 @@ spec:
       {{- if .Values.platform.topologySpreadConstraints }}
       topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.platform.topologySpreadConstraints "context" .) | nindent 8 }}
       {{- end }}
-      {{- if .Values.platform.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.platform.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- if .Values.platform.podSecurityContext }}
+      securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.platform.containerSecurityContext "context" $) | nindent 10 }}
+      {{- else }}
+      securityContext:
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
       {{- end }}
       {{- if .Values.platform.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.platform.terminationGracePeriodSeconds }}
@@ -79,8 +83,12 @@ spec:
         - name: conduktor-platform
           image: {{ template "conduktor.image" . }}
           imagePullPolicy: {{ .Values.platform.image.pullPolicy }}
-          {{- if .Values.platform.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.platform.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- if .Values.platform.containerSecurityContext }}
+          securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.platform.containerSecurityContext "context" $) | nindent 12 }}
+          {{- else }}
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           {{- end }}
           {{- if .Values.diagnosticMode.enabled }}
           command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}

diff --git a/charts/console/templates/tests/01-setup-postgresql.yaml b/charts/console/templates/tests/01-setup-postgresql.yaml
@@ -1,7 +1,7 @@
 {{/**
 This is hack so that we install a fresh postgresql (without volume) for each test.
 **/}}
-{{- if regexMatch "^cdkt-test-.*$" .Values.nameOverride }}
+{{- if eq .Values.test true }}
 {{- $postgres_password := "conduktor123" }}
 {{- $postgres_db := "platform" }}
 apiVersion: apps/v1

diff --git a/charts/console/values.yaml b/charts/console/values.yaml
@@ -220,26 +220,22 @@ platform:
       cpu: 2000m
       ## @param platform.resources.requests.memory Memory resource requests
       memory: 4Gi
-  ## Configure Pods Security Context
+  ## @param platform.podSecurityContext Conduktor Platform Pod Security Context
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-  ## @param platform.podSecurityContext.enabled Enabled Conduktor Platform pods' Security Context
-  ## @param platform.podSecurityContext.fsGroup Set Conduktor Platform pod's Security Context fsGroup
+  ## default:
+  ## securityContext:
+  ##   readOnlyRootFilesystem: true
+  ##   runAsNonRoot: true
   ##
-  podSecurityContext:
-    enabled: true
-    fsGroup: 1001
-  ## Configure Container Security Context
+  podSecurityContext: {}
+  ## @param platform.containerSecurityContext Conduktor Platform containers' Security Context
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-  ## @param platform.containerSecurityContext.enabled Enabled Conduktor Platform containers' Security Context
-  ## @param platform.containerSecurityContext.runAsUser Set Conduktor Platform containers' Security Context runAsUser
-  ## @param platform.containerSecurityContext.runAsNonRoot Set Conduktor Platform containers' Security Context runAsNonRoot
-  ## @param platform.containerSecurityContext.readOnlyRootFilesystem Set Conduktor Platform containers' Security Context runAsNonRoot
+  ## default:
+  ## securityContext:
+  ##   readOnlyRootFilesystem: true
+  ##   runAsNonRoot: true
   ##
-  containerSecurityContext:
-    enabled: true
-    runAsUser: 1001
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
+  containerSecurityContext: {}
 
   ## @param platform.existingConfigmap The name of an existing ConfigMap with your custom configuration for Conduktor Platform
   ##
@@ -544,3 +540,6 @@ serviceAccount:
   ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
   ##
   automountServiceAccountToken: true
+
+## @param test Enable additional manifests for testing purposes
+test: false