add security context to container spec

olamilekan000 · olamilekan000 · commit 1adab157881f · 2024-05-05T01:33:23.000+01:00
diff --git a/charts/ingest/templates/deployment.yaml b/charts/ingest/templates/deployment.yaml
@@ -40,6 +40,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}          
           command: ["/cmd"]
           args: ["ingest", "--interval", "60"]
           ports:
diff --git a/charts/ingest/values.yaml b/charts/ingest/values.yaml
@@ -1,6 +1,15 @@
 # Default values for convoy ingest.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+global:
+  externalDatabase:
+    enabled: false
+
+  nativeRedis:
+    enabled: false
+
+  externalRedis:
+    enabled: false
 
 enabled: true
 app:
@@ -57,3 +66,16 @@ podDisruptionBudget: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
diff --git a/charts/migrate/templates/job.yaml b/charts/migrate/templates/job.yaml
@@ -3,7 +3,10 @@ kind: Job
 metadata:
   name: {{ include "convoy-migrate.fullname" . }}
   annotations:
-    {{- toYaml .Values.jobAnnotations | nindent 4 }}
+    {{- if .Values.jobAnnotations }}
+    annotations:
+      {{- toYaml .Values.jobAnnotations | nindent 4 }}
+    {{- end }}
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-weight": "0"
     "helm.sh/hook-delete-policy": before-hook-creation
@@ -21,6 +24,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}          
           command: ["/cmd"]
           args: ["migrate", "up"]
           env:
diff --git a/charts/migrate/values.yaml b/charts/migrate/values.yaml
@@ -1,6 +1,15 @@
 # Default values for convoy-migrate.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+global:
+  externalDatabase:
+    enabled: false
+
+  nativeRedis:
+    enabled: false
+
+  externalRedis:
+    enabled: false
 
 app:
   replicaCount: 1
@@ -29,3 +38,16 @@ tolerations: []
 affinity: {}
 
 jobAnnotations: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
diff --git a/charts/server/templates/deployment.yaml b/charts/server/templates/deployment.yaml
@@ -40,7 +40,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}
           command: ["/cmd"]
           args: ["server"]
           ports:
diff --git a/charts/server/values.yaml b/charts/server/values.yaml
@@ -2,6 +2,16 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+global:
+  externalDatabase:
+    enabled: false
+
+  nativeRedis:
+    enabled: false
+
+  externalRedis:
+    enabled: false
+
 app:
   replicaCount: 1
   port: 5005
@@ -90,3 +100,16 @@ podDisruptionBudget: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
diff --git a/charts/stream/templates/deployment.yaml b/charts/stream/templates/deployment.yaml
@@ -41,6 +41,10 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/cmd"]
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}          
           args: ["stream"]
           ports:
             - name: http
diff --git a/charts/stream/values.yaml b/charts/stream/values.yaml
@@ -2,6 +2,16 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+global:
+  externalDatabase:
+    enabled: false
+
+  nativeRedis:
+    enabled: false
+
+  externalRedis:
+    enabled: false
+
 enabled: true
 app:
   replicaCount: 1
@@ -58,3 +68,16 @@ ingress:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
diff --git a/charts/worker/templates/deployment.yaml b/charts/worker/templates/deployment.yaml
@@ -41,12 +41,15 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/cmd"]
           args: ["worker"]
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.app.port }}
               protocol: TCP
           env:
-
             - name: SERVICE_NAME
               value: {{ .Chart.Name }}
             - name: PORT
@@ -59,8 +62,6 @@ spec:
               value: {{ .Values.env.environment | quote }}
             - name: CONVOY_SIGNUP_ENABLED
               value: {{ .Values.env.sign_up_enabled | quote }}
-
-
             {{- if .Values.global.externalDatabase.enabled }}
             - name: CONVOY_DB_SCHEME
               value: {{ .Values.global.externalDatabase.scheme | quote }}
diff --git a/charts/worker/values.yaml b/charts/worker/values.yaml
@@ -2,6 +2,16 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+global:
+  externalDatabase:
+    enabled: false
+
+  nativeRedis:
+    enabled: false
+
+  externalRedis:
+    enabled: false        
+
 app:
   replicaCount: 1
   port: 5006
@@ -77,3 +87,16 @@ podDisruptionBudget: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
