diff --git a/charts/ingest/templates/deployment.yaml b/charts/ingest/templates/deployment.yaml index 7137ce1..834841a 100755 --- a/charts/ingest/templates/deployment.yaml +++ b/charts/ingest/templates/deployment.yaml @@ -40,6 +40,10 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.containerSecurityContext }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} command: ["/cmd"] args: ["ingest", "--interval", "60"] ports: diff --git a/charts/ingest/values.yaml b/charts/ingest/values.yaml index f1c7f73..2fa9630 100755 --- a/charts/ingest/values.yaml +++ b/charts/ingest/values.yaml 
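Review bot: The new `securityContext` block makes `readOnlyRootFilesystem: true` the chart default through `containerSecurityContext` in values.yaml, but none of the deployment hunks add a writable `emptyDir` for paths the binary may write to, so a process that writes to `/tmp` or a cache directory would fail at runtime; whether `/cmd ingest` does so is not visible here, so verify with `helm template` and a test rollout before shipping this default. The `{{- if .Values.containerSecurityContext }}` guard also means an operator who sets `containerSecurityContext: {}` silently drops every hardening field, so a comment beside the default such as `# Setting this to {} removes the whole block; prefer overriding individual keys` would make that explicit. `nindent 12` assumes the container's sibling fields sit at column 10, which the collapsed hunk cannot confirm. The same block is wired in charts/migrate/templates/job.yaml, charts/server, charts/stream and charts/worker; in charts/stream it is inserted between `command:` and `args:`, splitting the pair the other charts keep adjacent.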
@@ -2,6 +2,61 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + externalDatabase: + # -- Enable an external database, This will use postgresql chart, Change values if you use an external database + enabled: true + # -- Host for the external database + host: "postgresql" + # -- Password for the external database + postgresPassword: &postgresPassword "postgres" + # -- Database name for the external database + database: &postgresDatabase "convoy" + # -- Password for the external database, ignored in case of secret parameter with non-empty value + password: &userPassword "postgres" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Username for the external database + username: &username "postgres" + # -- Scheme for the external database. This is postgres by default + scheme: "postgres" + # -- Query params for the external database + options: "sslmode=disable&connect_timeout=30" + # -- Port for the external database + port: 5432 + + nativeRedis: + # -- Enable redis, This will use redis chart, Disable if you use an external redis + enabled: &redisEnabled true + # -- Host for the redis + host: "redis-master" + # -- password for the redis, ignored in case of secret parameter with non-empty value + password: &redisPassword "convoy" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Port for the redis + port: 6379 + + externalRedis: + # -- Enable external redis, Enable this if you use an external redis and disable Native redis + enabled: false + # -- redis cluster addresses, if set the other values won't be used + addresses: "" + # -- Host for the external redis + host: "" + # -- Scheme for the external redis. 
This can be redis, rediss, redis-socket or redis-sentinel + scheme: "" + # -- username for the external redis. + username: "" + # -- password for the external redis, ignored in case of secret parameter with non-empty value + password: "" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Database name for the external redis. + database: "" + # -- Port for the external redis + port: "" + enabled: true app: replicaCount: 1 @@ -56,3 +111,16 @@ podDisruptionBudget: {} nodeSelector: {} tolerations: [] affinity: {} + +# containerSecurityContext holds container level security attributes. +containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL diff --git a/charts/migrate/templates/job.yaml b/charts/migrate/templates/job.yaml index 4879b42..dd83bff 100755 --- a/charts/migrate/templates/job.yaml +++ b/charts/migrate/templates/job.yaml @@ -3,6 +3,9 @@ kind: Job metadata: name: {{ include "convoy-migrate.fullname" . }} annotations: + {{- if .Values.jobAnnotations }} + {{- toYaml .Values.jobAnnotations | nindent 4 }} + {{- end }} "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "0" "helm.sh/hook-delete-policy": before-hook-creation @@ -20,6 +23,10 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.containerSecurityContext }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} command: ["/cmd"] args: ["migrate", "up"] env: diff --git a/charts/migrate/values.yaml b/charts/migrate/values.yaml index 6fc486a..bea6ecc 100755 --- a/charts/migrate/values.yaml +++ b/charts/migrate/values.yaml 
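Review bot: The new `global.externalDatabase` block ships real credentials as chart defaults, `postgresPassword: "postgres"`, `password: "postgres"` and `nativeRedis.password: "convoy"`, together with `options: "sslmode=disable&connect_timeout=30"`, so a release installed without overrides runs against a database with a well-known password over an unencrypted connection, and the same defaults are committed in the charts/migrate, charts/server, charts/stream and charts/worker values.yaml hunks. Since the `secret` path already exists (`# -- If this secret parameter is not empty, password value will be ignored`), the comment on `password` should say the literal is a development placeholder, e.g. `# -- Password for the external database; the default is a local-development placeholder, set global.externalDatabase.secret for any shared environment`, and the `options` comment deserves a matching `# -- Query params for the external database; sslmode=disable is for local use only, prefer sslmode=require or verify-full`. The anchors `&postgresPassword`, `&postgresDatabase`, `&userPassword`, `&username`, `&redisEnabled` and `&redisPassword` have no `*` alias anywhere in this hunk; if nothing else in the file dereferences them they are dead weight, and five identical copies of the block will drift unless they are generated from one source. The ingest and stream hunks also add a bare `enabled: true` after `externalRedis.port`, whose nesting level the collapsed hunk does not show and which the migrate, server and worker copies lack.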
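Review bot: User-supplied `jobAnnotations` are rendered ahead of the hard-coded `"helm.sh/hook"`, `"helm.sh/hook-weight"` and `"helm.sh/hook-delete-policy"` keys in the same `annotations:` mapping, so a value that sets any of those keys yields a duplicate key in the rendered manifest rather than an override, and which one applies depends on the YAML loader that reads it. The least invasive fix is to document the restriction next to the new default in charts/migrate/values.yaml, `# -- Extra annotations for the migration Job; helm.sh/hook* keys are reserved by the template`, or to move the `toYaml` block after the fixed keys so that under last-wins parsing the operator's value is at least the one that takes effect. `nindent 4` assumes `annotations:` sits at column 2 under `metadata:`, which the collapsed hunk cannot confirm.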
@@ -1,7 +1,60 @@ # Default values for convoy-migrate. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + externalDatabase: + # -- Enable an external database, This will use postgresql chart, Change values if you use an external database + enabled: true + # -- Host for the external database + host: "postgresql" + # -- Password for the external database + postgresPassword: &postgresPassword "postgres" + # -- Database name for the external database + database: &postgresDatabase "convoy" + # -- Password for the external database, ignored in case of secret parameter with non-empty value + password: &userPassword "postgres" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Username for the external database + username: &username "postgres" + # -- Scheme for the external database. This is postgres by default + scheme: "postgres" + # -- Query params for the external database + options: "sslmode=disable&connect_timeout=30" + # -- Port for the external database + port: 5432 + nativeRedis: + # -- Enable redis, This will use redis chart, Disable if you use an external redis + enabled: &redisEnabled true + # -- Host for the redis + host: "redis-master" + # -- password for the redis, ignored in case of secret parameter with non-empty value + password: &redisPassword "convoy" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Port for the redis + port: 6379 + + externalRedis: + # -- Enable external redis, Enable this if you use an external redis and disable Native redis + enabled: false + # -- redis cluster addresses, if set the other values won't be used + addresses: "" + # -- Host for the external redis + host: "" + # -- Scheme for the external redis. 
This can be redis, rediss, redis-socket or redis-sentinel + scheme: "" + # -- username for the external redis. + username: "" + # -- password for the external redis, ignored in case of secret parameter with non-empty value + password: "" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Database name for the external redis. + database: "" + # -- Port for the external redis + port: "" app: replicaCount: 1 port: 3000 @@ -28,3 +81,19 @@ tolerations: [] affinity: {} jobAnnotations: {} + # environment: "production" + # owner: "devops-team" + # purpose: "database-migration" + +# containerSecurityContext holds container level security attributes. +containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL diff --git a/charts/server/templates/deployment.yaml b/charts/server/templates/deployment.yaml index 714732c..aacd0c2 100755 --- a/charts/server/templates/deployment.yaml +++ b/charts/server/templates/deployment.yaml @@ -40,7 +40,10 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - + {{- if .Values.containerSecurityContext }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} command: ["/cmd"] args: ["server"] ports: diff --git a/charts/server/values.yaml b/charts/server/values.yaml index dfe45f4..e94dd0d 100755 --- a/charts/server/values.yaml +++ b/charts/server/values.yaml 
@@ -2,6 +2,60 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + externalDatabase: + # -- Enable an external database, This will use postgresql chart, Change values if you use an external database + enabled: true + # -- Host for the external database + host: "postgresql" + # -- Password for the external database + postgresPassword: &postgresPassword "postgres" + # -- Database name for the external database + database: &postgresDatabase "convoy" + # -- Password for the external database, ignored in case of secret parameter with non-empty value + password: &userPassword "postgres" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Username for the external database + username: &username "postgres" + # -- Scheme for the external database. This is postgres by default + scheme: "postgres" + # -- Query params for the external database + options: "sslmode=disable&connect_timeout=30" + # -- Port for the external database + port: 5432 + + nativeRedis: + # -- Enable redis, This will use redis chart, Disable if you use an external redis + enabled: &redisEnabled true + # -- Host for the redis + host: "redis-master" + # -- password for the redis, ignored in case of secret parameter with non-empty value + password: &redisPassword "convoy" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Port for the redis + port: 6379 + + externalRedis: + # -- Enable external redis, Enable this if you use an external redis and disable Native redis + enabled: false + # -- redis cluster addresses, if set the other values won't be used + addresses: "" + # -- Host for the external redis + host: "" + # -- Scheme for the external redis. 
This can be redis, rediss, redis-socket or redis-sentinel + scheme: "" + # -- username for the external redis. + username: "" + # -- password for the external redis, ignored in case of secret parameter with non-empty value + password: "" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Database name for the external redis. + database: "" + # -- Port for the external redis + port: "" app: replicaCount: 1 port: 5005 @@ -90,3 +144,16 @@ podDisruptionBudget: {} nodeSelector: {} tolerations: [] affinity: {} + +# containerSecurityContext holds container level security attributes. +containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL diff --git a/charts/stream/templates/deployment.yaml b/charts/stream/templates/deployment.yaml index ee78c7c..d4f6227 100755 --- a/charts/stream/templates/deployment.yaml +++ b/charts/stream/templates/deployment.yaml @@ -41,6 +41,10 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/cmd"] + {{- if .Values.containerSecurityContext }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} args: ["stream"] ports: - name: http diff --git a/charts/stream/values.yaml b/charts/stream/values.yaml index 5ef3fb4..bf48b5d 100755 --- a/charts/stream/values.yaml +++ b/charts/stream/values.yaml 
@@ -2,6 +2,61 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + externalDatabase: + # -- Enable an external database, This will use postgresql chart, Change values if you use an external database + enabled: true + # -- Host for the external database + host: "postgresql" + # -- Password for the external database + postgresPassword: &postgresPassword "postgres" + # -- Database name for the external database + database: &postgresDatabase "convoy" + # -- Password for the external database, ignored in case of secret parameter with non-empty value + password: &userPassword "postgres" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Username for the external database + username: &username "postgres" + # -- Scheme for the external database. This is postgres by default + scheme: "postgres" + # -- Query params for the external database + options: "sslmode=disable&connect_timeout=30" + # -- Port for the external database + port: 5432 + + nativeRedis: + # -- Enable redis, This will use redis chart, Disable if you use an external redis + enabled: &redisEnabled true + # -- Host for the redis + host: "redis-master" + # -- password for the redis, ignored in case of secret parameter with non-empty value + password: &redisPassword "convoy" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Port for the redis + port: 6379 + + externalRedis: + # -- Enable external redis, Enable this if you use an external redis and disable Native redis + enabled: false + # -- redis cluster addresses, if set the other values won't be used + addresses: "" + # -- Host for the external redis + host: "" + # -- Scheme for the external redis. 
This can be redis, rediss, redis-socket or redis-sentinel + scheme: "" + # -- username for the external redis. + username: "" + # -- password for the external redis, ignored in case of secret parameter with non-empty value + password: "" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Database name for the external redis. + database: "" + # -- Port for the external redis + port: "" + enabled: true app: replicaCount: 1 @@ -57,3 +112,16 @@ ingress: nodeSelector: {} tolerations: [] affinity: {} + +# containerSecurityContext holds container level security attributes. +containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL diff --git a/charts/worker/templates/deployment.yaml b/charts/worker/templates/deployment.yaml index ec2c7d9..7496f6e 100755 --- a/charts/worker/templates/deployment.yaml +++ b/charts/worker/templates/deployment.yaml @@ -41,12 +41,15 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/cmd"] args: ["worker"] + {{- if .Values.containerSecurityContext }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- end }} ports: - name: http containerPort: {{ .Values.app.port }} protocol: TCP env: - - name: SERVICE_NAME value: {{ .Chart.Name }} - name: PORT @@ -59,8 +62,6 @@ spec: value: {{ .Values.env.environment | quote }} - name: CONVOY_SIGNUP_ENABLED value: {{ .Values.env.sign_up_enabled | quote }} - - {{- if .Values.global.externalDatabase.enabled }} - name: CONVOY_DB_SCHEME value: {{ .Values.global.externalDatabase.scheme | quote }} diff --git a/charts/worker/values.yaml b/charts/worker/values.yaml index 778f4a8..7acd1bf 100755 --- a/charts/worker/values.yaml +++ b/charts/worker/values.yaml 
@@ -2,6 +2,61 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + externalDatabase: + # -- Enable an external database, This will use postgresql chart, Change values if you use an external database + enabled: true + # -- Host for the external database + host: "postgresql" + # -- Password for the external database + postgresPassword: &postgresPassword "postgres" + # -- Database name for the external database + database: &postgresDatabase "convoy" + # -- Password for the external database, ignored in case of secret parameter with non-empty value + password: &userPassword "postgres" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Username for the external database + username: &username "postgres" + # -- Scheme for the external database. This is postgres by default + scheme: "postgres" + # -- Query params for the external database + options: "sslmode=disable&connect_timeout=30" + # -- Port for the external database + port: 5432 + + nativeRedis: + # -- Enable redis, This will use redis chart, Disable if you use an external redis + enabled: &redisEnabled true + # -- Host for the redis + host: "redis-master" + # -- password for the redis, ignored in case of secret parameter with non-empty value + password: &redisPassword "convoy" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Port for the redis + port: 6379 + + externalRedis: + # -- Enable external redis, Enable this if you use an external redis and disable Native redis + enabled: false + # -- redis cluster addresses, if set the other values won't be used + addresses: "" + # -- Host for the external redis + host: "" + # -- Scheme for the external redis. 
This can be redis, rediss, redis-socket or redis-sentinel + scheme: "" + # -- username for the external redis. + username: "" + # -- password for the external redis, ignored in case of secret parameter with non-empty value + password: "" + # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key + secret: "" + # -- Database name for the external redis. + database: "" + # -- Port for the external redis + port: "" + app: replicaCount: 1 port: 5006 @@ -76,3 +131,16 @@ podDisruptionBudget: {} nodeSelector: {} tolerations: [] affinity: {} + +# containerSecurityContext holds container level security attributes. +containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL