add security context to container spec

charts/ingest/templates/deployment.yaml

@@ -40,6 +40,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}          
           command: ["/cmd"]
           args: ["ingest", "--interval", "60"]
           ports:

charts/ingest/values.yaml

@@ -2,6 +2,61 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+global:
+  externalDatabase:
+    # -- Enable an external database, This will use postgresql chart, Change values if you use an external database
+    enabled: true
+    # -- Host for the external database
+    host: "postgresql"
+    # -- Password for the external database
+    postgresPassword: &postgresPassword "postgres"
+    # -- Database name for the external database
+    database: &postgresDatabase "convoy"
+    # -- Password for the external database, ignored in case of secret parameter with non-empty value
+    password: &userPassword "postgres"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Username for the external database
+    username: &username "postgres"
+    # -- Scheme for the external database. This is postgres by default
+    scheme: "postgres"
+    # -- Query params for the external database
+    options: "sslmode=disable&connect_timeout=30"
+    # -- Port for the external database
+    port: 5432
+
+  nativeRedis:
+    # -- Enable redis, This will use redis chart, Disable if you use an external redis
+    enabled: &redisEnabled true
+    # -- Host for the redis
+    host: "redis-master"
+    # -- password for the redis, ignored in case of secret parameter with non-empty value
+    password: &redisPassword "convoy"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Port for the redis
+    port: 6379
+
+  externalRedis:
+    # -- Enable external redis, Enable this if you use an external redis and disable Native redis
+    enabled: false
+    # -- redis cluster addresses, if set the other values won't be used
+    addresses: ""
+    # -- Host for the external redis
+    host: ""
+    # -- Scheme for the external redis. This can be redis, rediss, redis-socket or redis-sentinel
+    scheme: ""
+    # -- username for the external redis.
+    username: ""
+    # -- password for the external redis, ignored in case of secret parameter with non-empty value
+    password: ""
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Database name for the external redis.
+    database: ""
+    # -- Port for the external redis
+    port: ""
+
 enabled: true
 app:
   replicaCount: 1
@@ -56,3 +111,16 @@ podDisruptionBudget: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

charts/migrate/templates/job.yaml

@@ -3,6 +3,9 @@ kind: Job
 metadata:
   name: {{ include "convoy-migrate.fullname" . }}
   annotations:
+    {{- if .Values.jobAnnotations }}
+    {{- toYaml .Values.jobAnnotations | nindent 4 }}
+    {{- end }}
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-weight": "0"
     "helm.sh/hook-delete-policy": before-hook-creation
@@ -20,6 +23,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}          
           command: ["/cmd"]
           args: ["migrate", "up"]
           env:

charts/migrate/values.yaml

@@ -1,7 +1,60 @@
 # Default values for convoy-migrate.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+global:
+  externalDatabase:
+    # -- Enable an external database, This will use postgresql chart, Change values if you use an external database
+    enabled: true
+    # -- Host for the external database
+    host: "postgresql"
+    # -- Password for the external database
+    postgresPassword: &postgresPassword "postgres"
+    # -- Database name for the external database
+    database: &postgresDatabase "convoy"
+    # -- Password for the external database, ignored in case of secret parameter with non-empty value
+    password: &userPassword "postgres"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Username for the external database
+    username: &username "postgres"
+    # -- Scheme for the external database. This is postgres by default
+    scheme: "postgres"
+    # -- Query params for the external database
+    options: "sslmode=disable&connect_timeout=30"
+    # -- Port for the external database
+    port: 5432
 
+  nativeRedis:
+    # -- Enable redis, This will use redis chart, Disable if you use an external redis
+    enabled: &redisEnabled true
+    # -- Host for the redis
+    host: "redis-master"
+    # -- password for the redis, ignored in case of secret parameter with non-empty value
+    password: &redisPassword "convoy"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Port for the redis
+    port: 6379
+
+  externalRedis:
+    # -- Enable external redis, Enable this if you use an external redis and disable Native redis
+    enabled: false
+    # -- redis cluster addresses, if set the other values won't be used
+    addresses: ""
+    # -- Host for the external redis
+    host: ""
+    # -- Scheme for the external redis. This can be redis, rediss, redis-socket or redis-sentinel
+    scheme: ""
+    # -- username for the external redis.
+    username: ""
+    # -- password for the external redis, ignored in case of secret parameter with non-empty value
+    password: ""
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Database name for the external redis.
+    database: ""
+    # -- Port for the external redis
+    port: ""
 app:
   replicaCount: 1
   port: 3000
@@ -28,3 +81,19 @@ tolerations: []
 affinity: {}
 
 jobAnnotations: {}
+  # environment: "production"
+  # owner: "devops-team"
+  # purpose: "database-migration"
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

charts/server/templates/deployment.yaml

@@ -40,7 +40,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}
           command: ["/cmd"]
           args: ["server"]
           ports:

charts/server/values.yaml

@@ -2,6 +2,60 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+global:
+  externalDatabase:
+    # -- Enable an external database, This will use postgresql chart, Change values if you use an external database
+    enabled: true
+    # -- Host for the external database
+    host: "postgresql"
+    # -- Password for the external database
+    postgresPassword: &postgresPassword "postgres"
+    # -- Database name for the external database
+    database: &postgresDatabase "convoy"
+    # -- Password for the external database, ignored in case of secret parameter with non-empty value
+    password: &userPassword "postgres"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Username for the external database
+    username: &username "postgres"
+    # -- Scheme for the external database. This is postgres by default
+    scheme: "postgres"
+    # -- Query params for the external database
+    options: "sslmode=disable&connect_timeout=30"
+    # -- Port for the external database
+    port: 5432
+
+  nativeRedis:
+    # -- Enable redis, This will use redis chart, Disable if you use an external redis
+    enabled: &redisEnabled true
+    # -- Host for the redis
+    host: "redis-master"
+    # -- password for the redis, ignored in case of secret parameter with non-empty value
+    password: &redisPassword "convoy"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Port for the redis
+    port: 6379
+
+  externalRedis:
+    # -- Enable external redis, Enable this if you use an external redis and disable Native redis
+    enabled: false
+    # -- redis cluster addresses, if set the other values won't be used
+    addresses: ""
+    # -- Host for the external redis
+    host: ""
+    # -- Scheme for the external redis. This can be redis, rediss, redis-socket or redis-sentinel
+    scheme: ""
+    # -- username for the external redis.
+    username: ""
+    # -- password for the external redis, ignored in case of secret parameter with non-empty value
+    password: ""
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Database name for the external redis.
+    database: ""
+    # -- Port for the external redis
+    port: ""
 app:
   replicaCount: 1
   port: 5005
@@ -90,3 +144,16 @@ podDisruptionBudget: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

charts/stream/templates/deployment.yaml

@@ -41,6 +41,10 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/cmd"]
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}          
           args: ["stream"]
           ports:
             - name: http

charts/stream/values.yaml

@@ -2,6 +2,61 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+global:
+  externalDatabase:
+    # -- Enable an external database, This will use postgresql chart, Change values if you use an external database
+    enabled: true
+    # -- Host for the external database
+    host: "postgresql"
+    # -- Password for the external database
+    postgresPassword: &postgresPassword "postgres"
+    # -- Database name for the external database
+    database: &postgresDatabase "convoy"
+    # -- Password for the external database, ignored in case of secret parameter with non-empty value
+    password: &userPassword "postgres"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Username for the external database
+    username: &username "postgres"
+    # -- Scheme for the external database. This is postgres by default
+    scheme: "postgres"
+    # -- Query params for the external database
+    options: "sslmode=disable&connect_timeout=30"
+    # -- Port for the external database
+    port: 5432
+
+  nativeRedis:
+    # -- Enable redis, This will use redis chart, Disable if you use an external redis
+    enabled: &redisEnabled true
+    # -- Host for the redis
+    host: "redis-master"
+    # -- password for the redis, ignored in case of secret parameter with non-empty value
+    password: &redisPassword "convoy"
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Port for the redis
+    port: 6379
+
+  externalRedis:
+    # -- Enable external redis, Enable this if you use an external redis and disable Native redis
+    enabled: false
+    # -- redis cluster addresses, if set the other values won't be used
+    addresses: ""
+    # -- Host for the external redis
+    host: ""
+    # -- Scheme for the external redis. This can be redis, rediss, redis-socket or redis-sentinel
+    scheme: ""
+    # -- username for the external redis.
+    username: ""
+    # -- password for the external redis, ignored in case of secret parameter with non-empty value
+    password: ""
+    # -- If this secret parameter is not empty, password value will be ignored. The password in the secret should be in the 'password' key
+    secret: ""
+    # -- Database name for the external redis.
+    database: ""
+    # -- Port for the external redis
+    port: ""
+
 enabled: true
 app:
   replicaCount: 1
@@ -57,3 +112,16 @@ ingress:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+# containerSecurityContext holds container level security attributes.
+containerSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL

charts/worker/templates/deployment.yaml

@@ -41,12 +41,15 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/cmd"]
           args: ["worker"]
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.app.port }}
               protocol: TCP
           env:
-
             - name: SERVICE_NAME
               value: {{ .Chart.Name }}
             - name: PORT
@@ -59,8 +62,6 @@ spec:
               value: {{ .Values.env.environment | quote }}
             - name: CONVOY_SIGNUP_ENABLED
               value: {{ .Values.env.sign_up_enabled | quote }}
-
-
             {{- if .Values.global.externalDatabase.enabled }}
             - name: CONVOY_DB_SCHEME
               value: {{ .Values.global.externalDatabase.scheme | quote }}