Merge pull request #27 from foomo/squadron-keel-server-0.1.3
fix(squadron-keel-server): add security context
franklinkim authored Oct 23, 2024
2 parents 4defcb6 + 6fc33d1 commit a48227b
Showing 7 changed files with 237 additions and 72 deletions.
4 changes: 2 additions & 2 deletions charts/squadron-keel-server/Chart.yaml
Expand Up @@ -15,5 +15,5 @@ annotations:
- name: Chart Source
url: https://github.com/foomo/helm-charts
version: 0.1.2
appVersion: 0.1.2
version: 0.1.3
appVersion: 0.1.3
35 changes: 22 additions & 13 deletions charts/squadron-keel-server/README.md
@@ -1,6 +1,6 @@
# squadron-keel-server

![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.2](https://img.shields.io/badge/AppVersion-0.1.2-informational?style=flat-square)
![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.3](https://img.shields.io/badge/AppVersion-0.1.3-informational?style=flat-square)

Squadron Keel Server chart

Expand Down Expand Up @@ -72,21 +72,31 @@ Squadron Keel Server chart
| otel.otlp.endpoint | string | `"alloy:4317"` | Enpoint uri |
| otel.otlp.insecure | bool | `true` | Indicates wether to use insecure connection |
| otel.ratio | int | `1` | Trace ratio |
| persistence | object | `{"accessMode":"ReadWriteOnce","enabled":false,"mountPath":"/var/lib/server/data","size":"1Gi","storageClassName":""}` | Persistence settings |
| persistence | object | `{"accessMode":"ReadWriteOnce","enabled":false,"mountPath":"/var/lib/server/data","size":"1Gi","storageClass":""}` | Persistence settings |
| persistence.accessMode | string | `"ReadWriteOnce"` | Access mode |
| persistence.enabled | bool | `false` | Indicates wether a pv should be attached or not |
| persistence.mountPath | string | `"/var/lib/server/data"` | Storage mount path |
| persistence.size | string | `"1Gi"` | Storage size |
| persistence.storageClassName | string | `""` | Storage class name |
| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":"","minAvailable":""}` | See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ |
| persistence.storageClass | string | `""` | Storage class name |
| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":"","minAvailable":""}` | Pod disruption budget settings |
| podDisruptionBudget.enabled | bool | `false` | Indicates wether the pod disruption budget is enabled |
| ports | object | `{}` | http: 8080 |
| rbac | object | `{"enabled":false}` | RBAC configuration |
| rbac.enabled | bool | `false` | Create PodSecurityPolicy. |
| replicas | int | `1` | Number of replications |
| revisionHistoryLimit | int | `10` | Number of revisions to keep |
| schedule | object | `{"affinity":{},"nodeSelector":{},"priorityClass":null,"tolerations":[]}` | Schedule settings |
| schedule.affinity | object | `{}` | Affinity for pod assignment |
| schedule.nodeSelector | object | `{}` | Node labels for pod assignment |
| schedule.tolerations | list | `[]` | Tolerations for pod assignment |
| secretEnv | object | `{}` | Map of environment variables to add as a secret |
| secretMounts | list | `[]` | |
| server | object | `{"additionalEnv":[],"additionalEnvFrom":[],"additionalLabels":{},"additionalPorts":[],"additionalVolumeMounts":[],"additionalVolumes":[],"annotations":{},"hostAliases":[],"livenessProbe":{"httpGet":{"path":"/healthz/liveness","port":"healthz"}},"podAnnotations":{},"readinessProbe":{"httpGet":{"path":"/healthz/readiness","port":"healthz"}},"replicas":1,"resources":{},"startupProbe":{"httpGet":{"path":"/healthz/startup","port":"healthz"}},"strategy":{}}` | Server settings |
| securityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001}` | Security context |
| securityContext.fsGroup | int | `10001` | File system group id |
| securityContext.runAsGroup | int | `10001` | Run as group id |
| securityContext.runAsNonRoot | bool | `true` | Indicates wether to run as non root user |
| securityContext.runAsUser | int | `10001` | Run as user id |
| server | object | `{"additionalEnv":[],"additionalEnvFrom":[],"additionalLabels":{},"additionalPorts":[],"additionalVolumeMounts":[],"additionalVolumes":[],"annotations":{},"hostAliases":[],"livenessProbe":{"httpGet":{"path":"/healthz/liveness","port":"healthz"}},"podAnnotations":{},"readinessProbe":{"httpGet":{"path":"/healthz/readiness","port":"healthz"}},"resources":{},"startupProbe":{"httpGet":{"path":"/healthz/startup","port":"healthz"}}}` | Server settings |
| server.additionalEnv | list | `[]` | Additional environment variables |
| server.additionalEnvFrom | list | `[]` | Additional env from |
| server.additionalLabels | object | `{}` | Additional labels |
Expand All @@ -95,13 +105,11 @@ Squadron Keel Server chart
| server.additionalVolumes | list | `[]` | Additional volumes |
| server.annotations | object | `{}` | Deployment annotations |
| server.hostAliases | list | `[]` | Host aliases |
| server.livenessProbe | object | `{"httpGet":{"path":"/healthz/liveness","port":"healthz"}}` | See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes |
| server.livenessProbe | object | `{"httpGet":{"path":"/healthz/liveness","port":"healthz"}}` | Liveness probe settings |
| server.podAnnotations | object | `{}` | Pod annotations |
| server.readinessProbe | object | `{"httpGet":{"path":"/healthz/readiness","port":"healthz"}}` | See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes |
| server.replicas | int | `1` | Number of replications |
| server.readinessProbe | object | `{"httpGet":{"path":"/healthz/readiness","port":"healthz"}}` | Readiness probe settings |
| server.resources | object | `{}` | See: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ |
| server.startupProbe | object | `{"httpGet":{"path":"/healthz/startup","port":"healthz"}}` | See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes |
| server.strategy | object | `{}` | Deployment strategy settings |
| server.startupProbe | object | `{"httpGet":{"path":"/healthz/startup","port":"healthz"}}` | Startup probe settings |
| service | object | `{"additionalLabels":{},"annotations":{},"type":"ClusterIP"}` | Service settings |
| service.additionalLabels | object | `{}` | Additional Service labels |
| service.annotations | object | `{}` | Service annotations |
Expand All @@ -115,9 +123,10 @@ Squadron Keel Server chart
| serviceMonitor.annotations | object | `{}` | ServiceMonitor annotations |
| serviceMonitor.enabled | bool | `false` | If enabled, ServiceMonitor resources for Prometheus Operator are created |
| serviceMonitor.interval | string | `""` | ServiceMonitor scrape interval |
| serviceMonitor.metricRelabelings | list | `[]` | See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint |
| serviceMonitor.relabelings | list | `[]` | See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig |
| serviceMonitor.metricRelabelings | list | `[]` | ServiceMonitor metric relabel configs to apply to samples before ingestion |
| serviceMonitor.relabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples before scraping. |
| serviceMonitor.scrapeTimeout | string | `""` | ServiceMonitor scrape timeout in Go duration format (e.g. 15s) |
| serviceMonitor.targetLabels | list | `[]` | See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec |
| serviceMonitor.targetLabels | list | `[]` | ServiceMonitor will add labels from the service to the Prometheus metric |
| squadron | string | `""` | Squadron name |
| unit | string | `""` | Squadron unit name |
| updateStrategy | string | `"RollingUpdate"` | Deployment update strategy |
31 changes: 25 additions & 6 deletions charts/squadron-keel-server/templates/deployment.yaml
Expand Up @@ -13,12 +13,11 @@ metadata:
namespace: {{ include "keel.server.namespace" . }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.server.replicas }}
replicas: {{ .Values.replicas }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- with .Values.server.strategy }}
strategy: {{- toYaml . | nindent 4 }}
{{- end }}
strategy:
type: {{ .Values.updateStrategy }}
selector:
matchLabels: {{- include "keel.server.selectorLabels" . | nindent 6 }}
template:
Expand All @@ -33,12 +32,17 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ include "keel.server.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- if .Values.graceful.enabled }}
terminationGracePeriodSeconds: {{ .Values.graceful.periodSeconds }}
{{- end }}
{{- with .Values.image.pullSecrets }}
imagePullSecrets: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.hostAliases }}
hostAliases: {{- toYaml . | nindent 8 }}
{{- end }}
Expand All @@ -57,7 +61,7 @@ spec:
containerPort: 9300
- name: healthz
containerPort: 9400
- name: prometheus
- name: prom-metrics
containerPort: 9200
{{- range $key, $value := .Values.ports }}
- name: {{ $key }}
Expand Down Expand Up @@ -97,7 +101,7 @@ spec:
{{- range .Values.secretMounts }}
- name: {{ . }}
readOnly: true
mountPath: /etc/secrets/{{ . }}
mountPath: /run/secrets/{{ . }}
{{- end }}
{{- with .Values.server.resources }}
resources: {{- toYaml . | nindent 12 }}
Expand All @@ -117,6 +121,21 @@ spec:
exec:
command: [ 'sh', '-c', 'sleep {{ .Values.graceful.delaySeconds }}' ]
{{- end }}
{{- with .Values.schedule.priorityClass }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.schedule.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.schedule.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.schedule.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.persistence.enabled }}
- name: {{ include "keel.server.fullname" . }}-data
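Review bot: The new pod-level `securityContext` rendered from `.Values.securityContext` sets the user/group ids and `runAsNonRoot`, but the container spec in the third hunk (ports, volumeMounts, `resources`) still has no container-level `securityContext`, so `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` stay at their permissive defaults and the pod would not satisfy the Pod Security Standards `restricted` profile. A block next to `resources` would close that gap: `{{- with .Values.server.securityContext }}` / `securityContext: {{- toYaml . | nindent 12 }}` / `{{- end }}`, with a new `server.securityContext` default in values.yaml (outside this diff) carrying `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, plus `readOnlyRootFilesystem: true` if the server writes only to its mounted volumes. The pod-level defaults the README lists (fsGroup, runAsGroup, runAsNonRoot, runAsUser) also lack a `seccompProfile`; adding `seccompProfile: {type: RuntimeDefault}` there covers it for every container. Separately, `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` renders as a null value if `serviceAccount.automount` has no default in values.yaml, which Kubernetes treats as true — worth confirming, since that value is not visible in this diff. The container definition itself starts outside the hunk.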
Expand Up @@ -7,7 +7,7 @@ metadata:
namespace: {{ include "keel.server.namespace" . }}
spec:
accessModes: [{{ .Values.persistence.accessMode }}]
{{- with .Values.persistence.storageClassName }}
{{- with .Values.persistence.storageClass }}
storageClassName: {{ . }}
{{- end }}
resources:
Expand All @@ -28,7 +28,7 @@ spec:
volumeName: {{ $value.name }}
{{- end }}
accessModes: [ {{ default $value.accessMode "ReadWriteOnce" }} ]
{{- with $value.storageClassName }}
{{- with $value.storageClass }}
storageClassName: {{ . }}
{{- end }}
{{- with $value.size }}
3 changes: 3 additions & 0 deletions charts/squadron-keel-server/templates/service.yaml
Expand Up @@ -15,6 +15,9 @@ spec:
type: {{ .Values.service.type }}
selector: {{- include "keel.server.selectorLabels" . | nindent 4 }}
ports:
- name: server-prom-metrics
port: 9200
targetPort: 9200
{{- range $key, $value := .Values.ports }}
- name: {{ $key }}
port: {{ $value }}
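Review bot: The new `server-prom-metrics` entry pins `targetPort: 9200` numerically while the same commit renames the matching container port to `prom-metrics` in deployment.yaml; referencing it by name, `targetPort: prom-metrics`, keeps the Service and the container in step if the port number changes later. The metrics port is also exposed on the Service unconditionally, even with `serviceMonitor.enabled: false` (the README default), so wrapping the three lines in `{{- if .Values.serviceMonitor.enabled }}` … `{{- end }}` would limit the exposed surface to deployments that actually scrape it — unless another consumer relies on it, which this diff does not show. The ServiceMonitor template is not part of this diff; confirm it references the port by this new name.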