[COMMON][TIMESCALEDB] TemporalDB and securityContext settings 44/138744/3
authorAndreas Geissler <andreas-geissler@telekom.de>
Wed, 14 Aug 2024 11:13:41 +0000 (13:13 +0200)
committerAndreas Geissler <andreas-geissler@telekom.de>
Thu, 15 Aug 2024 08:29:58 +0000 (10:29 +0200)
- make pod/containerSecurityContext settings more configurable
  in _pod.tpl
- fix MariaDB statefulset
- Fix temporal statefulset to comply with security rules
- Set timescaleDB via RepositoryGenerator

Issue-ID: OOM-3310

Change-Id: I870f1e835020c2b30225741e700d1a6abfba8ad3
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
kubernetes/common/common/Chart.yaml
kubernetes/common/common/templates/_pod.tpl
kubernetes/common/mariadb-galera/Chart.yaml
kubernetes/common/mariadb-galera/templates/statefulset.yaml
kubernetes/common/mariadb-galera/values.yaml
kubernetes/common/timescaledb/Chart.yaml
kubernetes/common/timescaledb/templates/statefulset.yaml
kubernetes/common/timescaledb/values.yaml
kubernetes/onap/values.yaml

index 986b96f..c8609d6 100644 (file)
@@ -17,4 +17,4 @@
 apiVersion: v2
 description: Common templates for inclusion in other charts
 name: common
-version: 13.2.4
+version: 13.2.5
index 0a1d0ab..743e3db 100644 (file)
 
 {{/*
    Generate securityContext for pod
+   required variables: user_id, group_id
+   optional variables: fsgroup_id, runAsNonRoot, seccompProfileType
+   Example in values.yaml
+   securityContext:
+     user_id: 70
+     group_id: 70
+     # fsgroup_id: 70
+     # runAsNonRoot: true
+     # seccompProfileType: "RuntimeDefault"
 */}}
 {{- define "common.podSecurityContext" -}}
 securityContext:
   runAsUser: {{ .Values.securityContext.user_id }}
   runAsGroup: {{ .Values.securityContext.group_id }}
-  fsGroup: {{ .Values.securityContext.group_id }}
-  runAsNonRoot: true
+  fsGroup: {{ default .Values.securityContext.group_id .Values.securityContext.fsgroup_id }}
+  runAsNonRoot: {{ hasKey .Values.securityContext "runAsNonRoot" | ternary .Values.securityContext.runAsNonRoot true }}
   seccompProfile:
-    type: RuntimeDefault
+    type: {{ default "RuntimeDefault" .Values.securityContext.seccompProfileType }}
 {{- end }}
 
 {{/*
-   Generate securityContext for container
+   Generate securityContext for container (optional)
+   predefined variables: capabilities.drop
+   optional variables: readOnlyRootFilesystem, privileged, allowPrivilegeEscalation
+   Example in values.yaml
+   containerSecurityContext:
+     capabilities:
+       privileged: false
+       runAsUser: 1337
+       runAsGroup: 1337
+       runAsNonRoot: true
+       readOnlyRootFilesystem: true
+       allowPrivilegeEscalation: false
 */}}
 {{- define "common.containerSecurityContext" -}}
 securityContext:
+{{- if not .Values.containerSecurityContext }}
   readOnlyRootFilesystem: true
   privileged: false
   allowPrivilegeEscalation: false
+{{- else }}
+  readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false }}
+  privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }}
+  allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }}
+  runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }}
+{{-   if .Values.containerSecurityContext.runAsUser }}
+  runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+{{-   end }}
+{{-   if .Values.containerSecurityContext.runAsGroup }}
+  runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }}
+{{    end }}
+{{- end }}
   capabilities:
     drop:
       - ALL
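Review bot: The two branches of common.containerSecurityContext default readOnlyRootFilesystem differently: without a containerSecurityContext block the template emits `readOnlyRootFilesystem: true`, but as soon as a chart sets any key in that block the ternary on the readOnlyRootFilesystem line falls back to `false`, so a values file that only sets `privileged: false` silently gets a writable root filesystem. Use the same secure default in both branches: `readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem true }}`. The example in the header comment nests runAsUser, runAsGroup, runAsNonRoot, readOnlyRootFilesystem and allowPrivilegeEscalation under `capabilities:`, while the template reads them directly from `.Values.containerSecurityContext`, so the example should list them as siblings of `capabilities`, not children. The `{{    end }}` closing the runAsGroup conditional lacks the `-` trim the other actions use and emits a stray blank line into the rendered securityContext; it should read `{{- end }}`.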
index d97aa0e..41d11a6 100644 (file)
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: Chart for MariaDB Galera cluster
 name: mariadb-galera
-version: 13.2.1
+version: 13.2.2
 keywords:
   - mariadb
   - mysql
index 2b89519..66ce8ab 100644 (file)
@@ -66,6 +66,7 @@ spec:
             runAsGroup: {{ .Values.securityContext.group_id }}
             readOnlyRootFilesystem: false
             runAsUser: 0
+            runAsNonRoot: false
             seccompProfile:
               type: RuntimeDefault
           volumeMounts:
@@ -181,7 +182,7 @@ spec:
             successThreshold: {{ .Values.startupProbe.successThreshold }}
             failureThreshold: {{ .Values.startupProbe.failureThreshold }}
           {{- end }}
-          {{ include "common.securityContext" . | indent 10 | trim }}
+          {{ include "common.containerSecurityContext" . | indent 10 | trim }}
           resources: {{ include "common.resources" . | nindent 12 }}
           volumeMounts:
             - name: previous-boot
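Review bot: The `runAsNonRoot: false` added next to `runAsUser: 0` carries no explanation, and it is the line that keeps the kubelet from rejecting a root container when the pod-level securityContext (presumably rendered by common.podSecurityContext, which now defaults runAsNonRoot to true) applies; that reasoning belongs in the template. Suggested comment above the line: `# explicit override of the pod-level runAsNonRoot: this init container runs as root (runAsUser: 0)`. The enclosing container definition starts outside the hunk, so whether root is still required for it cannot be judged here. In the second hunk, the switch to common.containerSecurityContext combined with the chart's containerSecurityContext values leaves the main container's root filesystem writable, because the helper defaults readOnlyRootFilesystem to false whenever that values block exists; confirm this is intended for the image rather than an accident of the helper's default.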
index d8303dd..faab7af 100644 (file)
@@ -217,10 +217,13 @@ serviceAccount:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ##
 securityContext:
-  enabled: true
   user_id: 10001
   group_id: 10001
 
+# Old Bitnami Chart does not work without Filesystem access
+containerSecurityContext:
+  readOnlyFileSystem: false
+
 ## Database credentials for root (admin) user
 ##
 rootUser:
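Review bot: The key `readOnlyFileSystem` in the new containerSecurityContext block does not match `readOnlyRootFilesystem`, the key that common.containerSecurityContext reads, so the value is ignored. The chart still ends up with a writable root filesystem only because the helper defaults readOnlyRootFilesystem to false whenever a containerSecurityContext block exists, which masks the typo. Change the line to `readOnlyRootFilesystem: false` so the stated intent survives if that default is ever tightened to true.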
index b0569eb..8ce4600 100644 (file)
@@ -22,7 +22,7 @@ apiVersion: v2
 appVersion: "1.0"
 description: ONAP timescaledb
 name: timescaledb
-version: 13.0.0
+version: 13.0.1
 
 dependencies:
   - name: common
index 1d161f3..031241d 100644 (file)
@@ -29,27 +29,12 @@ spec:
     metadata: {{- include "common.templateMetadata" (dict "ignoreHelmChart" true "dot" . ) | nindent 6 }}
     spec:
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
-      {{ include "common.podSecurityContext" . | indent 10 | trim}}
-      initContainers:
-        # we shouldn't need this but for unknown reason, it's fsGroup is not
-        # applied
-        - name: fix-permission
-          command:
-            - /bin/sh
-          args:
-            - -c
-            - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data
-          image: {{ include "repositoryGenerator.image.busybox" . }}
-          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-          securityContext:
-            runAsUser: 0
-          volumeMounts:
-            - mountPath: /var/lib/postgresql/data
-              name: {{ include "common.fullname" . }}
+      {{ include "common.podSecurityContext" . | indent 6 | trim}}
       containers:
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.pullPolicy }}
+          {{ include "common.containerSecurityContext" . | indent 10 | trim}}
           ports: {{ include "common.containerPorts" . | nindent 12  }}
           livenessProbe:
             exec:
@@ -80,10 +65,15 @@ spec:
               mountPath: /docker-entrypoint-initdb.d
             - name: {{ include "common.fullname" . }}
               mountPath: /var/lib/postgresql/data
+            - name: var-run
+              mountPath: /var/run/postgresql
       volumes:
         - name: {{ include "common.fullname" . }}-init
           configMap:
             name: {{ include "common.fullname" . }}-init
+        - name: var-run
+          emptyDir:
+            sizeLimit: {{ .Values.dirSizes.varDir.sizeLimit }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
       {{- toYaml . | nindent 8 }}
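Review bot: Removing the fix-permission init container makes ownership of /var/lib/postgresql/data depend entirely on the pod-level fsGroup rendered by common.podSecurityContext being honoured by the volume plugin, and the deleted comment itself records that fsGroup was previously observed not to be applied; nothing in the hunk shows why that would now differ (image, fsgroup_id value or storage class changes are not visible here). This should be verified on the storage classes the chart targets, or the reason recorded next to the include, e.g. `# data dir ownership relies on fsGroup from common.podSecurityContext (no chown init container)`. With common.containerSecurityContext now rendering readOnlyRootFilesystem true for this chart, the new var-run emptyDir covers the socket directory; whether the image writes elsewhere on the root filesystem (such as /tmp) is not visible and should be confirmed by deploying the rendered chart. The lower `indent 6` on the podSecurityContext include is consistent with the pod spec's indentation and looks correct.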
index 2643f55..35beab7 100644 (file)
@@ -21,9 +21,9 @@ global:
   persistence: {}
 
 #################################################################
-# Secrets.
+# Image
 ##############################################################
-image: timescale/timescaledb:2.5.1-pg14
+image: timescale/timescaledb:2.16.1-pg14
 
 pullPolicy: Always
 containerPorts: 5432
@@ -41,11 +41,6 @@ securityContext:
   # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group)
   user_id: 70
   group_id: 70
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
 
 flavor: small
 
@@ -114,6 +109,10 @@ config:
   pgRootUserName: postgres
   pgDatabase: timescaledb
 
+dirSizes:
+  varDir:
+    sizeLimit: 64Mi
+
 secrets:
   - uid: root-creds
     type: basicAuth
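Review bot: The image tag moves from 2.5.1-pg14 to 2.16.1-pg14 in one step; on an existing persistent volume the TimescaleDB extension recorded in the database stays at the old version until it is explicitly updated, and whether this image's entrypoint does that automatically is not visible here, so it deserves a note in the values file or the commit message. Suggested comment above the image line: `# upgrading across TimescaleDB minor versions requires updating the extension in existing databases`. The new `dirSizes.varDir.sizeLimit` is consumed by the var-run emptyDir in the statefulset; a one-line comment naming its purpose, e.g. `# emptyDir for /var/run/postgresql (socket directory)`, would save readers a lookup. The `# Image` header also keeps a longer top rule than bottom rule; align the two `#####` lines.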
index 663712c..6ca0e26 100755 (executable)
@@ -97,7 +97,6 @@ global:
   mariadbImage: bitnami/mariadb:10.5.8
 
   # mongodb server image
-
   mongodbImage: percona/percona-server-mongodb:7.0.5-3
 
   # nginx server image