Correct the security settings and improve templates.
Issue-ID: OOM-3288
Change-Id: Idf1d59b33bea4d27a523d990b218b2e36ffb0348
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
enableServiceAccount: false
k8ssandraOperator:
- cassandraVersion: 4.1.3
+ cassandraVersion: 4.1.6
persistence:
#storageClassName: default
size: 10Gi
apiVersion: v2
description: Common templates for inclusion in other charts
name: common
-version: 13.2.6
+version: 13.2.10
name: {{ include "common.fullname" $dot }}-ingress
annotations:
{{ include "ingress.config.annotations" $dot }}
- labels:
- app: {{ $dot.Chart.Name }}
- chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" $dot }}
- heritage: {{ $dot.Release.Service }}
+ labels: {{- include "common.labels" $dot | nindent 4 }}
spec:
rules:
{{ include "ingress.config.port" $dot | trim }}
The function takes several arguments (inside a dictionary):
- .dot : environment (.)
- .labels : labels to add (dict)
+ - .suffix : name suffix
*/}}
{{- define "common.labels" -}}
{{- $dot := default . .dot -}}
-app.kubernetes.io/name: {{ include "common.name" $dot }}
-app: {{ include "common.name" $dot }}
+{{- $suffix := .suffix -}}
+app.kubernetes.io/name: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }}
+app: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }}
{{- if $dot.Chart.AppVersion }}
version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}"
{{- else }}
privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }}
allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }}
runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }}
-{{- if .Values.containerSecurityContext.runAsUser }}
+{{- if hasKey .Values.containerSecurityContext "runAsUser" }}
runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
{{- end }}
-{{- if .Values.containerSecurityContext.runAsGroup }}
+{{- if hasKey .Values.containerSecurityContext "runAsGroup" }}
runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }}
-{{ end }}
+{{- end }}
{{- end }}
capabilities:
drop:
Generates a secret header with given name and desired labels.
- The template takes two arguments:
+ The template takes three arguments:
- .global: environment (.)
- .name: name of the secret
- .annotations: annotations which should be used
*/}}
{{- define "common.secret._header" -}}
{{- $global := .global }}
+
{{- $name := .name }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $name }}
namespace: {{ include "common.namespace" $global }}
- labels:
- app: {{ include "common.name" $global }}
- chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" $global }}
- heritage: {{ $global.Release.Service }}
+ labels: {{- include "common.labels" $global | nindent 4 }}
{{- if .annotations }}
annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }}
{{- end }}
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
- selector:
- app: '{{ include "common.name" . }}'
- chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
- release: '{{ include "common.release" . }}'
- heritage: '{{ .Release.Service }}'
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
## RelabelConfigs to apply to samples before scraping
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
metadata:
name: {{ include "common.name" . }}-ku
labels:
+ {{- include "common.labels" . | nindent 4 }}
strimzi.io/cluster: {{ include "common.release" . }}-strimzi
spec:
authentication:
name: {{ ($topic.name) | lower }}-kt
{{- end }}
labels:
+ {{- include "common.labels" $ | nindent 4 }}
strimzi.io/cluster: {{ include "common.release" $ }}-strimzi
spec:
{{- if (hasKey $topic "partitions") }}
apiVersion: v2
description: Chart for MariaDB Galera cluster
name: mariadb-galera
-version: 13.2.2
+version: 13.2.3
keywords:
- mariadb
- mysql
initContainers:
# we shouldn't need this but for unknown reason, it's fsGroup is not
# applied
- - name: fix-permission
+ {{- if .Values.mariadbConfiguration }}
+ - name: copy-config
command:
- /bin/sh
args:
- -c
- |
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/
- {{- if .Values.mariadbConfiguration }}
cp /config/my.cnf /actual/my.cnf
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual
- {{- end }}
image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- - CAP_NET_RAW
- add:
- - CHOWN
- - SYS_CHROOT
- runAsGroup: {{ .Values.securityContext.group_id }}
- readOnlyRootFilesystem: false
- runAsUser: 0
- runAsNonRoot: false
- seccompProfile:
- type: RuntimeDefault
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
volumeMounts:
- - name: previous-boot
- mountPath: /bootstrap
- - name: mariadb-tmp-folder
- mountPath: /tmp
- - name: {{ include "common.fullname" . }}
- mountPath: /data
- {{- if .Values.mariadbConfiguration }}
- name: mariadb-galera-starting-config
mountPath: /config/my.cnf
subPath: my.cnf
- name: mariadb-galera-actual-config
mountPath: /actual
- {{- end }}
+ {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
resources: {{ include "common.resources" . | nindent 12 }}
volumeMounts:
+ - name: tmp
+ mountPath: /tmp
- name: previous-boot
mountPath: /opt/bitnami/mariadb/.bootstrap
- name: {{ include "common.fullname" . }}
tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
{{- end }}
volumes:
+ - name: tmp
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
- name: previous-boot
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.bootSizeLimit }}
- name: mariadb-tmp-folder
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.tmpMariaDBSizeLimit }}
{{- if .Values.mariadbConfiguration }}
- name: mariadb-galera-actual-config
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.configSizeLimit }}
- name: mariadb-galera-starting-config
configMap:
name: {{ printf "%s-configuration" (include "common.fullname" .) }}
memory: "3Gi"
unlimited: {}
+volumes:
+ bootSizeLimit: 50Mi
+ tmpSizeLimit: 200Mi
+ configSizeLimit: 50Mi
+ tmpMariaDBSizeLimit: 100Mi
+
## MariaDB Galera containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
requests:
cpu: "0.5"
memory: "200Mi"
+
## MariaDB Galera metrics container's liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
Code Review / oom.git / commitdiff