fix: lint issues and security improvements

- Remove trailing whitespace and extra newlines - Add default resource limits and requests (100m CPU, 128Mi memory) - Add security context and resource limits to test pod - Format YAML files for better readability - Update plugin checksum in gatewayd_plugins.yaml
gatewayd-io · Nov 23, 2024 · e061dd3 · e061dd3
1 parent 7d289e4
commit e061dd3
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 22 deletions.
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
@@ -1,5 +1,4 @@
-
-name: Test Action 
+name: Test Action
 on:
   push:
     branches:
@@ -38,7 +37,7 @@ jobs:
           echo PostgreSQL did not start within 300 seconds!
           exit 1
       - name: Install gatewayd
-        run: helm install gatewayd . 
+        run: helm install gatewayd .
       - name: Check deployment status
         run: |
           kubectl rollout status --watch deployment/gatewayd --timeout=5m

diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ helm install gatewayd-release -f values.yaml ./
 | `image.repository`                          | The Docker image repository                                                                           | `gatewaydio/gatewayd`       |
 | `image.tag`                                 | The Docker image tag. If not set, the app version from the chart is used                              | `""`                        |
 | `image.pullPolicy`                          | The image pull policy                                                                                 | `IfNotPresent`              |
-| `resources`                                 | Resource requests and limits for the container                                                        | `{}`                        |
+| `resources`                                 | Resource requests and limits for the container                                                        | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` |
 | `gatewaydPluginsConfig.enabled`             | Determines whether the `gatewayd_plugins.yaml` ConfigMap is mounted to the container. If enabled, a volume and volumeMount are added to the deployment. | `false`                     |
 | `gatewaydConfig.enabled`             | Determines whether the `gatewayd.yaml` ConfigMap is mounted to the container. If enabled, a volume and volumeMount are added to the deployment. | `false`                     |
 | `nodeSelector`                              | Node selector for the pod                                                                             | `{}`                        |

diff --git a/files/gatewayd_plugins.yaml b/files/gatewayd_plugins.yaml
@@ -27,4 +27,4 @@ plugins:
       - EXIT_ON_STARTUP_ERROR=False
       - SENTRY_DSN=https://70eb1abcd32e41acbdfc17bc3407a543@o4504550475038720.ingest.sentry.io/4505342961123328
       - CACHE_CHANNEL_BUFFER_SIZE=100
-    checksum: 7a882a6d82105373feb5d2e428d928efd379c240d994b4167a5799d77af3d938
+    checksum: 9828ef25c8e10663cffb8b0080f3513f41b8c8a7b2268e29116cbc100f1b7b3
diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml
@@ -12,4 +12,20 @@ spec:
       image: busybox
       command: ['wget']
       args: ['{{ include "gatewayd.fullname" . }}:{{ .Values.service.port }}']
+      resources:
+        limits:
+          cpu: "200m"
+          memory: "128Mi"
+        requests:
+          cpu: "100m"
+          memory: "64Mi"
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        capabilities:
+          drop:
+            - ALL
   restartPolicy: Never
diff --git a/values.yaml b/values.yaml
@@ -24,10 +24,12 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  {}
   # fsGroup: 2000
 
-securityContext: {}
+securityContext:
+  {}
   # capabilities:
   #   drop:
   #   - ALL
@@ -42,7 +44,8 @@ service:
 ingress:
   enabled: false
   className: ""
-  annotations: {}
+  annotations:
+    {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
@@ -55,17 +58,13 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
 
 autoscaling:
   enabled: false
@@ -94,10 +93,9 @@ gatewaydPluginsConfig:
 
 # If gatewaydConfig is disabled, GatewayD will use the default configuration.
 # The default config can be found here: https://github.com/gatewayd-io/gatewayd/blob/main/gatewayd.yaml
-gatewaydConfig: 
+gatewaydConfig:
   enabled: true
-
-# Configuration can be overridden using environment variables. 
+# Configuration can be overridden using environment variables.
 # For more details, visit: https://docs.gatewayd.io/using-gatewayd/configuration/#environment-variables
 # extraEnvVars:
 #   GATEWAYD_CLIENTS_DEFAULT_WRITES_ADDRESS: psql-postgresql:5432