From e061dd32cb0a0f1559a56470d016b8ce2b9d3759 Mon Sep 17 00:00:00 2001 From: Sina Darbouy Date: Fri, 22 Nov 2024 19:09:47 +0100 Subject: [PATCH] fix: lint issues and security improvements - Remove trailing whitespace and extra newlines - Add default resource limits and requests (100m CPU, 128Mi memory) - Add security context and resource limits to test pod - Format YAML files for better readability - Update plugin checksum in gatewayd_plugins.yaml --- .github/workflows/helm-test.yml | 5 ++--- README.md | 2 +- files/gatewayd_plugins.yaml | 2 +- templates/tests/test-connection.yaml | 16 ++++++++++++++ values.yaml | 32 +++++++++++++--------------- 5 files changed, 35 insertions(+), 22 deletions(-) diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml index b4a8be6..70a40fb 100644 --- a/.github/workflows/helm-test.yml +++ b/.github/workflows/helm-test.yml @@ -1,5 +1,4 @@ - -name: Test Action +name: Test Action on: push: branches: @@ -38,7 +37,7 @@ jobs: echo PostgreSQL did not start within 300 seconds! exit 1 - name: Install gatewayd - run: helm install gatewayd . + run: helm install gatewayd . - name: Check deployment status run: | kubectl rollout status --watch deployment/gatewayd --timeout=5m diff --git a/README.md b/README.md index 3c050c9..44d1102 100644 --- a/README.md +++ b/README.md 
@@ -33,7 +33,7 @@ helm install gatewayd-release -f values.yaml ./ | `image.repository` | The Docker image repository | `gatewaydio/gatewayd` | | `image.tag` | The Docker image tag. If not set, the app version from the chart is used | `""` | | `image.pullPolicy` | The image pull policy | `IfNotPresent` | -| `resources` | Resource requests and limits for the container | `{}` | +| `resources` | Resource requests and limits for the container | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | | `gatewaydPluginsConfig.enabled` | Determines whether the `gatewayd_plugins.yaml` ConfigMap is mounted to the container. If enabled, a volume and volumeMount are added to the deployment. | `false` | | `gatewaydConfig.enabled` | Determines whether the `gatewayd.yaml` ConfigMap is mounted to the container. If enabled, a volume and volumeMount are added to the deployment. | `false` | | `nodeSelector` | Node selector for the pod | `{}` | diff --git a/files/gatewayd_plugins.yaml b/files/gatewayd_plugins.yaml index 5a2eafe..b8006bb 100644 --- a/files/gatewayd_plugins.yaml +++ b/files/gatewayd_plugins.yaml @@ -27,4 +27,4 @@ plugins: - EXIT_ON_STARTUP_ERROR=False - SENTRY_DSN=https://70eb1abcd32e41acbdfc17bc3407a543@o4504550475038720.ingest.sentry.io/4505342961123328 - CACHE_CHANNEL_BUFFER_SIZE=100 - checksum: 7a882a6d82105373feb5d2e428d928efd379c240d994b4167a5799d77af3d938 + checksum: 9828ef25c8e10663cffb8b0080f3513f41b8c8a7b2268e29116cbc100f1b7b3 diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml index 1119154..241d3a6 100644 --- a/templates/tests/test-connection.yaml +++ b/templates/tests/test-connection.yaml 
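Review bot: The new `checksum:` value in files/gatewayd_plugins.yaml is 63 hex characters as it appears here, one short of a SHA-256 digest, while the value it replaces is 64, so a leading digit may have been dropped in the edit or in the paste. Verify the new value against the plugin release's published checksum before merging; depending on how the loader compares it, a short digest either fails verification outright or no longer pins the binary the way the old one did. A comment above the line tying the digest to its source, e.g. `# sha256 of <plugin release artifact> — update together with the plugin version`, would make future bumps checkable at review time.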
@@ -12,4 +12,20 @@ spec: image: busybox command: ['wget'] args: ['{{ include "gatewayd.fullname" . }}:{{ .Values.service.port }}'] + resources: + limits: + cpu: "200m" + memory: "128Mi" + requests: + cpu: "100m" + memory: "64Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL restartPolicy: Never diff --git a/values.yaml b/values.yaml index dfeee07..0552712 100644 --- a/values.yaml +++ b/values.yaml @@ -24,10 +24,12 @@ serviceAccount: podAnnotations: {} podLabels: {} -podSecurityContext: {} +podSecurityContext: + {} # fsGroup: 2000 -securityContext: {} +securityContext: + {} # capabilities: # drop: # - ALL @@ -42,7 +44,8 @@ service: ingress: enabled: false className: "" - annotations: {} + annotations: + {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: @@ -55,17 +58,13 @@ ingress: # hosts: # - chart-example.local -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi +resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi autoscaling: enabled: false 
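Review bot: With `readOnlyRootFilesystem: true` now set on the busybox container, a successful `wget` against the service would try to save its output file into the working directory and fail, so the test pod can start failing for a reason unrelated to connectivity; `command` and `args` are context lines just above the added block and were left unchanged. Either send the output to stdout, e.g. `args: ['-O', '-', '{{ include "gatewayd.fullname" . }}:{{ .Values.service.port }}']`, or mount an `emptyDir` at the working directory. The rest of the hardened `securityContext` is a good default; adding `seccompProfile: {type: RuntimeDefault}` under it would bring the test pod in line with the restricted Pod Security Standard.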
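Review bot: The deployment's `podSecurityContext` and `securityContext` in values.yaml stay empty after this hunk (they are only reflowed to put `{}` on its own line), so the chart's main workload gets none of the hardening this commit adds to the one-shot test pod. If the gatewayd image runs as a non-root user and does not write to its root filesystem — neither is visible from the hunk, so confirm against the image — the container `securityContext` default below would make the deployment match the test pod; `readOnlyRootFilesystem` is the setting most likely to need an `emptyDir` for any writable path. The existing `# fsGroup: 2000` hint can stay as it is.
```yaml
# … unchanged: podAnnotations, podLabels, podSecurityContext …
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
```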
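Review bot: The new `resources` default in values.yaml sets the CPU limit equal to the 100m request, replacing the upstream chart's deliberate `{}` (the removed comment explains the reasoning) with a limit low enough to throttle a connection proxy under load, and a 128Mi memory limit terminates the container rather than degrading it when exceeded. If shipping defaults is the intent, a short comment above `resources:` should say they are conservative starting values that users are expected to raise, e.g. `# Conservative defaults so the chart runs on small clusters; raise for real workloads.`; otherwise restoring `resources: {}` keeps sizing a conscious choice for the operator.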
@@ -94,10 +93,9 @@ gatewaydPluginsConfig: # If gatewaydConfig is disabled, GatewayD will use the default configuration. # The default config can be found here: https://github.com/gatewayd-io/gatewayd/blob/main/gatewayd.yaml -gatewaydConfig: +gatewaydConfig: enabled: true - -# Configuration can be overridden using environment variables. +# Configuration can be overridden using environment variables. # For more details, visit: https://docs.gatewayd.io/using-gatewayd/configuration/#environment-variables # extraEnvVars: # GATEWAYD_CLIENTS_DEFAULT_WRITES_ADDRESS: psql-postgresql:5432