

Pass security context to grafana-dashboard job (#1356)
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha authored Oct 24, 2024
1 parent bd42191 commit 094155c
Showing 6 changed files with 146 additions and 43 deletions.
50 changes: 32 additions & 18 deletions charts/kubedb-grafana-dashboards/README.md


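--- a/charts/kubedb-grafana-dashboards/templates/_helpers.tpl
+++ b/charts/kubedb-grafana-dashboards/templates/_helpers.tpl
@@ -49,3 +49,17 @@ Selector labels
 app.kubernetes.io/name: {{ include "kubedb-grafana-dashboards.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Returns the registry used for image docker image
+*/}}
+{{- define "image.registry" -}}
+{{- list .Values.registryFQDN .Values.image.registry | compact | join "/" }}
+{{- end }}
+
+{{- define "docker.imagePullSecrets" -}}
+{{- with .Values.imagePullSecrets -}}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}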
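Review bot: `image.registry` returns an empty string when both `registryFQDN` and `image.registry` are empty (`compact` drops both), and the caller in job.yaml then renders `image: /curl:<tag>`, which is not a valid image reference; this is an edge case, but nothing in the helper or its caller prevents it. Guarding the join at the call site, `image: {{ list (include "image.registry" .) .Values.image.repository | compact | join "/" }}:{{ .Values.image.tag | default .Chart.AppVersion }}`, avoids the leading slash. The header comment `Returns the registry used for image docker image` is garbled; `Returns the registry prefix for the image (registryFQDN/registry, empty parts dropped)` states what the helper does. `docker.imagePullSecrets` has no header comment at all; a one-liner such as `Renders imagePullSecrets from .Values.imagePullSecrets, or nothing when the list is empty` would match the file's existing style.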
71 changes: 48 additions & 23 deletions charts/kubedb-grafana-dashboards/templates/dedicated/job.yaml
Expand Up @@ -11,33 +11,58 @@ spec:
# ttlSecondsAfterFinished: 0
backoffLimit: 3
template:
{{- with .Values.podAnnotations }}
metadata:
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- include "docker.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: false
volumes:
- name: grafana-dashboards
configMap:
name: {{ include "kubedb-grafana-dashboards.fullname" . }}-config
containers:
- name: post-json-container
image: curlimages/curl:latest
securityContext:
{{- toYaml .Values.image.securityContext | nindent 10 }}
image: {{ include "image.registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command:
- sh
- -c
- |
sleep 2; \
FILES="/grafana/dashboards/*.json"; \
for f in $FILES; \
do \
echo "Processing dashboard file $f ..."; \
curl \
-X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {{ .Values.grafana.apikey }}" \
--data-binary @"$f" \
{{ .Values.grafana.url }}/api/dashboards/import; \
done
- sh
- -c
- |
sleep 2; \
FILES="/grafana/dashboards/*.json"; \
for f in $FILES; \
do \
echo "Processing dashboard file $f ..."; \
curl \
-X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {{ .Values.grafana.apikey }}" \
--data-binary @"$f" \
{{ .Values.grafana.url }}/api/dashboards/import; \
done
resources:
{{- toYaml .Values.image.resources | nindent 10 }}
volumeMounts:
- mountPath: /grafana/dashboards
name: grafana-dashboards
- mountPath: /grafana/dashboards
name: grafana-dashboards
volumes:
- name: grafana-dashboards
configMap:
name: {{ include "kubedb-grafana-dashboards.fullname" . }}-config
restartPolicy: Never
{{ end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{ end }}
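Review bot: The Grafana API key is still rendered into the container command as a literal (`-H "Authorization: Bearer {{ .Values.grafana.apikey }}"`), so it is stored in the Job's pod template and readable by anyone who can get Jobs or Pods, and it appears in `kubectl describe` output. Reading it from a Secret through `env` / `secretKeyRef` and referencing `${GRAFANA_APIKEY}` in the script keeps it out of the manifest; the Secret name would need a new chart value, shown as a placeholder below. In the same loop, curl runs without `-f` and the script has no `set -e`, so a rejected import (for example a 401 from a bad key) still lets the pod exit 0 and the `backoffLimit: 3` above never retries. The Job's top-level metadata and the start of `spec` are outside the hunk.
```yaml
        - name: post-json-container
          # … unchanged: securityContext, image, imagePullPolicy …
          env:
            - name: GRAFANA_APIKEY
              valueFrom:
                secretKeyRef:
                  name: GRAFANA_APIKEY_SECRET_NAME  # placeholder: Secret holding the Grafana API key
                  key: apikey
          command:
            - sh
            - -c
            - |
              set -e
              sleep 2
              for f in /grafana/dashboards/*.json; do
                echo "Processing dashboard file $f ..."
                curl -fsS -X POST \
                  -H "Content-Type: application/json" \
                  -H "Authorization: Bearer ${GRAFANA_APIKEY}" \
                  --data-binary @"$f" \
                  {{ .Values.grafana.url }}/api/dashboards/import
              done
          # … unchanged: resources, volumeMounts …
```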
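--- a/charts/kubedb-grafana-dashboards/values.yaml
+++ b/charts/kubedb-grafana-dashboards/values.yaml
@@ -55,3 +55,53 @@ grafana:
 app:
 name: ""
 namespace: ""
+
+# Docker registry fqdn used to pull KubeDB related images
+# Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image}
+registryFQDN: ""
+image:
+# Docker registry used to pull operator image
+registry: curlimages
+# Name of operator container image
+repository: curl
+# Operator container image tag
+tag: "latest"
+# Security options this container should run with
+securityContext: # +doc-gen:break
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+runAsUser: 65534
+seccompProfile:
+type: RuntimeDefault
+# Compute Resources required by this container
+resources: {}
+# requests:
+# cpu: 100m
+# memory: 128Mi
+
+# Specify an array of imagePullSecrets.
+# Secrets must be manually created in the namespace.
+#
+# Example:
+# helm template charts/stash \
+# --set imagePullSecrets[0].name=sec0 \
+# --set imagePullSecrets[1].name=sec1
+imagePullSecrets: []
+# Container image pull policy
+imagePullPolicy: Always
+# Annotations applied to operator deployment
+annotations: {}
+# Annotations passed to operator pod(s).
+podAnnotations: {}
+# Node labels for pod assignment
+nodeSelector: {}
+# Tolerations for pod assignment
+tolerations: []
+# Affinity rules for pod assignment
+affinity: {}
+# Security options the operator pod should run with.
+podSecurityContext: # +doc-gen:break
+fsGroup: 65534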
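Review bot: `tag: "latest"` together with `imagePullPolicy: Always` means every Job run pulls whatever `curlimages/curl:latest` currently is, so the image that posts the dashboards is neither reproducible nor verifiable; pin it, e.g. `tag: "<pinned curl version>"` (placeholder), or reference a digest. Because this default is non-empty, the `default .Chart.AppVersion` fallback used in job.yaml never applies, which is worth a comment on `tag`. The comments on `registry`, `repository`, `tag`, `annotations` and `podAnnotations` still say "operator", which looks copied from another chart; this chart runs a curl Job, so `# Docker registry used to pull the dashboard-import image` and similar would read better. Whether `annotations` is consumed by the Job template cannot be confirmed from the hunk shown.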
2 changes: 1 addition & 1 deletion charts/kubedb-ui-server/README.md
Expand Up @@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `kubedb-ui-server`
| nodeSelector | Node labels for pod assignment | <code>{}</code> |
| tolerations | Tolerations for pod assignment | <code>[]</code> |
| affinity | Affinity rules for pod assignment | <code>{}</code> |
| podSecurityContext | Security options the operator pod should run with. | <code>{"fsGroup":65535}</code> |
| podSecurityContext | Security options the operator pod should run with. | <code>{"fsGroup":65534}</code> |
| serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
| serviceAccount.annotations | Annotations to add to the service account | <code>{}</code> |
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code></code> |
2 changes: 1 addition & 1 deletion charts/kubedb-ui-server/values.yaml
Expand Up @@ -60,7 +60,7 @@ tolerations: []
affinity: {}
# Security options the operator pod should run with.
podSecurityContext: # +doc-gen:break
fsGroup: 65535
fsGroup: 65534
serviceAccount:
# Specifies whether a service account should be created
create: true
