feat(argo-cd): Set container security contexts (#1579)
Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
This commit is contained in:
Petr Drastil
GitHub
parent
b249ebf2a9
commit
3d9e2f35a6
12 changed files with 195 additions and 139 deletions
|
|
@ -81,10 +81,6 @@ spec:
|
|||
image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
|
||||
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
|
||||
name: {{ .Values.controller.name }}
|
||||
{{- with .Values.controller.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- with .Values.controller.env }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
|
@ -242,6 +238,8 @@ spec:
|
|||
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
|
||||
resources:
|
||||
{{- toYaml .Values.controller.resources | nindent 10 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.controller.containerSecurityContext | nindent 10 }}
|
||||
workingDir: /home/argocd
|
||||
volumeMounts:
|
||||
{{- with .Values.controller.volumeMounts }}
|
||||
|
|
|
|||
|
|
@ -28,8 +28,10 @@ spec:
|
|||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.applicationSet.podSecurityContext) | nindent 8 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "argo-cd.applicationSetServiceAccountName" . }}
|
||||
containers:
|
||||
- name: {{ .Values.applicationSet.name }}
|
||||
|
|
@ -99,7 +101,7 @@ spec:
|
|||
resources:
|
||||
{{- toYaml .Values.applicationSet.resources | nindent 12 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.applicationSet.securityContext | nindent 12 }}
|
||||
{{- toYaml .Values.applicationSet.containerSecurityContext | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.applicationSet.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
|
|
|
|||
|
|
@ -20,14 +20,15 @@ spec:
|
|||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "argo-cd.notificationsBotsSlackServiceAccountName" . }}
|
||||
securityContext: {{- toYaml (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.notifications.securityContext) | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ template "argo-cd.notifications.fullname" . }}-bot
|
||||
image: {{ default .Values.global.image.repository .Values.notifications.bots.slack.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.bots.slack.image.tag }}
|
||||
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.bots.slack.image.pullPolicy }}
|
||||
resources:
|
||||
{{- toYaml .Values.notifications.bots.slack.resources | nindent 12 }}
|
||||
command:
|
||||
- argocd-notifications
|
||||
- bot
|
||||
|
|
@ -35,19 +36,20 @@ spec:
|
|||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
{{- with .Values.notifications.bots.slack.containerSecurityContext }}
|
||||
securityContext: {{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.notifications.bots.slack.resources | nindent 12 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.notifications.bots.slack.containerSecurityContext | nindent 12 }}
|
||||
{{- with .Values.notifications.bots.slack.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.notifications.bots.slack.affinity }}
|
||||
{{- with .Values.notifications.bots.slack.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.notifications.bots.slack.tolerations }}
|
||||
{{- end }}
|
||||
{{- with .Values.notifications.bots.slack.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
|
|
|
|||
|
|
@ -38,30 +38,16 @@ spec:
|
|||
- name: {{ .Values.notifications.name }}
|
||||
image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }}
|
||||
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.image.imagePullPolicy }}
|
||||
resources:
|
||||
{{- toYaml .Values.notifications.resources | nindent 12 }}
|
||||
command:
|
||||
- argocd-notifications
|
||||
- --loglevel={{ default .Values.global.logging.level .Values.notifications.logLevel }}
|
||||
- --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
|
||||
{{- if .Values.notifications.metrics.enabled }}
|
||||
- --metrics-port={{ .Values.notifications.metrics.port }}
|
||||
{{- end }}
|
||||
- --namespace={{ .Release.Namespace }}
|
||||
- --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
|
||||
{{- range .Values.notifications.extraArgs }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
workingDir: /app
|
||||
ports:
|
||||
{{- if .Values.notifications.metrics.enabled }}
|
||||
- containerPort: {{ .Values.notifications.metrics.port }}
|
||||
name: metrics
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
{{- if .Values.notifications.containerSecurityContext }}
|
||||
securityContext: {{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.notifications.extraEnv }}
|
||||
env:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
|
|
@ -70,6 +56,15 @@ spec:
|
|||
envFrom:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.notifications.metrics.port }}
|
||||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.notifications.resources | nindent 12 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.notifications.containerSecurityContext | nindent 12 }}
|
||||
workingDir: /app
|
||||
volumeMounts:
|
||||
- name: tls-certs
|
||||
mountPath: /app/config/tls
|
||||
|
|
|
|||
|
|
@ -55,10 +55,6 @@ spec:
|
|||
{{- with .Values.repoServer.extraArgs }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.repoServer.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- with .Values.repoServer.env }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
|
@ -254,10 +250,10 @@ spec:
|
|||
timeoutSeconds: {{ .Values.repoServer.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.repoServer.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
|
||||
{{- with .Values.repoServer.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.repoServer.resources | nindent 10 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.repoServer.containerSecurityContext | nindent 10 }}
|
||||
{{- with .Values.repoServer.extraContainers }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -52,10 +52,6 @@ spec:
|
|||
{{- with .Values.server.extraArgs }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- with .Values.server.env }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
|
@ -309,10 +305,10 @@ spec:
|
|||
timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.server.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
|
||||
{{- with .Values.server.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.server.resources | nindent 10 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.server.containerSecurityContext | nindent 10 }}
|
||||
{{- with .Values.server.lifecycle }}
|
||||
lifecycle:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
|
@ -324,11 +320,13 @@ spec:
|
|||
- name: argocd-extensions
|
||||
image: {{ .Values.server.extensions.image.repository }}:{{ .Values.server.extensions.image.tag }}
|
||||
imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }}
|
||||
resources:
|
||||
{{- toYaml .Values.server.extensions.resources | nindent 10 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.server.extensions.containerSecurityContext | nindent 10 }}
|
||||
volumeMounts:
|
||||
- name: extensions
|
||||
mountPath: /tmp/extensions/
|
||||
resources:
|
||||
{{- toYaml .Values.server.extensions.resources | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.server.nodeSelector }}
|
||||
nodeSelector:
|
||||
|
|
|
|||
|
|
@ -36,12 +36,6 @@ spec:
|
|||
- name: copyutil
|
||||
image: {{ default .Values.global.image.repository .Values.dex.initImage.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.dex.initImage.tag }}
|
||||
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.dex.initImage.imagePullPolicy }}
|
||||
resources:
|
||||
{{- toYaml .Values.dex.resources | nindent 10 }}
|
||||
{{- with .Values.dex.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- cp
|
||||
- -n
|
||||
|
|
@ -52,6 +46,10 @@ spec:
|
|||
name: static-files
|
||||
- mountPath: /tmp
|
||||
name: dexconfig
|
||||
resources:
|
||||
{{- toYaml .Values.dex.resources | nindent 10 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
|
||||
{{- with .Values.dex.initContainers }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
|
|
@ -64,10 +62,7 @@ spec:
|
|||
args:
|
||||
- rundex
|
||||
{{- with .Values.dex.extraArgs }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.dex.containerSecurityContext }}
|
||||
securityContext: {{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- with .Values.dex.env }}
|
||||
|
|
@ -115,18 +110,20 @@ spec:
|
|||
successThreshold: {{ .Values.dex.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.dex.resources | nindent 10 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.dex.containerSecurityContext | nindent 10 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.dex.volumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
- name: static-files
|
||||
mountPath: /shared
|
||||
- name: dexconfig
|
||||
mountPath: /tmp
|
||||
- name: argocd-dex-server-tls
|
||||
mountPath: /tls
|
||||
{{- with .Values.dex.volumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.dex.resources | nindent 10 }}
|
||||
{{- with .Values.dex.extraContainers }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -63,10 +63,8 @@ spec:
|
|||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.redis.resources | nindent 10 }}
|
||||
{{- with .Values.redis.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.redis.containerSecurityContext | nindent 10 }}
|
||||
{{- with .Values.redis.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
|
|
@ -86,10 +84,8 @@ spec:
|
|||
protocol: TCP
|
||||
resources:
|
||||
{{- toYaml .Values.redis.metrics.resources | nindent 10 }}
|
||||
{{- with .Values.redis.containerSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- toYaml .Values.redis.metrics.containerSecurityContext | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.redis.extraContainers }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue