From 72342cde8044d6c4796ca3a1bfe86ac539982dbc Mon Sep 17 00:00:00 2001
From: jessebot
Date: Thu, 23 Jan 2025 09:06:23 +0100
Subject: [PATCH] chores around renovate, security context, and appVersion

move renovate.json to the root dir and allow ignoring tests for merging GHA patch/minor updates only
switch the appVersion in Chart.yaml to a specific sha tag that should actually work, until pixelfed does another official release
set the securityContext and podSecurityContext to run as user 33, which is www-data to solve security root escalation issue

Signed-off-by: jessebot
---
 README.md | 2 +-
 charts/pixelfed/Chart.yaml | 6 ++++--
 charts/pixelfed/README.md | 8 +++++---
 charts/pixelfed/values.yaml | 20 +++++++++++--------
 .../pixelfed/renovate.json => renovate.json | 5 +++--
 5 files changed, 25 insertions(+), 16 deletions(-)
 rename charts/pixelfed/renovate.json => renovate.json (91%)
diff --git a/README.md b/README.md
index 04dab49..10a8300 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ A helm chart to setup [Pixelfed](https://github.com/pixelfed/pixelfed), a federa
 This chart is still in a testing phase and may not be fully stable yet.
-Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to the latest _released_ version of Pixelfed. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479).
+Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to a specific nightly build of the upstream `dev` branch of the official pixelfed repo. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479).
 ## Features
diff --git a/charts/pixelfed/Chart.yaml b/charts/pixelfed/Chart.yaml
index 29f97fb..2b12bb9 100644
--- a/charts/pixelfed/Chart.yaml
+++ b/charts/pixelfed/Chart.yaml
@@ -15,11 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.16.0
 # This is the version number of the application being deployed.
 # renovate:image=ghcr.io/mattlqx/docker-pixelfed
-appVersion: "v0.12.4-nginx"
+appVersion: "sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig"
+# the below verison is currently broken on migrations :(
+# appVersion: "v0.12.4-nginx"
 maintainers:
 - name: "jessebot"
diff --git a/charts/pixelfed/README.md b/charts/pixelfed/README.md
index 9700204..30ac5e9 100644
--- a/charts/pixelfed/README.md
+++ b/charts/pixelfed/README.md
@@ -1,6 +1,6 @@
 # pixelfed
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig](https://img.shields.io/badge/AppVersion-sha256--ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig-informational?style=flat-square)
 A Helm chart for deploying Pixelfed on Kubernetes
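Review bot: The new `appVersion: "sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig"` looks like a cosign signature tag rather than an image tag: `sha256-<digest>.sig` is the name cosign gives the signature artifact it pushes next to an image, so if the chart's image.tag falls back to Chart.appVersion (the template is not visible here) the pod would try to pull the signature manifest instead of a runnable image. If the goal is to pin the nightly build, pin the image by digest (`@sha256:<digest>`, provided the chart's image template supports a digest) or use the real tag of that build, and keep the `# renovate:image=` hint on something Renovate can actually bump. The added comment also has a typo; suggest `# the below version is currently broken on migrations :(`.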
@@ -183,7 +183,9 @@ A Helm chart for deploying Pixelfed on Kubernetes
 | pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger |
 | podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
 | podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
-| podSecurityContext | object | `{}` | securityContext for the whole pod |
+| podSecurityContext.fsGroup | int | `33` | group to mount the filesystem as |
+| podSecurityContext.runAsGroup | int | `33` | group to run the pixelfed pod as |
+| podSecurityContext.runAsUser | int | `33` | user to run the pixelfed pod as |
 | postgresql.enabled | bool | `true` | enable the bundled [postgresql sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md#parameters). Must set to true if externalDatabase.enabled=false |
 | postgresql.fullnameOverride | string | `"postgresql"` | |
 | postgresql.global.storageClass | string | `""` | |
@@ -192,7 +194,7 @@ A Helm chart for deploying Pixelfed on Kubernetes
 | replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
 | resources | object | `{}` | set resource limits and requests for cpu, memory, and ephemeral storage |
 | revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks |
-| securityContext | object | `{}` | securityContext for the pixelfed container |
+| securityContext.runAsUser | int | `33` | user to run the pixelfed container as |
 | service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
 | service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. |
 | service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
diff --git a/charts/pixelfed/values.yaml b/charts/pixelfed/values.yaml
index 8994a6b..561de54 100644
--- a/charts/pixelfed/values.yaml
+++ b/charts/pixelfed/values.yaml
@@ -54,15 +54,19 @@ podAnnotations: {}
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {}
-# -- securityContext for the whole pod
-podSecurityContext: {}
- # runAsUser: 33
- # runAsGroup: 33
- # fsGroup: 33
+# securityContext for the whole pixelfed pod
+podSecurityContext:
+ # -- user to run the pixelfed pod as
+ runAsUser: 33
+ # -- group to run the pixelfed pod as
+ runAsGroup: 33
+ # -- group to mount the filesystem as
+ fsGroup: 33
-# -- securityContext for the pixelfed container
-securityContext: {}
- # runAsUser: 33
+# securityContext for the pixelfed container
+securityContext:
+ # -- user to run the pixelfed container as
+ runAsUser: 33
 # runAsNonRoot: true
 # readOnlyRootFilesystem: true
 # capabilities:
diff --git a/charts/pixelfed/renovate.json b/renovate.json
similarity index 91%
rename from charts/pixelfed/renovate.json
rename to renovate.json
index 532a0d2..3f860f4 100644
--- a/charts/pixelfed/renovate.json
+++ b/renovate.json
@@ -26,8 +26,9 @@
 },
 {
 "matchManagers": ["github-actions"],
- "matchUpdateTypes": ["patch","minor"],
- "automerge": true
+ "matchUpdateTypes": ["patch", "minor"],
+ "automerge": true,
+ "ignoreTests": true
 }
 ]
 }
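Review bot: The container `securityContext` now fixes `runAsUser: 33` but leaves `# runAsNonRoot: true` commented out right below it, and that is the field the kubelet uses to refuse a container that would start as UID 0; with the UID pinned to 33 it is safe to enable, and `allowPrivilegeEscalation: false` (absent entirely) is the field that actually blocks the setuid/setcap escalation the commit message describes, so I would add both under `securityContext:`. Worth verifying the image still starts as UID 33: the chart README's row for `service.targetPort` says it also sets the port nginx listens on inside the container and defaults to 80, which an unprivileged user cannot bind without `NET_BIND_SERVICE` or a lowered `net.ipv4.ip_unprivileged_port_start` sysctl. The indentation of the nested keys under `podSecurityContext:` and `securityContext:` cannot be confirmed from this collapsed hunk; they have to sit under their parent mapping or the values file will not parse as intended.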
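Review bot: `"ignoreTests": true` makes Renovate automerge github-actions patch/minor updates even when the PR's status checks have not run or have failed, so third-party action code lands in the workflows with no CI gate at all. If the reason is that no checks run on Renovate PRs, record that in the rule with a `"description"` entry, because the option silently keeps automerging once checks are added later; if checks do exist, drop `ignoreTests` and let `automerge` wait on them. Digest-pinning the actions (Renovate's `pinDigests` option) would at least make each automerged update reviewable after the fact as a specific commit.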