chores around renovate, security context, and appVersion
move renovate.json to the root dir and allow ignoring tests for merging GHA patch/minor updates only switch the appVersion in Chart.yaml to a specific sha tag that should actually work, until pixelfed does another official release set the securityContext and podSecurityContext to run as user 33, which is www-data to solve security root escalation issue Signed-off-by: jessebot <jessebot@linux.com>
This commit is contained in:
jessebot
@@ -15,11 +15,13 @@ type: application
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.15.0
|
||||
version: 0.16.0
|
||||
|
||||
# This is the version number of the application being deployed.
|
||||
# renovate:image=ghcr.io/mattlqx/docker-pixelfed
|
||||
appVersion: "v0.12.4-nginx"
|
||||
appVersion: "sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig"
|
||||
# the below verison is currently broken on migrations :(
|
||||
# appVersion: "v0.12.4-nginx"
|
||||
|
||||
maintainers:
|
||||
- name: "jessebot"
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# pixelfed
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
A Helm chart for deploying Pixelfed on Kubernetes
|
||||
|
||||
@@ -183,7 +183,9 @@ A Helm chart for deploying Pixelfed on Kubernetes
|
||||
| pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger |
|
||||
| podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
|
||||
| podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
|
||||
| podSecurityContext | object | `{}` | securityContext for the whole pod |
|
||||
| podSecurityContext.fsGroup | int | `33` | group to mount the filesystem as |
|
||||
| podSecurityContext.runAsGroup | int | `33` | group to run the pixelfed pod as |
|
||||
| podSecurityContext.runAsUser | int | `33` | user to run the pixelfed pod as |
|
||||
| postgresql.enabled | bool | `true` | enable the bundled [postgresql sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md#parameters). Must set to true if externalDatabase.enabled=false |
|
||||
| postgresql.fullnameOverride | string | `"postgresql"` | |
|
||||
| postgresql.global.storageClass | string | `""` | |
|
||||
@@ -192,7 +194,7 @@ A Helm chart for deploying Pixelfed on Kubernetes
|
||||
| replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
|
||||
| resources | object | `{}` | set resource limits and requests for cpu, memory, and ephemeral storage |
|
||||
| revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks |
|
||||
| securityContext | object | `{}` | securityContext for the pixelfed container |
|
||||
| securityContext.runAsUser | int | `33` | user to run the pixelfed container as |
|
||||
| service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
|
||||
| service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. |
|
||||
| service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
|
||||
|
||||
@@ -1,33 +0,0 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"customManagers": [
|
||||
{
|
||||
"customType": "regex",
|
||||
"datasourceTemplate": "docker",
|
||||
"fileMatch": [
|
||||
"(^|/)Chart\\.yaml$"
|
||||
],
|
||||
"matchStrings": [
|
||||
"#\\s*renovate: image=(?<depName>.*?)\\s+appVersion:\\s*[\"']?(?<currentValue>[\\w+\\.\\-]*)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"packageRules": [
|
||||
{
|
||||
"description": "Bump helm chart versions by a patch when updating values files. Digests, pins, rollbacks, replacements and pinDigest updates are deliberately ignored since in our use case, these need a manual decision about the version bump for the chart. This can be removed when https://github.com/renovatebot/renovate/issues/8231 is implemented and enabled.",
|
||||
"matchManagers": ["helm-values", "regex"],
|
||||
"postUpgradeTasks": {
|
||||
"commands": [
|
||||
"scripts/bump-chart-version.sh '{{{parentDir}}}' '{{{updateType}}}'"
|
||||
],
|
||||
"fileFilters": ["**/Chart.yaml"],
|
||||
"executionMode": "branch"
|
||||
}
|
||||
},
|
||||
{
|
||||
"matchManagers": ["github-actions"],
|
||||
"matchUpdateTypes": ["patch","minor"],
|
||||
"automerge": true
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -54,15 +54,19 @@ podAnnotations: {}
|
||||
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
||||
podLabels: {}
|
||||
|
||||
# -- securityContext for the whole pod
|
||||
podSecurityContext: {}
|
||||
# runAsUser: 33
|
||||
# runAsGroup: 33
|
||||
# fsGroup: 33
|
||||
# securityContext for the whole pixelfed pod
|
||||
podSecurityContext:
|
||||
# -- user to run the pixelfed pod as
|
||||
runAsUser: 33
|
||||
# -- group to run the pixelfed pod as
|
||||
runAsGroup: 33
|
||||
# -- group to mount the filesystem as
|
||||
fsGroup: 33
|
||||
|
||||
# -- securityContext for the pixelfed container
|
||||
securityContext: {}
|
||||
# runAsUser: 33
|
||||
# securityContext for the pixelfed container
|
||||
securityContext:
|
||||
# -- user to run the pixelfed container as
|
||||
runAsUser: 33
|
||||
# runAsNonRoot: true
|
||||
# readOnlyRootFilesystem: true
|
||||
# capabilities:
|
||||
|
||||
Reference in New Issue
Block a user