DevOps/helm-pixelfed
2
0
Fork 0
Code Issues Pull Requests Actions 26 Packages Projects Releases 1 Wiki Activity

chores around renovate, security context, and appVersion

Browse Source 
move renovate.json to the root dir and allow ignoring tests for merging GHA patch/minor updates only

switch the appVersion in Chart.yaml to a specific sha tag that should actually work, until pixelfed does another official release

set the securityContext and podSecurityContext to run as user 33, which is www-data to solve security root escalation issue

Signed-off-by: jessebot <jessebot@linux.com>
This commit is contained in:
jessebot
2025-01-23 09:06:23 +01:00
parent 06611e73f7
commit 72342cde80
5 changed files with 25 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -5,7 +5,7 @@ A helm chart to setup [Pixelfed](https://github.com/pixelfed/pixelfed), a federa
This chart is still in a testing phase and may not be fully stable yet. This chart is still in a testing phase and may not be fully stable yet.
Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to the latest _released_ version of Pixelfed. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479). Uses @mattlqx's [docker image](https://ghcr.io/mattlqx/docker-pixelfed) which is for now pinned to a specific nightly build of the upstream `dev` branch of the official pixelfed repo. You may want to set `image.tag="dev-nginx"` (built from the top of the pixelfed repo's dev branch nightly, so it always has the latest version of pixelfed - but maybe buggy) as it may solve issues you are having that are already fixed such as this [bug that was already patched](https://github.com/pixelfed/pixelfed/issues/5220#issuecomment-2599854479).
## Features ## Features
charts/pixelfed/Chart.yaml
+4 -2
View File
@@ -15,11 +15,13 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.15.0 version: 0.16.0
# This is the version number of the application being deployed. # This is the version number of the application being deployed.
# renovate:image=ghcr.io/mattlqx/docker-pixelfed # renovate:image=ghcr.io/mattlqx/docker-pixelfed
appVersion: "v0.12.4-nginx" appVersion: "sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig"
# the below verison is currently broken on migrations :(
# appVersion: "v0.12.4-nginx"
maintainers: maintainers:
- name: "jessebot" - name: "jessebot"
charts/pixelfed/README.md
+5 -3
View File
@@ -1,6 +1,6 @@
# pixelfed # pixelfed
![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.12.4-nginx](https://img.shields.io/badge/AppVersion-v0.12.4--nginx-informational?style=flat-square) ![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: sha256-ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig](https://img.shields.io/badge/AppVersion-sha256--ea7cbbfe5ba933a934b47cd1029fb5dbc19d437d0aa3f1a309cb5c82226795e8.sig-informational?style=flat-square)
A Helm chart for deploying Pixelfed on Kubernetes A Helm chart for deploying Pixelfed on Kubernetes
@@ -183,7 +183,9 @@ A Helm chart for deploying Pixelfed on Kubernetes
| pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger | | pixelfed.webfinger | string | `"true"` | https://docs.pixelfed.org/technical-documentation/config/#webfinger |
| podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| podSecurityContext | object | `{}` | securityContext for the whole pod | | podSecurityContext.fsGroup | int | `33` | group to mount the filesystem as |
| podSecurityContext.runAsGroup | int | `33` | group to run the pixelfed pod as |
| podSecurityContext.runAsUser | int | `33` | user to run the pixelfed pod as |
| postgresql.enabled | bool | `true` | enable the bundled [postgresql sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md#parameters). Must set to true if externalDatabase.enabled=false | | postgresql.enabled | bool | `true` | enable the bundled [postgresql sub chart from Bitnami](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md#parameters). Must set to true if externalDatabase.enabled=false |
| postgresql.fullnameOverride | string | `"postgresql"` | | | postgresql.fullnameOverride | string | `"postgresql"` | |
| postgresql.global.storageClass | string | `""` | | | postgresql.global.storageClass | string | `""` | |
@@ -192,7 +194,7 @@ A Helm chart for deploying Pixelfed on Kubernetes
| replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ | | replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
| resources | object | `{}` | set resource limits and requests for cpu, memory, and ephemeral storage | | resources | object | `{}` | set resource limits and requests for cpu, memory, and ephemeral storage |
| revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks | | revisionHistoryLimit | int | `10` | how many revisions of the deployment to keep for rollbacks |
| securityContext | object | `{}` | securityContext for the pixelfed container | | securityContext.runAsUser | int | `33` | user to run the pixelfed container as |
| service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports | | service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
| service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. | | service.targetPort | int | `80` | Port to attach to on the pods. Also sets what port nginx listens on inside the container. |
| service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
charts/pixelfed/values.yaml
+12 -8
View File
@@ -54,15 +54,19 @@ podAnnotations: {}
# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {} podLabels: {}
# -- securityContext for the whole pod # securityContext for the whole pixelfed pod
podSecurityContext: {} podSecurityContext:
# runAsUser: 33 # -- user to run the pixelfed pod as
# runAsGroup: 33 runAsUser: 33
# fsGroup: 33 # -- group to run the pixelfed pod as
runAsGroup: 33
# -- group to mount the filesystem as
fsGroup: 33
# -- securityContext for the pixelfed container # securityContext for the pixelfed container
securityContext: {} securityContext:
# runAsUser: 33 # -- user to run the pixelfed container as
runAsUser: 33
# runAsNonRoot: true # runAsNonRoot: true
# readOnlyRootFilesystem: true # readOnlyRootFilesystem: true
# capabilities: # capabilities:
charts/pixelfed/renovate.json → renovate.json
+3 -2
View File
@@ -26,8 +26,9 @@
}, },
{ {
"matchManagers": ["github-actions"], "matchManagers": ["github-actions"],
"matchUpdateTypes": ["patch","minor"], "matchUpdateTypes": ["patch", "minor"],
"automerge": true "automerge": true,
"ignoreTests": true
} }
] ]
} }