From 3e50bfcaf92f9389721b1b9c4c6424e98cfeacb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Barrag=C3=A1n=20Merino?= Date: Mon, 29 Jul 2024 19:02:41 +0200 Subject: [PATCH] feat: homogenize and simplify container and pod security context and affinity --- charts/penpot/README.md | 26 ++--- charts/penpot/README.md.gotmpl | 12 ++- .../assets-persistentvolumeclaim.yml | 12 +-- .../penpot/templates/backend-deployment.yml | 96 +++++++++---------- .../penpot/templates/exporter-deployment.yml | 42 ++++---- .../exporter-persistentvolumeclaim.yml | 12 +-- .../penpot/templates/frontend-deployment.yml | 42 ++++---- charts/penpot/values.yaml | 42 ++------ 8 files changed, 116 insertions(+), 168 deletions(-) diff --git a/charts/penpot/README.md b/charts/penpot/README.md index 565c768..ce4fd74 100644 --- a/charts/penpot/README.md +++ b/charts/penpot/README.md 
@@ -26,13 +26,7 @@ $ helm install my-release penpot/penpot | Key | Type | Default | Description | |-----|------|---------|-------------| | backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | -| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | -| backend.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Set Penpot containers' security context allowPrivilegeEscalation | -| backend.containerSecurityContext.capabilities | object | `{"drop":["all"]}` | Set Penpot containers' security context capabilities to be dropped | -| backend.containerSecurityContext.enabled | bool | `true` | Enabled Penpot containers' security context | -| backend.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Set Penpot containers' security context readOnlyRootFilesystem | -| backend.containerSecurityContext.runAsNonRoot | bool | `true` | Set Penpot container's security context runAsNonRoot | -| backend.containerSecurityContext.runAsUser | int | `1001` | Set Penpot containers' security context runAsUser | +| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. 
Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment | | backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. | | backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. | @@ -40,9 +34,7 @@ $ helm install my-release penpot/penpot | backend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) | | backend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods | | backend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods | -| backend.podSecurityContext | object | `{"enabled":true,"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | -| backend.podSecurityContext.enabled | bool | `true` | Enabled Penpot pods' security context | -| backend.podSecurityContext.fsGroup | int | `1001` | Set Penpot pod's security context fsGroup | +| backend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | backend.replicaCount | int | `1` | The number of replicas to deploy. | | backend.resources | object | `{"limits":{},"requests":{}}` | Penpot backend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) | | backend.resources.limits | object | `{}` | The resources limits for the Penpot backend containers | 
@@ -145,13 +137,7 @@ $ helm install my-release penpot/penpot | Key | Type | Default | Description | |-----|------|---------|-------------| | exporter.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | -| exporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | -| exporter.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Set Penpot containers' security context allowPrivilegeEscalation | -| exporter.containerSecurityContext.capabilities | object | `{"drop":["all"]}` | Set Penpot containers' security context capabilities to be dropped | -| exporter.containerSecurityContext.enabled | bool | `true` | Enabled Penpot containers' security context | -| exporter.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Set Penpot containers' security context readOnlyRootFilesystem | -| exporter.containerSecurityContext.runAsNonRoot | bool | `true` | Set Penpot container's security context runAsNonRoot | -| exporter.containerSecurityContext.runAsUser | int | `1001` | Set Penpot containers' security context runAsUser | +| exporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. 
Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | exporter.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment | | exporter.image.imagePullPolicy | string | `"IfNotPresent"` | The image pull policy to use. | | exporter.image.repository | string | `"penpotapp/exporter"` | The Docker repository to pull the image from. | 
@@ -159,9 +145,7 @@ $ helm install my-release penpot/penpot | exporter.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) | | exporter.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods | | exporter.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods | -| exporter.podSecurityContext | object | `{"enabled":true,"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | -| exporter.podSecurityContext.enabled | bool | `true` | Enabled Penpot pods' security context | -| exporter.podSecurityContext.fsGroup | int | `1001` | Set Penpot pod's security context fsGroup | +| exporter.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | exporter.replicaCount | int | `1` | The number of replicas to deploy. Enable persistence.exporter if you use more than 1 replicaCount | | exporter.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) | | exporter.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers | 
@@ -175,6 +159,7 @@ $ helm install my-release penpot/penpot | Key | Type | Default | Description | |-----|------|---------|-------------| | frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) | +| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment | | frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. | | frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. | @@ -182,6 +167,7 @@ $ helm install my-release penpot/penpot | frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) | | frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods | | frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods | +| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | | frontend.replicaCount | int | `1` | The number of replicas to deploy. | | frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) | | frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers | 
diff --git a/charts/penpot/README.md.gotmpl b/charts/penpot/README.md.gotmpl index d40b4bb..4236b29 100644 --- a/charts/penpot/README.md.gotmpl +++ b/charts/penpot/README.md.gotmpl @@ -26,8 +26,12 @@ $ helm install my-release penpot/{{ template "chart.name" . }} ## Resources -:speaking_head: [Community](https://community.penpot.app)
-:floppy_disk: [Documentation](https://help.penpot.app/)
-:houses: [Architecture](https://help.penpot.app/technical-guide/developer/architecture/)
-:woman_teacher: [Tutorials](https://www.youtube.com/playlist?list=PLgcCPfOv5v54WpXhHmNO7T-YC7AE-SRsr)
+:speaking_head: [Community](https://community.penpot.app) + +:floppy_disk: [Documentation](https://help.penpot.app/) + +:houses: [Architecture](https://help.penpot.app/technical-guide/developer/architecture/) + +:woman_teacher: [Tutorials](https://www.youtube.com/playlist?list=PLgcCPfOv5v54WpXhHmNO7T-YC7AE-SRsr) + :memo: [Dev Diaries](https://penpot.app/dev-diaries.html) diff --git a/charts/penpot/templates/assets-persistentvolumeclaim.yml b/charts/penpot/templates/assets-persistentvolumeclaim.yml index fa2a917..9be1157 100644 --- a/charts/penpot/templates/assets-persistentvolumeclaim.yml +++ b/charts/penpot/templates/assets-persistentvolumeclaim.yml @@ -5,11 +5,11 @@ metadata: name: {{ include "penpot.fullname" . }}-data-assets namespace: {{ .Release.Namespace }} labels: -{{- include "penpot.labels" . | nindent 4 }} -{{- if .Values.persistence.assets.annotations }} + {{- include "penpot.labels" . | nindent 4 }} + {{- if .Values.persistence.assets.annotations }} annotations: -{{ toYaml .Values.persistence.assets.annotations | indent 4 }} -{{- end }} + {{ toYaml .Values.persistence.assets.annotations | indent 4 }} + {{- end }} spec: accessModes: {{- range .Values.persistence.assets.accessModes }} @@ -18,7 +18,7 @@ spec: resources: requests: storage: {{ .Values.persistence.assets.size | quote }} -{{- if .Values.persistence.assets.storageClass }} + {{- if .Values.persistence.assets.storageClass }} storageClassName: "{{ .Values.persistence.assets.storageClass }}" -{{- end }} + {{- end }} {{- end -}} diff --git a/charts/penpot/templates/backend-deployment.yml b/charts/penpot/templates/backend-deployment.yml index e988001..92210ca 100644 --- a/charts/penpot/templates/backend-deployment.yml +++ b/charts/penpot/templates/backend-deployment.yml 
@@ -27,33 +27,23 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.global.imagePullSecrets }} + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "penpot.serviceAccountName" . }} - {{- if .Values.backend.podSecurityContext.enabled }} + {{- end }} + {{- with .Values.backend.podSecurityContext }} securityContext: - {{- omit .Values.backend.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: - - {{ .Release.Name }} - topologyKey: "kubernetes.io/hostname" + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }}-backend image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}" imagePullPolicy: {{ .Values.backend.image.pullPolicy }} - {{- if .Values.backend.containerSecurityContext.enabled }} + {{- with .Values.backend.containerSecurityContext }} securityContext: - {{- omit .Values.backend.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} + {{- toYaml . | nindent 12 }} + {{- end }} env: # General settings - name: PENPOT_PUBLIC_URI 
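Review bot: Dropping the hard-coded required podAffinity on `kubernetes.io/hostname` changes scheduling in a way the commit does not document: the backend and the frontend mount the same `data-assets` claim (see the `volumes:` blocks of this file and of frontend-deployment.yml further down the patch), and when that PVC is ReadWriteOnce the removed rule was what kept both pods on one node so the volume could be attached to each. With `backend.affinity` now defaulting to `{}` nothing enforces co-location, so a user with `persistence.assets.enabled` on RWO storage may find the second pod stuck waiting for the volume. Either keep the co-location as the documented default or add to the `persistence.assets` / `affinity` comments that RWO assets storage now requires an explicit podAffinity between frontend and backend (or ReadWriteMany storage). The pod spec continues past the end of the hunk.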
@@ -62,83 +52,83 @@ spec: value: "$PENPOT_FLAGS {{ .Values.config.flags }}" - name: PENPOT_SECRET_KEY value: {{ .Values.config.apiSecretKey | quote }} - {{- if .Values.config.registrationDomainWhitelist }} + {{- if .Values.config.registrationDomainWhitelist }} - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST value: {{ .Values.config.registrationDomainWhitelist | quote }} - {{- end }} + {{- end }} - name: PENPOT_TELEMETRY_ENABLED value: {{ .Values.config.telemetryEnabled | quote }} # PosgreSQL connection settings - name: PENPOT_DATABASE_URI - {{- if .Values.config.postgresql.host }} + {{- if .Values.config.postgresql.host }} value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}" - {{- else }} + {{- else }} value: {{ print "postgresql://" (include "penpot.fullname" .) "-postgresql:" .Values.config.postgresql.port "/" .Values.config.postgresql.database }} - {{- end }} + {{- end }} - name: PENPOT_DATABASE_USERNAME - {{- if not .Values.config.postgresql.secretKeys.usernameKey }} + {{- if not .Values.config.postgresql.secretKeys.usernameKey }} value: {{ .Values.config.postgresql.username | quote }} - {{- else }} + {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.postgresql.existingSecret }} key: {{ .Values.config.postgresql.secretKeys.usernameKey }} - {{- end }} + {{- end }} - name: PENPOT_DATABASE_PASSWORD - {{- if not .Values.config.postgresql.secretKeys.passwordKey }} + {{- if not .Values.config.postgresql.secretKeys.passwordKey }} value: {{ .Values.config.postgresql.password | quote }} - {{- else }} + {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.postgresql.existingSecret }} key: {{ .Values.config.postgresql.secretKeys.passwordKey }} - {{- end }} + {{- end }} # Redis connection settings - name: PENPOT_REDIS_URI - {{- if .Values.config.redis.host }} + {{- if .Values.config.redis.host }} value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port 
}}/{{ .Values.config.redis.database }}" - {{- else }} + {{- else }} value: {{ print "redis://" (include "penpot.fullname" .) "-redis-master:" .Values.config.redis.port "/" .Values.config.redis.database }} - {{- end }} + {{- end }} # Assets storage settings - name: PENPOT_ASSETS_STORAGE_BACKEND value: {{ .Values.config.assets.storageBackend | quote }} - {{- if eq .Values.config.assets.storageBackend "assets-fs" }} + {{- if eq .Values.config.assets.storageBackend "assets-fs" }} - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY value: {{ .Values.config.assets.filesystem.directory | quote }} - {{- else if eq .Values.config.assets.storageBackend "assets-s3" }} + {{- else if eq .Values.config.assets.storageBackend "assets-s3" }} - name: PENPOT_STORAGE_ASSETS_S3_REGION value: {{ .Values.config.assets.s3.region | quote }} - name: PENPOT_STORAGE_ASSETS_S3_BUCKET value: {{ .Values.config.assets.s3.bucket | quote }} - name: AWS_ACCESS_KEY_ID - {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }} + {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }} value: {{ .Values.config.assets.s3.accessKeyID | quote }} - {{- else }} + {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.assets.s3.existingSecret }} key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }} - {{- end }} + {{- end }} - name: AWS_SECRET_ACCESS_KEY - {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }} + {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }} value: {{ .Values.config.assets.s3.secretAccessKey | quote }} - {{- else }} + {{- else }} valueFrom: secretKeyRef: name: {{ .Values.config.assets.s3.existingSecret }} key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }} - {{- end }} + {{- end }} - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT - {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }} + {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }} value: {{ .Values.config.assets.s3.endpointURI | quote }} - {{- else }} + {{- 
else }} valueFrom: secretKeyRef: name: {{ .Values.config.assets.s3.existingSecret }} key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }} + {{- end }} {{- end }} - {{- end }} # SMTP settings {{- if .Values.config.smtp.enabled }} {{- if .Values.config.smtp.defaultFrom }} @@ -383,23 +373,23 @@ spec: protocol: TCP resources: {{- toYaml .Values.backend.resources | nindent 12 }} - {{- with .Values.backend.nodeSelector }} + {{- with .Values.backend.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.backend.affinity }} + {{- end }} + {{- with .Values.backend.affinity }} affinity: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.backend.tolerations }} + {{- end }} + {{- with .Values.backend.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} volumes: - name: app-data - {{- if .Values.persistence.assets.enabled }} + {{- if .Values.persistence.assets.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.assets.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-assets" ) }} - {{- else }} + {{- else }} emptyDir: {} - {{- end }} + {{- end }} diff --git a/charts/penpot/templates/exporter-deployment.yml b/charts/penpot/templates/exporter-deployment.yml index 09479f4..76bdab8 100644 --- a/charts/penpot/templates/exporter-deployment.yml +++ b/charts/penpot/templates/exporter-deployment.yml 
@@ -27,32 +27,32 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.global.imagePullSecrets }} + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "penpot.serviceAccountName" . }} - {{- if .Values.exporter.podSecurityContext.enabled }} + {{- end }} + {{- with .Values.exporter.podSecurityContext }} securityContext: - {{- omit .Values.exporter.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }}-exporter image: "{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}" imagePullPolicy: {{ .Values.exporter.image.imagePullPolicy }} - {{- if .Values.exporter.containerSecurityContext.enabled }} + {{- with .Values.exporter.containerSecurityContext }} securityContext: - {{- omit .Values.exporter.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} + {{- toYaml . | nindent 12 }} + {{- end }} env: - name: PENPOT_PUBLIC_URI value: {{ print "http://" (include "penpot.fullname" .) ":" .Values.frontend.service.port }} - name: PENPOT_REDIS_URI - {{- if .Values.config.redis.host }} + {{- if .Values.config.redis.host }} value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}" - {{- else }} + {{- else }} value: {{ print "redis://" (include "penpot.fullname" .) "-redis-master:" .Values.config.redis.port "/" .Values.config.redis.database }} - {{- end }} + {{- end }} - name: PENPOT_TEMPDIR value: "/tmp/penpot-exporter" volumeMounts: 
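Review bot: The `serviceAccountName` / `imagePullSecrets` / `securityContext` preamble added here is the same shape, line for line, as the one added to backend-deployment.yml and frontend-deployment.yml, differing only in the values key it reads; since the stated aim is to homogenize the three deployments, this is a natural candidate for a named template (presumably next to `penpot.serviceAccountName` in `_helpers.tpl`) that takes the component values, so that the next security-context change cannot drift between the three files. While in this hunk, `.Values.exporter.image.imagePullPolicy` versus `.Values.backend.image.pullPolicy` is the remaining naming inconsistency a user hits when writing values for both. Not blocking; the container spec continues outside the hunk.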
@@ -65,23 +65,23 @@ spec: protocol: TCP resources: {{- toYaml .Values.exporter.resources | nindent 12 }} - {{- with .Values.exporter.nodeSelector }} + {{- with .Values.exporter.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.exporter.affinity }} + {{- end }} + {{- with .Values.exporter.affinity }} affinity: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.exporter.tolerations }} + {{- end }} + {{- with .Values.exporter.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} volumes: - name: app-data - {{- if .Values.persistence.exporter.enabled }} + {{- if .Values.persistence.exporter.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.exporter.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-exporter" ) }} - {{- else }} + {{- else }} emptyDir: {} - {{- end }} + {{- end }} diff --git a/charts/penpot/templates/exporter-persistentvolumeclaim.yml b/charts/penpot/templates/exporter-persistentvolumeclaim.yml index 19582bd..a0485b4 100644 --- a/charts/penpot/templates/exporter-persistentvolumeclaim.yml +++ b/charts/penpot/templates/exporter-persistentvolumeclaim.yml @@ -5,11 +5,11 @@ metadata: name: {{ include "penpot.fullname" . }}-data-exporter namespace: {{ .Release.Namespace }} labels: -{{- include "penpot.labels" . | nindent 4 }} -{{- if .Values.persistence.exporter.annotations }} + {{- include "penpot.labels" . | nindent 4 }} + {{- if .Values.persistence.exporter.annotations }} annotations: -{{ toYaml .Values.persistence.exporter.annotations | indent 4 }} -{{- end }} + {{ toYaml .Values.persistence.exporter.annotations | indent 4 }} + {{- end }} spec: accessModes: {{- range .Values.persistence.exporter.accessModes }} 
@@ -18,7 +18,7 @@ spec: resources: requests: storage: {{ .Values.persistence.exporter.size | quote }} -{{- if .Values.persistence.exporter.storageClass }} + {{- if .Values.persistence.exporter.storageClass }} storageClassName: "{{ .Values.persistence.exporter.storageClass }}" -{{- end }} + {{- end }} {{- end -}} diff --git a/charts/penpot/templates/frontend-deployment.yml b/charts/penpot/templates/frontend-deployment.yml index a42b522..c88df36 100644 --- a/charts/penpot/templates/frontend-deployment.yml +++ b/charts/penpot/templates/frontend-deployment.yml @@ -27,25 +27,23 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.global.imagePullSecrets }} + serviceAccountName: {{ include "penpot.serviceAccountName" . }} + {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "penpot.serviceAccountName" . }} - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/instance - operator: In - values: - - {{ .Release.Name }} - topologyKey: "kubernetes.io/hostname" + {{- end }} + {{- with .Values.frontend.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }}-frontend image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag }}" imagePullPolicy: {{ .Values.frontend.image.pullPolicy }} + {{- with .Values.frontend.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} env: - name: PENPOT_FLAGS value: "$PENPOT_FLAGS {{ .Values.config.flags }}" 
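Review bot: The new `securityContext` blocks under `{{- with .Values.frontend.podSecurityContext }}` and `{{- with .Values.frontend.containerSecurityContext }}` render nothing by default, because both keys are introduced in values.yaml as `{}`, so after this change the frontend is the only pod of the release still running without `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [all]`. If the penpotapp/frontend image can run as an unprivileged user, give it the same defaults the backend and exporter get; if it cannot (for example because it needs a privileged port), state that in the values.yaml comment so the gap reads as deliberate, e.g. `# -- Left empty because the frontend image requires <reason>; set runAsNonRoot/allowPrivilegeEscalation/capabilities here if your image allows it`. The container spec continues past the hunk.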
@@ -63,23 +61,23 @@ spec: protocol: TCP resources: {{- toYaml .Values.frontend.resources | nindent 12 }} - {{- with .Values.frontend.nodeSelector }} + {{- with .Values.frontend.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.frontend.affinity }} + {{- end }} + {{- with .Values.frontend.affinity }} affinity: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.frontend.tolerations }} + {{- end }} + {{- with .Values.frontend.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} volumes: - name: app-data - {{- if .Values.persistence.assets.enabled }} + {{- if .Values.persistence.assets.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.assets.existingClaim | default ( printf "%s-%s" ( include "penpot.fullname" . ) "data-assets" ) }} - {{- else }} + {{- else }} emptyDir: {} - {{- end }} + {{- end }} diff --git a/charts/penpot/values.yaml b/charts/penpot/values.yaml index 86e9228..e804e19 100644 --- a/charts/penpot/values.yaml +++ b/charts/penpot/values.yaml 
@@ -339,34 +339,16 @@ backend: # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Backend parameters podSecurityContext: - # -- Enabled Penpot pods' security context - # @section -- Backend parameters - enabled: true - # -- Set Penpot pod's security context fsGroup - # @section -- Backend parameters fsGroup: 1001 # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Backend parameters containerSecurityContext: - # -- Enabled Penpot containers' security context - # @section -- Backend parameters - enabled: true - # -- Set Penpot containers' security context runAsUser - # @section -- Backend parameters runAsUser: 1001 - # -- Set Penpot containers' security context allowPrivilegeEscalation - # @section -- Backend parameters allowPrivilegeEscalation: false - # -- Set Penpot containers' security context capabilities to be dropped - # @section -- Backend parameters capabilities: drop: - all - # -- Set Penpot containers' security context readOnlyRootFilesystem - # @section -- Backend parameters readOnlyRootFilesystem: false - # -- Set Penpot container's security context runAsNonRoot - # @section -- Backend parameters runAsNonRoot: true # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Backend parameters 
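Review bot: Removing the `enabled` key without a compatibility shim means a user who still has `backend.containerSecurityContext.enabled: false` in their values now gets that key passed straight through `toYaml` into the container's `securityContext` (the template no longer does `omit ... "enabled"`), where `enabled` is not a valid field, so an upgrade with stale values will fail validation or be rejected by the API server rather than quietly keep working. Helm also merges maps, so overriding `backend.containerSecurityContext: {}` keeps every default and the only way to drop a single setting, or render no securityContext at all, is to null each key (`runAsUser: null`, `runAsNonRoot: null`, ...). Both facts belong in the comment above the map, e.g. `# -- Override individual keys in your values; set a key to null to remove it (an empty map {} does not clear the defaults). The former 'enabled' switch has been removed.` and the `enabled` removal should be called out as a breaking change in the chart's release notes.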
@@ -417,6 +399,12 @@ frontend: # -- An optional map of annotations to be applied to the controller Pods # @section -- Frontend parameters podAnnotations: {} + # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + # @section -- Frontend parameters + podSecurityContext: {} + # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) + # @section -- Frontend parameters + containerSecurityContext: {} # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Frontend parameters affinity: {} 
@@ -469,34 +457,16 @@ exporter: # -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Exporter parameters podSecurityContext: - # -- Enabled Penpot pods' security context - # @section -- Exporter parameters - enabled: true - # -- Set Penpot pod's security context fsGroup - # @section -- Exporter parameters fsGroup: 1001 # -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) # @section -- Exporter parameters containerSecurityContext: - # -- Enabled Penpot containers' security context - # @section -- Exporter parameters - enabled: true - # -- Set Penpot containers' security context runAsUser - # @section -- Exporter parameters runAsUser: 1001 - # -- Set Penpot containers' security context allowPrivilegeEscalation - # @section -- Exporter parameters allowPrivilegeEscalation: false - # -- Set Penpot containers' security context capabilities to be dropped - # @section -- Exporter parameters capabilities: drop: - all - # -- Set Penpot containers' security context readOnlyRootFilesystem - # @section -- Exporter parameters readOnlyRootFilesystem: false - # -- Set Penpot container's security context runAsNonRoot - # @section -- Exporter parameters runAsNonRoot: true # -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # @section -- Exporter parameters