
feat: homogenize and simplify container and pod security context and affinity

This commit is contained in:
David Barragán Merino 2024-07-29 19:02:41 +02:00 committed by David Barragán Merino
parent 0f45e6477f
commit 3e50bfcaf9
8 changed files with 116 additions and 168 deletions


@ -26,13 +26,7 @@ $ helm install my-release penpot/penpot
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| backend.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Set Penpot containers' security context allowPrivilegeEscalation |
| backend.containerSecurityContext.capabilities | object | `{"drop":["all"]}` | Set Penpot containers' security context capabilities to be dropped |
| backend.containerSecurityContext.enabled | bool | `true` | Enabled Penpot containers' security context |
| backend.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Set Penpot containers' security context readOnlyRootFilesystem |
| backend.containerSecurityContext.runAsNonRoot | bool | `true` | Set Penpot container's security context runAsNonRoot |
| backend.containerSecurityContext.runAsUser | int | `1001` | Set Penpot containers' security context runAsUser |
| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
| backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
| backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. |
@ -40,9 +34,7 @@ $ helm install my-release penpot/penpot
| backend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
| backend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
| backend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
| backend.podSecurityContext | object | `{"enabled":true,"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| backend.podSecurityContext.enabled | bool | `true` | Enabled Penpot pods' security context |
| backend.podSecurityContext.fsGroup | int | `1001` | Set Penpot pod's security context fsGroup |
| backend.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| backend.replicaCount | int | `1` | The number of replicas to deploy. |
| backend.resources | object | `{"limits":{},"requests":{}}` | Penpot backend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
| backend.resources.limits | object | `{}` | The resources limits for the Penpot backend containers |
@ -145,13 +137,7 @@ $ helm install my-release penpot/penpot
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| exporter.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
| exporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| exporter.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Set Penpot containers' security context allowPrivilegeEscalation |
| exporter.containerSecurityContext.capabilities | object | `{"drop":["all"]}` | Set Penpot containers' security context capabilities to be dropped |
| exporter.containerSecurityContext.enabled | bool | `true` | Enabled Penpot containers' security context |
| exporter.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Set Penpot containers' security context readOnlyRootFilesystem |
| exporter.containerSecurityContext.runAsNonRoot | bool | `true` | Set Penpot container's security context runAsNonRoot |
| exporter.containerSecurityContext.runAsUser | int | `1001` | Set Penpot containers' security context runAsUser |
| exporter.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| exporter.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
| exporter.image.imagePullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
| exporter.image.repository | string | `"penpotapp/exporter"` | The Docker repository to pull the image from. |
@ -159,9 +145,7 @@ $ helm install my-release penpot/penpot
| exporter.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
| exporter.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
| exporter.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
| exporter.podSecurityContext | object | `{"enabled":true,"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| exporter.podSecurityContext.enabled | bool | `true` | Enabled Penpot pods' security context |
| exporter.podSecurityContext.fsGroup | int | `1001` | Set Penpot pod's security context fsGroup |
| exporter.podSecurityContext | object | `{"fsGroup":1001}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| exporter.replicaCount | int | `1` | The number of replicas to deploy. Enable persistence.exporter if you use more than 1 replicaCount |
| exporter.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
| exporter.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |
@ -175,6 +159,7 @@ $ helm install my-release penpot/penpot
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| frontend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
| frontend.containerSecurityContext | object | `{}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
| frontend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
| frontend.image.repository | string | `"penpotapp/frontend"` | The Docker repository to pull the image from. |
@ -182,6 +167,7 @@ $ helm install my-release penpot/penpot
| frontend.nodeSelector | object | `{}` | Node labels for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/user-guide/node-selection/) |
| frontend.podAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Pods |
| frontend.podLabels | object | `{}` | An optional map of labels to be applied to the controller Pods |
| frontend.podSecurityContext | object | `{}` | Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| frontend.replicaCount | int | `1` | The number of replicas to deploy. |
| frontend.resources | object | `{"limits":{},"requests":{}}` | Penpot frontend resource requests and limits. Check [the official doc](https://kubernetes.io/docs/user-guide/compute-resources/) |
| frontend.resources.limits | object | `{}` | The resources limits for the Penpot frontend containers |


@ -26,8 +26,12 @@ $ helm install my-release penpot/{{ template "chart.name" . }}
## Resources
:speaking_head: [Community](https://community.penpot.app)<br />
:floppy_disk: [Documentation](https://help.penpot.app/)<br />
:houses: [Architecture](https://help.penpot.app/technical-guide/developer/architecture/)<br />
:woman_teacher: [Tutorials](https://www.youtube.com/playlist?list=PLgcCPfOv5v54WpXhHmNO7T-YC7AE-SRsr)<br />
:speaking_head: [Community](https://community.penpot.app)
:floppy_disk: [Documentation](https://help.penpot.app/)
:houses: [Architecture](https://help.penpot.app/technical-guide/developer/architecture/)
:woman_teacher: [Tutorials](https://www.youtube.com/playlist?list=PLgcCPfOv5v54WpXhHmNO7T-YC7AE-SRsr)
:memo: [Dev Diaries](https://penpot.app/dev-diaries.html)


@ -5,11 +5,11 @@ metadata:
name: {{ include "penpot.fullname" . }}-data-assets
namespace: {{ .Release.Namespace }}
labels:
{{- include "penpot.labels" . | nindent 4 }}
{{- if .Values.persistence.assets.annotations }}
{{- include "penpot.labels" . | nindent 4 }}
{{- if .Values.persistence.assets.annotations }}
annotations:
{{ toYaml .Values.persistence.assets.annotations | indent 4 }}
{{- end }}
{{ toYaml .Values.persistence.assets.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.assets.accessModes }}
@ -18,7 +18,7 @@ spec:
resources:
requests:
storage: {{ .Values.persistence.assets.size | quote }}
{{- if .Values.persistence.assets.storageClass }}
{{- if .Values.persistence.assets.storageClass }}
storageClassName: "{{ .Values.persistence.assets.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}


@ -27,32 +27,22 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "penpot.serviceAccountName" . }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "penpot.serviceAccountName" . }}
{{- if .Values.backend.podSecurityContext.enabled }}
{{- with .Values.backend.podSecurityContext }}
securityContext:
{{- omit .Values.backend.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
topologyKey: "kubernetes.io/hostname"
containers:
- name: {{ .Chart.Name }}-backend
image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}"
imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
{{- if .Values.backend.containerSecurityContext.enabled }}
{{- with .Values.backend.containerSecurityContext }}
securityContext:
{{- omit .Values.backend.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
# General settings
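Review bot: Dropping the `enabled` toggle makes `with` the only guard on both `securityContext` blocks, so any existing user values that still carry `backend.podSecurityContext.enabled` or `backend.containerSecurityContext.enabled` are now rendered verbatim into the Pod and container `securityContext`, where `enabled` is not a valid field and the API server may reject the manifest or silently drop the key depending on its field-validation mode. A short migration guard before the `with` would make the break explicit instead of surfacing as an apply error: `{{- if hasKey .Values.backend.podSecurityContext "enabled" }}{{ fail "backend.podSecurityContext.enabled was removed; set the map to {} to disable the block" }}{{- end }}`, with the same check for `backend.containerSecurityContext`. The exporter deployment hunk has the identical gap, and the `# --` comment above each of these maps in values.yaml should now state that setting the map to `{}` omits the block entirely, since that is the only remaining way to disable it. The required pod affinity to the release's hostname is also removed here; unless the template renders `.Values.backend.affinity` outside this hunk, the documented `backend.affinity` value has no effect, which is worth confirming. The Deployment `spec` continues outside the hunk.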


@ -27,22 +27,22 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "penpot.serviceAccountName" . }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "penpot.serviceAccountName" . }}
{{- if .Values.exporter.podSecurityContext.enabled }}
{{- with .Values.exporter.podSecurityContext }}
securityContext:
{{- omit .Values.exporter.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-exporter
image: "{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}"
imagePullPolicy: {{ .Values.exporter.image.imagePullPolicy }}
{{- if .Values.exporter.containerSecurityContext.enabled }}
{{- with .Values.exporter.containerSecurityContext }}
securityContext:
{{- omit .Values.exporter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: PENPOT_PUBLIC_URI


@ -5,11 +5,11 @@ metadata:
name: {{ include "penpot.fullname" . }}-data-exporter
namespace: {{ .Release.Namespace }}
labels:
{{- include "penpot.labels" . | nindent 4 }}
{{- if .Values.persistence.exporter.annotations }}
{{- include "penpot.labels" . | nindent 4 }}
{{- if .Values.persistence.exporter.annotations }}
annotations:
{{ toYaml .Values.persistence.exporter.annotations | indent 4 }}
{{- end }}
{{ toYaml .Values.persistence.exporter.annotations | indent 4 }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.exporter.accessModes }}
@ -18,7 +18,7 @@ spec:
resources:
requests:
storage: {{ .Values.persistence.exporter.size | quote }}
{{- if .Values.persistence.exporter.storageClass }}
{{- if .Values.persistence.exporter.storageClass }}
storageClassName: "{{ .Values.persistence.exporter.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}


@ -27,25 +27,23 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "penpot.serviceAccountName" . }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "penpot.serviceAccountName" . }}
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- {{ .Release.Name }}
topologyKey: "kubernetes.io/hostname"
{{- with .Values.frontend.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}-frontend
image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag }}"
imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
{{- with .Values.frontend.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: PENPOT_FLAGS
value: "$PENPOT_FLAGS {{ .Values.config.flags }}"
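Review bot: The new frontend `securityContext` blocks render from values that default to `{}` (the values.yaml hunk at `@ -417,6 +399,12`), so after this change the frontend Pod and container still carry no `runAsNonRoot`, no dropped capabilities and no `allowPrivilegeEscalation: false`, while backend and exporter keep those hardened defaults; the "homogenize" intent of the commit does not yet hold for the security posture of the three components. If the frontend image can run unprivileged, giving it the same defaults as the other two components closes that gap; if it cannot, a one-line comment on each `{}` default in values.yaml stating why would keep that decision visible to operators reviewing the chart. The hard-coded pod affinity is also dropped here; unless `.Values.frontend.affinity` is rendered outside this hunk, confirm the documented `frontend.affinity` value is still honoured. The Deployment `spec` continues outside the hunk.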


@ -339,34 +339,16 @@ backend:
# -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Backend parameters
podSecurityContext:
# -- Enabled Penpot pods' security context
# @section -- Backend parameters
enabled: true
# -- Set Penpot pod's security context fsGroup
# @section -- Backend parameters
fsGroup: 1001
# -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Backend parameters
containerSecurityContext:
# -- Enabled Penpot containers' security context
# @section -- Backend parameters
enabled: true
# -- Set Penpot containers' security context runAsUser
# @section -- Backend parameters
runAsUser: 1001
# -- Set Penpot containers' security context allowPrivilegeEscalation
# @section -- Backend parameters
allowPrivilegeEscalation: false
# -- Set Penpot containers' security context capabilities to be dropped
# @section -- Backend parameters
capabilities:
drop:
- all
# -- Set Penpot containers' security context readOnlyRootFilesystem
# @section -- Backend parameters
readOnlyRootFilesystem: false
# -- Set Penpot container's security context runAsNonRoot
# @section -- Backend parameters
runAsNonRoot: true
# -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# @section -- Backend parameters
@ -417,6 +399,12 @@ frontend:
# -- An optional map of annotations to be applied to the controller Pods
# @section -- Frontend parameters
podAnnotations: {}
# -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Frontend parameters
podSecurityContext: {}
# -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Frontend parameters
containerSecurityContext: {}
# -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# @section -- Frontend parameters
affinity: {}
@ -469,34 +457,16 @@ exporter:
# -- Configure Pods Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Exporter parameters
podSecurityContext:
# -- Enabled Penpot pods' security context
# @section -- Exporter parameters
enabled: true
# -- Set Penpot pod's security context fsGroup
# @section -- Exporter parameters
fsGroup: 1001
# -- Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# @section -- Exporter parameters
containerSecurityContext:
# -- Enabled Penpot containers' security context
# @section -- Exporter parameters
enabled: true
# -- Set Penpot containers' security context runAsUser
# @section -- Exporter parameters
runAsUser: 1001
# -- Set Penpot containers' security context allowPrivilegeEscalation
# @section -- Exporter parameters
allowPrivilegeEscalation: false
# -- Set Penpot containers' security context capabilities to be dropped
# @section -- Exporter parameters
capabilities:
drop:
- all
# -- Set Penpot containers' security context readOnlyRootFilesystem
# @section -- Exporter parameters
readOnlyRootFilesystem: false
# -- Set Penpot container's security context runAsNonRoot
# @section -- Exporter parameters
runAsNonRoot: true
# -- Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# @section -- Exporter parameters