Feature: improve deployment security and resilience (#14)
j-furtado authored Nov 3, 2022
1 parent 8caeec8 commit 443106f
Showing 7 changed files with 81 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/aiven-operator/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: aiven-operator
description: A Helm chart to deploy the aiven operator
type: application
version: v0.4.0
version: v0.4.1
appVersion: v0.4.0
maintainers:
- name: mhoffm-aiven
2 changes: 1 addition & 1 deletion charts/aiven-operator/templates/cluster_role_binding.yaml
Expand Up @@ -11,5 +11,5 @@ roleRef:
name: {{ include "aiven-operator.fullname" . }}-role
subjects:
- kind: ServiceAccount
name: default
name: {{ include "aiven-operator.serviceAccountName" . }}
namespace: {{ include "aiven-operator.namespace" . }}
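Review bot: The subject now resolves through `aiven-operator.serviceAccountName`, but none of the seven changed files defines that helper, and the same include is used in election_role_binding.yaml, deployment.yaml and serviceaccount.yaml; unless it already exists in the chart's `_helpers.tpl`, rendering fails. With the values.yaml defaults `serviceAccount.create: false` and `name: ""`, which account this ClusterRoleBinding grants cluster-wide permissions to depends entirely on the helper's fallback, presumably `default` as in the standard Helm scaffold — worth confirming, because that is the same situation as the hard-coded `default` this line replaces, so the dedicated-account improvement the commit title describes only materialises when `serviceAccount.create` is set to true. A comment above `subjects:` stating that contract, e.g. `# Binds to the chart-managed SA, or to the namespace default SA when serviceAccount.create is false`, would make the intent visible to whoever reviews the binding. The `roleRef` stanza starts above this hunk.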
7 changes: 7 additions & 0 deletions charts/aiven-operator/templates/deployment.yaml
Expand Up @@ -6,7 +6,9 @@ metadata:
labels:
{{- include "aiven-operator.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "aiven-operator.selectorLabels" . | nindent 6 }}
Expand All @@ -26,8 +28,13 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}

serviceAccountName: {{ include "aiven-operator.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
2 changes: 1 addition & 1 deletion charts/aiven-operator/templates/election_role_binding.yaml
Expand Up @@ -11,5 +11,5 @@ roleRef:
name: {{ include "aiven-operator.fullname" . }}-election-role
subjects:
- kind: ServiceAccount
name: default
name: {{ include "aiven-operator.serviceAccountName" . }}
namespace: {{ include "aiven-operator.namespace" . }}
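--- a/charts/aiven-operator/templates/hpa.yaml
+++ b/charts/aiven-operator/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+name: {{ include "aiven-operator.fullname" . }}
+labels:
+{{- include "aiven-operator.labels" . | nindent 4 }}
+spec:
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: {{ include "aiven-operator.fullname" . }}
+minReplicas: {{ .Values.autoscaling.minReplicas }}
+maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+metrics:
+{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+- type: Resource
+resource:
+name: cpu
+targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
+{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+- type: Resource
+resource:
+name: memory
+targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+{{- end }}
+{{- end }}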
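Review bot: `apiVersion: autoscaling/v2beta1` on the second line of the new file is removed in Kubernetes 1.25 (autoscaling/v2 has been GA since 1.23), so on a current cluster this template fails to apply as soon as `autoscaling.enabled` is true; the v2 API also replaces `targetAverageUtilization` with a `target` block. Because the HPA is only rendered on demand and the default is `enabled: false`, the default install is unaffected, which is probably why this was not caught. Moving to `autoscaling/v2` touches the apiVersion and both metric entries:
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
  {{- end }}
  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
  {{- end }}
```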
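--- a/charts/aiven-operator/templates/serviceaccount.yaml
+++ b/charts/aiven-operator/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "aiven-operator.serviceAccountName" . }}
+labels:
+{{- include "aiven-operator.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.annotations }}
+annotations:
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}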
31 changes: 31 additions & 0 deletions charts/aiven-operator/values.yaml
@@ -1,3 +1,7 @@
# Default values for aiven-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

nameOverride: ""
Expand All @@ -19,6 +23,15 @@ image:

imagePullSecrets: []

serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""

resources:
limits:
cpu: 100m
Expand All @@ -29,6 +42,24 @@ resources:

podAnnotations: {}

podSecurityContext: {}
# runAsNonRoot: true
# runAsUser: 65532

securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false

autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []
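Review bot: `podSecurityContext: {}` and `securityContext: {}` leave both new `securityContext` stanzas in deployment.yaml rendering as empty mappings, so a default install gains none of the hardening the commit title announces; the settings listed as comments directly beneath them are exactly the ones a namespace enforcing the restricted Pod Security Standard rejects when absent (`runAsNonRoot`, dropped capabilities, `allowPrivilegeEscalation: false`). Making them the shipped defaults instead of comments is a small values change, and a `seccompProfile` of type `RuntimeDefault` in the pod context is the remaining item that standard asks for. `runAsUser: 65532` assumes the operator image ships a non-root user with that UID, which is not visible here and should be checked against the image before enabling it. The hunk opens inside the `resources` mapping, which starts above it.
```yaml
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532

securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
# … unchanged: autoscaling, nodeSelector, tolerations …
```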
