chore: Add default securityContext to personal charts

charts/ascii-movie/Chart.yaml

@@ -4,7 +4,7 @@ description: Star Wars movie SSH and Telnet server
 home: https://charts.gabe565.com/charts/ascii-movie/
 icon: https://raw.githubusercontent.com/gabe565/ascii-movie/a1fd5c9/assets/icon.svg
 type: application
-version: 0.13.2
+version: 0.14.0
 # renovate datasource=docker depName=ghcr.io/gabe565/ascii-movie
 appVersion: 1.7.2
 kubeVersion: ">=1.22.0-0"
@@ -21,8 +21,8 @@ sources:
   - https://github.com/gabe565/ascii-movie
 annotations:
   artifacthub.io/changes: |-
-    - kind: changed
-      description: Update ghcr.io/gabe565/ascii-movie docker tag to v1.7.2
+    - kind: added
+      description: Add default securityContext
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/gabe565/ascii-movie

charts/ascii-movie/README.md

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/gabe565/ascii-movie/a1fd5c9/assets/icon.svg" align="right" width="92" alt="ascii-movie logo">
 
-![Version: 0.13.2](https://img.shields.io/badge/Version-0.13.2-informational?style=flat)
+![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: 1.7.2](https://img.shields.io/badge/AppVersion-1.7.2-informational?style=flat)
 
@@ -11,7 +11,7 @@ Star Wars movie SSH and Telnet server
 **Homepage:** <https://charts.gabe565.com/charts/ascii-movie/>
 
 **This chart is not maintained by the upstream project and any issues with the chart should be raised
-[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=ascii-movie&version=0.13.2)**
+[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=ascii-movie&version=0.14.0)**
 
 ## Source Code
 
@@ -90,9 +90,11 @@ N/A
 | image.pullPolicy | string | `"Always"` | image pull policy |
 | image.repository | string | `"ghcr.io/gabe565/ascii-movie"` | image repository. |
 | image.tag | string | `"1.7.2"` | image tag |
+| podSecurityContext | object | `{"runAsNonRoot":true}` | Pod security context. |
 | secrets.ssh.enabled | string | `true` if SSH port is enabled, else `false` | Enables SSH host key volume. |
 | secrets.ssh.stringData.ssh_host_ed25519_key | string | Generated | SSH Ed25519 host key. |
 | secrets.ssh.stringData.ssh_host_rsa_key | string | Generated | SSH RSA host key. |
+| securityContext | object | `{"readOnlyRootFilesystem":true}` | Container security context. |
 | service | object | See [values.yaml](./values.yaml) | Configures service settings for the chart. |
 | serviceMonitor.main.enabled | bool | `false` | Enables or disables the serviceMonitor. |
 | serviceMonitor.main.endpoints | list | See [values.yaml](./values.yaml) | Configures the endpoints for the serviceMonitor. |

charts/ascii-movie/values.yaml

@@ -75,3 +75,11 @@ serviceMonitor:
         path: /metrics
         interval: 30s
         scrapeTimeout: 10s
+
+# -- Container security context.
+securityContext:
+  readOnlyRootFilesystem: true
+
+# -- Pod security context.
+podSecurityContext:
+  runAsNonRoot: true

charts/castsponsorskip/Chart.yaml

@@ -4,7 +4,7 @@ description: Skip sponsored YouTube content on all local Google Cast devices.
 home: https://charts.gabe565.com/charts/castsponsorskip/
 icon: https://raw.githubusercontent.com/gabe565/CastSponsorSkip/0c8c4d4f/assets/icon.svg
 type: application
-version: 0.6.4
+version: 0.7.0
 # renovate datasource=docker depName=ghcr.io/gabe565/castsponsorskip
 appVersion: 0.7.4
 kubeVersion: ">=1.22.0-0"
@@ -21,8 +21,8 @@ sources:
   - https://github.com/gabe565/CastSponsorSkip
 annotations:
   artifacthub.io/changes: |-
-    - kind: changed
-      description: Update ghcr.io/gabe565/castsponsorskip docker tag to v0.7.4
+    - kind: added
+      description: Add default securityContext
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/gabe565/CastSponsorSkip

charts/castsponsorskip/README.md

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/gabe565/CastSponsorSkip/0c8c4d4f/assets/icon.svg" align="right" width="92" alt="castsponsorskip logo">
 
-![Version: 0.6.4](https://img.shields.io/badge/Version-0.6.4-informational?style=flat)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: 0.7.4](https://img.shields.io/badge/AppVersion-0.7.4-informational?style=flat)
 
@@ -11,7 +11,7 @@ Skip sponsored YouTube content on all local Google Cast devices.
 **Homepage:** <https://charts.gabe565.com/charts/castsponsorskip/>
 
 **This chart is not maintained by the upstream project and any issues with the chart should be raised
-[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=castsponsorskip&version=0.6.4)**
+[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=castsponsorskip&version=0.7.0)**
 
 ## Source Code
 
@@ -89,8 +89,10 @@ N/A
 | controllers.main.containers.main.image.pullPolicy | string | `"IfNotPresent"` | image pull policy |
 | controllers.main.containers.main.image.repository | string | `"ghcr.io/gabe565/castsponsorskip"` | image repository |
 | controllers.main.containers.main.image.tag | string | `"0.7.4"` | image tag |
+| controllers.main.containers.main.securityContext | object | `{"readOnlyRootFilesystem":true}` | Container security context. |
 | controllers.main.pod.dnsPolicy | string | `"ClusterFirst"` | When hostNetwork is true set dnsPolicy to `ClusterFirstWithHostNet` |
 | controllers.main.pod.hostNetwork | bool | `true` | Enable devices to be discoverable |
+| controllers.main.pod.securityContext | object | `{"runAsNonRoot":true}` | Pod security context. |
 | controllers.main.strategy | string | `"RollingUpdate"` | Set the controller upgrade strategy |
 
 ---

charts/castsponsorskip/values.yaml

@@ -27,13 +27,19 @@ controllers:
           # CSS_CATEGORIES: sponsor
           # CSS_YOUTUBE_API_KEY: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe
           # CSS_NETWORK_INTERFACE:
+        # -- Container security context.
+        securityContext:
+          readOnlyRootFilesystem: true
     # -- Set the controller upgrade strategy
     strategy: RollingUpdate
     pod:
       # -- Enable devices to be discoverable
       hostNetwork: true
       # -- When hostNetwork is true set dnsPolicy to `ClusterFirstWithHostNet`
       dnsPolicy: ClusterFirst
+      # -- Pod security context.
+      securityContext:
+        runAsNonRoot: true
 
 # @ignored
 service:

charts/domain-watch/Chart.yaml

@@ -4,7 +4,7 @@ description: Tool to watch whois reports and notify when statuses change or expi
 home: https://charts.gabe565.com/charts/domain-watch/
 icon: https://raw.githubusercontent.com/gabe565/domain-watch/4bae98d/assets/icon.svg
 type: application
-version: 1.0.1
+version: 1.1.0
 # renovate datasource=docker depName=ghcr.io/gabe565/domain-watch
 appVersion: latest
 kubeVersion: ">=1.22.0-0"
@@ -20,8 +20,8 @@ sources:
   - https://github.com/gabe565/domain-watch
 annotations:
   artifacthub.io/changes: |-
-    - kind: changed
-      description: Update icon
+    - kind: added
+      description: Add default securityContext
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/gabe565/domain-watch

charts/domain-watch/README.md

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/gabe565/domain-watch/4bae98d/assets/icon.svg" align="right" width="92" alt="domain-watch logo">
 
-![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat)
 
@@ -11,7 +11,7 @@ Tool to watch whois reports and notify when statuses change or expiration is inc
 **Homepage:** <https://charts.gabe565.com/charts/domain-watch/>
 
 **This chart is not maintained by the upstream project and any issues with the chart should be raised
-[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=domain-watch&version=1.0.1)**
+[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=domain-watch&version=1.1.0)**
 
 ## Source Code
 
@@ -94,6 +94,8 @@ N/A
 | controllers.main.containers.main.image.pullPolicy | string | `"Always"` | image pull policy |
 | controllers.main.containers.main.image.repository | string | `"ghcr.io/gabe565/domain-watch"` | image repository |
 | controllers.main.containers.main.image.tag | string | `"latest"` | image tag |
+| controllers.main.containers.main.securityContext | object | `{"readOnlyRootFilesystem":true}` | Container security context. |
+| controllers.main.pod.securityContext | object | `{"runAsNonRoot":true}` | Pod security context. |
 | controllers.main.strategy | string | `"RollingUpdate"` | Set the controller upgrade strategy |
 | service | object | See [values.yaml](./values.yaml) | Configures service settings for the chart. |
 | serviceMonitor.main.enabled | bool | `false` | Enables or disables the serviceMonitor. |

charts/domain-watch/values.yaml

@@ -38,9 +38,18 @@ controllers:
           # -- Log format. Valid options are text, json.
           WATCH_LOG_FORMAT: text
 
+        # -- Container security context.
+        securityContext:
+          readOnlyRootFilesystem: true
+
     # -- Set the controller upgrade strategy
     strategy: RollingUpdate
 
+    pod:
+      # -- Pod security context.
+      securityContext:
+        runAsNonRoot: true
+
 # -- Configures service settings for the chart.
 # @default -- See [values.yaml](./values.yaml)
 service:

charts/matrimony/Chart.yaml

@@ -4,7 +4,7 @@ description: Self-hosted wedding site configured via YAML
 home: https://charts.gabe565.com/charts/matrimony/
 icon: https://raw.githubusercontent.com/gabe565/matrimony/b13163b/frontend/public/img/logo.svg
 type: application
-version: 0.6.2
+version: 0.7.0
 # renovate datasource=docker depName=ghcr.io/gabe565/matrimony
 appVersion: latest
 kubeVersion: ">=1.22.0-0"
@@ -16,8 +16,8 @@ sources:
   - https://github.com/gabe565/matrimony
 annotations:
   artifacthub.io/changes: |-
-    - kind: changed
-      description: Pin bjw-s common chart links to v1
+    - kind: added
+      description: Add default securityContext
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/gabe565/matrimony

charts/matrimony/README.md

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/gabe565/matrimony/b13163b/frontend/public/img/logo.svg" align="right" width="92" alt="matrimony logo">
 
-![Version: 0.6.2](https://img.shields.io/badge/Version-0.6.2-informational?style=flat)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat)
 
@@ -11,7 +11,7 @@ Self-hosted wedding site configured via YAML
 **Homepage:** <https://charts.gabe565.com/charts/matrimony/>
 
 **This chart is not maintained by the upstream project and any issues with the chart should be raised
-[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=matrimony&version=0.6.2)**
+[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=matrimony&version=0.7.0)**
 
 ## Source Code
 
@@ -91,7 +91,8 @@ N/A
 | image.tag | string | `"latest"` | image tag |
 | ingress.main | object | See [values.yaml](./values.yaml) | Enable and configure ingress settings for the chart under this key. |
 | persistence.data | object | See [values.yaml](./values.yaml) | Configure persistence settings for the chart under this key. |
-| podSecurityContext.fsGroup | int | `1000` | Volume group permissions |
+| podSecurityContext | object | `{"fsGroup":1000,"runAsNonroot":true}` | Pod security context. |
+| securityContext | object | `{"readOnlyRootFilesystem":true}` | Container security context. |
 | service | object | See [values.yaml](./values.yaml) | Configures service settings for the chart. |
 
 ---

charts/matrimony/values.yaml

@@ -53,6 +53,11 @@ persistence:
     # accessMode: ReadWriteOnce
     # size: 1Gi
 
+# -- Container security context.
+securityContext:
+  readOnlyRootFilesystem: true
+
+# -- Pod security context.
 podSecurityContext:
-  # -- Volume group permissions
   fsGroup: 1000
+  runAsNonroot: true

charts/relax-sounds/Chart.yaml

@@ -4,7 +4,7 @@ description: Relax Sounds is a website that lets you stream relaxing sounds to y
 home: https://charts.gabe565.com/charts/relax-sounds/
 icon: https://github.com/gabe565/relax-sounds/raw/3e55b07/frontend/src/assets/icon-purple.svg
 type: application
-version: 1.0.0
+version: 1.1.0
 # renovate datasource=docker depName=ghcr.io/gabe565/relax-sounds
 appVersion: latest
 kubeVersion: ">=1.22.0-0"
@@ -16,8 +16,8 @@ sources:
   - https://github.com/gabe565/relax-sounds
 annotations:
   artifacthub.io/changes: |-
-    - kind: changed
-      description: Update common helm release to v2
+    - kind: added
+      description: Add default securityContext
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/gabe565/relax-sounds

charts/relax-sounds/README.md

@@ -2,7 +2,7 @@
 
 <img src="https://github.com/gabe565/relax-sounds/raw/3e55b07/frontend/src/assets/icon-purple.svg" align="right" width="92" alt="relax-sounds logo">
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat)
 
@@ -11,7 +11,7 @@ Relax Sounds is a website that lets you stream relaxing sounds to your browser o
 **Homepage:** <https://charts.gabe565.com/charts/relax-sounds/>
 
 **This chart is not maintained by the upstream project and any issues with the chart should be raised
-[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=relax-sounds&version=1.0.0)**
+[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=relax-sounds&version=1.1.0)**
 
 ## Source Code
 
@@ -88,7 +88,8 @@ N/A
 | controllers.main.containers.main.image.pullPolicy | string | `"Always"` | image pull policy |
 | controllers.main.containers.main.image.repository | string | `"ghcr.io/gabe565/relax-sounds"` | image repository |
 | controllers.main.containers.main.image.tag | string | `"latest"` | image tag |
-| controllers.main.pod.securityContext.fsGroup | int | `1000` | Volume group permissions |
+| controllers.main.containers.main.securityContext | object | `{"readOnlyRootFilesystem":true}` | Container security context. |
+| controllers.main.pod.securityContext | object | `{"fsGroup":1000,"runAsNonRoot":true}` | Pod security context. |
 | ingress.main | object | See [values.yaml](./values.yaml) | Enable and configure ingress settings for the chart under this key. |
 | persistence.data | object | See [values.yaml](./values.yaml) | Configure persistence settings for the chart under this key. |
 | service | object | See [values.yaml](./values.yaml) | Configures service settings for the chart. |

charts/relax-sounds/values.yaml

@@ -21,10 +21,15 @@ controllers:
         # @default -- See [values.yaml](./values.yaml)
         env: {}
 
+        # -- Container security context.
+        securityContext:
+          readOnlyRootFilesystem: true
+
     pod:
+      # -- Pod security context.
       securityContext:
-        # -- Volume group permissions
         fsGroup: 1000
+        runAsNonRoot: true
 
 # -- Configures service settings for the chart.
 # @default -- See [values.yaml](./values.yaml)

charts/transsmute/Chart.yaml

@@ -4,7 +4,7 @@ description: Transsmute builds RSS feeds for websites that don't provide them.
 home: https://charts.gabe565.com/charts/transsmute/
 icon: https://raw.githubusercontent.com/gabe565/transsmute/ce624f8/assets/icon.svg
 type: application
-version: 1.0.0
+version: 1.1.0
 # renovate datasource=docker depName=ghcr.io/gabe565/transsmute
 appVersion: latest
 kubeVersion: ">=1.22.0-0"
@@ -20,8 +20,8 @@ sources:
   - https://github.com/gabe565/transsmute
 annotations:
   artifacthub.io/changes: |-
-    - kind: changed
-      description: BREAKING - Update common helm release to v2
+    - kind: added
+      description: Add default securityContext
   artifacthub.io/links: |-
     - name: App Source
       url: https://github.com/gabe565/transsmute

charts/transsmute/README.md

@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/gabe565/transsmute/ce624f8/assets/icon.svg" align="right" width="92" alt="transsmute logo">
 
-![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat)
 
@@ -11,7 +11,7 @@ Transsmute builds RSS feeds for websites that don't provide them.
 **Homepage:** <https://charts.gabe565.com/charts/transsmute/>
 
 **This chart is not maintained by the upstream project and any issues with the chart should be raised
-[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=transsmute&version=1.0.0)**
+[here](https://github.com/gabe565/charts/issues/new?assignees=gabe565&labels=bug&template=bug_report.yaml&name=transsmute&version=1.1.0)**
 
 ## Source Code
 
@@ -88,6 +88,8 @@ N/A
 | controllers.main.containers.main.image.pullPolicy | string | `"Always"` | image pull policy |
 | controllers.main.containers.main.image.repository | string | `"ghcr.io/gabe565/transsmute"` | image repository |
 | controllers.main.containers.main.image.tag | string | `"latest"` | image tag |
+| controllers.main.containers.main.securityContext | object | `{"readOnlyRootFilesystem":true}` | Container security context. |
+| controllers.main.pod.securityContext | object | `{"runAsNonRoot":true}` | Pod security context. |
 | controllers.main.strategy | string | `"RollingUpdate"` | Set the controller upgrade strategy |
 | ingress.main | object | See [values.yaml](./values.yaml) | Enable and configure ingress settings for the chart under this key. |
 | service | object | See [values.yaml](./values.yaml) | Configures service settings for the chart. |

charts/transsmute/values.yaml

@@ -26,9 +26,18 @@ controllers:
           # TRANSSMUTE_GHCR_USERNAME: ""
           # TRANSSMUTE_GHCR_PASSWORD: ""
 
+        # -- Container security context.
+        securityContext:
+          readOnlyRootFilesystem: true
+
     # -- Set the controller upgrade strategy
     strategy: RollingUpdate
 
+    pod:
+      # -- Pod security context.
+      securityContext:
+        runAsNonRoot: true
+
 # -- Configures service settings for the chart.
 # @default -- See [values.yaml](./values.yaml)
 service: