fix(ee): improve helm security (#560)

* fix(ee): improve helm security * fix imagePullSecrets * adjust resource limits * bump chart patch version * fix worker liveliness and readiness port
mend · Aug 18, 2024 · eb32b66 · eb32b66
1 parent db262e4
commit eb32b66
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 69 deletions.
diff --git a/helm-charts/mend-renovate-ee/Chart.yaml b/helm-charts/mend-renovate-ee/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: mend-renovate-enterprise-edition
-version: 2.0.0
+version: 2.0.1
 appVersion: 8.0.0
 description: Mend Renovate Enterprise Edition
 home: https://github.com/mend/renovate-ce-ee

diff --git a/helm-charts/mend-renovate-ee/templates/secret.yaml b/helm-charts/mend-renovate-ee/templates/secret.yaml
@@ -19,6 +19,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.license-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -37,6 +38,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.server-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -76,6 +78,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
+  namespace: {{ .Release.Namespace }}
   name: {{ include "mend-renovate.worker-secret-name" . }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}

diff --git a/helm-charts/mend-renovate-ee/templates/server-deployment.yaml b/helm-charts/mend-renovate-ee/templates/server-deployment.yaml
@@ -31,6 +31,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateServer.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -88,7 +89,7 @@ spec:
             {{- end }}
             {{- if or .Values.renovateServer.mendRnvGithubBotUserId }}
             - name: MEND_RNV_GITHUB_BOT_USER_ID
-              value:  {{ .Values.renovateServer.mendRnvGithubBotUserId | quote }}
+              value: {{ .Values.renovateServer.mendRnvGithubBotUserId | quote }}
             {{- end }}
             {{- if or .Values.renovateServer.mendRnvGithubAppKey .Values.renovateServer.existingSecret }}
             - name: MEND_RNV_GITHUB_APP_KEY
@@ -274,7 +275,7 @@ spec:
       {{- end }}
       {{- if .Values.renovateServer.imagePullSecrets }}
       imagePullSecrets:
-        - name: .Values.renovateServer.imagePullSecrets
+        - name:  {{ .Values.renovateServer.imagePullSecrets }}
       {{- end }}
       volumes:
         - name: {{ .Release.Name }}-database-volume
@@ -285,7 +286,7 @@ spec:
           emptyDir:
             medium: Memory
           {{- else }}
-          emptyDir: {}
+          emptyDir: { }
           {{- end }}
       {{- if ne (len .Values.renovateServer.extraVolumes) 0 }}
         {{ toYaml .Values.renovateServer.extraVolumes | nindent 8 | trim }}

diff --git a/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml b/helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.renovateWorker.podSecurityContext }}
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -43,7 +44,7 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.renovateWorker.image.repository }}:{{ .Values.renovateWorker.image.tag }}"
           imagePullPolicy: {{ .Values.renovateWorker.image.pullPolicy }}
-          {{- with .Values.renovateServer.containerSecurityContext }}
+          {{- with .Values.renovateWorker.containerSecurityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
@@ -124,18 +125,33 @@ spec:
             - name: LOG_FORMAT
               value: {{ .Values.renovateWorker.logFormat | quote }}
             {{- end }}
+          ports:
+            - name: ee-worker
+              containerPort: 8080
+              protocol: TCP
+          {{- with .Values.renovateWorker.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.renovateWorker.readinessProbe }}
+          readinessProbe:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.renovateWorker.resources | nindent 12 }}
           volumeMounts:
             - name: {{ .Release.Name }}-config-js-volume
+              readOnly: true
               mountPath: /usr/src/app/config.js
               subPath: config.js
             {{- if .Values.renovateWorker.npmrc }}
             - name: {{ .Release.Name }}-npmrc-volume
+              readOnly: true
               mountPath: /home/ubuntu/.npmrc
               subPath: .npmrc
             {{- end }}
             - name: {{ .Release.Name }}-cache-volume
+              readOnly: false
               mountPath: /tmp/renovate
           {{- if ne (len .Values.renovateWorker.extraVolumeMounts) 0 }}
             {{ toYaml .Values.renovateWorker.extraVolumeMounts | nindent 12 | trim }}
@@ -146,7 +162,7 @@ spec:
       {{- end }}
       {{- if .Values.renovateWorker.imagePullSecrets }}
       imagePullSecrets:
-        - name: .Values.renovateWorker.imagePullSecrets
+        - name: {{ .Values.renovateWorker.imagePullSecrets }}
       {{- end }}
       volumes:
         - name: {{ .Release.Name }}-config-js-volume
@@ -165,7 +181,7 @@ spec:
           emptyDir:
             medium: Memory
           {{- else }}
-          emptyDir: {}
+          emptyDir: { }
           {{- end }}
       {{- if ne (len .Values.renovateWorker.extraVolumes) 0 }}
         {{ toYaml .Values.renovateWorker.extraVolumes | nindent 8 | trim }}