fix: #404 - Change Redis image to run as non-root user (#405)

* fix: #404 - Set Security Context for Redis Pod

* Separate Container and Pod Security Context for Redis

* Bump Chart Version

* Syntax fix

* Also set Group in Redis Security Context
Frederik Weber 2020-07-15 19:18:47 +02:00 committed by GitHub
parent bc78e3cbe1
commit 9b80bd95e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 10 additions and 3 deletions


@ -2,7 +2,7 @@ apiVersion: v1
appVersion: "1.6.1" appVersion: "1.6.1"
description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes. description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd name: argo-cd
version: 2.5.3 version: 2.5.4
home: https://github.com/argoproj/argo-helm home: https://github.com/argoproj/argo-helm
icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
keywords: keywords:


@ -311,6 +311,7 @@ through `xxx.extraArgs`
| redis.podLabels | Labels for the Redis server pods | `{}` | | redis.podLabels | Labels for the Redis server pods | `{}` |
| redis.priorityClassName | Priority class for redis | `""` | | redis.priorityClassName | Priority class for redis | `""` |
| redis.resources | Resource limits and requests for redis | `{}` | | redis.resources | Resource limits and requests for redis | `{}` |
| redis.securityContext | Redis Pod Security Context | See [values.yaml](values.yaml) |
| redis.servicePort | Redis service port | `6379` | | redis.servicePort | Redis service port | `6379` |
| redis.tolerations | [Tolerations for use with node taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` | | redis.tolerations | [Tolerations for use with node taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | `[]` |
| redis-ha | Configures [Redis HA subchart](https://github.com/helm/charts/tree/master/stable/redis-ha) The properties below have been changed from the subchart defaults | | | redis-ha | Configures [Redis HA subchart](https://github.com/helm/charts/tree/master/stable/redis-ha) The properties below have been changed from the subchart defaults | |


@ -41,8 +41,8 @@ spec:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
automountServiceAccountToken: false automountServiceAccountToken: false
{{- if .Values.global.securityContext }} {{- if .Values.redis.securityContext }}
securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} securityContext: {{- toYaml .Values.redis.securityContext | nindent 8 }}
{{- end }} {{- end }}
containers: containers:
- name: {{ template "argo-cd.redis.fullname" . }} - name: {{ template "argo-cd.redis.fullname" . }}
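Review bot: With the guard now on `.Values.redis.securityContext` alone, a `global.securityContext` that an operator set is no longer applied to the Redis pod, and if `redis.securityContext` is cleared (for example on a cluster that assigns UIDs itself) the pod is rendered with no pod-level securityContext at all. Falling back to the global value keeps those installs covered: `{{- with .Values.redis.securityContext | default .Values.global.securityContext }}` followed by `securityContext: {{- toYaml . | nindent 8 }}`. Sprig's `default` treats an empty map as unset, so `redis.securityContext: {}` would then pick up the global context instead of dropping it. The pod spec this sits in starts before and continues past the hunk, so whether the container-level context further down covers the gap cannot be checked from here.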

View file

@ -277,6 +277,12 @@ redis:
# drop: # drop:
# - all # - all
## Redis Pod specific security context
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
resources: {} resources: {}
# limits: # limits: