Merge pull request 'Attic-hardening' (#125) from attic-hardening into main

Reviewed-on: #125
2024-11-14 21:22:04 +00:00 · 2024-11-14 21:22:04 +00:00 · 2bd7fee2b8
commit 2bd7fee2b8
parent eec8cec84e 3218db38db
7 changed files with 130 additions and 39 deletions
--- a/charts/attic/Chart.yaml
+++ b/charts/attic/Chart.yaml
@ -4,7 +4,7 @@ description: A Nix binary caching server
 # renovate: image=ghcr.io/zhaofengli/attic
 appVersion: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
 type: application
-version: 0.2.6
+version: 0.2.7
 maintainers:
 - name: Tommy Skaug
  email: tommy@skaug.me
--- a/charts/attic/templates/db-init.yaml
+++ b/charts/attic/templates/db-init.yaml
@ -9,12 +9,56 @@ metadata:
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
    spec:
+      priorityClassName: {{ .Values.priorityClassName | default "default" }}
+      automountServiceAccountToken: false
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
      restartPolicy: Never
      containers:
        - name: general-db-init
          image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
+          imagePullPolicy: IfNotPresent
          envFrom:
            - secretRef:
                name: {{ .Values.postgres.secretName }}
+          resources:
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+            requests:
+              cpu: "250m"
+              memory: "256Mi"
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "pg_isready -U $POSTGRES_USER"
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "pg_isready -U $POSTGRES_USER"
+            initialDelaySeconds: 5
+            periodSeconds: 10
  backoffLimit: 3
--- a/charts/attic/templates/deployment-server.yaml
+++ b/charts/attic/templates/deployment-server.yaml
@ -13,11 +13,22 @@ spec:
    metadata:
      labels:
        app: {{ include "attic.fullname" . }}
+        app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
    spec:
+      priorityClassName: {{ .Values.priorityClassName | default "default" }}
+      automountServiceAccountToken: false
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
      serviceAccountName: {{ include "attic.fullname" . }}
      containers:
      - name: {{ include "attic.fullname" . }}
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: IfNotPresent
        command: ["atticd"]
        args: ["-f", "/var/lib/atticd/config.toml"]
        envFrom:
@ -36,10 +47,30 @@ spec:
          mountPath: "/var/lib/atticd/config.toml"
          subPath: config.toml
          readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop: ["ALL"]
+          seccompProfile:
+            type: RuntimeDefault
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /
+            port: http
+          initialDelaySeconds: 5
+          periodSeconds: 10
      volumes:
        - name: {{ include "attic.fullname" . }}
          persistentVolumeClaim:
            claimName: {{ .Values.persistence.existingClaim }}
        - name: config
          configMap:
-            name: {{ include "attic.fullname" . }}
+            name: {{ include "attic.fullname" . }}
--- a/charts/attic/templates/service-server.yaml
+++ b/charts/attic/templates/service-server.yaml
@ -1,4 +1,3 @@
---
 apiVersion: v1
 kind: Service
 metadata:
@ -6,8 +5,11 @@ metadata:
  labels:
    {{- include "attic.labels" . | nindent 4 }}
 spec:
+  type: ClusterIP
  selector:
    app: {{ include "attic.fullname" . }}
  ports:
-  - port: 8080
-    targetPort: 8080
+    - port: 8080
+      targetPort: 8080
+      protocol: TCP
+      name: http
--- a/charts/attic/templates/serviceaccount.yaml
+++ b/charts/attic/templates/serviceaccount.yaml
@ -1,7 +1,11 @@
---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "attic.fullname" . }}
  labels:
-    {{- include "attic.labels" . | nindent 4 }}
+    {{- include "attic.labels" . | nindent 4 }}
+  annotations:
+    {{- if .Values.serviceAccountAnnotations }}
+    {{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
+    {{- end }}
+automountServiceAccountToken: false
--- a/charts/attic/templates/test/test-connection.yaml
+++ b/charts/attic/templates/test/test-connection.yaml
@ -7,9 +7,50 @@ metadata:
  annotations:
    "helm.sh/hook": test
 spec:
+  priorityClassName: {{ .Values.priorityClassName | default "default" }}
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
+  automountServiceAccountToken: false
  containers:
    - name: wget
-      image: busybox
+      image: busybox:stable
+      imagePullPolicy: Always
      command: ['wget']
      args: ['{{ include "attic.fullname" . }}:8080']
+      resources:
+        limits:
+          cpu: "500m"
+          memory: "256Mi"
+        requests:
+          cpu: "250m"
+          memory: "128Mi"
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        capabilities:
+          drop: ["ALL"]
+        seccompProfile:
+          type: RuntimeDefault
+      livenessProbe:
+        exec:
+          command:
+            - sh
+            - -c
+            - "wget -q --spider http://localhost:8080 || exit 1"
+        initialDelaySeconds: 30
+        periodSeconds: 10
+      readinessProbe:
+        exec:
+          command:
+            - sh
+            - -c
+            - "wget -q --spider http://localhost:8080 || exit 1"
+        initialDelaySeconds: 5
+        periodSeconds: 10
  restartPolicy: Never
--- a/charts/attic/tests/values.yaml
+++ b/charts/attic/tests/values.yaml
@ -1,31 +0,0 @@
-config:
-  externalUrl: https://cache.example.com/
-
-persistence:
-  existingClaim: attic
-
-initContainers:
-  dbInit:
-    image:
-      repository: ghcr.io/onedr0p/postgres-init
-      tag: "16"
-    envFrom:
-    - secretRef:
-        name: attic-secret
-
-envFromSecret: attic-secret
-
-image:
-  repository: ghcr.io/zhaofengli/attic
-  tag: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
-
-postgres:
-  secretName: attic-secret
-
-resources:
-  limits:
-    memory: "3Gi"
-    cpu: "1000m"
-#  requests:
-#    cpu: 100m
-#    memory: 250Mi