Merge pull request 'Attic-hardening' (#125) from attic-hardening into main

Reviewed-on: #125
Tommy 2024-11-14 21:22:04 +00:00 committed by Mooo[bot]
commit 2bd7fee2b8
Signed by: Mooo[bot]
GPG key ID: CF3AFE4D5B62BB9A
7 changed files with 130 additions and 39 deletions


@ -4,7 +4,7 @@ description: A Nix binary caching server
# renovate: image=ghcr.io/zhaofengli/attic # renovate: image=ghcr.io/zhaofengli/attic
appVersion: 4dbdbee45728d8ce5788db6461aaaa89d98081f0 appVersion: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
type: application type: application
version: 0.2.6 version: 0.2.7
maintainers: maintainers:
- name: Tommy Skaug - name: Tommy Skaug
email: tommy@skaug.me email: tommy@skaug.me


@ -9,12 +9,56 @@ metadata:
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec: spec:
template: template:
metadata:
labels:
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
spec: spec:
priorityClassName: {{ .Values.priorityClassName | default "default" }}
automountServiceAccountToken: false
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
restartPolicy: Never restartPolicy: Never
containers: containers:
- name: general-db-init - name: general-db-init
image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}" image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
imagePullPolicy: IfNotPresent
envFrom: envFrom:
- secretRef: - secretRef:
name: {{ .Values.postgres.secretName }} name: {{ .Values.postgres.secretName }}
resources:
limits:
cpu: "500m"
memory: "512Mi"
requests:
cpu: "250m"
memory: "256Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault
livenessProbe:
exec:
command:
- sh
- -c
- "pg_isready -U $POSTGRES_USER"
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- sh
- -c
- "pg_isready -U $POSTGRES_USER"
initialDelaySeconds: 5
periodSeconds: 10
backoffLimit: 3 backoffLimit: 3
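Review bot: The liveness and readiness probes added to the `general-db-init` container do not fit a one-shot Job: `pg_isready -U $POSTGRES_USER` is run without `-h`, so unless the secret referenced by `.Values.postgres.secretName` also supplies `PGHOST` it checks localhost, where no server runs, and with `restartPolicy: Never` and `backoffLimit: 3` a liveness failure after the 30 s delay (about a minute with the default failure threshold) kills a still-running init and burns a retry; a readiness probe has no effect on a Job pod at all. I would drop both probe blocks here, and the equivalent exec probes on the busybox test pod later in this PR, and keep probes on the long-running atticd Deployment only. Separately, `runAsNonRoot: true` is set without `runAsUser`: if the postgres-init image does not declare a non-root `USER`, the kubelet refuses to start the container with "container has runAsNonRoot and image will run as root"; the same applies to the atticd Deployment and the test pod, and the official busybox image does run as root by default, so that one needs an explicit `runAsUser` (e.g. `runAsUser: 65534`) for certain. The enclosing Job spec starts before this hunk.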


@ -13,11 +13,22 @@ spec:
metadata: metadata:
labels: labels:
app: {{ include "attic.fullname" . }} app: {{ include "attic.fullname" . }}
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
spec: spec:
priorityClassName: {{ .Values.priorityClassName | default "default" }}
automountServiceAccountToken: false
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
serviceAccountName: {{ include "attic.fullname" . }} serviceAccountName: {{ include "attic.fullname" . }}
containers: containers:
- name: {{ include "attic.fullname" . }} - name: {{ include "attic.fullname" . }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }} image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command: ["atticd"] command: ["atticd"]
args: ["-f", "/var/lib/atticd/config.toml"] args: ["-f", "/var/lib/atticd/config.toml"]
envFrom: envFrom:
@ -36,10 +47,30 @@ spec:
mountPath: "/var/lib/atticd/config.toml" mountPath: "/var/lib/atticd/config.toml"
subPath: config.toml subPath: config.toml
readOnly: true readOnly: true
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 5
periodSeconds: 10
volumes: volumes:
- name: {{ include "attic.fullname" . }} - name: {{ include "attic.fullname" . }}
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim }} claimName: {{ .Values.persistence.existingClaim }}
- name: config - name: config
configMap: configMap:
name: {{ include "attic.fullname" . }} name: {{ include "attic.fullname" . }}
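Review bot: The new `httpGet` probes use `port: http`, which must resolve to a named *container* port; the `name: http` added to the Service in this same PR does not satisfy that. The container's `ports:` block lies outside this hunk, so if it does not declare `- name: http` with `containerPort: 8080`, the kubelet reports the probe port as not found and the pod never becomes ready — either add that named containerPort or use `port: 8080` in both probes. Before merging `readOnlyRootFilesystem: true`, confirm that atticd writes nowhere except the mounted PVC (a scratch directory would need an `emptyDir` mount) and that `/` is a path it answers without authentication, otherwise the probes fail on a healthy instance. The enclosing Deployment spec begins before this hunk.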


@ -1,4 +1,3 @@
---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
@ -6,8 +5,11 @@ metadata:
labels: labels:
{{- include "attic.labels" . | nindent 4 }} {{- include "attic.labels" . | nindent 4 }}
spec: spec:
type: ClusterIP
selector: selector:
app: {{ include "attic.fullname" . }} app: {{ include "attic.fullname" . }}
ports: ports:
- port: 8080 - port: 8080
targetPort: 8080 targetPort: 8080
protocol: TCP
name: http


@ -1,7 +1,11 @@
---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "attic.fullname" . }} name: {{ include "attic.fullname" . }}
labels: labels:
{{- include "attic.labels" . | nindent 4 }} {{- include "attic.labels" . | nindent 4 }}
annotations:
{{- if .Values.serviceAccountAnnotations }}
{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
{{- end }}
automountServiceAccountToken: false
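Review bot: `annotations:` on the ServiceAccount is emitted unconditionally while its body sits inside the `if`, so with `serviceAccountAnnotations` unset the rendered manifest contains a bare `annotations:` key (null); the API server tolerates it, but yamllint's empty-values rule and schema validators may reject it. Move the key inside the conditional: `{{- with .Values.serviceAccountAnnotations }}`, `  annotations:`, `    {{- toYaml . | nindent 4 }}`, keeping the existing `{{- end }}`. `automountServiceAccountToken: false` here is consistent with the pod-level setting in the Deployment and is the right default for a workload that never calls the Kubernetes API.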


@ -7,9 +7,50 @@ metadata:
annotations: annotations:
"helm.sh/hook": test "helm.sh/hook": test
spec: spec:
priorityClassName: {{ .Values.priorityClassName | default "default" }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
automountServiceAccountToken: false
containers: containers:
- name: wget - name: wget
image: busybox image: busybox:stable
imagePullPolicy: Always
command: ['wget'] command: ['wget']
args: ['{{ include "attic.fullname" . }}:8080'] args: ['{{ include "attic.fullname" . }}:8080']
resources:
limits:
cpu: "500m"
memory: "256Mi"
requests:
cpu: "250m"
memory: "128Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault
livenessProbe:
exec:
command:
- sh
- -c
- "wget -q --spider http://localhost:8080 || exit 1"
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- sh
- -c
- "wget -q --spider http://localhost:8080 || exit 1"
initialDelaySeconds: 5
periodSeconds: 10
restartPolicy: Never restartPolicy: Never
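Review bot: With the new `readOnlyRootFilesystem: true`, the unchanged test command `wget '{{ include "attic.fullname" . }}:8080'` is likely to fail for the wrong reason: busybox wget without `--spider` or `-O` saves the response as `index.html` in the working directory, which is now read-only, so `helm test` reports a failure even when the cache answers. Use `args: ['--spider', '{{ include "attic.fullname" . }}:8080']` (or add `-O /dev/null`) so the test only checks reachability; any volumes on this pod would be outside the hunk, so I cannot see a writable mount that would avoid this. Pinning `busybox:stable` is an improvement over the bare tag; with `imagePullPolicy: Always` on a floating tag, a digest pin would make the test image reproducible as well.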


@ -1,31 +0,0 @@
config:
externalUrl: https://cache.example.com/
persistence:
existingClaim: attic
initContainers:
dbInit:
image:
repository: ghcr.io/onedr0p/postgres-init
tag: "16"
envFrom:
- secretRef:
name: attic-secret
envFromSecret: attic-secret
image:
repository: ghcr.io/zhaofengli/attic
tag: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
postgres:
secretName: attic-secret
resources:
limits:
memory: "3Gi"
cpu: "1000m"
# requests:
# cpu: 100m
# memory: 250Mi