Merge pull request 'Attic-hardening' (#125) from attic-hardening into main
Reviewed-on: #125
commit
2bd7fee2b8
7 changed files with 130 additions and 39 deletions
|
@ -4,7 +4,7 @@ description: A Nix binary caching server
|
||||||
# renovate: image=ghcr.io/zhaofengli/attic
|
# renovate: image=ghcr.io/zhaofengli/attic
|
||||||
appVersion: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
|
appVersion: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
|
||||||
type: application
|
type: application
|
||||||
version: 0.2.6
|
version: 0.2.7
|
||||||
maintainers:
|
maintainers:
|
||||||
- name: Tommy Skaug
|
- name: Tommy Skaug
|
||||||
email: tommy@skaug.me
|
email: tommy@skaug.me
|
||||||
|
|
|
@ -9,12 +9,56 @@ metadata:
|
||||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
|
||||||
spec:
|
spec:
|
||||||
|
priorityClassName: {{ .Values.priorityClassName | default "default" }}
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
containers:
|
containers:
|
||||||
- name: general-db-init
|
- name: general-db-init
|
||||||
image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
|
image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}"
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: {{ .Values.postgres.secretName }}
|
name: {{ .Values.postgres.secretName }}
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "500m"
|
||||||
|
memory: "512Mi"
|
||||||
|
requests:
|
||||||
|
cpu: "250m"
|
||||||
|
memory: "256Mi"
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop: ["ALL"]
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- "pg_isready -U $POSTGRES_USER"
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- "pg_isready -U $POSTGRES_USER"
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
backoffLimit: 3
|
backoffLimit: 3
|
||||||
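Review bot: `priorityClassName: {{ .Values.priorityClassName | default "default" }}` falls back to a PriorityClass literally named `default`, which Kubernetes does not ship (only `system-cluster-critical` and `system-node-critical` are built in), so a chart user who leaves the value unset has this hook Job rejected at admission with "no PriorityClass with name default was found"; the same line is added in the Deployment hunk and in the test-pod hunk. Emit the field only when it is set: `{{- with .Values.priorityClassName }}` / `priorityClassName: {{ . }}` / `{{- end }}`. The liveness and readiness probes on the one-shot `general-db-init` container run `pg_isready -U $POSTGRES_USER` with no `-h`, so they check the container's own local socket (or `PGHOST`, if the referenced secret happens to set it) rather than the database being initialised; presumably nothing listens locally there, so an init that outlives `initialDelaySeconds: 30` is killed by the liveness probe and the retry is charged against `backoffLimit: 3` — probes are better dropped from a Job whose success signal is its exit code. `runAsNonRoot: true` without `runAsUser` only starts if the `dbInit` image declares a non-root `USER`, which is not visible here; confirm that or add an explicit `runAsUser`.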
|
|
|
@ -13,11 +13,22 @@ spec:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: {{ include "attic.fullname" . }}
|
app: {{ include "attic.fullname" . }}
|
||||||
|
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
|
||||||
spec:
|
spec:
|
||||||
|
priorityClassName: {{ .Values.priorityClassName | default "default" }}
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
|
||||||
serviceAccountName: {{ include "attic.fullname" . }}
|
serviceAccountName: {{ include "attic.fullname" . }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ include "attic.fullname" . }}
|
- name: {{ include "attic.fullname" . }}
|
||||||
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
command: ["atticd"]
|
command: ["atticd"]
|
||||||
args: ["-f", "/var/lib/atticd/config.toml"]
|
args: ["-f", "/var/lib/atticd/config.toml"]
|
||||||
envFrom:
|
envFrom:
|
||||||
|
@ -36,10 +47,30 @@ spec:
|
||||||
mountPath: "/var/lib/atticd/config.toml"
|
mountPath: "/var/lib/atticd/config.toml"
|
||||||
subPath: config.toml
|
subPath: config.toml
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop: ["ALL"]
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /
|
||||||
|
port: http
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
volumes:
|
volumes:
|
||||||
- name: {{ include "attic.fullname" . }}
|
- name: {{ include "attic.fullname" . }}
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: {{ .Values.persistence.existingClaim }}
|
claimName: {{ .Values.persistence.existingClaim }}
|
||||||
- name: config
|
- name: config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ include "attic.fullname" . }}
|
name: {{ include "attic.fullname" . }}
|
||||||
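Review bot: The new `livenessProbe`/`readinessProbe` use `port: http`, which must match a `name: http` entry in the atticd container's own `ports:` list — the Service port name added elsewhere in this PR does not satisfy it — and that `ports:` block lies between the two hunks, outside what is shown; if it is missing or unnamed, both probes fail and the Deployment never becomes Ready. Make sure the container declares `ports:` / `- name: http` / `containerPort: 8080` (the Service already targets 8080), or switch the probes to a numeric `port: 8080`. With `readOnlyRootFilesystem: true`, atticd can only write to the PVC listed under `volumes:`, so any other path it writes (temporary or cache files, if it uses any) needs an `emptyDir` mount — worth a quick check that the chart's config.toml keeps every writable path on that claim. `image: {{ .Values.image.repository }}:{{ .Values.image.tag }}` is left as a plain scalar while the Job hunk quotes the same construct; quoting it here too keeps the templates consistent and avoids a YAML parse surprise if a tag ever contains a special character.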
|
|
|
@ -1,4 +1,3 @@
|
||||||
---
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -6,8 +5,11 @@ metadata:
|
||||||
labels:
|
labels:
|
||||||
{{- include "attic.labels" . | nindent 4 }}
|
{{- include "attic.labels" . | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
selector:
|
selector:
|
||||||
app: {{ include "attic.fullname" . }}
|
app: {{ include "attic.fullname" . }}
|
||||||
ports:
|
ports:
|
||||||
- port: 8080
|
- port: 8080
|
||||||
targetPort: 8080
|
targetPort: 8080
|
||||||
|
protocol: TCP
|
||||||
|
name: http
|
||||||
|
|
|
@ -1,7 +1,11 @@
|
||||||
---
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "attic.fullname" . }}
|
name: {{ include "attic.fullname" . }}
|
||||||
labels:
|
labels:
|
||||||
{{- include "attic.labels" . | nindent 4 }}
|
{{- include "attic.labels" . | nindent 4 }}
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.serviceAccountAnnotations }}
|
||||||
|
{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
automountServiceAccountToken: false
|
||||||
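Review bot: `annotations:` is emitted unconditionally while its only content sits inside `{{- if .Values.serviceAccountAnnotations }}`, so with the value unset the rendered ServiceAccount carries `annotations:` with a null value; kubectl tolerates that, but strict schema validators can flag it and it reads as a mistake. Move the key inside the conditional: `{{- with .Values.serviceAccountAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}`, keeping the existing `{{- end }}`. `automountServiceAccountToken: false` on the ServiceAccount matches the pod specs in this PR, which also disable it; a one-line comment above it stating why no pod needs the token (e.g. `# nothing in this chart calls the Kubernetes API` — assuming that is the reason) would record the intent for the next maintainer.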
|
|
|
@ -7,9 +7,50 @@ metadata:
|
||||||
annotations:
|
annotations:
|
||||||
"helm.sh/hook": test
|
"helm.sh/hook": test
|
||||||
spec:
|
spec:
|
||||||
|
priorityClassName: {{ .Values.priorityClassName | default "default" }}
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/instance: "{{ include "attic.fullname" . }}"
|
||||||
|
automountServiceAccountToken: false
|
||||||
containers:
|
containers:
|
||||||
- name: wget
|
- name: wget
|
||||||
image: busybox
|
image: busybox:stable
|
||||||
|
imagePullPolicy: Always
|
||||||
command: ['wget']
|
command: ['wget']
|
||||||
args: ['{{ include "attic.fullname" . }}:8080']
|
args: ['{{ include "attic.fullname" . }}:8080']
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "500m"
|
||||||
|
memory: "256Mi"
|
||||||
|
requests:
|
||||||
|
cpu: "250m"
|
||||||
|
memory: "128Mi"
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop: ["ALL"]
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- "wget -q --spider http://localhost:8080 || exit 1"
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
periodSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- "wget -q --spider http://localhost:8080 || exit 1"
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
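Review bot: `runAsNonRoot: true` is set without a `runAsUser`, and the `busybox:stable` image carries no `USER` instruction, so the kubelet refuses to start the container ("container has runAsNonRoot and image will run as root") and `helm test` fails before `wget` ever runs. Give the container an explicit non-root identity under `securityContext`: `runAsUser: 65534` / `runAsGroup: 65534`. Even then, busybox `wget` without `--spider` or `-O` saves the response to a file in the working directory, which `readOnlyRootFilesystem: true` now makes unwritable, so the test would fail on "Read-only file system" — change the args to `args: ['--spider', '{{ include "attic.fullname" . }}:8080']` (or add `-O /dev/null`). The liveness and readiness probes spider `http://localhost:8080` inside this pod, but the pod only runs one `wget` against the Service and exits; nothing listens on its own localhost, so readiness can never succeed and the probes add no signal to a `restartPolicy: Never` test pod — drop them.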
|
|
|
@ -1,31 +0,0 @@
|
||||||
config:
|
|
||||||
externalUrl: https://cache.example.com/
|
|
||||||
|
|
||||||
persistence:
|
|
||||||
existingClaim: attic
|
|
||||||
|
|
||||||
initContainers:
|
|
||||||
dbInit:
|
|
||||||
image:
|
|
||||||
repository: ghcr.io/onedr0p/postgres-init
|
|
||||||
tag: "16"
|
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: attic-secret
|
|
||||||
|
|
||||||
envFromSecret: attic-secret
|
|
||||||
|
|
||||||
image:
|
|
||||||
repository: ghcr.io/zhaofengli/attic
|
|
||||||
tag: 4dbdbee45728d8ce5788db6461aaaa89d98081f0
|
|
||||||
|
|
||||||
postgres:
|
|
||||||
secretName: attic-secret
|
|
||||||
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
memory: "3Gi"
|
|
||||||
cpu: "1000m"
|
|
||||||
# requests:
|
|
||||||
# cpu: 100m
|
|
||||||
# memory: 250Mi
|
|