From 02d6e8987c1bc53bed08fa5e749d34c042c0daed Mon Sep 17 00:00:00 2001 
From: Brandon Foley Date: Wed, 6 Nov 2024 11:11:35 -0500 Subject: [PATCH 01/11] Adding Configman handling to deployments --- pkg/config/draftconfig.go | 4 +- pkg/config/draftconfig_template_test.go | 7 ++ pkg/config/transformers/transformers.go | 19 ++++- pkg/config/validators/validators.go | 14 +++ .../helm/charts/templates/_helpers.tpl | 1 + .../helm/charts/templates/configmap.yaml | 11 +++ .../helm/charts/templates/deployment.yaml | 17 ++-- .../deployments/helm/charts/values.yaml | 85 +++++++++++++++---- .../deployments/kustomize/base/configmap.yaml | 6 ++ .../kustomize/base/deployment.yaml | 69 ++++++++++++++- .../kustomize/base/kustomization.yaml | 3 +- .../deployments/kustomize/base/service.yaml | 1 + .../manifest/manifests/configmap.yaml | 8 ++ .../manifest/manifests/deployment.yaml | 71 +++++++++++++++- .../manifest/manifests/service.yaml | 1 + pkg/fixtures/validatetemplate.go | 5 +- pkg/handlers/template_test.go | 8 +- .../helm/charts/templates/_helpers.tpl | 1 + .../helm/charts/templates/configmap.yaml | 15 ++++ .../helm/charts/templates/deployment.yaml | 23 +++-- template/deployments/helm/charts/values.yaml | 85 +++++++++++++++---- template/deployments/helm/draft.yaml | 80 +++++++++++++++++ .../deployments/kustomize/base/configmap.yaml | 9 ++ .../kustomize/base/deployment.yaml | 73 +++++++++++++++- .../kustomize/base/kustomization.yaml | 3 +- .../deployments/kustomize/base/service.yaml | 1 + template/deployments/kustomize/draft.yaml | 80 +++++++++++++++++ template/deployments/manifests/draft.yaml | 80 +++++++++++++++++ .../manifests/manifests/configmap.yaml | 9 ++ .../manifests/manifests/deployment.yaml | 69 ++++++++++++++- .../manifests/manifests/service.yaml | 1 + 31 files changed, 792 insertions(+), 67 deletions(-) create mode 100644 pkg/fixtures/deployments/helm/charts/templates/configmap.yaml create mode 100644 pkg/fixtures/deployments/kustomize/base/configmap.yaml create mode 100644 pkg/fixtures/deployments/manifest/manifests/configmap.yaml create 
mode 100644 template/deployments/helm/charts/templates/configmap.yaml create mode 100644 template/deployments/kustomize/base/configmap.yaml create mode 100644 template/deployments/manifests/manifests/configmap.yaml
diff --git a/pkg/config/draftconfig.go b/pkg/config/draftconfig.go
index 1fa8465f..c08863dd 100644
--- a/pkg/config/draftconfig.go
+++ b/pkg/config/draftconfig.go
@@ -16,7 +16,7 @@ import (
 const draftConfigFile = "draft.yaml"
 
 type VariableValidator func(string) error
-type VariableTransformer func(string) (string, error)
+type VariableTransformer func(string) (any, error)
 
 type DraftConfig struct {
 TemplateName string `yaml:"templateName"`
@@ -99,7 +99,7 @@ func (d *DraftConfig) GetVariable(name string) (*BuilderVar, error) {
 return nil, fmt.Errorf("variable %s not found", name)
 }
 
-func (d *DraftConfig) GetVariableValue(name string) (string, error) {
+func (d *DraftConfig) GetVariableValue(name string) (any, error) {
 for _, variable := range d.Variables {
 if variable.Name == name {
 if variable.Value == "" {
diff --git a/pkg/config/draftconfig_template_test.go b/pkg/config/draftconfig_template_test.go
index 6eac2791..c3873682 100644
--- a/pkg/config/draftconfig_template_test.go
+++ b/pkg/config/draftconfig_template_test.go
@@ -40,12 +40,19 @@ var validVariableKinds = map[string]bool{
 "containerImageVersion": true,
 "dirPath": true,
 "dockerFileName": true,
+ "envVarMap": true,
 "filePath": true,
 "flag": true,
 "helmChartOverrides": true,
 "ingressHostName": true,
 "kubernetesNamespace": true,
+ "kubernetesProbePeriod": true,
+ "kubernetesProbeTimeout": true,
+ "kubernetesProbeThreshold": true,
+ "kubernetesProbeDelay": true,
+ "kubernetesResourceLimit": true,
 "kubernetesResourceName": true,
+ "kubernetesResourceRequest": true,
 "label": true,
 "port": true,
 "repositoryBranch": true,
diff --git a/pkg/config/transformers/transformers.go b/pkg/config/transformers/transformers.go
index 48fce997..1de0ddf8 100644
--- a/pkg/config/transformers/transformers.go
+++ b/pkg/config/transformers/transformers.go
@@ -1,12 +1,27 @@
 package transformers
 
-func GetTransformer(variableKind string) func(string) (string, error) {
+import (
+ "encoding/json"
+ "fmt"
+)
+
+func GetTransformer(variableKind string) func(string) (any, error) {
 switch variableKind {
+ case "envVarMap":
+ return EnvironmentVariableMapTransformer
 default:
 return DefaultTransformer
 }
 }
 
-func DefaultTransformer(inputVar string) (string, error) {
+func EnvironmentVariableMapTransformer(inputVar string) (any, error) {
+ var inputVarMap map[string]string
+ if err := json.Unmarshal([]byte(inputVar), &inputVarMap); err != nil {
+ return "", fmt.Errorf("failed to unmarshal variable as map[string]string: %s", err)
+ }
+ return inputVarMap, nil
+}
+
+func DefaultTransformer(inputVar string) (any, error) {
 return inputVar, nil
 }
diff --git a/pkg/config/validators/validators.go b/pkg/config/validators/validators.go
index 2c7e5c9f..a2c750e3 100644
--- a/pkg/config/validators/validators.go
+++ b/pkg/config/validators/validators.go
@@ -1,12 +1,26 @@
 package validators
 
+import (
+ "encoding/json"
+ "fmt"
+)
+
 func GetValidator(variableKind string) func(string) error {
 switch variableKind {
+ case "envVarMap":
+ return KeyValueMapValidator
 default:
 return DefaultValidator
 }
 }
 
+func KeyValueMapValidator(input string) error {
+ if err := json.Unmarshal([]byte(input), &map[string]string{}); err != nil {
+ return fmt.Errorf("failed to unmarshal variable as map[string]string: %s", err)
+ }
+ return nil
+}
+
 func DefaultValidator(input string) error {
 return nil
 }
diff --git a/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl b/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl
index 276b51f5..ae2123a7 100644
--- a/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl
+++ b/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl
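Review bot: In EnvironmentVariableMapTransformer the error branch returns `""` alongside the error and formats the json error with `%s`, which discards the error chain for callers using `errors.Is`/`errors.As`; since the function now returns `any`, return `nil` and wrap with `%w`: `return nil, fmt.Errorf("unmarshal variable as map[string]string: %w", err)`. Note also that `json.Unmarshal` accepts the literal `null` without error and leaves inputVarMap nil, so a `null` value passes both this transformer and KeyValueMapValidator and the templates then range over an empty map; if that is not intended, reject it here with `if inputVarMap == nil { return nil, fmt.Errorf("variable must be a JSON object, got null") }`.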
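Review bot: KeyValueMapValidator only proves the input parses as a JSON object of strings; it does not check that the keys are usable as ConfigMap data keys, and the configmap templates this commit adds render each pair as `{{ $key }}: {{ $value }}` without quoting, so a key like `foo bar` is rejected by the API (ConfigMap keys must match `[-._a-zA-Z0-9]+`) and a key or value containing `:`, `#` or a newline produces invalid or altered YAML. As far as I can tell the kubelet also skips, rather than rejects, envFrom keys that are not valid environment variable names, so a typo would silently disappear at runtime. Decode into a local map and validate each key against a package-level `regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)`, e.g. `if !keyRe.MatchString(k) { return fmt.Errorf("invalid environment variable name %q", k) }`, and quote values in the templates. The error message here should also use `%w` rather than `%s` so the json error stays inspectable.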
@@ -26,6 +26,7 @@ {{- define "testapp.labels" -}} helm.sh/chart: {{ include "testapp.chart" . }} {{ include "testapp.selectorLabels" . }} +app.kubernetes.io/name: {{ include "testapp.name" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} diff --git a/pkg/fixtures/deployments/helm/charts/templates/configmap.yaml b/pkg/fixtures/deployments/helm/charts/templates/configmap.yaml new file mode 100644 index 00000000..10921932 --- /dev/null +++ b/pkg/fixtures/deployments/helm/charts/templates/configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "testapp.fullname" . }}-config + labels: + {{- include "testapp.labels" . | nindent 4 }} + namespace: {{ .Values.namespace }} +data: +{{- range $key, $value := .Values.envVars }} + {{ $key }}: {{ $value }} +{{- end }} diff --git a/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml b/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml index ec61f72c..881981a8 100644 --- a/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml +++ b/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml @@ -40,15 +40,14 @@ spec: containerPort: {{ .Values.containerPort }} protocol: TCP livenessProbe: - httpGet: - path: / - port: http + {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: - httpGet: - path: / - port: http + {{- toYaml .Values.readinessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "testapp.fullname" . }}-config {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -57,7 +56,13 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} + hostNetwork: false + hostIPC: false 
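Review bot: The added `app.kubernetes.io/name` line in the `testapp.labels` helper sits directly after `{{ include "testapp.selectorLabels" . }}`; if selectorLabels already emits `app.kubernetes.io/name` (the Helm starter chart's helper does), the rendered label block carries the key twice, which I believe Helm's YAML decoder rejects as a duplicate mapping key. selectorLabels is not in this diff, so please confirm; if it does carry the key, drop the added line or move it into selectorLabels. The same line is added to template/deployments/helm/charts/templates/_helpers.tpl.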
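Review bot: `{{ $key }}: {{ $value }}` on the data lines of the new configmap.yaml emits the value as a bare YAML scalar, so a value such as `true`, `8080` or `1e3` becomes a non-string and the ConfigMap is rejected by the API (data values must be strings), and a value containing `:`, `#` or a newline breaks or changes the document. In the Helm chart quote it: `{{ $key }}: {{ $value | quote }}`. The same pattern is in template/deployments/helm/charts/templates/configmap.yaml, template/deployments/kustomize/base/configmap.yaml and the envVars block of both values.yaml files; the kustomize and values.yaml copies are rendered by the Draft generator rather than Helm, so they need whichever quoting function that template context provides (I cannot see its function map from this diff).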
diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml index c22ff16e..584cb844 100644 --- a/pkg/fixtures/deployments/helm/charts/values.yaml +++ b/pkg/fixtures/deployments/helm/charts/values.yaml @@ -12,7 +12,6 @@ image: tag: latest pullPolicy: Always - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -20,32 +19,24 @@ fullnameOverride: "" podAnnotations: {} podSecurityContext: {} -# fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true -# runAsUser: 1000 + # fsGroup: 2000 service: annotations: {} type: LoadBalancer port: 80 -resources: {} +resources: # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m -# memory: 128Mi + limits: + cpu: "0.5" + memory: "512Mi" + requests: + cpu: "0.5" + memory: "512Mi" autoscaling: enabled: false 
@@ -54,10 +45,68 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +livenessProbe: + tcpSocket: + port: 80 +readinessProbe: + tcpSocket: + port: 80 + periodSeconds: 5 + timeoutSeconds: 5 + failureThreshold: 1 + successThreshold: 1 + initialDelaySeconds: 3 + nodeSelector: {} tolerations: [] -affinity: {} +topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: testapp + +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: testapp + +securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE + +envVars: generatorLabel: draft \ No newline at end of file diff --git a/pkg/fixtures/deployments/kustomize/base/configmap.yaml b/pkg/fixtures/deployments/kustomize/base/configmap.yaml new file mode 100644 index 00000000..c4e5887f --- /dev/null +++ b/pkg/fixtures/deployments/kustomize/base/configmap.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: testapp-config + namespace: default +data: \ No newline at end of file diff --git a/pkg/fixtures/deployments/kustomize/base/deployment.yaml b/pkg/fixtures/deployments/kustomize/base/deployment.yaml index b3726a27..140db1b2 100644 --- a/pkg/fixtures/deployments/kustomize/base/deployment.yaml +++ b/pkg/fixtures/deployments/kustomize/base/deployment.yaml 
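Review bot: The new securityContext drops ALL capabilities and then adds back the full container-runtime default set plus SYS_PTRACE, so the `drop: - ALL` buys nothing and the pod fails even the Pod Security Standards baseline profile, whose capability allow-list does not include SYS_PTRACE; the restricted profile permits only NET_BIND_SERVICE to be added. For a generic web deployment running as UID 1000 the add list in this hunk can be reduced to `add: - NET_BIND_SERVICE` (needed only when the container port is below 1024), leaving any further capability as an explicit user choice. The same list is repeated in the kustomize and manifest deployment fixtures, in template/deployments/helm/charts/values.yaml and in template/deployments/kustomize/base/deployment.yaml. `readOnlyRootFilesystem: true` with no writable emptyDir mount is also worth a comment in values.yaml, since many images write to /tmp at startup and will now crash-loop.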
@@ -4,6 +4,7 @@ metadata: name: testapp labels: app: testapp + app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft namespace: default spec: @@ -21,4 +22,70 @@ spec: image: testimage:latest imagePullPolicy: Always ports: - - containerPort: 80 \ No newline at end of file + - containerPort: 80 + resources: + requests: + cpu: "0.5" + memory: "512Mi" + limits: + cpu: "0.5" + memory: "512Mi" + envFrom: + - configMapRef: + name: testapp-config + livenessProbe: + tcpSocket: + port: 80 + readinessProbe: + tcpSocket: + port: 80 + periodSeconds: 5 + timeoutSeconds: 5 + failureThreshold: 1 + successThreshold: 1 + initialDelaySeconds: 3 + securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: testapp + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: testapp + hostNetwork: false + hostIPC: false \ No newline at end of file diff --git a/pkg/fixtures/deployments/kustomize/base/kustomization.yaml b/pkg/fixtures/deployments/kustomize/base/kustomization.yaml index ca1d88ef..b04efeef 100644 --- a/pkg/fixtures/deployments/kustomize/base/kustomization.yaml +++ b/pkg/fixtures/deployments/kustomize/base/kustomization.yaml 
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - deployment.yaml - - service.yaml \ No newline at end of file + - service.yaml + - configmap.yaml \ No newline at end of file diff --git a/pkg/fixtures/deployments/kustomize/base/service.yaml b/pkg/fixtures/deployments/kustomize/base/service.yaml index 324d7ecb..62805c87 100644 --- a/pkg/fixtures/deployments/kustomize/base/service.yaml +++ b/pkg/fixtures/deployments/kustomize/base/service.yaml @@ -4,6 +4,7 @@ metadata: name: testapp namespace: default labels: + app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft spec: type: LoadBalancer diff --git a/pkg/fixtures/deployments/manifest/manifests/configmap.yaml b/pkg/fixtures/deployments/manifest/manifests/configmap.yaml new file mode 100644 index 00000000..8e5e5596 --- /dev/null +++ b/pkg/fixtures/deployments/manifest/manifests/configmap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: testapp-config + namespace: default +data: + key1: value1 + key2: value2 \ No newline at end of file diff --git a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml index 875011a6..140db1b2 100644 --- a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml @@ -4,9 +4,10 @@ metadata: name: testapp labels: app: testapp + app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft namespace: default - spec: +spec: replicas: 1 selector: matchLabels: 
@@ -21,4 +22,70 @@ metadata: image: testimage:latest imagePullPolicy: Always ports: - - containerPort: 80 \ No newline at end of file + - containerPort: 80 + resources: + requests: + cpu: "0.5" + memory: "512Mi" + limits: + cpu: "0.5" + memory: "512Mi" + envFrom: + - configMapRef: + name: testapp-config + livenessProbe: + tcpSocket: + port: 80 + readinessProbe: + tcpSocket: + port: 80 + periodSeconds: 5 + timeoutSeconds: 5 + failureThreshold: 1 + successThreshold: 1 + initialDelaySeconds: 3 + securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: testapp + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: testapp + hostNetwork: false + hostIPC: false \ No newline at end of file diff --git a/pkg/fixtures/deployments/manifest/manifests/service.yaml b/pkg/fixtures/deployments/manifest/manifests/service.yaml index 324d7ecb..62805c87 100644 --- a/pkg/fixtures/deployments/manifest/manifests/service.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/service.yaml @@ -4,6 +4,7 @@ metadata: name: testapp namespace: default labels: + app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft spec: type: LoadBalancer diff --git a/pkg/fixtures/validatetemplate.go b/pkg/fixtures/validatetemplate.go index 3224e607..12862562 100644 --- a/pkg/fixtures/validatetemplate.go +++ b/pkg/fixtures/validatetemplate.go 
@@ -1,7 +1,6 @@ package fixtures import ( - "errors" "fmt" "os" "regexp" @@ -20,7 +19,7 @@ func ValidateContentAgainstFixture(generatedContent []byte, fixturePath string) fixtureWords := strings.Split(normalizeWhitespace(fixtureContent), " ") differingWords := []string{} for i, word := range genWords { - if word != fixtureWords[i] { + if i < len(fixtureWords) && word != fixtureWords[i] { differingWords = append(differingWords, fmt.Sprintf("'%s' != '%s'", word, fixtureWords[i])) if len(differingWords) == 1 { fmt.Println("Generated Word | Fixture Word") @@ -29,7 +28,7 @@ func ValidateContentAgainstFixture(generatedContent []byte, fixturePath string) } } - return errors.New(fmt.Sprintf("generated content does not match fixture: %s", strings.Join(differingWords, ", "))) + return fmt.Errorf("generated content does not match fixture for file %s: %s", fixturePath, strings.Join(differingWords, ", ")) } return nil diff --git a/pkg/handlers/template_test.go b/pkg/handlers/template_test.go index 7083f857..62032542 100644 --- a/pkg/handlers/template_test.go +++ b/pkg/handlers/template_test.go @@ -17,7 +17,7 @@ func AlwaysFailingValidator(value string) error { return fmt.Errorf("this is a failing validator") } -func AlwaysFailingTransformer(value string) (string, error) { +func AlwaysFailingTransformer(value string) (any, error) { return "", fmt.Errorf("this is a failing transformer") } @@ -54,7 +54,7 @@ func TestTemplateHandlerValidation(t *testing.T) { fileNameOverride map[string]string expectedErr error validators map[string]func(string) error - transformers map[string]func(string) (string, error) + transformers map[string]func(string) (any, error) }{ { name: "valid manifest deployment", @@ -71,6 +71,7 @@ func TestTemplateHandlerValidation(t *testing.T) { "IMAGETAG": "latest", "GENERATORLABEL": "draft", "SERVICEPORT": "80", + "ENVVARS": `{"key1":"value1","key2":"value2"}`, }, }, { 
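Review bot: The new guard `i < len(fixtureWords)` in the comparison loop of ValidateContentAgainstFixture stops the index panic but turns a length mismatch into a silent pass: extra trailing words in the generated content are never compared, and words present only at the end of the fixture are never seen because the loop ranges over genWords. Report the mismatch before the loop, e.g. `if len(genWords) != len(fixtureWords) { differingWords = append(differingWords, fmt.Sprintf("word count %d != %d", len(genWords), len(fixtureWords))) }`, so a truncated or over-long render still fails the check. The function begins before this hunk.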
@@ -122,6 +123,7 @@ func TestTemplateHandlerValidation(t *testing.T) { "IMAGETAG": "latest", "GENERATORLABEL": "draft", "SERVICEPORT": "80", + "ENVVARS": `{"key1":"value1","key2":"value2"}`, }, fileNameOverride: map[string]string{ "deployment.yaml": "deployment-override.yaml", @@ -396,7 +398,7 @@ func TestTemplateHandlerValidation(t *testing.T) { "GENERATORLABEL": "draft", "SERVICEPORT": "80", }, - transformers: map[string]func(string) (string, error){ + transformers: map[string]func(string) (any, error){ "kubernetesResourceName": AlwaysFailingTransformer, }, expectedErr: fmt.Errorf("this is a failing transformer"), diff --git a/template/deployments/helm/charts/templates/_helpers.tpl b/template/deployments/helm/charts/templates/_helpers.tpl index 00ffbdb0..7b469861 100644 --- a/template/deployments/helm/charts/templates/_helpers.tpl +++ b/template/deployments/helm/charts/templates/_helpers.tpl @@ -36,6 +36,7 @@ Common labels {{ .Config.GetVariableValue "APPNAME" | printf "{{- define \"%s.labels\" -}}" }} helm.sh/chart: {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.chart\" . }}" }} {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.selectorLabels\" . }}" }} +{{ .Config.GetVariableValue "APPNAME" | printf "app.kubernetes.io/name: {{ include \"%s.name\" . }}" }} {{`{{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} diff --git a/template/deployments/helm/charts/templates/configmap.yaml b/template/deployments/helm/charts/templates/configmap.yaml new file mode 100644 index 00000000..3447b36a --- /dev/null +++ b/template/deployments/helm/charts/templates/configmap.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.fullname\" . }}-config" }} + labels: + {{ .Config.GetVariableValue "APPNAME" | printf "{{- include \"%s.labels\" . | nindent 4 }}" }} +{{- ` + namespace: {{ .Values.namespace }} +` -}} +data: +{{- ` +{{- range $key, $value := .Values.envVars }} + {{ $key }}: {{ $value }} +{{- end }} +` -}} \ No newline at end of file diff --git a/template/deployments/helm/charts/templates/deployment.yaml b/template/deployments/helm/charts/templates/deployment.yaml index 5ebad8e7..0fc370c5 100644 --- a/template/deployments/helm/charts/templates/deployment.yaml +++ b/template/deployments/helm/charts/templates/deployment.yaml @@ -12,7 +12,7 @@ spec: {{- ` {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} - {{- end }} + {{- end }} ` -}} selector: matchLabels: @@ -23,7 +23,7 @@ spec: {{- with .Values.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} ` -}} labels: {{ .Config.GetVariableValue "APPNAME" | printf "{{- include \"%s.selectorLabels\" . | nindent 8 }}" }} @@ -47,15 +47,16 @@ spec: containerPort: {{ .Values.containerPort }} protocol: TCP livenessProbe: - httpGet: - path: / - port: http + {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: - httpGet: - path: / - port: http + {{- toYaml .Values.readinessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} + ` -}} + envFrom: + - configMapRef: + name: {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.fullname\" . }}-config" }} + {{- ` {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
@@ -64,8 +65,14 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} + hostNetwork: false + hostIPC: false ` -}} \ No newline at end of file diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index c8347edd..5cca035e 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml @@ -21,30 +21,22 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - service: annotations: {} type: LoadBalancer port: {{ .Config.GetVariableValue "SERVICEPORT" }} -resources: {} +resources: # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + limits: + cpu: "{{ .Config.GetVariableValue "CPULIMIT" }}" + memory: "{{ .Config.GetVariableValue "MEMLIMIT" }}" + requests: + cpu: "{{ .Config.GetVariableValue "CPUREQ" }}" + memory: "{{ .Config.GetVariableValue "MEMREQ" }}" autoscaling: enabled: false 
@@ -53,10 +45,71 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +livenessProbe: + tcpSocket: + port: {{ .Config.GetVariableValue "PORT" }} +readinessProbe: + tcpSocket: + port: {{ .Config.GetVariableValue "PORT" }} + periodSeconds: {{ .Config.GetVariableValue "READINESSPERIOD" }} + timeoutSeconds: {{ .Config.GetVariableValue "READINESSTIMEOUT" }} + failureThreshold: {{ .Config.GetVariableValue "READINESSFAILURETHRESHOLD" }} + successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} + initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} + nodeSelector: {} tolerations: [] -affinity: {} +topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: {{ .Config.GetVariableValue "APPNAME" }} + +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: {{ .Config.GetVariableValue "APPNAME" }} + +securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE + +envVars: +{{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} + {{ $key }}: {{ $value }} +{{- end }} generatorLabel: {{ .Config.GetVariableValue "GENERATORLABEL" }} \ No newline at end of file diff --git a/template/deployments/helm/draft.yaml b/template/deployments/helm/draft.yaml index dcd8d2b3..cfacfdb1 100644 --- a/template/deployments/helm/draft.yaml +++ b/template/deployments/helm/draft.yaml 
@@ -53,3 +53,83 @@ variables: value: "draft" description: "the label to identify who generated the resource" versions: ">=0.0.1" + - name: "CPUREQ" + type: "string" + kind: "kubernetesResourceRequest" + default: + disablePrompt: true + value: "0.5" + description: "resource request for CPU" + versions: ">=0.0.1" + - name: "MEMREQ" + type: "string" + kind: "kubernetesResourceRequest" + default: + disablePrompt: true + value: "512Mi" + description: "resource request for Memory" + versions: ">=0.0.1" + - name: "CPULIMIT" + type: "string" + kind: "kubernetesResourceLimit" + default: + disablePrompt: true + value: "0.5" + description: "resource limit for CPU" + versions: ">=0.0.1" + - name: "MEMLIMIT" + type: "string" + kind: "kubernetesResourceLimit" + default: + disablePrompt: true + value: "512Mi" + description: "resource request for Memory" + versions: ">=0.0.1" + - name: "READINESSPERIOD" + type: "int" + kind: "kubernetesProbePeriod" + default: + disablePrompt: true + value: 5 + description: "kubernetes readiness probe period in seconds" + versions: ">=0.0.1" + - name: "READINESSTIMEOUT" + type: "int" + kind: "kubernetesProbeTimeout" + default: + disablePrompt: true + value: 5 + description: "kubernetes readiness probe timeout in seconds" + versions: ">=0.0.1" + - name: "READINESSFAILURETHRESHOLD" + type: "int" + kind: "kubernetesProbeThreshold" + default: + disablePrompt: true + value: 1 + description: "kubernetes readiness probe failure threshold" + versions: ">=0.0.1" + - name: "READINESSSUCCESSTHRESHOLD" + type: "int" + kind: "kubernetesProbeThreshold" + default: + disablePrompt: true + value: 1 + description: "kubernetes readiness probe success threshold" + versions: ">=0.0.1" + - name: "READINESSINITIALDELAY" + type: "int" + kind: "kubernetesProbeDelay" + default: + disablePrompt: true + value: 3 + description: "kubernetes readiness probe initial delay in seconds" + versions: ">=0.0.1" + - name: "ENVVARS" + type: "object" + kind: "envVarMap" + default: + 
disablePrompt: true + value: "{}" + description: "a map of key/value environment variables to be set in the deployment" + versions: ">=0.0.1" \ No newline at end of file diff --git a/template/deployments/kustomize/base/configmap.yaml b/template/deployments/kustomize/base/configmap.yaml new file mode 100644 index 00000000..474528c2 --- /dev/null +++ b/template/deployments/kustomize/base/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Config.GetVariableValue "APPNAME" | printf "%s-config" }} + namespace: {{ .Config.GetVariableValue "NAMESPACE" }} +data: +{{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} + {{ $key }}: {{ $value }} +{{- end }} \ No newline at end of file diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index ad05db20..530d57e5 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml @@ -3,7 +3,8 @@ kind: Deployment metadata: name: {{ .Config.GetVariableValue "APPNAME" }} labels: - app: {{ .Config.GetVariableValue "APPNAME"}} + app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} spec: 
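Review bot: The MEMLIMIT variable's description reads `resource request for Memory`, copied from MEMREQ, although its kind is kubernetesResourceLimit; it should be `description: "resource limit for Memory"`. The same copy is in template/deployments/kustomize/draft.yaml. ENVVARS is declared `type: "object"` with the string default `"{}"`, and nothing tells the user what encoding is accepted; a description such as `description: "a JSON object of string keys to string values, set as environment variables in the deployment"` would match what KeyValueMapValidator enforces.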
@@ -17,8 +18,74 @@ spec: app: {{ .Config.GetVariableValue "APPNAME" }} spec: containers: - - name: {{.Config.GetVariableValue "APPNAME" }} + - name: {{ .Config.GetVariableValue "APPNAME" }} image: {{ .Config.GetVariableValue "IMAGENAME" }}:{{ .Config.GetVariableValue "IMAGETAG" }} imagePullPolicy: Always ports: - - containerPort: {{ .Config.GetVariableValue "PORT" }} \ No newline at end of file + - containerPort: {{ .Config.GetVariableValue "PORT"}} + resources: + requests: + cpu: "{{ .Config.GetVariableValue "CPUREQ" }}" + memory: "{{ .Config.GetVariableValue "MEMREQ" }}" + limits: + cpu: "{{ .Config.GetVariableValue "CPULIMIT" }}" + memory: "{{ .Config.GetVariableValue "MEMLIMIT" }}" + envFrom: + - configMapRef: + name: {{ .Config.GetVariableValue "APPNAME" | printf "%s-config" }} + livenessProbe: + tcpSocket: + port: {{ .Config.GetVariableValue "PORT" }} + readinessProbe: + tcpSocket: + port: {{ .Config.GetVariableValue "PORT" }} + periodSeconds: {{ .Config.GetVariableValue "READINESSPERIOD" }} + timeoutSeconds: {{ .Config.GetVariableValue "READINESSTIMEOUT" }} + failureThreshold: {{ .Config.GetVariableValue "READINESSFAILURETHRESHOLD" }} + successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} + initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app: {{ .Config.GetVariableValue "APPNAME" }} + 
topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: {{ .Config.GetVariableValue "APPNAME" }} + hostNetwork: false + hostIPC: false \ No newline at end of file diff --git a/template/deployments/kustomize/base/kustomization.yaml b/template/deployments/kustomize/base/kustomization.yaml index ca1d88ef..b04efeef 100644 --- a/template/deployments/kustomize/base/kustomization.yaml +++ b/template/deployments/kustomize/base/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - deployment.yaml - - service.yaml \ No newline at end of file + - service.yaml + - configmap.yaml \ No newline at end of file diff --git a/template/deployments/kustomize/base/service.yaml b/template/deployments/kustomize/base/service.yaml index 7503816d..448a0ca7 100644 --- a/template/deployments/kustomize/base/service.yaml +++ b/template/deployments/kustomize/base/service.yaml @@ -4,6 +4,7 @@ metadata: name: {{ .Config.GetVariableValue "APPNAME" }} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} labels: + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} spec: type: LoadBalancer diff --git a/template/deployments/kustomize/draft.yaml b/template/deployments/kustomize/draft.yaml index 56ce1068..2d68b013 100644 --- a/template/deployments/kustomize/draft.yaml +++ b/template/deployments/kustomize/draft.yaml 
@@ -53,3 +53,83 @@ variables:
 value: "draft"
 description: "the label to identify who generated the resource"
 versions: ">=0.0.1"
+ - name: "CPUREQ"
+ type: "string"
+ kind: "kubernetesResourceRequest"
+ default:
+ disablePrompt: true
+ value: "0.5"
+ description: "resource request for CPU"
+ versions: ">=0.0.1"
+ - name: "MEMREQ"
+ type: "string"
+ kind: "kubernetesResourceRequest"
+ default:
+ disablePrompt: true
+ value: "512Mi"
+ description: "resource request for Memory"
+ versions: ">=0.0.1"
+ - name: "CPULIMIT"
+ type: "string"
+ kind: "kubernetesResourceLimit"
+ default:
+ disablePrompt: true
+ value: "0.5"
+ description: "resource limit for CPU"
+ versions: ">=0.0.1"
+ - name: "MEMLIMIT"
+ type: "string"
+ kind: "kubernetesResourceLimit"
+ default:
+ disablePrompt: true
+ value: "512Mi"
+ description: "resource request for Memory"
+ versions: ">=0.0.1"
+ - name: "READINESSPERIOD"
+ type: "int"
+ kind: "kubernetesProbePeriod"
+ default:
+ disablePrompt: true
+ value: 5
+ description: "kubernetes readiness probe period in seconds"
+ versions: ">=0.0.1"
+ - name: "READINESSTIMEOUT"
+ type: "int"
+ kind: "kubernetesProbeTimeout"
+ default:
+ disablePrompt: true
+ value: 5
+ description: "kubernetes readiness probe timeout in seconds"
+ versions: ">=0.0.1"
+ - name: "READINESSFAILURETHRESHOLD"
+ type: "int"
+ kind: "kubernetesProbeThreshold"
+ default:
+ disablePrompt: true
+ value: 1
+ description: "kubernetes readiness probe failure threshold"
+ versions: ">=0.0.1"
+ - name: "READINESSSUCCESSTHRESHOLD"
+ type: "int"
+ kind: "kubernetesProbeThreshold"
+ default:
+ disablePrompt: true
+ value: 1
+ description: "kubernetes readiness probe success threshold"
+ versions: ">=0.0.1"
+ - name: "READINESSINITIALDELAY"
+ type: "int"
+ kind: "kubernetesProbeDelay"
+ default:
+ disablePrompt: true
+ value: 3
+ description: "kubernetes readiness probe initial delay in seconds"
+ versions: ">=0.0.1"
+ - name: "ENVVARS"
+ type: "object"
+ kind: "envVarMap"
+ default:
+ disablePrompt: true
+ value: "{}"
+ description: "a map of key/value environment variables to be set in the deployment"
+ versions: ">=0.0.1"
\ No newline at end of file
diff --git a/template/deployments/manifests/draft.yaml b/template/deployments/manifests/draft.yaml
index e946e009..0347efe9 100644
--- a/template/deployments/manifests/draft.yaml
+++ b/template/deployments/manifests/draft.yaml
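Review bot: The new MEMLIMIT entry's description reads "resource request for Memory" although its kind is kubernetesResourceLimit; it should be `description: "resource limit for Memory"` (the manifests/draft.yaml hunk below carries the same text). Separately, ENVVARS is declared `type: "object"` but its default is the string `"{}"`, while the new configmap template ranges over `.Config.GetVariableValue "ENVVARS"`; Go's text/template cannot range over a string, so this presumably relies on the transformers.go change in this series converting the value into a map, and a test that renders the template with ENVVARS left at its default would confirm it. The enclosing `variables:` list starts before this hunk.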
@@ -53,3 +53,83 @@ variables:
 value: "draft"
 description: "the label to identify who generated the resource"
 versions: ">=0.0.1"
+ - name: "CPUREQ"
+ type: "string"
+ kind: "kubernetesResourceRequest"
+ default:
+ disablePrompt: true
+ value: "0.5"
+ description: "resource request for CPU"
+ versions: ">=0.0.1"
+ - name: "MEMREQ"
+ type: "string"
+ kind: "kubernetesResourceRequest"
+ default:
+ disablePrompt: true
+ value: "512Mi"
+ description: "resource request for Memory"
+ versions: ">=0.0.1"
+ - name: "CPULIMIT"
+ type: "string"
+ kind: "kubernetesResourceLimit"
+ default:
+ disablePrompt: true
+ value: "0.5"
+ description: "resource limit for CPU"
+ versions: ">=0.0.1"
+ - name: "MEMLIMIT"
+ type: "string"
+ kind: "kubernetesResourceLimit"
+ default:
+ disablePrompt: true
+ value: "512Mi"
+ description: "resource request for Memory"
+ versions: ">=0.0.1"
+ - name: "READINESSPERIOD"
+ type: "int"
+ kind: "kubernetesProbePeriod"
+ default:
+ disablePrompt: true
+ value: 5
+ description: "kubernetes readiness probe period in seconds"
+ versions: ">=0.0.1"
+ - name: "READINESSTIMEOUT"
+ type: "int"
+ kind: "kubernetesProbeTimeout"
+ default:
+ disablePrompt: true
+ value: 5
+ description: "kubernetes readiness probe timeout in seconds"
+ versions: ">=0.0.1"
+ - name: "READINESSFAILURETHRESHOLD"
+ type: "int"
+ kind: "kubernetesProbeThreshold"
+ default:
+ disablePrompt: true
+ value: 1
+ description: "kubernetes readiness probe failure threshold"
+ versions: ">=0.0.1"
+ - name: "READINESSSUCCESSTHRESHOLD"
+ type: "int"
+ kind: "kubernetesProbeThreshold"
+ default:
+ disablePrompt: true
+ value: 1
+ description: "kubernetes readiness probe success threshold"
+ versions: ">=0.0.1"
+ - name: "READINESSINITIALDELAY"
+ type: "int"
+ kind: "kubernetesProbeDelay"
+ default:
+ disablePrompt: true
+ value: 3
+ description: "kubernetes readiness probe initial delay in seconds"
+ versions: ">=0.0.1"
+ - name: "ENVVARS"
+ type: "object"
+ kind: "envVarMap"
+ default:
+ disablePrompt: true
+ value: "{}"
+ description: "a map of key/value environment variables to be set in the deployment"
+ versions: ">=0.0.1"
\ No newline at end of file
diff --git a/template/deployments/manifests/manifests/configmap.yaml b/template/deployments/manifests/manifests/configmap.yaml
new file mode 100644
index 00000000..474528c2
--- /dev/null
+++ b/template/deployments/manifests/manifests/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Config.GetVariableValue "APPNAME" | printf "%s-config" }}
+ namespace: {{ .Config.GetVariableValue "NAMESPACE" }}
+data:
+{{- range $key, $value := .Config.GetVariableValue "ENVVARS" }}
+ {{ $key }}: {{ $value }}
+{{- end }}
\ No newline at end of file
diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml
index c8d88cea..530d57e5 100644
--- a/template/deployments/manifests/manifests/deployment.yaml
+++ b/template/deployments/manifests/manifests/deployment.yaml
@@ -4,6 +4,7 @@ metadata:
 name: {{ .Config.GetVariableValue "APPNAME" }}
 labels:
 app: {{ .Config.GetVariableValue "APPNAME" }}
+ app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }}
 kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }}
 namespace: {{ .Config.GetVariableValue "NAMESPACE" }}
 spec:
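Review bot: `{{ $key }}: {{ $value }}` in the new configmap.yaml emits the user-supplied environment values unquoted, so a value such as `true`, `8080` or `1e3` is parsed as a YAML bool or number and the apply is rejected because ConfigMap data values must be strings, and a value containing `: ` or `#` corrupts the document. Quoting with the template builtin this file already uses, `{{ $key }}: {{ printf "%q" $value }}`, turns every value into a string literal; keys are not checked here either, so unless the validators.go change in this series limits ENVVARS keys to the ConfigMap key character set, a key containing a colon or space breaks rendering the same way. Patch 02 below shows the kustomize/base/configmap.yaml template has the identical range loop.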
@@ -21,4 +22,70 @@ spec:
 image: {{ .Config.GetVariableValue "IMAGENAME" }}:{{ .Config.GetVariableValue "IMAGETAG" }}
 imagePullPolicy: Always
 ports:
- - containerPort: {{ .Config.GetVariableValue "PORT"}}
\ No newline at end of file
+ - containerPort: {{ .Config.GetVariableValue "PORT"}}
+ resources:
+ requests:
+ cpu: "{{ .Config.GetVariableValue "CPUREQ" }}"
+ memory: "{{ .Config.GetVariableValue "MEMREQ" }}"
+ limits:
+ cpu: "{{ .Config.GetVariableValue "CPULIMIT" }}"
+ memory: "{{ .Config.GetVariableValue "MEMLIMIT" }}"
+ envFrom:
+ - configMapRef:
+ name: {{ .Config.GetVariableValue "APPNAME" | printf "%s-config" }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Config.GetVariableValue "PORT" }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Config.GetVariableValue "PORT" }}
+ periodSeconds: {{ .Config.GetVariableValue "READINESSPERIOD" }}
+ timeoutSeconds: {{ .Config.GetVariableValue "READINESSTIMEOUT" }}
+ failureThreshold: {{ .Config.GetVariableValue "READINESSFAILURETHRESHOLD" }}
+ successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }}
+ initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }}
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 3000
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - SETPCAP
+ - MKNOD
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - SETGID
+ - SETUID
+ - NET_BIND_SERVICE
+ - SYS_CHROOT
+ - SETFCAP
+ - SYS_PTRACE
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ topologyKey: kubernetes.io/hostname
+ labelSelector:
+ matchLabels:
+ app: {{ .Config.GetVariableValue "APPNAME" }}
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app: {{ .Config.GetVariableValue "APPNAME" }}
+ hostNetwork: false
+ hostIPC: false
\ No newline at end of file
diff --git a/template/deployments/manifests/manifests/service.yaml b/template/deployments/manifests/manifests/service.yaml
index 7503816d..448a0ca7 100644
--- a/template/deployments/manifests/manifests/service.yaml
+++ b/template/deployments/manifests/manifests/service.yaml
@@ -4,6 +4,7 @@ metadata:
 name: {{ .Config.GetVariableValue "APPNAME" }}
 namespace: {{ .Config.GetVariableValue "NAMESPACE" }}
 labels:
+ app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }}
 kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }}
 spec:
 type: LoadBalancer
From 9b39572edb94ad10a3eb7f37224421100c4f6250 Mon Sep 17 00:00:00 2001
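Review bot: The livenessProbe added here is a bare `tcpSocket` with no `initialDelaySeconds`, `periodSeconds` or `failureThreshold`, so it runs on the Kubernetes defaults (10 s period, 3 failures) while the readinessProbe directly below it is fully parameterised; an application that needs more than roughly 30 s to open its port is killed and restarted before it ever becomes ready. Either expose matching LIVENESS* variables in draft.yaml or add a `startupProbe` on the same port with a generous `failureThreshold`, which gates both probes until the first success. The kustomize/base/deployment.yaml hunk earlier in this patch has the same shape, and the enclosing container spec starts before this hunk.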
From: Brandon Foley Date: Wed, 6 Nov 2024 13:59:02 -0500 Subject: [PATCH 02/11] label fixes --- .../deployments/helm/charts/templates/_helpers.tpl | 2 +- .../deployments/helm/charts/templates/deployment.yaml | 1 - .../deployments/helm/charts/templates/service.yaml | 1 - pkg/fixtures/deployments/helm/charts/values.yaml | 7 +++---- .../deployments/kustomize/base/configmap.yaml | 3 +++ .../deployments/kustomize/base/deployment.yaml | 11 +++++------ pkg/fixtures/deployments/kustomize/base/service.yaml | 2 +- .../kustomize/overlays/production/deployment.yaml | 4 ++-- .../kustomize/overlays/production/service.yaml | 1 + .../deployments/manifest/manifests/configmap.yaml | 3 +++ .../deployments/manifest/manifests/deployment.yaml | 11 +++++------ .../deployments/manifest/manifests/service.yaml | 2 +- .../deployments/helm/charts/templates/_helpers.tpl | 2 +- .../deployments/helm/charts/templates/deployment.yaml | 3 +-- .../deployments/helm/charts/templates/service.yaml | 3 +-- template/deployments/helm/charts/values.yaml | 1 - template/deployments/helm/draft.yaml | 6 +++--- template/deployments/kustomize/base/configmap.yaml | 3 +++ template/deployments/kustomize/base/deployment.yaml | 5 ++--- template/deployments/kustomize/base/service.yaml | 2 +- template/deployments/kustomize/draft.yaml | 6 +++--- .../kustomize/overlays/production/deployment.yaml | 4 ++-- .../kustomize/overlays/production/service.yaml | 1 + template/deployments/manifests/draft.yaml | 6 +++--- .../deployments/manifests/manifests/configmap.yaml | 3 +++ .../deployments/manifests/manifests/deployment.yaml | 5 ++--- template/deployments/manifests/manifests/service.yaml | 2 +- 27 files changed, 52 insertions(+), 48 deletions(-) diff --git a/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl b/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl index ae2123a7..0b48acb0 100644 --- a/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl 
+++ b/pkg/fixtures/deployments/helm/charts/templates/_helpers.tpl @@ -26,7 +26,7 @@ {{- define "testapp.labels" -}} helm.sh/chart: {{ include "testapp.chart" . }} {{ include "testapp.selectorLabels" . }} -app.kubernetes.io/name: {{ include "testapp.name" . }} +kubernetes.azure.com/generator: {{ .Values.generatorLabel }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} diff --git a/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml b/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml index 881981a8..b371402e 100644 --- a/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml +++ b/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "testapp.fullname" . }} labels: {{- include "testapp.labels" . | nindent 4 }} - kubernetes.azure.com/generator: {{ .Values.generatorLabel }} namespace: {{ .Values.namespace }} spec: {{- if not .Values.autoscaling.enabled }} diff --git a/pkg/fixtures/deployments/helm/charts/templates/service.yaml b/pkg/fixtures/deployments/helm/charts/templates/service.yaml index 72b9c183..870bbf95 100644 --- a/pkg/fixtures/deployments/helm/charts/templates/service.yaml +++ b/pkg/fixtures/deployments/helm/charts/templates/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "testapp.fullname" . }} labels: {{- include "testapp.labels" . | nindent 4 }} - kubernetes.azure.com/generator: {{.Values.generatorLabel}} annotations: {{ toYaml .Values.service.annotations | nindent 4 }} namespace: {{ .Values.namespace }} diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml index 584cb844..1f87fd79 100644 --- a/pkg/fixtures/deployments/helm/charts/values.yaml +++ b/pkg/fixtures/deployments/helm/charts/values.yaml @@ -19,7 +19,6 @@ fullnameOverride: "" podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 service: annotations: {} 
@@ -32,10 +31,10 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: - cpu: "0.5" - memory: "512Mi" + cpu: "2" + memory: "1Gi" requests: - cpu: "0.5" + cpu: "1" memory: "512Mi" autoscaling: diff --git a/pkg/fixtures/deployments/kustomize/base/configmap.yaml b/pkg/fixtures/deployments/kustomize/base/configmap.yaml index c4e5887f..827eeb7c 100644 --- a/pkg/fixtures/deployments/kustomize/base/configmap.yaml +++ b/pkg/fixtures/deployments/kustomize/base/configmap.yaml @@ -3,4 +3,7 @@ kind: ConfigMap metadata: name: testapp-config namespace: default + labels: + app.kubernetes.io/name: testapp + kubernetes.azure.com/generator: draft data: \ No newline at end of file diff --git a/pkg/fixtures/deployments/kustomize/base/deployment.yaml b/pkg/fixtures/deployments/kustomize/base/deployment.yaml index 140db1b2..e83af792 100644 --- a/pkg/fixtures/deployments/kustomize/base/deployment.yaml +++ b/pkg/fixtures/deployments/kustomize/base/deployment.yaml @@ -3,7 +3,6 @@ kind: Deployment metadata: name: testapp labels: - app: testapp app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft namespace: default @@ -11,11 +10,11 @@ spec: replicas: 1 selector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp template: metadata: labels: - app: testapp + app.kubernetes.io/name: testapp spec: containers: - name: testapp @@ -25,11 +24,11 @@ spec: - containerPort: 80 resources: requests: - cpu: "0.5" + cpu: "1" memory: "512Mi" limits: - cpu: "0.5" - memory: "512Mi" + cpu: "2" + memory: "1Gi" envFrom: - configMapRef: name: testapp-config diff --git a/pkg/fixtures/deployments/kustomize/base/service.yaml b/pkg/fixtures/deployments/kustomize/base/service.yaml index 62805c87..661722f6 100644 --- a/pkg/fixtures/deployments/kustomize/base/service.yaml +++ b/pkg/fixtures/deployments/kustomize/base/service.yaml 
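Review bot: Changing `spec.selector.matchLabels` from `app` to `app.kubernetes.io/name` is a breaking change for anyone re-running draft over an app that is already deployed: a Deployment's selector is immutable, so `kubectl apply` of the regenerated manifest fails with a field-is-immutable error until the existing Deployment is deleted. This applies to the template hunks for kustomize/base/deployment.yaml and manifests/manifests/deployment.yaml later in this patch as much as to the fixtures here; it deserves a release note, or, if compatibility matters, keeping `app` in both the selector and the pod template labels and adding `app.kubernetes.io/name` to the template labels only. The Service selector hunks make the matching switch, so the two changes must ship together.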
@@ -9,7 +9,7 @@ metadata: spec: type: LoadBalancer selector: - app: testapp + app.kubernetes.io/name: testapp ports: - protocol: TCP port: 80 diff --git a/pkg/fixtures/deployments/kustomize/overlays/production/deployment.yaml b/pkg/fixtures/deployments/kustomize/overlays/production/deployment.yaml index 4d836f27..5ce48f84 100644 --- a/pkg/fixtures/deployments/kustomize/overlays/production/deployment.yaml +++ b/pkg/fixtures/deployments/kustomize/overlays/production/deployment.yaml @@ -3,13 +3,13 @@ kind: Deployment metadata: name: testapp labels: - app: testapp + app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft namespace: default spec: selector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp template: spec: containers: diff --git a/pkg/fixtures/deployments/kustomize/overlays/production/service.yaml b/pkg/fixtures/deployments/kustomize/overlays/production/service.yaml index b8a97d3f..0e39d804 100644 --- a/pkg/fixtures/deployments/kustomize/overlays/production/service.yaml +++ b/pkg/fixtures/deployments/kustomize/overlays/production/service.yaml @@ -4,6 +4,7 @@ metadata: name: testapp namespace: default labels: + app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft spec: type: LoadBalancer \ No newline at end of file diff --git a/pkg/fixtures/deployments/manifest/manifests/configmap.yaml b/pkg/fixtures/deployments/manifest/manifests/configmap.yaml index 8e5e5596..5d366d21 100644 --- a/pkg/fixtures/deployments/manifest/manifests/configmap.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/configmap.yaml @@ -3,6 +3,9 @@ kind: ConfigMap metadata: name: testapp-config namespace: default + labels: + app.kubernetes.io/name: testapp + kubernetes.azure.com/generator: draft data: key1: value1 key2: value2 \ No newline at end of file diff --git a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml index 140db1b2..e83af792 100644 
--- a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml @@ -3,7 +3,6 @@ kind: Deployment metadata: name: testapp labels: - app: testapp app.kubernetes.io/name: testapp kubernetes.azure.com/generator: draft namespace: default @@ -11,11 +10,11 @@ spec: replicas: 1 selector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp template: metadata: labels: - app: testapp + app.kubernetes.io/name: testapp spec: containers: - name: testapp @@ -25,11 +24,11 @@ spec: - containerPort: 80 resources: requests: - cpu: "0.5" + cpu: "1" memory: "512Mi" limits: - cpu: "0.5" - memory: "512Mi" + cpu: "2" + memory: "1Gi" envFrom: - configMapRef: name: testapp-config diff --git a/pkg/fixtures/deployments/manifest/manifests/service.yaml b/pkg/fixtures/deployments/manifest/manifests/service.yaml index 62805c87..661722f6 100644 --- a/pkg/fixtures/deployments/manifest/manifests/service.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/service.yaml @@ -9,7 +9,7 @@ metadata: spec: type: LoadBalancer selector: - app: testapp + app.kubernetes.io/name: testapp ports: - protocol: TCP port: 80 diff --git a/template/deployments/helm/charts/templates/_helpers.tpl b/template/deployments/helm/charts/templates/_helpers.tpl index 7b469861..d77ff2c4 100644 --- a/template/deployments/helm/charts/templates/_helpers.tpl +++ b/template/deployments/helm/charts/templates/_helpers.tpl 
@@ -36,7 +36,7 @@ Common labels {{ .Config.GetVariableValue "APPNAME" | printf "{{- define \"%s.labels\" -}}" }} helm.sh/chart: {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.chart\" . }}" }} {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.selectorLabels\" . }}" }} -{{ .Config.GetVariableValue "APPNAME" | printf "app.kubernetes.io/name: {{ include \"%s.name\" . }}" }} +kubernetes.azure.com/generator: {{ printf "{{ .Values.generatorLabel }}" }} {{`{{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} diff --git a/template/deployments/helm/charts/templates/deployment.yaml b/template/deployments/helm/charts/templates/deployment.yaml index 0fc370c5..87167363 100644 --- a/template/deployments/helm/charts/templates/deployment.yaml +++ b/template/deployments/helm/charts/templates/deployment.yaml @@ -4,8 +4,7 @@ metadata: name: {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.fullname\" . }}" }} labels: {{ .Config.GetVariableValue "APPNAME" | printf "{{- include \"%s.labels\" . | nindent 4 }}" }} - {{- ` - kubernetes.azure.com/generator: {{ .Values.generatorLabel }} + {{- ` namespace: {{ .Values.namespace }} ` -}} spec: diff --git a/template/deployments/helm/charts/templates/service.yaml b/template/deployments/helm/charts/templates/service.yaml index f7fdea76..7584f8c9 100644 --- a/template/deployments/helm/charts/templates/service.yaml +++ b/template/deployments/helm/charts/templates/service.yaml @@ -4,8 +4,7 @@ metadata: name: {{ .Config.GetVariableValue "APPNAME" | printf "{{ include \"%s.fullname\" . }}" }} labels: {{ .Config.GetVariableValue "APPNAME" | printf "{{- include \"%s.labels\" . | nindent 4 }}" }} - {{- ` - kubernetes.azure.com/generator: {{.Values.generatorLabel}} + {{- ` annotations: {{ toYaml .Values.service.annotations | nindent 4 }} namespace: {{ .Values.namespace }} 
diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index 5cca035e..4f69418d 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml @@ -19,7 +19,6 @@ fullnameOverride: "" podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 service: annotations: {} diff --git a/template/deployments/helm/draft.yaml b/template/deployments/helm/draft.yaml index cfacfdb1..6e5a0e37 100644 --- a/template/deployments/helm/draft.yaml +++ b/template/deployments/helm/draft.yaml @@ -58,7 +58,7 @@ variables: kind: "kubernetesResourceRequest" default: disablePrompt: true - value: "0.5" + value: "1" description: "resource request for CPU" versions: ">=0.0.1" - name: "MEMREQ" @@ -74,7 +74,7 @@ variables: kind: "kubernetesResourceLimit" default: disablePrompt: true - value: "0.5" + value: "2" description: "resource limit for CPU" versions: ">=0.0.1" - name: "MEMLIMIT" @@ -82,7 +82,7 @@ variables: kind: "kubernetesResourceLimit" default: disablePrompt: true - value: "512Mi" + value: "1Gi" description: "resource request for Memory" versions: ">=0.0.1" - name: "READINESSPERIOD" diff --git a/template/deployments/kustomize/base/configmap.yaml b/template/deployments/kustomize/base/configmap.yaml index 474528c2..76fb1235 100644 --- a/template/deployments/kustomize/base/configmap.yaml +++ b/template/deployments/kustomize/base/configmap.yaml @@ -3,6 +3,9 @@ kind: ConfigMap metadata: name: {{ .Config.GetVariableValue "APPNAME" | printf "%s-config" }} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} + labels: + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} + kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} data: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} {{ $key }}: {{ $value }} 
diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index 530d57e5..98a97aa8 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml @@ -3,7 +3,6 @@ kind: Deployment metadata: name: {{ .Config.GetVariableValue "APPNAME" }} labels: - app: {{ .Config.GetVariableValue "APPNAME" }} app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} @@ -11,11 +10,11 @@ spec: replicas: 1 selector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} template: metadata: labels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} spec: containers: - name: {{ .Config.GetVariableValue "APPNAME" }} diff --git a/template/deployments/kustomize/base/service.yaml b/template/deployments/kustomize/base/service.yaml index 448a0ca7..0fc84e87 100644 --- a/template/deployments/kustomize/base/service.yaml +++ b/template/deployments/kustomize/base/service.yaml @@ -9,7 +9,7 @@ metadata: spec: type: LoadBalancer selector: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} ports: - protocol: TCP port: {{ .Config.GetVariableValue "SERVICEPORT" }} diff --git a/template/deployments/kustomize/draft.yaml b/template/deployments/kustomize/draft.yaml index 2d68b013..074510a0 100644 --- a/template/deployments/kustomize/draft.yaml +++ b/template/deployments/kustomize/draft.yaml @@ -58,7 +58,7 @@ variables: kind: "kubernetesResourceRequest" default: disablePrompt: true - value: "0.5" + value: "1" description: "resource request for CPU" versions: ">=0.0.1" - name: "MEMREQ" 
@@ -74,7 +74,7 @@ variables: kind: "kubernetesResourceLimit" default: disablePrompt: true - value: "0.5" + value: "2" description: "resource limit for CPU" versions: ">=0.0.1" - name: "MEMLIMIT" @@ -82,7 +82,7 @@ variables: kind: "kubernetesResourceLimit" default: disablePrompt: true - value: "512Mi" + value: "1Gi" description: "resource request for Memory" versions: ">=0.0.1" - name: "READINESSPERIOD" diff --git a/template/deployments/kustomize/overlays/production/deployment.yaml b/template/deployments/kustomize/overlays/production/deployment.yaml index df3a7ed4..b5b36336 100644 --- a/template/deployments/kustomize/overlays/production/deployment.yaml +++ b/template/deployments/kustomize/overlays/production/deployment.yaml @@ -3,13 +3,13 @@ kind: Deployment metadata: name: {{ .Config.GetVariableValue "APPNAME" }} labels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL"}} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} spec: selector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} template: spec: containers: diff --git a/template/deployments/kustomize/overlays/production/service.yaml b/template/deployments/kustomize/overlays/production/service.yaml index 1edb9e84..e09cb036 100644 --- a/template/deployments/kustomize/overlays/production/service.yaml +++ b/template/deployments/kustomize/overlays/production/service.yaml @@ -4,6 +4,7 @@ metadata: name: {{ .Config.GetVariableValue "APPNAME"}} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} labels: + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} spec: type: LoadBalancer \ No newline at end of file 
diff --git a/template/deployments/manifests/draft.yaml b/template/deployments/manifests/draft.yaml index 0347efe9..cfc25e2c 100644 --- a/template/deployments/manifests/draft.yaml +++ b/template/deployments/manifests/draft.yaml @@ -58,7 +58,7 @@ variables: kind: "kubernetesResourceRequest" default: disablePrompt: true - value: "0.5" + value: "1" description: "resource request for CPU" versions: ">=0.0.1" - name: "MEMREQ" @@ -74,7 +74,7 @@ variables: kind: "kubernetesResourceLimit" default: disablePrompt: true - value: "0.5" + value: "2" description: "resource limit for CPU" versions: ">=0.0.1" - name: "MEMLIMIT" @@ -82,7 +82,7 @@ variables: kind: "kubernetesResourceLimit" default: disablePrompt: true - value: "512Mi" + value: "1Gi" description: "resource request for Memory" versions: ">=0.0.1" - name: "READINESSPERIOD" diff --git a/template/deployments/manifests/manifests/configmap.yaml b/template/deployments/manifests/manifests/configmap.yaml index 474528c2..76fb1235 100644 --- a/template/deployments/manifests/manifests/configmap.yaml +++ b/template/deployments/manifests/manifests/configmap.yaml @@ -3,6 +3,9 @@ kind: ConfigMap metadata: name: {{ .Config.GetVariableValue "APPNAME" | printf "%s-config" }} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} + labels: + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} + kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} data: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} {{ $key }}: {{ $value }} diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml index 530d57e5..98a97aa8 100644 --- a/template/deployments/manifests/manifests/deployment.yaml +++ b/template/deployments/manifests/manifests/deployment.yaml 
@@ -3,7 +3,6 @@ kind: Deployment metadata: name: {{ .Config.GetVariableValue "APPNAME" }} labels: - app: {{ .Config.GetVariableValue "APPNAME" }} app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} namespace: {{ .Config.GetVariableValue "NAMESPACE" }} @@ -11,11 +10,11 @@ spec: replicas: 1 selector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} template: metadata: labels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} spec: containers: - name: {{ .Config.GetVariableValue "APPNAME" }} diff --git a/template/deployments/manifests/manifests/service.yaml b/template/deployments/manifests/manifests/service.yaml index 448a0ca7..0fc84e87 100644 --- a/template/deployments/manifests/manifests/service.yaml +++ b/template/deployments/manifests/manifests/service.yaml @@ -9,7 +9,7 @@ metadata: spec: type: LoadBalancer selector: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} ports: - protocol: TCP port: {{ .Config.GetVariableValue "SERVICEPORT" }} From 3296e9f97af2bf12f08990ad340744583f6d2f91 Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Wed, 6 Nov 2024 16:40:51 -0500 Subject: [PATCH 03/11] remove some sec context --- pkg/fixtures/deployments/helm/charts/values.yaml | 6 ------ pkg/fixtures/deployments/kustomize/base/deployment.yaml | 6 ------ pkg/fixtures/deployments/manifest/manifests/deployment.yaml | 6 ------ template/deployments/helm/charts/values.yaml | 6 ------ template/deployments/kustomize/base/deployment.yaml | 6 ------ template/deployments/manifests/manifests/deployment.yaml | 6 ------ 6 files changed, 36 deletions(-) diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml index 1f87fd79..58905ad1 100644 
--- a/pkg/fixtures/deployments/helm/charts/values.yaml +++ b/pkg/fixtures/deployments/helm/charts/values.yaml @@ -79,12 +79,6 @@ affinity: app: testapp securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 - readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/pkg/fixtures/deployments/kustomize/base/deployment.yaml b/pkg/fixtures/deployments/kustomize/base/deployment.yaml index e83af792..206cce40 100644 --- a/pkg/fixtures/deployments/kustomize/base/deployment.yaml +++ b/pkg/fixtures/deployments/kustomize/base/deployment.yaml @@ -44,12 +44,6 @@ spec: successThreshold: 1 initialDelaySeconds: 3 securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 - readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml index e83af792..206cce40 100644 --- a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml @@ -44,12 +44,6 @@ spec: successThreshold: 1 initialDelaySeconds: 3 securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 - readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index 4f69418d..a99d0bc0 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml 
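Review bot: Dropping `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `runAsUser`/`runAsGroup` and `readOnlyRootFilesystem: true` leaves the generated container running as whatever user the image defaults to, frequently root, with setuid escalation allowed and a writable root filesystem, while the `capabilities.add` list that follows (including SYS_PTRACE) is kept and now applies to that process; the generated manifests also stop satisfying the Pod Security Standards restricted profile. The commit title suggests this is to get the integration test past an image that does not run as uid 1000; if so, `privileged: false` and `allowPrivilegeEscalation: false` do not depend on the image's user and should stay, and `runAsNonRoot`, `runAsUser` and `readOnlyRootFilesystem` could become opt-in draft variables rather than disappearing. The same deletion is made in the other five files of this patch, including the template hunks that follow.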
@@ -79,12 +79,6 @@ affinity: app: {{ .Config.GetVariableValue "APPNAME" }} securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 - readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index 98a97aa8..83baa4d6 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml @@ -44,12 +44,6 @@ spec: successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 - readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml index 98a97aa8..83baa4d6 100644 --- a/template/deployments/manifests/manifests/deployment.yaml +++ b/template/deployments/manifests/manifests/deployment.yaml @@ -44,12 +44,6 @@ spec: successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 - readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: From 83ff7a015be35ed0aaf3940ef382cc584f318a97 Mon Sep 17 00:00:00 2001 
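Review bot: The container securityContext in the three template hunks here loses `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, and the series never restores the first and the last (PATCH 09/10 re-add `runAsNonRoot`/`runAsUser`/`runAsGroup`, then PATCH 11 at L52 removes them again), so the generated Deployments fall out of the Pod Security `restricted` profile, which requires `allowPrivilegeEscalation: false` and `runAsNonRoot: true` alongside the `seccompProfile` and `capabilities.drop: [ALL]` that are kept. If the hardcoded `runAsUser: 1000` was what broke the sample apps, keep `runAsNonRoot: true` (the runtime checks it against the image's USER, no fixed uid needed) and `allowPrivilegeEscalation: false`, and expose `readOnlyRootFilesystem` through a draft variable rather than dropping it. The surviving `capabilities.add` list (`SYS_PTRACE`, `SETUID`, `DAC_OVERRIDE`, …) also reconstructs most of a default capability set right after `drop: [ALL]`, so each entry deserves a comment saying which app needs it; `restricted` only tolerates `NET_BIND_SERVICE` being added.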
From: Brandon Foley Date: Wed, 6 Nov 2024 17:25:21 -0500 Subject: [PATCH 04/11] test no sec context --- .github/workflows/integration-linux.yml | 2 ++ .../deployments/helm/charts/values.yaml | 22 +------------------ template/deployments/helm/charts/values.yaml | 22 +------------------ 3 files changed, 4 insertions(+), 42 deletions(-) diff --git a/.github/workflows/integration-linux.yml b/.github/workflows/integration-linux.yml index 3dd40c1d..3c5bbe11 100644 --- a/.github/workflows/integration-linux.yml +++ b/.github/workflows/integration-linux.yml @@ -444,6 +444,8 @@ jobs: npm install -g ajv-cli@5.0.0 ajv validate -s test/update_dry_run_schema.json -d test/temp/update_dry_run.json - run: ./draft -v update -d ./langtest/ -a webapp_routing --variable ingress-tls-cert-keyvault-uri=test.cert.keyvault.uri --variable ingress-use-osm-mtls=true --variable ingress-host=host1 + - name: print manifests + run: cat ./langtest/manifests/* - name: start minikube id: minikube uses: medyagh/setup-minikube@master diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml index 58905ad1..ed83c293 100644 --- a/pkg/fixtures/deployments/helm/charts/values.yaml +++ b/pkg/fixtures/deployments/helm/charts/values.yaml @@ -78,27 +78,7 @@ affinity: matchLabels: app: testapp -securityContext: - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - add: - - SETPCAP - - MKNOD - - AUDIT_WRITE - - CHOWN - - DAC_OVERRIDE - - FOWNER - - FSETID - - KILL - - SETGID - - SETUID - - NET_BIND_SERVICE - - SYS_CHROOT - - SETFCAP - - SYS_PTRACE +securityContext: {} envVars: diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index a99d0bc0..9887f895 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml 
@@ -78,27 +78,7 @@ affinity: matchLabels: app: {{ .Config.GetVariableValue "APPNAME" }} -securityContext: - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - add: - - SETPCAP - - MKNOD - - AUDIT_WRITE - - CHOWN - - DAC_OVERRIDE - - FOWNER - - FSETID - - KILL - - SETGID - - SETUID - - NET_BIND_SERVICE - - SYS_CHROOT - - SETFCAP - - SYS_PTRACE +securityContext: {} envVars: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} From 0074eaee9c393291eaaf87b9958df5ee5f41d15e Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Wed, 6 Nov 2024 19:32:56 -0500 Subject: [PATCH 05/11] Some fixes --- pkg/cmdhelpers/workflow_helpers.go | 2 +- .../deployments/helm/charts/templates/deployment.yaml | 2 -- pkg/fixtures/deployments/helm/charts/values.yaml | 4 ++-- pkg/fixtures/deployments/kustomize/base/deployment.yaml | 6 ++---- pkg/fixtures/deployments/manifest/manifests/deployment.yaml | 6 ++---- template/deployments/helm/charts/templates/deployment.yaml | 2 -- template/deployments/helm/charts/values.yaml | 4 ++-- template/deployments/kustomize/base/deployment.yaml | 6 ++---- template/deployments/manifests/manifests/deployment.yaml | 6 ++---- 9 files changed, 13 insertions(+), 25 deletions(-) diff --git a/pkg/cmdhelpers/workflow_helpers.go b/pkg/cmdhelpers/workflow_helpers.go index 889536c0..0c06f25a 100644 --- a/pkg/cmdhelpers/workflow_helpers.go +++ b/pkg/cmdhelpers/workflow_helpers.go @@ -80,7 +80,7 @@ func setDeploymentContainerImage(filePath, productionImage string) error { printer := printers.YAMLPrinter{} - out, err := os.OpenFile(filePath, os.O_RDWR, 0755) + out, err := os.OpenFile(filePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755) if err != nil { return nil } diff --git a/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml b/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml index b371402e..033c511a 100644 --- a/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml 
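Review bot: In the `workflow_helpers.go` hunk the `if err != nil { return nil }` directly under the changed `os.OpenFile` line swallows the open failure, so an unwritable or missing manifest makes `setDeploymentContainerImage` report success without writing anything; it should be `return fmt.Errorf("opening deployment manifest %s: %w", filePath, err)` (or a plain `return err` if `fmt` is not imported in this file). The creation mode `0755` also marks the YAML manifest executable; `0644` is enough for a data file. The function body starts and ends outside the hunk, so I cannot see whether `out` is closed or whether a write error from the printer is propagated — with `O_TRUNC` now in place, a failed write leaves an empty manifest behind, so that error path matters.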
+++ b/pkg/fixtures/deployments/helm/charts/templates/deployment.yaml @@ -63,5 +63,3 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - hostNetwork: false - hostIPC: false diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml index ed83c293..e9be6462 100644 --- a/pkg/fixtures/deployments/helm/charts/values.yaml +++ b/pkg/fixtures/deployments/helm/charts/values.yaml @@ -66,7 +66,7 @@ topologySpreadConstraints: whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp affinity: podAntiAffinity: @@ -76,7 +76,7 @@ affinity: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp securityContext: {} diff --git a/pkg/fixtures/deployments/kustomize/base/deployment.yaml b/pkg/fixtures/deployments/kustomize/base/deployment.yaml index 206cce40..3972476c 100644 --- a/pkg/fixtures/deployments/kustomize/base/deployment.yaml +++ b/pkg/fixtures/deployments/kustomize/base/deployment.yaml @@ -72,13 +72,11 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: - app: testapp - hostNetwork: false - hostIPC: false \ No newline at end of file + app.kubernetes.io/name: testapp \ No newline at end of file diff --git a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml index 206cce40..3972476c 100644 --- a/pkg/fixtures/deployments/manifest/manifests/deployment.yaml +++ b/pkg/fixtures/deployments/manifest/manifests/deployment.yaml 
@@ -72,13 +72,11 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: testapp + app.kubernetes.io/name: testapp topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: - app: testapp - hostNetwork: false - hostIPC: false \ No newline at end of file + app.kubernetes.io/name: testapp \ No newline at end of file diff --git a/template/deployments/helm/charts/templates/deployment.yaml b/template/deployments/helm/charts/templates/deployment.yaml index 87167363..e4bad855 100644 --- a/template/deployments/helm/charts/templates/deployment.yaml +++ b/template/deployments/helm/charts/templates/deployment.yaml @@ -72,6 +72,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - hostNetwork: false - hostIPC: false ` -}} \ No newline at end of file diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index 9887f895..8a0c9509 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml @@ -66,7 +66,7 @@ topologySpreadConstraints: whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} affinity: podAntiAffinity: @@ -76,7 +76,7 @@ affinity: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} securityContext: {} diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index 83baa4d6..7f216e0d 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml 
@@ -72,13 +72,11 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} - hostNetwork: false - hostIPC: false \ No newline at end of file + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} \ No newline at end of file diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml index 83baa4d6..7f216e0d 100644 --- a/template/deployments/manifests/manifests/deployment.yaml +++ b/template/deployments/manifests/manifests/deployment.yaml @@ -72,13 +72,11 @@ spec: topologyKey: kubernetes.io/hostname labelSelector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: - app: {{ .Config.GetVariableValue "APPNAME" }} - hostNetwork: false - hostIPC: false \ No newline at end of file + app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} \ No newline at end of file From b65f10b15d42ded8e65189a6f6bf6e3f1ac6f4ac Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Thu, 7 Nov 2024 13:44:12 -0500 Subject: [PATCH 06/11] adding limits for swift --- template/deployments/helm/charts/templates/configmap.yaml | 2 +- template/deployments/kustomize/base/configmap.yaml | 2 +- template/deployments/manifests/manifests/configmap.yaml | 2 +- test/integration/swift/helm.yaml | 4 ++++ test/integration/swift/kustomize.yaml | 4 ++++ test/integration/swift/manifest.yaml | 4 ++++ 6 files changed, 15 insertions(+), 3 deletions(-) 
diff --git a/template/deployments/helm/charts/templates/configmap.yaml b/template/deployments/helm/charts/templates/configmap.yaml index 3447b36a..d224844e 100644 --- a/template/deployments/helm/charts/templates/configmap.yaml +++ b/template/deployments/helm/charts/templates/configmap.yaml @@ -10,6 +10,6 @@ metadata: data: {{- ` {{- range $key, $value := .Values.envVars }} - {{ $key }}: {{ $value }} + "{{ $key }}": "{{ $value }}" {{- end }} ` -}} \ No newline at end of file diff --git a/template/deployments/kustomize/base/configmap.yaml b/template/deployments/kustomize/base/configmap.yaml index 76fb1235..9d924e4b 100644 --- a/template/deployments/kustomize/base/configmap.yaml +++ b/template/deployments/kustomize/base/configmap.yaml @@ -8,5 +8,5 @@ metadata: kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} data: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} - {{ $key }}: {{ $value }} + "{{ $key }}": "{{ $value }}" {{- end }} \ No newline at end of file diff --git a/template/deployments/manifests/manifests/configmap.yaml b/template/deployments/manifests/manifests/configmap.yaml index 76fb1235..9d924e4b 100644 --- a/template/deployments/manifests/manifests/configmap.yaml +++ b/template/deployments/manifests/manifests/configmap.yaml @@ -8,5 +8,5 @@ metadata: kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} data: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} - {{ $key }}: {{ $value }} + "{{ $key }}": "{{ $value }}" {{- end }} \ No newline at end of file diff --git a/test/integration/swift/helm.yaml b/test/integration/swift/helm.yaml index eecb1c58..c750d8be 100644 --- a/test/integration/swift/helm.yaml +++ b/test/integration/swift/helm.yaml @@ -10,6 +10,10 @@ deployVariables: value: "testapp" - name: "IMAGENAME" value: "host.minikube.internal:5001/testapp" + - name: "CPULIMIT" + value: "3" + - name: "MEMLIMIT" + value: "2Gi" languageVariables: - name: "VERSION" value: "5.5" 
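Review bot: The quoting added at `"{{ $key }}": "{{ $value }}"` makes every ConfigMap entry a string, which is what the API requires, but it does not escape a value that itself contains `"` or `\`, and the rendered file is then invalid YAML; `{{ $key }}: {{ printf "%q" $value }}` (a Go text/template builtin, usable in the draft-rendered kustomize and manifests hunks of this commit) emits a properly escaped double-quoted scalar, and the Helm template can use `{{ $value | quote }}` since that inner block is rendered by Helm. Separately, every ENVVARS value is now written in plaintext into a ConfigMap that lives in the repository, which neither the template nor the variable description says; a header comment such as `# values are rendered in plaintext - put credentials in a Secret, not here` would set the expectation.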
diff --git a/test/integration/swift/kustomize.yaml b/test/integration/swift/kustomize.yaml index 254bbb98..e03493e8 100644 --- a/test/integration/swift/kustomize.yaml +++ b/test/integration/swift/kustomize.yaml @@ -10,6 +10,10 @@ deployVariables: value: "testapp" - name: "IMAGENAME" value: "host.minikube.internal:5001/testapp" + - name: "CPULIMIT" + value: "3" + - name: "MEMLIMIT" + value: "2Gi" languageVariables: - name: "VERSION" value: "5.5" diff --git a/test/integration/swift/manifest.yaml b/test/integration/swift/manifest.yaml index 91b7fbdb..1c1a4609 100644 --- a/test/integration/swift/manifest.yaml +++ b/test/integration/swift/manifest.yaml @@ -10,6 +10,10 @@ deployVariables: value: "testapp" - name: "IMAGENAME" value: "host.minikube.internal:5001/testapp" + - name: "CPULIMIT" + value: "3" + - name: "MEMLIMIT" + value: "2Gi" languageVariables: - name: "VERSION" value: "5.5" From 435276f932fbaca0e94f58dc9a7cd7ae6c9287ee Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Thu, 7 Nov 2024 14:37:58 -0500 Subject: [PATCH 07/11] update ruby repo --- .github/workflows/integration-linux.yml | 12 ++++++------ .github/workflows/integration-windows.yml | 4 ++-- test/integration_config.json | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/integration-linux.yml b/.github/workflows/integration-linux.yml index 3c5bbe11..c0f4d146 100644 --- a/.github/workflows/integration-linux.yml +++ b/.github/workflows/integration-linux.yml @@ -2240,7 +2240,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - name: Execute Dry Run with config file run: | 
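Review bot: `repository: davidgamero/sinatra-hello-world` is checked out without a `ref:`, so the job builds and runs in minikube whatever is on that personal repository's default branch at run time; a force-push there silently changes what CI executes (the previous `OliverMKing/ruby-hello-world` had the same exposure, so this is inherited rather than new). Pin the checkout with `ref: <commit-sha>` (placeholder) next to `path:`, or host the sample app under the project's own organization; the same applies to the other five hunks of this file at L46 and the two integration-windows.yml hunks at L47. If `test/integration_config.json` is what drives these workflows, its `repo` field would need a companion field for the pinned ref.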
@@ -2275,7 +2275,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - run: rm -rf ./langtest/manifests && rm -f ./langtest/Dockerfile ./langtest/.dockerignore - run: ./draft -v create -c ./test/integration/ruby/helm.yaml -d ./langtest/ @@ -2381,7 +2381,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - name: Execute Dry Run with config file run: | @@ -2416,7 +2416,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - run: rm -rf ./langtest/manifests && rm -f ./langtest/Dockerfile ./langtest/.dockerignore - run: ./draft -v create -c ./test/integration/ruby/kustomize.yaml -d ./langtest/ @@ -2513,7 +2513,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - name: Execute Dry Run with config file run: | @@ -2548,7 +2548,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - run: rm -rf ./langtest/manifests && rm -f ./langtest/Dockerfile ./langtest/.dockerignore - run: ./draft -v create -c ./test/integration/ruby/manifest.yaml -d ./langtest/ diff --git a/.github/workflows/integration-windows.yml b/.github/workflows/integration-windows.yml index 0ba56d35..d743a2a8 100644 --- a/.github/workflows/integration-windows.yml +++ b/.github/workflows/integration-windows.yml 
@@ -551,7 +551,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - run: Remove-Item ./langtest/manifests -Recurse -Force -ErrorAction Ignore - run: Remove-Item ./langtest/Dockerfile -ErrorAction Ignore @@ -601,7 +601,7 @@ jobs: - run: mkdir ./langtest - uses: actions/checkout@v3 with: - repository: OliverMKing/ruby-hello-world + repository: davidgamero/sinatra-hello-world path: ./langtest - run: Remove-Item ./langtest/manifests -Recurse -Force -ErrorAction Ignore - run: Remove-Item ./langtest/Dockerfile -ErrorAction Ignore diff --git a/test/integration_config.json b/test/integration_config.json index c9385762..1dae66b3 100644 --- a/test/integration_config.json +++ b/test/integration_config.json @@ -39,7 +39,7 @@ "version": "3.1.2", "port": "8000", "serviceport": 80, - "repo": "OliverMKing/ruby-hello-world" + "repo": "davidgamero/sinatra-hello-world" }, { "language": "csharp", From 360d413b1c08ddba888a5ac57cdbd38d1c944529 Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Thu, 7 Nov 2024 14:39:27 -0500 Subject: [PATCH 08/11] correct port --- test/integration/ruby/helm.yaml | 4 ++-- test/integration/ruby/kustomize.yaml | 4 ++-- test/integration/ruby/manifest.yaml | 4 ++-- test/integration_config.json | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/test/integration/ruby/helm.yaml b/test/integration/ruby/helm.yaml index 2d58f3ed..e53c19f4 100644 --- a/test/integration/ruby/helm.yaml +++ b/test/integration/ruby/helm.yaml @@ -3,7 +3,7 @@ deployType: "Helm" languageType: "ruby" deployVariables: - name: "PORT" - value: "8000" + value: "4567" - name: "SERVICEPORT" value: "80" - name: "APPNAME" @@ -16,4 +16,4 @@ languageVariables: - name: "BUILDERVERSION" value: "null" - name: "PORT" - value: "8000" + value: "4567" 
diff --git a/test/integration/ruby/kustomize.yaml b/test/integration/ruby/kustomize.yaml index 102f6bd7..87e8e8a9 100644 --- a/test/integration/ruby/kustomize.yaml +++ b/test/integration/ruby/kustomize.yaml @@ -3,7 +3,7 @@ deployType: "kustomize" languageType: "ruby" deployVariables: - name: "PORT" - value: "8000" + value: "4567" - name: "SERVICEPORT" value: "80" - name: "APPNAME" @@ -16,4 +16,4 @@ languageVariables: - name: "BUILDERVERSION" value: "null" - name: "PORT" - value: "8000" + value: "4567" diff --git a/test/integration/ruby/manifest.yaml b/test/integration/ruby/manifest.yaml index f0f58751..9ae7d759 100644 --- a/test/integration/ruby/manifest.yaml +++ b/test/integration/ruby/manifest.yaml @@ -3,7 +3,7 @@ deployType: "manifests" languageType: "ruby" deployVariables: - name: "PORT" - value: "8000" + value: "4567" - name: "SERVICEPORT" value: "80" - name: "APPNAME" @@ -16,4 +16,4 @@ languageVariables: - name: "BUILDERVERSION" value: "null" - name: "PORT" - value: "8000" + value: "4567" diff --git a/test/integration_config.json b/test/integration_config.json index 1dae66b3..becbd4df 100644 --- a/test/integration_config.json +++ b/test/integration_config.json @@ -37,7 +37,7 @@ { "language": "ruby", "version": "3.1.2", - "port": "8000", + "port": "4567", "serviceport": 80, "repo": "davidgamero/sinatra-hello-world" }, From f0835c2f49b5bc04245755140581c4ca35f2d1ec Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Fri, 8 Nov 2024 09:53:07 -0500 Subject: [PATCH 09/11] add runasnonroot --- template/deployments/helm/charts/values.yaml | 23 ++++++++++++++++++- .../kustomize/base/deployment.yaml | 1 + .../manifests/manifests/deployment.yaml | 1 + 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index 8a0c9509..dd5d36e1 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml 
@@ -78,7 +78,28 @@ affinity: matchLabels: app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} -securityContext: {} +securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE envVars: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index 7f216e0d..c2e7e776 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml @@ -44,6 +44,7 @@ spec: successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: + runAsNonRoot: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml index 7f216e0d..c2e7e776 100644 --- a/template/deployments/manifests/manifests/deployment.yaml +++ b/template/deployments/manifests/manifests/deployment.yaml @@ -44,6 +44,7 @@ spec: successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: + runAsNonRoot: true seccompProfile: type: RuntimeDefault capabilities: From bf7e42c9740e76b4b109b2d67738e44a5c727078 Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Fri, 8 Nov 2024 10:05:04 -0500 Subject: [PATCH 10/11] need run as user --- template/deployments/helm/charts/values.yaml | 2 ++ template/deployments/kustomize/base/deployment.yaml | 2 ++ template/deployments/manifests/manifests/deployment.yaml | 2 ++ 3 files changed, 6 insertions(+) 
diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index dd5d36e1..e97c664c 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml @@ -80,6 +80,8 @@ affinity: securityContext: runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index c2e7e776..d1f3fd02 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml @@ -45,6 +45,8 @@ spec: initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml index c2e7e776..d1f3fd02 100644 --- a/template/deployments/manifests/manifests/deployment.yaml +++ b/template/deployments/manifests/manifests/deployment.yaml @@ -45,6 +45,8 @@ spec: initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 seccompProfile: type: RuntimeDefault capabilities: From 570b32866da4a060e95f3b5a539711b05474942f Mon Sep 17 00:00:00 2001 From: Brandon Foley Date: Fri, 8 Nov 2024 10:36:48 -0500 Subject: [PATCH 11/11] cleanup tests --- .../deployments/helm/charts/values.yaml | 22 ++++++++++++++++++- .../helm/charts/templates/configmap.yaml | 2 +- template/deployments/helm/charts/values.yaml | 3 --- .../deployments/kustomize/base/configmap.yaml | 2 +- .../kustomize/base/deployment.yaml | 3 --- .../manifests/manifests/configmap.yaml | 2 +- .../manifests/manifests/deployment.yaml | 3 --- 7 files changed, 24 insertions(+), 13 deletions(-) 
diff --git a/pkg/fixtures/deployments/helm/charts/values.yaml b/pkg/fixtures/deployments/helm/charts/values.yaml index e9be6462..5af9625e 100644 --- a/pkg/fixtures/deployments/helm/charts/values.yaml +++ b/pkg/fixtures/deployments/helm/charts/values.yaml @@ -78,7 +78,27 @@ affinity: matchLabels: app.kubernetes.io/name: testapp -securityContext: {} +securityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - SETPCAP + - MKNOD + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - SETGID + - SETUID + - NET_BIND_SERVICE + - SYS_CHROOT + - SETFCAP + - SYS_PTRACE envVars: diff --git a/template/deployments/helm/charts/templates/configmap.yaml b/template/deployments/helm/charts/templates/configmap.yaml index d224844e..3447b36a 100644 --- a/template/deployments/helm/charts/templates/configmap.yaml +++ b/template/deployments/helm/charts/templates/configmap.yaml @@ -10,6 +10,6 @@ metadata: data: {{- ` {{- range $key, $value := .Values.envVars }} - "{{ $key }}": "{{ $value }}" + {{ $key }}: {{ $value }} {{- end }} ` -}} \ No newline at end of file diff --git a/template/deployments/helm/charts/values.yaml b/template/deployments/helm/charts/values.yaml index e97c664c..8ace3114 100644 --- a/template/deployments/helm/charts/values.yaml +++ b/template/deployments/helm/charts/values.yaml @@ -79,9 +79,6 @@ affinity: app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }} securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/kustomize/base/configmap.yaml b/template/deployments/kustomize/base/configmap.yaml index 9d924e4b..76fb1235 100644 --- a/template/deployments/kustomize/base/configmap.yaml +++ b/template/deployments/kustomize/base/configmap.yaml 
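Review bot: Reverting to `{{ $key }}: {{ $value }}` in the helm configmap hunk undoes the PATCH 06 fix: a ConfigMap's `data` map only admits string values, so an ENVVARS value that YAML reads as a number or boolean (`8080`, `true`) renders an object the API server rejects, and a value containing `: `, `#` or a leading `*`/`&` corrupts the document. If the quoted form broke a test, the remedy is proper escaping rather than dropping the quotes — `{{ $key }}: {{ printf "%q" $value }}` for the draft-rendered templates and `{{ $value | quote }}` inside the Helm block — and the kustomize and manifests configmap hunks at L52 need the same treatment. The commit message ("cleanup tests") does not say why the quoting was removed, which is worth recording since the three hunks now disagree with the tested fixtures.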
@@ -8,5 +8,5 @@ metadata: kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} data: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} - "{{ $key }}": "{{ $value }}" + {{ $key }}: {{ $value }} {{- end }} \ No newline at end of file diff --git a/template/deployments/kustomize/base/deployment.yaml b/template/deployments/kustomize/base/deployment.yaml index d1f3fd02..7f216e0d 100644 --- a/template/deployments/kustomize/base/deployment.yaml +++ b/template/deployments/kustomize/base/deployment.yaml @@ -44,9 +44,6 @@ spec: successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 seccompProfile: type: RuntimeDefault capabilities: diff --git a/template/deployments/manifests/manifests/configmap.yaml b/template/deployments/manifests/manifests/configmap.yaml index 9d924e4b..76fb1235 100644 --- a/template/deployments/manifests/manifests/configmap.yaml +++ b/template/deployments/manifests/manifests/configmap.yaml @@ -8,5 +8,5 @@ metadata: kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }} data: {{- range $key, $value := .Config.GetVariableValue "ENVVARS" }} - "{{ $key }}": "{{ $value }}" + {{ $key }}: {{ $value }} {{- end }} \ No newline at end of file diff --git a/template/deployments/manifests/manifests/deployment.yaml b/template/deployments/manifests/manifests/deployment.yaml index d1f3fd02..7f216e0d 100644 --- a/template/deployments/manifests/manifests/deployment.yaml +++ b/template/deployments/manifests/manifests/deployment.yaml @@ -44,9 +44,6 @@ spec: successThreshold: {{ .Config.GetVariableValue "READINESSSUCCESSTHRESHOLD" }} initialDelaySeconds: {{ .Config.GetVariableValue "READINESSINITIALDELAY" }} securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 3000 seccompProfile: type: RuntimeDefault capabilities: