sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(notes): Explicitly template security contexts; add missing ingress classes and pull secrets

Browse Source
This commit is contained in:
Thomas Kaltenbrunner
2025-08-13 12:56:51 +02:00
committed by Thorsten Roßner
parent 410a1ade69
commit 834c84768a
2 changed files with 66 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
helmfile/apps/notes/values.yaml.gotmpl
View File

@@ -4,10 +4,12 @@
global: global:
collaborationServerSecret: collaborationServerSecret:
value: {{ .Values.secrets.notes.collaborationSecret | quote }} value: {{ .Values.secrets.notes.collaborationSecret | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
yProviderApiKey: yProviderApiKey:
value: {{ .Values.secrets.notes.collaborationSecret | quote }} value: {{ .Values.secrets.notes.collaborationSecret | quote }}
fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
backend: backend:
image: image:
@@ -23,14 +25,13 @@ backend:
{{- if .Values.annotations.notesBackend.ingress }} {{- if .Values.annotations.notesBackend.ingress }}
{{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }} {{ .Values.annotations.notesBackend.ingress | toYaml | nindent 6 }}
{{- end }} {{- end }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
ingressAdmin: ingressAdmin:
enabled: true enabled: true
annotations: annotations:
{{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }} {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
replicaCount: {{ .Values.replicas.notesBackend }} replicaCount: {{ .Values.replicas.notesBackend }}
containerSecurityContext:
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
configuration: configuration:
ai: ai:
apiKey: apiKey:
@@ -100,12 +101,31 @@ backend:
value: "False" value: "False"
- name: "FRONTEND_FOOTER_FEATURE_ENABLED" - name: "FRONTEND_FOOTER_FEATURE_ENABLED"
value: "False" value: "False"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
podAnnotations: podAnnotations:
{{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }} {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
podAnnotationsCreateUser: podAnnotationsCreateUser:
{{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }} {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
podAnnotationsMigrate: podAnnotationsMigrate:
{{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }} {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
resources: resources:
{{ .Values.resources.notesBackend | toYaml | nindent 4 }} {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
service: service:
@@ -131,10 +151,16 @@ frontend:
repository: {{ .Values.images.notesFrontend.repository | quote }} repository: {{ .Values.images.notesFrontend.repository | quote }}
pullPolicy: "IfNotPresent" pullPolicy: "IfNotPresent"
tag: {{ .Values.images.notesFrontend.tag | quote }} tag: {{ .Values.images.notesFrontend.tag | quote }}
ingress:
enabled: true
annotations:
{{ .Values.annotations.notesFrontend.ingress | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
ingressMedia: ingressMedia:
enabled: true enabled: true
annotations: annotations:
{{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }} {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
extraEnvVars: extraEnvVars:
- name: "ICS_BASE_URL" - name: "ICS_BASE_URL"
value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }} value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
@@ -145,10 +171,26 @@ frontend:
resources: resources:
{{ .Values.resources.notesFrontend | toYaml | nindent 4 }} {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: seLinuxOptions:
{{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }} {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
podAnnotations: podAnnotations:
{{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }} {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
podSecurityContext:
enabled: true
fsGroup: 1000
fsGroupChangePolicy: "Always"
service: service:
annotations: annotations:
{{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }} {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
@@ -181,16 +223,34 @@ y-provider:
subPath: "ca-certificates.crt" subPath: "ca-certificates.crt"
{{- end }} {{- end }}
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
privileged: false
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
seLinuxOptions: seLinuxOptions:
{{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }} {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
ingressCollaborationApi: ingressCollaborationApi:
annotations: annotations:
{{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }} {{ .Values.annotations.notesYProvider.ingressCollaborationAPI | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
ingressCollaborationWs: ingressCollaborationWs:
annotations: annotations:
{{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }} {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
podAnnotations: podAnnotations:
{{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }} {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
podSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: "Always"
service: service:
annotations: annotations:
{{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }} {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}

1
helmfile/environments/default/annotations.yaml.gotmpl
View File

@@ -134,6 +134,7 @@ annotations:
pod: ~ pod: ~
service: ~ service: ~
notesFrontend: notesFrontend:
ingress: ~
ingressMedia: ~ ingressMedia: ~
pod: ~ pod: ~
service: ~ service: ~