fix kubernetes vulnerabilities

On-behalf-of: @SAP angel.kafazov@sap.com
Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>

.kube-linter.yaml

@@ -0,0 +1,4 @@
+checks:
+  ignorePaths:
+    - charts/keycloak/charts/keycloak/**
+    - charts/openmfp/charts/**

charts/example-content/templates/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: {{ include "common.entity.name" . }}
   labels:
     app: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   strategy:
     rollingUpdate:

charts/example-content/tests/__snapshot__/snapshot_test.yaml.snap

@@ -32,6 +32,7 @@ matches the snapshot:
       labels:
         app: RELEASE-NAME-example-content
       name: RELEASE-NAME-example-content
+      namespace: NAMESPACE
     spec:
       revisionHistoryLimit: 3
       selector:
@@ -170,6 +171,7 @@ matches the snapshot (internalUrl):
       labels:
         app: RELEASE-NAME-example-content
       name: RELEASE-NAME-example-content
+      namespace: NAMESPACE
     spec:
       revisionHistoryLimit: 3
       selector:

charts/extension-manager-operator/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.2.0
 - name: common
   repository: oci://ghcr.io/openmfp/helm-charts
-  version: 0.2.8
-digest: sha256:00b76610b045f6ca44675ce287d551823ca67c7bac847bebdb5ae5c3fed0a318
-generated: "2025-02-10T18:48:47.676919501Z"
+  version: 0.2.10
+digest: sha256:c8a77b63c1295e33c8d4ac0cc03bec78b6e57d7c52681a673427eb3e40371da1
+generated: "2025-02-13T13:12:03.358427145+02:00"

charts/extension-manager-operator/Chart.yaml

@@ -2,13 +2,13 @@ apiVersion: v2
 name: extension-manager-operator
 description: A Helm chart for extension-manager-operator which manages resources like ContentConfigurations and exposes REST `/validate` endpoint
 type: application
-version: 0.23.5
+version: 0.24.0
 appVersion: "0.116.0"
 dependencies:
   - name: extension-manager-operator-crds
     version: 0.2.0
     condition: crds.enabled
     repository: oci://ghcr.io/openmfp/helm-charts
   - name: common
-    version: 0.2.8
+    version: 0.2.10
     repository: oci://ghcr.io/openmfp/helm-charts

charts/extension-manager-operator/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
   {{- if .Values.commonAnnotations }}
   annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
   {{- end }}
@@ -34,6 +35,7 @@ spec:
           image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
           imagePullPolicy: {{ include "common.imagePullPolicy" . }}
           name: manager
+          {{- include "common.container.securityContext" . | nindent 10 }}
           ports:
           {{- include "common.PortsMetricsHealth" . | nindent 10 -}}
           {{- include "common.operatorHealthAndReadyness" . | nindent 10 -}}
@@ -43,6 +45,7 @@ spec:
           image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
           imagePullPolicy: {{ include "common.imagePullPolicy" . }}
           name: server
+          {{- include "common.resources" . | nindent 10 }}
           {{- include "common.container.securityContext" . | nindent 10 }}
           ports:
           - containerPort: {{ .Values.validationServer.port }}

charts/extension-manager-operator/templates/service-account.yaml

@@ -2,4 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "common.entity.name" . }}
+  namespace: {{ .Release.Namespace }}
 {{- include "common.imagePullSecret" . }}

charts/extension-manager-operator/tests/__snapshot__/deployment_test.yaml.snap

@@ -68,6 +68,7 @@ operator match the snapshot:
     kind: Deployment
     metadata:
       name: extension-manager-operator
+      namespace: NAMESPACE
     spec:
       revisionHistoryLimit: 3
       selector:
@@ -117,6 +118,11 @@ operator match the snapshot:
                 requests:
                   cpu: 40m
                   memory: 50Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
               startupProbe:
                 failureThreshold: 30
                 httpGet:
@@ -148,6 +154,13 @@ operator match the snapshot:
                   port: 8081
                 initialDelaySeconds: 5
                 periodSeconds: 10
+              resources:
+                limits:
+                  cpu: 260m
+                  memory: 512Mi
+                requests:
+                  cpu: 40m
+                  memory: 50Mi
               securityContext:
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
@@ -172,3 +185,4 @@ operator match the snapshot:
     kind: ServiceAccount
     metadata:
       name: extension-manager-operator
+      namespace: NAMESPACE

charts/extension-manager-operator/tests/deployment_test.yaml

@@ -101,9 +101,6 @@ tests:
             - name: my-secret
   - it: with validationServer
     template: deployment.yaml
-    set:
-      validationServer:
-        enabled: true
     asserts:
       - equal:
           path: spec.template.spec.containers[1].name