migrate _deploymentHelpers and use common.security in template

On-behalf-of: @SAP angel.kafazov@sap.com Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>
openmfp · Nov 25, 2024 · de0971f · de0971f
1 parent 3ab471c
commit de0971f
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 7 deletions.
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -17,9 +17,6 @@ tasks:
     deps: []
     cmds:
       - "ct lint --target-branch main --validate-maintainers=false --charts={{.CHARTS}}"
-  # package:
-  #   cmds: 
-  #     - helm package ./charts/openmfp
   helmtest:
     cmds:
       - "for chart in $(echo {{.CHARTS}} | tr ',' ' '); do helm unittest $chart; done"

diff --git a/charts/account-operator/charts/account-operator-crds-0.1.5.tgz b/charts/account-operator/charts/account-operator-crds-0.1.5.tgz
diff --git a/charts/account-operator/charts/common-0.1.5.tgz b/charts/account-operator/charts/common-0.1.5.tgz
diff --git a/charts/account-operator/templates/deployment.yaml b/charts/account-operator/templates/deployment.yaml
@@ -37,9 +37,7 @@ spec:
           - "--health-probe-bind-address=:{{ .Values.health.port }}"
           image: {{ .Values.image.name }}:{{ .Chart.AppVersion }}
           name: manager
-          securityContext:
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
+          {{ include "common.security" . | nindent 10 }}
           ports:
           - containerPort: {{ .Values.metrics.port }}
             name: metrics

diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap
@@ -298,6 +298,7 @@ operator match the snapshot:
                 - --leader-elect
                 - --log-level=warn
                 - --health-probe-bind-address=:8081
+              automountServiceAccountToken: true
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
@@ -356,6 +357,9 @@ operator match the snapshot:
               securityContext:
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
+              serviceAccountName: RELEASE-NAME
               volumeMounts: null
           serviceAccountName: RELEASE-NAME-account-operator
           terminationGracePeriodSeconds: 10
@@ -668,6 +672,7 @@ operator match the snapshot (with kubeconfigSecret):
                 - --leader-elect
                 - --log-level=warn
                 - --health-probe-bind-address=:8081
+              automountServiceAccountToken: true
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
@@ -728,6 +733,9 @@ operator match the snapshot (with kubeconfigSecret):
               securityContext:
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
+              serviceAccountName: RELEASE-NAME
               volumeMounts:
                 - mountPath: /api-kubeconfig
                   name: external-api-server
@@ -1048,6 +1056,7 @@ operator match the snapshot with webhook enabled:
                 - --leader-elect
                 - --log-level=warn
                 - --health-probe-bind-address=:8081
+              automountServiceAccountToken: true
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
@@ -1109,6 +1118,9 @@ operator match the snapshot with webhook enabled:
               securityContext:
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
+              serviceAccountName: RELEASE-NAME
               volumeMounts:
                 - mountPath: /certs
                   name: cert

diff --git a/charts/account-operator/tests/deployment_test.yaml b/charts/account-operator/tests/deployment_test.yaml
@@ -15,4 +15,20 @@ tests:
       webhooks:
         enabled: true
     asserts:
-      - matchSnapshot: {}
+      - matchSnapshot: {}
+  - it: deployment with security context
+    template: deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+      - equal:
+          path: spec.template.spec.containers[0].serviceAccountName
+          value: RELEASE-NAME
+      - equal:
+          path: spec.template.spec.containers[0].automountServiceAccountToken
+          value: true
diff --git a/charts/common/templates/_deploymentHelpers.tpl b/charts/common/templates/_deploymentHelpers.tpl
@@ -0,0 +1,125 @@
+{{- define "common.deploymentBasics" }}
+strategy:
+  rollingUpdate:
+    maxSurge: {{ (and .Values.deployment .Values.deployment.maxSurge) | default 5 }}
+    maxUnavailable: {{ (and .Values.deployment .Values.deployment.maxUnavailable) | default 0 }}
+  type: {{ .Values.deployment.strategy }}
+revisionHistoryLimit: 3
+selector:
+  matchLabels:
+    app: {{ .Release.Name }}
+{{- end }}
+{{- define "common.podBasics" }}
+name: {{ .Release.Name }}
+image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
+{{ include "common.resources" . }}
+{{ include "common.ports" . }}
+{{- end }}
+{{- define "common.resources" }}
+resources:
+  limits:
+    {{- if ((.Values.resources).limits).cpu }}
+    cpu: {{ ((.Values.resources).limits).cpu | quote }}
+    {{- end }}
+    memory: {{ ((.Values.resources).limits).memory | default "512Mi" | quote }}
+  requests:
+    cpu: {{ ((.Values.resources).requests).cpu | default "40m" }}
+    memory: {{ ((.Values.resources).requests).memory | default "50Mi" | quote }}
+{{- end }}
+{{- define "common.ports" }}
+ports:
+  - name: http
+    containerPort: {{ .Values.port | default 8080 }}
+    protocol: TCP
+  - name: metrics
+    containerPort: {{ .Values.metricsPort | default 2112 }}
+    protocol: TCP
+  - name: health-port
+    containerPort: {{ (.Values.health).port | default 3389 }}
+    protocol: TCP
+{{- end}}
+
+{{- define "common.technicalIssuers" }}
+{{- $technicalIssuers := list }}
+{{- range $issuer, $config := .Values.trustedIssuers }}
+{{- if $config.isTechnicalIssuer }}
+{{- $technicalIssuers = append $technicalIssuers  $config.url}}
+{{- end}}
+{{- end}}
+{{- join "," $technicalIssuers }}
+{{- end}}
+
+{{- define "common.basicEnvironment" }}
+- name: LOG_LEVEL
+  value: {{ (.Values.log).level | default "info" }}
+- name: REGION
+  value: {{ .Values.region }}
+- name: ENVIRONMENT
+  value: {{ .Values.environment }}
+- name: SENTRY_ENVIRONMENT
+  value: {{ .Values.sentry.environment | default .Values.environment }}
+- name: IMAGE_TAG
+  value: "{{ .Values.image.tag }}"
+- name: IMAGE_NAME
+  value: "{{ .Values.image.name }}"
+{{- $technicalIssuers := include "common.technicalIssuers" . }}
+{{- if $technicalIssuers }}
+- name: TECHNICAL_ISSUERS
+  value: {{ $technicalIssuers }}
+{{- end }}
+{{- include "common.sentry-env" . }}
+- name: DIRECTIVES_AUTHORIZATION_ENABLED
+  value: "{{ ((.Values.directives).authorization).enabled | default false }}"
+{{- end }}
+{{- define "common.basicService" }}
+- name: PORT
+  value: "{{ .Values.port }}"
+{{- end }}
+{{- define "common.basicJob" }}
+- name: ISTIO_QUIT_API
+  value: http://127.0.0.1:15020
+{{- end }}
+{{- define "common.collectorEnvironment" }}
+- name: COLLECTOR_SERVICE_NAME
+  value: {{ .Release.Name }}.{{ .Release.Namespace }}
+- name: COLLECTOR_SERVICE_VERSION
+  value: {{ .Release.Revision | quote }}
+- name: COLLECTOR_ENDPOINT
+  value: {{ (and .Values.otel .Values.otel.collectorEndpoint) | default "localhost:4317" }}
+{{- end }}
+{{- define "common.healthEnvironment" }}
+- name: HEALTH_PORT
+  value: "{{ (.Values.health).port | default 3389 }}"
+{{- end }}
+{{- define "common.healthAndReadiness" }}
+{{ include "common.operatorHealthAndReadyness" . }}
+{{- end }}
+{{- define "common.operatorHealthAndReadyness" }}
+livenessProbe:
+  httpGet:
+    path: {{ ((.Values.health).liveness).path | default "/healthz" }}
+    port: health-port
+  failureThreshold: {{ ((.Values.health).liveness).failureThreshold | default 1 }}
+  periodSeconds: {{ (.Values.health).periodSeconds | default 10 }}
+startupProbe:
+  httpGet:
+    path: {{ ((.Values.health).startup).path | default "/healthz" }}
+    port: health-port
+  failureThreshold: {{ ((.Values.health).startup).failureThreshold | default 30 }}
+  periodSeconds: {{ (.Values.health).periodSeconds | default 10 }}
+readinessProbe:
+  httpGet:
+    path: {{ ((.Values.health).readiness).path | default "/readyz" }}
+    port: health-port
+  initialDelaySeconds: {{ ((.Values.health).readiness).initialDelaySeconds | default 45 }}
+  periodSeconds: {{ (.Values.health).periodSeconds | default 10 }}
+{{- end }}
+{{- define "common.security" }}
+securityContext:
+  runAsNonRoot: true
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+serviceAccountName: {{ .Release.Name }}
+automountServiceAccountToken: {{ not (eq (.Values.security).mountServiceAccountToken false) }}
+{{- end }}