Configurable images, imagePullSecrets, and securityContext per component#212
Open
prateekkanurkar-cmd wants to merge 3 commits into
Open
Configurable images, imagePullSecrets, and securityContext per component#212prateekkanurkar-cmd wants to merge 3 commits into
prateekkanurkar-cmd wants to merge 3 commits into
Conversation
…-securitycontext # Conflicts: # .gitignore # helm/charts/redis/templates/deployment.yaml # helm/values.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
values.yaml—repository,tag, andpullPolicy. No more hardcodedredis:7-alpinebaked into the chart template.imagePullSecretsis configurable both globally (global.imagePullSecrets) and per component (celery-beat.imagePullSecrets,celery-worker.imagePullSecrets,redis.imagePullSecrets,autoUpdate.imagePullSecrets). Per-component secrets are merged on top of the global list, so a private mirror can be set once globally and one component can add its own pull secret without losing the global one.podSecurityContextandsecurityContextare configurable per component, with sensible defaults:runAsNonRoot: true,runAsUser: 33(matches thewww-dataUID baked into the agent image),runAsUser: 999for redis (matchesredis:7.2.8-alpine's built-in user),allowPrivilegeEscalation: false,capabilities.drop: [ALL]. These satisfy thepsp-pods-allowed-user-rangesGatekeeper policy that was rejecting pod admission on clusters with PSP enforcement.helm/charts/*.tgzandhelm/values.yaml.backup.*added to.gitignoreso the auto-regenerated subchart tarballs and the deploy-script's timestamped backups stop polluting the working tree.Test plan
helm lint helm/cleanhelm templaterenders valid YAML; programmatic check confirms every Deployment and CronJob hasrunAsNonRoot: trueandrunAsUser != 0at both pod and container levelreadOnlyRootFilesystem, andimagePullSecretsmerging (global+ per-component) all flow through correctlyautoUpdate.enabled=falsecorrectly suppresses the restart CronJobjfrog-dev-aks/drdroidnamespace: celery-beat 1/1, celery-worker 3/3, redis 1/1, all with 0 restarts; original Gatekeeper PSP denials and CrashLoopBackOff are gone