refactor: standardize namespace and PVC names in Helm templates

2024-11-22 03:53:42 +01:00
parent 74dcdd16d4
commit a96bcea806
7 changed files with 51 additions and 302 deletions
--- a/templates/deploy.yml
+++ b/templates/deploy.yml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: koha
-  namespace: koha-{{ .Values.instance }}
+  namespace: koha
  labels:
    app: koha
    component: plack
@@ -24,6 +24,8 @@ spec:
          env:
            - name: USE_PLACK
              value: "1"
+            - name: USE_BACKEND
+              value: "1"
          envFrom:
            - configMapRef:
                name: koha-map
@@ -41,13 +43,13 @@ spec:
      volumes:
        - name: koha-pv
          persistentVolumeClaim:
-            claimName: koha-{{ .Values.instance }}-pvc
+            claimName: koha-pvc
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: koha-apache
-  namespace: koha-{{ .Values.instance }}
+  namespace: koha
  labels:
    app: koha
    component: apache
@@ -67,16 +69,27 @@ spec:
        - name: init-wait
          image: alpine
          command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            runAsUser: 1000  # Set a non-root user
+            seccompProfile:
+              type: RuntimeDefault
      containers:
        - name: apache
          image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
          securityContext:
            capabilities:
              add:
-                - ALL
+                - NET_BIND_SERVICE
          env:
            - name: USE_APACHE2
              value: "1"
+            - name: USE_BACKEND
+              value: "0"
          envFrom:
            - configMapRef:
                name: koha-map
@@ -93,14 +106,14 @@ spec:
      volumes:
        - name: koha-pv
          persistentVolumeClaim:
-            claimName: koha-{{ .Values.instance }}-pvc
+            claimName: koha-pvc
 {{ if not .Values.db.external }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: koha-mysql
-  namespace: koha-{{ .Values.instance }}
+  namespace: koha
  labels:
    app: koha
    component: db
@@ -133,7 +146,7 @@ spec:
      volumes:
        - name: koha-mysql-pv
          persistentVolumeClaim:
-            claimName: koha-{{ .Values.instance }}-mysql-pvc
+            claimName: koha-mysql-pvc
 {{ end }}
 {{ if and .Values.elasticsearch.enabled (not .Values.elasticsearch.external) }}
 ---
@@ -141,7 +154,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: koha-es
-  namespace: koha-{{ .Values.instance }}
+  namespace: koha
  labels:
    app: koha
    component: es
@@ -161,10 +174,13 @@ spec:
        - name: es
          image: koha/elasticsearch-icu
          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
            capabilities:
-              add:
-                - IPC_LOCK
-                - SYS_RESOURCE
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
          env:
            - name: cluster.name
              value: "docker-cluster"
@@ -180,159 +196,23 @@ spec:
        - name: set-max-map-count
          image: alpine
          securityContext:
-            privileged: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault          
          command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"]
 {{ end }}
-{{ if .Values.sip.enabled }}
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: koha-sip
-  namespace: koha-{{ .Values.instance }}
-  labels:
-    app: koha
-    component: sip
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: koha
-      component: sip
-  template:
-    metadata:
-      labels:
-        app: koha
-        component: sip
-    spec:
-      initContainers:
-        - name: init-wait
-          image: alpine
-          command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
-      containers:
-        - name: sip
-          image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
-          env:
-            - name: USE_SIP
-              value: "1"
-          envFrom:
-            - configMapRef:
-                name: koha-map
-          volumeMounts:
-            - name: koha-pv
-              mountPath: /etc/koha/sites
-              subPath: sites
-            - name: koha-pv
-              mountPath: /tmp/libshare
-              subPath: lib
-          ports:
-            - containerPort: 6001
-      volumes:
-        - name: koha-pv
-          persistentVolumeClaim:
-            claimName: koha-{{ .Values.instance }}-pvc
-{{ end }}
-{{ if .Values.z3950.enabled }}
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: koha-z3950
-  namespace: koha-{{ .Values.instance }}
-  labels:
-    app: koha
-    component: z3950
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: koha
-      component: z3950
-  template:
-    metadata:
-      labels:
-        app: koha
-        component: z3950
-    spec:
-      initContainers:
-        - name: init-wait
-          image: alpine
-          command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
-      containers:
-        - name: z3950
-          image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
-          env:
-            - name: USE_Z3950
-              value: "1"
-          envFrom:
-            - configMapRef:
-                name: koha-map
-          volumeMounts:
-            - name: koha-pv
-              mountPath: /etc/koha/sites
-              subPath: sites
-            - name: koha-pv
-              mountPath: /tmp/libshare
-              subPath: lib
-          ports:
-            - containerPort: 2100
-      volumes:
-        - name: koha-pv
-          persistentVolumeClaim:
-            claimName: koha-{{ .Values.instance }}-pvc
-{{ end }}
-{{ if .Values.ncip.enabled }}
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: koha-ncip
-  namespace: koha-{{ .Values.instance }}
-  labels:
-    app: koha
-    component: ncip
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: koha
-      component: ncip
-  template:
-    metadata:
-      labels:
-        app: koha
-        component: ncip
-    spec:
-      initContainers:
-        - name: init-wait
-          image: alpine
-          command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
-      containers:
-        - name: ncip
-          image: bywater/koha-ncip-server:v19.05-latest
-          env:
-            - name: KOHA_CONF
-              value: "/conf/{{ .Values.instance }}/koha-conf.xml"
-          volumeMounts:
-            - name: koha-pv
-              mountPath: /conf
-              subPath: sites
-            - name: koha-pv
-              mountPath: /usr/share/koha/lib
-              subPath: lib
-      volumes:
-        - name: koha-pv
-          persistentVolumeClaim:
-            claimName: koha-{{ .Values.instance }}-pvc
-{{ end }}
-
 {{ if and .Values.memcached.enabled (not .Values.memcached.external) }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: koha-memcached
-  namespace: koha-{{ .Values.instance }}
+  namespace: koha
  labels:
    app: koha
    component: memcached