refactor: update service names and security contexts in Helm templates

This commit is contained in:
Elmar Kresse
2024-12-04 01:02:27 +01:00
parent a96bcea806
commit f47c3aa68b
5 changed files with 76 additions and 28 deletions


@@ -32,7 +32,7 @@ data:
KOHA_PASS: {{ .Values.global.pass }}
KOHA_USER: {{ .Values.global.user }}
MANA_URL: {{ .Values.global.mana }}
MYSQL_SERVER: {{ with .Values.db.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-db" {{ end }}
MYSQL_SERVER: {{ with .Values.db.server }} {{ . | quote }} {{ else }} "db" {{ end }}
MYSQL_ROOT_USER: {{ .Values.db.root_user }}
MYSQL_DATABASE: {{ with .Values.db.database }} {{ . | quote }} {{ else }} "koha_{{ .Values.instance }}" {{ end }}
MYSQL_ROOT_PASSWORD: {{ .Values.db.root_pass }}
@@ -41,9 +41,9 @@ data:
ZEBRA_MARC_FORMAT: {{ .Values.zebra.marc_format }}
{{ if .Values.elasticsearch.enabled }}
OVERRIDE_SYSPREF_SearchEngine: "Elasticsearch"
KOHA_ES_NAME: {{ with .Values.elasticsearch.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-es" {{ end }}
KOHA_ES_NAME: {{ with .Values.elasticsearch.server }} {{ . | quote }} {{ else }} "es" {{ end }}
{{ end }}
{{ if .Values.memcached.enabled }}
MEMCACHED_SERVERS: {{ with .Values.memcached.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-memcached:11211" {{ end }}
MEMCACHED_SERVERS: {{ with .Values.memcached.server }} {{ . | quote }} {{ else }} "memcached:11211" {{ end }}
{{ end }}
KOHA_PLACK_NAME: "{{ .Values.instance }}-plack"
KOHA_PLACK_NAME: "koha"
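Review bot: Dropping the `{{ .Values.instance }}` prefix from the MYSQL_SERVER, KOHA_ES_NAME, MEMCACHED_SERVERS and KOHA_PLACK_NAME defaults means two releases of this chart can no longer coexist: the Service templates in this commit are renamed to the fixed `db`, `es`, `memcached`, `koha` and `apache2` as well, and `namespace: koha` is hard-coded, so a second `helm install` would collide with the first release's Services and, if it got through, the first instance would be pointed at the wrong database. If single-instance is the intent, the `koha_{{ .Values.instance }}` default for MYSQL_DATABASE on the unchanged line above is now the only place the instance name still matters and deserves a comment in values.yaml saying so; otherwise the prefixes should be restored here and in the ingress and services templates of this commit. Unrelated to the change but visible in the hunk: KOHA_PASS and MYSQL_ROOT_PASSWORD are rendered into a ConfigMap rather than a Secret, so anyone who can read ConfigMaps in the namespace can read the database root credentials.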


@@ -21,6 +21,17 @@ spec:
containers:
- name: koha
image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
securityContext:
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
env:
- name: USE_PLACK
value: "1"
@@ -68,7 +79,7 @@ spec:
initContainers:
- name: init-wait
image: alpine
command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"]
command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 koha 5000 && exit 0 || sleep 3; done; exit 1"]
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -82,9 +93,17 @@ spec:
- name: apache
image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
securityContext:
runAsUser: 0 # Set root user
#fsGroup: 1000 # www-data group
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- NET_BIND_SERVICE
- SETUID
- SETGID
- SYS_ADMIN
env:
- name: USE_APACHE2
value: "1"
@@ -100,9 +119,9 @@ spec:
- name: koha-pv
mountPath: /tmp/libshare
subPath: lib
ports:
- containerPort: {{ .Values.opac.port }}
- containerPort: {{ .Values.staff.port }}
# ports:
# - containerPort: {{ .Values.opac.port }}
# - containerPort: {{ .Values.staff.port }}
volumes:
- name: koha-pv
persistentVolumeClaim:
@@ -135,6 +154,17 @@ spec:
containers:
- name: db
image: mariadb:10.3
securityContext:
runAsUser: 999 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
envFrom:
- configMapRef:
name: koha-map
@@ -174,13 +204,16 @@ spec:
- name: es
image: koha/elasticsearch-icu
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: RuntimeDefault
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
env:
- name: cluster.name
value: "docker-cluster"
@@ -196,12 +229,16 @@ spec:
- name: set-max-map-count
image: alpine
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
drop:
- ALL
add:
- SETUID
- SETGID
- SYS_ADMIN
seccompProfile:
type: RuntimeDefault
command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"]
@@ -231,5 +268,16 @@ spec:
containers:
- name: memcached
image: memcached
securityContext:
runAsUser: 497 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
command: [ "memcached", "-m", "64m" ]
{{ end }}
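Review bot: The securityContext blocks added to the koha, apache, db, es and memcached containers grant `privileged: true`, `seccompProfile: Unconfined` and `SYS_ADMIN`, which hands each container the node's devices and full capability set and turns any code-execution bug in Koha, Apache or MariaDB into a node compromise; of the six only the `set-max-map-count` init container, which writes node sysctls, plausibly needs that. `privileged: true` already implies every capability, so the `add:` lists and `allowPrivilegeEscalation: true` are redundant, while on es and set-max-map-count the hunks appear to replace the existing `runAsNonRoot: true`, `drop: ALL` and `RuntimeDefault` hardening rather than extend it. The `# Set root user` comment is wrong where the uid is `999` (db) and `497` (memcached) — those are non-root uids and such containers normally need no added capabilities at all — and if the trailing `seccompProfile: RuntimeDefault` of the set-max-map-count hunk survives on the new side it duplicates the `seccompProfile` key added above it, which most YAML parsers either reject or resolve last-wins. For the application containers I would keep only the specific capabilities already listed under a RuntimeDefault profile (the koha container is shown below; apache additionally keeps `NET_BIND_SERVICE`) and confirm with a test deploy that the images still start.

```yaml
      - name: koha
        image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
        securityContext:
          runAsUser: 0  # TODO confirm the image really has to start as root
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
              - ALL
            add:
              - SETUID
              - SETGID
        # … unchanged: env …
```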


@@ -27,7 +27,7 @@ spec:
paths:
- backend:
service:
name: {{ .Values.instance }}-koha
name: apache2
port:
number: {{ .Values.staff.port }}
pathType: ImplementationSpecific
@@ -36,7 +36,7 @@ spec:
paths:
- backend:
service:
name: {{ .Values.instance }}-koha
name: apache2
port:
number: {{ .Values.opac.port }}
pathType: ImplementationSpecific


@@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.instance }}-koha
name: apache2
namespace: koha
labels:
run: {{ .Values.instance }}-koha
@@ -21,7 +21,7 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.instance }}-plack
name: koha
namespace: koha
labels:
run: {{ .Values.instance }}-plack
@@ -38,7 +38,7 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.instance }}-es
name: es
namespace: koha
labels:
run: {{ .Values.instance }}-es
@@ -56,7 +56,7 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.instance }}-db
name: db
namespace: koha
labels:
run: {{ .Values.instance }}-db
@@ -74,7 +74,7 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.instance }}-memcached
name: memcached
namespace: koha
labels:
run: {{ .Values.instance }}-memcached


@@ -35,7 +35,7 @@ docker:
# image path will be
# registry.gilab.com/thekesolutions/koha/myclient:19.11.08-5
registry: registry.gitlab.com/koha-community/docker/koha-docker
tag: latest
tag: 24.05
storage:
storageClassName: csi-cephfs-sc
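Review bot: `tag: 24.05` on the changed line is an unquoted scalar, so YAML parses it as the float 24.05 rather than the string "24.05"; it happens to render identically today, but a tag such as `24.10` would render as `24.1` and the image pull would fail. Quote it: `tag: "24.05"`. Moving off `latest` is the right direction; for reproducible and auditable deploys a digest (`image@sha256:<digest>`) would be stronger still, though that needs the `image:` line in the deployment template to change shape.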