refactor: update service names and security contexts in Helm templates

This commit is contained in:
Elmar Kresse
2024-12-04 01:02:27 +01:00
parent a96bcea806
commit f47c3aa68b
5 changed files with 76 additions and 28 deletions


@@ -32,7 +32,7 @@ data:
KOHA_PASS: {{ .Values.global.pass }} KOHA_PASS: {{ .Values.global.pass }}
KOHA_USER: {{ .Values.global.user }} KOHA_USER: {{ .Values.global.user }}
MANA_URL: {{ .Values.global.mana }} MANA_URL: {{ .Values.global.mana }}
MYSQL_SERVER: {{ with .Values.db.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-db" {{ end }} MYSQL_SERVER: {{ with .Values.db.server }} {{ . | quote }} {{ else }} "db" {{ end }}
MYSQL_ROOT_USER: {{ .Values.db.root_user }} MYSQL_ROOT_USER: {{ .Values.db.root_user }}
MYSQL_DATABASE: {{ with .Values.db.database }} {{ . | quote }} {{ else }} "koha_{{ .Values.instance }}" {{ end }} MYSQL_DATABASE: {{ with .Values.db.database }} {{ . | quote }} {{ else }} "koha_{{ .Values.instance }}" {{ end }}
MYSQL_ROOT_PASSWORD: {{ .Values.db.root_pass }} MYSQL_ROOT_PASSWORD: {{ .Values.db.root_pass }}
@@ -41,9 +41,9 @@ data:
ZEBRA_MARC_FORMAT: {{ .Values.zebra.marc_format }} ZEBRA_MARC_FORMAT: {{ .Values.zebra.marc_format }}
{{ if .Values.elasticsearch.enabled }} {{ if .Values.elasticsearch.enabled }}
OVERRIDE_SYSPREF_SearchEngine: "Elasticsearch" OVERRIDE_SYSPREF_SearchEngine: "Elasticsearch"
KOHA_ES_NAME: {{ with .Values.elasticsearch.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-es" {{ end }} KOHA_ES_NAME: {{ with .Values.elasticsearch.server }} {{ . | quote }} {{ else }} "es" {{ end }}
{{ end }} {{ end }}
{{ if .Values.memcached.enabled }} {{ if .Values.memcached.enabled }}
MEMCACHED_SERVERS: {{ with .Values.memcached.server }} {{ . | quote }} {{ else }} "{{ .Values.instance }}-memcached:11211" {{ end }} MEMCACHED_SERVERS: {{ with .Values.memcached.server }} {{ . | quote }} {{ else }} "memcached:11211" {{ end }}
{{ end }} {{ end }}
KOHA_PLACK_NAME: "{{ .Values.instance }}-plack" KOHA_PLACK_NAME: "koha"
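Review bot: The fallback backend names introduced here (`"db"`, `"es"`, `"memcached:11211"`, `"koha"` at the `{{ else }}` branches and KOHA_PLACK_NAME) are string literals that must stay identical to the `metadata.name` values in the Service template, and nothing ties the two files together. Consider emitting each name from one named template (`{{ define "koha.dbService" }}` etc.) so a later rename cannot silently leave the ConfigMap pointing at a Service that no longer exists. The `data:` mapping this hunk belongs to starts before the hunk.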


@@ -21,6 +21,17 @@ spec:
containers: containers:
- name: koha - name: koha
image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }} image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
securityContext:
runAsUser: 0 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
env: env:
- name: USE_PLACK - name: USE_PLACK
value: "1" value: "1"
@@ -68,7 +79,7 @@ spec:
initContainers: initContainers:
- name: init-wait - name: init-wait
image: alpine image: alpine
command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 {{ .Values.instance }}-plack 5000 && exit 0 || sleep 3; done; exit 1"] command: ["sh", "-c", "for i in $(seq 1 300); do nc -zvw1 koha 5000 && exit 0 || sleep 3; done; exit 1"]
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -82,9 +93,17 @@ spec:
- name: apache - name: apache
image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }} image: {{ .Values.docker.registry }}:{{ .Values.docker.tag }}
securityContext: securityContext:
runAsUser: 0 # Set root user
#fsGroup: 1000 # www-data group
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities: capabilities:
add: add:
- NET_BIND_SERVICE - SETUID
- SETGID
- SYS_ADMIN
env: env:
- name: USE_APACHE2 - name: USE_APACHE2
value: "1" value: "1"
@@ -100,9 +119,9 @@ spec:
- name: koha-pv - name: koha-pv
mountPath: /tmp/libshare mountPath: /tmp/libshare
subPath: lib subPath: lib
ports: # ports:
- containerPort: {{ .Values.opac.port }} # - containerPort: {{ .Values.opac.port }}
- containerPort: {{ .Values.staff.port }} # - containerPort: {{ .Values.staff.port }}
volumes: volumes:
- name: koha-pv - name: koha-pv
persistentVolumeClaim: persistentVolumeClaim:
@@ -135,6 +154,17 @@ spec:
containers: containers:
- name: db - name: db
image: mariadb:10.3 image: mariadb:10.3
securityContext:
runAsUser: 999 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
envFrom: envFrom:
- configMapRef: - configMapRef:
name: koha-map name: koha-map
@@ -174,13 +204,16 @@ spec:
- name: es - name: es
image: koha/elasticsearch-icu image: koha/elasticsearch-icu
securityContext: securityContext:
allowPrivilegeEscalation: false runAsUser: 0 # Set root user
runAsNonRoot: true allowPrivilegeEscalation: true
capabilities: privileged: true
drop:
- ALL
seccompProfile: seccompProfile:
type: RuntimeDefault type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
env: env:
- name: cluster.name - name: cluster.name
value: "docker-cluster" value: "docker-cluster"
@@ -196,12 +229,16 @@ spec:
- name: set-max-map-count - name: set-max-map-count
image: alpine image: alpine
securityContext: securityContext:
allowPrivilegeEscalation: false runAsUser: 0 # Set root user
runAsNonRoot: true allowPrivilegeEscalation: true
runAsUser: 1000 privileged: true
seccompProfile:
type: Unconfined
capabilities: capabilities:
drop: add:
- ALL - SETUID
- SETGID
- SYS_ADMIN
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"] command: ["sh", "-c", "sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536"]
@@ -231,5 +268,16 @@ spec:
containers: containers:
- name: memcached - name: memcached
image: memcached image: memcached
securityContext:
runAsUser: 497 # Set root user
allowPrivilegeEscalation: true
privileged: true
seccompProfile:
type: Unconfined
capabilities:
add:
- SETUID
- SETGID
- SYS_ADMIN
command: [ "memcached", "-m", "64m" ] command: [ "memcached", "-m", "64m" ]
{{ end }} {{ end }}
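Review bot: Every securityContext added or rewritten in this file (koha, apache, db, es, set-max-map-count and memcached) sets `privileged: true`, `seccompProfile.type: Unconfined` and adds `SYS_ADMIN`, which grants the container near host-level access and makes the remaining fields moot; the `es` container in particular loses the `runAsNonRoot: true`, `drop: [ALL]` and `RuntimeDefault` profile it had before. Unless the commit message explains a concrete need, keep `privileged: false` and `type: RuntimeDefault` and add only the capability each image actually requires (e.g. `add: [SETUID, SETGID]` for an entrypoint that drops to a service user), with a comment stating why. The `set-max-map-count` init container now carries two `seccompProfile` keys (Unconfined added before `capabilities`, RuntimeDefault kept after it); most YAML parsers silently keep the last one, so one of them should be removed. The `# Set root user` comment was copied onto `runAsUser: 999` and `runAsUser: 497`, where it is wrong. Each affected Deployment's `spec` starts outside its hunk.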


@@ -27,7 +27,7 @@ spec:
paths: paths:
- backend: - backend:
service: service:
name: {{ .Values.instance }}-koha name: apache2
port: port:
number: {{ .Values.staff.port }} number: {{ .Values.staff.port }}
pathType: ImplementationSpecific pathType: ImplementationSpecific
@@ -36,7 +36,7 @@ spec:
paths: paths:
- backend: - backend:
service: service:
name: {{ .Values.instance }}-koha name: apache2
port: port:
number: {{ .Values.opac.port }} number: {{ .Values.opac.port }}
pathType: ImplementationSpecific pathType: ImplementationSpecific


@@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ .Values.instance }}-koha name: apache2
namespace: koha namespace: koha
labels: labels:
run: {{ .Values.instance }}-koha run: {{ .Values.instance }}-koha
@@ -21,7 +21,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ .Values.instance }}-plack name: koha
namespace: koha namespace: koha
labels: labels:
run: {{ .Values.instance }}-plack run: {{ .Values.instance }}-plack
@@ -38,7 +38,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ .Values.instance }}-es name: es
namespace: koha namespace: koha
labels: labels:
run: {{ .Values.instance }}-es run: {{ .Values.instance }}-es
@@ -56,7 +56,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ .Values.instance }}-db name: db
namespace: koha namespace: koha
labels: labels:
run: {{ .Values.instance }}-db run: {{ .Values.instance }}-db
@@ -74,7 +74,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ .Values.instance }}-memcached name: memcached
namespace: koha namespace: koha
labels: labels:
run: {{ .Values.instance }}-memcached run: {{ .Values.instance }}-memcached
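Review bot: The Service names are now fixed literals (`apache2`, `koha`, `es`, `db`, `memcached`) while `namespace: koha` is also fixed, so a second release of this chart into that namespace will either fail on conflicting Service names or, if the ConfigMap fallbacks (`db`, `es`, `memcached:11211`, `koha`) are in use, connect that release's Koha to the first release's database and cache. If one instance per namespace is the intended model, state it in the chart's documentation; otherwise derive the names from `{{ .Release.Name }}` or keep the `{{ .Values.instance }}` prefix. The `run:` labels on the following lines still carry the instance prefix, so the rendered objects no longer share a naming scheme with their own labels; I cannot see the selectors from this hunk, so they should be checked for the same mismatch.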


@@ -35,7 +35,7 @@ docker:
# image path will be # image path will be
# registry.gilab.com/thekesolutions/koha/myclient:19.11.08-5 # registry.gilab.com/thekesolutions/koha/myclient:19.11.08-5
registry: registry.gitlab.com/koha-community/docker/koha-docker registry: registry.gitlab.com/koha-community/docker/koha-docker
tag: latest tag: 24.05
storage: storage:
storageClassName: csi-cephfs-sc storageClassName: csi-cephfs-sc
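Review bot: `tag: 24.05` is an unquoted plain scalar and is parsed as a float, so the value only survives because it has no trailing zero; the next bump to a tag such as `24.10` would render as `24.1` and pull a non-existent image. Write it as a string, `tag: "24.05"`, and consider pinning by digest or documenting that the tag is mutable, since the image is pulled from a public registry.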