feat: added extraEnv and extraEnvFrom to helm chart, readonly-fs

ReuDa · ReuDa · commit 11ef722d0262 · 2023-05-12T11:11:32.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -31,7 +31,7 @@ RUN go build \
 FROM alpine:3.17
 
 ARG USERNAME=steadybit
-ARG USER_UID=1000
+ARG USER_UID=10000
 
 RUN adduser -u $USER_UID -D $USERNAME
 
diff --git a/Makefile b/Makefile
@@ -35,6 +35,11 @@ charttesting:
     helm unittest $$dir; \
   done
 
+## chartlint: Lint charts
+.PHONY: chartlint
+chartlint:
+	ct lint --config chartTesting.yaml
+
 # ==================================================================================== #
 # BUILD
 # ==================================================================================== #
diff --git a/charts/steadybit-extension-http/Chart.yaml b/charts/steadybit-extension-http/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-http
 description: Steadybit action implementation to check HTTP endpoints.
-version: 1.0.5
+version: 1.0.6
 appVersion: latest
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
diff --git a/charts/steadybit-extension-http/templates/deployment.yaml b/charts/steadybit-extension-http/templates/deployment.yaml
@@ -30,6 +30,13 @@ spec:
               cpu: {{ .Values.resources.limits.cpu }}
           env:
             {{- include "extensionlib.deployment.env" (list .) | nindent 12 }}
+            {{- with .Values.extraEnv }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with .Values.extraEnvFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             {{- include "extensionlib.deployment.volumeMounts" (list .) | nindent 12 }}
           livenessProbe:
@@ -40,6 +47,11 @@ spec:
             httpGet:
               path: /health/readiness
               port: 8081
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 10000
+            runAsGroup: 10000
       volumes:
         {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
       {{- with .Values.nodeSelector }}
diff --git a/charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap b/charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap
@@ -44,6 +44,11 @@ manifest should match snapshot with TLS:
                 requests:
                   cpu: 50m
                   memory: 64Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsGroup: 10000
+                runAsNonRoot: true
+                runAsUser: 10000
               volumeMounts:
                 - mountPath: /etc/extension/certificates/server-cert
                   name: certificate-server-cert
@@ -53,6 +58,62 @@ manifest should match snapshot with TLS:
               secret:
                 optional: false
                 secretName: server-cert
+manifest should match snapshot with extra env vars:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels: null
+      name: RELEASE-NAME-steadybit-extension-http
+      namespace: NAMESPACE
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/name: steadybit-extension-http
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: steadybit-extension-http
+        spec:
+          containers:
+            - env:
+                - name: STEADYBIT_LOG_LEVEL
+                  value: INFO
+                - name: STEADYBIT_LOG_FORMAT
+                  value: text
+                - name: FOO
+                  value: bar
+              envFrom:
+                - configMapRef: null
+                  name: env-configmap
+                - name: env-secrets
+                  secretRef: null
+              image: ghcr.io/steadybit/extension-http:latest
+              imagePullPolicy: Always
+              livenessProbe:
+                httpGet:
+                  path: /health/liveness
+                  port: 8081
+              name: extension
+              readinessProbe:
+                httpGet:
+                  path: /health/readiness
+                  port: 8081
+              resources:
+                limits:
+                  cpu: 200m
+                  memory: 128Mi
+                requests:
+                  cpu: 50m
+                  memory: 64Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsGroup: 10000
+                runAsNonRoot: true
+                runAsUser: 10000
+              volumeMounts: null
+          volumes: null
 manifest should match snapshot with mutual TLS:
   1: |
     apiVersion: apps/v1
@@ -101,6 +162,11 @@ manifest should match snapshot with mutual TLS:
                 requests:
                   cpu: 50m
                   memory: 64Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsGroup: 10000
+                runAsNonRoot: true
+                runAsUser: 10000
               volumeMounts:
                 - mountPath: /etc/extension/certificates/client-cert-a
                   name: certificate-client-cert-a
@@ -159,5 +225,10 @@ manifest should match snapshot without TLS:
                 requests:
                   cpu: 50m
                   memory: 64Mi
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsGroup: 10000
+                runAsNonRoot: true
+                runAsUser: 10000
               volumeMounts: null
           volumes: null
diff --git a/charts/steadybit-extension-http/tests/deployment_test.yaml b/charts/steadybit-extension-http/tests/deployment_test.yaml
@@ -25,3 +25,15 @@ tests:
               - client-cert-a
     asserts:
       - matchSnapshot: {}
+  - it: manifest should match snapshot with extra env vars
+    set:
+      extraEnv:
+        - name: FOO
+          value: "bar"
+      extraEnvFrom:
+        - configMapRef:
+          name: env-configmap
+        - secretRef:
+          name: env-secrets
+    asserts:
+      - matchSnapshot: {}
diff --git a/charts/steadybit-extension-http/values.yaml b/charts/steadybit-extension-http/values.yaml
@@ -55,3 +55,19 @@ topologySpreadConstraints: []
 
 # affinity -- Affinities to influence pod assignment.
 affinity: {}
+
+# extraEnv -- Array with extra environment variables to add to the container
+# e.g:
+# extraEnv:
+#   - name: FOO
+#     value: "bar"
+extraEnv: []
+
+# extraEnvFrom -- Array with extra environment variables sources to add to the container
+# e.g:
+# extraEnvFrom:
+#  - configMapRef:
+#    name: env-configmap
+#  - secretRef:
+#    name: env-secrets
+extraEnvFrom: []
