flexibility in using Helm chart: args, env, probes & better security …

…and namespaces usage (#126)

* flexibility in using Helm chart: args, env, probes & better security and namespaces usage

* flexibility in using Helm chart: args, env, probes & better security and namespaces usage

* Helm: securityContext and probes fully managed from values file & cosmetic changes & limit-rpm added to an ingress

* flexibility in using Helm chart: args, env, probes & better security and namespaces usage

* flexibility in using Helm chart: args, env, probes & better security and namespaces usage

README.md

@@ -45,6 +45,13 @@ helm upgrade --install sealed-secrets-web bakito/sealed-secrets-web \
   --set disableLoadSecrets=true
 ```
 
+To render templates locally:
+
+```sh
+cd chart
+helm template . -f values.yaml
+```
+
 You can check helm values available at https://github.com/bakito/sealed-secrets-web/blob/main/chart/values.yaml
 Also, check available application options at https://github.com/bakito/sealed-secrets-web/blob/main/pkg/config/types.go#L14-L22
 

chart/Chart.yaml

@@ -1,13 +1,13 @@
 apiVersion: v2
-appVersion: v3.0.6
+appVersion: v3.0.7
 description: A web interface for Sealed Secrets by Bitnami.
 home: https://github.com/bakito/sealed-secrets-web
 icon: https://raw.githubusercontent.com/bakito/sealed-secrets-web/master/assets/logo.png
 maintainers:
   - name: bakito
     url: https://github.com/bakito
 name: sealed-secrets-web
-version: 3.0.6
+version: 3.0.7
 #annotations:
 #  artifacthub.io/changes: |
 #    -

chart/README.md

@@ -1,6 +1,6 @@
 # sealed-secrets-web
 
-![Version: 3.0.6](https://img.shields.io/badge/Version-3.0.6-informational?style=flat-square) ![AppVersion: v3.0.6](https://img.shields.io/badge/AppVersion-v3.0.6-informational?style=flat-square)
+![Version: 3.0.7](https://img.shields.io/badge/Version-3.0.7-informational?style=flat-square) ![AppVersion: v3.0.7](https://img.shields.io/badge/AppVersion-v3.0.7-informational?style=flat-square)
 
 A web interface for Sealed Secrets by Bitnami.
 
@@ -16,19 +16,21 @@ helm install sealed-secrets-web bakito/sealed-secrets-web
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Assign custom [affinity] rules to the deployment |
+| deployment.args | object | `{"defaultArgsEnabled":true}` | Default process arguments are used, while additional can be added too |
+| deployment.livenessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/_health","port":"http"}}` | Liveness Probes |
+| deployment.readinessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/_health","port":"http"}}` | Readiness Probes |
+| deployment.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"runAsGroup":1000,"runAsUser":1001}` | Hardening security |
 | disableLoadSecrets | bool | `false` | If set to true secrets cannot be read from this tool, only seal new ones |
 | fullnameOverride | string | `""` | String to fully override "argo-rollouts.fullname" template |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"ghcr.io/bakito/sealed-secrets-web"` | Repository to use |
 | image.tag | string | `nil` | Overrides the image tag (default is the chart appVersion) |
 | imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Registry secret names as an array. |
 | includeLocalNamespaceOnly | bool | `false` | If set to true, the application has only the permission to view sealed secrets in the current namespace |
-| ingress.annotations | object | `{}` | Ingress annotations |
 | ingress.className | string | `""` | Ingress class name |
 | ingress.defaultTls | bool | `false` | set this to true and leave tls an empty array to use the default TLS certificate (works at least in openshift) |
 | ingress.enabled | bool | `false` | Enable ingress support |
-| ingress.hosts | list | `[]` | Ingress hosts |
-| ingress.tls | list | `[]` | Ingress tls |
+| ingress.hosts | list | `[{"paths":[{"path":"/","pathType":"Prefix"}]}]` | Ingress hosts |
 | initialSecretFile | string | `nil` | Define you custom initial secret file |
 | nameOverride | string | `""` | String to partially override "argo-rollouts.fullname" template |
 | nodeSelector | object | `{}` | [Node selector] |

chart/templates/deployment.yaml

@@ -27,20 +27,42 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.deployment.args }}
           args:
+          {{- if .Values.deployment.args.defaultArgsEnabled }}
           {{- include "sealed-secrets-web.imageArgs" . | nindent 12 }}
+          {{- end }}
+          {{- if .Values.deployment.args.additionalArgs }}
+          {{- toYaml .Values.deployment.args.additionalArgs | nindent 12 }}
+          {{- end }}
+          {{- end }}
+          {{- if .Values.deployment.env }}
+          env:
+          {{- if .Values.deployment.env.sealedSecretsControllerNamespace }}
+          - name: SEALED_SECRETS_CONTROLLER_NAMESPACE
+            value: {{ .Values.deployment.env.sealedSecretsControllerNamespace }}
+          {{- end }}
+          {{- if .Values.deployment.env.sealedSecretsControllerName }}
+          - name: SEALED_SECRETS_CONTROLLER_NAME
+            value: {{ .Values.deployment.env.sealedSecretsControllerName }}
+          {{- end }}
+          {{- end }}
           ports:
             - name: http
               containerPort: 8080
               protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /_health
-              port: http
+          {{- with .Values.deployment.readinessProbe }}
           readinessProbe:
-            httpGet:
-              path: /_health
-              port: http
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.deployment.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.deployment.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           {{- if .Values.volumeMounts }}

chart/templates/service-account.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "sealed-secrets-web.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace }}
   labels:
     {{- include "sealed-secrets-web.labels" . | nindent 4 }}
 {{ end }}

chart/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "sealed-secrets-web.fullname" . }}
+  namespace: {{ $.Release.Namespace }}
   labels:
     {{- include "sealed-secrets-web.labels" . | nindent 4 }}
 spec:

chart/values.yaml

@@ -72,23 +72,29 @@ ingress:
   className: ""
 
   # -- Ingress annotations
-  annotations: { }
-  # nginx.ingress.kubernetes.io/rewrite-target: /$2
-  # nginx.ingress.kubernetes.io/use-regex: "true"
-  # nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+  # annotations:
+  #   # -- Specifies number of requests accepted from a given IP each minute
+  #   nginx.ingress.kubernetes.io/limit-rpm: "180"
+  #   nginx.ingress.kubernetes.io/rewrite-target: /$2
+  #   nginx.ingress.kubernetes.io/use-regex: "true"
+  #   nginx.ingress.kubernetes.io/ssl-redirect: 'true'
 
   # -- Ingress hosts
-  hosts: [ ]
-  #- paths:
-  #    - path: /ssw(/|$)(.*)
-  #      pathType: Prefix
+  hosts:
+  - paths:
+    - path: /
+      pathType: Prefix
+    # host: example.internal
+
   # -- set this to true and leave tls an empty array to use the default TLS certificate (works at least in openshift)
   defaultTls: false
 
   # -- Ingress tls
-  tls: [ ]
-  #  - hosts: [ my-domain.com ]
-  #    secretName: sealed-secrets-web-tls
+  # tls:
+  # - hosts:
+  #   - example.internal
+  #   - another-example.internal
+  #   secretName: sealed-secrets-web-tls
 
 # -- Resource limits and requests for the pods.
 resources: { }
@@ -99,6 +105,50 @@ resources: { }
 #   cpu: 100m
 #   memory: 128Mi
 
+deployment:
+  # -- Readiness Probes
+  readinessProbe:
+    failureThreshold: 3
+    # periodSeconds: 5
+    # successThreshold: 1
+    # timeoutSeconds: 10
+    # initialDelaySeconds: 30
+    httpGet:
+      path: /_health
+      port: http
+
+  # -- Liveness Probes
+  livenessProbe:
+    failureThreshold: 3
+    # periodSeconds: 10
+    # successThreshold: 1
+    # timeoutSeconds: 10
+    # initialDelaySeconds: 15
+    httpGet:
+      path: /_health
+      port: http
+
+  # -- Hardening security
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    runAsGroup: 1000
+    runAsUser: 1001
+
+  # -- Default process arguments are used, while additional can be added too
+  args:
+    defaultArgsEnabled: true
+    # additionalArgs:
+    # - --disable-load-secrets
+    # - --format=yaml
+
+  # -- Using environment variables
+  # env:
+  #   sealedSecretsControllerNamespace: sealed-secrets
+  #   sealedSecretsControllerName: sealed-secrets
 
 # -- [Node selector]
 nodeSelector: { }