flexibility in using Helm chart: args, env, probes & better security and namespaces usage #126
Conversation
…and namespaces usage
…and namespaces usage
|
@laimison thank you very much for the PR. I agree with your demand of being able to have more flexibility, but I have a simpler approach than mapping evry single property. for example defining proves and security context in the values and importing the whole yaml into the deployment. |
chart/templates/deployment.yaml
Outdated
| @@ -1,3 +1,4 @@ | |||
| {{ if .Values.deployment.create }} | |||
There was a problem hiding this comment.
why ould you not want to create the deployment, when you install this chart?
There was a problem hiding this comment.
Thanks for suggestions, these are great. I will amend PR once have a moment.
In terms of this item, I just added it, in case people find something not flexible enough as me. They can use their Deployment and submit PR here. So there is no gap in waiting when chart can offer what they need.
If you want, I can exclude this change. By default, deployment has to be created based on values.yaml.
There was a problem hiding this comment.
I'd rader have this conditon removed as I do not see the use case.
But anyway thank you very much for your initiative. I'm looking forward to the update.
Don,'t forget to run make docs before pushing to have the readme updated.
There was a problem hiding this comment.
Changes have been submitted and PR is ready for review. Please check if you want to have limit-rpm - requests limit per IP on Ingress and if version increase is okay. Nothing else additional.
chart/templates/deployment.yaml
Outdated
| ports: | ||
| - name: http | ||
| containerPort: 8080 | ||
| protocol: TCP | ||
| livenessProbe: | ||
| readinessProbe: | ||
| failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }} |
There was a problem hiding this comment.
I prefer having the whole probe config in the values and include the whole yaml as mentioned in the comment
chart/templates/deployment.yaml
Outdated
| httpGet: | ||
| path: /_health | ||
| port: http | ||
| readinessProbe: | ||
| livenessProbe: | ||
| failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }} |
chart/templates/deployment.yaml
Outdated
| httpGet: | ||
| path: /_health | ||
| port: http | ||
| {{- if .Values.deployment.securityContext }} | ||
| securityContext: | ||
| {{- if .Values.deployment.securityContext.allowPrivilegeEscalation }} |
chart/values.yaml
Outdated
| # - path: /ssw(/|$)(.*) | ||
| # pathType: Prefix | ||
| hosts: | ||
| - host: example.internal |
There was a problem hiding this comment.
I agree with changing the example, but would not set a default host in the values.
chart/templates/deployment.yaml
Outdated
| {{- end }} | ||
| {{- if .Values.deployment.env }} | ||
| env: | ||
| {{- if .Values.deployment.env.SEALEDSECRETSCONTROLLERNAMESPACE }} |
There was a problem hiding this comment.
use better readable camelCase keys for the env variable in the values it only need to be uppercase in the variable name, not the helm values.
…metic changes & limit-rpm added to an ingress
chart/values.yaml
Outdated
| # nginx.ingress.kubernetes.io/ssl-redirect: 'true' | ||
| annotations: | ||
| # -- Specifies number of requests accepted from a given IP each minute | ||
| nginx.ingress.kubernetes.io/limit-rpm: "180" |
There was a problem hiding this comment.
could you leave this empty default?
You can keep the rpm commented out.
chart/values.yaml
Outdated
| - ALL | ||
| privileged: false | ||
| runAsGroup: 1000 | ||
| runAsUser: 1000 |
There was a problem hiding this comment.
The Dockerfile runs with user 1001 https://github.com/bakito/sealed-secrets-web/blob/main/Dockerfile#L32
Can you change this also to the same value?
chart/values.yaml
Outdated
| failureThreshold: 3 | ||
| successThreshold: 1 | ||
| timeoutSeconds: 10 | ||
| initialDelaySeconds: 15 |
chart/values.yaml
Outdated
| periodSeconds: 5 | ||
| successThreshold: 1 | ||
| timeoutSeconds: 10 | ||
| initialDelaySeconds: 30 |
There was a problem hiding this comment.
can you remove this part?
failureThreshold: 3
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 10
initialDelaySeconds: 30
30 sec us much too high for this application as it starts fast.
The kubernetes default should be enough
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
If someone needs it changed, it can be overwritten in the values.
There was a problem hiding this comment.
addressed and PR is for review now, many thanks
…and namespaces usage
…and namespaces usage
|
@laimison thank you very much for your contribution |
|
@bakito thanks for your time and merge. Let me know when/if there are some plans to release new version of this chart so I believe it will be listed using command |
|
@laimison I released 3.0.6 yesterday https://artifacthub.io/packages/helm/bakito/sealed-secrets-web |
|
@bakito perfect, thank you! |
Hi,
I have added more ways to use the chart. Those ways are optional and don't change the way templates are rendered now, except:
this block bellow is added by default on Deployment - it improves security:
Also, missing parameters for probes are added.
Let me know, if PR looks good or needs adjustments to be agreed eg not forcing better security in values.yaml file at
deployment.securityContext.I have tested this on cluster.
I would like to add these improvements to be able to use this chart and depend on it. So I hope flexibilities and improvements can help other people too. It would be great to have helm chart released.
Let me know your thoughts and also things I should be aware of.
Thanks