Merge pull request #29 from dominikkaminski/feature/service-account-s…

…ecurity-context

HELM-58 Improve security (ServiceAccount, securityContext) and harmonize indent

charts/xwiki/templates/ingress.yaml

@@ -42,20 +42,20 @@ spec:
       http:
         paths:
           {{- range .paths }}
-          - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: {{ .pathType }}
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullName }}
-                port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
+            - path: {{ .path }}
+              {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+              pathType: {{ .pathType }}
               {{- end }}
+              backend:
+                {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+                service:
+                  name: {{ $fullName }}
+                  port:
+                    number: {{ $svcPort }}
+                {{- else }}
+                serviceName: {{ $fullName }}
+                servicePort: {{ $svcPort }}
+                {{- end }}
           {{- end }}
     {{- end }}
-{{- end -}}
+{{- end -}}

charts/xwiki/templates/istio-certificate.yaml

@@ -12,5 +12,5 @@ spec:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   dnsNames:
-  - {{ .Values.istio.host | quote }}
-{{- end }}
+    - {{ .Values.istio.host | quote }}
+{{- end }}

charts/xwiki/templates/istio-gateway.yaml

@@ -9,24 +9,24 @@ spec:
   selector:
     istio: {{ .Values.istio.gateway.selectorIstio | quote }} # use Istio default gateway implementation
   servers:
-  - hosts:
-    - {{ .Values.istio.host | quote }}
-    port:
-      number: 80
-      name: http
-      protocol: HTTP
-  {{- if .Values.istio.tls.enabled }}
-    tls:
-      httpsRedirect: {{ .Values.istio.tls.httpsRedirect }}
-  - port:
-      number: 443
-      name: https
-      protocol: HTTPS
-    tls:
-      credentialName: {{ (include "xwiki.istio.credentialName" .) }}
-      minProtocolVersion: {{ .Values.istio.tls.minProtocolVersion }}
-      mode: {{ .Values.istio.tls.mode }}
-    hosts:
-    - {{ .Values.istio.host | quote }}
-  {{- end }}
-{{- end }}
+    - hosts:
+        - {{ .Values.istio.host | quote }}
+      port:
+        number: 80
+        name: http
+        protocol: HTTP
+    {{- if .Values.istio.tls.enabled }}
+      tls:
+        httpsRedirect: {{ .Values.istio.tls.httpsRedirect }}
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      tls:
+        credentialName: {{ (include "xwiki.istio.credentialName" .) }}
+        minProtocolVersion: {{ .Values.istio.tls.minProtocolVersion }}
+        mode: {{ .Values.istio.tls.mode }}
+      hosts:
+        - {{ .Values.istio.host | quote }}
+    {{- end }}
+{{- end }}

charts/xwiki/templates/istio.yaml

@@ -5,23 +5,23 @@ metadata:
   name: {{ printf "%s-vs" (include "xwiki.fullname" .) }}
 spec:
   hosts:
-  - {{ .Values.istio.host | quote }}
+    - {{ .Values.istio.host | quote }}
   gateways:
-  - {{ template "xwiki.istio.gatewayName" . }}
+    - {{ template "xwiki.istio.gatewayName" . }}
   http:
-  - match:
-    - uri:
-        prefix: /
-    route:
-    - destination:
-        port:
-          number: {{ .Values.service.externalPort }}
-        host: {{ template "xwiki.fullname" . }}
-      headers:
-        request:
-          set:
-            # Required for some extensions (Realtime Editor/Websocket)
-            x-forwarded-host: {{ .Values.istio.host | quote }}
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            port:
+              number: {{ .Values.service.externalPort }}
+            host: {{ template "xwiki.fullname" . }}
+          headers:
+            request:
+              set:
+                # Required for some extensions (Realtime Editor/Websocket)
+                x-forwarded-host: {{ .Values.istio.host | quote }}
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
@@ -38,4 +38,4 @@ spec:
           path: {{ .path }}
           ttl: {{ .ttl }}
       {{- end }}
-{{- end -}}
+{{- end -}}

charts/xwiki/templates/podmonitor.yaml

@@ -10,5 +10,5 @@ spec:
     matchLabels:
       {{- include "xwiki.selectorLabels" . | nindent 4 }}
   podMetricsEndpoints:
-    - port: monitoring
-{{- end }}
+      - port: monitoring
+{{- end }}

charts/xwiki/templates/service.yaml

@@ -13,16 +13,16 @@ spec:
     {{- end }}
   {{- end }}
   ports:
-  - port: {{ .Values.service.externalPort }}
-    targetPort: {{ .Values.service.internalPort }}
-    protocol: TCP
-    name: {{ .Values.service.name }}
+    - port: {{ .Values.service.externalPort }}
+      targetPort: {{ .Values.service.internalPort }}
+      protocol: TCP
+      name: {{ .Values.service.name }}
   {{- if .Values.prometheus.javaagent.enabled }}
-  - port: {{ .Values.prometheus.javaagent.port }}
-    targetPort: {{ .Values.prometheus.javaagent.port }}
-    protocol: TCP
-    name: monitoring
+    - port: {{ .Values.prometheus.javaagent.port }}
+      targetPort: {{ .Values.prometheus.javaagent.port }}
+      protocol: TCP
+      name: monitoring
   {{- end }}
   sessionAffinity: {{ .Values.service.sessionAffinity }}
   selector:
-    {{- include "xwiki.selectorLabels" . | nindent 4 }}
+    {{- include "xwiki.selectorLabels" . | nindent 4 }}

charts/xwiki/templates/solr-service.yaml

@@ -8,11 +8,11 @@ metadata:
 spec:
   type: {{ .Values.solr.service.type }}
   ports:
-  - port: {{ .Values.solr.service.externalPort }}
-    targetPort: {{ .Values.solr.service.internalPort }}
-    protocol: TCP
-    name: {{ .Values.solr.service.name }}
+    - port: {{ .Values.solr.service.externalPort }}
+      targetPort: {{ .Values.solr.service.internalPort }}
+      protocol: TCP
+      name: {{ .Values.solr.service.name }}
   sessionAffinity: {{ .Values.solr.service.sessionAffinity }}
   selector:
     {{- include "solr.selectorLabels" . | nindent 4 }}
-{{- end }}
+{{- end }}

charts/xwiki/templates/solr-statefulset.yaml

@@ -19,44 +19,44 @@ spec:
         {{- include "solr.labels" . | nindent 8 }}
     spec:
       initContainers:
-      - name: download-cores
-        image: curlimages/curl:8.2.1
-        env:
-        {{- range .Values.solr.extraEnvVars }}
-        - name: {{ .name  }}
-          value: {{ .value | quote }}
-        {{- end }}
-        command: ['/bin/sh', '-c']
-        volumeMounts:
-          - name: xwiki-solr-data
-            mountPath: /tmp/cores
-        securityContext:
-          runAsGroup: 1001
-          runAsUser: 1001
-        args:
-        - |
-          SOLR_CORE_URL="https://maven.xwiki.org/releases/org/xwiki/platform/xwiki-platform-search-solr-server-core/15.5/xwiki-platform-search-solr-server-core-15.5.jar"
-          SOLR_MINIMAL_CORE_URL="https://maven.xwiki.org/releases/org/xwiki/platform/xwiki-platform-search-solr-server-core-minimal/15.5/xwiki-platform-search-solr-server-core-minimal-15.5.zip"
-          cd /tmp
-          curl $SOLR_CORE_URL -o ./xwiki-server-core.zip && \
-          curl $SOLR_MINIMAL_CORE_URL -o ./xwiki-minimal-core.zip
-          unzip -qqo ./xwiki-server-core.zip  -d ./cores/xwiki
-          unzip -qqo ./xwiki-minimal-core.zip -d ./cores/xwiki_events
-          unzip -qqo ./xwiki-minimal-core.zip -d ./cores/xwiki_extension_index
-          unzip -qqo ./xwiki-minimal-core.zip -d ./cores/xwiki_ratings
+        - name: download-cores
+          image: curlimages/curl:8.2.1
+          env:
+          {{- range .Values.solr.extraEnvVars }}
+            - name: {{ .name  }}
+              value: {{ .value | quote }}
+          {{- end }}
+          command: ['/bin/sh', '-c']
+          volumeMounts:
+            - name: xwiki-solr-data
+              mountPath: /tmp/cores
+          securityContext:
+            runAsGroup: 1001
+            runAsUser: 1001
+          args:
+            - |
+              SOLR_CORE_URL="https://maven.xwiki.org/releases/org/xwiki/platform/xwiki-platform-search-solr-server-core/15.5/xwiki-platform-search-solr-server-core-15.5.jar"
+              SOLR_MINIMAL_CORE_URL="https://maven.xwiki.org/releases/org/xwiki/platform/xwiki-platform-search-solr-server-core-minimal/15.5/xwiki-platform-search-solr-server-core-minimal-15.5.zip"
+              cd /tmp
+              curl $SOLR_CORE_URL -o ./xwiki-server-core.zip && \
+              curl $SOLR_MINIMAL_CORE_URL -o ./xwiki-minimal-core.zip
+              unzip -qqo ./xwiki-server-core.zip  -d ./cores/xwiki
+              unzip -qqo ./xwiki-minimal-core.zip -d ./cores/xwiki_events
+              unzip -qqo ./xwiki-minimal-core.zip -d ./cores/xwiki_extension_index
+              unzip -qqo ./xwiki-minimal-core.zip -d ./cores/xwiki_ratings
       containers:
-      - name: {{ printf "%s-solr" .Chart.Name }}
-        image: {{ .Values.solr.image }}
-        securityContext:
-          allowPrivilegeEscalation: false
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        ports:
-        - containerPort: {{ .Values.solr.service.internalPort }}
-        resources:
-          {{ toYaml .Values.solr.resources | indent 12 }}
-        volumeMounts:
-        - name: xwiki-solr-data
-          mountPath: /var/solr/data
+        - name: {{ printf "%s-solr" .Chart.Name }}
+          image: {{ .Values.solr.image }}
+          securityContext:
+            allowPrivilegeEscalation: false
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - containerPort: {{ .Values.solr.service.internalPort }}
+          resources:
+            {{ toYaml .Values.solr.resources | indent 12 }}
+          volumeMounts:
+            - name: xwiki-solr-data
+              mountPath: /var/solr/data
       securityContext:
         fsGroup: 1001
     {{- with .Values.solr.nodeSelector }}
@@ -72,12 +72,12 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       volumes:
-      - name: xwiki-solr-data
-        {{- if and .Values.solr.persistence.enabled .Values.solr.persistence.existingClaim }}
-        persistentVolumeClaim:
-          claimName: {{ tpl .Values.solr.persistence.existingClaim $ }}
+        - name: xwiki-solr-data
+          {{- if and .Values.solr.persistence.enabled .Values.solr.persistence.existingClaim }}
+          persistentVolumeClaim:
+            claimName: {{ tpl .Values.solr.persistence.existingClaim $ }}
   {{- else if not .Values.solr.persistence.enabled }}
-        emptyDir: {}
+          emptyDir: {}
   {{- else }}
   volumeClaimTemplates:
     - metadata:

charts/xwiki/templates/xwiki-sa.yaml

@@ -1,31 +1,31 @@
-{{- if (.Values.cluster.enabled) }}
 {{- $fullName := include "xwiki.fullname" . -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ $fullName }}-sa
+{{- if (.Values.cluster.enabled) }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ $fullName }}-pod-reader
 rules:
-- apiGroups: [""] 
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
 #kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ $fullName }}-api-access
 subjects:
-- kind: ServiceAccount
-  name: {{ $fullName }}-sa
-  namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: {{ $fullName }}-sa
+    namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
   #kind: ClusterRole
   name: {{ $fullName }}-pod-reader
   apiGroup: rbac.authorization.k8s.io
-{{- end }}
+{{- end }}