From 2ca0b5805f3ef72b298b3a401221a3adad0a2d93 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Fri, 11 Oct 2024 05:43:06 -0500
Subject: [PATCH] nonroot!
---
 .../default/it-tools/app/helmrelease.yaml | 50 +++++++++++--------
 1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/kubernetes/apps/default/it-tools/app/helmrelease.yaml b/kubernetes/apps/default/it-tools/app/helmrelease.yaml
index cf460c2b..7c7c2e02 100644
--- a/kubernetes/apps/default/it-tools/app/helmrelease.yaml
+++ b/kubernetes/apps/default/it-tools/app/helmrelease.yaml
@@ -3,53 +3,55 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app it-tools + name: it-tools spec: interval: 30m chart: spec: chart: app-template version: 3.5.1 + interval: 30m sourceRef: kind: HelmRepository name: bjw-s namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - strategy: rollback + values: controllers: it-tools: + replicas: 1 + strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" + pod: + securityContext: + runAsUser: 101 + runAsGroup: 101 + fsGroup: 101 + fsGroupChangePolicy: "OnRootMismatch" containers: app: image: - repository: ghcr.io/corentinth/it-tools - tag: 2024.5.13-a0bc346 - env: - TZ: America/Chicago - probes: - liveness: - enabled: true - readiness: - enabled: true + repository: ghcr.io/bjw-s-labs/it-tools + tag: 2024.5.13 resources: requests: - cpu: 100m + cpu: 5m + memory: 32Mi limits: - memory: 500Mi + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL service: app: - controller: *app + controller: it-tools ports: http: - port: 80 + port: 8080 ingress: app: enabled: true
@@ -68,3 +70,7 @@ spec: tls: - hosts: - *host + + persistence: + tmp: + type: emptyDir
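Review bot: The pod-level `securityContext` added under `controllers.it-tools.pod` sets `runAsUser: 101` but not `runAsNonRoot: true`, so nothing makes the kubelet refuse to start the container if that UID is later changed or overridden to 0; adding `runAsNonRoot: true` in that block turns the commit's stated intent into an enforced check. The same block also has no seccomp profile, and `seccompProfile: {type: RuntimeDefault}` would sit naturally beside the `allowPrivilegeEscalation: false` and `capabilities.drop` settings the container already gets. Separately, the image now comes from a different repository (`ghcr.io/bjw-s-labs/it-tools`) and is pinned by tag only; appending a digest, `tag: 2024.5.13@sha256:<digest-placeholder>`, would keep a re-pushed tag from changing what runs. The `values` mapping continues past the end of this hunk.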
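Review bot: The `tmp` emptyDir added under `persistence` has no `sizeLimit`, so whatever the container writes there counts against the node's ephemeral storage with no cap; the `resources` set in the first hunk bound CPU and memory only. If the chart exposes it for emptyDir volumes, `sizeLimit: <size-placeholder>` on `tmp` would bound that. A one-line comment above `tmp:`, such as `# writable scratch space, needed because readOnlyRootFilesystem is true`, would record why the volume exists. The mount path is not stated in the hunk and presumably falls back to the chart's default for the key name, which is worth confirming against the rendered manifest.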