Merge pull request #554 from brianredbeard/brb-pr554

fix(helm): Improve security settings and add templated image configuration

Author: mbaldessari

charts/all/config-demo/templates/config-demo-deployment.yaml

@@ -12,7 +12,6 @@ spec:
       deploymentconfig: config-demo
   template:
     metadata:
-      creationTimestamp: null
       labels:
         app: config-demo
         deploymentconfig: config-demo
@@ -24,8 +23,8 @@ spec:
           type: RuntimeDefault
       containers:
       - name: apache
-        image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
-        #imagePullPolicy: Always
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
         - containerPort: 8080
           name: http
@@ -51,7 +50,7 @@ spec:
             memory: 256Mi
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
           capabilities:
             drop:

charts/all/config-demo/templates/config-demo-route.yaml

@@ -13,5 +13,5 @@ spec:
     weight: 100
   wildcardPolicy: None
   tls:
-    insecureEdgeTerminationPolicy: Allow
+    insecureEdgeTerminationPolicy: Redirect
     termination: edge

charts/all/config-demo/values.yaml

@@ -13,3 +13,8 @@ global:
 
 clusterGroup:
   isHubCluster: true
+
+image:
+  repository: registry.access.redhat.com/ubi10/httpd-24
+  tag: "10.0-1755779646"
+  pullPolicy: IfNotPresent

charts/all/hello-world/templates/hello-world-deployment.yaml

@@ -23,8 +23,8 @@ spec:
           type: RuntimeDefault
       containers:
       - name: apache
-        image: registry.access.redhat.com/ubi10/httpd-24:10.0-1755779646
-        #imagePullPolicy: Always
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
         - containerPort: 8080
           name: http

charts/all/hello-world/templates/hello-world-route.yaml

@@ -13,5 +13,5 @@ spec:
     weight: 100
   wildcardPolicy: None
   tls:
-    insecureEdgeTerminationPolicy: Allow
+    insecureEdgeTerminationPolicy: Redirect
     termination: edge

charts/all/hello-world/values.yaml

@@ -1,4 +1,9 @@
 ---
 global:
   hubClusterDomain: hub.example.com
-  localCluster: local.example.com
+  localClusterDomain: local.example.com
+
+image:
+  repository: registry.access.redhat.com/ubi10/httpd-24
+  tag: "10.0-1755779646"
+  pullPolicy: IfNotPresent

values-standalone.yaml

@@ -7,7 +7,7 @@ clusterGroup:
     - config-demo
     - hello-world
   subscriptions: {}
-  projects:
+  argoProjects:
     - hub
     - config-demo
     - hello-world
@@ -26,24 +26,24 @@ clusterGroup:
     vault:
       name: vault
       namespace: vault
-      project: hub
+      argoProject: hub
       chart: hashicorp-vault
       chartVersion: 0.1.*
     golang-external-secrets:
       name: golang-external-secrets
       namespace: golang-external-secrets
-      project: hub
+      argoProject: hub
       chart: golang-external-secrets
       chartVersion: 0.1.*
     config-demo:
       name: config-demo
       namespace: config-demo
-      project: config-demo
+      argoProject: config-demo
       path: charts/all/config-demo
     hello-world:
       name: hello-world
       namespace: hello-world
-      project: hello-world
+      argoProject: hello-world
       path: charts/all/hello-world
   imperative:
     # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm