Skip to content

fix(helm): Improve security settings and add templated image configuration#554

Merged
mbaldessari merged 6 commits intovalidatedpatterns:mainfrom
brianredbeard:brb-pr554
Jan 19, 2026
Merged

fix(helm): Improve security settings and add templated image configuration#554
mbaldessari merged 6 commits intovalidatedpatterns:mainfrom
brianredbeard:brb-pr554

Conversation

@brianredbeard
Copy link
Contributor

@brianredbeard brianredbeard commented Jan 14, 2026

Summary

  • Fix security issues: enforce HTTPS redirects, read-only root filesystem
  • Template container images from values.yaml for easier overrides
  • Fix configuration key naming to match validated patterns operator expectations
  • Clean up unnecessary fields from templates

Changes

Security Improvements

  • Change insecureEdgeTerminationPolicy from Allow to Redirect in both hello-world and config-demo routes (enforces HTTPS)
  • Set readOnlyRootFilesystem: true in config-demo deployment with emptyDir volumes for writable paths

Image Configuration

  • Add image.repository, image.tag, image.pullPolicy to values.yaml for both charts
  • Update deployments to use templated image values: {{ .Values.image.repository }}:{{ .Values.image.tag }}
  • Remove commented #imagePullPolicy lines, now explicit in values

Configuration Fixes

  • Rename localCluster to localClusterDomain in hello-world values.yaml
  • Rename project to argoProject in values-standalone.yaml applications
  • Rename projects to argoProjects in values-standalone.yaml
  • Remove unnecessary creationTimestamp: null from pod template metadata

Affected Charts

  • charts/all/hello-world
  • charts/all/config-demo
  • values-standalone.yaml

Test Plan

  • Run helm template on both charts to verify valid output
  • Deploy to test cluster and verify routes redirect HTTP to HTTPS
  • Verify image can be overridden via values

Fixes #531
Fixes #532
Fixes #533
Fixes #534
Fixes #535
Fixes #536
Fixes #537
Fixes #538
Fixes #539
Fixes #540
Fixes #541
Fixes #542

@brianredbeard
fix(helm): rename localCluster to localClusterDomain in hello-world v…
df56462 
…alues

The template hello-world-cm.yaml references .Values.global.localClusterDomain
but the values file had the key named localCluster, causing the template
to render with an empty value.
@brianredbeard
fix(helm): change insecureEdgeTerminationPolicy from Allow to Redirect
a29bf22 
Setting insecureEdgeTerminationPolicy to Allow permits unencrypted HTTP
traffic to the routes. Changing to Redirect forces all HTTP requests
to be redirected to HTTPS, improving security.

Affected routes:
- hello-world
- config-demo
@brianredbeard
fix(helm): set readOnlyRootFilesystem to true in config-demo deployment
6d18b33 
The container already has emptyDir volumes mounted for all writable paths:
- /tmp
- /var/cache/httpd
- /var/run/httpd
- /var/www/html (via configMap)

With these mounts in place, the root filesystem can safely be read-only,
improving container security posture.
@brianredbeard
fix(helm): template container images from values.yaml
68a30e9 
- Add image.repository, image.tag, image.pullPolicy to both chart values
- Update deployments to use templated image values
- Remove commented imagePullPolicy, now explicit in values
- Allows image overrides without modifying templates

Affected charts:
- hello-world
- config-demo
@brianredbeard
fix(helm): remove unnecessary creationTimestamp: null from pod template
e3d224e 
Kubernetes auto-populates creationTimestamp. Explicitly setting it to null
in templates is unnecessary and may cause validation warnings.
@brianredbeard
fix(config): standardize to argoProject key name in values-standalone…
c7fb1bd 
….yaml

The validated patterns operator expects 'argoProject' not 'project'.
Also rename 'projects' to 'argoProjects' for consistency with values-hub.yaml.
@mbaldessari mbaldessari merged commit 49656f1 into validatedpatterns:main Jan 19, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment