From 63209cebf1223039466bbd638172f30f8c16bdd1 Mon Sep 17 00:00:00 2001 
From: Jawad Qureshi Date: Wed, 24 Sep 2025 11:10:34 -0500 Subject: [PATCH 1/2] Add securityContext and targetPort configurations --- .secrets.baseline | 6 +- helm/access-backend/Chart.yaml | 2 +- helm/access-backend/README.md | 3 +- helm/access-backend/templates/deployment.yaml | 2 +- helm/access-backend/values.yaml | 1 + helm/ambassador/Chart.yaml | 2 +- helm/ambassador/README.md | 4 +- helm/ambassador/templates/deployment.yaml | 2 +- helm/ambassador/templates/service.yaml | 2 +- helm/ambassador/values.yaml | 1 + helm/arborist/Chart.yaml | 2 +- helm/arborist/README.md | 4 +- helm/arborist/templates/deployment.yaml | 2 +- helm/arborist/values.yaml | 1 + helm/argo-wrapper/Chart.yaml | 2 +- helm/argo-wrapper/README.md | 4 +- helm/argo-wrapper/templates/deployment.yaml | 5 +- helm/argo-wrapper/values.yaml | 1 + helm/audit/Chart.yaml | 2 +- helm/audit/README.md | 4 +- helm/audit/templates/deployment.yaml | 8 +- helm/audit/values.yaml | 1 + helm/cedar/Chart.yaml | 2 +- helm/cedar/README.md | 2 +- helm/cedar/templates/deployment.yaml | 6 +- helm/cohort-middleware/Chart.yaml | 2 +- helm/cohort-middleware/README.md | 3 +- .../templates/deployment.yaml | 3 +- helm/cohort-middleware/templates/service.yaml | 2 +- helm/cohort-middleware/values.yaml | 1 + helm/common/Chart.yaml | 2 +- helm/common/README.md | 2 +- helm/common/templates/_db_setup_job.tpl | 6 + helm/dicom-server/Chart.yaml | 2 +- helm/dicom-server/README.md | 2 +- helm/dicom-server/templates/deployment.yaml | 7 +- helm/etl/Chart.yaml | 2 +- helm/etl/README.md | 5 +- helm/etl/templates/etl-job.yaml | 8 + helm/etl/values.yaml | 16 ++ helm/fence/Chart.yaml | 2 +- helm/fence/README.md | 6 +- helm/fence/templates/fence-deployment.yaml | 6 +- helm/fence/templates/presigned-url-fence.yaml | 4 +- helm/fence/values.yaml | 5 +- helm/gen3-analysis/Chart.yaml | 2 +- helm/gen3-analysis/README.md | 4 +- helm/gen3-analysis/templates/deployment.yaml | 7 +- helm/gen3-analysis/values.yaml | 1 + 
helm/gen3-user-data-library/Chart.yaml | 2 +- helm/gen3-user-data-library/README.md | 3 +- .../templates/deployment.yaml | 6 +- helm/gen3-user-data-library/values.yaml | 1 + helm/gen3/Chart.yaml | 58 +++--- helm/gen3/README.md | 58 +++--- helm/gen3/templates/nginx-config.yaml | 68 +++++++ .../gen3/templates/tests/service-account.yaml | 32 ---- helm/guppy/Chart.yaml | 2 +- helm/guppy/README.md | 6 +- helm/guppy/templates/deployment.yaml | 11 +- helm/guppy/values.yaml | 16 ++ helm/hatchery/Chart.yaml | 2 +- helm/hatchery/README.md | 4 +- helm/hatchery/templates/deployment.yaml | 2 +- helm/hatchery/values.yaml | 1 + helm/indexd/Chart.yaml | 2 +- helm/indexd/README.md | 4 +- helm/indexd/templates/deployment.yaml | 2 +- helm/indexd/templates/pre-install.yaml | 2 + helm/indexd/values.yaml | 1 + helm/manifestservice/Chart.yaml | 2 +- helm/manifestservice/README.md | 6 +- .../manifestservice/templates/deployment.yaml | 9 +- helm/manifestservice/templates/service.yaml | 2 +- helm/manifestservice/values.yaml | 17 ++ helm/metadata/Chart.yaml | 2 +- helm/metadata/README.md | 8 +- helm/metadata/templates/deployment.yaml | 9 +- helm/metadata/templates/secrets.yaml | 16 -- helm/metadata/values.yaml | 3 +- helm/ohif-viewer/Chart.yaml | 2 +- helm/ohif-viewer/README.md | 2 +- helm/ohif-viewer/templates/deployment.yaml | 7 +- helm/orthanc/Chart.yaml | 2 +- helm/orthanc/README.md | 2 +- helm/orthanc/templates/deployment.yaml | 3 +- helm/peregrine/Chart.yaml | 2 +- helm/peregrine/README.md | 4 +- helm/peregrine/templates/deployment.yaml | 2 +- helm/peregrine/values.yaml | 1 + helm/portal/Chart.yaml | 2 +- helm/portal/README.md | 4 +- helm/portal/templates/deployment.yaml | 18 +- helm/portal/templates/job.yaml | 5 +- helm/portal/templates/nginx-conf.yaml | 180 ++++++++++++++++++ helm/portal/templates/service.yaml | 2 +- helm/portal/values.yaml | 1 + helm/requestor/Chart.yaml | 2 +- helm/requestor/README.md | 4 +- helm/requestor/templates/deployment.yaml | 7 +- helm/requestor/values.yaml 
| 1 + helm/revproxy/Chart.yaml | 2 +- helm/revproxy/README.md | 6 +- helm/revproxy/nginx/nginx.conf | 11 +- helm/revproxy/templates/configMaps.yaml | 2 +- helm/revproxy/templates/deployment.yaml | 11 +- helm/revproxy/templates/service.yaml | 2 +- helm/revproxy/values.yaml | 5 + helm/sheepdog/Chart.yaml | 2 +- helm/sheepdog/README.md | 10 +- helm/sheepdog/templates/deployment.yaml | 9 +- helm/sheepdog/templates/service.yaml | 2 +- helm/sheepdog/values.yaml | 19 +- helm/sower/Chart.yaml | 2 +- helm/sower/README.md | 4 +- helm/sower/templates/deployment.yaml | 6 +- helm/sower/values.yaml | 1 + helm/ssjdispatcher/Chart.yaml | 2 +- helm/ssjdispatcher/README.md | 4 +- helm/ssjdispatcher/templates/deployment.yaml | 6 +- helm/ssjdispatcher/values.yaml | 1 + helm/wts/Chart.yaml | 2 +- helm/wts/README.md | 4 +- helm/wts/templates/deployment.yaml | 6 +- helm/wts/values.yaml | 1 + 125 files changed, 637 insertions(+), 264 deletions(-) create mode 100644 helm/gen3/templates/nginx-config.yaml delete mode 100644 helm/gen3/templates/tests/service-account.yaml create mode 100644 helm/portal/templates/nginx-conf.yaml diff --git a/.secrets.baseline b/.secrets.baseline index 1f43a7c3e..11f68ea1a 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -153,14 +153,14 @@ "filename": "helm/portal/values.yaml", "hashed_secret": "08eeb737b239bdb7362a875b90e22c10b8826b20", "is_verified": false, - "line_number": 506 + "line_number": 507 }, { "type": "Base64 High Entropy String", "filename": "helm/portal/values.yaml", "hashed_secret": "eb9739c6625f06b4ab73035223366dda6262ae77", "is_verified": false, - "line_number": 508 + "line_number": 509 } ], "helm/revproxy/nginx/helpers.js": [ @@ -173,5 +173,5 @@ } ] }, - "generated_at": "2025-07-16T21:27:02Z" + "generated_at": "2025-09-24T16:09:34Z" } diff --git a/helm/access-backend/Chart.yaml b/helm/access-backend/Chart.yaml index a49e9d7e9..652d372a0 100644 --- a/helm/access-backend/Chart.yaml +++ b/helm/access-backend/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.9 +version: 0.1.10 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/access-backend/README.md b/helm/access-backend/README.md index c8b3ada16..2bedfcf59 100644 --- a/helm/access-backend/README.md +++ b/helm/access-backend/README.md @@ -1,6 +1,6 @@ # access-backend -![Version: 0.1.9](https://img.shields.io/badge/Version-0.1.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) +![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) A Helm chart for Kubernetes @@ -124,6 +124,7 @@ A Helm chart for Kubernetes | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | | securityContext | object | `{}` | | | service.port | int | `80` | | +| service.targetPort | int | `80` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.automount | bool | `true` | | diff --git a/helm/access-backend/templates/deployment.yaml b/helm/access-backend/templates/deployment.yaml index a0e3cfd9e..cefdb4dec 100644 --- a/helm/access-backend/templates/deployment.yaml +++ b/helm/access-backend/templates/deployment.yaml 
@@ -69,7 +69,7 @@ spec: port: 80 ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} diff --git a/helm/access-backend/values.yaml b/helm/access-backend/values.yaml index e53974459..efbf4f7c3 100644 --- a/helm/access-backend/values.yaml +++ b/helm/access-backend/values.yaml @@ -266,6 +266,7 @@ service: type: ClusterIP # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 + targetPort: 80 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: diff --git a/helm/ambassador/Chart.yaml b/helm/ambassador/Chart.yaml index a6f534ad7..2e7db9879 100644 --- a/helm/ambassador/Chart.yaml +++ b/helm/ambassador/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.25 +version: 0.1.26 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/ambassador/README.md b/helm/ambassador/README.md index b98cb2220..df11dac5a 100644 --- a/helm/ambassador/README.md +++ b/helm/ambassador/README.md 
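Review bot: The probe port stays a literal while the container port becomes configurable: the `port: 80` context line just above `ports:` (presumably a probe's `httpGet` port) still says 80, so any `service.targetPort` other than 80 makes the probe fail against a port nothing listens on. Point it at the named port the hunk already declares, `port: http`, as the audit and cedar hunks in this same patch do. The access-backend service template is absent from the diffstat, so its `targetPort` is presumably still a literal as well and should follow the `targetPort: http` pattern used for ambassador and cohort-middleware here. Note that `containerPort` is informational in Kubernetes; changing the value does not change the port the application process binds to.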
@@ -1,6 +1,6 @@ # ambassador -![Version: 0.1.25](https://img.shields.io/badge/Version-0.1.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.2](https://img.shields.io/badge/AppVersion-1.4.2-informational?style=flat-square) +![Version: 0.1.26](https://img.shields.io/badge/Version-0.1.26-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.2](https://img.shields.io/badge/AppVersion-1.4.2-informational?style=flat-square) A Helm chart for deploying ambassador for gen3 @@ -48,7 +48,7 @@ A Helm chart for deploying ambassador for gen3 | resources.requests.memory | string | `"100Mi"` | The amount of memory requested | | securityContext | map | `{}` | Container-level security context. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":8877,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":8877,"targetPort":8080,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `8877` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | diff --git a/helm/ambassador/templates/deployment.yaml b/helm/ambassador/templates/deployment.yaml index dae93e31e..78f524628 100644 --- a/helm/ambassador/templates/deployment.yaml +++ b/helm/ambassador/templates/deployment.yaml @@ -68,7 +68,7 @@ spec: value: "true" ports: - name: http - containerPort: 8080 + containerPort: {{ .Values.service.targetPort }} - name: https containerPort: 8443 - name: admin 
diff --git a/helm/ambassador/templates/service.yaml b/helm/ambassador/templates/service.yaml index 8fc57bfe9..b25331452 100644 --- a/helm/ambassador/templates/service.yaml +++ b/helm/ambassador/templates/service.yaml @@ -22,7 +22,7 @@ metadata: spec: ports: - port: 80 - targetPort: 8080 + targetPort: http name: proxy selector: {{- include "ambassador.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/helm/ambassador/values.yaml b/helm/ambassador/values.yaml index e8ac8ff07..4bce716a4 100644 --- a/helm/ambassador/values.yaml +++ b/helm/ambassador/values.yaml @@ -78,6 +78,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 8877 + targetPort: 8080 # -- (string) Namespace to use for user resources. userNamespace: "jupyter-pods" diff --git a/helm/arborist/Chart.yaml b/helm/arborist/Chart.yaml index 3ef9a1bb6..ee3b52af6 100644 --- a/helm/arborist/Chart.yaml +++ b/helm/arborist/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.24 +version: 0.1.25 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/arborist/README.md b/helm/arborist/README.md index 632f7590d..7fd8a2b4e 100644 --- a/helm/arborist/README.md +++ b/helm/arborist/README.md 
@@ -1,6 +1,6 @@ # arborist -![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.25](https://img.shields.io/badge/Version-0.1.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 arborist @@ -93,7 +93,7 @@ A Helm chart for gen3 arborist | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | | securityContext | map | `{}` | Security context to apply to the container | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | diff --git a/helm/arborist/templates/deployment.yaml b/helm/arborist/templates/deployment.yaml index a542d5abf..3ad5d93e2 100644 --- a/helm/arborist/templates/deployment.yaml +++ b/helm/arborist/templates/deployment.yaml @@ -54,7 +54,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: 
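Review bot: The liveness probe's `port` line falls just outside this hunk (it ends at `httpGet:`); if it is still a literal `80`, as the container port was before this change, it will not follow the new `service.targetPort` and should become `port: http`. The audit and cedar deployments in this patch make exactly that change, so arborist should match. The arborist service template is not in the diffstat either, so its `targetPort` is presumably still hardcoded and worth checking at the same time.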
diff --git a/helm/arborist/values.yaml b/helm/arborist/values.yaml index 8a624bd49..7d152f975 100644 --- a/helm/arborist/values.yaml +++ b/helm/arborist/values.yaml @@ -185,6 +185,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 80 # -- (map) Resource requests and limits for the containers in the pod resources: diff --git a/helm/argo-wrapper/Chart.yaml b/helm/argo-wrapper/Chart.yaml index 41fc6a4c4..bf2f75a2b 100644 --- a/helm/argo-wrapper/Chart.yaml +++ b/helm/argo-wrapper/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.19 +version: 0.1.20 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/argo-wrapper/README.md b/helm/argo-wrapper/README.md index 3672d075a..138d2d43d 100644 --- a/helm/argo-wrapper/README.md +++ b/helm/argo-wrapper/README.md @@ -1,6 +1,6 @@ # argo-wrapper -![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.20](https://img.shields.io/badge/Version-0.1.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Argo Wrapper Service 
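Review bot: `targetPort: 80` is added without the `# -- (int)` helm-docs comment that `port` carries directly above it, so helm-docs emits no description row for `service.targetPort` — consistent with the README hunk above, where only the `service` map summary changed. Add `# -- (int) Port the container listens on; must match what the image binds to, it is not applied to the process.` above the key. The same omission appears in the ambassador, argo-wrapper and audit values hunks of this patch.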
@@ -58,7 +58,7 @@ A Helm chart for gen3 Argo Wrapper Service | s3Bucket | string | `"argo-artifact-downloadable"` | S3 bucket name for Argo artifacts (allows pre-signed URLs). | | scalingGroups | list | `[{"user1":"workflow1"},{"user2":"workflow2"},{"user3":"workflow3"}]` | The workflow scaling groups to be used by Argo. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":8000,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":8000,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `8000` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | diff --git a/helm/argo-wrapper/templates/deployment.yaml b/helm/argo-wrapper/templates/deployment.yaml index 9038c94d4..74fa5f2b5 100644 --- a/helm/argo-wrapper/templates/deployment.yaml +++ b/helm/argo-wrapper/templates/deployment.yaml @@ -56,13 +56,14 @@ spec: livenessProbe: httpGet: path: /test - port: 8000 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 8000 + - containerPort: {{ .Values.service.targetPort }} + name: http protocol: TCP {{- with .Values.volumeMounts }} volumeMounts: diff --git a/helm/argo-wrapper/values.yaml b/helm/argo-wrapper/values.yaml index f57c6dd62..6f152cd75 100644 --- a/helm/argo-wrapper/values.yaml +++ b/helm/argo-wrapper/values.yaml 
@@ -109,6 +109,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 8000 + targetPort: 80 # -- (map) Configuration for network policies created by this chart. Only relevant if "global.netPolicy.enabled" is set to true netPolicy: diff --git a/helm/audit/Chart.yaml b/helm/audit/Chart.yaml index e3b4c48df..605a1330b 100644 --- a/helm/audit/Chart.yaml +++ b/helm/audit/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.30 +version: 0.1.31 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/audit/README.md b/helm/audit/README.md index 37baeae6b..fc08dabae 100644 --- a/helm/audit/README.md +++ b/helm/audit/README.md @@ -1,6 +1,6 @@ # audit -![Version: 0.1.30](https://img.shields.io/badge/Version-0.1.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.31](https://img.shields.io/badge/Version-0.1.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for Kubernetes 
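Review bot: `targetPort: 80` changes the argo-wrapper container port from 8000, which is the literal the deployment template replaced in the previous hunk, and the README in this patch still documents `service.port` as 8000. Unless the image was also changed to listen on 80, the liveness probe — now `port: http`, i.e. this value — will fail and the pod will restart-loop, and the Service will forward to a closed port. The default should be `targetPort: 8000`.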
@@ -122,7 +122,7 @@ A Helm chart for Kubernetes | server.sqs.region | string | `"us-east-1"` | SQS queue AWS region. | | server.sqs.url | string | `"http://sqs.com"` | The URL for the SQS queue. | | server.type | string | `"aws_sqs"` | Whether audit should use the api or aws_sqs. | -| service | map | `{"port":80,"type":"ClusterIP"}` | Configuration for the service | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Configuration for the service | | service.port | int | `80` | Port on which the service is exposed | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{"eks.amazonaws.com/role-arn":null},"create":true,"name":"audit-service-sa"}` | Service account to use or create. | diff --git a/helm/audit/templates/deployment.yaml b/helm/audit/templates/deployment.yaml index 75b359cad..8f22451c0 100644 --- a/helm/audit/templates/deployment.yaml +++ b/helm/audit/templates/deployment.yaml @@ -34,6 +34,8 @@ spec: {{- include "common.extraLabels" . | nindent 8 }} spec: serviceAccountName: {{ include "audit.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: - name: config-volume secret: @@ -46,20 +48,20 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} name: http protocol: TCP livenessProbe: httpGet: path: /_status - port: 80 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: http resources: {{- toYaml .Values.resources | nindent 12 }} env: diff --git a/helm/audit/values.yaml b/helm/audit/values.yaml index 9bd1befcb..566de2e85 100644 --- a/helm/audit/values.yaml +++ b/helm/audit/values.yaml 
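Review bot: The new pod-level `securityContext` renders `.Values.podSecurityContext` unconditionally, but the audit values.yaml change in this patch is a single added line (`targetPort`), so unless `podSecurityContext` was already defined there this renders as `securityContext: null`. Kubernetes accepts a null securityContext, but the intent is hidden and a typo in the key name would silently produce the same output; guard it with `{{- with .Values.podSecurityContext }}` around `securityContext:` / `{{- toYaml . | nindent 8 }}` and add a documented `podSecurityContext: {}` default to values.yaml, as the etl chart in this patch does. Switching both probes to `port: http` here is the right pattern and is what the other charts should copy.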
@@ -185,6 +185,7 @@ service: type: ClusterIP # -- (int) Port on which the service is exposed port: 80 + targetPort: 80 # -- (map) Configuration for network policies created by this chart. Only relevant if "global.netPolicy.enabled" is set to true netPolicy: diff --git a/helm/cedar/Chart.yaml b/helm/cedar/Chart.yaml index 43e138f6a..0aea66792 100644 --- a/helm/cedar/Chart.yaml +++ b/helm/cedar/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.12 +version: 0.1.13 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/cedar/README.md b/helm/cedar/README.md index 30d7e7076..f2f97fe6b 100644 --- a/helm/cedar/README.md +++ b/helm/cedar/README.md @@ -1,6 +1,6 @@ # cedar -![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 cedar wrapper diff --git a/helm/cedar/templates/deployment.yaml b/helm/cedar/templates/deployment.yaml index 44467dbc8..35a0029e5 100644 --- a/helm/cedar/templates/deployment.yaml +++ b/helm/cedar/templates/deployment.yaml 
@@ -94,19 +94,19 @@ spec: - /src/start.sh ports: - name: http - containerPort: 8000 + containerPort: {{ .Values.service.targetPort }} protocol: TCP readinessProbe: httpGet: path: /_status/ - port: 8000 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 livenessProbe: httpGet: path: /_status/ - port: 8000 + port: http initialDelaySeconds: 60 periodSeconds: 60 timeoutSeconds: 30 diff --git a/helm/cohort-middleware/Chart.yaml b/helm/cohort-middleware/Chart.yaml index 325d3d0e5..816522b7c 100644 --- a/helm/cohort-middleware/Chart.yaml +++ b/helm/cohort-middleware/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.11 +version: 0.1.12 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/cohort-middleware/README.md b/helm/cohort-middleware/README.md index 5ad5e49cf..3c0bb3105 100644 --- a/helm/cohort-middleware/README.md +++ b/helm/cohort-middleware/README.md @@ -1,6 +1,6 @@ # cohort-middleware -![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 cohort-middleware 
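Review bot: `containerPort: {{ .Values.service.targetPort }}` has no backing value in this patch: the diffstat touches only Chart.yaml, README.md and this template for cedar, and the README hunk changes only the version badge, so unless values.yaml already defines `service.targetPort` this renders an empty `containerPort:` and the Deployment is rejected at apply time. Add `targetPort: 8000` under `service` in helm/cedar/values.yaml — 8000 is the literal this hunk removes — with a `# -- (int)` helm-docs comment so the README picks it up. The probes now reference `port: http`, so they will follow that value once it exists.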
@@ -101,6 +101,7 @@ A Helm chart for gen3 cohort-middleware | resources.requests.memory | string | `"128Mi"` | | | securityContext | object | `{}` | | | service.port | int | `80` | | +| service.targetPort | int | `8080` | | | service.type | string | `"ClusterIP"` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.automount | bool | `true` | | diff --git a/helm/cohort-middleware/templates/deployment.yaml b/helm/cohort-middleware/templates/deployment.yaml index ff220a5fb..017f8d4d3 100644 --- a/helm/cohort-middleware/templates/deployment.yaml +++ b/helm/cohort-middleware/templates/deployment.yaml @@ -54,7 +54,8 @@ spec: mountPath: /config/development.yaml subPath: development.yaml ports: - - containerPort: 8080 + - containerPort: {{ .Values.service.targetPort }} + name: http livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: diff --git a/helm/cohort-middleware/templates/service.yaml b/helm/cohort-middleware/templates/service.yaml index c40a19239..3a945e8fa 100644 --- a/helm/cohort-middleware/templates/service.yaml +++ b/helm/cohort-middleware/templates/service.yaml @@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: 8080 + targetPort: http protocol: TCP name: http selector: diff --git a/helm/cohort-middleware/values.yaml b/helm/cohort-middleware/values.yaml index bb2822976..d80ddfe17 100644 --- a/helm/cohort-middleware/values.yaml +++ b/helm/cohort-middleware/values.yaml @@ -136,6 +136,7 @@ service: type: ClusterIP # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 + targetPort: 8080 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: diff --git a/helm/common/Chart.yaml b/helm/common/Chart.yaml index 5efa24b30..a220155a4 100644 --- a/helm/common/Chart.yaml 
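Review bot: The liveness and readiness probes in the cohort-middleware deployment are rendered from `.Values.livenessProbe` / `.Values.readinessProbe` via `toYaml`, so if those defaults carry a numeric `port: 8080` they will not follow the new `service.targetPort` even though the port is now named. With `name: http` added to the container port, the probe defaults in values.yaml should use `port: http`. The service template's switch to `targetPort: http` in this same hunk is the right pattern.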
+++ b/helm/common/Chart.yaml @@ -15,7 +15,7 @@ type: library # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.23 +version: 0.1.24 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/common/README.md b/helm/common/README.md index c62d1e6f6..1bf51d26a 100644 --- a/helm/common/README.md +++ b/helm/common/README.md @@ -1,6 +1,6 @@ # common -![Version: 0.1.23](https://img.shields.io/badge/Version-0.1.23-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for provisioning databases in gen3 diff --git a/helm/common/templates/_db_setup_job.tpl b/helm/common/templates/_db_setup_job.tpl index b0b3d8009..d637057ad 100644 --- a/helm/common/templates/_db_setup_job.tpl +++ b/helm/common/templates/_db_setup_job.tpl @@ -44,6 +44,12 @@ spec: app: gen3job spec: serviceAccountName: {{ .Chart.Name }}-dbcreate-sa + {{- if $.Values.podSecurityContext }} + securityContext: + {{- range $k, $v := $.Values.podSecurityContext }} + {{ $k }}: {{ $v }} + {{- end }} + {{- end }} restartPolicy: Never containers: - name: db-setup diff --git a/helm/dicom-server/Chart.yaml b/helm/dicom-server/Chart.yaml index 93b076e70..e7b2a1078 100644 --- a/helm/dicom-server/Chart.yaml 
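Review bot: The `{{ $k }}: {{ $v }}` loop in _db_setup_job.tpl only renders scalar entries of `podSecurityContext`; a nested value such as `seccompProfile: {type: RuntimeDefault}` or a list such as `supplementalGroups` is printed with Go's default formatting (`map[type:RuntimeDefault]`), which yields an invalid pod spec for the db-setup job. Replace the `if`/`range` with a `with` block that emits `{{- toYaml . | nindent 8 }}` under `securityContext:`, which is how the audit and etl templates in this patch render the same value. Since every chart's DB-setup job inherits this library template, an operator who hardens `podSecurityContext` for the service will otherwise break the job silently.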
+++ b/helm/dicom-server/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.19 +version: 0.1.20 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/dicom-server/README.md b/helm/dicom-server/README.md index b9262c8d9..7804ccd8e 100644 --- a/helm/dicom-server/README.md +++ b/helm/dicom-server/README.md @@ -1,6 +1,6 @@ # dicom-server -![Version: 0.1.19](https://img.shields.io/badge/Version-0.1.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.20](https://img.shields.io/badge/Version-0.1.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Dicom Server diff --git a/helm/dicom-server/templates/deployment.yaml b/helm/dicom-server/templates/deployment.yaml index fec47c2f0..58b8d248b 100644 --- a/helm/dicom-server/templates/deployment.yaml +++ b/helm/dicom-server/templates/deployment.yaml @@ -48,19 +48,20 @@ spec: readinessProbe: httpGet: path: /system - port: 8042 + port: http initialDelaySeconds: 5 periodSeconds: 20 timeoutSeconds: 30 livenessProbe: httpGet: path: /system - port: 8042 + port: http initialDelaySeconds: 5 periodSeconds: 60 timeoutSeconds: 30 ports: - - containerPort: 8042 + - containerPort: {{ .Values.service.targetPort }} + name: http env: - name: PGHOST valueFrom: 
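Review bot: As with cedar, `containerPort: {{ .Values.service.targetPort }}` in the dicom-server deployment has no corresponding values.yaml change in the diffstat and the README hunk touches only the version badge, so unless `service.targetPort` already exists the port renders empty and both probes — now `port: http` — have nothing to resolve to. Add `targetPort: 8042` under `service` in helm/dicom-server/values.yaml, matching the literal this hunk removes, with a `# -- (int)` comment.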
diff --git a/helm/etl/Chart.yaml b/helm/etl/Chart.yaml index 4cb17ae39..30a808bce 100644 --- a/helm/etl/Chart.yaml +++ b/helm/etl/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.15 +version: 0.1.16 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/etl/README.md b/helm/etl/README.md index f232c3fd8..5a6bf0628 100644 --- a/helm/etl/README.md +++ b/helm/etl/README.md @@ -1,6 +1,6 @@ # etl -![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.16](https://img.shields.io/badge/Version-0.1.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 etl @@ -8,6 +8,7 @@ A Helm chart for gen3 etl | Key | Type | Default | Description | |-----|------|---------|-------------| +| env | string | `nil` | | | esEndpoint | string | `"gen3-elasticsearch-master"` | | | esGarbageCollect | map | `{"custom_image":null,"enabled":false,"schedule":"0 0 * * *","slack_webhook":"None"}` | Configuration options for es garbage cronjob. | | esGarbageCollect.custom_image | string | `nil` | To set a custom image for the es garbage collect cronjob. Default is the Gen3 Awshelper image. | 
@@ -100,10 +101,12 @@ A Helm chart for gen3 etl | imagePullSecrets | list | `[]` | Docker image pull secrets. | | legacySupport | bool | `false` | | | podAnnotations | map | `{}` | Annotations to add to the pod | +| podSecurityContext | map | `{}` | Security context for the pod | | resources | map | `{"spark":{"requests":{"memory":"128Mi"}},"tube":{"requests":{"memory":"128Mi"}}}` | Resource requests and limits for the containers in the pod | | resources.spark.requests | map | `{"memory":"128Mi"}` | The amount of resources that the container requests | | resources.spark.requests.memory | string | `"128Mi"` | The amount of memory requested | | resources.tube.requests | map | `{"memory":"128Mi"}` | The amount of resources that the container requests | | resources.tube.requests.memory | string | `"128Mi"` | The amount of memory requested | | schedule | string | `"*/30 * * * *"` | | +| securityContext | map | `{}` | Security context for the containers in the pod | | suspendCronjob | bool | `true` | | diff --git a/helm/etl/templates/etl-job.yaml b/helm/etl/templates/etl-job.yaml index 5a4aee8b1..b0622c8fb 100644 --- a/helm/etl/templates/etl-job.yaml +++ b/helm/etl/templates/etl-job.yaml @@ -36,6 +36,8 @@ spec: operator: In values: - ONDEMAND + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 12 }} volumes: {{- if .Values.legacySupport }} - name: config-volume @@ -111,6 +113,12 @@ spec: ports: - containerPort: 80 env: + {{- with .Values.env }} + {{- range $key, $value := . }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- end }} - name: DB_HOST valueFrom: secretKeyRef: diff --git a/helm/etl/values.yaml b/helm/etl/values.yaml index 75ea1d365..d0f552e6b 100644 --- a/helm/etl/values.yaml +++ b/helm/etl/values.yaml @@ -43,6 +43,8 @@ resources: esEndpoint: gen3-elasticsearch-master +env: + etlMapping: mappings: - name: dev_case 
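Review bot: The container-level `securityContext` value this patch adds to etl's values.yaml and README (described as "Security context for the containers in the pod") is never consumed: the two etl-job.yaml hunks only wire `podSecurityContext` and the `env` map, and the diffstat's 8 added lines for that template are fully accounted for by those. An operator who sets `readOnlyRootFilesystem` or `runAsNonRoot` from the commented example in values.yaml therefore gets no hardening and no error. Add `securityContext:` followed by `{{- toYaml .Values.securityContext | nindent 12 }}` to each container spec in etl-job.yaml (indent to be confirmed against the surrounding template), or drop the value and its README row until it is wired. The container definitions begin outside the hunk.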
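Review bot: `env:` is added to etl's values.yaml as a bare key, which YAML reads as null; the template's `{{- with .Values.env }}` tolerates that, but helm-docs then records the key as `string` / `nil` with no description (see the README hunk above), so users cannot tell it is a map of variable names to values. Write it as `env: {}` with a `# -- (map) Extra environment variables added to the etl container` comment above it. Separately, `- name: {{ $key }}` in the template emits the key unquoted, so a key containing YAML-significant characters would break rendering; `{{ $key | quote }}` is safer and matches the already-quoted value.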
@@ -152,3 +154,17 @@ suspendCronjob: true legacySupport: false etlForced: "TRUE" + +# -- (map) Security context for the pod +podSecurityContext: {} + +# -- (map) Security context for the containers in the pod +securityContext: + {} + + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 diff --git a/helm/fence/Chart.yaml b/helm/fence/Chart.yaml index 841c660b0..c769729b7 100644 --- a/helm/fence/Chart.yaml +++ b/helm/fence/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.59 +version: 0.1.60 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/fence/README.md b/helm/fence/README.md index 6dea09e62..c50257e47 100644 --- a/helm/fence/README.md +++ b/helm/fence/README.md @@ -1,6 +1,6 @@ # fence -![Version: 0.1.59](https://img.shields.io/badge/Version-0.1.59-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.60](https://img.shields.io/badge/Version-0.1.60-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Fence 
@@ -171,7 +171,7 @@ A Helm chart for gen3 Fence | nodeSelector | map | `{}` | Node Selector for the pods | | partOf | string | `"Authentication"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. | | podAnnotations | map | `{}` | Annotations to add to the pod | -| podSecurityContext | map | `{"fsGroup":101}` | Security context for the pod | +| podSecurityContext | map | `{}` | Security context for the pod | | postgres | map | `{"database":null,"dbCreate":null,"dbRestore":false,"host":null,"password":null,"port":"5432","separate":false,"username":null}` | Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you | | postgres.database | string | `nil` | Database name for postgres. This is a service override, defaults to - | | postgres.dbCreate | bool | `nil` | Whether the database should be created. Default to global.postgres.dbCreate | @@ -196,7 +196,7 @@ A Helm chart for gen3 Fence | secrets.awsSecretAccessKey | str | `nil` | AWS access key ID. Overrides global key. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{"eks.amazonaws.com/role-arn":null},"create":true,"name":"fence-sa"}` | Service account to use or create. | 
diff --git a/helm/fence/templates/fence-deployment.yaml b/helm/fence/templates/fence-deployment.yaml index 8ff37c4f6..3eac9adb1 100644 --- a/helm/fence/templates/fence-deployment.yaml +++ b/helm/fence/templates/fence-deployment.yaml @@ -39,6 +39,8 @@ spec: spec: enableServiceLinks: false serviceAccountName: {{ include "fence.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: @@ -47,7 +49,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} protocol: TCP - name: https containerPort: 443 @@ -87,7 +89,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} protocol: TCP - name: https containerPort: 443 diff --git a/helm/fence/templates/presigned-url-fence.yaml b/helm/fence/templates/presigned-url-fence.yaml index 4244e3c4c..c8ba108df 100644 --- a/helm/fence/templates/presigned-url-fence.yaml +++ b/helm/fence/templates/presigned-url-fence.yaml @@ -38,6 +38,8 @@ spec: userhelper: "yes" spec: serviceAccountName: {{ include "fence.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: {{- toYaml .Values.volumes | nindent 8 }} containers: @@ -46,7 +48,7 @@ spec: imagePullPolicy: Always ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} protocol: TCP - name: https containerPort: 443 diff --git a/helm/fence/values.yaml b/helm/fence/values.yaml index 5aa31526c..ed6434ab5 100644 --- a/helm/fence/values.yaml +++ b/helm/fence/values.yaml @@ -258,8 +258,8 @@ serviceAccount: podAnnotations: {} # -- (map) Security context for the pod -podSecurityContext: - fsGroup: 101 +podSecurityContext: {} + # fsGroup: 101 # -- (map) Security context for the containers in the pod securityContext: 
@@ -277,6 +277,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 80 # -- (map) Resource requests and limits for the containers in the pod resources: diff --git a/helm/gen3-analysis/Chart.yaml b/helm/gen3-analysis/Chart.yaml index 19eb571df..dd4c4c7f4 100644 --- a/helm/gen3-analysis/Chart.yaml +++ b/helm/gen3-analysis/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/gen3-analysis/README.md b/helm/gen3-analysis/README.md index 79e2e5ab5..c8c74a0d0 100644 --- a/helm/gen3-analysis/README.md +++ b/helm/gen3-analysis/README.md @@ -1,6 +1,6 @@ # gen3-analysis -![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 gen3-analysis Service 
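Review bot: `targetPort: 80` in the fence `service` block has no `# -- (int)` helm-docs comment, unlike `port:` directly above it, so the regenerated README only shows it inside the `service` map summary and gets no `service.targetPort` row; the same omission recurs in the gen3-analysis, gen3-user-data-library and guppy values.yaml hunks further down. Add `# -- (int) The container port the Service and probes target.` above it. Separately, fence's templates/service.yaml is not part of this patch, so whether the Service selects the container by the named port `http` or by a literal `80` is not visible here; if it is the literal, overriding `service.targetPort` would move the container port while the Service kept targeting 80.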
@@ -88,7 +88,7 @@ A Helm chart for gen3 gen3-analysis Service | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}],"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}],"targetPort":8000,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | diff --git a/helm/gen3-analysis/templates/deployment.yaml b/helm/gen3-analysis/templates/deployment.yaml index b4b55bda9..ac1a13cbf 100644 --- a/helm/gen3-analysis/templates/deployment.yaml +++ b/helm/gen3-analysis/templates/deployment.yaml @@ -60,16 +60,17 @@ spec: livenessProbe: httpGet: path: /_status - port: 8000 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 8000 + port: http ports: - - containerPort: 8000 + - containerPort: {{ .Values.service.targetPort }} + name: http {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} diff --git a/helm/gen3-analysis/values.yaml b/helm/gen3-analysis/values.yaml index d49136c94..8053a7c99 100644 --- a/helm/gen3-analysis/values.yaml +++ b/helm/gen3-analysis/values.yaml 
@@ -189,6 +189,7 @@ resources: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 8000 # -- (int) The port number that the service exposes. port: - protocol: TCP diff --git a/helm/gen3-user-data-library/Chart.yaml b/helm/gen3-user-data-library/Chart.yaml index 18a7e3f83..3c643ea70 100644 --- a/helm/gen3-user-data-library/Chart.yaml +++ b/helm/gen3-user-data-library/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.5 +version: 0.1.6 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/gen3-user-data-library/README.md b/helm/gen3-user-data-library/README.md index 2d2f9f997..f20ae1f89 100644 --- a/helm/gen3-user-data-library/README.md +++ b/helm/gen3-user-data-library/README.md @@ -1,6 +1,6 @@ # gen3-user-data-library -![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: main](https://img.shields.io/badge/AppVersion-main-informational?style=flat-square) +![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: main](https://img.shields.io/badge/AppVersion-main-informational?style=flat-square) A Helm chart for Kubernetes 
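Review bot: The new top-level `service.targetPort: 8000` duplicates the `targetPort: 8000` that already lives inside each `service.port` entry (visible in the README row for `service.port`), so the container port and the Service's target can now be set independently and drift apart. Either derive the container port from the existing entry, e.g. `containerPort: {{ (index .Values.service.port 0).targetPort }}`, or add a comment above the new key stating that it must match `service.port[].targetPort`, together with the `# -- (int)` helm-docs comment it currently lacks. The guppy values.yaml hunk below has the same shape and the same risk.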
@@ -85,6 +85,7 @@ A Helm chart for Kubernetes | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | | service.port | int | `80` | | +| service.targetPort | int | `80` | | | service.type | string | `"ClusterIP"` | | | volumeMounts[0].mountPath | string | `"/gen3userdatalibrary/.env"` | | | volumeMounts[0].name | string | `"gen3-user-data-library-g3auto-volume"` | | diff --git a/helm/gen3-user-data-library/templates/deployment.yaml b/helm/gen3-user-data-library/templates/deployment.yaml index 4d7632060..6ad788201 100644 --- a/helm/gen3-user-data-library/templates/deployment.yaml +++ b/helm/gen3-user-data-library/templates/deployment.yaml @@ -87,19 +87,19 @@ spec: optional: false imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} name: http livenessProbe: httpGet: path: /_status - port: 80 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: http {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} diff --git a/helm/gen3-user-data-library/values.yaml b/helm/gen3-user-data-library/values.yaml index 85327ced0..951533522 100644 --- a/helm/gen3-user-data-library/values.yaml +++ b/helm/gen3-user-data-library/values.yaml @@ -72,6 +72,7 @@ service: type: ClusterIP # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports port: 80 + targetPort: 80 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml index c04244838..c54c7ea5e 100644 --- a/helm/gen3/Chart.yaml +++ b/helm/gen3/Chart.yaml 
@@ -5,23 +5,23 @@ description: Helm chart to deploy Gen3 Data Commons # Dependencies dependencies: - name: access-backend - version: 0.1.9 + version: 0.1.10 repository: "file://../access-backend" condition: access-backend.enabled - name: ambassador - version: 0.1.25 + version: 0.1.26 repository: "file://../ambassador" condition: ambassador.enabled - name: arborist - version: 0.1.24 + version: 0.1.25 repository: "file://../arborist" condition: arborist.enabled - name: argo-wrapper - version: 0.1.19 + version: 0.1.20 repository: "file://../argo-wrapper" condition: argo-wrapper.enabled - name: audit - version: 0.1.30 + version: 0.1.31 repository: "file://../audit" condition: audit.enabled - name: aws-es-proxy @@ -29,15 +29,15 @@ dependencies: repository: "file://../aws-es-proxy" condition: aws-es-proxy.enabled - name: cedar - version: 0.1.12 + version: 0.1.13 repository: "file://../cedar" condition: cedar.enabled - name: cohort-middleware - version: 0.1.11 + version: 0.1.12 repository: "file://../cohort-middleware" condition: cohort-middleware.enabled - name: common - version: 0.1.23 + version: 0.1.24 repository: file://../common - name: dashboard version: 0.1.8 @@ -48,7 +48,7 @@ dependencies: repository: "file://../datareplicate" condition: datareplicate.enabled - name: etl - version: 0.1.15 + version: 0.1.16 repository: file://../etl condition: etl.enabled - name: frontend-framework 
@@ -56,63 +56,63 @@ dependencies: repository: "file://../frontend-framework" condition: frontend-framework.enabled - name: fence - version: 0.1.59 + version: 0.1.60 repository: "file://../fence" condition: fence.enabled - name: gen3-user-data-library - version: 0.1.5 + version: 0.1.6 repository: "file://../gen3-user-data-library" condition: gen3-user-data-library.enabled - name: guppy - version: 0.1.25 + version: 0.1.26 repository: "file://../guppy" condition: guppy.enabled - name: hatchery - version: 0.1.52 + version: 0.1.53 repository: "file://../hatchery" condition: hatchery.enabled - name: indexd - version: 0.1.33 + version: 0.1.34 repository: "file://../indexd" condition: indexd.enabled - name: manifestservice - version: 0.1.32 + version: 0.1.33 repository: "file://../manifestservice" condition: manifestservice.enabled - name: metadata - version: 0.1.30 + version: 0.1.31 repository: "file://../metadata" condition: metadata.enabled - name: peregrine - version: 0.1.31 + version: 0.1.32 repository: "file://../peregrine" condition: peregrine.enabled - name: portal - version: 0.1.45 + version: 0.1.46 repository: "file://../portal" condition: portal.enabled - name: requestor - version: 0.1.24 + version: 0.1.25 repository: "file://../requestor" condition: requestor.enabled - name: revproxy - version: 0.1.43 + version: 0.1.44 repository: "file://../revproxy" condition: revproxy.enabled - name: sheepdog - version: 0.1.29 + version: 0.1.30 repository: "file://../sheepdog" condition: sheepdog.enabled - name: ssjdispatcher - version: 0.1.31 + version: 0.1.32 repository: "file://../ssjdispatcher" condition: ssjdispatcher.enabled - name: sower - version: 0.1.34 + version: 0.1.35 condition: sower.enabled repository: "file://../sower" - name: wts - version: 0.1.30 + version: 0.1.31 repository: "file://../wts" condition: wts.enabled - name: gen3-network-policies 
@@ -120,19 +120,19 @@ dependencies: repository: "file://../gen3-network-policies" condition: global.netPolicy.enabled - name: dicom-server - version: 0.1.19 + version: 0.1.20 repository: file://../dicom-server condition: dicom-server.enabled - name: ohif-viewer - version: 0.1.3 + version: 0.1.4 repository: file://../ohif-viewer condition: ohif-viewer.enabled - name: orthanc - version: 0.1.4 + version: 0.1.5 repository: file://../orthanc condition: orthanc.enabled - name: gen3-analysis - version: 0.1.1 + version: 0.1.2 repository: file://../gen3-analysis condition: gen3-analysis.enabled @@ -169,7 +169,7 @@ type: application # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.59 +version: 0.2.60 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/gen3/README.md b/helm/gen3/README.md index 68b79f497..586a66b62 100644 --- a/helm/gen3/README.md +++ b/helm/gen3/README.md @@ -1,6 +1,6 @@ # gen3 -![Version: 0.2.59](https://img.shields.io/badge/Version-0.2.59-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.2.60](https://img.shields.io/badge/Version-0.2.60-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) Helm chart to deploy Gen3 Data Commons 
@@ -18,40 +18,40 @@ Helm chart to deploy Gen3 Data Commons | Repository | Name | Version | |------------|------|---------| -| file://../access-backend | access-backend | 0.1.9 | -| file://../ambassador | ambassador | 0.1.25 | -| file://../arborist | arborist | 0.1.24 | -| file://../argo-wrapper | argo-wrapper | 0.1.19 | -| file://../audit | audit | 0.1.30 | +| file://../access-backend | access-backend | 0.1.10 | +| file://../ambassador | ambassador | 0.1.26 | +| file://../arborist | arborist | 0.1.25 | +| file://../argo-wrapper | argo-wrapper | 0.1.20 | +| file://../audit | audit | 0.1.31 | | file://../aws-es-proxy | aws-es-proxy | 0.1.30 | -| file://../cedar | cedar | 0.1.12 | -| file://../cohort-middleware | cohort-middleware | 0.1.11 | -| file://../common | common | 0.1.23 | +| file://../cedar | cedar | 0.1.13 | +| file://../cohort-middleware | cohort-middleware | 0.1.12 | +| file://../common | common | 0.1.24 | | file://../dashboard | dashboard | 0.1.8 | | file://../datareplicate | datareplicate | 0.0.29 | -| file://../dicom-server | dicom-server | 0.1.19 | -| file://../etl | etl | 0.1.15 | -| file://../fence | fence | 0.1.59 | +| file://../dicom-server | dicom-server | 0.1.20 | +| file://../etl | etl | 0.1.16 | +| file://../fence | fence | 0.1.60 | | file://../frontend-framework | frontend-framework | 0.1.13 | -| file://../gen3-analysis | gen3-analysis | 0.1.1 | +| file://../gen3-analysis | gen3-analysis | 0.1.2 | | file://../gen3-network-policies | gen3-network-policies | 0.1.2 | -| file://../gen3-user-data-library | gen3-user-data-library | 0.1.5 | -| file://../guppy | guppy | 0.1.25 | -| file://../hatchery | hatchery | 0.1.52 | -| file://../indexd | indexd | 0.1.33 | -| file://../manifestservice | manifestservice | 0.1.32 | -| file://../metadata | metadata | 0.1.30 | +| file://../gen3-user-data-library | gen3-user-data-library | 0.1.6 | +| file://../guppy | guppy | 0.1.26 | +| file://../hatchery | hatchery | 0.1.53 | +| file://../indexd | indexd | 0.1.34 | 
+| file://../manifestservice | manifestservice | 0.1.33 | +| file://../metadata | metadata | 0.1.31 | | file://../neuvector | neuvector | 0.1.2 | -| file://../ohif-viewer | ohif-viewer | 0.1.3 | -| file://../orthanc | orthanc | 0.1.4 | -| file://../peregrine | peregrine | 0.1.31 | -| file://../portal | portal | 0.1.45 | -| file://../requestor | requestor | 0.1.24 | -| file://../revproxy | revproxy | 0.1.43 | -| file://../sheepdog | sheepdog | 0.1.29 | -| file://../sower | sower | 0.1.34 | -| file://../ssjdispatcher | ssjdispatcher | 0.1.31 | -| file://../wts | wts | 0.1.30 | +| file://../ohif-viewer | ohif-viewer | 0.1.4 | +| file://../orthanc | orthanc | 0.1.5 | +| file://../peregrine | peregrine | 0.1.32 | +| file://../portal | portal | 0.1.46 | +| file://../requestor | requestor | 0.1.25 | +| file://../revproxy | revproxy | 0.1.44 | +| file://../sheepdog | sheepdog | 0.1.30 | +| file://../sower | sower | 0.1.35 | +| file://../ssjdispatcher | ssjdispatcher | 0.1.32 | +| file://../wts | wts | 0.1.31 | | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 | | https://helm.elastic.co | elasticsearch | 7.10.2 | diff --git a/helm/gen3/templates/nginx-config.yaml b/helm/gen3/templates/nginx-config.yaml new file mode 100644 index 000000000..4698aaa28 --- /dev/null +++ b/helm/gen3/templates/nginx-config.yaml 
@@ -0,0 +1,68 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-config +data: + nginx.conf: | + user gen3; + worker_processes auto; + error_log /var/log/nginx/error.log notice; + pid /var/lib/nginx/nginx.pid; + + # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. + include /usr/share/nginx/modules/*.conf; + + events { + worker_connections 1024; + } + + http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + + # Suppress logging for known health checks + map $http_user_agent $loggable { + default 1; + "ELB-HealthChecker/2.0" 0; + ~^Uptime-Kuma 0; + ~^kube-probe 0; + ~GoogleStackdriverMonitoring 0; + } + + access_log /var/log/nginx/access.log main if=$loggable; + + sendfile on; + tcp_nopush on; + keepalive_timeout 65; + types_hash_max_size 4096; + + # increase max from default 1m + client_max_body_size 200m; + + + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; + + server { + + listen 8080; + server_name localhost; + proxy_read_timeout 400; + proxy_send_timeout 400; + proxy_connect_timeout 400; + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + } + } \ No newline at end of file diff --git a/helm/gen3/templates/tests/service-account.yaml b/helm/gen3/templates/tests/service-account.yaml deleted file mode 100644 index 95b67cfdf..000000000 --- a/helm/gen3/templates/tests/service-account.yaml +++ /dev/null 
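Review bot: The `map $http_user_agent $loggable` block suppresses access logging based solely on a client-supplied header, so any request presenting one of the listed User-Agent strings is omitted from the access log, which weakens the audit trail and incident-response evidence for the proxied service. Scope the exclusion to the probe source as well (for example a second `map` on `$remote_addr` combined with this one), or route probe traffic to a separate low-volume log instead of discarding it. `client_max_body_size 200m` is a deliberate increase but deserves a comment naming the upload path that needs it. The file also lacks a trailing newline (`\ No newline at end of file`), and nothing in this chunk shows which workload mounts the `nginx-config` ConfigMap, so the consumer and its mount path should be confirmed.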
@@ -1,32 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kubectl-access - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kubectl-access-role - namespace: {{ .Release.Namespace }} -rules: - - apiGroups: [""] - resources: ["pods", "pods/exec", "configmaps", "deployments"] - verbs: ["get", "list", "create"] - - apiGroups: ["batch"] - resources: ["cronjobs", "jobs"] - verbs: ["get", "list", "create", "delete", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kubectl-access-binding - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubectl-access-role -subjects: - - kind: ServiceAccount - name: kubectl-access - namespace: {{ .Release.Namespace }} diff --git a/helm/guppy/Chart.yaml b/helm/guppy/Chart.yaml index 00a4346c2..3dd680dc0 100644 --- a/helm/guppy/Chart.yaml +++ b/helm/guppy/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.25 +version: 0.1.26 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/guppy/README.md b/helm/guppy/README.md index cde485207..76620b50d 100644 --- a/helm/guppy/README.md +++ b/helm/guppy/README.md 
@@ -1,6 +1,6 @@ # guppy -![Version: 0.1.25](https://img.shields.io/badge/Version-0.1.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.26](https://img.shields.io/badge/Version-0.1.26-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Guppy Service @@ -73,6 +73,7 @@ A Helm chart for gen3 Guppy Service | indices | list | `[{"index":"dev_case","type":"case"},{"index":"dev_file","type":"file"}]` | Elasticsearch index configurations | | metricsEnabled | bool | `nil` | Whether Metrics are enabled. | | partOf | string | `"Explorer-Tab"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. | +| podSecurityContext | map | `{}` | Security context for the pod | | release | string | `"production"` | Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". | | replicaCount | int | `1` | Number of replicas for the deployment. | | resources | map | `{"limits":{"memory":"2Gi"},"requests":{"memory":"500Mi"}}` | Resource requests and limits for the containers in the pod | 
@@ -84,8 +85,9 @@ A Helm chart for gen3 Guppy Service | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information to access the db restore job S3 bucket. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}],"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}],"targetPort":8000,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":8000}]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy | diff --git a/helm/guppy/templates/deployment.yaml b/helm/guppy/templates/deployment.yaml index a80ae0fb4..f6ba7ef18 100644 --- a/helm/guppy/templates/deployment.yaml +++ b/helm/guppy/templates/deployment.yaml @@ -43,6 +43,8 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.volumes}} volumes: {{- toYaml . | nindent 8}} 
@@ -50,10 +52,12 @@ spec: containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} livenessProbe: httpGet: path: /_status - port: 8000 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 @@ -61,9 +65,10 @@ spec: readinessProbe: httpGet: path: /_status - port: 8000 + port: http ports: - - containerPort: 8000 + - containerPort: {{ .Values.service.targetPort }} + name: http env: - name: GUPPY_PORT value: "8000" diff --git a/helm/guppy/values.yaml b/helm/guppy/values.yaml index 505e38218..746c2002b 100644 --- a/helm/guppy/values.yaml +++ b/helm/guppy/values.yaml @@ -174,6 +174,7 @@ resources: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 8000 # -- (int) The port number that the service exposes. port: - protocol: TCP @@ -211,3 +212,18 @@ partOf: "Explorer-Tab" selectorLabels: # -- (map) Will completely override the commonLabels defined in the common chart's _label_setup.tpl commonLabels: + + +# -- (map) Security context for the pod +podSecurityContext: {} + +# -- (map) Security context for the containers in the pod +securityContext: + {} + + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 diff --git a/helm/hatchery/Chart.yaml b/helm/hatchery/Chart.yaml index 71b6f38de..ef63577b7 100644 --- a/helm/hatchery/Chart.yaml +++ b/helm/hatchery/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.52 +version: 0.1.53 # This is the version number of the application being deployed. This version number should be 
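Review bot: `containerPort` in the second guppy deployment hunk now follows `.Values.service.targetPort`, but the `GUPPY_PORT` env directly below it is still the literal `"8000"`, so an override of `service.targetPort` moves the declared port and both `http` probes while the process keeps listening on 8000. Deriving the env from the same value, `value: {{ .Values.service.targetPort | quote }}`, keeps them in step. The values.yaml hunk that follows adds a top-level `service.targetPort: 8000` while the `service.port` list entry (visible in the README hunk above) still carries its own `targetPort: 8000`, leaving two places that must agree; metadata's values.yaml hunk has the same duplication. Neither new key carries the `# -- (int)` helm-docs comment its neighbours use.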
diff --git a/helm/hatchery/README.md b/helm/hatchery/README.md index 97695daac..6a156902b 100644 --- a/helm/hatchery/README.md +++ b/helm/hatchery/README.md @@ -1,6 +1,6 @@ # hatchery -![Version: 0.1.52](https://img.shields.io/badge/Version-0.1.52-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.53](https://img.shields.io/badge/Version-0.1.53-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Hatchery @@ -107,7 +107,7 @@ A Helm chart for gen3 Hatchery | resources.requests | map | `{"memory":"12Mi"}` | The amount of resources that the container requests | | resources.requests.memory | string | `"12Mi"` | The amount of memory requested | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":8000,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":"hatchery-sa"}` | Service account to use or create. | diff --git a/helm/hatchery/templates/deployment.yaml b/helm/hatchery/templates/deployment.yaml index 85f67c2af..100e9b293 100644 --- a/helm/hatchery/templates/deployment.yaml +++ b/helm/hatchery/templates/deployment.yaml 
@@ -53,7 +53,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http - containerPort: 8000 + containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: diff --git a/helm/hatchery/values.yaml b/helm/hatchery/values.yaml index 6f08d6ab4..d62d049e5 100644 --- a/helm/hatchery/values.yaml +++ b/helm/hatchery/values.yaml @@ -138,6 +138,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 8000 # -- (map) Resource requests and limits for the containers in the pod resources: diff --git a/helm/indexd/Chart.yaml b/helm/indexd/Chart.yaml index aee6db3ca..46c78c539 100644 --- a/helm/indexd/Chart.yaml +++ b/helm/indexd/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.33 +version: 0.1.34 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/indexd/README.md b/helm/indexd/README.md index 7b023109b..ea318a9e3 100644 --- a/helm/indexd/README.md +++ b/helm/indexd/README.md 
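Review bot: The `targetPort: 8000` added to hatchery's values.yaml has no `# --` helm-docs comment, unlike `port` just above it, so it only appears in the README as part of the `service` map; the indexd, manifestservice and peregrine values.yaml hunks further down have the same omission. Suggest `# -- (int) Port the container listens on; the Service's targetPort must match.` above each. The hatchery Service template is not part of this diff, so if it still names the target port by number rather than by the `http` port name, overriding `service.targetPort` would move the container port without moving the Service — the same check applies to indexd and peregrine, whose Service templates are also absent here.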
@@ -1,6 +1,6 @@ # indexd -![Version: 0.1.33](https://img.shields.io/badge/Version-0.1.33-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.34](https://img.shields.io/badge/Version-0.1.34-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 indexd @@ -97,7 +97,7 @@ A Helm chart for gen3 indexd | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID to access the db restore job S3 bucket. Overrides global key. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":false,"name":""}` | Service account to use or create. | diff --git a/helm/indexd/templates/deployment.yaml b/helm/indexd/templates/deployment.yaml index 968ce9b55..7789daa5e 100644 --- a/helm/indexd/templates/deployment.yaml +++ b/helm/indexd/templates/deployment.yaml @@ -92,7 +92,7 @@ spec: {{- end }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: 
diff --git a/helm/indexd/templates/pre-install.yaml b/helm/indexd/templates/pre-install.yaml index 8e18baf1c..bbbb7dae6 100644 --- a/helm/indexd/templates/pre-install.yaml +++ b/helm/indexd/templates/pre-install.yaml @@ -15,6 +15,8 @@ spec: app: gen3job spec: automountServiceAccountToken: false + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} diff --git a/helm/indexd/values.yaml b/helm/indexd/values.yaml index fab646876..79766cce5 100644 --- a/helm/indexd/values.yaml +++ b/helm/indexd/values.yaml @@ -213,6 +213,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 80 # -- (map) Resource requests and limits for the containers in the pod resources: diff --git a/helm/manifestservice/Chart.yaml b/helm/manifestservice/Chart.yaml index 901139629..392601b03 100644 --- a/helm/manifestservice/Chart.yaml +++ b/helm/manifestservice/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.32 +version: 0.1.33 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/manifestservice/README.md b/helm/manifestservice/README.md index aa03515f9..35b3cc665 100644 --- a/helm/manifestservice/README.md +++ b/helm/manifestservice/README.md 
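Review bot: The indexd pre-install Job renders `.Values.podSecurityContext`, but nothing in this diff declares that key for the indexd chart: the indexd values.yaml hunk below adds only `targetPort`, and the indexd README hunk above gains no `podSecurityContext` row, unlike guppy and manifestservice. Unless the key already exists outside this diff, `toYaml` of the missing value renders `securityContext: null`, which the API server accepts but which enforces nothing, and the indexd Deployment hunk above does not render it at all, so the Job and the Deployment would diverge. The metadata deployment.yaml hunk further down has the same gap (its values.yaml and README hunks add no `podSecurityContext`), as does the portal deployment hunk, whose values.yaml does not appear in this part of the diff. Adding `podSecurityContext: {}` with a `# -- (map)` comment to each values file would make the charts consistent.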
@@ -1,6 +1,6 @@ # manifestservice -![Version: 0.1.32](https://img.shields.io/badge/Version-0.1.32-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.33](https://img.shields.io/badge/Version-0.1.33-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for Kubernetes @@ -67,6 +67,7 @@ A Helm chart for Kubernetes | manifestserviceG3auto.prefix | string | `"test"` | Directory name to use within the s3 bucket. | | metricsEnabled | bool | `nil` | Whether Metrics are enabled. | | partOf | string | `"Workspace-tab"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. | +| podSecurityContext | map | `{}` | Security context for the pod | | release | string | `"production"` | Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". | | replicaCount | int | `1` | Number of replicas for the deployment. | | resources | map | `{"limits":{"memory":"512Mi"},"requests":{"memory":"12Mi"}}` | Resource requests and limits for the containers in the pod | 
@@ -78,8 +79,9 @@ A Helm chart for Kubernetes | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Secret information for External Secrets. | | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | +| securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | diff --git a/helm/manifestservice/templates/deployment.yaml b/helm/manifestservice/templates/deployment.yaml index 9c0b0faf3..129d02b80 100644 --- a/helm/manifestservice/templates/deployment.yaml +++ b/helm/manifestservice/templates/deployment.yaml @@ -37,6 +37,8 @@ spec: {{- end }} spec: serviceAccountName: {{ include "manifestservice.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -87,15 +89,16 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} + name: http livenessProbe: httpGet: path: /_status - port: 80 + port: http initialDelaySeconds: 10 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: http 
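Review bot: The manifestservice README hunk above documents a new container-level `securityContext` value, but neither deployment hunk renders `.Values.securityContext`: only the pod-level `podSecurityContext` is wired into `spec.securityContext`. Unless the container already has a `securityContext:` line outside these hunks, the new value is documented but never applied. Guppy and portal add `securityContext:` followed by `{{- toYaml .Values.securityContext | nindent 12 }}` under the container's `image:` line; manifestservice should do the same.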
diff --git a/helm/manifestservice/templates/service.yaml b/helm/manifestservice/templates/service.yaml index 173ba48c2..41e3b0e28 100644 --- a/helm/manifestservice/templates/service.yaml +++ b/helm/manifestservice/templates/service.yaml @@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: 80 + targetPort: http protocol: TCP name: http selector: diff --git a/helm/manifestservice/values.yaml b/helm/manifestservice/values.yaml index 981fe70d6..f24f49be3 100644 --- a/helm/manifestservice/values.yaml +++ b/helm/manifestservice/values.yaml @@ -99,6 +99,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 80 # -- (map) Service account to use or create. serviceAccount: @@ -200,3 +201,19 @@ partOf: "Workspace-tab" selectorLabels: # -- (map) Will completely override the commonLabels defined in the common chart's _label_setup.tpl commonLabels: + + +# -- (map) Security context for the pod +podSecurityContext: + {} + # fsGroup: 2000 + +# -- (map) Security context for the containers in the pod +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 \ No newline at end of file diff --git a/helm/metadata/Chart.yaml b/helm/metadata/Chart.yaml index 55dd19282..41b4be7de 100644 --- a/helm/metadata/Chart.yaml +++ b/helm/metadata/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.30 +version: 0.1.31 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
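Review bot: The appended `podSecurityContext`/`securityContext` block leaves manifestservice's values.yaml without a trailing newline (`\ No newline at end of file`), which yamllint flags and which will show up as a spurious change on the next edit. It is also introduced with two blank lines where the file's other stanzas use one, and it places `{}` on the line after the key while guppy's values.yaml writes `podSecurityContext: {}` inline — pick one form. The commented hints could additionally list `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}`, since those are what a user enabling `runAsNonRoot` and `readOnlyRootFilesystem` will typically also need for a restricted pod security profile.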
diff --git a/helm/metadata/README.md b/helm/metadata/README.md index c631cddbc..7da7f2737 100644 --- a/helm/metadata/README.md +++ b/helm/metadata/README.md @@ -1,6 +1,6 @@ # metadata -![Version: 0.1.30](https://img.shields.io/badge/Version-0.1.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.31](https://img.shields.io/badge/Version-0.1.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Metadata Service 
@@ -79,10 +79,10 @@ A Helm chart for gen3 Metadata Service | global.publicDataSets | bool | `true` | Whether public datasets are enabled. | | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | -| image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/metadata-service","tag":"feat_es-7"}` | Docker image information. | +| image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/metadata-service","tag":"master"}` | Docker image information. | | image.pullPolicy | string | `"Always"` | Docker pull policy. | | image.repository | string | `"quay.io/cdis/metadata-service"` | Docker repository. | -| image.tag | string | `"feat_es-7"` | Overrides the image tag whose default is the chart appVersion. | +| image.tag | string | `"master"` | Overrides the image tag whose default is the chart appVersion. | | initContainerName | string | `"metadata-db-migrate"` | Name of the init container. | | initResources | map | `{"requests":{"memory":"100Mi"}}` | Resource limits for the init container. | | initResources.requests | map | `{"memory":"100Mi"}` | The maximum amount of resources that the container is allowed to use | 
@@ -112,7 +112,7 @@ A Helm chart for gen3 Metadata Service | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. | | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAnnotations."getambassador.io/config" | string | `"---\napiVersion: ambassador/v1\nambassador_id: \"gen3\"\nkind: Mapping\nname: metadata_mapping\nprefix: /index/\nservice: http://metadata-service:80\n"` | | diff --git a/helm/metadata/templates/deployment.yaml b/helm/metadata/templates/deployment.yaml index d0706daae..8bc95ee1f 100644 --- a/helm/metadata/templates/deployment.yaml +++ b/helm/metadata/templates/deployment.yaml @@ -43,6 +43,8 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: - name: config-volume-g3auto secret: 
@@ -103,16 +105,17 @@ spec: livenessProbe: httpGet: path: /_status - port: 80 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 80 + port: http ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} + name: http {{- with .Values.volumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} diff --git a/helm/metadata/templates/secrets.yaml b/helm/metadata/templates/secrets.yaml index 0bd639d73..e69de29bb 100644 --- a/helm/metadata/templates/secrets.yaml +++ b/helm/metadata/templates/secrets.yaml @@ -1,16 +0,0 @@ -{{- if or (not .Values.global.externalSecrets.deploy) (and .Values.global.externalSecrets.deploy .Values.externalSecrets.createK8sMetadataSecret) }} -apiVersion: v1 -kind: Secret -metadata: - name: metadata-g3auto -stringData: - {{- $randomPass := printf "%s%s" "gateway:" (randAlphaNum 32) }} - base64Authz.txt: {{ $randomPass | quote | b64enc }} - metadata.env: | - DEBUG={{ .Values.debug}} - DB_HOST={{ .Values.postgres.host }} - DB_USER={{ .Values.postgres.user }} - DB_PASSWORD={{ include "metadata.postgres.password" . }} - DB_DATABASE={{ .Values.postgres.dbname }} - ADMIN_LOGINS={{ $randomPass }} -{{- end }} \ No newline at end of file diff --git a/helm/metadata/values.yaml b/helm/metadata/values.yaml index 3db3bae4e..b00cbb33a 100644 --- a/helm/metadata/values.yaml +++ b/helm/metadata/values.yaml @@ -169,7 +169,7 @@ image: # -- (string) Docker pull policy. pullPolicy: Always # -- (string) Overrides the image tag whose default is the chart appVersion. - tag: "feat_es-7" + tag: "master" debug: false @@ -323,6 +323,7 @@ serviceAnnotations: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 80 # -- (int) The port number that the service exposes. port: - protocol: TCP diff --git a/helm/ohif-viewer/Chart.yaml b/helm/ohif-viewer/Chart.yaml index 6ea132776..d3f04be86 100644 
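Review bot: Changing metadata's image tag from `"feat_es-7"` to `"master"` is unrelated to the commit's stated subject and, with `pullPolicy: Always` visible as context, means each pod restart may pull a different build; a release tag or digest would keep deployments reproducible, and the change should at least be called out in the commit message. The same file set also empties `helm/metadata/templates/secrets.yaml`, the template that produced the `metadata-g3auto` Secret with `DB_PASSWORD` and a generated `ADMIN_LOGINS`, leaving a zero-byte template behind with no explanation. If that Secret is now created elsewhere, the message should say so and the empty file should be deleted; if it is not, whatever in the metadata chart references `metadata-g3auto` is presumably left pointing at a Secret that no longer exists.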
--- a/helm/ohif-viewer/Chart.yaml +++ b/helm/ohif-viewer/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.1.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/ohif-viewer/README.md b/helm/ohif-viewer/README.md index 85e308582..610e68f0a 100644 --- a/helm/ohif-viewer/README.md +++ b/helm/ohif-viewer/README.md @@ -1,6 +1,6 @@ # ohif-viewer -![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Ohif Viewer diff --git a/helm/ohif-viewer/templates/deployment.yaml b/helm/ohif-viewer/templates/deployment.yaml index 5b1452fde..73b119977 100644 --- a/helm/ohif-viewer/templates/deployment.yaml +++ b/helm/ohif-viewer/templates/deployment.yaml 
@@ -47,19 +47,20 @@ spec: readinessProbe: httpGet: path: / - port: 8080 + port: http initialDelaySeconds: 5 periodSeconds: 20 timeoutSeconds: 30 livenessProbe: httpGet: path: / - port: 8080 + port: http initialDelaySeconds: 5 periodSeconds: 60 timeoutSeconds: 30 ports: - - containerPort: 8080 + - containerPort: {{ .Values.service.targetPort }} + name: http env: - name: PORT value: "8080" diff --git a/helm/orthanc/Chart.yaml b/helm/orthanc/Chart.yaml index ec4f4ac2b..46be7e3d2 100644 --- a/helm/orthanc/Chart.yaml +++ b/helm/orthanc/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.4 +version: 0.1.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/orthanc/README.md b/helm/orthanc/README.md index c850f3afb..cf0472b5c 100644 --- a/helm/orthanc/README.md +++ b/helm/orthanc/README.md @@ -1,6 +1,6 @@ # orthanc -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Dicom Server diff --git a/helm/orthanc/templates/deployment.yaml b/helm/orthanc/templates/deployment.yaml index 492706a2d..f70575a97 100644 
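Review bot: `containerPort` now reads `.Values.service.targetPort`, but no ohif-viewer values.yaml change appears in this diff, so unless that key already exists the port renders empty and the API server rejects the pod (`containerPort` is required); the orthanc deployment hunk below has the same dependency, again with no orthanc values.yaml hunk in sight. The `PORT` env directly below is also still the literal `"8080"`, so even with the value defined, overriding it moves the declared port and both `http` probes away from where the server listens. `value: {{ .Values.service.targetPort | quote }}` keeps them together.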
--- a/helm/orthanc/templates/deployment.yaml +++ b/helm/orthanc/templates/deployment.yaml @@ -67,7 +67,8 @@ spec: periodSeconds: 60 timeoutSeconds: 30 ports: - - containerPort: 8042 + - containerPort: {{ .Values.service.targetPort }} + name: http env: - name: PGHOST valueFrom: diff --git a/helm/peregrine/Chart.yaml b/helm/peregrine/Chart.yaml index 26d6a504c..a6a8a8797 100644 --- a/helm/peregrine/Chart.yaml +++ b/helm/peregrine/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.31 +version: 0.1.32 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/peregrine/README.md b/helm/peregrine/README.md index 742375e3b..64d8d8319 100644 --- a/helm/peregrine/README.md +++ b/helm/peregrine/README.md @@ -1,6 +1,6 @@ # peregrine -![Version: 0.1.31](https://img.shields.io/badge/Version-0.1.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.32](https://img.shields.io/badge/Version-0.1.32-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Peregrine service 
@@ -92,7 +92,7 @@ A Helm chart for gen3 Peregrine service | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | diff --git a/helm/peregrine/templates/deployment.yaml b/helm/peregrine/templates/deployment.yaml index 512a93eb9..dfae900d5 100644 --- a/helm/peregrine/templates/deployment.yaml +++ b/helm/peregrine/templates/deployment.yaml @@ -159,7 +159,7 @@ spec: {{- end }} ports: - name: http - containerPort: 80 + containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: diff --git a/helm/peregrine/values.yaml b/helm/peregrine/values.yaml index bd1a155dd..8aa604c57 100644 --- a/helm/peregrine/values.yaml +++ b/helm/peregrine/values.yaml @@ -173,6 +173,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 80 # -- (map) Configuration for network policies created by this chart. Only relevant if "global.netPolicy.enabled" is set to true netPolicy: diff --git a/helm/portal/Chart.yaml b/helm/portal/Chart.yaml index a19d55762..5d3b54f2a 100644 --- a/helm/portal/Chart.yaml +++ b/helm/portal/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.45 +version: 0.1.46 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/portal/README.md b/helm/portal/README.md index e41465d81..a435dcf10 100644 --- a/helm/portal/README.md +++ b/helm/portal/README.md @@ -1,6 +1,6 @@ # portal -![Version: 0.1.45](https://img.shields.io/badge/Version-0.1.45-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.46](https://img.shields.io/badge/Version-0.1.46-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 data-portal 
@@ -96,7 +96,7 @@ A Helm chart for gen3 data-portal | revisionHistoryLimit | int | `2` | Number of old revisions to retain | | securityContext | map | `{}` | Security context to apply to the container | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | diff --git a/helm/portal/templates/deployment.yaml b/helm/portal/templates/deployment.yaml index 9b26eed7e..a21add5f4 100644 --- a/helm/portal/templates/deployment.yaml +++ b/helm/portal/templates/deployment.yaml @@ -39,6 +39,8 @@ spec: {{- include "common.extraLabels" . | nindent 8 }} spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -64,6 +66,9 @@ spec: name: "privacy-policy" optional: true {{- end }} + - name: nginx-config + configMap: + name: portal-nginx - name: extra-images-config configMap: name: portal-extra-images @@ -130,6 +135,8 @@ spec: containers: - name: portal image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} imagePullPolicy: {{ .Values.image.pullPolicy }} # livenessProbe: # httpGet: 
@@ -146,14 +153,15 @@ spec: {{- else }} path: / {{- end }} - port: 80 + port: http initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 30 resources: {{- toYaml .Values.resources | nindent 12 }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} + name: http - containerPort: 443 # command: # - /bin/bash @@ -260,6 +268,12 @@ spec: - name: "config-volume" mountPath: "/data-portal/data/config/gitops.json" subPath: "gitops.json" + - name: "nginx-config" + mountPath: "/etc/nginx/conf.d/nginx.conf" + subPath: "nginx.conf" + - name: "nginx-config" + mountPath: "/etc/nginx/nginx.conf" + subPath: "main" - name: "config-volume" mountPath: "/data-portal/custom/logo/gitops-logo.png" subPath: "gitops-logo.png" diff --git a/helm/portal/templates/job.yaml b/helm/portal/templates/job.yaml index bd78d8005..2af65deb9 100644 --- a/helm/portal/templates/job.yaml +++ b/helm/portal/templates/job.yaml @@ -102,14 +102,15 @@ spec: {{- else }} path: / {{- end }} - port: 80 + port: http initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 30 resources: {{- toYaml .Values.resources | nindent 12 }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} + name: http - containerPort: 443 command: - /bin/bash diff --git a/helm/portal/templates/nginx-conf.yaml b/helm/portal/templates/nginx-conf.yaml new file mode 100644 index 000000000..143272c5b --- /dev/null +++ b/helm/portal/templates/nginx-conf.yaml 
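Review bot: Both probes and the named `http` port now resolve to `.Values.service.targetPort`, which the portal README hunk above still documents as `80`, yet the nginx configuration this commit mounts over `/etc/nginx/nginx.conf` listens on 8000 and the `conf.d/nginx.conf` it includes on 8080 `default_server`; unless portal's values.yaml, which does not appear in this part of the diff, also moves `targetPort`, nothing listens on 80 and the probes fail. Overlaying both `main` and `nginx.conf` from the `portal-nginx` ConfigMap onto whatever the image ships is a behavioural change that deserves a sentence in the commit message. The job.yaml hunk that follows inherits the same port dependency, and its enclosing container block starts outside the hunk.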
@@ -0,0 +1,180 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: portal-nginx
+data:
+ main: |
+ # For more information on configuration, see:
+ # * Official English Documentation: http://nginx.org/en/docs/
+ # * Official Russian Documentation: http://nginx.org/ru/docs/
+
+ user nginx;
+ worker_processes auto;
+ error_log /var/log/nginx/error.log notice;
+ pid /run/nginx.pid;
+
+ # Load dynamic modules. See /usr/share/nginx/README.dynamic.
+ include /usr/share/nginx/modules/*.conf;
+
+ events {
+ worker_connections 1024;
+ }
+
+ http {
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 8000;
+ listen [::]:8000;
+ server_name _;
+ root /usr/share/nginx/html;
+
+ # Load configuration files for the default server block.
+ include /etc/nginx/default.d/*.conf;
+
+ error_page 404 /404.html;
+ location = /404.html {
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ }
+ }
+
+ # Settings for a TLS enabled server.
+ #
+ # server {
+ # listen 443 ssl;
+ # listen [::]:443 ssl;
+ # http2 on;
+ # server_name _;
+ # root /usr/share/nginx/html;
+ #
+ # ssl_certificate "/etc/pki/nginx/server.crt";
+ # ssl_certificate_key "/etc/pki/nginx/private/server.key";
+ # ssl_session_cache shared:SSL:1m;
+ # ssl_session_timeout 10m;
+ # ssl_ciphers PROFILE=SYSTEM;
+ # ssl_prefer_server_ciphers on;
+ #
+ # # Load configuration files for the default server block.
+ # include /etc/nginx/default.d/*.conf;
+ #
+ # error_page 404 /404.html;
+ # location = /404.html {
+ # }
+ #
+ # error_page 500 502 503 504 /50x.html;
+ # location = /50x.html {
+ # }
+ # }
+ }
+ nginx.conf: |
+ ##
+ # Note that this file actually winds up at
+ # /etc/nginx/conf.d/nginx.conf
+ # , and is loaded by /etc/nginx/nginx.conf in an http{} block
+ ##
+
+ ##
+ # Logging Settings
+ # The http_x_* headers are set by the gen3 reverse proxy:
+ # kube/services/revproxy/
+ ##
+ log_format json '{"gen3log": "nginx", '
+ '"date_access": "$time_iso8601", '
+ '"user_id": "$http_x_userid", '
+ '"request_id": "$http_x_reqid", '
+ '"session_id": "$http_x_sessionid", '
+ '"visitor_id": "$http_x_visitorid", '
+ '"network_client_ip": "$http_x_forwarded_for", '
+ '"network_bytes_write": $body_bytes_sent, '
+ '"http_response_time": "$request_time", '
+ '"http_status_code": $status, '
+ '"http_request": "$request_uri", '
+ '"http_verb": "$request_method", '
+ '"http_referer": "$http_referer", '
+ '"http_useragent": "$http_user_agent", '
+ '"message": "$request"}';
+
+ log_format aws '$http_x_forwarded_for - $http_x_userid [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /dev/stdout json;
+
+ server {
+ listen 8080 default_server;
+ ssl_certificate /mnt/ssl/nginx.crt;
+ ssl_certificate_key /mnt/ssl/nginx.key;
+ server_tokens off;
+
+ root /data-portal;
+ index index.html index.htm;
+
+ # dev.html signals dev mode - for developer testing
+ rewrite ^(\/\w+)?\/dev.html.+$ $1/dev.html;
+
+ # Block all access to things like .git or .htaccess
+ location ~ /\.
{ + deny all; + } + + # Block all access to package and config files + # Note if WAF is deployed this should already be handled by WAF + location ~ package.json$ { + deny all; + } + location ~ package-lock.json$ { + deny all; + } + location ^~ /npm-debug.log { + deny all; + } + location ^~ /tsconfig.json { + deny all; + } + location ^~ /webpack.config.js { + deny all; + } + location ^~ /yarn.lock { + deny all; + } + location ^~ /nginx.conf { + deny all; + } + + location ~* \.(?:manifest|appcache|html?|xml|json)$ { + expires -1; + # access_log logs/static.log; # I don't usually include a static log + } + + location ~* \.(?:css|js)$ { + try_files $uri =404; + expires 1y; + access_log off; + add_header Cache-Control "public"; + } + + # Any route that doesn't have a file extension (e.g. /devices) + location / { + try_files $uri /index.html; + } + } \ No newline at end of file diff --git a/helm/portal/templates/service.yaml b/helm/portal/templates/service.yaml index 971503f49..182b26638 100644 --- a/helm/portal/templates/service.yaml +++ b/helm/portal/templates/service.yaml @@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: 80 + targetPort: http protocol: TCP name: http selector: diff --git a/helm/portal/values.yaml b/helm/portal/values.yaml index 575ae2080..796870808 100644 --- a/helm/portal/values.yaml +++ b/helm/portal/values.yaml @@ -144,6 +144,7 @@ service: type: ClusterIP # -- (int) The port number that the service exposes. port: 80 + targetPort: 80 # -- (map) Node selector to apply to the pod nodeSelector: {} diff --git a/helm/requestor/Chart.yaml b/helm/requestor/Chart.yaml index 2bd172287..83346cf21 100644 --- a/helm/requestor/Chart.yaml +++ b/helm/requestor/Chart.yaml 
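Review bot: The bundled config listens on 8080 (the `nginx.conf` server block) and 8000 (the `main` default server), but the portal `values.yaml` in this same patch defaults `service.targetPort` to 80, so the container port, the Service and the `http` probes all point at a port nothing listens on unless every install overrides `targetPort: 8080` (or the image ships another conf.d file still bound to 80) — default `service.targetPort` to 8080 and drive the `listen` line from it. The `main` section still writes `/var/log/nginx/error.log`, `/var/log/nginx/access.log` and `/run/nginx.pid` and keeps nginx's stock temp directories, so a non-root or read-only-root container — the stated purpose of the new `securityContext` values — will fail to start unless those paths are writable; the revproxy chart in this patch already moves temp paths to `/tmp` and mounts an emptyDir for `/var/log/nginx`, and the same belongs here. The `listen 8000` default server exposing `/usr/share/nginx/html` is a stray listener serving the image's stock pages with none of the deny rules applied, and `ssl_certificate`/`ssl_certificate_key` on a plain (non-`ssl`) `listen 8080` are inert yet still reference `/mnt/ssl/*`, so either add the `ssl` flag plus a mount or remove them. The excerpt below rewrites the `main` stanza for a non-root runtime and ties the server's listen port to the chart value; everything else in the ConfigMap is unchanged.

```yaml
  main: |
    # … unchanged: user, worker_processes …
    error_log /dev/stderr notice;
    pid /tmp/nginx.pid;
    # … unchanged: modules include, events {} …
    http {
      # … unchanged: log_format main, sendfile/tcp_nopush/keepalive, mime.types …
      # access_log is configured once, in conf.d/nginx.conf (json to stdout)

      # Writable scratch paths for a non-root / read-only-root container;
      # mount an emptyDir at /tmp next to this ConfigMap.
      client_body_temp_path /tmp/client_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;

      include /etc/nginx/conf.d/*.conf;
      # The stock `listen 8000` server block and the commented TLS example are
      # dropped: the only server block is the one in conf.d/nginx.conf.
    }
  nginx.conf: |
    # … unchanged: log_format json / aws, access_log /dev/stdout json …
    server {
      # Bind the port the chart's Service and probes target; default it to 8080
      # in values.yaml so a non-root nginx can bind without CAP_NET_BIND_SERVICE.
      listen {{ .Values.service.targetPort }} default_server;
      server_tokens off;
      # … unchanged: root, index, rewrite, deny rules, location blocks …
```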
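Review bot: `targetPort: 80` is added to the portal `service:` mapping without a `# --` helm-docs comment, so the regenerated README for this chart gets no `service.targetPort` row (the table near the top of this patch lists only `service.port` and `service.type`). Add `# -- (int) Port the portal container listens on; the Service and probes target it (must match the listen port in the chart's nginx ConfigMap).` directly above the key. The `service:` mapping it joins starts before the hunk.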
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.24 +version: 0.1.25 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/requestor/README.md b/helm/requestor/README.md index ea206d03a..e20b4c33b 100644 --- a/helm/requestor/README.md +++ b/helm/requestor/README.md @@ -1,6 +1,6 @@ # requestor -![Version: 0.1.24](https://img.shields.io/badge/Version-0.1.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.25](https://img.shields.io/badge/Version-0.1.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Requestor Service 
@@ -104,7 +104,7 @@ A Helm chart for gen3 Requestor Service
 | secrets.awsAccessKeyId | str | `nil` | AWS access key ID. Overrides global key. |
 | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. |
 | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl |
-| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"type":"ClusterIP"}` | Kubernetes service information. |
+| service | map | `{"port":[{"name":"http","port":80,"protocol":"TCP","targetPort":80}],"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. |
 | service.port | int | `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]` | The port number that the service exposes. |
 | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". |
 | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy |
diff --git a/helm/requestor/templates/deployment.yaml b/helm/requestor/templates/deployment.yaml
index 18e9d0b02..8f079cda8 100644
--- a/helm/requestor/templates/deployment.yaml
+++ b/helm/requestor/templates/deployment.yaml
@@ -93,16 +93,17 @@ spec:
 livenessProbe:
 httpGet:
 path: /_status
- port: 80
+ port: http
 initialDelaySeconds: 30
 periodSeconds: 60
 timeoutSeconds: 30
 readinessProbe:
 httpGet:
 path: /_status
- port: 80
+ port: http
 ports:
- - containerPort: 80
+ - containerPort: {{ .Values.service.targetPort }}
+ name: http
 {{- with .Values.volumeMounts }}
 volumeMounts:
 {{- toYaml . | nindent 10 }}
diff --git a/helm/requestor/values.yaml b/helm/requestor/values.yaml
index 7b196c724..2187029c8 100644
--- a/helm/requestor/values.yaml
+++ b/helm/requestor/values.yaml
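Review bot: `containerPort: {{ .Values.service.targetPort }}` is fed from the new `service.targetPort` value, but the requestor Service template is not touched in this patch and its ports are still driven by the `service.port` list, whose entries carry their own `targetPort: 80` (the README row above shows `[{"name":"http","port":80,"protocol":"TCP","targetPort":80}]`); overriding `service.targetPort` therefore moves the container port and both probes while the Service keeps sending traffic to 80. Either make the Service template emit `targetPort: http` now that the container port is named, or drop the duplicate top-level key and keep the list entry's `targetPort` as the single source of truth. The `containers:` entry this hunk sits in starts before the hunk.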
@@ -230,6 +230,7 @@ args: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 80 # -- (int) The port number that the service exposes. port: - protocol: TCP diff --git a/helm/revproxy/Chart.yaml b/helm/revproxy/Chart.yaml index 43f6cc588..baf4fe07b 100644 --- a/helm/revproxy/Chart.yaml +++ b/helm/revproxy/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.43 +version: 0.1.44 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/revproxy/README.md b/helm/revproxy/README.md index 8d8279a1a..660b0686c 100644 --- a/helm/revproxy/README.md +++ b/helm/revproxy/README.md @@ -1,6 +1,6 @@ # revproxy -![Version: 0.1.43](https://img.shields.io/badge/Version-0.1.43-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.44](https://img.shields.io/badge/Version-0.1.44-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 revproxy 
@@ -73,6 +73,8 @@ A Helm chart for gen3 revproxy | netPolicy | map | `{"egressApps":["portal","sowerjob"],"ingressApps":["portal","sowerjob"]}` | Configuration for network policies created by this chart. Only relevant if "global.netPolicy.enabled" is set to true | | netPolicy.egressApps | array | `["portal","sowerjob"]` | List of apps that this app requires egress to | | netPolicy.ingressApps | array | `["portal","sowerjob"]` | List of app labels that require ingress to this service | +| nginx.resolver | string | `"kube-dns.kube-system.svc.cluster.local"` | | +| nginx.user | string | `"nginx"` | | | nodeSelector | map | `{}` | Node selector labels. | | partOf | string | `"Front-End"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. | | podAnnotations | map | `{}` | Annotations to add to the pod. | @@ -95,7 +97,7 @@ A Helm chart for gen3 revproxy | revproxyElb | map | `{"gen3SecretsFolder":"Gen3Secrets","sslCert":"","targetPortHTTP":80,"targetPortHTTPS":443}` | Configuration for depricated revproxy service ELB. | | securityContext | map | `{}` | Container-level security context. | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"NodePort"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":80,"type":"NodePort"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"NodePort"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":""}` | Service account to use or create. | diff --git a/helm/revproxy/nginx/nginx.conf b/helm/revproxy/nginx/nginx.conf index c38743d93..61a798cd7 100644 --- a/helm/revproxy/nginx/nginx.conf +++ b/helm/revproxy/nginx/nginx.conf 
@@ -1,4 +1,4 @@ -user nginx; +user {{ .Values.nginx.user }}; worker_processes 4; pid /var/run/nginx.pid; @@ -38,6 +38,13 @@ http { port_in_redirect off; server_tokens off; + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + # For websockets map $http_upgrade $connection_upgrade { default upgrade; @@ -214,7 +221,7 @@ map $http_user_agent $loggable { # see https://www.nginx.com/blog/dns-service-discovery-nginx-plus/ # https://distinctplace.com/2017/04/19/nginx-resolver-explained/ # - resolver kube-dns.kube-system.svc.cluster.local ipv6=off; + resolver {{ .Values.nginx.resolver }} ipv6=off; set $access_token ""; set $csrf_check "ok-tokenauth"; diff --git a/helm/revproxy/templates/configMaps.yaml b/helm/revproxy/templates/configMaps.yaml index eb0d5655e..ff7b802bb 100644 --- a/helm/revproxy/templates/configMaps.yaml +++ b/helm/revproxy/templates/configMaps.yaml @@ -40,5 +40,5 @@ metadata: data: {{- range $path, $bytes := .Files.Glob "nginx/*" }} {{ ($a := split "/" $path)._1 }}: | - {{- $bytes | toString | nindent 4 }} + {{- tpl ($bytes | toString) $ | nindent 4 }} {{- end}} diff --git a/helm/revproxy/templates/deployment.yaml b/helm/revproxy/templates/deployment.yaml index e5a50b5c9..95b765b71 100644 --- a/helm/revproxy/templates/deployment.yaml +++ b/helm/revproxy/templates/deployment.yaml @@ -57,6 +57,8 @@ spec: topologyKey: "kubernetes.io/hostname" automountServiceAccountToken: false volumes: + - emptyDir: {} + name: nginx-logs - name: revproxy-conf configMap: name: revproxy-nginx-conf 
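Review bot: Relocating the `*_temp_path` directories to `/tmp` only helps if `/tmp` is writable, yet the deployment hunk in this file set adds an emptyDir for `/var/log/nginx` alone and `pid /var/run/nginx.pid;` in the first hunk is unchanged, so a container run with `readOnlyRootFilesystem: true` (or as a UID that cannot write `/var/run`) will still fail to start; pair the change with `pid /tmp/nginx.pid;` and a second emptyDir mounted at `/tmp`. Passing every `nginx/*` file through `tpl` (the configMaps.yaml hunk) also means any literal `{{` in those files now breaks rendering, and `nginx.user` / `nginx.resolver` are interpolated into directives unquoted and unvalidated, so a malformed value yields a broken config that only surfaces when nginx refuses to load it — a `required` guard or a `regexMatch` check in the template would fail at `helm install` instead. The `http {` block the temp-path lines sit in opens before the hunk.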
@@ -74,19 +76,20 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} + name: http - containerPort: 443 - containerPort: 6567 livenessProbe: httpGet: path: /_status - port: 80 + port: http initialDelaySeconds: 5 periodSeconds: 3000 readinessProbe: httpGet: path: /_status - port: 80 + port: http resources: {{- toYaml .Values.resources | nindent 12 }} env: @@ -123,6 +126,8 @@ spec: key: base64Authz.txt optional: true volumeMounts: + - mountPath: /var/log/nginx + name: nginx-logs - name: "revproxy-conf" readOnly: true mountPath: "/etc/nginx/nginx.conf" diff --git a/helm/revproxy/templates/service.yaml b/helm/revproxy/templates/service.yaml index c752de6b8..71878a5e7 100644 --- a/helm/revproxy/templates/service.yaml +++ b/helm/revproxy/templates/service.yaml @@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: 80 + targetPort: http protocol: TCP name: http selector: diff --git a/helm/revproxy/values.yaml b/helm/revproxy/values.yaml index 5434c4a42..e485ec4ab 100644 --- a/helm/revproxy/values.yaml +++ b/helm/revproxy/values.yaml @@ -154,6 +154,7 @@ securityContext: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: NodePort + targetPort: 80 # -- (int) The port number that the service exposes. port: 80 @@ -254,3 +255,7 @@ extraServices: # - name: "protein-paint" # path: /protein-paint # serviceName: protein-paint + +nginx: + user: nginx + resolver: kube-dns.kube-system.svc.cluster.local \ No newline at end of file diff --git a/helm/sheepdog/Chart.yaml b/helm/sheepdog/Chart.yaml index 3edb55d31..6a759b52a 100644 --- a/helm/sheepdog/Chart.yaml +++ b/helm/sheepdog/Chart.yaml 
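Review bot: `nginx.user`, `nginx.resolver` and `service.targetPort` are added to `values.yaml` without `# --` helm-docs comments, which is why the README hunk for this chart renders their description cells empty; add `# -- (string) User the nginx worker processes run as (only honoured when the master process runs as root)`, `# -- (string) DNS resolver nginx uses for upstream service-name lookups` and `# -- (int) Port the revproxy container listens on; the Service and probes target it` above the respective keys. The file also loses its trailing newline (`\ No newline at end of file`), which yamllint and the README generator will flag. The `service:` mapping that `targetPort` joins begins before the hunk.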
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.29 +version: 0.1.30 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/sheepdog/README.md b/helm/sheepdog/README.md index b16a9da11..45ace6fdb 100644 --- a/helm/sheepdog/README.md +++ b/helm/sheepdog/README.md @@ -1,6 +1,6 @@ # sheepdog -![Version: 0.1.29](https://img.shields.io/badge/Version-0.1.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.30](https://img.shields.io/badge/Version-0.1.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Sheepdog Service 
@@ -65,13 +65,14 @@ A Helm chart for gen3 Sheepdog Service
 | global.publicDataSets | bool | `true` | Whether public datasets are enabled. |
 | global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. |
 | global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` |
-| image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/sheepdog","tag":"bug_auth-audience"}` | Docker image information. |
+| image | map | `{"pullPolicy":"Always","repository":"quay.io/cdis/sheepdog","tag":"master"}` | Docker image information. |
 | image.pullPolicy | string | `"Always"` | Docker pull policy. |
 | image.repository | string | `"quay.io/cdis/sheepdog"` | Docker repository. |
-| image.tag | string | `"bug_auth-audience"` | Overrides the image tag whose default is the chart appVersion. |
+| image.tag | string | `"master"` | Overrides the image tag whose default is the chart appVersion. |
 | metricsEnabled | bool | `nil` | Whether Metrics are enabled. |
 | partOf | string | `"Core-Service"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. |
 | podAnnotations | map | `{"gen3.io/network-ingress":"sheepdog"}` | Annotations to add to the pod |
+| podSecurityContext | map | `{}` | Security context for the pod |
 | postgres | map | `{"database":null,"dbCreate":null,"dbRestore":false,"host":null,"password":null,"port":"5432","separate":false,"username":null}` | Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you |
 | postgres.database | string | `nil` | Database name for postgres. This is a service override, defaults to - |
 | postgres.dbCreate | bool | `nil` | Whether the database should be created. Default to global.postgres.dbCreate |
@@ -94,8 +95,9 @@ A Helm chart for gen3 Sheepdog Service
 | secrets | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null}` | Values for sheepdog secret. |
 | secrets.awsAccessKeyId | str | `nil` | AWS access key ID to access the db restore job S3 bucket. Overrides global key. |
 | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID to access the db restore job S3 bucket. Overrides global key. |
+| securityContext | map | `{}` | Security context for the containers in the pod |
 | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl |
-| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. |
+| service | map | `{"port":80,"targetPort":80,"type":"ClusterIP"}` | Kubernetes service information. |
 | service.port | int | `80` | The port number that the service exposes. |
 | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". |
 | strategy | map | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}` | Rolling update deployment strategy |
diff --git a/helm/sheepdog/templates/deployment.yaml b/helm/sheepdog/templates/deployment.yaml
index 2ec3ab2df..74d98408b 100644
--- a/helm/sheepdog/templates/deployment.yaml
+++ b/helm/sheepdog/templates/deployment.yaml
@@ -48,6 +48,8 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 volumes:
 - name: config-volume
 secret:
@@ -119,12 +121,13 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 80 + - containerPort: {{ .Values.service.targetPort }} + name: http - containerPort: 443 livenessProbe: httpGet: path: /_status?timeout=20 - port: 80 + port: http initialDelaySeconds: 30 periodSeconds: 60 timeoutSeconds: 30 @@ -132,7 +135,7 @@ spec: initialDelaySeconds: 30 httpGet: path: /_status?timeout=2 - port: 80 + port: http # command: ["/bin/bash" ] # args: # - "-c" diff --git a/helm/sheepdog/templates/service.yaml b/helm/sheepdog/templates/service.yaml index eff84f425..accebdecc 100644 --- a/helm/sheepdog/templates/service.yaml +++ b/helm/sheepdog/templates/service.yaml @@ -8,7 +8,7 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} protocol: TCP name: http selector: diff --git a/helm/sheepdog/values.yaml b/helm/sheepdog/values.yaml index 65a24e738..0e6eb9b55 100644 --- a/helm/sheepdog/values.yaml +++ b/helm/sheepdog/values.yaml @@ -173,7 +173,7 @@ image: # -- (string) Docker pull policy. pullPolicy: Always # -- (string) Overrides the image tag whose default is the chart appVersion. - tag: "bug_auth-audience" + tag: "master" # Environment Variables authNamespace: "" @@ -205,6 +205,7 @@ resources: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 80 # -- (int) The port number that the service exposes. port: 80 
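Review bot: `tag: "master"` pins the deployment to a mutable branch tag, and with `pullPolicy: Always` two lines above every pod restart may pull a different image than the one last tested; since the comment says this value only overrides the chart `appVersion`, and the chart already reports `AppVersion: master`, the cleaner change is `tag: ""` so `.Chart.AppVersion` drives the tag, with a release tag or `@sha256:` digest preferred for anything beyond a dev environment. Swapping a feature-branch tag for `master` is still an improvement over what was there. The `image:` mapping this key belongs to opens before the hunk.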
@@ -227,3 +228,19 @@ partOf: "Core-Service" selectorLabels: # -- (map) Will completely override the commonLabels defined in the common chart's _label_setup.tpl commonLabels: + + +# -- (map) Security context for the pod +podSecurityContext: + {} + # fsGroup: 2000 + +# -- (map) Security context for the containers in the pod +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 \ No newline at end of file diff --git a/helm/sower/Chart.yaml b/helm/sower/Chart.yaml index 3a0826bb8..9794929cf 100644 --- a/helm/sower/Chart.yaml +++ b/helm/sower/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.34 +version: 0.1.35 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/sower/README.md b/helm/sower/README.md index bfb84ea0c..c4ada911a 100644 --- a/helm/sower/README.md +++ b/helm/sower/README.md @@ -1,6 +1,6 @@ # sower -![Version: 0.1.34](https://img.shields.io/badge/Version-0.1.34-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.35](https://img.shields.io/badge/Version-0.1.35-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 sower 
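Review bot: The commented hardening example (`runAsNonRoot: true`, `runAsUser: 1000`, `capabilities.drop: [ALL]`) cannot simply be uncommented with the defaults in this patch, because `service.targetPort` is 80 and, by default, a process without `CAP_NET_BIND_SERVICE` cannot bind a port below 1024; if the sheepdog image can be told to listen higher, pair the example with `targetPort: 8080`, otherwise the limitation belongs in the comment. `readOnlyRootFilesystem: true` will likewise need writable emptyDirs for whatever the service writes at runtime, which is not visible here. A caveat such as `# NOTE: binding port 80 needs root or CAP_NET_BIND_SERVICE; set service.targetPort above 1024 when enabling runAsNonRoot` above the example would save the next operator a failed rollout, and the file should end with a newline (`\ No newline at end of file`).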
@@ -103,7 +103,7 @@ A Helm chart for gen3 sower | secrets.awsSecretAccessKey | str | `nil` | AWS access key ID. Overrides global key. | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":8000,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":"sower-service-account"}` | Service account to use or create. | diff --git a/helm/sower/templates/deployment.yaml b/helm/sower/templates/deployment.yaml index 5d7f6f059..e94da3071 100644 --- a/helm/sower/templates/deployment.yaml +++ b/helm/sower/templates/deployment.yaml @@ -61,19 +61,19 @@ spec: value: {{ .Values.global.hostname }} ports: - name: http - containerPort: 8000 + containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: path: /_status - port: 8000 + port: http initialDelaySeconds: 5 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 8000 + port: http resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/helm/sower/values.yaml b/helm/sower/values.yaml index 346bb5d69..d11d666ad 100644 --- a/helm/sower/values.yaml +++ b/helm/sower/values.yaml @@ -148,6 +148,7 @@ securityContext: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 8000 # -- (int) The port number that the service exposes. port: 80 
diff --git a/helm/ssjdispatcher/Chart.yaml b/helm/ssjdispatcher/Chart.yaml index 2d6a4dd77..585a09300 100644 --- a/helm/ssjdispatcher/Chart.yaml +++ b/helm/ssjdispatcher/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.31 +version: 0.1.32 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/ssjdispatcher/README.md b/helm/ssjdispatcher/README.md index 2ddd1feb7..1e4b9c8f9 100644 --- a/helm/ssjdispatcher/README.md +++ b/helm/ssjdispatcher/README.md @@ -1,6 +1,6 @@ # ssjdispatcher -![Version: 0.1.31](https://img.shields.io/badge/Version-0.1.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.32](https://img.shields.io/badge/Version-0.1.32-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 ssjdispatcher 
@@ -97,7 +97,7 @@ A Helm chart for gen3 ssjdispatcher | resources.requests.memory | string | `"128Mi"` | The amount of memory requested | | securityContext | map | `{}` | Security context for the containers in the pod | | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl | -| service | map | `{"port":80,"type":"ClusterIP"}` | Kubernetes service information. | +| service | map | `{"port":80,"targetPort":8000,"type":"ClusterIP"}` | Kubernetes service information. | | service.port | int | `80` | The port number that the service exposes. | | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". | | serviceAccount | map | `{"annotations":{},"create":true,"name":"ssjdispatcher-sa"}` | Service account to use or create. | diff --git a/helm/ssjdispatcher/templates/deployment.yaml b/helm/ssjdispatcher/templates/deployment.yaml index 85305e5f0..8baa9e64e 100644 --- a/helm/ssjdispatcher/templates/deployment.yaml +++ b/helm/ssjdispatcher/templates/deployment.yaml @@ -69,19 +69,19 @@ spec: key: job_images ports: - name: http - containerPort: 8000 + containerPort: {{ .Values.service.targetPort }} protocol: TCP livenessProbe: httpGet: path: /_status - port: 8000 + port: http initialDelaySeconds: 5 periodSeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /_status - port: 8000 + port: http resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/helm/ssjdispatcher/values.yaml b/helm/ssjdispatcher/values.yaml index f445a4834..a89d5ec23 100644 --- a/helm/ssjdispatcher/values.yaml +++ b/helm/ssjdispatcher/values.yaml @@ -128,6 +128,7 @@ securityContext: service: # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". type: ClusterIP + targetPort: 8000 # -- (int) The port number that the service exposes. port: 80 
diff --git a/helm/wts/Chart.yaml b/helm/wts/Chart.yaml index 16ceea0d9..582066a88 100644 --- a/helm/wts/Chart.yaml +++ b/helm/wts/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.30 +version: 0.1.31 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/wts/README.md b/helm/wts/README.md index ba122bdfa..695ae20ea 100644 --- a/helm/wts/README.md +++ b/helm/wts/README.md @@ -1,6 +1,6 @@ # wts -![Version: 0.1.30](https://img.shields.io/badge/Version-0.1.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.31](https://img.shields.io/badge/Version-0.1.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 workspace token service 
@@ -98,7 +98,7 @@ A Helm chart for gen3 workspace token service
 | secrets.awsSecretAccessKey | str | `nil` | AWS secret access key ID. Overrides global key. |
 | securityContext | map | `{}` | Security context for the containers in the pod |
 | selectorLabels | map | `nil` | Will completely override the selectorLabels defined in the common chart's _label_setup.tpl |
-| service | map | `{"httpPort":80,"httpsPort":443,"type":"ClusterIP"}` | Configuration for the service |
+| service | map | `{"httpPort":80,"httpsPort":443,"targetPort":80,"type":"ClusterIP"}` | Configuration for the service |
 | service.httpPort | int | `80` | Port on which the service is exposed |
 | service.httpsPort | int | `443` | Secure port on which the service is exposed |
 | service.type | string | `"ClusterIP"` | Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName". |
diff --git a/helm/wts/templates/deployment.yaml b/helm/wts/templates/deployment.yaml
index 779eee7e6..d98cd2e5c 100644
--- a/helm/wts/templates/deployment.yaml
+++ b/helm/wts/templates/deployment.yaml
@@ -79,18 +79,18 @@ spec:
 subPath: appcreds.json
 ports:
 - name: http
- containerPort: 80
+ containerPort: {{ .Values.service.targetPort }}
 protocol: TCP
 livenessProbe:
 httpGet:
 path: /_status
- port: 80
+ port: http
 failureThreshold: 10
 initialDelaySeconds: 5
 readinessProbe:
 httpGet:
 path: /_status
- port: 80
+ port: http
 env:
 - name: OIDC_CLIENT_ID
 valueFrom:
diff --git a/helm/wts/values.yaml b/helm/wts/values.yaml
index 1c32ed396..f9f9207c6 100644
--- a/helm/wts/values.yaml
+++ b/helm/wts/values.yaml
@@ -184,6 +184,7 @@ securityContext:
 service:
 # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName".
 type: ClusterIP
+ targetPort: 80
 # -- (int) Port on which the service is exposed
 httpPort: 80
 # -- (int) Secure port on which the service is exposed
From 4fd09d11d0c6edd0541b3f52d659af09747a0507 Mon Sep 17 00:00:00 2001
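Review bot: `targetPort: 80` keeps the wts container bound to a privileged port while this series is adding securityContext handling everywhere; a container that runs as non-root without `NET_BIND_SERVICE` cannot bind a port below 1024 on a node whose `net.ipv4.ip_unprivileged_port_start` sysctl is at its default, so the newly configurable value is presumably what operators are meant to change. That constraint is not visible in values.yaml; a comment next to the new key — `# -- (int) Port the container listens on. Under a non-root securityContext use a port >= 1024 if the image supports it.` — or an unprivileged default like the 8000 that ssjdispatcher uses would make it explicit.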
From: Jawad Qureshi Date: Mon, 6 Oct 2025 15:51:57 -0500 Subject: [PATCH 2/2] Add postgresql 15+ support in dbcreate job, fix metadata and fence cronjob to work with openshift --- helm/common/templates/_db_setup_job.tpl | 26 ++++++++------ .../fence-delete-expired-clients-cron.yaml | 20 +++-------- helm/metadata/README.md | 4 +-- helm/metadata/templates/deployment.yaml | 8 ++--- helm/metadata/values.yaml | 34 +++++++++---------- 5 files changed, 44 insertions(+), 48 deletions(-) diff --git a/helm/common/templates/_db_setup_job.tpl b/helm/common/templates/_db_setup_job.tpl index d637057ad..89d8c2b0c 100644 --- a/helm/common/templates/_db_setup_job.tpl +++ b/helm/common/templates/_db_setup_job.tpl 
@@ -151,19 +151,25 @@ spec: if psql -lqt | cut -d \| -f 1 | grep -qw $SERVICE_PGDB; then gen3_log_info "Database exists" PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo" - - # Update secret to signal that db is ready, and services can start kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}' else - echo "database does not exist" - psql -tc "SELECT 1 FROM pg_database WHERE datname = '$SERVICE_PGDB'" | grep -q 1 || psql -c "CREATE DATABASE \"$SERVICE_PGDB\";" - gen3_log_info psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';" - psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';" - psql -c "GRANT ALL ON DATABASE \"$SERVICE_PGDB\" TO \"$SERVICE_PGUSER\" WITH GRANT OPTION;" - psql -d $SERVICE_PGDB -c "CREATE EXTENSION ltree; ALTER ROLE \"$SERVICE_PGUSER\" WITH LOGIN" - PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo" + echo "Database does not exist — creating..." + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$SERVICE_PGDB'" | grep -q 1 || \ + psql -c "CREATE DATABASE \"$SERVICE_PGDB\";" + psql -tc "SELECT 1 FROM pg_user WHERE usename = '$SERVICE_PGUSER'" | grep -q 1 || \ + psql -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';" + + echo "Granting privileges to $SERVICE_PGUSER..." 
+ psql -c "GRANT ALL PRIVILEGES ON DATABASE \"$SERVICE_PGDB\" TO \"$SERVICE_PGUSER\";" + psql -d $SERVICE_PGDB -c "ALTER SCHEMA public OWNER TO \"$SERVICE_PGUSER\";" + psql -d $SERVICE_PGDB -c "GRANT ALL ON SCHEMA public TO \"$SERVICE_PGUSER\";" + psql -d $SERVICE_PGDB -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO \"$SERVICE_PGUSER\";" + psql -d $SERVICE_PGDB -c "ALTER ROLE \"$SERVICE_PGUSER\" WITH LOGIN;" - # Update secret to signal that db has been created, and services can start + echo "Creating ltree extension..." + psql -d $SERVICE_PGDB -c "CREATE EXTENSION IF NOT EXISTS ltree;" + + PGPASSWORD=$SERVICE_PGPASS psql -d $SERVICE_PGDB -h $PGHOST -p $PGPORT -U $SERVICE_PGUSER -c "\conninfo" kubectl patch secret/{{ .Chart.Name }}-dbcreds -p '{"data":{"dbcreated":"dHJ1ZQo="}}' fi {{- end}} diff --git a/helm/fence/templates/fence-delete-expired-clients-cron.yaml b/helm/fence/templates/fence-delete-expired-clients-cron.yaml index de3c214df..dc7aaef17 100644 --- a/helm/fence/templates/fence-delete-expired-clients-cron.yaml +++ b/helm/fence/templates/fence-delete-expired-clients-cron.yaml @@ -18,13 +18,10 @@ spec: labels: app: gen3job spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 12 }} volumes: - - name: yaml-merge - configMap: - name: "fence-yaml-merge" - - name: config-volume - secret: - secretName: "fence-config" + {{- toYaml .Values.volumes | nindent 10 }} containers: - name: fence image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" 
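Review bot: `CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD '$SERVICE_PGPASS';` still splices the password into the SQL text through the shell, so a password containing a single quote breaks the statement or changes it; passing it as a psql variable, `psql -v pw="$SERVICE_PGPASS" -c "CREATE USER \"$SERVICE_PGUSER\" WITH PASSWORD :'pw';"`, lets psql quote it as a literal. `ALTER SCHEMA public OWNER TO \"$SERVICE_PGUSER\"` already gives the role every privilege on the schema, so the `GRANT ALL ON SCHEMA public` that follows is redundant, and `GRANT ALL ON ALL TABLES IN SCHEMA public` only covers tables that exist at that moment — in a database created a few lines earlier there are none, so either drop it or use `ALTER DEFAULT PRIVILEGES` if future tables are the intent. Unless the script enables `set -e` or `ON_ERROR_STOP` before the hunk, a failed `CREATE USER` or grant still reaches `kubectl patch secret ... dbcreated`, which tells the services to start against a half-configured database. The ownership change also runs only in the create branch, so a pre-existing database moved to PostgreSQL 15 presumably does not receive it; the enclosing script starts before the hunk.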
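Review bot: `{{- toYaml .Values.volumes | nindent 10 }}` attaches the deployment's whole volume list to a job that previously mounted only the `fence-config` secret and the `fence-yaml-merge` config map; if `.Values.volumes` carries anything beyond those two (fence's values.yaml is not in this patch), the cron pod now has access it never uses, and a dedicated value for the job, or a comment stating that the list is intentionally shared, would keep that scope reviewable. A pod-level `securityContext` is added, but nothing in the hunk sets a container-level `securityContext` on `fence` (its definition continues past the hunk), while the sibling charts in this series expose a per-container `securityContext` value; the job container should carry the same profile as the deployment's.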
@@ -44,19 +41,12 @@ spec:
 optional: true
 {{- toYaml .Values.env | nindent 16 }}
 volumeMounts:
- - name: "config-volume"
- readOnly: true
- mountPath: "/var/www/fence/fence-config-secret.yaml"
- subPath: fence-config.yaml
- - name: "yaml-merge"
- readOnly: true
- mountPath: "/var/www/fence/yaml_merge.py"
- subPath: yaml_merge.py
+ {{- toYaml .Values.initVolumeMounts | nindent 12 }}
 command: ["/bin/bash"]
 args:
 - "-c"
 - |
- python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config-secret.yaml /var/www/fence/fence-config.yaml
+ python /var/www/fence/yaml_merge.py /var/www/fence/fence-config-secret.yaml /var/www/fence/fence-config-public.yaml /var/www/fence/fence-config.yaml
 if [[ "$slackWebHook" =~ ^http ]]; then
 fence-create client-delete-expired --slack-webhook $slackWebHook --warning-days 7
 else
diff --git a/helm/metadata/README.md b/helm/metadata/README.md
index 7da7f2737..ffd4b5d29 100644
--- a/helm/metadata/README.md
+++ b/helm/metadata/README.md
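Review bot: Swapping the first two arguments of `yaml_merge.py` changes which file's keys win on a duplicate (for a typical merge the later file overrides), and neither the commit message nor a comment says which order is intended; confirm it matches the order the fence deployment's init container uses, and state the rule above the call, e.g. `# yaml_merge.py: later files override earlier keys` (or whatever the script actually does), so the precedence is not re-derived by the next reader. `{{- toYaml .Values.initVolumeMounts | nindent 12 }}` renders `volumeMounts: null` when the value is unset and the script then fails at the first path it opens; `{{- toYaml (required "initVolumeMounts must provide the fence config mounts" .Values.initVolumeMounts) | nindent 12 }}` fails at render time with a message that says why.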
@@ -87,7 +87,7 @@ A Helm chart for gen3 Metadata Service
 | initResources | map | `{"requests":{"memory":"100Mi"}}` | Resource limits for the init container. |
 | initResources.requests | map | `{"memory":"100Mi"}` | The maximum amount of resources that the container is allowed to use |
 | initResources.requests.memory | string | `"100Mi"` | The maximum amount of memory the container can use |
-| initVolumeMounts | list | `[{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/mds/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"}]` | Volumes to mount to the init container. |
+| initVolumeMounts | list | `nil` | Volumes to mount to the init container. |
 | metricsEnabled | bool | `nil` | Whether Metrics are enabled. |
 | partOf | string | `"Discovery-Tab"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. |
 | postgres | map | `{"database":null,"dbCreate":null,"dbRestore":false,"host":null,"password":null,"port":"5432","separate":false,"username":null}` | Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you |
@@ -120,4 +120,4 @@ A Helm chart for gen3 Metadata Service
 | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. |
 | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. |
 | useAggMds | bool | `"False"` | Set to true to aggregate metadata from multiple other Metadata Service instances. |
-| volumeMounts | list | `[{"mountPath":"/src/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/mds/.env","name":"config-volume-g3auto","readOnly":true,"subPath":"metadata.env"},{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"}]` | Volumes to mount to the container. |
+| volumeMounts | list | `[{"mountPath":"/aggregate_config.json","name":"config-volume","readOnly":true,"subPath":"aggregate_config.json"}]` | Volumes to mount to the container. |
diff --git a/helm/metadata/templates/deployment.yaml b/helm/metadata/templates/deployment.yaml
index 8bc95ee1f..878e8b5e4 100644
--- a/helm/metadata/templates/deployment.yaml
+++ b/helm/metadata/templates/deployment.yaml
@@ -46,9 +46,9 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 volumes:
- - name: config-volume-g3auto
- secret:
- secretName: metadata-g3auto
+ # - name: config-volume-g3auto
+ # secret:
+ # secretName: metadata-g3auto
 - name: config-volume
 configMap:
 name: agg-mds-config
@@ -128,7 +128,6 @@ spec:
 - name: {{ .Values.initContainerName }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- with .Values.initVolumeMounts }}
 env:
 - name: DB_HOST
 valueFrom:
@@ -160,6 +159,7 @@ spec:
 name: metadata-dbcreds
 key: dbcreated
 optional: false
+ {{- with .Values.initVolumeMounts }}
 volumeMounts:
 {{- toYaml . | nindent 10 }}
 {{- end }}
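Review bot: The `config-volume-g3auto` volume is commented out rather than deleted, and the matching `volumeMounts`/`initVolumeMounts` entries in the values.yaml hunks that follow are commented out the same way; commented-out YAML inside a rendered template is dead text that git already preserves, and it leaves unstated why the `.env` secret mount went away. Delete the lines and add a short comment where the credentials now enter — above the init container's `env:` block, something like `# DB settings come from the metadata-dbcreds secret; the metadata-g3auto .env mount was removed` — assuming that is the replacement, which the `-160` hunk suggests but only the rest of the template (outside these hunks) would confirm.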
diff --git a/helm/metadata/values.yaml b/helm/metadata/values.yaml index b00cbb33a..e7da6976d 100644 --- a/helm/metadata/values.yaml +++ b/helm/metadata/values.yaml @@ -254,15 +254,15 @@ aggMdsConfig: | # -- (list) Volumes to mount to the container. volumeMounts: - - name: config-volume-g3auto - readOnly: true - mountPath: /src/.env - subPath: metadata.env + # - name: config-volume-g3auto + # readOnly: true + # mountPath: /src/.env + # subPath: metadata.env # Added an additional volume mount for new images using the / directory, while retaining the 'src' mount for backward compatibility. - - name: config-volume-g3auto - readOnly: true - mountPath: /mds/.env - subPath: metadata.env + # - name: config-volume-g3auto + # readOnly: true + # mountPath: /mds/.env + # subPath: metadata.env - name: config-volume readOnly: true mountPath: /aggregate_config.json @@ -284,15 +284,15 @@ resources: initContainerName: metadata-db-migrate # -- (list) Volumes to mount to the init container. initVolumeMounts: - - name: config-volume-g3auto - readOnly: true - mountPath: /src/.env - subPath: metadata.env - # Added an additional volume mount for new images using the / directory, while retaining the 'src' mount for backward compatibility. - - name: config-volume-g3auto - readOnly: true - mountPath: /mds/.env - subPath: metadata.env + # - name: config-volume-g3auto + # readOnly: true + # mountPath: /src/.env + # subPath: metadata.env + # # Added an additional volume mount for new images using the / directory, while retaining the 'src' mount for backward compatibility. + # - name: config-volume-g3auto + # readOnly: true + # mountPath: /mds/.env + # subPath: metadata.env # -- (map) Resource limits for the init container. initResources: # -- (map) The maximum amount of resources that the container is allowed to use