Revert security context, add /tmp volume and djangoSecretKey on backend

intuitem · Jan 14, 2025 · 1753a6a · 1753a6a
1 parent a49a5c4
commit 1753a6a
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 27 deletions.
diff --git a/charts/ciso-assistant-next/README.md b/charts/ciso-assistant-next/README.md
@@ -1,11 +1,15 @@
 # ciso-assistant
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.3](https://img.shields.io/badge/AppVersion-v1.9.3-informational?style=flat-square)
+
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.3](https://img.shields.io/badge/AppVersion-v1.9.3-informational?style=flat-square) 
 
 A Helm chart for CISO Assistant k8s's deployment
 
 **Homepage:** <https://intuitem.com>
 
+
+
 ## Source Code
 
 * <https://github.com/intuitem/ciso-assistant-community>
@@ -34,6 +38,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus
 |-----|------|---------|-------------|
 | backend.config.databaseType | string | `"sqlite"` | Set the database type (sqlite, pgsql or externalPgsql) # Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section |
 | backend.config.djangoDebug | bool | `false` | Enable Django debug mode |
+| backend.config.djangoSecretKey | string | `"changeme"` | Set Django secret key |
 | backend.config.emailAdmin | string | `"[email protected]"` | Admin email for initial configuration |
 | backend.config.smtp.defaultFrom | string | `"[email protected]"` | Default from email address |
 | backend.config.smtp.primary.host | string | `"primary.cool-mailer.net"` | Primary SMTP hostname |
@@ -46,7 +51,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus
 | backend.config.smtp.rescue.port | int | `587` | Rescue SMTP hostname |
 | backend.config.smtp.rescue.useTls | bool | `true` | Enable TLS for rescue SMTP |
 | backend.config.smtp.rescue.username | string | `"username"` | Rescue SMTP hostname |
-| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"}}` | Toggle and define container-level security context |
+| backend.containerSecurityContext | object | `{}` | Toggle and define container-level security context |
 | backend.env | list | `[]` | Environment variables to pass to backend |
 | backend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the backend |
 | backend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the backend |
@@ -75,7 +80,7 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus
 | externalPgsql.port | int | `5432` | Port of an external PostgreSQL to connect |
 | externalPgsql.user | string | `"ciso-assistant"` | User of an external PostgreSQL instance to connect |
 | frontend.config.bodySizeLimit | string | `"50M"` | Configure body size limit for uploads in bytes (unit suffix like K/M/G can be used) |
-| frontend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"}}` | Toggle and define container-level security context |
+| frontend.containerSecurityContext | object | `{}` | Toggle and define container-level security context |
 | frontend.env | list | `[]` | Environment variables to pass to frontend |
 | frontend.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the frontend |
 | frontend.image.registry | string | `""` (defaults to global.image.registry) | Registry to use for the frontend |
@@ -117,5 +122,6 @@ helm install ciso-assistant-release oci://ghcr.io/intuitem/ciso-assistant -f cus
 | postgresql.global.postgresql.auth.username | string | `"ciso-assistant"` | Database username |
 | postgresql.primary.persistence.size | string | `"5Gi"` | PostgreSQL persistant volume size (default 8Gi). |
 
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/charts/ciso-assistant-next/templates/backend/deployment.yaml b/charts/ciso-assistant-next/templates/backend/deployment.yaml
@@ -76,6 +76,11 @@ spec:
           {{- end }}
           - name: DJANGO_DEBUG
             value: {{ ternary "True" "False" .Values.backend.config.djangoDebug | quote }}
+          - name: DJANGO_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "ciso-assistant.fullname" . }}-backend
+                key: django-secret-key
           - name: CISO_ASSISTANT_SUPERUSER_EMAIL
             value: {{ .Values.backend.config.emailAdmin }}
           - name: CISO_ASSISTANT_URL
@@ -120,6 +125,8 @@ spec:
           {{- end }}
         {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }}
         volumeMounts:
+        - mountPath: /tmp
+          name: tmp-data
         {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }}
         - name: sqlite-data
           mountPath: /ciso/db
@@ -151,6 +158,9 @@ spec:
       {{- end }}
       {{- if or (and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled) .Values.backend.persistence.localStorage.enabled }}
       volumes:
+      - name: tmp-data
+        emptyDir:
+          sizeLimit: 256Mi
       {{- if and (eq .Values.backend.config.databaseType "sqlite") .Values.backend.persistence.sqlite.enabled }}
       - name: sqlite-data
         persistentVolumeClaim:

diff --git a/charts/ciso-assistant-next/templates/backend/secret.yaml b/charts/ciso-assistant-next/templates/backend/secret.yaml
@@ -8,6 +8,7 @@ metadata:
     {{- include "ciso-assistant.labels" (dict "context" . "name" .Values.backend.name "component" .Values.backend.name) | nindent 4 }}
 type: Opaque
 data:
+  django-secret-key: {{ .Values.backend.config.djangoSecretKey | b64enc | quote}}
   {{- if .Values.backend.config.smtp.primary.password }}
   email-primary-password: {{ .Values.backend.config.smtp.primary.password | b64enc | quote}}
   {{- end }}

diff --git a/charts/ciso-assistant-next/values.yaml b/charts/ciso-assistant-next/values.yaml
@@ -88,6 +88,9 @@ backend:
     ## Note : PostgreSQL database configuration at `postgresql` or `externalPgsql` section
     databaseType: sqlite
 
+    # -- Set Django secret key
+    djangoSecretKey: "changeme"
+
     # -- Enable Django debug mode
     djangoDebug: false
 
@@ -144,18 +147,18 @@ backend:
   env: []
 
   # -- Toggle and define container-level security context
-  containerSecurityContext:
-    seLinuxOptions: {}
-    runAsUser: 1001
-    runAsGroup: 1001
-    runAsNonRoot: true
-    privileged: false
-    readOnlyRootFilesystem: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop: ["ALL"]
-    seccompProfile:
-      type: "RuntimeDefault"
+  containerSecurityContext: {}
+  #  seLinuxOptions: {}
+  #  runAsUser: 1001
+  #  runAsGroup: 1001
+  #  runAsNonRoot: true
+  #  privileged: false
+  #  readOnlyRootFilesystem: true
+  #  allowPrivilegeEscalation: false
+  #  capabilities:
+  #    drop: ["ALL"]
+  #  seccompProfile:
+  #    type: "RuntimeDefault"
 
   ## Backend service configuration
   service:
@@ -213,18 +216,18 @@ frontend:
   env: []
 
   # -- Toggle and define container-level security context
-  containerSecurityContext:
-    seLinuxOptions: {}
-    runAsUser: 1001
-    runAsGroup: 1001
-    runAsNonRoot: true
-    privileged: false
-    readOnlyRootFilesystem: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop: ["ALL"]
-    seccompProfile:
-      type: "RuntimeDefault"
+  containerSecurityContext: {}
+  #  seLinuxOptions: {}
+  #  runAsUser: 1001
+  #  runAsGroup: 1001
+  #  runAsNonRoot: true
+  #  privileged: false
+  #  readOnlyRootFilesystem: true
+  #  allowPrivilegeEscalation: false
+  #  capabilities:
+  #    drop: ["ALL"]
+  #  seccompProfile:
+  #    type: "RuntimeDefault"
 
   ## Frontend service configuration
   service: