Merge pull request #4 from rackerlabs/chart-drop-priv

chart: drop security permissions and don't use privileged port

Author: cardoe

.github/workflows/ci.yml

@@ -81,4 +81,4 @@ jobs:
 
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+        run: ct lint --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/release.yml

@@ -53,5 +53,5 @@ jobs:
             -e "s/^version:.*/version: ${PKG_VER}/" \
             -i charts/cert-manager-webhook-rackspace/Chart.yaml
           helm package -u -d . charts/cert-manager-webhook-rackspace
-          helm push cert-manager-webhook-rackspace-${PKG_VER}.tgz "oci://ghcr.io/$GITHUB_REPOSITORY"
+          helm push cert-manager-webhook-rackspace-${PKG_VER}.tgz "oci://ghcr.io/$GITHUB_REPOSITORY_OWNER/charts"
 

charts/cert-manager-webhook-rackspace/Chart.yaml

@@ -3,3 +3,6 @@ appVersion: "0.0.0"
 description: Rackspace Cloud DNS webhook for cert-manager support
 name: cert-manager-webhook-rackspace
 version: 0.1.0
+maintainers:
+  - name: cardoe
+    email: [email protected]

charts/cert-manager-webhook-rackspace/templates/deployment.yaml

@@ -28,12 +28,13 @@ spec:
           args:
             - --tls-cert-file=/tls/tls.crt
             - --tls-private-key-file=/tls/tls.key
+            - --secure-port=8443
           env:
             - name: GROUP_NAME
               value: {{ .Values.groupName | quote }}
           ports:
             - name: https
-              containerPort: 443
+              containerPort: 8443
               protocol: TCP
           livenessProbe:
             httpGet:
@@ -45,6 +46,10 @@ spec:
               scheme: HTTPS
               path: /healthz
               port: https
+        {{- with .Values.securityContext }}
+          securityContext:
+{{ toYaml . | indent 12 }}
+        {{- end }}
           volumeMounts:
             - name: certs
               mountPath: /tls
@@ -55,6 +60,10 @@ spec:
         - name: certs
           secret:
             secretName: {{ include "cert-manager-webhook-rackspace.servingCertificate" . }}
+    {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+    {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

charts/cert-manager-webhook-rackspace/values.yaml

@@ -14,6 +14,8 @@ certManager:
 
 image:
   repository: ghcr.io/rackerlabs/cert-manager-webhook-rackspace
+  # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }}
+  tag: ""
   pullPolicy: IfNotPresent
 
 nameOverride: ""
@@ -40,3 +42,13 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: ["ALL"]
+
+podSecurityContext:
+  runAsGroup: 1000
+  runAsUser: 1000
+  runAsNonRoot: true