diff --git a/charts/lighthouse/Makefile b/charts/lighthouse/Makefile index bdc7b8b28..27d57a0d0 100644 --- a/charts/lighthouse/Makefile +++ b/charts/lighthouse/Makefile @@ -6,7 +6,7 @@ OS := $(shell uname) HELMDOCS := $(GOPATH)/bin/helm-docs $(HELMDOCS): - pushd /tmp; $(GO_MOD) get -u github.com/norwoodj/helm-docs/cmd/helm-docs@v0.15.0; popd + pushd /tmp; $(GO_MOD) install github.com/norwoodj/helm-docs/cmd/helm-docs@v0.15.0; popd build: clean $(HELMDOCS) rm -rf requirements.lock diff --git a/charts/lighthouse/README.md b/charts/lighthouse/README.md index b05af9ed2..02adf02a9 100644 --- a/charts/lighthouse/README.md +++ b/charts/lighthouse/README.md @@ -43,7 +43,7 @@ helm uninstall my-lighthouse --namespace lighthouse ## Values | Key | Type | Description | Default | -| --------------------------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | +|-----------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------| | `cluster.crds.create` | bool | Create custom resource definitions | `true` | | `configMaps.config` | string | Raw `config.yaml` content | `nil` | | `configMaps.configUpdater` | object | Settings used to configure the `config-updater` plugin | `{"orgAndRepo":"","path":""}` | 
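Review bot: In the `$(HELMDOCS)` recipe the `;`-chained `pushd /tmp; …; popd` still hides a failed `go install`, because the recipe's exit status is that of `popd`, so `build: clean $(HELMDOCS)` carries on without the binary. The detour into /tmp was only needed to stop `go get` from editing this module's go.mod; `go install pkg@version` ignores the current module, and `pushd`/`popd` are bash builtins that fail under a POSIX `$(SHELL)`. The recipe can be reduced to the single tab-indented line `$(GO_MOD) install github.com/norwoodj/helm-docs/cmd/helm-docs@v0.15.0`, which also makes the target fail when the download fails. Since the target is `$(GOPATH)/bin/helm-docs`, the rule further assumes GOBIN is unset; if a developer points GOBIN elsewhere the file is never created and the install reruns on every build — worth a comment on the rule, e.g. `# go install honours GOBIN; this target expects it unset so the binary lands in $(GOPATH)/bin`.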
@@ -62,23 +62,25 @@ helm uninstall my-lighthouse --namespace lighthouse | `externalPlugins[1].requiredResources[0].name` | string | | `"lighthouse-webui-plugin"` | | `externalPlugins[1].requiredResources[0].namespace` | string | | `"jx"` | | `foghorn.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the foghorn pods | `{}` | +| `foghorn.containerSecurityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the foghorn containers | `{}` | | `foghorn.image.pullPolicy` | string | Template for computing the foghorn controller docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | | `foghorn.image.repository` | string | Template for computing the foghorn controller docker image repository | `"{{ .Values.image.parentRepository }}/lighthouse-foghorn"` | | `foghorn.image.tag` | string | Template for computing the foghorn controller docker image tag | `"{{ .Values.image.tag }}"` | -| `foghorn.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | +| `foghorn.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | | `foghorn.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the foghorn pods | `{}` | | `foghorn.replicaCount` | int | Number of replicas | `1` | | `foghorn.resources.limits` | object | Resource limits applied to the foghorn pods | `{"cpu":"100m","memory":"256Mi"}` | | `foghorn.resources.requests` | object | Resource requests applied to the foghorn pods | `{"cpu":"80m","memory":"128Mi"}` | +| `foghorn.securityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the foghorn pods | `{}` | | `foghorn.terminationGracePeriodSeconds` | int | Termination 
grace period for foghorn pods | `180` | | `foghorn.tolerations` | list | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the foghorn pods | `[]` | -| `gcJobs.backoffLimit` | int | Set the backoff limit for failed cronJobs | `6` | +| `gcJobs.backoffLimit` | int | Drives the job's backoff limit | `6` | | `gcJobs.concurrencyPolicy` | string | Drives the job's concurrency policy | `"Forbid"` | | `gcJobs.failedJobsHistoryLimit` | int | Drives the failed jobs history limit | `1` | | `gcJobs.image.pullPolicy` | string | Template for computing the gc job docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | | `gcJobs.image.repository` | string | Template for computing the gc job docker image repository | `"{{ .Values.image.parentRepository }}/lighthouse-gc-jobs"` | | `gcJobs.image.tag` | string | Template for computing the gc job docker image tag | `"{{ .Values.image.tag }}"` | -| `gcJobs.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | +| `gcJobs.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | | `gcJobs.maxAge` | string | Max age from which `LighthouseJob`s will be deleted | `"168h"` | | `gcJobs.schedule` | string | Cron expression to periodically delete `LighthouseJob`s | `"0/30 * * * *"` | | `gcJobs.successfulJobsHistoryLimit` | int | Drives the successful jobs history limit | `3` | 
@@ -89,32 +91,36 @@ helm uninstall my-lighthouse --namespace lighthouse | `hmacSecretName` | string | Existing hmac secret to use for webhooks | `""` | | `hmacToken` | string | Secret used for webhooks | `""` | | `hmacTokenEnabled` | bool | Enables the use of a hmac token. This should always be enabled if possible - though some git providers don't support it such as bitbucket cloud | `true` | +| `hmacTokenVolumeMount` | object | Mount hmac token as a volume instead of using an environment variable Secret reference | `{"enabled":false}` | | `image.parentRepository` | string | Docker registry to pull images from | `"ghcr.io/jenkins-x"` | | `image.pullPolicy` | string | Image pull policy | `"IfNotPresent"` | | `image.tag` | string | Docker images tag the following tag is latest on the main branch, it's a specific version on a git tag | `"latest"` | -| `jenkinscontroller.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the tekton controller pods | `{}` | -| `jenkinscontroller.image.pullPolicy` | string | Template for computing the tekton controller docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | +| `jenkinscontroller.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the jenkins controller pods | `{}` | +| `jenkinscontroller.containerSecurityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the jenkins controller containers | `{}` | +| `jenkinscontroller.image.pullPolicy` | string | Template for computing the jenkins controller docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | | `jenkinscontroller.image.repository` | string | Template for computing the Jenkins controller docker image repository | `"{{ .Values.image.parentRepository }}/lighthouse-jenkins-controller"` | 
-| `jenkinscontroller.image.tag` | string | Template for computing the tekton controller docker image tag | `"{{ .Values.image.tag }}"` | +| `jenkinscontroller.image.tag` | string | Template for computing the jenkins controller docker image tag | `"{{ .Values.image.tag }}"` | | `jenkinscontroller.jenkinsToken` | string | The token for authenticating the Jenkins user | `nil` | | `jenkinscontroller.jenkinsURL` | string | The URL of the Jenkins instance | `nil` | | `jenkinscontroller.jenkinsUser` | string | The username for the Jenkins user | `nil` | -| `jenkinscontroller.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | -| `jenkinscontroller.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the tekton controller pods | `{}` | -| `jenkinscontroller.podAnnotations` | object | Annotations applied to the tekton controller pods | `{}` | -| `jenkinscontroller.resources.limits` | object | Resource limits applied to the tekton controller pods | `{"cpu":"100m","memory":"256Mi"}` | -| `jenkinscontroller.resources.requests` | object | Resource requests applied to the tekton controller pods | `{"cpu":"80m","memory":"128Mi"}` | -| `jenkinscontroller.service` | object | Service settings for the tekton controller | `{"annotations":{}}` | -| `jenkinscontroller.terminationGracePeriodSeconds` | int | Termination grace period for tekton controller pods | `180` | -| `jenkinscontroller.tolerations` | list | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the tekton controller pods | `[]` | +| `jenkinscontroller.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | +| `jenkinscontroller.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the jenkins controller pods | `{}` | 
+| `jenkinscontroller.podAnnotations` | object | Annotations applied to the jenkins controller pods | `{}` | +| `jenkinscontroller.resources.limits` | object | Resource limits applied to the jenkins controller pods | `{"cpu":"100m","memory":"256Mi"}` | +| `jenkinscontroller.resources.requests` | object | Resource requests applied to the jenkins controller pods | `{"cpu":"80m","memory":"128Mi"}` | +| `jenkinscontroller.securityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the jenkins controller pods | `{}` | +| `jenkinscontroller.service` | object | Service settings for the jenkins controller | `{"annotations":{}}` | +| `jenkinscontroller.terminationGracePeriodSeconds` | int | Termination grace period for jenkins controller pods | `180` | +| `jenkinscontroller.tolerations` | list | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the jenkins controller pods | `[]` | | `keeper.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the keeper pods | `{}` | +| `keeper.containerSecurityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the keeper containers | `{}` | | `keeper.datadog.enabled` | string | Enables datadog | `"true"` | | `keeper.env` | object | Lets you define keeper specific environment variables | `{}` | | `keeper.image.pullPolicy` | string | Template for computing the keeper controller docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | | `keeper.image.repository` | string | Template for computing the keeper controller docker image repository | `"{{ .Values.image.parentRepository }}/lighthouse-keeper"` | | `keeper.image.tag` | string | Template for computing the keeper controller docker image tag | `"{{ .Values.image.tag }}"` | | 
`keeper.livenessProbe` | object | Liveness probe configuration | `{"initialDelaySeconds":120,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | -| `keeper.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | +| `keeper.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | | `keeper.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the keeper pods | `{}` | | `keeper.podAnnotations` | object | Annotations applied to the keeper pods | `{}` | | `keeper.probe` | object | Liveness and readiness probes settings | `{"path":"/"}` | @@ -122,6 +128,7 @@ helm uninstall my-lighthouse --namespace lighthouse | `keeper.replicaCount` | int | Number of replicas | `1` | | `keeper.resources.limits` | object | Resource limits applied to the keeper pods | `{"cpu":"400m","memory":"512Mi"}` | | `keeper.resources.requests` | object | Resource requests applied to the keeper pods | `{"cpu":"100m","memory":"128Mi"}` | +| `keeper.securityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the keeper pods | `{}` | | `keeper.service` | object | Service settings for the keeper controller | `{"externalPort":80,"internalPort":8888,"type":"ClusterIP"}` | | `keeper.statusContextLabel` | string | Label used to report status to git provider | `"Lighthouse Merge Status"` | | `keeper.terminationGracePeriodSeconds` | int | Termination grace period for keeper pods | `30` | 
@@ -132,6 +139,7 @@ helm uninstall my-lighthouse --namespace lighthouse | `logStackSkip` | string | Comma separated stack frames to skip from the log | `""` | | `oauthSecretName` | string | Existing Git token secret | `""` | | `oauthToken` | string | Git token (used when GitHub app authentication is not enabled) | `""` | +| `oauthTokenVolumeMount` | object | Mount Git token as a volume instead of using an environment variable Secret reference (used when GitHub app authentication is not enabled) | `{"enabled":false}` | | `poller.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the poller pods | `{}` | | `poller.contextMatchPattern` | string | Regex pattern to use to match commit status context | `""` | | `poller.datadog.enabled` | string | Enables datadog | `"true"` | @@ -142,7 +150,7 @@ helm uninstall my-lighthouse --namespace lighthouse | `poller.image.tag` | string | Template for computing the poller controller docker image tag | `"{{ .Values.image.tag }}"` | | `poller.internalPort` | int | | `8888` | | `poller.livenessProbe` | object | Liveness probe configuration | `{"initialDelaySeconds":120,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | -| `poller.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | +| `poller.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | | `poller.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the poller pods | `{}` | | `poller.podAnnotations` | object | Annotations applied to the poller pods | `{}` | | `poller.probe` | object | Liveness and readiness probes settings | `{"path":"/"}` | 
@@ -153,25 +161,28 @@ helm uninstall my-lighthouse --namespace lighthouse | `poller.resources.requests` | object | Resource requests applied to the poller pods | `{"cpu":"100m","memory":"128Mi"}` | | `poller.terminationGracePeriodSeconds` | int | Termination grace period for poller pods | `30` | | `poller.tolerations` | list | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the poller pods | `[]` | -| `scope` | string | set scope to either `cluster` or `namespace` for permissions | `cluster` | +| `scope` | string | limit permissions to namespace privileges | `"cluster"` | | `tektoncontroller.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the tekton controller pods | `{}` | +| `tektoncontroller.containerSecurityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the tekton controller containers | `{}` | | `tektoncontroller.dashboardTemplate` | string | Go template expression for URLs in the dashboard if not using Tekton dashboard | `""` | | `tektoncontroller.dashboardURL` | string | the dashboard URL (e.g. 
Tekton dashboard) | `""` | +| `tektoncontroller.enableRerunStatusUpdate` | bool | Enable updating the status at the git provider when PipelineRuns are rerun | `false` | | `tektoncontroller.image.pullPolicy` | string | Template for computing the tekton controller docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | | `tektoncontroller.image.repository` | string | Template for computing the tekton controller docker image repository | `"{{ .Values.image.parentRepository }}/lighthouse-tekton-controller"` | | `tektoncontroller.image.tag` | string | Template for computing the tekton controller docker image tag | `"{{ .Values.image.tag }}"` | -| `tektoncontroller.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | +| `tektoncontroller.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | | `tektoncontroller.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the tekton controller pods | `{}` | | `tektoncontroller.podAnnotations` | object | Annotations applied to the tekton controller pods | `{}` | | `tektoncontroller.replicaCount` | int | Number of replicas | `1` | | `tektoncontroller.resources.limits` | object | Resource limits applied to the tekton controller pods | `{"cpu":"100m","memory":"256Mi"}` | | `tektoncontroller.resources.requests` | object | Resource requests applied to the tekton controller pods | `{"cpu":"80m","memory":"128Mi"}` | +| `tektoncontroller.securityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the tekton controller pods | `{}` | | `tektoncontroller.service` | object | Service settings for the tekton controller | `{"annotations":{}}` | | `tektoncontroller.terminationGracePeriodSeconds` | int | Termination grace period for tekton controller pods | `180` | -| 
`tektoncontroller.enableRerunStatusUpdate` | bool | Enable updating the status at the git provider when PipelineRuns are rerun | `false` | | `tektoncontroller.tolerations` | list | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the tekton controller pods | `[]` | | `user` | string | Git user name (used when GitHub app authentication is not enabled) | `""` | | `webhooks.affinity` | object | [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the webhooks pods | `{}` | +| `webhooks.containerSecurityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the webhooks containers | `{}` | | `webhooks.customDeploymentTriggerCommand` | string | deployments can configure the ability to allow custom lighthouse triggers using their own unique chat prefix, for example extending the default `/test` trigger prefix let them specify `customDeploymentTriggerPrefix: foo` which means they can also use their own custom trigger /foo mycoolthing | `""` | | `webhooks.image.pullPolicy` | string | Template for computing the webhooks controller docker image pull policy | `"{{ .Values.image.pullPolicy }}"` | | `webhooks.image.repository` | string | Template for computing the webhooks controller docker image repository | `"{{ .Values.image.parentRepository }}/lighthouse-webhooks"` | 
@@ -180,9 +191,11 @@ helm uninstall my-lighthouse --namespace lighthouse | `webhooks.ingress.enabled` | bool | Enable webhooks ingress | `false` | | `webhooks.ingress.hosts` | list | Webhooks ingress host names | `[]` | | `webhooks.ingress.ingressClassName` | string | Webhooks ingress ingressClassName | `nil` | +| `webhooks.ingress.tls.enabled` | bool | Enable webhooks ingress tls | `false` | +| `webhooks.ingress.tls.secretName` | string | Specify webhooks ingress tls secretName | `""` | | `webhooks.labels` | object | allow optional labels to be added to the webhook deployment | `{}` | | `webhooks.livenessProbe` | object | Liveness probe configuration | `{"initialDelaySeconds":60,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | -| `webhooks.logLevel` | string | The logging level: trace, debug, info, warn, panic, fatal | `"info"` | +| `webhooks.logLevel` | string | The logging level: trace, debug, info, warn, error, panic, fatal | `"info"` | | `webhooks.nodeSelector` | object | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the webhooks pods | `{}` | | `webhooks.podAnnotations` | object | Annotations applied to the webhooks pods | `{}` | | `webhooks.podLabels` | object | | `{}` | 
@@ -191,6 +204,7 @@ helm uninstall my-lighthouse --namespace lighthouse | `webhooks.replicaCount` | int | Number of replicas | `1` | | `webhooks.resources.limits` | object | Resource limits applied to the webhooks pods | `{"cpu":"100m","memory":"512Mi"}` | | `webhooks.resources.requests` | object | Resource requests applied to the webhooks pods | `{"cpu":"80m","memory":"128Mi"}` | +| `webhooks.securityContext` | object | [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the webhooks pods | `{}` | | `webhooks.service` | object | Service settings for the webhooks controller | `{"annotations":{},"externalPort":80,"internalPort":8080,"type":"ClusterIP"}` | | `webhooks.serviceName` | string | Allows overriding the service name, this is here for compatibility reasons, regular users should clear this out | `"hook"` | | `webhooks.terminationGracePeriodSeconds` | int | Termination grace period for webhooks pods | `180` | diff --git a/charts/lighthouse/templates/foghorn-deployment.yaml b/charts/lighthouse/templates/foghorn-deployment.yaml index e6f8026dd..e6beeb41b 100644 --- a/charts/lighthouse/templates/foghorn-deployment.yaml +++ b/charts/lighthouse/templates/foghorn-deployment.yaml @@ -78,6 +78,8 @@ spec: value: {{ quote $pval }} {{- end }} {{- end }} + securityContext: +{{ toYaml .Values.foghorn.containerSecurityContext | indent 12 }} resources: {{ toYaml .Values.foghorn.resources | indent 12 }} volumeMounts: @@ -123,3 +125,7 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} +{{- with .Values.foghorn.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} +{{- end }} diff --git a/charts/lighthouse/templates/jenkins-controller-deployment.yaml b/charts/lighthouse/templates/jenkins-controller-deployment.yaml index 4508c6d79..733faa52a 100644 --- a/charts/lighthouse/templates/jenkins-controller-deployment.yaml +++ b/charts/lighthouse/templates/jenkins-controller-deployment.yaml 
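Review bot: In the `@@ -78,6 +78,8 @@` hunk of foghorn-deployment.yaml the container `securityContext:` is rendered unconditionally from `toYaml .Values.foghorn.containerSecurityContext`, while the pod-level block added at the end of the file is wrapped in `{{- with .Values.foghorn.securityContext }}`; with the `{}` default this emits a literal `securityContext: {}` into every container spec. Wrapping the container block the same way — `{{- with .Values.foghorn.containerSecurityContext }}` … `{{- end }}` around `securityContext:` / `{{ toYaml . | indent 12 }}` — keeps the rendered manifest identical to today's when nothing is configured and matches the pod-level style. The jenkins and tekton templates in this commit render both levels unconditionally, so the chart ends up with two conventions; pick one and apply it to all five deployments. Note that `{}` makes the knob purely opt-in: a hardened default would belong in values.yaml rather than in this template.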
@@ -46,6 +46,8 @@ spec: - name: {{ $pkey }} value: {{ quote $pval }} {{- end }} + securityContext: + {{- toYaml .Values.jenkinscontroller.containerSecurityContext | nindent 12 }} resources: {{- toYaml .Values.jenkinscontroller.resources | nindent 12 }} volumeMounts: @@ -63,4 +65,6 @@ spec: {{- toYaml .Values.jenkinscontroller.affinity | nindent 8 }} tolerations: {{- toYaml .Values.jenkinscontroller.tolerations | nindent 8 }} + securityContext: + {{- toYaml .Values.jenkinscontroller.securityContext | nindent 8 }} {{- end }} diff --git a/charts/lighthouse/templates/keeper-deployment.yaml b/charts/lighthouse/templates/keeper-deployment.yaml index 84711e28e..bcc192499 100644 --- a/charts/lighthouse/templates/keeper-deployment.yaml +++ b/charts/lighthouse/templates/keeper-deployment.yaml @@ -102,6 +102,8 @@ spec: - secretRef: name: jx-boot-job-env-vars optional: true + securityContext: +{{ toYaml .Values.keeper.containerSecurityContext | indent 10 }} resources: {{ toYaml .Values.keeper.resources | indent 10 }} volumeMounts: @@ -136,3 +138,7 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} +{{- with .Values.keeper.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} +{{- end }} diff --git a/charts/lighthouse/templates/tekton-controller-deployment.yaml b/charts/lighthouse/templates/tekton-controller-deployment.yaml index ab3182bdc..e52c7f08a 100644 --- a/charts/lighthouse/templates/tekton-controller-deployment.yaml +++ b/charts/lighthouse/templates/tekton-controller-deployment.yaml @@ -50,6 +50,8 @@ spec: - secretRef: name: jx-boot-job-env-vars optional: true + securityContext: + {{- toYaml .Values.tektoncontroller.containerSecurityContext | nindent 12 }} resources: {{- toYaml .Values.tektoncontroller.resources | nindent 12 }} terminationGracePeriodSeconds: {{ .Values.tektoncontroller.terminationGracePeriodSeconds }} 
@@ -59,4 +61,6 @@ spec: {{- toYaml .Values.tektoncontroller.affinity | nindent 8 }} tolerations: {{- toYaml .Values.tektoncontroller.tolerations | nindent 8 }} + securityContext: + {{- toYaml .Values.tektoncontroller.securityContext | nindent 8 }} {{- end }} diff --git a/charts/lighthouse/templates/webhooks-deployment.yaml b/charts/lighthouse/templates/webhooks-deployment.yaml index 753642ef9..b34154ef5 100644 --- a/charts/lighthouse/templates/webhooks-deployment.yaml +++ b/charts/lighthouse/templates/webhooks-deployment.yaml @@ -120,6 +120,8 @@ spec: periodSeconds: {{ .Values.webhooks.readinessProbe.periodSeconds }} successThreshold: {{ .Values.webhooks.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.webhooks.readinessProbe.timeoutSeconds }} + securityContext: +{{ toYaml .Values.webhooks.containerSecurityContext | indent 12 }} resources: {{ toYaml .Values.webhooks.resources | indent 12 }} volumeMounts: @@ -165,3 +167,8 @@ spec: tolerations: {{ toYaml . | indent 8 }} {{- end }} +{{- with .Values.webhooks.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} +{{- end }} + diff --git a/charts/lighthouse/values.yaml b/charts/lighthouse/values.yaml index 1999c5692..d81bce0d7 100644 --- a/charts/lighthouse/values.yaml +++ b/charts/lighthouse/values.yaml @@ -88,7 +88,7 @@ externalPlugins: name: lighthouse-webui-plugin gcJobs: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # gcJobs.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # gcJobs.maxAge -- Max age from which `LighthouseJob`s will be deleted @@ -120,7 +120,7 @@ gcJobs: pullPolicy: "{{ .Values.image.pullPolicy }}" webhooks: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # webhooks.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # webhooks.replicaCount -- Number of replicas 
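Review bot: The `@@ -165,3 +167,8 @@` hunk of webhooks-deployment.yaml adds an empty line after the closing `{{- end }}` (the final `+` carries no content), so this template now ends with a blank line unlike the foghorn and keeper templates touched in the same commit. Drop the trailing `+` line so the five deployment templates end consistently at `{{- end }}`.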
@@ -197,6 +197,12 @@ webhooks: # webhooks.tolerations -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the webhooks pods tolerations: [] + # webhooks.securityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the webhooks pods + securityContext: {} + + # webhooks.containerSecurityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the webhooks containers + containerSecurityContext: {} + ingress: # webhooks.ingress.enabled -- Enable webhooks ingress enabled: false @@ -222,7 +228,7 @@ webhooks: customDeploymentTriggerCommand: "" foghorn: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # foghorn.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # foghorn.replicaCount -- Number of replicas @@ -261,9 +267,15 @@ foghorn: # foghorn.tolerations -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the foghorn pods tolerations: [] + # foghorn.securityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the foghorn pods + securityContext: {} + + # foghorn.containerSecurityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the foghorn containers + containerSecurityContext: {} + tektoncontroller: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # tektoncontroller.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # tektoncontroller.dashboardURL -- the dashboard URL (e.g. Tekton dashboard) 
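Review bot: The new `securityContext: {}` and `containerSecurityContext: {}` defaults under `webhooks`, `foghorn` and `tektoncontroller` in these hunks only expose a knob; unless an operator fills them in, the containers keep whatever the image defaults to, with no `runAsNonRoot`, no `allowPrivilegeEscalation: false`, no `readOnlyRootFilesystem`, no dropped capabilities and no seccomp profile. The webhooks deployment is the one reachable through `webhooks.ingress`, so it is the first place a restrictive default pays off; the block below is the conventional baseline that the Restricted Pod Security Standard expects. It presumes the `lighthouse-webhooks` image runs as a non-root UID and does not write to its root filesystem — neither can be confirmed from this diff, so check the image's Dockerfile (or add `runAsUser` and an `emptyDir` for any scratch path) before making it the default. The same block is applicable to the other components, with the same caveat per image.
```yaml
  # webhooks.containerSecurityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the webhooks containers
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
```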
@@ -302,6 +314,12 @@ tektoncontroller: # tektoncontroller.tolerations -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the tekton controller pods tolerations: [] + # tektoncontroller.securityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the tekton controller pods + securityContext: {} + + # tektoncontroller.containerSecurityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the tekton controller containers + containerSecurityContext: {} + resources: # tektoncontroller.resources.limits -- Resource limits applied to the tekton controller pods limits: @@ -318,7 +336,7 @@ tektoncontroller: annotations: {} jenkinscontroller: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # jenkinscontroller.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # jenkinscontroller.jenkinsURL -- The URL of the Jenkins instance 
@@ -330,48 +348,54 @@ jenkinscontroller: # jenkinscontroller.jenkinsToken -- The token for authenticating the Jenkins user jenkinsToken: - # jenkinscontroller.terminationGracePeriodSeconds -- Termination grace period for tekton controller pods + # jenkinscontroller.terminationGracePeriodSeconds -- Termination grace period for jenkins controller pods terminationGracePeriodSeconds: 180 image: # jenkinscontroller.image.repository -- Template for computing the Jenkins controller docker image repository repository: "{{ .Values.image.parentRepository }}/lighthouse-jenkins-controller" - # jenkinscontroller.image.tag -- Template for computing the tekton controller docker image tag + # jenkinscontroller.image.tag -- Template for computing the jenkins controller docker image tag tag: "{{ .Values.image.tag }}" - # jenkinscontroller.image.pullPolicy -- Template for computing the tekton controller docker image pull policy + # jenkinscontroller.image.pullPolicy -- Template for computing the jenkins controller docker image pull policy pullPolicy: "{{ .Values.image.pullPolicy }}" - # jenkinscontroller.podAnnotations -- Annotations applied to the tekton controller pods + # jenkinscontroller.podAnnotations -- Annotations applied to the jenkins controller pods podAnnotations: {} - # jenkinscontroller.nodeSelector -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the tekton controller pods + # jenkinscontroller.nodeSelector -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) applied to the jenkins controller pods nodeSelector: {} - # jenkinscontroller.affinity -- [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) applied to the tekton controller pods + # jenkinscontroller.affinity -- [Affinity rules](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) 
applied to the jenkins controller pods affinity: {} - # jenkinscontroller.tolerations -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the tekton controller pods + # jenkinscontroller.tolerations -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the jenkins controller pods tolerations: [] + # jenkinscontroller.securityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the jenkins controller pods + securityContext: {} + + # jenkinscontroller.containerSecurityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the jenkins controller containers + containerSecurityContext: {} + resources: - # jenkinscontroller.resources.limits -- Resource limits applied to the tekton controller pods + # jenkinscontroller.resources.limits -- Resource limits applied to the jenkins controller pods limits: cpu: 100m memory: 256Mi - # jenkinscontroller.resources.requests -- Resource requests applied to the tekton controller pods + # jenkinscontroller.resources.requests -- Resource requests applied to the jenkins controller pods requests: cpu: 80m memory: 128Mi - # jenkinscontroller.service -- Service settings for the tekton controller + # jenkinscontroller.service -- Service settings for the jenkins controller service: annotations: {} keeper: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # keeper.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # keeper.statusContextLabel -- Label used to report status to git provider 
@@ -446,8 +470,14 @@ keeper: # keeper.tolerations -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) applied to the keeper pods tolerations: [] + # keeper.securityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the keeper pods + securityContext: {} + + # keeper.containerSecurityContext -- [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) applied to the keeper containers + containerSecurityContext: {} + poller: - # logLevel -- The logging level: trace, debug, info, warn, error, fatal + # poller.logLevel -- The logging level: trace, debug, info, warn, error, panic, fatal logLevel: "info" # poller.enabled -- Whether to enable or disable the poller component
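Review bot: The `poller` section that begins right after the new keeper `securityContext`/`containerSecurityContext` keys receives neither knob, and `gcJobs` (whose hunk only renames the logLevel comment) is left out as well; no poller or gc-jobs template change appears in this diff and the regenerated README rows for both components show no securityContext entries. Every other workload in the chart gains the two keys here, so an operator trying to harden the release uniformly (for example under the Restricted Pod Security Standard) would be unable to cover the poller pods or the garbage-collection CronJob. Add `# poller.securityContext -- …` / `securityContext: {}` and `# poller.containerSecurityContext -- …` / `containerSecurityContext: {}` under `poller` (and the equivalent under `gcJobs`) and wire them into the corresponding templates.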