diff --git a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml
index 62c2272b..dedc68fa 100644
--- a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml
+++ b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml
@@ -10,11 +10,20 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.from }} + from: +{{ toYaml .Values.streamnative_console.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.to }} + to: +{{ toYaml .Values.streamnative_console.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "7750" - "9527" + {{- end }} action: ALLOW selector: matchLabels:
diff --git a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
index 4f6c8640..69ca9348 100644
--- a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
+++ b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
@@ -107,7 +107,7 @@ spec: failureThreshold: {{ .Values.streamnative_console.probe.startup.failureThreshold }} {{- end }} workingDir: "/pulsar-manager/console" - command: ["/pulsar-manager/entrypoint.sh"] + command: ["/bin/sh", "-c"] args: - | if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID" ]; then 
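Review bot: The two `{{- if }}` guards make `from` and `to` independent, so a values file that sets `authorizationPolicy.to` without `from` renders an `action: ALLOW` rule with no source constraint (an Istio rule without `from` matches any source), while one that sets only `from` keeps the hard-coded ports; nothing in the template says so. A comment above the first guard, `# "from" and "to" are optional and independent; an ALLOW rule rendered without "from" admits any source`, would make that widening visible to whoever edits values. The guards also dereference `.authorizationPolicy.from` directly, which renders fine for the `{}` default but fails with a nil-pointer error if a values file sets `authorizationPolicy: null` on a Helm build whose template `and` does not short-circuit; binding `{{- $ap := .Values.streamnative_console.authorizationPolicy | default dict }}` once and testing `$ap.from` / `$ap.to` avoids that. The same hunk appears in charts/sn-platform/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml.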
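Review bot: The switch from the image entrypoint to `command: ["/bin/sh", "-c"]` is not explained in the template, and the reason (the block script under `args` exports the contents of mounted secret files into the environment before the entrypoint runs) is only recoverable by reading to the end of that script, which continues outside this hunk. A comment on the line, `command: ["/bin/sh", "-c"]  # the args script below exports mounted secrets as env vars, then starts entrypoint.sh`, would document it where the reader looks first. The same change is made in the sn-platform statefulset at `@@ -107,9 +107,51`.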
@@ -134,6 +134,7 @@ spec: if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN) fi + /pulsar-manager/entrypoint.sh env: - name: SPRING_CONFIGURATION_FILE value: /pulsar-manager/pulsar-manager/application.properties
@@ -256,6 +257,16 @@ spec: volumeMounts: - name: streamnative-console-data mountPath: /data + {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }} + - name: tmp-storage + mountPath: /tmp + - name: run-postgresql-tmpfs + mountPath: /run/postgresql + - name: pulsar-manager-conf + mountPath: /pulsar-manager/pulsar-manager + - name: psql + mountPath: /pulsar-manager/psql + {{- end }} {{- if .Values.streamnative_console.login.sso.pulsarJwt.enabled }} - mountPath: /pulsar-manager/keys name: token-keys
@@ -291,6 +302,21 @@ spec: resources: {{ toYaml .Values.streamnative_console.resources | indent 12 }} {{- end }} + {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-logs + mountPath: /var/log/nginx + - name: nginx-tmp + mountPath: /var/lib/nginx/tmp + - name: nginx-run + mountPath: /run + - name: nginx-lib-log + mountPath: /var/lib/nginx/logs + - name: tmp-storage + mountPath: /tmp + {{- end }} {{- if .Values.streamnative_console.probe.readiness.enabled }} readinessProbe: httpGet: 
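Review bot: `/pulsar-manager/entrypoint.sh` is started as a child of the `sh -c` wrapper rather than replacing it, so PID 1 in the container is the shell; on pod termination SIGTERM is delivered to `sh`, which does not forward it to the child, and the console is only stopped when the grace period expires and the kubelet sends SIGKILL (unless the image's `sh` happens to exec the last command of a `-c` script, which cannot be assumed). Ending the script with `exec /pulsar-manager/entrypoint.sh` hands PID 1 to the entrypoint and keeps every variable exported above it. The same line is added to the sn-platform statefulset at `@@ -134,6 +176,7`. The script this line closes begins before the hunk.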
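Review bot: With `readOnlyRootFilesystem` enabled an `emptyDir` is mounted at `/pulsar-manager/pulsar-manager`, which hides whatever the image ships in that directory — including `/pulsar-manager/pulsar-manager/application.properties`, the file `SPRING_CONFIGURATION_FILE` points to in this hunk's context lines. Unless entrypoint.sh regenerates that directory at start the backend comes up without its configuration; if it does regenerate it, a comment on the mount such as `# emptyDir: entrypoint.sh rewrites application.properties here at startup` saves the next reader the investigation, and the same question applies to `/pulsar-manager/psql`. The nginx container gets the same treatment for `/etc/nginx/conf.d` in `@@ -291,6 +302,21`, and the sn-platform statefulset repeats both blocks (`@@ -262,6 +305,21`, `@@ -297,6 +355,21`).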
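Review bot: `tmp-storage` is the same `emptyDir` the console container already mounts at `/tmp`, so the two containers now share one writable `/tmp` and anything either process drops there is readable by the other, which works against the isolation this hardening is meant to add. A per-container volume, `- name: nginx-tmp-storage` backed by its own `emptyDir: {}` and mounted here instead, keeps them separate. The block also introduces a `volumeMounts:` key for this container; if the container already declares `volumeMounts` outside the hunk, the rendered manifest has a duplicate key that the YAML parser resolves silently to one of the two lists. The nginx section of the sn-platform statefulset (`@@ -297,6 +355,21`) has the same sharing.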
@@ -329,6 +355,28 @@ spec: - name: backend containerPort: {{ .Values.streamnative_console.ports.backend }} volumes: + {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }} + - name: tmp-storage + emptyDir: {} + - name: run-postgresql-tmpfs + emptyDir: + medium: Memory + - name: nginx-conf + emptyDir: {} + - name: nginx-logs + emptyDir: {} + - name: nginx-tmp + emptyDir: {} + - name: nginx-run + emptyDir: + medium: Memory + - name: pulsar-manager-conf + emptyDir: {} + - name: nginx-lib-log + emptyDir: {} + - name: psql + emptyDir: {} + {{- end }} {{- if not (and .Values.volumes.persistence .Values.streamnative_console.volumes.persistence) }} - name: streamnative-console-data emptyDir: {}
diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
index dd72863f..1c2e4be0 100644
--- a/charts/sn-platform-slim/values.yaml
+++ b/charts/sn-platform-slim/values.yaml
@@ -177,7 +177,7 @@ images: pullPolicy: IfNotPresent streamnative_console: repository: docker-proxy.streamnative.io/streamnative/private-cloud-console - tag: "v2.3.21" + tag: "v2.3.23" pullPolicy: IfNotPresent hasCommand: false node_exporter:
@@ -2193,12 +2193,22 @@ streamnative_console: # type: pd-standard # fsType: xfs # provisioner: kubernetes.io/gce-pd - containerSecurityContext: {} + containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: + - "ALL" securityContext: runAsNonRoot: true runAsGroup: 1000 fsGroup: 1000 runAsUser: 1000 + authorizationPolicy: {} ## Cloud Console service ## templates/streamnative-console-service.yaml 
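Review bot: `run-postgresql-tmpfs` and `nginx-run` use `medium: Memory` with no `sizeLimit`, so each tmpfs is bounded only by node memory and everything written to it is charged to the container's memory limit; a runaway write fills the container's cgroup rather than a volume. Adding `sizeLimit` to both (for example `sizeLimit: 64Mi` — a constructed value, size it for the workload) and to the disk-backed log volumes `nginx-logs` and `nginx-lib-log` bounds the damage of a log flood. A one-line comment on the `{{- if }}` stating that these volumes exist only to give a read-only root filesystem its writable paths would also help, since the condition alone does not say why nine emptyDirs appear. The identical block is added to the sn-platform statefulset at `@@ -335,6 +408,28`.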
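Review bot: The hardened `containerSecurityContext` drops all capabilities and makes the root filesystem read-only but sets no seccomp profile, so the container still runs with the runtime's unconfined syscall set; adding `seccompProfile:` with `type: RuntimeDefault` beside `allowPrivilegeEscalation: false` completes the Pod Security "restricted" profile this block otherwise satisfies. `authorizationPolicy: {}` is added without the `##` comment the surrounding stanzas carry; a comment saying that `from` and `to` are rendered verbatim into the Istio AuthorizationPolicy rule in templates/streamnative-console/streamnative-console-authorizationpolicy.yaml, and that omitting `to` keeps the built-in ports 7750 and 9527, would tell users what shape is expected. Turning `readOnlyRootFilesystem: true` on by default also changes behaviour for existing installs and deserves a sentence in the same comment. The same hunk appears in charts/sn-platform/values.yaml at `@@ -2283,12 +2283,22`.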
diff --git a/charts/sn-platform/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml b/charts/sn-platform/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml
index 62c2272b..dedc68fa 100644
--- a/charts/sn-platform/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml
+++ b/charts/sn-platform/templates/streamnative-console/streamnative-console-authorizationpolicy.yaml
@@ -10,11 +10,20 @@ metadata: namespace: {{ template "pulsar.namespace" . }} spec: rules: - - to: + - {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.from }} + from: +{{ toYaml .Values.streamnative_console.authorizationPolicy.from | indent 4 }} + {{- end }} + {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.to }} + to: +{{ toYaml .Values.streamnative_console.authorizationPolicy.to | indent 4 }} + {{- else }} + to: - operation: ports: - "7750" - "9527" + {{- end }} action: ALLOW selector: matchLabels:
diff --git a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
index 4aac7631..94cb6789 100644
--- a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
+++ b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml 
@@ -107,9 +107,51 @@ spec: failureThreshold: {{ .Values.streamnative_console.probe.startup.failureThreshold }} {{- end }} workingDir: "/pulsar-manager/console" - command: ["/pulsar-manager/entrypoint.sh"] + command: ["/bin/sh", "-c"] args: - | + if [ -f "/pulsar-manager/secrets/vault/PROXY_brokerClientAuthenticationParameters" ]; then + export PROXY_brokerClientAuthenticationParameters=$(cat /pulsar-manager/secrets/vault/PROXY_brokerClientAuthenticationParameters) + fi + if [ -f "/pulsar-manager/secrets/vault/PULSAR_PREFIX_OIDCTokenAudienceID" ]; then + export PULSAR_PREFIX_OIDCTokenAudienceID=$(cat /pulsar-manager/secrets/vault/PULSAR_PREFIX_OIDCTokenAudienceID) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_MOUNT_ACCESSOR" ]; then + export VAULT_APPROLE_MOUNT_ACCESSOR=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_MOUNT_ACCESSOR) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_ROLE_ID" ]; then + export VAULT_APPROLE_ROLE_ID=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_ROLE_ID) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_SECRET_ID" ]; then + export VAULT_APPROLE_SECRET_ID=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_SECRET_ID) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_NAME" ]; then + export VAULT_APPROLE_SUPER_NAME=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_NAME) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_TOKEN" ]; then + export VAULT_APPROLE_SUPER_TOKEN=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_TOKEN) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_HOST" ]; then + export VAULT_HOST=$(cat /pulsar-manager/secrets/vault/VAULT_HOST) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_SUPER_USER_NAME" ]; then + export VAULT_SUPER_USER_NAME=$(cat /pulsar-manager/secrets/vault/VAULT_SUPER_USER_NAME) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_SUPER_USER_PASSWORD" ]; then + export VAULT_SUPER_USER_PASSWORD=$(cat 
/pulsar-manager/secrets/vault/VAULT_SUPER_USER_PASSWORD) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_USERPASS_MOUNT_ACCESSOR" ]; then + export VAULT_USERPASS_MOUNT_ACCESSOR=$(cat /pulsar-manager/secrets/vault/VAULT_USERPASS_MOUNT_ACCESSOR) + fi + if [ -f "/pulsar-manager/secrets/vault/VAULT_USERPASS_SUPER_NAME" ]; then + export VAULT_USERPASS_SUPER_NAME=$(cat /pulsar-manager/secrets/vault/VAULT_USERPASS_SUPER_NAME) + fi + if [ -f "/pulsar-manager/secrets/vault/AULT_SUPER_USER_TOKEN" ]; then + export AULT_SUPER_USER_TOKEN=$(cat /pulsar-manager/secrets/vault/AULT_SUPER_USER_TOKEN) + fi + if [ -f "/pulsar-manager/secrets/vault/brokerClientAuthenticationParameters" ]; then + export brokerClientAuthenticationParameters=$(cat /pulsar-manager/secrets/vault/brokerClientAuthenticationParameters) + fi if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID" ]; then export GOOGLE_CLIENT_ID=$(cat /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID) fi
@@ -134,6 +176,7 @@ spec: if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN) fi + /pulsar-manager/entrypoint.sh env: - name: SPRING_CONFIGURATION_FILE value: /pulsar-manager/pulsar-manager/application.properties
@@ -262,6 +305,21 @@ spec: volumeMounts: - name: streamnative-console-data mountPath: /data + {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }} + - name: tmp-storage + mountPath: /tmp + - name: run-postgresql-tmpfs + mountPath: /run/postgresql + - name: pulsar-manager-conf + mountPath: /pulsar-manager/pulsar-manager + - name: psql + mountPath: /pulsar-manager/psql + {{- end }} + {{- if .Values.auth.vault.enabled }} + - mountPath: /pulsar-manager/secrets/vault + name: vault-secret + readOnly: true + {{- end }} {{- if .Values.streamnative_console.login.sso.pulsarJwt.enabled }} - mountPath: /pulsar-manager/keys name: token-keys 
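Review bot: The block for `AULT_SUPER_USER_TOKEN` looks like a typo for `VAULT_SUPER_USER_TOKEN` — both the file name under `/pulsar-manager/secrets/vault/` and the exported variable lack the leading V, so unless the secret really carries a key by that name the token is silently never exported, and the `-f` guard means nothing reports it; if the key is intentional, a comment saying so would stop the next reader "fixing" it. The fourteen near-identical `if [ -f ... ]; then export ...; fi` blocks could be a single loop over the mount, `for f in /pulsar-manager/secrets/vault/*; do [ -f "$f" ] && export "$(basename "$f")=$(cat "$f")"; done`, which also removes the chance of this kind of copy slip, though it exports every key in the secret rather than the listed ones, so it is a deliberate trade. Each export also leaves the Vault credentials in the environment of every process the entrypoint spawns; where a consumer can read the mounted files directly (they are mounted `readOnly: true` in `@@ -262,6 +305,21`), that narrows exposure. The script continues outside this hunk.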
@@ -297,6 +355,21 @@ spec: resources: {{ toYaml .Values.streamnative_console.resources | indent 12 }} {{- end }} + {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }} + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-logs + mountPath: /var/log/nginx + - name: nginx-tmp + mountPath: /var/lib/nginx/tmp + - name: nginx-run + mountPath: /run + - name: nginx-lib-log + mountPath: /var/lib/nginx/logs + - name: tmp-storage + mountPath: /tmp + {{- end }} {{- if .Values.streamnative_console.probe.readiness.enabled }} readinessProbe: httpGet:
@@ -335,6 +408,28 @@ spec: - name: backend containerPort: {{ .Values.streamnative_console.ports.backend }} volumes: + {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }} + - name: tmp-storage + emptyDir: {} + - name: run-postgresql-tmpfs + emptyDir: + medium: Memory + - name: nginx-conf + emptyDir: {} + - name: nginx-logs + emptyDir: {} + - name: nginx-tmp + emptyDir: {} + - name: nginx-run + emptyDir: + medium: Memory + - name: pulsar-manager-conf + emptyDir: {} + - name: nginx-lib-log + emptyDir: {} + - name: psql + emptyDir: {} + {{- end }} {{- if not (and .Values.volumes.persistence .Values.streamnative_console.volumes.persistence) }} - name: streamnative-console-data emptyDir: {}
@@ -364,6 +459,12 @@ spec: secretName: {{ .Values.streamnative_console.login.sso.pulsarJwt.config.JWT_BROKER_SECRET_KEY }} {{- end }} {{- end }} + {{- if .Values.auth.vault.enabled }} + - name: vault-secret + secret: + secretName: {{ template "pulsar.vault-secret-key-name" . }} + defaultMode: 440 + {{- end }} {{- if .Values.streamnative_console.login.sso.google.enabled }} - name: google-oauth2-secret secret:
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
index 6ecf89f3..008be1b0 100644 
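Review bot: `defaultMode: 440` is a decimal integer, which the API applies as mode 0670 (owner rw, group rwx, other none), not the 0440 the digits suggest; with `fsGroup: 1000` from values.yaml putting the group on the files, the Vault credentials end up group-executable and wider than a read-only secret mount should be. Write `defaultMode: 0440` (the YAML 1.1 parser Helm uses reads the leading zero as octal, i.e. 288) or the unambiguous decimal `288`, and put the intended octal in a trailing comment so the next edit does not repeat the slip. The mount is `readOnly: true` in `@@ -262,6 +305,21`, so the write bit cannot be used, but the mode should still say what it means.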
--- a/charts/sn-platform/values.yaml
+++ b/charts/sn-platform/values.yaml
@@ -204,7 +204,7 @@ images: pullPolicy: IfNotPresent streamnative_console: repository: docker-proxy.streamnative.io/streamnative/private-cloud-console - tag: "v2.3.21" + tag: "v2.3.23" pullPolicy: IfNotPresent hasCommand: false node_exporter:
@@ -2283,12 +2283,22 @@ streamnative_console: # type: pd-standard # fsType: xfs # provisioner: kubernetes.io/gce-pd - containerSecurityContext: {} + containerSecurityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: + - "ALL" securityContext: runAsNonRoot: true runAsGroup: 1000 fsGroup: 1000 runAsUser: 1000 + authorizationPolicy: {} ## Cloud Console service ## templates/streamnative-console-service.yaml