streamnative · tuteng · Oct 23, 2025 · Oct 21, 2025 · Oct 22, 2025 · Oct 22, 2025
@@ -10,11 +10,20 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.streamnative_console.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.streamnative_console.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "7750"
         - "9527"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

@@ -107,7 +107,7 @@ spec:
             failureThreshold: {{ .Values.streamnative_console.probe.startup.failureThreshold }}
           {{- end }}
           workingDir: "/pulsar-manager/console"
-          command: ["/pulsar-manager/entrypoint.sh"]
+          command: ["/bin/sh", "-c"]
           args:
             - |
               if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID" ]; then
@@ -134,6 +134,7 @@ spec:
               if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
                 export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
               fi
+              /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
             value: /pulsar-manager/pulsar-manager/application.properties
@@ -256,6 +257,16 @@ spec:
           volumeMounts:
           - name: streamnative-console-data
             mountPath: /data
+          {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }}
+          - name: tmp-storage
+            mountPath: /tmp
+          - name: run-postgresql-tmpfs
+            mountPath: /run/postgresql
+          - name: pulsar-manager-conf
+            mountPath: /pulsar-manager/pulsar-manager
+          - name: psql
+            mountPath: /pulsar-manager/psql
+          {{- end }}
           {{- if .Values.streamnative_console.login.sso.pulsarJwt.enabled }}
           - mountPath: /pulsar-manager/keys
             name: token-keys
@@ -291,6 +302,21 @@ spec:
           resources:
 {{ toYaml .Values.streamnative_console.resources | indent 12 }}
           {{- end }}
+          {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }}
+          volumeMounts:
+          - name: nginx-conf
+            mountPath: /etc/nginx/conf.d
+          - name: nginx-logs
+            mountPath: /var/log/nginx
+          - name: nginx-tmp
+            mountPath: /var/lib/nginx/tmp
+          - name: nginx-run
+            mountPath: /run
+          - name: nginx-lib-log
+            mountPath: /var/lib/nginx/logs
+          - name: tmp-storage
+            mountPath: /tmp
+          {{- end }}
           {{- if .Values.streamnative_console.probe.readiness.enabled }}
           readinessProbe:
             httpGet:
@@ -329,6 +355,28 @@ spec:
           - name: backend
             containerPort: {{ .Values.streamnative_console.ports.backend }}
       volumes:
+      {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }}
+      - name: tmp-storage
+        emptyDir: {}
+      - name: run-postgresql-tmpfs
+        emptyDir:
+          medium: Memory
+      - name: nginx-conf
+        emptyDir: {}
+      - name: nginx-logs
+        emptyDir: {}
+      - name: nginx-tmp
+        emptyDir: {}
+      - name: nginx-run
+        emptyDir:
+          medium: Memory
+      - name: pulsar-manager-conf
+        emptyDir: {}
+      - name: nginx-lib-log
+        emptyDir: {}
+      - name: psql
+        emptyDir: {}
+      {{- end }}
       {{- if not (and .Values.volumes.persistence .Values.streamnative_console.volumes.persistence) }}
       - name: streamnative-console-data
         emptyDir: {}

@@ -177,7 +177,7 @@ images:
     pullPolicy: IfNotPresent
   streamnative_console:
     repository: docker-proxy.streamnative.io/streamnative/private-cloud-console
-    tag: "v2.3.21"
+    tag: "v2.3.23"
     pullPolicy: IfNotPresent
     hasCommand: false
   node_exporter:
@@ -2193,12 +2193,22 @@ streamnative_console:
         # type: pd-standard
         # fsType: xfs
         # provisioner: kubernetes.io/gce-pd
-  containerSecurityContext: {}
+  containerSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    capabilities:
+      drop:
+      - "ALL"
   securityContext:
     runAsNonRoot: true
     runAsGroup: 1000
     fsGroup: 1000
     runAsUser: 1000
+  authorizationPolicy: {}
 
   ## Cloud Console service
   ## templates/streamnative-console-service.yaml

@@ -10,11 +10,20 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.streamnative_console.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.streamnative_console.authorizationPolicy .Values.streamnative_console.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.streamnative_console.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "7750"
         - "9527"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

@@ -107,9 +107,51 @@ spec:
             failureThreshold: {{ .Values.streamnative_console.probe.startup.failureThreshold }}
           {{- end }}
           workingDir: "/pulsar-manager/console"
-          command: ["/pulsar-manager/entrypoint.sh"]
+          command: ["/bin/sh", "-c"]
           args:
             - |
+              if [ -f "/pulsar-manager/secrets/vault/PROXY_brokerClientAuthenticationParameters" ]; then
+                export PROXY_brokerClientAuthenticationParameters=$(cat /pulsar-manager/secrets/vault/PROXY_brokerClientAuthenticationParameters)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/PULSAR_PREFIX_OIDCTokenAudienceID" ]; then
+                export PULSAR_PREFIX_OIDCTokenAudienceID=$(cat /pulsar-manager/secrets/vault/PULSAR_PREFIX_OIDCTokenAudienceID)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_MOUNT_ACCESSOR" ]; then
+                export VAULT_APPROLE_MOUNT_ACCESSOR=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_MOUNT_ACCESSOR)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_ROLE_ID" ]; then
+                export VAULT_APPROLE_ROLE_ID=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_ROLE_ID)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_SECRET_ID" ]; then
+                export VAULT_APPROLE_SECRET_ID=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_SECRET_ID)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_NAME" ]; then
+                export VAULT_APPROLE_SUPER_NAME=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_NAME)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_TOKEN" ]; then
+                export VAULT_APPROLE_SUPER_TOKEN=$(cat /pulsar-manager/secrets/vault/VAULT_APPROLE_SUPER_TOKEN)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_HOST" ]; then
+                export VAULT_HOST=$(cat /pulsar-manager/secrets/vault/VAULT_HOST)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_SUPER_USER_NAME" ]; then
+                export VAULT_SUPER_USER_NAME=$(cat /pulsar-manager/secrets/vault/VAULT_SUPER_USER_NAME)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_SUPER_USER_PASSWORD" ]; then
+                export VAULT_SUPER_USER_PASSWORD=$(cat /pulsar-manager/secrets/vault/VAULT_SUPER_USER_PASSWORD)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_USERPASS_MOUNT_ACCESSOR" ]; then
+                export VAULT_USERPASS_MOUNT_ACCESSOR=$(cat /pulsar-manager/secrets/vault/VAULT_USERPASS_MOUNT_ACCESSOR)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/VAULT_USERPASS_SUPER_NAME" ]; then
+                export VAULT_USERPASS_SUPER_NAME=$(cat /pulsar-manager/secrets/vault/VAULT_USERPASS_SUPER_NAME)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/AULT_SUPER_USER_TOKEN" ]; then
+                export AULT_SUPER_USER_TOKEN=$(cat /pulsar-manager/secrets/vault/AULT_SUPER_USER_TOKEN)
+              fi
+              if [ -f "/pulsar-manager/secrets/vault/brokerClientAuthenticationParameters" ]; then
+                export brokerClientAuthenticationParameters=$(cat /pulsar-manager/secrets/vault/brokerClientAuthenticationParameters)
+              fi
               if [ -f "/pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID" ]; then
                 export GOOGLE_CLIENT_ID=$(cat /pulsar-manager/secrets/google-oauth2/GOOGLE_CLIENT_ID)
               fi
@@ -134,6 +176,7 @@ spec:
               if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
                 export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
               fi
+              /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
             value: /pulsar-manager/pulsar-manager/application.properties
@@ -262,6 +305,21 @@ spec:
           volumeMounts:
           - name: streamnative-console-data
             mountPath: /data
+          {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }}
+          - name: tmp-storage
+            mountPath: /tmp
+          - name: run-postgresql-tmpfs
+            mountPath: /run/postgresql
+          - name: pulsar-manager-conf
+            mountPath: /pulsar-manager/pulsar-manager
+          - name: psql
+            mountPath: /pulsar-manager/psql
+          {{- end }}
+          {{- if .Values.auth.vault.enabled }}
+          - mountPath: /pulsar-manager/secrets/vault
+            name: vault-secret
+            readOnly: true
+          {{- end }}
           {{- if .Values.streamnative_console.login.sso.pulsarJwt.enabled }}
           - mountPath: /pulsar-manager/keys
             name: token-keys
@@ -297,6 +355,21 @@ spec:
           resources:
 {{ toYaml .Values.streamnative_console.resources | indent 12 }}
           {{- end }}
+          {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }}
+          volumeMounts:
+          - name: nginx-conf
+            mountPath: /etc/nginx/conf.d
+          - name: nginx-logs
+            mountPath: /var/log/nginx
+          - name: nginx-tmp
+            mountPath: /var/lib/nginx/tmp
+          - name: nginx-run
+            mountPath: /run
+          - name: nginx-lib-log
+            mountPath: /var/lib/nginx/logs
+          - name: tmp-storage
+            mountPath: /tmp
+          {{- end }}
           {{- if .Values.streamnative_console.probe.readiness.enabled }}
           readinessProbe:
             httpGet:
@@ -335,6 +408,28 @@ spec:
           - name: backend
             containerPort: {{ .Values.streamnative_console.ports.backend }}
       volumes:
+      {{- if and .Values.streamnative_console.containerSecurityContext .Values.streamnative_console.containerSecurityContext.readOnlyRootFilesystem }}
+      - name: tmp-storage
+        emptyDir: {}
+      - name: run-postgresql-tmpfs
+        emptyDir:
+          medium: Memory
+      - name: nginx-conf
+        emptyDir: {}
+      - name: nginx-logs
+        emptyDir: {}
+      - name: nginx-tmp
+        emptyDir: {}
+      - name: nginx-run
+        emptyDir:
+          medium: Memory
+      - name: pulsar-manager-conf
+        emptyDir: {}
+      - name: nginx-lib-log
+        emptyDir: {}
+      - name: psql
+        emptyDir: {}
+      {{- end }}
       {{- if not (and .Values.volumes.persistence .Values.streamnative_console.volumes.persistence) }}
       - name: streamnative-console-data
         emptyDir: {}
@@ -364,6 +459,12 @@ spec:
           secretName: {{ .Values.streamnative_console.login.sso.pulsarJwt.config.JWT_BROKER_SECRET_KEY }}
           {{- end }}
       {{- end }}
+      {{- if .Values.auth.vault.enabled }}
+      - name: vault-secret
+        secret:
+          secretName: {{ template "pulsar.vault-secret-key-name" . }}
+          defaultMode: 440
+      {{- end }}
       {{- if .Values.streamnative_console.login.sso.google.enabled }}
       - name: google-oauth2-secret
         secret:

@@ -204,7 +204,7 @@ images:
     pullPolicy: IfNotPresent
   streamnative_console:
     repository: docker-proxy.streamnative.io/streamnative/private-cloud-console
-    tag: "v2.3.21"
+    tag: "v2.3.23"
     pullPolicy: IfNotPresent
     hasCommand: false
   node_exporter:
@@ -2283,12 +2283,22 @@ streamnative_console:
         # type: pd-standard
         # fsType: xfs
         # provisioner: kubernetes.io/gce-pd
-  containerSecurityContext: {}
+  containerSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    capabilities:
+      drop:
+      - "ALL"
   securityContext:
     runAsNonRoot: true
     runAsGroup: 1000
     fsGroup: 1000
     runAsUser: 1000
+  authorizationPolicy: {}
 
   ## Cloud Console service
   ## templates/streamnative-console-service.yaml