From 9f119d37e4a453a482094a387138e34dcce099e6 Mon Sep 17 00:00:00 2001
From: Corey Daley
Date: Mon, 10 Jun 2024 15:59:11 -0400
Subject: [PATCH] RHIDP-1690: Fix SNYK findings
---
 charts/backstage/Chart.yaml | 2 +-
 .../templates/tests/test-connection.yaml | 20 ++++++++
 charts/backstage/values.yaml | 46 +++++++++++++++++++
 3 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/charts/backstage/Chart.yaml b/charts/backstage/Chart.yaml
index 81431227..e579c9a1 100644
--- a/charts/backstage/Chart.yaml
+++ b/charts/backstage/Chart.yaml
@@ -45,4 +45,4 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.16.1
+version: 2.16.2
diff --git a/charts/backstage/templates/tests/test-connection.yaml b/charts/backstage/templates/tests/test-connection.yaml
index a382602e..5446fbd4 100644
--- a/charts/backstage/templates/tests/test-connection.yaml
+++ b/charts/backstage/templates/tests/test-connection.yaml
@@ -12,7 +12,27 @@ metadata:
 spec:
 containers:
 - name: curl
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ limits:
+ cpu: 10m
+ memory: 20Mi
+ livenessProbe:
+ exec:
+ command:
+ - command
+ - -v
+ - curl
 image: quay.io/curl/curl:latest
+ imagePullPolicy: IfNotPresent
 command: ["/bin/sh", "-c"]
 args:
 - |
diff --git a/charts/backstage/values.yaml b/charts/backstage/values.yaml
index 7d8c64c2..369bb779 100644
--- a/charts/backstage/values.yaml
+++ b/charts/backstage/values.yaml
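Review bot: The new livenessProbe on the `curl` container runs `command -v curl` as a bare exec, and `command` is a shell builtin rather than an executable, so the container runtime will most likely fail to find it and the probe will fail until the kubelet kills the container — on a one-shot helm test pod that can abort the test mid-run. Either route it through the shell the container already uses, `command: ["/bin/sh", "-c", "command -v curl"]`, or drop the probe, since a liveness check on a short-lived test container adds little. Separately, the added `imagePullPolicy: IfNotPresent` combined with the unpinned `quay.io/curl/curl:latest` tag on the context line above it means a node keeps running whatever `latest` it first cached, so the test image is neither reproducible nor refreshed; pinning a version tag or digest would address the image-hygiene finding more durably. The container's `args` block continues past the end of the hunk.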
@@ -61,6 +61,21 @@ upstream:
 auth:
 keys:
 - secret: ${BACKEND_SECRET}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: 250m
+ memory: 1Gi
+ limits:
+ cpu: 1000m
+ memory: 4Gi
 readinessProbe:
 failureThreshold: 3
 httpGet:
@@ -101,6 +116,8 @@ upstream:
 # The initContainer below will install dynamic plugins in this volume mount.
 - name: dynamic-plugins-root
 mountPath: /opt/app-root/src/dynamic-plugins-root
+ - name: diststatic
+ mountPath: /opt/app-root/src/packages/app/dist/static
 extraVolumes:
 # -- Ephemeral volume that will contain the dynamic plugins installed by the initContainer below at start.
 - name: dynamic-plugins-root
@@ -128,8 +145,27 @@ upstream:
 defaultMode: 420
 optional: true
 secretName: dynamic-plugins-npmrc
+ - name: npmcacache
+ emptyDir: {}
+ - name: diststatic
+ emptyDir: {}
 initContainers:
 - name: install-dynamic-plugins
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 200m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: "RuntimeDefault"
 # -- Image used by the initContainer to install dynamic plugins into the `dynamic-plugins-root` volume mount.
 # It could be replaced by a custom image based on this one.
 # @default -- `quay.io/janus-idp/backstage-showcase:latest`
@@ -152,6 +188,8 @@ upstream:
 name: dynamic-plugins-npmrc
 readOnly: true
 subPath: .npmrc
+ - mountPath: /opt/app-root/src/.npm/_cacache
+ name: npmcacache
 workingDir: /opt/app-root/src
 installDir: /opt/app-root/src
 podAnnotations:
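Review bot: `runAsNonRoot: true` is added to `containerSecurityContext` without a `runAsUser`, so enforcement depends entirely on the image: the kubelet can only verify a numeric `USER` in the image config, and if the image declares a named user (or none) the pod is rejected at start with a runAsNonRoot validation error — worth confirming against the showcase image on plain Kubernetes, where no SCC injects a UID for you. The same pattern recurs in the init container's `securityContext` added in the `@@ -128,8 +145,27 @@` hunk. `readOnlyRootFilesystem: true` on the main container also presumably relies on the `diststatic` emptyDir added elsewhere in this commit for runtime writes; a short comment such as `# -- Root filesystem is read-only; writable paths are provided by the extraVolumes below.` next to `containerSecurityContext` would stop the next person from removing one without the other. The enclosing `upstream` mapping starts before the hunk.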
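Review bot: The new `diststatic` mount places an empty volume over `/opt/app-root/src/packages/app/dist/static`, which hides whatever the image ships at that path; if the frontend's static bundle is built into the image rather than generated at start-up, the app would serve an empty directory — worth confirming before release. Unlike its sibling `dynamic-plugins-root`, the entry carries no helm-docs comment, so a reader cannot tell why an emptyDir sits over an in-image directory (presumably to give the container a writable location once its root filesystem is read-only); I'd add `# -- Writable emptyDir over packages/app/dist/static; needed because the container root filesystem is read-only.` above it. The `extraVolumeMounts` list this belongs to begins before the hunk.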
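Review bot: Both new volumes are declared as `emptyDir: {}` with no `sizeLimit`, so the npm cache and the static directory can grow until the node's ephemeral storage is exhausted and the kubelet has no per-pod bound to evict on; declaring `emptyDir:` with `sizeLimit: 1Gi` (an illustrative value — size it to the expected plugin download volume) keeps the blast radius inside the pod. Like `dynamic-plugins-root` just above them, these two volumes also deserve a `# --` helm-docs line each stating what writes into them, since their only consumer is the init container's mount added in the `@@ -152,6 +188,8 @@` hunk. The init container's own `securityContext` mirrors the main container's and looks consistent; the `initContainers` entry continues past the end of the hunk.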
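Review bot: The cache volume is mounted only at `/opt/app-root/src/.npm/_cacache`, but npm's default `logs-dir` is a `_logs` directory inside its cache directory, so with `readOnlyRootFilesystem: true` now set on this init container a failing install will also fail to write its debug log, hiding the real error from whoever debugs the pod. Mounting the emptyDir one level up, `mountPath: /opt/app-root/src/.npm`, covers both — assuming nothing else in the image lives under `.npm`, which is worth checking. This also assumes npm resolves its cache under `/opt/app-root/src`, as the `workingDir` context line suggests but the hunk does not prove. The `volumeMounts` list begins before the hunk.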
@@ -170,10 +208,18 @@ upstream:
 adminPasswordKey: postgres-password
 userPasswordKey: password
 primary:
+ # TODO: https://issues.redhat.com/browse/RHIDP-2645
 podSecurityContext:
 enabled: false
 containerSecurityContext:
 enabled: false
+ resources:
+ requests:
+ cpu: 256m
+ memory: 1Gi
+ limits:
+ cpu: 512m
+ memory: 2Gi
 persistence:
 enabled: true
 size: 1Gi
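Review bot: The TODO added above `podSecurityContext` gives only a ticket URL, so a reader of values.yaml cannot tell that the two `enabled: false` entries below it are the deliberately deferred hardening for the database pod; I'd make the comment say so, e.g. `# TODO: https://issues.redhat.com/browse/RHIDP-2645 - pod/container security contexts intentionally left disabled until resolved` (presuming that is what the ticket tracks). The new CPU values `256m` and `512m` are unusual millicore figures — binary-looking numbers in a decimal unit — and read as though `250m`/`500m` were intended; worth confirming they are deliberate. The enclosing `upstream` mapping begins before the hunk.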