Fix security policy in init container (#159)
* Fix security policy

Signed-off-by: Siri Chongasamethaworn <[email protected]>

* trim trailing space

Signed-off-by: Siri Chongasamethaworn <[email protected]>

---------

Signed-off-by: Siri Chongasamethaworn <[email protected]>
KongZ authored Apr 29, 2024
1 parent ecc1084 commit 1e7274b
Showing 3 changed files with 26 additions and 22 deletions.
4 changes: 2 additions & 2 deletions charts/graylog/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: graylog
home: https://www.graylog.org
version: 2.3.6
appVersion: 5.0.3
version: 2.3.7
appVersion: 5.2.6
description: Graylog is the centralized log management solution built to open
standards for capturing, storing, and enabling real-time analysis of terabytes
of machine data.
7 changes: 3 additions & 4 deletions charts/graylog/templates/statefulset.yaml
@@ -77,16 +77,15 @@ spec:
{{- if .Values.graylog.init.kubectlLocation }}
wget {{ .Values.graylog.init.kubectlLocation }} -O /k8s/kubectl
{{- else }}
wget https://storage.googleapis.com/kubernetes-release/release/{{ .Values.graylog.init.kubectlVersion | default .Capabilities.KubeVersion.Version }}/bin/linux/amd64/kubectl -O /k8s/kubectl
{{.Capabilities.KubeVersion}}
wget https://dl.k8s.io/release/{{ .Values.graylog.init.kubectlVersion | default (regexReplaceAll "-.+" .Capabilities.KubeVersion.Version "") }}/bin/linux/amd64/kubectl -O /k8s/kubectl
{{- end }}
chmod +x /k8s/kubectl

GRAYLOG_HOME=/usr/share/graylog
chown -R 1100:1100 ${GRAYLOG_HOME}/data/
{{- if .Values.graylog.securityContext }}
securityContext:
{{- toYaml .Values.graylog.securityContext | nindent 12 }}
{{- end }}
runAsUser: 0 # We require permission to change the volume owner
env:
{{- range $key, $value := .Values.graylog.init.env }}
- name: {{ $key }}
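Review bot: With `runAsUser: 0` now fixed on the init container, the `kubectl` binary fetched by `wget` a few lines above is made executable under root with no integrity check in the visible lines. For the default dl.k8s.io URL the release publishes a digest beside the binary, so the script could also fetch `.../bin/linux/amd64/kubectl.sha256` and run `echo "$(cat /k8s/kubectl.sha256)  /k8s/kubectl" | sha256sum -c - || exit 1` before `chmod +x`; a same-origin digest catches corrupted or truncated downloads, while a digest supplied through chart values would be needed for the `kubectlLocation` branch. Because the conditional `.Values.graylog.securityContext` block appears to have been dropped here (the sides are inferred from the 3-addition/4-deletion count), it is worth setting `allowPrivilegeEscalation: false` next to `runAsUser: 0` so root is the only elevation this container gets. The bare `{{.Capabilities.KubeVersion}}` line ahead of the new `wget` also looks like leftover debugging that would render as a stray command in the script. The container spec begins and ends outside this hunk.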
37 changes: 21 additions & 16 deletions charts/graylog/values.yaml
@@ -55,7 +55,7 @@ graylog:
##
image:
repository: "graylog/graylog"
tag: "5.0.3"
tag: "5.2.6"
pullPolicy: "IfNotPresent"

## Graylog default Java option
@@ -220,19 +220,30 @@ graylog:
##
type: ClusterIP

## Override startupProbe config (path not allowed).
## In a typical Graylog deployment, it can take up to 60 seconds for OpenSearch and MongoDB to become fully available.
## This wait time can be reduced if your system has faster startup times.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
##
startupProbe:
periodSeconds: 60
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 5

## Override livenessProbe config (path not allowed)
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
##
livenessProbe:
initialDelaySeconds: 0
periodSeconds: 30
failureThreshold: 3
successThreshold: 1
timeoutSeconds: 5

## Override readinessProbe config (path not allowed)
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
##
readinessProbe:
initialDelaySeconds: 0
periodSeconds: 10
@@ -491,10 +502,10 @@ graylog:
repository: "alpine"
pullPolicy: "IfNotPresent"

## Set kubectl location to download and use on init-container. If the value is not set, the https://storage.googleapis.com/kubernetes-release/ will be used.
## Set kubectl location to download and use on init-container. If the value is not set, the https://dl.k8s.io/release/ will be used.
##
kubectlLocation: ""
## Set kubectl command version to download from https://storage.googleapis.com/kubernetes-release/. If the value is not set, default value is .Capabilities.KubeVersion.Version
## Set kubectl command version to download from https://dl.k8s.io/release/. If the value is not set, default value is .Capabilities.KubeVersion.Version
##
# kubectlVersion: "v1.20"

@@ -586,21 +597,15 @@ opensearch:
value: "false"
- name: plugins.security.disabled
value: "true"
# - name: OPENSEARCH_JAVA_OPTS
# value: "-Xms512m -Xmx512m"

# - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
# - "discovery.seed_hosts=opensearch2,opensearch3"
# - "cluster.initial_master_nodes=opensearch1,opensearch2,opensearch3"
# - "bootstrap.memory_lock=true"
# - "action.auto_create_index=false"
# resources:
# requests:
# cpu: "100m"
# memory: "512M"
## Set default resource very low. This help reduce resources usage on GitHub Action when performing chart-testing.
opensearchJavaOpts: "-Xmx128M -Xms128M"
resources:
requests:
cpu: "100m"
memory: "100Mi"
# limits:
# cpu: "1000m"
# memory: "512M"
# memory: "512Mi"
# volumeClaimTemplate:
# resources:
# requests:
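Review bot: In the init hunk, the rewritten `kubectlVersion` comment still gives the default as `.Capabilities.KubeVersion.Version`, but the statefulset template in this commit now removes everything from the first `-` onward (`regexReplaceAll "-.+"`), so the documented default no longer matches the version that is downloaded. Suggested wording: `## Set kubectl command version to download from https://dl.k8s.io/release/. If the value is not set, .Capabilities.KubeVersion.Version is used with any "-suffix" removed.` The `kubectlLocation` comment should also say that the file at that URL is downloaded and executed by an init container running as root, so it should be an https URL the operator controls.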