From c56d0085fb3304fcc49f5056fd5d5270c1983891 Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 16 Jun 2025 13:25:46 -0400
Subject: [PATCH 1/7] Support for running with pod security standards in restricted mode and do not automount service accounts
---
 charts/questdb/templates/serviceaccount.yaml | 1 +
 charts/questdb/templates/statefulset.yaml | 11 ++++++++++
 charts/questdb/values.yaml | 22 ++++++++++++++++++--
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/charts/questdb/templates/serviceaccount.yaml b/charts/questdb/templates/serviceaccount.yaml
index 4b3b0c6..cffb1d7 100644
--- a/charts/questdb/templates/serviceaccount.yaml
+++ b/charts/questdb/templates/serviceaccount.yaml
@@ -1,6 +1,7 @@ {{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata: name: {{ include "questdb.serviceAccountName" . }} {{- if .Values.serviceAccount.labels }}
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index a3956c6..2e58d9b 100644
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
@@ -33,6 +33,7 @@ spec: {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ include "questdb.serviceAccountName" . }} {{- end }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 containers: - name: {{ .Chart.Name }} securityContext:
@@ -49,6 +50,10 @@ spec: {{ toYaml .Values.questdb.envFrom | nindent 10 }} {{- end }} volumeMounts:
+ - name: tmpfs-tmp mountPath: /tmp
+ - name: tmpfs-questdb mountPath: /var/lib/questdb
 - name: {{ include "questdb.fullname" . }} mountPath: {{ .Values.questdb.dataDir }}/db subPath: db/
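Review bot: The new `tmpfs-questdb` emptyDir is mounted at a hard-coded `/var/lib/questdb` while the data mount three lines below derives its path from `{{ .Values.questdb.dataDir }}`; if the two paths coincide (not visible here) the emptyDir hides everything the image ships under that directory except what other mounts put back, and if they differ the writable scratch space is not where QuestDB writes. Scope the mount to the directories that actually need to be writable and build it from the same value, e.g. `mountPath: {{ .Values.questdb.dataDir }}/import`. The last patch in this series narrows these mounts; squashing it into this commit would keep every intermediate commit deployable. The `volumeMounts` list continues past the end of the hunk.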
@@ -103,6 +108,8 @@ spec: - name: init-db-migration image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}" command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"]
+ securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
 volumeMounts: - name: {{ include "questdb.fullname" . }} mountPath: /mnt/questdb
@@ -128,6 +135,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes:
+ - name: tmpfs-tmp emptyDir: {}
+ - name: tmpfs-questdb emptyDir: {}
 {{- if .Values.questdb.serverConfig.enabled }} - name: server-config {{- if eq .Values.questdb.configStorageType "Secret" }}
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index e340e4b..89f3657 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
@@ -8,8 +8,24 @@ nameOverride: "" fullnameOverride: "" podAnnotations: {}
-podSecurityContext: {}
-securityContext: {}
+podSecurityContext: fsGroup: 10001 seccompProfile: type: RuntimeDefault
+
+securityContext: readOnlyRootFilesystem: true capabilities: drop: - ALL runAsNonRoot: true runAsUser: 10001 runAsGroup: 10001 privileged: false allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault
+
 extraVolumes: [] extraVolumeMounts: [] extraLabels: {}
@@ -94,6 +110,7 @@ livenessProbe: {} # successThreshold: 1 # timeoutSeconds: 2
+automountServiceAccountToken: false
 metrics: enabled: true
@@ -106,6 +123,7 @@ serviceAccount: create: false labels: {} annotations: {}
+ automountServiceAccountToken: false
 # if create is set to "true", you can specify the name of that service account below # if create is set to "false", you can use this to reference an existing service account for the StatefulSet pod
From 50180424789b56b98fc89e72626dda8787bea070 Mon Sep 17 00:00:00 2001
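Review bot: The init container now takes the same `securityContext` as the server, so it gets `readOnlyRootFilesystem: true` and UID 10001, but unlike the main container it is given no writable `/tmp`; if `migrate_to_helm_v1.sh` writes anywhere outside `/mnt/questdb` (the script is not visible here) it will fail with a read-only filesystem error. Reusing the scratch volume the pod already defines covers that: `- name: tmpfs-tmp` / `mountPath: /tmp` under this container's `volumeMounts`. Data on the PVC written by an earlier release that ran as root may also not be writable by UID 10001 on volume types where `fsGroup` ownership changes are not applied, which belongs in the upgrade notes.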
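Review bot: Both `emptyDir: {}` volumes are unbounded, and the one backing `/var/lib/questdb` is presumably where imports and other server scratch data land (the last patch names an `import` subdirectory), so a single large CSV upload can fill the node's ephemeral storage; nothing in this hunk or the values sets an `ephemeral-storage` limit that would have the kubelet evict this pod first. Give each volume a cap sized for the expected import volume, e.g. `emptyDir:` / `sizeLimit: 1Gi`, and mention in values.yaml that the cap needs raising for bulk imports. Keep the default medium rather than `Memory` unless the data is known to fit in RAM, since a memory-backed emptyDir counts against the container's memory limit.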
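Review bot: Making `fsGroup: 10001` the default changes the upgrade path for existing installs: on the next start the kubelet recursively re-owns the data PVC to that group, which on a large database can delay startup noticeably, and some volume types ignore it entirely. Add `fsGroupChangePolicy: OnRootMismatch` beside `fsGroup` so the recursive walk happens only when the root directory's ownership is wrong, and document that `10001` has to match the UID/GID the QuestDB image runs as, which the chart cannot verify. `seccompProfile` is set at both pod and container level; the pod-level value is inherited, so the container copy is redundant but harmless.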
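Review bot: The new top-level `automountServiceAccountToken: false` has no comment and sits directly under the commented-out probe settings, so it reads as part of them; a line above it should say what it controls, e.g. `# Rendered into the pod spec, where it overrides the ServiceAccount's own setting; QuestDB never needs API-server credentials.`. Since the template emits the value unquoted, note that only `true` or `false` are valid here.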
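Review bot: `serviceAccount.automountServiceAccountToken` only has an effect when `serviceAccount.create` is true, because the ServiceAccount template is wrapped in `{{- if .Values.serviceAccount.create }}`; when an existing account is referenced by `name` the value is silently ignored. A comment should say so, e.g. `# Applies only to the ServiceAccount this chart creates; the top-level automountServiceAccountToken governs the pod either way.`.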
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 16 Jun 2025 19:42:31 -0400
Subject: [PATCH 2/7] Add OpenShift detection and automatic adjustments to pod security
---
 charts/questdb/templates/_helpers.tpl | 42 +++++++++++++++++++++++
 charts/questdb/templates/statefulset.yaml | 6 ++--
 charts/questdb/values.yaml | 5 +++
 3 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/charts/questdb/templates/_helpers.tpl b/charts/questdb/templates/_helpers.tpl
index 85d5aed..267f979 100644
--- a/charts/questdb/templates/_helpers.tpl
+++ b/charts/questdb/templates/_helpers.tpl
@@ -79,3 +79,45 @@ Generate log.conf file content {{ $key }} = {{ $value }} {{- end }} {{- end }}
+
+{{/*
+Build openshift detection
+*/}}
+{{- define "isOpenshiftEnabled" -}}
+{{- $openshiftEnabledString := (.Values.openshift).enabled | toString -}}
+{{- if eq $openshiftEnabledString "true" -}}
+true
+{{- else if and (eq $openshiftEnabledString "detect") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+true
+{{- end }}
+{{- end }}
+
+{{/*
+Build securityContext
+*/}}
+{{- define "generateSecurityContext" -}}
+{{- $context := .Values.securityContext -}}
+{{- if $context -}}
+{{- if (include "isOpenshiftEnabled" .) -}}
+{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
+{{- end -}}
+{{- else -}}
+{{ $context = dict -}}
+{{- end -}}
+{{ $context | toYaml }}
+{{- end }}
+
+{{/*
+Build podSecurityContext
+*/}}
+{{- define "generatePodSecurityContext" -}}
+{{- $context := .Values.podSecurityContext -}}
+{{- if $context -}}
+{{- if (include "isOpenshiftEnabled" .) -}}
+{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
+{{- end -}}
+{{- else -}}
+{{ $context = dict -}}
+{{- end -}}
+{{ $context | toYaml }}
+{{- end }}
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index 2e58d9b..0a77625 100644
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
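Review bot: `isOpenshiftEnabled` relies on `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which Helm only fills from a live API server; under `helm template`, in CI, or in GitOps tools that render offline, detection yields false, the rendered StatefulSet keeps `runAsUser`/`runAsGroup`/`fsGroup`, and what was reviewed is not what a restricted SCC would likely admit. Document that `detect` needs `--api-versions security.openshift.io/v1` (or `openshift.enabled: true`) in those pipelines. The `omit` also strips any explicit `runAsUser` an operator set to match a custom SCC, without warning; either omit only when the key still holds the chart default or call this out in values.yaml. Dropping `fsGroup` from the container-level context is a no-op, since it is not a container field.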
@@ -29,7 +29,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- include "generatePodSecurityContext" . | nindent 8 }}
 {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ include "questdb.serviceAccountName" . }} {{- end }}
@@ -37,7 +37,7 @@ spec: containers: - name: {{ .Chart.Name }} securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- include "generateSecurityContext" . | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env:
@@ -109,7 +109,7 @@ spec: image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}" command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"] securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- include "generateSecurityContext" . | nindent 12 }}
 volumeMounts: - name: {{ include "questdb.fullname" . }} mountPath: /mnt/questdb
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index 89f3657..a1d7d8a 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
@@ -139,3 +139,8 @@ dataMigration: memory: "256Mi" limits: memory: "1Gi"
+
+# openshift
+openshift:
+ enabled: detect
+
From 272fce944695f4cf20e93d0d19e2489d7b9a41db Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 16 Jun 2025 20:02:55 -0400
Subject: [PATCH 3/7] Add GitHub publish action
---
 .github/workflows/helm_release.yaml | 35 +++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/helm_release.yaml
diff --git a/.github/workflows/helm_release.yaml b/.github/workflows/helm_release.yaml
new file mode 100644
index 0000000..b0c48da
--- /dev/null
+++ b/.github/workflows/helm_release.yaml
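Review bot: `openshift.enabled: detect` is undocumented, so nothing tells an operator that the accepted values are `true`, `false` and `detect`, or that `detect` depends on API discovery that `helm template` does not perform. Replace the bare `# openshift` with something like `# true: drop runAsUser/runAsGroup/fsGroup so OpenShift SCCs assign them; false: keep them; detect: drop them when the cluster advertises security.openshift.io/v1 (needs a live cluster or --api-versions)`.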
@@ -0,0 +1,35 @@
+# from https://github.com/wkbrd/docker-registry.helm/blob/main/.github/workflows/helm_release.yaml
+# Apache 2 License
+
+name: Release Charts
+env:
+ HELM_VERSION_TO_INSTALL: 3.14.0
+ GCR_IMAGE: ghcr.io/${{ github.repository_owner }}
+
+on:
+ workflow_dispatch:
+
+jobs:
+ release:
+ permissions:
+ contents: write
+ packages: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: install helm
+ uses: Azure/setup-helm@v4.2.0
+ with:
+ # Version of helm
+ version: ${{ env.HELM_VERSION_TO_INSTALL }} # default is latest
+
+ - name: publish to oci registry
+ run: |
+ echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.repository_owner }} --password-stdin
+ helm package ${{ github.workspace }}/
+ package=`ls -t questdb-*.tgz | head -n 1`
+ helm push "${package}" oci://${{ env.GCR_IMAGE }}
From 4617621b6d7434551c13d192eec25506ba2949d4 Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 16 Jun 2025 20:07:42 -0400
Subject: [PATCH 4/7] Update helm_release.yaml
---
 .github/workflows/helm_release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm_release.yaml b/.github/workflows/helm_release.yaml
index b0c48da..b15cc78 100644
--- a/.github/workflows/helm_release.yaml
+++ b/.github/workflows/helm_release.yaml
@@ -30,6 +30,6 @@ jobs: - name: publish to oci registry run: | echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.repository_owner }} --password-stdin
- helm package ${{ github.workspace }}/
+ helm package ${{ github.workspace }}/charts/
 package=`ls -t questdb-*.tgz | head -n 1` helm push "${package}" oci://${{ env.GCR_IMAGE }}
From 1ec641700b6936de3ff49eb78572719845e8bb2e Mon Sep 17 00:00:00 2001
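Review bot: The `release` job asks for `contents: write` but only checks the repository out and pushes to GHCR, so `contents: read` with `packages: write` is the least privilege that still works; a write-capable `GITHUB_TOKEN` in a job that runs third-party actions is precisely what a compromised action would use to push to the repository. Both actions are referenced by mutable tags (`actions/checkout@v4`, `Azure/setup-helm@v4.2.0`); pin each `uses:` to a full commit SHA with the tag in a trailing comment so a retagged release cannot change what runs here. The token is also interpolated straight into the shell script via `${{ secrets.GITHUB_TOKEN }}`; pass it through `env:` and read the variable in the script so it never appears in the rendered step source. `ls -t questdb-*.tgz | head -n 1` publishes whatever tarball is newest in the workspace, which is fine on a clean runner but silently picks a stale package if one is already present.
```yaml
    permissions:
      contents: read
      packages: write
    # … unchanged: runs-on, checkout and setup-helm steps (pin each `uses:` to a commit SHA) …
      - name: publish to oci registry
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          printf '%s\n' "$REGISTRY_TOKEN" | helm registry login ghcr.io --username "${{ github.repository_owner }}" --password-stdin
          # … unchanged: helm package / helm push …
```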
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 16 Jun 2025 20:08:54 -0400
Subject: [PATCH 5/7] Update helm_release.yaml
---
 .github/workflows/helm_release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm_release.yaml b/.github/workflows/helm_release.yaml
index b15cc78..e911cdc 100644
--- a/.github/workflows/helm_release.yaml
+++ b/.github/workflows/helm_release.yaml
@@ -30,6 +30,6 @@ jobs: - name: publish to oci registry run: | echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.repository_owner }} --password-stdin
- helm package ${{ github.workspace }}/charts/
+ helm package ${{ github.workspace }}/charts/questdb/
 package=`ls -t questdb-*.tgz | head -n 1` helm push "${package}" oci://${{ env.GCR_IMAGE }}
From 35aff2b8c63e219efca10f597bb5669fe283f6b7 Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 16 Jun 2025 20:13:42 -0400
Subject: [PATCH 6/7] Update Chart.yaml Changed chart version
---
 charts/questdb/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/questdb/Chart.yaml b/charts/questdb/Chart.yaml
index 3220d2d..b60eadb 100644
--- a/charts/questdb/Chart.yaml
+++ b/charts/questdb/Chart.yaml
@@ -1,6 +1,6 @@ apiVersion: v2 name: questdb
-version: 1.0.7
+version: 1.0.8-alpha1
 appVersion: 8.3.3 description: Run QuestDB on Kubernetes via Helm icon: https://questdb.com/img/favicon.png
From 514c9542e159b9facd5da9f4b47b9cda6b15d5b6 Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Thu, 19 Jun 2025 07:43:36 -0400
Subject: [PATCH 7/7] Make mime.types able to be overridden. Make temporary volumes more scoped.
---
 charts/questdb/templates/_helpers.tpl | 9 ++++++++
 charts/questdb/templates/config.yaml | 7 +++++++
 charts/questdb/templates/statefulset.yaml | 25 ++++++++++++++++++++++---
 charts/questdb/values.yaml | 3 +++
 4 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/charts/questdb/templates/_helpers.tpl b/charts/questdb/templates/_helpers.tpl
index 267f979..48dba79 100644
--- a/charts/questdb/templates/_helpers.tpl
+++ b/charts/questdb/templates/_helpers.tpl
@@ -80,6 +80,15 @@ Generate log.conf file content {{- end }} {{- end }}
+{{/*
+Generate mime.types file content
+*/}}
+{{- define "generateMimeConfig" -}}
+{{- range $key, $value := index .Values.questdb.mimeConfig.options }}
+{{ $key }} {{ $value }}
+{{- end }}
+{{- end }}
+
 {{/* Build openshift detection */}}
diff --git a/charts/questdb/templates/config.yaml b/charts/questdb/templates/config.yaml
index e085861..4f4c856 100644
--- a/charts/questdb/templates/config.yaml
+++ b/charts/questdb/templates/config.yaml
@@ -18,6 +18,9 @@ data: {{- if .Values.questdb.loggingConfig.enabled }} log.conf: {{ include "generateLogConfig" . | b64enc -}} {{- end }}
+ {{- if .Values.questdb.mimeConfig.enabled }}
+ mime.types: {{ include "generateMimeConfig" . | b64enc -}}
+ {{- end }}
 {{- else }} data: {{- if .Values.questdb.serverConfig.enabled }}
@@ -28,5 +31,9 @@ data: log.conf: | {{- include "generateLogConfig" . | nindent 4 -}} {{- end }}
+ {{- if .Values.questdb.mimeConfig.enabled }}
+ mime.types: |
+ {{- include "generateMimeConfig" . | nindent 4 -}}
+ {{- end }}
 {{- end }} {{- end }}
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index 0a77625..bf21511 100644
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
@@ -52,8 +52,10 @@ spec: volumeMounts: - name: tmpfs-tmp mountPath: /tmp
- - name: tmpfs-questdb
- mountPath: /var/lib/questdb
+ - name: tmpfs-questdb-import
+ mountPath: /var/lib/questdb/import
+ - name: tmpfs-questdb-public
+ mountPath: /var/lib/questdb/public
 - name: {{ include "questdb.fullname" . }} mountPath: {{ .Values.questdb.dataDir }}/db subPath: db/
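Review bot: `generateMimeConfig` emits one `<key> <value>` line per entry, so with the default `options: {}` and `mimeConfig.enabled: true` the chart mounts an empty `conf/mime.types` over whatever the image provides there, which is unlikely to be what anyone wants; guard the call sites with `{{- if and .Values.questdb.mimeConfig.enabled .Values.questdb.mimeConfig.options }}` or state the consequence in values.yaml. `index .Values.questdb.mimeConfig.options` with a single argument is just the map, so `range $key, $value := .Values.questdb.mimeConfig.options` reads more directly. Keys and values are written verbatim, which is fine for chart-author input but means a value containing a newline becomes an extra line in the file.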
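Review bot: The two scratch mounts hard-code `/var/lib/questdb/import` and `/var/lib/questdb/public` while the data mount directly below derives its path from `{{ .Values.questdb.dataDir }}`; an operator who overrides `dataDir` still gets a read-only root filesystem but no writable `import/` or `public/` under the new root, so whatever the server writes there fails. Build them from the same value: `mountPath: {{ .Values.questdb.dataDir }}/import` and `mountPath: {{ .Values.questdb.dataDir }}/public`. The `volumeMounts` list continues outside the hunk.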
@@ -73,6 +75,11 @@ spec: mountPath: {{ .Values.questdb.dataDir }}/conf/log.conf subPath: log.conf {{- end }}
+ {{- if .Values.questdb.mimeConfig.enabled }}
+ - name: mime-config
+ mountPath: {{ .Values.questdb.dataDir }}/conf/mime.types
+ subPath: mime.types
+ {{- end }}
 {{- if .Values.extraVolumeMounts }} {{ toYaml .Values.extraVolumeMounts | nindent 10 }} {{- end }}
@@ -137,7 +144,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: - name: tmpfs-tmp emptyDir: {}
- - name: tmpfs-questdb
+ - name: tmpfs-questdb-import
+ emptyDir: {}
+ - name: tmpfs-questdb-public
 emptyDir: {} {{- if .Values.questdb.serverConfig.enabled }} - name: server-config
@@ -159,6 +168,16 @@ spec: name: {{ include "questdb.fullname" . }} {{- end }} {{- end }}
+ {{- if .Values.questdb.mimeConfig.enabled }}
+ - name: mime-config
+ {{- if eq .Values.questdb.configStorageType "Secret" }}
+ secret:
+ secretName: {{ include "questdb.fullname" . }}
+ {{- else }}
+ configMap:
+ name: {{ include "questdb.fullname" . }}
+ {{- end }}
+ {{- end }}
 - name: migration-scripts configMap: name: {{ include "questdb.fullname" . }}-db-migrations
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index a1d7d8a..d9db156 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
@@ -39,6 +39,9 @@ questdb: loggingConfig: enabled: false options: {}
+ mimeConfig:
+ enabled: false
+ options: {}
 # env supports key/value pairs that are added directly to the questdb statefulset's env env: {} # envFrom supports a list of sources that will be injected into the questdb statefulset's env
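Review bot: The `mime-config` mount uses `subPath`, matching the `log.conf` mount above it, and inherits its caveat: a `subPath` projection of a ConfigMap or Secret is not refreshed when the object changes, so an edit to `mimeConfig.options` only takes effect after a pod restart unless the pod template carries a checksum annotation of the config, which is not visible in this hunk. Say so in values.yaml next to `mimeConfig`, and add `readOnly: true` to the mount so the intent is explicit.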
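Review bot: `mimeConfig.options` has no comment describing its contents; the helper renders each entry as `<key> <value>` on its own line, so a reader has to open `_helpers.tpl` to learn that, in the usual `mime.types` layout, the key is the media type and the value its space-separated extensions. Add above it: `# Rendered into conf/mime.types as "<key> <value>" lines, e.g. text/csv: "csv"; enabling this replaces the file shipped in the image, so list every type you need.`. Keeping the value quoted avoids YAML retyping an extension list that happens to look like a number.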