35 changes: 35 additions & 0 deletions .github/workflows/helm_release.yaml
@@ -0,0 +1,35 @@
# from https://github.com/wkbrd/docker-registry.helm/blob/main/.github/workflows/helm_release.yaml
Contributor


Can you revert changes to this file? We'll update it as part of the release process

Author


Hi @sklarsa: Do you publish your chart to an OCI registry? If not, that is something this change would enable. Using an OCI registry standardizes how software is deployed and helps improve the tooling around a secure supply chain.

# Apache 2 License

name: Release Charts
env:
HELM_VERSION_TO_INSTALL: 3.14.0
GCR_IMAGE: ghcr.io/${{ github.repository_owner }}

on:
workflow_dispatch:

jobs:
release:
permissions:
contents: write
packages: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: install helm
uses: Azure/[email protected]
with:
# Version of helm
version: ${{ env.HELM_VERSION_TO_INSTALL }} # default is latest

- name: publish to oci registry
run: |
echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.repository_owner }} --password-stdin
helm package ${{ github.workspace }}/charts/questdb/
package=`ls -t questdb-*.tgz | head -n 1`
helm push "${package}" oci://${{ env.GCR_IMAGE }}
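Review bot: The `run:` block of the `publish to oci registry` step interpolates `${{ secrets.GITHUB_TOKEN }}` directly into the shell script, so the token is substituted into the generated script text before bash executes it; GitHub's guidance is to hand secrets to a step through `env:` and read them as quoted shell variables. Adding `env:` with `REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step and changing the first line to `echo "$REGISTRY_TOKEN" | helm registry login ghcr.io --username "${{ github.repository_owner }}" --password-stdin` keeps the secret out of the script body. The same step chooses the artifact with `ls -t questdb-*.tgz | head -n 1`, which picks whatever tarball is newest in the workspace rather than the one just built; `helm package` prints the path it wrote, so capturing that output (or packaging into an empty `--destination` directory) is more robust. Both actions are pinned by tag only (`actions/checkout@v4` and the `Azure/setup-helm` tag); pinning release-workflow actions to a full commit SHA is the usual supply-chain hardening.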
2 changes: 1 addition & 1 deletion charts/questdb/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: questdb
version: 1.0.11
version: 1.0.12-alpha1
appVersion: 9.0.3
description: Run QuestDB on Kubernetes via Helm
icon: https://questdb.com/img/favicon.png
51 changes: 51 additions & 0 deletions charts/questdb/templates/_helpers.tpl
Expand Up @@ -79,3 +79,54 @@ Generate log.conf file content
{{ $key }} = {{ $value }}
{{- end }}
{{- end }}

{{/*
Generate mime.types file content
*/}}
{{- define "generateMimeConfig" -}}
{{- range $key, $value := index .Values.questdb.mimeConfig.options }}
{{ $key }} {{ $value }}
{{- end }}
{{- end }}

{{/*
Build openshift detection
*/}}
{{- define "isOpenshiftEnabled" -}}
{{- $openshiftEnabledString := (.Values.openshift).enabled | toString -}}
{{- if eq $openshiftEnabledString "true" -}}
true
{{- else if and (eq $openshiftEnabledString "detect") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
true
{{- end }}
{{- end }}

{{/*
Build securityContext
*/}}
{{- define "generateSecurityContext" -}}
{{- $context := .Values.securityContext -}}
{{- if $context -}}
{{- if (include "isOpenshiftEnabled" .) -}}
{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
{{- end -}}
{{- else -}}
{{ $context = dict -}}
{{- end -}}
{{ $context | toYaml }}
{{- end }}

{{/*
Build podSecurityContext
*/}}
{{- define "generatePodSecurityContext" -}}
{{- $context := .Values.podSecurityContext -}}
{{- if $context -}}
{{- if (include "isOpenshiftEnabled" .) -}}
{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}}
{{- end -}}
{{- else -}}
{{ $context = dict -}}
{{- end -}}
{{ $context | toYaml }}
{{- end }}
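Review bot: `isOpenshiftEnabled` resolves the `detect` setting through `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, which Helm fills from the connected cluster; when the chart is rendered offline (`helm template`, or a GitOps tool rendering without `--api-versions`) the probe is false, `runAsUser`/`runAsGroup`/`fsGroup` stay in the output, and on an OpenShift cluster the pod is then likely to be rejected by the restricted SCC rather than adjusted. This deserves a sentence in the helper's header comment, e.g. `Returns "true" when openshift.enabled is "true", or when it is "detect" and the security.openshift.io/v1 API is visible; detection needs cluster capabilities, so offline renders must pass --api-versions security.openshift.io/v1.` As a point of style, `{{ $context = dict -}}` and `{{ $context | toYaml }}` in both `generateSecurityContext` and `generatePodSecurityContext` drop the leading `-` that every other action in these helpers uses; it is harmless here because the preceding `-}}` already trims, but `{{- $context = dict -}}` and `{{- $context | toYaml }}` keep the whitespace control uniform. The two helpers are otherwise line-for-line identical apart from the values key they read, so one helper taking the context map as an argument would remove the duplication.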
7 changes: 7 additions & 0 deletions charts/questdb/templates/config.yaml
Expand Up @@ -18,6 +18,9 @@ data:
{{- if .Values.questdb.loggingConfig.enabled }}
log.conf: {{ include "generateLogConfig" . | b64enc -}}
{{- end }}
{{- if .Values.questdb.mimeConfig.enabled }}
mime.types: {{ include "generateMimeConfig" . | b64enc -}}
{{- end }}
{{- else }}
data:
{{- if .Values.questdb.serverConfig.enabled }}
Expand All @@ -28,5 +31,9 @@ data:
log.conf: |
{{- include "generateLogConfig" . | nindent 4 -}}
{{- end }}
{{- if .Values.questdb.mimeConfig.enabled }}
mime.types: |
{{- include "generateMimeConfig" . | nindent 4 -}}
{{- end }}
{{- end }}
{{- end }}
1 change: 1 addition & 0 deletions charts/questdb/templates/serviceaccount.yaml
@@ -1,6 +1,7 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "questdb.serviceAccountName" . }}
{{- if .Values.serviceAccount.labels }}
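Review bot: The new `automountServiceAccountToken:` line sits between `kind:` and `metadata:`; the conventional order for a Kubernetes manifest is `apiVersion`, `kind`, `metadata`, then the remaining top-level fields, so placing it after the `metadata:` block (which continues past the end of this hunk) reads better. The value is rendered unconditionally, so a values override that sets `serviceAccount.automountServiceAccountToken` to null would, I believe, leave the field empty, which the API server treats as unset and therefore as automount enabled; guarding the line with `{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}` or documenting the default in values.yaml avoids that silent opt-back-in.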
34 changes: 32 additions & 2 deletions charts/questdb/templates/statefulset.yaml
Expand Up @@ -29,14 +29,15 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- include "generatePodSecurityContext" . | nindent 8 }}
{{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}
serviceAccountName: {{ include "questdb.serviceAccountName" . }}
{{- end }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- include "generateSecurityContext" . | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
Expand All @@ -49,6 +50,12 @@ spec:
{{ toYaml .Values.questdb.envFrom | nindent 10 }}
{{- end }}
volumeMounts:
- name: tmpfs-tmp
mountPath: /tmp
- name: tmpfs-questdb-import
mountPath: /var/lib/questdb/import
- name: tmpfs-questdb-public
mountPath: /var/lib/questdb/public
Comment on lines +53 to +58
Contributor


These mounts are breaking a simple `helm install questdb ./charts/questdb` with the following logs:

questdb No arguments found in the configuration, start with default arguments                                             
questdb Running as questdb user                                                                                           
questdb Log configuration loaded using factory defaults.                                                                  
questdb 2025-10-03T18:34:29.594330Z A server-main QuestDB 9.0.3. Copyright (C) 2014-2025, all rights reserved.            
questdb 2025-10-03T18:34:29.684387Z A server-main linux-x86-64 [AVX512,10, 64 bits, 12 processors]                        
questdb 2025-10-03T18:34:29.684447Z A server-main fs.file-max checked [limit=2147483584]                                  
questdb 2025-10-03T18:34:29.684523Z A server-main vm.max_map_count checked [limit=1048576]                                
questdb 2025-10-03T18:34:29.688161Z I server-main Web Console is up to date                                               
questdb 2025-10-03T18:34:29.693775Z A server-main Server config: /var/lib/questdb/conf/server.conf                        
questdb Server configuration file does not exist! /var/lib/questdb/conf/server.conf    

I think if we remove readOnlyRootFilesystem in the security context, we can do away with these tmp volumes and mounts. I don't believe that this is an openshift requirement and would prefer to leave this extra security-scoping to the user instead of baking into the default chart.

- name: {{ include "questdb.fullname" . }}
mountPath: {{ .Values.questdb.dataDir }}/db
subPath: db/
Expand All @@ -68,6 +75,11 @@ spec:
mountPath: {{ .Values.questdb.dataDir }}/conf/log.conf
subPath: log.conf
{{- end }}
{{- if .Values.questdb.mimeConfig.enabled }}
- name: mime-config
mountPath: {{ .Values.questdb.dataDir }}/conf/mime.types
subPath: mime.types
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{ toYaml .Values.extraVolumeMounts | nindent 10 }}
{{- end }}
Expand Down Expand Up @@ -103,6 +115,8 @@ spec:
- name: init-db-migration
image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}"
command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"]
securityContext:
{{- include "generateSecurityContext" . | nindent 12 }}
volumeMounts:
- name: {{ include "questdb.fullname" . }}
mountPath: /mnt/questdb
Expand All @@ -128,6 +142,12 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: tmpfs-tmp
emptyDir: {}
- name: tmpfs-questdb-import
emptyDir: {}
- name: tmpfs-questdb-public
emptyDir: {}
Comment on lines +145 to +150
Contributor


see above comment

{{- if .Values.questdb.serverConfig.enabled }}
- name: server-config
{{- if eq .Values.questdb.configStorageType "Secret" }}
Expand All @@ -148,6 +168,16 @@ spec:
name: {{ include "questdb.fullname" . }}
{{- end }}
{{- end }}
{{- if .Values.questdb.mimeConfig.enabled }}
- name: mime-config
{{- if eq .Values.questdb.configStorageType "Secret" }}
secret:
secretName: {{ include "questdb.fullname" . }}
{{- else }}
configMap:
name: {{ include "questdb.fullname" . }}
{{- end }}
{{- end }}
- name: migration-scripts
configMap:
name: {{ include "questdb.fullname" . }}-db-migrations
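Review bot: The three `emptyDir: {}` volumes added under `volumes:` (`tmpfs-tmp`, `tmpfs-questdb-import`, `tmpfs-questdb-public`) carry no `sizeLimit`, and without `medium: Memory` they are backed by node disk rather than tmpfs as the names suggest, so an unbounded `/var/lib/questdb/import` or `/tmp` can consume the node's ephemeral storage and trigger evictions of other pods. Bounding each one, e.g. `emptyDir:` followed by `  sizeLimit: 1Gi` (sample value; exposing it as a values.yaml key would let users tune it), turns the scratch space into a resource the kubelet accounts for, and renaming the volumes to drop the `tmpfs-` prefix would stop implying memory backing. The init-container hunk applies `generateSecurityContext` to `init-db-migration`, so `migrate_to_helm_v1.sh` now runs under the same `readOnlyRootFilesystem`/`runAsUser` defaults as the main container; whether that script writes anywhere outside its declared mounts cannot be seen from here and is worth confirming before release.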
30 changes: 28 additions & 2 deletions charts/questdb/values.yaml
Expand Up @@ -8,8 +8,24 @@ nameOverride: ""
fullnameOverride: ""

podAnnotations: {}
podSecurityContext: {}
securityContext: {}
podSecurityContext:
fsGroup: 10001
seccompProfile:
type: RuntimeDefault

securityContext:
readOnlyRootFilesystem: true
Contributor


same as above, let's remove this and let the user add it as necessary

capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
privileged: false
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault

extraVolumes: []
extraVolumeMounts: []
extraLabels: {}
Expand All @@ -23,6 +39,9 @@ questdb:
loggingConfig:
enabled: false
options: {}
mimeConfig:
enabled: false
options: {}
# env supports key/value pairs that are added directly to the questdb statefulset's env
env: {}
# envFrom supports a list of sources that will be injected into the questdb statefulset's env
Expand Down Expand Up @@ -94,6 +113,7 @@ livenessProbe: {}
# successThreshold: 1
# timeoutSeconds: 2

automountServiceAccountToken: false

metrics:
enabled: true
Expand All @@ -106,6 +126,7 @@ serviceAccount:
create: false
labels: {}
annotations: {}
automountServiceAccountToken: false

# if create is set to "true", you can specify the name of that service account below
# if create is set to "false", you can use this to reference an existing service account for the StatefulSet pod
Expand All @@ -121,3 +142,8 @@ dataMigration:
memory: "256Mi"
limits:
memory: "1Gi"

# openshift
openshift:
enabled: detect
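Review bot: The new `openshift.enabled: detect` key is introduced with only `# openshift` above it, which does not tell a user which values are accepted or what `detect` depends on; a comment above `enabled:` such as `# true: omit runAsUser/runAsGroup/fsGroup so OpenShift SCCs assign IDs; false: keep them; detect: omit only when the cluster exposes security.openshift.io/v1 (needs cluster access, so "helm template" behaves like false unless --api-versions is passed)` would cover it. The two `automountServiceAccountToken: false` keys (top-level and under `serviceAccount`) are likewise uncommented; a line noting that the top-level one is rendered on the pod spec and takes precedence over the ServiceAccount's field explains why both exist. `mimeConfig` mirrors `loggingConfig` but has no comment; with `enabled: true` and the default `options: {}` the rendered `mime.types` is empty and is mounted over `<dataDir>/conf/mime.types`, which is worth stating next to the key.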