diff --git a/charts/tf-controller/README.md b/charts/tf-controller/README.md
index 1964941d..ad4a3422 100644
--- a/charts/tf-controller/README.md
+++ b/charts/tf-controller/README.md
@@ -31,7 +31,7 @@ __Note__: If you need to use the `imagePullSecrets` it would be best to set `ser
 | awsPackage.install | bool | `true` | |
 | awsPackage.repository | string | `"ghcr.io/tf-controller/aws-primitive-modules"` | |
 | awsPackage.tag | string | `"v4.38.0-v1alpha11"` | |
-| branchPlanner | object | `{"configMap":"branch-planner","enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/weaveworks/branch-planner","tag":""},"pollingInterval":"30s","sourceInterval":"30s"}` | Branch Planner-specific configurations |
+| branchPlanner | object | `{"configMap":"branch-planner","enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/weaveworks/branch-planner","tag":""},"podSecurityContext":{"fsGroup":1337},"pollingInterval":"30s","resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"sourceInterval":"30s"}` | Branch Planner-specific configurations |
 | caCertValidityDuration | string | `"168h0m"` | Argument for `--ca-cert-validity-duration` (Controller) |
 | certRotationCheckFrequency | string | `"30m0s"` | Argument for `--cert-rotation-check-frequency` (Controller) |
 | certValidityDuration | string | `"6h0m"` | Argument for `--cert-validity-duration` (Controller) |
diff --git a/charts/tf-controller/templates/planner-deployment.yaml b/charts/tf-controller/templates/planner-deployment.yaml
index ef1ab455..04e09316 100644
--- a/charts/tf-controller/templates/planner-deployment.yaml
+++ b/charts/tf-controller/templates/planner-deployment.yaml
@@ -41,13 +41,12 @@ spec:
 image: "{{ .Values.branchPlanner.image.repository }}:{{ default .Chart.AppVersion .Values.branchPlanner.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 name: {{ .Chart.Name }}
- ports:
- - containerPort: 8080
- name: http-prom
+ resources:
+ {{- toYaml .Values.branchPlanner.resources | nindent 10 }}
 securityContext:
- {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- toYaml .Values.branchPlanner.securityContext | nindent 10 }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.branchPlanner.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "tf-controller.serviceAccountName" . }}
 terminationGracePeriodSeconds: 10
 {{- with .Values.nodeSelector }}
diff --git a/charts/tf-controller/values.yaml b/charts/tf-controller/values.yaml
index 8de0d63e..9bd27580 100644
--- a/charts/tf-controller/values.yaml
+++ b/charts/tf-controller/values.yaml
@@ -179,3 +179,25 @@ branchPlanner:
 pollingInterval: 30s
 # Interval value to use for Source objects for branch planner Terraform objects.
 sourceInterval: 30s
+ # Pod-level security context
+ podSecurityContext:
+ fsGroup: 1337
+ # Container-level security context
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ # Resource limits and requests
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1Gi
+ requests:
+ cpu: 200m
+ memory: 64Mi
diff --git a/runner-azure.Dockerfile b/runner-azure.Dockerfile
index 737bfba0..267b068a 100644
--- a/runner-azure.Dockerfile
+++ b/runner-azure.Dockerfile
@@ -45,7 +45,7 @@ RUN apk add --no-cache libcrypto3=3.1.1-r3 && \
 apk add --no-cache busybox
 
 # Install az cli
-ARG AZCLI_VERSION=2.40.0
+ARG AZCLI_VERSION=2.50.0
 RUN apk add --no-cache py3-pip && \
 apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev
 RUN pip install --upgrade pip && \
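Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` on the third line of the planner-deployment hunk still reads the controller's image setting, while every other knob in this hunk is moved to the `branchPlanner` scope and the chart already documents a `branchPlanner.image.pullPolicy` default of `IfNotPresent` (see the README row this commit updates); it should be `imagePullPolicy: {{ .Values.branchPlanner.image.pullPolicy }}`. Deleting the `ports:` block also drops the named `http-prom` port on 8080; if a Service or ServiceMonitor elsewhere in the chart selects that port name, planner metrics scraping will stop without an error, so that reference should be checked before merging. The container spec continues outside the hunk.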
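Review bot: The new container `securityContext` in the values.yaml hunk sets `runAsUser: 65532` but no `runAsGroup`, so the process's primary GID is whatever the image supplies rather than something the chart pins; adding `runAsGroup: 65532` next to it (the GID conventionally paired with that nonroot UID in distroless images) makes the non-root posture explicit and satisfies admission policies that check for both fields. `fsGroup: 1337` under `podSecurityContext` does not match that UID; if it is deliberately mirroring the controller's pod settings, a one-line comment such as `# fsGroup kept in step with the controller pod's podSecurityContext` would save the next reader a lookup — presumably that is the intent, worth confirming. The 64Mi memory request against a 1Gi limit is a wide burst range; if the planner's steady-state footprint is known, a closer request avoids scheduling it onto nodes that cannot back the limit.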