- Add git-chglog configuration for changelog generation - Generate CHANGELOG entries for each chart on release - Filter commits by chart path to include only relevant changes - Preserve existing CHANGELOG content while prepending new entries - Commit updated CHANGELOG.md back to repository with [skip ci] - Handle concurrent commits with rebase before push - Fix yamllint issues for long lines and truthy values
- Update deployment.yaml to reference -registry secret - Update docker-secret.yaml template names - Update test assertions for new naming - Makes the chart more generic for any container registry
- Rename docker-secret.yaml to registry-secret.yaml - Rename docker-secret_test.yaml to registry-secret_test.yaml - Update README.md.gotmpl to say 'registry pull credentials' - Improves clarity and removes Docker-specific naming
- Add non-root user (UID 1000) by default - Set readOnlyRootFilesystem to prevent writes - Drop all capabilities for minimal attack surface - Prevent privilege escalation - Can be overridden via webservice.containerSecurityContext
- Set fsGroup to 1000 for proper volume permissions - Set runAsNonRoot and runAsUser to 1000 by default - Ensures pods run as non-root with proper group ownership - Can be overridden via webservice.securityContext
- Set default CPU request to 100m and limit to 500m - Set default memory request to 128Mi and limit to 512Mi - Ensures pods have proper resource allocation for scheduling - Can be overridden via webservice.resources
- Add section explaining default security context settings - Document default resource requests and limits - Show examples of how to override defaults - Helps users understand secure defaults applied by the chart
- Add ServiceAccount template with automountServiceAccountToken control - Add serviceAccountName helper template - Update deployment to use ServiceAccount when created - Set automountServiceAccountToken to false by default for security - Add comprehensive ServiceAccount tests - Document ServiceAccount configuration in README
- Add PodDisruptionBudget template with minAvailable/maxUnavailable options - Add PDB configuration to values.yaml - Add comprehensive PDB tests - Document PDB usage in README with examples - Ensures application availability during voluntary disruptions
- Add NetworkPolicy template with customizable ingress/egress rules - Default ingress allows traffic from ingress-nginx namespace - Default egress allows all outbound traffic - Add NetworkPolicy configuration to values.yaml - Add comprehensive NetworkPolicy tests - Document NetworkPolicy usage in README with examples
- Add topologySpreadConstraints to deployment template - Add configuration examples for node and zone spreading - Add comprehensive TopologySpreadConstraints tests - Document TopologySpreadConstraints usage in README - Improves high availability by spreading pods across topology domains
- Add ServiceMonitor template with customizable scrape settings - Support for metric relabelings and custom labels - Add ServiceMonitor configuration to values.yaml - Add comprehensive ServiceMonitor tests - Document ServiceMonitor usage in README with examples - Enables Prometheus metrics collection
- Add HPA template with CPU and memory target support - Support for custom scaling behavior configuration - Add HPA configuration to values.yaml - Add comprehensive HPA tests - Document HPA usage in README with examples - Enables automatic scaling based on resource utilization
- Add startupProbe configuration to deployment template - Add startupProbe configuration to values.yaml with examples - Add comprehensive startupProbe tests - Document startupProbe in README with examples - Improves container lifecycle management for slow-starting applications
- Set serviceAccount.create to false by default - Set automountServiceAccountToken to false in deployment spec - Only create ServiceAccount when explicitly needed - Updates documentation and tests to reflect new defaults - Reduces attack surface for services that don't need API access
- Add seccompProfile with RuntimeDefault to container security context - Provides syscall-level security filtering - Blocks dangerous syscalls while maintaining compatibility - Add seccompProfile configuration to values.yaml - Add comprehensive seccompProfile tests - Document seccompProfile usage in README
- Set enableServiceLinks to false by default - Prevents injection of all services as environment variables - Reduces information leakage and attack surface - Add enableServiceLinks configuration to values.yaml - Add enableServiceLinks tests - Document service links in README
- Add default ephemeral-storage requests (1Gi) and limits (2Gi) - Prevents DoS attacks via unlimited disk usage - Add ephemeral storage configuration to values.yaml - Add ephemeral storage tests - Update resource documentation with storage limits
- Add runtimeClassName configuration to deployment spec - Enables use of gVisor, Kata, or other runtime classes - Provides stronger container isolation when available - Add runtimeClassName configuration to values.yaml - Add runtimeClassName tests - Document runtime class usage in README
Please run |
- Add Pod Security Standards labels to deployment metadata - Enables enforcement of security policies at namespace level - Default to restricted level for maximum security - Add Pod Security Standard configuration to values.yaml - Add Pod Security Standard tests - Document Pod Security Standards usage in README
- Add explicit hostNetwork, hostPID, hostIPC settings - Default to false for maximum security - Prevents pods from accessing host resources - Add host protection configuration to values.yaml - Add host protection tests - Document host protection in README
- Document image digest usage for immutability - Document private registry authentication - Document SealedSecrets for encrypted credentials - Add image security recommendations - No code changes, documentation only
- Dependencies are handled in Chart.yaml since apiVersion v2 - Fixes warning about deprecated requirements.yaml - No functional changes to dependencies
- Set check-version-increment to false in ct.yaml - Version bumping is handled by CI after merge to main - Allows PRs to pass linting without manual version bump
- Parse git history since last release tag for each chart - Determine bump type from commit prefixes: - BREAKING CHANGE or ! -> major - feat: -> minor - fix:, chore:, docs:, etc. -> patch - Automatically update Chart.yaml version before release - Commit version bump and CHANGELOG back to main - Add bump type to release summary - Ensures no version is skipped and consistent semver
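The bump rules described in this commit message, worked through as an added Python example (this is not the repository's own release script); the chart-path filter, commit list and file paths are constructed assumptions for the demonstration.

```python
import re

# Conventional-commit subject: type, optional (scope), optional "!" before the colon.
TYPE_RE = re.compile(r"^(?P<type>[a-z]+)(\([^)]*\))?(?P<bang>!)?:\s", re.IGNORECASE)
ORDER = {"patch": 0, "minor": 1, "major": 2}


def classify_commit(message: str) -> str:
    """BREAKING CHANGE or '!' -> major, feat: -> minor, anything else -> patch."""
    subject, _, body = message.partition("\n")
    if "BREAKING CHANGE" in subject or "BREAKING CHANGE" in body:
        return "major"
    m = TYPE_RE.match(subject.strip())
    if m and m.group("bang"):
        return "major"
    if m and m.group("type").lower() == "feat":
        return "minor"
    return "patch"  # fix:, chore:, docs:, and non-conventional subjects


def commits_for_chart(commits, chart_dir: str):
    """Keep only commit messages that touched files under chart_dir (assumed layout)."""
    prefix = chart_dir.rstrip("/") + "/"
    return [c["message"] for c in commits if any(p.startswith(prefix) for p in c["files"])]


def determine_bump(messages):
    """Highest bump level among the commits since the last release tag, or None."""
    if not messages:
        return None
    return max((classify_commit(m) for m in messages), key=ORDER.__getitem__)


def bump_version(version: str, bump: str) -> str:
    """Apply a semver bump to a Chart.yaml version string such as '1.2.3'."""
    major, minor, patch = (int(x) for x in version.split("."))
    if bump == "major":
        return f"{major + 1}.0.0"
    if bump == "minor":
        return f"{major}.{minor + 1}.0"
    return f"{major}.{minor}.{patch + 1}"


# Constructed sample commits (message plus touched paths), not real history.
SAMPLE_COMMITS = [
    {"message": "chore: add PodDisruptionBudget tests", "files": ["charts/webservice/tests/pdb_test.yaml"]},
    {"message": "feat(webservice): add NetworkPolicy template", "files": ["charts/webservice/templates/networkpolicy.yaml"]},
    {"message": "fix: hardcoded port 80 in ingress.yaml", "files": ["charts/webservice/templates/ingress.yaml", "charts/other/templates/ingress.yaml"]},
    {"message": "ci: use matrix strategy", "files": [".github/workflows/release.yaml"]},
]
```

Running `determine_bump(commits_for_chart(SAMPLE_COMMITS, "charts/webservice"))` yields "minor", while the same call for "charts/other" yields "patch" because only the fix commit touched that chart.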
- Remove manual version update instructions - Document conventional commit format for version bumps - Clarify that CI handles version bumping automatically
- Remove manual version bump checklist item - Add conventional commits format requirement
- Fix helm-unittest plugin version compatibility (v0.4.4) - Update unittest job to only test modified charts - Update kubeconform to only validate changed charts - Update trivy security scan to only scan changed charts - Use matrix strategy for parallel execution - Improve performance by reducing unnecessary work
8c4eba1 to 1b70916
- Use hashFiles to automatically invalidate cache on workflow changes - Uninstall plugin before install to avoid corruption issues - Remove hardcoded version dependencies in cache key
ff221cd to 813ca5f
- Upgrade Helm from v3.16.3 to v3.19.4 in all workflows - v3.19.4 supports platformHooks required by helm-unittest v1.0+ - Remove plugin cache to simplify workflow
813ca5f to 85f76e5
- Fix ci/full-values.yaml: storage config inside volume config - Fix values.yaml: remove incorrect storage root section, update examples - Fix values.schema.json: remove storage property - Storage spec is now directly in volume definition, not separate
- Use nginxinc/nginx-unprivileged:latest instead of nginx:latest - Change port from 80 to 8080 (non-root can't bind privileged ports) - Add emptyDir volumes for nginx writable directories
- Fix hardcoded port 80 in ingress.yaml to use service.port - Update full-values.yaml to use nginx-unprivileged and port 8080
Description
Type of Change
Charts Modified
Checklist
- helm lint passes
- helm template renders correctly
Testing Performed
Additional Notes