From 29faf6895b64aa27a712bfe776910e4ce3594a45 Mon Sep 17 00:00:00 2001 From: lili Date: Fri, 24 Oct 2025 10:37:14 +0800 Subject: [PATCH 1/3] update Signed-off-by: lili --- .../templates/toolset/_toolset.tpl | 5 +++++ .../toolset/toolset-statefulset.yaml | 20 +++++++++++++++++++ charts/sn-platform-slim/values.yaml | 3 +++ 3 files changed, 28 insertions(+) diff --git a/charts/sn-platform-slim/templates/toolset/_toolset.tpl b/charts/sn-platform-slim/templates/toolset/_toolset.tpl index 04d71f61b..303f63997 100644 --- a/charts/sn-platform-slim/templates/toolset/_toolset.tpl +++ b/charts/sn-platform-slim/templates/toolset/_toolset.tpl @@ -43,6 +43,7 @@ Define toolset token volumes - name: client-token secret: secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}" + defaultMode: 0400 items: - key: TOKEN path: client/token @@ -79,6 +80,7 @@ Define toolset tls certs volumes - name: toolset-certs secret: secretName: "{{ template "pulsar.toolset.tls.secret.name" . }}" + defaultMode: 0400 items: - key: tls.crt path: tls.crt @@ -87,6 +89,7 @@ Define toolset tls certs volumes - name: ca secret: secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt @@ -97,11 +100,13 @@ Define toolset tls certs volumes secret: {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }} secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }} + defaultMode: 0400 items: - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }} path: ca.crt {{- else }} secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt diff --git a/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml b/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml index 08f1e020a..298559bdc 100644 --- a/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml 
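Review bot: The `defaultMode: 0400` added to these secret volumes is only readable by the non-root toolset because `fsGroup` is set alongside it in values.yaml — the projected secret files are owned by root, and as far as I recall it is the kubelet's fsGroup handling (which ORs `0440` onto read-only volume files) that lets uid 10000 open `client/token` and the TLS key; an operator who overrides `toolset.securityContext` without `fsGroup` would get unreadable tokens/certs, so a comment next to the value such as `# fsGroup is required: secret volumes are mounted with defaultMode 0400` would prevent that. In the `public_issuer`/acme hunk the `defaultMode` line is repeated in both the `{{- if }}` and `{{- else }}` branches although it does not depend on the condition; placing it once above the `{{- if` keeps the two branches from drifting apart. Note also that `0400` is octal only under YAML 1.1 readers (Helm and kubectl behave this way); YAML 1.2 tooling applied to rendered manifests reads decimal 400 (= `0620`), so `defaultMode: 256` is the unambiguous spelling if that pipeline exists here.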
+++ b/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml @@ -118,6 +118,26 @@ spec: bin/apply-config-from-env.py conf/bookkeeper.conf; {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} sleep 10000000000 + livenessProbe: + exec: + command: + - sh + - -c + - "ps aux | grep -v grep | grep sleep" + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + exec: + command: + - sh + - -c + - "ps aux | grep -v grep | grep sleep" + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml index 1c2e4be0d..dd030c2e2 100644 --- a/charts/sn-platform-slim/values.yaml +++ b/charts/sn-platform-slim/values.yaml @@ -1732,6 +1732,9 @@ toolset: -XX:MaxDirectMemorySize=128M securityContext: runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 serviceAccount: # Specifies whether to use a service account to run this component use: true From d6390270eb7cfcbe8e2bcd176619755ff9a691eb Mon Sep 17 00:00:00 2001 From: lili Date: Fri, 24 Oct 2025 10:40:23 +0800 Subject: [PATCH 2/3] update Signed-off-by: lili --- .../templates/toolset/_toolset.tpl | 5 +++ .../toolset/toolset-statefulset.yaml | 40 +++++++++++++++++++ charts/sn-platform/values.yaml | 3 ++ 3 files changed, 48 insertions(+) diff --git a/charts/sn-platform/templates/toolset/_toolset.tpl b/charts/sn-platform/templates/toolset/_toolset.tpl index d303bc7ff..ccc0866ef 100644 --- a/charts/sn-platform/templates/toolset/_toolset.tpl +++ b/charts/sn-platform/templates/toolset/_toolset.tpl @@ -58,6 +58,7 @@ Define toolset token volumes - name: client-token secret: secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}" + defaultMode: 0400 items: - key: TOKEN path: client/token 
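Review bot: The probe command `ps aux | grep -v grep | grep sleep` is effectively always true while the container is up, because the container's own shell wrapper (presumably `sh -c`/args) carries `sleep 10000000000` in its command line and `grep sleep` matches that too — and if `sleep` itself dies the shell exits and the kubelet restarts the container with no probe involved, so the probe adds a `ps` fork every 10s without detecting anything. It also assumes `ps` is present in the image, which this patch does not show. If a probe is wanted, `- "pgrep -x sleep > /dev/null"` matches only the process name, and the readinessProbe is only meaningful if a Service selects this pod (none is visible in the series), so consider dropping it or documenting why it exists. The identical block is pasted into two more containers in the `sn-platform` hunks later in the series; a named template in `_toolset.tpl` would keep the three copies in sync.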
@@ -99,6 +100,7 @@ Define toolset tls certs volumes - name: toolset-certs secret: secretName: "{{ template "pulsar.toolset.tls.secret.name" . }}" + defaultMode: 0400 items: - key: tls.crt path: tls.crt @@ -107,6 +109,7 @@ Define toolset tls certs volumes - name: ca secret: secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt @@ -123,11 +126,13 @@ Define toolset tls certs volumes secret: {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }} secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }} + defaultMode: 0400 items: - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }} path: ca.crt {{- else }} secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt diff --git a/charts/sn-platform/templates/toolset/toolset-statefulset.yaml b/charts/sn-platform/templates/toolset/toolset-statefulset.yaml index a6ef33715..5c1b7c175 100644 --- a/charts/sn-platform/templates/toolset/toolset-statefulset.yaml +++ b/charts/sn-platform/templates/toolset/toolset-statefulset.yaml @@ -118,6 +118,26 @@ spec: bin/apply-config-from-env.py conf/bookkeeper.conf; {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} sleep 10000000000 + livenessProbe: + exec: + command: + - sh + - -c + - "ps aux | grep -v grep | grep sleep" + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + exec: + command: + - sh + - -c + - "ps aux | grep -v grep | grep sleep" + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" 
@@ -162,6 +182,26 @@ spec: {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} {{- include "pulsar.toolset.kafka.settings" . | nindent 10 }} sleep 10000000000 + livenessProbe: + exec: + command: + - sh + - -c + - "ps aux | grep -v grep | grep sleep" + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + exec: + command: + - sh + - -c + - "ps aux | grep -v grep | grep sleep" + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml index 008be1b0c..3fb683c2e 100644 --- a/charts/sn-platform/values.yaml +++ b/charts/sn-platform/values.yaml @@ -1812,6 +1812,9 @@ toolset: -XX:MaxDirectMemorySize=128M securityContext: runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 serviceAccount: # Specifies whether to use a service account to run this component use: true From 93d3abf322a9b302ed5249c8a1038a52eb1c3d14 Mon Sep 17 00:00:00 2001 From: lili Date: Fri, 24 Oct 2025 10:42:41 +0800 Subject: [PATCH 3/3] update Signed-off-by: lili --- charts/sn-platform-slim/templates/proxy/_proxy.tpl | 4 ++++ charts/sn-platform-slim/values.yaml | 3 +++ charts/sn-platform/templates/proxy/_proxy.tpl | 4 ++++ charts/sn-platform/values.yaml | 3 +++ 4 files changed, 14 insertions(+) diff --git a/charts/sn-platform-slim/templates/proxy/_proxy.tpl b/charts/sn-platform-slim/templates/proxy/_proxy.tpl index 07159c3cb..417f866cd 100644 --- a/charts/sn-platform-slim/templates/proxy/_proxy.tpl +++ b/charts/sn-platform-slim/templates/proxy/_proxy.tpl 
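Review bot: `fsGroup` is a pod-level `securityContext` field and is rejected by API validation inside a container-level `securityContext`; this hunk does not show where `toolset.securityContext` is rendered, so please confirm the statefulset template places this map under `spec.template.spec.securityContext` (if it is container-level, `runAsUser`/`runAsGroup` are fine but `fsGroup` will fail to apply). Since these are the documented defaults, a short why-comment would help operators who tune them, e.g. `# 10000 is the non-root uid/gid the image is expected to run as; fsGroup is what makes the 0400 secret volumes readable` — the 10000 image user is an assumption on my side and should be verified against the image. The readiness/liveness block above in the same file section has the same tautological `grep sleep` issue as the slim chart.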
@@ -48,11 +48,13 @@ Define proxy certs volumes secret: {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }} secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }} + defaultMode: 0400 items: - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }} path: ca.crt {{- else }} secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt @@ -61,6 +63,7 @@ Define proxy certs volumes - name: proxy-certs secret: secretName: "{{ template "pulsar.proxy.tls.secret.name" . }}" + defaultMode: 0400 items: - key: tls.crt path: tls.crt @@ -71,6 +74,7 @@ Define proxy certs volumes - name: broker-ca secret: secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml index dd030c2e2..4d5199c12 100644 --- a/charts/sn-platform-slim/values.yaml +++ b/charts/sn-platform-slim/values.yaml @@ -1609,6 +1609,9 @@ proxy: annotations: {} securityContext: runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 tolerations: [] gracePeriod: 30 resources: diff --git a/charts/sn-platform/templates/proxy/_proxy.tpl b/charts/sn-platform/templates/proxy/_proxy.tpl index 3f0b70881..fed6eff5c 100644 --- a/charts/sn-platform/templates/proxy/_proxy.tpl +++ b/charts/sn-platform/templates/proxy/_proxy.tpl @@ -48,11 +48,13 @@ Define proxy certs volumes secret: {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }} secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }} + defaultMode: 0400 items: - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }} path: ca.crt {{- else }} secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt 
@@ -61,6 +63,7 @@ Define proxy certs volumes - name: proxy-certs secret: secretName: "{{ template "pulsar.proxy.tls.secret.name" . }}" + defaultMode: 0400 items: - key: tls.crt path: tls.crt @@ -71,6 +74,7 @@ Define proxy certs volumes - name: broker-ca secret: secretName: "{{ template "pulsar.tls.ca.secret.name" . }}" + defaultMode: 0400 items: - key: ca.crt path: ca.crt diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml index 3fb683c2e..06f329377 100644 --- a/charts/sn-platform/values.yaml +++ b/charts/sn-platform/values.yaml @@ -1685,6 +1685,9 @@ proxy: annotations: {} securityContext: runAsNonRoot: true + runAsUser: 10000 + runAsGroup: 10000 + fsGroup: 10000 tolerations: [] gracePeriod: 30 resources:
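Review bot: The proxy is the client-facing component, and pinning `runAsUser`/`runAsGroup` is a good step, but the securityContext still omits the container-level baseline fields that stop a compromised proxy process from regaining privileges — `allowPrivilegeEscalation: false`, `capabilities: { drop: [ALL] }` and `seccompProfile: { type: RuntimeDefault }`. If this map is rendered at pod level (where `fsGroup` must live) those three need a separate container-level block in the template, which is not visible in this hunk. `readOnlyRootFilesystem: true` is worth trying as well, but since the Pulsar entrypoints rewrite `conf/` from environment (`apply-config-from-env.py` appears in the toolset hunks) it would likely need an `emptyDir` for that path, so treat it as a follow-up rather than a default flip.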