Skip to content

some ssecurity update #1248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tuteng merged 3 commits into from
Oct 24, 2025
Merged

some ssecurity update #1248

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
29faf68
update
urfreespace Oct 24, 2025
d639027
update
urfreespace Oct 24, 2025
93d3abf
update
urfreespace Oct 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions charts/sn-platform-slim/templates/proxy/_proxy.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,11 +48,13 @@ Define proxy certs volumes
secret:
{{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
defaultMode: 0400
items:
- key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
path: ca.crt
{{- else }}
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand All @@ -61,6 +63,7 @@ Define proxy certs volumes
- name: proxy-certs
secret:
secretName: "{{ template "pulsar.proxy.tls.secret.name" . }}"
defaultMode: 0400
items:
- key: tls.crt
path: tls.crt
Expand All @@ -71,6 +74,7 @@ Define proxy certs volumes
- name: broker-ca
secret:
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand Down
5 changes: 5 additions & 0 deletions charts/sn-platform-slim/templates/toolset/_toolset.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ Define toolset token volumes
- name: client-token
secret:
secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"
defaultMode: 0400
items:
- key: TOKEN
path: client/token
Expand Down Expand Up @@ -79,6 +80,7 @@ Define toolset tls certs volumes
- name: toolset-certs
secret:
secretName: "{{ template "pulsar.toolset.tls.secret.name" . }}"
defaultMode: 0400
items:
- key: tls.crt
path: tls.crt
Expand All @@ -87,6 +89,7 @@ Define toolset tls certs volumes
- name: ca
secret:
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand All @@ -97,11 +100,13 @@ Define toolset tls certs volumes
secret:
{{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
defaultMode: 0400
items:
- key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
path: ca.crt
{{- else }}
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand Down
20 changes: 20 additions & 0 deletions charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,26 @@ spec:
bin/apply-config-from-env.py conf/bookkeeper.conf;
{{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
sleep 10000000000
livenessProbe:
exec:
command:
- sh
- -c
- "ps aux | grep -v grep | grep sleep"
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
exec:
command:
- sh
- -c
- "ps aux | grep -v grep | grep sleep"
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
envFrom:
- configMapRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
Expand Down
6 changes: 6 additions & 0 deletions charts/sn-platform-slim/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1609,6 +1609,9 @@ proxy:
annotations: {}
securityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
tolerations: []
gracePeriod: 30
resources:
Expand Down Expand Up @@ -1732,6 +1735,9 @@ toolset:
-XX:MaxDirectMemorySize=128M
securityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
serviceAccount:
# Specifies whether to use a service account to run this component
use: true
Expand Down
4 changes: 4 additions & 0 deletions charts/sn-platform/templates/proxy/_proxy.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,11 +48,13 @@ Define proxy certs volumes
secret:
{{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
defaultMode: 0400
items:
- key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
path: ca.crt
{{- else }}
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand All @@ -61,6 +63,7 @@ Define proxy certs volumes
- name: proxy-certs
secret:
secretName: "{{ template "pulsar.proxy.tls.secret.name" . }}"
defaultMode: 0400
items:
- key: tls.crt
path: tls.crt
Expand All @@ -71,6 +74,7 @@ Define proxy certs volumes
- name: broker-ca
secret:
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand Down
5 changes: 5 additions & 0 deletions charts/sn-platform/templates/toolset/_toolset.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ Define toolset token volumes
- name: client-token
secret:
secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"
defaultMode: 0400
items:
- key: TOKEN
path: client/token
Expand Down Expand Up @@ -99,6 +100,7 @@ Define toolset tls certs volumes
- name: toolset-certs
secret:
secretName: "{{ template "pulsar.toolset.tls.secret.name" . }}"
defaultMode: 0400
items:
- key: tls.crt
path: tls.crt
Expand All @@ -107,6 +109,7 @@ Define toolset tls certs volumes
- name: ca
secret:
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand All @@ -123,11 +126,13 @@ Define toolset tls certs volumes
secret:
{{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
defaultMode: 0400
items:
- key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
path: ca.crt
{{- else }}
secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
defaultMode: 0400
items:
- key: ca.crt
path: ca.crt
Expand Down
40 changes: 40 additions & 0 deletions charts/sn-platform/templates/toolset/toolset-statefulset.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,26 @@ spec:
bin/apply-config-from-env.py conf/bookkeeper.conf;
{{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
sleep 10000000000
livenessProbe:
exec:
command:
- sh
- -c
- "ps aux | grep -v grep | grep sleep"
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
exec:
command:
- sh
- -c
- "ps aux | grep -v grep | grep sleep"
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
envFrom:
- configMapRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
Expand Down Expand Up @@ -162,6 +182,26 @@ spec:
{{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
{{- include "pulsar.toolset.kafka.settings" . | nindent 10 }}
sleep 10000000000
livenessProbe:
exec:
command:
- sh
- -c
- "ps aux | grep -v grep | grep sleep"
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
exec:
command:
- sh
- -c
- "ps aux | grep -v grep | grep sleep"
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
envFrom:
- configMapRef:
name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
Expand Down
6 changes: 6 additions & 0 deletions charts/sn-platform/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1685,6 +1685,9 @@ proxy:
annotations: {}
securityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
tolerations: []
gracePeriod: 30
resources:
Expand Down Expand Up @@ -1812,6 +1815,9 @@ toolset:
-XX:MaxDirectMemorySize=128M
securityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
serviceAccount:
# Specifies whether to use a service account to run this component
use: true
Expand Down
Loading