From 21b584281336fa98e01a093e3a493b432243ae4a Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Tue, 26 Nov 2024 11:01:47 +0100
Subject: [PATCH] helm: add a default for RPSS_ENABLED
Signed-off-by: Simon L.
---
 .../templates/nextcloud-aio-apache-deployment.yaml | 4 ++--
 .../templates/nextcloud-aio-clamav-deployment.yaml | 6 +++---
 .../templates/nextcloud-aio-database-deployment.yaml | 6 +++---
 .../nextcloud-aio-imaginary-deployment.yaml | 4 ++--
 .../nextcloud-aio-nextcloud-deployment.yaml | 8 ++++----
 .../nextcloud-aio-notify-push-deployment.yaml | 4 ++--
 .../templates/nextcloud-aio-redis-deployment.yaml | 4 ++--
 .../templates/nextcloud-aio-talk-deployment.yaml | 4 ++--
 .../nextcloud-aio-talk-recording-deployment.yaml | 4 ++--
 .../nextcloud-aio-whiteboard-deployment.yaml | 4 ++--
 nextcloud-aio-helm-chart/update-helm.sh | 12 ++++++------
 11 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
index ab674f0e372..790e810d643 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 runAsUser: 33
 runAsGroup: 33
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -74,7 +74,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
index 38f0a21bce5..77d60f93f1f 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -32,7 +32,7 @@ spec:
 runAsUser: 100
 runAsGroup: 100
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -50,7 +50,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
@@ -73,7 +73,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
index 5f6b32369be..332c41fba40 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 runAsUser: 999
 runAsGroup: 999
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -49,7 +49,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
@@ -76,7 +76,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
index a2ff00595bc..22879334717 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
@@ -30,7 +30,7 @@ spec:
 runAsUser: 65534
 runAsGroup: 65534
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -49,7 +49,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
index a154b4215de..0a2fe740099 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
@@ -23,7 +23,7 @@ spec:
 labels:
 io.kompose.service: nextcloud-aio-nextcloud
 spec:
- {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }} # AIO-config - do not change this comment!
 securityContext:
 # The items below only work in pod context
 fsGroup: 33
@@ -32,7 +32,7 @@ spec:
 runAsUser: 33
 runAsGroup: 33
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -179,12 +179,12 @@ spec:
 - name: WHITEBOARD_SECRET
 value: "{{ .Values.WHITEBOARD_SECRET }}"
 image: nextcloud/aio-nextcloud:20241125_091756
- {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }} # AIO-config - do not change this comment!
 securityContext:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
index f9256d2eb20..6e93cb515e4 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 runAsUser: 33
 runAsGroup: 33
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -64,7 +64,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
index 375e52bd6fe..f81c13ded69 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 runAsUser: 999
 runAsGroup: 999
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -50,7 +50,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
index 31ecd663f15..19ecd60ee39 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
@@ -30,7 +30,7 @@ spec:
 runAsUser: 1000
 runAsGroup: 1000
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -67,7 +67,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
index 5379a069795..41b209c986c 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
@@ -32,7 +32,7 @@ spec:
 runAsUser: 122
 runAsGroup: 122
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -55,7 +55,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
index 98979a5b62f..2a0d27c0c03 100755
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
@@ -30,7 +30,7 @@ spec:
 runAsUser: 65534
 runAsGroup: 65534
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -57,7 +57,7 @@ spec:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh
index d9876213309..e2791ff7f7a 100755
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
@@ -158,7 +158,7 @@ for variable in "${DEPLOYMENTS[@]}"; do
 if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
 USER=33
 GROUP=33
- echo ' {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext
+ echo ' {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext
 else
 USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"
 GROUP="$USER"
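Review bot: The `| default "no"` added inside the echoed `if` is applied to the result of `eq`, not to `.Values.RPSS_ENABLED`, so it does not give the value a default. A template pipeline passes the left-hand result as the last argument of the next command, making this `default "no" (eq .Values.RPSS_ENABLED "yes")`; when `eq` is false, `default` treats it as empty and returns the string "no", which `if` treats as true, so the condition would hold for every setting and the `drop: ["NET_RAW"]` branch would never render. An unset value also still reaches `eq` unchanged. Defaulting first keeps the switch meaningful: `{{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}`. The same expression is in the later hunks of update-helm.sh (176, 446, 460, 470) and in every template hunk above, which look like output of this script; rendering the chart with the value unset, "no" and "yes" would confirm which securityContext each case produces.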
@@ -176,7 +176,7 @@ for variable in "${DEPLOYMENTS[@]}"; do
 runAsUser: $USER
 runAsGroup: $GROUP
 runAsNonRoot: true
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
@@ -446,7 +446,7 @@ cat << EOL > /tmp/security.conf
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
@@ -460,7 +460,7 @@ cat << EOL > /tmp/security.conf
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]
@@ -470,12 +470,12 @@ EOL
 find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^ securityContext:$/r /tmp/security.conf" \{} \;
 cat << EOL > /tmp/security.conf
- {{- if eq .Values.RPSS_ENABLED "yes" }} # AIO-config - do not change this comment!
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }} # AIO-config - do not change this comment!
 securityContext:
 # The items below only work in container context
 allowPrivilegeEscalation: false
 capabilities:
- {{- if eq .Values.RPSS_ENABLED "yes" }}
+ {{- if eq .Values.RPSS_ENABLED "yes" | default "no" }}
 drop: ["ALL"]
 {{- else }}
 drop: ["NET_RAW"]