RHIDP-1690: Fix SNYK findings
coreydaley committed Jun 12, 2024
1 parent fff6de9 commit cb7b1b4
Showing 3 changed files with 68 additions and 1 deletion.
2 changes: 1 addition & 1 deletion charts/backstage/Chart.yaml
@@ -45,4 +45,4 @@ sources:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.16.1
version: 2.16.2
21 changes: 21 additions & 0 deletions charts/backstage/templates/tests/test-connection.yaml
@@ -12,7 +12,28 @@ metadata:
spec:
containers:
- name: curl
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 10000
resources:
requests:
cpu: 10m
memory: 20Mi
limits:
cpu: 10m
memory: 20Mi
livenessProbe:
exec:
command:
- command
- -v
- curl
image: quay.io/curl/curl:latest
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args:
- |
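Review bot: The `securityContext` added to the `curl` test container has no `seccompProfile`, although the contexts this commit adds in values.yaml set `type: "RuntimeDefault"`; adding `seccompProfile:` with `type: RuntimeDefault` here would keep the test pod consistent and acceptable to a restricted Pod Security admission profile. The new `livenessProbe` runs `command -v curl` as an exec probe, which Kubernetes executes without a shell, so it succeeds only if the image ships a standalone `command` executable; `command: ["/bin/sh", "-c", "command -v curl"]` avoids that dependency. `imagePullPolicy: IfNotPresent` next to `image: quay.io/curl/curl:latest` lets a node keep running whatever it cached under a mutable tag, so pinning a version tag or digest is worth considering. The pod spec continues past the end of this hunk.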
46 changes: 46 additions & 0 deletions charts/backstage/values.yaml
@@ -61,6 +61,21 @@ upstream:
auth:
keys:
- secret: ${BACKEND_SECRET}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
resources:
requests:
cpu: 250m
memory: 1Gi
limits:
cpu: 1000m
memory: 4Gi
readinessProbe:
failureThreshold: 3
httpGet:
@@ -101,6 +116,8 @@ upstream:
# The initContainer below will install dynamic plugins in this volume mount.
- name: dynamic-plugins-root
mountPath: /opt/app-root/src/dynamic-plugins-root
- name: diststatic
mountPath: /opt/app-root/src/packages/app/dist/static
extraVolumes:
# -- Ephemeral volume that will contain the dynamic plugins installed by the initContainer below at start.
- name: dynamic-plugins-root
@@ -128,8 +145,27 @@ upstream:
defaultMode: 420
optional: true
secretName: dynamic-plugins-npmrc
- name: npmcacache
emptyDir: {}
- name: diststatic
emptyDir: {}
initContainers:
- name: install-dynamic-plugins
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 200m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
readOnlyRootFilesystem: true
seccompProfile:
type: "RuntimeDefault"
# -- Image used by the initContainer to install dynamic plugins into the `dynamic-plugins-root` volume mount.
# It could be replaced by a custom image based on this one.
# @default -- `quay.io/janus-idp/backstage-showcase:latest`
@@ -152,6 +188,8 @@ upstream:
name: dynamic-plugins-npmrc
readOnly: true
subPath: .npmrc
- mountPath: /opt/app-root/src/.npm/_cacache
name: npmcacache
workingDir: /opt/app-root/src
installDir: /opt/app-root/src
podAnnotations:
@@ -170,10 +208,18 @@ upstream:
adminPasswordKey: postgres-password
userPasswordKey: password
primary:
# TODO: https://issues.redhat.com/browse/RHIDP-2645
podSecurityContext:
enabled: false
containerSecurityContext:
enabled: false
resources:
requests:
cpu: 256m
memory: 1Gi
limits:
cpu: 512m
memory: 2Gi
persistence:
enabled: true
size: 1Gi
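Review bot: The new `diststatic` emptyDir is mounted over `/opt/app-root/src/packages/app/dist/static`, so the container starts with that directory empty; unless the application repopulates it at start-up (not visible in these hunks), the static assets shipped in the image are shadowed. It is worth confirming that the UI still loads with `readOnlyRootFilesystem: true` and that no other path is written at runtime. Both added `emptyDir: {}` volumes (`npmcacache`, `diststatic`) are unbounded, and a `sizeLimit` on each, with a value chosen by the maintainers, would keep the npm cache from exhausting node ephemeral storage. The PostgreSQL `primary` still has `podSecurityContext` and `containerSecurityContext` set to `enabled: false` under the added TODO, so the hardening here does not yet cover the database pod.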