From 68e64f2f33757a33cb0183be35730f303b90e1ad Mon Sep 17 00:00:00 2001
From: chgl
Date: Thu, 25 Aug 2022 02:34:02 +0200
Subject: [PATCH] Minor Helm chart dependency updates and security improvements
---
 .github/workflows/chart-test.yaml | 2 +-
 charts/hapi-fhir-jpaserver/Chart.lock | 6 +--
 charts/hapi-fhir-jpaserver/Chart.yaml | 32 +++++------
 charts/hapi-fhir-jpaserver/README.md | 11 ++--
 .../templates/deployment.yaml | 18 +++---
 .../templates/service.yaml | 4 +-
 .../templates/servicemonitor.yaml | 2 +-
 .../templates/tests/test-endpoints.yaml | 53 ++++++++++++-------
 charts/hapi-fhir-jpaserver/values.yaml | 25 ++++++++-
 9 files changed, 90 insertions(+), 63 deletions(-)
diff --git a/.github/workflows/chart-test.yaml b/.github/workflows/chart-test.yaml
index 1d32194..f4357fb 100644
--- a/.github/workflows/chart-test.yaml
+++ b/.github/workflows/chart-test.yaml
@@ -15,7 +15,7 @@ jobs:
 - name: Install helm-docs
 working-directory: /tmp
 env:
- HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.9.1/helm-docs_1.9.1_Linux_x86_64.tar.gz
+ HELM_DOCS_URL: https://github.com/norwoodj/helm-docs/releases/download/v1.11.0/helm-docs_1.11.0_Linux_x86_64.tar.gz
 run: |
 curl -LSs $HELM_DOCS_URL | tar xz && \
 mv ./helm-docs /usr/local/bin/helm-docs && \
diff --git a/charts/hapi-fhir-jpaserver/Chart.lock b/charts/hapi-fhir-jpaserver/Chart.lock
index e8c97e8..411bc27 100644
--- a/charts/hapi-fhir-jpaserver/Chart.lock
+++ b/charts/hapi-fhir-jpaserver/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: 11.6.2
-digest: sha256:1b96efc47b5dbe28bf34bcb694697325f3d2755a39ce2f1c371b2c9de9fac9d3
-generated: "2022-06-03T11:48:19.1684784+02:00"
+ version: 11.8.1
+digest: sha256:671325f8b3d0b85183fa241190e72705fb124a41254a5db6445bcc105e1ca7ec
+generated: "2022-08-25T02:14:58.3432514+02:00"
diff --git a/charts/hapi-fhir-jpaserver/Chart.yaml b/charts/hapi-fhir-jpaserver/Chart.yaml
index 9cebc38..e172526 100644
--- a/charts/hapi-fhir-jpaserver/Chart.yaml
+++ b/charts/hapi-fhir-jpaserver/Chart.yaml
@@ -7,11 +7,11 @@ sources:
 - https://github.com/hapifhir/hapi-fhir-jpaserver-starter
 dependencies:
 - name: postgresql
- version: 11.6.2
+ version: 11.8.1
 repository: https://charts.bitnami.com/bitnami
 condition: postgresql.enabled
-appVersion: v6.0.1
-version: 0.9.0
+appVersion: v6.x
+version: 0.10.0
 annotations:
 artifacthub.io/license: Apache-2.0
 artifacthub.io/changes: |
@@ -19,27 +19,21 @@ annotations:
 # added, changed, deprecated, removed, fixed, and security.
 - kind: changed
 description: |
- BREAKING CHANGE: updated HAPI FHIR starter image to v6.0.1. See for all application changes.
+ updated included PostgreSQL-subchart to v11.8.1.
+ Fixes `coalesce.go:220: warning: cannot overwrite table with non table for fhirserver.postgresql.primary.topologySpreadConstraints (map[])` warning
 - kind: changed
 description: |
- updated included PostgreSQL-subchart to v11.6.2
- - kind: fixed
- description: |
- use a fixed image for the wait-for-database container (docker.io/bitnami/postgresql:14.3.0-debian-10-r20)
- instead of relying on the PostgreSQL sub-chart values
+ set `securityContext.seccompProfile.type=RuntimeDefault` for included PostgreSQL as well as all `initContainer` and Helm
+ test pods to comply with the "restricted" Pod Security Standard:
 - kind: changed
 description: |
- expose actuator/metrics endpoint on a separate port (8081)
+ use curl as the image for running Helm test pods
+ - kind: changed
+ description: |
+ renamed `metrics` port to `http-metrics` for istio compliant naming
 - kind: added
 description: |
- support for monitoring metrics using ServiceMonitor CRDs
+ Helm test job to test metrics endpoint
 - kind: changed
 description: |
- switched liveness and readiness probes to Spring Boot actuator endpoints
- - kind: changed
- description: |
- BREAKING CHANGE: removed included `NetworkPolicy`, which is subject to more thorough rework
- - kind: added
- description: |
- allow configuring `topologySpreadConstraints` for the deployment
+ use full digest instead of just a tag for the server image reference
diff --git a/charts/hapi-fhir-jpaserver/README.md b/charts/hapi-fhir-jpaserver/README.md
index 20d0d6f..9b72dc5 100644
--- a/charts/hapi-fhir-jpaserver/README.md
+++ b/charts/hapi-fhir-jpaserver/README.md
@@ -1,6 +1,6 @@
 # HAPI FHIR JPA Server Starter Helm Chart
-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v6.0.1](https://img.shields.io/badge/AppVersion-v6.0.1-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v6.x](https://img.shields.io/badge/AppVersion-v6.x-informational?style=flat-square)
 This helm chart will help you install the HAPI FHIR JPA Server in a Kubernetes environment.
@@ -32,7 +32,7 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy to use |
 | image.registry | string | `"docker.io"` | registry where the HAPI FHIR server image is hosted |
 | image.repository | string | `"hapiproject/hapi"` | the path inside the repository |
-| image.tag | string | `""` | defaults to `Chart.appVersion`. As of v5.7.0, this is the `distroless` flavor |
+| image.tag | string | `"v6.0.1@sha256:63c98d8be3dadc77b47dca3115490f22bf99512f363f779f7bbcb42f569aeac3"` | the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image. |
 | imagePullSecrets | list | `[]` | image pull secrets to use when pulling the image |
 | ingress.annotations | object | `{}` | provide any additional annotations which may be required. Evaluated as a template. |
 | ingress.enabled | bool | `false` | whether to create an Ingress to expose the FHIR server HTTP endpoint |
@@ -60,6 +60,8 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | postgresql.enabled | bool | `true` | enable an included PostgreSQL DB. see for details if set to `false`, the values under `externalDatabase` are used |
 | postgresql.primary.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
 | postgresql.primary.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
+| postgresql.primary.containerSecurityContext.runAsNonRoot | bool | `true` | |
+| postgresql.primary.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
 | readinessProbe.failureThreshold | int | `5` | |
 | readinessProbe.initialDelaySeconds | int | `30` | |
 | readinessProbe.periodSeconds | int | `20` | |
@@ -69,9 +71,12 @@ helm install --render-subchart-notes hapi-fhir-jpaserver hapifhir/hapi-fhir-jpas
 | resources | object | `{}` | configure the FHIR server's resource requests and limits |
 | securityContext.allowPrivilegeEscalation | bool | `false` | |
 | securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| securityContext.privileged | bool | `false` | |
 | securityContext.readOnlyRootFilesystem | bool | `true` | |
+| securityContext.runAsGroup | int | `65532` | |
 | securityContext.runAsNonRoot | bool | `true` | |
 | securityContext.runAsUser | int | `65532` | |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
 | service.port | int | `8080` | port where the server will be exposed at |
 | service.type | string | `"ClusterIP"` | service type |
 | startupProbe.failureThreshold | int | `10` | |
@@ -95,4 +100,4 @@ INFO[2021-11-20T12:38:04Z] Generating README Documentation for chart /usr/src/ap
 ```
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.9.1](https://github.com/norwoodj/helm-docs/releases/v1.9.1)
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/hapi-fhir-jpaserver/templates/deployment.yaml b/charts/hapi-fhir-jpaserver/templates/deployment.yaml
index 741eb71..fa88745 100644
--- a/charts/hapi-fhir-jpaserver/templates/deployment.yaml
+++ b/charts/hapi-fhir-jpaserver/templates/deployment.yaml
@@ -30,18 +30,12 @@ spec:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 initContainers:
 - name: wait-for-db-to-be-ready
- image: docker.io/bitnami/postgresql:14.3.0-debian-10-r20
+ image: docker.io/bitnami/postgresql:14.5.0@sha256:4355265e33e9c2a786aa145884d4b36ffd4c41c516b35d60df0b7495141ec738
 imagePullPolicy: IfNotPresent
+ {{- with .Values.restrictedContainerSecurityContext }}
 securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- privileged: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- runAsUser: 1001
- runAsGroup: 1001
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 env:
 - name: PGHOST
 value: "{{ include "hapi-fhir-jpaserver.database.host" . }}"
@@ -60,13 +54,13 @@ spec:
 - name: {{ .Chart.Name }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
- image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
+ image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - name: http
 containerPort: 8080
 protocol: TCP
- - name: metrics
+ - name: http-metrics
 containerPort: 8081
 protocol: TCP
 startupProbe:
diff --git a/charts/hapi-fhir-jpaserver/templates/service.yaml b/charts/hapi-fhir-jpaserver/templates/service.yaml
index d7ecaa5..b18b1e7 100644
--- a/charts/hapi-fhir-jpaserver/templates/service.yaml
+++ b/charts/hapi-fhir-jpaserver/templates/service.yaml
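Review bot: Guarding `securityContext:` with `{{- with .Values.restrictedContainerSecurityContext }}` turns the hardening into an opt-out: a values override that sets `restrictedContainerSecurityContext` to `null` or `{}` renders the init container with no securityContext at all, so the dropped capabilities, read-only root filesystem and seccomp profile vanish silently, contrary to the restricted-PSS goal stated in the changelog. Rendering it unconditionally, `securityContext:` followed by `{{- toYaml .Values.restrictedContainerSecurityContext | nindent 12 }}`, or defining the fixed context as a named template that values cannot clear, keeps the policy non-removable; the same `with` guard is repeated for all three containers in the test-endpoints hunks. Separately, this container's uid moves from 1001 to 65534 (via the new value in values.yaml) at the same time as the bitnami image is repinned, and the container's command lies outside this hunk, so I would confirm the readiness check still runs as that uid with `readOnlyRootFilesystem: true`.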
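Review bot: With `default .Chart.AppVersion` removed, an `image.tag` override of `""` now renders `docker.io/hapiproject/hapi:` with a dangling colon, which is only caught when the kubelet fails to pull; since `appVersion` becomes `v6.x` in this patch and is no longer a usable fallback, fail at render time instead with `image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ required "image.tag must be set" .Values.image.tag }}`. The `metrics` to `http-metrics` rename also changes a name that user-managed ServiceMonitor or NetworkPolicy objects may reference by port name, so the changelog entry for it likely deserves the BREAKING CHANGE prefix the earlier entries use.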
@@ -12,8 +12,8 @@ spec:
 protocol: TCP
 name: http
 - port: {{ .Values.metrics.service.port }}
- targetPort: metrics
+ targetPort: http-metrics
 protocol: TCP
- name: metrics
+ name: http-metrics
 selector:
 {{- include "hapi-fhir-jpaserver.selectorLabels" . | nindent 4 }}
diff --git a/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml b/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml
index e161fee..8bfad8b 100644
--- a/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml
+++ b/charts/hapi-fhir-jpaserver/templates/servicemonitor.yaml
@@ -13,7 +13,7 @@ metadata:
 {{- end }}
 spec:
 endpoints:
- - port: metrics
+ - port: http-metrics
 path: /actuator/prometheus
 {{- if .Values.metrics.serviceMonitor.interval }}
 interval: {{ .Values.metrics.serviceMonitor.interval }}
diff --git a/charts/hapi-fhir-jpaserver/templates/tests/test-endpoints.yaml b/charts/hapi-fhir-jpaserver/templates/tests/test-endpoints.yaml
index 911f59d..30aab5a 100644
--- a/charts/hapi-fhir-jpaserver/templates/tests/test-endpoints.yaml
+++ b/charts/hapi-fhir-jpaserver/templates/tests/test-endpoints.yaml
@@ -11,17 +11,13 @@ spec:
 restartPolicy: Never
 containers:
 - name: test-metadata-endpoint
- image: busybox:1
- command: ['wget', '-O', '-']
- args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/metadata']
+ image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
+ command: ["curl", "--fail-with-body"]
+ args: ["http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/metadata?_summary=true"]
+ {{- with .Values.restrictedContainerSecurityContext }}
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsUser: 22222
- runAsNonRoot: true
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 resources:
 limits:
 cpu: 100m
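Review bot: The new `command: ["curl", "--fail-with-body"]` sets no `--max-time`, so a test container whose target never answers hangs until `helm test` itself times out instead of failing fast with the response body the flag was added for; `command: ["curl", "--fail-with-body", "-sS", "--max-time", "30"]` keeps the body-on-failure behaviour, drops the progress meter from the test log and bounds the run (30 is a sample value). `--fail-with-body` requires curl 7.76.0 or newer, which the pinned 7.84.0 image satisfies. The same image digest and command are repeated verbatim for all three containers in this file (the next hunk adds two more), so a single chart value or named template for the test image would keep the pins in step when one is bumped. The container definition continues past the end of this hunk.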
@@ -36,17 +32,34 @@ spec:
 exec:
 command: ["true"]
 - name: test-patient-endpoint
- image: busybox:1
- command: ['wget', '-O', '-']
- args: ['http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/Patient?_count=1']
+ image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
+ command: ["curl", "--fail-with-body"]
+ args: ["http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.service.port }}/fhir/Patient?_count=1&_summary=true"]
+ {{- with .Values.restrictedContainerSecurityContext }}
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsUser: 22222
- runAsNonRoot: true
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ livenessProbe:
+ exec:
+ command: ["true"]
+ readinessProbe:
+ exec:
+ command: ["true"]
+ - name: test-metrics-endpoint
+ image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
+ command: ["curl", "--fail-with-body"]
+ args: ["http://{{ include "hapi-fhir-jpaserver.fullname" . }}:{{ .Values.metrics.service.port }}/actuator/prometheus"]
+ {{- with .Values.restrictedContainerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 resources:
 limits:
 cpu: 100m
diff --git a/charts/hapi-fhir-jpaserver/values.yaml b/charts/hapi-fhir-jpaserver/values.yaml
index 55863c8..231b781 100644
--- a/charts/hapi-fhir-jpaserver/values.yaml
+++ b/charts/hapi-fhir-jpaserver/values.yaml
@@ -6,8 +6,8 @@ image:
 registry: docker.io
 # -- the path inside the repository
 repository: hapiproject/hapi
- # -- defaults to `Chart.appVersion`. As of v5.7.0, this is the `distroless` flavor
- tag: ""
+ # -- the image tag. As of v5.7.0, this is the `distroless` flavor by default, add `-tomcat` to use the Tomcat-based image.
+ tag: "v6.0.1@sha256:63c98d8be3dadc77b47dca3115490f22bf99512f363f779f7bbcb42f569aeac3"
 # -- image pullPolicy to use
 pullPolicy: IfNotPresent
@@ -39,6 +39,10 @@ securityContext:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65532
+ runAsGroup: 65532
+ privileged: false
+ seccompProfile:
+ type: RuntimeDefault
 # service to expose the server
 service:
@@ -123,6 +127,9 @@ postgresql:
 capabilities:
 drop:
 - ALL
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 readinessProbe:
 failureThreshold: 5
@@ -187,3 +194,17 @@ metrics:
 # scrapeTimeout: 10s
 service:
 port: 8081
+
+# @ignore
+restrictedContainerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
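Review bot: The new `# --` comment for `image.tag` does not say what the `@sha256:` part does: when a digest is present the container runtime resolves the image by digest and the `v6.0.1` tag is informational only, so bumping the tag without also updating the digest changes nothing about what runs. Suggested wording: `# -- the image tag, optionally pinned as tag@sha256:<digest>; when a digest is present the image is pulled by digest and the tag part is informational only.`, followed by the existing sentence about the distroless flavor and the `-tomcat` variant. Because helm-docs copies this comment into the README table, the note reaches users without a separate edit.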
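Review bot: `# @ignore` hides `restrictedContainerSecurityContext` from the generated README while the templates still render whatever a user puts there, so the value ends up both undocumented and overridable. Either drop `@ignore` and document it, `# -- container securityContext applied to the wait-for-db init container and the Helm test containers; kept at the "restricted" Pod Security Standard`, or move the fixed context into a named template so it cannot be cleared from values. The `runAsUser`/`runAsGroup` of 65534 here also differ from the 65532 used for the server's `securityContext` two hunks up; if that split is intentional (presumably nobody vs. the distroless nonroot uid), a one-line comment saying so would keep a future cleanup from "aligning" them.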