Chart and doc updates

- Add securityContext. Remove of Ingress deployment in values.yaml
- Update Ingress rules apiVersion
- Update README and deployment documentation
- Update condition for OpenShift Route

charts/tesk/README.md

@@ -59,7 +59,6 @@ See [`values.yaml`](values.yaml) for default values.
 | Key | Type | Description |
 | --- | --- | --- |
 | host_name | string | FQDN to expose the application |
-| clusterType | string |type of Kubernetes cluster; either 'kubernetes' or 'openshift'|
 | storageClass | string | Name of a user preferred storage class (default is empty) |
 | storage | string | Can be either 'openstack' or 's3' |
 | tesk.image | string | container image (including the version) to be used to run TESK API |
@@ -69,6 +68,7 @@ See [`values.yaml`](values.yaml) for default values.
 | tesk.executor_retries| int | The number of retries on error - actual task compute (executor)|
 | tesk.filer_retries| int | The number of retries on error while handling I/O (filer)|
 | tesk.debug | boolean | Activates the debugging mode |
+| tesk.securityContext.enabled | boolean | Enable securityContext |
 | transfer.wes_base_path | string | |
 | transfer.tes_base_path | string | |
 | transfer.pvc_name | string | |
@@ -79,10 +79,8 @@ See [`values.yaml`](values.yaml) for default values.
 | ftp.classic_ftp_secret | String | The name of a secret to store FTP credentials as keys. If empty, the old-style FTP secret is not created |
 | ftp.netrc_secret | String | The name of a secret to store FTP credentials as a netrc file. If empty, the netrc FTP secret is not created |
 | ftp.hostip | string | IP of the endpoint of the ftp as seen by containers in K8s (only needed, if in need of a DNS entry for locally installed FTP server) |
-| ingress.active| boolean | Decides if an ingress resource for tesk-api is created
+| ingress.rules| boolean | Apply or not the ingress rule |
+| ingress.ingressClassName | string | Name of the Ingress Class |
+| ingress.path | string |  |
 | ingress.tls_secret_name | string |  If no TLS secret name configured, TLS will be switched off. A template can be found at [deployment/tls_secret_name.yml-TEMPLATE](deployment/tls_secret_name.yml-TEMPLATE). If you are using cert-manager the secret will be created automatically.|
-| ingress.deploy_ingress.active | boolean | Activates deployment of an ingress controller
-| ingress.deploy_ingress.nginx_image | string | Image to use for the nginx ingress |
-| ingress.deploy_ingress.external_ip | string | We used externalIP to expose Ingress on 80/443 port. On OpenStack internal IP of masternode (10.x.x.x) worked for us. Could be any node, but calls to the service have to be using it. In our case DNS entry is assigned to master's external IP. Use NodePort as an alternative.|
-| ingress.deploy_ingress.node_port | integer | |
-| ingress.deploy_ingress.scope | string | The following variables are specific to each deployment. Use "Cluster" if you want Ingress to listen to all namespaces (requires ClusterAdmin). Leave it blank if you want Ingress to listen only to its own namespace. |
+| ingress.annotations | string | Annotations for the ingress rules |

charts/tesk/templates/common/tesk-deployment.yaml

@@ -87,6 +87,13 @@ spec:
               name: oauth-client-secret
               key: secret
               optional: true
+        {{- if .Values.tesk.securityContext.enabled }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        {{- end }}
         volumeMounts:
           - name: service-info-config
             mountPath: /etc/tesk/service-info
@@ -97,3 +104,10 @@ spec:
         - name: service-info-config
           configMap:
             name: service-info-config
+      {{- if .Values.tesk.securityContext.enabled }}
+      securityContext:
+        runAsUser: 1000
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      {{- end }}   

charts/tesk/templates/ingress/ingress-rules.yaml

@@ -1,23 +1,29 @@
-{{ if .Values.ingress.active }}
-apiVersion: extensions/v1beta1
+{{ if .Values.ingress.rules }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-rules {{ if .Values.ingress.annotations }}
   annotations:
   {{- range $key, $value := .Values.ingress.annotations }}
     {{ $key }}: {{ $value | quote }}
   {{- end }} {{ end }}
-spec: {{ if .Values.ingress.tls_secret_name }}
+spec:
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{ if .Values.ingress.tls_secret_name }}
   tls:
   - hosts:
     - {{ .Values.host_name }}
-    secretName: {{ .Values.ingress.tls_secret_name }} {{ end }}
+    secretName: {{ .Values.ingress.tls_secret_name }}
+  {{ end }}
   rules:
   - host: {{ .Values.host_name }}
     http:
       paths:
       - path: {{ .Values.ingress.path }}
+        pathType: Exact
         backend:
-          serviceName: tesk-api
-          servicePort: {{ .Values.tesk.port }}
+          service:
+            name: tesk-api
+            port:
+              number: {{ .Values.tesk.port }}
 {{ end }}

charts/tesk/templates/openshift/oc-route.yaml

@@ -1,4 +1,4 @@
-{{ if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{ if and (.Capabilities.APIVersions.Has "route.openshift.io/v1") (eq .Values.ingress.rules false) }}
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:

charts/tesk/values.yaml

@@ -29,6 +29,9 @@ tesk:
     executor_retries: 2
     filer_retries: 2
 
+    securityContext:
+      enabled: true
+
 transfer:
     # If you want local file systems support (i.e. 'file:' urls in inputs and outputs),
     # you have to define these 2 properties.
@@ -71,40 +74,15 @@ ftp:
     # You will be able to use it like this: ftp://ftp/file
     hostip:
 
-#
-# Configure this, only if you choose "kubernetes" as "clusterTYpe"
-#
 ingress:
-    active: false
-    # The path, where TESK API will be exposed.
-    # path: /tes
-    path: /
-    # If no TLS secret name configured, TLS will be switched off
-    tls_secret_name:
-    # Annotations for Ingress Resource.
-    annotations:
-        kubernetes.io/ingress.class: nginx
-        kubernetes.io/tls-acme: "true"
-
-        # Choose one of the following depending on your setup
-        # cert-manager.io/issuer: letsencrypt-production
-        cert-manager.io/cluster-issuer: letsencrypt-production
-    deploy_ingress:
-        # This provides installation of one specific Ingress Controller https://github.com/nginxinc/kubernetes-ingress
-        # You will most probably be better off installing one of your choice yourself, as we may not update this section frequently enough.
-        # Also it is likely the installation of an Ingress Controller will be removed completely from the chart
-        active: false
-        nginx_image: nginx/nginx-ingress:1.4.6
-        # the following variables are specific to each deployment
-        # We used externalIP to expose Ingress on 80/443 port. On OpenStack internal IP of master node (10.*) worked for us.
-        # Could be any node, but calls to the service have to be using it. In our case DNS entry is assigned to master's external IP
-        # Use NodePort as an alternative (breaks Swagger)
-        external_ip: 10.1.1.1
-        node_port: 30977
-        # the following variables are specific to each deployment
-        # use:
-        # - scope=Cluster, if you want Ingress to listen to all namespaces (requires ClusterAdmin)
-        # - scope= , if you want Ingress to listen only to its own namespace
-        scope: ""
-        #
-        #
+  rules: false
+  ingressClassName: ""
+  path: /
+  # If no TLS secret name configured, TLS will be switched off
+  tls_secret_name:
+  # Annotations for Ingress Resource.
+  annotations:
+      kubernetes.io/tls-acme: "true"
+      # Choose one of the following depending on your setup
+      # cert-manager.io/issuer: letsencrypt-production
+      cert-manager.io/cluster-issuer: letsencrypt-production