170 merge xnat-web sub chart; 169 Secrets management for DB and plugins#171
Merged
… secret for automating postgres secret if not present (currently disabled)
rectified highlighted issues with helm lint and snyk iac tests; added git hooks for automated lint and other testing
…admin/admin) xnat-web shorten init container names by removing .Chart.Name prefix Use YAML syntax to make some args more readable in Deployment Clean up XNAT home folder generation code removing failing chmod operations Remove default resources settings from the values file as per best practice Modify xnat-web startup to allow more time for database migrations, etc
…able move all plugin configuration to a ConfigMap and apply Secrets on pod initialisation fix Admin account Secret from being overwritten on helm update sanitise some volume mount paths for more logical and readable code fix xnat connection test
fixed issue with "xnat-web" in helm parser (bad character U+002D, i.e. the hyphen); shortened .Values lines within templates for xnat-web references
fix volume permission readOnly for logging side container
Do we want the out-of-the-box values file to include a sensible default for
Additions.
The initial deployment security hardening enhancement ensures a Secrets-based, complex initial password for the initial Admin user. This replaces the default credentials and removes the need to restrict access during the pre-configuration process.
ISSUE 170
Merged xnat-web sub-chart into xnat/templates/xnat-web
Work around the parser issue of a key containing a hyphen "xnat-web"
Update helper templates and template paths for the new structure
ISSUE 169
Update secrets integration into PostgreSQL configuration.
While secrets can be added via the manifest directly, as done previously, support for a pre-existing secret has also been provided.
To facilitate configuration and secret merge operations, an init container utilises a ConfigMap automatically generated from the config directory in the root folder and, with the use of the envsubst command, merges Secrets held in environment variables. These files are then presented via a read-only EmptyDir volume at the required mount point /data/xnat/home/config. Alterations to some of the default values files have also been made.
Current best practice for security hardening has been implemented, including mandating that the containers run as non-root users. This could have implications for deployments that have not set the runAsUser, runAsGroup and fsGroup settings and that have filesystems with static UID/GID mappings, e.g. an NFS statically provisioned Volume.
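As an added illustration of the init-container pattern the description above outlines (this is not the chart's own templates; the image names, the Secret name and key, the property names and the UID/GID values are assumed placeholders), a minimal manifest. It goes slightly beyond the description by restricting envsubst to the named variables and by failing the init container when the database password is not set, so a missing Secret does not render an empty password into the config:

```yaml
apiVersion: v1
kind: ConfigMap
metadata: {name: xnat-config}   # assumed name; the chart generates this from the config directory
data:
  xnat-conf.properties: |
    datasource.username=${XNAT_DATASOURCE_USERNAME}
    datasource.password=${XNAT_DATASOURCE_PASSWORD}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: xnat-web}
spec:
  selector: {matchLabels: {app: xnat-web}}
  template:
    metadata: {labels: {app: xnat-web}}
    spec:
      securityContext:           # non-root; align these with the volume's static UID/GID on NFS
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
      - name: config-init
        image: example/envsubst:latest   # assumed image that ships envsubst
        command: ["sh", "-c"]
        args:
        - |
          : "${XNAT_DATASOURCE_PASSWORD:?not set}"   # fail fast instead of rendering an empty password
          for f in /templates/*; do
            envsubst '$XNAT_DATASOURCE_USERNAME $XNAT_DATASOURCE_PASSWORD' \
              < "$f" > "/config/$(basename "$f")"
          done
        env:
        - name: XNAT_DATASOURCE_USERNAME
          value: xnat
        - name: XNAT_DATASOURCE_PASSWORD
          valueFrom:
            secretKeyRef: {name: xnat-db-credentials, key: password}   # assumed pre-existing Secret
        volumeMounts:
        - {name: config-templates, mountPath: /templates, readOnly: true}
        - {name: rendered-config, mountPath: /config}
      containers:
      - name: xnat-web
        image: example/xnat-web:latest   # assumed image name
        volumeMounts:
        - {name: rendered-config, mountPath: /data/xnat/home/config, readOnly: true}
      volumes:
      - {name: config-templates, configMap: {name: xnat-config}}
      - {name: rendered-config, emptyDir: {medium: Memory}}
```

The rendered config lives only in a memory-backed emptyDir that the application container mounts read-only, so the secret never lands on node disk and the main container cannot alter its own configuration.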