[skip-ci] Update artifacts

Merge pull request #386 from d3adb5/feat/set-rootfs-ro
feat: set read-only root filesystem at container level
2026-04-26 20:06:34 +00:00 · 2023-02-26 11:35:45 +00:00 · 2023-02-26 12:16:42 +01:00 · 2023-02-26 10:59:11 +00:00 · 2023-02-26 11:39:45 +01:00 · 2023-02-08 14:15:28 -08:00
13 changed files with 95 additions and 44 deletions
--- a/deployments/kubernetes/chart/reloader/Chart.yaml
+++ b/deployments/kubernetes/chart/reloader/Chart.yaml
@@ -3,8 +3,8 @@
 apiVersion: v1
 name: reloader
 description: Reloader chart that runs on kubernetes
-version: v1.0.5
-appVersion: v1.0.5
+version: v1.0.7
+appVersion: v1.0.7
 keywords:
  - Reloader
  - kubernetes
--- a/deployments/kubernetes/chart/reloader/templates/deployment.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/deployment.yaml
@@ -128,8 +128,6 @@ spec:

        ports:
        - name: http
-          containerPort: 9091
-        - name: metrics
          containerPort: 9090
        livenessProbe:
          httpGet:
@@ -142,15 +140,19 @@ spec:
        readinessProbe:
          httpGet:
            path: /metrics
-            port: metrics
+            port: http
          timeoutSeconds: {{ .Values.reloader.deployment.readinessProbe.timeoutSeconds | default "5" }}
          failureThreshold: {{ .Values.reloader.deployment.readinessProbe.failureThreshold | default "5" }}
          periodSeconds: {{ .Values.reloader.deployment.readinessProbe.periodSeconds | default "10" }}
          successThreshold: {{ .Values.reloader.deployment.readinessProbe.successThreshold | default "1" }}

-      {{- with .Values.reloader.deployment.containerSecurityContext }}
-        securityContext: {{ toYaml . | nindent 10 }}
-      {{- end }}
+        {{- $containerSecurityContext := .Values.reloader.deployment.containerSecurityContext | default dict }}
+        {{- if .Values.reloader.readOnlyRootFileSystem }}
+          {{- $_ := set $containerSecurityContext "readOnlyRootFilesystem" true }}
+        {{- end }}
+
+        securityContext:
+          {{- toYaml $containerSecurityContext | nindent 10 }}

      {{- if eq .Values.reloader.readOnlyRootFileSystem true }}
        volumeMounts:
--- a/deployments/kubernetes/chart/reloader/tests/deployment_test.yaml
+++ b/deployments/kubernetes/chart/reloader/tests/deployment_test.yaml
@@ -0,0 +1,50 @@
+suite: Deployment
+
+templates:
+  - deployment.yaml
+
+tests:
+  - it: sets readOnlyRootFilesystem in container securityContext when reloader.readOnlyRootFileSystem is true
+    set:
+      reloader:
+        readOnlyRootFileSystem: true
+        deployment:
+          containerSecurityContext:
+            readOnlyRootFilesystem: false
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+
+  - it: sets readOnlyRootFilesystem in container securityContext even if reloader.deployment.containerSecurityContext is null
+    set:
+      reloader:
+        readOnlyRootFileSystem: true
+        deployment:
+          containerSecurityContext: null
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+
+  - it: does not override readOnlyRootFilesystem in container securityContext based on reloader.readOnlyRootFileSystem
+    set:
+      reloader:
+        readOnlyRootFileSystem: false
+        deployment:
+          containerSecurityContext:
+            readOnlyRootFilesystem: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+
+  - it: template is still valid with no defined containerSecurityContext
+    set:
+      reloader:
+        readOnlyRootFileSystem: false
+        deployment:
+          containerSecurityContext: null
+    asserts:
+      - isEmpty:
+          path: spec.template.spec.containers[0].securityContext
--- a/deployments/kubernetes/chart/reloader/values.yaml
+++ b/deployments/kubernetes/chart/reloader/values.yaml
@@ -66,10 +66,10 @@ reloader:
    labels:
      provider: stakater
      group: com.stakater.platform
-      version: v1.0.5
+      version: v1.0.7
    image:
      name: stakater/reloader
-      tag: v1.0.5
+      tag: v1.0.7
      pullPolicy: IfNotPresent
    # Support for extra environment variables.
    env:
--- a/deployments/kubernetes/manifests/clusterrole.yaml
+++ b/deployments/kubernetes/manifests/clusterrole.yaml
@@ -9,7 +9,7 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
--- a/deployments/kubernetes/manifests/clusterrolebinding.yaml
+++ b/deployments/kubernetes/manifests/clusterrolebinding.yaml
@@ -9,7 +9,7 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
--- a/deployments/kubernetes/manifests/deployment.yaml
+++ b/deployments/kubernetes/manifests/deployment.yaml
@@ -8,13 +8,13 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
    group: com.stakater.platform
    provider: stakater
-    version: v1.0.5
+    version: v1.0.7
  name: reloader-reloader
  namespace: default
 spec:
@@ -28,23 +28,21 @@ spec:
    metadata:
      labels:
        app: reloader-reloader
-        chart: "reloader-v1.0.5"
+        chart: "reloader-v1.0.7"
        release: "reloader"
        heritage: "Helm"
        app.kubernetes.io/managed-by: "Helm"
        group: com.stakater.platform
        provider: stakater
-        version: v1.0.5
+        version: v1.0.7
    spec:
      containers:
-      - image: "stakater/reloader:v1.0.5"
+      - image: "stakater/reloader:v1.0.7"
        imagePullPolicy: IfNotPresent
        name: reloader-reloader

        ports:
        - name: http
-          containerPort: 9091
-        - name: metrics
          containerPort: 9090
        livenessProbe:
          httpGet:
@@ -57,11 +55,14 @@ spec:
        readinessProbe:
          httpGet:
            path: /metrics
-            port: metrics
+            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
+
+        securityContext:
+          {}
      securityContext: 
        runAsNonRoot: true
        runAsUser: 65534
--- a/deployments/kubernetes/manifests/serviceaccount.yaml
+++ b/deployments/kubernetes/manifests/serviceaccount.yaml
@@ -8,7 +8,7 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
--- a/deployments/kubernetes/reloader.yaml
+++ b/deployments/kubernetes/reloader.yaml
@@ -8,7 +8,7 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
@@ -25,7 +25,7 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
@@ -80,7 +80,7 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
@@ -104,13 +104,13 @@ metadata:
    meta.helm.sh/release-name: "reloader"
  labels:
    app: reloader-reloader
-    chart: "reloader-v1.0.5"
+    chart: "reloader-v1.0.7"
    release: "reloader"
    heritage: "Helm"
    app.kubernetes.io/managed-by: "Helm"
    group: com.stakater.platform
    provider: stakater
-    version: v1.0.5
+    version: v1.0.7
  name: reloader-reloader
  namespace: default
 spec:
@@ -124,23 +124,21 @@ spec:
    metadata:
      labels:
        app: reloader-reloader
-        chart: "reloader-v1.0.5"
+        chart: "reloader-v1.0.7"
        release: "reloader"
        heritage: "Helm"
        app.kubernetes.io/managed-by: "Helm"
        group: com.stakater.platform
        provider: stakater
-        version: v1.0.5
+        version: v1.0.7
    spec:
      containers:
-      - image: "stakater/reloader:v1.0.5"
+      - image: "stakater/reloader:v1.0.7"
        imagePullPolicy: IfNotPresent
        name: reloader-reloader

        ports:
        - name: http
-          containerPort: 9091
-        - name: metrics
          containerPort: 9090
        livenessProbe:
          httpGet:
@@ -153,11 +151,14 @@ spec:
        readinessProbe:
          httpGet:
            path: /metrics
-            port: metrics
+            port: http
          timeoutSeconds: 5
          failureThreshold: 5
          periodSeconds: 10
          successThreshold: 1
+
+        securityContext:
+          {}
      securityContext: 
        runAsNonRoot: true
        runAsUser: 65534
--- a/internal/pkg/cmd/reloader.go
+++ b/internal/pkg/cmd/reloader.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"os"
 	"strings"

@@ -177,7 +178,8 @@ func startReloader(cmd *cobra.Command, args []string) {
 		go leadership.RunLeaderElection(lock, ctx, cancel, podName, controllers)
 	}

-	logrus.Fatal(leadership.Healthz())
+	leadership.SetupLivenessEndpoint()
+	logrus.Fatal(http.ListenAndServe(constants.DefaultHttpListenAddr, nil))
 }

 func getIgnoredNamespacesList(cmd *cobra.Command) (util.List, error) {
--- a/internal/pkg/constants/constants.go
+++ b/internal/pkg/constants/constants.go
@@ -1,6 +1,9 @@
 package constants

 const (
+	// DefaultHttpListenAddr is the default listening address for global http server
+	DefaultHttpListenAddr = ":9090"
+
 	// ConfigmapEnvVarPostfix is a postfix for configmap envVar
 	ConfigmapEnvVarPostfix = "CONFIGMAP"
 	// SecretEnvVarPostfix is a postfix for secret envVar
--- a/internal/pkg/leadership/leadership.go
+++ b/internal/pkg/leadership/leadership.go
@@ -15,8 +15,6 @@ import (
 	coordinationv1 "k8s.io/client-go/kubernetes/typed/coordination/v1"
 )

-const healthPort string = ":9091"
-
 var (
 	// Used for liveness probe
 	m       sync.Mutex
@@ -88,12 +86,11 @@ func stopControllers(stopChannels []chan struct{}) {
 	}
 }

-// Healthz serves the liveness probe endpoint. If leadership election is
+// Healthz sets up the liveness probe endpoint. If leadership election is
 // enabled and a replica stops leading the liveness probe will fail and the
 // kubelet will restart the container.
-func Healthz() error {
+func SetupLivenessEndpoint() {
 	http.HandleFunc("/live", healthz)
-	return http.ListenAndServe(healthPort, nil)
 }

 func healthz(w http.ResponseWriter, req *http.Request) {
--- a/internal/pkg/metrics/prometheus.go
+++ b/internal/pkg/metrics/prometheus.go
@@ -3,7 +3,6 @@ package metrics
 import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/sirupsen/logrus"
 	"net/http"
 )

@@ -33,11 +32,7 @@ func NewCollectors() Collectors {
 func SetupPrometheusEndpoint() Collectors {
 	collectors := NewCollectors()
 	prometheus.MustRegister(collectors.Reloaded)
-
-	go func() {
-		http.Handle("/metrics", promhttp.Handler())
-		logrus.Fatal(http.ListenAndServe(":9090", nil))
-	}()
+	http.Handle("/metrics", promhttp.Handler())

 	return collectors
 }
Author	SHA1	Message	Date
stakater-user	fdc8a61fc6	[skip-ci] Update artifacts	2023-02-26 11:35:45 +00:00
Faizan Ahmad	c7f507a4b9	Merge pull request #386 from d3adb5/feat/set-rootfs-ro feat: set read-only root filesystem at container level	2023-02-26 12:16:42 +01:00
stakater-user	70aef8a871	[skip-ci] Update artifacts	2023-02-26 10:59:11 +00:00
Faizan Ahmad	54d0681340	Merge pull request #385 from d3adb5/chore/stop-listening-on-9091 chore: listen on only 9090 for /metrics and /live	2023-02-26 11:39:45 +01:00
d3adb5	5a9ccbf01f	fix: properly capitalize 'filesystem' in values Use the proper capitalization in the reference to the value reloader.readOnlyRootFileSystem: FileSystem instead of Filesystem.	2023-02-08 14:15:28 -08:00
d3adb5	451e4f636b	feat: set read-only root filesystem at container level Change the securityContext field of the Reloader container if reloader.readOnlyFilesystem is set to true. The change takes effect even if not container securityContext is defined. Closes #339.	2023-02-07 00:16:16 -08:00
d3adb5	2f8999e3cb	chore: listen on only 9090 for /metrics and /live Previously, 9091 and 9090 both led to the same web server, meaning both /metrics and /live were reachable and fully functional through both. This commit changes that so that only port 9090 is used for both. Closes #381.	2023-02-07 00:15:17 -08:00