feat(argo-cd): prepare (dex) for readOnlyRootFilesystem (#623)

2021-03-10 11:16:21 +01:00 · 2021-03-10 11:16:21 +01:00 · 650abd1eb1
parent eb16df15da
commit 650abd1eb1
3 changed files with 16 additions and 7 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 1.8.4
 description: A Helm chart for ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 2.16.1
+version: 2.17.0
 home: https://github.com/argoproj/argo-helm
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 keywords:
--- a/charts/argo-cd/templates/dex/deployment.yaml
+++ b/charts/argo-cd/templates/dex/deployment.yaml
@ -86,10 +86,12 @@ spec:
          containerPort: {{ .Values.dex.containerPortMetrics }}
          protocol: TCP
        {{- end }}
-{{- if .Values.dex.volumeMounts }}
        volumeMounts:
-{{- toYaml .Values.dex.volumeMounts | nindent 10 }}
-{{- end }}
+        - mountPath: /tmp
+          name: tmp-dir
+        {{- if .Values.dex.volumeMounts }}
+        {{- toYaml .Values.dex.volumeMounts | nindent 8 }}
+        {{- end }}
        resources:
 {{- toYaml .Values.dex.resources | nindent 10 }}
    {{- if .Values.dex.nodeSelector }}
@ -105,10 +107,12 @@ spec:
 {{- toYaml .Values.dex.affinity | nindent 8 }}
    {{- end }}
      serviceAccountName: {{ template "argo-cd.dexServiceAccountName" . }}
-{{- if .Values.dex.volumes }}
      volumes:
-{{- toYaml .Values.dex.volumes | nindent 8}}
-{{- end }}
+      - emptyDir: {}
+        name: tmp-dir
+      {{- if .Values.dex.volumes }}
+      {{- toYaml .Values.dex.volumes | nindent 6 }}
+      {{- end }}
 {{- if .Values.dex.priorityClassName }}
      priorityClassName: {{ .Values.dex.priorityClassName }}
 {{- end }}
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -75,6 +75,7 @@ controller:
    # capabilities:
    #   drop:
    #     - all
+    # readOnlyRootFilesystem: true

  ## Configures the controller port
  containerPort: 8082
@ -254,6 +255,7 @@ dex:
    # capabilities:
    #   drop:
    #     - all
+    # readOnlyRootFilesystem: true

  resources: {}
  #  limits:
@ -303,6 +305,7 @@ redis:
    # capabilities:
    #   drop:
    #     - all
+    # readOnlyRootFilesystem: true

  ## Redis Pod specific security context
  securityContext:
@ -426,6 +429,7 @@ server:
    # capabilities:
    #   drop:
    #     - all
+    # readOnlyRootFilesystem: true

  resources: {}
  #  limits:
@ -786,6 +790,7 @@ repoServer:
    # capabilities:
    #   drop:
    #     - all
+    # readOnlyRootFilesystem: true

  resources: {}
  #  limits: