chore: fix chart lint issues

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>

Author: neilime

tests/charts/application/Chart.yaml

@@ -28,3 +28,4 @@ dependencies:
   - name: mysql
     version: 14.0.3
     repository: https://charts.bitnami.com/bitnami
+    condition: mysql.enabled

tests/charts/application/templates/configmap.yaml

@@ -4,7 +4,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
   name: {{ template "test-application.fullname" . }}-config
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
 data:

tests/charts/application/templates/deployment.yaml

@@ -4,7 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "test-application.fullname" . }}
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
 spec:
@@ -30,46 +30,24 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "test-application.serviceAccountName" . }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 101
-        runAsGroup: 101
-        fsGroup: 101
-      volumes:
-        - name: cache-nginx
-          emptyDir: {}
-        - name: var-run
-          emptyDir: {}
-        - name: tmp
-          emptyDir: {}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
+          {{- if .Values.image.digest }}
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}"
+          {{- else }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            seccompProfile:
-              type: RuntimeDefault
-            capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
+            {{- toYaml .Values.securityContext | nindent 12 }}
           envFrom:
             - configMapRef:
                 name: {{ template "test-application.fullname" . }}-config
           ports:
             - name: http
               containerPort: 8080
               protocol: TCP
-          volumeMounts:
-            - name: cache-nginx
-              mountPath: /var/cache/nginx
-            - name: var-run
-              mountPath: /var/run
-            - name: tmp
-              mountPath: /tmp
           livenessProbe:
             httpGet:
               path: /health/check

tests/charts/application/templates/hpa.yaml

@@ -5,6 +5,7 @@ apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "test-application.fullname" . }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
 spec:

tests/charts/application/templates/ingress.yaml

@@ -18,6 +18,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

tests/charts/application/templates/networkpolicy.yaml

@@ -0,0 +1,55 @@
+{{- if .Values.networkPolicy.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "test-application.fullname" . }}
+  namespace: {{ .Values.namespace | default "app-system" }}
+  labels:
+    {{- include "test-application.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "test-application.selectorLabels" . | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    {{- if .Values.networkPolicy.ingress }}
+    {{- range .Values.networkPolicy.ingress }}
+    - {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- else }}
+    - from:
+        - namespaceSelector: {}
+      ports:
+        - protocol: TCP
+          port: 8080
+    {{- end }}
+  egress:
+    {{- if .Values.networkPolicy.egress }}
+    {{- range .Values.networkPolicy.egress }}
+    - {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- else }}
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mysql
+      ports:
+        - protocol: TCP
+          port: 3306
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 80
+        - protocol: TCP
+          port: 443
+    {{- end }}
+{{- end }}

tests/charts/application/templates/service.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "test-application.fullname" . }}
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
 spec:

tests/charts/application/templates/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "test-application.serviceAccountName" . }}
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

tests/charts/application/templates/tests/test-connection.yaml

@@ -4,24 +4,54 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "{{ include "test-application.fullname" . }}-test-connection"
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.namespace | default "app-system" }}
   labels:
     {{- include "test-application.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
 spec:
   automountServiceAccountToken: false
   securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+    readOnlyRootFilesystem: true
+    runAsUser: 10001
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - NET_RAW
+        - ALL
   containers:
     - name: wget
       image: busybox@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7
-      command:
-        - /bin/sh
-        - -c
-        - |
-            echo "+ testing the application using wget"
-            set -x
-            wget -O /dev/null -q '{{ include "test-application.fullname" . }}:{{ .Values.service.port }}'
+      command: ['wget']
+      args: ['{{ include "test-application.fullname" . }}:{{ .Values.service.port }}']
+      readinessProbe:
+        exec:
+          command:
+            - wget
+            - -O
+            - /dev/null
+            - -q
+            - '{{ include "test-application.fullname" . }}:{{ .Values.service.port }}'
+        initialDelaySeconds: 5
+        periodSeconds: 5
+        timeoutSeconds: 1
+        successThreshold: 1
+        failureThreshold: 3
+      livenessProbe:
+        exec:
+          command:
+            - wget
+            - -O
+            - /dev/null
+            - -q
+            - '{{ include "test-application.fullname" . }}:{{ .Values.service.port }}'
+        initialDelaySeconds: 5
+        periodSeconds: 5
+        timeoutSeconds: 1
+        successThreshold: 1
+        failureThreshold: 3
       resources:
         limits:
           cpu: "100m"

tests/charts/application/values.yaml

@@ -3,6 +3,8 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 ---
+namespace: "app-system"
+
 application:
   dbConnection: mysql
   dbHost: "mysql"
@@ -19,7 +21,7 @@ image:
   registry: "ghcr.io"
   repository: "hoverkraft-tech/ci-github-container/application-test"
   tag: ""
-  digest: "sha256:0000000000000000000000000000000000000000000000000000000000000000"
+  digest: "sha256:da3b65f32ea75f8041079d220b72da4f605738996256a7dc32715424cc117271"
 
 imagePullSecrets: []
 
@@ -38,8 +40,10 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext:
-  {}
-  # fsGroup: 2000
+  runAsNonRoot: true
+  runAsUser: 10001
+  runAsGroup: 10001
+  fsGroup: 10001
 
 securityContext:
   capabilities:
@@ -98,6 +102,11 @@ tolerations: []
 
 affinity: {}
 
+networkPolicy:
+  enabled: true
+  ingress: []
+  egress: []
+
 # chart dependencies
 mysql:
   fullnameOverride: mysql