wip

2025-02-23 09:34:01 -06:00 · 2025-02-23 09:34:01 -06:00 · 01e146db7c
commit 01e146db7c
parent 5507c7c7dc
6 changed files with 129 additions and 8 deletions
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@ -1,6 +1,10 @@
 apiVersion: v2
+maintainers:
+  - name: Waylon Walker
+    email: waylon@waylonwalker.com
+kubeVersion: ">=1.19.0"
 icon: https://raw.githubusercontent.com/waylon/k8s-basic/master/helm-chart/logo.png
-name: k8s-pages
+name: k8s-basic
 description: A helm chart for basic container deployment
 type: application
 version: 1.0.0
--- a/helm-chart/templates/NOTES.txt
+++ b/helm-chart/templates/NOTES.txt
@ -0,0 +1,23 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your application has been deployed with the following configuration:
+- Name: {{ .Values.name }}
+- Domain: {{ .Values.domain }}
+- Port: {{ .Values.port }}
+
+To access your application:
+  https://{{ .Values.name }}.{{ .Values.domain }}
+
+To check the status of your pods:
+  kubectl get pods -n {{ .Values.namespace | default .Values.name }} -l service={{ .Values.name }}
+
+To view the logs:
+  kubectl logs -n {{ .Values.namespace | default .Values.name }} -l service={{ .Values.name }}
+
+For troubleshooting:
+1. Check pod status:
+   kubectl describe pod -n {{ .Values.namespace | default .Values.name }} -l service={{ .Values.name }}
+2. Check ingress status:
+   kubectl describe ingress -n {{ .Values.namespace | default .Values.name }} {{ .Values.name }}
+3. Check service status:
+   kubectl describe service -n {{ .Values.namespace | default .Values.name }} {{ .Values.name }}
--- a/helm-chart/templates/deployment.yaml
+++ b/helm-chart/templates/deployment.yaml
@ -15,9 +15,13 @@ spec:
      labels:
        service: {{ .Values.name }}
    spec:
+      securityContext:
+{{ toYaml .Values.podSecurityContext | indent 8 }}
      containers:
        - image: {{ .Values.image.repository }}/{{ .Values.image.name | default .Values.name }}:{{ .Values.image.tag }}
          name: {{ .Values.name }}
+          securityContext:
+{{ toYaml .Values.containerSecurityContext | indent 12 }}
          ports:
            - containerPort: {{ .Values.port }}
              protocol: TCP
@ -30,21 +34,39 @@ spec:
              memory: {{ .Values.memoryLimit }}
          livenessProbe:
            httpGet:
-              path: /health
+              path: {{ .Values.probes.liveness.path }}
              port: {{ .Values.port }}
-            initialDelaySeconds: 15
-            periodSeconds: 20
+            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+            timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+            failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+            successThreshold: {{ .Values.probes.liveness.successThreshold }}
          readinessProbe:
            httpGet:
-              path: /ready
+              path: {{ .Values.probes.readiness.path }}
              port: {{ .Values.port }}
-            initialDelaySeconds: 5
-            periodSeconds: 10
+            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+            timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+            failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+            successThreshold: {{ .Values.probes.readiness.successThreshold }}
          startupProbe:
            httpGet:
-              path: /ready
+              path: {{ .Values.probes.readiness.path }}
              port: {{ .Values.port }}
            failureThreshold: 30
            periodSeconds: 10
      imagePullSecrets:
        - name: {{ .Values.imagePullSecret }}
+{{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
--- a/helm-chart/templates/networkpolicy.yaml
+++ b/helm-chart/templates/networkpolicy.yaml
@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Values.namespace | default .Values.name }}
+  labels:
+    service: {{ .Values.name }}
+spec:
+  podSelector:
+    matchLabels:
+      service: {{ .Values.name }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: ingress-nginx
+      ports:
+        - protocol: TCP
+          port: {{ .Values.port }}
+  egress:
+    - to:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
--- a/helm-chart/templates/pdb.yaml
+++ b/helm-chart/templates/pdb.yaml
@ -0,0 +1,12 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ .Values.name }}
+  namespace: {{ .Values.namespace | default .Values.name }}
+  labels:
+    service: {{ .Values.name }}
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      service: {{ .Values.name }}
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@ -15,3 +15,32 @@ cpuLimit: 500m
 memoryRequest: 100Mi
 memoryLimit: 500Mi
 targetMemoryUtilization: 400
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 10000
+  fsGroup: 10000
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+
+probes:
+  liveness:
+    path: /health
+    initialDelaySeconds: 15
+    periodSeconds: 20
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+  readiness:
+    path: /ready
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 3
+    failureThreshold: 3
+    successThreshold: 1
+
+nodeSelector: {}
+tolerations: []
+affinity: {}