feat: expand default secContext (#658)

ory · Dec 12, 2023 · e5b2ccb · e5b2ccb
1 parent 9607ce5
commit e5b2ccb
Show file tree

Hide file tree

Showing 23 changed files with 266 additions and 94 deletions.
diff --git a/docs/helm/kratos.md b/docs/helm/kratos.md
@@ -158,6 +158,10 @@ There are three options to provide identity schemas:
 
 Note: You are free to name `<schema-id>` and `<schema-name>` whatever you want.
 
+> **Important:** Those code snippets are known to be smetimes rendered
+> incorrectly by github-pages. Please always refer to the source files in the
+> repostiory when in doubt.
+
 1. Write json to `kratos.identitySchemas`:
 
 ```yaml

diff --git a/hacks/values/kratos-selfservice-ui-node.yaml b/hacks/values/kratos-selfservice-ui-node.yaml
@@ -20,3 +20,6 @@ test:
   busybox:
     repository: docker.io/library/busybox
     tag: 1.36
+
+config:
+  csrfCookieName: "some-random-cookie-name"
diff --git a/helm/charts/hydra-maester/templates/deployment.yaml b/helm/charts/hydra-maester/templates/deployment.yaml
@@ -112,3 +112,7 @@ spec:
       dnsConfig:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+    {{- with .Values.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
diff --git a/helm/charts/hydra-maester/values.yaml b/helm/charts/hydra-maester/values.yaml
@@ -65,7 +65,19 @@ deployment:
   #   mountPath: /etc/secrets/my-secret
   #   readOnly: true
 
-  # -- Default security context
+  ## -- pod securityContext
+  podSecurityContext:
+    fsGroupChangePolicy: "OnRootMismatch"
+    runAsNonRoot: true
+    runAsUser: 65534
+    fsGroup: 65534
+    runAsGroup: 65534
+    seccompProfile:
+      type: RuntimeDefault
+    sysctls: []
+    supplementalGroups: []
+
+  ## -- container securityContext
   securityContext:
     capabilities:
       drop:
@@ -74,9 +86,12 @@ deployment:
       type: RuntimeDefault
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    runAsUser: 1000
+    runAsUser: 65534
+    runAsGroup: 65534
     allowPrivilegeEscalation: false
     privileged: false
+    seLinuxOptions:
+      level: "s0:c123,c456"
 
   # -- Node labels for pod assignment.
   nodeSelector: {}

diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml
@@ -198,7 +198,16 @@ deployment:
   initContainerSecurityContext: {}
 
   ## -- pod securityContext for hydra & migration init
-  podSecurityContext: {}
+  podSecurityContext:
+    fsGroupChangePolicy: "OnRootMismatch"
+    runAsNonRoot: true
+    runAsUser: 65534
+    fsGroup: 65534
+    runAsGroup: 65534
+    seccompProfile:
+      type: RuntimeDefault
+    sysctls: []
+    supplementalGroups: []
 
   ## -- container securityContext for hydra & migration init
   securityContext:
@@ -209,9 +218,12 @@ deployment:
       type: RuntimeDefault
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    runAsUser: 100
+    runAsUser: 65534
+    runAsGroup: 65534
     allowPrivilegeEscalation: false
     privileged: false
+    seLinuxOptions:
+      level: "s0:c123,c456"
 
   lifecycle: {}
 

diff --git a/helm/charts/keto/templates/deployment-watcher.yaml b/helm/charts/keto/templates/deployment-watcher.yaml
@@ -40,6 +40,8 @@ spec:
     spec:
       automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
       serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: watcher
           {{- if .Values.securityContext }}

diff --git a/helm/charts/keto/templates/deployment.yaml b/helm/charts/keto/templates/deployment.yaml
@@ -1,5 +1,4 @@
 {{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}}
-{{- $podSecurityContext := ternary .Values.deployment.podSecurityContext .Values.podSecurityContext (not (empty .Values.deployment.podSecurityContext )) -}}
 {{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}}
 {{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}}
 {{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}}
@@ -105,12 +104,12 @@ spec:
       serviceAccountName: {{ include "keto.serviceAccountName" . }}
       automountServiceAccountToken: {{ $automountServiceAccountToken }}
       securityContext:
-        {{- toYaml $podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
-          {{- if .Values.securityContext }}
+          {{- with .Values.securityContext }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}

diff --git a/helm/charts/keto/templates/job-migration.yaml b/helm/charts/keto/templates/job-migration.yaml
@@ -48,6 +48,8 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "keto.job.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
       - name: {{ .Chart.Name }}-automigrate
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -63,7 +65,7 @@ spec:
         args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ]
         {{- end }}
         {{- if .Values.job.lifecycle }}
-{{ tpl .Values.job.lifecycle . | indent 8 }}
+          {{- tpl .Values.job.lifecycle . | nindent 8 }}
         {{- end }}
         volumeMounts:
           - name: {{ include "keto.name" . }}-config-volume

diff --git a/helm/charts/keto/values.yaml b/helm/charts/keto/values.yaml
@@ -30,7 +30,19 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-# -- Default security context configuration
+## -- pod securityContext for hydra & migration init
+podSecurityContext:
+  fsGroupChangePolicy: "OnRootMismatch"
+  runAsNonRoot: true
+  runAsUser: 65534
+  fsGroup: 65534
+  runAsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
+  sysctls: []
+  supplementalGroups: []
+
+## -- container securityContext for hydra & migration init
 securityContext:
   capabilities:
     drop:
@@ -39,9 +51,12 @@ securityContext:
     type: RuntimeDefault
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  runAsUser: 100
+  runAsUser: 65534
+  runAsGroup: 65534
   allowPrivilegeEscalation: false
   privileged: false
+  seLinuxOptions:
+    level: "s0:c123,c456"
 
 # -- Values for initialization job
 job:

diff --git a/helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl b/helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl
@@ -43,3 +43,14 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
+
+{{/*
+Create a secret name which can be overridden.
+*/}}
+{{- define "kratos-selfservice-ui-node.secretname" -}}
+{{- if .Values.secret.nameOverride -}}
+{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{ include "kratos-selfservice-ui-node.fullname" . }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml b/helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   {{- end }}
   labels:
-{{ include "kratos-selfservice-ui-node.labels" . | indent 4 }}
+    {{- include "kratos-selfservice-ui-node.labels" . | nindent 4 }}
     {{- with .Values.deployment.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -24,7 +24,7 @@ spec:
   template:
     metadata:
       labels:
-{{ include "kratos-selfservice-ui-node.labels" . | indent 8 }}
+        {{- include "kratos-selfservice-ui-node.labels" . | nindent 8 }}
         {{- with .Values.deployment.labels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -40,7 +40,7 @@ spec:
       automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
       {{- with .Values.deployment.extraVolumes }}
       volumes:
-{{ toYaml . | indent 6}}
+        {{- toYaml . | nindent 6 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
@@ -61,8 +61,20 @@ spec:
             value: {{ .Values.kratosAdminUrl | quote }}
           - name: SECURITY_MODE
             value: {{ .Values.securityMode | quote }}
+          - name: COOKIE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "kratos-selfservice-ui-node.secretname" . }}
+                key: secretsCookie
+          - name: CSRF_COOKIE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "kratos-selfservice-ui-node.secretname" . }}
+                key: secretsCSRFCookie
+          - name: CSRF_COOKIE_NAME
+            value: {{ .Values.config.csrfCookieName | quote }}
           {{- if .Values.deployment.extraEnv }}
-{{ toYaml .Values.deployment.extraEnv | indent 10 }}
+            {{- toYaml .Values.deployment.extraEnv | nindent 10 }}
           {{- end }}
           {{- with .Values.deployment.extraVolumeMounts }}
           volumeMounts:
@@ -106,3 +118,5 @@ spec:
       dnsConfig:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
diff --git a/helm/charts/kratos-selfservice-ui-node/templates/secret.yaml b/helm/charts/kratos-selfservice-ui-node/templates/secret.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.secret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kratos-selfservice-ui-node.secretname" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "kratos-selfservice-ui-node.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.secret.secretAnnotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+data:
+  # Generate a random secret if the user doesn't give one. User given secret has priority
+  secretsCookie: {{ ( .Values.config.secrets.cookie | default ( randAlphaNum 32 )) | required "Value config.secrets.cookie can not be empty!" | b64enc | quote }}
+  secretsCSRFCookie: {{ ( .Values.config.secrets.csrfCookie | default ( randAlphaNum 32 )) | required "Value config.secrets.csrfCookie can not be empty!" | b64enc | quote }}
+{{- end }}
diff --git a/helm/charts/kratos-selfservice-ui-node/values.yaml b/helm/charts/kratos-selfservice-ui-node/values.yaml
@@ -11,13 +11,18 @@ image:
   # SELFSERVICE image
   repository: oryd/kratos-selfservice-ui-node
   # -- ORY KRATOS VERSION
-  tag: "v0.13.0-4"
+  tag: "v0.13.0-20"
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+# -- Application config
+config:
+  csrfCookieName: ""
+  secrets: {}
+
 # -- Service configuration
 service:
   type: ClusterIP
@@ -27,6 +32,23 @@ service:
   # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
   name: http
 
+secret:
+  # -- switch to false to prevent creating the secret
+  enabled: true
+  # -- Provide custom name of existing secret, or custom name of secret to be created
+  nameOverride: ""
+  # nameOverride: "myCustomSecret"
+  # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
+  secretAnnotations:
+    # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
+    # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
+    helm.sh/hook-weight: "0"
+    helm.sh/hook: "pre-install, pre-upgrade"
+    helm.sh/hook-delete-policy: "before-hook-creation"
+    helm.sh/resource-policy: "keep"
+  # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
+  hashSumEnabled: true
+
 # -- Ingress configration
 ingress:
   enabled: false
@@ -45,18 +67,33 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-# -- Deployment level securityContext
+# -- Container level security context
 securityContext:
   capabilities:
     drop:
       - ALL
-  seccompProfile:
-    type: RuntimeDefault
   readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 10000
+  runAsGroup: 10000
   allowPrivilegeEscalation: false
   privileged: false
+  seccompProfile:
+    type: RuntimeDefault
+  seLinuxOptions:
+    level: "s0:c123,c456"
+
+# -- Pod level security context
+podSecurityContext:
+  fsGroupChangePolicy: "OnRootMismatch"
+  runAsNonRoot: true
+  runAsUser: 10000
+  fsGroup: 10000
+  runAsGroup: 10000
+  seccompProfile:
+    type: RuntimeDefault
+  sysctls: []
+  supplementalGroups: []
 
 # -- Deployment configuration
 deployment:

diff --git a/helm/charts/kratos/templates/cleanup-cron-job.yaml b/helm/charts/kratos/templates/cleanup-cron-job.yaml
@@ -54,7 +54,7 @@ spec:
             - name: cleanup
               image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
               imagePullPolicy: {{ .Values.image.pullPolicy }}
-              {{- with .Values.cronjob.cleanup.securityContext }}
+              {{- with .Values.securityContext }}
               securityContext:
                 {{- toYaml . | nindent 16 }}
               {{- end }}
@@ -91,7 +91,7 @@ spec:
           nodeSelector:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.cronjob.cleanup.podSecurityContext }}
+          {{- with .Values.podSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm/charts/kratos/templates/deployment-kratos.yaml b/helm/charts/kratos/templates/deployment-kratos.yaml
@@ -90,7 +90,7 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.deployment.initContainerSecurityContext }}
+          {{- with .Values.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -260,7 +260,7 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-    {{- with .Values.deployment.podSecurityContext }}
+    {{- with .Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
     {{- end }}

diff --git a/helm/charts/kratos/templates/deployment-watcher.yaml b/helm/charts/kratos/templates/deployment-watcher.yaml
@@ -40,6 +40,10 @@ spec:
     spec:
       automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
       serviceAccountName: {{ include "kratos.serviceAccountName" . }}-watcher
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: watcher
           {{- if .Values.securityContext }}