Inject Pod and Container Security Context (#137)

* Inject Pod and Container Security Context * remove kafka-topic-creator sub chart --------- Co-authored-by: Ravi Singal <[email protected]>
hypertrace · Sep 24, 2024 · 22b7b23 · 22b7b23
1 parent b6894eb
commit 22b7b23
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 45 deletions.
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -24,9 +24,3 @@ version: 0.1.0
 # This is the appVersion which will correspond to build version tag. The "helm package" command will take care of setting
 # this.
 appVersion: 0.1.0
-
-dependencies:
-  - name: kafka-topic-creator
-    condition: kafka-topic-creator.enabled
-    repository: "https://storage.googleapis.com/hypertrace-helm-charts"
-    version: 0.2.x
diff --git a/helm/templates/hypertrace-collector/deployment.yaml b/helm/templates/hypertrace-collector/deployment.yaml
@@ -93,7 +93,7 @@ spec:
               port: 13133
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-        {{- with .Values.securityContext }}
+        {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
         {{- end }}
diff --git a/helm/templates/hypertrace-metrics-collector/deployment.yaml b/helm/templates/hypertrace-metrics-collector/deployment.yaml
@@ -94,7 +94,7 @@ spec:
               port: 13133
           resources:
             {{- toYaml .Values.metrics.resources | nindent 12 }}
-        {{- with .Values.metrics.securityContext }}
+        {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
         {{- end }}

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -100,17 +100,18 @@ podAnnotations: {}
 podSecurityContext:
   runAsUser: 65532
   fsGroup: 65532
+  runAsNonRoot: true
+  fsGroupChangePolicy: "OnRootMismatch"
+  seccompProfile:
+    type: RuntimeDefault
 
-securityContext:
+containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - ALL
     add:
       - NET_BIND_SERVICE
-  runAsNonRoot: true
-  seccompProfile:
-    type: RuntimeDefault
 
 affinity: {}
 
@@ -211,21 +212,6 @@ metrics:
 
   podAnnotations: {}
 
-  podSecurityContext:
-    runAsUser: 65532
-    fsGroup: 65532
-
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
-      add:
-        - NET_BIND_SERVICE
-    runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
-
   affinity: {}
 
   hostNetwork: false
@@ -383,21 +369,3 @@ configMap:
           receivers: [otlp]
           processors: [filter/metrics, hypertrace_metrics_remover, batch, hypertrace_metrics_resource_attrs_to_attrs]
           exporters: [prometheus]
-
-kafka-topic-creator:
-  enabled: true
-  jobName: jaeger-spans-kafka-topic-creator
-  helmHook: pre-install,pre-upgrade
-  kafka:
-    topics:
-      jaeger-spans:
-        replicationFactor: 1
-        partitions: 8
-        configs:
-          retention.bytes: 4294967296
-          retention.ms: 86400000
-  zookeeper:
-    address: zookeeper:2181
-  imagePullSecrets: []
-  podAnnotations:
-    sidecar.istio.io/inject: "false"