diff --git a/apis/ui/v1alpha1/types.go b/apis/ui/v1alpha1/types.go index 78f02319..6cc70434 100644 --- a/apis/ui/v1alpha1/types.go +++ b/apis/ui/v1alpha1/types.go @@ -79,6 +79,7 @@ type ReplicaRange struct { type AppRef struct { Service ObjectRef `json:"service"` AuthSecret LocalObjectRef `json:"authSecret"` + TLS TLS `json:"tls"` } type AuthzproxySpec struct { @@ -96,3 +97,7 @@ type AuthzproxyParams struct { PlatformURL string `json:"platformURL"` PlatformCABundle string `json:"platformCABundle"` } + +type TLS struct { + Enabled bool `json:"enabled"` +} diff --git a/charts/dbgate/README.md b/charts/dbgate/README.md index b22befb5..cc5a14a1 100644 --- a/charts/dbgate/README.md +++ b/charts/dbgate/README.md @@ -88,12 +88,13 @@ The following table lists the configurable parameters of the `dbgate` chart and | app.service.name | | "" | | app.service.namespace | | "" | | app.authSecret.name | | "" | +| app.tls.enabled | | false | | bind.name | | "" | | bind.namespace | | "" | | authzproxy.enabled | | false | | authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy | | authzproxy.tag | KubeDB operator container image tag | "v0.0.1" | -| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}} | | authzproxy.resources | Compute Resources required by this container | {} | | authzproxy.params.listen | | 8000 | | authzproxy.params.metricsAddr | | 8080 | diff --git a/charts/phpmyadmin/README.md b/charts/phpmyadmin/README.md index ec66d543..0cba007d 100644 --- a/charts/phpmyadmin/README.md +++ b/charts/phpmyadmin/README.md @@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `phpmyadmin` chart | serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | | podAnnotations | | {} | | podSecurityContext | | {} | -| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}} | | service.type | | ClusterIP | | service.port | | 80 | | resources | | {} | @@ -87,6 +87,7 @@ The following table lists the configurable parameters of the `phpmyadmin` chart | app.service.name | | "" | | app.service.namespace | | "" | | app.authSecret.name | | "" | +| app.tls.enabled | | false | | bind.name | | "" | | bind.namespace | | "" | | authzproxy.enabled | | false | diff --git a/charts/phpmyadmin/templates/deployment.yaml b/charts/phpmyadmin/templates/deployment.yaml index 004361d2..4de1d92e 100644 --- a/charts/phpmyadmin/templates/deployment.yaml +++ b/charts/phpmyadmin/templates/deployment.yaml @@ -84,6 +84,10 @@ spec: secretKeyRef: name: {{ .Values.app.authSecret.name }} key: password + {{- if .Values.app.tls.enabled }} + - name: PMA_SSL + value: "1" + {{- end }} ports: - name: http containerPort: 8080 diff --git a/charts/phpmyadmin/values.yaml b/charts/phpmyadmin/values.yaml index 146e3b74..59566bcf 100644 --- a/charts/phpmyadmin/values.yaml +++ b/charts/phpmyadmin/values.yaml @@ -46,9 +46,9 @@ securityContext: # +doc-gen:break allowPrivilegeEscalation: false capabilities: drop: ["ALL"] - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false runAsNonRoot: true - runAsUser: 65534 + runAsUser: 1000 seccompProfile: type: RuntimeDefault @@ -126,6 +126,8 @@ app: namespace: "" authSecret: name: "" + tls: + enabled: false bind: name: "" namespace: ""