diff --git a/charts/coturn/Chart.yaml b/charts/coturn/Chart.yaml index df5f4d7..3b45398 100644 --- a/charts/coturn/Chart.yaml +++ b/charts/coturn/Chart.yaml @@ -3,7 +3,7 @@ name: coturn type: application description: A Helm chart to deploy coturn home: "https://github.com/small-hack/coturn-chart" -version: 5.1.1 +version: 5.2.0 # renovate: image=coturn/coturn appVersion: 4.6.2 diff --git a/charts/coturn/README.md b/charts/coturn/README.md index 293fcaa..522598c 100644 --- a/charts/coturn/README.md +++ b/charts/coturn/README.md @@ -1,6 +1,6 @@ # coturn -![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square) +![Version: 5.2.0](https://img.shields.io/badge/Version-5.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square) A Helm chart to deploy coturn 
@@ -30,6 +30,11 @@ A Helm chart to deploy coturn
 | certificate.enabled | bool | `false` | Enables auto issuing certificates over cert-manager certificates https://cert-manager.io/docs/concepts/certificate/ |
 | certificate.issuerName | string | `"letsencrypt-staging"` | name of cert-manager issuer to use for cert generation. change to production issuer when you're stable |
 | certificate.secret | string | `"turn-tls"` | name of secret to create for ssl cert |
+| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | allow priviledged access |
+| containerSecurityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | linux cabilities to allow for the coturn k8s pod |
+| containerSecurityContext.capabilities.drop | list | `["ALL"]` | linux cabilities to disallow for the coturn k8s pod |
+| containerSecurityContext.enabled | bool | `true` | Enables Security Context |
+| containerSecurityContext.readOnlyRootFilesystem | bool | `false` | allow modificatin to root filesystem |
 | coturn.auth.existingSecret | string | `""` | existing secret with keys username/password for coturn |
 | coturn.auth.password | string | `""` | password for the main user of the turn server |
 | coturn.auth.secretKeys.password | string | `"password"` | key in existing secret for turn server user's password |
@@ -67,11 +72,12 @@ A Helm chart to deploy coturn
 | mysql.enabled | bool | `false` | enables bitnami mysql subchart, you can disable to use external db |
 | mysql.initdbScriptsConfigMap | string | `"initdb-scripts-config"` | ConfigMap with the initdb scripts (Note: Overrides initdbScripts) |
 | nameOverride | string | `""` | different name for the helm release |
-| persistence.accessMode | string | `"ReadWriteOnce"` | access mode for the PVC, ignored if persistence.existingClaim passed in |
-| persistence.annotations | object | `{}` | annotations for the PVC, ignored if persistence.existingClaim passed in |
-| persistence.existingClaim | string | `""` | existing PVC to use instead of creating one on the fly |
-| persistence.size | string | `"1Mi"` | size of the PVC, ignored if persistence.existingClaim passed in |
-| persistence.storageClass | string | `""` | storageClass for the PVC, ignored if persistence.existingClaim passed in |
+| podSecurityContext.enabled | bool | `true` | Enables Pod Security Context |
+| podSecurityContext.fsGroup | int | `1000` | all processes of the container are also part of the supplementary groupID |
+| podSecurityContext.runAsGroup | int | `1000` | for all Containers in the Pod, all processes run w/ this GroupID |
+| podSecurityContext.runAsNonRoot | bool | `true` | for all Containers in the Pod, all processes run as non-root |
+| podSecurityContext.runAsUser | int | `1000` | for all Containers in the Pod, all processes run w/ this userID |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Filter a process's system calls |
 | postgresql.enabled | bool | `false` | enables bitnami postgresql subchart, you can disable to use external db |
 | postgresql.global.postgresql.auth.database | string | `"coturn"` | database to create, ignored if existingSecret is passed in |
 | postgresql.global.postgresql.auth.existingSecret | string | `""` | name of existing Secret to use for postgresql credentials |
@@ -85,15 +91,6 @@ A Helm chart to deploy coturn
 | postgresql.primary.initdb.scriptsConfigMap | string | `""` | ConfigMap with scripts to be run at first boot |
 | replicas | int | `1` | |
 | resources | object | `{}` | ref: kubernetes.io/docs/concepts/configuration/manage-resources-containers |
-| securityContext.allowPrivilegeEscalation | bool | `true` | allow priviledged access |
-| securityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | linux cabilities to allow for the coturn k8s pod |
-| securityContext.capabilities.drop | list | `["ALL"]` | linux cabilities to disallow for the coturn k8s pod |
-| securityContext.fsGroup | int | `1000` | all processes of the container are also part of the supplementary groupID |
-| securityContext.readOnlyRootFilesystem | bool | `false` | allow modificatin to root filesystem |
-| securityContext.runAsGroup | int | `1000` | for all Containers in the Pod, all processes run w/ this GroupID |
-| securityContext.runAsUser | int | `1000` | for all Containers in the Pod, all processes run w/ this userID |
 | service.externalTrafficPolicy | string | `""` | I don't actually know what this is 🤔 open a PR if you know was originally "Local" |
 | service.type | string | `"ClusterIP"` | The type of service to deploy for routing Coturn traffic. ClusterIP: Recommended for DaemonSet configurations. This will create a standard Kubernetes service for Coturn within the cluster. No external networking will be configured as the DaemonSet will handle binding to each Node's host networking NodePort: Recommended for Deployment configurations. This will open TURN ports on every node and route traffic on these ports to the Coturn pods. You will need to make sure your cloud provider supports the cluster config setting, apiserver.service-node-port-range, as this range must contain the ports defined above for the service to be created.
LoadBalancer: This was what was originally set for this chart in the upstream of this fork, but with no details | ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/coturn/templates/deployment.yaml b/charts/coturn/templates/deployment.yaml index 97c97ee..af95607 100644 --- a/charts/coturn/templates/deployment.yaml +++ b/charts/coturn/templates/deployment.yaml @@ -20,12 +20,16 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + {{- with .Values.podSecurityContext }} securityContext: - readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }} - allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }} - capabilities: - add: {{ .Values.securityContext.capabilities.add }} - drop: {{ .Values.securityContext.capabilities.drop }} + runAsNonRoot: {{ .runAsNonRoot }} + runAsUser: {{ .runAsUser }} + runAsGroup: {{ .runAsGroup }} + fsGroup: {{ .fsGroup }} + seccompProfile: {{- .seccompProfile | toYaml | nindent 10 }} + {{- end }} + {{- end }} initContainers: {{- if or .Values.postgresql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "postgresql")) }} - name: postgresql-isready 
@@ -53,6 +57,15 @@ spec: - "sh" - "-c" - "until pg_isready -h $DATABASE_HOSTNAME -U $POSTGRES_USER ; do sleep 2 ; done" + {{- if .Values.containerSecurityContext.enabled }} + {{- with .Values.containerSecurityContext }} + securityContext: + capabilities: + drop: {{- .capabilities.drop | toYaml | nindent 16 }} + readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }} + allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }} + {{- end }} + {{- end }} {{- else if or .Values.mysql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "mysql")) }} - name: mysql-isready image: {{ include "db.isReady.image.repository" . }}:{{ include "db.isReady.image.tag" . }} @@ -88,6 +101,15 @@ spec: - "sh" - "-c" - "until mysql -h $DATABASE_HOSTNAME -u $MYSQL_USER -p$MYSQL_PASSWORD -e 'SELECT VERSION();' ; do sleep 2 ; done" + {{- if .Values.containerSecurityContext.enabled }} + {{- with .Values.containerSecurityContext }} + securityContext: + capabilities: + drop: {{- .capabilities.drop | toYaml | nindent 16 }} + readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }} + allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }} + {{- end }} + {{- end }} {{- end }} - name: add-secret-values-to-config image: "mikefarah/yq:latest" @@ -179,6 +201,15 @@ spec: mountPath: /extra - name: {{ .Release.Name }}-config mountPath: /data + {{- if .Values.containerSecurityContext.enabled }} + {{- with .Values.containerSecurityContext }} + securityContext: + capabilities: + drop: {{- .capabilities.drop | toYaml | nindent 16 }} + readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }} + allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }} + {{- end }} + {{- end }} containers: - name: "coturn" image: {{ include "coturn.image" . }} 
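Review bot: The init-container `securityContext` block added at @@ -53 is repeated verbatim at @@ -88 and @@ -179, and a fourth near-identical copy (plus `capabilities.add`) follows for the main container at @@ -217, so four hand-maintained copies will drift the next time a field is added. A named template in _helpers.tpl rendering the drop/readOnlyRootFilesystem/allowPrivilegeEscalation trio, pulled in with `{{- include "coturn.initContainerSecurityContext" . | nindent 10 }}` inside the existing `if`, would keep the init containers in lockstep (the helper name is a suggestion). A comment above the first copy recording why init containers get `drop: ["ALL"]` without the `NET_BIND_SERVICE` add — presumably only the turnserver process needs to bind low ports — would also spare the next reader a guess, e.g. `# init containers drop every capability; only the coturn container adds NET_BIND_SERVICE`. The enclosing initContainers list starts before the first of these hunks and the main container continues past the last.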
@@ -217,6 +248,16 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + {{- with .Values.containerSecurityContext }} + securityContext: + capabilities: + add: {{- .capabilities.add | toYaml | nindent 16 }} + drop: {{- .capabilities.drop | toYaml | nindent 16 }} + readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }} + allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }} + {{- end }} + {{- end }} volumes: {{- if .Values.certificate.enabled }} - name: tls @@ -230,12 +271,7 @@ spec: configMap: name: {{ .Release.Name }}-extra-config - name: {{ .Release.Name }}-config - persistentVolumeClaim: - {{- if .Values.persistence.existingClaim }} - claimName: {{ .Values.persistence.existingClaim }} - {{ else }} - claimName: {{ .Release.Name }}-config - {{- end }} + emptyDir: {} - name: var-tmp emptyDir: {} {{- if and (not .Values.externalDatabase.enabled) (not .Values.postgresql.enabled) (not .Values.mysql.enabled) }} diff --git a/charts/coturn/templates/pvc.yaml b/charts/coturn/templates/pvc.yaml deleted file mode 100644 index a8b4744..0000000 --- a/charts/coturn/templates/pvc.yaml +++ /dev/null 
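Review bot: `add: NET_BIND_SERVICE` at @@ -217 only reaches the turnserver process's effective set if the binary carries file capabilities, because the pod now runs with `runAsNonRoot: true` and `runAsUser: 1000` (pod-level hunk earlier in this file) and `allowPrivilegeEscalation: false` also rules out gaining it through setuid; on common container runtimes an added capability lands in a non-root process's bounding set but not its effective set. Whether the coturn image sets `cap_net_bind_service` on the binary is not visible here, so please confirm with a test render that listens below 1024, or document that the add only matters for such ports. A why-comment above the add would save the next reader the same investigation, e.g. `# NET_BIND_SERVICE is only needed for listening ports below 1024 and, with runAsUser 1000, only takes effect if the binary has file capabilities`. The container definition starts before this hunk.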
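Review bot: Replacing the PVC with `emptyDir: {}` at @@ -230 leaves the rendered config — which the `add-secret-values-to-config` init container appears to populate with the TURN credentials under /data — on the node's disk for the pod's lifetime. If that reading is right, `emptyDir: { medium: Memory }` keeps the secret-bearing file in tmpfs (it then counts against the container's memory limit), and a `sizeLimit` is cheap insurance for a directory whose size the chart no longer bounds. A comment above the volume stating why persistence was dropped — presumably because the init container regenerates the config on every start — would also explain the deletion of `persistence.*` to the next maintainer. The volumes list begins before this hunk.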
@@ -1,29 +0,0 @@ -{{- if not .Values.persistence.existingClaim -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ .Release.Name }}-config - labels: - app.kubernetes.io/name: {{ include "coturn.name" . }} - helm.sh/chart: {{ include "coturn.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/component: app -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- if .Values.persistence.storageClass }} -{{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end -}} diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml index ce96a20..e5e345c 100644 --- a/charts/coturn/values.yaml +++ b/charts/coturn/values.yaml @@ -112,7 +112,6 @@ postgresql: # -- ConfigMap with scripts to be run at first boot scriptsConfigMap: "" - # MySQL chart configuration # see: https://github.com/bitnami/charts/tree/main/bitnami/mysql mysql: 
@@ -137,18 +136,6 @@ mysql: # -- ConfigMap with the initdb scripts (Note: Overrides initdbScripts) initdbScriptsConfigMap: initdb-scripts-config -persistence: - # -- existing PVC to use instead of creating one on the fly - existingClaim: "" - # -- annotations for the PVC, ignored if persistence.existingClaim passed in - annotations: {} - # -- access mode for the PVC, ignored if persistence.existingClaim passed in - accessMode: "ReadWriteOnce" - # -- size of the PVC, ignored if persistence.existingClaim passed in - size: "1Mi" - # -- storageClass for the PVC, ignored if persistence.existingClaim passed in - storageClass: "" - # most coturn config parameters that you really need coturn: # -- hostname for the coturn server realm @@ -189,19 +176,30 @@ coturn: # k8s pod security context: # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -securityContext: +podSecurityContext: + # -- Enables Pod Security Context + enabled: true + # -- for all Containers in the Pod, all processes run as non-root + runAsNonRoot: true # -- for all Containers in the Pod, all processes run w/ this userID runAsUser: 1000 # -- for all Containers in the Pod, all processes run w/ this GroupID runAsGroup: 1000 # -- all processes of the container are also part of the supplementary groupID fsGroup: 1000 - # -- allow modificatin to root filesystem - readOnlyRootFilesystem: false - # -- allow priviledged access - allowPrivilegeEscalation: true + seccompProfile: + # -- Filter a process's system calls + type: "RuntimeDefault" + +containerSecurityContext: + # -- Enables Security Context + enabled: true capabilities: # -- linux cabilities to allow for the coturn k8s pod add: ["NET_BIND_SERVICE"] # -- linux cabilities to disallow for the coturn k8s pod drop: ["ALL"] + # -- allow modificatin to root filesystem + readOnlyRootFilesystem: false + # -- allow priviledged access + allowPrivilegeEscalation: false
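Review bot: Renaming `securityContext` to `podSecurityContext`/`containerSecurityContext` here (and deleting `persistence.*` in the previous hunk) means a user values file that still sets the old keys is ignored silently, so an override such as `securityContext.allowPrivilegeEscalation` or `persistence.existingClaim` vanishes without a warning while the chart only takes a minor bump to 5.2.0. A guard near the top of deployment.yaml, `{{- if or .Values.securityContext .Values.persistence }}{{ fail "securityContext and persistence values were replaced by podSecurityContext/containerSecurityContext; see README" }}{{- end }}`, turns the silent drop into an install-time error, and an upgrade note in the README would do the rest. Separately, `readOnlyRootFilesystem: false` stays the default even though the deployment already mounts emptyDir volumes for /data and `var-tmp`; if a test render confirms coturn writes nowhere else, flipping it to `true` would complete the hardening this change starts.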