./unhelm.sh cockroachdb.ystack.values.yaml

Author: solsson

cockroachdb.ystack.values.yaml

@@ -17,3 +17,7 @@ tls:
     selfSigner:
       enabled: false
       caProvided: false
+
+statefulset:
+  serviceAccount:
+    create: false

cockroachdb/ystack/cockroachdb/templates/job.init.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb-init
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"
@@ -22,11 +22,19 @@ spec:
         app.kubernetes.io/instance: "cockroachdb"
         app.kubernetes.io/component: init
     spec:
+      securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
+        runAsGroup: 1000
+        runAsUser: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
       restartPolicy: OnFailure
       terminationGracePeriodSeconds: 0
+      serviceAccountName: default
       containers:
         - name: cluster-init
-          image: "cockroachdb/cockroach:v23.1.4"
+          image: "cockroachdb/cockroach:v23.1.12"
           imagePullPolicy: "IfNotPresent"
           # Run the command in an `while true` loop because this Job is bound
           # to come up before the CockroachDB Pods (due to the time needed to
@@ -64,3 +72,7 @@ spec:
 
               initCluster;
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]

cockroachdb/ystack/cockroachdb/templates/poddisruptionbudget.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb-budget
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/service.discovery.yaml

@@ -10,7 +10,7 @@ metadata:
   name: cockroachdb
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/service.public.yaml

@@ -9,7 +9,7 @@ metadata:
   name: cockroachdb-public
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/serviceMonitor.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/statefulset.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"
@@ -29,6 +29,7 @@ spec:
         app.kubernetes.io/instance: "cockroachdb"
         app.kubernetes.io/component: cockroachdb
     spec:
+      serviceAccountName: default
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -54,7 +55,7 @@ spec:
       terminationGracePeriodSeconds: 60
       containers:
         - name: db
-          image: "cockroachdb/cockroach:v23.1.4"
+          image: "cockroachdb/cockroach:v23.1.12"
           imagePullPolicy: "IfNotPresent"
           args:
             - shell
@@ -115,10 +116,24 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 5
             failureThreshold: 2
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
       volumes:
         - name: datadir
           persistentVolumeClaim:
             claimName: datadir
+      securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+        runAsNonRoot: true
   volumeClaimTemplates:
     - metadata:
         name: datadir

cockroachdb/ystack/cockroachdb/templates/tests/client.yaml

@@ -11,7 +11,7 @@ spec:
   restartPolicy: Never
   containers:
     - name: client-test
-      image: "cockroachdb/cockroach:v23.1.4"
+      image: "cockroachdb/cockroach:v23.1.12"
       imagePullPolicy: "IfNotPresent"
       command:
         - /cockroach/cockroach

cockroachdb/ystack/unhelm-namespace-placeholder.txt

@@ -10,7 +10,7 @@ Note the following instances of namespace strings that Kustomize won't replace
           value: cockroachdb.unhelm-namespace-placeholder.svc.cluster.local
         - name: COCKROACH_CHANNEL
           value: kubernetes-helm
-        image: cockroachdb/cockroach:v23.1.4
+        image: cockroachdb/cockroach:v23.1.12
         imagePullPolicy: IfNotPresent
         livenessProbe:
 --
@@ -36,4 +36,4 @@ Note the following instances of namespace strings that Kustomize won't replace
     - "26257"
     - -e
     - SHOW DATABASES;
-    image: cockroachdb/cockroach:v23.1.4
+    image: cockroachdb/cockroach:v23.1.12