set proper security contexts for main.sdlc, move Geth dir from root

skudasov · skudasov · commit ef5fe616702d · 2025-11-03T22:24:10.000+01:00
diff --git a/lib/charts/chainlink/templates/chainlink-cm.yaml b/lib/charts/chainlink/templates/chainlink-cm.yaml
@@ -14,7 +14,7 @@ data:
   init.sql: |
     CREATE EXTENSION pg_stat_statements;
   default.toml: |
-    RootDir = './clroot'
+    RootDir = '/home/chainlink'
 
     [Log]
     JSONConsole = true
diff --git a/lib/charts/chainlink/templates/chainlink-deployment.yaml b/lib/charts/chainlink/templates/chainlink-deployment.yaml
@@ -103,6 +103,14 @@ spec:
             initialDelaySeconds: 15
             periodSeconds: 5
             failureThreshold: 20
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 14933
+            runAsGroup: 14933
+            capabilities:
+              drop:
+                - ALL
           resources:
             requests:
               memory: {{ $.Values.chainlink.resources.requests.memory }}
@@ -123,4 +131,4 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
 ---
-{{- end }}
+{{- end }}
diff --git a/lib/charts/chainlink/templates/pg-deployment.yaml b/lib/charts/chainlink/templates/pg-deployment.yaml
@@ -50,6 +50,11 @@ spec:
             name: {{ $.Release.Name }}-{{ $cfg.name }}-cm
       containers:
         - name: chainlink-db
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 999
           {{- $image := $.Values.db.image.image }}
           {{- $tag := $.Values.db.image.version }}
           {{- if $cfg.db }}
@@ -127,13 +132,17 @@ spec:
               name: {{ $.Release.Name }}-{{ $cfg.name }}-config-map
               subPath: init.sql
           {{ if $.Values.db.stateful }}
-          volumeMounts:
             - mountPath: /var/lib/postgresql/data
               name: postgres
               subPath: postgres-db
           {{ end }}
         {{- if $.Values.db.enablePrometheusPostgresExporter }}
         - name: prometheus-postgres-exporter
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 999
           image: {{ $.Values.prometheusPostgresExporter.image.image }}
           args: ["--collector.statio_user_indexes"]
           resources:
@@ -163,4 +172,4 @@ spec:
 {{ toYaml . | indent 8 }}
 {{- end }}
 ---
-{{- end }}
+{{- end }}
diff --git a/lib/charts/geth/templates/geth-deployment.yml b/lib/charts/geth/templates/geth-deployment.yml
@@ -28,6 +28,9 @@ spec:
         {{ $key }}: {{ $value | quote }}
         {{- end }}
     spec:
+      securityContext:
+        runAsUser: 999
+        fsGroup: 999
       restartPolicy: Always
       enableServiceLinks: false
       volumes:
@@ -37,30 +40,30 @@ spec:
       containers:
       - name: geth-network
         image: "{{ .Values.geth.image.image }}:{{ .Values.geth.image.version }}"
-        command: [ "sh", "./root/init.sh" ]
+        command: [ "sh", "./chain/init.sh" ]
         volumeMounts:
         - name: geth
-          mountPath: /root/.ethereum/devchain/
+          mountPath: /chain/.ethereum/devchain/
         - name : configmap-volume
-          mountPath: /root/init.sh
+          mountPath: /chain/init.sh
           subPath: init.sh
         - name: configmap-volume
-          mountPath: /root/config
+          mountPath: /chain/config
         - name: configmap-volume
-          mountPath: /root/.ethereum/devchain/keystore/key1
+          mountPath: /chain/.ethereum/devchain/keystore/key1
           subPath: key1
         - name: configmap-volume
-          mountPath: /root/.ethereum/devchain/keystore/key2
+          mountPath: /chain/.ethereum/devchain/keystore/key2
           subPath: key2
         - name: configmap-volume
-          mountPath: /root/.ethereum/devchain/keystore/key3
+          mountPath: /chain/.ethereum/devchain/keystore/key3
           subPath: key3
         args:
           - '--dev'
           - '--password'
-          - '/root/config/password.txt'
+          - '/chain/config/password.txt'
           - '--datadir'
-          - '/root/.ethereum/devchain'
+          - '/chain/.ethereum/devchain'
           - '--unlock'
           - '0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266'
           - '--mine'
@@ -121,4 +124,4 @@ spec:
 {{- with .Values.tolerations }}
       tolerations:
 {{ toYaml . | indent 8 }}
-{{- end }}
+{{- end }}
