Skip to content

fix(helm): Improve security settings and add templated image configuration #554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
brianredbeard wants to merge 6 commits into
base: main
Choose a base branch
from
Open

fix(helm): Improve security settings and add templated image configuration #554

brianredbeard wants to merge 6 commits into from
+23 −14

Conversation

@brianredbeard
Copy link

@brianredbeard brianredbeard commented Jan 14, 2026

Summary

  • Fix security issues: enforce HTTPS redirects, read-only root filesystem
  • Template container images from values.yaml for easier overrides
  • Fix configuration key naming to match validated patterns operator expectations
  • Clean up unnecessary fields from templates

Changes

Security Improvements

  • Change insecureEdgeTerminationPolicy from Allow to Redirect in both hello-world and config-demo routes (enforces HTTPS)
  • Set readOnlyRootFilesystem: true in config-demo deployment with emptyDir volumes for writable paths

Image Configuration

  • Add image.repository, image.tag, image.pullPolicy to values.yaml for both charts
  • Update deployments to use templated image values: {{ .Values.image.repository }}:{{ .Values.image.tag }}
  • Remove commented #imagePullPolicy lines, now explicit in values

Configuration Fixes

  • Rename localCluster to localClusterDomain in hello-world values.yaml
  • Rename project to argoProject in values-standalone.yaml applications
  • Rename projects to argoProjects in values-standalone.yaml
  • Remove unnecessary creationTimestamp: null from pod template metadata

Affected Charts

  • charts/all/hello-world
  • charts/all/config-demo
  • values-standalone.yaml

Test Plan

  • Run helm template on both charts to verify valid output
  • Deploy to test cluster and verify routes redirect HTTP to HTTPS
  • Verify image can be overridden via values

Fixes #531
Fixes #532
Fixes #533
Fixes #534
Fixes #535
Fixes #536
Fixes #537
Fixes #538
Fixes #539
Fixes #540
Fixes #541
Fixes #542

@brianredbeard
fix(helm): rename localCluster to localClusterDomain in hello-world v…
df56462 
…alues

The template hello-world-cm.yaml references .Values.global.localClusterDomain
but the values file had the key named localCluster, causing the template
to render with an empty value.
@brianredbeard
fix(helm): change insecureEdgeTerminationPolicy from Allow to Redirect
a29bf22 
Setting insecureEdgeTerminationPolicy to Allow permits unencrypted HTTP
traffic to the routes. Changing to Redirect forces all HTTP requests
to be redirected to HTTPS, improving security.

Affected routes:
- hello-world
- config-demo
@brianredbeard
fix(helm): set readOnlyRootFilesystem to true in config-demo deployment
6d18b33 
The container already has emptyDir volumes mounted for all writable paths:
- /tmp
- /var/cache/httpd
- /var/run/httpd
- /var/www/html (via configMap)

With these mounts in place, the root filesystem can safely be read-only,
improving container security posture.
@brianredbeard
fix(helm): template container images from values.yaml
68a30e9 
- Add image.repository, image.tag, image.pullPolicy to both chart values
- Update deployments to use templated image values
- Remove commented imagePullPolicy, now explicit in values
- Allows image overrides without modifying templates

Affected charts:
- hello-world
- config-demo
@brianredbeard
fix(helm): remove unnecessary creationTimestamp: null from pod template
e3d224e 
Kubernetes auto-populates creationTimestamp. Explicitly setting it to null
in templates is unnecessary and may cause validation warnings.
@brianredbeard
fix(config): standardize to argoProject key name in values-standalone…
c7fb1bd 
….yaml

The validated patterns operator expects 'argoProject' not 'project'.
Also rename 'projects' to 'argoProjects' for consistency with values-hub.yaml.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

1 participant

@brianredbeard