fix(alertmanager-matrix): adjust for more security

alertmanager-matrix/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: alertmanager-matrix
 description: Service for managing and receiving Alertmanager alerts on Matrix
 type: application
-version: 0.1.7
+version: 0.1.8
 # renovate: image=docker.io/silkeh/alertmanager_matrix
 appVersion: "0.4.3"
 maintainers:

alertmanager-matrix/README.adoc

@@ -2,7 +2,7 @@
 
 = alertmanager-matrix
 
-image::https://img.shields.io/badge/Version-0.1.7-informational?style=flat-square[Version: 0.1.7]
+image::https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square[Version: 0.1.8]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
 image::https://img.shields.io/badge/AppVersion-0.4.3-informational?style=flat-square[AppVersion: 0.4.3]
 == Maintainers
@@ -280,7 +280,7 @@ helm uninstall alertmanager-matrix-release
 | logging.enabled
 | bool
 | `false`
-| Deploy Flow for [Logging-Operator](https://kube-logging.github.io/docs/)
+| Deploy Flow for logging-operator
 
 | logging.globalOutputRefs
 | list

alertmanager-matrix/ci/ct-security-values.yaml

@@ -0,0 +1,44 @@
+replicaCount: 1
+
+logging:
+  enabled: true
+  dedot: "-"
+  additionalFilters:
+    - grep:
+        exclude:
+          - key: "message"
+            pattern: '/^Sending message to /'
+
+bot:
+  matrix:
+    homeserver: "http://localhost:8008"
+    userID: "bot"
+    token: "SECRET_TOKEN"
+    rooms:
+      - "!not_existing:matrix.org"
+      - "!also_not_existing:matrix.org"
+  alertmanager: "http://localhost:9093"
+  showLabels: true
+
+serviceAccount:
+  create: true
+
+podSecurityContext:
+  fsGroup: 1000
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsUser: 1000
+  runAsGroup: 1000
+
+resources:
+  requests:
+    memory: 128Mi
+    cpu: 100m
+  limits:
+    memory: 256Mi
+    cpu: 4

alertmanager-matrix/templates/_helpers.tpl

@@ -62,7 +62,6 @@ app{{.Values.logging.dedot }}kubernetes{{.Values.logging.dedot }}io/instance: {{
 {{- end }}
 {{- end }}
 
-
 {{/*
 Create the name of the service account to use
 */}}

alertmanager-matrix/templates/deployment.yaml

@@ -68,6 +68,12 @@ spec:
             {{- end }}
             - name: ROOMS
               value: {{ .Values.bot.matrix.rooms | join "," | quote }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+          livenessProbe:
+            tcpSocket:
+              port: http
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

alertmanager-matrix/values.yaml

@@ -83,22 +83,6 @@ bot:
          <br/>
       {{- end -}}
 
-# Logging
-# This Helm chart could also deploy Flow for the logging-operator
-logging:
-  # -- Deploy Flow for [Logging-Operator](https://kube-logging.github.io/docs/)
-  enabled: false
-  # -- if an filter (here or global) for dedot is active - for disable set `null`
-  dedot:
-  # -- Add other filters to Flow
-  additionalFilters: []
-  # -- Flows localOutputRefs for use of Outputs
-  localOutputRefs: []
-  # -- Flows globalOutputRefs for use of ClusterOutputs
-  globalOutputRefs:
-    - "default"
-
-
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -166,3 +150,19 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+# Logging
+# This HelmChart could also deploy Flow for the [Logging-Operator](https://kube-logging.github.io/docs/)
+# Configuration is optimzed for deliever to elasticsearch
+logging:
+  # -- Deploy Flow for logging-operator
+  enabled: false
+  # -- if an filter (here or global) for dedot is active - for disable set `null`
+  dedot:
+  # -- Add other filters to Flow
+  additionalFilters: []
+  # -- Flows localOutputRefs for use of Outputs
+  localOutputRefs: []
+  # -- Flows globalOutputRefs for use of ClusterOutputs
+  globalOutputRefs:
+    - "default"

ct.yaml

@@ -1,4 +1,4 @@
 target-branch: main
-since: HEAD~2
+since: HEAD~1
 chart-dirs:
   - .