diff --git a/charts/gohoarder/Chart.yaml b/charts/gohoarder/Chart.yaml
index 7503bb0..b2b165c 100644
--- a/charts/gohoarder/Chart.yaml
+++ b/charts/gohoarder/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: gohoarder
 description: A universal package cache proxy supporting npm, PyPI, and Go modules with security scanning
 type: application
-version: 0.0.2
-appVersion: "0.0.2"
+version: 0.0.3
+appVersion: "0.0.3"
 keywords:
 - package-manager
 - cache
diff --git a/charts/gohoarder/templates/deployment-frontend.yaml b/charts/gohoarder/templates/deployment-frontend.yaml
index 5d91921..97dbe60 100644
--- a/charts/gohoarder/templates/deployment-frontend.yaml
+++ b/charts/gohoarder/templates/deployment-frontend.yaml
@@ -26,7 +26,30 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "gohoarder.serviceAccountName" . }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ fsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 101
+ initContainers:
+ - name: copy-static-files
+ image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
+ command: ['sh', '-c']
+ args:
+ - |
+ # Copy built frontend files to writable volume
+ cp -rp /usr/share/nginx/html/* /html/
+ # Copy nginx config to writable volume
+ cp -rp /etc/nginx/conf.d/* /conf/
+ volumeMounts:
+ - name: nginx-html
+ mountPath: /html
+ - name: nginx-conf
+ mountPath: /conf
+ securityContext:
+ runAsUser: 101
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 containers:
 - name: frontend
 securityContext:
@@ -35,6 +58,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: false
+ runAsUser: 101
 image: "{{ .Values.image.frontend.repository }}:{{ .Values.image.frontend.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.frontend.pullPolicy }}
 ports:
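Review bot: In the `@@ -26,7 +26,30 @@` hunk of deployment-frontend.yaml the pod-level `securityContext` is now fixed at UID/fsGroup 101 and no longer reads `.Values.podSecurityContext`, so anything an operator sets there (a `seccompProfile`, a different UID for a rebuilt image) is dropped for the frontend without an error; consider keeping the values lookup and supplying 101 as the chart default. The `copy-static-files` script has no `set -e`, so if the first `cp` fails the init container still exits with the status of the second one and the frontend can start with an empty web root; adding `set -e` as the first line of the script makes the pod fail visibly instead. The init container only writes to its two mounted volumes, so its `securityContext` could also carry `readOnlyRootFilesystem: true`. The `spec:` block starts and ends outside the hunk.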
@@ -64,6 +88,10 @@ spec:
 mountPath: /var/cache/nginx
 - name: nginx-run
 mountPath: /var/run
+ - name: nginx-html
+ mountPath: /usr/share/nginx/html
+ - name: nginx-conf
+ mountPath: /etc/nginx/conf.d
 volumes:
 - name: tmp
 emptyDir: {}
@@ -71,6 +99,10 @@ spec:
 emptyDir: {}
 - name: nginx-run
 emptyDir: {}
+ - name: nginx-html
+ emptyDir: {}
+ - name: nginx-conf
+ emptyDir: {}
 {{- with .Values.frontend.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/gohoarder/templates/deployment-scanner.yaml b/charts/gohoarder/templates/deployment-scanner.yaml
index 61e8287..6edb27f 100644
--- a/charts/gohoarder/templates/deployment-scanner.yaml
+++ b/charts/gohoarder/templates/deployment-scanner.yaml
@@ -42,9 +42,14 @@ spec:
 chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
 chmod 750 /var/cache/gohoarder /var/lib/gohoarder
 volumeMounts:
- {{- include "gohoarder.storageVolume" . | nindent 8 }}
- {{- include "gohoarder.metadataVolume" . | nindent 8 }}
- {{- include "gohoarder.trivyCacheVolume" . | nindent 8 }}
+ - name: storage
+ mountPath: /var/cache/gohoarder
+ - name: metadata
+ mountPath: /var/lib/gohoarder/metadata
+ {{- if .Values.security.scanners.trivy.enabled }}
+ - name: trivy-cache
+ mountPath: {{ .Values.security.scanners.trivy.cacheDb }}
+ {{- end }}
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
diff --git a/charts/gohoarder/templates/deployment-server.yaml b/charts/gohoarder/templates/deployment-server.yaml
index bdb90e5..7b027dc 100644
--- a/charts/gohoarder/templates/deployment-server.yaml
+++ b/charts/gohoarder/templates/deployment-server.yaml
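Review bot: In the `@@ -64,6 +88,10 @@` hunk the `nginx-html` mount puts a writable emptyDir over `/usr/share/nginx/html`, so the served web root can be modified by the nginx process for the life of the pod. If nothing has to write there at runtime (not visible in this diff), add `readOnly: true` to that mount so only the init container populates it. With html, conf.d, cache and run now on volumes, the `readOnlyRootFilesystem: false` kept as context in the `@@ -35,6 +58,7 @@` hunk is also worth retesting as `true`. The container's `volumeMounts` list starts outside the hunk.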
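Review bot: In the deployment-scanner.yaml hunk, `mountPath: {{ .Values.security.scanners.trivy.cacheDb }}` is rendered unquoted, so an empty or unset value produces a null `mountPath` and the manifest is rejected at install time; `mountPath: {{ .Values.security.scanners.trivy.cacheDb | quote }}` or a `required` guard avoids that. The `trivy-cache` volume has to be declared under the same `trivy.enabled` condition in the pod's `volumes:` list, which is outside this hunk. The storage and metadata paths are now literals here and in the `@@ -39,8 +39,10 @@` hunk of deployment-server.yaml, so if the main containers still take their mounts from the `gohoarder.*Volume` helpers the two can drift apart; a short comment naming the paths that must stay in sync would help. The visible `chown`/`chmod` lines do not touch the trivy cache path, so confirm the earlier part of the script (outside the hunk) covers it if ownership there matters.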
@@ -39,8 +39,10 @@ spec:
 chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
 chmod 750 /var/cache/gohoarder /var/lib/gohoarder
 volumeMounts:
- {{- include "gohoarder.storageVolume" . | nindent 8 }}
- {{- include "gohoarder.metadataVolume" . | nindent 8 }}
+ - name: storage
+ mountPath: /var/cache/gohoarder
+ - name: metadata
+ mountPath: /var/lib/gohoarder/metadata
 - name: tmp
 mountPath: /tmp/gohoarder
 securityContext:
diff --git a/charts/gohoarder/values.yaml b/charts/gohoarder/values.yaml
index bc24d54..26737f0 100644
--- a/charts/gohoarder/values.yaml
+++ b/charts/gohoarder/values.yaml
@@ -51,17 +51,17 @@ image:
 server:
 repository: ghcr.io/lukaszraczylo/gohoarder-server
 pullPolicy: IfNotPresent
- tag: "0.0.2"
+ tag: "0.0.3"
 frontend:
 repository: ghcr.io/lukaszraczylo/gohoarder-frontend
 pullPolicy: IfNotPresent
- tag: "0.0.2"
+ tag: "0.0.3"
 scanner:
 repository: ghcr.io/lukaszraczylo/gohoarder-scanner
 pullPolicy: IfNotPresent
- tag: "0.0.2"
+ tag: "0.0.3"
 # Service Account
 serviceAccount:
diff --git a/charts/packages/gohoarder-0.0.3.tgz b/charts/packages/gohoarder-0.0.3.tgz
new file mode 100644
index 0000000..fe85497
Binary files /dev/null and b/charts/packages/gohoarder-0.0.3.tgz differ
diff --git a/index.yaml b/index.yaml
index 61e85e2..fcaefac 100644
--- a/index.yaml
+++ b/index.yaml
@@ -1,6 +1,33 @@ apiVersion: v1 entries: gohoarder: + - apiVersion: v2 + appVersion: 0.0.3 + created: "2026-01-03T01:03:31.232406402Z" + description: A universal package cache proxy supporting npm, PyPI, and Go modules + with security scanning + digest: dde1dfcbb9268689e54d12b12f337c870748392905d2b84f0b218a816d8d6255 + home: https://github.com/lukaszraczylo/gohoarder + icon: https://raw.githubusercontent.com/lukaszraczylo/gohoarder/main/docs/logo.png + keywords: + - package-manager + - cache + - proxy + - npm + - pypi + - go-modules + - security + - vulnerability-scanning + maintainers: + - email: lukasz@raczylo.com + name: Lukasz Raczylo + name: gohoarder + sources: + - https://github.com/lukaszraczylo/gohoarder + type: application + urls: + - https://github.com/lukaszraczylo/helm-charts/releases/download/gohoarder-0.0.3/gohoarder-0.0.3.tgz + version: 0.0.3 - apiVersion: v2 appVersion: 0.0.2 created: "2026-01-03T00:29:54.106039869Z" @@ -1678,4 +1705,4 @@ entries: urls: - https://github.com/lukaszraczylo/helm-charts/releases/download/kubemirror-0.2.8/kubemirror-0.2.8.tgz version: 0.2.8 -generated: "2026-01-03T00:29:54.104537639Z" +generated: "2026-01-03T01:03:31.230925033Z"