Merge pull request #24 from eth-cscs/chart-update

Update chart with security recommendations
eth-cscs · Aug 7, 2024 · d5c82f1 · d5c82f1
2 parents 2c76823 + 2bc517a
commit d5c82f1
Show file tree

Hide file tree

Showing 8 changed files with 14 additions and 6 deletions.
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -2,11 +2,11 @@ apiVersion: v2
 name: f7t4jhub
 description: A Helm chart to Deploy JupyterHub with the FirecREST Spawner
 type: application
-version: 0.8.0
+version: 0.8.1
 appVersion: "4.1.5"
 dependencies:
   - name: f7t4jhub
-    version: 0.8.0
+    version: 0.8.1
     repository: "file://./f7t4jhub"
   - name: reloader
     version: v1.0.51

diff --git a/chart/f7t4jhub/Chart.yaml b/chart/f7t4jhub/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: f7t4jhub
 description: A Helm chart to Deploy JupyterHub with the FirecREST Spawner
 type: application
-version: 0.8.0
+version: 0.8.1
 appVersion: "4.1.5"
diff --git a/chart/f7t4jhub/templates/deployment-hub.yaml b/chart/f7t4jhub/templates/deployment-hub.yaml
@@ -35,6 +35,8 @@ spec:
       - name: hub
         image: {{ .Values.hub.image }}
         imagePullPolicy: Always
+        securityContext:
+          readOnlyRootFilesystem: true
         command:
           - "/bin/bash"
           - "-c"

diff --git a/chart/f7t4jhub/templates/deployment-proxy.yaml b/chart/f7t4jhub/templates/deployment-proxy.yaml
@@ -18,6 +18,8 @@ spec:
       - name: proxy
         image: {{ .Values.proxy.image }}
         imagePullPolicy: Always
+        securityContext:
+          readOnlyRootFilesystem: true
         command:
           - "configurable-http-proxy"
           - "--ip=0.0.0.0"

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -13,6 +13,10 @@ reloader:
       # Set to true to create a new service account for the reloader. If false, it will use an existing one.
       create: false
 
+    # Ensures the reloader container's filesystem is mounted as read-only to enhance security.
+    securityContext:
+      readOnlyRootFilesystem: true
+
 f7t4jhub:
   setup:
     # URL for the Firecrest service (replace with your own Firecrest URL)

diff --git a/dockerfiles/Dockerfile b/dockerfiles/Dockerfile
@@ -20,7 +20,7 @@ RUN . /opt/conda/bin/activate && \
 
 RUN . /opt/conda/bin/activate && \
     conda activate $__CONDA_ENV__ && \
-    pip install --no-cache jupyterhub==4.1.5 pyfirecrest==2.1.0 SQLAlchemy==1.4.52 oauthenticator==16.0.7
+    pip install --no-cache jupyterhub==4.1.5 pyfirecrest==2.1.0 SQLAlchemy==1.4.52 oauthenticator==16.3.1
 
 COPY . firecrestspawner
 RUN . /opt/conda/bin/activate && \

diff --git a/requirements-tests.txt b/requirements-tests.txt
@@ -1,4 +1,4 @@
 pytest==7.4.2
 pytest_httpserver==1.0.10
-werkzeug==3.0.1
+werkzeug==3.0.3
 pytest-asyncio==0.23.7
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
 jupyterhub==4.1.5
 pyfirecrest==2.1.0
 SQLAlchemy==1.4.52
-oauthenticator==16.0.7
+oauthenticator==16.3.1