Merge pull request #3 from MediaMarktSaturn/feature/CorrectReadme

Correct dtrack link in readme

.github/workflows/conf/checkov.yml

@@ -0,0 +1,16 @@
+---
+skip-check:
+  - CKV_K8S_31 # https://docs.bridgecrew.io/docs/bc_k8s_29 - Ensure seccomp is set to Docker/Default or Runtime/Default
+  - CKV_K8S_40 # https://docs.bridgecrew.io/docs/bc_k8s_37 - Ensure containers run with a high UID to avoid host conflict
+  - CKV_K8S_23 # https://docs.bridgecrew.io/docs/bc_k8s_22 - Minimize admission of root containers
+  - CKV_K8S_22 # https://docs.bridgecrew.io/docs/bc_k8s_21 - Use Read-Only filesystem for containers where possible
+  - CKV_K8S_29 # https://docs.bridgecrew.io/docs/ensure-securitycontext-is-applied-to-pods-and-containers  - Ensure securityContext is applied to pods and containers
+  - CKV_K8S_30 # https://docs.bridgecrew.io/docs/bc_k8s_28 - Ensure securityContext is applied to pods and containers
+  - CKV_K8S_37 # https://docs.bridgecrew.io/docs/bc_k8s_34 - Ensure admission of containers with capabilities assigned is limited
+  - CKV_K8S_15 # https://docs.bridgecrew.io/docs/bc_k8s_14 - Ensure image pull policy is set to Always
+  - CKV_K8S_43 # https://docs.bridgecrew.io/docs/bc_k8s_39 - Ensure images are selected using a digest
+  - CKV_K8S_28 # https://docs.bridgecrew.io/docs/bc_k8s_27 - Ensure admission of containers with NET_RAW capability is minimized
+  - CKV_K8S_38 # https://docs.bridgecrew.io/docs/bc_k8s_35 - Ensure service account tokens are mounted where necessary; required for side-car injection
+  - CKV_K8S_35 # https://docs.bridgecrew.io/docs/bc_k8s_33 - Use secrets as files instead of environment variable
+  - CKV_SECRET_6 # https://docs.bridgecrew.io/docs/git_secrets_6 - Base64 High Entropy String; checksums result in false positives here
+  - CKV2_K8S_6 # https://www.checkov.io/5.Policy%20Index/kubernetes.html - Minimize the admission of pods which lack an associated NetworkPolicy

.github/workflows/scripts/chart-test.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
 # copy test-values into charts
 rsync -a chart-tests/ charts/

.github/workflows/scripts/checkov-chart-linting.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 set -euo pipefail
 
 pip install checkov > /dev/null 2>&1
@@ -19,7 +19,7 @@ for chart in $(ls -d charts/*/); do
       printf "\n\n=== Checking chart $chart with test case $values ===\n\n"
       rm -rf chckv
       helm template charts/$chart --values $chart_ci/$values --name-template test-release --namespace test-ns --output-dir chckv
-      checkov --config-file .github/workflows/linting/checkov.yaml -d chckv
+      checkov --config-file .github/workflows/conf/checkov.yml -d chckv
       if [ $? -ne 0 ]; then
         printf "=== Chart $chart with test case $values FAILED ===\n\n"
         CHECK_STATUS=1

README.md

@@ -2,6 +2,27 @@
 
 This repository contains Helm charts bundled and used by the MediaMarktSaturn Technology team.
 
-## [Dependency-Track](dependency-track)
+## Usage
+
+With helm cli:
+
+`helm repo add mediamarktsaturn https://helm-charts.mmst.eu`
+
+With FluxCD:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: mediamarktsaturn
+spec:
+  interval: 120m
+  url: https://helm-charts.mmst.eu
+```
+
+## Charts
+
+### [Dependency-Track](charts/dependency-track)
 
 The [OWASP Dependency-Track](https://owasp.org/www-project-dependency-track/) project with separate deployments for API-server and frontend.

charts/dependency-track/Chart.yaml

@@ -7,4 +7,4 @@ maintainers:
   - name: MediaMarktSaturn
     url: https://github.com/MediaMarktSaturn
 appVersion: 4.7.1
-version: 1.0.2
+version: 1.1.0

charts/dependency-track/templates/apiserver_statefulset.yaml

@@ -30,6 +30,7 @@ spec:
             runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
+            allowPrivilegeEscalation: false
           image: "{{ .Values.apiserver.image.repository | trim }}:{{ .Values.apiserver.image.tag | trim}}"
           imagePullPolicy: IfNotPresent
           resources: