EZSCALE/website
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(helm): hardening from review

Browse Source 
- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andrew Murray
2026-04-26 23:08:10 -04:00
parent 548fc5f1ee
commit 4ff3048dd3
9 changed files with 54 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
helm/ezscale-website/README.md
View File

@@ -37,6 +37,7 @@ openssl rsa -in "$TMP_KEYS/oauth-private.key" -pubout -out "$TMP_KEYS/oauth-publ
# 3. Gather production secrets. Read each one and store in shell vars.
DB_PASS=$(openssl rand -base64 32 | tr -d '/=+' | cut -c1-32)
REDIS_PASS=$(openssl rand -base64 32 | tr -d '/=+' | cut -c1-32)
read -sp "STRIPE_KEY (pk_live_...): " STRIPE_KEY; echo
read -sp "STRIPE_SECRET (sk_live_...): " STRIPE_SECRET; echo
read -sp "STRIPE_WEBHOOK_SECRET (whsec_...): " STRIPE_WEBHOOK; echo
@@ -54,6 +55,7 @@ kubectl create secret generic ezscale-website-secrets \
--namespace ezscale \
--from-literal=APP_KEY="$APP_KEY" \
--from-literal=DB_PASSWORD="$DB_PASS" \
--from-literal=REDIS_PASSWORD="$REDIS_PASS" \
--from-literal=STRIPE_KEY="$STRIPE_KEY" \
--from-literal=STRIPE_SECRET="$STRIPE_SECRET" \
--from-literal=STRIPE_WEBHOOK_SECRET="$STRIPE_WEBHOOK" \

3
helm/ezscale-website/templates/_helpers.tpl
View File

@@ -35,7 +35,8 @@ Usage: {{ include "ezscale-website.image" (dict "ctx" . "role" "app") }}
*/}}
{{- define "ezscale-website.image" -}}
{{- $ctx := .ctx -}}
{{- printf "%s/%s:%s-%s" $ctx.Values.image.registry $ctx.Values.image.repository .role $ctx.Values.image.tag -}}
{{- $tag := required "image.tag is required (set via --set image.tag=vX.Y.Z)" $ctx.Values.image.tag -}}
{{- printf "%s/%s:%s-%s" $ctx.Values.image.registry $ctx.Values.image.repository .role $tag -}}
{{- end -}}
{{/* Secret name (existing or generated) */}}

5
helm/ezscale-website/templates/configmap-nginx.yaml
View File

@@ -34,7 +34,10 @@ data:
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_param HTTP_PROXY "";
fastcgi_param HTTPS $http_x_forwarded_proto;
# Pass HTTPS to PHP only when X-Forwarded-Proto is non-empty.
# if_not_empty avoids the param being set to "" when the header
# is missing (which would falsely satisfy isset($_SERVER['HTTPS'])).
fastcgi_param HTTPS $http_x_forwarded_proto if_not_empty;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_read_timeout 300;

11
helm/ezscale-website/templates/deployment-app.yaml
View File

@@ -51,11 +51,19 @@ spec:
- name: nginx-config
mountPath: /etc/nginx/conf.d
readOnly: true
# Startup probe gives the app up to 100s for first-boot work
# (config:cache + route:cache + view:cache + opcache warmup) before
# liveness takes over.
startupProbe:
httpGet:
path: {{ .Values.healthCheck.livenessPath }}
port: http
failureThreshold: 20
periodSeconds: 5
livenessProbe:
httpGet:
path: {{ .Values.healthCheck.livenessPath }}
port: http
initialDelaySeconds: {{ .Values.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.healthCheck.periodSeconds }}
timeoutSeconds: {{ .Values.healthCheck.timeoutSeconds }}
failureThreshold: {{ .Values.healthCheck.failureThreshold }}
@@ -63,7 +71,6 @@ spec:
httpGet:
path: {{ .Values.healthCheck.readinessPath }}
port: http
initialDelaySeconds: 5
periodSeconds: 5
- name: app
image: {{ include "ezscale-website.image" (dict "ctx" . "role" "app") }}

3
helm/ezscale-website/templates/deployment-horizon.yaml
View File

@@ -41,6 +41,8 @@ spec:
readOnly: true
resources:
{{- toYaml .Values.horizon.resources | nindent 12 }}
# horizon:status hits Redis. failureThreshold: 5 + periodSeconds: 30
# gives 150s of tolerance for transient Valkey blips before restart.
livenessProbe:
exec:
command:
@@ -50,6 +52,7 @@ spec:
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
volumes:
- name: oauth-keys
secret:

14
helm/ezscale-website/templates/job-migrate.yaml
View File

@@ -41,4 +41,18 @@ spec:
name: {{ include "ezscale-website.fullname" . }}-env
- secretRef:
name: {{ include "ezscale-website.secretName" . }}
volumeMounts:
- name: oauth-keys
mountPath: /var/www/html/secrets
readOnly: true
volumes:
- name: oauth-keys
secret:
secretName: {{ include "ezscale-website.secretName" . }}
items:
- key: oauth-private.key
path: oauth-private.key
- key: oauth-public.key
path: oauth-public.key
optional: true
{{- end }}

30
helm/ezscale-website/templates/statefulset-valkey.yaml
View File

@@ -1,18 +1,4 @@
{{- if .Values.valkey.enabled }}
{{- $secretName := printf "%s-valkey" (include "ezscale-website.fullname" .) }}
{{- if .Values.valkey.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels: {{- include "ezscale-website.labels" . | nindent 4 }}
annotations:
helm.sh/resource-policy: keep
type: Opaque
stringData:
password: {{ .Values.valkey.password | quote }}
---
{{- end }}
apiVersion: v1
kind: Service
metadata:
@@ -53,6 +39,10 @@ spec:
containers:
- name: valkey
image: {{ .Values.valkey.image }}
# When requirePassword is true, REDIS_PASSWORD is sourced from the
# main chart Secret (same Secret the app/horizon/scheduler pods read
# via envFrom). Local dev can put it in secret.values; prod
# bootstraps it manually per the chart README.
command:
- valkey-server
- --appendonly
@@ -61,17 +51,17 @@ spec:
- {{ .Values.valkey.maxmemory | quote }}
- --maxmemory-policy
- allkeys-lru
{{- if .Values.valkey.password }}
{{- if .Values.valkey.requirePassword }}
- --requirepass
- $(REDIS_PASSWORD)
{{- end }}
{{- if .Values.valkey.password }}
{{- if .Values.valkey.requirePassword }}
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: password
name: {{ include "ezscale-website.secretName" . }}
key: REDIS_PASSWORD
{{- end }}
ports:
- name: redis
@@ -81,7 +71,11 @@ spec:
mountPath: /data
livenessProbe:
exec:
{{- if .Values.valkey.requirePassword }}
command: ["sh", "-c", "valkey-cli -a \"$REDIS_PASSWORD\" --no-auth-warning ping"]
{{- else }}
command: ["valkey-cli", "ping"]
{{- end }}
initialDelaySeconds: 10
periodSeconds: 10
volumeClaimTemplates:

4
helm/ezscale-website/values-us-prod.yaml
View File

@@ -43,9 +43,11 @@ mariadb:
database: ezscale_billing
username: ezscale_billing_app
# Per-app Valkey for sessions/cache/queue.
# Per-app Valkey for sessions/cache/queue. requirePassword=true means
# REDIS_PASSWORD must be present in ezscale-website-secrets.
valkey:
enabled: true
requirePassword: true
storage:
size: 10Gi
storageClassName: longhorn

6
helm/ezscale-website/values.yaml
View File

@@ -77,7 +77,11 @@ mariadb:
valkey:
enabled: true
image: valkey/valkey:9-alpine
password: "" # if empty, chart generates a random secret
# When true, valkey runs with --requirepass and reads REDIS_PASSWORD from
# the main chart Secret (same key the app/horizon/scheduler pods read via
# envFrom). The Secret MUST contain a REDIS_PASSWORD key — bootstrap it
# alongside APP_KEY in production, or include it in secret.values for dev.
requirePassword: false
maxmemory: "1gb"
storage:
size: 5Gi