Merge pull request #101 from defenseunicorns/synchrony

defenseunicorns · Jan 15, 2025 · d2bf16a · d2bf16a
2 parents 69b6d77 + 969cca4
commit d2bf16a
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/chart/templates/pepr-exceptions.yaml b/chart/templates/pepr-exceptions.yaml
@@ -0,0 +1,21 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- if .Values.synchrony.enabled }}
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: confluence-exceptions
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - description: exempt synchrony
+      matcher:
+        kind: pod
+        name: ^confluence-synchrony*
+        namespace: confluence
+      policies:
+        - RequireNonRootUser
+        - DropAllCapabilities
+        - DisallowPrivileged
+{{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -69,6 +69,14 @@ spec:
         port: 80
         targetPort: 8090
     allow:
+      {{- if .Values.synchrony.enabled }}
+      - direction: Ingress
+        remoteGenerated: IntraNamespace
+
+      - direction: Egress
+        remoteGenerated: IntraNamespace
+      {{- end }}
+
       - direction: Egress
         remoteNamespace: keycloak
         remoteSelector:

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -24,6 +24,9 @@ sso:
   defaultClientScopes: []
   requiredGroups: []
 
+synchrony:
+  enabled: false # Enable for collaborative editing
+
 # custom:
 #    # Notice no `remoteGenerated` field here on custom internal rule
 #   - direction: Ingress

diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -30,6 +30,9 @@ volumes:
         - ReadWriteOnce
     nfsPermissionFixer:
       enabled: false
+  synchronyHome:
+    persistentVolumeClaim:
+      create: false # Enable for collaborative editing
 
 ingress:
   nginx: false
@@ -111,6 +114,14 @@ confluence:
     - "--add-opens java.management/sun.management=ALL-UNNAMED"
     - "--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED"
 
+synchrony:
+  enabled: false # Enable for collaborative editing
+  securityContext:
+    runAsUser: 2002
+    runAsGroup: 2002
+    runAsNonRoot: true
+    fsGroup: 2002
+
 # This allows for clustering to work
 podAnnotations:
   traffic.sidecar.istio.io/excludeOutboundPorts: 5801,5701,25500,54327