https://github.com/quenchworks/common
quench-common: the shared Helm library chart for the QuenchWorks catalog (hardened pod/container security contexts + a digest-only image resolver).
hardened helm helm-charts helm-library-chart kubernetes security
Last synced: 13 days ago
- Host: GitHub
- URL: https://github.com/quenchworks/common
- Owner: quenchworks
- License: mit
- Created: 2026-06-11T17:11:05.000Z (23 days ago)
- Default Branch: main
- Last Pushed: 2026-06-17T07:11:38.000Z (18 days ago)
- Last Synced: 2026-06-22T00:18:12.816Z (13 days ago)
- Topics: hardened, helm, helm-charts, helm-library-chart, kubernetes, security
- Language: Go Template
- Homepage: https://quench-works.com/
- Size: 12.7 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# quench-common
The shared Helm **library chart** behind the [QuenchWorks](https://github.com/quenchworks) catalog. It's the one place the security baseline is defined, so all 54 app charts inherit the exact same hardening: identical labels, identical pod and container security contexts, and a digest-only image resolver that makes shipping an unpinned image impossible.
Harden it once here, and every chart in the catalog moves together.
Published as an OCI artifact and consumed by the charts in [quenchworks/charts](https://github.com/quenchworks/charts):
```
oci://ghcr.io/quenchworks/charts/quench-common
```
## How charts depend on it
```yaml
# Chart.yaml
dependencies:
  - name: quench-common
    version: 0.0.1
    repository: oci://ghcr.io/quenchworks/charts
```
## What it provides
- **Naming and labels**: `quench-common.fullname` / `name` / `labels` / `selectorLabels`, consistent across the whole catalog.
- **The digest-only image resolver**: `quench-common.image` resolves an image strictly by `repository@sha256:digest`. A tag-only reference is refused on purpose, so a chart can never ship an unpinned image.
- **Hardened pod security context**: `quench-common.podSecurityContext` sets `runAsNonRoot`, uid/gid/fsGroup 1001, seccomp `RuntimeDefault`.
- **Hardened container security context**: `quench-common.containerSecurityContext` sets a read-only root filesystem, no privilege escalation, drop ALL capabilities.
- **A shared knob surface**: the override points every chart exposes the same way, including scheduling, probes, extra env/volumes/volumeMounts, init containers, sidecars, lifecycle hooks, and security-context overrides.
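The three security invariants above (digest-only images, the pod security context, the container security context) are easiest to reason about as a conformance check over a rendered pod spec. The following is an added example and not code from the quench-common chart: it assumes a rendered `Deployment`/`Pod` spec already loaded into a Python dict (the two specs below are constructed inline; the `sha256:` value is a placeholder, not a real image digest) and the function names `is_digest_only` and `audit_pod_spec` are its own. It accepts exactly the `repository@sha256:<digest>` form the README describes, so both a tag-only reference and a tag-plus-digest reference are reported.

```python
import re

# Exactly <repository>@sha256:<64 hex>. A tag-only reference (repo:tag) and a
# tag-plus-digest reference (repo:tag@sha256:...) both fail to match, which is
# the strict form the README describes for quench-common.image.
DIGEST_ONLY_REF = re.compile(
    r"^(?P<repo>(?:[a-z0-9.-]+(?::[0-9]+)?/)?[a-z0-9._-]+(?:/[a-z0-9._-]+)*)"
    r"@sha256:(?P<digest>[0-9a-f]{64})$"
)

# Expected values, taken from the README's description of the two contexts.
EXPECTED_POD_CTX = {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001, "fsGroup": 1001}
EXPECTED_CONTAINER_CTX = {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}


def is_digest_only(ref: str) -> bool:
    """True only for repository@sha256:<digest> with no tag component."""
    return DIGEST_ONLY_REF.match(ref) is not None


def audit_pod_spec(spec: dict) -> list[str]:
    """Return a list of findings; an empty list means the spec meets the baseline."""
    findings = []
    pod_ctx = spec.get("securityContext") or {}
    for key, want in EXPECTED_POD_CTX.items():
        if pod_ctx.get(key) != want:
            findings.append(f"pod.securityContext.{key}={pod_ctx.get(key)!r}, want {want!r}")
    if (pod_ctx.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        findings.append("pod.securityContext.seccompProfile.type is not RuntimeDefault")

    # Init containers and sidecars are checked with the same rules as the app container.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            name = c.get("name", "<unnamed>")
            image = c.get("image", "")
            if not is_digest_only(image):
                findings.append(f"{kind}/{name}: image {image!r} is not repository@sha256:<digest>")
            ctx = c.get("securityContext") or {}
            for key, want in EXPECTED_CONTAINER_CTX.items():
                if ctx.get(key) != want:
                    findings.append(f"{kind}/{name}: securityContext.{key}={ctx.get(key)!r}, want {want!r}")
            drop = (ctx.get("capabilities") or {}).get("drop") or []
            if "ALL" not in drop:
                findings.append(f"{kind}/{name}: capabilities.drop does not include ALL")
    return findings


# Constructed placeholder digest (64 hex chars), not the digest of any real image.
GOOD_DIGEST = "sha256:" + "0123456789abcdef" * 4

# Constructed spec that follows the baseline exactly.
CONFORMANT_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001,
                        "fsGroup": 1001, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app",
        "image": f"ghcr.io/example/app@{GOOD_DIGEST}",
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

# Constructed spec that has drifted: tag-only image, writable root filesystem,
# and no seccomp profile (three findings).
DRIFTED_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001, "fsGroup": 1001},
    "containers": [{
        "name": "app",
        "image": "ghcr.io/example/app:1.2.3",
        "securityContext": {"readOnlyRootFilesystem": False, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("conformant", CONFORMANT_SPEC), ("drifted", DRIFTED_SPEC)):
        findings = audit_pod_spec(spec)
        print(f"{label}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

In practice the spec would come from `helm template` output parsed with a YAML library; the check is deliberately independent of the chart so it can serve as a release gate that catches an app chart overriding the inherited context.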
## Versioning
Patch-bump the chart `version` on every change, and never overwrite a published version. App charts then move to the new version on their next release. This is a library chart, so there's nothing to `helm install` directly.
## Release
Pushing to `main` runs `.github/workflows/release-common.yml`: lint, package, push the OCI chart to GHCR, and cosign-sign it (keyless).
## License
MIT.
