Improve security, add emptydir mounts

Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "4.3"

templates/daemonset.yaml

@@ -26,51 +26,87 @@ spec:
       {{- end }}
       priorityClassName: {{ .Values.priorityClassName | quote }}
       serviceAccountName: {{ include "duino-miner.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
+
       securityContext:
+        {{- with .Values.podSecurityContext }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- else }}
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        {{- end }}
+
       containers:
         - name: {{ .Chart.Name }}
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+
+          securityContext:
+            {{- with .Values.securityContext }}
+            {{- toYaml . | nindent 12 }}
+            {{- else }}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
+            {{- end }}
+
           env:
             {{- range $key, $value := .Values.env }}
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
+            - name: DUCO_DIR
+              value: {{ .Values.ducoDir | quote }}
+
+          volumeMounts:
+            - name: duco-data
+              mountPath: {{ .Values.ducoDir | quote }}
+              readOnly: false
+            - name: tmp
+              mountPath: /tmp
+              readOnly: false
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+
           {{- with .Values.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+
           {{- with .Values.readinessProbe }}
           readinessProbe:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+
           {{- with .Values.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.volumeMounts }}
+
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.volumes }}
       volumes:
+        - name: duco-data
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+        {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
+
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+
       {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}

values.yaml

@@ -5,6 +5,13 @@ image:
   tag: "latest"                                                    # Image tag; if empty, defaults to Chart appVersion
 imagePullSecrets: []                                               # Optional secrets for private registries
 
+# Optional overrides for chart naming
+nameOverride: ""
+fullnameOverride: ""
+
+# Node selection and scheduling, deploys to all nodes by default
+nodeSelector: {}
+
 # Resource requests and limits for the miner container
 resources:
   limits:
@@ -19,7 +26,6 @@ priorityClassName: "duino-miner-lowest"
 
 # Environment variables for the Duino-Coin miner
 env:
-  DUCO_DIR: "/duino-coin/Duino-Coin PC Miner 4.3" # Directory where the miner config lives
   DUCO_USERNAME: "your_actual_username"           # Your Duino-Coin wallet or username
   DUCO_MINING_KEY: "your_actual_mining_key"       # Mining key
   DUCO_INTENSITY: "95"                            # Mining intensity (0–100)
@@ -34,9 +40,8 @@ env:
   DUCO_RASPI_CPU_IOT: "n"                         # Raspberry Pi CPU I/O tuning
   DUCO_DISCORD_RP: "n"                            # Discord Rich Presence
 
-# Optional overrides for chart naming
+# Directory where miner config is located is mounted as an EmptyDir
-nameOverride: ""
+ducoDir: "/duino-coin/Duino-Coin PC Miner 4.3"  
-fullnameOverride: ""
 
 # Service account settings
 serviceAccount:
@@ -73,10 +78,3 @@ readinessProbe:
       - "pidof python > /dev/null"
   initialDelaySeconds: 10   # Wait 10 seconds before first check to allow container startup
   periodSeconds: 30         # Check every 30 seconds
-
-# Volumes and mounts (if needed)
-volumes: []                  # Define extra volumes here
-volumeMounts: []             # Define mounts inside the container here
-
-# Node selection and scheduling
-nodeSelector: {}