The shared Helm library chart behind the QuenchWorks catalog. It's the one place the security baseline is defined, so all 54 app charts inherit the exact same hardening: identical labels, identical pod and container security contexts, and a digest-only image resolver that makes shipping an unpinned image impossible.
Harden it once here, and every chart in the catalog moves together.
Published as an OCI artifact and consumed by the charts in quenchworks/charts:
`oci://ghcr.io/quenchworks/charts/quench-common`

```yaml
# Chart.yaml
dependencies:
  - name: quench-common
    version: 0.0.1
    repository: oci://ghcr.io/quenchworks/charts
```

What the library provides:

- Naming and labels: `quench-common.fullname` / `name` / `labels` / `selectorLabels`, consistent across the whole catalog.
- The digest-only image resolver: `quench-common.image` resolves an image strictly by `repository@sha256:digest`. A tag-only reference is refused on purpose, so a chart can never ship an unpinned image.
- Hardened pod security context: `quench-common.podSecurityContext` sets `runAsNonRoot`, uid/gid/fsGroup 1001, and seccomp `RuntimeDefault`.
- Hardened container security context: `quench-common.containerSecurityContext` sets a read-only root filesystem, no privilege escalation, and drop ALL capabilities.
- A shared knob surface: the override points every chart exposes the same way, including scheduling, probes, extra env/volumes/volumeMounts, init containers, sidecars, lifecycle hooks, and security-context overrides.
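As an added illustration of the digest-only resolver described above (not the published chart's own `_helpers.tpl`), this is how such a named template can be written so that rendering aborts on a tag-only or unpinned reference; the values layout `image.repository` / `image.digest` / `image.tag` is assumed:

```gotemplate
{{/*
Illustrative digest-only image resolver (assumed, not the library's own code).
Usage in a chart template:   image: {{ include "quench-common.image" . }}
Assumed values layout:
  image:
    repository: ghcr.io/quenchworks/example      # constructed sample value
    digest: sha256:<64 hex characters>
Any tag, or a missing/malformed digest, fails the render, so
`helm template` and `helm install` stop instead of shipping an unpinned image.
*/}}
{{- define "quench-common.image" -}}
{{- $img := .Values.image | default dict -}}
{{- $repo := $img.repository | default "" -}}
{{- $digest := $img.digest | default "" -}}
{{- if not $repo -}}
{{- fail "image.repository is required" -}}
{{- end -}}
{{- /* A tag is refused outright: digest is the only accepted pin. */ -}}
{{- if $img.tag -}}
{{- fail (printf "image.tag is not allowed for %s: pin by digest via image.digest (sha256:...)" $repo) -}}
{{- end -}}
{{- /* Reject "repo:tag" or "repo@digest" smuggled into the repository field.
      ":[^/]+$" matches a trailing tag but not a registry port such as host:5000/repo. */ -}}
{{- if or (contains "@" $repo) (regexMatch ":[^/]+$" $repo) -}}
{{- fail (printf "image.repository %q must not carry a tag or digest; set image.digest instead" $repo) -}}
{{- end -}}
{{- if not (regexMatch "^sha256:[0-9a-f]{64}$" $digest) -}}
{{- fail (printf "image.digest for %s must be sha256:<64 hex chars>, got %q" $repo $digest) -}}
{{- end -}}
{{- printf "%s@%s" $repo $digest -}}
{{- end -}}
```

Render a chart twice with `helm template`, once with `image.digest` set and once with only `image.tag`, to see the second render refused.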
Patch-bump the chart version on every change, and never overwrite a published version. App charts then move to the new version on their next release. This is a library chart, so there's nothing to `helm install` directly.
Pushing to `main` runs `.github/workflows/release-common.yml`: lint, package, push the OCI chart to GHCR, and cosign-sign it (keyless).
MIT.
