[bitnami/concourse] feat!: 🔒 💥 Improve security defaults (#24541)

* [bitnami/concourse] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* test: Bump timeouts

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-04-01 13:15:15 +02:00
committed by GitHub
parent 2e4b5defda
commit 00e0013229
10 changed files with 87 additions and 33 deletions


@@ -10,11 +10,11 @@ command:
{{- $port := .Vars.service.web.ports.http }}
{{ if not ( has "air-gapped" .Vars.target_platform_properties ) }}
create-pipeline-trigger-job:
exec: fly -t {{ $target }} login -c http://concourse-web:{{ $port }} -u {{ $user }} -p '{{ $pwd }}' && (echo '{{ $example_pipeline }}' | base64 -d) > /tmp/pipeline.yaml && fly -t {{ $target }} set-pipeline -p {{ $pipeline }} -c /tmp/pipeline.yaml -n && fly -t {{ $target }} unpause-pipeline -p {{ $pipeline }} && fly -t {{ $target }} trigger-job -j {{ $pipeline }}/job && sleep 35 && fly -t {{ $target }} jobs -p {{ $pipeline }}
exec: export HOME=/tmp && fly -t {{ $target }} login -c http://concourse-web:{{ $port }} -u {{ $user }} -p '{{ $pwd }}' && (echo '{{ $example_pipeline }}' | base64 -d) > /tmp/pipeline.yaml && fly -t {{ $target }} set-pipeline -p {{ $pipeline }} -c /tmp/pipeline.yaml -n && fly -t {{ $target }} unpause-pipeline -p {{ $pipeline }} && fly -t {{ $target }} trigger-job -j {{ $pipeline }}/job && sleep 90 && fly -t {{ $target }} jobs -p {{ $pipeline }}
exit-status: 0
stdout:
- "succeeded"
timeout: 40000
timeout: 120000
{{ end }}
check-db-config:
exec: $(echo $CONCOURSE_POSTGRES_DATABASE | grep -q {{ .Vars.postgresql.auth.database }}) && $(echo $CONCOURSE_POSTGRES_USER | grep -q {{ .Vars.postgresql.auth.username }}) && $(echo $CONCOURSE_POSTGRES_PASSWORD | grep -q {{ .Vars.postgresql.auth.password }})
@@ -29,7 +29,7 @@ command:
# or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value.
exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi
exit-status: 0
{{ if .Vars.web.serviceAccount.automountServiceAccountToken }}
{{ if .Vars.web.automountServiceAccountToken }}
check-sa:
exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
exit-status: 0
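Review bot: The new `sleep 90` in `create-pipeline-trigger-job` is a fixed wait that was already bumped once (35 → 90, timeout 40000 → 120000), which suggests the job completion time varies with cluster load and the test will stay flaky; polling would be both faster and more reliable. Replace the tail `sleep 90 && fly -t {{ $target }} jobs -p {{ $pipeline }}` with a bounded loop such as `for i in $(seq 1 18); do fly -t {{ $target }} jobs -p {{ $pipeline }} | grep -q succeeded && break; sleep 5; done; fly -t {{ $target }} jobs -p {{ $pipeline }}` so the goss `stdout` match still applies. The added `export HOME=/tmp` is presumably needed because `fly login` writes its `.flyrc` (including the bearer token) under `$HOME`, which is no longer writable with `readOnlyRootFilesystem: true`; a one-line comment above the `exec:` saying so would save the next person from removing it. The goss `command:` mapping this entry belongs to starts before the hunk.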


@@ -27,7 +27,7 @@ command:
# or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value.
exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi
exit-status: 0
{{ if .Vars.worker.serviceAccount.automountServiceAccountToken }}
{{ if .Vars.worker.automountServiceAccountToken }}
check-sa:
exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
exit-status: 0


@@ -24,7 +24,7 @@ web:
runAsUser: 1002
serviceAccount:
create: true
automountServiceAccountToken: true
automountServiceAccountToken: true
worker:
enabled: true
replicaCount: 2
@@ -43,7 +43,7 @@ worker:
runAsUser: 0
serviceAccount:
create: true
automountServiceAccountToken: true
automountServiceAccountToken: true
service:
web:
type: LoadBalancer


@@ -1,9 +1,9 @@
dependencies:
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 13.4.6
version: 15.0.0
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.19.0
digest: sha256:5807236346107066b65e0db811188f2e4fd37b1d6f354b5c715dbe3b6f093dab
generated: "2024-03-11T20:18:04.489727336Z"
digest: sha256:9b5b943fc90cefa3409114160adac070eb612d2844334aef527e1615d5cd63fa
generated: "2024-03-19T11:38:48.893891135+01:00"


@@ -15,7 +15,7 @@ dependencies:
- condition: postgresql.enabled
name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 13.X.X
version: 15.X.X
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
@@ -37,4 +37,4 @@ maintainers:
name: concourse
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/concourse
version: 3.7.3
version: 4.0.0


@@ -307,7 +307,7 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `none` |
| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `nano` |
| `web.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` |
| `web.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -317,11 +317,11 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
| `web.containerSecurityContext.enabled` | web container securityContext | `true` |
| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `web.containerSecurityContext.runAsUser` | User ID for the web container | `1001` |
| `web.containerSecurityContext.runAsGroup` | Group ID for the web container | `0` |
| `web.containerSecurityContext.runAsGroup` | Group ID for the web container | `1001` |
| `web.containerSecurityContext.runAsNonRoot` | Set web container's Security Context runAsNonRoot | `true` |
| `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` |
| `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` |
| `web.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `web.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `web.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
@@ -411,7 +411,7 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
| `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `worker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `none` |
| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `nano` |
| `worker.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `worker.podSecurityContext.enabled` | Enabled worker pods' Security Context | `true` |
| `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -531,7 +531,7 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
@@ -540,15 +540,17 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
### Concourse database parameters
| Name | Description | Value |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------- |
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
| `postgresql.auth.username` | Name for a custom user to create | `bn_concourse` |
| `postgresql.auth.password` | Password for the custom user to create | `""` |
| `postgresql.auth.database` | Name for a custom database to create | `bitnami_concourse` |
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
| Name | Description | Value |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
| `postgresql.auth.username` | Name for a custom user to create | `bn_concourse` |
| `postgresql.auth.password` | Password for the custom user to create | `""` |
| `postgresql.auth.database` | Name for a custom database to create | `bitnami_concourse` |
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
| `postgresql.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` |
| `postgresql.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
### External PostgreSQL configuration
@@ -595,6 +597,17 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 4.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001` in `web` node.
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 3.0.0
This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.


@@ -126,6 +126,9 @@ spec:
args:
- migrate
- --migrate-to-latest-version
{{- if .Values.web.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.web.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
- name: CONCOURSE_POSTGRES_PASSWORD
valueFrom:
@@ -383,6 +386,9 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: concourse-keys
mountPath: /bitnami/concourse/concourse-keys
readOnly: true
@@ -403,6 +409,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.web.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: concourse-configuration
configMap:
name: {{ include "concourse.web.configmapName" . }}
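Review bot: The `migrate` init container now inherits `web.containerSecurityContext`, which this commit flips to `readOnlyRootFilesystem: true`, but only the main container's `volumeMounts` (the second hunk) gain the writable `empty-dir` mount at `/tmp`; nothing in the first hunk gives the init container any writable path. If `concourse migrate` or the image's entrypoint scripts write to `/tmp` or `$HOME`, the init container will now fail with a read-only filesystem error before the web pod ever starts, so either confirm it writes nothing or add the same `- name: empty-dir` / `mountPath: /tmp` / `subPath: tmp-dir` mount under the init container. Separately, the new `emptyDir: {}` has no `sizeLimit`; since `/tmp` is now the only writable location in the pod, consider exposing a `sizeLimit` so a runaway temp file cannot consume the node's ephemeral storage. Both container specs start and end outside the hunks shown.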


@@ -214,8 +214,16 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: concourse-work-dir
# In this kind of deployment, the state is ephemeral
- name: empty-dir
mountPath: /bitnami/concourse/workdir
subPath: app-work-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /var/run/containerd
subPath: containerd-dir
- name: concourse-keys
mountPath: /bitnami/concourse/concourse-keys
readOnly: true
@@ -226,8 +234,7 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.worker.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
# In this kind of deployment, the state is ephemeral
- name: concourse-work-dir
- name: empty-dir
emptyDir: {}
- name: concourse-keys
secret:
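Review bot: The worker's `workdir`, `/tmp` and `/var/run/containerd` are now all carved out of a single `emptyDir: {}` with no `sizeLimit`, so a build that fills the workdir (where the worker keeps its volumes and fetched images) also exhausts the containerd state directory and `/tmp` of the same pod, and the kubelet has no per-pod bound to enforce before the node's ephemeral storage is affected. The previous dedicated `concourse-work-dir` volume appears to have been an `emptyDir` as well, so this is not a regression, but merging the three paths makes a limit more valuable; suggest `emptyDir:` followed by a templated `sizeLimit:` driven by a chart value (for example `worker.workdirSizeLimit`) so operators can bound it. The enclosing container spec and `volumes:` list both extend beyond the hunks shown.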


@@ -240,6 +240,12 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /var/run/containerd
subPath: containerd-dir
- name: concourse-keys
mountPath: /bitnami/concourse/concourse-keys
readOnly: true
@@ -252,6 +258,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.worker.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: concourse-keys
secret:
secretName: {{ include "concourse.worker.secretName" . }}


@@ -503,7 +503,7 @@ web:
## @param web.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param web.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -546,11 +546,11 @@ web:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
@@ -881,7 +881,7 @@ worker:
## @param worker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param worker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1412,7 +1412,7 @@ volumePermissions:
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1457,6 +1457,24 @@ postgresql:
database: bitnami_concourse
existingSecret: ""
architecture: standalone
primary:
## PostgreSQL Primary resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "nano"
## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## @section External PostgreSQL configuration
## All of these values are only used when postgresql.enabled is set to false
## @param externalDatabase.host Database host
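Review bot: The flip to `readOnlyRootFilesystem: true` in `web.containerSecurityContext` carries no `##` comment explaining what is still writable, yet it is the change most likely to break users' `initContainers`, `sidecars` or custom scripts, and the README upgrade note only says to revert the default if something breaks. Add above the key: `## NOTE: with readOnlyRootFilesystem enabled only /tmp (backed by an emptyDir) is writable; custom initContainers, sidecars or scripts that write elsewhere need their own volume mount`. The same applies to `runAsGroup: 1001`, where a one-line note that files on mounted volumes must be readable by GID 1001 (or that `podSecurityContext.fsGroup` must match) would help operators with pre-existing PVCs. The `web:` mapping these keys belong to starts outside the hunk.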