[bitnami/rabbitmq-cluster-operator] feat!: 🔒 💥 Improve security defaults (#24335)

* [bitnami/rabbitmq-cluster-operator] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* add upgrading doc

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>

---------

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Alejandro Moreno
2024-03-15 11:23:17 +01:00
committed by GitHub
parent 8f997c4da7
commit 043a43b64d
4 changed files with 25 additions and 16 deletions


@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.18.0
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
generated: "2024-03-05T15:31:47.119308256+01:00"
version: 2.19.0
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2024-03-11T13:31:48.244372+01:00"
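Review bot: the `common` dependency bump from 2.18.0 to 2.19.0 (new digest, new `generated` timestamp) is not explained anywhere in the commit message, which only talks about security defaults; if the new `resourcesPreset` or `adaptSecurityContext` handling depends on helpers in `common` 2.19.0 (the values.yaml comments point at `bitnami/common/templates/_resources.tpl`), say so in the message, and confirm the new `sha256` digest was produced by a fresh `helm dependency update` against the published OCI artifact rather than edited by hand, since the lock file is what pins the supply chain here.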


@@ -37,4 +37,4 @@ maintainers:
name: rabbitmq-cluster-operator
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq-cluster-operator
version: 3.20.1
version: 4.0.0


@@ -136,12 +136,12 @@ This solution allows to easily deploy multiple RabbitMQ instances compared to th
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
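Review bot: only the Value column of the `global.compatibility.openshift.adaptSecurityContext` row changes (`disabled` to `auto`), but the description still reads as an opt-in feature; add a sentence making clear that with `auto` the chart will now remove `runAsUser`, `runAsGroup` and `fsGroup` from the security contexts whenever an OpenShift cluster is detected, so users who pinned explicit IDs on purpose (for example to match existing volume ownership) must now set `disabled` explicitly, and point the row at the `To 4.0.0` upgrade notes.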
@@ -200,7 +200,7 @@ This solution allows to easily deploy multiple RabbitMQ instances compared to th
| `clusterOperator.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `clusterOperator.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `clusterOperator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `clusterOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production). | `none` |
| `clusterOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production). | `nano` |
| `clusterOperator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `clusterOperator.podSecurityContext.enabled` | Enabled RabbitMQ Cluster Operator pods' Security Context | `true` |
| `clusterOperator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
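Review bot: with `clusterOperator.resourcesPreset` defaulting to `nano` while `clusterOperator.resources` stays `{}`, the operator container gets CPU and memory limits out of the box for the first time; the description already says the preset is not meant for production, but it should also spell out the consequence, namely that a cluster operator throttled or OOM-killed at the `nano` limit stops reconciling every `RabbitmqCluster` it manages, so production users should set `clusterOperator.resources` explicitly as part of the upgrade rather than discover the limit later.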
@@ -340,7 +340,7 @@ This solution allows to easily deploy multiple RabbitMQ instances compared to th
| `msgTopologyOperator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `msgTopologyOperator.existingWebhookCertSecret` | name of a secret containing the certificates (use it to avoid certManager creating one) | `""` |
| `msgTopologyOperator.existingWebhookCertCABundle` | PEM-encoded CA Bundle of the existing secret provided in existingWebhookCertSecret (only if useCertManager=false) | `""` |
| `msgTopologyOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production). | `none` |
| `msgTopologyOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production). | `nano` |
| `msgTopologyOperator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `msgTopologyOperator.podSecurityContext.enabled` | Enabled RabbitMQ Messaging Topology Operator pods' Security Context | `true` |
| `msgTopologyOperator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
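Review bot: same default change as for the cluster operator, but this component also serves an admission webhook (see the `existingWebhookCertSecret` and `existingWebhookCertCABundle` rows just above); a webhook pod starved under the `nano` preset can time out on admission requests and, depending on the webhook's failure policy, block creation of topology objects cluster-wide, which is worth a sentence either in this row's description or in the upgrade notes.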
@@ -590,6 +590,15 @@ tar xf rabbitmq-cluster-operator-VERSION.tar.gz
kubectl apply -f rabbitmq-cluster-operator/crds
```
### To 4.0.0
This major bump changes the following security defaults:
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 2.0.0
This new version adds the following components:
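Review bot: the `To 4.0.0` note says `resourcesPreset` moves to "the minimum size working in our test suites" without naming the value; state it concretely (`nano`, as the README tables and values.yaml in this same commit show) and replace "change the default values to the previous ones" with the exact keys to restore the old behaviour, e.g. `clusterOperator.resourcesPreset=none`, `msgTopologyOperator.resourcesPreset=none` and `global.compatibility.openshift.adaptSecurityContext=disabled`, so an upgrading user does not have to diff two versions of values.yaml to find them.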
@@ -629,4 +638,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.


@@ -27,7 +27,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
##
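Review bot: now that `adaptSecurityContext` defaults to `auto`, the behaviour depends on cluster detection, but the `@param` comment does not say how OpenShift is detected or what happens when detection fails; document the detection criterion (or at least that `force` is the value to use on clusters where detection is unreliable and `disabled` the value to keep the previous 3.x behaviour), since this comment is what users read in values.yaml when the adaptation unexpectedly drops their `runAsUser`/`fsGroup` settings.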
@@ -210,7 +210,7 @@ clusterOperator:
## @param clusterOperator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param clusterOperator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
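Review bot: the `More information` link anchors to a specific line (`_resources.tpl#L15`) in the `common` chart, which this very commit moves from 2.18.0 to 2.19.0; line anchors on `main` go stale with every edit to that template, so link to the file (or to a tagged ref matching the locked `common` version) instead, and consider listing the actual `nano` request/limit values in the comment so a user can judge whether the new default fits before it is applied.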
@@ -752,7 +752,7 @@ msgTopologyOperator:
## @param msgTopologyOperator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param msgTopologyOperator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
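Review bot: the `## Example:` block for `msgTopologyOperator.resources` that follows this hunk is now the part production users are expected to copy, so it would help to show a complete example (requests and limits for both CPU and memory) and to state that setting `resources` makes `resourcesPreset` ignored, which the `@param` text says but the example does not demonstrate; the stale `#L15` line anchor in the link applies here too.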