Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-11 07:17:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/rabbitmq-cluster-operator] feat!: 🔒 💥 Improve security defaults (#24335)

Browse Source 
* [bitnami/rabbitmq-cluster-operator] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* add upgrading doc

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>

---------

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Alejandro Moreno
2024-03-15 11:23:17 +01:00
committed by GitHub
parent 8f997c4da7
commit 043a43b64d
4 changed files with 25 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bitnami/rabbitmq-cluster-operator/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: common - name: common
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 2.18.0 version: 2.19.0
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2024-03-05T15:31:47.119308256+01:00" generated: "2024-03-11T13:31:48.244372+01:00"

2
bitnami/rabbitmq-cluster-operator/Chart.yaml
View File

@@ -37,4 +37,4 @@ maintainers:
name: rabbitmq-cluster-operator name: rabbitmq-cluster-operator
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq-cluster-operator - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq-cluster-operator
version: 3.20.1 version: 4.0.0

25
bitnami/rabbitmq-cluster-operator/README.md
View File

@@ -136,12 +136,12 @@ This solution allows to easily deploy multiple RabbitMQ instances compared to th
### Global parameters ### Global parameters
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` | | `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | | `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | | `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters ### Common parameters
@@ -200,7 +200,7 @@ This solution allows to easily deploy multiple RabbitMQ instances compared to th
| `clusterOperator.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `clusterOperator.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `clusterOperator.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `clusterOperator.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `clusterOperator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `clusterOperator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `clusterOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production). | `none` | | `clusterOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production). | `nano` |
| `clusterOperator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `clusterOperator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `clusterOperator.podSecurityContext.enabled` | Enabled RabbitMQ Cluster Operator pods' Security Context | `true` | | `clusterOperator.podSecurityContext.enabled` | Enabled RabbitMQ Cluster Operator pods' Security Context | `true` |
| `clusterOperator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | | `clusterOperator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -340,7 +340,7 @@ This solution allows to easily deploy multiple RabbitMQ instances compared to th
| `msgTopologyOperator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `msgTopologyOperator.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `msgTopologyOperator.existingWebhookCertSecret` | name of a secret containing the certificates (use it to avoid certManager creating one) | `""` | | `msgTopologyOperator.existingWebhookCertSecret` | name of a secret containing the certificates (use it to avoid certManager creating one) | `""` |
| `msgTopologyOperator.existingWebhookCertCABundle` | PEM-encoded CA Bundle of the existing secret provided in existingWebhookCertSecret (only if useCertManager=false) | `""` | | `msgTopologyOperator.existingWebhookCertCABundle` | PEM-encoded CA Bundle of the existing secret provided in existingWebhookCertSecret (only if useCertManager=false) | `""` |
| `msgTopologyOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production). | `none` | | `msgTopologyOperator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production). | `nano` |
| `msgTopologyOperator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `msgTopologyOperator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `msgTopologyOperator.podSecurityContext.enabled` | Enabled RabbitMQ Messaging Topology Operator pods' Security Context | `true` | | `msgTopologyOperator.podSecurityContext.enabled` | Enabled RabbitMQ Messaging Topology Operator pods' Security Context | `true` |
| `msgTopologyOperator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | | `msgTopologyOperator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -590,6 +590,15 @@ tar xf rabbitmq-cluster-operator-VERSION.tar.gz
kubectl apply -f rabbitmq-cluster-operator/crds kubectl apply -f rabbitmq-cluster-operator/crds
``` ```
### To 4.0.0
This major bump changes the following security defaults:
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 2.0.0 ### To 2.0.0
This new version adds the following components: This new version adds the following components:

6
bitnami/rabbitmq-cluster-operator/values.yaml
View File

@@ -27,7 +27,7 @@ global:
openshift: openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
## ##
adaptSecurityContext: disabled adaptSecurityContext: auto
## @section Common parameters ## @section Common parameters
## ##
@@ -210,7 +210,7 @@ clusterOperator:
## @param clusterOperator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production). ## @param clusterOperator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if clusterOperator.resources is set (clusterOperator.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
## ##
resourcesPreset: "none" resourcesPreset: "nano"
## @param clusterOperator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## @param clusterOperator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example: ## Example:
## resources: ## resources:
@@ -752,7 +752,7 @@ msgTopologyOperator:
## @param msgTopologyOperator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production). ## @param msgTopologyOperator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if msgTopologyOperator.resources is set (msgTopologyOperator.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
## ##
resourcesPreset: "none" resourcesPreset: "nano"
## @param msgTopologyOperator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## @param msgTopologyOperator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example: ## Example:
## resources: ## resources: