[bitnami/nats] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23613)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

bitnami/nats/Chart.yaml

@@ -31,4 +31,4 @@ maintainers:
 name: nats
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/nats
-version: 7.15.0
+version: 7.16.0

bitnami/nats/README.md

@@ -135,6 +135,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                       | `true`           |
 | `containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                           | `nil`            |
 | `containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                                                                                                 | `1001`           |
+| `containerSecurityContext.runAsGroup`               | Set containers' Security Context runAsGroup                                                                                                                                                                | `0`              |
 | `containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                                                                                              | `true`           |
 | `containerSecurityContext.privileged`               | Set container's Security Context privileged                                                                                                                                                                | `false`          |
 | `containerSecurityContext.readOnlyRootFilesystem`   | Set container's Security Context readOnlyRootFilesystem                                                                                                                                                    | `false`          |

bitnami/nats/templates/deployment.yaml

@@ -144,6 +144,14 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: tmp-dir
+              mountPath: /tmp
+            - name: app-conf-dir
+              mountPath: /opt/bitnami/nats/conf
+            - name: app-tmp-dir
+              mountPath: /opt/bitnami/nats/tmp
+            - name: app-logs-dir
+              mountPath: /opt/bitnami/nats/logs
             - name: config
               mountPath: /bitnami/nats/conf/{{ .Values.natsFilename }}.conf
               subPath: {{ .Values.natsFilename }}.conf
@@ -188,6 +196,14 @@ spec:
         {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
         {{- end }}
       volumes:
+        - name: app-conf-dir
+          emptyDir: {}
+        - name: app-tmp-dir
+          emptyDir: {}
+        - name: app-logs-dir
+          emptyDir: {}
+        - name: tmp-dir
+          emptyDir: {}
         - name: config
           secret:
             secretName: {{ include "nats.secretName" . }}

bitnami/nats/templates/statefulset.yaml

@@ -149,6 +149,14 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: tmp-dir
+              mountPath: /tmp
+            - name: app-conf-dir
+              mountPath: /opt/bitnami/nats/conf
+            - name: app-tmp-dir
+              mountPath: /opt/bitnami/nats/tmp
+            - name: app-logs-dir
+              mountPath: /opt/bitnami/nats/logs
             - name: config
               mountPath: /bitnami/nats/conf/{{ .Values.natsFilename }}.conf
               subPath: {{ .Values.natsFilename }}.conf
@@ -197,6 +205,14 @@ spec:
         {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
         {{- end }}
       volumes:
+        - name: app-conf-dir
+          emptyDir: {}
+        - name: app-tmp-dir
+          emptyDir: {}
+        - name: app-logs-dir
+          emptyDir: {}
+        - name: tmp-dir
+          emptyDir: {}
         - name: config
           secret:
             secretName: {{ include "nats.secretName" . }}

bitnami/nats/values.yaml

@@ -65,7 +65,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/nats
-  tag: 2.10.10-debian-11-r2
+  tag: 2.10.11-debian-12-r1
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -336,6 +336,7 @@ podSecurityContext:
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
 ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -347,6 +348,7 @@ containerSecurityContext:
   enabled: true
   seLinuxOptions: null
   runAsUser: 1001
+  runAsGroup: 0
   runAsNonRoot: true
   privileged: false
   readOnlyRootFilesystem: false