From 0bbd7a8ff6ef39d94c0c97e09eb0fba499958310 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Tue, 20 Feb 2024 16:32:24 +0100
Subject: [PATCH] [bitnami/nats] feat: :sparkles: :lock: Add readOnlyRootFilesystem support (#23613)
Signed-off-by: Javier Salmeron Garcia
---
 bitnami/nats/Chart.yaml | 2 +-
 bitnami/nats/README.md | 1 +
 bitnami/nats/templates/deployment.yaml | 16 ++++++++++++++++
 bitnami/nats/templates/statefulset.yaml | 16 ++++++++++++++++
 bitnami/nats/values.yaml | 4 +++-
 5 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/bitnami/nats/Chart.yaml b/bitnami/nats/Chart.yaml
index 7288529bf9..ba5d52ee25 100644
--- a/bitnami/nats/Chart.yaml
+++ b/bitnami/nats/Chart.yaml
@@ -31,4 +31,4 @@ maintainers:
 name: nats
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/nats
-version: 7.15.0
+version: 7.16.0
diff --git a/bitnami/nats/README.md b/bitnami/nats/README.md
index d9aec3501f..ef51a45970 100644
--- a/bitnami/nats/README.md
+++ b/bitnami/nats/README.md
@@ -135,6 +135,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
diff --git a/bitnami/nats/templates/deployment.yaml b/bitnami/nats/templates/deployment.yaml
index a7c4720d7e..3138be22b3 100644
--- a/bitnami/nats/templates/deployment.yaml
+++ b/bitnami/nats/templates/deployment.yaml
@@ -144,6 +144,14 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+ - name: app-conf-dir
+ mountPath: /opt/bitnami/nats/conf
+ - name: app-tmp-dir
+ mountPath: /opt/bitnami/nats/tmp
+ - name: app-logs-dir
+ mountPath: /opt/bitnami/nats/logs
 - name: config
 mountPath: /bitnami/nats/conf/{{ .Values.natsFilename }}.conf
 subPath: {{ .Values.natsFilename }}.conf
@@ -188,6 +196,14 @@ spec:
 {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: app-conf-dir
+ emptyDir: {}
+ - name: app-tmp-dir
+ emptyDir: {}
+ - name: app-logs-dir
+ emptyDir: {}
+ - name: tmp-dir
+ emptyDir: {}
 - name: config
 secret:
 secretName: {{ include "nats.secretName" . }}
diff --git a/bitnami/nats/templates/statefulset.yaml b/bitnami/nats/templates/statefulset.yaml
index 4e782b1687..da53b7241e 100644
--- a/bitnami/nats/templates/statefulset.yaml
+++ b/bitnami/nats/templates/statefulset.yaml
@@ -149,6 +149,14 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: tmp-dir
+ mountPath: /tmp
+ - name: app-conf-dir
+ mountPath: /opt/bitnami/nats/conf
+ - name: app-tmp-dir
+ mountPath: /opt/bitnami/nats/tmp
+ - name: app-logs-dir
+ mountPath: /opt/bitnami/nats/logs
 - name: config
 mountPath: /bitnami/nats/conf/{{ .Values.natsFilename }}.conf
 subPath: {{ .Values.natsFilename }}.conf
@@ -197,6 +205,14 @@ spec:
 {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: app-conf-dir
+ emptyDir: {}
+ - name: app-tmp-dir
+ emptyDir: {}
+ - name: app-logs-dir
+ emptyDir: {}
+ - name: tmp-dir
+ emptyDir: {}
 - name: config
 secret:
 secretName: {{ include "nats.secretName" . }}
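Review bot: The four mounts added under `volumeMounts:` in the `@@ -144,6 +144,14 @@` hunk are unconditional, so `/opt/bitnami/nats/conf`, `/opt/bitnami/nats/tmp`, `/opt/bitnami/nats/logs` and `/tmp` are covered by an empty volume on every pod even when `containerSecurityContext.readOnlyRootFilesystem` stays `false`, and anything the image ships under `/opt/bitnami/nats/conf` is hidden by the mount. The hunk does not show what repopulates that directory at start-up; presumably the image's entrypoint does, which is worth confirming and stating. A comment above the first entry would record the intent, e.g. `# Writable scratch paths so the container can run with readOnlyRootFilesystem: true`. The same applies to the `@@ -149,6 +149,14 @@` hunk in `statefulset.yaml`; the container spec around both hunks starts and ends outside them.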
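Review bot: Each of the four volumes added under `volumes:` in the `@@ -188,6 +196,14 @@` hunk is `emptyDir: {}` with no `sizeLimit`, so writes to `/tmp` and `/opt/bitnami/nats/logs` land on node-backed storage that nothing in this hunk bounds. A runaway log or temp file can then consume node ephemeral storage unless the container's resource settings already cap it, which is not visible here. Consider giving each entry a `sizeLimit: <LIMIT>` (placeholder), ideally driven by a chart value so operators can tune it. The `@@ -197,6 +205,14 @@` hunk in `statefulset.yaml` adds the same four volumes.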
diff --git a/bitnami/nats/values.yaml b/bitnami/nats/values.yaml
index 5f09176880..076e5dec7c 100644
--- a/bitnami/nats/values.yaml
+++ b/bitnami/nats/values.yaml
@@ -65,7 +65,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/nats
- tag: 2.10.10-debian-11-r2
+ tag: 2.10.11-debian-12-r1
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -336,6 +336,7 @@ podSecurityContext:
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
 ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -347,6 +348,7 @@ containerSecurityContext:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
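Review bot: `runAsGroup: 0` in the `@@ -347,6 +348,7 @@` hunk makes the root group the container's primary group by default, and neither this line nor the `@param` line added in the hunk above says why. `runAsNonRoot: true` constrains only the UID, so any group-writable path owned by GID 0 in the image or on a mounted volume becomes writable to the process. If GID 0 is required by the image's file ownership, a comment should say so, along the lines of `## runAsGroup 0 matches the group ownership of the image's writable directories` (wording to be confirmed against the image). The unchanged last context line also shows `readOnlyRootFilesystem: false`, so the hardening named in the commit subject stays opt-in; the parameter description could state that explicitly.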