[bitnami/jenkins] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23915)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
committed by
GitHub
parent
03aea73e72
commit
11b99af423
@@ -35,4 +35,4 @@ maintainers:
|
||||
name: jenkins
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/jenkins
|
||||
version: 12.9.2
|
||||
version: 12.10.0
|
||||
|
||||
@@ -157,6 +157,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `configAsCode.autoReload.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `configAsCode.autoReload.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `configAsCode.autoReload.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `configAsCode.autoReload.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `configAsCode.autoReload.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `configAsCode.autoReload.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `configAsCode.autoReload.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
@@ -226,6 +227,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
||||
@@ -61,6 +61,38 @@ spec:
|
||||
{{- end }}
|
||||
{{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) (or .Values.tls.autoGenerated .Values.tls.existingSecret) .Values.initContainers }}
|
||||
initContainers:
|
||||
- name: copy-plugins
|
||||
image: {{ include "jenkins.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -ec
|
||||
- |-
|
||||
#!/bin/bash
|
||||
|
||||
. /opt/bitnami/scripts/libfs.sh
|
||||
|
||||
if ! is_dir_empty /opt/bitnami/jenkins/plugins; then
|
||||
cp -r /opt/bitnami/jenkins/plugins/* /plugins
|
||||
fi
|
||||
{{- if .Values.resources }}
|
||||
resources: {{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- else if ne .Values.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/jenkins/certs
|
||||
subPath: app-certs-dir
|
||||
- name: empty-dir
|
||||
mountPath: /plugins
|
||||
subPath: app-plugins-dir
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if or .Values.tls.autoGenerated .Values.tls.existingSecret }}
|
||||
- name: init-certs
|
||||
image: {{ include "jenkins.image" . }}
|
||||
@@ -112,8 +144,9 @@ spec:
|
||||
volumeMounts:
|
||||
- name: certs
|
||||
mountPath: /certs
|
||||
- name: shared-certs
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/jenkins/certs
|
||||
subPath: app-certs-dir
|
||||
{{- end }}
|
||||
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
|
||||
- name: volume-permissions
|
||||
@@ -137,6 +170,9 @@ spec:
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: jenkins-data
|
||||
mountPath: /bitnami/jenkins
|
||||
{{- end }}
|
||||
@@ -302,11 +338,24 @@ spec:
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/jenkins/plugins
|
||||
subPath: app-plugins-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/jenkins/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/jenkins/logs
|
||||
subPath: app-logs-dir
|
||||
- name: jenkins-data
|
||||
mountPath: /bitnami/jenkins
|
||||
{{- if or .Values.tls.autoGenerated .Values.tls.existingSecret }}
|
||||
- name: shared-certs
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/jenkins/certs
|
||||
subPath: app-certs-dir
|
||||
{{- end }}
|
||||
{{- if .Values.configAsCode.enabled }}
|
||||
- name: config-as-code-mountpoint
|
||||
@@ -437,10 +486,14 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: jenkins-data
|
||||
mountPath: /bitnami/jenkins
|
||||
- name: tmp-config-as-code
|
||||
- name: empty-dir
|
||||
mountPath: /old_copy
|
||||
subPath: app-casc-tmp-dir
|
||||
{{- if .Values.configAsCode.autoReload.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.configAsCode.autoReload.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
@@ -449,6 +502,8 @@ spec:
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
- name: jenkins-data
|
||||
{{- if .Values.persistence.enabled }}
|
||||
persistentVolumeClaim:
|
||||
@@ -460,17 +515,11 @@ spec:
|
||||
- name: certs
|
||||
secret:
|
||||
secretName: {{ include "jenkins.tlsSecretName" . }}
|
||||
- name: shared-certs
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.configAsCode.enabled }}
|
||||
- name: config-as-code-mountpoint
|
||||
configMap:
|
||||
name: {{ template "jenkins.configAsCodeCM" . }}
|
||||
{{- if .Values.configAsCode.autoReload.enabled }}
|
||||
- name: tmp-config-as-code
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if or .Values.initScripts .Values.initScriptsCM .Values.initScriptsSecret }}
|
||||
- name: custom-init-scripts
|
||||
|
||||
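Review bot: The new `copy-plugins` init container in the hunk at `@@ -61,6 +61,38 @@ spec:` is emitted under the pre-existing guard `{{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) (or .Values.tls.autoGenerated .Values.tls.existingSecret) .Values.initContainers }}`; the hunk header shows no removed lines, so that guard appears unchanged. When none of those values is set, no init container runs, yet the main container (hunk `@@ -302,11 +338,24 @@`) still mounts `empty-dir` with `subPath: app-plugins-dir` over `/opt/bitnami/jenkins/plugins`, so the plugins shipped in the image would be shadowed by an empty volume. Because the copy is now required whenever that mount exists, `initContainers:` and the `copy-plugins` entry should be rendered unconditionally and the old guard moved down to wrap only `init-certs`, `volume-permissions` and the user-supplied `.Values.initContainers`, taking care that the matching `{{- end }}` moves with it. The enclosing `spec` and the closing `{{- end }}` of that guard are outside the hunk.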
@@ -308,6 +308,7 @@ configAsCode:
|
||||
## @param configAsCode.autoReload.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param configAsCode.autoReload.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param configAsCode.autoReload.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param configAsCode.autoReload.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param configAsCode.autoReload.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param configAsCode.autoReload.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param configAsCode.autoReload.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -319,6 +320,7 @@ configAsCode:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -583,6 +585,7 @@ podSecurityContext:
|
||||
## @param containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -594,6 +597,7 @@ containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
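Review bot: Both new defaults, `readOnlyRootFilesystem: false` in the hunk at `@@ -594,6 +597,7 @@ containerSecurityContext:` and the same key in `@@ -319,6 +320,7 @@ configAsCode:`, leave the hardening off even though the companion template change backs every writable path (`/tmp`, plugins, logs, certs, the CasC `/old_copy` directory) with `empty-dir` mounts. If shipping it opt-in is intentional, the `## @param` line should say so, e.g. `## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem (writable paths are backed by emptyDir volumes, so enabling it is supported)`; otherwise consider defaulting to `true`, since a read-only root filesystem prevents runtime writes to the image layers. The same wording applies to the `configAsCode.autoReload.containerSecurityContext` parameter in the earlier hunk.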