[bitnami/appsmith] feat!: 🔒 💥 Improve security defaults (#24574)

* [bitnami/appsmith] feat!: 🔒 💥 Improve security defaults Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: ⬆️ Bump subchart deps Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: ⬆️ Bump deps Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
2026-03-15 06:47:24 +08:00 · 2024-03-22 11:13:35 +01:00
parent 4baa241ef6
commit 2cbdb11d0f
10 changed files with 283 additions and 97 deletions
--- a/bitnami/appsmith/templates/rts/deployment.yaml
+++ b/bitnami/appsmith/templates/rts/deployment.yaml
@@ -164,6 +164,30 @@ spec:
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.rts.lifecycleHooks "context" $) | nindent 12 }}
          {{- end }}
          volumeMounts:
+            - name: empty-dir
+              mountPath: /opt/bitnami/appsmith/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/appsmith/logs
+              subPath: app-logs-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/appsmith/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/nginx/conf
+              subPath: nginx-conf-dir
+            - name: empty-dir
+              mountPath: /certs
+              subPath: nginx-certs-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/nginx/tmp
+              subPath: nginx-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/nginx/logs
+              subPath: nginx-logs-dir
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
          {{- if .Values.rts.extraVolumeMounts }}
          {{- include "common.tplvalues.render" (dict "value" .Values.rts.extraVolumeMounts "context" $) | nindent 12 }}
          {{- end }}
@@ -171,6 +195,8 @@ spec:
        {{- include "common.tplvalues.render" (dict "value" .Values.rts.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
+        - name: empty-dir
+          emptyDir: {}
        {{- if .Values.rts.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.rts.extraVolumes "context" $) | nindent 8 }}
        {{- end }}
--- a/bitnami/appsmith/templates/rts/networkpolicy.yaml
+++ b/bitnami/appsmith/templates/rts/networkpolicy.yaml
@@ -37,10 +37,18 @@ spec:
    - ports:
        - port: {{ .Values.rts.service.ports.http }}
        - port: {{ .Values.backend.service.ports.http }}
-        - port: {{ include "appsmith.mongodb.port" . }}
      to:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+    - ports:
+        - port: {{ include "appsmith.mongodb.port" . }}
+      {{- if .Values.mongodb.enabled }}
+      to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mongodb
+              app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- end }}
    {{- if .Values.rts.networkPolicy.extraEgress }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
    {{- end }}
@@ -48,7 +56,6 @@ spec:
  ingress:
    - ports:
        - port: {{ .Values.rts.containerPorts.http }}
-        - port: {{ .Values.rts.service.ports.http }}
      {{- if not .Values.rts.networkPolicy.allowExternal }}
      from:
        - podSelector: