[bitnami/mongodb] feat: 🔒 Add readOnlyRootFilesystem support (#23746)

* [bitnami/mongodb] feat:  🔒 Add readOnlyRootFilesystem support

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* test:  Adapt configuration file to new ownership

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-22 12:41:40 +01:00
committed by GitHub
parent 2da202b8f0
commit 550fbdc01c
9 changed files with 118 additions and 5 deletions


@@ -10,7 +10,7 @@ file:
/opt/bitnami/mongodb/conf/mongodb.conf:
exists: true
filetype: file
mode: "0660"
mode: "0644"
contents:
- /port:.*{{ .Vars.containerPorts.mongodb }}/
command:


@@ -39,4 +39,4 @@ maintainers:
name: mongodb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
version: 14.11.1
version: 14.12.0


@@ -260,6 +260,7 @@ There are no services load balancing requests between MongoDB(&reg;) nodes; inst
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -405,6 +406,7 @@ There are no services load balancing requests between MongoDB(&reg;) nodes; inst
| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -497,6 +499,7 @@ There are no services load balancing requests between MongoDB(&reg;) nodes; inst
| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -584,6 +587,7 @@ There are no services load balancing requests between MongoDB(&reg;) nodes; inst
| `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |


@@ -101,6 +101,9 @@ spec:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
mountPath: /certs/CAs
@@ -238,8 +241,19 @@ spec:
{{- else if ne .Values.arbiter.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.arbiter.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumeMounts .Values.tls.enabled }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/logs
subPath: app-logs-dir
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
- name: config
mountPath: /opt/bitnami/mongodb/conf/mongodb.conf
@@ -252,12 +266,13 @@ spec:
{{- if .Values.arbiter.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.arbiter.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }}
{{- end }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}
volumes:
- name: empty-dir
emptyDir: {}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
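Review bot: The `empty-dir` mounts added at the top of the arbiter container's `volumeMounts` are unconditional, but the `volumes:` list they point at still sits behind `{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}`, so with all of those at their defaults the rendered pod references a volume that is never declared and the StatefulSet is rejected at admission. The first hunk removes the equivalent conditional in front of `volumeMounts:` (and its `{{- end }}` in this hunk); if I read the hunk counts right, the one in front of `volumes:` survives as context. Drop that `if` and its closing `end` so `volumes:` with `empty-dir` and `common-scripts` is always emitted, keeping only the inner conditionals for the `config` and certificate volumes. The container spec and the `volumes:` list both continue past the end of this hunk, so the matching `end` is not visible here.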


@@ -79,6 +79,9 @@ spec:
fieldRef:
fieldPath: status.hostIP
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
mountPath: /certs/CAs
@@ -139,6 +142,9 @@ spec:
- "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz"
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -159,6 +165,8 @@ spec:
{{- end }}
restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
volumes:
- name: empty-dir
emptyDir: {}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}


@@ -111,6 +111,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: datadir
mountPath: {{ .Values.hidden.persistence.mountPath }}
{{- end }}
@@ -145,6 +148,9 @@ spec:
mountPath: /certs
- name: common-scripts
mountPath: /bitnami/scripts
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
command:
- /bitnami/scripts/generate-certs.sh
args:
@@ -187,6 +193,9 @@ spec:
- name: scripts
mountPath: /scripts/auto-discovery.sh
subPath: auto-discovery.sh
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- end }}
containers:
@@ -392,6 +401,18 @@ spec:
- name: certs
mountPath: /certs
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/logs
subPath: app-logs-dir
{{- if .Values.hidden.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -441,10 +462,16 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
{{- end }}
- name: empty-dir
mountPath: /opt/bitnami/redis-cluster/tmp
subPath: app-tmp-dir
{{- if .Values.metrics.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -486,6 +513,8 @@ spec:
{{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
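Review bot: The metrics sidecar in this template mounts `empty-dir` at `/opt/bitnami/redis-cluster/tmp`, a redis-cluster path in a MongoDB chart, and it does so with `subPath: app-tmp-dir`, the same slice the mongod container mounts at `/opt/bitnami/mongodb/tmp`, so the exporter and mongod would share one writable directory. The replicaset and standalone templates in this same commit give the metrics container only the `/tmp` mount. Remove the three lines, or if the exporter really needs extra scratch space, mount it under the exporter's own install path with a dedicated slice such as `subPath: metrics-tmp-dir`. The metrics container definition starts before this hunk, so I cannot see whether it already has another mount covering this.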


@@ -113,6 +113,9 @@ spec:
volumeMounts:
- name: datadir
mountPath: {{ .Values.persistence.mountPath }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.tls.enabled }}
- name: generate-tls-certs
@@ -145,6 +148,9 @@ spec:
mountPath: /certs
- name: common-scripts
mountPath: /bitnami/scripts
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
command:
- /bitnami/scripts/generate-certs.sh
args:
@@ -187,6 +193,9 @@ spec:
- name: scripts
mountPath: /scripts/auto-discovery.sh
subPath: auto-discovery.sh
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- end }}
containers:
@@ -363,6 +372,18 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/logs
subPath: app-logs-dir
- name: datadir
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
@@ -442,6 +463,9 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -487,6 +511,8 @@ spec:
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
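Review bot: The `empty-dir` volume is declared as `emptyDir: {}` with no `sizeLimit`, yet it now backs `/opt/bitnami/mongodb/logs` and `/opt/bitnami/mongodb/tmp` for the mongod container, so anything mongod writes there counts against node ephemeral storage with no per-pod cap and is only bounded by node-level eviction. Consider declaring it as `emptyDir:` followed by `sizeLimit: 1Gi` (or a chart value so operators can tune it), and document in values.yaml that these paths are ephemeral and lost on container restart. Whether mongod actually writes a log file under that path depends on the generated configuration, which is outside this hunk.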


@@ -111,6 +111,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: {{ .Values.persistence.name | default "datadir" }}
mountPath: {{ .Values.persistence.mountPath }}
{{- end }}
@@ -128,6 +131,9 @@ spec:
fieldRef:
fieldPath: status.hostIP
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
mountPath: /certs/CAs
@@ -303,6 +309,18 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mongodb/logs
subPath: app-logs-dir
- name: {{ .Values.persistence.name | default "datadir" }}
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
@@ -370,6 +388,9 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -415,6 +436,8 @@ spec:
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
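Review bot: The metrics container's `/tmp` mount uses the same `empty-dir` slice, `subPath: tmp-dir`, as the mongod container and both init containers, so `/tmp` becomes one shared writable directory across every container in the pod rather than per-container scratch space, which works against the least-privilege intent of `readOnlyRootFilesystem`. Give the exporter its own slice, `subPath: metrics-tmp-dir`, unless it genuinely needs something mongod places in `/tmp` (mongod's default Unix-domain socket lives there if it is still enabled in the generated config, which I cannot see from this hunk). The same applies to the init containers if they do not need to hand files to the main container through `/tmp`.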


@@ -120,7 +120,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/mongodb
tag: 7.0.5-debian-12-r4
tag: 7.0.5-debian-12-r5
digest: ""
## Specify a imagePullPolicy
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -561,6 +561,7 @@ podSecurityContext:
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -572,6 +573,7 @@ containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -1191,6 +1193,7 @@ backup:
## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1202,6 +1205,7 @@ backup:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -1589,6 +1593,7 @@ arbiter:
## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context
## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged
## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1600,6 +1605,7 @@ arbiter:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -1930,6 +1936,7 @@ hidden:
## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context
## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged
## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1941,6 +1948,7 @@ hidden:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
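Review bot: `readOnlyRootFilesystem` stays `false` for every component even though the templates in this commit now mount emptyDir-backed `/tmp`, conf, tmp and logs directories precisely so that the root filesystem can be made read-only; as shipped the hardening is opt-in and nothing in the values comments tells users that `true` is now expected to work. Either flip the default to `true` for the main, hidden and arbiter containers (the backup cronjob too, if mongodump's target directory is on a mounted volume, which this page does not show), or at least extend the `@param` line, e.g. `## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem (the chart mounts the writable paths mongod needs, so true is supported)`. Keep the `@param` text on one line so readme-generator-for-helm picks it up.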