From 550fbdc01cd0be150d049bfebccd5ad4b8f81f7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Thu, 22 Feb 2024 12:41:40 +0100 Subject: [PATCH] [bitnami/mongodb] feat: :sparkles: :lock: Add readOnlyRootFilesystem support (#23746) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/mongodb] feat: :sparkles: :lock: Add readOnlyRootFilesystem support Signed-off-by: Javier Salmeron Garcia * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * test: :white_check_mark: Adapt configuration file to new ownership Signed-off-by: Javier Salmeron Garcia --------- Signed-off-by: Javier Salmeron Garcia Signed-off-by: Bitnami Containers Signed-off-by: Javier J. Salmerón-García Co-authored-by: Bitnami Containers --- .vib/mongodb/goss/goss.yaml | 2 +- bitnami/mongodb/Chart.yaml | 2 +- bitnami/mongodb/README.md | 4 +++ .../templates/arbiter/statefulset.yaml | 19 ++++++++++-- bitnami/mongodb/templates/backup/cronjob.yaml | 8 +++++ .../mongodb/templates/hidden/statefulset.yaml | 29 +++++++++++++++++++ .../templates/replicaset/statefulset.yaml | 26 +++++++++++++++++ .../mongodb/templates/standalone/dep-sts.yaml | 23 +++++++++++++++ bitnami/mongodb/values.yaml | 10 ++++++- 9 files changed, 118 insertions(+), 5 deletions(-) diff --git a/.vib/mongodb/goss/goss.yaml b/.vib/mongodb/goss/goss.yaml index c4dc0ea6e5..297603042c 100644 --- a/.vib/mongodb/goss/goss.yaml +++ b/.vib/mongodb/goss/goss.yaml @@ -10,7 +10,7 @@ file: /opt/bitnami/mongodb/conf/mongodb.conf: exists: true filetype: file - mode: "0660" + mode: "0644" contents: - /port:.*{{ .Vars.containerPorts.mongodb }}/ command: diff --git a/bitnami/mongodb/Chart.yaml b/bitnami/mongodb/Chart.yaml index 3d4671bc19..f729abc16c 100644 --- a/bitnami/mongodb/Chart.yaml +++ b/bitnami/mongodb/Chart.yaml 
@@ -39,4 +39,4 @@ maintainers: name: mongodb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mongodb -version: 14.11.1 +version: 14.12.0 diff --git a/bitnami/mongodb/README.md b/bitnami/mongodb/README.md index 45a7644fce..065e047fdc 100644 --- a/bitnami/mongodb/README.md +++ b/bitnami/mongodb/README.md @@ -260,6 +260,7 @@ There are no services load balancing requests between MongoDB(®) nodes; inst | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | @@ -405,6 +406,7 @@ There are no services load balancing requests between MongoDB(®) nodes; inst | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | 
@@ -497,6 +499,7 @@ There are no services load balancing requests between MongoDB(®) nodes; inst | `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | @@ -584,6 +587,7 @@ There are no services load balancing requests between MongoDB(®) nodes; inst | `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | diff --git a/bitnami/mongodb/templates/arbiter/statefulset.yaml b/bitnami/mongodb/templates/arbiter/statefulset.yaml index d9bef3bbca..f48eaccb48 100644 --- a/bitnami/mongodb/templates/arbiter/statefulset.yaml +++ b/bitnami/mongodb/templates/arbiter/statefulset.yaml 
@@ -101,6 +101,9 @@ spec: fieldRef: fieldPath: metadata.name volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume mountPath: /certs/CAs @@ -238,8 +241,19 @@ spec: {{- else if ne .Values.arbiter.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.arbiter.resourcesPreset) | nindent 12 }} {{- end }} - {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumeMounts .Values.tls.enabled }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} - name: config mountPath: /opt/bitnami/mongodb/conf/mongodb.conf @@ -252,12 +266,13 @@ spec: {{- if .Values.arbiter.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} - {{- end }} {{- if .Values.arbiter.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} {{- end }} {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} volumes: + - name: empty-dir + emptyDir: {} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/bitnami/mongodb/templates/backup/cronjob.yaml b/bitnami/mongodb/templates/backup/cronjob.yaml index d419eef3b2..79466e919e 100644 --- a/bitnami/mongodb/templates/backup/cronjob.yaml +++ b/bitnami/mongodb/templates/backup/cronjob.yaml 
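Review bot: The new `empty-dir` volume is declared inside the unchanged `{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}` guard around `volumes:`, while the mounts that reference it (the `/tmp` mount on the init container in the first hunk and the four mounts on the arbiter container) are now emitted unconditionally after the matching guard around `volumeMounts:` was dropped. With default arbiter values none of those conditions hold, so the rendered StatefulSet appears to reference a volume it never declares and the pod template should be rejected at apply time; this assumes the guard is not closed earlier than it looks, which cannot be confirmed since its `{{- end }}` is outside the hunk. The fix is to treat `volumes:` the same way the mounts were treated: remove the `{{- if or ... }}`/`{{- end }}` pair so `volumes:`, `- name: empty-dir` and `emptyDir: {}` always render, and keep conditions only around the individual optional volumes (config, certs, extraVolumes).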
@@ -79,6 +79,9 @@ spec: fieldRef: fieldPath: status.hostIP volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume mountPath: /certs/CAs @@ -139,6 +142,9 @@ spec: - "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz" {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -159,6 +165,8 @@ spec: {{- end }} restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} volumes: + - name: empty-dir + emptyDir: {} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/bitnami/mongodb/templates/hidden/statefulset.yaml b/bitnami/mongodb/templates/hidden/statefulset.yaml index fd99a27ec1..5b2a807d84 100644 --- a/bitnami/mongodb/templates/hidden/statefulset.yaml +++ b/bitnami/mongodb/templates/hidden/statefulset.yaml @@ -111,6 +111,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: datadir mountPath: {{ .Values.hidden.persistence.mountPath }} {{- end }} @@ -145,6 +148,9 @@ spec: mountPath: /certs - name: common-scripts mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir command: - /bitnami/scripts/generate-certs.sh args: @@ -187,6 +193,9 @@ spec: - name: scripts mountPath: /scripts/auto-discovery.sh subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- end }} containers: 
@@ -392,6 +401,18 @@ spec: - name: certs mountPath: /certs {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir {{- if .Values.hidden.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -441,10 +462,16 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: certs mountPath: /certs {{- end }} + - name: empty-dir + mountPath: /opt/bitnami/redis-cluster/tmp + subPath: app-tmp-dir {{- if .Values.metrics.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -486,6 +513,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/bitnami/mongodb/templates/replicaset/statefulset.yaml b/bitnami/mongodb/templates/replicaset/statefulset.yaml index 9cef1cb935..55158e8fb0 100644 --- a/bitnami/mongodb/templates/replicaset/statefulset.yaml +++ b/bitnami/mongodb/templates/replicaset/statefulset.yaml @@ -113,6 +113,9 @@ spec: volumeMounts: - name: datadir mountPath: {{ .Values.persistence.mountPath }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.tls.enabled }} - name: generate-tls-certs @@ -145,6 +148,9 @@ spec: mountPath: /certs - name: common-scripts mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir command: - /bitnami/scripts/generate-certs.sh args: 
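Review bot: The metrics container mount `mountPath: /opt/bitnami/redis-cluster/tmp` in the hidden StatefulSet looks like a copy-paste from another chart: this is the mongodb chart and nothing else in the patch uses `/opt/bitnami/redis-cluster`. The exporter containers in the replicaset and standalone templates of this same patch receive only the `/tmp` mount, so the hidden one should match them; either drop the entry, or if the exporter genuinely needs a writable app tmp directory, point it at `/opt/bitnami/mongodb/tmp` with `subPath: app-tmp-dir`. Left as is, it creates a stray writable directory under a path the image does not use, which muddies the inventory of writable paths that readOnlyRootFilesystem is meant to make explicit.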
@@ -187,6 +193,9 @@ spec: - name: scripts mountPath: /scripts/auto-discovery.sh subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- end }} containers: @@ -363,6 +372,18 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir - name: datadir mountPath: {{ .Values.persistence.mountPath }} subPath: {{ .Values.persistence.subPath }} @@ -442,6 +463,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -487,6 +511,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/bitnami/mongodb/templates/standalone/dep-sts.yaml b/bitnami/mongodb/templates/standalone/dep-sts.yaml index f7a6ef6f91..29dd406bca 100644 --- a/bitnami/mongodb/templates/standalone/dep-sts.yaml +++ b/bitnami/mongodb/templates/standalone/dep-sts.yaml @@ -111,6 +111,9 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: {{ .Values.persistence.name | default "datadir" }} mountPath: {{ .Values.persistence.mountPath }} {{- end }} 
@@ -128,6 +131,9 @@ spec: fieldRef: fieldPath: status.hostIP volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume mountPath: /certs/CAs @@ -303,6 +309,18 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir - name: {{ .Values.persistence.name | default "datadir" }} mountPath: {{ .Values.persistence.mountPath }} subPath: {{ .Values.persistence.subPath }} @@ -370,6 +388,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -415,6 +436,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/bitnami/mongodb/values.yaml b/bitnami/mongodb/values.yaml index c2c1cc30d7..b676c422f6 100644 --- a/bitnami/mongodb/values.yaml +++ b/bitnami/mongodb/values.yaml @@ -120,7 +120,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/mongodb - tag: 7.0.5-debian-12-r4 + tag: 7.0.5-debian-12-r5 digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images 
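Review bot: `/opt/bitnami/mongodb/logs` and `/opt/bitnami/mongodb/tmp` now live on an `emptyDir: {}` with no `sizeLimit`, so a runaway log or temp file is bounded only by the node's ephemeral storage rather than by anything the pod declares. Since the purpose of the change is to make the writable surface explicit, it is worth at least documenting this in the template or values with a comment such as `# empty-dir is unbounded; set emptyDir.sizeLimit if log/tmp growth must be capped per pod`, or exposing a sizeLimit value for operators who need it. The same `emptyDir: {}` declaration is repeated in the arbiter, hidden and replicaset templates and would want the same treatment.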
@@ -561,6 +561,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -572,6 +573,7 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -1191,6 +1193,7 @@ backup: ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -1202,6 +1205,7 @@ backup: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false 
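Review bot: The new `runAsGroup: 0` is added without a comment, and since it is the only security-context field whose value is the root group it deserves one; presumably it is required because the image's directories are group-owned by GID 0 (the goss change to `0644` hints at ownership changes), but that reasoning is not visible here and should be stated, e.g. `## runAsGroup 0 is needed for the group-writable /opt/bitnami paths of the image; the process still runs as non-root UID 1001`. Also, the commit title advertises readOnlyRootFilesystem support, yet the default remains `readOnlyRootFilesystem: false`, so a line next to that parameter telling operators what the support consists of would help: `## /tmp and /opt/bitnami/mongodb/{conf,tmp,logs} are backed by an emptyDir, so this can be set to true`. The same applies to the `backup.cronjob`, `arbiter` and `hidden` sections below.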
@@ -1589,6 +1593,7 @@ arbiter: ## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context ## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged ## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -1600,6 +1605,7 @@ arbiter: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false @@ -1930,6 +1936,7 @@ hidden: ## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context ## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged ## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -1941,6 +1948,7 @@ hidden: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false