[bitnami/mariadb-galera] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23596)
* [bitnami/mariadb-galera] feat: ✨ 🔒 Add readOnlyRootFilesystem support Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 Bump image tag Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * test: ✅ Change permissions of mariadb my.cnf file Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
committed by
GitHub
parent
b03da4d3d3
commit
7ab0f6a2bc
@@ -11,7 +11,7 @@ file:
|
||||
filetype: directory
|
||||
exists: true
|
||||
/opt/bitnami/mariadb/conf/my.cnf:
|
||||
mode: "0664"
|
||||
mode: "0644"
|
||||
filetype: file
|
||||
exists: true
|
||||
contents:
|
||||
|
||||
@@ -150,6 +150,7 @@ The following diagram shows you the options you have for using Bitnami's MariaDB
|
||||
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
@@ -266,6 +267,7 @@ The following diagram shows you the options you have for using Bitnami's MariaDB
|
||||
| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
||||
@@ -63,9 +63,7 @@ spec:
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext:
|
||||
fsGroup: {{ .Values.podSecurityContext.fsGroup }}
|
||||
runAsUser: {{ .Values.podSecurityContext.runAsUser }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.initContainers }}
|
||||
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
|
||||
@@ -353,6 +351,14 @@ spec:
|
||||
- name: mariadb-galera-credentials
|
||||
mountPath: /opt/bitnami/mariadb/secrets/
|
||||
{{- end }}
|
||||
- name: tmp-dir
|
||||
mountPath: /tmp
|
||||
- name: app-conf-dir
|
||||
mountPath: /opt/bitnami/mariadb/conf
|
||||
- name: app-tmp-dir
|
||||
mountPath: /opt/bitnami/mariadb/tmp
|
||||
- name: app-logs-dir
|
||||
mountPath: /opt/bitnami/mariadb/logs
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
|
||||
{{- end }}
|
||||
@@ -416,11 +422,13 @@ spec:
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.usePasswordFiles (not .Values.customPasswordFiles) }}
|
||||
volumeMounts:
|
||||
{{- if and .Values.usePasswordFiles (not .Values.customPasswordFiles) }}
|
||||
- name: mariadb-galera-credentials
|
||||
mountPath: /opt/bitnami/mysqld-exporter/secrets/
|
||||
{{- end }}
|
||||
- name: tmp-dir
|
||||
mountPath: /tmp
|
||||
{{- end }}
|
||||
{{- if .Values.sidecars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
@@ -456,6 +464,14 @@ spec:
|
||||
configMap:
|
||||
name: {{ template "mariadb-galera.initdbScriptsCM" . }}
|
||||
{{- end }}
|
||||
- name: app-conf-dir
|
||||
emptyDir: {}
|
||||
- name: app-tmp-dir
|
||||
emptyDir: {}
|
||||
- name: app-logs-dir
|
||||
emptyDir: {}
|
||||
- name: tmp-dir
|
||||
emptyDir: {}
|
||||
{{- if .Values.extraVolumes }}
|
||||
{{- toYaml .Values.extraVolumes | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
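Review bot: The four `emptyDir: {}` volumes added in the last hunk (`app-conf-dir`, `app-tmp-dir`, `app-logs-dir`, `tmp-dir`) carry no `sizeLimit`, so with a read-only root filesystem all MariaDB log and temp writes go to node ephemeral storage with no per-volume cap. A bounded form such as `emptyDir:` with `sizeLimit: <size>` (placeholder value), or an `ephemeral-storage` limit in the container resources, would keep a runaway log from putting disk pressure on the node. Also worth stating in the chart docs: `/opt/bitnami/mariadb/conf` stays writable through `app-conf-dir`, so enabling `readOnlyRootFilesystem` does not protect `my.cnf` from modification by the running process. The enclosing StatefulSet spec starts and ends outside these hunks, and the line that applies `readOnlyRootFilesystem` to the containers is not visible here.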
@@ -77,7 +77,7 @@ diagnosticMode:
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/mariadb-galera
|
||||
tag: 11.2.3-debian-11-r1
|
||||
tag: 11.2.3-debian-11-r16
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
@@ -289,6 +289,7 @@ podSecurityContext:
|
||||
## @param containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -299,6 +300,7 @@ containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -914,6 +916,7 @@ metrics:
|
||||
## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -924,6 +927,7 @@ metrics:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
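Review bot: The new `readOnlyRootFilesystem: false` defaults under `containerSecurityContext` and `metrics.containerSecurityContext` leave the hardening off, and the `@param` text only repeats the field name, so an operator cannot tell from the values file that the chart now supplies the writable paths needed to enable it. I would extend the description, e.g. `## @param containerSecurityContext.readOnlyRootFilesystem Mount the container root filesystem read-only (writable paths are provided by emptyDir volumes)`, with the same wording for the metrics entry. If the image at the bumped tag is verified to run read-only, defaulting to `true` would be worth considering; that cannot be confirmed from the lines shown.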