Mirror of https://github.com/bitnami/charts.git (synced 2026-02-11 04:37:23 +08:00)
[bitnami/consul] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23785)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
committed by GitHub
parent 6de23ae57b
commit 9c3b76207c
@@ -32,4 +32,4 @@ maintainers:
name: consul
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/consul
version: 10.19.1
version: 10.20.0

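Review bot: a minor bump (10.19.1 to 10.20.0) is the right level for a new opt-in security parameter, but note that the `empty-dir` volume and its mounts in the statefulset hunks of this commit are added unconditionally, not only when `readOnlyRootFilesystem` is `true`, so every upgrade changes the pod template and rolls the StatefulSet even for users who never touch the new flag; that deserves a line in the release notes.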
@@ -143,9 +143,10 @@ helm delete --purge my-release
| `containerSecurityContext.enabled` | Enabled Consul containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set Consul containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set Consul containers' Security Context runAsGroup | `0` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set Consul containers' Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.capabilities.drop` | Set containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set containers' repo server Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.runAsNonRoot` | Set Consul containers' Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |

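Review bot: the `capabilities.drop` and `readOnlyRootFilesystem` rows still carry leftover wording: `Set containers' repo server Security Context capabilities to be dropped` and `Set containers' repo server Security Context readOnlyRootFilesystem` refer to a "repo server" that does not exist in this chart (the text being replaced said "Argo CD", so this is a copy-paste origin, and only the product name was removed). Match the neighbouring rows, e.g. `Set Consul containers' Security Context capabilities to be dropped` and `Set Consul containers' Security Context readOnlyRootFilesystem`. Since these rows come from the `@param` annotations in values.yaml, the fix belongs there and this table should be regenerated.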
@@ -249,34 +250,40 @@ helm delete --purge my-release

### Metrics parameters

| Name | Description | Value |
| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
| `metrics.image.registry` | HashiCorp Consul Prometheus Exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | HashiCorp Consul Prometheus Exporter image repository | `REPOSITORY_NAME/consul-exporter` |
| `metrics.image.digest` | HashiCorp Consul Prometheus Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | HashiCorp Consul Prometheus Exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | HashiCorp Consul Prometheus Exporter image pull secrets | `[]` |
| `metrics.containerSecurityContext.enabled` | HashiCorp Consul Prometheus Exporter securityContext | `true` |
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `metrics.containerSecurityContext.runAsUser` | User ID for the HashiCorp Consul Prometheus Exporter | `1001` |
| `metrics.containerSecurityContext.runAsNonRoot` | Force the container to be run as non root | `true` |
| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
| `metrics.service.loadBalancerIP` | Service Load Balancer IP | `""` |
| `metrics.service.annotations` | Provide any additional annotations which may be required. | `{}` |
| `metrics.podAnnotations` | Metrics exporter pod Annotation and Labels | `{}` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator, set to true to create a Service Monitor Entry | `false` |
| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Metrics relabelings to add to the scrape endpoint | `[]` |
| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` |
| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` |
| Name | Description | Value |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
| `metrics.image.registry` | HashiCorp Consul Prometheus Exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | HashiCorp Consul Prometheus Exporter image repository | `REPOSITORY_NAME/consul-exporter` |
| `metrics.image.digest` | HashiCorp Consul Prometheus Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | HashiCorp Consul Prometheus Exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | HashiCorp Consul Prometheus Exporter image pull secrets | `[]` |
| `metrics.containerSecurityContext.enabled` | Enabled Consul containers' Security Context | `true` |
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `metrics.containerSecurityContext.runAsUser` | Set Consul containers' Security Context runAsUser | `1001` |
| `metrics.containerSecurityContext.runAsGroup` | Set Consul containers' Security Context runAsGroup | `0` |
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Consul containers' Security Context allowPrivilegeEscalation | `false` |
| `metrics.containerSecurityContext.capabilities.drop` | Set containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set containers' repo server Security Context readOnlyRootFilesystem | `false` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set Consul containers' Security Context runAsNonRoot | `true` |
| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
| `metrics.service.loadBalancerIP` | Service Load Balancer IP | `""` |
| `metrics.service.annotations` | Provide any additional annotations which may be required. | `{}` |
| `metrics.podAnnotations` | Metrics exporter pod Annotation and Labels | `{}` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator, set to true to create a Service Monitor Entry | `false` |
| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Metrics relabelings to add to the scrape endpoint | `[]` |
| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` |
| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

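Review bot: the rewritten metrics rows replace exporter-specific descriptions (`HashiCorp Consul Prometheus Exporter securityContext`, `User ID for the HashiCorp Consul Prometheus Exporter`, `Force the container to be run as non root`) with text copied from the Consul container (`Enabled Consul containers' Security Context`, `Set Consul containers' Security Context runAsUser`, and so on), which now misstates which container the `metrics.containerSecurityContext.*` keys govern; the `repo server` phrase also reappears in the `capabilities.drop` and `readOnlyRootFilesystem` rows. Suggest `Set Prometheus exporter container's Security Context ...` throughout. The wider columns are cosmetic, and the new key set (runAsGroup, allowPrivilegeEscalation, capabilities.drop, readOnlyRootFilesystem, privileged, seccompProfile.type) correctly mirrors the Consul container's.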
@@ -95,6 +95,9 @@ spec:
volumeMounts:
- name: data
mountPath: /bitnami/consul
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}

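Review bot: the init container's `/tmp` is mounted from the shared `empty-dir` volume with `subPath: tmp-dir`, the same subPath the Consul container mounts at `/tmp` in the later hunk, so anything the init container leaves in `/tmp` is visible in, and writable from, the Consul container's `/tmp` for the life of the pod. If that carry-over is not intended, give the init container its own subPath (for example `init-tmp-dir`) so the two `/tmp` directories are isolated from each other.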
@@ -252,6 +255,18 @@ spec:
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/consul/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/consul/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/consul/logs
subPath: app-logs-dir
{{- if .Values.tlsEncryptionSecretName }}
- name: consul-tls-certs
mountPath: "/opt/bitnami/consul/certificates/"

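Review bot: the `empty-dir` mount at `/opt/bitnami/consul/conf` (subPath `app-conf-dir`) shadows whatever the image ships in that directory, and it is mounted unconditionally rather than only when `containerSecurityContext.readOnlyRootFilesystem` is `true`, so the container's startup logic must regenerate the configuration there on every boot; the `consul-config` ConfigMap volume is declared in the next hunk, but its mountPath is not part of this diff, so that cannot be confirmed from here. Please verify that a fresh install and an upgrade both produce a valid `/opt/bitnami/consul/conf` with the flag at its default `false` and with it set to `true`. The `/tmp`, `/opt/bitnami/consul/tmp` and `/opt/bitnami/consul/logs` mounts are the expected writable set for a read-only root; any other runtime write path will only surface once the flag is flipped, so a CI run with `containerSecurityContext.readOnlyRootFilesystem=true` would catch it.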
@@ -314,6 +329,8 @@ spec:
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: consul-config
configMap:

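Review bot: `emptyDir: {}` sets no `sizeLimit`, and one of its subPaths is `/opt/bitnami/consul/logs` (previous hunk), so a log burst is charged to the node's ephemeral storage with no cap until the kubelet evicts the pod. Consider `emptyDir: { sizeLimit: ... }` exposed as a chart value, or keep logging on stdout/stderr so the directory stays small. Using subPaths on a single emptyDir is otherwise fine: one volume, four directories.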
@@ -73,7 +73,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/consul
tag: 1.17.3-debian-12-r2
tag: 1.17.3-debian-12-r4
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'

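Review bot: the image tag moves from `1.17.3-debian-12-r2` to `1.17.3-debian-12-r4` in the same commit as the security context change, and the commit message (`Add readOnlyRootFilesystem support`) does not mention it; if the new image revision is what makes `/opt/bitnami/consul/conf`, `tmp` and `logs` safe to relocate onto the emptyDir, say so in the message, otherwise keep the image bump in its own commit. `digest: ""` is unchanged, so the reference stays tag-based and mutable; pinning by digest remains the operator's job.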
@@ -289,9 +289,10 @@ podSecurityContext:
## @param containerSecurityContext.enabled Enabled Consul containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set Consul containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set Consul containers' Security Context runAsGroup
## @param containerSecurityContext.allowPrivilegeEscalation Set Consul containers' Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped
## @param containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem
## @param containerSecurityContext.capabilities.drop Set containers' repo server Security Context capabilities to be dropped
## @param containerSecurityContext.readOnlyRootFilesystem Set containers' repo server Security Context readOnlyRootFilesystem
## @param containerSecurityContext.runAsNonRoot Set Consul containers' Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile

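Review bot: these two `@param` annotations are what the README table is generated from, so the wording fix belongs here: `Set containers' repo server Security Context capabilities to be dropped` and `Set containers' repo server Security Context readOnlyRootFilesystem` should read `Set Consul containers' Security Context capabilities to be dropped` and `Set Consul containers' Security Context readOnlyRootFilesystem`, the form every other line in this block already uses; then regenerate the README.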
@@ -300,6 +301,7 @@ containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false

@@ -769,16 +771,30 @@ metrics:
pullSecrets: []
## Container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param metrics.containerSecurityContext.enabled HashiCorp Consul Prometheus Exporter securityContext
## @param metrics.containerSecurityContext.enabled Enabled Consul containers' Security Context
## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param metrics.containerSecurityContext.runAsUser User ID for the HashiCorp Consul Prometheus Exporter
## @param metrics.containerSecurityContext.runAsNonRoot Force the container to be run as non root
## @param metrics.containerSecurityContext.runAsUser Set Consul containers' Security Context runAsUser
## @param metrics.containerSecurityContext.runAsGroup Set Consul containers' Security Context runAsGroup
## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set Consul containers' Security Context allowPrivilegeEscalation
## @param metrics.containerSecurityContext.capabilities.drop Set containers' repo server Security Context capabilities to be dropped
## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set containers' repo server Security Context readOnlyRootFilesystem
## @param metrics.containerSecurityContext.runAsNonRoot Set Consul containers' Security Context runAsNonRoot
## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
## Consul Prometheus exporter service type
##
service:

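Review bot: `metrics.containerSecurityContext.readOnlyRootFilesystem` defaults to `false` for the exporter sidecar, yet the statefulset hunks in this commit add `empty-dir` mounts only to the init container and the Consul container. Either the exporter needs no writable path, in which case `true` is the safe default and matches the intent of the `capabilities.drop: ["ALL"]` and `seccompProfile.type: "RuntimeDefault"` added here, or it needs a `/tmp` mount like the others; as committed, flipping the flag for the exporter is untested by the chart. Separately, the new `@param` descriptions copy the Consul container text (`Enabled Consul containers' Security Context`, `Set Consul containers' Security Context runAsUser`) plus the `repo server` phrase, replacing the more accurate exporter-specific lines being removed (`HashiCorp Consul Prometheus Exporter securityContext`, `User ID for the HashiCorp Consul Prometheus Exporter`); keep the exporter wording. `runAsGroup: 0` alongside `runAsNonRoot: true` is consistent with the Consul container block.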