diff --git a/bitnami/consul/Chart.yaml b/bitnami/consul/Chart.yaml
index 76f14ba460..3063f9ad3d 100644
--- a/bitnami/consul/Chart.yaml
+++ b/bitnami/consul/Chart.yaml
@@ -32,4 +32,4 @@ maintainers:
 name: consul
 sources:
   - https://github.com/bitnami/charts/tree/main/bitnami/consul
-version: 10.19.1
+version: 10.20.0
diff --git a/bitnami/consul/README.md b/bitnami/consul/README.md
index df878c9527..2bab7dca58 100644
--- a/bitnami/consul/README.md
+++ b/bitnami/consul/README.md
@@ -143,9 +143,10 @@ helm delete --purge my-release
 | `containerSecurityContext.enabled` | Enabled Consul containers' Security Context | `true` |
 | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `containerSecurityContext.runAsUser` | Set Consul containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set Consul containers' Security Context runAsGroup | `0` |
 | `containerSecurityContext.allowPrivilegeEscalation` | Set Consul containers' Security Context allowPrivilegeEscalation | `false` |
-| `containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
-| `containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` |
+| `containerSecurityContext.capabilities.drop` | Set containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set containers' repo server Security Context readOnlyRootFilesystem | `false` |
 | `containerSecurityContext.runAsNonRoot` | Set Consul containers' Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -249,34 +250,40 @@ helm delete --purge my-release
 ### Metrics parameters
-| Name | Description | Value |
-| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
-| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
-| `metrics.image.registry` | HashiCorp Consul Prometheus Exporter image registry | `REGISTRY_NAME` |
-| `metrics.image.repository` | HashiCorp Consul Prometheus Exporter image repository | `REPOSITORY_NAME/consul-exporter` |
-| `metrics.image.digest` | HashiCorp Consul Prometheus Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `metrics.image.pullPolicy` | HashiCorp Consul Prometheus Exporter image pull policy | `IfNotPresent` |
-| `metrics.image.pullSecrets` | HashiCorp Consul Prometheus Exporter image pull secrets | `[]` |
-| `metrics.containerSecurityContext.enabled` | HashiCorp Consul Prometheus Exporter securityContext | `true` |
-| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `metrics.containerSecurityContext.runAsUser` | User ID for the HashiCorp Consul Prometheus Exporter | `1001` |
-| `metrics.containerSecurityContext.runAsNonRoot` | Force the container to be run as non root | `true` |
-| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
-| `metrics.service.loadBalancerIP` | Service Load Balancer IP | `""` |
-| `metrics.service.annotations` | Provide any additional annotations which may be required. | `{}` |
-| `metrics.podAnnotations` | Metrics exporter pod Annotation and Labels | `{}` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
-| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator, set to true to create a Service Monitor Entry | `false` |
-| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
-| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
-| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.serviceMonitor.metricRelabelings` | Metrics relabelings to add to the scrape endpoint | `[]` |
-| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
-| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
-| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` |
-| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` |
+| Name | Description | Value |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
+| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
+| `metrics.image.registry` | HashiCorp Consul Prometheus Exporter image registry | `REGISTRY_NAME` |
+| `metrics.image.repository` | HashiCorp Consul Prometheus Exporter image repository | `REPOSITORY_NAME/consul-exporter` |
+| `metrics.image.digest` | HashiCorp Consul Prometheus Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | HashiCorp Consul Prometheus Exporter image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | HashiCorp Consul Prometheus Exporter image pull secrets | `[]` |
+| `metrics.containerSecurityContext.enabled` | Enabled Consul containers' Security Context | `true` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `metrics.containerSecurityContext.runAsUser` | Set Consul containers' Security Context runAsUser | `1001` |
+| `metrics.containerSecurityContext.runAsGroup` | Set Consul containers' Security Context runAsGroup | `0` |
+| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Consul containers' Security Context allowPrivilegeEscalation | `false` |
+| `metrics.containerSecurityContext.capabilities.drop` | Set containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set containers' repo server Security Context readOnlyRootFilesystem | `false` |
+| `metrics.containerSecurityContext.runAsNonRoot` | Set Consul containers' Security Context runAsNonRoot | `true` |
+| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
+| `metrics.service.loadBalancerIP` | Service Load Balancer IP | `""` |
+| `metrics.service.annotations` | Provide any additional annotations which may be required. | `{}` |
+| `metrics.podAnnotations` | Metrics exporter pod Annotation and Labels | `{}` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator, set to true to create a Service Monitor Entry | `false` |
+| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
+| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
+| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.metricRelabelings` | Metrics relabelings to add to the scrape endpoint | `[]` |
+| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
+| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
+| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` |
+| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/bitnami/consul/templates/statefulset.yaml b/bitnami/consul/templates/statefulset.yaml
index 24c845c7da..9ada1baae1 100644
--- a/bitnami/consul/templates/statefulset.yaml
+++ b/bitnami/consul/templates/statefulset.yaml
@@ -95,6 +95,9 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /bitnami/consul
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
         {{- end }}
         {{- if .Values.initContainers }}
         {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
@@ -252,6 +255,18 @@ spec:
           {{- end }}
           {{- end }}
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/consul/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/consul/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/consul/logs
+              subPath: app-logs-dir
           {{- if .Values.tlsEncryptionSecretName }}
             - name: consul-tls-certs
               mountPath: "/opt/bitnami/consul/certificates/"
@@ -314,6 +329,8 @@ spec:
         {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
         {{- end }}
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         {{- if or .Values.configuration .Values.existingConfigmap }}
         - name: consul-config
           configMap:
diff --git a/bitnami/consul/values.yaml b/bitnami/consul/values.yaml
index bfee9b7746..a138c3a3e4 100644
--- a/bitnami/consul/values.yaml
+++ b/bitnami/consul/values.yaml
@@ -73,7 +73,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/consul
-  tag: 1.17.3-debian-12-r2
+  tag: 1.17.3-debian-12-r4
   digest: ""
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
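Review bot: The four `empty-dir` mounts added to the Consul container's `volumeMounts` (`/tmp`, `/opt/bitnami/consul/conf`, `/opt/bitnami/consul/tmp`, `/opt/bitnami/consul/logs`) are exactly what a read-only root filesystem needs, yet `containerSecurityContext.readOnlyRootFilesystem` keeps its `false` default in values.yaml, so the hardening these mounts enable is never switched on. If they cover every path the entrypoint writes outside the `data` volume, the default should flip to `true` in the same change; if some path is still missing, a comment on the `readOnlyRootFilesystem` param saying which one would stop the next reader from assuming the mounts are sufficient. Overlaying `/opt/bitnami/consul/conf` with an emptyDir also hides anything the image ships in that directory — presumably the entrypoint regenerates the configuration there from the `consul-config` ConfigMap, but that is an assumption worth confirming against the image before relying on it. The container spec this hunk sits in starts and ends outside the hunk.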
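Review bot: The new `empty-dir` volume under `volumes:` is declared as `emptyDir: {}` with no `sizeLimit`, and through its subPaths it now backs `/opt/bitnami/consul/logs` and two tmp directories, so anything written there consumes node ephemeral storage without a ceiling. Consul normally logs to stdout, so the logs directory may stay empty, but a bounded volume is the safer default for a StatefulSet; consider `emptyDir: {sizeLimit: <LIMIT_PLACEHOLDER>}` exposed as a value, or at least a comment on the volume stating that growth is unbounded by design. The `volumes:` list continues outside the hunk.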
@@ -289,9 +289,10 @@ podSecurityContext:
 ## @param containerSecurityContext.enabled Enabled Consul containers' Security Context
 ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set Consul containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set Consul containers' Security Context runAsGroup
 ## @param containerSecurityContext.allowPrivilegeEscalation Set Consul containers' Security Context allowPrivilegeEscalation
-## @param containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped
-## @param containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem
+## @param containerSecurityContext.capabilities.drop Set containers' repo server Security Context capabilities to be dropped
+## @param containerSecurityContext.readOnlyRootFilesystem Set containers' repo server Security Context readOnlyRootFilesystem
 ## @param containerSecurityContext.runAsNonRoot Set Consul containers' Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
@@ -300,6 +301,7 @@ containerSecurityContext:
   enabled: true
   seLinuxOptions: null
   runAsUser: 1001
+  runAsGroup: 0
   runAsNonRoot: true
   privileged: false
   allowPrivilegeEscalation: false
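Review bot: The rewritten `@param` lines for `containerSecurityContext.capabilities.drop` and `containerSecurityContext.readOnlyRootFilesystem` still say "containers' repo server" — dropping "Argo CD" removed only half of the copy-paste, and Consul has no repo server. Suggest `## @param containerSecurityContext.capabilities.drop Set Consul containers' Security Context capabilities to be dropped` and `## @param containerSecurityContext.readOnlyRootFilesystem Set Consul containers' Security Context readOnlyRootFilesystem`, matching the neighbouring lines; the same wording is introduced for `metrics.containerSecurityContext` further down in this file and lands in both README tables, which are regenerated from these annotations. Separately, the `runAsGroup: 0` default added in the next hunk puts the process in the root group, and `runAsNonRoot: true` only constrains the UID; that is typically intentional for Bitnami images, whose files are group-owned by GID 0 so an arbitrary non-root UID can run them, but nothing here says so. A short note on the `runAsGroup` param explaining why `0` is the intended default would stop a reader from "fixing" it to `1001` and breaking file access.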
@@ -769,16 +771,30 @@ metrics:
     pullSecrets: []
   ## Container security context
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-  ## @param metrics.containerSecurityContext.enabled HashiCorp Consul Prometheus Exporter securityContext
+  ## @param metrics.containerSecurityContext.enabled Enabled Consul containers' Security Context
   ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
-  ## @param metrics.containerSecurityContext.runAsUser User ID for the HashiCorp Consul Prometheus Exporter
-  ## @param metrics.containerSecurityContext.runAsNonRoot Force the container to be run as non root
+  ## @param metrics.containerSecurityContext.runAsUser Set Consul containers' Security Context runAsUser
+  ## @param metrics.containerSecurityContext.runAsGroup Set Consul containers' Security Context runAsGroup
+  ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set Consul containers' Security Context allowPrivilegeEscalation
+  ## @param metrics.containerSecurityContext.capabilities.drop Set containers' repo server Security Context capabilities to be dropped
+  ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set containers' repo server Security Context readOnlyRootFilesystem
+  ## @param metrics.containerSecurityContext.runAsNonRoot Set Consul containers' Security Context runAsNonRoot
+  ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
+  ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
   ##
   containerSecurityContext:
     enabled: true
     seLinuxOptions: null
     runAsUser: 1001
+    runAsGroup: 0
     runAsNonRoot: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: false
   ## Consul Prometheus exporter service type
   ##
   service:
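Review bot: The new descriptions for the exporter's security context say "Consul containers'" (e.g. `## @param metrics.containerSecurityContext.enabled Enabled Consul containers' Security Context`), replacing text that correctly named the HashiCorp Consul Prometheus Exporter, so the generated README now attributes these settings to the wrong container. Keep the component in each line, e.g. `## @param metrics.containerSecurityContext.runAsUser Set Consul Prometheus Exporter containers' Security Context runAsUser`, and likewise for the other new `@param` lines in this block. On the values themselves, the exporter gets `readOnlyRootFilesystem: false` even though the statefulset hunks in this diff add writable emptyDir mounts only to the Consul and init containers, not to the exporter; if the exporter binary writes nothing at runtime, `true` is the safer default here, which is worth verifying before leaving it off. The `metrics:` block continues outside the hunk.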