Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-04-07 09:47:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/argo-cd] feat!: 🔒 💥 Improve security defaults (#24557)

Browse Source 
* [bitnami/argo-cd] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* test:  Add HOME to cli call

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test:  Bump timeout

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test:  Bump timeout

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test:  Make sure that resources are loaded

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-20 18:14:16 +01:00
committed by GitHub
parent d76c37bb4a
commit 9dd62d4d99
6 changed files with 95 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.vib/argo-cd/cypress/cypress/e2e/argo_cd.cy.js
View File

@@ -55,13 +55,16 @@ it('allows deploying a healthy app for a new project', () => {
cy.get('[qe-id="applications-list-button-create"]').click();
cy.get('.applications-list').within(() => {
cy.contains(`${applications.newApplication.name}-${random}`).click();
cy.contains(`${applications.newApplication.name}-${random}`, {timeout: 60000}).click();
});
});
// Ensure that UI shows the basic K8s objects
cy.contains('svc');
cy.contains('deploy');
cy.get('i[class*="fa-sync"]').click();
cy.get('[qe-id="application-sync-panel-button-synchronize"]').click();
cy.contains('Succeeded a few seconds ago', {timeout: 120000});
cy.get('[class*="application-details__status-panel"]').within(() => {
cy.get('[title="Healthy"]', {timeout: 60000});
cy.get('[title="Healthy"]', {timeout: 120000});
});
});

2
.vib/argo-cd/goss/goss.yaml
View File

@@ -24,7 +24,7 @@ file:
command:
{{- $password := .Vars.config.secret.argocdServerAdminPassword }}
check-argocd-cli:
exec: argocd login argo-cd-server --insecure --username admin --password {{ $password }}
exec: HOME=/tmp argocd login argo-cd-server --insecure --username admin --password {{ $password }}
exit-status: 0
{{- if .Vars.server.containerSecurityContext.enabled }}
check-no-capabilities:

6
bitnami/argo-cd/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.19.2
version: 19.0.0
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.19.0
digest: sha256:ff1e1b55a7c191f1cb2d2b6519ae7fcb7b66e0274cd574357aaf6de4c518d937
generated: "2024-03-13T10:27:07.636777+01:00"
digest: sha256:a329b6c39ad6e04448048b09637d7561cef6497f79e4acc53bb4147c3c98b5b8
generated: "2024-03-19T17:41:41.426836286+01:00"

4
bitnami/argo-cd/Chart.yaml
View File

@@ -19,7 +19,7 @@ dependencies:
- condition: redis.enabled
name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.x.x
version: 19.x.x
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
@@ -39,4 +39,4 @@ maintainers:
name: argo-cd
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/argo-cd
version: 5.10.6
version: 6.0.0

89
bitnami/argo-cd/README.md
View File

@@ -237,12 +237,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
@@ -293,7 +293,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `controller.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `controller.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `controller.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `nano` |
| `controller.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `controller.podSecurityContext.enabled` | Enabled Argo CD pods' Security Context | `true` |
| `controller.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -301,12 +301,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `controller.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `controller.podSecurityContext.fsGroup` | Set Argo CD pod's Security Context fsGroup | `1001` |
| `controller.containerSecurityContext.enabled` | Enabled Argo CD containers' Security Context | `true` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `controller.containerSecurityContext.runAsUser` | Set Argo CD containers' Security Context runAsUser | `1001` |
| `controller.containerSecurityContext.runAsGroup` | Set Argo CD containers' Security Context runAsGroup | `0` |
| `controller.containerSecurityContext.runAsGroup` | Set Argo CD containers' Security Context runAsGroup | `1001` |
| `controller.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD containers' Security Context allowPrivilegeEscalation | `false` |
| `controller.containerSecurityContext.capabilities.drop` | Set Argo CD containers' Security Context capabilities to be dropped | `["ALL"]` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' Security Context readOnlyRootFilesystem | `false` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' Security Context readOnlyRootFilesystem | `true` |
| `controller.containerSecurityContext.runAsNonRoot` | Set Argo CD container's Security Context runAsNonRoot | `true` |
| `controller.containerSecurityContext.privileged` | Set controller container's Security Context privileged | `false` |
| `controller.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -467,12 +467,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `applicationSet.podAnnotations` | Annotations for Argo CD applicationSet controller pods | `{}` |
| `applicationSet.podLabels` | Extra labels for Argo CD applicationSet controller pods | `{}` |
| `applicationSet.containerSecurityContext.enabled` | Enabled Argo CD applicationSet controller containers' Security Context | `true` |
| `applicationSet.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `applicationSet.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `applicationSet.containerSecurityContext.runAsUser` | Set Argo CD applicationSet controller containers' Security Context runAsUser | `1001` |
| `applicationSet.containerSecurityContext.runAsGroup` | Set Argo CD applicationSet controller containers' Security Context runAsGroup | `0` |
| `applicationSet.containerSecurityContext.runAsGroup` | Set Argo CD applicationSet controller containers' Security Context runAsGroup | `1001` |
| `applicationSet.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD applicationSet controller containers' Security Context allowPrivilegeEscalation | `false` |
| `applicationSet.containerSecurityContext.capabilities.drop` | Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped | `["ALL"]` |
| `applicationSet.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem | `false` |
| `applicationSet.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem | `true` |
| `applicationSet.containerSecurityContext.runAsNonRoot` | Set Argo CD applicationSet controller container's Security Context runAsNonRoot | `true` |
| `applicationSet.containerSecurityContext.privileged` | Set applicationSet container's Security Context privileged | `false` |
| `applicationSet.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -490,7 +490,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `applicationSet.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `applicationSet.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `applicationSet.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `applicationSet.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production). | `none` |
| `applicationSet.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production). | `nano` |
| `applicationSet.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `applicationSet.podSecurityContext.enabled` | Enabled Argo CD applicationSet controller pods' Security Context | `true` |
| `applicationSet.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -581,16 +581,16 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `notifications.podAnnotations` | Annotations for Argo CD notifications controller pods | `{}` |
| `notifications.podLabels` | Extra labels for Argo CD notifications controller pods | `{}` |
| `notifications.containerSecurityContext.enabled` | Enabled Argo CD notifications controller containers' Security Context | `true` |
| `notifications.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `notifications.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `notifications.containerSecurityContext.runAsUser` | Set Argo CD notifications controller containers' Security Context runAsUser | `1001` |
| `notifications.containerSecurityContext.runAsGroup` | Set Argo CD notifications controller containers' Security Context runAsGroup | `0` |
| `notifications.containerSecurityContext.runAsGroup` | Set Argo CD notifications controller containers' Security Context runAsGroup | `1001` |
| `notifications.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation | `false` |
| `notifications.containerSecurityContext.capabilities.drop` | Set Argo CD notifications controller containers' Security Context capabilities to be dropped | `["ALL"]` |
| `notifications.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem | `false` |
| `notifications.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem | `true` |
| `notifications.containerSecurityContext.runAsNonRoot` | Set Argo CD notifications controller container's Security Context runAsNonRoot | `true` |
| `notifications.containerSecurityContext.privileged` | Set notifications container's Security Context privileged | `false` |
| `notifications.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `notifications.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production). | `none` |
| `notifications.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production). | `nano` |
| `notifications.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `notifications.podSecurityContext.enabled` | Enabled Argo CD notifications controller pods' Security Context | `true` |
| `notifications.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -695,16 +695,16 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `notifications.bots.slack.podAnnotations` | Annotations for Argo CD Slack bot pods | `{}` |
| `notifications.bots.slack.podLabels` | Extra labels for Argo CD Slack bot pods | `{}` |
| `notifications.bots.slack.containerSecurityContext.enabled` | Enabled Argo CD Slack bot containers' Security Context | `true` |
| `notifications.bots.slack.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `notifications.bots.slack.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `notifications.bots.slack.containerSecurityContext.runAsUser` | Set Argo CD Slack bot containers' Security Context runAsUser | `1001` |
| `notifications.bots.slack.containerSecurityContext.runAsGroup` | Set Argo CD Slack bot containers' Security Context runAsGroup | `0` |
| `notifications.bots.slack.containerSecurityContext.runAsGroup` | Set Argo CD Slack bot containers' Security Context runAsGroup | `1001` |
| `notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation | `false` |
| `notifications.bots.slack.containerSecurityContext.capabilities.drop` | Set Argo CD Slack bot containers' Security Context capabilities to be dropped | `["ALL"]` |
| `notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem | `false` |
| `notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem | `true` |
| `notifications.bots.slack.containerSecurityContext.runAsNonRoot` | Set Argo CD Slack bot container's Security Context runAsNonRoot | `true` |
| `notifications.bots.slack.containerSecurityContext.privileged` | Set notifications container's Security Context privileged | `false` |
| `notifications.bots.slack.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `notifications.bots.slack.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production). | `none` |
| `notifications.bots.slack.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production). | `nano` |
| `notifications.bots.slack.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `notifications.bots.slack.podSecurityContext.enabled` | Enabled Argo CD Slack bot pods' Security Context | `true` |
| `notifications.bots.slack.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -746,7 +746,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `server.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `server.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `server.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `none` |
| `server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `nano` |
| `server.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `server.podSecurityContext.enabled` | Enabled Argo CD server pods' Security Context | `true` |
| `server.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -754,12 +754,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `server.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `server.podSecurityContext.fsGroup` | Set Argo CD server pod's Security Context fsGroup | `1001` |
| `server.containerSecurityContext.enabled` | Enabled Argo CD server containers' Security Context | `true` |
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `server.containerSecurityContext.runAsUser` | Set Argo CD server containers' Security Context runAsUser | `1001` |
| `server.containerSecurityContext.runAsGroup` | Set Argo CD server containers' Security Context runAsGroup | `0` |
| `server.containerSecurityContext.runAsGroup` | Set Argo CD server containers' Security Context runAsGroup | `1001` |
| `server.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD server containers' Security Context allowPrivilegeEscalation | `false` |
| `server.containerSecurityContext.capabilities.drop` | Set Argo CD containers' server Security Context capabilities to be dropped | `["ALL"]` |
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' server Security Context readOnlyRootFilesystem | `false` |
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' server Security Context readOnlyRootFilesystem | `true` |
| `server.containerSecurityContext.runAsNonRoot` | Set Argo CD server containers' Security Context runAsNonRoot | `true` |
| `server.containerSecurityContext.privileged` | Set server container's Security Context privileged | `false` |
| `server.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -906,7 +906,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `repoServer.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `repoServer.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `repoServer.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `repoServer.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production). | `none` |
| `repoServer.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production). | `nano` |
| `repoServer.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `repoServer.podSecurityContext.enabled` | Enabled Argo CD repo server pods' Security Context | `true` |
| `repoServer.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -914,12 +914,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `repoServer.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `repoServer.podSecurityContext.fsGroup` | Set Argo CD repo server pod's Security Context fsGroup | `1001` |
| `repoServer.containerSecurityContext.enabled` | Enabled Argo CD repo server containers' Security Context | `true` |
| `repoServer.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `repoServer.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `repoServer.containerSecurityContext.runAsUser` | Set Argo CD repo server containers' Security Context runAsUser | `1001` |
| `repoServer.containerSecurityContext.runAsGroup` | Set Argo CD repo server containers' Security Context runAsGroup | `0` |
| `repoServer.containerSecurityContext.runAsGroup` | Set Argo CD repo server containers' Security Context runAsGroup | `1001` |
| `repoServer.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation | `false` |
| `repoServer.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `repoServer.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` |
| `repoServer.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `true` |
| `repoServer.containerSecurityContext.runAsNonRoot` | Set Argo CD repo server containers' Security Context runAsNonRoot | `true` |
| `repoServer.containerSecurityContext.privileged` | Set repoServer container's Security Context privileged | `false` |
| `repoServer.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -1038,7 +1038,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `dex.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `dex.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `dex.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `dex.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). | `none` |
| `dex.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). | `nano` |
| `dex.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `dex.podSecurityContext.enabled` | Enabled Dex pods' Security Context | `true` |
| `dex.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -1046,11 +1046,11 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `dex.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `dex.podSecurityContext.fsGroup` | Set Dex pod's Security Context fsGroup | `1001` |
| `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` |
| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` |
| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `0` |
| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `1001` |
| `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` |
| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `false` |
| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `true` |
| `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` |
| `dex.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `dex.containerSecurityContext.privileged` | Set dex container's Security Context privileged | `false` |
@@ -1170,9 +1170,9 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
### Other Parameters
@@ -1200,12 +1200,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
| `redisWait.enabled` | Enables waiting for redis | `true` |
| `redisWait.extraArgs` | Additional arguments for the redis-cli call, such as TLS | `""` |
| `redisWait.containerSecurityContext.enabled` | Enabled Argo CD repo server containers' Security Context | `true` |
| `redisWait.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `redisWait.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `redisWait.containerSecurityContext.runAsUser` | Set Argo CD repo server containers' Security Context runAsUser | `1001` |
| `redisWait.containerSecurityContext.runAsGroup` | Set Argo CD repo server containers' Security Context runAsGroup | `0` |
| `redisWait.containerSecurityContext.runAsGroup` | Set Argo CD repo server containers' Security Context runAsGroup | `1001` |
| `redisWait.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation | `false` |
| `redisWait.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `redisWait.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` |
| `redisWait.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `true` |
| `redisWait.containerSecurityContext.runAsNonRoot` | Set Argo CD repo server containers' Security Context runAsNonRoot | `true` |
| `redisWait.containerSecurityContext.privileged` | Set redisWait container's Security Context privileged | `false` |
| `redisWait.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -1242,6 +1242,17 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 6.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 5.0.0
This major updates the Redis&reg; subchart to its newest major, 18.0.0. [Here](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1800) you can find more information about the changes introduced in that version.

68
bitnami/argo-cd/values.yaml
View File

@@ -26,7 +26,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Override Kubernetes version
@@ -149,7 +149,7 @@ controller:
## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -190,11 +190,11 @@ controller:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -947,11 +947,11 @@ applicationSet:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -997,7 +997,7 @@ applicationSet:
## @param applicationSet.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param applicationSet.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1418,11 +1418,11 @@ notifications:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -1434,7 +1434,7 @@ notifications:
## @param notifications.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param notifications.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1852,11 +1852,11 @@ notifications:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -1868,7 +1868,7 @@ notifications:
## @param notifications.bots.slack.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param notifications.bots.slack.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1990,7 +1990,7 @@ server:
## @param server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -2031,11 +2031,11 @@ server:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -2786,7 +2786,7 @@ repoServer:
## @param repoServer.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param repoServer.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -2827,11 +2827,11 @@ repoServer:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -3320,7 +3320,7 @@ dex:
## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -3361,11 +3361,11 @@ dex:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities:
@@ -3939,7 +3939,7 @@ volumePermissions:
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -3960,7 +3960,7 @@ volumePermissions:
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
##
containerSecurityContext:
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 0
## @section Other Parameters
@@ -4076,11 +4076,11 @@ redisWait:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
capabilities: