From 9dd62d4d995f470ac105578b0084e18f047d4cd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
 <jsalmeron@vmware.com>
Date: Wed, 20 Mar 2024 18:14:16 +0100
Subject: [PATCH] [bitnami/argo-cd] feat!: :lock: :boom: Improve security
 defaults (#24557)

* [bitnami/argo-cd] feat!: :lock: :boom: Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* test: :white_check_mark: Add HOME to cli call

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test: :white_check_mark: Bump timeout

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test: :white_check_mark: Bump timeout

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test: :white_check_mark: Make sure that resources are loaded

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
---
 .../argo-cd/cypress/cypress/e2e/argo_cd.cy.js |  7 +-
 .vib/argo-cd/goss/goss.yaml                   |  2 +-
 bitnami/argo-cd/Chart.lock                    |  6 +-
 bitnami/argo-cd/Chart.yaml                    |  4 +-
 bitnami/argo-cd/README.md                     | 89 +++++++++++--------
 bitnami/argo-cd/values.yaml                   | 68 +++++++-------
 6 files changed, 95 insertions(+), 81 deletions(-)

diff --git a/.vib/argo-cd/cypress/cypress/e2e/argo_cd.cy.js b/.vib/argo-cd/cypress/cypress/e2e/argo_cd.cy.js
index 1c2d3d5599..8a8cac8e2b 100644
--- a/.vib/argo-cd/cypress/cypress/e2e/argo_cd.cy.js
+++ b/.vib/argo-cd/cypress/cypress/e2e/argo_cd.cy.js
@@ -55,13 +55,16 @@ it('allows deploying a healthy app for a new project', () => {
     cy.get('[qe-id="applications-list-button-create"]').click();
 
     cy.get('.applications-list').within(() => {
-      cy.contains(`${applications.newApplication.name}-${random}`).click();
+      cy.contains(`${applications.newApplication.name}-${random}`, {timeout: 60000}).click();
     });
   });
+  // Ensure that UI shows the basic K8s objects
+  cy.contains('svc');
+  cy.contains('deploy');
   cy.get('i[class*="fa-sync"]').click();
   cy.get('[qe-id="application-sync-panel-button-synchronize"]').click();
   cy.contains('Succeeded a few seconds ago', {timeout: 120000});
   cy.get('[class*="application-details__status-panel"]').within(() => {
-    cy.get('[title="Healthy"]', {timeout: 60000});
+    cy.get('[title="Healthy"]', {timeout: 120000});
   });
 });
diff --git a/.vib/argo-cd/goss/goss.yaml b/.vib/argo-cd/goss/goss.yaml
index a1e1962cec..12ccde73bc 100644
--- a/.vib/argo-cd/goss/goss.yaml
+++ b/.vib/argo-cd/goss/goss.yaml
@@ -24,7 +24,7 @@ file:
 command:
   {{- $password := .Vars.config.secret.argocdServerAdminPassword }}
   check-argocd-cli:
-    exec: argocd login argo-cd-server --insecure --username admin --password {{ $password }}
+    exec: HOME=/tmp argocd login argo-cd-server --insecure --username admin --password {{ $password }}
     exit-status: 0
   {{- if .Vars.server.containerSecurityContext.enabled }}
   check-no-capabilities:
diff --git a/bitnami/argo-cd/Chart.lock b/bitnami/argo-cd/Chart.lock
index ff6002ba15..40e8af2742 100644
--- a/bitnami/argo-cd/Chart.lock
+++ b/bitnami/argo-cd/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.19.2
+  version: 19.0.0
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 2.19.0
-digest: sha256:ff1e1b55a7c191f1cb2d2b6519ae7fcb7b66e0274cd574357aaf6de4c518d937
-generated: "2024-03-13T10:27:07.636777+01:00"
+digest: sha256:a329b6c39ad6e04448048b09637d7561cef6497f79e4acc53bb4147c3c98b5b8
+generated: "2024-03-19T17:41:41.426836286+01:00"
diff --git a/bitnami/argo-cd/Chart.yaml b/bitnami/argo-cd/Chart.yaml
index f52466e4ce..0b845ae18c 100644
--- a/bitnami/argo-cd/Chart.yaml
+++ b/bitnami/argo-cd/Chart.yaml
@@ -19,7 +19,7 @@ dependencies:
 - condition: redis.enabled
   name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.x.x
+  version: 19.x.x
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   tags:
@@ -39,4 +39,4 @@ maintainers:
 name: argo-cd
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/argo-cd
-version: 5.10.6
+version: 6.0.0
\ No newline at end of file
diff --git a/bitnami/argo-cd/README.md b/bitnami/argo-cd/README.md
index 184f1ac431..76c5c63e1e 100644
--- a/bitnami/argo-cd/README.md
+++ b/bitnami/argo-cd/README.md
@@ -237,12 +237,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 
 ### Global parameters
 
-| Name                                                  | Description                                                                                                                                                                                                                                                                                                                                                         | Value      |
-| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
-| `global.imageRegistry`                                | Global Docker image registry                                                                                                                                                                                                                                                                                                                                        | `""`       |
-| `global.imagePullSecrets`                             | Global Docker registry secret names as an array                                                                                                                                                                                                                                                                                                                     | `[]`       |
-| `global.storageClass`                                 | Global StorageClass for Persistent Volume(s)                                                                                                                                                                                                                                                                                                                        | `""`       |
-| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
+| Name                                                  | Description                                                                                                                                                                                                                                                                                                                                                         | Value  |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `global.imageRegistry`                                | Global Docker image registry                                                                                                                                                                                                                                                                                                                                        | `""`   |
+| `global.imagePullSecrets`                             | Global Docker registry secret names as an array                                                                                                                                                                                                                                                                                                                     | `[]`   |
+| `global.storageClass`                                 | Global StorageClass for Persistent Volume(s)                                                                                                                                                                                                                                                                                                                        | `""`   |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
 
 ### Common parameters
 
@@ -293,7 +293,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `controller.customStartupProbe`                                | Custom startupProbe that overrides the default one                                                                                                                                                                               | `{}`             |
 | `controller.customLivenessProbe`                               | Custom livenessProbe that overrides the default one                                                                                                                                                                              | `{}`             |
 | `controller.customReadinessProbe`                              | Custom readinessProbe that overrides the default one                                                                                                                                                                             | `{}`             |
-| `controller.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none`           |
+| `controller.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `nano`           |
 | `controller.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                | `{}`             |
 | `controller.podSecurityContext.enabled`                        | Enabled Argo CD pods' Security Context                                                                                                                                                                                           | `true`           |
 | `controller.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                               | `Always`         |
@@ -301,12 +301,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `controller.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                                      | `[]`             |
 | `controller.podSecurityContext.fsGroup`                        | Set Argo CD pod's Security Context fsGroup                                                                                                                                                                                       | `1001`           |
 | `controller.containerSecurityContext.enabled`                  | Enabled Argo CD containers' Security Context                                                                                                                                                                                     | `true`           |
-| `controller.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                 | `nil`            |
+| `controller.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                 | `{}`             |
 | `controller.containerSecurityContext.runAsUser`                | Set Argo CD containers' Security Context runAsUser                                                                                                                                                                               | `1001`           |
-| `controller.containerSecurityContext.runAsGroup`               | Set Argo CD containers' Security Context runAsGroup                                                                                                                                                                              | `0`              |
+| `controller.containerSecurityContext.runAsGroup`               | Set Argo CD containers' Security Context runAsGroup                                                                                                                                                                              | `1001`           |
 | `controller.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD containers' Security Context allowPrivilegeEscalation                                                                                                                                                                | `false`          |
 | `controller.containerSecurityContext.capabilities.drop`        | Set Argo CD containers' Security Context capabilities to be dropped                                                                                                                                                              | `["ALL"]`        |
-| `controller.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' Security Context readOnlyRootFilesystem                                                                                                                                                                  | `false`          |
+| `controller.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' Security Context readOnlyRootFilesystem                                                                                                                                                                  | `true`           |
 | `controller.containerSecurityContext.runAsNonRoot`             | Set Argo CD container's Security Context runAsNonRoot                                                                                                                                                                            | `true`           |
 | `controller.containerSecurityContext.privileged`               | Set controller container's Security Context privileged                                                                                                                                                                           | `false`          |
 | `controller.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                                                                                                                 | `RuntimeDefault` |
@@ -467,12 +467,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `applicationSet.podAnnotations`                                    | Annotations for Argo CD applicationSet controller pods                                                                                                                                                                                   | `{}`             |
 | `applicationSet.podLabels`                                         | Extra labels for Argo CD applicationSet controller pods                                                                                                                                                                                  | `{}`             |
 | `applicationSet.containerSecurityContext.enabled`                  | Enabled Argo CD applicationSet controller containers' Security Context                                                                                                                                                                   | `true`           |
-| `applicationSet.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                         | `nil`            |
+| `applicationSet.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                         | `{}`             |
 | `applicationSet.containerSecurityContext.runAsUser`                | Set Argo CD applicationSet controller containers' Security Context runAsUser                                                                                                                                                             | `1001`           |
-| `applicationSet.containerSecurityContext.runAsGroup`               | Set Argo CD applicationSet controller containers' Security Context runAsGroup                                                                                                                                                            | `0`              |
+| `applicationSet.containerSecurityContext.runAsGroup`               | Set Argo CD applicationSet controller containers' Security Context runAsGroup                                                                                                                                                            | `1001`           |
 | `applicationSet.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD applicationSet controller containers' Security Context allowPrivilegeEscalation                                                                                                                                              | `false`          |
 | `applicationSet.containerSecurityContext.capabilities.drop`        | Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped                                                                                                                                            | `["ALL"]`        |
-| `applicationSet.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem                                                                                                                                                | `false`          |
+| `applicationSet.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem                                                                                                                                                | `true`           |
 | `applicationSet.containerSecurityContext.runAsNonRoot`             | Set Argo CD applicationSet controller container's Security Context runAsNonRoot                                                                                                                                                          | `true`           |
 | `applicationSet.containerSecurityContext.privileged`               | Set applicationSet container's Security Context privileged                                                                                                                                                                               | `false`          |
 | `applicationSet.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                                                                                                                         | `RuntimeDefault` |
@@ -490,7 +490,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `applicationSet.readinessProbe.successThreshold`                   | Success threshold for readinessProbe                                                                                                                                                                                                     | `1`              |
 | `applicationSet.customLivenessProbe`                               | Custom livenessProbe that overrides the default one                                                                                                                                                                                      | `{}`             |
 | `applicationSet.customReadinessProbe`                              | Custom readinessProbe that overrides the default one                                                                                                                                                                                     | `{}`             |
-| `applicationSet.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production). | `none`           |
+| `applicationSet.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production). | `nano`           |
 | `applicationSet.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                        | `{}`             |
 | `applicationSet.podSecurityContext.enabled`                        | Enabled Argo CD applicationSet controller pods' Security Context                                                                                                                                                                         | `true`           |
 | `applicationSet.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                                       | `Always`         |
@@ -581,16 +581,16 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `notifications.podAnnotations`                                               | Annotations for Argo CD notifications controller pods                                                                                                                                                                                                        | `{}`             |
 | `notifications.podLabels`                                                    | Extra labels for Argo CD notifications controller pods                                                                                                                                                                                                       | `{}`             |
 | `notifications.containerSecurityContext.enabled`                             | Enabled Argo CD notifications controller containers' Security Context                                                                                                                                                                                        | `true`           |
-| `notifications.containerSecurityContext.seLinuxOptions`                      | Set SELinux options in container                                                                                                                                                                                                                             | `nil`            |
+| `notifications.containerSecurityContext.seLinuxOptions`                      | Set SELinux options in container                                                                                                                                                                                                                             | `{}`             |
 | `notifications.containerSecurityContext.runAsUser`                           | Set Argo CD notifications controller containers' Security Context runAsUser                                                                                                                                                                                  | `1001`           |
-| `notifications.containerSecurityContext.runAsGroup`                          | Set Argo CD notifications controller containers' Security Context runAsGroup                                                                                                                                                                                 | `0`              |
+| `notifications.containerSecurityContext.runAsGroup`                          | Set Argo CD notifications controller containers' Security Context runAsGroup                                                                                                                                                                                 | `1001`           |
 | `notifications.containerSecurityContext.allowPrivilegeEscalation`            | Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation                                                                                                                                                                   | `false`          |
 | `notifications.containerSecurityContext.capabilities.drop`                   | Set Argo CD notifications controller containers' Security Context capabilities to be dropped                                                                                                                                                                 | `["ALL"]`        |
-| `notifications.containerSecurityContext.readOnlyRootFilesystem`              | Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem                                                                                                                                                                     | `false`          |
+| `notifications.containerSecurityContext.readOnlyRootFilesystem`              | Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem                                                                                                                                                                     | `true`           |
 | `notifications.containerSecurityContext.runAsNonRoot`                        | Set Argo CD notifications controller container's Security Context runAsNonRoot                                                                                                                                                                               | `true`           |
 | `notifications.containerSecurityContext.privileged`                          | Set notifications container's Security Context privileged                                                                                                                                                                                                    | `false`          |
 | `notifications.containerSecurityContext.seccompProfile.type`                 | Set container's Security Context seccomp profile                                                                                                                                                                                                             | `RuntimeDefault` |
-| `notifications.resourcesPreset`                                              | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production).                       | `none`           |
+| `notifications.resourcesPreset`                                              | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production).                       | `nano`           |
 | `notifications.resources`                                                    | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                                            | `{}`             |
 | `notifications.podSecurityContext.enabled`                                   | Enabled Argo CD notifications controller pods' Security Context                                                                                                                                                                                              | `true`           |
 | `notifications.podSecurityContext.fsGroupChangePolicy`                       | Set filesystem group change policy                                                                                                                                                                                                                           | `Always`         |
@@ -695,16 +695,16 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `notifications.bots.slack.podAnnotations`                                    | Annotations for Argo CD Slack bot pods                                                                                                                                                                                                                       | `{}`             |
 | `notifications.bots.slack.podLabels`                                         | Extra labels for Argo CD Slack bot pods                                                                                                                                                                                                                      | `{}`             |
 | `notifications.bots.slack.containerSecurityContext.enabled`                  | Enabled Argo CD Slack bot containers' Security Context                                                                                                                                                                                                       | `true`           |
-| `notifications.bots.slack.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                                             | `nil`            |
+| `notifications.bots.slack.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                                             | `{}`             |
 | `notifications.bots.slack.containerSecurityContext.runAsUser`                | Set Argo CD Slack bot containers' Security Context runAsUser                                                                                                                                                                                                 | `1001`           |
-| `notifications.bots.slack.containerSecurityContext.runAsGroup`               | Set Argo CD Slack bot containers' Security Context runAsGroup                                                                                                                                                                                                | `0`              |
+| `notifications.bots.slack.containerSecurityContext.runAsGroup`               | Set Argo CD Slack bot containers' Security Context runAsGroup                                                                                                                                                                                                | `1001`           |
 | `notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation                                                                                                                                                                                  | `false`          |
 | `notifications.bots.slack.containerSecurityContext.capabilities.drop`        | Set Argo CD Slack bot containers' Security Context capabilities to be dropped                                                                                                                                                                                | `["ALL"]`        |
-| `notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem                                                                                                                                                                                    | `false`          |
+| `notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem                                                                                                                                                                                    | `true`           |
 | `notifications.bots.slack.containerSecurityContext.runAsNonRoot`             | Set Argo CD Slack bot container's Security Context runAsNonRoot                                                                                                                                                                                              | `true`           |
 | `notifications.bots.slack.containerSecurityContext.privileged`               | Set notifications container's Security Context privileged                                                                                                                                                                                                    | `false`          |
 | `notifications.bots.slack.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                                                                                                                                             | `RuntimeDefault` |
-| `notifications.bots.slack.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production). | `none`           |
+| `notifications.bots.slack.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production). | `nano`           |
 | `notifications.bots.slack.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                                            | `{}`             |
 | `notifications.bots.slack.podSecurityContext.enabled`                        | Enabled Argo CD Slack bot pods' Security Context                                                                                                                                                                                                             | `true`           |
 | `notifications.bots.slack.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                                                           | `Always`         |
@@ -746,7 +746,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `server.customStartupProbe`                                | Custom startupProbe that overrides the default one                                                                                                                                                                       | `{}`                     |
 | `server.customLivenessProbe`                               | Custom livenessProbe that overrides the default one                                                                                                                                                                      | `{}`                     |
 | `server.customReadinessProbe`                              | Custom readinessProbe that overrides the default one                                                                                                                                                                     | `{}`                     |
-| `server.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `none`                   |
+| `server.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `nano`                   |
 | `server.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                        | `{}`                     |
 | `server.podSecurityContext.enabled`                        | Enabled Argo CD server pods' Security Context                                                                                                                                                                            | `true`                   |
 | `server.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                       | `Always`                 |
@@ -754,12 +754,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `server.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                              | `[]`                     |
 | `server.podSecurityContext.fsGroup`                        | Set Argo CD server pod's Security Context fsGroup                                                                                                                                                                        | `1001`                   |
 | `server.containerSecurityContext.enabled`                  | Enabled Argo CD server containers' Security Context                                                                                                                                                                      | `true`                   |
-| `server.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                         | `nil`                    |
+| `server.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                         | `{}`                     |
 | `server.containerSecurityContext.runAsUser`                | Set Argo CD server containers' Security Context runAsUser                                                                                                                                                                | `1001`                   |
-| `server.containerSecurityContext.runAsGroup`               | Set Argo CD server containers' Security Context runAsGroup                                                                                                                                                               | `0`                      |
+| `server.containerSecurityContext.runAsGroup`               | Set Argo CD server containers' Security Context runAsGroup                                                                                                                                                               | `1001`                   |
 | `server.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD server containers' Security Context allowPrivilegeEscalation                                                                                                                                                 | `false`                  |
 | `server.containerSecurityContext.capabilities.drop`        | Set Argo CD containers' server Security Context capabilities to be dropped                                                                                                                                               | `["ALL"]`                |
-| `server.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' server Security Context readOnlyRootFilesystem                                                                                                                                                   | `false`                  |
+| `server.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' server Security Context readOnlyRootFilesystem                                                                                                                                                   | `true`                   |
 | `server.containerSecurityContext.runAsNonRoot`             | Set Argo CD server containers' Security Context runAsNonRoot                                                                                                                                                             | `true`                   |
 | `server.containerSecurityContext.privileged`               | Set server container's Security Context privileged                                                                                                                                                                       | `false`                  |
 | `server.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                                                                                                         | `RuntimeDefault`         |
@@ -906,7 +906,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `repoServer.customStartupProbe`                                | Custom startupProbe that overrides the default one                                                                                                                                                                               | `{}`             |
 | `repoServer.customLivenessProbe`                               | Custom livenessProbe that overrides the default one                                                                                                                                                                              | `{}`             |
 | `repoServer.customReadinessProbe`                              | Custom readinessProbe that overrides the default one                                                                                                                                                                             | `{}`             |
-| `repoServer.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production). | `none`           |
+| `repoServer.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production). | `nano`           |
 | `repoServer.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                | `{}`             |
 | `repoServer.podSecurityContext.enabled`                        | Enabled Argo CD repo server pods' Security Context                                                                                                                                                                               | `true`           |
 | `repoServer.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                               | `Always`         |
@@ -914,12 +914,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `repoServer.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                                      | `[]`             |
 | `repoServer.podSecurityContext.fsGroup`                        | Set Argo CD repo server pod's Security Context fsGroup                                                                                                                                                                           | `1001`           |
 | `repoServer.containerSecurityContext.enabled`                  | Enabled Argo CD repo server containers' Security Context                                                                                                                                                                         | `true`           |
-| `repoServer.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                 | `nil`            |
+| `repoServer.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                 | `{}`             |
 | `repoServer.containerSecurityContext.runAsUser`                | Set Argo CD repo server containers' Security Context runAsUser                                                                                                                                                                   | `1001`           |
-| `repoServer.containerSecurityContext.runAsGroup`               | Set Argo CD repo server containers' Security Context runAsGroup                                                                                                                                                                  | `0`              |
+| `repoServer.containerSecurityContext.runAsGroup`               | Set Argo CD repo server containers' Security Context runAsGroup                                                                                                                                                                  | `1001`           |
 | `repoServer.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation                                                                                                                                                    | `false`          |
 | `repoServer.containerSecurityContext.capabilities.drop`        | Set Argo CD containers' repo server Security Context capabilities to be dropped                                                                                                                                                  | `["ALL"]`        |
-| `repoServer.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem                                                                                                                                                      | `false`          |
+| `repoServer.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem                                                                                                                                                      | `true`           |
 | `repoServer.containerSecurityContext.runAsNonRoot`             | Set Argo CD repo server containers' Security Context runAsNonRoot                                                                                                                                                                | `true`           |
 | `repoServer.containerSecurityContext.privileged`               | Set repoServer container's Security Context privileged                                                                                                                                                                           | `false`          |
 | `repoServer.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                                                                                                                 | `RuntimeDefault` |
@@ -1038,7 +1038,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `dex.customStartupProbe`                                | Custom startupProbe that overrides the default one                                                                                                                                                                 | `{}`                  |
 | `dex.customLivenessProbe`                               | Custom livenessProbe that overrides the default one                                                                                                                                                                | `{}`                  |
 | `dex.customReadinessProbe`                              | Custom readinessProbe that overrides the default one                                                                                                                                                               | `{}`                  |
-| `dex.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). | `none`                |
+| `dex.resourcesPreset`                                   | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). | `nano`                |
 | `dex.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                  | `{}`                  |
 | `dex.podSecurityContext.enabled`                        | Enabled Dex pods' Security Context                                                                                                                                                                                 | `true`                |
 | `dex.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                 | `Always`              |
@@ -1046,11 +1046,11 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `dex.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                        | `[]`                  |
 | `dex.podSecurityContext.fsGroup`                        | Set Dex pod's Security Context fsGroup                                                                                                                                                                             | `1001`                |
 | `dex.containerSecurityContext.enabled`                  | Enabled Dex containers' Security Context                                                                                                                                                                           | `true`                |
-| `dex.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                   | `nil`                 |
+| `dex.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                   | `{}`                  |
 | `dex.containerSecurityContext.runAsUser`                | Set Dex containers' Security Context runAsUser                                                                                                                                                                     | `1001`                |
-| `dex.containerSecurityContext.runAsGroup`               | Set Dex containers' Security Context runAsGroup                                                                                                                                                                    | `0`                   |
+| `dex.containerSecurityContext.runAsGroup`               | Set Dex containers' Security Context runAsGroup                                                                                                                                                                    | `1001`                |
 | `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation                                                                                                                                                      | `false`               |
-| `dex.containerSecurityContext.readOnlyRootFilesystem`   | Set Dex containers' server Security Context readOnlyRootFilesystem                                                                                                                                                 | `false`               |
+| `dex.containerSecurityContext.readOnlyRootFilesystem`   | Set Dex containers' server Security Context readOnlyRootFilesystem                                                                                                                                                 | `true`                |
 | `dex.containerSecurityContext.runAsNonRoot`             | Set Dex containers' Security Context runAsNonRoot                                                                                                                                                                  | `true`                |
 | `dex.containerSecurityContext.capabilities.drop`        | Set Argo CD containers' repo server Security Context capabilities to be dropped                                                                                                                                    | `["ALL"]`             |
 | `dex.containerSecurityContext.privileged`               | Set dex container's Security Context privileged                                                                                                                                                                    | `false`               |
@@ -1170,9 +1170,9 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `volumePermissions.image.digest`                            | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                                                                                                                             | `""`                       |
 | `volumePermissions.image.pullPolicy`                        | OS Shell + Utility image pull policy                                                                                                                                                                                                           | `IfNotPresent`             |
 | `volumePermissions.image.pullSecrets`                       | OS Shell + Utility image pull secrets                                                                                                                                                                                                          | `[]`                       |
-| `volumePermissions.resourcesPreset`                         | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none`                     |
+| `volumePermissions.resourcesPreset`                         | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano`                     |
 | `volumePermissions.resources`                               | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                              | `{}`                       |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container                                                                                                                                                                                                               | `nil`                      |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container                                                                                                                                                                                                               | `{}`                       |
 | `volumePermissions.containerSecurityContext.runAsUser`      | Set init container's Security Context runAsUser                                                                                                                                                                                                | `0`                        |
 
 ### Other Parameters
@@ -1200,12 +1200,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `redisWait.enabled`                                           | Enables waiting for redis                                                                             | `true`                  |
 | `redisWait.extraArgs`                                         | Additional arguments for the redis-cli call, such as TLS                                              | `""`                    |
 | `redisWait.containerSecurityContext.enabled`                  | Enabled Argo CD repo server containers' Security Context                                              | `true`                  |
-| `redisWait.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                      | `nil`                   |
+| `redisWait.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                      | `{}`                    |
 | `redisWait.containerSecurityContext.runAsUser`                | Set Argo CD repo server containers' Security Context runAsUser                                        | `1001`                  |
-| `redisWait.containerSecurityContext.runAsGroup`               | Set Argo CD repo server containers' Security Context runAsGroup                                       | `0`                     |
+| `redisWait.containerSecurityContext.runAsGroup`               | Set Argo CD repo server containers' Security Context runAsGroup                                       | `1001`                  |
 | `redisWait.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation                         | `false`                 |
 | `redisWait.containerSecurityContext.capabilities.drop`        | Set Argo CD containers' repo server Security Context capabilities to be dropped                       | `["ALL"]`               |
-| `redisWait.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem                           | `false`                 |
+| `redisWait.containerSecurityContext.readOnlyRootFilesystem`   | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem                           | `true`                  |
 | `redisWait.containerSecurityContext.runAsNonRoot`             | Set Argo CD repo server containers' Security Context runAsNonRoot                                     | `true`                  |
 | `redisWait.containerSecurityContext.privileged`               | Set redisWait container's Security Context privileged                                                 | `false`                 |
 | `redisWait.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                      | `RuntimeDefault`        |
@@ -1242,6 +1242,17 @@ Find more information about how to deal with common errors related to Bitnami's
 
 ## Upgrading
 
+### To 6.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 5.0.0
 
 This major updates the Redis&reg; subchart to its newest major, 18.0.0. [Here](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1800) you can find more information about the changes introduced in that version.
diff --git a/bitnami/argo-cd/values.yaml b/bitnami/argo-cd/values.yaml
index 390a14a770..7c1b0bf88e 100644
--- a/bitnami/argo-cd/values.yaml
+++ b/bitnami/argo-cd/values.yaml
@@ -26,7 +26,7 @@ global:
     openshift:
       ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
       ##
-      adaptSecurityContext: disabled
+      adaptSecurityContext: auto
 ## @section Common parameters
 
 ## @param kubeVersion Override Kubernetes version
@@ -149,7 +149,7 @@ controller:
   ## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -190,11 +190,11 @@ controller:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities:
@@ -947,11 +947,11 @@ applicationSet:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities:
@@ -997,7 +997,7 @@ applicationSet:
   ## @param applicationSet.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if applicationSet.resources is set (applicationSet.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param applicationSet.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -1418,11 +1418,11 @@ notifications:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities:
@@ -1434,7 +1434,7 @@ notifications:
   ## @param notifications.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.resources is set (notifications.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param notifications.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -1852,11 +1852,11 @@ notifications:
       ##
       containerSecurityContext:
         enabled: true
-        seLinuxOptions: null
+        seLinuxOptions: {}
         runAsUser: 1001
-        runAsGroup: 0
+        runAsGroup: 1001
         runAsNonRoot: true
-        readOnlyRootFilesystem: false
+        readOnlyRootFilesystem: true
         allowPrivilegeEscalation: false
         privileged: false
         capabilities:
@@ -1868,7 +1868,7 @@ notifications:
       ## @param notifications.bots.slack.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if notifications.bots.slack.resources is set (notifications.bots.slack.resources is recommended for production).
       ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
       ##
-      resourcesPreset: "none"
+      resourcesPreset: "nano"
       ## @param notifications.bots.slack.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
       ## Example:
       ## resources:
@@ -1990,7 +1990,7 @@ server:
   ## @param server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -2031,11 +2031,11 @@ server:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities:
@@ -2786,7 +2786,7 @@ repoServer:
   ## @param repoServer.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if repoServer.resources is set (repoServer.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param repoServer.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -2827,11 +2827,11 @@ repoServer:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities:
@@ -3320,7 +3320,7 @@ dex:
   ## @param dex.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param dex.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -3361,11 +3361,11 @@ dex:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities:
@@ -3939,7 +3939,7 @@ volumePermissions:
   ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources:
@@ -3960,7 +3960,7 @@ volumePermissions:
   ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
   ##
   containerSecurityContext:
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 0
 ## @section Other Parameters
 
@@ -4076,11 +4076,11 @@ redisWait:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     privileged: false
     capabilities: