mirror of
https://github.com/bitnami/charts.git
synced 2026-03-10 15:07:49 +08:00
[bitnami/mongodb-sharded] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23747)
* [bitnami/mongodb-sharded] feat: ✨ 🔒 Add readOnlyRootFilesystem support

  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Disable readonlyrootfs in metrics

  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
committed by GitHub
parent 5f4dd68b9e
commit d1384e5355
@@ -35,4 +35,4 @@ maintainers:
|
||||
name: mongodb-sharded
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb-sharded
|
||||
version: 7.7.3
|
||||
version: 7.8.0
|
||||
|
||||
@@ -215,6 +215,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `configsvr.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `configsvr.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `configsvr.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `configsvr.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `configsvr.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `configsvr.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `configsvr.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
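Review bot: The description for `configsvr.containerSecurityContext.readOnlyRootFilesystem` only repeats the field name, and the default shown is `false`, so a reader cannot tell from this table what enabling it involves. Suggest stating that `true` relies on the `empty-dir` volume for `/tmp` and the `/opt/bitnami/mongodb/conf`, `tmp` and `logs` paths, and that the chart ships with it off. The same wording is used in the mongos, shardsvr and metrics tables.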
@@ -310,6 +311,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `mongos.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `mongos.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `mongos.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `mongos.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `mongos.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `mongos.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `mongos.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
@@ -391,6 +393,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `shardsvr.dataNode.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `shardsvr.dataNode.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `shardsvr.dataNode.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `shardsvr.dataNode.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `shardsvr.dataNode.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `shardsvr.dataNode.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `shardsvr.dataNode.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
@@ -482,6 +485,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `shardsvr.arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `shardsvr.arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `shardsvr.arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `shardsvr.arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `shardsvr.arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `shardsvr.arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `shardsvr.arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
@@ -531,6 +535,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
|
||||
@@ -99,6 +99,9 @@ spec:
|
||||
{{- if .Values.configsvr.persistence.subPath }}
|
||||
subPath: {{ include "common.tplvalues.render" (dict "value" .Values.configsvr.persistence.subPath "context" $) }}
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- end }}
|
||||
{{- with .Values.configsvr.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
|
||||
@@ -252,6 +255,18 @@ spec:
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" $.Values.configsvr.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/logs
|
||||
subPath: app-logs-dir
|
||||
- name: replicaset-entrypoint-configmap
|
||||
mountPath: /entrypoint
|
||||
- name: datadir
|
||||
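Review bot: The four `empty-dir` mounts under `volumeMounts:` are not wrapped in any condition on `configsvr.containerSecurityContext.readOnlyRootFilesystem`, so they apply even when the value stays at `false`. An emptyDir mounted at `/opt/bitnami/mongodb/conf` hides whatever the image ships in that directory, so container start-up has to recreate its configuration there on every start; please confirm the image does that, or gate the mounts on the flag. The identical blocks in the mongos, arbiter and data node templates raise the same question.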
@@ -322,11 +337,14 @@ spec:
|
||||
{{- end }}
|
||||
/bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ .Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ .Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ .Values.metrics.extraArgs }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFile }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFile }}
|
||||
- name: secrets
|
||||
mountPath: /bitnami/mongodb/secrets/
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||
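Review bot: The metrics container mounts `empty-dir` with `subPath: tmp-dir` at `/tmp`, the same subPath the MongoDB container in this pod uses for its own `/tmp`, so the exporter and the database share one writable temp directory. A separate subPath for the sidecar (for example `metrics-tmp-dir`) keeps the two containers from reading or overwriting each other's temp files. While this block is open, the `secrets` mount at `/bitnami/mongodb/secrets/` shows no `readOnly: true`; adding it fits the purpose of the change.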
@@ -368,6 +386,8 @@ spec:
|
||||
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
- name: replicaset-entrypoint-configmap
|
||||
configMap:
|
||||
name: {{ printf "%s-replicaset-entrypoint" (include "common.names.fullname" .) }}
|
||||
|
||||
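Review bot: `emptyDir: {}` on the `empty-dir` volume sets no `sizeLimit`, and this one volume now backs `/tmp`, `/opt/bitnami/mongodb/tmp` and `/opt/bitnami/mongodb/logs`. Log growth in `app-logs-dir` therefore counts against node ephemeral storage with no cap of its own; suggest exposing a size limit through values, and documenting that logs written there do not survive pod deletion.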
@@ -233,6 +233,18 @@ spec:
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.mongos.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/logs
|
||||
subPath: app-logs-dir
|
||||
{{- if .Values.auth.usePasswordFile }}
|
||||
- name: secrets
|
||||
mountPath: /bitnami/mongodb/secrets/
|
||||
@@ -288,11 +300,14 @@ spec:
|
||||
{{- end }}
|
||||
/bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ .Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ .Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ .Values.metrics.extraArgs }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFile }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFile }}
|
||||
- name: secrets
|
||||
mountPath: /bitnami/mongodb/secrets/
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||
@@ -327,13 +342,15 @@ spec:
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $.Values.mongos.sidecars }}
|
||||
{{- with .Values.mongos.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $.Values.common.sidecars }}
|
||||
{{- with .Values.common.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if .Values.auth.usePasswordFile }}
|
||||
- name: secrets
|
||||
secret:
|
||||
|
||||
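Review bot: The two `with` lines for `mongos.sidecars` and `common.sidecars` appear here in both `$.Values` and `.Values` form, a scoping edit that has nothing to do with the read-only root filesystem. Please move it to its own commit or mention it in the message, and confirm that `.` is the root context at this point in the template, since the `include` inside each block still passes `$` as `context`.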
@@ -228,6 +228,18 @@ spec:
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.arbiter.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/logs
|
||||
subPath: app-logs-dir
|
||||
{{- if or $.Values.shardsvr.arbiter.config $.Values.shardsvr.arbiter.configCM }}
|
||||
- name: config
|
||||
mountPath: /bitnami/mongodb/conf/
|
||||
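Review bot: After this hunk the arbiter has two configuration directories: a writable emptyDir at `/opt/bitnami/mongodb/conf` and, when `shardsvr.arbiter.config` or `shardsvr.arbiter.configCM` is set, the `config` volume at `/bitnami/mongodb/conf/`. With `readOnlyRootFilesystem: true` the directory under `/opt/bitnami/mongodb/conf` is still writable by the container process, so the flag does not protect files there from modification at runtime. A short template comment or README line should say so, so users do not assume otherwise.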
@@ -291,11 +303,14 @@ spec:
|
||||
{{- end }}
|
||||
/bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ $.Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ $.Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ $.Values.metrics.extraArgs }}
|
||||
{{- end }}
|
||||
{{- if $.Values.auth.usePasswordFile }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if $.Values.auth.usePasswordFile }}
|
||||
- name: secrets
|
||||
mountPath: /bitnami/mongodb/secrets/
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ $.Values.metrics.containerPorts.metrics }}
|
||||
@@ -337,6 +352,8 @@ spec:
|
||||
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if or $.Values.shardsvr.arbiter.config $.Values.shardsvr.arbiter.configCM }}
|
||||
- name: config
|
||||
configMap:
|
||||
|
||||
@@ -97,6 +97,9 @@ spec:
|
||||
resources: {{- include "common.resources.preset" (dict "type" $.Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: datadir
|
||||
mountPath: {{ $.Values.shardsvr.persistence.mountPath }}
|
||||
{{- if $.Values.shardsvr.persistence.subPath }}
|
||||
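Review bot: The `/tmp` mount is added to the init container whose resources come from `volumePermissions.resourcesPreset`, but none of the README or values hunks in this change show a `readOnlyRootFilesystem` setting for `volumePermissions`. If that container never runs with a read-only root filesystem the mount is unnecessary; if it can, name the value that controls it in a template comment.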
@@ -259,6 +262,18 @@ spec:
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.dataNode.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/mongodb/logs
|
||||
subPath: app-logs-dir
|
||||
- name: replicaset-entrypoint-configmap
|
||||
mountPath: /entrypoint
|
||||
- name: datadir
|
||||
@@ -329,11 +344,14 @@ spec:
|
||||
{{- end }}
|
||||
/bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ $.Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ $.Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ $.Values.metrics.extraArgs }}
|
||||
{{- end }}
|
||||
{{- if $.Values.auth.usePasswordFile }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if $.Values.auth.usePasswordFile }}
|
||||
- name: secrets
|
||||
mountPath: /bitnami/mongodb/secrets/
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ $.Values.metrics.containerPorts.metrics }}
|
||||
@@ -375,6 +393,8 @@ spec:
|
||||
{{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
- name: replicaset-entrypoint-configmap
|
||||
configMap:
|
||||
name: {{ printf "%s-replicaset-entrypoint" (include "common.names.fullname" $) }}
|
||||
|
||||
@@ -643,6 +643,7 @@ configsvr:
|
||||
## @param configsvr.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param configsvr.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param configsvr.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param configsvr.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param configsvr.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param configsvr.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param configsvr.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -654,6 +655,7 @@ configsvr:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
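Review bot: `readOnlyRootFilesystem: false` as the `configsvr` default leaves the hardening opt-in even though the templates now mount the writable paths unconditionally. If the config server is known to start with the flag set, consider defaulting to `true`; otherwise add a `##` comment above the block naming what still fails. Also worth a comment: `runAsGroup: 0` next to `runAsUser: 1001` puts the process in the root group, and the reason is not stated.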
@@ -997,6 +999,7 @@ mongos:
|
||||
## @param mongos.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param mongos.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param mongos.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param mongos.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param mongos.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param mongos.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param mongos.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -1008,6 +1011,7 @@ mongos:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -1304,6 +1308,7 @@ shardsvr:
|
||||
## @param shardsvr.dataNode.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param shardsvr.dataNode.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param shardsvr.dataNode.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param shardsvr.dataNode.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param shardsvr.dataNode.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param shardsvr.dataNode.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param shardsvr.dataNode.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -1315,6 +1320,7 @@ shardsvr:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -1628,6 +1634,7 @@ shardsvr:
|
||||
## @param shardsvr.arbiter.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param shardsvr.arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param shardsvr.arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param shardsvr.arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param shardsvr.arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param shardsvr.arbiter.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param shardsvr.arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -1639,6 +1646,7 @@ shardsvr:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -1773,6 +1781,7 @@ metrics:
|
||||
## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
|
||||
## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
|
||||
## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
|
||||
## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
|
||||
## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
|
||||
## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
@@ -1784,6 +1793,7 @@ metrics:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
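Review bot: The `metrics` block shows `readOnlyRootFilesystem: false`, the same value as every other component in this file, so the distinction the commit message draws ("Disable readonlyrootfs in metrics") is not visible in the defaults. Since the exporter container does receive a `/tmp` emptyDir mount in the templates, a `##` comment here should state whether `true` is supported for the exporter or known to break it.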