[bitnami/argo-cd] feat: 🔒 Add readOnlyRootFilesystem support (#23875)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Author: Javier J. Salmerón-García
Date: 2024-02-23 17:26:30 +01:00
Committed by: GitHub
Parent: b60af0d57f
Commit: e577a7d2a9
10 changed files with 78 additions and 26 deletions

View File

@@ -39,4 +39,4 @@ maintainers:
name: argo-cd name: argo-cd
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/argo-cd - https://github.com/bitnami/charts/tree/main/bitnami/argo-cd
version: 5.8.1 version: 5.9.0

View File

@@ -122,6 +122,7 @@ The command removes all the Kubernetes components associated with the chart and
| `controller.containerSecurityContext.enabled` | Enabled Argo CD containers' Security Context | `true` | | `controller.containerSecurityContext.enabled` | Enabled Argo CD containers' Security Context | `true` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `controller.containerSecurityContext.runAsUser` | Set Argo CD containers' Security Context runAsUser | `1001` | | `controller.containerSecurityContext.runAsUser` | Set Argo CD containers' Security Context runAsUser | `1001` |
| `controller.containerSecurityContext.runAsGroup` | Set Argo CD containers' Security Context runAsGroup | `0` |
| `controller.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD containers' Security Context allowPrivilegeEscalation | `false` | | `controller.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD containers' Security Context allowPrivilegeEscalation | `false` |
| `controller.containerSecurityContext.capabilities.drop` | Set Argo CD containers' Security Context capabilities to be dropped | `["ALL"]` | | `controller.containerSecurityContext.capabilities.drop` | Set Argo CD containers' Security Context capabilities to be dropped | `["ALL"]` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' Security Context readOnlyRootFilesystem | `false` | | `controller.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' Security Context readOnlyRootFilesystem | `false` |
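Review bot: the table still lists `controller.containerSecurityContext.readOnlyRootFilesystem` with default `false`, so the feature named in the commit title is opt-in and nothing in this README tells a reader that the chart now runs correctly with `readOnlyRootFilesystem: true`; a short sentence in the README body saying so (and showing the `--set controller.containerSecurityContext.readOnlyRootFilesystem=true` form) would make the new support discoverable. The new `runAsGroup` row documents a default of `0`, which is the root group; the description should say that explicitly so readers do not assume it is a non-root GID like the `1001` next to it.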
@@ -287,6 +288,7 @@ The command removes all the Kubernetes components associated with the chart and
| `applicationSet.containerSecurityContext.enabled` | Enabled Argo CD applicationSet controller containers' Security Context | `true` | | `applicationSet.containerSecurityContext.enabled` | Enabled Argo CD applicationSet controller containers' Security Context | `true` |
| `applicationSet.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `applicationSet.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `applicationSet.containerSecurityContext.runAsUser` | Set Argo CD applicationSet controller containers' Security Context runAsUser | `1001` | | `applicationSet.containerSecurityContext.runAsUser` | Set Argo CD applicationSet controller containers' Security Context runAsUser | `1001` |
| `applicationSet.containerSecurityContext.runAsGroup` | Set Argo CD applicationSet controller containers' Security Context runAsGroup | `0` |
| `applicationSet.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD applicationSet controller containers' Security Context allowPrivilegeEscalation | `false` | | `applicationSet.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD applicationSet controller containers' Security Context allowPrivilegeEscalation | `false` |
| `applicationSet.containerSecurityContext.capabilities.drop` | Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped | `["ALL"]` | | `applicationSet.containerSecurityContext.capabilities.drop` | Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped | `["ALL"]` |
| `applicationSet.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem | `false` | | `applicationSet.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem | `false` |
@@ -400,6 +402,7 @@ The command removes all the Kubernetes components associated with the chart and
| `notifications.containerSecurityContext.enabled` | Enabled Argo CD notifications controller containers' Security Context | `true` | | `notifications.containerSecurityContext.enabled` | Enabled Argo CD notifications controller containers' Security Context | `true` |
| `notifications.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `notifications.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `notifications.containerSecurityContext.runAsUser` | Set Argo CD notifications controller containers' Security Context runAsUser | `1001` | | `notifications.containerSecurityContext.runAsUser` | Set Argo CD notifications controller containers' Security Context runAsUser | `1001` |
| `notifications.containerSecurityContext.runAsGroup` | Set Argo CD notifications controller containers' Security Context runAsGroup | `0` |
| `notifications.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation | `false` | | `notifications.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation | `false` |
| `notifications.containerSecurityContext.capabilities.drop` | Set Argo CD notifications controller containers' Security Context capabilities to be dropped | `["ALL"]` | | `notifications.containerSecurityContext.capabilities.drop` | Set Argo CD notifications controller containers' Security Context capabilities to be dropped | `["ALL"]` |
| `notifications.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem | `false` | | `notifications.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem | `false` |
@@ -513,6 +516,7 @@ The command removes all the Kubernetes components associated with the chart and
| `notifications.bots.slack.containerSecurityContext.enabled` | Enabled Argo CD Slack bot containers' Security Context | `true` | | `notifications.bots.slack.containerSecurityContext.enabled` | Enabled Argo CD Slack bot containers' Security Context | `true` |
| `notifications.bots.slack.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `notifications.bots.slack.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `notifications.bots.slack.containerSecurityContext.runAsUser` | Set Argo CD Slack bot containers' Security Context runAsUser | `1001` | | `notifications.bots.slack.containerSecurityContext.runAsUser` | Set Argo CD Slack bot containers' Security Context runAsUser | `1001` |
| `notifications.bots.slack.containerSecurityContext.runAsGroup` | Set Argo CD Slack bot containers' Security Context runAsGroup | `0` |
| `notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation | `false` | | `notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation | `false` |
| `notifications.bots.slack.containerSecurityContext.capabilities.drop` | Set Argo CD Slack bot containers' Security Context capabilities to be dropped | `["ALL"]` | | `notifications.bots.slack.containerSecurityContext.capabilities.drop` | Set Argo CD Slack bot containers' Security Context capabilities to be dropped | `["ALL"]` |
| `notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem | `false` | | `notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem | `false` |
@@ -571,6 +575,7 @@ The command removes all the Kubernetes components associated with the chart and
| `server.containerSecurityContext.enabled` | Enabled Argo CD server containers' Security Context | `true` | | `server.containerSecurityContext.enabled` | Enabled Argo CD server containers' Security Context | `true` |
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `server.containerSecurityContext.runAsUser` | Set Argo CD server containers' Security Context runAsUser | `1001` | | `server.containerSecurityContext.runAsUser` | Set Argo CD server containers' Security Context runAsUser | `1001` |
| `server.containerSecurityContext.runAsGroup` | Set Argo CD server containers' Security Context runAsGroup | `0` |
| `server.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD server containers' Security Context allowPrivilegeEscalation | `false` | | `server.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD server containers' Security Context allowPrivilegeEscalation | `false` |
| `server.containerSecurityContext.capabilities.drop` | Set Argo CD containers' server Security Context capabilities to be dropped | `["ALL"]` | | `server.containerSecurityContext.capabilities.drop` | Set Argo CD containers' server Security Context capabilities to be dropped | `["ALL"]` |
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' server Security Context readOnlyRootFilesystem | `false` | | `server.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' server Security Context readOnlyRootFilesystem | `false` |
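Review bot: the descriptions for `server.containerSecurityContext.capabilities.drop` and `server.containerSecurityContext.readOnlyRootFilesystem` read "Argo CD containers' server Security Context", which is garbled word order; the new `runAsGroup` row in the same block uses the correct "Argo CD server containers' Security Context", so the two older rows should be aligned with it while this table is being touched. The same wording problem appears in the `repoServer.*` rows further down.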
@@ -730,6 +735,7 @@ The command removes all the Kubernetes components associated with the chart and
| `repoServer.containerSecurityContext.enabled` | Enabled Argo CD repo server containers' Security Context | `true` | | `repoServer.containerSecurityContext.enabled` | Enabled Argo CD repo server containers' Security Context | `true` |
| `repoServer.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `repoServer.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `repoServer.containerSecurityContext.runAsUser` | Set Argo CD repo server containers' Security Context runAsUser | `1001` | | `repoServer.containerSecurityContext.runAsUser` | Set Argo CD repo server containers' Security Context runAsUser | `1001` |
| `repoServer.containerSecurityContext.runAsGroup` | Set Argo CD repo server containers' Security Context runAsGroup | `0` |
| `repoServer.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation | `false` | | `repoServer.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation | `false` |
| `repoServer.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` | | `repoServer.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `repoServer.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` | | `repoServer.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` |
@@ -861,6 +867,7 @@ The command removes all the Kubernetes components associated with the chart and
| `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` | | `dex.containerSecurityContext.enabled` | Enabled Dex containers' Security Context | `true` |
| `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `dex.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` | | `dex.containerSecurityContext.runAsUser` | Set Dex containers' Security Context runAsUser | `1001` |
| `dex.containerSecurityContext.runAsGroup` | Set Dex containers' Security Context runAsGroup | `0` |
| `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` | | `dex.containerSecurityContext.allowPrivilegeEscalation` | Set Dex containers' Security Context allowPrivilegeEscalation | `false` |
| `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `false` | | `dex.containerSecurityContext.readOnlyRootFilesystem` | Set Dex containers' server Security Context readOnlyRootFilesystem | `false` |
| `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` | | `dex.containerSecurityContext.runAsNonRoot` | Set Dex containers' Security Context runAsNonRoot | `true` |
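Review bot: `dex.containerSecurityContext.readOnlyRootFilesystem` is described as "Set Dex containers' server Security Context readOnlyRootFilesystem", a stray "server" copied from the server table; the new `runAsGroup` row has the right wording ("Set Dex containers' Security Context runAsGroup"). Also, unlike every other component's block in this README, no `dex.containerSecurityContext.capabilities.drop` row is visible in this hunk; worth confirming the row exists outside the hunk, since the default `["ALL"]` drop is part of the hardening baseline the rest of the chart documents.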
@@ -1014,6 +1021,7 @@ The command removes all the Kubernetes components associated with the chart and
| `redisWait.containerSecurityContext.enabled` | Enabled Argo CD repo server containers' Security Context | `true` | | `redisWait.containerSecurityContext.enabled` | Enabled Argo CD repo server containers' Security Context | `true` |
| `redisWait.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `redisWait.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `redisWait.containerSecurityContext.runAsUser` | Set Argo CD repo server containers' Security Context runAsUser | `1001` | | `redisWait.containerSecurityContext.runAsUser` | Set Argo CD repo server containers' Security Context runAsUser | `1001` |
| `redisWait.containerSecurityContext.runAsGroup` | Set Argo CD repo server containers' Security Context runAsGroup | `0` |
| `redisWait.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation | `false` | | `redisWait.containerSecurityContext.allowPrivilegeEscalation` | Set Argo CD repo server containers' Security Context allowPrivilegeEscalation | `false` |
| `redisWait.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` | | `redisWait.containerSecurityContext.capabilities.drop` | Set Argo CD containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `redisWait.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` | | `redisWait.containerSecurityContext.readOnlyRootFilesystem` | Set Argo CD containers' repo server Security Context readOnlyRootFilesystem | `false` |
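Review bot: every description in the `redisWait.containerSecurityContext.*` block, including the new `runAsGroup` row, says "Argo CD repo server containers'", which is a copy-paste from the repo server table; these rows describe the `wait-for-redis` init container (see the repo server deployment hunk below), so the wording should name it, e.g. "Set Argo CD wait-for-redis init container's Security Context runAsGroup".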

View File

@@ -234,6 +234,9 @@ spec:
# Ref: https://argoproj.github.io/argo-cd/operator-manual/tls/#inbound-tls-certificates-used-by-argocd-repo-sever # Ref: https://argoproj.github.io/argo-cd/operator-manual/tls/#inbound-tls-certificates-used-by-argocd-repo-sever
- mountPath: /app/config/server/tls - mountPath: /app/config/server/tls
name: argocd-repo-server-tls name: argocd-repo-server-tls
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.controller.extraVolumeMounts }} {{- if .Values.controller.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
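Review bot: this hunk makes only `/tmp` writable for the application controller, which is sufficient only if nothing else in the image is written at runtime. Because the values default for `controller.containerSecurityContext.readOnlyRootFilesystem` stays `false` (see the values.yaml hunks), the default chart test never exercises the read-only path; please add at least one CI values file with `readOnlyRootFilesystem: true` for every component so a missed write location shows up as a CrashLoopBackOff in CI rather than in a user's cluster. The `subPath: tmp-dir` choice is consistent with the other components and lets the single `empty-dir` volume host several directories without the containers sharing contents.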
@@ -241,6 +244,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.controller.sidecars "context" $) | nindent 8 }} {{- include "common.tplvalues.render" ( dict "value" .Values.controller.sidecars "context" $) | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
- name: empty-dir
emptyDir: {}
- name: argocd-repo-server-tls - name: argocd-repo-server-tls
secret: secret:
items: items:

View File

@@ -161,10 +161,12 @@ spec:
- mountPath: /app/config/rbac - mountPath: /app/config/rbac
name: rbac name: rbac
{{- end }} {{- end }}
- mountPath: /app/config/gpg/keys - name: empty-dir
name: gpg-keyring mountPath: /app/config/gpg/keys
- mountPath: /tmp subPath: app-keys-dir
name: tmp - name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.applicationSet.extraVolumeMounts }} {{- if .Values.applicationSet.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.applicationSet.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.applicationSet.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
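Review bot: the volume names `gpg-keyring` and `tmp` are replaced by a single `empty-dir` volume with two `subPath`s, so any user-provided `applicationSet.extraVolumeMounts` that referenced `name: gpg-keyring` or `name: tmp` will now render a pod that the API server rejects (mount of a non-existent volume). That is a breaking change for those users and deserves an entry in the chart's upgrade notes alongside the bump to 5.9.0. Functionally the change is sound: `/app/config/gpg/keys` and `/tmp` remain separate directories (`app-keys-dir` vs `tmp-dir`) inside the same emptyDir.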
@@ -187,9 +189,7 @@ spec:
configMap: configMap:
name: argocd-rbac-cm name: argocd-rbac-cm
{{- end }} {{- end }}
- name: gpg-keyring - name: empty-dir
emptyDir: {}
- name: tmp
emptyDir: {} emptyDir: {}
{{- if .Values.applicationSet.extraVolumes }} {{- if .Values.applicationSet.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.applicationSet.extraVolumes "context" $) | nindent 8 }} {{- include "common.tplvalues.render" (dict "value" .Values.applicationSet.extraVolumes "context" $) | nindent 8 }}

View File

@@ -90,10 +90,12 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: static-files - name: empty-dir
mountPath: /shared mountPath: /shared
- name: tmp-dir subPath: app-static-dir
- name: empty-dir
mountPath: /tmp mountPath: /tmp
subPath: tmp-dir
{{- end }} {{- end }}
- name: copyutil - name: copyutil
image: {{ include "argocd.image" . }} image: {{ include "argocd.image" . }}
@@ -110,8 +112,12 @@ spec:
- /opt/bitnami/argo-cd/bin/argocd - /opt/bitnami/argo-cd/bin/argocd
- /shared/argocd-dex - /shared/argocd-dex
volumeMounts: volumeMounts:
- mountPath: /shared - name: empty-dir
name: static-files mountPath: /shared
subPath: app-static-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.dex.initContainers }} {{- if .Values.dex.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.dex.initContainers "context" $) | nindent 8 }} {{- include "common.tplvalues.render" (dict "value" .Values.dex.initContainers "context" $) | nindent 8 }}
{{- end }} {{- end }}
@@ -208,10 +214,12 @@ spec:
failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }} failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: static-files - name: empty-dir
mountPath: /shared mountPath: /shared
- name: tmp-dir subPath: app-static-dir
- name: empty-dir
mountPath: /tmp mountPath: /tmp
subPath: tmp-dir
{{- if .Values.dex.extraVolumeMounts }} {{- if .Values.dex.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
@@ -219,9 +227,7 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.dex.sidecars "context" $) | nindent 8 }} {{- include "common.tplvalues.render" ( dict "value" .Values.dex.sidecars "context" $) | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
- name: tmp-dir - name: empty-dir
emptyDir: {}
- name: static-files
emptyDir: {} emptyDir: {}
{{- if .Values.dex.extraVolumes }} {{- if .Values.dex.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumes "context" $) | nindent 8 }} {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumes "context" $) | nindent 8 }}
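Review bot: same rename concern as in the other deployments: `static-files` and `tmp-dir` are folded into one `empty-dir` volume, so `dex.extraVolumeMounts` entries that reused `name: static-files` or `name: tmp-dir` will stop rendering a valid pod; call it out in the upgrade notes. The sharing itself is correct: the `volume-permissions` init container, the `copyutil` init container and the main Dex container all mount the same `app-static-dir` subPath at `/shared`, which is exactly what the `/shared/argocd-dex` binary copy needs, while each gets its own `/tmp` via `tmp-dir`.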

View File

@@ -138,10 +138,16 @@ spec:
{{- if .Values.notifications.bots.slack.containerSecurityContext.enabled }} {{- if .Values.notifications.bots.slack.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.notifications.bots.slack.containerSecurityContext "enabled" | toYaml | nindent 12 }} securityContext: {{- omit .Values.notifications.bots.slack.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }} {{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.notifications.bots.slack.extraVolumeMounts }} {{- if .Values.notifications.bots.slack.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.notifications.bots.slack.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.notifications.bots.slack.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
volumes: volumes:
- name: empty-dir
emptyDir: {}
{{- if .Values.notifications.bots.slack.extraVolumes }} {{- if .Values.notifications.bots.slack.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.notifications.bots.slack.extraVolumes "context" $) | nindent 8 }} {{- include "common.tplvalues.render" (dict "value" .Values.notifications.bots.slack.extraVolumes "context" $) | nindent 8 }}
{{- end }} {{- end }}
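Review bot: this hunk introduces a top-level `volumeMounts:` key just before the `{{- if .Values.notifications.bots.slack.extraVolumeMounts }}` block, and the old side of the diff shows no `volumeMounts:` line being removed. Please confirm the template did not already emit `volumeMounts:` somewhere above line 138 in this container spec; if it did, the rendered container now carries the key twice, which YAML parsers either reject or resolve by silently dropping one of the two lists. If the key was in fact absent before, this hunk also fixes a latent bug in which `notifications.bots.slack.extraVolumeMounts` rendered as a bare list without its parent key, and that fix is worth a line in the commit message.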

View File

@@ -147,10 +147,15 @@ spec:
{{- end }} {{- end }}
- mountPath: /app/config/server/tls - mountPath: /app/config/server/tls
name: argocd-repo-server-tls name: argocd-repo-server-tls
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.notifications.extraVolumeMounts }} {{- if .Values.notifications.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.notifications.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.notifications.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
volumes: volumes:
- name: empty-dir
emptyDir: {}
{{- if .Values.config.tlsCerts }} {{- if .Values.config.tlsCerts }}
- name: tls-certs - name: tls-certs
configMap: configMap:

View File

@@ -86,8 +86,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: tmp-dir - name: empty-dir
mountPath: /tmp mountPath: /tmp
subPath: tmp-dir
{{- end }} {{- end }}
{{- if .Values.redisWait.enabled }} {{- if .Values.redisWait.enabled }}
- name: wait-for-redis - name: wait-for-redis
@@ -253,10 +254,12 @@ spec:
# Ref: https://argoproj.github.io/argo-cd/operator-manual/tls/#inbound-tls-certificates-used-by-argocd-repo-sever # Ref: https://argoproj.github.io/argo-cd/operator-manual/tls/#inbound-tls-certificates-used-by-argocd-repo-sever
- mountPath: /app/config/server/tls - mountPath: /app/config/server/tls
name: argocd-repo-server-tls name: argocd-repo-server-tls
- mountPath: /app/config/gpg/keys - name: empty-dir
name: gpg-keyring mountPath: /app/config/gpg/keys
- mountPath: /tmp subPath: app-keys-dir
name: tmp-dir - name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.repoServer.extraVolumeMounts }} {{- if .Values.repoServer.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.repoServer.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.repoServer.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
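Review bot: the repo server gets writable `/app/config/gpg/keys` and `/tmp` only. This is the component that clones repositories and runs Helm and Kustomize, so with `repoServer.containerSecurityContext.readOnlyRootFilesystem: true` any other runtime write location (for example Helm's cache and config directories under the home directory) would make syncs fail with a read-only filesystem error at sync time rather than at pod start. Please verify with a real Helm-chart Application under the read-only setting before advertising the feature; if a further directory turns out to be needed, add it as another `subPath` of the same `empty-dir` volume rather than introducing a second emptyDir.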
@@ -283,10 +286,8 @@ spec:
path: ca.crt path: ca.crt
optional: true optional: true
secretName: argocd-repo-server-tls secretName: argocd-repo-server-tls
- emptyDir: {} - name: empty-dir
name: tmp-dir emptyDir: {}
- emptyDir: {}
name: gpg-keyring
{{- if .Values.repoServer.extraVolumes }} {{- if .Values.repoServer.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.repoServer.extraVolumes "context" $) | nindent 8 }} {{- include "common.tplvalues.render" (dict "value" .Values.repoServer.extraVolumes "context" $) | nindent 8 }}
{{- end }} {{- end }}
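Review bot: `tmp-dir` and `gpg-keyring` disappear as volume names in favour of `empty-dir`; user-supplied `repoServer.extraVolumeMounts` or sidecars (CMP plugin sidecars commonly mount the repo server's `/tmp`) that referenced the old names will no longer render a valid pod. This should be listed in the upgrade notes for 5.9.0 together with the equivalent renames in the applicationSet and Dex deployments.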

View File

@@ -233,6 +233,9 @@ spec:
failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
# Mounting into a path that will be read by Argo CD # Mounting into a path that will be read by Argo CD
# Ref: https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#ssh-known-host-public-keys # Ref: https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#ssh-known-host-public-keys
- name: ssh-known-hosts - name: ssh-known-hosts
@@ -260,6 +263,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }} {{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
- name: empty-dir
emptyDir: {}
- name: ssh-known-hosts - name: ssh-known-hosts
configMap: configMap:
name: argocd-ssh-known-hosts-cm name: argocd-ssh-known-hosts-cm

View File

@@ -171,6 +171,7 @@ controller:
## @param controller.containerSecurityContext.enabled Enabled Argo CD containers' Security Context ## @param controller.containerSecurityContext.enabled Enabled Argo CD containers' Security Context
## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param controller.containerSecurityContext.runAsUser Set Argo CD containers' Security Context runAsUser ## @param controller.containerSecurityContext.runAsUser Set Argo CD containers' Security Context runAsUser
## @param controller.containerSecurityContext.runAsGroup Set Argo CD containers' Security Context runAsGroup
## @param controller.containerSecurityContext.allowPrivilegeEscalation Set Argo CD containers' Security Context allowPrivilegeEscalation ## @param controller.containerSecurityContext.allowPrivilegeEscalation Set Argo CD containers' Security Context allowPrivilegeEscalation
## @param controller.containerSecurityContext.capabilities.drop Set Argo CD containers' Security Context capabilities to be dropped ## @param controller.containerSecurityContext.capabilities.drop Set Argo CD containers' Security Context capabilities to be dropped
## @param controller.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' Security Context readOnlyRootFilesystem ## @param controller.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' Security Context readOnlyRootFilesystem
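Review bot: `runAsGroup` is a new parameter in this commit, but the commit title mentions only `readOnlyRootFilesystem`; the message should list the new value so the 5.9.0 changelog records that pods now run with an explicit GID `0`. The `@param` comment should also say that `0` is the root group and why it is the chosen default, since the reason is not obvious next to `runAsUser: 1001`.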
@@ -182,6 +183,7 @@ controller:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
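Review bot: `runAsGroup: 0` together with `runAsNonRoot: true` passes the kubelet check (runAsNonRoot verifies only the UID), but admission policies that forbid the root group, which are common in hardened clusters, will reject these pods; document the rationale in values.yaml, or consider a non-zero default such as `1001` if the image's file permissions allow it. Note too that `readOnlyRootFilesystem: false` is kept as the default here and in every other component's block, so the new emptyDir mounts are only exercised when users flip the flag themselves.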
@@ -926,6 +928,7 @@ applicationSet:
## @param applicationSet.containerSecurityContext.enabled Enabled Argo CD applicationSet controller containers' Security Context ## @param applicationSet.containerSecurityContext.enabled Enabled Argo CD applicationSet controller containers' Security Context
## @param applicationSet.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param applicationSet.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param applicationSet.containerSecurityContext.runAsUser Set Argo CD applicationSet controller containers' Security Context runAsUser ## @param applicationSet.containerSecurityContext.runAsUser Set Argo CD applicationSet controller containers' Security Context runAsUser
## @param applicationSet.containerSecurityContext.runAsGroup Set Argo CD applicationSet controller containers' Security Context runAsGroup
## @param applicationSet.containerSecurityContext.allowPrivilegeEscalation Set Argo CD applicationSet controller containers' Security Context allowPrivilegeEscalation ## @param applicationSet.containerSecurityContext.allowPrivilegeEscalation Set Argo CD applicationSet controller containers' Security Context allowPrivilegeEscalation
## @param applicationSet.containerSecurityContext.capabilities.drop Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped ## @param applicationSet.containerSecurityContext.capabilities.drop Set Argo CD applicationSet controller containers' Security Context capabilities to be dropped
## @param applicationSet.containerSecurityContext.readOnlyRootFilesystem Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem ## @param applicationSet.containerSecurityContext.readOnlyRootFilesystem Set Argo CD applicationSet controller containers' Security Context readOnlyRootFilesystem
@@ -937,6 +940,7 @@ applicationSet:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -1395,6 +1399,7 @@ notifications:
## @param notifications.containerSecurityContext.enabled Enabled Argo CD notifications controller containers' Security Context ## @param notifications.containerSecurityContext.enabled Enabled Argo CD notifications controller containers' Security Context
## @param notifications.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param notifications.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param notifications.containerSecurityContext.runAsUser Set Argo CD notifications controller containers' Security Context runAsUser ## @param notifications.containerSecurityContext.runAsUser Set Argo CD notifications controller containers' Security Context runAsUser
## @param notifications.containerSecurityContext.runAsGroup Set Argo CD notifications controller containers' Security Context runAsGroup
## @param notifications.containerSecurityContext.allowPrivilegeEscalation Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation ## @param notifications.containerSecurityContext.allowPrivilegeEscalation Set Argo CD notifications controller containers' Security Context allowPrivilegeEscalation
## @param notifications.containerSecurityContext.capabilities.drop Set Argo CD notifications controller containers' Security Context capabilities to be dropped ## @param notifications.containerSecurityContext.capabilities.drop Set Argo CD notifications controller containers' Security Context capabilities to be dropped
## @param notifications.containerSecurityContext.readOnlyRootFilesystem Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem ## @param notifications.containerSecurityContext.readOnlyRootFilesystem Set Argo CD notifications controller containers' Security Context readOnlyRootFilesystem
@@ -1406,6 +1411,7 @@ notifications:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -1827,6 +1833,7 @@ notifications:
## @param notifications.bots.slack.containerSecurityContext.enabled Enabled Argo CD Slack bot containers' Security Context ## @param notifications.bots.slack.containerSecurityContext.enabled Enabled Argo CD Slack bot containers' Security Context
## @param notifications.bots.slack.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param notifications.bots.slack.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param notifications.bots.slack.containerSecurityContext.runAsUser Set Argo CD Slack bot containers' Security Context runAsUser ## @param notifications.bots.slack.containerSecurityContext.runAsUser Set Argo CD Slack bot containers' Security Context runAsUser
## @param notifications.bots.slack.containerSecurityContext.runAsGroup Set Argo CD Slack bot containers' Security Context runAsGroup
## @param notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation ## @param notifications.bots.slack.containerSecurityContext.allowPrivilegeEscalation Set Argo CD Slack bot containers' Security Context allowPrivilegeEscalation
## @param notifications.bots.slack.containerSecurityContext.capabilities.drop Set Argo CD Slack bot containers' Security Context capabilities to be dropped ## @param notifications.bots.slack.containerSecurityContext.capabilities.drop Set Argo CD Slack bot containers' Security Context capabilities to be dropped
## @param notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem ## @param notifications.bots.slack.containerSecurityContext.readOnlyRootFilesystem Set Argo CD Slack bot containers' Security Context readOnlyRootFilesystem
@@ -1838,6 +1845,7 @@ notifications:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -2004,6 +2012,7 @@ server:
## @param server.containerSecurityContext.enabled Enabled Argo CD server containers' Security Context ## @param server.containerSecurityContext.enabled Enabled Argo CD server containers' Security Context
## @param server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param server.containerSecurityContext.runAsUser Set Argo CD server containers' Security Context runAsUser ## @param server.containerSecurityContext.runAsUser Set Argo CD server containers' Security Context runAsUser
## @param server.containerSecurityContext.runAsGroup Set Argo CD server containers' Security Context runAsGroup
## @param server.containerSecurityContext.allowPrivilegeEscalation Set Argo CD server containers' Security Context allowPrivilegeEscalation ## @param server.containerSecurityContext.allowPrivilegeEscalation Set Argo CD server containers' Security Context allowPrivilegeEscalation
## @param server.containerSecurityContext.capabilities.drop Set Argo CD containers' server Security Context capabilities to be dropped ## @param server.containerSecurityContext.capabilities.drop Set Argo CD containers' server Security Context capabilities to be dropped
## @param server.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' server Security Context readOnlyRootFilesystem ## @param server.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' server Security Context readOnlyRootFilesystem
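Review bot: the context lines for `server.containerSecurityContext.capabilities.drop` and `server.containerSecurityContext.readOnlyRootFilesystem` read "Set Argo CD containers' server Security Context ...", which is a misplaced word ("containers' server"); the new `runAsGroup` line uses the correct "Argo CD server containers' Security Context" form. Since this hunk touches the block, fix the two neighbouring descriptions to match, otherwise the generated README shows three different phrasings for one component.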
@@ -2015,6 +2024,7 @@ server:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -2798,6 +2808,7 @@ repoServer:
## @param repoServer.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context ## @param repoServer.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context
## @param repoServer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param repoServer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param repoServer.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser ## @param repoServer.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser
## @param repoServer.containerSecurityContext.runAsGroup Set Argo CD repo server containers' Security Context runAsGroup
## @param repoServer.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation ## @param repoServer.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation
## @param repoServer.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped ## @param repoServer.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped
## @param repoServer.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem ## @param repoServer.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem
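Review bot: same wording slip as the server block: the `repoServer.containerSecurityContext.capabilities.drop` and `repoServer.containerSecurityContext.readOnlyRootFilesystem` descriptions say "Argo CD containers' repo server Security Context" while the new `runAsGroup` line correctly says "Argo CD repo server containers' Security Context". Align the two context lines with the new one while the block is being edited.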
@@ -2809,6 +2820,7 @@ repoServer:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
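Review bot: the repo server is the component that runs external tooling (git, helm, kustomize) on untrusted repository content, so it is the container where `readOnlyRootFilesystem: true` buys the most, and also the one that needs writable scratch space for those tools. Before defaulting it to `true` here, confirm the templates mount an emptyDir for every path the tools write to; if that work is not in this change, keep `false` but note in the parameter description that enabling it requires those writable mounts. The `runAsGroup: 0` question raised for the notifications controller applies here as well.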
@@ -3330,6 +3342,7 @@ dex:
## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context ## @param dex.containerSecurityContext.enabled Enabled Dex containers' Security Context
## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param dex.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser ## @param dex.containerSecurityContext.runAsUser Set Dex containers' Security Context runAsUser
## @param dex.containerSecurityContext.runAsGroup Set Dex containers' Security Context runAsGroup
## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation ## @param dex.containerSecurityContext.allowPrivilegeEscalation Set Dex containers' Security Context allowPrivilegeEscalation
## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem ## @param dex.containerSecurityContext.readOnlyRootFilesystem Set Dex containers' server Security Context readOnlyRootFilesystem
## @param dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot ## @param dex.containerSecurityContext.runAsNonRoot Set Dex containers' Security Context runAsNonRoot
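Review bot: the context line for `dex.containerSecurityContext.readOnlyRootFilesystem` reads "Set Dex containers' server Security Context readOnlyRootFilesystem"; the stray "server" is a copy-paste leftover from the Argo CD server block and should be "Set Dex containers' Security Context readOnlyRootFilesystem" to match the new `runAsGroup` line above it.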
@@ -3341,6 +3354,7 @@ dex:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@@ -4043,6 +4057,7 @@ redisWait:
## @param redisWait.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context ## @param redisWait.containerSecurityContext.enabled Enabled Argo CD repo server containers' Security Context
## @param redisWait.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param redisWait.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param redisWait.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser ## @param redisWait.containerSecurityContext.runAsUser Set Argo CD repo server containers' Security Context runAsUser
## @param redisWait.containerSecurityContext.runAsGroup Set Argo CD repo server containers' Security Context runAsGroup
## @param redisWait.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation ## @param redisWait.containerSecurityContext.allowPrivilegeEscalation Set Argo CD repo server containers' Security Context allowPrivilegeEscalation
## @param redisWait.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped ## @param redisWait.containerSecurityContext.capabilities.drop Set Argo CD containers' repo server Security Context capabilities to be dropped
## @param redisWait.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem ## @param redisWait.containerSecurityContext.readOnlyRootFilesystem Set Argo CD containers' repo server Security Context readOnlyRootFilesystem
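Review bot: the new `redisWait.containerSecurityContext.runAsGroup` description says "Set Argo CD repo server containers' Security Context runAsGroup", which names the wrong component: this is the `redisWait` block, not `repoServer`. The surrounding context lines (`enabled`, `runAsUser`, `allowPrivilegeEscalation`, `capabilities.drop`, `readOnlyRootFilesystem`) carry the same copy-paste error, so the generated README will document six Redis-wait parameters as repo server settings. Suggest "Set Argo CD Redis wait containers' Security Context runAsGroup" for the new line and the same substitution for its neighbours.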
@@ -4054,6 +4069,7 @@ redisWait:
enabled: true enabled: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true runAsNonRoot: true
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
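Review bot: `redisWait` is the helper that only waits for Redis to become reachable (assumption from the name; nothing in this hunk shows what it executes), so it has no obvious need to write to its root filesystem or to belong to the root group. It is the lowest-risk place in this file to default `readOnlyRootFilesystem: true` and a non-zero `runAsGroup`; leaving both at the permissive values (`false` and `0`) for a container that does so little is worth justifying with a comment if it is intentional.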