[bitnami/harbor] feat: 🔒 Add automatic adaptation for Openshift restricted-v2 SCC (#24093)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-06 10:09:03 +01:00
committed by GitHub
parent c21a5db68d
commit e9052a282b
11 changed files with 39 additions and 29 deletions


@@ -1,12 +1,12 @@
dependencies:
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.17.0
version: 18.17.1
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 14.2.3
version: 14.2.4
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.16.1
digest: sha256:6dd58522e0a8be40f46332bf520b35b66c224723c8e7ddf36f33f9910988e822
generated: "2024-03-04T10:39:13.292757+01:00"
version: 2.18.0
digest: sha256:f72194e2692d6530057c1a04ec1f0cbb0521e764b9d9b400622ca94fe5697841
generated: "2024-03-05T14:08:30.32103962+01:00"


@@ -55,4 +55,4 @@ maintainers:
name: harbor
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/harbor
version: 20.0.0
version: 20.1.0


@@ -63,11 +63,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
### Global parameters
| Name | Description | Value |
| ------------------------- | ----------------------------------------------- | ----- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
### Common Parameters


@@ -73,7 +73,7 @@ spec:
serviceAccountName: {{ .Values.core.serviceAccountName }}
{{- end }}
{{- if .Values.core.podSecurityContext.enabled }}
securityContext: {{- omit .Values.core.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.core.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.core.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.core.initContainers "context" $) | nindent 8 }}
@@ -83,7 +83,7 @@ spec:
image: {{ include "harbor.core.image" . }}
imagePullPolicy: {{ .Values.core.image.pullPolicy | quote }}
{{- if .Values.core.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.core.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.core.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}


@@ -71,7 +71,7 @@ spec:
serviceAccountName: {{ .Values.exporter.serviceAccountName }}
{{- end }}
{{- if .Values.exporter.podSecurityContext.enabled }}
securityContext: {{- omit .Values.exporter.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.exporter.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.exporter.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.exporter.initContainers "context" $) | nindent 8 }}
@@ -81,7 +81,7 @@ spec:
image: {{ include "harbor.exporter.image" . }}
imagePullPolicy: {{ .Values.exporter.image.pullPolicy | quote }}
{{- if .Values.exporter.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.exporter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.exporter.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}


@@ -73,7 +73,7 @@ spec:
serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
{{- end }}
{{- if .Values.jobservice.podSecurityContext.enabled }}
securityContext: {{- omit .Values.jobservice.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.jobservice.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
@@ -89,7 +89,7 @@ spec:
chown {{ .Values.jobservice.containerSecurityContext.runAsUser }}:{{ .Values.jobservice.podSecurityContext.fsGroup }} /var/log/jobs
find /var/log/jobs -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.jobservice.containerSecurityContext.runAsUser }}:{{ .Values.jobservice.podSecurityContext.fsGroup }}
{{- if .Values.volumePermissions.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.volumePermissions.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
@@ -112,7 +112,7 @@ spec:
image: {{ include "harbor.jobservice.image" . }}
imagePullPolicy: {{ .Values.jobservice.image.pullPolicy | quote }}
{{- if .Values.jobservice.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.jobservice.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.jobservice.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
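Review bot: The volume-permissions init container in the second hunk still runs `chown {{ .Values.jobservice.containerSecurityContext.runAsUser }}:{{ .Values.jobservice.podSecurityContext.fsGroup }} /var/log/jobs` (and the matching `find … | xargs chown -R`) while the pod and container securityContext are now rendered through `common.compatibility.renderSecurityContext`, which per the README strips runAsUser/runAsGroup/fsGroup under `auto`/`force` so the platform assigns its own IDs. When the adaptation is active the log directory is therefore handed to a UID/GID that the jobservice container presumably no longer runs as, and the init container itself (which needs to chown, so likely root) is unlikely to be admitted by restricted-v2 anyway. Suggest either gating the `volumePermissions` branch off when the adaptation is in effect, or, if the helper exposes no "is adapted" predicate, adding a comment above the `{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}` line such as `{{- /* NOTE: volumePermissions chowns to the values-configured runAsUser/fsGroup; with global.compatibility.openshift.adaptSecurityContext=auto|force those IDs are not what the pod runs as — keep volumePermissions disabled there */ -}}`. The Deployment spec continues outside the hunk.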


@@ -74,7 +74,7 @@ spec:
serviceAccountName: {{ .Values.nginx.serviceAccountName }}
{{- end }}
{{- if .Values.nginx.podSecurityContext.enabled }}
securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.nginx.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nginx.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.nginx.initContainers "context" $) | nindent 8 }}
@@ -84,7 +84,7 @@ spec:
image: {{ include "harbor.nginx.image" . }}
imagePullPolicy: {{ .Values.nginx.image.pullPolicy | quote }}
{{- if .Values.nginx.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.nginx.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}


@@ -68,7 +68,7 @@ spec:
serviceAccountName: {{ .Values.portal.serviceAccountName }}
{{- end }}
{{- if .Values.portal.podSecurityContext.enabled }}
securityContext: {{- omit .Values.portal.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.portal.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.portal.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.portal.initContainers "context" $) | nindent 8 }}
@@ -78,7 +78,7 @@ spec:
image: {{ include "harbor.portal.image" . }}
imagePullPolicy: {{ .Values.portal.image.pullPolicy | quote }}
{{- if .Values.portal.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.portal.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.portal.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}


@@ -72,7 +72,7 @@ spec:
serviceAccountName: {{ .Values.registry.serviceAccountName }}
{{- end }}
{{- if .Values.registry.podSecurityContext.enabled }}
securityContext: {{- omit .Values.registry.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.registry.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
@@ -87,7 +87,7 @@ spec:
mkdir -p {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
find {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.registry.server.containerSecurityContext.runAsUser }}:{{ .Values.registry.podSecurityContext.fsGroup }}
{{- if .Values.volumePermissions.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.volumePermissions.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
@@ -110,7 +110,7 @@ spec:
image: {{ include "harbor.registry.server.image" . }}
imagePullPolicy: {{ .Values.registry.server.image.pullPolicy | quote }}
{{- if .Values.registry.server.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.registry.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.registry.server.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -246,7 +246,7 @@ spec:
image: {{ include "harbor.registry.controller.image" . }}
imagePullPolicy: {{ .Values.registry.controller.image.pullPolicy | quote }}
{{- if .Values.registry.controller.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.registry.controller.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.registry.controller.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
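Review bot: The registry volume-permissions init container in the second hunk keeps `xargs -r chown -R {{ .Values.registry.server.containerSecurityContext.runAsUser }}:{{ .Values.registry.podSecurityContext.fsGroup }}` over the image/chart storage root, but those two values are exactly what `common.compatibility.renderSecurityContext` removes from the rendered securityContext under `auto`/`force` (per the README text in this commit). On an adapted OpenShift deployment the storage would be chowned to a UID/GID that, as far as this template shows, no longer matches the registry server's effective IDs, so pushes can fail on permission errors in a way that is hard to trace back to this switch. A one-line template comment above the `{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}` guard — `{{- /* volumePermissions assumes fixed runAsUser/fsGroup; incompatible with adaptSecurityContext=auto|force */ -}}` — or a conditional that skips the init container when `.Values.global.compatibility.openshift.adaptSecurityContext` is `force` would make the mismatch explicit. The registry Deployment continues past the end of this hunk.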


@@ -70,7 +70,7 @@ spec:
serviceAccountName: {{ .Values.trivy.serviceAccountName }}
{{- end }}
{{- if .Values.trivy.podSecurityContext.enabled }}
securityContext: {{- omit .Values.trivy.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.trivy.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
@@ -85,7 +85,7 @@ spec:
mkdir -p {{ .Values.trivy.cacheDir }} {{ .Values.trivy.cacheDir }}/trivy {{ .Values.trivy.cacheDir }}/reports
find {{ .Values.trivy.cacheDir }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.trivy.containerSecurityContext.runAsUser }}:{{ .Values.trivy.podSecurityContext.fsGroup }}
{{- if .Values.volumePermissions.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.volumePermissions.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
@@ -107,7 +107,7 @@ spec:
image: {{ include "harbor.trivy.image" . }}
imagePullPolicy: {{ .Values.trivy.image.pullPolicy | quote }}
{{- if .Values.trivy.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.trivy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.trivy.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
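Review bot: Same concern as the other volume-permissions init containers: `chown -R {{ .Values.trivy.containerSecurityContext.runAsUser }}:{{ .Values.trivy.podSecurityContext.fsGroup }}` over `{{ .Values.trivy.cacheDir }}` still consumes the values-configured IDs, while the securityContext lines in this hunk now go through `common.compatibility.renderSecurityContext`, which the README says drops runAsUser/runAsGroup/fsGroup when the OpenShift adaptation applies. The Trivy cache and reports directories may thus be owned by an ID the scanner does not run as, which presumably surfaces as scan failures rather than an obvious configuration error. Consider documenting the constraint next to the `volumePermissions` guard — `{{- /* chown target IDs come from values; not applicable when adaptSecurityContext is auto|force */ -}}` — or guarding the branch on `.Values.global.compatibility.openshift.adaptSecurityContext`. The enclosing StatefulSet spec extends beyond the hunk.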


@@ -19,6 +19,15 @@ global:
##
imagePullSecrets: []
storageClass: ""
## Compatibility adaptations for Kubernetes platforms
##
compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
## @section Common Parameters
##
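Review bot: The new `adaptSecurityContext` comment does not say that with `auto` or `force` the `runAsUser`/`runAsGroup`/`fsGroup` values configured in the per-component `podSecurityContext`/`containerSecurityContext` sections of this file are dropped from the rendered manifests, even though other templates in this chart (the volumePermissions init containers' `chown` commands) keep reading those same values, so an operator cannot tell from values.yaml alone that the two now disagree. `auto` also makes the rendered output depend on the cluster Helm is talking to, so a `helm template` run in a CI policy gate may not match what `helm install` applies; that is worth one sentence so reviewers know to render against the target. Suggested addition directly under the `@param` line: `## NOTE: with auto/force the runAsUser/runAsGroup/fsGroup set in *.podSecurityContext / *.containerSecurityContext below are not rendered; volumePermissions still uses them. With auto, 'helm template' output may differ from a live install.` If the common helper does not validate the value, a typo such as `Auto` presumably falls through to no adaptation, so a values.schema.json enum for this key would be a cheap guard.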