[bitnami/magento] feat!: 🔒 💥 Improve security defaults (#24822)

* [bitnami/magento] Update MariaDB to branch 11.3

Signed-off-by: David Gomez <[email protected]>

* [bitnami/magento] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* docs: 📝 Improve MariaDB update notes

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* fix: 🐛 Use .containerPort in networkPolicy

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* fix: 🔧 Add missing resource preset

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <[email protected]>

* chore: ⬆️ Bump elasticsearch subchart

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* fix: 🔒 Do not share same readiness/liveness probe

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* chore: 🔧 Bump instance size

Signed-off-by: Javier Salmeron Garcia <[email protected]>

* test: ✅ Increase timeout

Signed-off-by: Javier Salmeron Garcia <[email protected]>

---------

Signed-off-by: David Gomez <[email protected]>
Signed-off-by: Javier Salmeron Garcia <[email protected]>
Signed-off-by: Javier J. Salmerón-García <[email protected]>
Signed-off-by: Bitnami Containers <[email protected]>
Co-authored-by: Javier Salmeron Garcia <[email protected]>
Co-authored-by: Bitnami Containers <[email protected]>

.vib/magento/cypress/cypress/e2e/magento.cy.js

@@ -19,7 +19,7 @@ it('allows admin to add a product to the store', () => {
   cy.contains('Salable Quantity');
   cy.contains('Add Product').click();
   cy.fixture('products').then((product) => {
-    cy.get('[name="product[name]"]').type(
+    cy.get('[name="product[name]"]', {timeout: 60000}).type(
       `${product.newProduct.productName}.${random}`
     );
     cy.get('[name="product[price]"]').type(product.newProduct.price);
@@ -30,7 +30,7 @@ it('allows admin to add a product to the store', () => {
   });
   cy.get('.product-image').should('be.visible');
   cy.get('#save-button').click();
-  cy.get('#menu-magento-catalog-catalog').click();
+  cy.get('#menu-magento-catalog-catalog', {timeout: 60000}).click();
   cy.contains('Products').click();
   cy.fixture('products').then((product) => {
     cy.contains(`${product.newProduct.productName}.${random}`);

.vib/magento/vib-action.config

@@ -0,0 +1 @@
+verification-mode=SERIAL

bitnami/magento/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: mariadb
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.2.3
+  version: 18.0.1
 - name: elasticsearch
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.19.3
+  version: 20.0.2
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.18.0
-digest: sha256:a03226f45b598fca0e40f8804aa3fe287ff7ec4fc7100195b467535bbe180163
-generated: "2024-03-05T14:34:42.174163373+01:00"
+  version: 2.19.1
+digest: sha256:df139ceb0fa0567a601c5294902f7b1629cdbc3641ea23bee88479b2dacaa049
+generated: "2024-04-04T13:14:38.519751044+02:00"

bitnami/magento/Chart.yaml

@@ -23,11 +23,11 @@ dependencies:
   repository: oci://registry-1.docker.io/bitnamicharts
   tags:
   - magento-database
-  version: 15.x.x
+  version: 18.x.x
 - condition: elasticsearch.enabled
   name: elasticsearch
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.x.x
+  version: 20.x.x
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   tags:
@@ -48,4 +48,4 @@ maintainers:
 name: magento
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/magento
-version: 25.5.0
+version: 26.0.0

bitnami/magento/templates/_helpers.tpl

@@ -37,6 +37,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name "elasticsearch" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Return Elasticsearch port
+*/}}
+{{- define "magento.elasticsearch.port" -}}
+{{- if .Values.elasticsearch.enabled -}}
+    {{- print .Values.elasticsearch.service.ports.restAPI -}}
+{{- else -}}
+    {{- print .Values.externalElasticsearch.port -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get the user defined LoadBalancerIP for this release.
 Note, returns 127.0.0.1 if using ClusterIP.

bitnami/magento/templates/deployment.yaml

@@ -148,13 +148,7 @@ spec:
               value: ""
               {{- end }}
             - name: ELASTICSEARCH_PORT_NUMBER
-              {{- if .Values.elasticsearch.enabled }}
-              value: "9200"
-              {{- else if .Values.externalElasticsearch.port }}
-              value: {{ .Values.externalElasticsearch.port | quote }}
-              {{- else }}
-              value: ""
-              {{- end }}
+              value: {{ include "magento.elasticsearch.port" . | quote }}
             - name: MAGENTO_SKIP_BOOTSTRAP
               value: {{ ternary "yes" "no" .Values.magentoSkipInstall | quote }}
             {{- $port:=.Values.service.ports.http | toString }}
@@ -224,12 +218,8 @@ spec:
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
           {{- else if .Values.livenessProbe.enabled }}
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
-            httpGet:
-              path: /index.php
+            tcpSocket:
               port: http
-              httpHeaders:
-                - name: Host
-                  value: {{ include "magento.host" . | quote }}
           {{- end }}
           {{- if .Values.customReadinessProbe }}
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}

bitnami/magento/templates/networkpolicy.yaml

@@ -0,0 +1,90 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow outbound connections to MariaDB
+    - ports:
+        - port: {{ include "magento.databasePort" . }}
+      {{- if .Values.mariadb.enabled }}
+      to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: mariadb
+              app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- end }}
+    # Allow outbound connections to Elasticsearch
+    - ports:
+        - port: {{ include "magento.elasticsearch.port" . | int }}
+      {{- if .Values.elasticsearch.enabled }}
+      to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: elasticsearch
+              app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- end }}
+    {{- if .Values.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    - ports:
+        - port: {{ .Values.containerPorts.http }}
+        - port: {{ .Values.containerPorts.https }}
+        {{- range .Values.extraContainerPorts }}
+        - port: {{ .containerPort }}
+        {{- end }}
+      {{- if not .Values.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+        - podSelector:
+            matchLabels:
+              {{ template "common.names.fullname" . }}-client: "true"
+        {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}