diff --git a/bitnami/kubeapps/Chart.lock b/bitnami/kubeapps/Chart.lock
index 47e3e91fab74eb..53671f88864653 100644
--- a/bitnami/kubeapps/Chart.lock
+++ b/bitnami/kubeapps/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.19.2
+  version: 19.0.2
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.4.6
+  version: 15.2.1
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.19.0
-digest: sha256:b4965a22517e61212e78abb8d1cbe86e800c8664b3139e2047f4bd62b3e55b24
-generated: "2024-03-13T11:51:34.216594+01:00"
+  version: 2.19.1
+digest: sha256:d64105d1430715a1fb7d70d0374d41d3e89060a673e97ed9eb8d6e2737826f2e
+generated: "2024-04-02T12:29:24.392238637+02:00"
diff --git a/bitnami/kubeapps/Chart.yaml b/bitnami/kubeapps/Chart.yaml
index 061c0582f8270d..136f4b7b85ec2a 100644
--- a/bitnami/kubeapps/Chart.yaml
+++ b/bitnami/kubeapps/Chart.yaml
@@ -27,11 +27,11 @@ dependencies:
   - condition: packaging.flux.enabled
     name: redis
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 18.x.x
+    version: 19.x.x
   - condition: packaging.helm.enabled
     name: postgresql
     repository: oci://registry-1.docker.io/bitnamicharts
-    version: 13.x.x
+    version: 15.x.x
   - name: common
     repository: oci://registry-1.docker.io/bitnamicharts
     tags:
@@ -52,4 +52,4 @@ maintainers:
 name: kubeapps
 sources:
   - https://github.com/bitnami/charts/tree/main/bitnami/kubeapps
-version: 14.7.2
+version: 15.0.0
\ No newline at end of file
diff --git a/bitnami/kubeapps/README.md b/bitnami/kubeapps/README.md
index db201ea394e54b..337d7171b651d8 100644
--- a/bitnami/kubeapps/README.md
+++ b/bitnami/kubeapps/README.md
@@ -141,12 +141,12 @@ In the first two cases, it is needed a certificate and a key. We would expect th ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -205,11 +205,8 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `frontend.largeClientHeaderBuffers` | Set large_client_header_buffers in NGINX config | `4 32k` |
 | `frontend.replicaCount` | Number of frontend replicas to deploy | `2` |
 | `frontend.updateStrategy.type` | Frontend deployment strategy type. | `RollingUpdate` |
-| `frontend.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). | `none` |
-| `frontend.resources.limits.cpu` | The CPU limits for the NGINX container | `250m` |
-| `frontend.resources.limits.memory` | The memory limits for the NGINX container | `128Mi` |
-| `frontend.resources.requests.cpu` | The requested CPU for the NGINX container | `25m` |
-| `frontend.resources.requests.memory` | The requested memory for the NGINX container | `32Mi` |
+| `frontend.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). | `micro` |
+| `frontend.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `frontend.extraEnvVars` | Array with extra environment variables to add to the NGINX container | `[]` |
 | `frontend.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the NGINX container | `""` |
 | `frontend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the NGINX container | `""` |
@@ -222,10 +219,10 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `frontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `frontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `frontend.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `frontend.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `frontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `frontend.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `frontend.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `frontend.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `frontend.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `frontend.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `frontend.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -283,6 +280,14 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `frontend.service.annotations` | Additional custom annotations for frontend service | `{}` |
 | `frontend.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
 | `frontend.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `frontend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `frontend.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `frontend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `frontend.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `frontend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `frontend.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `frontend.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `frontend.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 
 ### Dashboard parameters
 
@@ -309,11 +314,8 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `dashboard.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the Dashboard container | `""` |
 | `dashboard.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the Dashboard container | `""` |
 | `dashboard.containerPorts.http` | Dashboard HTTP container port | `8080` |
-| `dashboard.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). | `none` |
-| `dashboard.resources.limits.cpu` | The CPU limits for the Dashboard container | `250m` |
-| `dashboard.resources.limits.memory` | The memory limits for the Dashboard container | `128Mi` |
-| `dashboard.resources.requests.cpu` | The requested CPU for the Dashboard container | `25m` |
-| `dashboard.resources.requests.memory` | The requested memory for the Dashboard container | `32Mi` |
+| `dashboard.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). | `micro` |
+| `dashboard.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `dashboard.podSecurityContext.enabled` | Enabled Dashboard pods' Security Context | `true` |
 | `dashboard.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
 | `dashboard.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@@ -322,10 +324,10 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `dashboard.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `dashboard.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `dashboard.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `dashboard.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `dashboard.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `dashboard.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `dashboard.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `dashboard.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `dashboard.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -374,6 +376,14 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `dashboard.initContainers` | Add additional init containers to the Dashboard pods | `[]` |
 | `dashboard.service.ports.http` | Dashboard service HTTP port | `8080` |
 | `dashboard.service.annotations` | Additional custom annotations for Dashboard service | `{}` |
+| `dashboard.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `dashboard.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `dashboard.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `dashboard.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `dashboard.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `dashboard.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `dashboard.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `dashboard.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 
 ### AppRepository Controller parameters
 
@@ -402,11 +412,8 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `apprepository.extraFlags` | Additional command line flags for AppRepository Controller | `[]` |
 | `apprepository.replicaCount` | Number of AppRepository Controller replicas to deploy | `1` |
 | `apprepository.updateStrategy.type` | AppRepository Controller deployment strategy type. | `RollingUpdate` |
-| `apprepository.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). | `none` |
-| `apprepository.resources.limits.cpu` | The CPU limits for the AppRepository Controller container | `250m` |
-| `apprepository.resources.limits.memory` | The memory limits for the AppRepository Controller container | `128Mi` |
-| `apprepository.resources.requests.cpu` | The requested CPU for the AppRepository Controller container | `25m` |
-| `apprepository.resources.requests.memory` | The requested memory for the AppRepository Controller container | `32Mi` |
+| `apprepository.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). | `micro` |
+| `apprepository.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `apprepository.podSecurityContext.enabled` | Enabled AppRepository Controller pods' Security Context | `true` |
 | `apprepository.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
 | `apprepository.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@@ -415,10 +422,10 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `apprepository.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `apprepository.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `apprepository.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `apprepository.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `apprepository.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `apprepository.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `apprepository.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `apprepository.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `apprepository.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `apprepository.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `apprepository.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `apprepository.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -447,6 +454,11 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `apprepository.hostAliases` | Custom host aliases for AppRepository Controller pods | `[]` |
 | `apprepository.sidecars` | Add additional sidecar containers to the AppRepository Controller pod(s) | `[]` |
 | `apprepository.initContainers` | Add additional init containers to the AppRepository Controller pod(s) | `[]` |
+| `apprepository.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `apprepository.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `apprepository.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `apprepository.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `apprepository.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `apprepository.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
 | `apprepository.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
 | `apprepository.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
@@ -486,18 +498,15 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `authProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `authProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `authProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `authProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `authProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `authProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `authProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `authProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `authProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `authProxy.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `authProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `authProxy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `authProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). | `none` |
-| `authProxy.resources.limits.cpu` | The CPU limits for the OAuth2 Proxy container | `250m` |
-| `authProxy.resources.limits.memory` | The memory limits for the OAuth2 Proxy container | `128Mi` |
-| `authProxy.resources.requests.cpu` | The requested CPU for the OAuth2 Proxy container | `25m` |
-| `authProxy.resources.requests.memory` | The requested memory for the OAuth2 Proxy container | `32Mi` |
+| `authProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). | `micro` |
+| `authProxy.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 
 ### Pinniped Proxy parameters
 
@@ -526,18 +535,15 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `pinnipedProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `pinnipedProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `pinnipedProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `pinnipedProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `pinnipedProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `pinnipedProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `pinnipedProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `pinnipedProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `pinnipedProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `pinnipedProxy.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `pinnipedProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `pinnipedProxy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `pinnipedProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production). | `none` |
-| `pinnipedProxy.resources.limits.cpu` | The CPU limits for the Pinniped Proxy container | `250m` |
-| `pinnipedProxy.resources.limits.memory` | The memory limits for the Pinniped Proxy container | `128Mi` |
-| `pinnipedProxy.resources.requests.cpu` | The requested CPU for the Pinniped Proxy container | `25m` |
-| `pinnipedProxy.resources.requests.memory` | The requested memory for the Pinniped Proxy container | `32Mi` |
+| `pinnipedProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production). | `micro` |
+| `pinnipedProxy.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `pinnipedProxy.service.ports.pinnipedProxy` | Pinniped Proxy service port | `3333` |
 | `pinnipedProxy.service.annotations` | Additional custom annotations for Pinniped Proxy service | `{}` |
 
@@ -569,10 +575,8 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `postgresql.primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `false` |
 | `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
 | `postgresql.securityContext.enabled` | Enabled PostgreSQL replicas pods' Security Context | `false` |
-| `postgresql.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production). | `none` |
-| `postgresql.resources.limits` | The resources limits for the PostgreSQL container | `{}` |
-| `postgresql.resources.requests.cpu` | The requested CPU for the PostgreSQL container | `250m` |
-| `postgresql.resources.requests.memory` | The requested memory for the PostgreSQL container | `256Mi` |
+| `postgresql.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production). | `micro` |
+| `postgresql.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 
 ### kubeappsapis parameters
 
@@ -607,11 +611,8 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `kubeappsapis.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the KubeappsAPIs container | `""` |
 | `kubeappsapis.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the KubeappsAPIs container | `""` |
 | `kubeappsapis.containerPorts.http` | KubeappsAPIs HTTP container port | `50051` |
-| `kubeappsapis.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production). | `none` |
-| `kubeappsapis.resources.limits.cpu` | The CPU limits for the KubeappsAPIs container | `250m` |
-| `kubeappsapis.resources.limits.memory` | The memory limits for the KubeappsAPIs container | `256Mi` |
-| `kubeappsapis.resources.requests.cpu` | The requested CPU for the KubeappsAPIs container | `25m` |
-| `kubeappsapis.resources.requests.memory` | The requested memory for the KubeappsAPIs container | `32Mi` |
+| `kubeappsapis.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production). | `micro` |
+| `kubeappsapis.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `kubeappsapis.podSecurityContext.enabled` | Enabled KubeappsAPIs pods' Security Context | `true` |
 | `kubeappsapis.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
 | `kubeappsapis.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
@@ -620,10 +621,10 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `kubeappsapis.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `kubeappsapis.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `kubeappsapis.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `kubeappsapis.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `kubeappsapis.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `kubeappsapis.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `kubeappsapis.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `kubeappsapis.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `kubeappsapis.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `kubeappsapis.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `kubeappsapis.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `kubeappsapis.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -672,6 +673,14 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `kubeappsapis.initContainers` | Add additional init containers to the KubeappsAPIs pod(s) | `[]` |
 | `kubeappsapis.service.ports.http` | KubeappsAPIs service HTTP port | `8080` |
 | `kubeappsapis.service.annotations` | Additional custom annotations for KubeappsAPIs service | `{}` |
+| `kubeappsapis.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `kubeappsapis.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `kubeappsapis.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `kubeappsapis.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `kubeappsapis.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `kubeappsapis.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `kubeappsapis.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `kubeappsapis.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
 | `kubeappsapis.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
 | `kubeappsapis.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
 | `kubeappsapis.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
@@ -693,18 +702,15 @@ In the first two cases, it is needed a certificate and a key. We would expect th
 | `ociCatalog.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the OCI Catalog container | `""` |
 | `ociCatalog.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the OCI Catalog container | `""` |
 | `ociCatalog.containerPorts.grpc` | OCI Catalog gRPC container port | `50061` |
-| `ociCatalog.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). | `none` |
-| `ociCatalog.resources.limits.cpu` | The CPU limits for the OCI Catalog container | `250m` |
-| `ociCatalog.resources.limits.memory` | The memory limits for the OCI Catalog container | `256Mi` |
-| `ociCatalog.resources.requests.cpu` | The requested CPU for the OCI Catalog container | `25m` |
-| `ociCatalog.resources.requests.memory` | The requested memory for the OCI Catalog container | `32Mi` |
+| `ociCatalog.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). | `micro` |
+| `ociCatalog.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `ociCatalog.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `ociCatalog.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `ociCatalog.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `ociCatalog.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `ociCatalog.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `ociCatalog.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `ociCatalog.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `ociCatalog.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `ociCatalog.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `ociCatalog.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `ociCatalog.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `ociCatalog.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -737,19 +743,21 @@ In the first two cases, it is needed a certificate and a key. We would expect th ### Redis® chart configuration -| Name | Description | Value | -| ----------------------------------- | ---------------------------------------------------------------- | -------------------------------------------------------- | -| `redis.auth.enabled` | Enable password authentication | `true` | -| `redis.auth.password` | Redis® password | `""` | -| `redis.auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | -| `redis.architecture` | Redis(R) architecture (`standalone` or `replication`) | `standalone` | -| `redis.master.extraFlags` | Array with additional command line flags for Redis® master | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | -| `redis.master.disableCommands` | Array with commands to deactivate on Redis® | `[]` | -| `redis.master.persistence.enabled` | Enable Redis® master data persistence using PVC | `false` | -| `redis.replica.replicaCount` | Number of Redis® replicas to deploy | `1` | -| `redis.replica.extraFlags` | Array with additional command line flags for Redis® replicas | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | -| `redis.replica.disableCommands` | Array with commands to deactivate on Redis® | `[]` | -| `redis.replica.persistence.enabled` | Enable Redis® replica data persistence using PVC | `false` | +| Name | Description | Value | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------- | +| `redis.auth.enabled` | Enable password authentication | `true` | +| `redis.auth.password` | Redis® password | `""` | +| `redis.auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | +| 
`redis.architecture` | Redis(R) architecture (`standalone` or `replication`) | `standalone` | +| `redis.master.extraFlags` | Array with additional command line flags for Redis® master | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | +| `redis.master.disableCommands` | Array with commands to deactivate on Redis® | `[]` | +| `redis.master.persistence.enabled` | Enable Redis® master data persistence using PVC | `false` | +| `redis.master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `nano` | +| `redis.master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `redis.replica.replicaCount` | Number of Redis® replicas to deploy | `1` | +| `redis.replica.extraFlags` | Array with additional command line flags for Redis® replicas | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | +| `redis.replica.disableCommands` | Array with commands to deactivate on Redis® | `[]` | +| `redis.replica.persistence.enabled` | Enable Redis® replica data persistence using PVC | `false` | ```console helm install kubeapps --namespace kubeapps \ 
@@ -1010,6 +1018,20 @@ helm upgrade $RELEASE_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps If you find issues upgrading Kubeapps, check the [troubleshooting](#error-while-upgrading-the-chart) section. +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. +- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts`. +- The PostgreSQL subchart was updated to version 15.2.1, with the same security improvements. +- The Redis subchart was updated to version 19.0.2, with the same security improvements. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 14.0.0 This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. diff --git a/bitnami/kubeapps/templates/apprepository/deployment.yaml b/bitnami/kubeapps/templates/apprepository/deployment.yaml index 709d39232b404c..b52a9db70a90aa 100644 --- a/bitnami/kubeapps/templates/apprepository/deployment.yaml +++ b/bitnami/kubeapps/templates/apprepository/deployment.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/apprepository/networkpolicy.yaml b/bitnami/kubeapps/templates/apprepository/networkpolicy.yaml new file mode 100644 index 00000000000000..cdf2d5cb667920 --- /dev/null +++ b/bitnami/kubeapps/templates/apprepository/networkpolicy.yaml 
@@ -0,0 +1,59 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.packaging.helm.enabled .Values.apprepository.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "kubeapps.apprepository.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: apprepository + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.apprepository.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: apprepository + {{- if .Values.apprepository.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.apprepository.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + # Allow connection to PostgreSQL + - ports: + - port: {{ include "kubeapps.postgresql.port" . 
}} + {{- if .Values.postgresql.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.apprepository.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.apprepository.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + {{- if .Values.apprepository.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.apprepository.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/kubeapps/templates/apprepository/rbac.yaml b/bitnami/kubeapps/templates/apprepository/rbac.yaml index b59df30fff7ddd..c2613618035ba4 100644 --- a/bitnami/kubeapps/templates/apprepository/rbac.yaml +++ b/bitnami/kubeapps/templates/apprepository/rbac.yaml @@ -12,7 +12,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} @@ -73,7 +73,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: RoleBinding metadata: name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} 
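Review bot: The restricted-egress branch (`allowExternalEgress` false) permits only DNS, the kube-apiserver ports and PostgreSQL, yet this component's purpose is to sync chart repositories from arbitrary external hosts, so that setting silently breaks repository syncs unless each host is listed under `extraEgress` (and, if the sync jobs it spawns carry the same `app.kubernetes.io/component: apprepository` label, they are subject to the same policy). A comment above the PostgreSQL rule such as `# Repository hosts must be listed in extraEgress when external egress is disabled` would save operators a debugging round. The PostgreSQL target is matched by the literal `app.kubernetes.io/name: postgresql` label, which presumably stops matching if the subchart's name is overridden; worth noting in a comment or deriving from values. Finally, `ingress:` renders with no rules when `extraIngress` is empty and, with `Ingress` in `policyTypes`, that is a deny-all — a one-line `# No inbound traffic is required by default` would make the intent explicit.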
@@ -112,7 +112,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ printf "%s-repositories-read" .Release.Name }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} @@ -132,7 +132,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ printf "%s-repositories-write" .Release.Name }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} diff --git a/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml b/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml index 00d563529bbfd4..c3dd90a1d5df0c 100644 --- a/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml +++ b/bitnami/kubeapps/templates/apprepository/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kubeapps.apprepository.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} 
diff --git a/bitnami/kubeapps/templates/dashboard/configmap.yaml b/bitnami/kubeapps/templates/dashboard/configmap.yaml index af217e5660d012..2a4bf2152e811c 100644 --- a/bitnami/kubeapps/templates/dashboard/configmap.yaml +++ b/bitnami/kubeapps/templates/dashboard/configmap.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.dashboard-config.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/dashboard/deployment.yaml b/bitnami/kubeapps/templates/dashboard/deployment.yaml index f01cad0516cbcd..069b526333cf90 100644 --- a/bitnami/kubeapps/templates/dashboard/deployment.yaml +++ b/bitnami/kubeapps/templates/dashboard/deployment.yaml @@ -3,12 +3,12 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.dashboard.enabled -}} +{{- if .Values.dashboard.enabled }} apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "kubeapps.dashboard.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} 
diff --git a/bitnami/kubeapps/templates/dashboard/networkpolicy.yaml b/bitnami/kubeapps/templates/dashboard/networkpolicy.yaml new file mode 100644 index 00000000000000..52181ec15a2fff --- /dev/null +++ b/bitnami/kubeapps/templates/dashboard/networkpolicy.yaml 
@@ -0,0 +1,71 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.dashboard.enabled .Values.dashboard.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "kubeapps.dashboard.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dashboard + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dashboard.podLabels .Values.commonLabels $versionLabel ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dashboard + {{- if .Values.dashboard.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.dashboard.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.dashboard.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dashboard.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.dashboard.containerPorts.http }} + {{- if not .Values.dashboard.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.dashboard.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.dashboard.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.dashboard.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.dashboard.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.dashboard.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dashboard.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/kubeapps/templates/dashboard/service.yaml b/bitnami/kubeapps/templates/dashboard/service.yaml index 0f9da93ba28ef1..4fbd19679b1373 100644 --- a/bitnami/kubeapps/templates/dashboard/service.yaml 
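Review bot: `$podLabels` here merges `$versionLabel` into the podSelector inputs (`list .Values.dashboard.podLabels .Values.commonLabels $versionLabel`), whereas the apprepository policy earlier in this diff merges only `podLabels` and `commonLabels`; the frontend and kubeappsapis policies follow the dashboard form. Since `common.labels.matchLabels` only emits the name/instance keys, the version label is presumably dropped either way, but the four new policies should use one form so a later reader does not wonder whether the selector is meant to pin a version. Dropping `$versionLabel` from the list, as the apprepository policy does, is the safer of the two, because a selector that ever did include the version would stop matching pods across an upgrade.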
+++ b/bitnami/kubeapps/templates/dashboard/service.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubeapps.dashboard.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/frontend/configmap.yaml b/bitnami/kubeapps/templates/frontend/configmap.yaml index 44c10132b5291d..d43f521cd632b0 100644 --- a/bitnami/kubeapps/templates/frontend/configmap.yaml +++ b/bitnami/kubeapps/templates/frontend/configmap.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.frontend-config.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/frontend/deployment.yaml b/bitnami/kubeapps/templates/frontend/deployment.yaml index 7ccec372bbd6b6..f6e78fe3e6fbba 100644 --- a/bitnami/kubeapps/templates/frontend/deployment.yaml +++ b/bitnami/kubeapps/templates/frontend/deployment.yaml 
@@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/frontend/networkpolicy.yaml b/bitnami/kubeapps/templates/frontend/networkpolicy.yaml new file mode 100644 index 00000000000000..0c764ad808f92f --- /dev/null +++ b/bitnami/kubeapps/templates/frontend/networkpolicy.yaml 
@@ -0,0 +1,77 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.frontend.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.frontend.podLabels .Values.commonLabels $versionLabel ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: frontend + {{- if .Values.frontend.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.frontend.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.frontend.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.frontend.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.frontend.containerPorts.http }} + {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }} + - port: {{ .Values.authProxy.containerPorts.proxy }} + {{- end }} + {{- if .Values.pinnipedProxy.enabled }} + - port: {{ .Values.pinnipedProxy.containerPorts.pinnipedProxy }} + {{- end }} + {{- if not .Values.frontend.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.frontend.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.frontend.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.frontend.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.frontend.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.frontend.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.frontend.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- 
end }} diff --git a/bitnami/kubeapps/templates/frontend/oauth2-secret.yaml b/bitnami/kubeapps/templates/frontend/oauth2-secret.yaml index 6db0517e410d03..6de6e8eb66ae79 100644 --- a/bitnami/kubeapps/templates/frontend/oauth2-secret.yaml +++ b/bitnami/kubeapps/templates/frontend/oauth2-secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/frontend/service.yaml b/bitnami/kubeapps/templates/frontend/service.yaml index 13ce55b1bc31d1..f44948206a2c4a 100644 --- a/bitnami/kubeapps/templates/frontend/service.yaml +++ b/bitnami/kubeapps/templates/frontend/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} 
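Review bot: The restricted-egress branch (`allowExternalEgress` false) contains no rule for the in-release backends the frontend proxies to — the dashboard policy in this diff only admits inbound traffic from release pods, which presumably is this frontend, and the same applies to kubeappsapis — so setting that value cuts nginx off from its upstreams, unlike the apprepository policy, which adds an explicit PostgreSQL egress rule. An egress entry to release pods on `.Values.dashboard.containerPorts.http` and `.Values.kubeappsapis.containerPorts.http` would keep the restricted mode usable; the sketch below mirrors the `from:` selector already used in the ingress rule. The authProxy sidecar, when enabled, also needs egress to its identity provider, which can only be satisfied through `extraEgress` in this mode — a comment above `{{- else }}` saying so would help.
```yaml
  egress:
    # … unchanged: DNS and kube-apiserver rules …
    # Allow connections to the in-release backends proxied by the frontend
    - ports:
        - port: {{ .Values.dashboard.containerPorts.http }}
        - port: {{ .Values.kubeappsapis.containerPorts.http }}
      to:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
    # … unchanged: extraEgress …
```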
@@ -64,7 +64,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubeapps.pinniped-proxy.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: frontend {{- if or .Values.pinnipedProxy.service.annotations .Values.commonAnnotations }} diff --git a/bitnami/kubeapps/templates/ingress-api.yaml b/bitnami/kubeapps/templates/ingress-api.yaml index 54d02156268d05..0fa224942b9691 100644 --- a/bitnami/kubeapps/templates/ingress-api.yaml +++ b/bitnami/kubeapps/templates/ingress-api.yaml @@ -15,7 +15,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }}-http-api - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.ingress.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} 
@@ -75,7 +75,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.featureFlags.apiOnly.grpc.annotations .Values.ingress.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.featureFlags.apiOnly.grpc.annotations .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/bitnami/kubeapps/templates/ingress.yaml b/bitnami/kubeapps/templates/ingress.yaml index 69f0c86113dd6b..2887b30d8d8930 100644 --- a/bitnami/kubeapps/templates/ingress.yaml +++ b/bitnami/kubeapps/templates/ingress.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.ingress.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/bitnami/kubeapps/templates/kubeappsapis/configmap.yaml b/bitnami/kubeapps/templates/kubeappsapis/configmap.yaml index 2129cc8e0cc77d..bbcd83e384b929 100644 --- a/bitnami/kubeapps/templates/kubeappsapis/configmap.yaml +++ b/bitnami/kubeapps/templates/kubeappsapis/configmap.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-configmap" (include "kubeapps.kubeappsapis.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/kubeappsapis/deployment.yaml b/bitnami/kubeapps/templates/kubeappsapis/deployment.yaml index 21ec7e7fa3279e..61d6e603144d73 100644 --- a/bitnami/kubeapps/templates/kubeappsapis/deployment.yaml +++ b/bitnami/kubeapps/templates/kubeappsapis/deployment.yaml @@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "kubeapps.kubeappsapis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/kubeappsapis/networkpolicy.yaml b/bitnami/kubeapps/templates/kubeappsapis/networkpolicy.yaml new file mode 100644 index 00000000000000..015ecaf2f239b8 --- /dev/null +++ b/bitnami/kubeapps/templates/kubeappsapis/networkpolicy.yaml 
@@ -0,0 +1,74 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.kubeappsapis.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "kubeapps.kubeappsapis.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: kubeappsapis + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.kubeappsapis.podLabels .Values.commonLabels $versionLabel ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: kubeappsapis + {{- if .Values.kubeappsapis.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.kubeappsapis.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.kubeappsapis.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.kubeappsapis.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.kubeappsapis.containerPorts.http }} + {{- if .Values.ociCatalog.enabled }} + - port: {{ .Values.ociCatalog.containerPorts.grpc }} + {{- end }} + {{- if not .Values.kubeappsapis.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.kubeappsapis.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.kubeappsapis.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.kubeappsapis.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.kubeappsapis.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.kubeappsapis.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.kubeappsapis.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} 
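Review bot: The restricted-egress branch here has no rule for the PostgreSQL or Redis subcharts, although the apprepository policy in this same diff adds a PostgreSQL rule and the README hunk above states both subcharts ship with this release; as far as this diff shows, kubeappsapis is the consumer of those datastores, so `allowExternalEgress: false` would leave it unable to reach them. Reusing the apprepository rule (with the `kubeapps.postgresql.port` helper already used there) keeps the two policies consistent; the Redis equivalent needs the subchart port, which this diff does not expose, hence the placeholder below. Like the frontend, this pod also fetches chart indexes and OCI content from external registries, which in restricted mode can only be allowed through `extraEgress` — worth a comment above `{{- else }}`.
```yaml
  egress:
    # … unchanged: DNS and kube-apiserver rules …
    {{- if .Values.packaging.helm.enabled }}
    # Allow connection to PostgreSQL
    - ports:
        - port: {{ include "kubeapps.postgresql.port" . }}
      {{- if .Values.postgresql.enabled }}
      to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgresql
              app.kubernetes.io/instance: {{ .Release.Name }}
      {{- end }}
    {{- end }}
    # TODO(review): add the matching Redis rule (port: <REDIS_PORT placeholder>) for the flux packaging plugin
    # … unchanged: extraEgress …
```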
diff --git a/bitnami/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml b/bitnami/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml index 1632da6f25b919..2b87813af594f1 100644 --- a/bitnami/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml +++ b/bitnami/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml @@ -53,6 +53,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- end }} {{- end }} diff --git a/bitnami/kubeapps/templates/kubeappsapis/service.yaml b/bitnami/kubeapps/templates/kubeappsapis/service.yaml index 85c1a6dcbe9003..a0016f1fe51630 100644 --- a/bitnami/kubeapps/templates/kubeappsapis/service.yaml +++ b/bitnami/kubeapps/templates/kubeappsapis/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubeapps.kubeappsapis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/kubeappsapis/serviceaccount.yaml b/bitnami/kubeapps/templates/kubeappsapis/serviceaccount.yaml index 170724d001a386..8d6645201d0f67 100644 --- a/bitnami/kubeapps/templates/kubeappsapis/serviceaccount.yaml +++ b/bitnami/kubeapps/templates/kubeappsapis/serviceaccount.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/shared/config.yaml b/bitnami/kubeapps/templates/shared/config.yaml index 7f633f1f799616..76b4e09b023257 100644 --- a/bitnami/kubeapps/templates/shared/config.yaml +++ b/bitnami/kubeapps/templates/shared/config.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.clusters-config.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/templates/tls-secrets.yaml b/bitnami/kubeapps/templates/tls-secrets.yaml index 1d3cbe8a3f3554..368cfceb6a852b 100644 --- a/bitnami/kubeapps/templates/tls-secrets.yaml +++ b/bitnami/kubeapps/templates/tls-secrets.yaml 
@@ -30,7 +30,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/bitnami/kubeapps/values.yaml b/bitnami/kubeapps/values.yaml index f35019982b607b..f944c869ccc17d 100644 --- a/bitnami/kubeapps/values.yaml +++ b/bitnami/kubeapps/values.yaml @@ -26,7 +26,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @param kubeVersion Override Kubernetes version 
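Review bot: Flipping the default of `global.compatibility.openshift.adaptSecurityContext` from `disabled` to `auto` changes rendered manifests on OpenShift with no action from the user: per the parameter's own description, the `runAsUser`, `runAsGroup` and `fsGroup` fields that this same patch pins to `1001` elsewhere in `values.yaml` are stripped whenever an OpenShift cluster is detected. That is the right default for restricted-v2 SCCs, but it is a behaviour change that belongs in the chart's upgrade notes, which are not in this chunk. A one-line comment next to the value would make the trade-off visible: `## Set to "disabled" to keep the explicit runAsUser/runAsGroup/fsGroup values on OpenShift clusters.`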
@@ -261,19 +261,18 @@ frontend: ## @param frontend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param frontend.resources.limits.cpu The CPU limits for the NGINX container - ## @param frontend.resources.limits.memory The memory limits for the NGINX container - ## @param frontend.resources.requests.cpu The requested CPU for the NGINX container - ## @param frontend.resources.requests.memory The requested memory for the NGINX container - ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param frontend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @param frontend.extraEnvVars Array with extra environment variables to add to the NGINX container ## e.g: ## extraEnvVars: @@ -322,10 +321,10 @@ frontend: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
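Review bot: `readOnlyRootFilesystem: true` on the frontend container (NGINX, per the surrounding parameter descriptions) only works if the deployment template mounts writable `emptyDir` volumes for the cache, temp and pid paths NGINX writes at startup; those templates are not in this chunk, so please confirm they were updated, otherwise the pod fails with a read-only filesystem error. The same flag is flipped for the dashboard (`@@ -701`), apprepository (`@@ -1076`), authProxy (`@@ -1342`), pinnipedProxy (`@@ -1473`), kubeappsapis (`@@ -1812`) and ociCatalog (`@@ -2090`) containers, and each needs the same check for any path its process writes at runtime. A short comment above the flag would document the dependency: `## Requires the writable emptyDir volumes mounted by the deployment template (e.g. nginx cache/tmp).`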
@@ -537,6 +536,64 @@ frontend: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param frontend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param frontend.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param frontend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param frontend.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param frontend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param frontend.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param frontend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param frontend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to 
match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Dashboard parameters ## Dashboard parameters @@ -657,19 +714,18 @@ dashboard: ## @param dashboard.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param dashboard.resources.limits.cpu The CPU limits for the Dashboard container - ## @param dashboard.resources.limits.memory The memory limits for the Dashboard container - ## @param dashboard.resources.requests.cpu The requested CPU for the Dashboard container - ## @param dashboard.resources.requests.memory The requested memory for the Dashboard container - ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param dashboard.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param dashboard.podSecurityContext.enabled Enabled Dashboard pods' Security Context @@ -701,10 +757,10 @@ dashboard: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
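Review bot: The `extraEgress` description in the new `frontend.networkPolicy` block reads `Add extra ingress rules to the NetworkPolicy`, and the `extraIngress` one says `NetworkPolice`; both are copy-paste slips that propagate into the generated README, so they should read `## @param frontend.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy` and `NetworkPolicy` respectively. The inline examples are also not valid selector syntax — `matchLabels` is a map, not a list — so `- podSelector:` should be followed by `matchLabels:` and `role: frontend` without the nested `-` items. The same text is repeated in the dashboard (`@@ -876`), apprepository (`@@ -1199`) and kubeappsapis (`@@ -1987`) blocks. Since `allowExternal: true` and `allowExternalEgress: true` are the shipped defaults, the created policy admits any source and destination; the comments should state that these two flags are the ones to set to `false` to obtain an actual restriction.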
@@ -876,6 +932,64 @@ dashboard: ## @param dashboard.service.annotations Additional custom annotations for Dashboard service ## annotations: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param dashboard.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param dashboard.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param dashboard.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param dashboard.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param dashboard.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param dashboard.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param dashboard.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param 
dashboard.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section AppRepository Controller parameters ## AppRepository Controller parameters @@ -1032,19 +1146,18 @@ apprepository: ## @param apprepository.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param apprepository.resources.limits.cpu The CPU limits for the AppRepository Controller container - ## @param apprepository.resources.limits.memory The memory limits for the AppRepository Controller container - ## @param apprepository.resources.requests.cpu The requested CPU for the AppRepository Controller container - ## @param apprepository.resources.requests.memory The requested memory for the AppRepository Controller container - ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param apprepository.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param apprepository.podSecurityContext.enabled Enabled AppRepository Controller pods' Security Context 
@@ -1076,10 +1189,10 @@ apprepository: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1199,6 +1312,52 @@ apprepository: ## command: ['sh', '-c', 'echo "hello world"'] ## initContainers: [] + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param apprepository.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param apprepository.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param apprepository.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param apprepository.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param apprepository.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] ## AppRepository Controller Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @param apprepository.serviceAccount.create Specifies whether a ServiceAccount should be created 
@@ -1342,10 +1501,10 @@ authProxy: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1356,19 +1515,18 @@ authProxy: ## @param authProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param authProxy.resources.limits.cpu The CPU limits for the OAuth2 Proxy container - ## @param authProxy.resources.limits.memory The memory limits for the OAuth2 Proxy container - ## @param authProxy.resources.requests.cpu The requested CPU for the OAuth2 Proxy container - ## @param authProxy.resources.requests.memory The requested memory for the OAuth2 Proxy container - ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param authProxy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @section Pinniped Proxy parameters ## Pinniped Proxy configuration for converting user OIDC tokens to k8s client authorization certs @@ -1473,10 +1631,10 @@ pinnipedProxy: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1487,21 +1645,18 @@ pinnipedProxy: ## @param pinnipedProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## Pinniped Proxy containers' resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param pinnipedProxy.resources.limits.cpu The CPU limits for the Pinniped Proxy container - ## @param pinnipedProxy.resources.limits.memory The memory limits for the Pinniped Proxy container - ## @param pinnipedProxy.resources.requests.cpu The requested CPU for the Pinniped Proxy container - ## @param pinnipedProxy.resources.requests.memory The requested memory for the Pinniped Proxy container - ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param pinnipedProxy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Pinniped Proxy service parameters ## service: 
@@ -1612,16 +1767,19 @@ postgresql: ## @param postgresql.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param postgresql.resources.limits The resources limits for the PostgreSQL container - ## @param postgresql.resources.requests.cpu The requested CPU for the PostgreSQL container - ## @param postgresql.resources.requests.memory The requested memory for the PostgreSQL container + resourcesPreset: "micro" + ## @param postgresql.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m + resources: {} ## @section kubeappsapis parameters kubeappsapis: ## @param kubeappsapis.enabledPlugins Manually override which plugins are enabled for the Kubeapps-APIs service 
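Review bot: The added `##` line directly above the existing `##` in the `postgresql.resources` hunk leaves two consecutive empty comment lines, whereas every other `resources` hunk in this patch closes the example with a single `##`; drop the added one so the block matches the others. The rest of the block follows the same `resourcesPreset`/`resources: {}` pattern used for the other components.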
@@ -1768,19 +1926,18 @@ kubeappsapis: ## @param kubeappsapis.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param kubeappsapis.resources.limits.cpu The CPU limits for the KubeappsAPIs container - ## @param kubeappsapis.resources.limits.memory The memory limits for the KubeappsAPIs container - ## @param kubeappsapis.resources.requests.cpu The requested CPU for the KubeappsAPIs container - ## @param kubeappsapis.resources.requests.memory The requested memory for the KubeappsAPIs container - ## - resources: - limits: - cpu: 250m - memory: 256Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param kubeappsapis.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param kubeappsapis.podSecurityContext.enabled Enabled KubeappsAPIs pods' Security Context @@ -1812,10 +1969,10 @@ kubeappsapis: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1987,6 +2144,64 @@ kubeappsapis: ## @param kubeappsapis.service.annotations Additional custom annotations for KubeappsAPIs service ## annotations: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param kubeappsapis.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param kubeappsapis.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param kubeappsapis.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param kubeappsapis.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param kubeappsapis.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param kubeappsapis.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param kubeappsapis.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from 
other namespaces + ## @param kubeappsapis.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## kubeappsapis Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @param kubeappsapis.serviceAccount.create Specifies whether a ServiceAccount should be created @@ -2060,19 +2275,18 @@ ociCatalog: ## @param ociCatalog.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param ociCatalog.resources.limits.cpu The CPU limits for the OCI Catalog container - ## @param ociCatalog.resources.limits.memory The memory limits for the OCI Catalog container - ## @param ociCatalog.resources.requests.cpu The requested CPU for the OCI Catalog container - ## @param ociCatalog.resources.requests.memory The requested memory for the OCI Catalog container - ## - resources: - limits: - cpu: 250m - memory: 256Mi - requests: - cpu: 25m - memory: 32Mi + resourcesPreset: "micro" + ## @param ociCatalog.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param ociCatalog.containerSecurityContext.enabled Enabled containers' Security Context 
@@ -2090,10 +2304,10 @@ ociCatalog: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -2211,6 +2425,23 @@ redis: ## @param redis.master.persistence.enabled Enable Redis® master data persistence using PVC ## enabled: false + ## Redis® master resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param redis.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param redis.master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} replica: ## @param redis.replica.replicaCount Number of Redis® replicas to deploy ##
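Review bot: The new `redis.master.resourcesPreset` description lists the allowed values as `none, nano, small, medium, large, xlarge, 2xlarge`, omitting `micro`, while every other `resourcesPreset` description in this patch includes it, and it says `ignored if master.resources is set`, which should name the full key `redis.master.resources` as the other descriptions do. If the redis subchart accepts `micro` like the other components (not verifiable from this chunk), the line should read `## @param redis.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if redis.master.resources is set (redis.master.resources is recommended for production).`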