[bitnami/nginx] feat!: 🔒 💥 Improve security defaults (#24371)

* [bitnami/nginx] feat!: 🔒 💥 Improve security defaults Signed-off-by: Alejandro Moreno <[email protected]> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <[email protected]> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <[email protected]> * feat: ✨ Add tls support Signed-off-by: Javier Salmeron Garcia <[email protected]> * fix: 🚨 Add missing copyright Signed-off-by: Javier Salmeron Garcia <[email protected]> --------- Signed-off-by: Alejandro Moreno <[email protected]> Signed-off-by: Bitnami Containers <[email protected]> Signed-off-by: Javier J. Salmerón-García <[email protected]> Signed-off-by: Javier Salmeron Garcia <[email protected]> Co-authored-by: Bitnami Containers <[email protected]> Co-authored-by: Javier J. Salmerón-García <[email protected]>
bitnami · Apr 4, 2024 · 66f3026 · 66f3026
1 parent 417df02
commit 66f3026
Show file tree

Hide file tree

Showing 7 changed files with 264 additions and 154 deletions.
diff --git a/.vib/nginx/runtime-parameters.yaml b/.vib/nginx/runtime-parameters.yaml
@@ -12,3 +12,6 @@ service:
   ports:
     http: 80
     https: 444
+tls:
+  enabled: true
+  autoGenerated: true
diff --git a/bitnami/nginx/Chart.yaml b/bitnami/nginx/Chart.yaml
@@ -34,4 +34,4 @@ maintainers:
 name: nginx
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/nginx
-version: 15.14.2
+version: 16.0.0
diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md
diff --git a/bitnami/nginx/templates/deployment.yaml b/bitnami/nginx/templates/deployment.yaml
@@ -252,21 +252,21 @@ spec:
           {{- else if .Values.livenessProbe.enabled }}
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
             tcpSocket:
-              port: {{ ternary "http" "https" (not .Values.containerPorts.https) }}
+              port: {{ ternary "http" "https" .Values.tls.enabled }}
           {{- end }}
           {{- if .Values.customReadinessProbe }}
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
           {{- else if .Values.readinessProbe.enabled }}
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
             tcpSocket:
-              port: {{ ternary "http" "https" (not .Values.containerPorts.https) }}
+              port: {{ ternary "http" "https" .Values.tls.enabled }}
           {{- end }}
           {{- if .Values.customStartupProbe }}
           startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
           {{- else if .Values.startupProbe.enabled }}
           startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
             tcpSocket:
-              port: {{ ternary "http" "https" (not .Values.containerPorts.https) }}
+              port: {{ ternary "http" "https" .Values.tls.enabled }}
           {{- end }}
           {{- end }}
           {{- if .Values.resources }}
@@ -295,6 +295,14 @@ spec:
             - name: staticsite
               mountPath: /app
             {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: certificate
+              mountPath: /certs
+            {{- else }}
+            - name: empty-dir
+              mountPath: /certs
+              subPath: app-tls-dir
+            {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
@@ -342,6 +350,20 @@ spec:
       volumes:
         - name: empty-dir
           emptyDir: {}
+        {{- if .Values.tls.enabled }}
+        - name: certificate
+          secret:
+            {{- if .Values.tls.existingSecret }}
+            secretName: {{ .Values.tls.existingSecret }}
+            {{- else }}
+            secretName: {{ printf "%s-tls" (include "common.names.fullname" .) }}
+            items:
+              - key: tls.crt
+                path: server.crt
+              - key: tls.key
+                path: server.key
+            {{- end }}
+        {{- end }}
         {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }}
         - name: nginx-server-block
           configMap:

diff --git a/bitnami/nginx/templates/tls-secrets.yaml → ...i/nginx/templates/ingress-tls-secret.yaml b/bitnami/nginx/templates/tls-secrets.yaml → ...i/nginx/templates/ingress-tls-secret.yaml
diff --git a/bitnami/nginx/templates/tls-secret.yaml b/bitnami/nginx/templates/tls-secret.yaml
@@ -0,0 +1,35 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) }}
+{{- $ca := genCA "nginx-ca" 365 }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-tls" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  {{- if .Values.tls.autoGenerated }}
+  {{- $cert := genSignedCert (include "common.names.fullname" .) nil (list (include "common.names.fullname" .) (printf "%s.%s" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain)) 365 $ca }}
+  {{ .Values.tls.certFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certFilename "defaultValue" $cert.Cert "context" $) }}
+  {{ .Values.tls.certKeyFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certKeyFilename "defaultValue" $cert.Key "context" $) }}
+  {{ .Values.tls.certCAFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certCAFilename "defaultValue" $ca.Cert "context" $) }}
+  {{- else }}
+  {{- if .Values.tls.cert }}
+  {{ .Values.tls.certFilename }}: {{ .Values.tls.cert | b64enc }}
+  {{- end }}
+  {{- if .Values.tls.key }}
+  {{ .Values.tls.certKeyFilename }}: {{ .Values.tls.key | b64enc }}
+  {{- end }}
+  {{- if .Values.tls.ca }}
+  {{ .Values.tls.certCAFilename }}: {{ .Values.tls.ca | b64enc }}
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/bitnami/nginx/values.yaml b/bitnami/nginx/values.yaml
@@ -24,7 +24,7 @@ global:
     openshift:
       ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
       ##
-      adaptSecurityContext: disabled
+      adaptSecurityContext: auto
 ## @section Common parameters
 
 ## @param nameOverride String to partially override nginx.fullname template (will maintain the release name)
@@ -209,6 +209,36 @@ terminationGracePeriodSeconds: ""
 ## The value is evaluated as a template
 ##
 topologySpreadConstraints: []
+## TLS settings
+##
+tls:
+  ## @param tls.enabled Enable TLS transport
+  ##
+  enabled: true
+  ## @param tls.autoGenerated Auto-generate self-signed certificates
+  ##
+  autoGenerated: true
+  ## @param tls.existingSecret Name of a secret containing the certificates
+  ##
+  existingSecret: ""
+  ## @param tls.certFilename Path of the certificate file when mounted as a secret
+  ##
+  certFilename: tls.crt
+  ## @param tls.certKeyFilename Path of the certificate key file when mounted as a secret
+  ##
+  certKeyFilename: tls.key
+  ## @param tls.certCAFilename Path of the certificate CA file when mounted as a secret
+  ##
+  certCAFilename: ca.crt
+  ## @param tls.cert Content of the certificate to be added to the secret
+  ##
+  cert: ""
+  ## @param tls.key Content of the certificate key to be added to the secret
+  ##
+  key: ""
+  ## @param tls.ca Content of the certificate CA to be added to the secret
+  ##
+  ca: ""
 ## NGINX pods' Security Context.
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled NGINX pods' Security Context
@@ -246,10 +276,10 @@ containerSecurityContext:
   enabled: true
   seLinuxOptions: null
   runAsUser: 1001
-  runAsGroup: 0
+  runAsGroup: 1001
   runAsNonRoot: true
   privileged: false
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   capabilities:
     drop: ["ALL"]
@@ -278,7 +308,7 @@ extraContainerPorts: []
 ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
-resourcesPreset: "none"
+resourcesPreset: "nano"
 ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -501,7 +531,7 @@ cloneStaticSiteFromGit:
     ## @param cloneStaticSiteFromGit.gitSync.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production).
     ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
     ##
-    resourcesPreset: "none"
+    resourcesPreset: "nano"
     ## @param cloneStaticSiteFromGit.gitSync.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
     ## Example:
     ## resources:
@@ -944,7 +974,7 @@ metrics:
   ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
   ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
   ##
-  resourcesPreset: "none"
+  resourcesPreset: "nano"
   ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
   ## Example:
   ## resources: