From 66f30268ae7ee8feb598f810839013a49abe2153 Mon Sep 17 00:00:00 2001 From: Alejandro Moreno Date: Thu, 4 Apr 2024 17:31:27 +0200 Subject: [PATCH] =?UTF-8?q?[bitnami/nginx]=20feat!:=20=F0=9F=94=92=20?= =?UTF-8?q?=F0=9F=92=A5=20Improve=20security=20defaults=20(#24371)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/nginx] feat!: 🔒 💥 Improve security defaults Signed-off-by: Alejandro Moreno * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * feat: :sparkles: Add tls support Signed-off-by: Javier Salmeron Garcia * fix: :rotating_light: Add missing copyright Signed-off-by: Javier Salmeron Garcia --------- Signed-off-by: Alejandro Moreno Signed-off-by: Bitnami Containers Signed-off-by: Javier J. Salmerón-García Signed-off-by: Javier Salmeron Garcia Co-authored-by: Bitnami Containers Co-authored-by: Javier J. Salmerón-García --- .vib/nginx/runtime-parameters.yaml | 3 + bitnami/nginx/Chart.yaml | 2 +- bitnami/nginx/README.md | 308 ++++++++++-------- bitnami/nginx/templates/deployment.yaml | 28 +- ...s-secrets.yaml => ingress-tls-secret.yaml} | 0 bitnami/nginx/templates/tls-secret.yaml | 35 ++ bitnami/nginx/values.yaml | 42 ++- 7 files changed, 264 insertions(+), 154 deletions(-) rename bitnami/nginx/templates/{tls-secrets.yaml => ingress-tls-secret.yaml} (100%) create mode 100644 bitnami/nginx/templates/tls-secret.yaml diff --git a/.vib/nginx/runtime-parameters.yaml b/.vib/nginx/runtime-parameters.yaml index 5589336e9284d4..b4cd9b3ec47d81 100644 --- a/.vib/nginx/runtime-parameters.yaml +++ b/.vib/nginx/runtime-parameters.yaml @@ -12,3 +12,6 @@ service: ports: http: 80 https: 444 +tls: + enabled: true + autoGenerated: true \ No newline at end of file diff --git a/bitnami/nginx/Chart.yaml b/bitnami/nginx/Chart.yaml index acb3c52f06ffae..23069cd3bbb447 100644 --- a/bitnami/nginx/Chart.yaml +++ b/bitnami/nginx/Chart.yaml @@ -34,4 +34,4 @@ maintainers: name: nginx sources: - https://github.com/bitnami/charts/tree/main/bitnami/nginx -version: 15.14.2 +version: 16.0.0 diff --git a/bitnami/nginx/README.md b/bitnami/nginx/README.md index bb178c47e3ce9d..85a89cb7e51000 100644 --- a/bitnami/nginx/README.md +++ b/bitnami/nginx/README.md @@ -137,11 +137,11 @@ For annotations, please see [this document](https://github.com/kubernetes/ingres ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -179,114 +179,123 @@ For annotations, please see [this document](https://github.com/kubernetes/ingres ### NGINX deployment parameters -| Name | Description | Value | -| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| `replicaCount` | Number of NGINX replicas to deploy | `1` | -| `revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` | -| `updateStrategy.type` | NGINX deployment strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` | -| `podLabels` | Additional labels for NGINX pods | `{}` | -| `podAnnotations` | Annotations for NGINX pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` | -| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` | -| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` | -| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` | -| `priorityClassName` | NGINX pods' priorityClassName | `""` | -| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `terminationGracePeriodSeconds` | In seconds, time the given to the NGINX pod needs to terminate gracefully | `""` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `true` | -| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` | -| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` | -| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | -| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `containerPorts.http` | Sets http port inside NGINX container | `8080` | -| `containerPorts.https` | Sets https port inside NGINX container | `""` | -| `extraContainerPorts` | Array of additional container ports for the Nginx container | `[]` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | -| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `lifecycleHooks` | Optional lifecycleHooks for the NGINX container | `{}` | -| `startupProbe.enabled` | Enable startupProbe | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `livenessProbe.enabled` | Enable livenessProbe | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `customStartupProbe` | Custom liveness probe for the Web component | `{}` | -| `customLivenessProbe` | Override default liveness probe | `{}` | -| `customReadinessProbe` | Override default readiness probe | `{}` | -| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` | -| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` | -| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` | -| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` | -| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` | -| `extraVolumes` | Array to add extra volumes | `[]` | -| `extraVolumeMounts` | Array to add extra mount | `[]` | -| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` | -| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `false` | -| `sidecars` | Sidecar parameters | `[]` | -| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` | -| `initContainers` | Extra init containers | `[]` | -| `pdb.create` | Created a PodDisruptionBudget | `false` | -| `pdb.minAvailable` | Min number of pods that must still be available after the eviction. | `1` | -| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction. | `0` | +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of NGINX replicas to deploy | `1` | +| `revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` | +| `updateStrategy.type` | NGINX deployment strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` | +| `podLabels` | Additional labels for NGINX pods | `{}` | +| `podAnnotations` | Annotations for NGINX pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` | +| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` | +| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` | +| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` | +| `priorityClassName` | NGINX pods' priorityClassName | `""` | +| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `terminationGracePeriodSeconds` | In seconds, time the given to the NGINX pod needs to terminate gracefully | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `tls.enabled` | Enable TLS transport | `true` | +| `tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `tls.existingSecret` | Name of a secret containing the certificates | `""` | +| `tls.certFilename` | Path of the certificate file when mounted as a secret | `tls.crt` | +| `tls.certKeyFilename` | Path of the certificate key file when mounted as a secret | `tls.key` | +| `tls.certCAFilename` | Path of the certificate CA file when mounted as a secret | `ca.crt` | +| `tls.cert` | Content of the certificate to be added to the secret | `""` | +| `tls.key` | Content of the certificate key to be added to the secret | `""` | +| `tls.ca` | Content of the certificate CA to be added to the secret | `""` | +| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `containerPorts.http` | Sets http port inside NGINX container | `8080` | +| `containerPorts.https` | Sets https port inside NGINX container | `""` | +| `extraContainerPorts` | Array of additional container ports for the Nginx container | `[]` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `lifecycleHooks` | Optional lifecycleHooks for the NGINX container | `{}` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `customStartupProbe` | Custom liveness probe for the Web component | `{}` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` | +| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` | +| `extraVolumes` | Array to add extra volumes | `[]` | +| `extraVolumeMounts` | Array to add extra mount | `[]` | +| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` | +| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `false` | +| `sidecars` | Sidecar parameters | `[]` | +| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` | +| `initContainers` | Extra init containers | `[]` | +| `pdb.create` | Created a PodDisruptionBudget | `false` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction. | `1` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction. | `0` | ### Custom NGINX application parameters -| Name | Description | Value | -| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------- | -| `cloneStaticSiteFromGit.enabled` | Get the server static content from a Git repository | `false` | -| `cloneStaticSiteFromGit.image.registry` | Git image registry | `REGISTRY_NAME` | -| `cloneStaticSiteFromGit.image.repository` | Git image repository | `REPOSITORY_NAME/git` | -| `cloneStaticSiteFromGit.image.digest` | Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `cloneStaticSiteFromGit.image.pullPolicy` | Git image pull policy | `IfNotPresent` | -| `cloneStaticSiteFromGit.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `cloneStaticSiteFromGit.repository` | Git Repository to clone static content from | `""` | -| `cloneStaticSiteFromGit.branch` | Git branch to checkout | `""` | -| `cloneStaticSiteFromGit.interval` | Interval for sidecar container pull from the Git repository | `60` | -| `cloneStaticSiteFromGit.gitClone.command` | Override default container command for git-clone-repository | `[]` | -| `cloneStaticSiteFromGit.gitClone.args` | Override default container args for git-clone-repository | `[]` | -| `cloneStaticSiteFromGit.gitSync.command` | Override default container command for git-repo-syncer | `[]` | -| `cloneStaticSiteFromGit.gitSync.args` | Override default container args for git-repo-syncer | `[]` | -| `cloneStaticSiteFromGit.gitSync.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). | `none` | -| `cloneStaticSiteFromGit.gitSync.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `cloneStaticSiteFromGit.extraEnvVars` | Additional environment variables to set for the in the containers that clone static site from git | `[]` | -| `cloneStaticSiteFromGit.extraEnvVarsSecret` | Secret with extra environment variables | `""` | -| `cloneStaticSiteFromGit.extraVolumeMounts` | Add extra volume mounts for the Git containers | `[]` | -| `serverBlock` | Custom server block to be added to NGINX configuration | `""` | -| `existingServerBlockConfigmap` | ConfigMap with custom server block to be added to NGINX configuration | `""` | -| `staticSiteConfigmap` | Name of existing ConfigMap with the server static site content | `""` | -| `staticSitePVC` | Name of existing PVC with the server static site content | `""` | +| Name | Description | Value | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `cloneStaticSiteFromGit.enabled` | Get the server static content from a Git repository | `false` | +| `cloneStaticSiteFromGit.image.registry` | Git image registry | `REGISTRY_NAME` | +| `cloneStaticSiteFromGit.image.repository` | Git image repository | `REPOSITORY_NAME/git` | +| `cloneStaticSiteFromGit.image.digest` | Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `cloneStaticSiteFromGit.image.pullPolicy` | Git image pull policy | `IfNotPresent` | +| `cloneStaticSiteFromGit.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `cloneStaticSiteFromGit.repository` | Git Repository to clone static content from | `""` | +| `cloneStaticSiteFromGit.branch` | Git branch to checkout | `""` | +| `cloneStaticSiteFromGit.interval` | Interval for sidecar container pull from the Git repository | `60` | +| `cloneStaticSiteFromGit.gitClone.command` | Override default container command for git-clone-repository | `[]` | +| `cloneStaticSiteFromGit.gitClone.args` | Override default container args for git-clone-repository | `[]` | +| `cloneStaticSiteFromGit.gitSync.command` | Override default container command for git-repo-syncer | `[]` | +| `cloneStaticSiteFromGit.gitSync.args` | Override default container args for git-repo-syncer | `[]` | +| `cloneStaticSiteFromGit.gitSync.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). | `nano` | +| `cloneStaticSiteFromGit.gitSync.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `cloneStaticSiteFromGit.extraEnvVars` | Additional environment variables to set for the in the containers that clone static site from git | `[]` | +| `cloneStaticSiteFromGit.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `cloneStaticSiteFromGit.extraVolumeMounts` | Add extra volume mounts for the Git containers | `[]` | +| `serverBlock` | Custom server block to be added to NGINX configuration | `""` | +| `existingServerBlockConfigmap` | ConfigMap with custom server block to be added to NGINX configuration | `""` | +| `staticSiteConfigmap` | Name of existing ConfigMap with the server static site content | `""` | +| `staticSitePVC` | Name of existing PVC with the server static site content | `""` | ### Traffic Exposure parameters @@ -344,39 +353,39 @@ For annotations, please see [this document](https://github.com/kubernetes/ingres ### Metrics parameters -| Name | Description | Value | -| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `metrics.enabled` | Start a Prometheus exporter sidecar container | `false` | -| `metrics.image.registry` | NGINX Prometheus exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | NGINX Prometheus exporter image repository | `REPOSITORY_NAME/nginx-exporter` | -| `metrics.image.digest` | NGINX Prometheus exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | NGINX Prometheus exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.port` | NGINX Container Status Port scraped by Prometheus Exporter | `""` | -| `metrics.extraArgs` | Extra arguments for Prometheus exporter | `[]` | -| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9113` | -| `metrics.podAnnotations` | Additional annotations for NGINX Prometheus exporter pod(s) | `{}` | -| `metrics.securityContext.enabled` | Enabled NGINX Exporter containers' Security Context | `false` | -| `metrics.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.securityContext.runAsUser` | Set NGINX Exporter container's Security Context runAsUser | `1001` | -| `metrics.service.port` | NGINX Prometheus exporter service port | `9113` | -| `metrics.service.annotations` | Annotations for the Prometheus exporter service | `{}` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | -| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `metrics.serviceMonitor.enabled` | Creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | -| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so PodMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | -| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | +| Name | Description | Value | +| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a Prometheus exporter sidecar container | `false` | +| `metrics.image.registry` | NGINX Prometheus exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | NGINX Prometheus exporter image repository | `REPOSITORY_NAME/nginx-exporter` | +| `metrics.image.digest` | NGINX Prometheus exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | NGINX Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.port` | NGINX Container Status Port scraped by Prometheus Exporter | `""` | +| `metrics.extraArgs` | Extra arguments for Prometheus exporter | `[]` | +| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9113` | +| `metrics.podAnnotations` | Additional annotations for NGINX Prometheus exporter pod(s) | `{}` | +| `metrics.securityContext.enabled` | Enabled NGINX Exporter containers' Security Context | `false` | +| `metrics.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.securityContext.runAsUser` | Set NGINX Exporter container's Security Context runAsUser | `1001` | +| `metrics.service.port` | NGINX Prometheus exporter service port | `9113` | +| `metrics.service.annotations` | Annotations for the Prometheus exporter service | `{}` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.serviceMonitor.enabled` | Creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so PodMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -405,6 +414,17 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 16.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 11.0.0 This major release renames several values in this chart and adds missing features, in order to be aligned with the rest of the assets in the Bitnami charts repository. @@ -495,4 +515,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/bitnami/nginx/templates/deployment.yaml b/bitnami/nginx/templates/deployment.yaml index 4f5cfecc6d8b81..64c3077fa44ba1 100644 --- a/bitnami/nginx/templates/deployment.yaml +++ b/bitnami/nginx/templates/deployment.yaml @@ -252,21 +252,21 @@ spec: {{- else if .Values.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} tcpSocket: - port: {{ ternary "http" "https" (not .Values.containerPorts.https) }} + port: {{ ternary "http" "https" .Values.tls.enabled }} {{- end }} {{- if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} {{- else if .Values.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} tcpSocket: - port: {{ ternary "http" "https" (not .Values.containerPorts.https) }} + port: {{ ternary "http" "https" .Values.tls.enabled }} {{- end }} {{- if .Values.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} {{- else if .Values.startupProbe.enabled }} startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} tcpSocket: - port: {{ ternary "http" "https" (not .Values.containerPorts.https) }} + port: {{ ternary "http" "https" .Values.tls.enabled }} {{- end }} {{- end }} {{- if .Values.resources }} @@ -295,6 +295,14 @@ spec: - name: staticsite mountPath: /app {{- end }} + {{- if .Values.tls.enabled }} + - name: certificate + mountPath: /certs + {{- else }} + - name: empty-dir + mountPath: /certs + subPath: app-tls-dir + {{- end }} {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -342,6 +350,20 @@ spec: volumes: - name: empty-dir emptyDir: {} + {{- if .Values.tls.enabled }} + - name: certificate + secret: + {{- if .Values.tls.existingSecret }} + secretName: {{ .Values.tls.existingSecret }} + {{- else }} + secretName: {{ printf "%s-tls" (include "common.names.fullname" .) }} + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + {{- end }} + {{- end }} {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }} - name: nginx-server-block configMap: diff --git a/bitnami/nginx/templates/tls-secrets.yaml b/bitnami/nginx/templates/ingress-tls-secret.yaml similarity index 100% rename from bitnami/nginx/templates/tls-secrets.yaml rename to bitnami/nginx/templates/ingress-tls-secret.yaml diff --git a/bitnami/nginx/templates/tls-secret.yaml b/bitnami/nginx/templates/tls-secret.yaml new file mode 100644 index 00000000000000..dcb5b5044ecbee --- /dev/null +++ b/bitnami/nginx/templates/tls-secret.yaml @@ -0,0 +1,35 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) }} +{{- $ca := genCA "nginx-ca" 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-tls" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + {{- if .Values.tls.autoGenerated }} + {{- $cert := genSignedCert (include "common.names.fullname" .) nil (list (include "common.names.fullname" .) (printf "%s.%s" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain)) 365 $ca }} + {{ .Values.tls.certFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certFilename "defaultValue" $cert.Cert "context" $) }} + {{ .Values.tls.certKeyFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certKeyFilename "defaultValue" $cert.Key "context" $) }} + {{ .Values.tls.certCAFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certCAFilename "defaultValue" $ca.Cert "context" $) }} + {{- else }} + {{- if .Values.tls.cert }} + {{ .Values.tls.certFilename }}: {{ .Values.tls.cert | b64enc }} + {{- end }} + {{- if .Values.tls.key }} + {{ .Values.tls.certKeyFilename }}: {{ .Values.tls.key | b64enc }} + {{- end }} + {{- if .Values.tls.ca }} + {{ .Values.tls.certCAFilename }}: {{ .Values.tls.ca | b64enc }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/nginx/values.yaml b/bitnami/nginx/values.yaml index d9cfef2eadc449..70cc6a7e10229f 100644 --- a/bitnami/nginx/values.yaml +++ b/bitnami/nginx/values.yaml @@ -24,7 +24,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @param nameOverride String to partially override nginx.fullname template (will maintain the release name) @@ -209,6 +209,36 @@ terminationGracePeriodSeconds: "" ## The value is evaluated as a template ## topologySpreadConstraints: [] +## TLS settings +## +tls: + ## @param tls.enabled Enable TLS transport + ## + enabled: true + ## @param tls.autoGenerated Auto-generate self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Name of a secret containing the certificates + ## + existingSecret: "" + ## @param tls.certFilename Path of the certificate file when mounted as a secret + ## + certFilename: tls.crt + ## @param tls.certKeyFilename Path of the certificate key file when mounted as a secret + ## + certKeyFilename: tls.key + ## @param tls.certCAFilename Path of the certificate CA file when mounted as a secret + ## + certCAFilename: ca.crt + ## @param tls.cert Content of the certificate to be added to the secret + ## + cert: "" + ## @param tls.key Content of the certificate key to be added to the secret + ## + key: "" + ## @param tls.ca Content of the certificate CA to be added to the secret + ## + ca: "" ## NGINX pods' Security Context. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled NGINX pods' Security Context @@ -246,10 +276,10 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -278,7 +308,7 @@ extraContainerPorts: [] ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "nano" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -501,7 +531,7 @@ cloneStaticSiteFromGit: ## @param cloneStaticSiteFromGit.gitSync.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param cloneStaticSiteFromGit.gitSync.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -944,7 +974,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: