From 7ee255a1d61e589fc0c093bb9d3bcf8ac4d99f28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 21:53:40 +0100 Subject: [PATCH] [bitnami/sealed-secrets] Detect non-standard images (#30966) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [bitnami/sealed-secrets] Detect non-standard images Signed-off-by: Carlos Rodríguez Hernández * Modify NOTES.txt Signed-off-by: Carlos Rodríguez Hernández * Modify values Signed-off-by: Carlos Rodríguez Hernández * Update CHANGELOG.md Signed-off-by: Bitnami Containers * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --------- Signed-off-by: Carlos Rodríguez Hernández Signed-off-by: Bitnami Containers Co-authored-by: Bitnami Containers --- bitnami/sealed-secrets/CHANGELOG.md | 8 ++++++-- bitnami/sealed-secrets/Chart.lock | 6 +++--- bitnami/sealed-secrets/Chart.yaml | 2 +- bitnami/sealed-secrets/README.md | 15 ++++++++++----- bitnami/sealed-secrets/templates/NOTES.txt | 3 ++- bitnami/sealed-secrets/values.yaml | 5 +++++ 6 files changed, 27 insertions(+), 12 deletions(-) diff --git a/bitnami/sealed-secrets/CHANGELOG.md b/bitnami/sealed-secrets/CHANGELOG.md index 590eae3f90d4cd..307d36e5187203 100644 --- a/bitnami/sealed-secrets/CHANGELOG.md +++ b/bitnami/sealed-secrets/CHANGELOG.md @@ -1,8 +1,12 @@ # Changelog -## 2.4.14 (2024-12-05) +## 2.5.0 (2024-12-10) -* [bitnami/sealed-secrets] Release 2.4.14 ([#30805](https://github.com/bitnami/charts/pull/30805)) +* [bitnami/sealed-secrets] Detect non-standard images ([#30966](https://github.com/bitnami/charts/pull/30966)) + +## 2.4.14 (2024-12-05) + +* [bitnami/sealed-secrets] Release 2.4.14 (#30805) ([1bc7b3f](https://github.com/bitnami/charts/commit/1bc7b3fa73b91b48644cd1f9046087b6ea5d5c05)), closes [#30805](https://github.com/bitnami/charts/issues/30805) ## 2.4.13 (2024-12-04) diff --git a/bitnami/sealed-secrets/Chart.lock b/bitnami/sealed-secrets/Chart.lock index 47c6eac2a5b070..67f67a6f07bbe6 100644 --- a/bitnami/sealed-secrets/Chart.lock +++ b/bitnami/sealed-secrets/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.27.2 -digest: sha256:6fd86cc5a4b5094abca1f23c8ec064e75e51eceaded94a5e20977274b2abb576 -generated: "2024-12-04T03:55:26.784408236Z" + version: 2.28.0 +digest: sha256:5b30f0fa07bb89b01c55fd6258c8ce22a611b13623d4ad83e8fdd1d4490adc74 +generated: "2024-12-10T17:27:55.547739+01:00" diff --git a/bitnami/sealed-secrets/Chart.yaml b/bitnami/sealed-secrets/Chart.yaml index fb88b8ca63b78a..a13e6aea8d029c 100644 --- a/bitnami/sealed-secrets/Chart.yaml +++ b/bitnami/sealed-secrets/Chart.yaml @@ -29,4 +29,4 @@ name: sealed-secrets sources: - https://github.com/bitnami/charts/tree/main/bitnami/sealed-secrets - https://github.com/bitnami-labs/sealed-secrets -version: 2.4.14 +version: 2.5.0 diff --git a/bitnami/sealed-secrets/README.md b/bitnami/sealed-secrets/README.md index ed203e37c3d1be..e636b5abdb530e 100644 --- a/bitnami/sealed-secrets/README.md +++ b/bitnami/sealed-secrets/README.md @@ -194,11 +194,12 @@ As an alternative, use one of the preset configurations for pod affinity, pod an ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -412,6 +413,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 2.5.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + ### To 2.0.0 This major bump changes the following security defaults: diff --git a/bitnami/sealed-secrets/templates/NOTES.txt b/bitnami/sealed-secrets/templates/NOTES.txt index f138172dcbb8e6..294b1aa68d4be3 100644 --- a/bitnami/sealed-secrets/templates/NOTES.txt +++ b/bitnami/sealed-secrets/templates/NOTES.txt @@ -54,4 +54,5 @@ Both the SealedSecret and generated Secret must have the same name and namespace {{- include "common.warnings.rollingTag" .Values.image }} {{- end }} {{- include "common.warnings.resources" (dict "sections" (list "") "context" $) }} -{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image) "context" $) }} \ No newline at end of file +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image) "context" $) }} diff --git a/bitnami/sealed-secrets/values.yaml b/bitnami/sealed-secrets/values.yaml index cf24f0313fb6d7..9c189ead5e15a2 100644 --- a/bitnami/sealed-secrets/values.yaml +++ b/bitnami/sealed-secrets/values.yaml @@ -17,6 +17,11 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false ## Compatibility adaptations for Kubernetes platforms ## compatibility: