From 9aea75c4d754206e0cf65fee9125e61d17983c1b Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Mon, 1 Apr 2024 18:31:20 +0200 Subject: [PATCH 1/7] [bitnami/phpmyadmin] feat!: :lock: :boom: Improve security defaults Signed-off-by: Javier Salmeron Garcia --- bitnami/phpmyadmin/Chart.lock | 8 +- bitnami/phpmyadmin/Chart.yaml | 4 +- bitnami/phpmyadmin/README.md | 12 ++ bitnami/phpmyadmin/templates/deployment.yaml | 68 +++++++- .../networkpolicy-backend-ingress.yaml | 30 ---- .../templates/networkpolicy-egress.yaml | 35 ---- .../templates/networkpolicy-ingress.yaml | 63 -------- .../phpmyadmin/templates/networkpolicy.yaml | 80 +++++++++ bitnami/phpmyadmin/values.yaml | 152 ++++++++---------- 9 files changed, 228 insertions(+), 224 deletions(-) delete mode 100644 bitnami/phpmyadmin/templates/networkpolicy-backend-ingress.yaml delete mode 100644 bitnami/phpmyadmin/templates/networkpolicy-egress.yaml delete mode 100644 bitnami/phpmyadmin/templates/networkpolicy-ingress.yaml create mode 100644 bitnami/phpmyadmin/templates/networkpolicy.yaml diff --git a/bitnami/phpmyadmin/Chart.lock b/bitnami/phpmyadmin/Chart.lock index 3678554cee52f0..dcf1c4d7e3d34f 100644 --- a/bitnami/phpmyadmin/Chart.lock +++ b/bitnami/phpmyadmin/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 15.2.3 + version: 17.0.1 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.18.0 -digest: sha256:3999d49f4f166eae2a4f56f74427f0e3a8f42b8d9e0fd1c8b421a41aa16491b8 -generated: "2024-03-05T15:18:09.689833573+01:00" + version: 2.19.1 +digest: sha256:fd451d9a827462d9fc81218b0b3fb9fbf9f39f28a7655c39522e353d9d3fff28 +generated: "2024-04-01T18:26:11.821266789+02:00" diff --git a/bitnami/phpmyadmin/Chart.yaml b/bitnami/phpmyadmin/Chart.yaml index 3480a5c6038e00..ff8474b134a247 100644 --- a/bitnami/phpmyadmin/Chart.yaml +++ b/bitnami/phpmyadmin/Chart.yaml 
@@ -17,7 +17,7 @@ dependencies: repository: oci://registry-1.docker.io/bitnamicharts tags: - phpmyadmin-database - version: 15.x.x + version: 17.x.x - name: common repository: oci://registry-1.docker.io/bitnamicharts tags: @@ -36,4 +36,4 @@ maintainers: name: phpmyadmin sources: - https://github.com/bitnami/charts/tree/main/bitnami/phpmyadmin -version: 14.6.0 +version: 15.0.0 diff --git a/bitnami/phpmyadmin/README.md b/bitnami/phpmyadmin/README.md index 90542581ea2484..6795f13d7a60a1 100644 --- a/bitnami/phpmyadmin/README.md +++ b/bitnami/phpmyadmin/README.md @@ -404,6 +404,18 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. +- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 14.0.0 This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade. diff --git a/bitnami/phpmyadmin/templates/deployment.yaml b/bitnami/phpmyadmin/templates/deployment.yaml index e20b0ee11b364b..15d3b0c9697f51 100644 --- a/bitnami/phpmyadmin/templates/deployment.yaml 
+++ b/bitnami/phpmyadmin/templates/deployment.yaml @@ -65,8 +65,44 @@ spec: {{- if .Values.serviceAccount.create }} serviceAccountName: {{ template "phpmyadmin.serviceAccountName" . }} {{- end }} + initContainers: + - name: prepare-base-dir + image: {{ include "phpmyadmin.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libfs.sh + + info "Copying base dir to empty dir" + # In order to not break the application functionality (such as upgrades or plugins) we need + # to make the base directory writable, so we need to copy it to an empty dir volume + cp -r --preserve=mode /opt/bitnami/phpmyadmin /emptydir/app-base-dir + + info "Copying symlinks to stdout/stderr" + # We copy the logs folder because it has symlinks to stdout and stderr + if ! is_dir_empty /opt/bitnami/apache/logs; then + cp -r /opt/bitnami/apache/logs /emptydir/apache-logs-dir + fi + info "Copy operation completed" + volumeMounts: + - name: empty-dir + mountPath: /emptydir {{- if .Values.initContainers }} - initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} containers: - name: {{ .Chart.Name }} 
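Review bot: The init container deliberately makes `/opt/bitnami/phpmyadmin` writable by copying it into the emptyDir, so the new `readOnlyRootFilesystem: true` default does not cover the application directory itself, and that scope limit is stated nowhere a chart maintainer would look. Suggest extending the script comment with `# NOTE: the copied tree stays writable at runtime, so readOnlyRootFilesystem does not protect /opt/bitnami/phpmyadmin` so the trade-off is explicit. The copy step also runs under `.Values.containerSecurityContext`, so relaxing that context relaxes the init container too; a one-line comment above `initContainers:` saying the block is required for the read-only root filesystem would help the next person who tries to remove it. The enclosing pod `spec:` starts and ends outside this hunk.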
@@ -172,6 +208,30 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/apache/conf + subPath: apache-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/apache/logs + subPath: apache-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/apache/var/run + subPath: apcahe-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/php/etc + subPath: php-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/php/tmp + subPath: php-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/php/var + subPath: php-var-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/phpmyadmin + subPath: app-base-dir {{- if .Values.db.enableSsl }} - name: ssl-certs mountPath: /db_certs @@ -204,11 +264,17 @@ spec: {{- else if ne .Values.metrics.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if .Values.db.enableSsl }} - name: ssl-certs secret: diff --git a/bitnami/phpmyadmin/templates/networkpolicy-backend-ingress.yaml b/bitnami/phpmyadmin/templates/networkpolicy-backend-ingress.yaml deleted file mode 100644 index 71332563d32e6b..00000000000000 --- a/bitnami/phpmyadmin/templates/networkpolicy-backend-ingress.yaml +++ /dev/null 
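Review bot: The metrics sidecar and the main container both mount `subPath: tmp-dir` at `/tmp`, so the exporter shares phpMyAdmin's scratch files; a distinct subPath on the sidecar mount, e.g. `subPath: metrics-tmp-dir`, keeps the two containers' temporary space isolated at no cost. The main container's `subPath: apcahe-tmp-dir` is misspelled; `subPath: apache-tmp-dir` matches the neighbouring `apache-conf-dir`/`apache-logs-dir` entries (the name is only a directory inside the emptyDir, so this is cosmetic). Empty subPaths are also mounted over `/opt/bitnami/apache/conf` and `/opt/bitnami/php/etc`, while the init container in the previous hunk copies only the app base dir and the logs dir — presumably the image's startup scripts regenerate those configuration directories; confirm, since otherwise the container starts with empty Apache/PHP config. Both hunks sit inside the pod `spec:`, which starts and ends outside them.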
@@ -1,30 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-backend" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} - {{- else }} - app.kubernetes.io/name: mariadb - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - ingress: - - from: - - podSelector: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} -{{- end }} diff --git a/bitnami/phpmyadmin/templates/networkpolicy-egress.yaml b/bitnami/phpmyadmin/templates/networkpolicy-egress.yaml deleted file mode 100644 index 9c8a44225aa030..00000000000000 --- a/bitnami/phpmyadmin/templates/networkpolicy-egress.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/instance: {{ .Release.Name }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/bitnami/phpmyadmin/templates/networkpolicy-ingress.yaml b/bitnami/phpmyadmin/templates/networkpolicy-ingress.yaml deleted file mode 100644 index c05c1e6e9a02e7..00000000000000 --- a/bitnami/phpmyadmin/templates/networkpolicy-ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - ingress: - {{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingress.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingress.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - 
namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/bitnami/phpmyadmin/templates/networkpolicy.yaml b/bitnami/phpmyadmin/templates/networkpolicy.yaml new file mode 100644 index 00000000000000..589a4023637b65 --- /dev/null +++ b/bitnami/phpmyadmin/templates/networkpolicy.yaml 
@@ -0,0 +1,80 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to MariaDB + - ports: + - port: {{ .Values.db.port }} + {{- if .Values.db.bundleTestDB }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: mariadb + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.containerPorts.https }} + {{- range .Values.extraContainerPorts }} + - port: {{ . 
}} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/phpmyadmin/values.yaml b/bitnami/phpmyadmin/values.yaml index 3e104ddbf787c6..286c9d00666792 100644 --- a/bitnami/phpmyadmin/values.yaml +++ b/bitnami/phpmyadmin/values.yaml @@ -63,7 +63,7 @@ extraDeploy: [] image: registry: docker.io repository: bitnami/phpmyadmin - tag: 5.2.1-debian-12-r20 + tag: 5.2.1-debian-12-r24 digest: "" ## Specify a imagePullPolicy ## @@ -122,6 +122,13 @@ hostAliases: containerPorts: http: 8080 https: 8443 +## @param extraContainerPorts Optionally specify extra list of additional ports for WordPress container(s) +## e.g: +## extraContainerPorts: +## - name: myservice +## containerPort: 9090 +## +extraContainerPorts: [] ## @param updateStrategy.type Strategy to use to update Pods ## updateStrategy: 
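Review bot: In the ingress rule, `{{- range .Values.extraContainerPorts }}` renders `- port: {{ . }}`, but `extraContainerPorts` is documented in the values hunk on this same line as a list of port objects (`- name: myservice` / `containerPort: 9090`) and the deployment hunk in patch 3/7 renders those objects straight into the container `ports:` list, so with the documented shape the policy would emit the whole map as the port value and be rejected; the range body should be `- port: {{ .containerPort }}`. The allow-list also contains only the http/https container ports, so with the policy now enabled by default and `metrics.enabled` set, the exporter port is reachable by no peer unless `extraIngress` is configured; I would add a guarded entry along the lines of `{{- if .Values.metrics.enabled }}` / `- port: <metrics container port value>` / `{{- end }}` (the exact value key is not visible in this patch). A short comment above `ingress:` stating that only the listed ports are opened would make the behaviour discoverable from the template itself.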
@@ -148,6 +155,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -159,9 +167,10 @@ containerSecurityContext: enabled: true seLinuxOptions: null runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -179,7 +188,7 @@ replicas: 1 ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "micro" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
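Review bot: The new default `resourcesPreset: "micro"` in the last hunk is not among the allowed values listed in the unchanged `@param` line directly above it (`none, nano, small, medium, large, xlarge, 2xlarge`), so the generated README advertises a default that the parameter description calls invalid. The regenerated README in patch 4/7 does list `micro`, which suggests the comment was fixed in a commit not shown here; if it was not, add `micro` to the allowed-values list in that `@param resourcesPreset` comment. The `runAsGroup: 1001` and `readOnlyRootFilesystem: true` changes in the second hunk need no further change.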
@@ -624,7 +633,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
@@ -727,93 +736,58 @@ metrics: selector: {} ## @section NetworkPolicy parameters -## Add networkpolicies +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies - ## @param networkPolicy.ingress.namespaceSelector Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. - ## @param networkPolicy.ingress.podSelector Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. 
+ allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - ingress: - enabled: false - ## e.g: - ## podSelector: - ## label: ingress - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by phpMyAdmin's pods. - ## @param networkPolicy.ingressRules.customBackendSelector Backend selector labels. These labels will be used to identify the backend pods. - ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes phpMyAdmin only accessible from a particular origin - ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector Namespace selector label that is allowed to access phpMyAdmin. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector Pods selector label that is allowed to access phpMyAdmin. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.customRules Custom network policy ingress rule - ## - ingressRules: - ## mariadb backend only can be accessed from phpMyAdmin - ## - backendOnlyAccessibleByFrontend: false - customBackendSelector: {} - ## Allow only from the indicated: - ## - accessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). 
- ## @param networkPolicy.egressRules.customRules Custom network policy rule - ## - egressRules: - ## Deny connections to external. This is not compatible with an external database. - ## - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} From b82e8489ba60f4a295bf95d9000c145d51abd39f Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Mon, 1 Apr 2024 16:32:56 +0000 Subject: [PATCH 2/7] Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --- bitnami/phpmyadmin/README.md | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/bitnami/phpmyadmin/README.md b/bitnami/phpmyadmin/README.md index 6795f13d7a60a1..456c9d01883f61 100644 --- a/bitnami/phpmyadmin/README.md +++ b/bitnami/phpmyadmin/README.md 
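Review bot: The `@param` line for `networkPolicy.extraEgress` says "Add extra ingress rules", copied from the entry above, and that wording ends up in the generated README in patch 2/7; it should read `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy`, and the `extraIngress` line has `NetworkPolice` for `NetworkPolicy`. The examples under both keys are not valid selector shapes — `podSelector:` takes a mapping, but the examples show `- matchLabels:` and `- role: frontend` as list items, so a user copying them gets a rejected policy; the example should nest `matchLabels:` and its labels as mappings under `podSelector:`. The `allowExternal` description talks about a "server label", while the template grants access to pods carrying the `<fullname>-client: "true"` label; calling it the client label would match what the chart actually matches. Since `enabled` now defaults to `true` with both `allowExternal` and `allowExternalEgress` also `true`, the shipped policy only limits ingress to the listed ports, and saying so in the `enabled` comment would tell operators that the default is permissive rather than restrictive.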
@@ -203,6 +203,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po | `hostAliases` | Deployment pod host aliases | `[]` | | `containerPorts.http` | HTTP port to expose at container level | `8080` | | `containerPorts.https` | HTTPS port to expose at container level | `8443` | +| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | | `updateStrategy.type` | Strategy to use to update Pods | `RollingUpdate` | | `podSecurityContext.enabled` | Enable phpMyAdmin pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -212,14 +213,15 @@ As an alternative, you can use of the preset configurations for pod affinity, po | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `replicas` | Number of replicas | `1` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `micro` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `startupProbe.enabled` | Enable startupProbe | `false` | | `startupProbe.httpGet.path` | Request path for startupProbe | `/` | @@ -334,7 +336,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po | `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.service.type` | Prometheus metrics service type | `ClusterIP` | | `metrics.service.port` | Prometheus metrics service port | `9117` | 
@@ -358,23 +360,15 @@ As an alternative, you can use of the preset configurations for pod affinity, po ### NetworkPolicy parameters -| Name | Description | Value | -| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` | -| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` | -| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` | -| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by phpMyAdmin's pods. | `false` | -| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes phpMyAdmin only accessible from a particular origin | `false` | -| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access phpMyAdmin. This label will be used to identified the allowed namespace(s). 
| `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access phpMyAdmin. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | For more information please refer to the [bitnami/phpmyadmin](https://github.com/bitnami/containers/tree/main/bitnami/phpmyadmin) image documentation. From c38e8156de41df577411241e1f4d32424602b2b0 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Wed, 3 Apr 2024 17:32:57 +0200 Subject: [PATCH 3/7] fix: :bug: Add missing reference to extraContainerPorts in YAML Signed-off-by: Javier Salmeron Garcia --- bitnami/phpmyadmin/README.md | 2 +- bitnami/phpmyadmin/templates/deployment.yaml | 3 +++ bitnami/phpmyadmin/values.yaml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/bitnami/phpmyadmin/README.md b/bitnami/phpmyadmin/README.md index 456c9d01883f61..b951f72c7729a6 100644 --- a/bitnami/phpmyadmin/README.md +++ b/bitnami/phpmyadmin/README.md @@ -203,7 +203,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po | `hostAliases` | Deployment pod host aliases | `[]` | | `containerPorts.http` | HTTP port to expose at container level | `8080` | | `containerPorts.https` | HTTPS port to expose at container level | `8443` | -| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | +| `extraContainerPorts` | Optionally specify extra list of additional ports for phpMyAdmin container(s) | `[]` | | `updateStrategy.type` | Strategy to use to update Pods | `RollingUpdate` | | `podSecurityContext.enabled` | Enable phpMyAdmin pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | diff --git a/bitnami/phpmyadmin/templates/deployment.yaml b/bitnami/phpmyadmin/templates/deployment.yaml index 15d3b0c9697f51..2fc6a65e1218ca 100644 --- a/bitnami/phpmyadmin/templates/deployment.yaml +++ b/bitnami/phpmyadmin/templates/deployment.yaml @@ -187,6 +187,9 @@ spec: - name: https containerPort: {{ .Values.containerPorts.https }} protocol: TCP + {{- if .Values.extraContainerPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }} + {{- end }} {{- if .Values.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} {{- else if .Values.startupProbe.enabled }} diff --git a/bitnami/phpmyadmin/values.yaml b/bitnami/phpmyadmin/values.yaml index e620921dbfa83e..5258a4d8fd6ffc 100644 --- a/bitnami/phpmyadmin/values.yaml +++ b/bitnami/phpmyadmin/values.yaml 
@@ -122,7 +122,7 @@ hostAliases:
 containerPorts:
 http: 8080
 https: 8443
-## @param extraContainerPorts Optionally specify extra list of additional ports for WordPress container(s)
+## @param extraContainerPorts Optionally specify extra list of additional ports for phpMyAdmin container(s)
 ## e.g:
 ## extraContainerPorts:
 ## - name: myservice
From acd0053bb936ff88f2482675454656d25dd3b7f0 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Wed, 3 Apr 2024 15:36:00 +0000
Subject: [PATCH 4/7] Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
---
 bitnami/phpmyadmin/README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/bitnami/phpmyadmin/README.md b/bitnami/phpmyadmin/README.md
index c613f870cc11cf..2cdc823496e219 100644
--- a/bitnami/phpmyadmin/README.md
+++ b/bitnami/phpmyadmin/README.md
@@ -203,6 +203,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `hostAliases` | Deployment pod host aliases | `[]` |
 | `containerPorts.http` | HTTP port to expose at container level | `8080` |
 | `containerPorts.https` | HTTPS port to expose at container level | `8443` |
+| `extraContainerPorts` | Optionally specify extra list of additional ports for phpMyAdmin container(s) | `[]` |
 | `updateStrategy.type` | Strategy to use to update Pods | `RollingUpdate` |
 | `podSecurityContext.enabled` | Enable phpMyAdmin pods' Security Context | `true` |
 | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -212,14 +213,15 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `replicas` | Number of replicas | `1` |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
| `micro` |
 | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `startupProbe.enabled` | Enable startupProbe | `false` |
 | `startupProbe.httpGet.path` | Request path for startupProbe | `/` |
@@ -334,7 +336,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
 | `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
 | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `metrics.service.type` | Prometheus metrics service type | `ClusterIP` |
 | `metrics.service.port` | Prometheus metrics service port | `9117` |
From 1793e7ce7b27efdf8f7cdbaf33fed49f3678a1eb Mon Sep 17 00:00:00 2001
From: Javier Salmeron Garcia
Date: Thu, 4 Apr 2024 16:29:01 +0200
Subject: [PATCH 5/7] chore: :wrench: Bump instance size
Signed-off-by: Javier Salmeron Garcia
---
 bitnami/phpmyadmin/README.md | 2 +-
 bitnami/phpmyadmin/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/bitnami/phpmyadmin/README.md b/bitnami/phpmyadmin/README.md
index 2cdc823496e219..c7dafecb2092c3 100644
--- a/bitnami/phpmyadmin/README.md
+++ b/bitnami/phpmyadmin/README.md
@@ -221,7 +221,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `replicas` | Number of replicas | `1` |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
 | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `startupProbe.enabled` | Enable startupProbe | `false` |
 | `startupProbe.httpGet.path` | Request path for startupProbe | `/` |
diff --git a/bitnami/phpmyadmin/values.yaml b/bitnami/phpmyadmin/values.yaml
index cdc242eae5a80d..78511e89ea5623 100644
--- a/bitnami/phpmyadmin/values.yaml
+++ b/bitnami/phpmyadmin/values.yaml
@@ -188,7 +188,7 @@ replicas: 1
 ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
-resourcesPreset: "micro"
+resourcesPreset: "small"
 ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
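Review bot: The bump of `resourcesPreset` from `"micro"` to `"small"` in this hunk is undone by PATCH 7/7 (the later values.yaml hunk restores `resourcesPreset: "micro"`) once the real startup problem is fixed, so the two commits cancel out and only leave churn in the README and values history. Squashing PATCH 5/7 and the revert half of PATCH 7/7, or dropping both, would keep the series' security defaults readable in `git log`. If the larger preset was a deliberate workaround while the root cause was unknown, saying so in the commit message would help future bisecting; as written, the subject `chore: :wrench: Bump instance size` gives no reason.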
From 814f24a50dda01c4f6ac811a14be35d60af4b4f9 Mon Sep 17 00:00:00 2001
From: Javier Salmeron Garcia
Date: Thu, 4 Apr 2024 17:18:45 +0200
Subject: [PATCH 6/7] test: :white_check_mark: Increase timeout
Signed-off-by: Javier Salmeron Garcia
---
 .vib/phpmyadmin/cypress/cypress/support/commands.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.vib/phpmyadmin/cypress/cypress/support/commands.js b/.vib/phpmyadmin/cypress/cypress/support/commands.js
index f1c0f38d515192..bfe18e20b4e088 100644
--- a/.vib/phpmyadmin/cypress/cypress/support/commands.js
+++ b/.vib/phpmyadmin/cypress/cypress/support/commands.js
@@ -21,7 +21,7 @@ Cypress.Commands.add(
 'login',
 (username = Cypress.env('username'), password = Cypress.env('password')) => {
 cy.visit('/');
- cy.contains('Log in');
+ cy.contains('Log in', {timeout: 60000});
 cy.get('#input_username').type(username);
 cy.get('#input_password').type(password);
 cy.contains('input', 'Log in').click();
From 27eeab1ae0589d4c21ae25fe5dc0d98cefd85f2e Mon Sep 17 00:00:00 2001
From: Javier Salmeron Garcia
Date: Thu, 4 Apr 2024 17:59:41 +0200
Subject: [PATCH 7/7] fix: :bug: Copy php var structure
Signed-off-by: Javier Salmeron Garcia
---
 bitnami/phpmyadmin/README.md | 2 +-
 bitnami/phpmyadmin/templates/deployment.yaml | 5 +++++
 bitnami/phpmyadmin/values.yaml | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/bitnami/phpmyadmin/README.md b/bitnami/phpmyadmin/README.md
index c7dafecb2092c3..2cdc823496e219 100644
--- a/bitnami/phpmyadmin/README.md
+++ b/bitnami/phpmyadmin/README.md
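Review bot: The `60000` passed to `cy.contains('Log in', {timeout: 60000})` is an unexplained magic number in the only line this hunk changes; a named constant with a one-line reason, e.g. `const LOGIN_PAGE_TIMEOUT_MS = 60000; // pod start is slower now that the init container copies writable dirs for readOnlyRootFilesystem`, would tell the next maintainer why the default was not enough. The reason itself is inferred from the rest of the series, so adjust the wording if the slow start has another cause. If other specs wait on the same first page load, `pageLoadTimeout` in the Cypress config would cover them in one place instead of per call. The `login` command starts and ends outside the hunk.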
@@ -221,7 +221,7 @@ As an alternative, you can use of the preset configurations for pod affinity, po
 | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `replicas` | Number of replicas | `1` |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
 | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `startupProbe.enabled` | Enable startupProbe | `false` |
 | `startupProbe.httpGet.path` | Request path for startupProbe | `/` |
diff --git a/bitnami/phpmyadmin/templates/deployment.yaml b/bitnami/phpmyadmin/templates/deployment.yaml
index 2fc6a65e1218ca..1b7b15f1b2da01 100644
--- a/bitnami/phpmyadmin/templates/deployment.yaml
+++ b/bitnami/phpmyadmin/templates/deployment.yaml
@@ -97,6 +97,11 @@ spec:
 if ! is_dir_empty /opt/bitnami/apache/logs; then
 cp -r /opt/bitnami/apache/logs /emptydir/apache-logs-dir
 fi
+ info "Copying php var directory"
+ # PhpMyAdmin will fail to start if the php var folder is not populated
+ if ! is_dir_empty /opt/bitnami/php/var; then
+ cp -r /opt/bitnami/php/var /emptydir/php-var-dir
+ fi
 info "Copy operation completed"
 volumeMounts:
 - name: empty-dir
diff --git a/bitnami/phpmyadmin/values.yaml b/bitnami/phpmyadmin/values.yaml
index 78511e89ea5623..cdc242eae5a80d 100644
--- a/bitnami/phpmyadmin/values.yaml
+++ b/bitnami/phpmyadmin/values.yaml
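Review bot: The copy into `/emptydir/php-var-dir` only has an effect if the main container mounts the `empty-dir` volume back at `/opt/bitnami/php/var` with `subPath: php-var-dir`; that mount is not part of this hunk, so please confirm it exists in the container's `volumeMounts` (outside this chunk), otherwise the files are copied and never used and the start-up failure the commit fixes persists under `readOnlyRootFilesystem: true`. When the directory is empty in the image the branch is skipped and the subPath directory is created empty by the kubelet, which mirrors the apache-logs case just above, so no extra handling is needed there. The new comment could name the product the way the README does, `# phpMyAdmin will fail to start if the php var folder is not populated`, and a word on what lives there (e.g. session and run files, if that is what the image uses) would explain why it must be writable. The init container's script starts and ends outside the hunk.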
@@ -188,7 +188,7 @@ replicas: 1
 ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
-resourcesPreset: "small"
+resourcesPreset: "micro"
 ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources: