From cec7b82e3d97e0619df1ad89fc07c07037ea0788 Mon Sep 17 00:00:00 2001
From: David Gomez
Date: Tue, 2 Apr 2024 16:04:44 +0200
Subject: [PATCH 01/10] [bitnami/magento] Update MariaDB to branch 11.3
Signed-off-by: David Gomez
---
 bitnami/magento/Chart.lock | 10 +++++-----
 bitnami/magento/Chart.yaml | 4 ++--
 bitnami/magento/README.md | 4 ++++
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/bitnami/magento/Chart.lock b/bitnami/magento/Chart.lock
index 610130e42d0450..1f39983ac5cd38 100644
--- a/bitnami/magento/Chart.lock
+++ b/bitnami/magento/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: mariadb
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 15.2.3
+ version: 18.0.0
 - name: elasticsearch
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 19.19.3
+ version: 19.21.2
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.18.0
-digest: sha256:a03226f45b598fca0e40f8804aa3fe287ff7ec4fc7100195b467535bbe180163
-generated: "2024-03-05T14:34:42.174163373+01:00"
+ version: 2.19.1
+digest: sha256:087870a6e3441e213429716db6ef9eaf5eb260e3314f4f2dfc89057c53faf9b0
+generated: "2024-04-02T16:04:22.095392+02:00"
diff --git a/bitnami/magento/Chart.yaml b/bitnami/magento/Chart.yaml
index 021ced065b06c8..83a6b2a76e4975 100644
--- a/bitnami/magento/Chart.yaml
+++ b/bitnami/magento/Chart.yaml
@@ -23,7 +23,7 @@ dependencies:
 repository: oci://registry-1.docker.io/bitnamicharts
 tags:
 - magento-database
- version: 15.x.x
+ version: 18.x.x
 - condition: elasticsearch.enabled
 name: elasticsearch
 repository: oci://registry-1.docker.io/bitnamicharts
@@ -48,4 +48,4 @@ maintainers:
 name: magento
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/magento
-version: 25.5.0
+version: 26.0.0
diff --git a/bitnami/magento/README.md b/bitnami/magento/README.md
index abf22a82777ce1..1d94a9d908986e 100644
--- a/bitnami/magento/README.md
+++ b/bitnami/magento/README.md
@@ -600,6 +600,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Notable changes +### To 26.0.0 + +This major release bumps the and MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade. + ### To 23.0.0 This major release bumps the MariaDB version to 10.6. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading/) for upgrading to MariaDB 10.6. No major issues are expected during the upgrade. From da5356dc7e7a39678c7cad1496f975a30b06404f Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Tue, 2 Apr 2024 16:37:10 +0200 Subject: [PATCH 02/10] [bitnami/magento] feat!: :lock: :boom: Improve security defaults Signed-off-by: Javier Salmeron Garcia --- .vib/magento/vib-action.config | 1 + bitnami/magento/Chart.lock | 6 +- bitnami/magento/Chart.yaml | 2 +- bitnami/magento/README.md | 132 +++++----- bitnami/magento/templates/_helpers.tpl | 11 + bitnami/magento/templates/deployment.yaml | 8 +- .../networkpolicy-backend-ingress.yaml | 80 ------ .../templates/networkpolicy-egress.yaml | 35 --- .../templates/networkpolicy-ingress.yaml | 63 ----- bitnami/magento/templates/networkpolicy.yaml | 90 +++++++ bitnami/magento/values.yaml | 242 +++++++++++------- 11 files changed, 327 insertions(+), 343 deletions(-) create mode 100644 .vib/magento/vib-action.config delete mode 100644 bitnami/magento/templates/networkpolicy-backend-ingress.yaml delete mode 100644 bitnami/magento/templates/networkpolicy-egress.yaml delete mode 100644 bitnami/magento/templates/networkpolicy-ingress.yaml create mode 100644 bitnami/magento/templates/networkpolicy.yaml diff --git a/.vib/magento/vib-action.config b/.vib/magento/vib-action.config new file mode 100644 index 00000000000000..98dc98a97ebe2a --- /dev/null +++ b/.vib/magento/vib-action.config @@ -0,0 +1 @@ +verification-mode=SERIAL \ No newline at end of file 
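Review bot: The new `.vib/magento/vib-action.config` is written without a trailing newline (`\ No newline at end of file` on its only line); terminating `verification-mode=SERIAL` with a newline avoids a later appended key being glued onto that line and keeps future diffs of the file clean. If the format accepts comments, a one-line note on why this chart needs serial verification would help the next person who edits it; otherwise the commit message is the place for that rationale.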
diff --git a/bitnami/magento/Chart.lock b/bitnami/magento/Chart.lock
index 1f39983ac5cd38..144103b322fa5d 100644
--- a/bitnami/magento/Chart.lock
+++ b/bitnami/magento/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
 version: 18.0.0
 - name: elasticsearch
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 19.21.2
+ version: 20.0.1
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 2.19.1
-digest: sha256:087870a6e3441e213429716db6ef9eaf5eb260e3314f4f2dfc89057c53faf9b0
-generated: "2024-04-02T16:04:22.095392+02:00"
+digest: sha256:6ac1ef1f7d9e56775e492722e94ffd21fd88240500c2e25ef3eaafaeb30349a7
+generated: "2024-04-02T16:35:08.972929184+02:00"
diff --git a/bitnami/magento/Chart.yaml b/bitnami/magento/Chart.yaml
index 83a6b2a76e4975..bd9668f8411978 100644
--- a/bitnami/magento/Chart.yaml
+++ b/bitnami/magento/Chart.yaml
@@ -27,7 +27,7 @@ dependencies:
 - condition: elasticsearch.enabled
 name: elasticsearch
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 19.x.x
+ version: 20.x.x
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
 tags:
diff --git a/bitnami/magento/README.md b/bitnami/magento/README.md
index 1d94a9d908986e..7ab186cea79e72 100644
--- a/bitnami/magento/README.md
+++ b/bitnami/magento/README.md
@@ -265,12 +265,12 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -348,8 +348,9 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Magento pods' group ID | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | 
@@ -383,65 +384,67 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per ### NetworkPolicy parameters -| Name | Description | Value | -| ------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | magento Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | magento Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` | -| `networkPolicy.ingress.namespaceSelector` | magento Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` | -| `networkPolicy.ingress.podSelector` | magento Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` | -| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb, elasticsearch) only accessible by magento's pods. | `false` | -| `networkPolicy.ingressRules.customBackendSelector` | magento Backend selector labels. These labels will be used to identify the backend pods. | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes magento only accessible from a particular origin | `false` | -| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | magento Namespace selector label that is allowed to access magento. This label will be used to identified the allowed namespace(s). 
| `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | magento Pods selector label that is allowed to access magento. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.customRules` | magento Custom network policy ingress rule | `{}` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | magento Custom network policy rule | `{}` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Database parameters -| Name | Description | Value | -| ------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------- | -| `mariadb.enabled` | Whether to deploy a mariadb server to satisfy the applications database requirements. | `true` | -| `mariadb.image.registry` | MariaDB image registry | `REGISTRY_NAME` | -| `mariadb.image.repository` | MariaDB image repository | `REPOSITORY_NAME/mariadb` | -| `mariadb.image.digest` | MariaDB image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `mariadb.architecture` | MariaDB architecture. Allowed values: `standalone` or `replication` | `standalone` | -| `mariadb.auth.rootPassword` | Password for the MariaDB `root` user | `""` | -| `mariadb.auth.database` | Database name to create | `bitnami_magento` | -| `mariadb.auth.username` | Database user to create | `bn_magento` | -| `mariadb.auth.password` | Password for the database | `""` | -| `mariadb.primary.persistence.enabled` | Enable database persistence using PVC | `true` | -| `mariadb.primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | -| `mariadb.primary.persistence.accessModes` | Database Persistent Volume Access Modes | `["ReadWriteOnce"]` | -| `mariadb.primary.persistence.size` | Database Persistent Volume Size | `8Gi` | -| `mariadb.primary.persistence.hostPath` | Set path in case you want to use local host path volumes (not recommended in production) | `""` | -| `mariadb.primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | -| `externalDatabase.host` | Host of the existing database | `""` | -| `externalDatabase.port` | Port of the existing database | `3306` | -| `externalDatabase.user` | Existing username in the external db | `bn_magento` | -| `externalDatabase.password` | Password for the above username | `""` | -| `externalDatabase.database` | Name of the existing database | `bitnami_magento` | -| `externalDatabase.existingSecret` | Name of an existing secret resource containing the DB password | `""` | +| Name | Description | Value | +| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `mariadb.enabled` | Whether to deploy a 
mariadb server to satisfy the applications database requirements. | `true` | +| `mariadb.image.registry` | MariaDB image registry | `REGISTRY_NAME` | +| `mariadb.image.repository` | MariaDB image repository | `REPOSITORY_NAME/mariadb` | +| `mariadb.image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `mariadb.architecture` | MariaDB architecture. Allowed values: `standalone` or `replication` | `standalone` | +| `mariadb.auth.rootPassword` | Password for the MariaDB `root` user | `""` | +| `mariadb.auth.database` | Database name to create | `bitnami_magento` | +| `mariadb.auth.username` | Database user to create | `bn_magento` | +| `mariadb.auth.password` | Password for the database | `""` | +| `mariadb.primary.persistence.enabled` | Enable database persistence using PVC | `true` | +| `mariadb.primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | +| `mariadb.primary.persistence.accessModes` | Database Persistent Volume Access Modes | `["ReadWriteOnce"]` | +| `mariadb.primary.persistence.size` | Database Persistent Volume Size | `8Gi` | +| `mariadb.primary.persistence.hostPath` | Set path in case you want to use local host path volumes (not recommended in production) | `""` | +| `mariadb.primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | +| `mariadb.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). 
| `micro` | +| `mariadb.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalDatabase.host` | Host of the existing database | `""` | +| `externalDatabase.port` | Port of the existing database | `3306` | +| `externalDatabase.user` | Existing username in the external db | `bn_magento` | +| `externalDatabase.password` | Password for the above username | `""` | +| `externalDatabase.database` | Name of the existing database | `bitnami_magento` | +| `externalDatabase.existingSecret` | Name of an existing secret resource containing the DB password | `""` | ### Elasticsearch parameters -| Name | Description | Value | -| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ------------------------------- | -| `elasticsearch.enabled` | Whether to deploy a elasticsearch server to use as magento's search engine | `true` | -| `elasticsearch.image.registry` | Elasticsearch image registry | `REGISTRY_NAME` | -| `elasticsearch.image.repository` | Elasticsearch image repository | `REPOSITORY_NAME/elasticsearch` | -| `elasticsearch.image.digest` | Elasticsearch image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `elasticsearch.sysctlImage.enabled` | Enable kernel settings modifier image for Elasticsearch | `true` | -| `elasticsearch.master.replicaCount` | Desired number of Elasticsearch master-eligible nodes | `1` | -| `elasticsearch.coordinating.replicaCount` | Desired number of Elasticsearch coordinating-only nodes | `1` | -| `elasticsearch.data.replicaCount` | Desired number of Elasticsearch data nodes | `1` | -| `elasticsearch.ingest.replicaCount` | Desired number of Elasticsearch ingest nodes | `1` | -| `externalElasticsearch.host` | Host of the external elasticsearch server | `""` | -| `externalElasticsearch.port` | Port of the external elasticsearch server | `""` | +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------- | +| `elasticsearch.enabled` | Whether to deploy a elasticsearch server to use as magento's search engine | `true` | +| `elasticsearch.image.registry` | Elasticsearch image registry | `REGISTRY_NAME` | +| `elasticsearch.image.repository` | Elasticsearch image repository | `REPOSITORY_NAME/elasticsearch` | +| `elasticsearch.image.digest` | Elasticsearch image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `elasticsearch.sysctlImage.enabled` | Enable kernel settings modifier image for Elasticsearch | `true` | +| `elasticsearch.master.replicaCount` | Desired number of Elasticsearch master-eligible nodes | `1` | +| `elasticsearch.master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). 
This is ignored if master.resources is set (master.resources is recommended for production). | `small` | +| `elasticsearch.master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `elasticsearch.coordinating.replicaCount` | Desired number of Elasticsearch coordinating-only nodes | `1` | +| `elasticsearch.coordinating.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if coordinating.resources is set (coordinating.resources is recommended for production). | `small` | +| `elasticsearch.coordinating.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `elasticsearch.data.replicaCount` | Desired number of Elasticsearch data nodes | `1` | +| `elasticsearch.data.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if data.resources is set (data.resources is recommended for production). | `medium` | +| `elasticsearch.data.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `elasticsearch.ingest.replicaCount` | Desired number of Elasticsearch ingest nodes | `1` | +| `elasticsearch.ingest.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if ingest.resources is set (ingest.resources is recommended for production). 
| `small` | +| `elasticsearch.ingest.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalElasticsearch.host` | Host of the external elasticsearch server | `""` | +| `externalElasticsearch.port` | Port of the external elasticsearch server | `""` | ### Persistence parameters @@ -675,7 +678,14 @@ You can disable the initContainer using the `elasticsearch.sysctlImage.enabled=f ### To 24.0.0 -This major release bumps the MariaDB version to 11.1. No major issues are expected during the upgrade. +This major bump changes the following security defaults: + +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. +- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`. +- MariaDB version bumped to 11.1 + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 22.0.0 diff --git a/bitnami/magento/templates/_helpers.tpl b/bitnami/magento/templates/_helpers.tpl index 1fe7564b4d8707..3b9bbce6fcf2c8 100644 --- a/bitnami/magento/templates/_helpers.tpl +++ b/bitnami/magento/templates/_helpers.tpl 
@@ -37,6 +37,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name "elasticsearch" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+{{/*
+Return Elasticsearch port
+*/}}
+{{- define "magento.elasticsearch.port" -}}
+{{- if .Values.elasticsearch.enabled -}}
+ {{- print .Values.elasticsearch.service.ports.restAPI -}}
+{{- else -}}
+ {{- print .Values.externalElasticsearch.port -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Get the user defined LoadBalancerIP for this release.
 Note, returns 127.0.0.1 if using ClusterIP.
diff --git a/bitnami/magento/templates/deployment.yaml b/bitnami/magento/templates/deployment.yaml
index f44ad07b0db2d2..d1c7c390681aaf 100644
--- a/bitnami/magento/templates/deployment.yaml
+++ b/bitnami/magento/templates/deployment.yaml
@@ -148,13 +148,7 @@ spec:
 value: ""
 {{- end }}
 - name: ELASTICSEARCH_PORT_NUMBER
- {{- if .Values.elasticsearch.enabled }}
- value: "9200"
- {{- else if .Values.externalElasticsearch.port }}
- value: {{ .Values.externalElasticsearch.port | quote }}
- {{- else }}
- value: ""
- {{- end }}
+ value: {{ include "magento.elasticsearch.port" . | quote }}
 - name: MAGENTO_SKIP_BOOTSTRAP
 value: {{ ternary "yes" "no" .Values.magentoSkipInstall | quote }}
 {{- $port:=.Values.service.ports.http | toString }}
diff --git a/bitnami/magento/templates/networkpolicy-backend-ingress.yaml b/bitnami/magento/templates/networkpolicy-backend-ingress.yaml
deleted file mode 100644
index 0e86a37764a18d..00000000000000
--- a/bitnami/magento/templates/networkpolicy-backend-ingress.yaml
+++ /dev/null
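Review bot: The `else` branch of the new `magento.elasticsearch.port` helper prints `.Values.externalElasticsearch.port` as-is, whereas the deployment.yaml branch it replaces in this same commit emitted `""` whenever that value was empty; with Go's `print`, a value that is null rather than `""` would, as far as I can tell, render as the literal `<nil>` and travel through `quote` into ELASTICSEARCH_PORT_NUMBER. Guarding the fallback keeps the previous contract: `{{- print (.Values.externalElasticsearch.port | default "") -}}`. The header comment could also state the selection rule, e.g. `Return the Elasticsearch REST port: the subchart's service.ports.restAPI when elasticsearch.enabled, otherwise externalElasticsearch.port`. The deployment.yaml hunk below consumes the helper and inherits whichever behavior is settled here.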
@@ -1,80 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-backend-mariadb" (include "common.names.fullname" .) }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} - {{- else }} - app.kubernetes.io/name: mariadb - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - ingress: - - from: - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} -{{- end }} -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} ---- -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-backend-elasticseach" (include "common.names.fullname" .) 
}} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} - {{- else }} - app.kubernetes.io/name: elasticsearch - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - ingress: - - from: - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} -{{- end }} -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} ---- -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-backend-elasticseach-nodes" (include "common.names.fullname" .) }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} - {{- else }} - app.kubernetes.io/name: elasticsearch - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: elasticsearch - app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} 
diff --git a/bitnami/magento/templates/networkpolicy-egress.yaml b/bitnami/magento/templates/networkpolicy-egress.yaml deleted file mode 100644 index c7957a5c25c526..00000000000000 --- a/bitnami/magento/templates/networkpolicy-egress.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/instance: {{ .Release.Name }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/bitnami/magento/templates/networkpolicy-ingress.yaml b/bitnami/magento/templates/networkpolicy-ingress.yaml deleted file mode 100644 index cf31f0e14a0921..00000000000000 --- a/bitnami/magento/templates/networkpolicy-ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - ingress: - {{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingress.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingress.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} 
- - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/bitnami/magento/templates/networkpolicy.yaml b/bitnami/magento/templates/networkpolicy.yaml new file mode 100644 index 00000000000000..b593e2506ae234 --- /dev/null +++ b/bitnami/magento/templates/networkpolicy.yaml 
@@ -0,0 +1,90 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to MariaDB + - ports: + - port: {{ include "magento.databasePort" . }} + {{- if .Values.mariadb.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: mariadb + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + # Allow outbound connections to Elasticsearch + - ports: + - port: {{ include "magento.elasticsearch.port" . 
| int }} + {{- if .Values.elasticsearch.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.containerPorts.https }} + {{- range .Values.extraContainerPorts }} + - port: {{ . }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/magento/values.yaml b/bitnami/magento/values.yaml index 33ba522d1dd8d8..3a47688bed94ad 100644 --- a/bitnami/magento/values.yaml +++ b/bitnami/magento/values.yaml 
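Review bot: The ingress rule at the end of the new networkpolicy.yaml only opens `containerPorts.http`, `containerPorts.https` and `extraContainerPorts`, so with `networkPolicy.enabled` now defaulting to true a scrape of a metrics exporter sidecar would be dropped by this policy — the deleted networkpolicy-ingress.yaml gated a dedicated rule on `.Values.metrics.enabled`, and nothing in the new file replaces it. If the chart still ships a metrics sidecar, add a guarded entry next to the https port, e.g. `{{- if .Values.metrics.enabled }} - port: {{ <METRICS_CONTAINER_PORT_VALUE> }} {{- end }}` (the exact values key is not visible in this diff). Separately, the MariaDB egress uses `port: {{ include "magento.databasePort" . }}` while the Elasticsearch one pipes through `| int`; should the database helper ever render a quoted string, Kubernetes would treat it as a named port and silently block DB egress under `allowExternalEgress=false`, so apply `| int` to both for consistency.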
@@ -26,7 +26,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) @@ -319,6 +319,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -328,8 +329,9 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true privileged: false readOnlyRootFilesystem: false 
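Review bot: `runAsGroup: 0` is introduced in the third hunk right below `runAsUser: 1001` with no explanation, next to `runAsNonRoot: true`, and a reader hardening the chart cannot tell whether gid 0 is a requirement of the image or an oversight. Presumably it is needed because the container's writable paths are group-owned by root; if so, say it in the values comment, e.g. `## Group 0 (root group) is kept so the non-root process can write to paths the image leaves group-writable; confirm before changing` above the `runAsGroup: 0` line. The `seLinuxOptions: null` to `{}` change in the same hunk is fine as-is.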
@@ -408,100 +410,61 @@ podAnnotations: {} podLabels: {} ## @section NetworkPolicy parameters -## Add networkpolicies +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector magento Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector magento Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. - ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies - ## @param networkPolicy.ingress.namespaceSelector magento Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. - ## @param networkPolicy.ingress.podSelector magento Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. - ## - ingress: - enabled: false - ## e.g: - ## podSelector: - ## label: ingress - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb, elasticsearch) only accessible by magento's pods. 
- ## @param networkPolicy.ingressRules.customBackendSelector magento Backend selector labels. These labels will be used to identify the backend pods. - ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes magento only accessible from a particular origin - ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector magento Namespace selector label that is allowed to access magento. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector magento Pods selector label that is allowed to access magento. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.customRules magento Custom network policy ingress rule - ## - ingressRules: - ## mariadb and elacticsearch backends only can be accessed from magento - ## - backendOnlyAccessibleByFrontend: false - ## Additional custom backend selector - ## e.g: - ## customBackendSelector: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customBackendSelector: {} - ## Allow only from the indicated: - ## - accessOnlyFrom: - enabled: false - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: access - ## - namespaceSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules magento Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. 
- denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Database parameters ## MariaDB chart configuration 
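Review bot: The `@param networkPolicy.extraEgress` description says `Add extra ingress rules to the NetworkPolicy` — a copy of the extraIngress line — and the extraIngress one misspells the resource as `NetworkPolice`; since readme-generator turns these into the README table, fix both: `## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy` and `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy`. The examples under both params write `- podSelector: - matchLabels: - role: frontend`, i.e. matchLabels as a list; a user who copies that literally will most likely get a selector the API server rejects, so the example should use the map form `podSelector: matchLabels: role: frontend`. It is also worth stating next to `allowExternal: true` and `allowExternalEgress: true` that with both defaults the generated policy restricts inbound traffic only by port and does not restrict egress at all, so the hardening benefit only materialises once they are set to false.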
@@ -574,6 +537,27 @@ mariadb: ## Use an existing PVC ## existingClaim: "" + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## External database configuration ## externalDatabase: 
@@ -626,21 +610,93 @@ elasticsearch: ## master: replicaCount: 1 + ## Elasticsearch resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param elasticsearch.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param elasticsearch.master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Elasticsearch coordinating-only node parameters ## @param elasticsearch.coordinating.replicaCount Desired number of Elasticsearch coordinating-only nodes ## coordinating: replicaCount: 1 + ## Elasticsearch resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param elasticsearch.coordinating.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if coordinating.resources is set (coordinating.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param elasticsearch.coordinating.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Elasticsearch data node parameters ## @param elasticsearch.data.replicaCount Desired number of Elasticsearch data nodes ## data: replicaCount: 1 + ## Elasticsearch resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param elasticsearch.data.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if data.resources is set (data.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "medium" + ## @param elasticsearch.data.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Elasticsearch ingest node parameters ## @param elasticsearch.ingest.replicaCount Desired number of Elasticsearch ingest nodes ## ingest: replicaCount: 1 + ## Elasticsearch resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param elasticsearch.ingest.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). 
This is ignored if ingest.resources is set (ingest.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param elasticsearch.ingest.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## External elasticsearch configuration ## externalElasticsearch: From fd03a019aa5805aa7f4c12fddcf0af2e02dbe553 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Wed, 3 Apr 2024 11:20:37 +0200 Subject: [PATCH 03/10] docs: :memo: Improve MariaDB update notes Signed-off-by: Javier Salmeron Garcia --- bitnami/magento/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bitnami/magento/README.md b/bitnami/magento/README.md index 7ab186cea79e72..d97fb4b4b0bde6 100644 --- a/bitnami/magento/README.md +++ b/bitnami/magento/README.md 
@@ -683,10 +683,11 @@ This major bump changes the following security defaults: - `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). - `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. - The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`. -- MariaDB version bumped to 11.1 This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. +Also, this major release bumps the MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade. + ### To 22.0.0 This major release bumps the MariaDB version to 10.11. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for upgrading from MariaDB 10.6 to 10.11. No major issues are expected during the upgrade. From 2b0e8542d8bc0dc258003766a7cd061ea43f0155 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Wed, 3 Apr 2024 11:57:34 +0200 Subject: [PATCH 04/10] fix: :bug: Use .containerPort in networkPolicy Signed-off-by: Javier Salmeron Garcia --- bitnami/magento/templates/networkpolicy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/magento/templates/networkpolicy.yaml b/bitnami/magento/templates/networkpolicy.yaml index b593e2506ae234..6b981422cd2c36 100644 --- a/bitnami/magento/templates/networkpolicy.yaml +++ b/bitnami/magento/templates/networkpolicy.yaml 
@@ -60,7 +60,7 @@ spec: - port: {{ .Values.containerPorts.http }} - port: {{ .Values.containerPorts.https }} {{- range .Values.extraContainerPorts }} - - port: {{ . }} + - port: {{ .containerPort }} {{- end }} {{- if not .Values.networkPolicy.allowExternal }} from: From 017cda078d63cd5805b547d9863cc20f9d2c9327 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Wed, 3 Apr 2024 17:24:07 +0200 Subject: [PATCH 05/10] fix: :wrench: Add missing resource preset Signed-off-by: Javier Salmeron Garcia --- bitnami/magento/README.md | 2 +- bitnami/magento/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/magento/README.md b/bitnami/magento/README.md index d97fb4b4b0bde6..0109e6962731be 100644 --- a/bitnami/magento/README.md +++ b/bitnami/magento/README.md @@ -340,7 +340,7 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per | `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | | `affinity` | Affinity for pod assignment | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `podSecurityContext.enabled` | Enable Magento pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
diff --git a/bitnami/magento/values.yaml b/bitnami/magento/values.yaml index 3a47688bed94ad..e4cf8482af2f0b 100644 --- a/bitnami/magento/values.yaml +++ b/bitnami/magento/values.yaml @@ -288,7 +288,7 @@ nodeSelector: {} ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "small" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: From bb729b4271da2bddb3c0dcf735ba11742f310d6e Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Thu, 4 Apr 2024 08:02:04 +0000 Subject: [PATCH 06/10] Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --- bitnami/magento/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bitnami/magento/README.md b/bitnami/magento/README.md index 35a2351655ab70..acf813851c956d 100644 --- a/bitnami/magento/README.md +++ b/bitnami/magento/README.md 
@@ -340,7 +340,7 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per | `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | | `affinity` | Affinity for pod assignment | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `podSecurityContext.enabled` | Enable Magento pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -348,8 +348,9 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Magento pods' group ID | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | From f838a31a8a9c5b09ca5e5288d9b37a2abe834c95 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Thu, 4 Apr 2024 13:15:04 +0200 Subject: [PATCH 07/10] chore: :arrow_up: Bump elasticsearch subchart Signed-off-by: Javier Salmeron Garcia --- bitnami/magento/Chart.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bitnami/magento/Chart.lock b/bitnami/magento/Chart.lock index 144103b322fa5d..2b8755a132ec34 100644 --- a/bitnami/magento/Chart.lock +++ b/bitnami/magento/Chart.lock 
@@ -1,12 +1,12 @@ dependencies: - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 18.0.0 + version: 18.0.1 - name: elasticsearch repository: oci://registry-1.docker.io/bitnamicharts - version: 20.0.1 + version: 20.0.2 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.19.1 -digest: sha256:6ac1ef1f7d9e56775e492722e94ffd21fd88240500c2e25ef3eaafaeb30349a7 -generated: "2024-04-02T16:35:08.972929184+02:00" +digest: sha256:df139ceb0fa0567a601c5294902f7b1629cdbc3641ea23bee88479b2dacaa049 +generated: "2024-04-04T13:14:38.519751044+02:00" From 0063a97ebc70694452766be5057642be22446e7a Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Thu, 4 Apr 2024 13:35:44 +0200 Subject: [PATCH 08/10] fix: :lock: Do not share same readiness/liveness probe Signed-off-by: Javier Salmeron Garcia --- bitnami/magento/templates/deployment.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/bitnami/magento/templates/deployment.yaml b/bitnami/magento/templates/deployment.yaml index d1c7c390681aaf..a1c61a19a0174d 100644 --- a/bitnami/magento/templates/deployment.yaml +++ b/bitnami/magento/templates/deployment.yaml @@ -218,12 +218,8 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: /index.php + tcpSocket: port: http - httpHeaders: - - name: Host - value: {{ include "magento.host" . | quote }} {{- end }} {{- if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} From 37b477776ea1892dcd27d1f11f796b4e4582efbc Mon Sep 17 00:00:00 2001 
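Review bot: The liveness probe in the deployment.yaml hunk is switched from an HTTP GET on `/index.php` (with the `magento.host` Host header) to a bare `tcpSocket` on port `http` without a comment on why, so the next maintainer may "fix" it back. A TCP check only proves the socket accepts connections: a wedged PHP worker pool or a misconfigured base URL would no longer restart the pod, which is presumably the intent (the commit title says the two probes should not be shared), while the readiness probe — outside this hunk — is assumed to keep the HTTP check. Add a template comment above `tcpSocket:` such as `{{- /* Liveness is TCP-only on purpose: application-level failures are surfaced by the readiness probe, not by restarts */}}`.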
From: Javier Salmeron Garcia Date: Thu, 4 Apr 2024 16:13:47 +0200 Subject: [PATCH 09/10] chore: :wrench: Bump instance size Signed-off-by: Javier Salmeron Garcia --- bitnami/magento/README.md | 2 +- bitnami/magento/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/magento/README.md b/bitnami/magento/README.md index acf813851c956d..3ab44f670d14c9 100644 --- a/bitnami/magento/README.md +++ b/bitnami/magento/README.md @@ -340,7 +340,7 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per | `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | | `affinity` | Affinity for pod assignment | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `medium` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `podSecurityContext.enabled` | Enable Magento pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | diff --git a/bitnami/magento/values.yaml b/bitnami/magento/values.yaml index 98adc561b619d6..0ab5d90a86e3d1 100644 --- a/bitnami/magento/values.yaml +++ b/bitnami/magento/values.yaml 
@@ -288,7 +288,7 @@ nodeSelector: {} ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "small" +resourcesPreset: "medium" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: From d0b6e06738be54d17ccbe355f03c068d6fa0a7a8 Mon Sep 17 00:00:00 2001 From: Javier Salmeron Garcia Date: Thu, 4 Apr 2024 17:17:39 +0200 Subject: [PATCH 10/10] test: :white_check_mark: Increase timeout Signed-off-by: Javier Salmeron Garcia --- .vib/magento/cypress/cypress/e2e/magento.cy.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.vib/magento/cypress/cypress/e2e/magento.cy.js b/.vib/magento/cypress/cypress/e2e/magento.cy.js index 9d855a5cf467e1..5ffda5e3b798af 100644 --- a/.vib/magento/cypress/cypress/e2e/magento.cy.js +++ b/.vib/magento/cypress/cypress/e2e/magento.cy.js @@ -19,7 +19,7 @@ it('allows admin to add a product to the store', () => { cy.contains('Salable Quantity'); cy.contains('Add Product').click(); cy.fixture('products').then((product) => { - cy.get('[name="product[name]"]').type( + cy.get('[name="product[name]"]', {timeout: 60000}).type( `${product.newProduct.productName}.${random}` ); cy.get('[name="product[price]"]').type(product.newProduct.price); 
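Review bot: The 60000 ms timeout is hard-coded inline in `cy.get('[name="product[name]"]', {timeout: 60000})` here and again in the `#menu-magento-catalog-catalog` hunk at line 30; hoist it once, e.g. `const SAVE_TIMEOUT = 60000;` near the top of the spec and pass `{ timeout: SAVE_TIMEOUT }` in both places, so the next bump edits one line. The surrounding `it(...)` block starts and ends outside both hunks.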
@@ -30,7 +30,7 @@ it('allows admin to add a product to the store', () => { }); cy.get('.product-image').should('be.visible'); cy.get('#save-button').click(); - cy.get('#menu-magento-catalog-catalog').click(); + cy.get('#menu-magento-catalog-catalog', {timeout: 60000}).click(); cy.contains('Products').click(); cy.fixture('products').then((product) => { cy.contains(`${product.newProduct.productName}.${random}`);