From 1164ac38c12db9d579e4c6abc39a7488667c587f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?=
Date: Tue, 10 Dec 2024 12:42:18 +0100
Subject: [PATCH 1/2] [bitnami/common] New helper to detect non-standard images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Carlos Rodríguez Hernández
---
 bitnami/common/Chart.yaml | 4 +-
 bitnami/common/templates/_errors.tpl | 59 +++++++++++++++++++++++++++-
 2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/bitnami/common/Chart.yaml b/bitnami/common/Chart.yaml
index 320b12cea90165..0aec83e0b3ecf6 100644
--- a/bitnami/common/Chart.yaml
+++ b/bitnami/common/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
 licenses: Apache-2.0
 apiVersion: v2
 # Please make sure that version and appVersion are always the same.
-appVersion: 2.27.2
+appVersion: 2.28.0
 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
 home: https://bitnami.com
 icon: https://bitnami.com/downloads/logos/bitnami-mark.png
@@ -23,4 +23,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/common
 type: library
-version: 2.27.2
+version: 2.28.0
diff --git a/bitnami/common/templates/_errors.tpl b/bitnami/common/templates/_errors.tpl
index e9653651936c2e..93f3ffc9bed242 100644
--- a/bitnami/common/templates/_errors.tpl
+++ b/bitnami/common/templates/_errors.tpl
@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0
 {{/* vim: set filetype=mustache: */}}
 {{/*
-Through error when upgrading using empty passwords values that must not be empty.
+Throw error when upgrading using empty passwords values that must not be empty.
 Usage:
 {{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
@@ -26,3 +26,60 @@ Required password params:
 {{- printf $errorString $validationErrors | fail -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Throw error when original container images are replaced.
+The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
+a warning message will be shown instead.
+
+Usage:
+{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
+*/}}
+{{- define "common.errors.insecureImages" -}}
+{{- $relocatedImages := list -}}
+{{- $replacedImages := list -}}
+{{- $retaggedImages := list -}}
+{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
+{{- $originalImages := .context.Chart.Annotations.images -}}
+{{- range .images -}}
+ {{- $registryName := default .registry $globalRegistry -}}
+ {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
+ {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
+ {{- if not (contains $fullImageNameNoTag $originalImages) -}}
+ {{- if not (contains $registryName $originalImages) -}}
+ {{- $relocatedImages = append $relocatedImages $fullImageName -}}
+ {{- else if not (contains .repository $originalImages) -}}
+ {{- $replacedImages = append $replacedImages $fullImageName -}}
+ {{- end -}}
+ {{- end -}}
+ {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
+ {{- $retaggedImages = append $retaggedImages $fullImageName -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
+ {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
+{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
+ {{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
+ {{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
+ {{- range (concat $relocatedImages $replacedImages) -}}
+ {{- $errorString = print $errorString "\n - " . -}}
+ {{- end -}}
+ {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}}
+ {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
+ {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
+ {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
+ {{- print $errorString | fail -}}
+ {{- else if gt (len $replacedImages) 0 -}}
+ {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
+ {{- print $errorString -}}
+ {{- end -}}
+{{- else if gt (len $retaggedImages) 0 -}}
+ {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}}
+ {{- $warnString = print $warnString "\n\nRetagged images:" -}}
+ {{- range $retaggedImages -}}
+ {{- $warnString = print $warnString "\n - " . -}}
+ {{- end -}}
+ {{- print $warnString -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
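Review bot: The image verification in `common.errors.insecureImages` is a plain substring search over the raw `images` annotation, so `contains $fullImageNameNoTag $originalImages` accepts any registry/repository that is merely a prefix of a listed image (constructed example: a `repository` of `bitnami/redi` is not flagged when the annotation lists `docker.io/bitnami/redis:<TAG>`), and the `.repository` and `printf "%s:%s" .repository .tag` lookups have the same weakness. If the annotation always lists images as `registry/repository:tag`, anchoring the no-tag lookup on the separator, `{{- if not (contains (printf "%s:" $fullImageNameNoTag) $originalImages) -}}`, closes the prefix case; splitting the annotation into entries and comparing exactly would be stricter still. The bypass branch that prints the `⚠ SECURITY WARNING` when `global.security.allowInsecureImages` is set does not name the substituted images, unlike the error and retag branches, so the rendered output loses the one fact an operator needs to audit the override — appending the `(concat $relocatedImages $replacedImages)` entries there as well would fix that. Finally, `.context.Chart.Annotations.images` goes straight into `contains`; for a chart without that annotation the argument is nil and, as far as I can tell, rendering fails on a type error instead of a readable message, so a `default ""` on `$originalImages` or an explicit guard is worth adding.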
From 4cd3e47d1876fc0fdfdb579f2b7c50c758c86885 Mon Sep 17 00:00:00 2001
From: Bitnami Containers
Date: Tue, 10 Dec 2024 11:46:43 +0000
Subject: [PATCH 2/2] Update CHANGELOG.md
Signed-off-by: Bitnami Containers
---
 bitnami/common/CHANGELOG.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/bitnami/common/CHANGELOG.md b/bitnami/common/CHANGELOG.md
index 0370678023af17..07144e7be07aae 100644
--- a/bitnami/common/CHANGELOG.md
+++ b/bitnami/common/CHANGELOG.md
@@ -1,8 +1,13 @@
 # Changelog
-## 2.27.2 (2024-11-27)
+## 2.28.0 (2024-12-10)
-* [bitnami/common]: bump patch version ([#30639](https://github.com/bitnami/charts/pull/30639))
+* [bitnami/common] New helper to detect non-standard images ([#30851](https://github.com/bitnami/charts/pull/30851))
+
+## 2.27.2 (2024-11-27)
+
+* [bitnami/common] Fix appVersion (#30628) ([b87d39e](https://github.com/bitnami/charts/commit/b87d39e27a0889c74b20c3d2fe5ae0c4a2417bfd)), closes [#30628](https://github.com/bitnami/charts/issues/30628)
+* [bitnami/common]: bump patch version (#30639) ([623e584](https://github.com/bitnami/charts/commit/623e5846ff827b7ecbcffa2dc51e2e94b14ef8fd)), closes [#30639](https://github.com/bitnami/charts/issues/30639)
 ## 2.27.1 (2024-11-26)