From 5b5068bc5ccf46e291e4b2a81b30fe805b2c8716 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 16:57:37 +0100 Subject: [PATCH 1/4] [bitnami/etcd] Detect non-standard images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/etcd/Chart.lock | 6 +++--- bitnami/etcd/Chart.yaml | 2 +- bitnami/etcd/README.md | 4 ++++ bitnami/etcd/templates/NOTES.txt | 2 +- bitnami/etcd/values.yaml | 5 +++++ 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/bitnami/etcd/Chart.lock b/bitnami/etcd/Chart.lock index ce189ead9a3c2f..dcb4c96521a33c 100644 --- a/bitnami/etcd/Chart.lock +++ b/bitnami/etcd/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.27.2 -digest: sha256:6fd86cc5a4b5094abca1f23c8ec064e75e51eceaded94a5e20977274b2abb576 -generated: "2024-12-03T22:30:27.702569392Z" + version: 2.28.0 +digest: sha256:5b30f0fa07bb89b01c55fd6258c8ce22a611b13623d4ad83e8fdd1d4490adc74 +generated: "2024-12-10T16:57:34.815344+01:00" diff --git a/bitnami/etcd/Chart.yaml b/bitnami/etcd/Chart.yaml index 90a4a44d434f67..e9b21830134385 100644 --- a/bitnami/etcd/Chart.yaml +++ b/bitnami/etcd/Chart.yaml @@ -32,4 +32,4 @@ maintainers: name: etcd sources: - https://github.com/bitnami/charts/tree/main/bitnami/etcd -version: 10.6.1 +version: 10.7.0 diff --git a/bitnami/etcd/README.md b/bitnami/etcd/README.md index 6db16b1b0cef5f..92b98ecf011e01 100644 --- a/bitnami/etcd/README.md +++ b/bitnami/etcd/README.md @@ -703,6 +703,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 10.7.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + ### To 10.0.0 This major bump changes the following security defaults: diff --git a/bitnami/etcd/templates/NOTES.txt b/bitnami/etcd/templates/NOTES.txt index 3b456e422c12e6..457622deeef40b 100644 --- a/bitnami/etcd/templates/NOTES.txt +++ b/bitnami/etcd/templates/NOTES.txt @@ -118,4 +118,4 @@ To connect to your etcd server from outside the cluster execute the following co {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- include "etcd.validateValues" . }} {{- include "common.warnings.resources" (dict "sections" (list "disasterRecovery.cronjob" "" "volumePermissions") "context" $) }} -{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} \ No newline at end of file +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }}{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} diff --git a/bitnami/etcd/values.yaml b/bitnami/etcd/values.yaml index 29b09fc75621a7..bba17f89ca2ba2 100644 --- a/bitnami/etcd/values.yaml +++ b/bitnami/etcd/values.yaml @@ -21,6 +21,11 @@ global: imagePullSecrets: [] defaultStorageClass: "" storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false ## Compatibility adaptations for Kubernetes platforms ## compatibility: From 29d2b7d2324daa199a77face699324ffeada3d0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 18:06:02 +0100 Subject: [PATCH 2/4] Update NOTES.txt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/etcd/templates/NOTES.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bitnami/etcd/templates/NOTES.txt b/bitnami/etcd/templates/NOTES.txt index 457622deeef40b..7acb2b45d5773f 100644 --- a/bitnami/etcd/templates/NOTES.txt +++ b/bitnami/etcd/templates/NOTES.txt @@ -118,4 +118,5 @@ To connect to your etcd server from outside the cluster execute the following co {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- include "etcd.validateValues" . }} {{- include "common.warnings.resources" (dict "sections" (list "disasterRecovery.cronjob" "" "volumePermissions") "context" $) }} -{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }}{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} From 272bc4a3c13c60044479d98105693e05abaee3ed Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Tue, 10 Dec 2024 17:11:20 +0000 Subject: [PATCH 3/4] Update CHANGELOG.md Signed-off-by: Bitnami Containers --- bitnami/etcd/CHANGELOG.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/bitnami/etcd/CHANGELOG.md b/bitnami/etcd/CHANGELOG.md index 0d46574ae2d6f6..487133067be202 100644 --- a/bitnami/etcd/CHANGELOG.md +++ b/bitnami/etcd/CHANGELOG.md @@ -1,8 +1,12 @@ # Changelog -## 10.6.1 (2024-12-04) +## 10.7.0 (2024-12-10) -* [bitnami/etcd] Release 10.6.1 ([#30746](https://github.com/bitnami/charts/pull/30746)) +* [bitnami/etcd] Detect non-standard images ([#30895](https://github.com/bitnami/charts/pull/30895)) + +## 10.6.1 (2024-12-04) + +* [bitnami/etcd] Release 10.6.1 (#30746) ([9d81d81](https://github.com/bitnami/charts/commit/9d81d81ddbf73b9453468972a8c1501879888d32)), closes [#30746](https://github.com/bitnami/charts/issues/30746) ## 10.6.0 (2024-12-02) From c4907addbaed378e6771231f29a74ab74dda30f5 Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Tue, 10 Dec 2024 17:11:22 +0000 Subject: [PATCH 4/4] Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --- bitnami/etcd/README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/bitnami/etcd/README.md b/bitnami/etcd/README.md index 92b98ecf011e01..4441fef9c82228 100644 --- a/bitnami/etcd/README.md +++ b/bitnami/etcd/README.md @@ -344,13 +344,14 @@ If you encounter errors when working with persistent volumes, refer to our [trou ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters