diff --git a/charts/etcd/Chart.yaml b/charts/etcd/Chart.yaml index e32e91737e5782c24e28f9b825d8180d65cde402..99a5bd12e6de6917bd1cdb1a747bf0a9c786591a 100644 --- a/charts/etcd/Chart.yaml +++ b/charts/etcd/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: 0.1.1 +version: 0.1.2 appVersion: "v3.5.7" diff --git a/charts/etcd/README.md b/charts/etcd/README.md index 4fa9143adfaded31294d305c6a88df6cf450c836..97b71fa58dc81d8b199a204c54bdb2426d409ca1 100644 --- a/charts/etcd/README.md +++ b/charts/etcd/README.md @@ -1,6 +1,6 @@ # Etcd -   +   ## Changelog @@ -58,6 +58,10 @@ helm uninstall my-release | image.registry | string | `"quay.io/coreos"` | Image registry | | image.repository | string | `"etcd"` | Image name | | image.tag | string | `""` | Image tag | +| initImage.pullPolicy | string | `"IfNotPresent"` | Init image pull policy | +| initImage.registry | string | `"docker.io"` | Image registry | +| initImage.repository | string | `"busybox"` | Init image name | +| initImage.tag | string | `"latest"` | Init image tag | | imagePullSecrets | list | `[]` | Image pull secrets | | extraInitContainers | list | `[]` | Extra init containers | | extaContainers | list | `[]` | Extra containers for usage as sidecars | diff --git a/charts/etcd/RELEASENOTES.md b/charts/etcd/RELEASENOTES.md index 215afeb6f495741bf53dcf16afb9a54e3d453df2..cccf197bd206391a232700c73c560ea3ffccfe16 100644 --- a/charts/etcd/RELEASENOTES.md +++ b/charts/etcd/RELEASENOTES.md @@ -4,4 +4,5 @@ | :------------ | :---------- | :----------------- | | 0.1.0 | v3.5.6 | Initial version | | 0.1.1 | v3.5.7 | Upgraded etcd to v3.5.7 | +| 0.1.2 | v3.5.7 | Updated default security context | | | | | diff --git a/charts/etcd/templates/etcdconfig.yaml b/charts/etcd/templates/etcdconfig.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1dee68672eb46de8e2468412bd0ae32296762ec4 --- /dev/null +++ b/charts/etcd/templates/etcdconfig.yaml 
@@ -0,0 +1,29 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "etcd.fullname" . }} + labels: + {{- include "etcd.labels" . | nindent 4 }} +data: + {{- $replicaCount := int .Values.replicas }} + {{- $initialCluster := list }} + {{- $etcdFullname := include "etcd.fullname" . }} + {{- $etcdInternalServiceName := printf "%s-internal" $etcdFullname }} + {{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }} + {{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }} + ETCD_DATA_DIR: "/data/etcd" + ETCD_INITIAL_CLUSTER_TOKEN: "{{ .Values.settings.clusterToken }}" + ETCD_INITIAL_CLUSTER_STATE: "new" + ETCD_LISTEN_CLIENT_URLS: "{{ $protocol }}://0.0.0.0:2379" + ETCD_LISTEN_PEER_URLS: "{{ $protocol }}://0.0.0.0:2380" + {{- if .Values.serviceMonitor.enabled }} + ETCD_LISTEN_METRICS_URLS: "http://0.0.0.0:12379" + {{- end }} + {{- range $e, $i := until $replicaCount }} + {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s:%d" $etcdFullname $i $protocol $etcdFullname $i $servicefqdn 2380) }} + {{- end }} + ETCD_INITIAL_CLUSTER: {{ join "," $initialCluster | quote }} + {{- if .Values.settings.https.autoTls }} + ETCD_AUTO_TLS: "true" + ETCD_PEER_AUTO_TLS: "true" + {{- end }} diff --git a/charts/etcd/templates/scripts.yaml b/charts/etcd/templates/scripts.yaml deleted file mode 100644 index b1d6133c5972f43b6a76a7272815ec2a6d5fa053..0000000000000000000000000000000000000000 --- a/charts/etcd/templates/scripts.yaml +++ /dev/null 
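Review bot: The `$protocol` and `$servicefqdn` computations at the top of this new ConfigMap are the same expressions the statefulset header hunk and all three probe hunks repeat inline, so a change to the HTTPS/autoTls logic now has to be made in five places; a `{{- define "etcd.protocol" -}}` helper in _helpers.tpl (not shown here) would keep them in step. The file also lacks a comment saying which settings live here versus in the pod, which matters because `envFrom` and `env` are split across two templates: I would open the file with `{{/* Cluster-wide etcd settings shared by all members; per-member values (ETCD_NAME, advertise URLs) are injected as env in statefulset.yaml */}}`. Note that `until $replicaCount` with `replicas: 0` renders `ETCD_INITIAL_CLUSTER: ""`, which is presumably never a valid configuration and could be guarded with `{{- if lt $replicaCount 1 }}{{ fail "replicas must be >= 1" }}{{- end }}`.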
@@ -1,67 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "etcd.fullname" . }}-scripts - labels: - {{- include "etcd.labels" . | nindent 4 }} -data: - startup.sh: | - #!/bin/sh - {{- $replicaCount := int .Values.replicas }} - {{- $etcdFullname := include "etcd.fullname" . }} - {{- $etcdInternalServiceName := printf "%s-internal" $etcdFullname }} - {{- $initialCluster := list }} - {{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }} - {{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }} - echo "Initializing Etcd instance..." - export ETCD_DATA_DIR="/data/etcd" - export ETCD_NAME="${HOSTNAME}" - export ETCD_INITIAL_CLUSTER_TOKEN="{{ .Values.settings.clusterToken }}" - export ETCD_INITIAL_CLUSTER_STATE="new" - export ETCD_LISTEN_CLIENT_URLS="{{ $protocol }}://0.0.0.0:2379" - export ETCD_LISTEN_PEER_URLS="{{ $protocol }}://0.0.0.0:2380" - {{- if .Values.serviceMonitor.enabled }} - export ETCD_LISTEN_METRICS_URLS="http://0.0.0.0:12379" - {{- end }} - export ETCD_ADVERTISE_CLIENT_URLS="{{ $protocol }}://${HOSTNAME}.{{ $servicefqdn }}:2379" - export ETCD_INITIAL_ADVERTISE_PEER_URLS="{{ $protocol }}://${HOSTNAME}.{{ $servicefqdn }}:2380" - {{- range $e, $i := until $replicaCount }} - {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s:%d" $etcdFullname $i $protocol $etcdFullname $i $servicefqdn 2380) }} - {{- end }} - export ETCD_INITIAL_CLUSTER="{{ join "," $initialCluster | quote }}" - {{- if .Values.settings.https.autoTls }} - export ETCD_AUTO_TLS="true" - export ETCD_PEER_AUTO_TLS="true" - {{- end }} - mkdir -p ${ETCD_DATA_DIR} - chmod 700 ${ETCD_DATA_DIR} - echo "Finished." - echo "Starting etcd..." - etcd $@ & - etcdproc=$! 
- trap "_terminate $etcdproc 15 {{ .Values.settings.shutdownDelay }}" 15 - trap "_terminate $etcdproc 9 {{ .Values.settings.shutdownDelay }}" 9 - wait $etcdproc - - # Terminates a child process - # $1 - PID of child process - # $2 - Kill signal number - # $3 - Delay before terminate (leave empty if no delay desired) - _terminate() { - local childproc=$1 - local signal=$2 - local delay=$3 - log "Terminating entrypoint" - etcd - kill -s $signal $childproc - if [ ! -z "$delay" ]; then - log "Waiting $delay seconds before termination..." - sleep $delay - fi - - log "Bye bye" - } - - healthcheck.sh: | - #!/bin/sh - etcdctl endpoint health {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} diff --git a/charts/etcd/templates/statefulset.yaml b/charts/etcd/templates/statefulset.yaml index c75a0f03ba17ac8f301cc673f76bd442d9af6a66..36aabc5fde3c6f27ffa596813b6ea57700a363b4 100644 --- a/charts/etcd/templates/statefulset.yaml +++ b/charts/etcd/templates/statefulset.yaml @@ -1,7 +1,12 @@ +{{- $fullname := include "etcd.fullname" . }} +{{- $etcdInternalServiceName := printf "%s-internal" $fullname }} +{{- $protocol := (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "https" "http" }} +{{- $servicefqdn := printf "%s.%s.svc.%s" $etcdInternalServiceName .Release.Namespace .Values.clusterDomain }} +{{- $createPvc := and (empty .Values.storage.persistentVolumeClaimName) (.Values.storage.requestedSize) }} apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ include "etcd.fullname" . }} + name: {{ $fullname }} labels: {{- include "etcd.labels" . | nindent 4 }} spec: 
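Review bot: `$createPvc` in the new header of statefulset.yaml is not a boolean: Go's template `and` returns its last operand, so the variable holds the `requestedSize` string (or an empty value), and the `{{- if not $createPvc }}` further down only works by truthiness. Making it an explicit boolean avoids surprises if it is ever printed or compared: `{{- $createPvc := and (empty .Values.storage.persistentVolumeClaimName) (not (empty .Values.storage.requestedSize)) }}`. A one-line comment above it, `{{/* true when neither an existing claim nor emptyDir is used, i.e. a volumeClaimTemplate must be rendered */}}`, would also save the next reader from re-deriving the volumes logic at the end of the file.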
@@ -9,9 +14,9 @@ spec: {{- if .Values.revisionHistoryLimit }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- end }} - serviceName: {{ include "etcd.fullname" . }}-internal + serviceName: {{ $fullname }}-internal podManagementPolicy: {{ .Values.podManagementPolicy }} - updateStrategy: + updateStrategy: type: {{ .Values.updateStrategyType }} selector: matchLabels: @@ -19,7 +24,7 @@ spec: template: metadata: annotations: - checksum/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }} + checksum/etcdconfig: {{ include (print $.Template.BasePath "/etcdconfig.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -33,7 +38,19 @@ spec: serviceAccountName: {{ include "etcd.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: + - name: {{ .Chart.Name }}-init + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.initImage.registry }}/{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" + imagePullPolicy: {{ .Values.initImage.pullPolicy }} + volumeMounts: + - name: {{ .Values.storage.volumeName }} + mountPath: /data + command: ["/bin/sh"] + args: ["-c", "mkdir -p /data/etcd && chmod 700 /data/etcd"] {{- with .Values.extraInitContainers }} {{- toYaml . | nindent 8 }} {{- end }} @@ -60,7 +77,10 @@ spec: startupProbe: exec: command: - - /scripts/healthcheck.sh + - /usr/local/bin/etcdctl + - endpoint + - health + - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} {{- with .Values.startupProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} timeoutSeconds: {{ .timeoutSeconds }} 
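Review bot: The new `{{ .Chart.Name }}-init` container has no `resources:` block, so in namespaces with a ResourceQuota or LimitRange the pod is rejected at admission even though the main container's resources are set a few lines below; this repository already has the pattern (the mysql release notes in this diff mention "support for init container resources"), so a values-driven `{{- with .Values.initResources }}`-style block, whatever key the other charts use, should be added here. The container also inherits `.Values.securityContext` (uid 999, all capabilities dropped per the values hunk), so `mkdir -p /data/etcd && chmod 700 /data/etcd` presumably relies on `fsGroup: 999` making the mounted volume group-writable; a comment saying so, `# runs as the etcd uid, relies on podSecurityContext.fsGroup for write access to /data`, would make that dependency explicit. The enclosing pod spec starts before this hunk.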
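Review bot: The last `command` item of the startupProbe renders both flags as one argv entry (`"--insecure-skip-tls-verify=true --insecure-transport=false"`) because exec probes do not go through a shell, so etcdctl sees a single flag whose value is `true --insecure-transport=false` and the probe is likely to fail whenever HTTPS or autoTls is enabled; in the plain-HTTP case it renders an empty-string argument instead of nothing. The old healthcheck.sh worked only because the shell word-split that string. The liveness and readiness hunks in the next diff line have the identical problem; each should emit the flags as separate list items under a template condition, as below. Separately, once `https.enabled` with operator-provided certificates is used, the probe could verify against the CA instead of skipping verification, but that needs a cert path the chart does not expose yet. The surrounding container spec continues outside the hunk.
```yaml
              command:
                - /usr/local/bin/etcdctl
                - endpoint
                - health
                {{- if or .Values.settings.https.enabled .Values.settings.https.autoTls }}
                - --insecure-skip-tls-verify=true
                - --insecure-transport=false
                {{- end }}
```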
@@ -78,7 +98,10 @@ spec: livenessProbe: exec: command: - - /scripts/healthcheck.sh + - /usr/local/bin/etcdctl + - endpoint + - health + - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} {{- with .Values.livenessProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} timeoutSeconds: {{ .timeoutSeconds }} @@ -96,7 +119,10 @@ spec: readinessProbe: exec: command: - - /scripts/healthcheck.sh + - /usr/local/bin/etcdctl + - endpoint + - health + - {{ (or .Values.settings.https.enabled .Values.settings.https.autoTls) | ternary "--insecure-skip-tls-verify=true --insecure-transport=false" "" }} {{- with .Values.readinessProbe }} initialDelaySeconds: {{ .initialDelaySeconds }} timeoutSeconds: {{ .timeoutSeconds }} @@ -110,19 +136,29 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - command: - - /scripts/startup.sh {{- if .Values.args }} args: {{- range .Values.args }} - {{ . }} {{- end }} {{- end }} - {{- with .Values.env }} env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ETCD_NAME + value: $(NODE_NAME) + - name: ETCD_ADVERTISE_CLIENT_URLS + value: "{{ $protocol }}://$(NODE_NAME).{{ $servicefqdn }}:2379" + - name: ETCD_INITIAL_ADVERTISE_PEER_URLS + value: "{{ $protocol }}://$(NODE_NAME).{{ $servicefqdn }}:2380" + {{- with .Values.env }} {{- toYaml . | nindent 12 }} {{- end }} envFrom: + - configMapRef: + name: {{ $fullname }} {{- range .Values.extraEnvSecrets }} - secretRef: name: {{ . }} @@ -132,8 +168,6 @@ spec: mountPath: /data - name: tmp mountPath: /tmp - - name: scripts - mountPath: /scripts {{- range $secret := .Values.extraSecrets }} - name: {{ $secret.name }} mountPath: {{ $secret.mountPath }} 
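Review bot: In the env hunk, `ETCD_NAME`, `ETCD_ADVERTISE_CLIENT_URLS` and `ETCD_INITIAL_ADVERTISE_PEER_URLS` depend on `$(NODE_NAME)` expansion, which Kubernetes only performs for variables declared earlier in the same `env` list, so the ordering is load-bearing and nothing says so; I would add `# NODE_NAME must stay first: $(VAR) references only resolve to variables declared above them` right above the `NODE_NAME` entry. Because `.Values.env` is now appended after these entries, a user-supplied `ETCD_NAME` would silently produce a duplicate-key warning rather than override; a comment or a note in the README table would make that precedence clear. The container spec continues outside the hunk.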
@@ -156,38 +190,35 @@ spec: volumes: - name: tmp emptyDir: {} - - name: scripts - configMap: - name: {{ include "etcd.fullname" . }}-scripts - defaultMode: 0555 {{- range $secret := .Values.extraSecrets }} - name: {{ $secret.name }} secret: secretName: {{ $secret.name }} defaultMode: 0440 {{- end }} - {{- if .Values.storage.persistentVolumeClaimName }} - - name: {{ .Values.storage.volumeName }} +{{- with .Values.storage }} + {{- if not $createPvc }} + - name: {{ .volumeName }} + {{- if .persistentVolumeClaimName }} persistentVolumeClaim: - claimName: {{ .Values.storage.persistentVolumeClaimName }} - {{- else }} - {{- if not .Values.storage.requestedSize }} - - name: {{ .Values.storage.volumeName }} + claimName: {{ .persistentVolumeClaimName }} + {{- else }} emptyDir: {} + {{- end }} {{- else }} volumeClaimTemplates: - metadata: - name: {{ .Values.storage.volumeName }} + name: {{ .volumeName }} spec: - {{- with .Values.storage.accessModes }} + {{- with .accessModes }} accessModes: {{- toYaml . | nindent 10 }} {{- end }} - {{- if .Values.storage.className }} - storageClassName: {{ .Values.storage.className }} + {{- if .className }} + storageClassName: {{ .className }} {{- end }} resources: requests: - storage: {{ .Values.storage.requestedSize }} + storage: {{ .requestedSize }} {{- end }} - {{- end }} \ No newline at end of file +{{- end }} \ No newline at end of file diff --git a/charts/etcd/values.yaml b/charts/etcd/values.yaml index e68376369c9638661f6b355aad5aabf5fefaa1fd..8e4a2c57fab7aea9688b611ad20efee59532b67b 100644 --- a/charts/etcd/values.yaml +++ b/charts/etcd/values.yaml @@ -7,6 +7,13 @@ image: pullPolicy: IfNotPresent tag: "" +# Default Init container image +initImage: + registry: "docker.io" + repository: "busybox" + pullPolicy: IfNotPresent + tag: "latest" + ## Pull secrets and name override options imagePullSecrets: [] nameOverride: "" 
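Review bot: In the volumes hunk the new `{{- with .Values.storage }}` is placed at column 0 while the `{{- if not $createPvc }}` and `{{- else }}` it encloses keep the old indentation, which makes the nesting hard to follow in a template that now mixes `volumes:` and `volumeClaimTemplates:` under one `with`; indenting the `with`/`end` pair to match its contents, or a trailing comment such as `{{- end }} {{/* with .Values.storage */}}`, would help. The file still ends with "\ No newline at end of file" on both sides of the diff, which this rewrite was a good opportunity to fix.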
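Review bot: The new `initImage` defaults to `docker.io/busybox` with `tag: "latest"` and `pullPolicy: IfNotPresent`, so each node runs whatever busybox it happens to have cached and the image actually executed in the pod is neither reproducible nor auditable; the README table in this diff documents `latest` as the default as well. I would pin a specific tag (e.g. `tag: "<pinned-busybox-tag>"`, a placeholder to be replaced by the maintainer) and add `# Pin to a specific tag or digest; "latest" is mutable and makes rollouts non-reproducible` above the block, updating the README row to match.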
@@ -39,6 +46,8 @@ updateStrategyType: RollingUpdate ## Pod security context uses file system group 999 (postgres) podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run PostgreSQL as non-root (postgres user), read only container without privilege escalation securityContext: @@ -48,6 +57,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## Etcd service ports (default: Client port 2379, Peer port 2380) service: diff --git a/charts/mariadb/Chart.yaml b/charts/mariadb/Chart.yaml index 83c8905fbd1931aa85c6f686e7d15c61931fc985..c819f2066163098b763227570e13a17d23fe8f6c 100644 --- a/charts/mariadb/Chart.yaml +++ b/charts/mariadb/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.8.2" +version: "0.8.3" appVersion: "10.11.2" diff --git a/charts/mariadb/README.md b/charts/mariadb/README.md index 074b07b84076ef5006fb7c7bb111b739daa238b6..af6275df5520327393dc58d3a96456864894b0dd 100644 --- a/charts/mariadb/README.md +++ b/charts/mariadb/README.md @@ -1,6 +1,6 @@ # MariaDB -   +   ## Changelog diff --git a/charts/mariadb/RELEASENOTES.md b/charts/mariadb/RELEASENOTES.md index 1f940a5aca4222b83f27adda17c7e6fe044d2894..267c6b1aba0827170ac1de599cb57c0a0754e7d6 100644 --- a/charts/mariadb/RELEASENOTES.md +++ b/charts/mariadb/RELEASENOTES.md @@ -49,4 +49,5 @@ | 0.8.0 | 10.11.2 | Upgraded MariaDB to 10.11.2 | | 0.8.1 | 10.11.2 | Implemented alternative distribution with `Deployment` template (thx @tim-hanssen) | | 0.8.2 | 10.11.2 | Fix default update strategy to `Recreate` for distribution with `Deployment` | +| 0.8.3 | 10.11.2 | Updated default security context | | | | | diff --git a/charts/mariadb/values.yaml b/charts/mariadb/values.yaml index a8444893fbed3226e963f47e26fc28e66b99b82f..fef36b99efd5bc0dc60ce7e52254bed4c28914b1 100644 --- a/charts/mariadb/values.yaml +++ b/charts/mariadb/values.yaml 
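Review bot: The comments directly above the changed etcd `podSecurityContext` and `securityContext` still read "(postgres)" and "to run PostgreSQL as non-root", a copy-paste leftover that the security-context rework should correct to "(etcd)" / "to run etcd as non-root". As far as I can tell `supplementalGroups: [999]` duplicates `fsGroup: 999`, which Kubernetes already adds to every container's supplementary groups, so if it is intentional (for volumes that ignore fsGroup) a comment like `# explicit group membership for volume types that do not honour fsGroup` should say so; the same applies to the mariadb, mongodb, mysql, postgres and redis values hunks later in this diff. With `capabilities.drop: [ALL]` now present, the only field still missing for the Pod Security Standards "restricted" profile appears to be `seccompProfile: {type: RuntimeDefault}` under `podSecurityContext`, which would be worth adding in the same sweep across all six charts.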
@@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run MariaDB as non-root, read only container without privilege escalation securityContext: @@ -47,6 +49,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## Default database service port (default MySQL/MariaDB port) service: diff --git a/charts/mongodb/Chart.yaml b/charts/mongodb/Chart.yaml index 09ea1c867e97a36ed11c46541d055a0e88a7cd3f..ab33345b4b2d4bb47342f8f5ebfef9e81969ef00 100644 --- a/charts/mongodb/Chart.yaml +++ b/charts/mongodb/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.5.12" +version: "0.5.13" appVersion: "6.0.5" diff --git a/charts/mongodb/README.md b/charts/mongodb/README.md index 688983617ade4f43b7153680d71e9ed3759b4e76..b8d54fed8ee24352dd08ca655cfd8abc4fb5d534 100644 --- a/charts/mongodb/README.md +++ b/charts/mongodb/README.md @@ -1,6 +1,6 @@ # MongoDB -   +   ## Changelog diff --git a/charts/mongodb/RELEASENOTES.md b/charts/mongodb/RELEASENOTES.md index 3128a4f9a5609bfe7aba159dda4e9b2be97ef16a..acf72b62ca5a7aaf5666ae23096e584a57fc77ca 100644 --- a/charts/mongodb/RELEASENOTES.md +++ b/charts/mongodb/RELEASENOTES.md @@ -62,4 +62,5 @@ | 0.5.10 | 6.0.4 | Upgraded to MongoDB 6.0.4 | | 0.5.11 | 6.0.5 | Upgraded to MongoDB 6.0.5 | | 0.5.12 | 6.0.5 | Implemented alternative distribution with `Deployment` template | +| 0.5.13 | 6.0.5 | Updated default security context | | | | | diff --git a/charts/mongodb/templates/_helpers.tpl b/charts/mongodb/templates/_helpers.tpl index 036938151a1df305d1aa793d48cd38530a9ee3bb..b20d2a36c98ad070a6a7a84f1b458512e17cdfd0 100644 --- a/charts/mongodb/templates/_helpers.tpl +++ b/charts/mongodb/templates/_helpers.tpl 
@@ -65,7 +65,7 @@ Create the name of the service account to use Generate secret with configuration */}} {{- define "mongodb.createSecureConfig" -}} - {{- if or (or (.Values.settings.rootPassword) (.Values.settings.rootUsername)) (.Values.userDatabase) }} + {{- if or (or ((.Values.settings).rootPassword) ((.Values.settings).rootUsername)) (.Values.userDatabase) }} true {{- end }} {{- end }} diff --git a/charts/mongodb/values.yaml b/charts/mongodb/values.yaml index 97b0eccc522deb7924d8b782f03a578e919d1085..e227de510d5208866418090f5f5cc342736c39a6 100644 --- a/charts/mongodb/values.yaml +++ b/charts/mongodb/values.yaml @@ -28,6 +28,8 @@ podAnnotations: {} ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Pod management policy podManagementPolicy: OrderedReady @@ -43,6 +45,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL service: # Suffix of the headless service name diff --git a/charts/mysql/Chart.yaml b/charts/mysql/Chart.yaml index 3c1607e8c39de931b4e81733c2c1904d4a562f7d..59f63bdb9170a2172bb40bab49c288dc12516502 100644 --- a/charts/mysql/Chart.yaml +++ b/charts/mysql/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.1.7" +version: "0.1.8" appVersion: "8.0.32-oracle" diff --git a/charts/mysql/README.md b/charts/mysql/README.md index 6f3416e1f22820fccb26da790d1d5d10aa3636db..dea75a0087d84a9b6b6aa87bf58ba6516a7d957f 100644 --- a/charts/mysql/README.md +++ b/charts/mysql/README.md @@ -1,6 +1,6 @@ # MySQL -   +   ## Changelog diff --git a/charts/mysql/RELEASENOTES.md b/charts/mysql/RELEASENOTES.md index f4fb6a2eaaf58c83d78d6a9411ce7ab8ccb32e3f..a27aa72284c66f83261f897da66c8de9cc5fd40f 100644 --- a/charts/mysql/RELEASENOTES.md +++ b/charts/mysql/RELEASENOTES.md 
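Review bot: The parenthesised `((.Values.settings).rootPassword)` form in `mongodb.createSecureConfig` looks like the Helm idiom for avoiding a nil-map error when `settings` is absent, but nothing in the template says so and a later "cleanup" could easily revert it; I would add `{{/* (.Values.settings) is parenthesised so a missing settings map yields nil instead of a template error */}}` above the `if`. `.Values.userDatabase` is a direct child of `.Values` and does not need the same treatment. The define continues outside the hunk only by its closing `end`.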
@@ -10,4 +10,5 @@ | 0.1.5 | 8.0.31 | Added support for init container resources (thx @Footur) | | 0.1.6 | 8.0.32 | Upgraded MySQL to 8.0.32 | | 0.1.7 | 8.0.32 | Implemented alternative distribution with `Deployment` template | +| 0.1.8 | 8.0.32 | Updated default security context | | | | | diff --git a/charts/mysql/values.yaml b/charts/mysql/values.yaml index c72ff9a2bf5828b8978fb98a80e8cf22d9fc05c4..ea160f695a4c6cd5e7057501f9f3f432d153ffe8 100644 --- a/charts/mysql/values.yaml +++ b/charts/mysql/values.yaml @@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run MySQL as non-root, read only container without privilege escalation securityContext: @@ -47,6 +49,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## Default database service port (default MySQL port) service: diff --git a/charts/postgres/Chart.yaml b/charts/postgres/Chart.yaml index 8605444b083efa28eef23e7e025c5d96205f252f..cb45c60513ab360bc7caa9d919a8d2706402c30f 100644 --- a/charts/postgres/Chart.yaml +++ b/charts/postgres/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: "0.4.3" +version: "0.4.4" appVersion: "15.2" diff --git a/charts/postgres/README.md b/charts/postgres/README.md index f963b5a258c9ece301ac0c0af299ef39a6173d54..8a0b14b9090225d7b68816659b12495825e6be2a 100644 --- a/charts/postgres/README.md +++ b/charts/postgres/README.md @@ -1,6 +1,6 @@ # PostgreSQL -   +   ## Changelog diff --git a/charts/postgres/RELEASENOTES.md b/charts/postgres/RELEASENOTES.md index 5de05449a9dadb165bc2100d9692d1e42e2279c7..2b070fd0a076d728b26dad6a41fc9bd96ad56562 100644 --- a/charts/postgres/RELEASENOTES.md +++ b/charts/postgres/RELEASENOTES.md 
@@ -27,4 +27,5 @@ | 0.4.1 | 15.1 | Upgraded to Postgres 15.1 | | 0.4.2 | 15.2 | Upgraded to Postgres 15.2 | | 0.4.3 | 15.2 | Implemented alternative distribution with `Deployment` template | +| 0.4.4 | 15.2 | Updated default security context | | | | | diff --git a/charts/postgres/values.yaml b/charts/postgres/values.yaml index ed0d8f94eaee10c9c87ed8a104a718f4641ddfbf..3dcc0167310bf40c29066ff057cd3f441687b691 100644 --- a/charts/postgres/values.yaml +++ b/charts/postgres/values.yaml @@ -35,6 +35,8 @@ updateStrategyType: RollingUpdate ## Pod security context uses file system group 999 (postgres) podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run PostgreSQL as non-root (postgres user), read only container without privilege escalation securityContext: @@ -44,6 +46,9 @@ securityContext: runAsNonRoot: true runAsGroup: 999 runAsUser: 999 + capabilities: + drop: + - ALL ## The postgres service configuration (Default is ClusterIP with port 5432) service: diff --git a/charts/redis/Chart.yaml b/charts/redis/Chart.yaml index bcd07e37a80b988e2ff8ed124c6fab994ba00763..97d36156f96dfb1ed3bd8d5a31071faaa24d1bb2 100644 --- a/charts/redis/Chart.yaml +++ b/charts/redis/Chart.yaml @@ -8,7 +8,7 @@ maintainers: - name: groundhog2k # This is the chart version -version: "0.6.8" +version: "0.6.9" # This is the version number of the application being deployed. appVersion: "7.0.10" diff --git a/charts/redis/README.md b/charts/redis/README.md index 8bb368cdf216c66f7a79188bb973043862b359c5..c4dfafc03d5e88d9057fd7f8de271e889018e978 100644 --- a/charts/redis/README.md +++ b/charts/redis/README.md @@ -1,6 +1,6 @@ # Redis -   +   ## Changelog diff --git a/charts/redis/RELEASENOTES.md b/charts/redis/RELEASENOTES.md index 68be4508efb05946200f0e8db36beca049dcdf46..d5928bff9c26c7c1f873166150d2b351ec24f280 100644 --- a/charts/redis/RELEASENOTES.md +++ b/charts/redis/RELEASENOTES.md 
@@ -28,4 +28,5 @@ | 0.6.6 | 7.0.10 | Fixed redis volume deployment in non-HA mode | | 0.6.7 | 7.0.10 | Fix default update strategy to `Recreate` for distribution with `Deployment` | | 0.6.8 | 7.0.10 | Made internal volume name configurable | +| 0.6.9 | 7.0.10 | Updated default security context | | | | | diff --git a/charts/redis/values.yaml b/charts/redis/values.yaml index 8f124ce96b43172123c6922d05a138903466371c..cfd794e13fbd3a29c409db7f096762aabf7adb94 100644 --- a/charts/redis/values.yaml +++ b/charts/redis/values.yaml @@ -38,6 +38,8 @@ updateStrategyType: RollingUpdate ## Pod security options podSecurityContext: fsGroup: 999 + supplementalGroups: + - 999 ## Default security options to run Redis as non-root, read only container without privilege escalation securityContext: @@ -47,6 +49,9 @@ securityContext: runAsNonRoot: true runAsUser: 999 runAsGroup: 999 + capabilities: + drop: + - ALL ## Default redis service port (default Redis server port 6379, defaul Redis sentinel port 26379) service: