[bitnami/common] New helper to detect non-standard images

bitnami/common/CHANGELOG.md

@@ -1,8 +1,13 @@
 # Changelog
 
-## 2.27.2 (2024-11-27)
+## 2.28.0 (2024-12-10)
 
-* [bitnami/common]: bump patch version ([#30639](https://github.com/bitnami/charts/pull/30639))
+* [bitnami/common] New helper to detect non-standard images ([#30851](https://github.com/bitnami/charts/pull/30851))
+
+## <small>2.27.2 (2024-11-27)</small>
+
+* [bitnami/common] Fix appVersion (#30628) ([b87d39e](https://github.com/bitnami/charts/commit/b87d39e27a0889c74b20c3d2fe5ae0c4a2417bfd)), closes [#30628](https://github.com/bitnami/charts/issues/30628)
+* [bitnami/common]: bump patch version (#30639) ([623e584](https://github.com/bitnami/charts/commit/623e5846ff827b7ecbcffa2dc51e2e94b14ef8fd)), closes [#30639](https://github.com/bitnami/charts/issues/30639)
 
 ## <small>2.27.1 (2024-11-26)</small>
 

bitnami/common/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
   licenses: Apache-2.0
 apiVersion: v2
 # Please make sure that version and appVersion are always the same.
-appVersion: 2.27.2
+appVersion: 2.28.0
 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
 home: https://bitnami.com
 icon: https://bitnami.com/downloads/logos/bitnami-mark.png
@@ -23,4 +23,4 @@ name: common
 sources:
   - https://github.com/bitnami/charts/tree/main/bitnami/common
 type: library
-version: 2.27.2
+version: 2.28.0

bitnami/common/templates/_errors.tpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0
 
 {{/* vim: set filetype=mustache: */}}
 {{/*
-Through error when upgrading using empty passwords values that must not be empty.
+Throw error when upgrading using empty passwords values that must not be empty.
 
 Usage:
 {{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
@@ -26,3 +26,60 @@ Required password params:
     {{- printf $errorString $validationErrors | fail -}}
   {{- end -}}
 {{- end -}}
+
+{{/*
+Throw error when original container images are replaced.
+The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
+a warning message will be shown instead.
+
+Usage:
+{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
+*/}}
+{{- define "common.errors.insecureImages" -}}
+{{- $relocatedImages := list -}}
+{{- $replacedImages := list -}}
+{{- $retaggedImages := list -}}
+{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
+{{- $originalImages := .context.Chart.Annotations.images -}}
+{{- range .images -}}
+  {{- $registryName := default .registry $globalRegistry -}}
+  {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
+  {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
+  {{- if not (contains $fullImageNameNoTag $originalImages) -}}
+    {{- if not (contains $registryName $originalImages) -}}
+      {{- $relocatedImages = append $relocatedImages $fullImageName  -}}
+    {{- else if not (contains .repository $originalImages) -}}
+      {{- $replacedImages = append $replacedImages $fullImageName  -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
+    {{- $retaggedImages = append $retaggedImages $fullImageName  -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
+  {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
+{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
+  {{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
+  {{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
+  {{- range (concat $relocatedImages $replacedImages) -}}
+    {{- $errorString = print $errorString "\n  - " . -}}
+  {{- end -}}
+  {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}}
+    {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
+    {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
+    {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
+    {{- print $errorString | fail -}}
+  {{- else if gt (len $replacedImages) 0 -}}
+    {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
+    {{- print $errorString -}}
+  {{- end -}}
+{{- else if gt (len $retaggedImages) 0 -}}
+  {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}}
+  {{- $warnString = print $warnString "\n\nRetagged images:" -}}
+  {{- range $retaggedImages -}}
+    {{- $warnString = print $warnString "\n  - " . -}}
+  {{- end -}}
+  {{- print $warnString -}}
+{{- end -}}
+{{- end -}}