From 92989b791f89e37bcdacd6f10e96607c6cbbf4e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 16:50:30 +0100 Subject: [PATCH 1/7] [bitnami/cassandra] Detect non-standard images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/cassandra/Chart.lock | 6 +++--- bitnami/cassandra/Chart.yaml | 2 +- bitnami/cassandra/README.md | 4 ++++ bitnami/cassandra/templates/NOTES.txt | 2 +- bitnami/cassandra/values.yaml | 5 +++++ 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/bitnami/cassandra/Chart.lock b/bitnami/cassandra/Chart.lock index 32216e5d899ea2..d4ede4e7ac2a9d 100644 --- a/bitnami/cassandra/Chart.lock +++ b/bitnami/cassandra/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.27.2 -digest: sha256:6fd86cc5a4b5094abca1f23c8ec064e75e51eceaded94a5e20977274b2abb576 -generated: "2024-11-28T14:06:35.487166665Z" + version: 2.28.0 +digest: sha256:5b30f0fa07bb89b01c55fd6258c8ce22a611b13623d4ad83e8fdd1d4490adc74 +generated: "2024-12-10T16:50:27.471364+01:00" diff --git a/bitnami/cassandra/Chart.yaml b/bitnami/cassandra/Chart.yaml index ce9483d87107fb..cb0d5d4523261b 100644 --- a/bitnami/cassandra/Chart.yaml +++ b/bitnami/cassandra/Chart.yaml @@ -32,4 +32,4 @@ maintainers: name: cassandra sources: - https://github.com/bitnami/charts/tree/main/bitnami/cassandra -version: 12.0.5 +version: 12.1.0 diff --git a/bitnami/cassandra/README.md b/bitnami/cassandra/README.md index 93d6350ded6c9b..593937360fbd09 100644 --- a/bitnami/cassandra/README.md +++ b/bitnami/cassandra/README.md 
@@ -449,6 +449,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 12.1.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + It's necessary to set the `dbUser.password` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use. Please note down the password and run the command below to upgrade your chart: ```console diff --git a/bitnami/cassandra/templates/NOTES.txt b/bitnami/cassandra/templates/NOTES.txt index 5ef56bbafc3cde..94f96649708091 100644 --- a/bitnami/cassandra/templates/NOTES.txt +++ b/bitnami/cassandra/templates/NOTES.txt @@ -92,4 +92,4 @@ To connect to your database from outside the cluster execute the following comma {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- include "cassandra.validateValues" . }} {{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "tls" "volumePermissions") "context" $) }} -{{- include "cassandra.warnings.jvm" . }}{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} \ No newline at end of file +{{- include "cassandra.warnings.jvm" . }}{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} diff --git a/bitnami/cassandra/values.yaml b/bitnami/cassandra/values.yaml index 7e2617305c252d..3495c211a1e97d 100644 --- a/bitnami/cassandra/values.yaml +++ b/bitnami/cassandra/values.yaml 
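Review bot: The `common.errors.insecureImages` include appended to the last line of NOTES.txt repeats the literal `(list .Values.image .Values.volumePermissions.image .Values.metrics.image)` already passed to `common.warnings.modifiedImages`, so an image value added to the chart later has to be appended in two places or it escapes the check unnoticed. Binding the list once, `{{- $images := list .Values.image .Values.volumePermissions.image .Values.metrics.image }}`, and passing `(dict "images" $images "context" $)` to both helpers keeps the warning and the error in step. Only these three values are covered; if the chart's templates reference any other image, that image is outside the verification, which is worth confirming because the templates are not part of this patch. The helper comes from the `common` dependency bumped to 2.28.0 in the same commit and is not visible here, so what it does on a mismatch should be checked against that chart. PATCH 6/7 reshapes the same line without changing the duplicated list.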
@@ -627,6 +627,11 @@ persistence: ## GKE, AWS & OpenStack) ## storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false ## @param persistence.commitStorageClass PVC Storage Class for Cassandra Commit Log volume ## Storage class to use with CASSANDRA_COMMITLOG_DIR to reduce the concurrence for writing data and commit logs ## ref: https://github.com/bitnami/containers/tree/main/bitnami/cassandra From 21850ba2b0c9eb6e99992032dc1cb64a1da58165 Mon Sep 17 00:00:00 2001 From: Jota Martos Date: Tue, 10 Dec 2024 17:34:04 +0100 Subject: [PATCH 2/7] Update values file and README Signed-off-by: Jota Martos --- bitnami/cassandra/README.md | 13 +++++++------ bitnami/cassandra/values.yaml | 11 ++++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/bitnami/cassandra/README.md b/bitnami/cassandra/README.md index 593937360fbd09..377f411a35ce28 100644 --- a/bitnami/cassandra/README.md +++ b/bitnami/cassandra/README.md 
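Review bot: The added comment `## @param global.security.allowInsecureImages Allows skipping image verification` does not say what is verified or what an operator gives up by enabling the flag, which matters for a switch that relaxes a security check. I would add a second comment line under it, for example `## Leave as false unless you deliberately run images other than the chart's defaults and have vetted them yourself`. That wording is inferred from the commit subject "Detect non-standard images", so adjust it to what the `common` helper actually enforces. The hunk header context is `persistence:`, which suggests the block is nested under `persistence` rather than `global` at this point in the series. The same comment text is carried unchanged when PATCH 2/7 and PATCH 4/7 move the block under `global:`, so the addition applies to those hunks as well.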
@@ -169,12 +169,13 @@ As the image run as non-root by default, it is necessary to adjust the ownership ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | ### Common parameters diff --git a/bitnami/cassandra/values.yaml b/bitnami/cassandra/values.yaml index 3495c211a1e97d..5b39945868e281 100644 --- a/bitnami/cassandra/values.yaml +++ b/bitnami/cassandra/values.yaml 
@@ -28,6 +28,12 @@ global: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## adaptSecurityContext: auto + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false + ## @section Common parameters ## @@ -627,11 +633,6 @@ persistence: ## GKE, AWS & OpenStack) ## storageClass: "" - ## Security parameters - ## - security: - ## @param global.security.allowInsecureImages Allows skipping image verification - allowInsecureImages: false ## @param persistence.commitStorageClass PVC Storage Class for Cassandra Commit Log volume ## Storage class to use with CASSANDRA_COMMITLOG_DIR to reduce the concurrence for writing data and commit logs ## ref: https://github.com/bitnami/containers/tree/main/bitnami/cassandra From 72b406c6d042af14d2338c70e583877e1ba6b122 Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Tue, 10 Dec 2024 16:38:50 +0000 Subject: [PATCH 3/7] Update CHANGELOG.md Signed-off-by: Bitnami Containers --- bitnami/cassandra/CHANGELOG.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/bitnami/cassandra/CHANGELOG.md b/bitnami/cassandra/CHANGELOG.md index f6fa9a1424450d..3033046a3d6770 100644 --- a/bitnami/cassandra/CHANGELOG.md +++ b/bitnami/cassandra/CHANGELOG.md 
@@ -1,8 +1,13 @@ # Changelog -## 12.0.5 (2024-11-28) +## 12.1.0 (2024-12-10) -* [bitnami/cassandra] Release 12.0.5 ([#30670](https://github.com/bitnami/charts/pull/30670)) +* [bitnami/cassandra] Detect non-standard images ([#30866](https://github.com/bitnami/charts/pull/30866)) + +## 12.0.5 (2024-11-28) + +* [bitnami/*] Remove wrong comment about imagePullPolicy (#30107) ([a51f9e4](https://github.com/bitnami/charts/commit/a51f9e4bb0fbf77199512d35de7ac8abe055d026)), closes [#30107](https://github.com/bitnami/charts/issues/30107) +* [bitnami/cassandra] Release 12.0.5 (#30670) ([bebba67](https://github.com/bitnami/charts/commit/bebba67d707601a50aada0ea1e8ebe3b5b1716cd)), closes [#30670](https://github.com/bitnami/charts/issues/30670) ## 12.0.4 (2024-10-22) From cc964ab8861b154abb9b4a933f3a3670baf43b86 Mon Sep 17 00:00:00 2001 From: Jota Martos Date: Tue, 10 Dec 2024 17:44:43 +0100 Subject: [PATCH 4/7] Update values file and README Signed-off-by: Jota Martos --- bitnami/cassandra/README.md | 2 +- bitnami/cassandra/values.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bitnami/cassandra/README.md b/bitnami/cassandra/README.md index 377f411a35ce28..cf8205778d6f8a 100644 --- a/bitnami/cassandra/README.md +++ b/bitnami/cassandra/README.md 
@@ -174,8 +174,8 @@ As the image run as non-root by default, it is necessary to adjust the ownership | `global.imageRegistry` | Global Docker image registry | `""` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | | `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | | `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters diff --git a/bitnami/cassandra/values.yaml b/bitnami/cassandra/values.yaml index 5b39945868e281..7d04602bd7986c 100644 --- a/bitnami/cassandra/values.yaml +++ b/bitnami/cassandra/values.yaml @@ -19,6 +19,11 @@ global: ## imagePullSecrets: [] defaultStorageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false ## Compatibility adaptations for Kubernetes platforms ## compatibility: 
@@ -28,11 +33,6 @@ global: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## adaptSecurityContext: auto - ## Security parameters - ## - security: - ## @param global.security.allowInsecureImages Allows skipping image verification - allowInsecureImages: false ## @section Common parameters ## From 07b8625f52fcf664196fbee47beeb3d569801760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 17:47:46 +0100 Subject: [PATCH 5/7] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/cassandra/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bitnami/cassandra/README.md b/bitnami/cassandra/README.md index cf8205778d6f8a..7c16c424b0e2b2 100644 --- a/bitnami/cassandra/README.md +++ b/bitnami/cassandra/README.md @@ -450,10 +450,6 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading -### To 12.1.0 - -This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). - It's necessary to set the `dbUser.password` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use. Please note down the password and run the command below to upgrade your chart: ```console 
@@ -464,6 +460,10 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/cassandra --set dbUs | Note: you need to substitute the placeholder *[PASSWORD]* with the value obtained in the installation notes. +### To 12.1.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + ### To 12.0.0 Cassandra's version was bumped to `5.0`, [the latest GA version](https://cassandra.apache.org/_/blog/Apache-Cassandra-5.0-Announcement.html). Users can upgrade from version 4 to 5.0 through an online upgrade, minimizing downtime for applications. Nevertheless, a backup creation prior to undergoing the upgrade process is recommended. Please, refer to the [official guide](https://cassandra.apache.org/doc/latest/operating/backups.html#snapshots) for further information. @@ -560,4 +560,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. From 154eaba90c5d901938db68e56f67a54b6288d5d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 17:48:05 +0100 Subject: [PATCH 6/7] Update NOTES.txt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/cassandra/templates/NOTES.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bitnami/cassandra/templates/NOTES.txt b/bitnami/cassandra/templates/NOTES.txt index 94f96649708091..b4765ef2d0525f 100644 --- a/bitnami/cassandra/templates/NOTES.txt +++ b/bitnami/cassandra/templates/NOTES.txt 
@@ -92,4 +92,5 @@ To connect to your database from outside the cluster execute the following comma {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- include "cassandra.validateValues" . }} {{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "tls" "volumePermissions") "context" $) }} -{{- include "cassandra.warnings.jvm" . }}{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} +{{- include "cassandra.warnings.jvm" . }}{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} From 570265f5de80dc083df4deec3da0938fd69d26fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 17:48:23 +0100 Subject: [PATCH 7/7] Update values.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/cassandra/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/bitnami/cassandra/values.yaml b/bitnami/cassandra/values.yaml index 7d04602bd7986c..27d6eee6f41b08 100644 --- a/bitnami/cassandra/values.yaml +++ b/bitnami/cassandra/values.yaml 
@@ -33,7 +33,6 @@ global: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## adaptSecurityContext: auto - ## @section Common parameters ##