From a719ee81a4d3fba2bfa4503f7324a8ca7742fad6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Rodr=C3=ADguez=20Hern=C3=A1ndez?= Date: Tue, 10 Dec 2024 16:52:26 +0100 Subject: [PATCH 1/3] [bitnami/clickhouse] Detect non-standard images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Carlos Rodríguez Hernández --- bitnami/clickhouse/Chart.lock | 8 ++++---- bitnami/clickhouse/Chart.yaml | 2 +- bitnami/clickhouse/README.md | 4 ++++ bitnami/clickhouse/templates/NOTES.txt | 1 + bitnami/clickhouse/values.yaml | 5 +++++ 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/bitnami/clickhouse/Chart.lock b/bitnami/clickhouse/Chart.lock index 69dd158dfec93e..4b588681474595 100644 --- a/bitnami/clickhouse/Chart.lock +++ b/bitnami/clickhouse/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: zookeeper repository: oci://registry-1.docker.io/bitnamicharts - version: 13.6.0 + version: 13.6.1 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.27.0 -digest: sha256:854216c5219a1622745fbf2d6bd60fd2446fc59f7be2655ab5f8c410a053fd4b -generated: "2024-11-08T19:11:49.997675914Z" + version: 2.28.0 +digest: sha256:baec1f58a73706aa14d6e35c0de77bd7db42063f56d0a0f01384680fdddaa818 +generated: "2024-12-10T16:52:22.463579+01:00" diff --git a/bitnami/clickhouse/Chart.yaml b/bitnami/clickhouse/Chart.yaml index c60d70525eb500..154a55d552e597 100644 --- a/bitnami/clickhouse/Chart.yaml +++ b/bitnami/clickhouse/Chart.yaml @@ -33,4 +33,4 @@ maintainers: name: clickhouse sources: - https://github.com/bitnami/charts/tree/main/bitnami/clickhouse -version: 7.0.2 +version: 7.1.0 diff --git a/bitnami/clickhouse/README.md b/bitnami/clickhouse/README.md index 8e9d01f307408a..142195628828e8 100644 --- a/bitnami/clickhouse/README.md +++ b/bitnami/clickhouse/README.md @@ -630,6 +630,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 7.1.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + ### To 7.0.0 This major updates the Zookeeper version from 3.8.x to 3.9.x. Instead of overwritting it in this chart values, it will automatically use the version defined in the zookeeper subchart. diff --git a/bitnami/clickhouse/templates/NOTES.txt b/bitnami/clickhouse/templates/NOTES.txt index 467595945b5b49..37407119709878 100644 --- a/bitnami/clickhouse/templates/NOTES.txt +++ b/bitnami/clickhouse/templates/NOTES.txt @@ -60,3 +60,4 @@ Credentials: {{- include "clickhouse.validateValues" . }} {{- include "common.warnings.resources" (dict "sections" (list "" "volumePermissions") "context" $) }} {{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} diff --git a/bitnami/clickhouse/values.yaml b/bitnami/clickhouse/values.yaml index 9271058407e105..fd87673ca04b99 100644 --- a/bitnami/clickhouse/values.yaml +++ b/bitnami/clickhouse/values.yaml @@ -21,6 +21,11 @@ global: imagePullSecrets: [] defaultStorageClass: "" storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false ## Compatibility adaptations for Kubernetes platforms ## compatibility: From d209eb59db10f42f73d506c7ef22f8658c35fb4f Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Tue, 10 Dec 2024 17:01:00 +0000 Subject: [PATCH 2/3] Update CHANGELOG.md Signed-off-by: Bitnami Containers --- bitnami/clickhouse/CHANGELOG.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/bitnami/clickhouse/CHANGELOG.md b/bitnami/clickhouse/CHANGELOG.md index 0b2949fd0cd73b..db9464582fa3b2 100644 --- a/bitnami/clickhouse/CHANGELOG.md +++ b/bitnami/clickhouse/CHANGELOG.md @@ -1,8 +1,12 @@ # Changelog -## 7.0.2 (2024-11-26) +## 7.1.0 (2024-12-10) -* [bitnami/clickhouse] Release 7.0.2 ([#30633](https://github.com/bitnami/charts/pull/30633)) +* [bitnami/clickhouse] Detect non-standard images ([#30871](https://github.com/bitnami/charts/pull/30871)) + +## 7.0.2 (2024-11-26) + +* [bitnami/clickhouse] Release 7.0.2 (#30633) ([ec3a99c](https://github.com/bitnami/charts/commit/ec3a99ca9eea5bebe982e22d6b18b83bfbdfc14a)), closes [#30633](https://github.com/bitnami/charts/issues/30633) ## 7.0.1 (2024-11-25) From ee11918cc71a580a3fbb34268b4c7375fffa7d10 Mon Sep 17 00:00:00 2001 From: Bitnami Containers Date: Tue, 10 Dec 2024 17:01:02 +0000 Subject: [PATCH 3/3] Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --- bitnami/clickhouse/README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/bitnami/clickhouse/README.md b/bitnami/clickhouse/README.md index 142195628828e8..0ca8d7350b2ade 100644 --- a/bitnami/clickhouse/README.md +++ b/bitnami/clickhouse/README.md @@ -283,13 +283,14 @@ The [Bitnami ClickHouse](https://github.com/bitnami/containers/tree/main/bitnami ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters