|
@@ -307,7 +307,7 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
|
|
|
| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
|
|
| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
|
|
| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
|
|
-| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `none` |
|
|
|
+| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `nano` |
|
|
|
| `web.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
|
|
| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` |
|
|
|
| `web.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
|
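Review bot: The description on the `web.resourcesPreset` row does not say what requests and limits `nano` maps to, and `web.resources` still defaults to `{}`, so a plain install now moves from no preset to the smallest one without the reader being able to tell what that means for the web container. Suggest adding the concrete CPU and memory values for each preset (or a pointer to where they are defined) and stating that `none` restores the previous behaviour. The same applies to the identical `worker.resourcesPreset` and `volumePermissions.resourcesPreset` rows later in this diff.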
@@ -317,11 +317,11 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
|
|
|
| `web.containerSecurityContext.enabled` | web container securityContext | `true` |
|
|
|
| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
|
|
| `web.containerSecurityContext.runAsUser` | User ID for the web container | `1001` |
|
|
|
-| `web.containerSecurityContext.runAsGroup` | Group ID for the web container | `0` |
|
|
|
+| `web.containerSecurityContext.runAsGroup` | Group ID for the web container | `1001` |
|
|
|
| `web.containerSecurityContext.runAsNonRoot` | Set web container's Security Context runAsNonRoot | `true` |
|
|
|
| `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` |
|
|
|
| `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` |
|
|
|
-| `web.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
|
|
+| `web.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
|
|
| `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
|
|
| `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
|
|
| `web.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
|
|
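Review bot: The `web.containerSecurityContext.readOnlyRootFilesystem` row is missing any documentation of which paths the web container can still write to now that the default is `true`; users with init scripts or customizations that write under the root filesystem get no guidance from this table. Suggest a short note, here or in the Upgrading section, on which directories are backed by writable volumes. Two smaller points: this row's description reads "Set container's Security Context" while its neighbours read "Set web container's", and the `runAsGroup` change to `1001` appears only for `web` in this diff, so please confirm the worker is intentionally left unchanged.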
@@ -411,7 +411,7 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
|
|
|
| `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
|
|
| `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
|
|
| `worker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
|
|
-| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `none` |
|
|
|
+| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `nano` |
|
|
|
| `worker.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
|
|
| `worker.podSecurityContext.enabled` | Enabled worker pods' Security Context | `true` |
|
|
|
| `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
|
@@ -531,7 +531,7 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
|
|
|
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
|
|
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
|
|
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
|
|
|
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
|
|
|
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
|
|
|
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
|
|
| `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` |
|
|
|
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
|
@@ -540,15 +540,17 @@ The [Bitnami Concourse](https://github.com/bitnami/containers/tree/main/bitnami/
|
|
|
|
|
|
### Concourse database parameters
|
|
|
|
|
|
-| Name | Description | Value |
|
|
|
-| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------- |
|
|
|
-| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
|
|
|
-| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
|
|
|
-| `postgresql.auth.username` | Name for a custom user to create | `bn_concourse` |
|
|
|
-| `postgresql.auth.password` | Password for the custom user to create | `""` |
|
|
|
-| `postgresql.auth.database` | Name for a custom database to create | `bitnami_concourse` |
|
|
|
-| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
|
|
|
-| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
|
|
+| Name | Description | Value |
|
|
|
+| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
|
|
|
+| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
|
|
|
+| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
|
|
|
+| `postgresql.auth.username` | Name for a custom user to create | `bn_concourse` |
|
|
|
+| `postgresql.auth.password` | Password for the custom user to create | `""` |
|
|
|
+| `postgresql.auth.database` | Name for a custom database to create | `bitnami_concourse` |
|
|
|
+| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
|
|
|
+| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
|
|
+| `postgresql.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` |
|
|
|
+| `postgresql.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
|
|
|
|
|
### External PostgreSQL configuration
|
|
|
|
|
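Review bot: The description of the new `postgresql.primary.resourcesPreset` row refers to `primary.resources`, which is not a key of this chart; every other preset row in this README names the full key (for example `web.resources`). Suggest "This is ignored if postgresql.primary.resources is set (postgresql.primary.resources is recommended for production)". Also note that widening the Description column rewrites all seven existing rows for whitespace only, which makes the two real additions harder to spot in review.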
@@ -595,6 +597,17 @@ Find more information about how to deal with common errors related to Bitnami's
|
|
|
|
|
|
## Upgrading
|
|
|
|
|
|
+### To 4.0.0
|
|
|
+
|
|
|
+This major bump changes the following security defaults:
|
|
|
+
|
|
|
+- `runAsGroup` is changed from `0` to `1001` in `web` node.
|
|
|
+- `readOnlyRootFilesystem` is set to `true`
|
|
|
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
|
|
|
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
|
|
|
+
|
|
|
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
|
|
|
+
|
|
|
### To 3.0.0
|
|
|
|
|
|
This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.
|
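Review bot: The second bullet of the 4.0.0 notes, "`readOnlyRootFilesystem` is set to `true`", does not name the component, while the first bullet does ("in `web` node") and the parameter table in this diff changes it only for `web.containerSecurityContext`. Suggest naming the component and giving the full keys so users can revert precisely, e.g. `web.containerSecurityContext.runAsGroup` and `web.containerSecurityContext.readOnlyRootFilesystem`, rather than "change the default values to the previous ones". The fourth bullet announces a change to `global.compatibility.openshift.adaptSecurityContext`, but none of the README hunks shown here update that parameter's row, so please check that its documented default matches. The `resourcesPreset` bullet should also mention that the PostgreSQL subchart is affected via `postgresql.primary.resourcesPreset`.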