diff --git a/chart/kubeapps/CHANGELOG.md b/chart/kubeapps/CHANGELOG.md index 58c4cf33a64..8aacea50bf8 100644 --- a/chart/kubeapps/CHANGELOG.md +++ b/chart/kubeapps/CHANGELOG.md 
@@ -1,8 +1,28 @@ # Changelog -## 17.0.2 (2024-10-31) +## 17.1.1 (2024-12-24) -* [bitnami/kubeapps] Release 17.0.2 ([#30164](https://github.com/bitnami/charts/pull/30164)) +* [bitnami/kubeapps] Release 17.1.1 ([#31153](https://github.com/bitnami/charts/pull/31153)) + +## 17.1.0 (2024-12-10) + +* [bitnami/*] Add Bitnami Premium to NOTES.txt (#30854) ([3dfc003](https://github.com/bitnami/charts/commit/3dfc00376df6631f0ce54b8d440d477f6caa6186)), closes [#30854](https://github.com/bitnami/charts/issues/30854) +* [bitnami/*] docs: :memo: Add "Backup & Restore" section (#30711) ([35ab536](https://github.com/bitnami/charts/commit/35ab5363741e7548f4076f04da6e62d10153c60c)), closes [#30711](https://github.com/bitnami/charts/issues/30711) +* [bitnami/kubeapps] Detect non-standard images (#30914) ([2ff6384](https://github.com/bitnami/charts/commit/2ff6384c57f0d270bbe8651fc9908fca1978aa28)), closes [#30914](https://github.com/bitnami/charts/issues/30914) + +## 17.0.3 (2024-11-08) + +* [bitnami/kubeapps] Unify seLinuxOptions default value (#30343) ([bdebc92](https://github.com/bitnami/charts/commit/bdebc9238ffec5d47e805966811a3be84e4f0d79)), closes [#30343](https://github.com/bitnami/charts/issues/30343) + +## 17.0.2 (2024-10-31) + +* [bitnami/*] Remove wrong comment about imagePullPolicy (#30107) ([a51f9e4](https://github.com/bitnami/charts/commit/a51f9e4bb0fbf77199512d35de7ac8abe055d026)), closes [#30107](https://github.com/bitnami/charts/issues/30107) +* [bitnami/kubeapps] Release 17.0.2 (#30164) ([be30b31](https://github.com/bitnami/charts/commit/be30b315457e24fedb63ba336c73929fa8294c55)), closes [#30164](https://github.com/bitnami/charts/issues/30164) +* Update documentation links to techdocs.broadcom.com (#29931) ([f0d9ad7](https://github.com/bitnami/charts/commit/f0d9ad78f39f633d275fc576d32eae78ded4d0b8)), closes [#29931](https://github.com/bitnami/charts/issues/29931) + +## 17.0.1 (2024-10-14) + +* [bitnami/kubeapps] Release 17.0.1 (#29886) 
([a1f4eb7](https://github.com/bitnami/charts/commit/a1f4eb71c2190feed6e047d7e28ba18e0e491e86)), closes [#29886](https://github.com/bitnami/charts/issues/29886)
 ## 17.0.0 (2024-10-03)
diff --git a/chart/kubeapps/Chart.lock b/chart/kubeapps/Chart.lock
index 93e54bb92c1..85bb3f4251c 100644
--- a/chart/kubeapps/Chart.lock
+++ b/chart/kubeapps/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: redis
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 20.2.1
+ version: 20.6.1
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 16.1.0
+ version: 16.3.4
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.26.0
-digest: sha256:8765098cabaca39ce13d856f5260df97667201dac6d2209280e5de9ad1a33006
-generated: "2024-10-31T19:49:51.754205675Z"
+ version: 2.28.0
+digest: sha256:6aaeb8efc03e1868a06b2c61c6665694eb3510bc7689a95269cda2fb912fb7fd
+generated: "2024-12-24T09:59:54.365449196Z"
diff --git a/chart/kubeapps/Chart.yaml b/chart/kubeapps/Chart.yaml
index 8a2e2bdc432..ea6de454dab 100644
--- a/chart/kubeapps/Chart.yaml
+++ b/chart/kubeapps/Chart.yaml
@@ -6,21 +6,21 @@ annotations:
 licenses: Apache-2.0
 images: |
 - name: kubeapps-apis
- image: docker.io/bitnami/kubeapps-apis:2.12.0-debian-12-r0
+ image: docker.io/bitnami/kubeapps-apis:2.12.1-debian-12-r0
 - name: kubeapps-apprepository-controller
- image: docker.io/bitnami/kubeapps-apprepository-controller:2.12.0-debian-12-r0
+ image: docker.io/bitnami/kubeapps-apprepository-controller:2.12.1-debian-12-r0
 - name: kubeapps-asset-syncer
- image: docker.io/bitnami/kubeapps-asset-syncer:2.12.0-debian-12-r0
+ image: docker.io/bitnami/kubeapps-asset-syncer:2.12.1-debian-12-r0
 - name: kubeapps-dashboard
- image: docker.io/bitnami/kubeapps-dashboard:2.12.0-debian-12-r0
+ image: docker.io/bitnami/kubeapps-dashboard:2.12.1-debian-12-r0
 - name: kubeapps-oci-catalog
- image: docker.io/bitnami/kubeapps-oci-catalog:2.12.0-debian-12-r0
+ image: docker.io/bitnami/kubeapps-oci-catalog:2.12.1-debian-12-r0
 - name: kubeapps-pinniped-proxy
- image: docker.io/bitnami/kubeapps-pinniped-proxy:2.12.0-debian-12-r0
+ image: docker.io/bitnami/kubeapps-pinniped-proxy:2.12.1-debian-12-r0
 - name: nginx
- image: docker.io/bitnami/nginx:1.27.2-debian-12-r2
+ image: docker.io/bitnami/nginx:1.27.3-debian-12-r0
 - name: oauth2-proxy
- image: docker.io/bitnami/oauth2-proxy:7.7.1-debian-12-r1
+ image: docker.io/bitnami/oauth2-proxy:7.7.1-debian-12-r4
 apiVersion: v2
 appVersion: DEVEL
 dependencies:
@@ -52,4 +52,4 @@ maintainers:
 name: kubeapps
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kubeapps
-version: 17.0.2
+version: 17.1.1
diff --git a/chart/kubeapps/README.md b/chart/kubeapps/README.md
index 4d6fbc1ccb1..90e60538856 100644
--- a/chart/kubeapps/README.md
+++ b/chart/kubeapps/README.md
@@ -63,7 +63,11 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Backup and restore + +To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. 
Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html). ### Configuring Initial Repositories 
@@ -141,13 +145,14 @@ In the first two cases, it is needed a certificate and a key. We would expect th ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -218,7 +223,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `frontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `frontend.podSecurityContext.fsGroup` | Set frontend pod's Security Context fsGroup | `1001` | | `frontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `frontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `frontend.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `frontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | @@ -326,7 +331,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `dashboard.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `dashboard.podSecurityContext.fsGroup` | Set Dashboard pod's Security Context fsGroup | `1001` | | `dashboard.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `dashboard.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `dashboard.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `dashboard.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | 
@@ -427,7 +432,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `apprepository.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `apprepository.podSecurityContext.fsGroup` | Set AppRepository Controller pod's Security Context fsGroup | `1001` | | `apprepository.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `apprepository.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `apprepository.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `apprepository.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `apprepository.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `apprepository.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | @@ -506,7 +511,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `authProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Auth Proxy container(s) | `[]` | | `authProxy.containerPorts.proxy` | Auth Proxy HTTP container port | `3000` | | `authProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `authProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `authProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `authProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `authProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `authProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | 
@@ -543,7 +548,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `pinnipedProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Pinniped Proxy container(s) | `[]` | | `pinnipedProxy.containerPorts.pinnipedProxy` | Pinniped Proxy container port | `3333` | | `pinnipedProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `pinnipedProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `pinnipedProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `pinnipedProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `pinnipedProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `pinnipedProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | @@ -629,7 +634,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `kubeappsapis.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `kubeappsapis.podSecurityContext.fsGroup` | Set KubeappsAPIs pod's Security Context fsGroup | `1001` | | `kubeappsapis.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `kubeappsapis.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `kubeappsapis.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `kubeappsapis.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `kubeappsapis.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `kubeappsapis.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | 
@@ -718,7 +723,7 @@ In the first two cases, it is needed a certificate and a key. We would expect th | `ociCatalog.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). | `micro` | | `ociCatalog.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `ociCatalog.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `ociCatalog.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `ociCatalog.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `ociCatalog.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `ociCatalog.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `ociCatalog.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | @@ -1010,7 +1015,11 @@ After that you should be able to access the new version of Kubeapps. If the abov Feel free to [open an issue](https://github.com/vmware-tanzu/kubeapps/issues/new) if you have any questions! -## Upgrading Kubeapps +## Upgrading + +### To 17.1.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). Kubeapps You can upgrade Kubeapps from the Kubeapps web interface. Select the namespace in which Kubeapps is installed (`kubeapps` if you followed the instructions in this guide) and click on the "Upgrade" button. Select the new version and confirm. 
diff --git a/chart/kubeapps/templates/NOTES.txt b/chart/kubeapps/templates/NOTES.txt
index 9a5fe40d26d..16661e862ba 100644
--- a/chart/kubeapps/templates/NOTES.txt
+++ b/chart/kubeapps/templates/NOTES.txt
@@ -2,6 +2,8 @@ CHART NAME: {{ .Chart.Name }}
 CHART VERSION: {{ .Chart.Version }}
 APP VERSION: {{ .Chart.AppVersion }}
+Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information.
+
 {{- $postgresqlSecretName := include "kubeapps.postgresql.secretName" . -}}
 {{- $redisSecretName := include "kubeapps.redis.secretName" . -}}
@@ -86,4 +88,5 @@ To access Kubeapps from outside your K8s cluster, follow the steps below:
 {{- include "kubeapps.checkRollingTags" . }}
 {{- include "kubeapps.validateValues" . }}
 {{- include "common.warnings.resources" (dict "sections" (list "apprepository" "authProxy" "dashboard" "frontend" "kubeappsapis" "ociCatalog" "pinnipedProxy" "postgresql") "context" $) }}
-{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.frontend.image .Values.dashboard.image .Values.apprepository.image .Values.apprepository.syncImage .Values.authProxy.image .Values.pinnipedProxy.image .Values.kubeappsapis.image .Values.ociCatalog.image) "context" $) }}
\ No newline at end of file
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.frontend.image .Values.dashboard.image .Values.apprepository.image .Values.apprepository.syncImage .Values.authProxy.image .Values.pinnipedProxy.image .Values.kubeappsapis.image .Values.ociCatalog.image) "context" $) }}
+{{- include "common.errors.insecureImages" (dict "images" (list .Values.frontend.image .Values.dashboard.image .Values.apprepository.image .Values.apprepository.syncImage .Values.authProxy.image .Values.pinnipedProxy.image .Values.kubeappsapis.image .Values.ociCatalog.image) "context" $) }}
diff --git a/chart/kubeapps/values.yaml b/chart/kubeapps/values.yaml
index e416f64c016..27def7c8d58 100644
--- a/chart/kubeapps/values.yaml
+++ b/chart/kubeapps/values.yaml
@@ -20,6 +20,11 @@ global:
 imagePullSecrets: []
 defaultStorageClass: ""
 storageClass: ""
+ ## Security parameters
+ ##
+ security:
+ ## @param global.security.allowInsecureImages Allows skipping image verification
+ allowInsecureImages: false
 ## Compatibility adaptations for Kubernetes platforms
 ##
 compatibility:
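Review bot: The image list passed to `common.errors.insecureImages` on the added line repeats, token for token, the list passed to `common.warnings.modifiedImages` on the line above it, so a container image added later to one list but not the other would be silently left out of the error check while still being warned about, or the reverse. Bind the list once and hand it to both includes so the two can never drift: `{{- $images := list .Values.frontend.image .Values.dashboard.image .Values.apprepository.image .Values.apprepository.syncImage .Values.authProxy.image .Values.pinnipedProxy.image .Values.kubeappsapis.image .Values.ociCatalog.image -}}`, then `{{- include "common.warnings.modifiedImages" (dict "images" $images "context" $) }}` and `{{- include "common.errors.insecureImages" (dict "images" $images "context" $) }}`. The variable should be defined before the `common.warnings.resources` include so both image checks stay adjacent.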
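Review bot: The `@param` description on the added `allowInsecureImages` line, `Allows skipping image verification`, does not say which verification is skipped or what setting it to `true` actually relaxes, and the README parameter table is generated from this comment, so the same vagueness lands in the user-facing docs (the new `global.security.allowInsecureImages` row in this commit). Name the mechanism this commit wires up in NOTES.txt: `## @param global.security.allowInsecureImages Allows skipping image verification (disables the common.errors.insecureImages check rendered from NOTES.txt; see the README "To 17.1.0" upgrade note)`. Keep it on a single line so the README generator still picks it up, and note that the default is a real boolean, so overrides should be `true`/`false` rather than `yes`/`no`.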
@@ -213,7 +218,7 @@ frontend:
 image:
 registry: docker.io
 repository: bitnami/nginx
- tag: 1.27.2-debian-12-r2
+ tag: 1.27.3-debian-12-r0
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -320,7 +325,7 @@ frontend:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
@@ -765,7 +770,7 @@ dashboard:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
@@ -1205,7 +1210,7 @@ apprepository:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
@@ -1419,7 +1424,7 @@ authProxy:
 image:
 registry: docker.io
 repository: bitnami/oauth2-proxy
- tag: 7.7.1-debian-12-r1
+ tag: 7.7.1-debian-12-r4
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1526,7 +1531,7 @@ authProxy:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
@@ -1655,7 +1660,7 @@ pinnipedProxy:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
@@ -1992,7 +1997,7 @@ kubeappsapis:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
@@ -2336,7 +2341,7 @@ ociCatalog:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 1001
 runAsNonRoot: true
diff --git a/script/chart-template-test.sh b/script/chart-template-test.sh
index 5679dd9c17f..01c81d402a0 100755
--- a/script/chart-template-test.sh
+++ b/script/chart-template-test.sh
@@ -17,7 +17,7 @@ sed -i.bk -e "s/kubeVersion.*//g" "${CHART_DIR}Chart.yaml"
 helm dep up "${CHART_DIR}"
 # test with the minimum supported helm version
-helm template "${CHART_DIR}" --debug
+helm template "${CHART_DIR}" --debug --set global.security.allowInsecureImages=yes
 # test with the latest stable helm version
-helm-stable template "${CHART_DIR}" --debug
+helm-stable template "${CHART_DIR}" --debug --set global.security.allowInsecureImages=yes
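Review bot: `--set global.security.allowInsecureImages=yes` on both added lines passes the string `yes`, not a boolean, because Helm's `--set` parser only converts `true`/`false` into booleans; the value therefore no longer matches the boolean default `allowInsecureImages: false` declared in values.yaml in this same commit, nor the `true` the README upgrade note tells users to set. The `common.errors.insecureImages` gate presumably only tests the value for truthiness, in which case a non-empty string still disables the check, but relying on that is fragile and mis-documents the knob; use `--set global.security.allowInsecureImages=true` on both lines. Separately, with the override applied to every render this script no longer exercises the new image check at all, so a comment stating why the test needs it (or one extra render without the override) would make clear that the bypass is deliberate rather than an oversight.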