fix(argo-cd): Sync redis / redis-ha readOnlyRootFilesystem from upstream (#2294)

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>
2023-10-12 11:50:51 +02:00 · 2023-10-12 11:50:51 +02:00 · 052454f233
parent 37069f92c9
commit 052454f233
3 changed files with 15 additions and 3 deletions
--- a/charts/argo-cd/Chart.yaml
+++ b/charts/argo-cd/Chart.yaml
@ -3,7 +3,7 @@ appVersion: v2.8.4
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.46.7
+version: 5.46.8
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@ -26,5 +26,5 @@ annotations:
    fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
    url: https://argoproj.github.io/argo-helm/pgp_keys.asc
  artifacthub.io/changes: |
-    - kind: security
-      description: updated redis dependency to 7.0.13-alpine to fix CVE-2022-48174
+    - kind: fixed
+      description: Sync redis / redis-ha readOnlyRootFilesystem=true option from upstream. This was part of Argo CD 2.8.0.
--- a/charts/argo-cd/README.md
+++ b/charts/argo-cd/README.md
@ -1001,12 +1001,14 @@ The main options are listed here:
 |-----|------|---------|-------------|
 | redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
 | redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
+| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
 | redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
 | redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
 | redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
 | redis-ha.exporter.tag | string | `"1.53.0"` | Tag to use for the redis-exporter |
 | redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. |
 | redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. |
+| redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context |
 | redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy |
 | redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. |
 | redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping |
--- a/charts/argo-cd/values.yaml
+++ b/charts/argo-cd/values.yaml
@ -1279,6 +1279,7 @@ redis:
  # -- Redis container-level security context
  # @default -- See [values.yaml]
  containerSecurityContext:
+    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
@ -1416,8 +1417,13 @@ redis-ha:
    additionalAffinities: {}
    # -- Assign custom [affinity] rules to the haproxy pods.
    affinity: |
+
    # -- [Tolerations] for use with node taints for haproxy pods.
    tolerations: []
+    # -- HAProxy container-level security context
+    # @default -- See [values.yaml]
+    containerSecurityContext:
+      readOnlyRootFilesystem: true

  # -- Whether the Redis server pods should be forced to run on separate nodes.
  hardAntiAffinity: true
@ -1445,6 +1451,10 @@ redis-ha:
    # -- Enforcement policy, hard or soft
    # @default -- `""` (defaults to `ScheduleAnyway`)
    whenUnsatisfiable: ""
+  # -- Redis HA statefulset container-level security context
+  # @default -- See [values.yaml]
+  containerSecurityContext:
+    readOnlyRootFilesystem: true

 # External Redis parameters
 externalRedis: