fix(argo-cd): Sync redis / redis-ha readOnlyRootFilesystem from upstream (#2294)

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>
main argo-cd-5.46.8
Marco Maurer (-Kilchhofer) 2023-10-12 11:50:51 +02:00 committed by GitHub
parent 37069f92c9
commit 052454f233
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 3 deletions

View File

@ -3,7 +3,7 @@ appVersion: v2.8.4
kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 5.46.7
version: 5.46.8
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
@ -26,5 +26,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: security
description: updated redis dependency to 7.0.13-alpine to fix CVE-2022-48174
- kind: fixed
description: Sync redis / redis-ha readOnlyRootFilesystem=true option from upstream. This was part of Argo CD 2.8.0.

View File

@ -1001,12 +1001,14 @@ The main options are listed here:
|-----|------|---------|-------------|
| redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
| redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
| redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
| redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
| redis-ha.exporter.tag | string | `"1.53.0"` | Tag to use for the redis-exporter |
| redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. |
| redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. |
| redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context |
| redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy |
| redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. |
| redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping |

View File

@ -1279,6 +1279,7 @@ redis:
# -- Redis container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
@ -1416,8 +1417,13 @@ redis-ha:
additionalAffinities: {}
# -- Assign custom [affinity] rules to the haproxy pods.
affinity: |
# -- [Tolerations] for use with node taints for haproxy pods.
tolerations: []
# -- HAProxy container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Whether the Redis server pods should be forced to run on separate nodes.
hardAntiAffinity: true
@ -1445,6 +1451,10 @@ redis-ha:
# -- Enforcement policy, hard or soft
# @default -- `""` (defaults to `ScheduleAnyway`)
whenUnsatisfiable: ""
# -- Redis HA statefulset container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
readOnlyRootFilesystem: true
# External Redis parameters
externalRedis: