Skip to content

Commit

Permalink
fix(argo-cd): Sync redis / redis-ha readOnlyRootFilesystem from upstr…
Browse files Browse the repository at this point in the history
…eam (#2294)

Signed-off-by: Marco Maurer <[email protected]>
  • Loading branch information
mkilchhofer authored Oct 12, 2023
1 parent 37069f9 commit 052454f
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 3 deletions.
6 changes: 3 additions & 3 deletions charts/argo-cd/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ appVersion: v2.8.4
kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 5.46.7
version: 5.46.8
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
Expand All @@ -26,5 +26,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: security
description: updated redis dependency to 7.0.13-alpine to fix CVE-2022-48174
- kind: fixed
description: Sync redis / redis-ha readOnlyRootFilesystem=true option from upstream. This was part of Argo CD 2.8.0.
2 changes: 2 additions & 0 deletions charts/argo-cd/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1001,12 +1001,14 @@ The main options are listed here:
|-----|------|---------|-------------|
| redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
| redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
| redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
| redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
| redis-ha.exporter.tag | string | `"1.53.0"` | Tag to use for the redis-exporter |
| redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. |
| redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. |
| redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context |
| redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy |
| redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. |
| redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping |
Expand Down
10 changes: 10 additions & 0 deletions charts/argo-cd/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1279,6 +1279,7 @@ redis:
# -- Redis container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
Expand Down Expand Up @@ -1416,8 +1417,13 @@ redis-ha:
additionalAffinities: {}
# -- Assign custom [affinity] rules to the haproxy pods.
affinity: |
# -- [Tolerations] for use with node taints for haproxy pods.
tolerations: []
# -- HAProxy container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
readOnlyRootFilesystem: true

# -- Whether the Redis server pods should be forced to run on separate nodes.
hardAntiAffinity: true
Expand Down Expand Up @@ -1445,6 +1451,10 @@ redis-ha:
# -- Enforcement policy, hard or soft
# @default -- `""` (defaults to `ScheduleAnyway`)
whenUnsatisfiable: ""
# -- Redis HA statefulset container-level security context
# @default -- See [values.yaml]
containerSecurityContext:
readOnlyRootFilesystem: true

# External Redis parameters
externalRedis:
Expand Down

0 comments on commit 052454f

Please sign in to comment.