Merge pull request #36 from jouve/bump

Bump

charts/cloudnative-pg/Chart.yaml

@@ -18,12 +18,12 @@ name: cloudnative-pg
 description: CloudNativePG Helm Chart
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: 0.19.3
+version: 0.20.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning, they should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.21.1"
+appVersion: "1.22.0"
 sources:
   - https://github.com/jouve/charts
   - https://github.com/cloudnative-pg/charts

charts/cloudnative-pg/README.md

@@ -1,6 +1,6 @@
 # cloudnative-pg
 
-![Version: 0.19.1](https://img.shields.io/badge/Version-0.19.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.21.1](https://img.shields.io/badge/AppVersion-1.21.1-informational?style=flat-square)
+![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.22.0](https://img.shields.io/badge/AppVersion-1.22.0-informational?style=flat-square)
 
 CloudNativePG Helm Chart
 

charts/coredns/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.13.3
-digest: sha256:6fbdc8a525f6f9f98ec4ac5d11b049993f2e5800fd2f44b3abb3b00b74936ee0
-generated: "2023-11-19T11:36:15.598318595+01:00"
+  version: 2.14.1
+digest: sha256:f6cbb5e3d033290dcd0145c6c1bd13aa2e0813f9267c2f5559e5469ae705c520
+generated: "2024-01-04T13:50:47.629934+01:00"

charts/coredns/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: coredns
-version: 1.29.4
+version: 1.29.6
 appVersion: 1.11.1
 home: https://coredns.io
 icon: https://coredns.io/images/CoreDNS_Colour_Horizontal.png
@@ -26,5 +26,7 @@ dependencies:
   version: 2.x.x
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: Added option to override defaultMode for extraSecrets
+    - kind: changed
+      description: Ignore duplicate strings in the fullname helper template
+    - kind: removed
+      description: Removed deprecated "engine: gotpl" from the Chart.yaml

charts/coredns/templates/_helpers.tpl

@@ -11,16 +11,16 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
 {{- define "coredns.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{/*

charts/distribution/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.13.3
-digest: sha256:6fbdc8a525f6f9f98ec4ac5d11b049993f2e5800fd2f44b3abb3b00b74936ee0
-generated: "2023-12-07T13:25:57.872831+01:00"
+  version: 2.14.1
+digest: sha256:f6cbb5e3d033290dcd0145c6c1bd13aa2e0813f9267c2f5559e5469ae705c520
+generated: "2024-01-04T13:51:39.523897+01:00"

charts/distribution/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: distribution
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: 2.8.3
 dependencies:
 - name: common

charts/extra/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.13.3
-digest: sha256:6fbdc8a525f6f9f98ec4ac5d11b049993f2e5800fd2f44b3abb3b00b74936ee0
-generated: "2023-11-19T11:36:25.992337465+01:00"
+  version: 2.14.1
+digest: sha256:f6cbb5e3d033290dcd0145c6c1bd13aa2e0813f9267c2f5559e5469ae705c520
+generated: "2024-01-04T13:50:58.953035+01:00"

charts/extra/Chart.yaml

@@ -3,7 +3,7 @@ name: extra
 description: Deploy a list of Kubernetes resources as a release
 icon: https://raw.githubusercontent.com/KDE/breeze-icons/master/icons/actions/16/list-add.svg
 type: application
-version: 0.3.4
+version: 0.3.5
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts

charts/gatekeeper-library/Chart.yaml

@@ -3,8 +3,8 @@ name: gatekeeper-library
 description: A Helm chart for Kubernetes
 icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg
 type: application
-version: 0.1.4
-appVersion: 0d95b7608c2ca835ba0418bd1199c3d8f6c9c6e1
+version: 0.2.0
+appVersion: 0b4836a00d7f6ab6a82fa3943e0f48eb07216293
 sources:
   - https://github.com/jouve/charts
   - https://github.com/open-policy-agent/gatekeeper-library

charts/gatekeeper-library/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/open-policy-agent/gatekeeper-library/library?ref=0d95b7608c2ca835ba0418bd1199c3d8f6c9c6e1
+- github.com/open-policy-agent/gatekeeper-library/library?ref=0b4836a00d7f6ab6a82fa3943e0f48eb07216293

charts/gatekeeper-library/templates/k8sallowedrepos.yaml

@@ -4,7 +4,7 @@ metadata:
   annotations:
     description: Requires container images to begin with a string from the specified list.
     metadata.gatekeeper.sh/title: Allowed Repositories
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8sallowedrepos
 spec:
   crd:
@@ -26,22 +26,19 @@ spec:
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.containers[_]
-          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
-          not any(satisfied)
+          not strings.any_prefix_match(container.image, input.parameters.repos)
           msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.initContainers[_]
-          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
-          not any(satisfied)
+          not strings.any_prefix_match(container.image, input.parameters.repos)
           msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
 
         violation[{"msg": msg}] {
           container := input.review.object.spec.ephemeralContainers[_]
-          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
-          not any(satisfied)
+          not strings.any_prefix_match(container.image, input.parameters.repos)
           msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
         }
       target: admission.k8s.gatekeeper.sh

charts/gatekeeper-library/templates/k8scontainerephemeralstoragelimit.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires containers to have an ephemeral storage limit set and constrains the limit to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container ephemeral storage limit
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
   name: k8scontainerephemeralstoragelimit
 spec:
   crd:
@@ -166,7 +166,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * storage_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8scontainerlimits.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Limits
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8scontainerlimits
 spec:
   crd:
@@ -79,7 +79,7 @@ spec:
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+(\\.[0-9]+)?$", orig)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", orig)
           new := to_number(orig) * 1000
         }
 
@@ -176,7 +176,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * mem_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8scontainerratios.yaml

@@ -6,7 +6,7 @@ metadata:
       Sets a maximum ratio for container resource limits to requests.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Ratios
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8scontainerratios
 spec:
   crd:
@@ -79,14 +79,14 @@ spec:
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+$", orig)
+          regex.match("^[0-9]+$", orig)
           new := to_number(orig) * 1000
         }
 
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+[.][0-9]+$", orig)
+          regex.match("^[0-9]+[.][0-9]+$", orig)
           new := to_number(orig) * 1000
         }
 
@@ -183,7 +183,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * mem_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8scontainerrequests.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values.
       https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     metadata.gatekeeper.sh/title: Container Requests
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8scontainerrequests
 spec:
   crd:
@@ -79,7 +79,7 @@ spec:
         canonify_cpu(orig) = new {
           not is_number(orig)
           not endswith(orig, "m")
-          re_match("^[0-9]+(\\.[0-9]+)?$", orig)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", orig)
           new := to_number(orig) * 1000
         }
 
@@ -176,7 +176,7 @@ spec:
           not is_number(orig)
           suffix := get_suffix(orig)
           raw := replace(orig, suffix, "")
-          re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+          regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
           new := to_number(raw) * mem_multiple(suffix)
         }
 

charts/gatekeeper-library/templates/k8sdisallowedtags.yaml

@@ -6,7 +6,7 @@ metadata:
       Requires container images to have an image tag different from the ones in the specified list.
       https://kubernetes.io/docs/concepts/containers/images/#image-names
     metadata.gatekeeper.sh/title: Disallow tags
-    metadata.gatekeeper.sh/version: 1.0.0
+    metadata.gatekeeper.sh/version: 1.0.1
   name: k8sdisallowedtags
 spec:
   crd:
@@ -57,16 +57,15 @@ spec:
         violation[{"msg": msg}] {
             container := input_containers[_]
             not is_exempt(container)
-            tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
-            any(tags)
+            tags := [tag_with_prefix | tag := input.parameters.tags[_]; tag_with_prefix := concat(":", ["", tag])]
+            strings.any_suffix_match(container.image, tags)
             msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
         }
 
         violation[{"msg": msg}] {
             container := input_containers[_]
             not is_exempt(container)
-            tag := [contains(container.image, ":")]
-            not all(tag)
+            not contains(container.image, ":")
             msg := sprintf("container <%v> didn't specify an image tag <%v>", [container.name, container.image])
         }
 

charts/gatekeeper-library/templates/k8sdisallowinteractivetty.yaml

@@ -0,0 +1,81 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  annotations:
+    description: Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset.
+    metadata.gatekeeper.sh/title: Disallow Interactive TTY Containers
+    metadata.gatekeeper.sh/version: 1.0.0
+  name: k8sdisallowinteractivetty
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDisallowInteractiveTTY
+      validation:
+        openAPIV3Schema:
+          description: Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`.
+          properties:
+            exemptImages:
+              description: |-
+                Any container that uses an image that matches an entry in this list will be excluded from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.
+              items:
+                type: string
+              type: array
+          type: object
+  targets:
+    - libs:
+        - |
+          package lib.exempt_container
+
+          is_exempt(container) {
+              exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+              img := container.image
+              exemption := exempt_images[_]
+              _matches_exemption(img, exemption)
+          }
+
+          _matches_exemption(img, exemption) {
+              not endswith(exemption, "*")
+              exemption == img
+          }
+
+          _matches_exemption(img, exemption) {
+              endswith(exemption, "*")
+              prefix := trim_suffix(exemption, "*")
+              startswith(img, prefix)
+          }
+      rego: |
+        package k8sdisallowinteractivetty
+
+        import data.lib.exempt_container.is_exempt
+
+        violation[{"msg": msg, "details": {}}] {
+            c := input_containers[_]
+            not is_exempt(c)
+            input_allow_interactive_fields(c)
+            msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image])
+        }
+
+        input_allow_interactive_fields(c) {
+            has_field(c, "stdin")
+            not c.stdin == false
+        }
+        input_allow_interactive_fields(c) {
+            has_field(c, "tty")
+            not c.tty == false
+        }
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        # has_field returns whether an object has a field
+        has_field(object, field) = true {
+            object[field]
+        }
+      target: admission.k8s.gatekeeper.sh