diff --git a/bitnami/apisix/CHANGELOG.md b/bitnami/apisix/CHANGELOG.md index ffe7f12eaa3e25..360f3fb20b1c58 100644 --- a/bitnami/apisix/CHANGELOG.md +++ b/bitnami/apisix/CHANGELOG.md @@ -1,8 +1,12 @@ # Changelog -## 3.6.1 (2024-11-30) +## 3.7.0 (2024-12-10) -* [bitnami/apisix] Release 3.6.1 ([#30695](https://github.com/bitnami/charts/pull/30695)) +* [bitnami/apisix] Detect non-standard images ([#30861](https://github.com/bitnami/charts/pull/30861)) + +## 3.6.1 (2024-11-30) + +* [bitnami/apisix] Release 3.6.1 (#30695) ([292979c](https://github.com/bitnami/charts/commit/292979cddcab9e5228ff2e52f06f7559530ea7cd)), closes [#30695](https://github.com/bitnami/charts/issues/30695) ## 3.6.0 (2024-11-29) diff --git a/bitnami/apisix/Chart.lock b/bitnami/apisix/Chart.lock index 302c2beee579c9..9c597022c751f6 100644 --- a/bitnami/apisix/Chart.lock +++ b/bitnami/apisix/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: etcd repository: oci://registry-1.docker.io/bitnamicharts - version: 10.5.3 + version: 10.6.1 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.27.2 -digest: sha256:03a92a36148cb5824d13f61b2e8e65c63edefd72e8392da4fc75c9a01d783538 -generated: "2024-11-29T11:33:04.089124622+01:00" + version: 2.28.0 +digest: sha256:75e5fc42d1448ed63ad28f0a1284ae9f53e5ebda58969799b220828380fa8414 +generated: "2024-12-10T16:47:53.291235+01:00" diff --git a/bitnami/apisix/Chart.yaml b/bitnami/apisix/Chart.yaml index d01907fc5f19c8..3095cc7bccbaa9 100644 --- a/bitnami/apisix/Chart.yaml +++ b/bitnami/apisix/Chart.yaml @@ -45,4 +45,4 @@ sources: - https://github.com/bitnami/charts/tree/main/bitnami/apisix - https://github.com/bitnami/charts/tree/main/bitnami/apisix-dashboard - https://github.com/bitnami/charts/tree/main/bitnami/apisix-ingress-controller -version: 3.6.1 +version: 3.7.0 diff --git a/bitnami/apisix/README.md b/bitnami/apisix/README.md index 214c5d777d8d81..665af3535a279c 100644 --- a/bitnami/apisix/README.md +++ b/bitnami/apisix/README.md 
@@ -279,13 +279,14 @@ As an alternative, use one of the preset configurations for pod affinity, pod an ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -1096,6 +1097,10 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 3.7.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + ### To 3.0.0 This major bump changes the following security defaults: 
diff --git a/bitnami/apisix/templates/NOTES.txt b/bitnami/apisix/templates/NOTES.txt index 1d4db6e34081fe..9476b075ade4cf 100644 --- a/bitnami/apisix/templates/NOTES.txt +++ b/bitnami/apisix/templates/NOTES.txt @@ -206,3 +206,4 @@ The Ingress Class name to use the APISIX Ingress Controller is: {{ .Values.ingre {{- include "apisix.validateValues" . }} {{- include "common.warnings.resources" (dict "sections" (list "controlPlane" "dashboard" "dataPlane" "ingressController") "context" $) }} {{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.dashboard.image .Values.ingressController.image .Values.waitContainer.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.dashboard.image .Values.ingressController.image .Values.waitContainer.image) "context" $) }} diff --git a/bitnami/apisix/values.yaml b/bitnami/apisix/values.yaml index 69da893f8e443b..a540c08e55bded 100644 --- a/bitnami/apisix/values.yaml +++ b/bitnami/apisix/values.yaml @@ -21,6 +21,11 @@ global: imagePullSecrets: [] defaultStorageClass: "" storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false ## Compatibility adaptations for Kubernetes platforms ## compatibility:
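Review bot: The CHANGELOG.md hunk rewrites the existing 3.6.1 entry while adding 3.7.0: the PR link becomes a commit link plus a "closes #30695" reference that points at /issues/30695, although the original entry linked the same number under /pull/. If this rewrite comes from the changelog generator it is fine, but otherwise keep the 3.6.1 line unchanged so the diff only carries the new release entry.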
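Review bot: In Chart.lock the `common` dependency moves from 2.27.2 to 2.28.0 in the same change that starts calling `common.errors.insecureImages`, but the Chart.yaml hunk only shows `version: 3.7.0` and no change to a dependency constraint. If the new template only exists in the newer common release, confirm the constraint in Chart.yaml cannot resolve to an older one, otherwise a regenerated lock could render NOTES.txt against a library that lacks the helper. The etcd bump from 10.5.3 to 10.6.1 rides along in the same lock update and is not mentioned in the 3.7.0 changelog entry.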
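Review bot: The "To 3.7.0" upgrade note in README.md says the version "introduces image verification for security purposes" without stating what is verified or what happens when the check does not pass. The changelog entry describes it as detecting non-standard images and the template is named `common.errors.insecureImages`, so the note should say which images are flagged and whether the install or upgrade is aborted, so that users who override image values know what to expect before upgrading. The table description "Allows skipping image verification" has the same gap, and the link text "GitHub issue" would be clearer with the issue number in it.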
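Review bot: The added `common.errors.insecureImages` line in templates/NOTES.txt repeats the four-image list already passed to `common.warnings.modifiedImages` on the line above it, so an image added to the chart later has to be added in both places or it silently escapes one of the two checks. Consider building the list once (for example in a template variable) and passing it to both includes. It is also worth confirming that every image the chart can deploy is in that list, since only `.Values.image`, `.Values.dashboard.image`, `.Values.ingressController.image` and `.Values.waitContainer.image` are covered here.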
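Review bot: The `## @param global.security.allowInsecureImages` comment in values.yaml does not say that the flag is all-or-nothing: it sits under `global`, so setting it to `true` turns the check off for every image passed to the helper, not just the one a user has replaced. Suggest extending the comment to say that `false` keeps the check enabled and that `true` disables it for all images of the chart, so the scope of the opt-out is clear where the value is set.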