chore(deps): update docker.io/datashield/rock-base docker tag to v6.3.1

.github/workflows/ci.yaml

@@ -63,6 +63,13 @@ jobs:
       matrix:
         k8s-version: [1.28.13, 1.29.8, 1.30.4, 1.31.0]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit # change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          disable-telemetry: true
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.mega-linter.yml

@@ -1,7 +1,7 @@
 # Configuration file for MegaLinter
 # See all available variables at https://megalinter.io/configuration/ and in linters documentation
 
 APPLY_FIXES: none # all, none, or list of linter keys
 # ENABLE: # If you use ENABLE variable, all other languages/formats/tooling-formats will be disabled by default
 # ENABLE_LINTERS: # If you use ENABLE_LINTERS variable, all other linters will be disabled by default
 # DISABLE:
@@ -23,6 +23,7 @@
 # DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass
 REPOSITORY_TRIVY_ARGUMENTS:
   - "--severity=MEDIUM,HIGH,CRITICAL"
+  - "--skip-dirs=hack/"
 
 YAML_YAMLLINT_CONFIG_FILE: .yamllint.yaml
 

.renovaterc.json

@@ -3,7 +3,9 @@
   "extends": ["config:best-practices"],
   "gitIgnoredAuthors": ["github-actions"],
   "postUpgradeTasks": {
-    "commands": [".github/renovate-post-upgrade.sh {{depName}} {{newVersion}} {{newDigest}}"]
+    "commands": [
+      ".github/renovate-post-upgrade.sh {{depName}} {{newVersion}} {{newDigest}}"
+    ]
   },
   "customManagers": [
     {

.trivyignore

@@ -0,0 +1 @@
+AVD-KSV-0014

charts/datashield/Chart.yaml

@@ -23,7 +23,7 @@ dependencies:
     version: 2.26.0
 deprecated: false
 kubeVersion: ">= 1.19.0"
-version: 0.7.1
+version: 0.7.2
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/containsSecurityUpdates: "false"
@@ -36,5 +36,5 @@ annotations:
   artifacthub.io/changes: |-
     # When using the list of objects option the valid supported kinds are
     # added, changed, deprecated, removed, fixed and security.
-    - kind: fixed
-      description: "Added missing bitnami/common dependency"
+    - kind: changed
+      description: "Updated docker.io/datashield/rock-base to 6.3.1"

charts/datashield/README.md

@@ -45,7 +45,7 @@ helm install --create-namespace -n datashield datashield oci://ghcr.io/miracum/c
 | opal.ingress.annotations                         | object | `{"nginx.ingress.kubernetes.io/backend-protocol":"HTTPS","nginx.ingress.kubernetes.io/force-ssl-redirect":"true"}`                              | extra annotations to apply to the Ingress resource                                                                                                                                                                                                                                                                                            |
 | opal.ingress.className                           | string | `""`                                                                                                                                            | ingressClassName to use                                                                                                                                                                                                                                                                                                                       |
 | opal.ingress.enabled                             | bool   | `false`                                                                                                                                         | create an Ingress for the application                                                                                                                                                                                                                                                                                                         |
-| opal.ingress.hosts                               | list   | `[{"host":"opal.127.0.0.1.nip.io","paths":[{"path":"/","pathType":"ImplementationSpecific","portName":"https"}]}]`                              | list of ingress hosts                                                                                                                                                                                                                                                                                                                         |
+| opal.ingress.hosts                               | list   | `[{"host":"opal.127.0.0.1.nip.io","paths":[{"path":"/","pathType":"ImplementationSpecific","portName":"http"}]}]`                               | list of ingress hosts                                                                                                                                                                                                                                                                                                                         |
 | opal.ingress.tls                                 | list   | `[]`                                                                                                                                            | TLS configuration                                                                                                                                                                                                                                                                                                                             |
 | opal.javaOpts                                    | string | `"-XX:+UseG1GC -XX:+UseContainerSupport"`                                                                                                       | sets the value for the `JAVA_OPTS` environment variable                                                                                                                                                                                                                                                                                       |
 | opal.nodeSelector                                | object | `{}`                                                                                                                                            | pod node selector                                                                                                                                                                                                                                                                                                                             |

charts/datashield/ci/kitchen-sink-test-values.yaml

@@ -4,7 +4,3 @@ rock:
 opal:
   ingress:
     enabled: true
-
-dsPoll:
-  enabled: true
-  queueServerUrl: "http://localhost/"

charts/datashield/templates/rock/networkpolicy.yaml

@@ -16,5 +16,9 @@ spec:
             matchLabels:
               {{- include "datashield.selectorLabels" . | nindent 14 }}
               app.kubernetes.io/component: opal
+        - podSelector:
+            matchLabels:
+              {{- include "datashield.selectorLabels" . | nindent 14 }}
+              app.kubernetes.io/component: test-connection
       ports:
         - port: http

charts/datashield/templates/tests/test-connection.yaml

@@ -15,8 +15,9 @@ spec:
   containers:
     - name: probe-opal-endpoint
       image: "{{ $.Values.curl.image.registry }}/{{ $.Values.curl.image.repository }}:{{ $.Values.curl.image.tag }}"
-      command: ["curl", "--fail-with-body"]
-      args: ["http://{{ include "datashield.fullname" . }}-opal:{{ .Values.opal.service.port }}/"]
+      command: ["curl"]
+
+      args: ["--fail-with-body", "-vvv", "http://{{ include "datashield.fullname" . }}-opal:{{ .Values.opal.service.port }}/"]
       {{- with .Values.restrictedContainerSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -34,8 +35,8 @@ spec:
           command: ["true"]
     - name: probe-rock-endpoint
       image: "{{ $.Values.curl.image.registry }}/{{ $.Values.curl.image.repository }}:{{ $.Values.curl.image.tag }}"
-      command: ["curl", "--fail-with-body"]
-      args: ["http://{{ include "datashield.fullname" . }}-rock:{{ .Values.rock.service.port }}/_check"]
+      command: ["curl"]
+      args: ["--fail-with-body", "-vvv", "http://{{ include "datashield.fullname" . }}-rock:{{ .Values.rock.service.port }}/_check"]
       {{- with .Values.restrictedContainerSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}

charts/datashield/values.yaml

@@ -42,7 +42,7 @@ opal:
         paths:
           - path: /
             pathType: ImplementationSpecific
-            portName: https
+            portName: http
     # -- TLS configuration
     tls: []
     #  - secretName: chart-example-tls
@@ -135,6 +135,7 @@ opal:
     runAsNonRoot: true
     runAsUser: 101
     runAsGroup: 65534
+    readOnlyRootFilesystem: false
     seccompProfile:
       type: RuntimeDefault
 
@@ -243,7 +244,7 @@ rock:
   image:
     registry: docker.io
     repository: datashield/rock-base
-    tag: 6.3.0@sha256:b04924a9321daf0f7a77e7d43c0365baf7312cd665a39483e9d3a487dc65a15e
+    tag: 6.3.1@sha256:ee04ae43894d8f78ee4c173c0cc474f7b7e823c8fa707ed0a1822ec9ef7e8108
     pullPolicy: IfNotPresent
 
   # -- rock cluster name. Evaluated as a template

charts/policies/Chart.yaml

@@ -10,8 +10,8 @@ sources:
 maintainers:
   - name: miracum
 deprecated: false
-kubeVersion: ">= 1.25.0"
-version: 0.1.2
+kubeVersion: ">= 1.19.0"
+version: 0.1.3
 annotations:
   artifacthub.io/license: Apache-2.0
   artifacthub.io/containsSecurityUpdates: "false"
@@ -23,4 +23,4 @@ annotations:
   # added, changed, deprecated, removed, fixed and security.
   artifacthub.io/changes: |
     - kind: changed
-      description: added curl to checked images
+      description: lowered minimum kubeVersion