Merge branch 'release/1.3.0'

.github/workflows/push_pr_main.yaml

@@ -49,6 +49,16 @@ jobs:
       - name: Run integration tests
         run: bash run_tests.sh --integration
 
+  integration-tests-mariadb-rootless:
+    name: Integration Tests Mariadb
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run integration tests
+        run: ROOTLESS=true bash run_tests.sh --integration
+
   integration-tests-postgresql:
     name: Integration Tests Postgresql
     runs-on: ubuntu-latest
@@ -58,3 +68,13 @@ jobs:
 
       - name: Run integration tests
         run: bash run_tests.sh --integration -d postgresql
+
+  integration-tests-postgresql-rootless:
+    name: Integration Tests Postgresql
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run integration tests
+        run: ROOTLESS=true bash run_tests.sh --integration -d postgresql

.gitlab-ci.yml

@@ -32,21 +32,35 @@ test Helm Charts:
     - bash run_tests.sh --unit
 
 integration Tests Helm Charts Mariadb:
+  variables:
+    ROOTLESS: false
   image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind
   script:
     - |
       apk update && apk add -U curl bash
       sleep 10 # Wait for docker service
       bash run_tests.sh --integration
 
+integration Tests Helm Charts Mariadb Rootless:
+  variables:
+    ROOTLESS: true
+  extends: integration Tests Helm Charts Mariadb
+
 integration Tests Helm Charts Postgresql:
+  variables:
+    ROOTLESS: false
   image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind
   script:
     - |
       apk update && apk add -U curl bash
       sleep 10 # Wait for docker service
       bash run_tests.sh --integration -d postgresql
 
+integration Tests Helm Charts Postgresql Rootless:
+  variables:
+    ROOTLESS: true
+  extends: integration Tests Helm Charts Postgresql
+
 publish:
   stage: publish
   image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/helm

CHANGELOG.md

@@ -3,7 +3,13 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/1.2.0...HEAD)
+## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/1.3.0...HEAD)
+
+## [1.3.0] - 2024-11-13
+
+### Added
+
+- Added non-root image support
 
 ## [1.2.0] - 2024-10-30
 

Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.0
+version: 1.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

README.md

@@ -4,7 +4,7 @@
     <img src="./.assets/helm_passbolt.png" alt="passbolt sails kubernetes" width="500"/>
 </h3>
 
-![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.9.1-1-ce](https://img.shields.io/badge/AppVersion-4.9.1--1--ce-informational?style=flat-square)
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.9.1-1-ce](https://img.shields.io/badge/AppVersion-4.9.1--1--ce-informational?style=flat-square)
 
 Passbolt is an open source, security first password manager with strong focus on
 collaboration.
@@ -74,6 +74,25 @@ helm install my-release my-repo
 The above command deploys passbolt with default settings on your kubernetes cluster.
 Check the [configuration](#Configuration) section to check which parameters you can fine tune.
 
+## Use passbolt non-root image
+
+In case you want to use the non-root passbolt image, there are a few changes that you have to introduce on your values file:
+
+```bash
+app:
+  image:
+    tag: <NON_ROOT_TAG>
+
+service:
+  ports:
+    https:
+      targetPort: 4433
+    http:
+      targetPort: 8080
+```
+
+With these changes you should be able to run passbolt on a container executed by www-data user.
+
 ## Creating first user
 
 Once the chart is deployed, you can create your first user by running the following command:

README.md.gotmpl

@@ -74,6 +74,25 @@ helm install my-release my-repo
 The above command deploys passbolt with default settings on your kubernetes cluster.
 Check the [configuration](#Configuration) section to check which parameters you can fine tune.
 
+## Use passbolt non-root image
+
+In case you want to use the non-root passbolt image, there are a few changes that you have to introduce on your values file:
+
+```bash
+app:
+  image:
+    tag: <NON_ROOT_TAG>
+
+service:
+  ports:
+    https:
+      targetPort: 4433
+    http:
+      targetPort: 8080
+```
+
+With these changes you should be able to run passbolt on a container executed by www-data user.
+
 ## Creating first user
 
 Once the chart is deployed, you can create your first user by running the following command:

templates/tests/integration-tests-runner.yaml

@@ -20,7 +20,9 @@ spec:
           bash /tests/run_tests.sh
       env:
         - name: TESTS_DEBUG
-          value: {{ quote .Values.integrationTests.debug  }}
+          value: {{ quote .Values.integrationTests.debug | default false }}
+        - name: ROOTLESS
+          value: {{ quote .Values.integrationTests.rootless | default false }}
       volumeMounts:
         - name: integration-tests-runner
           mountPath: "/tests/run_tests.sh"

tests/integration/fixtures/create-cluster-with-passbolt.sh

@@ -12,82 +12,116 @@ SSL_KEY_PATH="/tmp/ssl.key"
 SSL_CERT_PATH="/tmp/ssl.crt"
 
 function createKindCluster {
-	echo "Creating kind cluster: $KIND_CLUSTER_NAME"
-	"$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME"
+  echo "Creating kind cluster: $KIND_CLUSTER_NAME"
+  "$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME"
 }
 
 function installNginxIngress {
-	"$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-	"$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx
+  "$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+  "$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx
+}
+
+function http_port {
+  if [ "$ROOTLESS" == true ]; then
+    echo 8080
+  else
+    echo 80
+  fi
+}
+
+function https_port {
+  if [ "$ROOTLESS" == true ]; then
+    echo 4433
+  else
+    echo 443
+  fi
+}
+
+function image_tag {
+  tag="$(awk -F ' ' '/^    tag:/ {print $2}' values.yaml)"
+  if [ "$ROOTLESS" == true ]; then
+    echo "$tag"-non-root
+  else
+    echo "$tag"
+  fi
 }
 
 function upgradePassboltChart {
-	local private_key=""
-	local public_key=""
-	local fingerprint=""
-	local jwt_private_key=""
-	local jwt_public_key=""
-	private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s 
-	public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}")
-	fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}')
-	jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}")
-	jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}")
-	"$HELM_BINARY" upgrade -i passbolt . \
-		-f $HELM_TESTING_VALUES \
-		-n default \
-		--set integrationTests.debug="$DEBUG" \
-		--set gpgServerKeyPrivate="$private_key" \
-		--set gpgServerKeyPublic="$public_key" \
-		--set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \
-		--set jwtServerPrivate="$jwt_private_key" \
-		--set jwtServerPublic="$jwt_public_key"
+  local private_key=""
+  local public_key=""
+  local fingerprint=""
+  local jwt_private_key=""
+  local jwt_public_key=""
+  private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s 
+  public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}")
+  fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}')
+  jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}")
+  jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}")
+  "$HELM_BINARY" upgrade -i passbolt . \
+    -f "$HELM_TESTING_VALUES" \
+    -n default \
+    --set integrationTests.debug="$DEBUG" \
+    --set integrationTests.rootless="$ROOTLESS" \
+    --set app.image.tag="$(image_tag)" \
+    --set gpgServerKeyPrivate="$private_key" \
+    --set gpgServerKeyPublic="$public_key" \
+    --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \
+    --set jwtServerPrivate="$jwt_private_key" \
+    --set jwtServerPublic="$jwt_public_key" \
+    --set service.ports.https.targetPort="$(https_port)" \
+    --set service.ports.http.targetPort="$(http_port)"
 }
 
 function installPassboltChart {
-	if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then
-		"$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami
-		"$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library
-		"$HELM_BINARY" dependency build
-	fi
-	if "$HELM_BINARY" status passbolt; then
-		upgradePassboltChart
-	else
-		"$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default --set integrationTests.debug="$DEBUG"
-	fi
-	"$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default
+  if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then
+    "$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami
+    "$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library
+    "$HELM_BINARY" dependency build
+  fi
+  if "$HELM_BINARY" status passbolt; then
+    upgradePassboltChart
+  else
+    "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default \
+      --set service.ports.https.targetPort="$(https_port)" \
+      --set service.ports.http.targetPort="$(http_port)" \
+      --set app.image.tag="$(image_tag)" \
+      --set integrationTests.debug="$DEBUG" \
+      --set integrationTests.rootless="$ROOTLESS"
+  fi
+  "$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default
 }
 
 function createAndInstallSSLCertificates {
-	local domain="${1-passbolt.local}"
-	local ssl_key_path="$SSL_KEY_PATH"
-	local ssl_cert_path="$SSL_CERT_PATH"
-	"$MKCERT_BINARY" -install
-	"$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain"
-	"$KUBECTL_BINARY" create secret generic mkcert-ca \
-		--from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \
-		--from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \
-		-n default
+  local domain="${1-passbolt.local}"
+  local ssl_key_path="$SSL_KEY_PATH"
+  local ssl_cert_path="$SSL_CERT_PATH"
+  "$MKCERT_BINARY" -install
+  "$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain"
+  "$KUBECTL_BINARY" create secret generic mkcert-ca \
+    --from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \
+    --from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \
+    -n default
 }
 
 function createSecretWithTLS {
-	local secret_name="$K8S_LOCAL_TLS_SECRET"
-	local ssl_key_path="$SSL_KEY_PATH"
-	local ssl_cert_path="$SSL_CERT_PATH"
-	if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then
-		"$KUBECTL_BINARY" delete secret $secret_name -n default
-	fi
-	"$KUBECTL_BINARY" create secret tls $secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default
+  local secret_name="$K8S_LOCAL_TLS_SECRET"
+  local ssl_key_path="$SSL_KEY_PATH"
+  local ssl_cert_path="$SSL_CERT_PATH"
+  if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then
+    "$KUBECTL_BINARY" delete secret $secret_name -n default
+  fi
+  "$KUBECTL_BINARY" create secret tls $secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default
 }
 function createInfraAndInstallPassboltChart {
-	if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then
-		createKindCluster
-		createAndInstallSSLCertificates
-		createSecretWithTLS
-		installNginxIngress
-		installPassboltChart
-	else
-		echo "Cluster $KIND_CLUSTER_NAME already exists"
-	fi
+  if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then
+    createKindCluster
+    createAndInstallSSLCertificates
+    createSecretWithTLS
+    installNginxIngress
+    installPassboltChart
+  else
+    echo "Cluster $KIND_CLUSTER_NAME already exists"
+  fi
 }
 
 createInfraAndInstallPassboltChart