Commit new App releases for TrueCharts

Signed-off-by: TrueCharts-Bot <bot@truecharts.org>

stable/unifi/9.0.42/CHANGELOG.md

@@ -1,6 +1,15 @@
 # Changelog<br>
 
 
+<a name="unifi-9.0.42"></a>
+### [unifi-9.0.42](https://github.com/truecharts/apps/compare/unifi-9.0.41...unifi-9.0.42) (2022-02-02)
+
+#### Fix
+
+* run as non-root ([#1831](https://github.com/truecharts/apps/issues/1831))
+
+
+
 <a name="unifi-9.0.41"></a>
 ### [unifi-9.0.41](https://github.com/truecharts/apps/compare/unifi-9.0.40...unifi-9.0.41) (2022-02-02)
 
@@ -88,12 +97,3 @@
 
 * update helm general non-major helm releases ([#1693](https://github.com/truecharts/apps/issues/1693))
 
-
-
-<a name="unifi-9.0.32"></a>
-### [unifi-9.0.32](https://github.com/truecharts/apps/compare/unifi-9.0.31...unifi-9.0.32) (2022-01-04)
-
-#### Chore
-
-* update helm general non-major helm releases
-

stable/unifi/9.0.42/Chart.lock

@@ -3,4 +3,4 @@ dependencies:
   repository: https://truecharts.org
   version: 8.14.4
 digest: sha256:174540169e6b40685bffe5c1bcc04b46e4fea44e824666dc750f5b640e9d410a
-generated: "2022-02-02T14:02:37.870923372Z"
+generated: "2022-02-02T20:20:30.362708519Z"

stable/unifi/9.0.42/Chart.yaml

@@ -21,7 +21,7 @@ sources:
 - https://github.com/jacobalberty/unifi-docker
 - https://unifi-network.ui.com
 type: application
-version: 9.0.41
+version: 9.0.42
 annotations:
   truecharts.org/catagories: |
     - Networking

stable/unifi/9.0.42/helm-values.md

@@ -11,18 +11,15 @@ You will, however, be able to use all values referenced in the common chart here
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| env.PUID | int | `568` |  |
-| env.UNIFI_GID | string | `"{{ .Values.env.PUID }}"` |  |
-| env.UNIFI_UID | string | `"{{ .Values.podSecurityContext.fsGroup }}"` |  |
+| env | object | `{}` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"tccr.io/truecharts/unifi"` |  |
 | image.tag | string | `"v6.5.55@sha256:c74556ef862dab1534ed848d6efa57f40a11399172230aec57e5e850ce542921"` |  |
 | persistence.config.enabled | bool | `true` |  |
 | persistence.config.mountPath | string | `"/unifi"` |  |
-| podSecurityContext.runAsGroup | int | `0` |  |
-| podSecurityContext.runAsUser | int | `0` |  |
+| podSecurityContext.runAsGroup | int | `999` |  |
+| podSecurityContext.runAsUser | int | `999` |  |
 | securityContext.readOnlyRootFilesystem | bool | `false` |  |
-| securityContext.runAsNonRoot | bool | `false` |  |
 | service.comm.enabled | bool | `true` |  |
 | service.comm.ports.comm.enabled | bool | `true` |  |
 | service.comm.ports.comm.port | int | `8080` |  |

stable/unifi/9.0.42/ix_values.yaml

@@ -48,18 +48,12 @@ service:
 
 securityContext:
   readOnlyRootFilesystem: false
-  runAsNonRoot: false
 
 podSecurityContext:
-  runAsGroup: 0
-  runAsUser: 0
+  runAsGroup: 999
+  runAsUser: 999
 
-env:
-  # TZ:
-  PUID: 568
-  # Permissions Settings
-  UNIFI_GID: "{{ .Values.env.PUID }}"
-  UNIFI_UID: "{{ .Values.podSecurityContext.fsGroup }}"
+env: {}
 
 persistence:
   config:

stable/unifi/9.0.42/questions.yaml

@@ -188,13 +188,6 @@ questions:
           schema:
             type: string
             default: "002"
-        - variable: PUID
-          label: "PUID"
-          description: "Sets the PUID env var for LinuxServer.io (compatible) containers"
-          schema:
-            type: int
-            default: 568
-
 
   - variable: envList
     label: "Image environment"
@@ -2002,7 +1995,7 @@ questions:
                 label: "runAsNonRoot"
                 schema:
                   type: boolean
-                  default: false
+                  default: true
               - variable: capabilities
                 label: "Capabilities"
                 schema:
@@ -2042,13 +2035,13 @@ questions:
           description: "The UserID of the user running the application"
           schema:
             type: int
-            default: 0
+            default: 999
         - variable: runAsGroup
           label: "runAsGroup"
           description: The groupID this App of the user running the application"
           schema:
             type: int
-            default: 0
+            default: 999
         - variable: fsGroup
           label: "fsGroup"
           description: "The group that should own ALL storage."

stable/unifi/9.0.42/security.md

@@ -18,7 +18,6 @@ hide:
 | Type         |    Misconfiguration ID   |   Check  |  Severity |                   Explaination                   | Links  |
 |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
 | Kubernetes Security Check         |    KSV003   |   Default capabilities not dropped  |  LOW | <details><summary>Expand...</summary> The container should drop all default capabilities and add only those that are needed for its execution. <br> <hr> <br> Container &#39;RELEASE-NAME-unifi&#39; of Deployment &#39;RELEASE-NAME-unifi&#39; should add &#39;ALL&#39; to &#39;securityContext.capabilities.drop&#39; </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/">https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/</a><br><a href="https://avd.aquasec.com/appshield/ksv003">https://avd.aquasec.com/appshield/ksv003</a><br></details>  |
-| Kubernetes Security Check         |    KSV012   |   Runs as root user  |  MEDIUM | <details><summary>Expand...</summary> &#39;runAsNonRoot&#39; forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container &#39;RELEASE-NAME-unifi&#39; of Deployment &#39;RELEASE-NAME-unifi&#39; should set &#39;securityContext.runAsNonRoot&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details>  |
 | Kubernetes Security Check         |    KSV012   |   Runs as root user  |  MEDIUM | <details><summary>Expand...</summary> &#39;runAsNonRoot&#39; forces the running image to run as a non-root user to ensure least privileges. <br> <hr> <br> Container &#39;autopermissions&#39; of Deployment &#39;RELEASE-NAME-unifi&#39; should set &#39;securityContext.runAsNonRoot&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted">https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted</a><br><a href="https://avd.aquasec.com/appshield/ksv012">https://avd.aquasec.com/appshield/ksv012</a><br></details>  |
 | Kubernetes Security Check         |    KSV014   |   Root file system is not read-only  |  LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container &#39;RELEASE-NAME-unifi&#39; of Deployment &#39;RELEASE-NAME-unifi&#39; should set &#39;securityContext.readOnlyRootFilesystem&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details>  |
 | Kubernetes Security Check         |    KSV014   |   Root file system is not read-only  |  LOW | <details><summary>Expand...</summary> An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. <br> <hr> <br> Container &#39;autopermissions&#39; of Deployment &#39;RELEASE-NAME-unifi&#39; should set &#39;securityContext.readOnlyRootFilesystem&#39; to true </details>| <details><summary>Expand...</summary><a href="https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/">https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/</a><br><a href="https://avd.aquasec.com/appshield/ksv014">https://avd.aquasec.com/appshield/ksv014</a><br></details>  |