apache/pulsar-helm-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0 (#186)

Browse Source 
* [Security] Workaround for CVE-2021-44228 Log4J RCE when Log4J >= 2.10.0

- prevents the exploit by disabling message pattern lookups

* Bump the chart version
This commit is contained in:
Lari Hotari 2021-12-10 18:30:01 +02:00 committed by GitHub
parent a16c6bbf19
commit b4b2fa7b80
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/pulsar/Chart.yaml
View File

@ -21,7 +21,7 @@ apiVersion: v1
appVersion: "2.7.2" appVersion: "2.7.2"
description: Apache Pulsar Helm chart for Kubernetes description: Apache Pulsar Helm chart for Kubernetes
name: pulsar name: pulsar
version: 2.7.5 version: 2.7.6
home: https://pulsar.apache.org home: https://pulsar.apache.org
sources: sources:
- https://github.com/apache/pulsar - https://github.com/apache/pulsar

2
charts/pulsar/templates/autorecovery-statefulset.yaml
View File

@ -139,7 +139,7 @@ spec:
- > - >
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
{{- include "pulsar.autorecovery.zookeeper.tls.settings" . | nindent 10 }} {{- include "pulsar.autorecovery.zookeeper.tls.settings" . | nindent 10 }}
exec bin/bookkeeper autorecovery OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/bookkeeper autorecovery
ports: ports:
- name: http - name: http
containerPort: {{ .Values.autorecovery.ports.http }} containerPort: {{ .Values.autorecovery.ports.http }}

2
charts/pulsar/templates/bookkeeper-statefulset.yaml
View File

@ -167,7 +167,7 @@ spec:
- > - >
bin/apply-config-from-env.py conf/bookkeeper.conf; bin/apply-config-from-env.py conf/bookkeeper.conf;
{{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }} {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }}
exec bin/pulsar bookie; OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie;
{{- if and .Values.rbac.enabled .Values.rbac.psp }} {{- if and .Values.rbac.enabled .Values.rbac.psp }}
securityContext: securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false

2
charts/pulsar/templates/broker-statefulset.yaml
View File

@ -209,7 +209,7 @@ spec:
bin/pulsar zookeeper-shell -server {{ template "pulsar.zookeeper.connect" . }} get {{ template "pulsar.broker.znode" . }}; bin/pulsar zookeeper-shell -server {{ template "pulsar.zookeeper.connect" . }} get {{ template "pulsar.broker.znode" . }};
done; done;
cat conf/pulsar_env.sh; cat conf/pulsar_env.sh;
exec bin/pulsar broker; OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar broker;
ports: ports:
# prometheus needs to access /metrics endpoint # prometheus needs to access /metrics endpoint
- name: http - name: http

2
charts/pulsar/templates/proxy-statefulset.yaml
View File

@ -180,7 +180,7 @@ spec:
- > - >
bin/apply-config-from-env.py conf/proxy.conf && bin/apply-config-from-env.py conf/proxy.conf &&
echo "OK" > status && echo "OK" > status &&
exec bin/pulsar proxy OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar proxy
ports: ports:
# prometheus needs to access /metrics endpoint # prometheus needs to access /metrics endpoint
- name: http - name: http

2
charts/pulsar/templates/zookeeper-statefulset.yaml
View File

@ -115,7 +115,7 @@ spec:
bin/apply-config-from-env.py conf/zookeeper.conf; bin/apply-config-from-env.py conf/zookeeper.conf;
{{- include "pulsar.zookeeper.tls.settings" . | nindent 10 }} {{- include "pulsar.zookeeper.tls.settings" . | nindent 10 }}
bin/generate-zookeeper-config.sh conf/zookeeper.conf; bin/generate-zookeeper-config.sh conf/zookeeper.conf;
exec bin/pulsar zookeeper; OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar zookeeper;
ports: ports:
# prometheus needs to access /metrics endpoint # prometheus needs to access /metrics endpoint
- name: http - name: http