@@ -8,16 +8,15 @@ keywords: migrate dockerfile, hardened base image, multi-stage build, non-root c
88
99{{< summary-bar feature_name="Docker Hardened Images" >}}
1010
11- This guide helps you migrate your existing Dockerfiles to use Docker Hardened
12- Images (DHIs) [ manually] ( #step-1-update-the-base-image-in-your-dockerfile ) ,
13- or with [ Gordon] ( #use-gordon ) .
14- DHIs are minimal and security-focused, which may require
15- adjustments to your base images, build process, and runtime configuration.
11+ This guide helps you migrate your existing Dockerfiles and Helm-based
12+ deployments to use Docker Hardened Images (DHIs). For Dockerfiles, you can
13+ migrate [ manually] ( #step-1-update-the-base-image-in-your-dockerfile ) , or with
14+ [ Gordon] ( #use-gordon ) .
1615
17- This guide focuses on migrating framework images, such as images for building
18- applications from source using languages like Go, Python, or Node.js. If you're
19- migrating application images, such as databases, proxies, or other prebuilt
20- services, many of the same principles still apply.
16+ The Dockerfile migration section focuses on migrating framework images, such as
17+ images for building applications from source using languages like Go, Python, or
18+ Node.js. If you're migrating application images, such as databases, proxies, or
19+ other prebuilt services, many of the same principles still apply.
2120
2221## Migration considerations
2322
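Review bot: The rewritten intro (lines 11-14 of the new text) drops the sentence "DHIs are minimal and security-focused, which may require adjustments to your base images, build process, and runtime configuration." That caveat is the main reason a reader needs the rest of the guide and it still applies to both the Dockerfile and the Helm paths, so keep it, for example as a closing sentence of the first paragraph: "DHIs are minimal and security-focused, which may require adjustments to your base images, build process, and runtime configuration." Separately, since the page now covers Helm-based deployments, the `keywords` front matter shown in the hunk header (`migrate dockerfile, hardened base image, multi-stage build, non-root c...`) should gain terms such as `helm chart` and `bitnami` so the new section is discoverable.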
@@ -245,7 +244,98 @@ ENTRYPOINT [ "python", "/app/image.py" ]
245244
246245### Use Gordon
247246
248- Alternatively, you can request assistance to
249- [ Gordon] ( /manuals/ai/gordon/_index.md ) , Docker's AI-powered assistant, to migrate your Dockerfile:
247+ Alternatively, you can request assistance to
248+ [ Gordon] ( /manuals/ai/gordon/_index.md ) , Docker's AI-powered assistant, to
249+ migrate your Dockerfile:
250250
251251{{% include "gordondhi.md" %}}
252+
253+ ## Migrate Bitnami Helm charts
254+
255+ If you're using Bitnami Helm charts in your Kubernetes deployments, you can
256+ migrate to use Docker Hardened Images with minimal changes to your existing
257+ chart configurations.
258+
259+ By default, Bitnami Helm charts enforce the use of Bitnami container images
260+ and block non-Bitnami images. This security mechanism can cause installation
261+ errors if you replace the default image with another, such as a DHI.
262+
263+ To allow other images, including DHIs, set the following in your Helm chart
264+ configuration:
265+
266+ ``` yaml
267+ global :
268+ security :
269+ allowInsecureImages : true
270+ ` ` `
271+
272+ You can pass this via a values file. In addition to
273+ ` global.security.allowInsecureImages`, you also need to set `image.repository`
274+ and `image.tag`. The following is an example for Redis, where you would replace
275+ `<your-namespace>` and `<dhi-image-tag>` with your DHI namespace and the tag :
276+
277+ ` ` ` yaml{title="values.yaml"}
278+ global:
279+ security:
280+ allowInsecureImages: true
281+ image:
282+ repository: <your-namespace>/dhi-redis
283+ tag: <dhi-image-tag>
284+ ` ` `
285+
286+ Then install or upgrade your Helm chart with the `-f values.yaml` flag :
287+
288+ ` ` ` console
289+ $ helm install redis bitnami/redis -f values.yaml
290+ ` ` `
291+
292+ This lets Bitnami charts run with your DHI, while keeping the usual override
293+ mechanism intact.
294+
295+ # ## Mirroring charts with Bitnami chart-syncer
296+
297+ If your organization deploys multiple Bitnami charts or needs to control chart
298+ availability, you may want to mirror charts into your own registry instead of
299+ pulling them directly from Bitnami. Tools like [Bitnami
300+ charts-syncer](https://github.com/bitnami/charts-syncer) help automate this
301+ process.
302+
303+ The following example shows how to use `charts-syncer` to mirror Bitnami charts.
304+ Create a `config.yaml` file with the following content, replacing
305+ ` example.registry.com` and `my-dhi` with your own OCI registry and repository.
306+
307+ ` ` ` yaml
308+ # Mirror Bitnami Redis chart to your internal OCI registry
309+ # and rewrite image registry/repository to your DHI location.
310+
311+ # Where to read charts from (Bitnami charts as OCI artifacts on Docker Hub)
312+ source:
313+ repo:
314+ kind: OCI
315+ url: https://registry-1.docker.io/bitnamicharts
316+ charts:
317+ - redis # list of charts to mirror (name only, no version)
318+
319+ # Where to push charts and how to rewrite image coordinates
320+ target:
321+ # (A) Rewrite image fields in values.yaml:
322+ # image.registry -> REGISTRY below
323+ # image.repository -> REPOSITORY prefix below
324+ #
325+ # NOTE: charts-syncer does NOT change the tag; you’ll set it at install time.
326+ containerRegistry: example.registry.com # your OCI image registry (for DHIs)
327+ containerRepository: my-dhi # prefix/path for images (e.g., my-dhi/redis)
328+
329+ # (B) Where the mirrored charts will live
330+ repo:
331+ kind: OCI
332+ url: https://example.registry.com/helm
333+ ` ` `
334+
335+ After creating the `config.yaml`, you can run charts-syncer. Based on your
336+ source and destination, you may need to sign in first using `docker login` or
337+ ` helm registry login` .
338+
339+ ` ` ` console
340+ $ charts-syncer sync --config /config.yaml
341+ ` ` `
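Review bot: The `global.security.allowInsecureImages: true` guidance (new lines 259-270) should state plainly that it disables the chart's image-origin guardrail for every image the chart pulls, not only for the DHI you are substituting; the text describes the mechanism as a security feature that "blocks non-Bitnami images" and then shows how to switch it off without naming the trade-off. Add a sentence to that effect and recommend pinning the DHI reference so the override does not silently widen what the chart may run. Related consistency issues in the same section: the Redis `values.yaml` example (lines 278-283) sets only `image.repository` and `image.tag`, while the charts-syncer config later rewrites `image.registry` as well, so either add `registry` to the values example or say which registry the chart defaults to; the install command uses `bitnami/redis`, which assumes a `helm repo add bitnami ...` the page never shows, whereas the syncer config pulls the charts as OCI artifacts from `registry-1.docker.io/bitnamicharts`; and the final command `charts-syncer sync --config /config.yaml` uses an absolute root path although the text asks the reader to create `config.yaml` in the working directory (use `--config ./config.yaml` or `config.yaml`). Minor wording: "request assistance to Gordon" (lines 247-249) should read "ask Gordon" or "request assistance from Gordon".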