@@ -8,16 +8,15 @@ keywords: migrate dockerfile, hardened base image, multi-stage build, non-root c
88
99{{< summary-bar feature_name="Docker Hardened Images" >}}
1010
11- This guide helps you migrate your existing Dockerfiles to use Docker Hardened
12- Images (DHIs) [ manually] ( #step-1-update-the-base-image-in-your-dockerfile ) ,
13- or with [ Gordon] ( #use-gordon ) .
14- DHIs are minimal and security-focused, which may require
15- adjustments to your base images, build process, and runtime configuration.
11+ This guide helps you migrate your existing Dockerfiles and Helm-based
12+ deployments to use Docker Hardened Images (DHIs). For Dockerfiles, you can
13+ migrate [ manually] ( #step-1-update-the-base-image-in-your-dockerfile ) , or with
14+ [ Gordon] ( #use-gordon ) .
1615
17- This guide focuses on migrating framework images, such as images for building
18- applications from source using languages like Go, Python, or Node.js. If you're
19- migrating application images, such as databases, proxies, or other prebuilt
20- services, many of the same principles still apply.
16+ The Dockerfile migration section focuses on migrating framework images, such as
17+ images for building applications from source using languages like Go, Python, or
18+ Node.js. If you're migrating application images, such as databases, proxies, or
19+ other prebuilt services, many of the same principles still apply.
2120
2221## Migration considerations
2322
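Review bot: The rewritten introduction (new lines 11-14) drops the old sentence "DHIs are minimal and security-focused, which may require adjustments to your base images, build process, and runtime configuration" without replacing it, so the page no longer says up front why a migration needs more than a base-image swap. I suggest keeping that sentence after the Gordon link. Also, "Helm-based deployments" is broader than what the patch adds, which covers only Bitnami charts; "Bitnami Helm chart deployments" would match the new section.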
@@ -245,7 +244,59 @@ ENTRYPOINT [ "python", "/app/image.py" ]
245244
246245### Use Gordon
247246
248- Alternatively, you can request assistance to
249- [ Gordon] ( /manuals/ai/gordon/_index.md ) , Docker's AI-powered assistant, to migrate your Dockerfile:
247+ Alternatively, you can request assistance to
248+ [ Gordon] ( /manuals/ai/gordon/_index.md ) , Docker's AI-powered assistant, to
249+ migrate your Dockerfile:
250250
251251{{% include "gordondhi.md" %}}
252+
253+ ## Migrate Bitnami Helm charts
254+
255+ If you're using Bitnami Helm charts in your Kubernetes deployments, you can
256+ migrate to use Docker Hardened Images with minimal changes to your existing
257+ chart configurations.
258+
259+ By default, Bitnami Helm charts enforce the use of Bitnami container images
260+ and block non-Bitnami images. This security mechanism can cause installation
261+ errors if you replace the default image with another, such as a DHI.
262+
263+ To allow other images, including DHIs, set the following in your Helm chart
264+ configuration:
265+
266+ ``` yaml
267+ global :
268+ security :
269+ allowInsecureImages : true
270+ ` ` `
271+
272+ You can pass this via a values file. The following is an example for Redis:
273+
274+ ` ` ` yaml{title="values.yaml"}
275+ global :
276+ security :
277+ allowInsecureImages : true
278+ image :
279+ repository : <your-namespace>/dhi-redis
280+ tag : <dhi-image-tag>
281+ ` ` `
282+
283+ Then install or upgrade your Helm chart with:
284+
285+ ` ` ` console
286+ $ helm install redis bitnami/redis -f values.yaml
287+ ```
288+
289+ This lets Bitnami charts run with your DHI, while keeping the usual override
290+ mechanism intact.
291+
292+ ### Using Bitnami charts-syncer with DHI
293+
294+ Using [ Bitnami charts-syncer] ( https://github.com/bitnami/charts-syncer ) is
295+ helpful when you want to maintain your own internal Helm chart catalog and
296+ ensure charts are consistently mirrored and linked to your DHI repositories. It
297+ automates chart mirroring and registry rewriting. However, you will still need
298+ to manually set the ` image.tag ` and add `global.security.allowInsecureImages:
299+ true` to the chart to bypass Bitnami's security validation. If you're only
300+ deploying a few DHIs, using a direct ` values.yaml ` override, ` --set ` flag, or
301+ even a ` kubectl patch ` for raw YAML manifests is often simpler than running
302+ charts-syncer.
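Review bot: The Bitnami section (new lines 259-269) tells readers to set `global.security.allowInsecureImages: true` but never says that this is a chart-wide switch that allows any non-Bitnami image, not only the DHI. Please add a sentence stating that scope, and that once the check is off, the `image.repository` and `image.tag` values are what decide which image is deployed, so they should be reviewed and pinned deliberately. The closing line "while keeping the usual override mechanism intact" (289-290) is vague and could be replaced by that explanation. Two smaller points: line 283 says "install or upgrade" but the console block shows only `helm install`, so either add the `helm upgrade` form or drop "or upgrade"; and "request assistance to Gordon" (247-249) was re-wrapped without fixing the grammar, where "ask Gordon ... for assistance" reads correctly.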