feat: switch to Chainguard zero-CVE images and fix config mount path

Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: valkey
 description: Valkey is an open source, high-performance data structure server compatible with Redis. It supports strings, hashes, lists, sets, and sorted sets.
 type: application
-version: 0.1.24
+version: 0.2.0
 appVersion: "9.0.0"
 annotations:
   artifacthub.io/signKey: |
@@ -17,15 +17,24 @@ annotations:
       url: https://github.com/start-codex/valkey-helm-chart
   artifacthub.io/images: |
     - name: valkey
-      image: docker.io/valkey/valkey:9.0.0
-    - name: os-shell
-      image: docker.io/alpine:3.22.2
+      image: cgr.dev/chainguard/valkey:latest
+    - name: wolfi-base
+      image: cgr.dev/chainguard/wolfi-base:latest
     - name: redis-exporter
       image: docker.io/oliver006/redis_exporter:v1.80.0
     - name: kubectl
-      image: docker.io/alpine/k8s:1.31.13
-  artifacthub.io/containsSecurityUpdates: "false"
+      image: cgr.dev/chainguard/kubectl:latest
+  artifacthub.io/containsSecurityUpdates: "true"
   artifacthub.io/prerelease: "false"
+  artifacthub.io/changes: |
+    - kind: security
+      description: Switch to Chainguard images for zero CVE (valkey, kubectl, wolfi-base)
+    - kind: changed
+      description: Update container user from 999 to 65532 (Chainguard default)
+    - kind: changed
+      description: Simplify health check scripts for distroless compatibility
+    - kind: changed
+      description: Update pre-upgrade hook to work without shell
 keywords:
   - valkey
   - redis

templates/_helpers.tpl

@@ -269,11 +269,9 @@ Return the Valkey configuration
 Return if Valkey authentication is enabled
 */}}
 {{- define "valkey.auth.enabled" -}}
-{{- if .Values.auth.enabled }}
-{{- true }}
-{{- else }}
-{{- false }}
-{{- end }}
+{{- if .Values.auth.enabled -}}
+true
+{{- end -}}
 {{- end }}
 
 {{/*
@@ -429,11 +427,9 @@ Return the Valkey password
 Return true if TLS is enabled
 */}}
 {{- define "valkey.tls.enabled" -}}
-{{- if .Values.tls.enabled }}
-    {{- true -}}
-{{- else }}
-    {{- false -}}
-{{- end }}
+{{- if .Values.tls.enabled -}}
+true
+{{- end -}}
 {{- end }}
 
 {{/*
@@ -484,11 +480,9 @@ Return the path to the CA cert file
 Return if metrics are enabled
 */}}
 {{- define "valkey.metrics.enabled" -}}
-{{- if .Values.metrics.enabled }}
-    {{- true -}}
-{{- else }}
-    {{- false -}}
-{{- end }}
+{{- if .Values.metrics.enabled -}}
+true
+{{- end -}}
 {{- end -}}
 
 {{/*

templates/configmap.yaml

@@ -22,13 +22,6 @@ data:
   {{- if .Values.sentinel.enabled }}
   sentinel.conf: |
     {{- .Values.sentinel.configuration | nindent 4 }}
-    sentinel monitor valkey-master {{ include "valkey.master.serviceName" . }} {{ include "valkey.port" . }} {{ .Values.sentinel.quorum }}
-    sentinel down-after-milliseconds valkey-master {{ .Values.sentinel.downAfterMilliseconds }}
-    sentinel failover-timeout valkey-master {{ .Values.sentinel.failoverTimeout }}
-    sentinel parallel-syncs valkey-master {{ .Values.sentinel.parallelSyncs }}
-    {{- if include "valkey.auth.enabled" . }}
-    sentinel auth-pass valkey-master $VALKEY_PASSWORD
-    {{- end }}
   {{- end }}
   {{- end }}
 {{- end }}

templates/health-configmap.yaml

@@ -12,190 +12,67 @@ metadata:
   {{- end }}
 data:
   ping_readiness_local.sh: |-
-    #!/bin/bash
-
+    #!/usr/bin/bash
     [[ -n "$VALKEY_PASSWORD" ]] && export REDISCLI_AUTH="$VALKEY_PASSWORD"
-    response=$(
-      timeout -s 15 $1 \
-      valkey-cli \
-        -h localhost \
-{{- if .Values.tls.enabled }}
-        -p {{ .Values.tls.port | default 6380 }} \
-        --tls \
-      {{- if .Values.tls.caCertFilename }}
-        --cacert {{ include "valkey.tls.caCertFilename" . }} \
-      {{- end }}
-      {{- if .Values.tls.authClients }}
-        --cert {{ include "valkey.tls.certFilename" . }} \
-        --key {{ include "valkey.tls.certKeyFilename" . }} \
-      {{- end }}
-{{- else }}
-        -p 6379 \
-{{- end }}
-        ping
-    )
-    if [ "$?" -eq "124" ]; then
-      echo "Timed out"
-      exit 1
-    fi
+    response=$(valkey-cli -h localhost -p {{ if .Values.tls.enabled }}{{ .Values.tls.port | default 6380 }}{{ else }}6379{{ end }} ping 2>&1)
     if [ "$response" != "PONG" ]; then
       echo "$response"
       exit 1
     fi
   ping_liveness_local.sh: |-
-    #!/bin/bash
-
+    #!/usr/bin/bash
     [[ -n "$VALKEY_PASSWORD" ]] && export REDISCLI_AUTH="$VALKEY_PASSWORD"
-    response=$(
-      timeout -s 15 $1 \
-      valkey-cli \
-        -h localhost \
-{{- if .Values.tls.enabled }}
-        -p {{ .Values.tls.port | default 6380 }} \
-        --tls \
-      {{- if .Values.tls.caCertFilename }}
-        --cacert {{ include "valkey.tls.caCertFilename" . }} \
-      {{- end }}
-      {{- if .Values.tls.authClients }}
-        --cert {{ include "valkey.tls.certFilename" . }} \
-        --key {{ include "valkey.tls.certKeyFilename" . }} \
-      {{- end }}
-{{- else }}
-        -p 6379 \
-{{- end }}
-        ping
-    )
-    if [ "$?" -eq "124" ]; then
-      echo "Timed out"
-      exit 1
-    fi
-    responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}')
-    if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ] && [ "$responseFirstWord" != "MASTERDOWN" ]; then
-      echo "$response"
-      exit 1
+    response=$(valkey-cli -h localhost -p {{ if .Values.tls.enabled }}{{ .Values.tls.port | default 6380 }}{{ else }}6379{{ end }} ping 2>&1)
+    if [ "$response" = "PONG" ] || [[ "$response" == LOADING* ]] || [[ "$response" == MASTERDOWN* ]]; then
+      exit 0
     fi
+    echo "$response"
+    exit 1
 {{- if eq .Values.architecture "sentinel" }}
   ping_sentinel.sh: |-
-    #!/bin/bash
-
+    #!/usr/bin/bash
 {{- if .Values.auth.sentinel }}
     [[ -f $VALKEY_PASSWORD_FILE ]] && export VALKEY_PASSWORD="$(< "${VALKEY_PASSWORD_FILE}")"
     [[ -n "$VALKEY_PASSWORD" ]] && export VALKEYCLI_AUTH="$VALKEY_PASSWORD"
 {{- end }}
-    response=$(
-      timeout -s 15 $1 \
-      valkey-cli \
-        -h localhost \
-{{- if (include "valkey.tls.enabled" .) }}
-        -p $VALKEY_SENTINEL_TLS_PORT_NUMBER \
-        --tls \
-      {{- if .Values.tls.caCertFilename }}
-        --cacert "$VALKEY_SENTINEL_TLS_CA_FILE" \
-      {{- end }}
-      {{- if .Values.tls.authClients }}
-        --cert "$VALKEY_SENTINEL_TLS_CERT_FILE" \
-        --key "$VALKEY_SENTINEL_TLS_KEY_FILE" \
-      {{- end }}
-{{- else }}
-        -p $VALKEY_SENTINEL_PORT \
-{{- end }}
-        ping
-    )
-    if [ "$?" -eq "124" ]; then
-      echo "Timed out"
-      exit 1
-    fi
+    SENTINEL_PORT=${VALKEY_SENTINEL_PORT:-26379}
+    response=$(valkey-cli -h localhost -p $SENTINEL_PORT ping 2>&1)
     if [ "$response" != "PONG" ]; then
       echo "$response"
       exit 1
     fi
-  parse_sentinels.awk: |-
-    /ip/ {FOUND_IP=1}
-    /port/ {FOUND_PORT=1}
-    /runid/ {FOUND_RUNID=1}
-    !/ip|port|runid/ {
-      if (FOUND_IP==1) {
-        IP=$1; FOUND_IP=0;
-      }
-      else if (FOUND_PORT==1) {
-        PORT=$1;
-        FOUND_PORT=0;
-      } else if (FOUND_RUNID==1) {
-        printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0;
-      }
-    }
-{{- end }}
   ping_readiness_master.sh: |-
-    #!/bin/bash
-
+    #!/usr/bin/bash
     [[ -f $VALKEY_MASTER_PASSWORD_FILE ]] && export VALKEY_MASTER_PASSWORD="$(< "${VALKEY_MASTER_PASSWORD_FILE}")"
     [[ -n "$VALKEY_MASTER_PASSWORD" ]] && export VALKEYCLI_AUTH="$VALKEY_MASTER_PASSWORD"
-    response=$(
-      timeout -s 15 $1 \
-      valkey-cli \
-        -h $VALKEY_MASTER_HOST \
-        -p $VALKEY_MASTER_PORT_NUMBER \
-{{- if (include "valkey.tls.enabled" .) }}
-        --tls \
-      {{- if .Values.tls.caCertFilename }}
-        --cacert {{ include "valkey.tls.caCertFilename" . }} \
-      {{- end }}
-      {{- if .Values.tls.authClients }}
-        --cert {{ include "valkey.tls.certFilename" . }} \
-        --key {{ include "valkey.tls.certKeyFilename" . }} \
-      {{- end }}
-{{- end }}
-        ping
-    )
-    if [ "$?" -eq "124" ]; then
-      echo "Timed out"
-      exit 1
-    fi
+    response=$(valkey-cli -h $VALKEY_MASTER_HOST -p $VALKEY_MASTER_PORT_NUMBER ping 2>&1)
     if [ "$response" != "PONG" ]; then
       echo "$response"
       exit 1
     fi
   ping_liveness_master.sh: |-
-    #!/bin/bash
-
+    #!/usr/bin/bash
     [[ -f $VALKEY_MASTER_PASSWORD_FILE ]] && export VALKEY_MASTER_PASSWORD="$(< "${VALKEY_MASTER_PASSWORD_FILE}")"
     [[ -n "$VALKEY_MASTER_PASSWORD" ]] && export VALKEYCLI_AUTH="$VALKEY_MASTER_PASSWORD"
-    response=$(
-      timeout -s 15 $1 \
-      valkey-cli \
-        -h $VALKEY_MASTER_HOST \
-        -p $VALKEY_MASTER_PORT_NUMBER \
-{{- if (include "valkey.tls.enabled" .) }}
-        --tls \
-      {{- if .Values.tls.caCertFilename }}
-        --cacert {{ include "valkey.tls.caCertFilename" . }} \
-      {{- end }}
-      {{- if .Values.tls.authClients }}
-        --cert {{ include "valkey.tls.certFilename" . }} \
-        --key {{ include "valkey.tls.certKeyFilename" . }} \
-      {{- end }}
-{{- end }}
-        ping
-    )
-    if [ "$?" -eq "124" ]; then
-      echo "Timed out"
-      exit 1
-    fi
-    responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}')
-    if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ]; then
-      echo "$response"
-      exit 1
+    response=$(valkey-cli -h $VALKEY_MASTER_HOST -p $VALKEY_MASTER_PORT_NUMBER ping 2>&1)
+    if [ "$response" = "PONG" ] || [[ "$response" == LOADING* ]]; then
+      exit 0
     fi
+    echo "$response"
+    exit 1
   ping_readiness_local_and_master.sh: |-
+    #!/usr/bin/bash
     script_dir="$(dirname "$0")"
     exit_status=0
-    "$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
-    "$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
+    "$script_dir/ping_readiness_local.sh" || exit_status=$?
+    "$script_dir/ping_readiness_master.sh" || exit_status=$?
     exit $exit_status
   ping_liveness_local_and_master.sh: |-
+    #!/usr/bin/bash
     script_dir="$(dirname "$0")"
     exit_status=0
-    "$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
-    "$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
+    "$script_dir/ping_liveness_local.sh" || exit_status=$?
+    "$script_dir/ping_liveness_master.sh" || exit_status=$?
     exit $exit_status
-{{- end }}
+{{- end }}
+{{- end }}

templates/master/application.yaml

@@ -65,7 +65,7 @@ spec:
           image: {{ .Values.volumePermissions.image.registry }}/{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}
           imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy }}
           command:
-            - /bin/bash
+            - /bin/sh
             - -ec
             - |
               chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /data
@@ -85,7 +85,7 @@ spec:
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           command:
-            - /bin/bash
+            - /usr/bin/bash
           args:
             - -c
             - |
@@ -94,9 +94,9 @@ spec:
               # Copy config and add requirepass
               cp /etc/valkey/valkey.conf /tmp/valkey.conf
               echo "requirepass $VALKEY_PASSWORD" >> /tmp/valkey.conf
-              valkey-server /tmp/valkey.conf
+              exec valkey-server /tmp/valkey.conf
               {{- else }}
-              valkey-server /etc/valkey/valkey.conf
+              exec valkey-server /etc/valkey/valkey.conf
               {{- end }}
           env:
             {{- if .Values.auth.enabled }}
@@ -118,7 +118,7 @@ spec:
             failureThreshold: 3
             exec:
               command:
-                - sh
+                - /usr/bin/bash
                 - -c
                 - /health/ping_liveness_local.sh 5
           readinessProbe:
@@ -129,7 +129,7 @@ spec:
             failureThreshold: 3
             exec:
               command:
-                - sh
+                - /usr/bin/bash
                 - -c
                 - /health/ping_readiness_local.sh 1
           {{- if eq .Values.architecture "sentinel" }}
@@ -147,8 +147,8 @@ spec:
             - name: valkey-data
               mountPath: /data
             - name: config
-              mountPath: /opt/valkey/etc/valkey.conf
-              subPath: valkey.conf
+              mountPath: /etc/valkey/valkey.conf
+              subPath: {{ if eq .Values.architecture "sentinel" }}master.conf{{ else }}valkey.conf{{ end }}
             - name: tmp
               mountPath: /tmp
         {{- if .Values.metrics.enabled }}
@@ -233,7 +233,7 @@ spec:
             defaultMode: 0755
         - name: config
           configMap:
-            name: {{ if eq .Values.architecture "sentinel" }}{{ printf "%s-master" (include "valkey.fullname" .) }}{{ else }}{{ include "valkey.fullname" . }}{{ end }}
+            name: {{ include "valkey.fullname" . }}
         - name: tmp
           emptyDir: {}
   {{- if or (and (eq .Values.architecture "sentinel") .Values.master.persistence.enabled) (and (ne .Values.architecture "sentinel") .Values.standalone.persistence.enabled) }}