[xray] 3.91.3 release

jfrog · Mar 14, 2024 · 282c0dc · 282c0dc
1 parent b9ed646
commit 282c0dc
Show file tree

Hide file tree

Showing 18 changed files with 44 additions and 46 deletions.
diff --git a/stable/xray/CHANGELOG.md b/stable/xray/CHANGELOG.md
@@ -1,6 +1,16 @@
 # JFrog Xray Chart Changelog
 All changes to this chart will be documented in this file.
 
+## [103.91.3] - Feb 21,2024
+* **IMPORTANT**
+* Added `unifiedSecretInstallation` flag which enables single unified secret holding all internal (chart) secrets to `true` by default
+* Renamed sizing yaml file names from `xray-sizing-<size>.yaml` to `xray-<size>.yaml`
+* **Important change:**
+* Update postgresql tag version to `15.2.0-debian-11-r23`
+* Renamed `common.xrayUserId` to `podSecurityContext.runAsUser`
+* Renamed `common.xrayGroupId` to `podSecurityContext.runAsGroup` and `podSecurityContext.fsGroup`
+* Renamed `common.fsGroupChangePolicy` to `podSecurityContext.fsGroupChangePolicy`
+
 ## [103.89.0] - Jan 18,2023
 * Remove fallback section from keda.
 

diff --git a/stable/xray/Chart.yaml b/stable/xray/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 3.90.1
+appVersion: 3.91.3
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -24,4 +24,4 @@ name: xray
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 103.90.1
+version: 103.91.3
diff --git a/stable/xray/ci/default-values.yaml b/stable/xray/ci/default-values.yaml
@@ -3,7 +3,7 @@
 unifiedUpgradeAllowed: true
 databaseUpgradeReady: true
 xray:
-  jfrogUrl: http://artifactory.rt:8082
+  jfrogUrl: http://rt-artifactory.rt:8082
 common:
   persistence:
     enabled: false

diff --git a/stable/xray/ci/global-section-values.yaml b/stable/xray/ci/global-section-values.yaml
@@ -65,7 +65,7 @@ common:
          cpu: "100m"
 
 global:
-  jfrogUrl: http://artifactory.rt:8082
+  jfrogUrl: http://rt-artifactory.rt:8082
   masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
   customInitContainersBegin: |

diff --git a/stable/xray/ci/test-rabbitmq-haQuorum-values.yaml b/stable/xray/ci/test-rabbitmq-haQuorum-values.yaml
@@ -3,7 +3,7 @@
 unifiedUpgradeAllowed: true
 databaseUpgradeReady: true
 xray:
-  jfrogUrl: http://artifactory.rt:8082
+  jfrogUrl: http://rt-artifactory.rt:8082
 common:
   persistence:
     enabled: false

diff --git a/stable/xray/ci/test-rabbitmq-replicaCount-values.yaml b/stable/xray/ci/test-rabbitmq-replicaCount-values.yaml
@@ -3,7 +3,7 @@
 unifiedUpgradeAllowed: true
 databaseUpgradeReady: true
 xray:
-  jfrogUrl: http://artifactory.rt:8082
+  jfrogUrl: http://rt-artifactory.rt:8082
 common:
   persistence:
     enabled: false

diff --git a/stable/xray/ci/test-values.yaml b/stable/xray/ci/test-values.yaml
@@ -3,7 +3,7 @@
 unifiedUpgradeAllowed: true
 databaseUpgradeReady: true
 xray:
-  jfrogUrl: http://artifactory.rt:8082
+  jfrogUrl: http://rt-artifactory.rt:8082
   unifiedSecretInstallation: true
   openMetrics:
     enabled: true

diff --git a/stable/xray/sizing/xray-sizing-2xlarge.yaml → stable/xray/sizing/xray-2xlarge.yaml b/stable/xray/sizing/xray-sizing-2xlarge.yaml → stable/xray/sizing/xray-2xlarge.yaml
diff --git a/stable/xray/sizing/xray-sizing-large.yaml → stable/xray/sizing/xray-large.yaml b/stable/xray/sizing/xray-sizing-large.yaml → stable/xray/sizing/xray-large.yaml
diff --git a/stable/xray/sizing/xray-sizing-medium.yaml → stable/xray/sizing/xray-medium.yaml b/stable/xray/sizing/xray-sizing-medium.yaml → stable/xray/sizing/xray-medium.yaml
diff --git a/stable/xray/sizing/xray-sizing-small.yaml → stable/xray/sizing/xray-small.yaml b/stable/xray/sizing/xray-sizing-small.yaml → stable/xray/sizing/xray-small.yaml
diff --git a/stable/xray/sizing/xray-sizing-xlarge.yaml → stable/xray/sizing/xray-xlarge.yaml b/stable/xray/sizing/xray-sizing-xlarge.yaml → stable/xray/sizing/xray-xlarge.yaml
diff --git a/stable/xray/sizing/xray-sizing-xsmall.yaml → stable/xray/sizing/xray-xsmall.yaml b/stable/xray/sizing/xray-sizing-xsmall.yaml → stable/xray/sizing/xray-xsmall.yaml
diff --git a/stable/xray/templates/xray-ipa-deployment.yaml b/stable/xray/templates/xray-ipa-deployment.yaml
@@ -17,7 +17,7 @@ metadata:
     unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }}
 {{- end }}
 {{- if and .Release.IsUpgrade .Values.postgresql.enabled }}
-    databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x" .Values.databaseUpgradeReady | quote }}
+    databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' or 13.10.0-debian-11-r14 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x or 13.x" .Values.databaseUpgradeReady | quote }}
 {{- end }}
 {{- with .Values.server.statefulset.annotations }}
   annotations:
@@ -91,12 +91,7 @@ spec:
     {{- end }}
       serviceAccountName: {{ template "xray.serviceAccountName" . }}
       {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        runAsUser: {{ .Values.common.xrayUserId }}
-        fsGroup: {{ .Values.common.xrayGroupId }}
-        {{- if .Values.common.fsGroupChangePolicy }}
-        fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }}
-        {{- end }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
       {{- end }}
       {{- if .Values.common.topologySpreadConstraints }}
       topologySpreadConstraints:
@@ -142,7 +137,7 @@ spec:
         - name: XRAY_JOIN_KEY
           valueFrom:
             secretKeyRef:
-              {{- if not .Values.xray.unifiedSecretInstallation }}
+              {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.joinKeySecretName .Values.global.joinKeySecretName) }}
               name: {{ include "xray.joinKeySecretName" . }}
               {{- else }}
               name: "{{ template "xray.name" . }}-unified-secret"
@@ -153,7 +148,7 @@ spec:
         - name: XRAY_MASTER_KEY
           valueFrom:
             secretKeyRef:
-              {{- if not .Values.xray.unifiedSecretInstallation }}
+              {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.masterKeySecretName .Values.global.masterKeySecretName) }}
               name: {{ include "xray.masterKeySecretName" . }}
               {{- else }}
               name: "{{ template "xray.name" . }}-unified-secret"
@@ -164,7 +159,7 @@ spec:
         - name: data-volume
           mountPath: {{ .Values.xray.persistence.mountPath | quote }}
       {{- if or .Values.systemYamlOverride.existingSecret .Values.xray.systemYaml }}
-        {{- if not .Values.xray.unifiedSecretInstallation }}
+        {{- if or (not .Values.xray.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }}
         - name: systemyaml
         {{- else }}
         - name: {{ include "xray.unifiedCustomSecretVolumeName" . }}

diff --git a/stable/xray/templates/xray-server-deployment.yaml b/stable/xray/templates/xray-server-deployment.yaml
@@ -17,7 +17,7 @@ metadata:
     unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }}
 {{- end }}
 {{- if and .Release.IsUpgrade .Values.postgresql.enabled }}
-    databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x" .Values.databaseUpgradeReady | quote }}
+    databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' or 13.10.0-debian-11-r14 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x or 13.x" .Values.databaseUpgradeReady | quote }}
 {{- end }}
 {{- with .Values.server.statefulset.annotations }}
   annotations:
@@ -91,12 +91,7 @@ spec:
     {{- end }}
       serviceAccountName: {{ template "xray.serviceAccountName" . }}
       {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        runAsUser: {{ .Values.common.xrayUserId }}
-        fsGroup: {{ .Values.common.xrayGroupId }}
-        {{- if .Values.common.fsGroupChangePolicy }}
-        fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }}
-        {{- end }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
       {{- end }}
       {{- if .Values.common.topologySpreadConstraints }}
       topologySpreadConstraints:
@@ -142,7 +137,7 @@ spec:
         - name: XRAY_JOIN_KEY
           valueFrom:
             secretKeyRef:
-              {{- if not .Values.xray.unifiedSecretInstallation }}
+              {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.joinKeySecretName .Values.global.joinKeySecretName) }}
               name: {{ include "xray.joinKeySecretName" . }}
               {{- else }}
               name: "{{ template "xray.name" . }}-unified-secret"
@@ -153,7 +148,7 @@ spec:
         - name: XRAY_MASTER_KEY
           valueFrom:
             secretKeyRef:
-              {{- if not .Values.xray.unifiedSecretInstallation }}
+              {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.masterKeySecretName .Values.global.masterKeySecretName) }}
               name: {{ include "xray.masterKeySecretName" . }}
               {{- else }}
               name: "{{ template "xray.name" . }}-unified-secret"
@@ -164,7 +159,7 @@ spec:
         - name: data-volume
           mountPath: {{ .Values.xray.persistence.mountPath | quote }}
       {{- if or .Values.systemYamlOverride.existingSecret .Values.xray.systemYaml }}
-        {{- if not .Values.xray.unifiedSecretInstallation }}
+        {{- if or (not .Values.xray.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }}
         - name: systemyaml
         {{- else }}
         - name: {{ include "xray.unifiedCustomSecretVolumeName" . }}

diff --git a/stable/xray/templates/xray-statefulset.yaml b/stable/xray/templates/xray-statefulset.yaml
@@ -16,7 +16,7 @@ metadata:
     unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }}
 {{- end }}
 {{- if and .Release.IsUpgrade .Values.postgresql.enabled }}
-    databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x" .Values.databaseUpgradeReady | quote }}
+    databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' or 13.10.0-debian-11-r14 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x or 13.x" .Values.databaseUpgradeReady | quote }}
 {{- end }}
 {{- with .Values.server.statefulset.annotations }}
   annotations:
@@ -87,12 +87,7 @@ spec:
     {{- end }}
       serviceAccountName: {{ template "xray.serviceAccountName" . }}
       {{- if .Values.podSecurityContext.enabled }}
-      securityContext:
-        runAsUser: {{ .Values.common.xrayUserId }}
-        fsGroup: {{ .Values.common.xrayGroupId }}
-        {{- if .Values.common.fsGroupChangePolicy }}
-        fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }}
-        {{- end }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
       {{- end }}
       {{- if .Values.common.topologySpreadConstraints }}
       topologySpreadConstraints:
@@ -138,7 +133,7 @@ spec:
         - name: XRAY_JOIN_KEY
           valueFrom:
             secretKeyRef:
-              {{- if not .Values.xray.unifiedSecretInstallation }}
+              {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.joinKeySecretName .Values.global.joinKeySecretName) }}
               name: {{ include "xray.joinKeySecretName" . }}
               {{- else }}
               name: "{{ template "xray.name" . }}-unified-secret"
@@ -149,7 +144,7 @@ spec:
         - name: XRAY_MASTER_KEY
           valueFrom:
             secretKeyRef:
-              {{- if not .Values.xray.unifiedSecretInstallation }}
+              {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.masterKeySecretName .Values.global.masterKeySecretName) }}
               name: {{ include "xray.masterKeySecretName" . }}
               {{- else }}
               name: "{{ template "xray.name" . }}-unified-secret"
@@ -160,7 +155,7 @@ spec:
         - name: data-volume
           mountPath: {{ .Values.xray.persistence.mountPath | quote }}
       {{- if or .Values.systemYamlOverride.existingSecret .Values.xray.systemYaml }}
-        {{- if not .Values.xray.unifiedSecretInstallation }}
+        {{- if or (not .Values.xray.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }}
         - name: systemyaml
         {{- else }}
         - name: {{ include "xray.unifiedCustomSecretVolumeName" . }}

diff --git a/stable/xray/templates/xray-unified-secret.yaml b/stable/xray/templates/xray-unified-secret.yaml
@@ -20,7 +20,7 @@ stringData:
 {{- end }}
 {{- end }}
 
-{{- if not .Values.systemYamlOverride.existingSecret }}
+{{- if and (not .Values.systemYamlOverride.existingSecret) .Values.xray.systemYaml }}
   system.yaml: |
 {{ tpl .Values.xray.systemYaml . | nindent 4 }}
 {{- end }}

diff --git a/stable/xray/values.yaml b/stable/xray/values.yaml
@@ -105,8 +105,9 @@ xray:
   # adding minAvailable for Xray Pod Disruption Budget
   # minAvailable: 1
 
-  # unifiedSecretInstallation flag enables single unified secret holding all xray secrets
-  unifiedSecretInstallation: false
+  # unifiedSecretInstallation flag enables single unified secret holding all the xray internal(chart) secrets, It won't be affecting external secrets.
+  ## Note: unifiedSecretInstallation flag is enabled by true by default from chart version 103.91.x, Users can switch to false to continue with the old way of secret creation.
+  unifiedSecretInstallation: true
 
   ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
   schedulerName:
@@ -419,10 +420,15 @@ serviceAccount:
   ## Explicitly mounts the API credentials for the Service Account
   automountServiceAccountToken: true
 
-## By default, the Xray StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `common.xrayUserId` value.
-## If you want to disable the pod securityContext for the Xray StatefulSet, set this tag to false
+## @param podSecurityContext.enabled enable the pod's Security Context
 podSecurityContext:
   enabled: true
+  runAsNonRoot: true
+  runAsUser: 1035
+  runAsGroup: 1035
+  fsGroup: 1035
+  # fsGroupChangePolicy: "Always"
+  # seLinuxOptions: {}
 
 ## @param containerSecurityContext.enabled enable the container's Security Context
 containerSecurityContext:
@@ -443,7 +449,7 @@ postgresql:
   image:
     registry: releases-docker.jfrog.io
     repository: bitnami/postgresql
-    tag: 13.10.0-debian-11-r14
+    tag: 15.2.0-debian-11-r23
   postgresqlUsername: xray
   postgresqlPassword: ""
   postgresqlDatabase: xraydb
@@ -812,9 +818,6 @@ rabbitmq:
 common:
   ## Note that by default we use appVersion to get image tag
   # xrayVersion:
-  xrayUserId: 1035
-  xrayGroupId: 1035
-  # fsGroupChangePolicy: "Always"
 
   # Spread Xray pods evenly across your nodes or some other topology
   topologySpreadConstraints: []