[xray] 3.107.16 release

jfrog · Dec 13, 2024 · 77fe110 · 77fe110
1 parent 8c86f25
commit 77fe110
Show file tree

Hide file tree

Showing 11 changed files with 201 additions and 40 deletions.
diff --git a/stable/xray/CHANGELOG.md b/stable/xray/CHANGELOG.md
@@ -1,8 +1,17 @@
 # JFrog Xray Chart Changelog
 All changes to this chart will be documented in this file.
 
-## [103.107.11] - September 26, 2024
+## [103.107.16] - November 27, 2024
 * Added support to read rabbitmq and database secrets from mounted secret files
+* **Important changes**
+* Upgrade rabbitmq chart version to 14.6.6
+* Added catalog as a dependency chart
+* **Breaking changes**
+* Upgrade postgres chart version to 15.5.20
+    * This has many changes related to key names and path in values yaml
+    * The effected keys present in default yaml have been aligned to the new path in 15.5.20
+    * if you have customised any keys, make sure to validate it with the 15.5.20 chart
+    * Delete the postgresql statefulset and postgresql secret before the upgrade. for more information, please refer the [xray upgrade docs](https://jfrog.com/help/r/jfrog-installation-setup-documentation/upgrading-xray)
 
 ## [103.105.0] - August 22, 2024
 * Added support for `serviceAccount.annotations`to be passed to chart [GH-1841](https://github.com/jfrog/charts/pull/1841)

diff --git a/stable/xray/Chart.lock b/stable/xray/Chart.lock
@@ -1,9 +1,12 @@
 dependencies:
 - name: postgresql
   repository: https://charts.jfrog.io/
-  version: 10.3.18
+  version: 15.5.20
 - name: rabbitmq
   repository: https://charts.jfrog.io/
-  version: 11.9.3
-digest: sha256:07d819a08ebaae2057071eb70bad38ad8209bd611c73d906e3313cd5c20806d1
-generated: "2023-02-20T19:44:20.844286+05:30"
+  version: 14.6.6
+- name: catalog
+  repository: https://charts.jfrog.io/
+  version: 101.7.3
+digest: sha256:64d23e13fb197b92e3c3dfe7497a933c87656b575182485b4d28ca8a0b5967ca
+generated: "2024-12-02T15:25:33.588122+05:30"
diff --git a/stable/xray/Chart.yaml b/stable/xray/Chart.yaml
@@ -1,14 +1,18 @@
 apiVersion: v2
-appVersion: 3.107.11
+appVersion: 3.107.16
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
   repository: https://charts.jfrog.io/
-  version: 10.3.18
+  version: 15.5.20
 - condition: rabbitmq.enabled
   name: rabbitmq
   repository: https://charts.jfrog.io/
-  version: 11.9.3
+  version: 14.6.6
+- condition: catalog.enabled
+  name: catalog
+  repository: https://charts.jfrog.io/
+  version: 101.7.3
 description: Universal component scan for security and license inventory and impact
   analysis
 home: https://www.jfrog.com/xray/
@@ -24,4 +28,4 @@ name: xray
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 103.107.11
+version: 103.107.16
diff --git a/stable/xray/ci/default-values.yaml b/stable/xray/ci/default-values.yaml
@@ -9,9 +9,12 @@ common:
     enabled: false
 # To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release
 postgresql:
-  postgresqlPassword: password
-  persistence:
-    enabled: false
+  auth:
+    # jfrog-ignore
+    password: "password1"
+  primary:
+    persistence:
+      enabled: false
 
 rabbitmq:
   auth:

diff --git a/stable/xray/files/system.yaml b/stable/xray/files/system.yaml
@@ -13,13 +13,13 @@ shared:
   logging:
     consoleLog:
       enabled: {{ .Values.xray.consoleLog }}
-  jfrogUrl: "{{ tpl (required "\n\nxray.jfrogUrl or global.jfrogUrl is required! This allows to connect to Artifactory.\nYou can copy the JFrog URL from Administration > User Management > Settings > Connection details" (include "xray.jfrogUrl" .)) . }}"
+  jfrogUrl: "{{ tpl (required "\n\nxray.jfrogUrl or global.jfrogUrl is required! This allows to connect to Artifactory.\nYou can copy the JFrog URL from Administration > Platform Security > General > Connection details" (include "xray.jfrogUrl" .)) . }}"
   database:
   {{- if .Values.postgresql.enabled }}
     type: "postgresql"
     driver: "org.postgresql.Driver"
-    username: "{{ .Values.postgresql.postgresqlUsername }}"
-    url: "postgres://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}?sslmode=disable"
+    username: "{{ .Values.postgresql.auth.username }}"
+    url: "postgres://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.primary.service.ports.postgresql }}/{{ .Values.postgresql.auth.database }}?sslmode=disable"
   {{- else }}
     type: {{ .Values.database.type }}
     driver: {{ .Values.database.driver }}

diff --git a/stable/xray/templates/catalog-db-create-hook.yaml b/stable/xray/templates/catalog-db-create-hook.yaml
@@ -0,0 +1,69 @@
+{{- if and .Values.catalog.createCatalogDb.enabled .Values.catalog.enabled .Values.postgresql.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    app: {{ template "xray.name" . }}
+    chart: {{ template "xray.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "xray.fullname" . }}-catalog-create-db
+  annotations:
+    "helm.sh/hook": "post-upgrade,post-install"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      labels:
+        app: {{ template "xray.name" . }}
+        chart: {{ template "xray.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+    spec:
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }}
+      {{- include "xray.imagePullSecrets" . | indent 6 }}
+      {{- end }}
+      serviceAccountName: {{ template "xray.serviceAccountName" . }}
+      restartPolicy: OnFailure
+      terminationGracePeriodSeconds: 0
+      containers:
+        - name: catalog-create-db
+          image: {{ .Values.catalog.createCatalogDb.image }}
+          imagePullPolicy: IfNotPresent
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- toYaml (omit .Values.containerSecurityContext "enabled") | nindent 12 }}
+          {{- end }}
+          {{- if .Values.initContainers.resources }}
+          resources: {{- toYaml .Values.initContainers.resources | nindent 12 }}
+          {{- end }}
+          command:
+          - 'bash'
+          - '-c'
+          - |
+            echo "Waiting for postgresql to come up"
+            ready=false;
+            while ! $ready; do echo waiting;
+              timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.primary.service.ports.postgresql }}"; exit_status=$?;
+              if [[ $exit_status -eq 0 ]]; then ready=true; echo "database ok"; fi; sleep 1; 
+            done;
+
+            psql "postgres://{{ .Values.catalog.database.user }}:${PGPASSWORD}@{{ .Release.Name }}-postgresql:5432/catalogdb?sslmode=disable" -c "\q" 2>/dev/null
+            exit_status=$?
+            if [[ $exit_status -eq 0 ]]; then
+                ready=true
+                echo "catalogdb database is available"
+                exit 0
+            fi
+
+            psql -h {{ .Release.Name }}-postgresql --username "{{ .Values.postgresql.auth.username }}" -d {{ .Values.postgresql.auth.database }} -c "CREATE DATABASE catalogdb;" -c "GRANT ALL PRIVILEGES ON DATABASE catalogdb TO {{ .Values.postgresql.auth.username }};"
+          env:
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: password
+{{- end -}}
diff --git a/stable/xray/templates/keys-warnings.yaml b/stable/xray/templates/keys-warnings.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.postgresql.enabled }}
+    {{- if .Values.postgresql.postgresqlPassword  }}
+        {{- fail "\n\nThe key 'postgresql.postgresqlPassword' is not supported in the latest packaged version of Postgres in this chart.\nUse the new key 'postgresql.auth.postgresPassword' to proceed with installation.\n" }}
+    {{- end }}
+    {{- if .Values.postgresql.postgresqlExtendedConf  }}
+        {{- fail "\n\nThe key 'postgresql.postgresqlExtendedConf' is not supported in the latest packaged version of postgres in this chart.\nUse the new key 'postgresql.primary.extendedConfiguration' to proceed with installation.\n" }}
+    {{- end }}
+    {{- if .Values.global.postgresqlPassword  }}
+        {{- fail "\n\nThe key 'global.postgresqlPassword' is not supported in the latest packaged version of postgres in this chart.\nUse the new key 'global.auth.postgresPassword' to proceed with installation.\n" }}
+    {{- end }}
+{{- end }}
diff --git a/stable/xray/templates/xray-ipa-deployment.yaml b/stable/xray/templates/xray-ipa-deployment.yaml
@@ -212,7 +212,7 @@ spec:
               key: db-password
         {{- else if .Values.postgresql.enabled }}
               name: {{ .Release.Name }}-postgresql
-              key: postgresql-password
+              key: password
         {{- end }}
         {{- end }}
         volumeMounts:
@@ -274,7 +274,7 @@ spec:
           echo "Waiting for postgresql to come up"
           ready=false;
           while ! $ready; do echo waiting;
-            timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.service.port }}"; exit_status=$?;
+            timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.primary.service.ports.postgresql }}"; exit_status=$?;
             if [[ $exit_status -eq 0 ]]; then ready=true; echo "database ok"; fi; sleep 1; 
           done
       {{- end }}

diff --git a/stable/xray/templates/xray-server-deployment.yaml b/stable/xray/templates/xray-server-deployment.yaml
@@ -209,7 +209,7 @@ spec:
               key: db-password
         {{- else if .Values.postgresql.enabled }}
               name: {{ .Release.Name }}-postgresql
-              key: postgresql-password
+              key: password
         {{- end }}
         {{- end }}
         volumeMounts:
@@ -271,7 +271,7 @@ spec:
           echo "Waiting for postgresql to come up"
           ready=false;
           while ! $ready; do echo waiting;
-            timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.service.port }}"; exit_status=$?;
+            timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.primary.service.ports.postgresql }}"; exit_status=$?;
             if [[ $exit_status -eq 0 ]]; then ready=true; echo "database ok"; fi; sleep 1; 
           done
       {{- end }}

diff --git a/stable/xray/templates/xray-statefulset.yaml b/stable/xray/templates/xray-statefulset.yaml
@@ -209,7 +209,7 @@ spec:
               key: db-password
         {{- else if .Values.postgresql.enabled }}
               name: {{ .Release.Name }}-postgresql
-              key: postgresql-password
+              key: password
         {{- end }}
         {{- end }}
         volumeMounts:
@@ -271,7 +271,7 @@ spec:
           echo "Waiting for postgresql to come up"
           ready=false;
           while ! $ready; do echo waiting;
-            timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.service.port }}"; exit_status=$?;
+            timeout 2s bash -c "</dev/tcp/{{ .Release.Name }}-postgresql/{{ .Values.postgresql.primary.service.ports.postgresql }}"; exit_status=$?;
             if [[ $exit_status -eq 0 ]]; then ready=true; echo "database ok"; fi; sleep 1; 
           done
       {{- end }}

diff --git a/stable/xray/values.yaml b/stable/xray/values.yaml
@@ -382,6 +382,7 @@ containerSecurityContext:
 
 
 # PostgreSQL
+## Please note bundled postgresql is not recommended for production use.
 ## Configuration values for the postgresql dependency
 ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
 ##
@@ -391,33 +392,37 @@ postgresql:
     registry: releases-docker.jfrog.io
     repository: bitnami/postgresql
     tag: 15.6.0-debian-11-r16
-  postgresqlUsername: xray
-  postgresqlPassword: ""
-  postgresqlDatabase: xraydb
-  postgresqlExtendedConf:
-    listenAddresses: "*"
-    maxConnections: "1500"
-  service:
-    port: 5432
-  persistence:
-    enabled: true
-    size: 300Gi
-    # existingClaim:
+  auth:
+    username: "xray"
+    password: ""
+    database: "xraydb"
   primary:
+    extendedConfiguration: |
+      max_connections = 1500
+      listen_addresses = '*'
+    persistence:
+      size: 300Gi
+    service:
+      ports:
+        postgresql: 5432
     nodeSelector: {}
     affinity: {}
     tolerations: []
+    ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+    ## Example:
+    ## resources:
+    ##   requests:
+    ##     cpu: 2
+    ##     memory: 512Mi
+    ##   limits:
+    ##     cpu: 3
+    ##     memory: 1024Mi
+    ##
+    resources: {}
   readReplicas:
     nodeSelector: {}
     affinity: {}
     tolerations: []
-  resources: {}
-  #  requests:
-  #    memory: "1Gi"
-  #    cpu: "250m"
-  #  limits:
-  #    memory: "2Gi"
-  #    cpu: "1"
 
 ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false),
 database:
@@ -1692,3 +1697,60 @@ autoscalingIpa:
      - name: policyEnforcer
        value: "100"
 ###################################################################################
+
+
+# This will install catalog chart as a dependency chart in xray.
+catalog:
+  customInitContainers: |
+    {{- if and (.Values.createCatalogDb.enabled) (not .Values.database.secrets.user) (not .Values.database.secrets.url) (not .Values.database.secrets.password) -}}
+    {{- if contains (printf "%s-postgresql" .Release.Name) (tpl .Values.database.url .) -}}
+    - name: "wait-for-catalog-database"
+      image: {{ .Values.createCatalogDb.image }}
+      imagePullPolicy: {{ .Values.initContainers.image.pullPolicy | quote }}
+      {{- if .Values.containerSecurityContext.enabled }}
+      securityContext:
+        {{- toYaml (omit .Values.containerSecurityContext "enabled") | nindent 12 }}
+      {{- end }}
+      {{- if .Values.initContainers.resources }}
+      resources: {{- toYaml .Values.initContainers.resources | nindent 12 }}
+      {{- end }}
+      command:
+      - '/bin/bash'
+      - '-c'
+      - |
+        echo "Waiting for PostgreSQL and catalogdb to become available"
+        ready=false
+        start_time=$(date +%s)
+        while ! $ready; do 
+            echo "Checking PostgreSQL connection and database availability..."
+            psql "postgres://{{ .Values.database.user }}:{{ .Values.database.password }}@{{ .Release.Name }}-postgresql:5432/catalogdb?sslmode=disable" -c "\q" 2>/dev/null
+            exit_status=$?
+            if [[ $exit_status -eq 0 ]]; then
+                ready=true
+                echo "catalogdb database is available"
+            else
+                echo "Database not ready, retrying..."
+                current_time=$(date +%s)
+                elapsed_time=$(( current_time - start_time ))
+                if [[ $elapsed_time -ge 600 ]]; then
+                    echo "Timeout reached: PostgreSQL did not become available within 10 minutes."
+                    exit 1
+                fi
+            fi
+            sleep 1
+        done
+    {{- end -}}
+    {{- end -}}
+  enabled: false
+  ## Catalog db creation in xray bundled postgresql. If set to true, then the catalog db will be created in xray bundled postgresql.
+  createCatalogDb:
+    enabled: true
+    image: releases-docker.jfrog.io/postgres:15.6-alpine
+  ## Change database connection details to external database. Bundled postgresql is not recomended for production use.
+  ## When using bundled postgresql, provide the same credentials as used by xray. 
+  ## Xray post upgrade hook will create the catalog db in the bundled postgresql.
+  ## Catalog customInitContainers will wait for the database to be available before starting the catalog. (Only applicable for bundled postgresql)
+  database:
+    url: "postgres://{{ .Release.Name }}-postgresql:5432/catalogdb?sslmode=disable"
+    user: xray
+    password: ""