diff --git a/stable/artifactory-cpp-ce/CHANGELOG.md b/stable/artifactory-cpp-ce/CHANGELOG.md index 942bca1d0..41ec88fee 100644 --- a/stable/artifactory-cpp-ce/CHANGELOG.md +++ b/stable/artifactory-cpp-ce/CHANGELOG.md @@ -1,7 +1,17 @@ # JFrog Artifactory CE for C++ Chart Changelog All changes to this chart will be documented in this file -## [107.71.4] - Jul 20, 2023 +## [107.90.10] - Feb 20, 2024 +* Updated `artifactory.installerInfo` content + +## [107.80.0] - Feb 1, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.74.0] - Nov 23, 2023 +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.66.0] - Jul 20, 2023 * Disabled federation services when splitServicesToContainers=true ## [107.45.0] - Aug 25, 2022 diff --git a/stable/artifactory-cpp-ce/Chart.yaml b/stable/artifactory-cpp-ce/Chart.yaml index 1789b2afb..aec5c0f38 100644 --- a/stable/artifactory-cpp-ce/Chart.yaml +++ b/stable/artifactory-cpp-ce/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 7.71.4 +appVersion: 7.90.10 dependencies: - name: artifactory repository: file://charts/artifactory - version: 107.71.4 + version: 107.90.10 description: JFrog Artifactory CE for C++ home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-cpp-ce/logo/conan.png @@ -13,7 +13,7 @@ keywords: - container - registry - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: helm@jfrog.com name: Chart Maintainers at JFrog @@ -21,4 +21,4 @@ name: artifactory-cpp-ce sources: - https://github.com/jfrog/charts type: application -version: 107.71.4 +version: 107.90.10 diff --git a/stable/artifactory-cpp-ce/README.md b/stable/artifactory-cpp-ce/README.md index e54180b58..afe4c23bf 100644 --- a/stable/artifactory-cpp-ce/README.md +++ b/stable/artifactory-cpp-ce/README.md 
@@ -6,7 +6,7 @@ JFrog Artifactory CE for C++ is a free Artifactory edition to host C/C++ package ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ ## Chart Details This chart will do the following: @@ -30,7 +30,7 @@ helm repo update ### Install Chart To install the chart with the release name `artifactory-cpp-ce`: ```bash -helm upgrade --install artifactory-cpp-ce --set artifactory.postgresql.postgresqlPassword= --namespace artifactory-cpp-ce jfrog/artifactory-cpp-ce +helm upgrade --install artifactory-cpp-ce --set artifactory.postgresql.postgresqlPassword= jfrog/artifactory-cpp-ce --namespace artifactory-cpp-ce --create-namespace ``` ### Accessing Artifactory CE for C++ @@ -39,7 +39,7 @@ helm upgrade --install artifactory-cpp-ce --set artifactory.postgresql.postgresq ### Updating Artifactory CE for C++ Once you have a new chart version, you can upgrade your deployment with ```bash -helm upgrade artifactory-cpp-ce --namespace artifactory-cpp-ce jfrog/artifactory-cpp-ce +helm upgrade artifactory-cpp-ce jfrog/artifactory-cpp-ce --namespace artifactory-cpp-ce --create-namespace ``` ### Special Upgrade Notes @@ -85,7 +85,7 @@ helm upgrade --install artifactory-cpp-ce \ --set artifactory.ingress.enabled=true \ --set artifactory.ingress.hosts[0]="artifactory.company.com" \ --set artifactory.artifactory.service.type=NodePort \ - --namespace artifactory-cpp-ce jfrog/artifactory-cpp-ce + jfrog/artifactory-cpp-ce --namespace artifactory-cpp-ce --create-namespace ``` To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: diff --git a/stable/artifactory-cpp-ce/logo/conan.png b/stable/artifactory-cpp-ce/logo/conan.png index 5da5117ae..b8a584c49 100644 Binary files a/stable/artifactory-cpp-ce/logo/conan.png and b/stable/artifactory-cpp-ce/logo/conan.png differ 
diff --git a/stable/artifactory-cpp-ce/values.yaml b/stable/artifactory-cpp-ce/values.yaml index dc7bfc450..10f1b08e2 100644 --- a/stable/artifactory-cpp-ce/values.yaml +++ b/stable/artifactory-cpp-ce/values.yaml @@ -35,7 +35,7 @@ artifactory: # other: "" installer: platform: art-cpp-ce-helm - installerInfo: '{"productId": "Helm_artifactory-cpp/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}' + installerInfo: '{"productId":"Helm_artifactory-cpp/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}' ## Nginx ## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory nginx: @@ -69,8 +69,7 @@ postgresql: enabled: true router: image: - tag: 7.81.0 -logger: + tag: 7.118.2 +initContainers: image: - tag: 9.2.750.1697534106 -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106 + tag: 9.4.949.1716471857 diff --git a/stable/artifactory-ha/.helmignore b/stable/artifactory-ha/.helmignore index c7eb1e274..b6e97f07f 100644 --- a/stable/artifactory-ha/.helmignore +++ b/stable/artifactory-ha/.helmignore @@ -19,4 +19,6 @@ .project .idea/ *.tmproj -OWNERS \ No newline at end of file +OWNERS + +tests/ \ No newline at end of file 
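Review bot: The replacement `installerInfo` value keeps the whole Go template as one single-quoted scalar on a single very long line, while the artifactory-ha chart in this same commit moves the identical content to `files/installer-info.json`; keeping the inline form here means the two charts will drift the next time a featureId is added. Consider the same `files/installer-info.json` split for artifactory-cpp-ce, or at least a `>-` folded scalar so each featureId sits on its own reviewable line. Single quotes are the right style for this content, since the embedded `printf "%s-%s"` needs literal double quotes and no escape processing.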
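Review bot: The removed `initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106` pinned the full image reference, whereas the new `initContainers.image.tag: 9.4.949.1716471857` pins only the tag and leaves registry and repository to the artifactory subchart's defaults. That is presumably intended, but please confirm the subchart's `initContainers.image` registry/repository resolve to the same ubi-minimal image, since a mismatch would change the image pulled without any visible diff in this chart. The `logger:` image block is dropped in the same hunk; if the subchart still reads a logger image tag, its default now applies silently. A tag is mutable, so if the subchart supports a digest field that would give a stronger pin for these init containers.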
diff --git a/stable/artifactory-ha/CHANGELOG.md b/stable/artifactory-ha/CHANGELOG.md
index a2458c707..28f5dd520 100644
--- a/stable/artifactory-ha/CHANGELOG.md
+++ b/stable/artifactory-ha/CHANGELOG.md
@@ -1,9 +1,118 @@ # JFrog Artifactory-ha Chart Changelog -All changes to this chart will be documented in this file +All changes to this chart will be documented in this file. + +## [107.90.10] - July 18, 2024 +* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892) +* Added new `nginx.hosts` to use Nginx server_name directive instead of `ingress.hosts` +* Added a deprecation notice of ingress.hosts when `ngnix.enabled` is true +* Added new evidence service +* Corrected database connection values based on sizing +* **IMPORTANT** +* Separate access from artifactory tomcat to run on its own dedicated tomcat + * With this change access will be running in its own dedicated container + * This will give the ability to control resources and java options specific to access + Can be done by passing the following, + `access.javaOpts.other` + `access.resources` + `access.extraEnvironmentVariables` +* Updating the example link for downloading the DB driver +* Added Binary Provider recommendations + +## [107.89.0] - May 30, 2024 +* Fix the indentation of the commented-out sections in the values.yaml file + +## [107.88.0] - May 29, 2024 +* **IMPORTANT** +* Refactored `nginx.artifactoryConf` and `nginx.mainConf` configuration (moved to files/nginx-artifactory-conf.yaml and files/nginx-main-conf.yaml instead of keys in values.yaml) + +## [107.87.0] - May 29, 2024 +* Renamed `.Values.artifactory.openMetrics` to `.Values.artifactory.metrics` +* Align all liveness and readiness probes (Removed hard-coded values) + +## [107.85.0] - May 29, 2024 +* Changed `migration.enabled` to false by default. 
For 6.x to 7.x migration, this flag needs to be set to `true` + +## [107.84.0] - May 29, 2024 +* Added image section for `initContainers` instead of `initContainerImage` +* Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` +* Removed loggers.image section +* Added support for `global.verisons.initContainers` to override `initContainers.image.tag` +* Fixed an issue with extraSystemYaml merge +* **IMPORTANT** +* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext` +* Renamed `artifactory.uid` to `artifactory.podSecurityContext.runAsUser` +* Renamed `artifactory.gid` to `artifactory.podSecurityContext.runAsGroup` and `artifactory.podSecurityContext.fsGroup` +* Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy` +* Renamed `artifactory.seLinuxOptions` to `artifactory.podSecurityContext.seLinuxOptions` +* Added flag `allowNonPostgresql` defaults to false +* Update postgresql tag version to `15.6.0-debian-12-r5` +* Added a check if `initContainerImage` exists +* Fixed a wrong imagePullPolicy configuration +* Fixed an issue to generate unified secret to support artifactory fullname [GH-1882](https://github.com/jfrog/charts/issues/1882) +* Fixed an issue template render on loggers [GH-1883](https://github.com/jfrog/charts/issues/1883) +* Override metadata and observability image tag with `global.verisons.artifactory` value +* Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962) +* Added .Values.artifactory.unifiedSecretsPrependReleaseName` for unified secret to prepend release name +* Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml + +## [107.83.0] - Mar 12, 2024 +* Added image section for `metadata` and `observability` + +## [107.82.0] - Mar 04, 2024 +* Added `disableRouterBypass` flag as experimental feature, to disable the artifactoryPath 
/artifactory/ and route all traffic through the Router. +* Removed Replicator Service + +## [107.81.0] - Feb 20, 2024 +* **IMPORTANT** +* Refactored systemYaml configuration (moved to files/system.yaml instead of key in values.yaml) +* Added ability to provide `extraSystemYaml` configuration in values.yaml which will merge with the existing system yaml when `systemYamlOverride` is not given [GH-1848](https://github.com/jfrog/charts/pull/1848) +* Added option to modify the new cache configs, maxFileSizeLimit and skipDuringUpload +* Added IPV4/IPV6 Dualstack flag support for Artifactory and nginx service +* Added `singleStackIPv6Cluster` flag, which manages the Nginx configuration to enable listening on IPv6 and proxying +* Fixing broken link for creating additional kubernetes resources. Refer [here](https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-ha-values.yaml) +* Refactored installerInfo configuration (moved to files/installer-info.json instead of key in values.yaml) + +## [107.80.0] - Feb 20, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.79.0] - Feb 20, 2024 +* **IMPORTANT** +* Added `unifiedSecretInstallation` flag which enables single unified secret holding all internal (chart) secrets to `true` by default +* Added support for azure-blob-storage-v2-direct config +* Added option to set Nginx to write access_log to container STDOUT +* **Important change:** +* Update postgresql tag version to `15.2.0-debian-11-r23` +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! 
+* If this is an upgrade and you are using the default bundles PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x/13.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true + +## [107.77.0] - April 22, 2024 +* Removed integration service +* Added recommended postgresql sizing configurations under sizing directory +* Updated artifactory-federation (probes, port, embedded mode) +* **IMPORTANT** +* setSecurityContext has been renamed to podSecurityContext. +* Moved podSecurityContext to values.yaml +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) +* Added nginx.customCommand to use custom commands for the nginx container + +## [107.76.0] - Dec 13, 2023 +* Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section +* Reduced nginx startupProbe initialDelaySeconds + +## [107.74.0] - Nov 30, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml -## [107.71.4] - Oct 31, 2023 +## [107.70.0] - Nov 30, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) -* Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml. 
+* Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml +* Fixed - Artifactory primary service condition +* Fixed - SecurityContext with runAsGroup in artifactory-ha [GH-1838](https://github.com/jfrog/charts/issues/1838) +* Added support for custom labels in the Nginx pods [GH-1836](https://github.com/jfrog/charts/pull/1836) +* Added podSecurityContext and containerSecurityContext for nginx +* Added support for nginx on openshift, set `podSecurityContext` and `containerSecurityContext` to false +* Renamed nginx internalPort 80,443 to 8080,8443 to support openshift ## [107.69.0] - Sep 18, 2023 * Adjust rtfs context diff --git a/stable/artifactory-ha/Chart.yaml b/stable/artifactory-ha/Chart.yaml index 9c7641205..94f34cae1 100644 --- a/stable/artifactory-ha/Chart.yaml +++ b/stable/artifactory-ha/Chart.yaml @@ -1,5 +1,7 @@ +annotations: + artifactoryServiceVersion: 7.90.13 apiVersion: v2 -appVersion: 7.71.4 +appVersion: 7.90.10 dependencies: - condition: postgresql.enabled name: postgresql @@ -13,7 +15,7 @@ keywords: - artifactory - jfrog - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -21,4 +23,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.71.4 +version: 107.90.10 diff --git a/stable/artifactory-ha/README.md b/stable/artifactory-ha/README.md index de40eebce..49155926e 100644 --- a/stable/artifactory-ha/README.md +++ b/stable/artifactory-ha/README.md @@ -8,7 +8,7 @@ Below you will find the basic instructions for installing, uninstalling, and del ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ * Artifactory HA license ## Chart Details 
@@ -37,7 +37,14 @@ helm repo update ### Install Chart To install the chart with the release name `artifactory`: ```bash -helm upgrade --install artifactory-ha --namespace artifactory-ha jfrog/artifactory-ha +helm upgrade --install artifactory-ha jfrog/artifactory-ha --namespace artifactory-ha --create-namespace +``` + +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install artifactory-ha jfrog/artifactory-ha -f sizing/artifactory-small-extra-config.yaml -f sizing/artifactory-small.yaml --namespace artifactory-ha --create-namespace ``` ## Uninstalling Artifactory diff --git a/stable/artifactory-ha/ci/global-values.yaml b/stable/artifactory-ha/ci/global-values.yaml index b1ef370ec..0987e17ca 100644 --- a/stable/artifactory-ha/ci/global-values.yaml +++ b/stable/artifactory-ha/ci/global-values.yaml @@ -23,8 +23,8 @@ artifactory: cpu: "4" customInitContainersBegin: | - name: "custom-init-begin-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -34,8 +34,8 @@ artifactory: name: volume customInitContainers: | - name: "custom-init-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' 
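Review bot: The new `image:` and `imagePullPolicy:` lines drop the double quotes the replaced lines had, so the rendered YAML now depends on the helper output and `.Values.initContainers.image.pullPolicy` being parse-safe plain scalars; the same pattern recurs in every other hunk of this file (`-34`, `-55`, `-84`, `-95`, `-116`, `-138` and `-149`). An unset pullPolicy renders as an empty value, which YAML reads as `null`, and any helper output containing `: ` or a leading indicator would change meaning, so I would keep the quoting: `image: "{{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }}"` and `imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}"`. Since these values are block scalars passed through `tpl`, the inner quotes are consumed by the template engine before the YAML parse, exactly as the old lines relied on.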
@@ -55,8 +55,8 @@ artifactory: # Add custom sidecar containers customSidecarContainers: | - name: "sidecar-list-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -84,8 +84,8 @@ global: joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE customInitContainersBegin: | - name: "custom-init-begin-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -95,8 +95,8 @@ global: name: volume customInitContainers: | - name: "custom-init-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -116,8 +116,8 @@ global: # Add custom sidecar containers customSidecarContainers: | - name: "sidecar-list-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -138,8 +138,8 @@ global: nginx: customInitContainers: | - name: "custom-init-begin-nginx" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -149,8 +149,8 @@ nginx: name: custom-script-local customSidecarContainers: | - name: "sidecar-list-nginx" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/stable/artifactory-ha/ci/large-values.yaml b/stable/artifactory-ha/ci/large-values.yaml index 8c1bacd34..153307aa2 100644 --- a/stable/artifactory-ha/ci/large-values.yaml +++ b/stable/artifactory-ha/ci/large-values.yaml @@ -75,14 +75,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory-ha/ci/loggers-values.yaml b/stable/artifactory-ha/ci/loggers-values.yaml new file mode 100644 index 000000000..03c94be95 --- /dev/null +++ b/stable/artifactory-ha/ci/loggers-values.yaml 
@@ -0,0 +1,43 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + + loggers: + - access-audit.log + - access-request.log + - access-security-audit.log + - access-service.log + - artifactory-access.log + - artifactory-event.log + - artifactory-import-export.log + - artifactory-request.log + - artifactory-service.log + - frontend-request.log + - frontend-service.log + - metadata-request.log + - metadata-service.log + - router-request.log + - router-service.log + - router-traefik.log + + catalinaLoggers: + - tomcat-catalina.log + - tomcat-localhost.log diff --git a/stable/artifactory-ha/ci/medium-values.yaml b/stable/artifactory-ha/ci/medium-values.yaml index 3f04f68df..115e7d460 100644 --- a/stable/artifactory-ha/ci/medium-values.yaml +++ b/stable/artifactory-ha/ci/medium-values.yaml @@ -75,14 +75,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory-ha/ci/rtsplit-access-tls-values.yaml b/stable/artifactory-ha/ci/rtsplit-access-tls-values.yaml index 7ab2221da..6f3b13cb1 100644 --- a/stable/artifactory-ha/ci/rtsplit-access-tls-values.yaml +++ b/stable/artifactory-ha/ci/rtsplit-access-tls-values.yaml 
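Review bot: The header comment `# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.` no longer describes this file, which sets a full loggers fixture, and a stale comment like this tends to get copied into the next ci file. I would replace it with `# CI fixture: exercises artifactory.loggers / catalinaLoggers with persistence disabled; not a deployable configuration.` The `postgresqlPassword: password` value is tolerable only because this is a ci/ values file with persistence disabled, and the comment above it already explains why ct needs it; the header should make that CI-only scope explicit as well.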
@@ -5,15 +5,6 @@ artifactory: masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF persistence: enabled: false - replicator: - enabled: true - ingress: - name: - hosts: [] - className: "testclass1" - trackerIngress: - enabled: true - className: "testclass2" primary: resources: requests: @@ -105,14 +96,6 @@ event: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory-ha/ci/rtsplit-values.yaml b/stable/artifactory-ha/ci/rtsplit-values.yaml index 2b88d70a8..87832a505 100644 --- a/stable/artifactory-ha/ci/rtsplit-values.yaml +++ b/stable/artifactory-ha/ci/rtsplit-values.yaml @@ -5,23 +5,6 @@ artifactory: masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF persistence: enabled: false - replicator: - enabled: true - ingress: - name: - hosts: [] - className: "testclass1" - trackerIngress: - enabled: true - className: "testclass2" - # Add lifecycle hooks for replicator container - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "echo Hello from the replicator postStart handler >> /tmp/message"] - preStop: - exec: - command: ["/bin/sh", "-c", "echo Hello from the replicator postStart handler >> /tmp/message"] primary: resources: requests: @@ -155,21 +138,6 @@ event: preStop: exec: command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] - preStop: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] observability: resources: requests: 
diff --git a/stable/artifactory-ha/ci/small-values.yaml b/stable/artifactory-ha/ci/small-values.yaml index 501d357b9..b4557289e 100644 --- a/stable/artifactory-ha/ci/small-values.yaml +++ b/stable/artifactory-ha/ci/small-values.yaml @@ -77,14 +77,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory-ha/ci/test-values.yaml b/stable/artifactory-ha/ci/test-values.yaml index ec76512e7..8bbbb5b3e 100644 --- a/stable/artifactory-ha/ci/test-values.yaml +++ b/stable/artifactory-ha/ci/test-values.yaml @@ -1,22 +1,13 @@ databaseUpgradeReady: true artifactory: - openMetrics: + metrics: enabled: true - fsGroupChangePolicy: "OnRootMismatch" + podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF unifiedSecretInstallation: false persistence: enabled: false - replicator: - name: replicator - enabled: true - ingress: - name: - hosts: [] - className: "testclass1" - trackerIngress: - enabled: true - className: "testclass2" primary: resources: requests: diff --git a/stable/artifactory-ha/files/binarystore.xml b/stable/artifactory-ha/files/binarystore.xml index f6b99dbe0..0e7bc5af0 100644 --- a/stable/artifactory-ha/files/binarystore.xml +++ b/stable/artifactory-ha/files/binarystore.xml @@ -29,6 +29,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- end }} 
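Review bot: The six-line `maxFileSizeLimit` / `skipDuringUpload` block added here is repeated verbatim in every cache-fs provider section this commit touches (the `-57`, `-93`, `-145`, `-228`, `-236`, `-332` and `-364` hunks), which leaves eight copies to keep in sync. Since the file is already a Go template, define the block once (in `_helpers.tpl`, or at the top of this file) as `{{- define "artifactory-ha.cacheFsLimits" }}` and replace each copy with `{{- include "artifactory-ha.cacheFsLimits" . | nindent <INDENT> }}`, where `<INDENT>` matches the surrounding element depth. The XML element markup around the values is not visible on this page, so the exact indentation needs checking in the file itself. Separately, `{{.Values.artifactory.persistence.maxFileSizeLimit | int64}}` omits the spaces inside the braces that the rest of the file uses.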
@@ -57,6 +63,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} // Specify the read and write strategy and redundancy for the sharding binary provider @@ -93,6 +105,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} @@ -145,6 +163,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- if or (eq .Values.artifactory.persistence.type "google-storage") (eq .Values.artifactory.persistence.type "google-storage-v2") }} @@ -228,6 +252,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- end }} 
@@ -236,6 +266,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- end }} @@ -261,6 +297,12 @@ {{- with .maxConnections }} {{ . }} {{- end }} + {{- with .connectionTimeout }} + {{ . }} + {{- end }} + {{- with .socketTimeout }} + {{ . }} + {{- end }} {{- with .kmsServerSideEncryptionKeyId }} {{ . }} {{- end }} @@ -332,6 +374,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- if eq .Values.artifactory.persistence.type "azure-blob" }} 
@@ -364,4 +412,28 @@ {{ .Values.artifactory.persistence.azureBlob.testConnection }} +{{- end }} +{{- if eq .Values.artifactory.persistence.type "azure-blob-storage-v2-direct" -}} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.multiPartLimit | int64 }} + {{ .Values.artifactory.persistence.azureBlob.multipartElementSize | int64 }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + {{- end }} \ No newline at end of file diff --git a/stable/artifactory-ha/files/installer-info.json b/stable/artifactory-ha/files/installer-info.json new file mode 100644 index 000000000..cf6b020fb --- /dev/null +++ b/stable/artifactory-ha/files/installer-info.json 
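Review bot: `{{ .Values.artifactory.persistence.azureBlob.accountKey }}` is rendered in clear text into the new `azure-blob-storage-v2-direct` section, mirroring the existing `azure-blob` section above it. Whether that is acceptable depends on how the rendered binarystore.xml is mounted, which this hunk does not show; please confirm it lands in a Secret rather than a ConfigMap, and note in the values.yaml documentation for `azureBlob.accountKey` that the key is embedded in the rendered config. The new `{{- if eq ... "azure-blob-storage-v2-direct" -}}` uses a trailing `-}}` trim where the sibling provider blocks use plain `}}`; harmless, but inconsistent with the file.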
@@ -0,0 +1,32 @@ +{ + "productId": "Helm_artifactory-ha/{{ .Chart.Version }}", + "features": [ + { + "featureId": "Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}" + }, + { + "featureId": "Database/{{ .Values.database.type }}" + }, + { + "featureId": "PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}" + }, + { + "featureId": "Nginx_Enabled/{{ .Values.nginx.enabled }}" + }, + { + "featureId": "ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}" + }, + { + "featureId": "SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}" + }, + { + "featureId": "UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}" + }, + { + "featureId": "Filebeat_Enabled/{{ .Values.filebeat.enabled }}" + }, + { + "featureId": "ReplicaCount/{{ add .Values.artifactory.primary.replicaCount .Values.artifactory.node.replicaCount }}" + } + ] +} \ No newline at end of file diff --git a/stable/artifactory-ha/files/migrate.sh b/stable/artifactory-ha/files/migrate.sh index c07985b26..ba44160f4 100644 --- a/stable/artifactory-ha/files/migrate.sh +++ b/stable/artifactory-ha/files/migrate.sh @@ -896,7 +896,9 @@ setupScriptLogsRedirection() { # Returns Y if this method is run inside a container isRunningInsideAContainer() { - if [ -f "/.dockerenv" ]; then + local check1=$(grep -sq 'docker\|kubepods' /proc/1/cgroup; echo $?) + local check2=$(grep -sq 'containers' /proc/self/mountinfo; echo $?) + if [[ $check1 == 0 || $check2 == 0 || -f "/.dockerenv" ]]; then echo -n "$FLAG_Y" else echo -n "$FLAG_N" @@ -2914,9 +2916,6 @@ yamlMigrate () { if [[ ! -z "${value}" ]]; then value=$(updateConnectionString "${yamlPath}" "${value}") fi - if [[ "${PRODUCT}" == "artifactory" ]]; then - replicatorProfiling - fi if [[ -z "${value}" ]]; then logger "No value for [${key}] in [${sourceFile}]" else 
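Review bot: The new file ends without a trailing newline (`\ No newline at end of file`); add one so formatters and diff tools stop flagging it. `ReplicaCount` is computed with `add` over `.Values.artifactory.primary.replicaCount` and `.Values.artifactory.node.replicaCount`; if either is unset in a user's values, Sprig's `add` presumably coerces nil to 0, which is fine for reporting but, since JSON has no comments, worth a one-line note next to those keys in values.yaml if the template relies on it.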
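Review bot: The cgroup check `grep -sq 'docker\|kubepods' /proc/1/cgroup` will generally not match on cgroup-v2 hosts, where `/proc/1/cgroup` is typically just `0::/`, so detection there rests on the mountinfo and `/.dockerenv` checks; that is probably acceptable, but a comment saying so would stop the next reader from treating the first check as authoritative. The two `local checkN=$(...; echo $?)` captures can be replaced by direct tests: `if grep -sq 'docker\|kubepods' /proc/1/cgroup || grep -sq 'containers' /proc/self/mountinfo || [[ -f "/.dockerenv" ]]; then`. `\|` alternation is a GNU extension to basic regex, so if this script can run under a non-GNU grep use `grep -Esq 'docker|kubepods'` instead. The function's closing `fi` and `}` are outside the hunk.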
@@ -4216,26 +4215,13 @@ commentNodeId () { artifactoryInfoMessage () { if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then - addText "# yamlFile was generated from db.properties,replicator.yaml and ha-node.properties config files." "${SYSTEM_YAML_PATH}" + addText "# yamlFile was generated from db.properties and ha-node.properties config files." "${SYSTEM_YAML_PATH}" else - addText "# yamlFile was generated from default file,replicator.yaml,db.properties and ha-node.properties config files." "${SYSTEM_YAML_PATH}" + addText "# yamlFile was generated from default file,db.properties and ha-node.properties config files." "${SYSTEM_YAML_PATH}" fi } -replicatorProfiling () { - - if [[ "${key}" == "profilingDisabled" ]]; then - if [[ ! -z "${value}" ]]; then - if [[ "${value}" == "false" ]]; then - value="true" - else - value="false" - fi - fi - fi -} - setHaEnabled_hook () { local filePath="$1" if [[ "$(checkFileExists "${NEW_DATA_DIR}/${filePath}/ha-node.properties")" == "true" ]]; then 
@@ -4275,27 +4261,9 @@ _createBackupOfLogBackDir () { removeFileOperation "${backupDir}/logbackXmlFiles/artifactory" "${artiLogbackFile}" } - -_createBackupOfReplicatorRtYaml () { - local backupDir="$1" - local replicatorRtYamlFile="${NEW_DATA_DIR}/etc/replicator/replicator.artifactory.yaml" - local effectiveUser= - local effectiveGroup= - if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then - effectiveUser="${JF_USER}" - effectiveGroup="${JF_USER}" - elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then - effectiveUser="${USER_TO_CHECK}" - effectiveGroup="${GROUP_TO_CHECK}" - fi - removeSoftLinkAndCreateDir "${backupDir}/replicatorYamlFile" "${effectiveUser}" "${effectiveGroup}" "yes" - removeFileOperation "${backupDir}/replicatorYamlFile" "${replicatorRtYamlFile}" -} - backupFiles_hook () { local backupDirectory="$1" _createBackupOfLogBackDir "${backupDirectory}" - _createBackupOfReplicatorRtYaml "${backupDirectory}" } migrateArtifactory () { diff --git a/stable/artifactory-ha/files/migrationHelmInfo.yaml b/stable/artifactory-ha/files/migrationHelmInfo.yaml index 16cee9e5d..016bea02d 100644 --- a/stable/artifactory-ha/files/migrationHelmInfo.yaml +++ b/stable/artifactory-ha/files/migrationHelmInfo.yaml @@ -11,10 +11,6 @@ migration: work/access=access/tmp log/archived/access=access/logs log/archived/artifactory=logs - etc/replicator=replicator/etc - backup/replicator=replicator/backup - data/replicator=replicator/data - log/archived/replicator=replicator/logs linkFiles: map: # Note : $JF_ROOT_DATA_DIR will be prepended to the sourceDirectoryPath value only if relative path and $JF_ROOT_DATA_DIR will be prepended to the targetDirectoryPath value @@ -27,6 +23,5 @@ migration: # Note $JF_ROOT_DATA_DIR will be prepended to the map entry map: access - replicator metadata logs \ No newline at end of file 
diff --git a/stable/artifactory-ha/files/nginx-artifactory-conf.yaml b/stable/artifactory-ha/files/nginx-artifactory-conf.yaml
new file mode 100644
index 000000000..89a8baa9b
--- /dev/null
+++ b/stable/artifactory-ha/files/nginx-artifactory-conf.yaml
@@ -0,0 +1,98 @@
+{{- if .Values.nginx.https.enabled }}
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt;
+ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key;
+ssl_session_cache shared:SSL:1m;
+ssl_prefer_server_ciphers on;
+{{- end }}
+## server configuration
+server {
+{{- if .Values.nginx.internalPortHttps }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.internalPortHttps }} ssl;
+{{- else -}}
+listen {{ .Values.nginx.internalPortHttps }} ssl;
+{{- end }}
+{{- else -}}
+{{- if .Values.nginx.https.enabled }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.https.internalPort }} ssl;
+{{- else -}}
+listen {{ .Values.nginx.https.internalPort }} ssl;
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.nginx.internalPortHttp }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.internalPortHttp }};
+{{- else -}}
+listen {{ .Values.nginx.internalPortHttp }};
+{{- end }}
+{{- else -}}
+{{- if .Values.nginx.http.enabled }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.http.internalPort }};
+{{- else -}}
+listen {{ .Values.nginx.http.internalPort }};
+{{- end }}
+{{- end }}
+{{- end }}
+server_name ~(?.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }}
+{{ tpl (include "artifactory.nginx.hosts" .) . }};
+
+if ($http_x_forwarded_proto = '') {
+ set $http_x_forwarded_proto $scheme;
+}
+set $host_port {{ .Values.nginx.https.externalPort }};
+if ( $scheme = "http" ) {
+ set $host_port {{ .Values.nginx.http.externalPort }};
+}
+## Application specific logs
+## access_log /var/log/nginx/artifactory-access.log timing;
+## error_log /var/log/nginx/artifactory-error.log;
+rewrite ^/artifactory/?$ / redirect;
+if ( $repo != "" ) {
+ rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;
+}
+chunked_transfer_encoding on;
+client_max_body_size 0;
+
+location / {
+ proxy_read_timeout 900;
+ proxy_pass_header Server;
+ proxy_cookie_path ~*^/.* /;
+ proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/;
+ {{- if .Values.nginx.service.ssloffload}}
+ proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host;
+ {{- else }}
+ proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port;
+ proxy_set_header X-Forwarded-Port $server_port;
+ {{- end }}
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ {{- if .Values.nginx.disableProxyBuffering}}
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ {{- end }}
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ location /artifactory/ {
+ if ( $request_uri ~ ^/artifactory/(.*)$ ) {
+ proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1;
+ }
+ proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/;
+ }
+ location /pipelines/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ {{- if .Values.router.tlsEnabled }}
+ proxy_pass https://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }};
+ {{- else }}
+ proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }};
+ {{- end }}
+ }
+}
+}
\ No newline at end of file
diff --git a/stable/artifactory-ha/files/nginx-main-conf.yaml b/stable/artifactory-ha/files/nginx-main-conf.yaml
new file mode 100644
index 000000000..78cecea6a
--- /dev/null
+++ b/stable/artifactory-ha/files/nginx-main-conf.yaml
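Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` at the top of this new file re-enables TLS 1.0 and 1.1, which are formally deprecated (RFC 8996) and fail most compliance baselines, on what is the HTTPS front door of the registry; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. `ssl_prefer_server_ciphers on;` is set without any `ssl_ciphers` directive, so the negotiated suites are whatever the nginx image's build defaults are, which should either be pinned explicitly or documented as intentional. The `server_name ~(?.+)\.…` regex is consumed as `$repo` by the docker rewrite further down, but as rendered here the group carries no name, so the file should be checked to actually read `(?<repo>.+)`, otherwise the rewrite never fires. Finally, the nested `location /artifactory/` hard-codes `proxy_pass http://…`, while `location /` uses `{{ include "artifactory-ha.scheme" . }}`; if that helper can yield `https`, the `/artifactory/` path silently bypasses backend TLS and the two should agree.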
@@ -0,0 +1,83 @@ +# Main Nginx configuration file +worker_processes 4; + +{{- if .Values.nginx.logs.stderr }} +error_log stderr {{ .Values.nginx.logs.level }}; +{{- else -}} +error_log {{ .Values.nginx.persistence.mountPath }}/logs/error.log {{ .Values.nginx.logs.level }}; +{{- end }} +pid /var/run/nginx.pid; + +{{- if .Values.artifactory.ssh.enabled }} +## SSH Server Configuration +stream { + server { + {{- if .Values.nginx.singleStackIPv6Cluster }} + listen [::]:{{ .Values.nginx.ssh.internalPort }}; + {{- else -}} + listen {{ .Values.nginx.ssh.internalPort }}; + {{- end }} + proxy_pass {{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.ssh.externalPort }}; + } +} +{{- end }} + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 128k; + proxy_buffers 40 128k; + proxy_busy_buffers_size 128k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + + {{- if .Values.nginx.logs.stdout }} + access_log /dev/stdout timing; + {{- else -}} + access_log {{ 
.Values.nginx.persistence.mountPath }}/logs/access.log timing; + {{- end }} + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + +} diff --git a/stable/artifactory-ha/files/system.yaml b/stable/artifactory-ha/files/system.yaml new file mode 100644 index 000000000..3a1d93269 --- /dev/null +++ b/stable/artifactory-ha/files/system.yaml 
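Review bot: The `http {}` block never sets `server_tokens off;`, so nginx's version is advertised in the `Server` header and on error pages (the sibling server config additionally forwards the backend's `Server` header via `proxy_pass_header Server`); add `server_tokens off;` beside `sendfile on;`. The 2400s `client_header_timeout` and `client_body_timeout` let a single slow client pin a connection for forty minutes, which against `worker_processes 4;` × `worker_connections 1024;` is a cheap slowloris vector; the body timeout may be justified by large artifact uploads, but `client_header_timeout` has no such excuse and a comment explaining the chosen values is warranted either way. The SSH `stream {}` block proxies straight to the service with no rate limiting, which is presumably fine inside the cluster but worth a note if this port is ever exposed by the Service.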
@@ -0,0 +1,163 @@ +router: + serviceRegistry: + insecure: {{ .Values.router.serviceRegistry.insecure }} +shared: +{{- if .Values.artifactory.coldStorage.enabled }} + jfrogColdStorage: + coldInstanceEnabled: true +{{- end }} +{{ tpl (include "artifactory.metrics" .) . }} + logging: + consoleLog: + enabled: {{ .Values.artifactory.consoleLog }} + extraJavaOpts: > + -Dartifactory.graceful.shutdown.max.request.duration.millis={{ mul .Values.artifactory.terminationGracePeriodSeconds 1000 }} + -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} + {{- with .Values.artifactory.primary.javaOpts }} + {{- if .corePoolSize }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- end }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + database: + allowNonPostgresql: {{ .Values.database.allowNonPostgresql }} + {{- if .Values.postgresql.enabled }} + type: postgresql + url: "jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" + host: "" + driver: org.postgresql.Driver + username: "{{ .Values.postgresql.postgresqlUsername }}" + {{ else }} + type: "{{ 
.Values.database.type }}" + driver: "{{ .Values.database.driver }}" + {{- end }} +artifactory: +{{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} + node: + {{- if .Values.artifactory.haDataDir.path }} + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + {{- if .Values.artifactory.haBackupDir.path }} + haBackupDir: {{ .Values.artifactory.haBackupDir.path }} + {{- end }} +{{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + tomcat: + maintenanceConnector: + port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} + connector: + maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} +frontend: + session: + timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} +access: + runOnArtifactoryTomcat: {{ .Values.access.runOnArtifactoryTomcat | default false }} + database: + maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + extraJavaOpts: > + {{- if .Values.splitServicesToContainers }} + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=70 + {{- end }} + {{- with .Values.access.javaOpts }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + {{- end }} + tomcat: + connector: + maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} + {{- if .Values.access.database.enabled }} + type: "{{ .Values.access.database.type }}" + url: "{{ .Values.access.database.url }}" + driver: "{{ .Values.access.database.driver }}" + username: "{{ .Values.access.database.user }}" + password: "{{ .Values.access.database.password }}" + {{- end }} +{{- if .Values.mc.enabled }} 
+mc: + enabled: true + database: + maxOpenConnections: {{ .Values.mc.database.maxOpenConnections }} + idgenerator: + maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} + tomcat: + connector: + maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} +{{- end }} +metadata: + database: + maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} +{{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +jfconnect: + enabled: true +{{- else }} +jfconnect: + enabled: false +jfconnect_service: + enabled: false +{{- end }} + +{{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +federation: + enabled: true + embedded: {{ .Values.federation.embedded }} + extraJavaOpts: {{ .Values.federation.extraJavaOpts }} + port: {{ .Values.federation.internalPort }} +rtfs: + database: + driver: org.postgresql.Driver + type: postgresql + username: {{ .Values.federation.database.username }} + password: {{ .Values.federation.database.password }} + url: "jdbc:postgresql://{{ .Values.federation.database.host }}:{{ .Values.federation.database.port }}/{{ .Values.federation.database.name }}" +{{- else }} +federation: + enabled: false +{{- end }} +{{- if .Values.event.webhooks }} +event: + webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }} +{{- end }} +{{- if .Values.evidence.enabled }} +evidence: + enabled: true +{{- else }} +evidence: + enabled: false +{{- end }} \ No newline at end of file diff --git a/stable/artifactory-ha/logo/artifactory-logo.png b/stable/artifactory-ha/logo/artifactory-logo.png index 3e8ac0d10..fe6c23c5a 100644 Binary files a/stable/artifactory-ha/logo/artifactory-logo.png and b/stable/artifactory-ha/logo/artifactory-logo.png differ 
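Review bot: In the `rtfs:` database stanza, `username: {{ .Values.federation.database.username }}` and `password: {{ .Values.federation.database.password }}` are emitted as bare YAML scalars, whereas the `access.database` block in the same file quotes the equivalent fields; a password that looks like a number or boolean, or contains `: ` or ` #`, will be retyped or break the document. Use `password: {{ .Values.federation.database.password | quote }}` (and the same for `username`). Both stanzas write database credentials into the rendered system.yaml, so whether the template that materialises this file lands in a Secret or a ConfigMap matters; that is outside this hunk, and a comment pointing to it would help. The JMX branch writes `-Dcom.sun.management.jmxremote.authenticate=false` whenever `.jmx.authenticate` is unset, with `ssl` taken verbatim from values, which leaves every management operation open to anyone who can reach `.jmx.port`; the values documentation should make the secure defaults explicit.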
diff --git a/stable/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml b/stable/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml new file mode 100644 index 000000000..6afc491dc --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml @@ -0,0 +1,44 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=200 + -Dartifactory.async.poolMaxQueueSize=100000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=200 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + + tomcat: + connector: + maxThreads: 800 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 200 + +access: + tomcat: + connector: + maxThreads: 200 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + + database: + maxOpenConnections: 200 + +metadata: + database: + maxOpenConnections: 200 + diff --git a/stable/artifactory-ha/sizing/artifactory-2xlarge.yaml b/stable/artifactory-ha/sizing/artifactory-2xlarge.yaml new file mode 100644 index 000000000..02cf7f94e --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-2xlarge.yaml 
@@ -0,0 +1,127 @@ +############################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 6 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "4" + memory: 20Gi + limits: + # cpu: "20" + memory: 24Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: "1" + memory: 1Gi + limits: + # cpu: "6" + memory: 2Gi + +frontend: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 1Gi + +metadata: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 2Gi + +event: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +access: + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 4Gi + +observability: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +jfconnect: + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + # cpu: "1" + memory: 250Mi + +nginx: + replicaCount: 3 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "6Gi" + limits: + # cpu: "14" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "5000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - 
labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 256Gi + cpu: "64" + limits: + memory: 256Gi + # cpu: "128" diff --git a/stable/artifactory-ha/sizing/artifactory-large-extra-config.yaml b/stable/artifactory-ha/sizing/artifactory-large-extra-config.yaml new file mode 100644 index 000000000..fac24ad68 --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-large-extra-config.yaml @@ -0,0 +1,44 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=80 + -Dartifactory.async.poolMaxQueueSize=20000 + -Dartifactory.http.client.max.total.connections=100 + -Dartifactory.http.client.max.connections.per.route=100 + -Dartifactory.access.client.max.connections=125 + -Dartifactory.metadata.event.operator.threads=4 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=524288 + -XX:MaxDirectMemorySize=512m + + tomcat: + connector: + maxThreads: 500 + extraConfig: 'acceptCount="800" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 100 + +access: + tomcat: + connector: + maxThreads: 125 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + + database: + maxOpenConnections: 100 + +metadata: + database: + maxOpenConnections: 100 + diff --git a/stable/artifactory-ha/sizing/artifactory-large.yaml b/stable/artifactory-ha/sizing/artifactory-large.yaml new file mode 100644 index 000000000..504edf1ed --- /dev/null 
+++ b/stable/artifactory-ha/sizing/artifactory-large.yaml 
@@ -0,0 +1,127 @@ +############################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the xlarge sizing +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 3 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 10Gi + limits: + # cpu: "14" + memory: 12Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 3Gi + +router: + resources: + requests: + cpu: 200m + memory: 400Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "1" + memory: "500Mi" + limits: + # cpu: "4" + memory: "1Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "600" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" diff --git a/stable/artifactory-ha/sizing/artifactory-medium-extra-config.yaml b/stable/artifactory-ha/sizing/artifactory-medium-extra-config.yaml new file mode 100644 index 000000000..b2b20b198 --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-medium-extra-config.yaml @@ -0,0 +1,45 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + 
diff --git a/stable/artifactory-ha/sizing/artifactory-medium.yaml b/stable/artifactory-ha/sizing/artifactory-medium.yaml
new file mode 100644
index 000000000..93b79788d
--- /dev/null
+++ b/stable/artifactory-ha/sizing/artifactory-medium.yaml
@@ -0,0 +1,127 @@ +############################################################## +# The medium sizing +# This size is just 2 replicas of the small size. Vertical sizing of all services is not changed +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 2 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +access: + resources: + requests: + cpu: 1 + memory: 1.5Gi + limits: + # cpu: 1.5 + memory: 2Gi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "200" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: 
+ - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "16" \ No newline at end of file diff --git a/stable/artifactory-ha/sizing/artifactory-small-extra-config.yaml b/stable/artifactory-ha/sizing/artifactory-small-extra-config.yaml new file mode 100644 index 000000000..e8329f1a3 --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-small-extra-config.yaml @@ -0,0 +1,43 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/stable/artifactory-ha/sizing/artifactory-small.yaml b/stable/artifactory-ha/sizing/artifactory-small.yaml new file mode 100644 index 000000000..b75a22323 
--- /dev/null
+++ b/stable/artifactory-ha/sizing/artifactory-small.yaml
@@ -0,0 +1,127 @@ +############################################################## +# The small sizing +# This is the size recommended for running Artifactory for small teams +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +access: + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "100" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + 
matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 16Gi + cpu: "4" + limits: + memory: 16Gi + # cpu: "10" diff --git a/stable/artifactory-ha/sizing/artifactory-xlarge-extra-config.yaml b/stable/artifactory-ha/sizing/artifactory-xlarge-extra-config.yaml new file mode 100644 index 000000000..8d04850ad --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-xlarge-extra-config.yaml @@ -0,0 +1,42 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=160 + -Dartifactory.async.poolMaxQueueSize=50000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=150 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 600 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 150 + +access: + tomcat: + connector: + maxThreads: 150 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 150 + +metadata: + database: + maxOpenConnections: 150 + diff --git a/stable/artifactory-ha/sizing/artifactory-xlarge.yaml b/stable/artifactory-ha/sizing/artifactory-xlarge.yaml new file mode 100644 index 000000000..550bd051d --- /dev/null 
+++ b/stable/artifactory-ha/sizing/artifactory-xlarge.yaml 
@@ -0,0 +1,127 @@ +############################################################## +# The xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 4 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 14Gi + limits: + # cpu: "14" + memory: 16Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 4Gi + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + # cpu: "12" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - 
labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" diff --git a/stable/artifactory-ha/sizing/artifactory-xsmall-extra-config.yaml b/stable/artifactory-ha/sizing/artifactory-xsmall-extra-config.yaml new file mode 100644 index 000000000..1371e87b8 --- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-xsmall-extra-config.yaml @@ -0,0 +1,43 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=10 + -Dartifactory.async.poolMaxQueueSize=2000 + -Dartifactory.http.client.max.total.connections=20 + -Dartifactory.http.client.max.connections.per.route=20 + -Dartifactory.access.client.max.connections=15 + -Dartifactory.metadata.event.operator.threads=2 + -XX:MaxMetaspaceSize=400m + -XX:CompressedClassSpaceSize=96m + -Djdk.nio.maxCachedBufferSize=131072 + -XX:MaxDirectMemorySize=128m + tomcat: + connector: + maxThreads: 50 + extraConfig: 'acceptCount="200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 15 + +access: + tomcat: + connector: + maxThreads: 15 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 15 + +metadata: + database: + maxOpenConnections: 15 + diff --git a/stable/artifactory-ha/sizing/artifactory-xsmall.yaml b/stable/artifactory-ha/sizing/artifactory-xsmall.yaml new file mode 100644 index 000000000..3f7b07138 
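Review bot: `- name : JF_SHARED_NODE_HAENABLED` under `artifactory.primary.extraEnvironmentVariables` has a space before the colon; YAML still yields the key `name`, but it trips yamllint's `colons` rule and reads as a typo beside the two sibling entries — write `- name: JF_SHARED_NODE_HAENABLED`. The same line appears in the artifactory-xsmall.yaml hunk of this commit, which additionally ends without a trailing newline. In this file `access.resources.requests.cpu: 1` is a bare integer while every other cpu quantity is a quoted string (`cpu: "2"`, `cpu: 200m`); Kubernetes accepts both, but `cpu: "1"` keeps the quantity style uniform across the sizing files.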
--- /dev/null +++ b/stable/artifactory-ha/sizing/artifactory-xsmall.yaml 
@@ -0,0 +1,127 @@ +############################################################## +# The xsmall sizing +# This is the minimum size recommended for running Artifactory +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 3Gi + limits: + # cpu: "10" + memory: 4Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + +router: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + # cpu: "1" + memory: "250Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "50" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + 
- key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 8Gi + cpu: "2" + limits: + memory: 8Gi + # cpu: "8" \ No newline at end of file diff --git a/stable/artifactory-ha/templates/NOTES.txt b/stable/artifactory-ha/templates/NOTES.txt index 277364908..30dfab8b8 100644 --- a/stable/artifactory-ha/templates/NOTES.txt +++ b/stable/artifactory-ha/templates/NOTES.txt 
@@ -39,6 +39,13 @@ Congratulations. You have just deployed JFrog Artifactory HA! {{- end }} +{{- if .Values.artifactory.setSecurityContext }} +****************************************** WARNING ********************************************** +* From chart version 107.84.x, `setSecurityContext` has been renamed to `podSecurityContext`, * + please change your values.yaml before upgrade , For more Info , refer to 107.84.x changelog * +************************************************************************************************* +{{- end }} + {{- if and (or (or (or (or (or ( or ( or ( or (or (or ( or (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) .Values.systemYamlOverride.existingSecret) (or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled)) .Values.aws.licenseConfigSecretName) .Values.artifactory.persistence.customBinarystoreXmlSecret) .Values.access.customCertificatesSecretName) .Values.systemYamlOverride.existingSecret) .Values.artifactory.license.secret) .Values.artifactory.userPluginSecrets) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey)) (and .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName)) (or .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName)) .Values.artifactory.unifiedSecretInstallation }} ****************************************** WARNING ************************************************************************************************** * The unifiedSecretInstallation flag is currently enabled, which creates the unified secret. The existing secrets will continue as separate secrets.* 
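Review bot: The deprecation banner for `setSecurityContext` only renders when the old key is truthy, so a user whose values carry `setSecurityContext: false` (the explicit opt-out under the old scheme) gets no warning and silently receives whatever `podSecurityContext` now defaults to. Keying the check on presence rather than truthiness, `{{- if hasKey .Values.artifactory "setSecurityContext" }}`, warns in both cases. The banner text also has stray spaces before its commas (`upgrade , For more Info ,`) that could be tidied while the line is being touched.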
@@ -127,9 +134,16 @@ jconsole {{ template "artifactory-ha.fullname" . }}:{{ .Values.artifactory.node. {{- if ge (.Values.artifactory.node.replicaCount | int) 1 }} ***************************************** WARNING ***************************************************************************** -* Currently member node(s) are enabled, will be depreciated in upcoming releases * +* Currently member node(s) are enabled, will be deprecated in upcoming releases * * It is recommended to upgrade from primary-members to primary-only. * * It can be done by deploying the chart ( >=107.59.x) with the new values. Also, please refer to changelog of 107.59.x chart * * More Info: https://jfrog.com/help/r/jfrog-installation-setup-documentation/cloud-native-high-availability * ******************************************************************************************************************************* +{{- end }} + +{{- if and .Values.nginx.enabled .Values.ingress.hosts }} +***************************************** WARNING ***************************************************************************** +* when nginx is enabled , .Values.ingress.hosts will be deprecated in upcoming releases * +* It is recommended to use nginx.hosts instead ingress.hosts +******************************************************************************************************************************* {{- end }} \ No newline at end of file diff --git a/stable/artifactory-ha/templates/_helpers.tpl b/stable/artifactory-ha/templates/_helpers.tpl index c6ef87daf..d6fb229fe 100644 --- a/stable/artifactory-ha/templates/_helpers.tpl +++ b/stable/artifactory-ha/templates/_helpers.tpl 
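Review bot: The second bullet of the new nginx banner, `* It is recommended to use nginx.hosts instead ingress.hosts`, is missing "of" and the closing `*` that every other line of the box carries, so the box renders ragged; `* It is recommended to use nginx.hosts instead of ingress.hosts` padded to the box width fixes both. The guard `and .Values.nginx.enabled .Values.ingress.hosts` will also abort the render with a nil-pointer message if a user's values omit the `ingress` map altogether — presumably values.yaml defines it, but that is outside this diff.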
@@ -55,32 +55,6 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{/* -Create a default fully qualified Replicator app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory-ha.replicator.fullname" -}} -{{- if .Values.artifactory.replicator.ingress.name -}} -{{- .Values.artifactory.replicator.ingress.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-replication" .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified replicator tracker ingress name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory-ha.replicator.tracker.fullname" -}} -{{- if .Values.artifactory.replicator.trackerIngress.name -}} -{{- .Values.artifactory.replicator.trackerIngress.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-replication-tracker" .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -309,13 +283,29 @@ Return the proper artifactory chart image names {{- $indexReference := index . 1 }} {{- $registryName := index $dot.Values $indexReference "image" "registry" -}} {{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}} -{{- $tag := default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} +{{- $tag := "" -}} +{{- if and (eq $indexReference "artifactory") (hasKey $dot.Values "artifactoryService") }} + {{- if default false $dot.Values.artifactoryService.enabled }} + {{- $indexReference = "artifactoryService" -}} + {{- $tag = default $dot.Chart.Annotations.artifactoryServiceVersion (index $dot.Values $indexReference "image" "tag") | toString -}} + {{- $repositoryName = index $dot.Values $indexReference "image" "repository" -}} + {{- else -}} + {{- $tag = default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} + {{- end -}} +{{- else -}} + {{- $tag = default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} +{{- end -}} {{- if $dot.Values.global }} {{- if and $dot.Values.splitServicesToContainers $dot.Values.global.versions.router (eq $indexReference "router") }} - {{- $tag = $dot.Values.global.versions.router | toString -}} + {{- $tag = $dot.Values.global.versions.router | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.initContainers (eq $indexReference "initContainers") }} + {{- $tag = $dot.Values.global.versions.initContainers | toString -}} {{- end -}} - {{- if and $dot.Values.global.versions.artifactory (or (eq $indexReference "artifactory") (eq $indexReference "nginx") ) }} - {{- $tag = $dot.Values.global.versions.artifactory | toString -}} + {{- if $dot.Values.global.versions.artifactory }} + {{- if or (eq $indexReference "artifactory") (eq $indexReference "metadata") (eq $indexReference "nginx") (eq $indexReference "observability") }} + {{- $tag = 
$dot.Values.global.versions.artifactory | toString -}} + {{- end -}} {{- end -}} {{- if $dot.Values.global.imageRegistry }} {{- printf "%s/%s:%s" $dot.Values.global.imageRegistry $repositoryName $tag -}} @@ -331,8 +321,7 @@ Return the proper artifactory chart image names Return the proper artifactory app version */}} {{- define "artifactory-ha.app.version" -}} -{{- $image := split ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory")) | toString) -}} -{{- $tag := $image._1 -}} +{{- $tag := (splitList ":" ((include "artifactory-ha.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}} {{- printf "%s" $tag -}} {{- end -}} @@ -372,17 +361,14 @@ Resolve requiredServiceTypes value {{- if .Values.event.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevt" -}} {{- end -}} -{{- if .Values.integration.enabled -}} - {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfint" -}} -{{- end -}} {{- if .Values.frontend.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jffe" -}} {{- end -}} {{- if .Values.jfconnect.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfcon" -}} {{- end -}} -{{- if .Values.artifactory.replicator.enabled -}} - {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfxfer" -}} +{{- if .Values.evidence.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevd" -}} {{- end -}} {{- if .Values.mc.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfmc" -}} @@ -401,21 +387,18 @@ nginx scheme (http/https) {{- end -}} {{- end -}} + {{/* nginx command */}} {{- define "nginx.command" -}} {{- if .Values.nginx.customCommand }} {{ toYaml .Values.nginx.customCommand }} -{{ else }} -- nginx -- -g -- 'daemon off;' {{- end }} {{- end -}} {{/* -nginx port (80/443) based on http/https enabled +nginx port (8080/8443) based on http/https enabled */}} {{- define "nginx.port" -}} {{- if .Values.nginx.http.enabled -}} 
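Review bot: In the new `artifactoryService` branch of `getImageInfoByValue`, when `artifactoryService.image.tag` is unset and the chart carries no `artifactoryServiceVersion` annotation, `$tag` ends up empty (or the string form of nil), and the `printf "%s/%s:%s"` below emits a reference ending in `:` that is only rejected once the pod is created. Failing in the template is clearer: `{{- $tag = required "set artifactoryService.image.tag or the artifactoryServiceVersion chart annotation" (default $dot.Chart.Annotations.artifactoryServiceVersion (index $dot.Values $indexReference "image" "tag")) | toString -}}`. The `nginx.command` hunk further down drops the `nginx -g 'daemon off;'` fallback, so an unset `customCommand` now relies on the image entrypoint; a one-line comment in that define, `{{/* no default: the image ENTRYPOINT is used unless nginx.customCommand is set */}}`, would save the next reader a trip to the git log.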
@@ -498,12 +481,83 @@ nodeSelector: {{- end -}} {{/* -Resolve fsGroup and runAsGroup on cluster based +Calculate the systemYaml from structured and unstructured text input */}} -{{- define "artifactory.isOpenshiftCompatible" -}} -{{- if (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} -{{- printf "%s" "true" -}} -{{- else -}} -{{- printf "%s" "false" -}} +{{- define "artifactory.finalSystemYaml" -}} +{{ tpl (mergeOverwrite (include "artifactory.systemYaml" . | fromYaml) .Values.artifactory.extraSystemYaml | toYaml) . }} +{{- end -}} + +{{/* +Calculate the systemYaml from the unstructured text input +*/}} +{{- define "artifactory.systemYaml" -}} +{{ include (print $.Template.BasePath "/_system-yaml-render.tpl") . }} +{{- end -}} + +{{/* +Metrics enabled +*/}} +{{- define "metrics.enabled" -}} +shared: + metrics: + enabled: true +{{- end }} + +{{/* +Resolve artifactory metrics +*/}} +{{- define "artifactory.metrics" -}} +{{- if .Values.artifactory.openMetrics -}} +{{- if .Values.artifactory.openMetrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.openMetrics.filebeat }} +{{- if .Values.artifactory.openMetrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.openMetrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else if .Values.artifactory.metrics -}} +{{- if .Values.artifactory.metrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.metrics.filebeat }} +{{- if .Values.artifactory.metrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.metrics.filebeat | toYaml) . 
| indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve unified secret prepend release name +*/}} +{{- define "artifactory.unifiedSecretPrependReleaseName" -}} +{{- if .Values.artifactory.unifiedSecretPrependReleaseName }} +{{- printf "%s" (include "artifactory-ha.fullname" .) -}} +{{- else }} +{{- printf "%s" (include "artifactory-ha.name" .) -}} +{{- end }} +{{- end }} + +{{/* +Resolve nginx hosts value +*/}} +{{- define "artifactory.nginx.hosts" -}} +{{- if .Values.ingress.hosts }} +{{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} +{{- else if .Values.nginx.hosts }} +{{- range .Values.nginx.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} {{- end -}} {{- end -}} \ No newline at end of file diff --git a/stable/artifactory-ha/templates/_system-yaml-render.tpl b/stable/artifactory-ha/templates/_system-yaml-render.tpl new file mode 100644 index 000000000..deaa773ea --- /dev/null +++ b/stable/artifactory-ha/templates/_system-yaml-render.tpl @@ -0,0 +1,5 @@ +{{- if .Values.artifactory.systemYaml -}} +{{- tpl .Values.artifactory.systemYaml . -}} +{{- else -}} +{{ (tpl ( $.Files.Get "files/system.yaml" ) .) }} +{{- end -}} \ No newline at end of file diff --git a/stable/artifactory-ha/templates/artifactory-installer-info.yaml b/stable/artifactory-ha/templates/artifactory-installer-info.yaml index e58ec41b3..0dff9dc86 100644 --- a/stable/artifactory-ha/templates/artifactory-installer-info.yaml +++ b/stable/artifactory-ha/templates/artifactory-installer-info.yaml @@ -9,4 +9,8 @@ metadata: release: {{ .Release.Name }} data: installer-info.json: | - {{ tpl .Values.installerInfo . }} +{{- if .Values.installerInfo -}} +{{- tpl .Values.installerInfo . | nindent 4 -}} +{{- else -}} +{{ (tpl ( .Files.Get "files/installer-info.json" | nindent 4 ) .) }} +{{- end -}} 
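Review bot: `artifactory.nginx.hosts` gives `.Values.ingress.hosts` precedence over `.Values.nginx.hosts` — when both are set, `nginx.hosts` is ignored — which is the reverse of what the NOTES.txt banner in this same commit tells users (`ingress.hosts` deprecated, use `nginx.hosts`); checking `.Values.nginx.hosts` first and falling back to `ingress.hosts` matches the stated migration path. Two smaller things in the same define: each host is substituted into the nginx regex unescaped, so the dots in a name such as `artifactory.company.com` match any character (hedged, since the directive this output lands in is outside the hunk), and the capture `(?.+)` as rendered here has no group name, which may be an HTML-extraction loss but is worth confirming in the repository. In `artifactory.finalSystemYaml`, `fromYaml` on unparsable input returns a map carrying an `Error` key instead of failing, so a malformed user `systemYaml` would be merged into system.yaml silently; a `fail` on that key after the parse would surface it.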
diff --git a/stable/artifactory-ha/templates/artifactory-license-secret.yaml b/stable/artifactory-ha/templates/artifactory-license-secret.yaml
index a74bd5a6f..73f900863 100644
--- a/stable/artifactory-ha/templates/artifactory-license-secret.yaml
+++ b/stable/artifactory-ha/templates/artifactory-license-secret.yaml
@@ -1,4 +1,4 @@
-{{ if (not .Values.artifactory.unifiedSecretInstallation) }}
+{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) (not .Values.artifactory.license.licenseKey) }}
 {{- with .Values.artifactory.license.licenseKey }}
 apiVersion: v1
 kind: Secret
diff --git a/stable/artifactory-ha/templates/artifactory-node-statefulset.yaml b/stable/artifactory-ha/templates/artifactory-node-statefulset.yaml
index a0f738f72..9a5d4fd84 100644
--- a/stable/artifactory-ha/templates/artifactory-node-statefulset.yaml
+++ b/stable/artifactory-ha/templates/artifactory-node-statefulset.yaml
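Review bot: As written, the new guard can never render this Secret: it requires `(not .Values.artifactory.license.licenseKey)`, and the very next line, `{{- with .Values.artifactory.license.licenseKey }}`, renders the body only when that same value is set. If the intent is to skip generation when an existing secret is referenced or the unified secret is in use, the third clause should go: `{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) }}`. If instead the license is now meant to come from elsewhere entirely, the template is dead and should be removed rather than left to render nothing. The rest of the file is outside the hunk.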
@@ -67,22 +67,8 @@ spec: {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} {{- include "artifactory-ha.imagePullSecrets" . | indent 6 }} {{- end }} - {{- if .Values.artifactory.setSecurityContext }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.artifactory.uid }} - {{ if eq (include "artifactory.isOpenshiftCompatible" .) "true" }} - runAsGroup: {{ .Values.artifactory.gid }} - {{ else if eq (include "artifactory.isOpenshiftCompatible" .) "false" }} - fsGroup: {{ .Values.artifactory.gid }} - {{- end }} - {{- if .Values.artifactory.fsGroupChangePolicy }} - fsGroupChangePolicy: {{ .Values.artifactory.fsGroupChangePolicy }} - {{- end }} - {{- if .Values.artifactory.seLinuxOptions }} - seLinuxOptions: - {{- tpl (toYaml .Values.artifactory.seLinuxOptions) . | nindent 10 }} - {{- end }} + {{- if .Values.artifactory.podSecurityContext.enabled }} + securityContext: {{- omit .Values.artifactory.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} {{- if .Values.artifactory.topologySpreadConstraints }} topologySpreadConstraints: @@ -96,8 +82,8 @@ spec: {{- if eq .Values.artifactory.persistence.type "file-system" }} {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} - name: "create-artifactory-data-dir" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
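Review bot: The pod `securityContext` is now whatever `podSecurityContext` carries minus `enabled`, so the hard-coded `runAsNonRoot: true` and the OpenShift-aware choice between `runAsGroup` and `fsGroup` that the removed block made are gone from the template; they survive only if values.yaml (outside this diff) sets them, and a user who overrides the whole `podSecurityContext` map drops them silently. A comment above the new `if`, `# pod securityContext is taken verbatim from values: keep runAsNonRoot there, and on OpenShift prefer runAsGroup, since a fixed fsGroup must fall inside the SCC range`, records that the enforcement moved out of the template. The `artifactory.isOpenshiftCompatible` helper this block used to call is deleted in the _helpers.tpl hunk of this commit, so nothing in the chart detects OpenShift any more — worth a changelog line if that is intended.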
@@ -115,8 +101,8 @@ spec: {{- end }} {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'bash' - '-c' @@ -130,8 +116,8 @@ spec: {{- end }} {{- if and .Values.artifactory.node.waitForPrimaryStartup.enabled }} - name: "wait-for-primary" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -154,7 +140,8 @@ spec: {{ toYaml .Values.initContainers.resources | indent 10 }} {{- end }} - name: 'copy-system-configurations' - image: '{{ .Values.initContainerImage }}' + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -190,10 +177,10 @@ spec: - name: ARTIFACTORY_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) }} name: {{ include "artifactory-ha.masterKeySecretName" . }} {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: master-key {{- end }} 
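Review bot: `delete-db-properties` goes straight from `imagePullPolicy` to `command:` with no container `securityContext`, unlike `create-artifactory-data-dir`, `wait-for-primary` and `copy-system-configurations` in the neighbouring hunks, which all carry `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}` / `{{- end }}` right after the image lines; `wait-for-db` in a later hunk of this file has the same gap. Unless the block sits after the command list outside the hunk, those two init containers run without the hardening their siblings get — adding the same three lines keeps the policy uniform. Separately, the move from `.Values.initContainerImage` to `initContainers.image` means a user-supplied `initContainerImage` in old values is now silently ignored; a NOTES.txt banner like the one this commit adds for `setSecurityContext` would catch it at upgrade time.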
@@ -202,8 +189,9 @@ spec: volumeMounts: - name: volume mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + ######################## SystemYaml ######################### + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} @@ -211,24 +199,29 @@ spec: {{- if .Values.systemYamlOverride.existingSecret }} mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.artifactory.systemYaml }} + {{- else }} mountPath: "/tmp/etc/system.yaml" subPath: system.yaml {{- end }} - {{- end }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + ######################## Binarystore ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} - name: binarystore-xml {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} {{- end }} mountPath: "/tmp/etc/artifactory/binarystore.xml" subPath: binarystore.xml + + ######################## CustomCertificates ########################## {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: copy-custom-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} + resources: {{ toYaml .Values.initContainers.resources | indent 10 }} command: 
@@ -245,7 +238,8 @@ spec: {{- if .Values.artifactory.circleOfTrustCertificatesSecret }} - name: copy-circle-of-trust-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -266,7 +260,8 @@ spec: {{- if .Values.waitForDatabase }} {{- if or .Values.postgresql.enabled }} - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - /bin/bash - -c @@ -325,7 +320,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-user {{- end }} @@ -341,7 +336,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -360,7 +355,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-url {{- end }} 
@@ -395,13 +390,18 @@ spec: {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} {{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} {{- end }} + + ######################## Artifactory persistence nfs ########################## {{- if eq .Values.artifactory.persistence.type "nfs" }} - name: artifactory-ha-data mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - name: artifactory-ha-backup mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" {{- else }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} - name: binarystore-xml {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} @@ -409,8 +409,10 @@ spec: mountPath: "/tmp/etc/artifactory/binarystore.xml" subPath: binarystore.xml {{- end }} + + ######################## Artifactory persistence google storage ########################## {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} - name: gcpcreds-json {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} @@ -418,6 +420,7 @@ spec: mountPath: "/artifactory_bootstrap/gcp.credentials.json" subPath: gcp.credentials.json {{- end }} + {{- end }} {{- if .Values.hostAliases }} hostAliases: 
@@ -427,7 +430,7 @@ spec:
 {{- if .Values.splitServicesToContainers }}
 - name: {{ .Values.router.name }}
 image: {{ include "artifactory-ha.getImageInfoByValue" (list . "router") }}
-imagePullPolicy: {{ .Values.router.image.imagePullPolicy }}
+imagePullPolicy: {{ .Values.router.image.pullPolicy }}
 {{- if .Values.containerSecurityContext.enabled }}
 securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
 {{- end }}
@@ -507,11 +510,105 @@ spec: {{- if .Values.frontend.livenessProbe.enabled }} livenessProbe: {{ tpl .Values.frontend.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.evidence.enabled }} + - name: {{ .Values.evidence.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/evidence/bin/jf-evidence start + {{- with .Values.evidence.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . 
}}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.evidence.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.evidence.internalPort }} + name: http-evidence + - containerPort: {{ .Values.evidence.externalPort }} + name: grpc-evidence + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.evidence.resources | indent 10 }} + {{- if .Values.evidence.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.evidence.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.evidence.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.evidence.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} {{- if .Values.metadata.enabled }} - name: {{ .Values.metadata.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . 
"metadata") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} @@ -541,7 +638,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-user {{- end }} @@ -557,7 +654,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -576,7 +673,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-url {{- end }} 
@@ -638,36 +735,6 @@ spec:
 livenessProbe:
 {{ tpl .Values.event.livenessProbe.config . | indent 10 }}
 {{- end }}
- {{- end }}
- {{- if .Values.artifactory.replicator.enabled }}
- - name: {{ .Values.artifactory.replicator.name }}
- image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
- imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
- {{- if .Values.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
- {{- end }}
- command:
- - '/bin/bash'
- - '-c'
- - >
- exec /opt/jfrog/artifactory/app/replicator/bin/jf-replicator start
- {{- with .Values.artifactory.replicator.lifecycle }}
- lifecycle:
-{{ toYaml . | indent 10 }}
- {{- end }}
- env:
- - name: JF_SHARED_NODE_ID
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
-{{- with .Values.artifactory.replicator.extraEnvironmentVariables }}
-{{ tpl (toYaml .) $ | indent 8 }}
-{{- end }}
- volumeMounts:
- - name: volume
- mountPath: {{ .Values.artifactory.persistence.mountPath | quote }}
- resources:
-{{ toYaml .Values.artifactory.replicator.resources | indent 10 }}
 {{- end }}
 {{- if .Values.jfconnect.enabled }}
 - name: {{ .Values.jfconnect.name }}
@@ -707,45 +774,7 @@ spec: {{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} - {{- if .Values.integration.enabled }} - - name: {{ .Values.integration.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/integration/bin/jf-integration start - {{- with .Values.integration.lifecycle }} - lifecycle: -{{ toYaml . | indent 10 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.integration.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 8 }} -{{- end }} - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.integration.resources | indent 10 }} - {{- if .Values.integration.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.integration.startupProbe.config . | indent 10 }} - {{- end }} - {{- if .Values.integration.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.integration.livenessProbe.config . | indent 10 }} - {{- end }} - {{- end }} - {{- if .Values.federation.enabled }} + {{- if and .Values.federation.enabled .Values.federation.embedded }} - name: {{ .Values.federation.name }} image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} 
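Review bot: The federation sidecar is now rendered only when both `.Values.federation.enabled` and `.Values.federation.embedded` are true, but nothing in this hunk shows `embedded` being defaulted or validated, so an operator with `federation.enabled=true` and no `embedded` key silently gets a pod without a federation container and no error. If non-embedded federation is expected to run elsewhere, either document the default in values.yaml or add a guard such as `{{- if and .Values.federation.enabled (not (hasKey .Values.federation "embedded")) }}{{- fail "federation.embedded must be set explicitly" }}{{- end }}`. The federation container definition continues past the end of this hunk.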
@@ -777,7 +806,7 @@ spec:
 {{- if not .Values.artifactory.unifiedSecretInstallation }}
 name: {{ template "artifactory-ha.fullname" . }}-database-creds
 {{- else }}
- name: "{{ template "artifactory-ha.name" . }}-unified-secret"
+ name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret"
 {{- end }}
 key: db-password
 {{- else if .Values.postgresql.enabled }}
@@ -807,7 +836,7 @@ spec:
 {{- end }}
 {{- if .Values.observability.enabled }}
 - name: {{ .Values.observability.name }}
- image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
+ image: {{ include "artifactory-ha.getImageInfoByValue" (list . "observability") }}
 imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
 {{- if .Values.containerSecurityContext.enabled }}
 securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
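Review bot: The observability container now resolves its image through the `observability` image block, yet the very next line still takes `imagePullPolicy` from `.Values.artifactory.image.pullPolicy`, so image and pull policy come from two different value trees. The router container elsewhere in this diff reads `.Values.router.image.pullPolicy`, which suggests per-service image blocks carry their own pull policy; if `observability.image.pullPolicy` exists, use `imagePullPolicy: {{ .Values.observability.image.pullPolicy }}`, and apply the same to the metadata container that was switched to the `metadata` image earlier in this file. The observability container definition continues past the hunk.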
@@ -843,6 +872,185 @@ spec: {{ tpl .Values.observability.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} + {{- if and .Values.access.enabled (not (.Values.access.runOnArtifactoryTomcat | default false)) }} + - name: {{ .Values.access.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.access.resources }} + resources: +{{ toYaml .Values.access.resources | indent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + set -e; + {{- if .Values.access.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.access.preStartCommand . }}; + {{- end }} + exec /opt/jfrog/artifactory/app/access/bin/entrypoint-access.sh + {{- with .Values.access.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . 
}}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.access.extraEnvironmentVariables }} +{{ tpl (toYaml .) 
$ | indent 8 }} +{{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) 
.Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + + ######################## Artifactory ConfigMap ########################## + {{- if .Values.artifactory.configMapName }} + - name: bootstrap-config + mountPath: "/bootstrap/" + {{- end }} + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + {{- if .Values.access.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.access.startupProbe.config . 
| indent 10 }} + {{- end }} + {{- if semverCompare "= 4.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory-ha/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version (< 107.79.x) that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the current postgresql.image.tag to the same tag and databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 107.79.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }} {{- end }} {{- if .Values.artifactory.postStartCommand }} {{- fail ".Values.artifactory.postStartCommand is not supported and should be replaced with .Values.artifactory.lifecycle.postStart.exec.command" }} 
@@ -24,6 +24,20 @@ metadata:
 {{- if or .Values.artifactory.persistence.googleStorage.identity .Values.artifactory.persistence.googleStorage.credential }}
 {{- fail "\nGCP Bucket Authentication with Identity and Credential is deprecated" }}
 {{- end }}
+{{- if (eq (.Values.artifactory.setSecurityContext | toString) "false" ) }}
+ {{- fail "\n You need to set security context at the pod level. .Values.artifactory.setSecurityContext is no longer supported. Replace it with .Values.artifactory.podSecurityContext" }}
+{{- end }}
+{{- if or .Values.artifactory.uid .Values.artifactory.gid }}
+{{- if or (not (eq (.Values.artifactory.uid | toString) "1030" )) (not (eq (.Values.artifactory.gid | toString) "1030" )) }}
+ {{- fail "\n .Values.artifactory.uid and .Values.artifactory.gid are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.runAsUser, .Values.artifactory.podSecurityContext.runAsGroup and .Values.artifactory.podSecurityContext.fsGroup" }}
+{{- end }}
+{{- end }}
+{{- if or .Values.artifactory.fsGroupChangePolicy .Values.artifactory.seLinuxOptions }}
+ {{- fail "\n .Values.artifactory.fsGroupChangePolicy and .Values.artifactory.seLinuxOptions are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.fsGroupChangePolicy and .Values.artifactory.podSecurityContext.seLinuxOptions" }}
+{{- end }}
+{{- if .Values.initContainerImage }}
+ {{- fail "\n .Values.initContainerImage is no longer supported. Replace it with .Values.initContainers.image.registry .Values.initContainers.image.repository and .Values.initContainers.image.tag" }}
+{{- end }}
 {{- with .Values.artifactory.statefulset.annotations }}
 annotations:
 {{ toYaml . | indent 4 }}
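Review bot: The uid/gid guard deliberately tolerates the literal value `1030` while rejecting everything else, but the hunk gives no hint why; a future maintainer is likely to "simplify" it into an unconditional `fail` and break values files that still carry the historical default. A comment above the inner `{{- if or (not (eq ...` such as `# 1030 is the historical default uid/gid; tolerate it so unchanged values files keep installing` would pin the intent. Note also that when only one of `uid`/`gid` is supplied the other renders as `<nil>` and trips the check, which is acceptable but worth stating in the same comment.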
@@ -85,22 +99,8 @@ spec:
 {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }}
 {{- include "artifactory-ha.imagePullSecrets" . | indent 6 }}
 {{- end }}
- {{- if .Values.artifactory.setSecurityContext }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.artifactory.uid }}
- {{ if eq (include "artifactory.isOpenshiftCompatible" .) "true" }}
- runAsGroup: {{ .Values.artifactory.gid }}
- {{ else if eq (include "artifactory.isOpenshiftCompatible" .) "false" }}
- fsGroup: {{ .Values.artifactory.gid }}
- {{- end }}
- {{- if .Values.artifactory.fsGroupChangePolicy }}
- fsGroupChangePolicy: {{ .Values.artifactory.fsGroupChangePolicy }}
- {{- end }}
- {{- if .Values.artifactory.seLinuxOptions }}
- seLinuxOptions:
- {{- tpl (toYaml .Values.artifactory.seLinuxOptions) . | nindent 10 }}
- {{- end }}
+ {{- if .Values.artifactory.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.artifactory.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 {{- if .Values.artifactory.topologySpreadConstraints }}
 topologySpreadConstraints:
@@ -114,8 +114,8 @@ spec:
 {{- if eq .Values.artifactory.persistence.type "file-system" }}
 {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }}
 - name: "create-artifactory-data-dir"
- image: "{{ .Values.initContainerImage }}"
- imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
+ image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }}
+ imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }}
 {{- if .Values.containerSecurityContext.enabled }}
 securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
 {{- end }}
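Review bot: The removed branch always emitted `runAsNonRoot: true` whenever a pod security context was set; the replacement renders `.Values.artifactory.podSecurityContext` verbatim and renders nothing when `enabled` is false, so the non-root baseline now rests entirely on the values file. Consider failing when `podSecurityContext.enabled` is true but `runAsNonRoot` is absent, e.g. `{{- if and .Values.artifactory.podSecurityContext.enabled (not (hasKey .Values.artifactory.podSecurityContext "runAsNonRoot")) }}{{- fail "podSecurityContext.runAsNonRoot must be set" }}{{- end }}`, or at minimum document the expected keys next to `podSecurityContext` in values.yaml. The old OpenShift-aware choice between `runAsGroup` and `fsGroup` is also gone, so that decision now falls to the operator and deserves a note in the chart's upgrade guidance. The second hunk on this line only swaps the init-container image source.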
@@ -133,8 +133,8 @@ spec: {{- end }} {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -150,8 +150,8 @@ spec: {{- end }} {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }} - name: "access-bootstrap-creds" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -168,7 +168,7 @@ spec: volumeMounts: - name: volume mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} - name: access-bootstrap-creds {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} 
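Review bot: In the last hunk the `access-bootstrap-creds` mount is now selected whenever `admin.secret` and `admin.dataKey` are both set, even under `unifiedSecretInstallation`; the `volumes:` stanza that defines that volume is outside this hunk and must carry the identical `or (not ...) (and ...)` condition, otherwise unified-mode installs with an external admin secret fail on a missing volume. A short comment above the `{{- if or` line, e.g. `# an externally supplied admin secret is mounted directly and bypasses the unified secret`, would explain why this switch differs from the plain `not unifiedSecretInstallation` checks used elsewhere in this file. The init container definition starts before this hunk.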
@@ -182,7 +182,8 @@ spec: {{- end }} {{- end }} - name: 'copy-system-configurations' - image: '{{ .Values.initContainerImage }}' + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -240,10 +241,10 @@ spec: - name: ARTIFACTORY_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} name: {{ include "artifactory-ha.joinKeySecretName" . }} {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: join-key {{- end }} @@ -251,10 +252,10 @@ spec: - name: ARTIFACTORY_JFCONNECT_TOKEN valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.jfConnectTokenSecretName }} name: {{ include "artifactory-ha.jfConnectTokenSecretName" . }} {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: jfconnect-token {{- end }} 
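Review bot: The join-key switch consults both `.Values.artifactory.joinKeySecretName` and `.Values.global.joinKeySecretName`, while the jfconnect-token switch a few lines below consults only `.Values.artifactory.jfConnectTokenSecretName`; if the `artifactory-ha.jfConnectTokenSecretName` helper (not visible here) also honours a global key, a unified-secret install that sets only the global value would read the token from the unified secret instead of the supplied one. Both branches also hard-code the secret keys `join-key` and `jfconnect-token`, so an operator-provided secret must expose exactly those key names; a comment like `# externally supplied secret must contain the key "jfconnect-token"` would spare a CreateContainerConfigError round trip. The init container continues past the hunk.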
@@ -262,18 +263,21 @@ spec: - name: ARTIFACTORY_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} name: {{ include "artifactory-ha.masterKeySecretName" . }} {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: master-key {{- end }} + + ######################## Volume Mounts For copy-system-configurations ########################## volumeMounts: - name: volume mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + ######################## SystemYaml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} 
@@ -281,19 +285,22 @@ spec: {{- if .Values.systemYamlOverride.existingSecret }} mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.artifactory.systemYaml }} + {{- else }} mountPath: "/tmp/etc/system.yaml" subPath: system.yaml {{- end }} - {{- end }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + ######################## Binarystore ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} - name: binarystore-xml {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} {{- end }} mountPath: "/tmp/etc/artifactory/binarystore.xml" subPath: binarystore.xml - {{- if .Values.access.accessConfig }} + + ######################## Access config ########################## + {{- if .Values.access.accessConfig }} {{- if not .Values.artifactory.unifiedSecretInstallation }} - name: access-config {{- else }} 
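Review bot: The `{{- else if .Values.artifactory.systemYaml }}` guard on the system.yaml mount became a bare `{{- else }}`, so `/tmp/etc/system.yaml` is now mounted unconditionally whenever `systemYamlOverride.existingSecret` is unset; the `systemyaml` volume and its `system.yaml` key, defined outside this hunk, must therefore be rendered unconditionally as well or installs that previously left `artifactory.systemYaml` empty will fail to start. If that is the intent, a line under the new `######## SystemYaml ########` banner such as `# a system.yaml is always mounted; either the chart-rendered secret or systemYamlOverride.existingSecret` would make the contract explicit. The init container definition starts before this hunk.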
@@ -301,18 +308,22 @@ spec: {{- end }} mountPath: "/tmp/etc/access.config.patch.yml" subPath: access.config.patch.yml - {{- end }} - {{- if .Values.access.customCertificatesSecretName }} + {{- end }} + + ######################## Access certs external secret ########################## + {{- if .Values.access.customCertificatesSecretName }} - name: access-certs mountPath: "/tmp/etc/tls.crt" subPath: tls.crt - name: access-certs mountPath: "/tmp/etc/tls.key" subPath: tls.key - {{- end }} + {{- end }} + {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: copy-custom-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -332,7 +343,8 @@ spec: {{- if .Values.artifactory.circleOfTrustCertificatesSecret }} - name: copy-circle-of-trust-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -353,7 +365,8 @@ spec: {{- if .Values.waitForDatabase }} {{- if or .Values.postgresql.enabled }} - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
@@ -415,7 +428,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-user {{- end }} @@ -431,7 +444,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -450,7 +463,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-url {{- end }} @@ -472,6 +485,8 @@ spec: subPath: migrationStatus.sh - name: volume mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## {{- if eq .Values.artifactory.persistence.type "file-system" }} {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} 
@@ -482,24 +497,32 @@ spec: mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" {{- end }} {{- end }} + + ######################## CustomVolumeMounts ########################## {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} {{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} {{- end }} + + ######################## Artifactory persistence nfs ########################## {{- if eq .Values.artifactory.persistence.type "nfs" }} - name: artifactory-ha-data mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - name: artifactory-ha-backup mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" {{- else }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} - name: binarystore-xml {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} {{- end }} mountPath: "/tmp/etc/artifactory/binarystore.xml" subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} - {{- if (not .Values.artifactory.unifiedSecretInstallation) }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} - name: gcpcreds-json {{- else }} - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} @@ -507,8 +530,10 @@ spec: mountPath: "/artifactory_bootstrap/gcp.credentials.json" subPath: gcp.credentials.json {{- end }} - {{- end }} + {{- end }} + {{- end }} + {{- if .Values.hostAliases }} hostAliases: {{ toYaml .Values.hostAliases | indent 6 }} 
@@ -517,7 +542,7 @@ spec:
 {{- if .Values.splitServicesToContainers }}
 - name: {{ .Values.router.name }}
 image: {{ include "artifactory-ha.getImageInfoByValue" (list . "router") }}
- imagePullPolicy: {{ .Values.router.image.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.router.image.pullPolicy }}
 {{- if .Values.containerSecurityContext.enabled }}
 securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
 {{- end }}
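Review bot: The old key `.Values.router.image.imagePullPolicy` rendered an empty `imagePullPolicy:` for the router container, meaning clusters were applying the Kubernetes default rather than the configured value; the fix is correct but it changes pull behaviour on upgrade and deserves a CHANGELOG line naming the corrected key. A values.yaml comment that `router.image.pullPolicy` is now honoured would also help operators who pin the router image and rely on `IfNotPresent`. The router container definition continues past the hunk.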
@@ -597,11 +622,105 @@ spec: {{- if .Values.frontend.livenessProbe.enabled }} livenessProbe: {{ tpl .Values.frontend.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.evidence.enabled }} + - name: {{ .Values.evidence.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/evidence/bin/jf-evidence start + {{- with .Values.evidence.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . 
}}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.evidence.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.evidence.internalPort }} + name: http-evidence + - containerPort: {{ .Values.evidence.externalPort }} + name: grpc-evidence + volumeMounts: + - name: volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.evidence.resources | indent 10 }} + {{- if .Values.evidence.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.evidence.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.evidence.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.evidence.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} {{- if .Values.metadata.enabled }} - name: {{ .Values.metadata.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . 
"metadata") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} @@ -631,7 +750,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-user {{- end }} @@ -647,7 +766,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -666,7 +785,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory-ha.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory-ha.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-url {{- end }} 
@@ -728,36 +847,6 @@ spec:
 livenessProbe:
 {{ tpl .Values.event.livenessProbe.config . | indent 10 }}
 {{- end }}
- {{- end }}
- {{- if .Values.artifactory.replicator.enabled }}
- - name: {{ .Values.artifactory.replicator.name }}
- image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }}
- imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }}
- {{- if .Values.containerSecurityContext.enabled }}
- securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
- {{- end }}
- command:
- - '/bin/bash'
- - '-c'
- - >
- exec /opt/jfrog/artifactory/app/replicator/bin/jf-replicator start
- {{- with .Values.artifactory.replicator.lifecycle }}
- lifecycle:
-{{ toYaml . | indent 10 }}
- {{- end }}
- env:
- - name: JF_SHARED_NODE_ID
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
-{{- with .Values.artifactory.replicator.extraEnvironmentVariables }}
-{{ tpl (toYaml .) $ | indent 8 }}
-{{- end }}
- volumeMounts:
- - name: volume
- mountPath: {{ .Values.artifactory.persistence.mountPath | quote }}
- resources:
-{{ toYaml .Values.artifactory.replicator.resources | indent 10 }}
 {{- end }}
 {{- if .Values.jfconnect.enabled }}
 - name: {{ .Values.jfconnect.name }}
@@ -797,45 +886,7 @@ spec: {{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} - {{- if .Values.integration.enabled }} - - name: {{ .Values.integration.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/integration/bin/jf-integration start - {{- with .Values.integration.lifecycle }} - lifecycle: -{{ toYaml . | indent 10 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.integration.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 8 }} -{{- end }} - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.integration.resources | indent 10 }} - {{- if .Values.integration.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.integration.startupProbe.config . | indent 10 }} - {{- end }} - {{- if .Values.integration.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.integration.livenessProbe.config . | indent 10 }} - {{- end }} - {{- end }} - {{- if .Values.federation.enabled }} + {{- if and .Values.federation.enabled .Values.federation.embedded }} - name: {{ .Values.federation.name }} image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} 
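Review bot: The new guard `{{- if and .Values.federation.enabled .Values.federation.embedded }}` ties the federation sidecar to a `federation.embedded` value that is not set anywhere in this diff view; if values.yaml does not define it, `and` treats the missing key as false and the container is silently dropped even for users who only set `federation.enabled: true`. Please confirm the key has a default and document it next to `federation.enabled`, e.g. `## embedded: run the federation service as a sidecar of the Artifactory pod`. The container definition continues past the end of this hunk.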
@@ -879,7 +930,7 @@ spec: {{- end }} {{- if .Values.observability.enabled }} - name: {{ .Values.observability.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "observability") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} 
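Review bot: `getImageInfoByValue (list . "observability")` now resolves the sidecar image from `.Values.observability.image`, which is not visible in this diff; unless the helper falls back to the artifactory image when that key is absent, values files that never set it would presumably render an empty `image:`. Adding the `observability.image` block (registry, repository, tag) to values.yaml in the same change, or keeping `"artifactory"` as the helper's fallback, closes that gap. The container spec continues outside the hunk.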
@@ -915,6 +966,180 @@ spec: {{ tpl .Values.observability.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} + {{- if and .Values.access.enabled (not (.Values.access.runOnArtifactoryTomcat | default false)) }} + - name: {{ .Values.access.name }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.access.resources }} + resources: +{{ toYaml .Values.access.resources | indent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + set -e; + {{- if .Values.access.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.access.preStartCommand . }}; + {{- end }} + exec /opt/jfrog/artifactory/app/access/bin/entrypoint-access.sh + {{- with .Values.access.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . 
}}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory-ha.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.access.extraEnvironmentVariables }} +{{ tpl (toYaml .) 
$ | indent 8 }} +{{- end }} + volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentPodVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" + {{- end }} + - name: volume + mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + + ######################## Artifactory persistence fs ########################## + {{- if eq .Values.artifactory.persistence.type "file-system" }} + {{- if .Values.artifactory.persistence.fileSystem.existingSharedClaim.enabled }} + {{- range $sharedClaimNumber, $e := until (.Values.artifactory.persistence.fileSystem.existingSharedClaim.numberOfExistingClaims|int) }} + - name: artifactory-ha-data-{{ $sharedClaimNumber }} + mountPath: "{{ tpl $.Values.artifactory.persistence.fileSystem.existingSharedClaim.dataDir $ }}/filestore{{ $sharedClaimNumber }}" + {{- end }} + - name: artifactory-ha-backup + mountPath: "{{ $.Values.artifactory.persistence.fileSystem.existingSharedClaim.backupDir }}" + {{- end }} + {{- end }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-ha-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-ha-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) 
.Values.artifactory.persistence.customBinarystoreXmlSecret }} + - name: binarystore-xml + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/tmp/etc/artifactory/binarystore.xml" + subPath: binarystore.xml + + ######################## Artifactory persistence google storage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json + {{- end }} + + + ######################## Artifactory license ########################## + {{- if or .Values.artifactory.license.secret .Values.artifactory.license.licenseKey }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.license.secret }} + - name: artifactory-license + {{- else }} + - name: {{ include "artifactory-ha.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/artifactory.cluster.license" + {{- if .Values.artifactory.license.secret }} + subPath: {{ .Values.artifactory.license.dataKey }} + {{- else if .Values.artifactory.license.licenseKey }} + subPath: artifactory.lic + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory-ha.customVolumeMounts" .) . | indent 8 }} + {{- end }} + {{- if .Values.access.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.access.startupProbe.config . 
| indent 10 }} + {{- end }} + {{- if semverCompare "=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ default .Values.ingress.className .Values.artifactory.replicator.ingress.className }} - {{- end }} - {{- if .Values.ingress.defaultBackend.enabled }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - defaultBackend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- else }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} - rules: -{{- if .Values.artifactory.replicator.ingress.hosts }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - {{- range $host := .Values.artifactory.replicator.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: /replicator/ - pathType: ImplementationSpecific - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - - path: /artifactory/api/replication/replicate/file/streaming - pathType: ImplementationSpecific - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- end }} - {{- else }} - {{- range $host := .Values.artifactory.replicator.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: /replicator/ - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - - path: /artifactory/api/replication/replicate/file/streaming - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} -{{- end -}} - {{- if .Values.artifactory.replicator.ingress.tls }} - tls: -{{ toYaml .Values.artifactory.replicator.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} -{{- if and .Values.artifactory.replicator.enabled .Values.artifactory.replicator.trackerIngress.enabled }} ---- -{{- $replicatorTrackerIngressName := default ( include "artifactory-ha.replicator.tracker.fullname" . 
) .Values.artifactory.replicator.trackerIngress.name -}} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -apiVersion: networking.k8s.io/v1 - {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 - {{- else }} -apiVersion: extensions/v1beta1 - {{- end }} -kind: Ingress -metadata: - name: {{ $replicatorTrackerIngressName }} - labels: - app: "{{ template "artifactory-ha.name" $ }}" - chart: "{{ template "artifactory-ha.chart" $ }}" - release: {{ $.Release.Name | quote }} - heritage: {{ $.Release.Service | quote }} - {{- if .Values.artifactory.replicator.trackerIngress.annotations }} - annotations: -{{ .Values.artifactory.replicator.trackerIngress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} - {{- end }} -spec: - {{- if and (or .Values.ingress.className .Values.artifactory.replicator.trackerIngress.className) (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ default .Values.ingress.className .Values.artifactory.replicator.trackerIngress.className }} - {{- end }} - {{- if .Values.ingress.defaultBackend.enabled }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - defaultBackend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- else }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} - rules: -{{- if .Values.artifactory.replicator.trackerIngress.hosts }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - {{- range $host := .Values.artifactory.replicator.trackerIngress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: / - pathType: ImplementationSpecific - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- end }} - {{- else }} - {{- range $host := .Values.artifactory.replicator.trackerIngress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: / - backend: - 
serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} -{{- end -}} - {{- if .Values.artifactory.replicator.trackerIngress.tls }} - tls: -{{ toYaml .Values.artifactory.replicator.trackerIngress.tls | indent 4 }} - {{- end -}} -{{- end -}} + {{- if .Values.customIngress }} --- {{ .Values.customIngress | toYaml | trimSuffix "\n" }} diff --git a/stable/artifactory-ha/templates/nginx-artifactory-conf.yaml b/stable/artifactory-ha/templates/nginx-artifactory-conf.yaml index eb1f0e698..97ae5f27b 100644 --- a/stable/artifactory-ha/templates/nginx-artifactory-conf.yaml +++ b/stable/artifactory-ha/templates/nginx-artifactory-conf.yaml @@ -10,5 +10,9 @@ metadata: release: {{ .Release.Name }} data: artifactory.conf: | +{{- if .Values.nginx.artifactoryConf }} {{ tpl .Values.nginx.artifactoryConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-artifactory-conf.yaml" ) . | indent 4 }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/stable/artifactory-ha/templates/nginx-conf.yaml b/stable/artifactory-ha/templates/nginx-conf.yaml index 5f424d52a..4f0d65f25 100644 --- a/stable/artifactory-ha/templates/nginx-conf.yaml +++ b/stable/artifactory-ha/templates/nginx-conf.yaml @@ -10,5 +10,9 @@ metadata: release: {{ .Release.Name }} data: nginx.conf: | +{{- if .Values.nginx.mainConf }} {{ tpl .Values.nginx.mainConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-main-conf.yaml" ) . | indent 4 }} +{{- end }} {{- end }} diff --git a/stable/artifactory-ha/templates/nginx-deployment.yaml b/stable/artifactory-ha/templates/nginx-deployment.yaml index 80e2def21..d43689b8c 100644 --- a/stable/artifactory-ha/templates/nginx-deployment.yaml +++ b/stable/artifactory-ha/templates/nginx-deployment.yaml 
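Review bot: The new `{{- else }}` branch of `artifactory.conf` reads the bundled default with `.Files.Get "files/nginx-artifactory-conf.yaml"`, and `.Files.Get` returns an empty string when the file is missing from the packaged chart, so a missing or misnamed bundled file renders an empty nginx configuration instead of failing the install. Wrapping the read in `required` fails fast: `{{ tpl (required "files/nginx-artifactory-conf.yaml is missing from the chart" (.Files.Get "files/nginx-artifactory-conf.yaml")) . | indent 4 }}`. The same applies to the `nginx.conf` hunk in nginx-conf.yaml immediately below, which reads `files/nginx-main-conf.yaml` the same way.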
@@ -41,10 +41,13 @@ spec: component: {{ .Values.nginx.name }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 8 }} +{{- end }} spec: - securityContext: - runAsUser: {{ .Values.nginx.uid }} - runAsGroup: {{ .Values.nginx.gid }} + {{- if .Values.nginx.podSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.nginx.terminationGracePeriodSeconds }} {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} @@ -62,8 +65,8 @@ spec: {{ tpl (include "artifactory.nginx.customInitContainers" .) . | indent 6 }} {{- end }} - name: "setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.imagePullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -73,6 +76,8 @@ spec: - > rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; + resources: + {{- toYaml .Values.initContainers.resources | nindent 10 }} volumeMounts: - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} name: nginx-volume 
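Review bot: Replacing the unconditional `runAsUser: {{ .Values.nginx.uid }}` / `runAsGroup: {{ .Values.nginx.gid }}` with `{{- if .Values.nginx.podSecurityContext.enabled }}` means the nginx pod renders no pod-level securityContext at all when that flag is false, so the uid/gid then come from whatever the image defaults to. The values.yaml change introducing `nginx.podSecurityContext` is not in this view, so please confirm its defaults carry `runAsUser`, `runAsGroup` and ideally `runAsNonRoot: true`, and that `nginx.uid`/`nginx.gid` are either removed from values or still consumed elsewhere in the chart. A comment above the `if`, such as `# pod-level securityContext; when disabled the nginx image's own user applies`, would make the opt-out explicit.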
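Review bot: The `setup` init container reads `{{ .Values.initContainers.image.imagePullPolicy }}`, but the `initContainers.image` block added to values.yaml in this same diff defines `pullPolicy`, and the logger sidecar hunk later in this file already uses `$.Values.initContainers.image.pullPolicy`; the key mismatch renders `imagePullPolicy:` with a null value, so the configured policy is silently ignored and Kubernetes applies its tag-based default. Change it to `imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }}`.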
@@ -80,12 +85,13 @@ spec: - name: {{ .Values.nginx.name }} image: {{ include "artifactory-ha.getImageInfoByValue" (list . "nginx") }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - {{- with .Values.nginx.securityContext }} - securityContext: -{{ toYaml . | indent 10 }} + {{- if .Values.nginx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} + {{- if .Values.nginx.customCommand }} command: {{- tpl (include "nginx.command" .) . | indent 10 }} + {{- end }} ports: {{ if .Values.nginx.customPorts }} {{ toYaml .Values.nginx.customPorts | indent 8 }} @@ -150,7 +156,8 @@ spec: {{- $mountPath := .Values.nginx.persistence.mountPath }} {{- range .Values.nginx.loggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "logger") }} + image: {{ include "artifactory-ha.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} command: - tail args: @@ -211,4 +218,4 @@ spec: secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/artifactory-ha/templates/nginx-service.yaml b/stable/artifactory-ha/templates/nginx-service.yaml index 8706a1d4e..4f3bb58a1 100644 --- a/stable/artifactory-ha/templates/nginx-service.yaml +++ b/stable/artifactory-ha/templates/nginx-service.yaml 
@@ -21,6 +21,12 @@ spec: {{- if and (eq .Values.nginx.service.type "ClusterIP") .Values.nginx.service.clusterIP }} clusterIP: {{ .Values.nginx.service.clusterIP }} {{- end }} + {{- if .Values.nginx.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.nginx.service.ipFamilyPolicy }} + {{- end }} + {{- if not (empty .Values.nginx.service.ipFamilies)}} + ipFamilies: {{- toYaml .Values.nginx.service.ipFamilies | nindent 4 }} + {{- end }} {{- if eq .Values.nginx.service.type "LoadBalancer" }} {{ if .Values.nginx.service.loadBalancerIP -}} loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP }} diff --git a/stable/artifactory-ha/values-large.yaml b/stable/artifactory-ha/values-large.yaml deleted file mode 100644 index 2d0ee5789..000000000 --- a/stable/artifactory-ha/values-large.yaml +++ /dev/null @@ -1,82 +0,0 @@ -artifactory: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 300 - primary: - replicaCount: 4 - resources: - requests: - memory: "6Gi" - cpu: "2" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "8g" - xmx: "10g" -access: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 100 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 150 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" 
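Review bot: Style: `{{- if not (empty .Values.nginx.service.ipFamilies)}}` lacks the space before `}}` that every other action in this hunk has; write `{{- if not (empty .Values.nginx.service.ipFamilies) }}`. The values.yaml defaults for `nginx.service.ipFamilyPolicy` and `ipFamilies` are not in this view; if they are absent both guards simply omit the fields, which is correct, but documenting the accepted values (`SingleStack`, `PreferDualStack`, `RequireDualStack` for the policy) next to them would help users.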
diff --git a/stable/artifactory-ha/values-medium.yaml b/stable/artifactory-ha/values-medium.yaml deleted file mode 100644 index c2d26ee38..000000000 --- a/stable/artifactory-ha/values-medium.yaml +++ /dev/null @@ -1,82 +0,0 @@ -artifactory: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 200 - primary: - replicaCount: 3 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "6g" - xmx: "8g" -access: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 100 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/stable/artifactory-ha/values-small.yaml b/stable/artifactory-ha/values-small.yaml deleted file mode 100644 index aa97312a1..000000000 --- a/stable/artifactory-ha/values-small.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -artifactory: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 200 - primary: - replicaCount: 2 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "6g" -access: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 80 - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/stable/artifactory-ha/values.yaml b/stable/artifactory-ha/values.yaml index 34b9c53dd..0affa3d69 100644 --- a/stable/artifactory-ha/values.yaml +++ b/stable/artifactory-ha/values.yaml @@ -1,7 +1,7 @@ -# Default values for artifactory-ha. -# This is a YAML-formatted file. -# Beware when changing values here. You should know what you are doing! -# Access the values with {{ .Values.key.subkey }} +## Default values for artifactory-ha. +## This is a YAML-formatted file. +## Beware when changing values here. You should know what you are doing! +## Access the values with {{ .Values.key.subkey }} global: # imageRegistry: releases-docker.jfrog.io 
@@ -11,7 +11,8 @@ global: ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion ## This applies also for nginx images (.Values.nginx.image.tag) versions: {} - # artifactory: + # artifactory: + # initContainers: # joinKey: # masterKey: # joinKeySecretName: @@ -35,17 +36,32 @@ global: ## Applies to artifactory and nginx pods nodeSelector: {} ## String to partially override artifactory-ha.fullname template (will maintain the release name) -## # nameOverride: ## String to fully override artifactory-ha.fullname template -## # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106 + +# Init containers +initContainers: + image: + registry: releases-docker.jfrog.io + repository: ubi9/ubi-minimal + tag: 9.4.949.1716471857 + pullPolicy: IfNotPresent + resources: + requests: + memory: "50Mi" + cpu: "10m" + limits: + memory: "1Gi" + cpu: "1" installer: type: platform: -installerInfo: '{"productId": "Helm_artifactory-ha/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}' +## The installerInfo is intentionally commented out and the previous content has been moved under `files/installer-info.json` +## To override the content in `files/installer-info.json`, Uncomment the `installerInfo` and add relevant data +# installerInfo: '{}' + # For supporting pulling from private registries # imagePullSecrets: # - myRegistryKeySecretName @@ -93,7 +109,7 @@ ingress: enabled: false defaultBackend: enabled: true - # Used to create an Ingress record. + ## Used to create an Ingress record. hosts: [] routerPath: / artifactoryPath: /artifactory/ 
@@ -107,13 +123,15 @@ ingress: # traffic-type: external # traffic-type: internal tls: [] - # Secrets must be manually created in the namespace. + ## Secrets must be manually created in the namespace. # - secretName: chart-example-tls # hosts: # - artifactory.domain.example - # Additional ingress rules + ## Additional ingress rules additionalRules: [] + ## This is an experimental feature, enabling this feature will route all traffic through the Router. + disableRouterBypass: false ## Allows to add custom ingress customIngress: "" networkpolicy: [] @@ -126,7 +144,7 @@ networkpolicy: [] # - {} # ingress: # - {} -# Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) +## Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) # - name: postgresql # podSelector: # matchLabels: @@ -148,7 +166,7 @@ postgresql: image: registry: releases-docker.jfrog.io repository: bitnami/postgresql - tag: 13.10.0-debian-11-r14 + tag: 15.6.0-debian-11-r16 postgresqlUsername: artifactory postgresqlPassword: "" postgresqlDatabase: artifactory @@ -174,22 +192,17 @@ postgresql: enabled: true containerSecurityContext: enabled: true - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - # requests: - # memory: "512Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "500m" + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), ## you MUST specify custom database details here or Artifactory will NOT start database: + ## To run Artifactory with any database other than PostgreSQL allowNonPostgresql set to true. + allowNonPostgresql: false type: driver: ## If you set the url, leave host and port empty 
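Review bot: Bumping the bundled PostgreSQL image from `13.10.0-debian-11-r14` to `15.6.0-debian-11-r16` is a major-version change of the database engine; a PostgreSQL 15 server will not start against a data directory written by 13, so an in-place `helm upgrade` of an installation with `postgresql.enabled: true` would presumably fail on the existing PVC unless a dump/restore or pg_upgrade is performed first. That migration requirement should be called out in this chart's CHANGELOG and README upgrade notes (neither is in this view), and a comment next to the tag such as `## Upgrading from 13.x requires migrating the existing data directory first` would keep the warning close to the value.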
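Review bot: The `postgresql.containerSecurityContext` block loses `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `seccompProfile.type: RuntimeDefault` and `capabilities.drop: [ALL]`, keeping only `enabled: true`; that weakens the hardening the previous defaults shipped for the bundled database container, and whether the subchart restores equivalent settings from its own defaults is not visible here. If relying on the subchart defaults is the intent, say so in a comment above `containerSecurityContext`; otherwise restore the four removed settings.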
@@ -201,20 +214,15 @@ database: ## If you have existing Kubernetes secrets containing db credentials, use ## these values secrets: {} - # user: - # name: "rds-artifactory" - # key: "db-user" - # password: - # name: "rds-artifactory" - # key: "db-password" - # url: - # name: "rds-artifactory" - # key: "db-url" -logger: - image: - registry: releases-docker.jfrog.io - repository: ubi9/ubi-minimal - tag: 9.2.750.1697534106 + # user: + # name: "rds-artifactory" + # key: "db-user" + # password: + # name: "rds-artifactory" + # key: "db-password" + # url: + # name: "rds-artifactory" + # key: "db-url" ## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName ## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}` aws: @@ -222,10 +230,19 @@ aws: enabled: false licenseConfigSecretName: region: us-east-1 +## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## containerSecurityContext: enabled: true runAsNonRoot: true + privileged: false allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault 
@@ -233,14 +250,13 @@ containerSecurityContext: drop: - ALL ## The following router settings are to configure only when splitServicesToContainers set to true -## splitServicesToContainers (by default it is false) router: name: router image: registry: releases-docker.jfrog.io repository: jfrog/router - tag: 7.81.0 - imagePullPolicy: IfNotPresent + tag: 7.118.2 + pullPolicy: IfNotPresent serviceRegistry: ## Service registry (Access) TLS verification skipped if enabled insecure: false @@ -253,16 +269,16 @@ router: # - name: MY_ENV_VAR # value: "" resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" - - # Add lifecycle hooks for router container + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" + + ## Add lifecycle hooks for router container lifecycle: - # From Artifactory versions 7.52.x, Wait for Artifactory to complete any open uploads or downloads before terminating + ## From Artifactory versions 7.52.x, Wait for Artifactory to complete any open uploads or downloads before terminating preStop: exec: command: ["sh", "-c", "while [[ $(curl --fail --silent --connect-timeout 2 http://localhost:8081/artifactory/api/v1/system/liveness) =~ OK ]]; do echo Artifactory is still alive; sleep 2; done"] @@ -270,11 +286,10 @@ router: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] ## Add custom volumesMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: /scripts/script.sh - # subPath: script.sh - + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh livenessProbe: enabled: true config: | 
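Review bot: Renaming `router.image.imagePullPolicy` to `pullPolicy` is a breaking values change: an existing values file that still sets the old key renders without error but its setting is ignored, and the router template that consumes the new key is not in this view. Please record the rename in the changelog, and if the chart keeps compatibility for renamed keys elsewhere, consider honouring both (`default .Values.router.image.imagePullPolicy .Values.router.image.pullPolicy`) for one release.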
@@ -315,16 +330,19 @@ router: timeoutSeconds: {{ .Values.probes.timeoutSeconds }} persistence: mountPath: "/var/opt/jfrog/router" -# Artifactory +## Artifactory artifactory: name: artifactory-ha - # Note that by default we use appVersion to get image tag/version + ## Note that by default we use appVersion to get image tag/version ## refer - https://www.jfrog.com/confluence/display/JFROG/Access+Federation#AccessFederation-EstablishingtheCircleofTrust ## root certificates added will be copied to $JFROG_HOME/artifactory/var/etc/access/keys/trusted folder. circleOfTrustCertificatesSecret: - # unifiedSecretInstallation flag enables single unified secret holding all the artifactory-ha secrets - unifiedSecretInstallation: false + ## unifiedSecretInstallation flag enables single unified secret holding all the artifactory-ha internal(chart) secrets, It won't be affecting external secrets. + ## Note: unifiedSecretInstallation flag is enabled by true by default from chart version 107.78.x, Users can switch to false to continue with the old way of secret creation. + unifiedSecretInstallation: true + ## unifiedSecretPrependReleaseName Set this flag to false if unifiedSecret should not be created with prepended. + unifiedSecretPrependReleaseName: true image: registry: releases-docker.jfrog.io repository: jfrog/artifactory-pro @@ -332,8 +350,8 @@ artifactory: pullPolicy: IfNotPresent ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ schedulerName: - # Create a priority class for the Artifactory pods or use an existing one - # NOTE - Maximum allowed value of a user defined priority is 1000000000 + ## Create a priority class for the Artifactory pods or use an existing one + ## NOTE - Maximum allowed value of a user defined priority is 1000000000 priorityClass: create: false value: 1000000000 
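Review bot: The new comment `## unifiedSecretPrependReleaseName Set this flag to false if unifiedSecret should not be created with prepended.` is missing the object of "prepended"; suggest `## unifiedSecretPrependReleaseName: set to false if the unified secret name should not be prefixed with the release name.` Since `unifiedSecretInstallation` also flips to `true` in this hunk, a sentence noting that upgrading a release that previously ran with `false` changes which secret objects the pods reference would spare users a surprise (hedged: the upgrade behaviour is not visible in this diff).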
@@ -341,7 +359,7 @@ artifactory: # name: ## Use an existing priority class # existingPriorityClass: - # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties + ## Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties deleteDBPropertiesOnStartup: true database: maxOpenConnections: 80 @@ -352,14 +370,15 @@ artifactory: maxThreads: 200 sendReasonPhrase: false extraConfig: 'acceptCount="400"' - # certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory + ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory customCertificates: enabled: false # certificateSecretName: - # Support for open metrics is only available for Artifactory 7.7.x (appVersions) and above. - # To enable set `.Values.artifactory.openMetrics.enabled` to `true` - # Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics - openMetrics: + ## Support for metrics is only available for Artifactory 7.7.x (appVersions) and above. + ## To enable set `.Values.artifactory.metrics.enabled` to `true` + ## Note: Depricated `openMetrics` as part of 7.87.x and renamed to `metrics` + ## Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics + metrics: enabled: false ## Settings for pushing metrics to Insight - enable filebeat to true filebeat: 
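Review bot: Renaming `artifactory.openMetrics` to `artifactory.metrics` drops the old key with no compatibility shim, so an existing `--set artifactory.openMetrics.enabled=true` (and any Insight credentials under `openMetrics.filebeat`) now silently disables metrics export rather than failing. A render-time guard such as `{{- if .Values.artifactory.openMetrics }}{{ fail "artifactory.openMetrics was renamed to artifactory.metrics in 7.87.x" }}{{- end }}` would surface the rename. The new comment also misspells "Deprecated" as `Depricated`.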
@@ -373,30 +392,30 @@ artifactory: url: "Elasticsearch url where JFrog Insight is installed For example, http://:8082" username: "" password: "" - # Support for Cold Artifact Storage - # set 'coldStorage.enabled' to 'true' only for Artifactory instance that you are designating as the Cold instance - # Refer - https://jfrog.com/help/r/jfrog-platform-administration-documentation/setting-up-cold-artifact-storage + ## Support for Cold Artifact Storage + ## set 'coldStorage.enabled' to 'true' only for Artifactory instance that you are designating as the Cold instance + ## Refer - https://jfrog.com/help/r/jfrog-platform-administration-documentation/setting-up-cold-artifact-storage coldStorage: enabled: false - # This directory is intended for use with NFS eventual configuration for HA - # When enabling this section, The system.yaml will include haDataDir section. - # The location of Artifactory Data directory and Artifactory Filestore will be modified accordingly and will be shared among all nodes. - # It's recommended to leave haDataDir disabled, and the default BinarystoreXml will set the Filestore location as configured in artifactory.persistence.nfs.dataDir. + ## This directory is intended for use with NFS eventual configuration for HA + ## When enabling this section, The system.yaml will include haDataDir section. + ## The location of Artifactory Data directory and Artifactory Filestore will be modified accordingly and will be shared among all nodes. + ## It's recommended to leave haDataDir disabled, and the default BinarystoreXml will set the Filestore location as configured in artifactory.persistence.nfs.dataDir. 
haDataDir: enabled: false path: haBackupDir: enabled: false path: - # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup - # Note : From 107.46.x chart versions, copyOnEveryStartup is not needed for binarystore.xml, it is always copied via initContainers + ## Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup + ## Note : From 107.46.x chart versions, copyOnEveryStartup is not needed for binarystore.xml, it is always copied via initContainers copyOnEveryStartup: - # # Absolute path - # - source: /artifactory_bootstrap/artifactory.cluster.license - # # Relative to ARTIFACTORY_HOME/ - # target: etc/artifactory/ + ## Absolute path + # - source: /artifactory_bootstrap/artifactory.cluster.license + ## Relative to ARTIFACTORY_HOME/ + # target: etc/artifactory/ - # Sidecar containers for tailing Artifactory logs + ## Sidecar containers for tailing Artifactory logs loggers: [] # - access-audit.log # - access-request.log 
@@ -416,132 +435,127 @@ artifactory: # - router-traefik.log # - derby.log - # Loggers containers resources + ## Loggers containers resources loggersResources: {} - # requests: - # memory: "10Mi" - # cpu: "10m" - # limits: - # memory: "100Mi" - # cpu: "50m" - - # Sidecar containers for tailing Tomcat (catalina) logs + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Sidecar containers for tailing Tomcat (catalina) logs catalinaLoggers: [] # - tomcat-catalina.log # - tomcat-localhost.log - # Tomcat (catalina) loggers resources + ## Tomcat (catalina) loggers resources catalinaLoggersResources: {} - # requests: - # memory: "10Mi" - # cpu: "10m" - # limits: - # memory: "100Mi" - # cpu: "50m" - - # Migration support from 6.x to 7.x + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Migration support from 6.x to 7.x. migration: - enabled: true + enabled: false timeoutSeconds: 3600 ## Extra pre-start command in migration Init Container to install JDBC driver for MySql/MariaDb/Oracle - # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" ## Add custom init containers execution before predefined init containers - customInitContainersBegin: "" - # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # 
imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - + customInitContainersBegin: | + # - name: "custom-setup" + # image: {{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume ## Add custom init containers ## Add custom init containers execution after predefined init containers - customInitContainers: "" - # - name: "custom-systemyaml-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - + customInitContainers: | + # - name: "custom-systemyaml-setup" + # image: {{ include "artifactory-ha.getImageInfoByValue" (list . 
"initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume ## Add custom sidecar containers - # - The provided example uses a custom volume (customVolumes) - # - The provided example shows running container as root (id 0) - customSidecarContainers: "" - # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'sh /scripts/script.sh' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: volume - # - mountPath: "/scripts/script.sh" - # name: custom-script - # subPath: script.sh - # resources: - # requests: - # memory: "32Mi" - # cpu: "50m" - # limits: - # memory: "128Mi" - # cpu: "100m" - + ## - The provided example uses a custom volume (customVolumes) + ## - The provided example shows running container as root (id 0) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: {{ include "artifactory-ha.getImageInfoByValue" (list . 
"initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" ## Add custom volumes - # If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory-ha.name" . }}-unified-secret'. - customVolumes: "" - # - name: custom-script - # configMap: - # name: custom-script - + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret'. + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script ## Add custom volumesMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: "/scripts/script.sh" - # subPath: script.sh - # - name: posthook-start - # mountPath: "/scripts/posthoook-start.sh" - # subPath: posthoook-start.sh - # - name: prehook-start - # mountPath: "/scripts/prehook-start.sh" - # subPath: prehook-start.sh - - # Add custom persistent volume mounts - Available to the entire namespace + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + # - name: posthook-start + # mountPath: "/scripts/posthoook-start.sh" + # subPath: posthoook-start.sh + # - name: prehook-start + # mountPath: "/scripts/prehook-start.sh" + # subPath: prehook-start.sh + ## Add custom persistent volume mounts - Available to the entire namespace customPersistentVolumeClaim: {} - # name: - # mountPath: - # accessModes: + # name: + # mountPath: + # 
accessModes: # - "-" - # size: - # storageClassName: + # size: + # storageClassName: ## Artifactory HA requires a unique master key. Each Artifactory node must have the same master key! ## You can generate one with the command: "openssl rand -hex 32" @@ -564,19 +578,19 @@ artifactory: ## Alternatively, you can use a pre-existing secret with a key called jfconnect-token by specifying jfConnectTokenSecretName # jfConnectTokenSecretName: - # Add custom secrets - secret per file - # If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory-ha.name" . }}-unified-secret' common to all secrets + ## Add custom secrets - secret per file + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret' common to all secrets customSecrets: - # - name: custom-secret - # key: custom-secret.yaml - # data: > - # custom_secret_config: - # parameter1: value1 - # parameter2: value2 - # - name: custom-secret2 - # key: custom-secret2.config - # data: | - # here the custom secret 2 config + # - name: custom-secret + # key: custom-secret.yaml + # data: > + # custom_secret_config: + # parameter1: value1 + # parameter2: value2 + # - name: custom-secret2 + # key: custom-secret2.config + # data: | + # here the custom secret 2 config ## If false, all service console logs will not redirect to a common console.log consoleLog: false 
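Review bot: The comment `## - The provided example shows running container as root (id 0)` above `customSidecarContainers` contradicts the example beneath it, which sets `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and drops `NET_RAW`; it should read `## - The provided example runs as non-root with privilege escalation disabled`. Note also that moving the examples into `|` block scalars makes the `#` lines part of the value, so the `{{ include "artifactory-ha.getImageInfoByValue" (list . "initContainers") }}` actions are still executed when the value goes through `tpl` — presumably the helper exists in this chart, but the default render now depends on it and any truthiness guard on these values now evaluates true. The `migration.enabled` default also flips from `true` to `false` here without a changelog-style comment explaining the behaviour change for 6.x upgraders.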
@@ -599,25 +613,24 @@ artifactory: dataKey: ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter configMapName: - # Add any list of configmaps to Artifactory - configMaps: "" - # posthook-start.sh: |- - # echo "This is a post start script" - # posthook-end.sh: |- - # echo "This is a post end script" - + ## Add any list of configmaps to Artifactory + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" ## List of secrets for Artifactory user plugins. ## One Secret per plugin's files. userPluginSecrets: - # - archive-old-artifacts - # - build-cleanup - # - webhook - # - '{{ template "my-chart.fullname" . }}' + # - archive-old-artifacts + # - build-cleanup + # - webhook + # - '{{ template "my-chart.fullname" . }}' ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle - # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" - # Add lifecycle hooks for artifactory container + ## Add lifecycle hooks for artifactory container lifecycle: {} # postStart: # exec: 
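Review bot: The `preStartCommand` example (`curl -o ... mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/...`) fetches a JDBC driver into Tomcat's lib directory on every start with no integrity check, so whatever the remote host serves is loaded into the Artifactory JVM; moving the URL off jcenter does not change that. Append a verification step to the example, e.g. `&& echo '<sha256>  mysql-connector-java-5.1.41.jar' | sha256sum -c -`, or recommend baking the driver into a derived image instead of downloading at runtime. The `configMaps` change from `""` to a `|` block scalar also turns the default into a non-empty string of `#` lines, which is harmless if the template renders it via `tpl` but flips any `if .Values.artifactory.configMaps` guard to true.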
@@ -651,173 +664,44 @@ artifactory: # name: my-secret-name # key: my-secret-key - # TODO: Fix javaOpts for member nodes (currently uses primary settings for all nodes) - systemYaml: | - router: - serviceRegistry: - insecure: {{ .Values.router.serviceRegistry.insecure }} - shared: - {{- if .Values.artifactory.coldStorage.enabled }} - jfrogColdStorage: - coldInstanceEnabled: true - {{- end }} - {{- if .Values.artifactory.openMetrics.enabled }} - metrics: - enabled: true - {{- if .Values.artifactory.openMetrics.filebeat.enabled }} - filebeat: {{ toYaml .Values.artifactory.openMetrics.filebeat | nindent 6 }} - {{- end }} - {{- end }} - logging: - consoleLog: - enabled: {{ .Values.artifactory.consoleLog }} - extraJavaOpts: > - -Dartifactory.graceful.shutdown.max.request.duration.millis={{ mul .Values.artifactory.terminationGracePeriodSeconds 1000 }} - -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} - {{- with .Values.artifactory.primary.javaOpts }} - {{- if .corePoolSize }} - -Dartifactory.async.corePoolSize={{ .corePoolSize }} - {{- end }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .jmx.enabled }} - -Dcom.sun.management.jmxremote - -Dcom.sun.management.jmxremote.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} - {{- if .jmx.host }} - -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} - {{- else }} - -Djava.rmi.server.hostname={{ template "artifactory-ha.fullname" $ }} - {{- end }} - {{- if .jmx.authenticate }} - -Dcom.sun.management.jmxremote.authenticate=true - -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} - -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} - {{- else }} - -Dcom.sun.management.jmxremote.authenticate=false - {{- end }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - database: - {{- if 
.Values.postgresql.enabled }} - type: postgresql - url: "jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" - host: "" - driver: org.postgresql.Driver - username: "{{ .Values.postgresql.postgresqlUsername }}" - {{ else }} - type: "{{ .Values.database.type }}" - driver: "{{ .Values.database.driver }}" - {{- end }} - artifactory: - {{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} - node: - {{- if .Values.artifactory.haDataDir.path }} - haDataDir: {{ .Values.artifactory.haDataDir.path }} - {{- end }} - {{- if .Values.artifactory.haBackupDir.path }} - haBackupDir: {{ .Values.artifactory.haBackupDir.path }} - {{- end }} - {{- end }} - database: - maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} - tomcat: - maintenanceConnector: - port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} - connector: - maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} - sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} - extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} - frontend: - session: - timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} - access: - database: - maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} - tomcat: - connector: - maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} - sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} - extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} - {{- if .Values.access.database.enabled }} - type: "{{ .Values.access.database.type }}" - url: "{{ .Values.access.database.url }}" - driver: "{{ .Values.access.database.driver }}" - username: "{{ .Values.access.database.user }}" - password: "{{ .Values.access.database.password }}" - {{- end }} - {{- if .Values.mc.enabled }} - mc: - enabled: true - database: - maxOpenConnections: {{ 
.Values.mc.database.maxOpenConnections }} - idgenerator: - maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} - tomcat: - connector: - maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} - sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} - extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} - {{- end }} - metadata: - database: - maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} - {{- if .Values.artifactory.replicator.enabled }} - replicator: - enabled: true - {{- end }} - {{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} - jfconnect: - enabled: true - {{- else }} - jfconnect: - enabled: false - jfconnect_service: - enabled: false - {{- end }} + ## System YAML entries now reside under files/system.yaml. + ## You can provide the specific values that you want to add or override under 'artifactory.extraSystemYaml'. + ## For example: + ## extraSystemYaml: + ## shared: + ## node: + ## id: my-instance + ## The entries provided under 'artifactory.extraSystemYaml' are merged with files/system.yaml to create the final system.yaml. + ## If you have already provided system.yaml under, 'artifactory.systemYaml', the values in that entry take precedence over files/system.yaml + ## You can modify specific entries with your own value under `artifactory.extraSystemYaml`, The values under extraSystemYaml overrides the values under 'artifactory.systemYaml' and files/system.yaml + extraSystemYaml: {} + ## systemYaml is intentionally commented and the previous content has been moved under files/system.yaml. + ## You have to add the all entries of the system.yaml file here, and it overrides the values in files/system.yaml. 
+ # systemYaml: - {{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} - federation: - enabled: true - extraJavaOpts: {{ .Values.federation.extraJavaOpts }} - port: {{ .Values.federation.internalPort }} - rtfs: - database: - driver: org.postgresql.Driver - type: postgresql - username: {{ .Values.federation.database.username }} - password: {{ .Values.federation.database.password }} - url: "jdbc:postgresql://{{ .Values.federation.database.host }}:{{ .Values.federation.database.port }}/{{ .Values.federation.database.name }}" - {{- else }} - federation: - enabled: false - {{- end }} - {{- if .Values.event.webhooks }} - event: - webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }} - {{- end }} ## IMPORTANT: If overriding artifactory.internalPort: ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! externalPort: 8082 internalPort: 8082 externalArtifactoryPort: 8081 internalArtifactoryPort: 8081 - uid: 1030 - gid: 1030 - # fsGroupChangePolicy: "Always" - # seLinuxOptions: {} terminationGracePeriodSeconds: 30 - ## By default, the Artifactory StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `artifactory.uid` value. 
- ## If you want to disable the securityContext for the Artifactory StatefulSet, set this tag to false - setSecurityContext: true + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param artifactory.podSecurityContext.enabled Enable security context + ## @param artifactory.podSecurityContext.runAsNonRoot Set pod's Security Context runAsNonRoot + ## @param artifactory.podSecurityContext.runAsUser User ID for the pod + ## @param artifactory.podSecurityContext.runASGroup Group ID for the pod + ## @param artifactory.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1030 + runAsGroup: 1030 + fsGroup: 1030 + # fsGroupChangePolicy: "Always" + # seLinuxOptions: {} ## The following settings are to configure the frequency of the liveness and startup probes. livenessProbe: enabled: true @@ -867,8 +751,13 @@ artifactory: ## Use a custom Secret to be mounted as your binarystore.xml ## NOTE: This will ignore all settings below that make up binarystore.xml customBinarystoreXmlSecret: + ## cache-fs binary provider configurations + ## Refer: https://jfrog.com/help/r/jfrog-installation-setup-documentation/cache-fs-template-configuration maxCacheSize: 50000000000 cacheProviderDir: cache + # maxFileSizeLimit: + # skipDuringUpload: + ## artifactory data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning 
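Review bot: The new `podSecurityContext` (runAsNonRoot, runAsUser/runAsGroup/fsGroup 1030) replaces `artifactory.uid`, `artifactory.gid` and `setSecurityContext`, but nothing in the hunk rejects the old keys, so an operator who pinned `artifactory.uid` to match an existing PVC's file ownership silently falls back to 1030 on upgrade; a `fail` when `.Values.artifactory.uid` or `.Values.artifactory.setSecurityContext` is still set would surface this. The block omits `seccompProfile`, which the restricted Pod Security Standard requires alongside `runAsNonRoot`; adding `# seccompProfile:` / `#   type: RuntimeDefault` next to `# seLinuxOptions: {}` would complete the hardening story. The `@param` line misspells `runASGroup` for the `runAsGroup` key. The inline `systemYaml` removed here interpolated `access.database.password` and `federation.database.password` directly; its replacement in files/system.yaml is outside this diff, so how those credentials are now supplied should be checked there.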
@@ -884,12 +773,13 @@ artifactory: ## nfs ## google-storage ## google-storage-v2 - ## google-storage-v2-direct + ## google-storage-v2-direct (Recommended for GCS - Google Cloud Storage) ## aws-s3-v3 - ## s3-storage-v3-direct + ## s3-storage-v3-direct (Recommended for AWS S3) ## s3-storage-v3-archive ## azure-blob ## azure-blob-storage-direct + ## azure-blob-storage-v2-direct (Recommended for Azure Blob Storage) type: file-system ## Use binarystoreXml to provide a custom binarystore.xml ## This is intentionally commented and below previous content of binarystoreXml is moved under files/binarystore.xml @@ -919,7 +809,7 @@ artifactory: ## cluster nodes. ## Need to have the following set nfs: - # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' + ## Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' ip: haDataMount: "/data" haBackupMount: "/backup" @@ -950,7 +840,7 @@ artifactory: # } endpoint: commondatastorage.googleapis.com httpsOnly: false - # Set a unique bucket name + ## Set a unique bucket name bucketName: "artifactory-ha-gcp" ## GCP Bucket Authentication with Identity and Credential is deprecated. ## identity: @@ -971,6 +861,8 @@ artifactory: port: useHttp: maxConnections: 50 + connectionTimeout: + socketTimeout: kmsServerSideEncryptionKeyId: kmsKeyRegion: kmsCryptoMode: @@ -985,7 +877,7 @@ artifactory: enablePathStyleAccess: false multiPartLimit: multipartElementSize: - ## For artifactory.persistence.type azure-blob, azure-blob-storage-direct + ## For artifactory.persistence.type azure-blob, azure-blob-storage-direct, azure-blob-storage-v2-direct azureBlob: accountName: accountKey: 
@@ -997,6 +889,16 @@ artifactory:
   service:
     name: artifactory
     type: ClusterIP
+    ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific)
+    ## This can be either SingleStack, PreferDualStack or RequireDualStack
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    ##
+    ipFamilyPolicy: ""
+    ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific)
+    ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"]
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    ##
+    ipFamilies: []
     ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer)
     ## Set this to a list of IP CIDR ranges
     ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32']
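Review bot: The `@param` comments added here document the keys as `service.ipFamilyPolicy` and `service.ipFamilies`, but the values sit under `artifactory.service`, so a reader copying the documented path sets a top-level key the chart never reads; change them to `## @param artifactory.service.ipFamilyPolicy ...` and `## @param artifactory.service.ipFamilies ...`. `ipFamilyPolicy: ""` is only safe if the Service template emits the field conditionally — an unguarded `ipFamilyPolicy: {{ .Values.artifactory.service.ipFamilyPolicy }}` renders an empty value the API server rejects; the template is outside this hunk and should be confirmed.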
@@ -1013,70 +915,13 @@ artifactory: # nodePort: 32082 statefulset: annotations: {} - ## The following setting are to configure a dedicated Ingress object for Replicator service - replicator: - name: replicator - enabled: false - ## Extra environment variables that can be used to tune replicator to your needs. - ## Uncomment and set value as needed - extraEnvironmentVariables: - # - name: MY_ENV_VAR - # value: "" - resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" - - # Add lifecycle hooks for replicator container - lifecycle: {} - # postStart: - # exec: - # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] - # preStop: - # exec: - # command: ["/bin/sh","-c","echo Hello from the preStop handler"] - - ingress: - name: - hosts: [] - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-buffering: "off" - # nginx.ingress.kubernetes.io/configuration-snippet: | - # chunked_transfer_encoding on; - tls: [] - # Secrets must be manually created in the namespace. - # - hosts: - # - artifactory.domain.example - # secretName: chart-example-tls-secret - ## When replicator is enabled and want to use tracker feature, trackerIngress.enabled flag should be set to true - ## Please refer - https://www.jfrog.com/confluence/display/JFROG/JFrog+Peer-to-Peer+%28P2P%29+Downloads - trackerIngress: - enabled: false - name: - hosts: [] - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-buffering: "off" - # nginx.ingress.kubernetes.io/configuration-snippet: | - # chunked_transfer_encoding on; - tls: [] - # Secrets must be manually created in the namespace. 
- # - hosts: - # - artifactory.domain.example - # secretName: chart-example-tls-secret ssh: enabled: false internalPort: 1339 externalPort: 1339 annotations: {} - # Spread Artifactory pods evenly across your nodes or some other topology - # Note this applies to both the primary and replicas + ## Spread Artifactory pods evenly across your nodes or some other topology + ## Note this applies to both the primary and replicas topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: kubernetes.io/hostname @@ -1092,7 +937,7 @@ artifactory: ## Customising their resources and java parameters is done here. primary: name: artifactory-ha-primary - # preStartCommand specific to the primary node, to be run after artifactory.preStartCommand + ## preStartCommand specific to the primary node, to be run after artifactory.preStartCommand # preStartCommand: labels: {} persistence: @@ -1106,12 +951,12 @@ artifactory: type: RollingUpdate ## Resources for the primary node resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" ## The following Java options are passed to the java process running Artifactory primary node. ## You should set them according to the resources set above javaOpts: @@ -1138,7 +983,7 @@ artifactory: topologyKey: "kubernetes.io/hostname" node: name: artifactory-ha-member - # preStartCommand specific to the member node, to be run after artifactory.preStartCommand + ## preStartCommand specific to the member node, to be run after artifactory.preStartCommand # preStartCommand: labels: {} persistence: 
@@ -1151,12 +996,12 @@ artifactory: minAvailable: 1 ## Resources for the member nodes resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" ## The following Java options are passed to the java process running Artifactory member nodes. ## You should set them according to the resources set above javaOpts: @@ -1173,9 +1018,6 @@ artifactory: accessFile: passwordFile: # other: "" - # xms: "1g" - # xmx: "2g" - # other: "" nodeSelector: {} ## Wait for Artifactory primary waitForPrimaryStartup: @@ -1201,17 +1043,17 @@ frontend: # - name: MY_ENV_VAR # value: "" resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" ## Session settings session: ## Time in minutes after which the frontend token will need to be refreshed timeoutMinutes: '30' - # Add lifecycle hooks for frontend container + ## Add lifecycle hooks for frontend container lifecycle: {} # postStart: # exec: @@ -1247,6 +1089,7 @@ frontend: periodSeconds: 5 timeoutSeconds: {{ .Values.probes.timeoutSeconds }} access: + name: access enabled: true ## Enable TLS by changing the tls entry (under the security section) in the access.config.yaml file. ## ref: https://www.jfrog.com/confluence/display/JFROG/Managing+TLS+Certificates#ManagingTLSCertificates 
@@ -1268,11 +1111,74 @@ access: maxThreads: 50 sendReasonPhrase: false extraConfig: 'acceptCount="100"' -metadata: - name: metadata - enabled: true - internalPort: 8086 - ## Extra environment variables that can be used to tune metadata to your needs. + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:8040/access/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare ".+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }} - {{- range .Values.ingress.hosts -}} - {{- if contains "." . -}} - {{ "" | indent 0 }} ~(?.+)\.{{ . }} - {{- end -}} - {{- end -}}; - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/artifactory/?$ / redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - chunked_transfer_encoding on; - client_max_body_size 0; - - location / { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . 
}}:{{ .Values.artifactory.externalPort }}/; - {{- if .Values.nginx.service.ssloffload}} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; - {{- else }} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - {{- end }} - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - {{- if .Values.nginx.disableProxyBuffering}} - proxy_http_version 1.1; - proxy_request_buffering off; - proxy_buffering off; - {{- end }} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - location /artifactory/ { - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; - } - location /pipelines/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - {{- if .Values.router.tlsEnabled }} - proxy_pass https://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }}; - {{- else }} - proxy_pass http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }}; - {{- end }} - } - } - } + ## The nginx main conf was moved to files/nginx-main-conf.yaml. This key is commented out to keep support for the old configuration + # mainConf: | + + ## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration + # artifactoryConf: | customInitContainers: "" customSidecarContainers: "" customVolumes: "" 
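Review bot: With `mainConf` and `artifactoryConf` now commented out, the effective nginx configuration is whatever files/nginx-main-conf.yaml and files/nginx-artifactory-conf.yaml contain, and neither is in this diff; the inline config being removed set `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and built `X-JFrog-Override-Base-Url` from the client-controlled `$http_x_forwarded_proto`, so whether HSTS survived the move and whether that header is still trusted from arbitrary clients should be confirmed against those files. The new comment `## This key is commented out to keep support for the old configuration` should state the precedence explicitly, e.g. `## If set, this value replaces files/nginx-artifactory-conf.yaml entirely`, assuming that is how the template resolves it. The added access liveness/startup probes use plain `http://localhost:8040`, which is fine for an in-pod check but deserves a one-line comment so nobody "fixes" it to an external address.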
@@ -1844,6 +1625,16 @@ nginx: ## For minikube, set this to NodePort, elsewhere use LoadBalancer type: LoadBalancer ssloffload: false + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] ## For supporting whitelist on the Nginx LoadBalancer service ## Set this to a list of IP CIDR ranges ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] @@ -1852,10 +1643,10 @@ nginx: loadBalancerSourceRanges: [] ## Provide static ip address loadBalancerIP: - ## There are two available options: “Cluster” (default) and “Local”. + ## There are two available options: "Cluster" (default) and "Local". externalTrafficPolicy: Cluster labels: {} - # label-key: label-value + # label-key: label-value ## If the type is NodePort you can set a fixed port # nodePort: 32082 ## A list of custom ports to be exposed on nginx service. Follows the conventional Kubernetes yaml syntax for service ports. 
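Review bot: The `## @param service.ipFamilyPolicy` and `## @param service.ipFamilies` comments on the two new keys document the wrong path — the hunk header places them under `nginx:` in the `service:` block next to `type: LoadBalancer`, so they should read `nginx.service.ipFamilyPolicy` / `nginx.service.ipFamilies`, and "Controller Service" looks copied from an ingress-controller chart rather than this nginx proxy. It would also help to say what the empty-string default means, since the API server does not accept `ipFamilyPolicy: ""` literally; presumably the Service template only emits the field when the value is set (that template is not in this hunk), so `## Leave empty to omit the field and use the cluster default` above `ipFamilyPolicy: ""` makes the contract explicit.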
@@ -1864,19 +1655,22 @@ nginx: # targetPort: 8066 # protocol: TCP # name: docker + + annotations: {} + ## Renamed nginx internalPort 80,443 to 8080,8443 to support openshift http: enabled: true externalPort: 80 - internalPort: 80 + internalPort: 8080 https: enabled: true externalPort: 443 - internalPort: 443 - # DEPRECATED: The following will be replaced by L1065-L1076 in a future release + internalPort: 8443 + ## DEPRECATED: The following will be replaced by L1065-L1076 in a future release # externalPortHttp: 80 - # internalPortHttp: 80 + # internalPortHttp: 8080 # externalPortHttps: 443 - # internalPortHttps: 443 + # internalPortHttps: 8443 ssh: internalPort: 1339 @@ -1889,7 +1683,7 @@ nginx: command: - sh - -c - - curl -s -k --fail --max-time 1 {{ include "nginx.scheme" . }}://localhost:{{ include "nginx.port" . }}/ + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "nginx.scheme" . }}://localhost:{{ include "nginx.port" . }}/ initialDelaySeconds: {{ if semverCompare " ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) ## # storageClassName: "-" resources: {} - # requests: - # memory: "250Mi" - # cpu: "100m" - # limits: - # memory: "250Mi" - # cpu: "500m" + # requests: + # memory: "250Mi" + # cpu: "100m" + # limits: + # memory: "250Mi" + # cpu: "500m" nodeSelector: {} tolerations: [] affinity: {} -# Filebeat Sidecar container +## Filebeat Sidecar container ## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. filebeat: enabled: false 
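Review bot: The `## DEPRECATED: The following will be replaced by L1065-L1076 in a future release` comment points at values.yaml line numbers, and this hunk itself shows the block shifting from line 1864 to 1655, so the reference is already stale; naming the keys instead, `## DEPRECATED: superseded by nginx.http / nginx.https above; will be removed in a future release`, survives future edits. Moving the container ports from 80/443 to 8080/8443 is the right direction for running nginx without binding privileged ports (the changelog ties it to openshift), and externalPort stays 80/443 so the Service-facing ports do not change. The `## Renamed nginx internalPort ...` comment should add that users who override `nginx.http.internalPort`/`nginx.https.internalPort`, or carry a custom `mainConf`/`artifactoryConf` with the old listen ports, need to adjust on upgrade, since that configuration now lives under files/ outside this hunk.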
@@ -1990,12 +1784,12 @@ filebeat: periodSeconds: 10 timeoutSeconds: 5 resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "100Mi" - # cpu: "100m" + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "100Mi" + # cpu: "100m" filebeatYml: | logging.level: info @@ -2018,19 +1812,19 @@ filebeat: hosts: ["{{ .Values.filebeat.logstashUrl }}"] ## Allows to add additional kubernetes resources ## Use --- as a separator between multiple resources -## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-ha-values.yaml +## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-ha-values.yaml additionalResources: "" -# Adding entries to a Pod's /etc/hosts file -# For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases +## Adding entries to a Pod's /etc/hosts file +## For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases hostAliases: [] -# - ip: "127.0.0.1" -# hostnames: -# - "foo.local" -# - "bar.local" -# - ip: "10.1.2.3" -# hostnames: -# - "foo.remote" -# - "bar.remote" +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" ## Toggling this feature is seamless and requires helm upgrade ## will enable all microservices to run in different containers in a single pod (by default it is true) diff --git a/stable/artifactory-jcr/CHANGELOG.md b/stable/artifactory-jcr/CHANGELOG.md index c053cc9c5..d05e2a520 100644 --- a/stable/artifactory-jcr/CHANGELOG.md +++ b/stable/artifactory-jcr/CHANGELOG.md 
@@ -1,7 +1,17 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.71.4] - Jul 20, 2023 +## [107.90.10] - Feb 20, 2024 +* Updated `artifactory.installerInfo` content + +## [107.80.0] - Feb 1, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.74.0] - Nov 23, 2023 +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.66.0] - Jul 20, 2023 * Disabled federation services when splitServicesToContainers=true ## [107.45.0] - Aug 25, 2022 diff --git a/stable/artifactory-jcr/Chart.yaml b/stable/artifactory-jcr/Chart.yaml index d40feb50e..3334fb734 100644 --- a/stable/artifactory-jcr/Chart.yaml +++ b/stable/artifactory-jcr/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 7.71.4 +appVersion: 7.90.10 dependencies: - name: artifactory repository: file://charts/artifactory - version: 107.71.4 + version: 107.90.10 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-jcr/logo/jcr-logo.png @@ -14,7 +14,7 @@ keywords: - registry - devops - jfrog-container-registry -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: helm@jfrog.com name: Chart Maintainers at JFrog @@ -22,4 +22,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.71.4 +version: 107.90.10 diff --git a/stable/artifactory-jcr/README.md b/stable/artifactory-jcr/README.md index 7df9d9348..c0051e61d 100644 --- a/stable/artifactory-jcr/README.md +++ b/stable/artifactory-jcr/README.md @@ -6,7 +6,7 @@ JFrog Container Registry is a free Artifactory edition with Docker and Helm repo ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ ## Chart Details This chart will do the following: 
@@ -30,7 +30,7 @@ helm repo update ### Install Chart To install the chart with the release name `jfrog-container-registry`: ```bash -helm upgrade --install jfrog-container-registry --set artifactory.postgresql.postgresqlPassword= --namespace artifactory-jcr jfrog/artifactory-jcr +helm upgrade --install jfrog-container-registry --set artifactory.postgresql.postgresqlPassword= jfrog/artifactory-jcr --namespace artifactory-jcr --create-namespace ``` ### Accessing JFrog Container Registry @@ -39,7 +39,7 @@ helm upgrade --install jfrog-container-registry --set artifactory.postgresql.pos ### Updating JFrog Container Registry Once you have a new chart version, you can upgrade your deployment with ```bash -helm upgrade jfrog-container-registry jfrog/artifactory-jcr +helm upgrade jfrog-container-registry jfrog/artifactory-jcr --namespace artifactory-jcr --create-namespace ``` ### Special Upgrade Notes @@ -85,7 +85,7 @@ helm upgrade --install jfrog-container-registry \ --set artifactory.ingress.enabled=true \ --set artifactory.ingress.hosts[0]="artifactory.company.com" \ --set artifactory.artifactory.service.type=NodePort \ - --namespace artifactory-jcr jfrog/artifactory-jcr + jfrog/artifactory-jcr --namespace artifactory-jcr --create-namespace ``` To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: diff --git a/stable/artifactory-jcr/logo/jcr-logo.png b/stable/artifactory-jcr/logo/jcr-logo.png index 69e6d91bd..b1e312e32 100644 Binary files a/stable/artifactory-jcr/logo/jcr-logo.png and b/stable/artifactory-jcr/logo/jcr-logo.png differ diff --git a/stable/artifactory-jcr/values.yaml b/stable/artifactory-jcr/values.yaml index b2b2cb3e8..6892aa866 100644 --- a/stable/artifactory-jcr/values.yaml +++ b/stable/artifactory-jcr/values.yaml 
@@ -35,7 +35,7 @@ artifactory:
 # other: ""
 installer:
 platform: jcr-helm
- installerInfo: '{"productId": "Helm_artifactory-jcr/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}'
+ installerInfo: '{"productId":"Helm_artifactory-jcr/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}'
 ## Nginx
 ## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
 nginx:
@@ -69,8 +69,7 @@ postgresql:
 enabled: true
 router:
 image:
- tag: 7.81.0
-logger:
+ tag: 7.118.2
+initContainers:
 image:
- tag: 9.2.750.1697534106
-initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106
+ tag: 9.4.949.1716471857
diff --git a/stable/artifactory-oss/CHANGELOG.md b/stable/artifactory-oss/CHANGELOG.md
index 151fa288c..e5179a058 100644
--- a/stable/artifactory-oss/CHANGELOG.md
+++ b/stable/artifactory-oss/CHANGELOG.md
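Review bot: The rewritten `installerInfo` no longer references `.Values.installer.platform`, so the `platform: jcr-helm` key two lines above no longer feeds this string; the same applies to the artifactory-oss values.yaml hunk later in this diff. If nothing else reads `installer.platform` it is now dead configuration, and a one-line comment above `installerInfo` saying where this JSON ends up and that it now carries the cluster's Kubernetes version, database type, persistence type and replica count would let operators decide whether to keep the default. The artifactory changelog in this diff says the subchart moved installerInfo to files/installer-info.json, so this inline override in the umbrella chart has to be kept in step by hand — worth stating in the same comment, e.g. `## Overrides the subchart's files/installer-info.json; keep the feature list in sync with it`.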
@@ -1,7 +1,17 @@ # JFrog Artifactory OSS Chart Changelog All changes to this chart will be documented in this file -## [107.71.4] - Jul 20, 2023 +## [107.90.10] - Feb 20, 2024 +* Updated `artifactory.installerInfo` content + +## [107.80.0] - Feb 1, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.74.0] - Nov 23, 2023 +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.66.0] - Jul 20, 2023 * Disabled federation services when splitServicesToContainers=true ## [107.45.0] - Aug 25, 2022 diff --git a/stable/artifactory-oss/Chart.yaml b/stable/artifactory-oss/Chart.yaml index d4231d10f..38cd23544 100644 --- a/stable/artifactory-oss/Chart.yaml +++ b/stable/artifactory-oss/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 7.71.4 +appVersion: 7.90.10 dependencies: - name: artifactory repository: file://charts/artifactory - version: 107.71.4 + version: 107.90.10 description: JFrog Artifactory OSS home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory/logo/artifactory-logo.png @@ -20,4 +20,4 @@ name: artifactory-oss sources: - https://github.com/jfrog/charts type: application -version: 107.71.4 +version: 107.90.10 diff --git a/stable/artifactory-oss/README.md b/stable/artifactory-oss/README.md index 36d1a2d2c..d98c8203a 100644 --- a/stable/artifactory-oss/README.md +++ b/stable/artifactory-oss/README.md @@ -6,7 +6,7 @@ JFrog Artifactory OSS is a free Artifactory edition to host Generic repositories ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ ## Chart Details This chart will do the following: 
@@ -30,7 +30,7 @@ helm repo update ### Install Chart To install the chart with the release name `artifactory-oss`: ```bash -helm upgrade --install artifactory-oss --set artifactory.postgresql.postgresqlPassword= --namespace artifactory-oss jfrog/artifactory-oss +helm upgrade --install artifactory-oss --set artifactory.postgresql.postgresqlPassword= jfrog/artifactory-oss --namespace artifactory-oss --create-namespace ``` ### Accessing Artifactory OSS @@ -39,7 +39,7 @@ helm upgrade --install artifactory-oss --set artifactory.postgresql.postgresqlPa ### Updating Artifactory OSS Once you have a new chart version, you can upgrade your deployment with ```bash -helm upgrade artifactory-oss jfrog/artifactory-oss +helm upgrade artifactory-oss jfrog/artifactory-oss --namespace artifactory-oss --create-namespace ``` ### Special Upgrade Notes @@ -84,7 +84,7 @@ helm upgrade --install artifactory-oss \ --set artifactory.ingress.enabled=true \ --set artifactory.ingress.hosts[0]="artifactory.company.com" \ --set artifactory.artifactory.service.type=NodePort \ - --namespace artifactory-oss jfrog/artifactory-oss + jfrog/artifactory-oss --namespace artifactory-oss --create-namespace ``` To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: diff --git a/stable/artifactory-oss/values.yaml b/stable/artifactory-oss/values.yaml index 51885f553..9ec458817 100644 --- a/stable/artifactory-oss/values.yaml +++ b/stable/artifactory-oss/values.yaml 
@@ -35,7 +35,7 @@ artifactory:
 # other: ""
 installer:
 platform: art-oss-helm
- installerInfo: '{"productId": "Helm_artifactory-oss/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}'
+ installerInfo: '{"productId":"Helm_artifactory-oss/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}'
 ## Nginx
 ## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
 nginx:
@@ -69,8 +69,7 @@ postgresql:
 enabled: true
 router:
 image:
- tag: 7.81.0
-logger:
+ tag: 7.118.2
+initContainers:
 image:
- tag: 9.2.750.1697534106
-initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106
+ tag: 9.4.949.1716471857
diff --git a/stable/artifactory/.helmignore b/stable/artifactory/.helmignore
index c7eb1e274..b6e97f07f 100644
--- a/stable/artifactory/.helmignore
+++ b/stable/artifactory/.helmignore
@@ -19,4 +19,6 @@
 .project
 .idea/
 *.tmproj
-OWNERS
\ No newline at end of file
+OWNERS
+
+tests/
\ No newline at end of file
diff --git a/stable/artifactory/CHANGELOG.md b/stable/artifactory/CHANGELOG.md
index 8bf3d1b54..c86d0e438 100644
--- a/stable/artifactory/CHANGELOG.md
+++ b/stable/artifactory/CHANGELOG.md
@@ -1,9 +1,110 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.71.4] - Oct 31, 2023 +## [107.90.10] - July 18, 2024 +* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892) +* Added new `nginx.hosts` to use Nginx server_name directive instead of `ingress.hosts` +* Added a deprecation notice of ingress.hosts when `ngnix.enabled` is true +* Added new evidence service +* Corrected database connection values based on sizing +* **IMPORTANT** +* Separate access from artifactory tomcat to run on its own dedicated tomcat + * With this change access will be running in its own dedicated container + * This will give the ability to control resources and java options specific to access + Can be done by passing the following, + `access.javaOpts.other` + `access.resources` + `access.extraEnvironmentVariables` +* Updating the example link for downloading the DB driver +* Added Binary Provider recommendations + +## [107.89.0] - June 7, 2024 +* Fix the indentation of the commented-out sections in the values.yaml file +* Fixed sizing values by removing `JF_SHARED_NODE_HAENABLED` in xsmall/small configurations + +## [107.88.0] - May 29, 2024 +* **IMPORTANT** +* Refactored `nginx.artifactoryConf` and `nginx.mainConf` configuration (moved to files/nginx-artifactory-conf.yaml and files/nginx-main-conf.yaml instead of keys in values.yaml) + +## [107.87.0] - May 29, 2024 +* Renamed `.Values.artifactory.openMetrics` to `.Values.artifactory.metrics` + +## [107.85.0] - May 29, 2024 +* Changed `migration.enabled` to false by default. 
For 6.x to 7.x migration, this flag needs to be set to `true` + +## [107.84.0] - May 29, 2024 +* Added image section for `initContainers` instead of `initContainerImage` +* Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` +* Removed image section for `loggers` +* Added support for `global.verisons.initContainers` to override `initContainers.image.tag` +* Fixed an issue with extraSystemYaml merge +* **IMPORTANT** +* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext` +* Renamed `artifactory.uid` to `artifactory.podSecurityContext.runAsUser` +* Renamed `artifactory.gid` to `artifactory.podSecurityContext.runAsGroup` and `artifactory.podSecurityContext.fsGroup` +* Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy` +* Renamed `artifactory.seLinuxOptions` to `artifactory.podSecurityContext.seLinuxOptions` +* Added flag `allowNonPostgresql` defaults to false +* Update postgresql tag version to `15.6.0-debian-12-r5` +* Added a check if `initContainerImage` exists +* Fixed an issue to generate unified secret to support artifactory fullname [GH-1882](https://github.com/jfrog/charts/issues/1882) +* Fixed an issue template render on loggers [GH-1883](https://github.com/jfrog/charts/issues/1883) +* Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962) +* Added .Values.artifactory.unifiedSecretPrependReleaseName` for unified secret to prepend release name +* Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml + +## [107.82.0] - Mar 04, 2024 +* Added `disableRouterBypass` flag as experimental feature, to disable the artifactoryPath /artifactory/ and route all traffic through the Router. 
+* Removed Replicator service + +## [107.81.0] - Feb 20, 2024 +* **IMPORTANT** +* Refactored systemYaml configuration (moved to files/system.yaml instead of key in values.yaml) +* Added ability to provide `extraSystemYaml` configuration in values.yaml which will merge with the existing system yaml when `systemYamlOverride` is not given [GH-1848](https://github.com/jfrog/charts/pull/1848) +* Added option to modify the new cache configs, maxFileSizeLimit and skipDuringUpload +* Added IPV4/IPV6 Dualstack flag support for Artifactory and nginx service +* Added `singleStackIPv6Cluster` flag, which manages the Nginx configuration to enable listening on IPv6 and proxying. +* Fixing broken link for creating additional kubernetes resources. Refer [here](https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-values.yaml) +* Refactored installerInfo configuration (moved to files/installer-info.json instead of key in values.yaml) + +## [107.80.0] - Feb 20, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install + +## [107.79.0] - Feb 20, 2024 +* **IMPORTANT** +* Added `unifiedSecretInstallation` flag which enables single unified secret holding all internal (chart) secrets to `true` by default +* Added support for azure-blob-storage-v2-direct config +* Added option to set Nginx to write access_log to container STDOUT +* **Important change:** +* Update postgresql tag version to `15.2.0-debian-11-r23` +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! 
+* If this is an upgrade and you are using the default bundles PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x/13.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true + +## [107.77.0] - April 22, 2024 +* Removed integration service +* Added recommended postgresql sizing configurations under sizing directory +* Updated artifactory-federation (probes, port, embedded mode) +* Fixed - Removed duplicate keys of the sizing yaml file +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) +* Added nginx.customCommand to use custom commands for the nginx container + +## [107.76.0] - Dec 13, 2023 +* Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section +* Reduced nginx startupProbe initialDelaySeconds + +## [107.74.0] - Nov 30, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.70.0] - Nov 30, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) * Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml. +* Fixed - SecurityContext with runAsGroup in artifactory [GH-1838](https://github.com/jfrog/charts/issues/1838) +* Added support for custom labels in the Nginx pods [GH-1836](https://github.com/jfrog/charts/pull/1836) +* Added podSecurityContext and containerSecurityContext for nginx +* Added support for nginx on openshift, set `podSecurityContext` and `containerSecurityContext` to false +* Renamed nginx internalPort 80,443 to 8080,8443 to support openshift ## [107.69.0] - Sep 18, 2023 * Adjust rtfs context diff --git a/stable/artifactory/Chart.yaml b/stable/artifactory/Chart.yaml index c4f4dbe9f..223843784 100644 --- a/stable/artifactory/Chart.yaml 
+++ b/stable/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.71.4 +appVersion: 7.90.10 dependencies: - condition: postgresql.enabled name: postgresql @@ -13,7 +13,7 @@ keywords: - artifactory - jfrog - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.71.4 +version: 107.90.10 diff --git a/stable/artifactory/README.md b/stable/artifactory/README.md index b77f68437..da3304ee5 100644 --- a/stable/artifactory/README.md +++ b/stable/artifactory/README.md @@ -3,7 +3,7 @@ **IMPORTANT!** Our Helm Chart docs have moved to our main documentation site. Below you will find the basic instructions for installing, uninstalling, and deleting Artifactory. For all other information, refer to [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory#InstallingArtifactory-HelmInstallation). ## Prerequisites -* Kubernetes 1.14+ +* Kubernetes 1.19+ * Artifactory Pro trial license [get one from here](https://www.jfrog.com/artifactory/free-trial/) ## Chart Details @@ -28,7 +28,14 @@ helm repo update ### Install Chart To install the chart with the release name `artifactory`: ```bash -helm upgrade --install artifactory --namespace artifactory jfrog/artifactory +helm upgrade --install artifactory jfrog/artifactory --namespace artifactory --create-namespace +``` + +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install artifactory jfrog/artifactory -f sizing/artifactory-small-extra-config.yaml -f sizing/artifactory-small.yaml --namespace artifactory --create-namespace ``` ## Uninstalling Artifactory 
diff --git a/stable/artifactory/ci/derby-test-values.yaml b/stable/artifactory/ci/derby-test-values.yaml index e6fe8d0e9..82ff48545 100644 --- a/stable/artifactory/ci/derby-test-values.yaml +++ b/stable/artifactory/ci/derby-test-values.yaml @@ -3,7 +3,8 @@ databaseUpgradeReady: true postgresql: enabled: false artifactory: - fsGroupChangePolicy: "OnRootMismatch" + podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" persistence: enabled: false resources: diff --git a/stable/artifactory/ci/global-values.yaml b/stable/artifactory/ci/global-values.yaml index af972d774..33bbf04a2 100644 --- a/stable/artifactory/ci/global-values.yaml +++ b/stable/artifactory/ci/global-values.yaml @@ -19,8 +19,8 @@ artifactory: xmx: "4g" customInitContainersBegin: | - name: "custom-init-begin-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -30,8 +30,8 @@ artifactory: name: artifactory-volume customInitContainers: | - name: "custom-init-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -51,8 +51,8 @@ artifactory: # Add custom sidecar containers customSidecarContainers: | - name: "sidecar-list-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: 
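Review bot: The new `image:` and `imagePullPolicy:` lines in the `customInitContainersBegin` / `customInitContainers` / `customSidecarContainers` blocks drop the quotes the removed lines had (`image: "{{ .Values.initContainerImage }}"`), and the same edit recurs in the `global:` and `nginx:` hunks of this file that follow. These blocks are text rendered through tpl and then parsed as YAML, so an unset `initContainers.image.pullPolicy` renders as a bare `imagePullPolicy:` and becomes null rather than an empty string, and the image reference only parses cleanly unquoted because no space follows its colons; keeping the quotes, `image: "{{ include "artifactory.getImageInfoByValue" (list . "initContainers") }}"` and `imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}"`, preserves string typing in both cases (unless the helper already emits quotes, which is not visible here). This is a CI fixture so the blast radius is small, but it is the pattern users copy into their own values.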
@@ -75,8 +75,8 @@ global: joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE customInitContainersBegin: | - name: "custom-init-begin-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -86,8 +86,8 @@ global: name: artifactory-volume customInitContainers: | - name: "custom-init-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -107,8 +107,8 @@ global: # Add custom sidecar containers customSidecarContainers: | - name: "sidecar-list-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -129,8 +129,8 @@ global: nginx: customInitContainers: | - name: "custom-init-begin-nginx" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' 
@@ -140,8 +140,8 @@ nginx: name: custom-script-local customSidecarContainers: | - name: "sidecar-list-nginx" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/stable/artifactory/ci/large-values.yaml b/stable/artifactory/ci/large-values.yaml index a832906df..94a485d6f 100644 --- a/stable/artifactory/ci/large-values.yaml +++ b/stable/artifactory/ci/large-values.yaml @@ -72,14 +72,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory/ci/loggers-values.yaml b/stable/artifactory/ci/loggers-values.yaml new file mode 100644 index 000000000..03c94be95 --- /dev/null +++ b/stable/artifactory/ci/loggers-values.yaml 
@@ -0,0 +1,43 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +artifactory: + persistence: + enabled: false + resources: + requests: + memory: "4Gi" + cpu: "2" + limits: + memory: "6Gi" + cpu: "4" + javaOpts: + xms: "4g" + xmx: "4g" + + loggers: + - access-audit.log + - access-request.log + - access-security-audit.log + - access-service.log + - artifactory-access.log + - artifactory-event.log + - artifactory-import-export.log + - artifactory-request.log + - artifactory-service.log + - frontend-request.log + - frontend-service.log + - metadata-request.log + - metadata-service.log + - router-request.log + - router-service.log + - router-traefik.log + + catalinaLoggers: + - tomcat-catalina.log + - tomcat-localhost.log diff --git a/stable/artifactory/ci/medium-values.yaml b/stable/artifactory/ci/medium-values.yaml index 979b7c3da..35044dc36 100644 --- a/stable/artifactory/ci/medium-values.yaml +++ b/stable/artifactory/ci/medium-values.yaml @@ -72,14 +72,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory/ci/rtsplit-values-access-tls-values.yaml b/stable/artifactory/ci/rtsplit-values-access-tls-values.yaml index 52861f86e..a38969a8f 100644 --- a/stable/artifactory/ci/rtsplit-values-access-tls-values.yaml +++ b/stable/artifactory/ci/rtsplit-values-access-tls-values.yaml 
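Review bot: The first line of the new ci/loggers-values.yaml, `# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.`, is carried over from a template and contradicts the file, which sets resources, a database password and two logger lists; replace it with what the fixture is for, e.g. `# CI values exercising the log-tailing sidecars (artifactory.loggers / artifactory.catalinaLoggers) on a non-persistent install.` The `postgresqlPassword: password` line is a fixed test credential whose only explanation is the ct `--reuse-values` workaround above it; a short `# CI-only throwaway value` beside it keeps the file from being used as a starting point for real deployments. Nothing in the file says which behaviour CI is meant to check once the sidecars are enabled, so a comment above `loggers:` naming the expectation (each listed log gets a tailing sidecar) would make the fixture self-describing.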
@@ -4,15 +4,6 @@ artifactory: masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF persistence: enabled: false - replicator: - enabled: true - ingress: - name: - hosts: [] - className: "testclass1" - trackerIngress: - enabled: true - className: "testclass2" resources: requests: memory: "4Gi" @@ -95,14 +86,6 @@ event: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory/ci/rtsplit-values.yaml b/stable/artifactory/ci/rtsplit-values.yaml index 5c2e4b366..057ae9bf3 100644 --- a/stable/artifactory/ci/rtsplit-values.yaml +++ b/stable/artifactory/ci/rtsplit-values.yaml @@ -5,23 +5,6 @@ artifactory: masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF persistence: enabled: false - replicator: - enabled: true - ingress: - name: - hosts: [] - className: "testclass1" - trackerIngress: - enabled: true - className: "testclass2" - # Add lifecycle hooks for replicator container - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "echo Hello from the replicator postStart handler >> /tmp/message"] - preStop: - exec: - command: ["/bin/sh", "-c", "echo Hello from the replicator postStart handler >> /tmp/message"] resources: requests: memory: "4Gi" @@ -151,22 +134,6 @@ event: exec: command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] - preStop: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] - observability: resources: requests: 
diff --git a/stable/artifactory/ci/small-values.yaml b/stable/artifactory/ci/small-values.yaml index 1abc64e67..70d77790a 100644 --- a/stable/artifactory/ci/small-values.yaml +++ b/stable/artifactory/ci/small-values.yaml @@ -72,14 +72,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/stable/artifactory/ci/test-values.yaml b/stable/artifactory/ci/test-values.yaml index c76ab1cae..d2beb0eff 100644 --- a/stable/artifactory/ci/test-values.yaml +++ b/stable/artifactory/ci/test-values.yaml @@ -4,20 +4,10 @@ artifactory: joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF unifiedSecretInstallation: false - openMetrics: + metrics: enabled: true persistence: enabled: false - replicator: - name: replicator - enabled: true - ingress: - name: - hosts: [] - className: "testclass1" - trackerIngress: - enabled: true - className: "testclass2" resources: requests: memory: "4Gi" diff --git a/stable/artifactory/files/binarystore.xml b/stable/artifactory/files/binarystore.xml index 43dd1cd95..e396e0a41 100644 --- a/stable/artifactory/files/binarystore.xml +++ b/stable/artifactory/files/binarystore.xml @@ -16,6 +16,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- end }} 
@@ -41,6 +47,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- end }} @@ -66,6 +78,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} @@ -128,6 +146,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- if eq .Values.artifactory.persistence.type "cluster-google-storage-v2" }} @@ -204,6 +228,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64}} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- end }} @@ -247,6 +277,12 @@ {{- with .maxConnections }} {{ . }} {{- end }} + {{- with .connectionTimeout }} + {{ . }} + {{- end }} + {{- with .socketTimeout }} + {{ . }} + {{- end }} {{- with .kmsServerSideEncryptionKeyId }} {{ . }} {{- end }} 
@@ -328,6 +364,12 @@ {{ .Values.artifactory.persistence.maxCacheSize | int64 }} {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} {{- if eq .Values.artifactory.persistence.type "cluster-azure-blob-storage" }} @@ -357,4 +399,28 @@ {{ .Values.artifactory.persistence.azureBlob.testConnection }} +{{- end }} +{{- if eq .Values.artifactory.persistence.type "azure-blob-storage-v2-direct" -}} + + + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + {{- if .Values.artifactory.persistence.maxFileSizeLimit }} + {{.Values.artifactory.persistence.maxFileSizeLimit | int64}} + {{- end }} + {{- if .Values.artifactory.persistence.skipDuringUpload }} + {{.Values.artifactory.persistence.skipDuringUpload}} + {{- end }} + + + {{ .Values.artifactory.persistence.azureBlob.accountName }} + {{ .Values.artifactory.persistence.azureBlob.accountKey }} + {{ .Values.artifactory.persistence.azureBlob.endpoint }} + {{ .Values.artifactory.persistence.azureBlob.containerName }} + {{ .Values.artifactory.persistence.azureBlob.multiPartLimit | int64 }} + {{ .Values.artifactory.persistence.azureBlob.multipartElementSize | int64 }} + {{ .Values.artifactory.persistence.azureBlob.testConnection }} + + {{- end }} \ No newline at end of file diff --git a/stable/artifactory/files/installer-info.json b/stable/artifactory/files/installer-info.json new file mode 100644 index 000000000..79f42ed16 --- /dev/null +++ b/stable/artifactory/files/installer-info.json 
@@ -0,0 +1,32 @@ +{ + "productId": "Helm_artifactory/{{ .Chart.Version }}", + "features": [ + { + "featureId": "Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}" + }, + { + "featureId": "Database/{{ .Values.database.type }}" + }, + { + "featureId": "PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}" + }, + { + "featureId": "Nginx_Enabled/{{ .Values.nginx.enabled }}" + }, + { + "featureId": "ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}" + }, + { + "featureId": "SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}" + }, + { + "featureId": "UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}" + }, + { + "featureId": "Filebeat_Enabled/{{ .Values.filebeat.enabled }}" + }, + { + "featureId": "ReplicaCount/{{ .Values.artifactory.replicaCount }}" + } + ] +} \ No newline at end of file diff --git a/stable/artifactory/files/migrate.sh b/stable/artifactory/files/migrate.sh index c07985b26..ba44160f4 100644 --- a/stable/artifactory/files/migrate.sh +++ b/stable/artifactory/files/migrate.sh @@ -896,7 +896,9 @@ setupScriptLogsRedirection() { # Returns Y if this method is run inside a container isRunningInsideAContainer() { - if [ -f "/.dockerenv" ]; then + local check1=$(grep -sq 'docker\|kubepods' /proc/1/cgroup; echo $?) + local check2=$(grep -sq 'containers' /proc/self/mountinfo; echo $?) + if [[ $check1 == 0 || $check2 == 0 || -f "/.dockerenv" ]]; then echo -n "$FLAG_Y" else echo -n "$FLAG_N" @@ -2914,9 +2916,6 @@ yamlMigrate () { if [[ ! -z "${value}" ]]; then value=$(updateConnectionString "${yamlPath}" "${value}") fi - if [[ "${PRODUCT}" == "artifactory" ]]; then - replicatorProfiling - fi if [[ -z "${value}" ]]; then logger "No value for [${key}] in [${sourceFile}]" else 
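Review bot: `isRunningInsideAContainer` now greps `/proc/1/cgroup` for `docker\|kubepods`, but on cgroup v2 hosts that file typically contains only `0::/`, so `check1` is non-zero and detection falls back to the substring `containers` in `/proc/self/mountinfo` and to `/.dockerenv`, neither of which is guaranteed under containerd or CRI-O; consider also testing `-f /run/.containerenv || -n "${KUBERNETES_SERVICE_HOST}"` in the same `[[ ... ]]` and adding a comment stating which runtime each probe covers. Minor style point: `local check1=$(grep ...; echo $?)` works only because `$?` is captured inside the subshell, and `local` masking a command's status is a classic bash pitfall, so `local check1; check1=$(...)` with a one-line comment would make the intent clearer. The function's closing `fi` and `}` lie outside the hunk.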
@@ -4216,26 +4215,13 @@ commentNodeId () { artifactoryInfoMessage () { if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then - addText "# yamlFile was generated from db.properties,replicator.yaml and ha-node.properties config files." "${SYSTEM_YAML_PATH}" + addText "# yamlFile was generated from db.properties and ha-node.properties config files." "${SYSTEM_YAML_PATH}" else - addText "# yamlFile was generated from default file,replicator.yaml,db.properties and ha-node.properties config files." "${SYSTEM_YAML_PATH}" + addText "# yamlFile was generated from default file,db.properties and ha-node.properties config files." "${SYSTEM_YAML_PATH}" fi } -replicatorProfiling () { - - if [[ "${key}" == "profilingDisabled" ]]; then - if [[ ! -z "${value}" ]]; then - if [[ "${value}" == "false" ]]; then - value="true" - else - value="false" - fi - fi - fi -} - setHaEnabled_hook () { local filePath="$1" if [[ "$(checkFileExists "${NEW_DATA_DIR}/${filePath}/ha-node.properties")" == "true" ]]; then 
@@ -4275,27 +4261,9 @@ _createBackupOfLogBackDir () { removeFileOperation "${backupDir}/logbackXmlFiles/artifactory" "${artiLogbackFile}" } - -_createBackupOfReplicatorRtYaml () { - local backupDir="$1" - local replicatorRtYamlFile="${NEW_DATA_DIR}/etc/replicator/replicator.artifactory.yaml" - local effectiveUser= - local effectiveGroup= - if [[ "${INSTALLER}" == "${COMPOSE_TYPE}" || "${INSTALLER}" == "${HELM_TYPE}" ]]; then - effectiveUser="${JF_USER}" - effectiveGroup="${JF_USER}" - elif [[ "${INSTALLER}" == "${DEB_TYPE}" || "${INSTALLER}" == "${RPM_TYPE}" ]]; then - effectiveUser="${USER_TO_CHECK}" - effectiveGroup="${GROUP_TO_CHECK}" - fi - removeSoftLinkAndCreateDir "${backupDir}/replicatorYamlFile" "${effectiveUser}" "${effectiveGroup}" "yes" - removeFileOperation "${backupDir}/replicatorYamlFile" "${replicatorRtYamlFile}" -} - backupFiles_hook () { local backupDirectory="$1" _createBackupOfLogBackDir "${backupDirectory}" - _createBackupOfReplicatorRtYaml "${backupDirectory}" } migrateArtifactory () { diff --git a/stable/artifactory/files/migrationHelmInfo.yaml b/stable/artifactory/files/migrationHelmInfo.yaml index 16cee9e5d..016bea02d 100644 --- a/stable/artifactory/files/migrationHelmInfo.yaml +++ b/stable/artifactory/files/migrationHelmInfo.yaml @@ -11,10 +11,6 @@ migration: work/access=access/tmp log/archived/access=access/logs log/archived/artifactory=logs - etc/replicator=replicator/etc - backup/replicator=replicator/backup - data/replicator=replicator/data - log/archived/replicator=replicator/logs linkFiles: map: # Note : $JF_ROOT_DATA_DIR will be prepended to the sourceDirectoryPath value only if relative path and $JF_ROOT_DATA_DIR will be prepended to the targetDirectoryPath value @@ -27,6 +23,5 @@ migration: # Note $JF_ROOT_DATA_DIR will be prepended to the map entry map: access - replicator metadata logs \ No newline at end of file 
diff --git a/stable/artifactory/files/nginx-artifactory-conf.yaml b/stable/artifactory/files/nginx-artifactory-conf.yaml new file mode 100644 index 000000000..8ee5e53dd --- /dev/null +++ b/stable/artifactory/files/nginx-artifactory-conf.yaml 
@@ -0,0 +1,98 @@ +{{- if .Values.nginx.https.enabled }} +ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; +ssl_certificate {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt; +ssl_certificate_key {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key; +ssl_session_cache shared:SSL:1m; +ssl_prefer_server_ciphers on; +{{- end }} +## server configuration +server { +{{- if .Values.nginx.internalPortHttps }} +{{- if .Values.nginx.singleStackIPv6Cluster }} +listen [::]:{{ .Values.nginx.internalPortHttps }} ssl; +{{- else -}} +listen {{ .Values.nginx.internalPortHttps }} ssl; +{{- end }} +{{- else -}} +{{- if .Values.nginx.https.enabled }} +{{- if .Values.nginx.singleStackIPv6Cluster }} +listen [::]:{{ .Values.nginx.https.internalPort }} ssl; +{{- else -}} +listen {{ .Values.nginx.https.internalPort }} ssl; +{{- end }} +{{- end }} +{{- end }} +{{- if .Values.nginx.internalPortHttp }} +{{- if .Values.nginx.singleStackIPv6Cluster }} +listen [::]:{{ .Values.nginx.internalPortHttp }}; +{{- else -}} +listen {{ .Values.nginx.internalPortHttp }}; +{{- end }} +{{- else -}} +{{- if .Values.nginx.http.enabled }} +{{- if .Values.nginx.singleStackIPv6Cluster }} +listen [::]:{{ .Values.nginx.http.internalPort }}; +{{- else -}} +listen {{ .Values.nginx.http.internalPort }}; +{{- end }} +{{- end }} +{{- end }} +server_name ~(?.+)\.{{ include "artifactory.fullname" . }} {{ include "artifactory.fullname" . }} +{{ tpl (include "artifactory.nginx.hosts" .) . 
}}; + +if ($http_x_forwarded_proto = '') { + set $http_x_forwarded_proto $scheme; +} +set $host_port {{ .Values.nginx.https.externalPort }}; +if ( $scheme = "http" ) { + set $host_port {{ .Values.nginx.http.externalPort }}; +} +## Application specific logs +## access_log /var/log/nginx/artifactory-access.log timing; +## error_log /var/log/nginx/artifactory-error.log; +rewrite ^/artifactory/?$ / redirect; +if ( $repo != "" ) { + rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; +} +chunked_transfer_encoding on; +client_max_body_size 0; + +location / { + proxy_read_timeout 900; + proxy_pass_header Server; + proxy_cookie_path ~*^/.* /; + proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalPort }}/; + {{- if .Values.nginx.service.ssloffload}} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; + {{- else }} + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port; + proxy_set_header X-Forwarded-Port $server_port; + {{- end }} + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {{- if .Values.nginx.disableProxyBuffering}} + proxy_http_version 1.1; + proxy_request_buffering off; + proxy_buffering off; + {{- end }} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + location /artifactory/ { + if ( $request_uri ~ ^/artifactory/(.*)$ ) { + proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; + } + proxy_pass http://{{ include "artifactory.fullname" . 
}}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; + } + location /pipelines/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + {{- if .Values.router.tlsEnabled }} + proxy_pass https://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }}; + {{- else }} + proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }}; + {{- end }} + } +} +} \ No newline at end of file diff --git a/stable/artifactory/files/nginx-main-conf.yaml b/stable/artifactory/files/nginx-main-conf.yaml new file mode 100644 index 000000000..6ee7f98f9 --- /dev/null +++ b/stable/artifactory/files/nginx-main-conf.yaml 
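Review bot: The TLS stanza at the top of the new file enables deprecated protocol versions, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`, and sets `ssl_prefer_server_ciphers on` without any `ssl_ciphers` list, so the negotiated suite is whatever the nginx build defaults to; suggest `ssl_protocols TLSv1.2 TLSv1.3;` plus an explicit `ssl_ciphers` line, or expose the protocol list as a value so legacy clients are an opt-in rather than the default. `proxy_pass_header Server;` in `location /` forwards the upstream's Server header to clients, disclosing backend software, and can simply be dropped. Note also that `server_name ~(?.+)\.…` appears to have lost its capture-group name in this rendering, while `$repo` is referenced later in the `rewrite`; the file on disk presumably still reads `(?<repo>.+)`, which is worth confirming.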
@@ -0,0 +1,83 @@ +# Main Nginx configuration file +worker_processes 4; + +{{- if .Values.nginx.logs.stderr }} +error_log stderr {{ .Values.nginx.logs.level }}; +{{- else -}} +error_log {{ .Values.nginx.persistence.mountPath }}/logs/error.log {{ .Values.nginx.logs.level }}; +{{- end }} +pid /var/run/nginx.pid; + +{{- if .Values.artifactory.ssh.enabled }} +## SSH Server Configuration +stream { + server { + {{- if .Values.nginx.singleStackIPv6Cluster }} + listen [::]:{{ .Values.nginx.ssh.internalPort }}; + {{- else -}} + listen {{ .Values.nginx.ssh.internalPort }}; + {{- end }} + proxy_pass {{ include "artifactory.fullname" . }}:{{ .Values.artifactory.ssh.externalPort }}; + } +} +{{- end }} + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + variables_hash_max_size 1024; + variables_hash_bucket_size 64; + server_names_hash_max_size 4096; + server_names_hash_bucket_size 128; + types_hash_max_size 2048; + types_hash_bucket_size 64; + proxy_read_timeout 2400s; + client_header_timeout 2400s; + client_body_timeout 2400s; + proxy_connect_timeout 75s; + proxy_send_timeout 2400s; + proxy_buffer_size 128k; + proxy_buffers 40 128k; + proxy_busy_buffers_size 128k; + proxy_temp_file_write_size 250m; + proxy_http_version 1.1; + client_body_buffer_size 128k; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + log_format timing 'ip = $remote_addr ' + 'user = \"$remote_user\" ' + 'local_time = \"$time_local\" ' + 'host = $host ' + 'request = \"$request\" ' + 'status = $status ' + 'bytes = $body_bytes_sent ' + 'upstream = \"$upstream_addr\" ' + 'upstream_time = $upstream_response_time ' + 'request_time = $request_time ' + 'referer = \"$http_referer\" ' + 'UA = \"$http_user_agent\"'; + + {{- if .Values.nginx.logs.stdout }} + access_log /dev/stdout timing; + {{- else -}} + access_log {{ 
.Values.nginx.persistence.mountPath }}/logs/access.log timing; + {{- end }} + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + +} diff --git a/stable/artifactory/files/system.yaml b/stable/artifactory/files/system.yaml new file mode 100644 index 000000000..053207fd0 --- /dev/null +++ b/stable/artifactory/files/system.yaml 
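Review bot: The new `http {}` block never sets `server_tokens off;`, so nginx advertises its exact version in the Server header and on error pages; add `server_tokens off;` next to `default_type application/octet-stream;`. The hard-coded `client_header_timeout 2400s;` and `client_body_timeout 2400s;` let an idle client hold a worker connection for 40 minutes, which against `worker_connections 1024` is a cheap slow-client exhaustion vector on the proxy replicas; consider making these values (`{{ .Values.nginx.clientHeaderTimeout }}` etc.) with a comment explaining that the long defaults exist for large uploads.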
@@ -0,0 +1,156 @@ +router: + serviceRegistry: + insecure: {{ .Values.router.serviceRegistry.insecure }} +shared: +{{- if .Values.artifactory.coldStorage.enabled }} + jfrogColdStorage: + coldInstanceEnabled: true +{{- end }} +{{ tpl (include "artifactory.metrics" .) . }} + logging: + consoleLog: + enabled: {{ .Values.artifactory.consoleLog }} + extraJavaOpts: > + -Dartifactory.graceful.shutdown.max.request.duration.millis={{ mul .Values.artifactory.terminationGracePeriodSeconds 1000 }} + -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} + {{- with .Values.artifactory.javaOpts }} + {{- if .corePoolSize }} + -Dartifactory.async.corePoolSize={{ .corePoolSize }} + {{- end }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .jmx.enabled }} + -Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} + -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} + {{- if .jmx.host }} + -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} + {{- else }} + -Djava.rmi.server.hostname={{ template "artifactory.fullname" $ }} + {{- end }} + {{- if .jmx.authenticate }} + -Dcom.sun.management.jmxremote.authenticate=true + -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} + -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} + {{- else }} + -Dcom.sun.management.jmxremote.authenticate=false + {{- end }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + {{- if or .Values.database.type .Values.postgresql.enabled }} + database: + allowNonPostgresql: {{ .Values.database.allowNonPostgresql }} + {{- if .Values.postgresql.enabled }} + type: postgresql + url: "jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" + driver: org.postgresql.Driver + username: "{{ 
.Values.postgresql.postgresqlUsername }}" + {{- else }} + type: "{{ .Values.database.type }}" + driver: "{{ .Values.database.driver }}" + {{- end }} + {{- end }} +artifactory: +{{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} + node: + {{- if .Values.artifactory.haDataDir.path }} + haDataDir: {{ .Values.artifactory.haDataDir.path }} + {{- end }} + {{- if .Values.artifactory.haBackupDir.path }} + haBackupDir: {{ .Values.artifactory.haBackupDir.path }} + {{- end }} +{{- end }} + database: + maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} + tomcat: + maintenanceConnector: + port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} + connector: + maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} +frontend: + session: + timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} +access: + runOnArtifactoryTomcat: {{ .Values.access.runOnArtifactoryTomcat | default false }} + database: + maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} + {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }} + extraJavaOpts: > + {{- if .Values.splitServicesToContainers }} + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=70 + {{- end }} + {{- with .Values.access.javaOpts }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} + {{- end }} + tomcat: + connector: + maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} +{{- if .Values.mc.enabled }} +mc: + enabled: true + database: + maxOpenConnections: {{ .Values.mc.database.maxOpenConnections }} + idgenerator: + maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} + tomcat: + connector: + 
maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} + sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} + extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} +{{- end }} +metadata: + database: + maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} +{{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +jfconnect: + enabled: true +{{- else }} +jfconnect: + enabled: false +jfconnect_service: + enabled: false +{{- end }} +{{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} +federation: + enabled: true + embedded: {{ .Values.federation.embedded }} + extraJavaOpts: {{ .Values.federation.extraJavaOpts }} + port: {{ .Values.federation.internalPort }} +rtfs: + database: + driver: org.postgresql.Driver + type: postgresql + username: {{ .Values.federation.database.username }} + password: {{ .Values.federation.database.password }} + url: jdbc:postgresql://{{ .Values.federation.database.host }}:{{ .Values.federation.database.port }}/{{ .Values.federation.database.name }} +{{- else }} +federation: + enabled: false +{{- end }} +{{- if .Values.event.webhooks }} +event: + webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }} +{{- end }} +{{- if .Values.evidence.enabled }} +evidence: + enabled: true +{{- else }} +evidence: + enabled: false +{{- end }} \ No newline at end of file diff --git a/stable/artifactory/logo/artifactory-logo.png b/stable/artifactory/logo/artifactory-logo.png index 3e8ac0d10..fe6c23c5a 100644 Binary files a/stable/artifactory/logo/artifactory-logo.png and b/stable/artifactory/logo/artifactory-logo.png differ diff --git a/stable/artifactory/sizing/artifactory-2xlarge-extra-config.yaml b/stable/artifactory/sizing/artifactory-2xlarge-extra-config.yaml new file mode 100644 index 000000000..7bccf330d --- /dev/null 
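Review bot: In the `jmx.enabled` branch of `shared.extraJavaOpts`, an unset `.jmx.authenticate` emits `-Dcom.sun.management.jmxremote.authenticate=false`, and `-Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }}` is whatever the value holds, so `jmx.enabled=true` alone can expose an unauthenticated JMX/RMI listener (which permits arbitrary MBean invocation) on the pod network; suggest defaulting to authentication, e.g. `{{- if or .jmx.authenticate (not (hasKey .jmx "authenticate")) }}`, or at minimum a `# NOTE: authenticate=false exposes an unauthenticated JMX endpoint - restrict with a NetworkPolicy` comment beside the else branch. The `rtfs.database` credentials are rendered as bare scalars, `password: {{ .Values.federation.database.password }}`, unlike the PostgreSQL `username` above which is quoted; a password starting with `*`, `&`, `#` or `{`, containing `: `, or consisting only of digits will be mis-parsed or retyped, so use `| quote` on both `username` and `password`. Whether this rendered system.yaml is mounted from a Secret or a ConfigMap is not visible in the hunk; if it is a ConfigMap, the plaintext federation DB password should come from a Secret reference instead.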
+++ b/stable/artifactory/sizing/artifactory-2xlarge-extra-config.yaml @@ -0,0 +1,41 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=200 + -Dartifactory.async.poolMaxQueueSize=100000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=200 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 800 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 200 + +access: + tomcat: + connector: + maxThreads: 200 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 200 + +metadata: + database: + maxOpenConnections: 200 + diff --git a/stable/artifactory/sizing/artifactory-2xlarge.yaml b/stable/artifactory/sizing/artifactory-2xlarge.yaml new file mode 100644 index 000000000..be477939b --- /dev/null +++ b/stable/artifactory/sizing/artifactory-2xlarge.yaml 
@@ -0,0 +1,126 @@ +############################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 6 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "4" + memory: 20Gi + limits: + # cpu: "20" + memory: 24Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: 2 + memory: 4Gi + +router: + resources: + requests: + cpu: "1" + memory: 1Gi + limits: + # cpu: "6" + memory: 2Gi + +frontend: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 1Gi + +metadata: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 2Gi + +event: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +observability: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +jfconnect: + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + # cpu: "1" + memory: 250Mi + +nginx: + replicaCount: 3 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "6Gi" + limits: + # cpu: "14" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "5000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + 
matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 256Gi + cpu: "64" + limits: + memory: 256Gi + # cpu: "128" \ No newline at end of file diff --git a/stable/artifactory/sizing/artifactory-large-extra-config.yaml b/stable/artifactory/sizing/artifactory-large-extra-config.yaml new file mode 100644 index 000000000..d97a85c9f --- /dev/null +++ b/stable/artifactory/sizing/artifactory-large-extra-config.yaml @@ -0,0 +1,41 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=80 + -Dartifactory.async.poolMaxQueueSize=20000 + -Dartifactory.http.client.max.total.connections=100 + -Dartifactory.http.client.max.connections.per.route=100 + -Dartifactory.access.client.max.connections=125 + -Dartifactory.metadata.event.operator.threads=4 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=524288 + -XX:MaxDirectMemorySize=512m + tomcat: + connector: + maxThreads: 500 + extraConfig: 'acceptCount="800" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 100 + +access: + tomcat: + connector: + maxThreads: 125 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 100 + +metadata: + database: + maxOpenConnections: 100 + diff --git a/stable/artifactory/sizing/artifactory-large.yaml b/stable/artifactory/sizing/artifactory-large.yaml new file mode 100644 index 000000000..80326a8e4 --- /dev/null 
+++ b/stable/artifactory/sizing/artifactory-large.yaml 
@@ -0,0 +1,126 @@ +############################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the xlarge sizing +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 3 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 10Gi + limits: + # cpu: "14" + memory: 12Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 1 + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + +router: + resources: + requests: + cpu: 200m + memory: 400Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "1" + memory: "500Mi" + limits: + # cpu: "4" + memory: "1Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "600" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" diff --git a/stable/artifactory/sizing/artifactory-medium-extra-config.yaml b/stable/artifactory/sizing/artifactory-medium-extra-config.yaml new file mode 100644 index 000000000..1c294c043 --- /dev/null +++ b/stable/artifactory/sizing/artifactory-medium-extra-config.yaml @@ -0,0 +1,41 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/stable/artifactory/sizing/artifactory-medium.yaml b/stable/artifactory/sizing/artifactory-medium.yaml new file mode 100644 index 000000000..8b7215041 
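Review bot: The `- name : JF_SHARED_NODE_HAENABLED` entry has a space before the colon, unlike every other key in the file; YAML tolerates it (the trailing space is trimmed from the plain-scalar key), but it reads like a typo and trips yamllint's `colons` rule, so write `- name: JF_SHARED_NODE_HAENABLED`. The same line appears in the medium and xlarge sizing hunks. The `access` block also mixes an unquoted `cpu: 1` with the quoted `cpu: "2"` used for artifactory and `cpu: "16"` for postgresql; Kubernetes accepts both, but one quoting style per file keeps the sizing files diffable against each other.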
--- /dev/null +++ b/stable/artifactory/sizing/artifactory-medium.yaml 
@@ -0,0 +1,126 @@ +############################################################## +# The medium sizing +# This size is just 2 replicas of the small size. Vertical sizing of all services is not changed +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 2 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "200" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - 
labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "16" \ No newline at end of file diff --git a/stable/artifactory/sizing/artifactory-small-extra-config.yaml b/stable/artifactory/sizing/artifactory-small-extra-config.yaml new file mode 100644 index 000000000..1c294c043 --- /dev/null +++ b/stable/artifactory/sizing/artifactory-small-extra-config.yaml @@ -0,0 +1,41 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/stable/artifactory/sizing/artifactory-small.yaml b/stable/artifactory/sizing/artifactory-small.yaml new file mode 100644 index 000000000..eb8d7239d --- /dev/null 
+++ b/stable/artifactory/sizing/artifactory-small.yaml 
@@ -0,0 +1,124 @@ +############################################################## +# The small sizing +# This is the size recommended for running Artifactory for small teams +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "100" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - 
artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 16Gi + cpu: "4" + limits: + memory: 16Gi + # cpu: "10" \ No newline at end of file diff --git a/stable/artifactory/sizing/artifactory-xlarge-extra-config.yaml b/stable/artifactory/sizing/artifactory-xlarge-extra-config.yaml new file mode 100644 index 000000000..00e6099f2 --- /dev/null +++ b/stable/artifactory/sizing/artifactory-xlarge-extra-config.yaml @@ -0,0 +1,41 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=160 + -Dartifactory.async.poolMaxQueueSize=50000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=150 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 600 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 150 + +access: + tomcat: + connector: + maxThreads: 150 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 150 + +metadata: + database: + maxOpenConnections: 150 + diff --git a/stable/artifactory/sizing/artifactory-xlarge.yaml b/stable/artifactory/sizing/artifactory-xlarge.yaml new file mode 100644 index 000000000..e77152ee1 --- /dev/null +++ b/stable/artifactory/sizing/artifactory-xlarge.yaml 
@@ -0,0 +1,126 @@ +############################################################## +# The xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 4 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 14Gi + limits: + # cpu: "14" + memory: 16Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 500m + memory: 2Gi + limits: + # cpu: 1 + memory: 3Gi + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + # cpu: "12" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: 
+ matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" \ No newline at end of file diff --git a/stable/artifactory/sizing/artifactory-xsmall-extra-config.yaml b/stable/artifactory/sizing/artifactory-xsmall-extra-config.yaml new file mode 100644 index 000000000..39709b691 --- /dev/null +++ b/stable/artifactory/sizing/artifactory-xsmall-extra-config.yaml @@ -0,0 +1,42 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=10 + -Dartifactory.async.poolMaxQueueSize=2000 + -Dartifactory.http.client.max.total.connections=20 + -Dartifactory.http.client.max.connections.per.route=20 + -Dartifactory.access.client.max.connections=15 + -Dartifactory.metadata.event.operator.threads=2 + -XX:MaxMetaspaceSize=400m + -XX:CompressedClassSpaceSize=96m + -Djdk.nio.maxCachedBufferSize=131072 + -XX:MaxDirectMemorySize=128m + tomcat: + connector: + maxThreads: 50 + extraConfig: 'acceptCount="200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 15 + +access: + tomcat: + connector: + maxThreads: 15 + javaOpts: + other: > + -XX:InitialRAMPercentage=20 + -XX:MaxRAMPercentage=60 + database: + maxOpenConnections: 15 + +metadata: + database: + maxOpenConnections: 15 + diff --git a/stable/artifactory/sizing/artifactory-xsmall.yaml b/stable/artifactory/sizing/artifactory-xsmall.yaml new file mode 100644 index 000000000..246f830a0 --- /dev/null 
+++ b/stable/artifactory/sizing/artifactory-xsmall.yaml 
@@ -0,0 +1,125 @@ +############################################################## +# The xsmall sizing +# This is the minimum size recommended for running Artifactory +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 3Gi + limits: + # cpu: "10" + memory: 4Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +access: + resources: + requests: + cpu: 500m + memory: 1.5Gi + limits: + # cpu: 1 + memory: 2Gi + +router: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + # cpu: "1" + memory: "250Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "50" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + 
topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 8Gi + cpu: "2" + limits: + memory: 8Gi + # cpu: "8" + diff --git a/stable/artifactory/templates/NOTES.txt b/stable/artifactory/templates/NOTES.txt index 127c1a51d..76652ac98 100644 --- a/stable/artifactory/templates/NOTES.txt +++ b/stable/artifactory/templates/NOTES.txt 
@@ -37,6 +37,13 @@ Congratulations. You have just deployed JFrog Artifactory! {{- end }} {{- end }} +{{- if .Values.artifactory.setSecurityContext }} +****************************************** WARNING ********************************************** +* From chart version 107.84.x, `setSecurityContext` has been renamed to `podSecurityContext`, * + please change your values.yaml before upgrade , For more Info , refer to 107.84.x changelog * +************************************************************************************************* +{{- end }} + {{- if and (or (or (or (or (or ( or ( or ( or (or (or ( or (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) .Values.systemYamlOverride.existingSecret) (or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled)) .Values.aws.licenseConfigSecretName) .Values.artifactory.persistence.customBinarystoreXmlSecret) .Values.access.customCertificatesSecretName) .Values.systemYamlOverride.existingSecret) .Values.artifactory.license.secret) .Values.artifactory.userPluginSecrets) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey)) (and .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName)) (or .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName)) .Values.artifactory.unifiedSecretInstallation }} ****************************************** WARNING ************************************************************************************************** * The unifiedSecretInstallation flag is currently enabled, which creates the unified secret. The existing secrets will continue as separate secrets.* 
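Review bot: The third row of the new warning box is missing its leading `*` and has stray spaces before the commas, so the box renders ragged on the terminal. Suggested row: `* please change your values.yaml before upgrade. For more info, refer to the 107.84.x changelog.    *` (pad to the box width). The warning also fires only when `setSecurityContext` is truthy; a user who set it to `false` never sees this notice and instead hits the hard `fail` added in artifactory-statefulset.yaml, which is worth mentioning in the changelog entry for 107.84.x.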
@@ -90,3 +97,10 @@ sudo sh -c "echo \"${SERVICE_IP} {{ template "artifactory.fullname" . }}\" >> 3. Launch jconsole: jconsole {{ template "artifactory.fullname" . }}:{{ .Values.artifactory.javaOpts.jmx.port }} {{- end }} + +{{- if and .Values.nginx.enabled .Values.ingress.hosts }} +***************************************** WARNING ***************************************************************************** +* when nginx is enabled , .Values.ingress.hosts will be deprecated in upcoming releases * +* It is recommended to use nginx.hosts instead ingress.hosts +******************************************************************************************************************************* +{{- end }} \ No newline at end of file diff --git a/stable/artifactory/templates/_helpers.tpl b/stable/artifactory/templates/_helpers.tpl index a28776f87..7cea041f7 100644 --- a/stable/artifactory/templates/_helpers.tpl +++ b/stable/artifactory/templates/_helpers.tpl 
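Review bot: The deprecation text reads `It is recommended to use nginx.hosts instead ingress.hosts` and the row has no closing `*`, unlike the rows above it; suggested row: `* It is recommended to use nginx.hosts instead of ingress.hosts                                                          *`. The first row has a stray space before the comma in `nginx is enabled , .Values.ingress.hosts`. The file also now ends without a trailing newline, so the final `{{- end }}` will show up as a whole-line change in the next diff that touches it.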
@@ -30,33 +30,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} - -{{/* -Create a default fully qualified replicator app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory.replicator.fullname" -}} -{{- if .Values.artifactory.replicator.ingress.name -}} -{{- .Values.artifactory.replicator.ingress.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-replication" .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified replicator tracker ingress name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "artifactory.replicator.tracker.fullname" -}} -{{- if .Values.artifactory.replicator.trackerIngress.name -}} -{{- .Values.artifactory.replicator.trackerIngress.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-replication-tracker" .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - {{/* Create a default fully qualified nginx name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -262,6 +235,9 @@ Return the proper artifactory chart image names {{- if and $dot.Values.splitServicesToContainers $dot.Values.global.versions.router (eq $indexReference "router") }} {{- $tag = $dot.Values.global.versions.router | toString -}} {{- end -}} + {{- if and $dot.Values.global.versions.initContainers (eq $indexReference "initContainers") }} + {{- $tag = $dot.Values.global.versions.initContainers | toString -}} + {{- end -}} {{- if and $dot.Values.global.versions.artifactory (or (eq $indexReference "artifactory") (eq $indexReference "nginx") ) }} {{- $tag = $dot.Values.global.versions.artifactory | toString -}} {{- end -}} @@ -279,8 +255,7 @@ Return the proper artifactory chart image names Return the proper artifactory app version */}} {{- define "artifactory.app.version" -}} -{{- $image := split ":" ((include "artifactory.getImageInfoByValue" (list . "artifactory")) | toString) -}} -{{- $tag := $image._1 -}} +{{- $tag := (splitList ":" ((include "artifactory.getImageInfoByValue" (list . "artifactory" )))) | last | toString -}} {{- printf "%s" $tag -}} {{- end -}} @@ -320,17 +295,14 @@ Resolve requiredServiceTypes value {{- if .Values.event.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevt" -}} {{- end -}} -{{- if .Values.integration.enabled -}} - {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfint" -}} -{{- end -}} {{- if .Values.frontend.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jffe" -}} {{- end -}} {{- if .Values.jfconnect.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfcon" -}} {{- end -}} -{{- if .Values.artifactory.replicator.enabled -}} - {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfxfer" -}} +{{- if .Values.evidence.enabled -}} + {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevd" -}} {{- end -}} {{- if .Values.mc.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfmc" -}} 
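Review bot: The rewritten `artifactory.app.version` takes the `last` colon-separated segment of the image reference, which fixes registries with a port but, if `artifactory.getImageInfoByValue` can ever emit a digest reference (`repo@sha256:<hex>`), returns the 64-character digest; that value now feeds the `version:` label added to the StatefulSet metadata in the artifactory-statefulset.yaml hunk, and label values are limited to 63 characters, so the render would be rejected by the API server. The helper's output format is outside this hunk, so this is worth confirming rather than assuming. If digests are possible, strip them before taking the tag: `{{- $ref := include "artifactory.getImageInfoByValue" (list . "artifactory") -}}` followed by `{{- $tag := $ref | splitList "@" | first | splitList ":" | last | toString -}}`.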
@@ -377,15 +349,11 @@ nginx command {{- define "nginx.command" -}} {{- if .Values.nginx.customCommand }} {{ toYaml .Values.nginx.customCommand }} -{{ else }} -- nginx -- -g -- 'daemon off;' {{- end }} {{- end -}} {{/* -nginx port (80/443) based on http/https enabled +nginx port (8080/8443) based on http/https enabled */}} {{- define "nginx.port" -}} {{- if .Values.nginx.http.enabled -}} 
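Review bot: Dropping the `{{ else }}` branch means `nginx.command` now renders nothing when `nginx.customCommand` is unset, so any caller that emits `command: {{ include "nginx.command" . }}` unconditionally will produce an empty `command:` key and fall back to the image entrypoint; whether the nginx deployment template guards the include is outside this hunk, so please confirm. The updated comment `nginx port (8080/8443) based on http/https enabled` implies the container now listens on unprivileged ports, which is the right direction for running nginx as non-root; a one-line comment above the define stating that the default command is intentionally delegated to the image would stop the next reader from re-adding the `else` branch.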
@@ -478,12 +446,83 @@ if the volume exists in customVolume then an extra volume with the same name wil {{- end -}} {{/* -Resolve fsGroup and runAsGroup on cluster based +Calculate the systemYaml from structured and unstructured text input */}} -{{- define "artifactory.isOpenshiftCompatible" -}} -{{- if (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} -{{- printf "%s" "true" -}} -{{- else -}} -{{- printf "%s" "false" -}} +{{- define "artifactory.finalSystemYaml" -}} +{{ tpl (mergeOverwrite (include "artifactory.systemYaml" . | fromYaml) .Values.artifactory.extraSystemYaml | toYaml) . }} +{{- end -}} + +{{/* +Calculate the systemYaml from the unstructured text input +*/}} +{{- define "artifactory.systemYaml" -}} +{{ include (print $.Template.BasePath "/_system-yaml-render.tpl") . }} +{{- end -}} + +{{/* +Metrics enabled +*/}} +{{- define "metrics.enabled" -}} +shared: + metrics: + enabled: true +{{- end }} + +{{/* +Resolve unified secret prepend release name +*/}} +{{- define "artifactory.unifiedSecretPrependReleaseName" -}} +{{- if .Values.artifactory.unifiedSecretPrependReleaseName }} +{{- printf "%s" (include "artifactory.fullname" .) -}} +{{- else }} +{{- printf "%s" (include "artifactory.name" .) -}} +{{- end }} +{{- end }} + +{{/* +Resolve artifactory metrics +*/}} +{{- define "artifactory.metrics" -}} +{{- if .Values.artifactory.openMetrics -}} +{{- if .Values.artifactory.openMetrics.enabled -}} +{{ include "metrics.enabled" . }} +{{- if .Values.artifactory.openMetrics.filebeat }} +{{- if .Values.artifactory.openMetrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.openMetrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else if .Values.artifactory.metrics -}} +{{- if .Values.artifactory.metrics.enabled -}} +{{ include "metrics.enabled" . 
}} +{{- if .Values.artifactory.metrics.filebeat }} +{{- if .Values.artifactory.metrics.filebeat.enabled }} +{{ include "metrics.enabled" . }} + filebeat: +{{ tpl (.Values.artifactory.metrics.filebeat | toYaml) . | indent 6 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve nginx hosts value +*/}} +{{- define "artifactory.nginx.hosts" -}} +{{- if .Values.ingress.hosts }} +{{- range .Values.ingress.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} +{{- end -}} +{{- else if .Values.nginx.hosts }} +{{- range .Values.nginx.hosts -}} + {{- if contains "." . -}} + {{ "" | indent 0 }} ~(?.+)\.{{ . }} + {{- end -}} {{- end -}} {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/stable/artifactory/templates/_system-yaml-render.tpl b/stable/artifactory/templates/_system-yaml-render.tpl new file mode 100644 index 000000000..deaa773ea --- /dev/null +++ b/stable/artifactory/templates/_system-yaml-render.tpl @@ -0,0 +1,5 @@ +{{- if .Values.artifactory.systemYaml -}} +{{- tpl .Values.artifactory.systemYaml . -}} +{{- else -}} +{{ (tpl ( $.Files.Get "files/system.yaml" ) .) }} +{{- end -}} \ No newline at end of file diff --git a/stable/artifactory/templates/artifactory-installer-info.yaml b/stable/artifactory/templates/artifactory-installer-info.yaml index f2e2c0f5b..cfb95b67d 100644 --- a/stable/artifactory/templates/artifactory-installer-info.yaml +++ b/stable/artifactory/templates/artifactory-installer-info.yaml @@ -9,4 +9,8 @@ metadata: release: {{ .Release.Name }} data: installer-info.json: | - {{ tpl .Values.installerInfo . }} +{{- if .Values.installerInfo -}} +{{- tpl .Values.installerInfo . | nindent 4 -}} +{{- else -}} +{{ (tpl ( .Files.Get "files/installer-info.json" | nindent 4 ) .) }} +{{- end -}} diff --git a/stable/artifactory/templates/artifactory-license-secret.yaml b/stable/artifactory/templates/artifactory-license-secret.yaml index 236cc97de..ba83aaf24 100644 
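Review bot: In `artifactory.nginx.hosts` each host is interpolated into a regex unescaped, so the `.` inside a host like `example.com` matches any character and the generated `server_name` accepts more names than intended; use `~(?.+)\.{{ . | replace "." "\\." }}` in both branches (and confirm that the `(?.+)` group as rendered here still carries its group name, since `(?` followed directly by `.+` is not valid PCRE). The helper also checks `.Values.ingress.hosts` before `.Values.nginx.hosts`, so when both are set the deprecated key silently wins, contradicting the NOTES.txt advice to move to `nginx.hosts`; reversing the two branches, or failing when both are set, would match the notice. In `artifactory.metrics`, `include "metrics.enabled"` is emitted a second time when filebeat is enabled, so the rendered fragment contains two `shared:` mappings; the second include can be dropped and the `filebeat:` block nested under the first. Finally, `artifactory.finalSystemYaml` pipes `include "artifactory.systemYaml"` through `fromYaml`, which on a parse error returns a map with an `Error` key rather than failing, so a malformed `files/system.yaml` would be merged and rendered as `Error: ...` instead of aborting the install; guarding with `{{- $sy := include "artifactory.systemYaml" . | fromYaml }}{{- if hasKey $sy "Error" }}{{ fail $sy.Error }}{{ end }}` makes the failure visible.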
--- a/stable/artifactory/templates/artifactory-license-secret.yaml
+++ b/stable/artifactory/templates/artifactory-license-secret.yaml
@@ -1,4 +1,4 @@
-{{ if (not .Values.artifactory.unifiedSecretInstallation) }}
+{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) (not .Values.artifactory.license.licenseKey) }}
 {{- with .Values.artifactory.license.licenseKey }}
 apiVersion: v1
 kind: Secret
diff --git a/stable/artifactory/templates/artifactory-secrets.yaml b/stable/artifactory/templates/artifactory-secrets.yaml
index 31009b698..266d8e39a 100644
--- a/stable/artifactory/templates/artifactory-secrets.yaml
+++ b/stable/artifactory/templates/artifactory-secrets.yaml
@@ -1,4 +1,5 @@
 {{- if not .Values.artifactory.unifiedSecretInstallation }}
+{{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.jfConnectToken .Values.artifactory.masterKey .Values.global.masterKey }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -25,4 +26,5 @@ data:
 jfconnect-token: {{ include "artifactory.jfConnectToken" . | b64enc | quote }}
 {{- end }}
 {{- end }}
+{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/stable/artifactory/templates/artifactory-service.yaml b/stable/artifactory/templates/artifactory-service.yaml
index f83904e27..ab8f9d6ce 100644
--- a/stable/artifactory/templates/artifactory-service.yaml
+++ b/stable/artifactory/templates/artifactory-service.yaml
@@ -16,6 +16,12 @@ metadata:
 {{ toYaml .Values.artifactory.service.annotations | indent 4 }}
 {{- end }}
 spec:
+ {{- if .Values.artifactory.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.artifactory.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if not (empty .Values.artifactory.service.ipFamilies)}}
+ ipFamilies: {{- toYaml .Values.artifactory.service.ipFamilies | nindent 4 }}
+ {{- end }}
 type: {{ .Values.artifactory.service.type }}
 {{- if .Values.artifactory.service.loadBalancerSourceRanges }}
 loadBalancerSourceRanges:
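Review bot: The new guard in artifactory-license-secret.yaml can never render the Secret: the outer `if` now requires `(not .Values.artifactory.license.licenseKey)`, but the very next line is `{{- with .Values.artifactory.license.licenseKey }}`, which only enters its body when `licenseKey` is non-empty, so the two conditions are mutually exclusive and a user-supplied license key is silently dropped. The intent appears to be "no unified secret and no pre-existing secret", which the first two terms already express; drop the third: `{{ if and (not .Values.artifactory.unifiedSecretInstallation) (not .Values.artifactory.license.secret) }}`. A `helm template` run with `artifactory.license.licenseKey` set should show the Secret to confirm.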
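Review bot: In artifactory-service.yaml the new `{{- if not (empty .Values.artifactory.service.ipFamilies)}}` is missing the space before `}}` that every neighbouring action has; it parses, but for consistency write `{{- if not (empty .Values.artifactory.service.ipFamilies) }}`. The `ipFamilies: {{- toYaml ... | nindent 4 }}` form is fine, but a short comment above the two new blocks, such as `# dual-stack settings; both keys are optional and omitted when unset`, would tell readers why they are guarded separately from `type:`.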
diff --git a/stable/artifactory/templates/artifactory-statefulset.yaml b/stable/artifactory/templates/artifactory-statefulset.yaml
index 5a63f9c46..c149d86d6 100644
--- a/stable/artifactory/templates/artifactory-statefulset.yaml
+++ b/stable/artifactory/templates/artifactory-statefulset.yaml
@@ -8,11 +8,12 @@ metadata:
 component: {{ .Values.artifactory.name }}
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
+ version: {{ include "artifactory.app.version" . }}
 {{- with .Values.artifactory.labels }}
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- if and .Release.IsUpgrade .Values.postgresql.enabled }}
- databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version (< 11.x.x) that has postgresql.image.tag of 9.x or 10.x or 12.x, make sure to pass the current postgresql.image.tag and set databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 12.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }}
+ databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version (< 107.79.x) that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the current postgresql.image.tag to the same tag and databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 107.79.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }}
 {{- end }}
 {{- with .Values.artifactory.statefulset.annotations }}
 annotations:
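Review bot: The new `version: {{ include "artifactory.app.version" . }}` label is emitted unquoted, so a tag with a single dot (for example a user-set `global.versions.artifactory: 7.9`) is parsed as a YAML float and the API server rejects the manifest because label values must be strings; render it as `version: {{ include "artifactory.app.version" . | quote }}`. Label values are also limited to 63 characters and a restricted alphabet, so if the tag can contain characters outside `[A-Za-z0-9._-]` the render will fail as well; the tag source is outside this hunk, so please confirm. The `databaseUpgradeReady` message change is text only and needs no further action.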
@@ -30,6 +31,20 @@ metadata: {{- if or .Values.artifactory.persistence.googleStorage.identity .Values.artifactory.persistence.googleStorage.credential }} {{- fail "\nGCP Bucket Authentication with Identity and Credential is deprecated" }} {{- end }} +{{- if (eq (.Values.artifactory.setSecurityContext | toString) "false" ) }} + {{- fail "\n You need to set security context at the pod level. .Values.artifactory.setSecurityContext is no longer supported. Replace it with .Values.artifactory.podSecurityContext" }} +{{- end }} +{{- if or .Values.artifactory.uid .Values.artifactory.gid }} +{{- if or (not (eq (.Values.artifactory.uid | toString) "1030" )) (not (eq (.Values.artifactory.gid | toString) "1030" )) }} + {{- fail "\n .Values.artifactory.uid and .Values.artifactory.gid are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.runAsUser .Values.artifactory.podSecurityContext.runAsGroup and .Values.artifactory.podSecurityContext.fsGroup" }} +{{- end }} +{{- end }} +{{- if or .Values.artifactory.fsGroupChangePolicy .Values.artifactory.seLinuxOptions }} + {{- fail "\n .Values.artifactory.fsGroupChangePolicy and .Values.artifactory.seLinuxOptions are no longer supported. You need to set these values at the pod security context level. Replace them with .Values.artifactory.podSecurityContext.fsGroupChangePolicy and .Values.artifactory.podSecurityContext.seLinuxOptions" }} +{{- end }} +{{- if .Values.initContainerImage }} + {{- fail "\n .Values.initContainerImage is no longer supported. Replace it with .Values.initContainers.image.registry .Values.initContainers.image.repository and .Values.initContainers.image.tag" }} +{{- end }} spec: serviceName: {{ template "artifactory.name" . }} replicas: {{ .Values.artifactory.replicaCount }} 
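Review bot: The uid/gid guard tolerates the literal `"1030"` twice without saying why, presumably because 1030 was the previous default uid/gid so only a customized value needs migrating; a one-line template comment such as `{{/* 1030 was the old default uid/gid; only a customized value must move to podSecurityContext */}}` would make the guard self-explanatory. Likewise `setSecurityContext` only fails when explicitly `"false"`, so users who left the old default in their values get no message; if that is intended, say so in the same comment. The `fail` messages alternate between `"\n You need…"` and `"\n .Values…"` prefixes; one consistent prefix would read better.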
@@ -87,22 +102,8 @@ spec: {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} {{- include "artifactory.imagePullSecrets" . | indent 6 }} {{- end }} - {{- if .Values.artifactory.setSecurityContext }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.artifactory.uid }} - {{ if eq (include "artifactory.isOpenshiftCompatible" .) "true" }} - runAsGroup: {{ .Values.artifactory.gid }} - {{ else if eq (include "artifactory.isOpenshiftCompatible" .) "false" }} - fsGroup: {{ .Values.artifactory.gid }} - {{- end }} - {{- if .Values.artifactory.fsGroupChangePolicy }} - fsGroupChangePolicy: {{ .Values.artifactory.fsGroupChangePolicy }} - {{- end }} - {{- if .Values.artifactory.seLinuxOptions }} - seLinuxOptions: - {{- tpl (toYaml .Values.artifactory.seLinuxOptions) . | nindent 10 }} - {{- end }} + {{- if .Values.artifactory.podSecurityContext.enabled }} + securityContext: {{- omit .Values.artifactory.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} {{- if .Values.artifactory.topologySpreadConstraints }} topologySpreadConstraints: @@ -115,8 +116,8 @@ spec: {{- if .Values.artifactory.persistence.enabled }} {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - name: "delete-db-properties" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
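Review bot: The removed block hard-coded `runAsNonRoot: true` and chose between `runAsGroup` and `fsGroup` based on `artifactory.isOpenshiftCompatible`; the replacement `securityContext: {{- omit .Values.artifactory.podSecurityContext "enabled" | toYaml | nindent 8 }}` renders whatever the values carry, so the non-root guarantee and the OpenShift-specific handling now live entirely in values.yaml, which is outside this diff. Please confirm the default `podSecurityContext` keeps `runAsNonRoot: true`, and document that on OpenShift a fixed `runAsUser`/`fsGroup` can conflict with the namespace's SCC-assigned UID range, so those users need to disable or adjust the block. Note also that `podSecurityContext.enabled: false` now drops the pod security context entirely rather than falling back to a safe default.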
@@ -133,8 +134,8 @@ spec: {{- end }} {{- if or (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) .Values.artifactory.admin.password }} - name: "access-bootstrap-creds" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -151,7 +152,7 @@ spec: volumeMounts: - name: artifactory-volume mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) (and .Values.artifactory.admin.secret .Values.artifactory.admin.dataKey) }} - name: access-bootstrap-creds {{- else }} - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} @@ -164,7 +165,8 @@ spec: {{- end }} {{- end }} - name: 'copy-system-configurations' - image: '{{ .Values.initContainerImage }}' + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
@@ -222,10 +224,10 @@ spec: - name: ARTIFACTORY_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} name: {{ include "artifactory.joinKeySecretName" . }} {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: join-key {{- end }} @@ -233,10 +235,10 @@ spec: - name: ARTIFACTORY_JFCONNECT_TOKEN valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.jfConnectTokenSecretName }} name: {{ include "artifactory.jfConnectTokenSecretName" . }} {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: jfconnect-token {{- end }} 
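Review bot: The unified-mode `secretKeyRef` now targets `"{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret"` instead of `artifactory.name`-based name, but the Secret object that defines it is not in this diff, so confirm its `metadata.name` was renamed with the same helper; otherwise every unified-mode reference dangles and the pod sits in CreateContainerConfigError. The same rename is applied in the master-key hunk, the three database-creds hunks later in this file, and the evidence/metadata/access containers, so one check covers all of them. The jfconnect-token condition consults only `artifactory.jfConnectTokenSecretName` while join-key and master-key also consult the `global.` variant; a comment on why there is no global form would help.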
@@ -244,18 +246,17 @@ spec: - name: ARTIFACTORY_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} name: {{ include "artifactory.masterKeySecretName" . }} {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: master-key {{- end }} volumeMounts: - name: artifactory-volume mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} @@ -263,11 +264,12 @@ spec: {{- if .Values.systemYamlOverride.existingSecret }} mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.artifactory.systemYaml }} + {{- else }} mountPath: "/tmp/etc/system.yaml" subPath: "system.yaml" {{- end }} - {{- end }} + + ######################## Binarystore ########################## {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} - name: binarystore-xml {{- else }} @@ -275,6 +277,8 @@ spec: {{- end }} mountPath: "/tmp/etc/artifactory/binarystore.xml" subPath: binarystore.xml + + ######################## Access config ########################## {{- if .Values.access.accessConfig }} {{- if not .Values.artifactory.unifiedSecretInstallation }} - name: access-config 
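Review bot: With the outer `{{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }}` removed and the `else if .Values.artifactory.systemYaml` turned into a plain `{{- else }}`, the `systemyaml` (or unified custom secret) mount at `/tmp/etc/system.yaml` is now emitted unconditionally. That is only safe if the matching entry in `spec.volumes` and the Secret that backs it, both outside this hunk, are now unconditional as well; otherwise a release with neither value set fails pod creation with a missing-volume error. A short comment above the mount stating that system.yaml is always rendered would record the new invariant.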
@@ -284,6 +288,8 @@ spec: mountPath: "/tmp/etc/access.config.patch.yml" subPath: "access.config.patch.yml" {{- end }} + + ######################## Access certs external secret ########################## {{- if .Values.access.customCertificatesSecretName }} - name: access-certs mountPath: "/tmp/etc/tls.crt" @@ -292,9 +298,11 @@ spec: mountPath: "/tmp/etc/tls.key" subPath: tls.key {{- end }} + {{- if or .Values.artifactory.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: copy-custom-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -314,7 +322,8 @@ spec: {{- if .Values.artifactory.circleOfTrustCertificatesSecret }} - name: copy-circle-of-trust-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -335,7 +344,8 @@ spec: {{- if .Values.waitForDatabase }} {{- if .Values.postgresql.enabled }} - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
@@ -399,7 +409,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-user {{- end }} @@ -415,7 +425,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -434,7 +444,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-url {{- end }} 
@@ -454,29 +464,37 @@ spec: subPath: migrationStatus.sh - name: artifactory-volume mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + + ######################## Artifactory persistence nfs ########################## {{- if eq .Values.artifactory.persistence.type "nfs" }} - name: artifactory-data mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" - name: artifactory-backup mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" {{- else }} - {{- if not .Values.artifactory.unifiedSecretInstallation }} + + ######################## Artifactory persistence binarystore Xml ########################## + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.customBinarystoreXmlSecret }} - name: binarystore-xml {{- else }} - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} {{- end }} mountPath: "/tmp/etc/artifactory/binarystore.xml" subPath: "binarystore.xml" + + ######################## Artifactory persistence google storage ########################## {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} - {{- if (not .Values.artifactory.unifiedSecretInstallation) }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} - name: gcpcreds-json {{- else }} - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} {{- end }} mountPath: "/artifactory_bootstrap/gcp.credentials.json" subPath: gcp.credentials.json + {{- end }} {{- end }} - {{- end }} + + ######################## CustomVolumeMounts ########################## {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} {{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} {{- end }} 
@@ -489,7 +507,7 @@ spec: {{- if .Values.splitServicesToContainers }} - name: {{ .Values.router.name }} image: {{ include "artifactory.getImageInfoByValue" (list . "router") }} - imagePullPolicy: {{ .Values.router.image.imagePullPolicy }} + imagePullPolicy: {{ .Values.router.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
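Review bot: Reading `.Values.router.image.pullPolicy` instead of `.Values.router.image.imagePullPolicy` silently ignores the old key for anyone who set it, whereas the other removed keys in this file get explicit `fail` guards near the top of the template. For consistency add one there too, e.g. `{{- if .Values.router.image.imagePullPolicy }}` / `{{- fail "\n .Values.router.image.imagePullPolicy is no longer supported. Replace it with .Values.router.image.pullPolicy" }}` / `{{- end }}`, or at least record the rename in the CHANGELOG.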
@@ -571,6 +589,100 @@ spec: {{- if .Values.frontend.livenessProbe.enabled }} livenessProbe: {{ tpl .Values.frontend.livenessProbe.config . | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.evidence.enabled }} + - name: {{ .Values.evidence.name }} + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} + imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + exec /opt/jfrog/artifactory/app/evidence/bin/jf-evidence start + {{- with .Values.evidence.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SHARED_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . 
}}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.evidence.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 8 }} +{{- end }} + ports: + - containerPort: {{ .Values.evidence.internalPort }} + name: http-evidence + - containerPort: {{ .Values.evidence.externalPort }} + name: grpc-evidence + volumeMounts: + - name: artifactory-volume + mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + resources: +{{ toYaml .Values.evidence.resources | indent 10 }} + {{- if .Values.evidence.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.evidence.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.evidence.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.evidence.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} {{- if .Values.metadata.enabled }} @@ -605,7 +717,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-user {{- end }} 
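Review bot: In the new evidence container the password block opens with `{{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }}` without the `-` trim that its sibling `{{- if or .Values.database.secrets.user …` uses, which leaves a whitespace-only line in the rendered manifest; the same untrimmed `{{ if` appears in the access container hunk that follows. `resources:` is emitted unconditionally here (`{{ toYaml .Values.evidence.resources | indent 10 }}`) while the access container guards it with `{{- if .Values.access.resources }}`; pick one pattern, since an unset value renders `resources: null`. The container receives the database credentials through `secretKeyRef`, which is consistent with the other sidecars, so nothing new is exposed in plain text.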
@@ -621,7 +733,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -640,7 +752,7 @@ spec: {{- if not .Values.artifactory.unifiedSecretInstallation }} name: {{ template "artifactory.fullname" . }}-database-creds {{- else }} - name: "{{ template "artifactory.name" . }}-unified-secret" + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" {{- end }} key: db-url {{- end }} 
@@ -702,36 +814,6 @@ spec: livenessProbe: {{ tpl .Values.event.livenessProbe.config . | indent 10 }} {{- end }} - {{- end }} - {{- if .Values.artifactory.replicator.enabled }} - - name: {{ .Values.artifactory.replicator.name }} - image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/replicator/bin/jf-replicator start - {{- with .Values.artifactory.replicator.lifecycle }} - lifecycle: -{{ toYaml . | indent 10 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.artifactory.replicator.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 8 }} -{{- end }} - volumeMounts: - - name: artifactory-volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.artifactory.replicator.resources | indent 10 }} {{- end }} {{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} - name: {{ .Values.jfconnect.name }} 
@@ -771,45 +853,140 @@ spec: {{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} - {{- if .Values.integration.enabled }} - - name: {{ .Values.integration.name }} + {{- if and .Values.access.enabled (not (.Values.access.runOnArtifactoryTomcat | default false)) }} + - name: {{ .Values.access.name }} image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + {{- if .Values.access.resources }} + resources: +{{ toYaml .Values.access.resources | indent 10 }} {{- end }} command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/integration/bin/jf-integration start - {{- with .Values.integration.lifecycle }} + - '/bin/bash' + - '-c' + - > + set -e; + {{- if .Values.access.preStartCommand }} + echo "Running custom preStartCommand command"; + {{ tpl .Values.access.preStartCommand . }}; + {{- end }} + exec /opt/jfrog/artifactory/app/access/bin/entrypoint-access.sh + {{- with .Values.access.lifecycle }} lifecycle: {{ toYaml . | indent 10 }} {{- end }} env: - - name: JF_SHARED_NODE_ID + {{- if and (gt (.Values.artifactory.replicaCount | int64) 1) (eq (include "artifactory.isImageProType" .) "true") (eq (include "artifactory.isUsingDerby" .) "false") }} + - name : JF_SHARED_NODE_HAENABLED + value: "true" + {{- end }} + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.integration.extraEnvironmentVariables }} + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . 
}} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.artifactory.unifiedSecretInstallation }} + name: {{ template "artifactory.fullname" . }}-database-creds + {{- else }} + name: "{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} +{{- with .Values.access.extraEnvironmentVariables }} {{ tpl (toYaml .) 
$ | indent 8 }} {{- end }} volumeMounts: + {{- if .Values.artifactory.customPersistentVolumeClaim }} + - name: {{ .Values.artifactory.customPersistentVolumeClaim.name }} + mountPath: {{ .Values.artifactory.customPersistentVolumeClaim.mountPath }} + {{- end }} - name: artifactory-volume mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.integration.resources | indent 10 }} - {{- if .Values.integration.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.integration.startupProbe.config . | indent 10 }} + + ######################## Artifactory persistence nfs ########################## + {{- if eq .Values.artifactory.persistence.type "nfs" }} + - name: artifactory-data + mountPath: "{{ .Values.artifactory.persistence.nfs.dataDir }}" + - name: artifactory-backup + mountPath: "{{ .Values.artifactory.persistence.nfs.backupDir }}" + {{- else }} + + ######################## Artifactory persistence googleStorage ########################## + {{- if .Values.artifactory.persistence.googleStorage.gcpServiceAccount.enabled }} + {{- if or (not .Values.artifactory.unifiedSecretInstallation) .Values.artifactory.persistence.googleStorage.gcpServiceAccount.customSecretName }} + - name: gcpcreds-json + {{- else }} + - name: {{ include "artifactory.unifiedCustomSecretVolumeName" . }} + {{- end }} + mountPath: "/artifactory_bootstrap/gcp.credentials.json" + subPath: gcp.credentials.json {{- end }} - {{- if .Values.integration.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.integration.livenessProbe.config . | indent 10 }} {{- end }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} {{- end }} - {{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} + {{- if .Values.access.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.access.startupProbe.config . 
| indent 10 }} + {{- end }} + {{- if semverCompare "=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ default .Values.ingress.className .Values.artifactory.replicator.ingress.className }} - {{- end }} - {{- if .Values.ingress.defaultBackend.enabled }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - defaultBackend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- else }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} - rules: -{{- if .Values.artifactory.replicator.ingress.hosts }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - {{- range $host := .Values.artifactory.replicator.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: /replicator/ - pathType: ImplementationSpecific - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - - path: /artifactory/api/replication/replicate/file/streaming - pathType: ImplementationSpecific - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- end }} - {{- else }} - {{- range $host := .Values.artifactory.replicator.ingress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: /replicator/ - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - - path: /artifactory/api/replication/replicate/file/streaming - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} -{{- end -}} - {{- if .Values.artifactory.replicator.ingress.tls }} - tls: -{{ toYaml .Values.artifactory.replicator.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} -{{- if and .Values.artifactory.replicator.enabled .Values.artifactory.replicator.trackerIngress.enabled }} ---- -{{- $replicatorTrackerIngressName := default ( include "artifactory.replicator.tracker.fullname" . 
) .Values.artifactory.replicator.trackerIngress.name -}} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -apiVersion: networking.k8s.io/v1 - {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 - {{- else }} -apiVersion: extensions/v1beta1 - {{- end }} -kind: Ingress -metadata: - name: {{ $replicatorTrackerIngressName }} - labels: - app: "{{ template "artifactory.name" $ }}" - chart: "{{ template "artifactory.chart" $ }}" - release: {{ $.Release.Name | quote }} - heritage: {{ $.Release.Service | quote }} - {{- if .Values.artifactory.replicator.trackerIngress.annotations }} - annotations: -{{ .Values.artifactory.replicator.trackerIngress.annotations | toYaml | trimSuffix "\n" | indent 4 -}} - {{- end }} -spec: - {{- if and (or .Values.ingress.className .Values.artifactory.replicator.trackerIngress.className) (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ default .Values.ingress.className .Values.artifactory.replicator.trackerIngress.className }} - {{- end }} - {{- if .Values.ingress.defaultBackend.enabled }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - defaultBackend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- else }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} - rules: -{{- if .Values.artifactory.replicator.trackerIngress.hosts }} - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} - {{- range $host := .Values.artifactory.replicator.trackerIngress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: / - pathType: ImplementationSpecific - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- end }} - {{- else }} - {{- range $host := .Values.artifactory.replicator.trackerIngress.hosts }} - - host: {{ $host | quote }} - http: - paths: - - path: / - backend: - 
serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} -{{- end -}} - {{- if .Values.artifactory.replicator.trackerIngress.tls }} - tls: -{{ toYaml .Values.artifactory.replicator.trackerIngress.tls | indent 4 }} - {{- end -}} -{{- end -}} + {{- if .Values.customIngress }} --- {{ .Values.customIngress | toYaml | trimSuffix "\n" }} diff --git a/stable/artifactory/templates/nginx-artifactory-conf.yaml b/stable/artifactory/templates/nginx-artifactory-conf.yaml index bd2ebea96..343448994 100644 --- a/stable/artifactory/templates/nginx-artifactory-conf.yaml +++ b/stable/artifactory/templates/nginx-artifactory-conf.yaml @@ -10,5 +10,9 @@ metadata: release: {{ .Release.Name }} data: artifactory.conf: | +{{- if .Values.nginx.artifactoryConf }} {{ tpl .Values.nginx.artifactoryConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-artifactory-conf.yaml" ) . | indent 4 }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/stable/artifactory/templates/nginx-conf.yaml b/stable/artifactory/templates/nginx-conf.yaml index 851eae247..31219d58a 100644 --- a/stable/artifactory/templates/nginx-conf.yaml +++ b/stable/artifactory/templates/nginx-conf.yaml @@ -10,5 +10,9 @@ metadata: release: {{ .Release.Name }} data: nginx.conf: | +{{- if .Values.nginx.mainConf }} {{ tpl .Values.nginx.mainConf . | indent 4 }} +{{- else }} +{{ tpl ( .Files.Get "files/nginx-main-conf.yaml" ) . | indent 4 }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/artifactory/templates/nginx-deployment.yaml b/stable/artifactory/templates/nginx-deployment.yaml index ff7c78c5d..774bedcca 100644 --- a/stable/artifactory/templates/nginx-deployment.yaml +++ b/stable/artifactory/templates/nginx-deployment.yaml 
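Review bot: In the nginx-conf.yaml fallback, `.Files.Get "files/nginx-main-conf.yaml"` returns an empty string when the file is absent from the packaged chart, so a missing or misnamed file silently produces an empty `nginx.conf` instead of a render error; wrapping it as `{{ tpl ( required "files/nginx-main-conf.yaml is missing from the chart" (.Files.Get "files/nginx-main-conf.yaml") ) . | indent 4 }}` fails fast. The nginx-artifactory-conf.yaml hunk has the same shape and deserves the same guard. Both files still end without a trailing newline.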
@@ -44,10 +44,13 @@ spec: component: {{ .Values.nginx.name }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 8 }} +{{- end }} spec: - securityContext: - runAsUser: {{ .Values.nginx.uid }} - runAsGroup: {{ .Values.nginx.gid }} + {{- if .Values.nginx.podSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} serviceAccountName: {{ template "artifactory.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.nginx.terminationGracePeriodSeconds }} {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} @@ -65,8 +68,8 @@ spec: {{ tpl (include "artifactory.nginx.customInitContainers" .) . | indent 6 }} {{- end }} - name: "setup" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -76,6 +79,8 @@ spec: - > rm -rfv {{ .Values.nginx.persistence.mountPath }}/lost+found; mkdir -p {{ .Values.nginx.persistence.mountPath }}/logs; + resources: + {{- toYaml .Values.initContainers.resources | nindent 10 }} volumeMounts: - mountPath: {{ .Values.nginx.persistence.mountPath | quote }} name: nginx-volume 
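Review bot: The pod `securityContext` previously always set `runAsUser: {{ .Values.nginx.uid }}` and `runAsGroup: {{ .Values.nginx.gid }}`; it is now rendered only when `nginx.podSecurityContext.enabled` is true and from that map alone, so anyone who customized `nginx.uid`/`nginx.gid` loses the setting without any message, unlike the statefulset which adds `fail` guards for its removed keys. The same silent drop applies to `nginx.securityContext` in the next hunk of this file. Add a guard of the same style, tolerating the old default the way the statefulset tolerates 1030, e.g. `{{- if or .Values.nginx.uid .Values.nginx.gid .Values.nginx.securityContext }}` / `{{- fail "\n .Values.nginx.uid, .Values.nginx.gid and .Values.nginx.securityContext are no longer supported. Replace them with .Values.nginx.podSecurityContext and .Values.nginx.containerSecurityContext" }}` / `{{- end }}`.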
@@ -83,12 +88,13 @@ spec: - name: {{ .Values.nginx.name }} image: {{ include "artifactory.getImageInfoByValue" (list . "nginx") }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - {{- with .Values.nginx.securityContext }} - securityContext: -{{ toYaml . | indent 10 }} + {{- if .Values.nginx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} + {{- if .Values.nginx.customCommand }} command: {{- tpl (include "nginx.command" .) . | indent 10 }} + {{- end }} ports: {{ if .Values.nginx.customPorts }} {{ toYaml .Values.nginx.customPorts | indent 8 }} @@ -153,7 +159,8 @@ spec: {{- $mountPath := .Values.nginx.persistence.mountPath }} {{- range .Values.nginx.loggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: {{ include "artifactory.getImageInfoByValue" (list $ "logger") }} + image: {{ include "artifactory.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} command: - tail args: diff --git a/stable/artifactory/templates/nginx-service.yaml b/stable/artifactory/templates/nginx-service.yaml index 5ae4077a2..7204d9f46 100644 --- a/stable/artifactory/templates/nginx-service.yaml +++ b/stable/artifactory/templates/nginx-service.yaml @@ -14,6 +14,12 @@ metadata: {{ toYaml .Values.nginx.service.annotations | indent 4 }} {{- end }} spec: + {{- if .Values.nginx.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.nginx.service.ipFamilyPolicy }} + {{- end }} + {{- if not (empty .Values.nginx.service.ipFamilies)}} + ipFamilies: {{- toYaml .Values.nginx.service.ipFamilies | nindent 4 }} + {{- end }} type: {{ .Values.nginx.service.type }} {{- if eq .Values.nginx.service.type "LoadBalancer" }} {{ if .Values.nginx.service.loadBalancerIP -}} diff --git a/stable/artifactory/values-large.yaml b/stable/artifactory/values-large.yaml deleted file mode 100644 index 43b1b53e4..000000000 
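Review bot: In the @@ -83 hunk `command:` is rendered only when `nginx.customCommand` is set, while before it was produced from the `nginx.command` template unconditionally; that template is not in the diff, so I cannot tell whether its output was already empty without `customCommand`, but if it supplied a default entrypoint the container now silently falls back to the image's own CMD. A comment beside the new guard, `{{- /* customCommand unset: the image's default entrypoint is used */ -}}`, or the equivalent note on `nginx.customCommand` in values.yaml, would record the intended behaviour. The `securityContext` change to `nginx.containerSecurityContext` with `omit ... "enabled"` matches the pattern used for the init container above, which is consistent.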
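Review bot: Style: `{{- if not (empty .Values.nginx.service.ipFamilies)}}` in the nginx-service hunk lacks the space before `}}` that every other action in this template uses; `{{- if not (empty .Values.nginx.service.ipFamilies) }}` keeps it consistent. A short comment above the two guards, `{{- /* dual-stack fields are optional and omitted unless set in values */ -}}`, would explain why `ipFamilyPolicy` and `ipFamilies` are each wrapped in their own `if`.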
--- a/stable/artifactory/values-large.yaml +++ /dev/null @@ -1,80 +0,0 @@ -artifactory: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 300 - resources: - requests: - memory: "6Gi" - cpu: "2" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "8g" - xmx: "10g" -access: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 100 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 150 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/stable/artifactory/values-medium.yaml b/stable/artifactory/values-medium.yaml deleted file mode 100644 index 48970ef65..000000000 --- a/stable/artifactory/values-medium.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -artifactory: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 200 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "6g" - xmx: "8g" -access: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 100 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/stable/artifactory/values-small.yaml b/stable/artifactory/values-small.yaml deleted file mode 100644 index 898119539..000000000 --- a/stable/artifactory/values-small.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -artifactory: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 200 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "6g" -access: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 80 - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml index 02311d737..ff9a6b33f 100644 --- a/stable/artifactory/values.yaml +++ b/stable/artifactory/values.yaml @@ -1,8 +1,8 @@ -# Default values for artifactory. -# This is a YAML-formatted file. +## Default values for artifactory. +## This is a YAML-formatted file. -# Beware when changing values here. You should know what you are doing! -# Access the values with {{ .Values.key.subkey }} +## Beware when changing values here. You should know what you are doing! +## Access the values with {{ .Values.key.subkey }} global: # imageRegistry: releases-docker.jfrog.io 
@@ -12,7 +12,8 @@ global: ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion ## This applies also for nginx images (.Values.nginx.image.tag) versions: {} - # artifactory: + # artifactory: + # initContainers: # joinKey: # masterKey: # joinKeySecretName: @@ -36,15 +37,18 @@ global: ## Applies to artifactory and nginx pods nodeSelector: {} ## String to partially override artifactory.fullname template (will maintain the release name) -## # nameOverride: ## String to fully override artifactory.fullname template -## # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106 -# Init containers + +## Init containers initContainers: + image: + registry: releases-docker.jfrog.io + repository: ubi9/ubi-minimal + tag: 9.4.949.1716471857 + pullPolicy: IfNotPresent resources: requests: memory: "50Mi" @@ -55,8 +59,11 @@ initContainers: installer: type: platform: -installerInfo: '{"productId": "Helm_artifactory/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}' -# For supporting pulling from private registries +## The installerInfo is intentionally commented out and the previous content has been moved under `files/installer-info.json` +## To override the content in `files/installer-info.json`, Uncomment the `installerInfo` and add relevant data +# installerInfo: '{}' + +## For supporting pulling from private registries # imagePullSecrets: # - myRegistryKeySecretName @@ -90,7 +97,6 @@ rbac: - list ## Service Account ## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ -## serviceAccount: create: false ## The name of the ServiceAccount to use. @@ -104,7 +110,7 @@ ingress: enabled: false defaultBackend: enabled: true - # Used to create an Ingress record. + ## Used to create an Ingress record. hosts: [] routerPath: / artifactoryPath: /artifactory/ 
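Review bot: `tag: 9.4.949.1716471857` in the @@ -36 hunk pins the init-container image by a mutable tag; since this image runs the `setup` step on every pod start, pinning by digest would let operators verify what actually runs, though whether `artifactory.getImageInfoByValue` accepts a digest is not visible here. Quoting the tag, `tag: "9.4.949.1716471857"`, also protects against a future shorter tag such as `9.4` being parsed as a float, and matches the quoting used for the resource values just below.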
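Review bot: The comment in the @@ -55 hunk says the previous `installerInfo` content moved to `files/installer-info.json`, but the commented example `# installerInfo: '{}'` would, if uncommented as-is, replace the product/feature record with an empty object rather than show the expected shape. An example mirroring the removed value, `# installerInfo: '{"productId": "Helm_artifactory/{{ .Chart.Version }}", "features": [ ... ]}'`, is more useful, and the comment should say whether the override is still passed through `tpl` so that `{{ .Chart.Version }}` expands.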
@@ -121,17 +127,19 @@ ingress: # traffic-type: external # traffic-type: internal tls: [] - # Secrets must be manually created in the namespace. + ## Secrets must be manually created in the namespace. # - secretName: chart-example-tls # hosts: # - artifactory.domain.example - # Additional ingress rules + ## Additional ingress rules additionalRules: [] + ## This is an experimental feature, enabling this feature will route all traffic through the Router. + disableRouterBypass: false ## Allows to add custom ingress customIngress: "" networkpolicy: [] -# Allows all ingress and egress +## Allows all ingress and egress # - name: artifactory # podSelector: # matchLabels: @@ -140,7 +148,7 @@ networkpolicy: [] # - {} # ingress: # - {} -# Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) +## Uncomment to allow only artifactory pods to communicate with postgresql (if postgresql.enabled is true) # - name: postgresql # podSelector: # matchLabels: @@ -158,11 +166,6 @@ autoscaling: minReplicas: 1 maxReplicas: 3 targetCPUUtilizationPercentage: 70 -logger: - image: - registry: releases-docker.jfrog.io - repository: ubi9/ubi-minimal - tag: 9.2.750.1697534106 ## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName ## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}` aws: 
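Review bot: `disableRouterBypass: false` in the @@ -121 hunk is documented only as "experimental" and as routing all traffic through the Router; the Ingress template that consumes it is not in this diff, so a reader cannot tell which of the `routerPath`/`artifactoryPath` rules change when it is enabled. The comment should name the affected paths and backend, e.g. `## Experimental: when true, the Ingress sends <affected paths> to the Router service instead of <previous backend>; see the ingress template for the exact rules`, with the placeholders filled in from the template.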
@@ -170,10 +173,19 @@ aws: enabled: false licenseConfigSecretName: region: us-east-1 +## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## containerSecurityContext: enabled: true runAsNonRoot: true + privileged: false allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault @@ -181,14 +193,13 @@ containerSecurityContext: drop: - ALL ## The following router settings are to configure only when splitServicesToContainers set to true -## splitServicesToContainers (by default it is false) router: name: router image: registry: releases-docker.jfrog.io repository: jfrog/router - tag: 7.81.0 - imagePullPolicy: IfNotPresent + tag: 7.118.2 + pullPolicy: IfNotPresent serviceRegistry: ## Service registry (Access) TLS verification skipped if enabled insecure: false 
@@ -208,9 +219,9 @@ router: # memory: "1Gi" # cpu: "1" - # Add lifecycle hooks for router container + ## Add lifecycle hooks for router container lifecycle: - # From Artifactory versions 7.52.x, Wait for Artifactory to complete any open uploads or downloads before terminating + ## From Artifactory versions 7.52.x, Wait for Artifactory to complete any open uploads or downloads before terminating preStop: exec: command: ["sh", "-c", "while [[ $(curl --fail --silent --connect-timeout 2 http://localhost:8081/artifactory/api/v1/system/liveness) =~ OK ]]; do echo Artifactory is still alive; sleep 2; done"] @@ -218,11 +229,10 @@ router: # exec: # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] ## Add custom volumesMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: /scripts/script.sh - # subPath: script.sh - + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh livenessProbe: enabled: true config: | 
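Review bot: `customVolumeMounts: |` in the @@ -218 hunk turns a previously empty value into a non-empty string made of comment lines, so any `{{- if .Values.router.customVolumeMounts }}` guard in the router template now evaluates true by default; that template is not in the diff, so I cannot confirm whether this merely injects harmless YAML comments or emits a `volumeMounts:` key with no entries. The same `""` → `|` change is made for `artifactory.customInitContainersBegin`, `customInitContainers`, `customSidecarContainers`, `customVolumes` and `customVolumeMounts` (@@ -378) and for `artifactory.configMaps` (@@ -514), where an always-true guard could create an empty ConfigMap object that did not exist before. Keeping the defaults as `""` with the examples as ordinary comments above the key, or adding a comment stating that the consuming templates tolerate comment-only content, removes the ambiguity.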
@@ -263,19 +273,22 @@ router: timeoutSeconds: {{ .Values.probes.timeoutSeconds }} persistence: mountPath: "/var/opt/jfrog/router" -# Artifactory +## Artifactory artifactory: name: artifactory ## refer - https://www.jfrog.com/confluence/display/JFROG/Access+Federation#AccessFederation-EstablishingtheCircleofTrust ## root certificates added will be copied to $JFROG_HOME/artifactory/var/etc/access/keys/trusted folder. circleOfTrustCertificatesSecret: - # unifiedSecretInstallation flag enables single unified secret holding all the artifactory secrets - unifiedSecretInstallation: false - # For HA installation, set this value > 1. This is only supported in Artifactory 7.25.x (appVersions) and above. + ## unifiedSecretInstallation flag enables single unified secret holding all the artifactory internal(chart) secrets, It won't be affecting external secrets. + ## Note: unifiedSecretInstallation flag is enabled by true by default from chart version 107.79.x, Users can switch to false to continue with the old way of secret creation. + unifiedSecretInstallation: true + ## unifiedSecretPrependReleaseName Set this flag to false if unifiedSecret should not be created with prepended. + unifiedSecretPrependReleaseName: true + ## For HA installation, set this value > 1. This is only supported in Artifactory 7.25.x (appVersions) and above. replicaCount: 1 # minAvailable: 1 - # Note that by default we use appVersion to get image tag/version + ## Note that by default we use appVersion to get image tag/version image: registry: releases-docker.jfrog.io repository: jfrog/artifactory-pro 
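Review bot: Flipping `unifiedSecretInstallation` to `true` in the @@ -263 hunk changes the default for every existing install, and the comment says the unified Secret holds all chart-managed secrets, so a single RBAC read grant on that one Secret now exposes every credential the chart creates at once rather than one per object. That blast-radius change deserves a sentence in the comment, e.g. `## Note: with the unified secret, any principal able to read that single Secret obtains all chart-managed credentials together; scope RBAC accordingly.` The line `## unifiedSecretPrependReleaseName Set this flag to false if unifiedSecret should not be created with prepended.` is missing its object; `## Set to false if the unified secret name should not be prefixed with the release name` says what it does. Whether the previous per-secret objects are cleaned up on upgrade is not visible here.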
@@ -286,8 +299,8 @@ artifactory: type: RollingUpdate ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ schedulerName: - # Create a priority class for the Artifactory pod or use an existing one - # NOTE - Maximum allowed value of a user defined priority is 1000000000 + ## Create a priority class for the Artifactory pod or use an existing one + ## NOTE - Maximum allowed value of a user defined priority is 1000000000 priorityClass: create: false value: 1000000000 @@ -295,7 +308,7 @@ artifactory: # name: ## Use an existing priority class # existingPriorityClass: - # Spread Artifactory pods evenly across your nodes or some other topology + ## Spread Artifactory pods evenly across your nodes or some other topology topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: kubernetes.io/hostname @@ -306,9 +319,9 @@ artifactory: # role: '{{ template "artifactory.name" . }}' # release: "{{ .Release.Name }}" - # Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties + ## Delete the db.properties file in ARTIFACTORY_HOME/etc/db.properties deleteDBPropertiesOnStartup: true - # certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory + ## certificates added to this secret will be copied to $JFROG_HOME/artifactory/var/etc/security/keys/trusted directory customCertificates: enabled: false # certificateSecretName: 
@@ -321,10 +334,11 @@ artifactory: maxThreads: 200 sendReasonPhrase: false extraConfig: 'acceptCount="400"' - # Support for open metrics is only available for Artifactory 7.7.x (appVersions) and above. - # To enable set `.Values.artifactory.openMetrics.enabled` to `true` - # Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics - openMetrics: + ## Support for metrics is only available for Artifactory 7.7.x (appVersions) and above. + ## To enable set `.Values.artifactory.metrics.enabled` to `true` + ## Note : Depricated openMetrics as part of 7.87.x and renamed to `metrics` + ## Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics + metrics: enabled: false ## Settings for pushing metrics to Insight - enable filebeat to true filebeat: 
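Review bot: The comment in the @@ -321 hunk misspells `Depricated` and reads awkwardly; `## Note: openMetrics was deprecated in 7.87.x and renamed to metrics` is clearer. Because an override file that still sets `artifactory.openMetrics.enabled: true` is now ignored rather than rejected, the comment should also say that the old key no longer has any effect.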
@@ -338,27 +352,27 @@ artifactory: url: "Elasticsearch url where JFrog Insight is installed For example, http://:8082" username: "" password: "" - # Support for Cold Artifact Storage - # set 'coldStorage.enabled' to 'true' only for Artifactory instance that you are designating as the Cold instance - # Refer - https://jfrog.com/help/r/jfrog-platform-administration-documentation/setting-up-cold-artifact-storage + ## Support for Cold Artifact Storage + ## set 'coldStorage.enabled' to 'true' only for Artifactory instance that you are designating as the Cold instance + ## Refer - https://jfrog.com/help/r/jfrog-platform-administration-documentation/setting-up-cold-artifact-storage coldStorage: enabled: false - # This directory is intended for use with NFS eventual configuration for HA + ## This directory is intended for use with NFS eventual configuration for HA haDataDir: enabled: false path: haBackupDir: enabled: false path: - # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup - # Note : From 107.46.x chart versions, copyOnEveryStartup is not needed for binarystore.xml, it is always copied via initContainers + ## Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup + ## Note : From 107.46.x chart versions, copyOnEveryStartup is not needed for binarystore.xml, it is always copied via initContainers copyOnEveryStartup: - # # Absolute path - # - source: /artifactory_bootstrap/artifactory.lic - # # Relative to ARTIFACTORY_HOME/ - # target: etc/artifactory/ + ## Absolute path + # - source: /artifactory_bootstrap/artifactory.lic + ## Relative to ARTIFACTORY_HOME/ + # target: etc/artifactory/ - # Sidecar containers for tailing Artifactory logs + ## Sidecar containers for tailing Artifactory logs loggers: [] # - access-audit.log # - access-request.log 
@@ -378,130 +392,125 @@ artifactory: # - router-traefik.log # - derby.log - # Loggers containers resources + ## Loggers containers resources loggersResources: {} - # requests: - # memory: "10Mi" - # cpu: "10m" - # limits: - # memory: "100Mi" - # cpu: "50m" - - # Sidecar containers for tailing Tomcat (catalina) logs + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Sidecar containers for tailing Tomcat (catalina) logs catalinaLoggers: [] # - tomcat-catalina.log # - tomcat-localhost.log - # Tomcat (catalina) loggers resources + ## Tomcat (catalina) loggers resources catalinaLoggersResources: {} - # requests: - # memory: "10Mi" - # cpu: "10m" - # limits: - # memory: "100Mi" - # cpu: "50m" - - # Migration support from 6.x to 7.x + # requests: + # memory: "10Mi" + # cpu: "10m" + # limits: + # memory: "100Mi" + # cpu: "50m" + + ## Migration support from 6.x to 7.x migration: - enabled: true + enabled: false timeoutSeconds: 3600 ## Extra pre-start command in migration Init Container to install JDBC driver for MySql/MariaDb/Oracle - # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" ## Add custom init containers execution before predefined init containers - customInitContainersBegin: "" - # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: 
"{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: artifactory-volume - + customInitContainersBegin: | + # - name: "custom-setup" + # image: {{ include "artifactory.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume ## Add custom init containers execution after predefined init containers - customInitContainers: "" - # - name: "custom-systemyaml-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: artifactory-volume - + customInitContainers: | + # - name: "custom-systemyaml-setup" + # image: {{ include "artifactory.getImageInfoByValue" (list . 
"initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'curl -o {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https:///systemyaml' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume ## Add custom sidecar containers - # - The provided example uses a custom volume (customVolumes) - customSidecarContainers: "" - # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'sh /scripts/script.sh' - # volumeMounts: - # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" - # name: artifactory-volume - # - mountPath: "/scripts/script.sh" - # name: custom-script - # subPath: script.sh - # resources: - # requests: - # memory: "32Mi" - # cpu: "50m" - # limits: - # memory: "128Mi" - # cpu: "100m" - + ## - The provided example uses a custom volume (customVolumes) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: {{ include "artifactory.getImageInfoByValue" (list . 
"initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" ## Add custom volumes - # If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.name" . }}-unified-secret' - customVolumes: "" - # - name: custom-script - # configMap: - # name: custom-script - + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret' + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script ## Add custom volumesMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: "/scripts/script.sh" - # subPath: script.sh - # - name: posthook-start - # mountPath: "/scripts/posthoook-start.sh" - # subPath: posthoook-start.sh - # - name: prehook-start - # mountPath: "/scripts/prehook-start.sh" - # subPath: prehook-start.sh - - # Add custom persistent volume mounts - Available to the entire namespace + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + # - name: posthook-start + # mountPath: "/scripts/posthoook-start.sh" + # subPath: posthoook-start.sh + # - name: prehook-start + # mountPath: "/scripts/prehook-start.sh" + # subPath: prehook-start.sh + ## Add custom persistent volume mounts - Available to the entire namespace customPersistentVolumeClaim: {} - # name: - # mountPath: - # accessModes: + # name: + # mountPath: + # 
accessModes: # - "-" - # size: - # storageClassName: + # size: + # storageClassName: ## Artifactory license. license: @@ -514,20 +523,19 @@ artifactory: dataKey: ## Create configMap with artifactory.config.import.xml and security.import.xml and pass name of configMap in following parameter configMapName: - # Add any list of configmaps to Artifactory - configMaps: "" - # posthook-start.sh: |- - # echo "This is a post start script" - # posthook-end.sh: |- - # echo "This is a post end script" - + ## Add any list of configmaps to Artifactory + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" ## List of secrets for Artifactory user plugins. ## One Secret per plugin's files. userPluginSecrets: - # - archive-old-artifacts - # - build-cleanup - # - webhook - # - '{{ template "my-chart.fullname" . }}' + # - archive-old-artifacts + # - build-cleanup + # - webhook + # - '{{ template "my-chart.fullname" . }}' ## Artifactory requires a unique master key. ## You can generate one with the command: "openssl rand -hex 32" @@ -548,8 +556,8 @@ artifactory: ## Alternatively, you can use a pre-existing secret with a key called jfconnect-token by specifying jfConnectTokenSecretName # jfConnectTokenSecretName: - # Add custom secrets - secret per file - # If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.name" . }}-unified-secret' common to all secrets + ## Add custom secrets - secret per file + ## If .Values.artifactory.unifiedSecretInstallation is true then secret name should be '{{ template "artifactory.unifiedSecretPrependReleaseName" . }}-unified-secret' common to all secrets customSecrets: # - name: custom-secret # key: custom-secret.yaml 
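Review bot: `migration.enabled` flips from `true` to `false` in the @@ -378 hunk, so the 6.x-to-7.x migration step presumably no longer runs by default; the `## Migration support from 6.x to 7.x` comment should say it is now opt-in, e.g. `## Migration support from 6.x to 7.x (disabled by default; set enabled: true when upgrading from a 6.x data directory)`. The commented `preStartCommand` example in the same hunk (and again at @@ -573) fetches a JDBC jar into Tomcat's lib directory on every pod start with no integrity check, and whatever is downloaded is loaded into the Artifactory JVM; the example should at least follow the `curl` with a `sha256sum -c` against a known digest, or recommend baking the driver into a custom image. The `https:///systemyaml` URL in the `customInitContainers` example is an unfinished stub; `https://<your-host>/systemyaml` marks it as a placeholder to fill in.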
@@ -573,9 +581,9 @@ artifactory: secret: dataKey: ## Extra pre-start command to install JDBC driver for MySql/MariaDb/Oracle - # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" + # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && curl -o /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://repo1.maven.org/maven2/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" - # Add lifecycle hooks for artifactory container + ## Add lifecycle hooks for artifactory container lifecycle: {} # postStart: # exec: 
@@ -609,155 +617,34 @@ artifactory: # name: my-secret-name # key: my-secret-key - systemYaml: | - router: - serviceRegistry: - insecure: {{ .Values.router.serviceRegistry.insecure }} - shared: - {{- if .Values.artifactory.coldStorage.enabled }} - jfrogColdStorage: - coldInstanceEnabled: true - {{- end }} - {{- if .Values.artifactory.openMetrics.enabled }} - metrics: - enabled: true - {{- if .Values.artifactory.openMetrics.filebeat.enabled }} - filebeat: {{ toYaml .Values.artifactory.openMetrics.filebeat | nindent 6 }} - {{- end }} - {{- end }} - logging: - consoleLog: - enabled: {{ .Values.artifactory.consoleLog }} - extraJavaOpts: > - -Dartifactory.graceful.shutdown.max.request.duration.millis={{ mul .Values.artifactory.terminationGracePeriodSeconds 1000 }} - -Dartifactory.access.client.max.connections={{ .Values.access.tomcat.connector.maxThreads }} - {{- with .Values.artifactory.javaOpts }} - {{- if .corePoolSize }} - -Dartifactory.async.corePoolSize={{ .corePoolSize }} - {{- end }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .jmx.enabled }} - -Dcom.sun.management.jmxremote - -Dcom.sun.management.jmxremote.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.rmi.port={{ .jmx.port }} - -Dcom.sun.management.jmxremote.ssl={{ .jmx.ssl }} - {{- if .jmx.host }} - -Djava.rmi.server.hostname={{ tpl .jmx.host $ }} - {{- else }} - -Djava.rmi.server.hostname={{ template "artifactory.fullname" $ }} - {{- end }} - {{- if .jmx.authenticate }} - -Dcom.sun.management.jmxremote.authenticate=true - -Dcom.sun.management.jmxremote.access.file={{ .jmx.accessFile }} - -Dcom.sun.management.jmxremote.password.file={{ .jmx.passwordFile }} - {{- else }} - -Dcom.sun.management.jmxremote.authenticate=false - {{- end }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - {{- if or .Values.database.type .Values.postgresql.enabled }} - database: - {{- if .Values.postgresql.enabled }} - type: postgresql - url: 
"jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" - driver: org.postgresql.Driver - username: "{{ .Values.postgresql.postgresqlUsername }}" - {{- else }} - type: "{{ .Values.database.type }}" - driver: "{{ .Values.database.driver }}" - {{- end }} - {{- end }} - artifactory: - {{- if or .Values.artifactory.haDataDir.enabled .Values.artifactory.haBackupDir.enabled }} - node: - {{- if .Values.artifactory.haDataDir.path }} - haDataDir: {{ .Values.artifactory.haDataDir.path }} - {{- end }} - {{- if .Values.artifactory.haBackupDir.path }} - haBackupDir: {{ .Values.artifactory.haBackupDir.path }} - {{- end }} - {{- end }} - database: - maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} - tomcat: - maintenanceConnector: - port: {{ .Values.artifactory.tomcat.maintenanceConnector.port }} - connector: - maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} - sendReasonPhrase: {{ .Values.artifactory.tomcat.connector.sendReasonPhrase }} - extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} - frontend: - session: - timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} - access: - database: - maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} - tomcat: - connector: - maxThreads: {{ .Values.access.tomcat.connector.maxThreads }} - sendReasonPhrase: {{ .Values.access.tomcat.connector.sendReasonPhrase }} - extraConfig: {{ .Values.access.tomcat.connector.extraConfig }} - {{- if .Values.mc.enabled }} - mc: - enabled: true - database: - maxOpenConnections: {{ .Values.mc.database.maxOpenConnections }} - idgenerator: - maxOpenConnections: {{ .Values.mc.idgenerator.maxOpenConnections }} - tomcat: - connector: - maxThreads: {{ .Values.mc.tomcat.connector.maxThreads }} - sendReasonPhrase: {{ .Values.mc.tomcat.connector.sendReasonPhrase }} - extraConfig: {{ .Values.mc.tomcat.connector.extraConfig }} - {{- end }} - metadata: - 
database: - maxOpenConnections: {{ .Values.metadata.database.maxOpenConnections }} - {{- if .Values.artifactory.replicator.enabled }} - replicator: - enabled: true - {{- end }} - {{- if and .Values.jfconnect.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} - jfconnect: - enabled: true - {{- else }} - jfconnect: - enabled: false - jfconnect_service: - enabled: false - {{- end }} - {{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} - federation: - enabled: true - extraJavaOpts: {{ .Values.federation.extraJavaOpts }} - port: {{ .Values.federation.internalPort }} - rtfs: - database: - driver: org.postgresql.Driver - type: postgresql - username: {{ .Values.federation.database.username }} - password: {{ .Values.federation.database.password }} - url: jdbc:postgresql://{{ .Values.federation.database.host }}:{{ .Values.federation.database.port }}/{{ .Values.federation.database.name }} - {{- else }} - federation: - enabled: false - {{- end }} - {{- if .Values.event.webhooks }} - event: - webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }} - {{- end }} + ## System YAML entries now reside under files/system.yaml. + ## You can provide the specific values that you want to add or override under 'artifactory.extraSystemYaml'. + ## For example: + ## extraSystemYaml: + ## shared: + ## node: + ## id: my-instance + ## The entries provided under 'artifactory.extraSystemYaml' are merged with files/system.yaml to create the final system.yaml. 
+ ## If you have already provided system.yaml under, 'artifactory.systemYaml', the values in that entry take precedence over files/system.yaml + ## You can modify specific entries with your own value under `artifactory.extraSystemYaml`, The values under extraSystemYaml overrides the values under 'artifactory.systemYaml' and files/system.yaml + extraSystemYaml: {} + ## systemYaml is intentionally commented and the previous content has been moved under files/system.yaml. + ## You have to add the all entries of the system.yaml file here, and it overrides the values in files/system.yaml. + # systemYaml: annotations: {} service: name: artifactory type: ClusterIP + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] ## For supporting whitelist on the Artifactory service (useful if setting service.type=LoadBalancer) ## Set this to a list of IP CIDR ranges ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] 
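Review bot: The two `@param` lines added in the @@ -609 hunk read `Controller Service ipFamilyPolicy` / `Controller Service ipFamilies`, which looks copied from an ingress-controller chart; this is the Artifactory service, so `## @param artifactory.service.ipFamilyPolicy Artifactory Service ipFamilyPolicy (optional, cloud specific)` and the matching `ipFamilies` line describe the real key path. The precedence comment above `extraSystemYaml` is hard to parse ("You have to add the all entries of the system.yaml file here"); one ordered statement, `## Precedence, highest first: artifactory.extraSystemYaml (merged in), artifactory.systemYaml (replaces files/system.yaml entirely), files/system.yaml`, says the same in a single line. The removed inline systemYaml rendered `federation.database.password` directly into system.yaml; whether `files/system.yaml` handles that credential the same way is not visible here and is worth confirming.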
@@ -769,78 +656,29 @@ artifactory: # nodePort: 32082 statefulset: annotations: {} - ## The following setting are to configure a dedicated Ingress object for Replicator service - replicator: - name: replicator - enabled: false - ## Extra environment variables that can be used to tune replicator to your needs. - ## Uncomment and set value as needed - extraEnvironmentVariables: - # - name: MY_ENV_VAR - # value: "" - resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" - - # Add lifecycle hooks for replicator container - lifecycle: {} - # postStart: - # exec: - # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] - # preStop: - # exec: - # command: ["/bin/sh","-c","echo Hello from the preStop handler"] - - ingress: - enabled: true - name: - hosts: [] - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-buffering: "off" - # nginx.ingress.kubernetes.io/configuration-snippet: | - # chunked_transfer_encoding on; - tls: [] - # Secrets must be manually created in the namespace. - # - hosts: - # - artifactory.domain.example - # secretName: chart-example-tls-secret - ## When replicator is enabled and want to use tracker feature, trackerIngress.enabled flag should be set to true - ## Please refer - https://www.jfrog.com/confluence/display/JFROG/JFrog+Peer-to-Peer+%28P2P%29+Downloads - trackerIngress: - enabled: false - name: - hosts: [] - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-buffering: "off" - # nginx.ingress.kubernetes.io/configuration-snippet: | - # chunked_transfer_encoding on; - tls: [] - # Secrets must be manually created in the namespace. 
- # - hosts: - # - artifactory.domain.example - # secretName: chart-example-tls-secret ## IMPORTANT: If overriding artifactory.internalPort: ## DO NOT use port lower than 1024 as Artifactory runs as non-root and cannot bind to ports lower than 1024! externalPort: 8082 internalPort: 8082 externalArtifactoryPort: 8081 internalArtifactoryPort: 8081 - uid: 1030 - gid: 1030 - # fsGroupChangePolicy: "Always" - # seLinuxOptions: {} terminationGracePeriodSeconds: 30 - ## By default, the Artifactory StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `artifactory.uid` value. - ## If you want to disable the securityContext for the Artifactory StatefulSet, set this tag to false - setSecurityContext: true + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param artifactory.podSecurityContext.enabled Enable security context + ## @param artifactory.podSecurityContext.runAsNonRoot Set pod's Security Context runAsNonRoot + ## @param artifactory.podSecurityContext.runAsUser User ID for the pod + ## @param artifactory.podSecurityContext.runASGroup Group ID for the pod + ## @param artifactory.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1030 + runAsGroup: 1030 + fsGroup: 1030 + # fsGroupChangePolicy: "Always" + # seLinuxOptions: {} livenessProbe: enabled: true config: | 
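Review bot: The parameter doc `## @param artifactory.podSecurityContext.runASGroup Group ID for the pod` misspells the key; the value below it is `runAsGroup`, so the line should read `## @param artifactory.podSecurityContext.runAsGroup Group ID for the pod`. The removed `uid`, `gid` and `setSecurityContext` keys get no migration hint in this hunk, so a line such as `## Replaces the former artifactory.uid, artifactory.gid and artifactory.setSecurityContext keys` next to `podSecurityContext:` would help operators whose overrides still use the old names (presumably the templates no longer read them — worth confirming). Since `seLinuxOptions` is kept as a commented example, a commented `# seccompProfile:` / `#   type: RuntimeDefault` pair beside it would make that hardening option equally discoverable.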
@@ -896,9 +734,13 @@ artifactory: ## Redundancy required For HA deployments, with "cluster" persistence storage type redundancy: 3 lenientLimit: 1 - ## Cache default size. Should be increased for production deployments. + ## cache-fs binary provider configurations + ## Refer: https://jfrog.com/help/r/jfrog-installation-setup-documentation/cache-fs-template-configuration maxCacheSize: 5000000000 cacheProviderDir: cache + ## maxFileSizeLimit: + ## skipDuringUpload: + ## Set the persistence storage type. This will apply the matching binarystore.xml to Artifactory config ## Supported types are: ## file-system (default) @@ -906,14 +748,15 @@ artifactory: ## nfs ## google-storage ## google-storage-v2 - ## google-storage-v2-direct + ## google-storage-v2-direct (Recommended for GCS - Google Cloud Storage) ## cluster-google-storage-v2 ## aws-s3-v3 - ## s3-storage-v3-direct + ## s3-storage-v3-direct (Recommended for AWS S3) ## cluster-s3-storage-v3 ## s3-storage-v3-archive ## azure-blob ## azure-blob-storage-direct + ## azure-blob-storage-v2-direct (Recommended for Azure Blob Storage) ## cluster-azure-blob-storage type: file-system ## Use binarystoreXml to provide a custom binarystore.xml @@ -925,7 +768,7 @@ artifactory: ## cluster nodes. ## Need to have the following set nfs: - # Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' + ## Must pass actual IP of NFS server with '--set For artifactory.persistence.nfs.ip=${NFS_IP}' ip: haDataMount: "/data" haBackupMount: "/backup" @@ -959,7 +802,7 @@ artifactory: # } endpoint: commondatastorage.googleapis.com httpsOnly: false - # Set a unique bucket name + ## Set a unique bucket name bucketName: "artifactory-gcp" ## GCP Bucket Authentication with Identity and Credential is deprecated. ## identity: @@ -980,6 +823,8 @@ artifactory: port: useHttp: maxConnections: 50 + connectionTimeout: + socketTimeout: kmsServerSideEncryptionKeyId: kmsKeyRegion: kmsCryptoMode: 
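Review bot: The new `## maxFileSizeLimit:` and `## skipDuringUpload:` lines name two cache-fs settings without saying what they accept or what the provider does when they are absent, so a reader cannot tell whether they are optional or what an example value looks like. Expanding each to a one-line description plus an example value inside the same comment block, with the wording taken from the linked cache-fs documentation, would make them usable without leaving the file.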
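Review bot: `connectionTimeout:` and `socketTimeout:` are added as bare keys, which YAML reads as null, and nothing states their unit or the behaviour when they are left unset. A comment above them such as `## Optional; unit per the S3 provider docs — leave empty to use the provider default` would stop operators guessing between seconds and milliseconds. Whether the template emits an element at all when the value is null cannot be seen in this hunk; if it does, an empty element in the rendered binarystore.xml is worth a check.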
@@ -994,7 +839,7 @@ artifactory: enablePathStyleAccess: false multiPartLimit: multipartElementSize: - ## For artifactory.persistence.type azure-blob, azure-blob-storage-direct, cluster-azure-blob-storage + ## For artifactory.persistence.type azure-blob, azure-blob-storage-direct, cluster-azure-blob-storage, azure-blob-storage-v2-direct azureBlob: accountName: accountKey: @@ -1016,12 +861,12 @@ artifactory: ## Uncomment the following resources definitions or pass them from command line ## to control the cpu and memory resources allocated by the Kubernetes cluster resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "2Gi" - # cpu: "1" + # requests: + # memory: "1Gi" + # cpu: "500m" + # limits: + # memory: "2Gi" + # cpu: "1" ## The following Java options are passed to the java process running Artifactory. ## You should set them according to the resources set above javaOpts: @@ -1032,13 +877,12 @@ artifactory: port: 9010 host: ssl: false - # When authenticate is true, accessFile and passwordFile are required + ## When authenticate is true, accessFile and passwordFile are required authenticate: false accessFile: passwordFile: # corePoolSize: 24 - # other: "" - + # other: "" nodeSelector: {} tolerations: [] affinity: {} @@ -1061,14 +905,14 @@ frontend: # - name: MY_ENV_VAR # value: "" resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" - - # Add lifecycle hooks for frontend container + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" + + ## Add lifecycle hooks for frontend container lifecycle: {} # postStart: # exec: 
@@ -1108,6 +952,7 @@ frontend: periodSeconds: 5 timeoutSeconds: {{ .Values.probes.timeoutSeconds }} access: + name: access enabled: true ## Enable TLS by changing the tls entry (under the security section) in the access.config.yaml file. ## ref: https://www.jfrog.com/confluence/display/JFROG/Managing+TLS+Certificates#ManagingTLSCertificates 
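Review bot: `name: access` is added under `access:` with no comment, and the neighbouring keys do not say what this name is used for (a container name, a service name or a template lookup — it cannot be seen here). A one-line comment stating which rendered resource takes this name, in the `##` style the rest of the section uses, would make the key self-explaining.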
@@ -1129,6 +974,67 @@ access: maxThreads: 50 sendReasonPhrase: false extraConfig: 'acceptCount="100"' + livenessProbe: + enabled: true + config: | + exec: + command: + - sh + - -c + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:8040/access/api/v1/system/liveness + initialDelaySeconds: {{ if semverCompare ".+)\.{{ include "artifactory.fullname" . }} {{ include "artifactory.fullname" . }} - {{- range .Values.ingress.hosts -}} - {{- if contains "." . -}} - {{ "" | indent 0 }} ~(?.+)\.{{ . }} - {{- end -}} - {{- end -}}; - - if ($http_x_forwarded_proto = '') { - set $http_x_forwarded_proto $scheme; - } - ## Application specific logs - ## access_log /var/log/nginx/artifactory-access.log timing; - ## error_log /var/log/nginx/artifactory-error.log; - rewrite ^/artifactory/?$ / redirect; - if ( $repo != "" ) { - rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break; - } - chunked_transfer_encoding on; - client_max_body_size 0; - - location / { - proxy_read_timeout 900; - proxy_pass_header Server; - proxy_cookie_path ~*^/.* /; - proxy_pass {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . 
}}:{{ .Values.artifactory.externalPort }}/; - {{- if .Values.nginx.service.ssloffload}} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; - {{- else }} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - {{- end }} - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - {{- if .Values.nginx.disableProxyBuffering}} - proxy_http_version 1.1; - proxy_request_buffering off; - proxy_buffering off; - {{- end }} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - location /artifactory/ { - if ( $request_uri ~ ^/artifactory/(.*)$ ) { - proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; - } - proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/; - } - location /pipelines/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - {{- if .Values.router.tlsEnabled }} - proxy_pass https://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }}; - {{- else }} - proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }}; - {{- end }} - } - } - } + ## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration + # artifactoryConf: | customInitContainers: "" customSidecarContainers: "" customVolumes: "" 
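Review bot: The comment `## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration` leaves `# artifactoryConf: |` with no body, so an operator who uncomments it gets an empty block rather than the previous configuration; the comment should say that a complete server block must be supplied when this key is set, e.g. `## Setting artifactoryConf replaces files/nginx-artifactory-conf.yaml entirely; provide a complete nginx server block.`. The removed block carried the `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` line and the `$http_x_forwarded_proto` fallback; the moved file is not in this chunk, so it is worth confirming they were carried over, since dropping them would be a silent hardening regression. The start of the removed nginx block is not legible here — the text between the access probe's `semverCompare` and the `server_name` regex is garbled in this chunk.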
@@ -1709,6 +1478,16 @@ nginx: ## For minikube, set this to NodePort, elsewhere use LoadBalancer type: LoadBalancer ssloffload: false + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] ## For supporting whitelist on the Nginx LoadBalancer service ## Set this to a list of IP CIDR ranges ## Example: loadBalancerSourceRanges: ['10.10.10.5/32', '10.11.10.5/32'] @@ -1718,7 +1497,7 @@ nginx: annotations: {} ## Provide static ip address loadBalancerIP: - ## There are two available options: “Cluster” (default) and “Local”. + ## There are two available options: "Cluster" (default) and "Local". externalTrafficPolicy: Cluster ## If the type is NodePort you can set a fixed port # nodePort: 32082 
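Review bot: The two `@param` labels read `service.ipFamilyPolicy` and `service.ipFamilies` although the keys sit under `nginx.service`, and the same labels are used on the `artifactory.service` copy of this block earlier in the file, so a doc generator would emit two identical and wrong parameter names. Use the full path as the `artifactory.podSecurityContext.*` lines do: `## @param nginx.service.ipFamilyPolicy nginx Service ipFamilyPolicy (optional, cloud specific)` and `## @param nginx.service.ipFamilies nginx Service ipFamilies (optional, cloud specific)`. The phrase "Controller Service" in those lines looks copied from another chart; "nginx Service" matches this file.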
@@ -1728,22 +1507,23 @@ nginx: # targetPort: 8066 # protocol: TCP # name: docker + ## Renamed nginx internalPort 80,443 to 8080,8443 to support openshift http: enabled: true externalPort: 80 - internalPort: 80 + internalPort: 8080 https: enabled: true externalPort: 443 - internalPort: 443 + internalPort: 8443 ssh: internalPort: 1339 externalPort: 1339 - # DEPRECATED: The following will be removed in a future release - # externalPortHttp: 80 - # internalPortHttp: 80 - # externalPortHttps: 443 - # internalPortHttps: 443 + ## DEPRECATED: The following will be removed in a future release + # externalPortHttp: 8080 + # internalPortHttp: 8080 + # externalPortHttps: 8443 + # internalPortHttps: 8443 ## The following settings are to configure the frequency of the liveness and readiness probes. livenessProbe: @@ -1780,7 +1560,7 @@ nginx: - sh - -c - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} {{ include "nginx.scheme" . }}://localhost:{{ include "nginx.port" . }}/router/api/v1/system/readiness - initialDelaySeconds: 30 + initialDelaySeconds: 3 failureThreshold: 90 periodSeconds: 5 timeoutSeconds: {{ .Values.probes.timeoutSeconds }} @@ -1809,12 +1589,12 @@ nginx: ## # storageClassName: "-" resources: {} - # requests: - # memory: "250Mi" - # cpu: "100m" - # limits: - # memory: "250Mi" - # cpu: "500m" + # requests: + # memory: "250Mi" + # cpu: "100m" + # limits: + # memory: "250Mi" + # cpu: "500m" nodeSelector: {} tolerations: [] affinity: {} @@ -1828,7 +1608,7 @@ postgresql: image: registry: releases-docker.jfrog.io repository: bitnami/postgresql - tag: 13.10.0-debian-11-r14 + tag: 15.6.0-debian-11-r16 postgresqlUsername: artifactory postgresqlPassword: "" postgresqlDatabase: artifactory 
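Review bot: The deprecated examples were rewritten to `# externalPortHttp: 8080` and `# externalPortHttps: 8443`, but the live `externalPort` values in this hunk stay `80` and `443`; per the new comment only `internalPort` was renamed, so the examples now describe a port layout the chart does not use. Either keep them at `# externalPortHttp: 80` / `# externalPortHttps: 443` or drop them, since the comment above already announces their removal.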
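Review bot: `initialDelaySeconds` for the nginx readiness probe drops from 30 to 3 without a comment; with `failureThreshold: 90` and `periodSeconds: 5` the pod still has a long start-up window, but the reason for the new value is not recorded. A short `## Low initial delay; failureThreshold covers slow starts` line above it would keep the next reviewer from bumping it back.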
@@ -1854,22 +1634,17 @@ postgresql: enabled: true containerSecurityContext: enabled: true - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - # requests: - # memory: "512Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "500m" + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), ## specify custom database details here or leave empty and Artifactory will use embedded derby database: + ## To run Artifactory with any database other than PostgreSQL allowNonPostgresql set to true. + allowNonPostgresql: false type: driver: ## If you set the url, leave host and port empty @@ -1881,16 +1656,16 @@ database: ## If you have existing Kubernetes secrets containing db credentials, use ## these values secrets: {} - # user: - # name: "rds-artifactory" - # key: "db-user" - # password: - # name: "rds-artifactory" - # key: "db-password" - # url: - # name: "rds-artifactory" - # key: "db-url" -# Filebeat Sidecar container + # user: + # name: "rds-artifactory" + # key: "db-user" + # password: + # name: "rds-artifactory" + # key: "db-password" + # url: + # name: "rds-artifactory" + # key: "db-url" +## Filebeat Sidecar container ## The provided filebeat configuration is for Artifactory logs. It assumes you have a logstash installed and configured properly. filebeat: enabled: false @@ -1924,12 +1699,12 @@ filebeat: periodSeconds: 10 timeoutSeconds: 5 resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "100Mi" - # cpu: "100m" + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "100Mi" + # cpu: "100m" filebeatYml: | logging.level: info 
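Review bot: The PostgreSQL `containerSecurityContext` loses `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `seccompProfile: RuntimeDefault` and `capabilities.drop: [ALL]`, leaving only `enabled: true`, and nothing in the hunk or the surrounding comments says why. The bundled subchart may apply its own defaults when the context is enabled (not visible here), but the values file no longer pins them, so an operator auditing the chart sees a hardening regression; if the removal was not intended, restoring the keys as below keeps the previous posture. Whether the `# requests:` example lines now sit under `containerSecurityContext` or under a `resources` key cannot be told from this chunk because the indentation is collapsed.
```yaml
containerSecurityContext:
  enabled: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL
```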
@@ -1952,19 +1727,19 @@ filebeat: hosts: ["{{ .Values.filebeat.logstashUrl }}"] ## Allows to add additional kubernetes resources ## Use --- as a separator between multiple resources -## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-values.yaml +## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-values.yaml additionalResources: "" -# Adding entries to a Pod's /etc/hosts file -# For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases +## Adding entries to a Pod's /etc/hosts file +## For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases hostAliases: [] -# - ip: "127.0.0.1" -# hostnames: -# - "foo.local" -# - "bar.local" -# - ip: "10.1.2.3" -# hostnames: -# - "foo.remote" -# - "bar.remote" +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" ## Toggling this feature is seamless and requires helm upgrade ## will enable all microservices to run in different containers in a single pod (by default it is true) diff --git a/stable/distribution/.helmignore b/stable/distribution/.helmignore index c7eb1e274..b6e97f07f 100644 --- a/stable/distribution/.helmignore +++ b/stable/distribution/.helmignore @@ -19,4 +19,6 @@ .project .idea/ *.tmproj -OWNERS \ No newline at end of file +OWNERS + +tests/ \ No newline at end of file diff --git a/stable/distribution/CHANGELOG.md b/stable/distribution/CHANGELOG.md index 5daf66593..83a4cc913 100644 --- a/stable/distribution/CHANGELOG.md +++ b/stable/distribution/CHANGELOG.md 
@@ -1,7 +1,58 @@ # JFrog Distribution Chart Changelog All changes to this project chart be documented in this file. -## [102.20.3] - Aug 29, 2023 +## [102.26.1] - May 29, 2024 +* Fix the indentation of the commented-out sections in the values.yaml file + +## [102.25.0] - May 16, 2024 +* Update postgresql tag version to `15.6.0-debian-12-r5` +* Fixed an issue to generate unified secret to support distribution fullname [GH-1882](https://github.com/jfrog/charts/issues/1882) +* Fixed an issue template render on loggers [GH-1883](https://github.com/jfrog/charts/issues/1883) +* Added `.Values.distribution.unifiedSecretPrependReleaseName` for unified secret name as fullname release name + +## [102.24.0] - Mar 27, 2024 +* Added image section for `initContainers` instead of `initContainerImage` +* Renamed `distribution.image.imagePullPolicy` to `distribution.image.pullPolicy` +* Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy` +* Renamed `observability.image.imagePullPolicy` to `observability.image.pullPolicy` +* Removed loggers.image section +* Added support for `global.verisons.initContainers` to override `initContainers.image.tag` +* Fixed an issue with extraSystemYaml merge + +## [102.23.0] - Feb 15, 2024 +* **IMPORTANT** +* Added `unifiedSecretInstallation` flag which enables single unified secret holding all internal (chart) secrets to `true` by default +* **Important change:** +* Update postgresql tag version to `15.2.0-debian-11-r23` +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! 
+* If this is an upgrade and you are using the default bundles PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x/13.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true +* Added support for distribution on openshift by setting `podSecurityContext` and `containerSecurityContext` to false +* **IMPORTANT** +* Renamed `common.uid` to `podSecurityContext.runAsUser` +* Renamed `common.gid` to `podSecurityContext.runAsGroup` and `podSecurityContext.fsGroup` +* Renamed `common.fsGroupChangePolicy` to `podSecurityContext.fsGroupChangePolicy` +* Added `redis.containerSecurityContext` to support openshift +* Renamed `redis.uid` to `redis.containerSecurityContext.runAsUser` +* Updated README.md to create a namespace using `--create-namespace` as part of helm install +* Updated redis multi-arch tag version to 7.2.4-debian-11-r5 +* Refactored systemYaml configuration (moved to files/system.yaml instead of key in values.yaml). +* Added ability to provide `extraSystemYaml` configuration in values.yaml which will merge with the existing system yaml when `systemYamlOverride` is not given. 
+* Added IPV4/IPV6 Dualstack flag support for Distribution chart + +## [102.22.0] - Dec 22, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) + +## [102.21.0] - Nov 27, 2023 +* Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) +* Removed default hardcoded javaOpts `-Xms2g -Xmx4g` from distribution.sh file +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [102.20.1] - Sep 18, 2023 +* Reverted - Enabled `unifiedSecretInstallation` by default [GH-1819](https://github.com/jfrog/charts/issues/1819) +* Added NewRelic APM agent integration + +## [102.20.0] - Aug 29, 2023 * Updated redis version tag to `7.2.0-debian-11-r2` * Enabled `unifiedSecretInstallation` by default diff --git a/stable/distribution/Chart.yaml b/stable/distribution/Chart.yaml index 7a425b364..748544019 100644 --- a/stable/distribution/Chart.yaml +++ b/stable/distribution/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.20.3 +appVersion: 2.26.1 dependencies: - condition: postgresql.enabled name: postgresql @@ -11,7 +11,7 @@ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/distribution/ keywords: - distribution - jfrog -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -19,4 +19,4 @@ name: distribution sources: - https://github.com/jfrog/charts type: application -version: 102.20.3 +version: 102.26.1 diff --git a/stable/distribution/README.md b/stable/distribution/README.md index 62297a025..dfede37f5 100644 --- a/stable/distribution/README.md +++ b/stable/distribution/README.md 
@@ -3,7 +3,7 @@ **IMPORTANT!** Our Helm Chart docs have moved to our main documentation site. Below you will find the basic instructions for installing Distribution. For all other information, refer to [Installing Distribution](https://www.jfrog.com/confluence/display/JFROG/Installing+Distribution). ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ ## Chart Details This chart does the following: @@ -37,7 +37,14 @@ Provide a join key and the JFrog URL as a parameter to the Distribution chart in ```bash helm upgrade --install distribution --set distribution.joinKey= \ - --set distribution.jfrogUrl= --namespace distribution jfrog/distribution + --set distribution.jfrogUrl= jfrog/distribution --namespace distribution --create-namespace +``` + +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install distribution jfrog/distribution -f sizing/distribution-small.yaml --namespace distribution --create-namespace ``` ## Uninstalling Distribution diff --git a/stable/distribution/ci/global-section-values.yaml b/stable/distribution/ci/global-section-values.yaml index 5295a048f..63c1923e2 100644 --- a/stable/distribution/ci/global-section-values.yaml +++ b/stable/distribution/ci/global-section-values.yaml @@ -33,8 +33,8 @@ global: joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE customInitContainersBegin: | - name: "custom-init-begin-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" command: - 'sh' - '-c' 
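Review bot: The new `image:` lines drop the quotes that `image: "{{ .Values.initContainerImage }}"` had, while the neighbouring `imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}"` keeps them; these `customInitContainersBegin: |` blocks are rendered by tpl and then parsed as YAML, so an unquoted helper result that ever starts with a YAML indicator would change meaning. Quoting consistently, `image: "{{ include "distribution.getImageInfoByValue" (list . "initContainers") }}"`, keeps the two lines in one style. The same change repeats in the `@@ -51`, `@@ -62`, `@@ -84`, `@@ -102` and `@@ -113` hunks of this file.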
@@ -51,8 +51,8 @@ global: mountPath: "/scriptsglobal" customInitContainers: | - name: "custom-init-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" command: - 'sh' - '-c' @@ -62,8 +62,8 @@ global: name: distribution-data customSidecarContainers: | - name: "sidecar-list-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" securityContext: allowPrivilegeEscalation: false capabilities: @@ -84,8 +84,8 @@ global: common: customInitContainersBegin: | - name: "custom-init-begin-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" command: - 'sh' - '-c' @@ -102,8 +102,8 @@ common: mountPath: "/scriptslocal" customInitContainers: | - name: "custom-init-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" command: - 'sh' - '-c' @@ -113,8 +113,8 @@ common: name: distribution-data customSidecarContainers: | - name: "sidecar-list-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" securityContext: allowPrivilegeEscalation: false capabilities: 
diff --git a/stable/distribution/ci/loggers-values.yaml b/stable/distribution/ci/loggers-values.yaml new file mode 100644 index 000000000..4814bb264 --- /dev/null +++ b/stable/distribution/ci/loggers-values.yaml @@ -0,0 +1,63 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +# If this is an upgrade over an existing Mission Control 4.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade +unifiedUpgradeAllowed: true +databaseUpgradeReady: true +distribution: + jfrogUrl: http://artifactory.rt:8082 + persistence: + enabled: false + resources: + requests: + memory: "1Gi" + cpu: "1" + limits: + memory: "3Gi" + cpu: "2" + javaOpts: + xms: "1g" + xmx: "3g" + loggers: + - router-request.log + - router-service.log + - router-traefik.log + - distribution-service.log + - distribution-request.log + - distribution-access.log + - distributor-foreman.log + - observability-metrics.log + - observability-request.log + - observability-service.log + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password + persistence: + enabled: false +redis: + persistence: + enabled: false + resources: + requests: + memory: "512Mi" + cpu: "1" + limits: + memory: "1Gi" + cpu: "1" + +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/stable/distribution/ci/newrelic-values.yaml b/stable/distribution/ci/newrelic-values.yaml new file mode 100644 index 000000000..861bcc50e --- /dev/null +++ b/stable/distribution/ci/newrelic-values.yaml 
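Review bot: The header comments of loggers-values.yaml are stale: `# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.` describes a file that is not empty, and `# If this is an upgrade over an existing Mission Control 4.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade` refers to a different product, which looks copied from another chart's CI values. Replace both with a line that says what this file exercises, e.g. `# CI values: enables the distribution loggers sidecars with persistence disabled`. The `postgresqlPassword: password` line is explained by its own comment as a ct workaround, which is adequate for CI values.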
@@ -0,0 +1,56 @@ +newRelic: + apm: + enabled: true + appName: "ci-test" + licenseKey: "123456789" + version: 8.6.0 + logLevel: severe + downloadUrl: https://download.newrelic.com + downloadPath: newrelic/java-agent/newrelic-agent/{{ .Values.newRelic.apm.version }} + downloadFile: newrelic-agent-{{ .Values.newRelic.apm.version }}.jar + +distribution: + jfrogUrl: http://artifactory.rt:8082 + persistence: + enabled: false + resources: + requests: + memory: "1Gi" + cpu: "1" + limits: + memory: "3Gi" + cpu: "2" + +postgresql: + postgresqlPassword: password + persistence: + enabled: false + +redis: + persistence: + enabled: false + resources: + requests: + memory: "512Mi" + cpu: "1" + limits: + memory: "1Gi" + cpu: "1" + +router: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + +observability: + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" diff --git a/stable/distribution/ci/test-values.yaml b/stable/distribution/ci/test-values.yaml index be3e92f30..812b1210a 100644 --- a/stable/distribution/ci/test-values.yaml +++ b/stable/distribution/ci/test-values.yaml @@ -29,7 +29,7 @@ redis: distribution: jfrogUrl: http://artifactory.rt:8082 - unifiedSecretInstallation: true + unifiedSecretInstallation: false persistence: enabled: false annotations: diff --git a/stable/distribution/files/system.yaml b/stable/distribution/files/system.yaml new file mode 100644 index 000000000..0ce5f7bff --- /dev/null +++ b/stable/distribution/files/system.yaml 
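Review bot: `licenseKey: "123456789"` is clearly a fake key, but nothing in the file says so; a `# dummy license key for CI only` comment beside it stops secret scanners and readers from treating it as a leaked credential. `version: 8.6.0` is read as a string only because it has two dots, and it is interpolated into `downloadPath` and `downloadFile`, so quoting it as `"8.6.0"` states the intent rather than relying on YAML's number rules.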
@@ -0,0 +1,34 @@ +router: + serviceRegistry: + insecure: {{ .Values.router.serviceRegistry.insecure }} +shared: + logging: + consoleLog: + enabled: {{ .Values.distribution.consoleLog }} + jfrogUrl: "{{ tpl (required "\n\ndistribution.jfrogUrl or global.jfrogUrl is required! This allows to connect to Artifactory.\nYou can copy the JFrog URL from Administration > User Management > Settings > Connection details" (include "distribution.jfrogUrl" .)) . }}" + database: + {{- if .Values.postgresql.enabled }} + type: "postgresql" + driver: "org.postgresql.Driver" + username: "{{ .Values.postgresql.postgresqlUsername }}" + url: "postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" + {{ else }} + type: "{{ .Values.database.type }}" + driver: "{{ .Values.database.driver }}" + {{- end }} +distribution: + extraJavaOpts: > + {{- if .Values.newRelic.apm.enabled }} + -javaagent:{{ .Values.distribution.persistence.mountPath }}/etc/newrelic/newrelic.jar + {{- end }} + {{- with .Values.distribution.javaOpts }} + {{- if .xms }} + -Xms{{ .xms }} + {{- end }} + {{- if .xmx }} + -Xmx{{ .xmx }} + {{- end }} + {{- if .other }} + {{ .other }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/stable/distribution/sizing/distribution-2xlarge.yaml b/stable/distribution/sizing/distribution-2xlarge.yaml new file mode 100644 index 000000000..4fd235b98 --- /dev/null +++ b/stable/distribution/sizing/distribution-2xlarge.yaml 
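Review bot: `{{ else }}` in the `database:` block does not trim like the surrounding `{{- if .Values.postgresql.enabled }}` and `{{- end }}`, so the rendered system.yaml contains a whitespace-only line; `{{- else }}` keeps the style uniform and the output clean. The non-PostgreSQL branch sets only `type` and `driver`, and the url and credentials presumably arrive from the other `database.*` values or a secret (not visible in this chunk), so a one-line comment naming where they come from would save the next reader a search — wording to be confirmed against the templates. The file also ends without a trailing newline, which the diff flags.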
@@ -0,0 +1,81 @@ +############################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## + +unifiedUpgradeAllowed: true +databaseUpgradeReady: true + +replicaCount: 3 + +distribution: + resources: + requests: + cpu: 1 + memory: 2Gi + limits: + # cpu: "4" + memory: 3Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -XX:+UseStringDeduplication + -XX:MaxMetaspaceSize=300m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + +router: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: 25m + memory: 50Mi + limits: + # cpu: "1" + memory: 250Mi + +redis: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +postgresql: + postgresqlExtendedConf: + maxConnections: "300" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than distribution pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - distribution + topologyKey: kubernetes.io/hostname + resources: + requests: + cpu: "150m" + memory: 1Gi + limits: + # cpu: "2" + memory: 8Gi \ No newline at end of file diff --git a/stable/distribution/sizing/distribution-small.yaml b/stable/distribution/sizing/distribution-small.yaml new file mode 100644 index 000000000..012b4d7c9 --- /dev/null +++ b/stable/distribution/sizing/distribution-small.yaml 
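Review bot: Resource quantities in this sizing file are quoted inconsistently: `cpu: 1`, `cpu: 50m` and `memory: 2Gi` are plain while the PostgreSQL block uses `cpu: "150m"`, and `maxConnections: "300"` is a string next to bare integers; Kubernetes accepts both forms, but one style per file reads better. The same mix appears in the small, xlarge and xsmall files of the following hunks. The xlarge header repeats the 2xlarge wording `This size is intended for very large organizations`, which looks copied rather than written for that size. The last file header in this chunk is spelled `sizing/distrubution-large.yaml`, presumably a typo for `distribution-large.yaml` that would break the `-f sizing/...` convention the README documents.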
@@ -0,0 +1,81 @@ +############################################################## +# The small sizing +# This is the size recommended for running Distribution for small teams +############################################################## + +unifiedUpgradeAllowed: true +databaseUpgradeReady: true + +replicaCount: 1 + +distribution: + resources: + requests: + cpu: 100m + memory: 700Mi + limits: + # cpu: "3" + memory: 1200Mi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + + javaOpts: + other: > + -XX:InitialRAMPercentage=30 + -XX:MaxRAMPercentage=60 + -XX:+UseStringDeduplication + -XX:MaxMetaspaceSize=300m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + +router: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: 30m + memory: 30Mi + limits: + # cpu: "1" + memory: 50Mi + +redis: + resources: + requests: + cpu: 30m + memory: 50Mi + limits: + # cpu: "1" + memory: 150Mi + +postgresql: + postgresqlExtendedConf: + maxConnections: "50" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than distribution pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - distribution + topologyKey: kubernetes.io/hostname + resources: + requests: + cpu: "50m" + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi \ No newline at end of file diff --git a/stable/distribution/sizing/distribution-xlarge.yaml b/stable/distribution/sizing/distribution-xlarge.yaml new file mode 100644 index 000000000..3ad386c18 --- /dev/null +++ b/stable/distribution/sizing/distribution-xlarge.yaml 
@@ -0,0 +1,81 @@
+##############################################################
+# The xlarge sizing
+# This size is intended for very large organizations. It can be increased with adding replicas
+##############################################################
+
+unifiedUpgradeAllowed: true
+databaseUpgradeReady: true
+
+replicaCount: 2
+
+distribution:
+ resources:
+ requests:
+ cpu: 1
+ memory: 2Gi
+ limits:
+ # cpu: "4"
+ memory: 3Gi
+
+ extraEnvironmentVariables:
+ - name: MALLOC_ARENA_MAX
+ value: "2"
+
+ javaOpts:
+ other: >
+ -XX:InitialRAMPercentage=40
+ -XX:MaxRAMPercentage=70
+ -XX:+UseStringDeduplication
+ -XX:MaxMetaspaceSize=300m
+ -Djdk.nio.maxCachedBufferSize=262144
+ -XX:MaxDirectMemorySize=256m
+
+router:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ # cpu: "1"
+ memory: 1Gi
+
+observability:
+ resources:
+ requests:
+ cpu: 25m
+ memory: 50Mi
+ limits:
+ # cpu: "1"
+ memory: 250Mi
+
+redis:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ # cpu: "1"
+ memory: 1Gi
+
+postgresql:
+ postgresqlExtendedConf:
+ maxConnections: "200"
+ primary:
+ affinity:
+ # Require PostgreSQL pod to run on a different node than distribution pods
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - distribution
+ topologyKey: kubernetes.io/hostname
+ resources:
+ requests:
+ cpu: "100m"
+ memory: 1Gi
+ limits:
+ # cpu: "2"
+ memory: 8Gi
\ No newline at end of file
diff --git a/stable/distribution/sizing/distribution-xsmall.yaml b/stable/distribution/sizing/distribution-xsmall.yaml
new file mode 100644
index 000000000..d54618932
--- /dev/null
+++ b/stable/distribution/sizing/distribution-xsmall.yaml
@@ -0,0 +1,81 @@
+##############################################################
+# The xsmall sizing
+# This is the minimum size recommended for running Distribution
+##############################################################
+
+unifiedUpgradeAllowed: true
+databaseUpgradeReady: true
+
+replicaCount: 1
+
+distribution:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 700Mi
+ limits:
+ # cpu: "3"
+ memory: 1200Mi
+
+ extraEnvironmentVariables:
+ - name: MALLOC_ARENA_MAX
+ value: "2"
+
+ javaOpts:
+ other: >
+ -XX:InitialRAMPercentage=30
+ -XX:MaxRAMPercentage=60
+ -XX:+UseStringDeduplication
+ -XX:MaxMetaspaceSize=300m
+ -Djdk.nio.maxCachedBufferSize=262144
+ -XX:MaxDirectMemorySize=256m
+
+router:
+ resources:
+ requests:
+ cpu: 30m
+ memory: 100Mi
+ limits:
+ # cpu: "1"
+ memory: 1Gi
+
+observability:
+ resources:
+ requests:
+ cpu: 20m
+ memory: 20Mi
+ limits:
+ # cpu: "1"
+ memory: 50Mi
+
+redis:
+ resources:
+ requests:
+ cpu: 20m
+ memory: 20Mi
+ limits:
+ # cpu: "1"
+ memory: 100Mi
+
+postgresql:
+ postgresqlExtendedConf:
+ maxConnections: "50"
+ primary:
+ affinity:
+ # Require PostgreSQL pod to run on a different node than distribution pods
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - distribution
+ topologyKey: kubernetes.io/hostname
+ resources:
+ requests:
+ cpu: "20m"
+ memory: 200Mi
+ limits:
+ # cpu: "2"
+ memory: 1Gi
\ No newline at end of file
diff --git a/stable/distribution/sizing/distrubution-large.yaml b/stable/distribution/sizing/distrubution-large.yaml
new file mode 100644
index 000000000..f775168f5
--- /dev/null
+++ b/stable/distribution/sizing/distrubution-large.yaml
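Review bot: The `requiredDuringSchedulingIgnoredDuringExecution` anti-affinity in the xsmall profile, which the header calls the minimum size, needs a second schedulable node: on a single-node cluster the PostgreSQL pod stays Pending because the only node already runs a distribution pod. For the minimum profile a `preferredDuringSchedulingIgnoredDuringExecution` rule (with the `weight` and `podAffinityTerm` wrapper) keeps the intent without blocking scheduling; if the hard rule is deliberate, the header should say so, e.g. `# Requires at least two schedulable nodes (PostgreSQL is kept off distribution nodes)`.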
@@ -0,0 +1,81 @@
+##############################################################
+# The large sizing
+# This is identical to the medium sizing, but with an extra Distribution replica
+##############################################################
+
+unifiedUpgradeAllowed: true
+databaseUpgradeReady: true
+
+replicaCount: 2
+
+distribution:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 700Mi
+ limits:
+ # cpu: "3"
+ memory: 1200Mi
+
+ extraEnvironmentVariables:
+ - name: MALLOC_ARENA_MAX
+ value: "2"
+
+ javaOpts:
+ other: >
+ -XX:InitialRAMPercentage=30
+ -XX:MaxRAMPercentage=60
+ -XX:+UseStringDeduplication
+ -XX:MaxMetaspaceSize=300m
+ -Djdk.nio.maxCachedBufferSize=262144
+ -XX:MaxDirectMemorySize=256m
+
+router:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ # cpu: "1"
+ memory: 1Gi
+
+observability:
+ resources:
+ requests:
+ cpu: 30m
+ memory: 30Mi
+ limits:
+ # cpu: "1"
+ memory: 50Mi
+
+redis:
+ resources:
+ requests:
+ cpu: 30m
+ memory: 50Mi
+ limits:
+ # cpu: "1"
+ memory: 150Mi
+
+postgresql:
+ postgresqlExtendedConf:
+ maxConnections: "100"
+ primary:
+ affinity:
+ # Require PostgreSQL pod to run on a different node than distribution pods
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - distribution
+ topologyKey: kubernetes.io/hostname
+ resources:
+ requests:
+ cpu: "100m"
+ memory: 250Mi
+ limits:
+ # cpu: "2"
+ memory: 1Gi
\ No newline at end of file
diff --git a/stable/distribution/sizing/distrubution-medium.yaml b/stable/distribution/sizing/distrubution-medium.yaml
new file mode 100644
index 000000000..3dea6d21a
--- /dev/null
+++ b/stable/distribution/sizing/distrubution-medium.yaml
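Review bot: The new file is named `distrubution-large.yaml` (and the following one `distrubution-medium.yaml`) while the other four sizing files use the `distribution-*.yaml` pattern; anyone passing `-f sizing/distribution-large.yaml` by analogy gets a missing-file error, so both should be renamed before this ships. The header comment also understates the content: besides the extra replica, `maxConnections` ("100" versus "50") and the PostgreSQL requests (`cpu: "100m"`, `memory: 250Mi`) differ from medium, so `# Medium sizing plus one Distribution replica and a larger PostgreSQL (maxConnections 100)` would describe the file accurately.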
@@ -0,0 +1,81 @@
+##############################################################
+# The medium sizing
+# This is identical to the small sizing
+##############################################################
+
+unifiedUpgradeAllowed: true
+databaseUpgradeReady: true
+
+replicaCount: 1
+
+distribution:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 700Mi
+ limits:
+ # cpu: "3"
+ memory: 1200Mi
+
+ extraEnvironmentVariables:
+ - name: MALLOC_ARENA_MAX
+ value: "2"
+
+ javaOpts:
+ other: >
+ -XX:InitialRAMPercentage=30
+ -XX:MaxRAMPercentage=60
+ -XX:+UseStringDeduplication
+ -XX:MaxMetaspaceSize=300m
+ -Djdk.nio.maxCachedBufferSize=262144
+ -XX:MaxDirectMemorySize=256m
+
+router:
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ # cpu: "1"
+ memory: 1Gi
+
+observability:
+ resources:
+ requests:
+ cpu: 30m
+ memory: 30Mi
+ limits:
+ # cpu: "1"
+ memory: 50Mi
+
+redis:
+ resources:
+ requests:
+ cpu: 30m
+ memory: 50Mi
+ limits:
+ # cpu: "1"
+ memory: 150Mi
+
+postgresql:
+ postgresqlExtendedConf:
+ maxConnections: "50"
+ primary:
+ affinity:
+ # Require PostgreSQL pod to run on a different node than distribution pods
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - distribution
+ topologyKey: kubernetes.io/hostname
+ resources:
+ requests:
+ cpu: "50m"
+ memory: 200Mi
+ limits:
+ # cpu: "2"
+ memory: 1Gi
\ No newline at end of file
diff --git a/stable/distribution/templates/NOTES.txt b/stable/distribution/templates/NOTES.txt
index b85cfb9db..c497ec4fd 100644
--- a/stable/distribution/templates/NOTES.txt
+++ b/stable/distribution/templates/NOTES.txt
@@ -15,6 +15,13 @@ Congratulations. You have just deployed JFrog Distribution! ******************************************************************************************** {{- end }} +{{- if or .Values.common.uid .Values.common.gid .Values.common.fsGroupChangePolicy }} +****************************************** WARNING ********************************************** +* From chart version 102.23.x, `common.uid,common.gid,common.fsGroupChangePolicy` has been moved under `podSecurityContext` + please change your values.yaml before upgrade , For more Info , refer to 102.23.x changelog * +************************************************************************************************* +{{- end }} + {{- if and (or (or (or .Values.systemYamlOverride.existingSecret (or .Values.distribution.masterKeySecretName .Values.global.masterKeySecretName)) (or .Values.distribution.joinKeySecretName .Values.global.joinKeySecretName)) .Values.database.secrets) .Values.distribution.unifiedSecretInstallation }} ****************************************** WARNING ************************************************************************************************** * The unifiedSecretInstallation flag is currently enabled, which creates the unified secret. The existing secrets will continue as separate secrets.* diff --git a/stable/distribution/templates/_helpers.tpl b/stable/distribution/templates/_helpers.tpl index d88f8d862..63c5acc65 100644 --- a/stable/distribution/templates/_helpers.tpl +++ b/stable/distribution/templates/_helpers.tpl 
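Review bot: The new warning prints whenever `common.uid`, `common.gid` or `common.fsGroupChangePolicy` is non-empty, which is also the case if the chart's own values.yaml still ships defaults for those keys (not visible in this diff); every install would then show an upgrade warning instead of only installs that carry a user override. If defaults remain, the condition should compare against them, or the keys should be dropped from values.yaml in the same change. The wording `please change your values.yaml before upgrade , For more Info , refer to 102.23.x changelog` has stray spaces before the commas and odd capitalisation; `please update your values.yaml before upgrading; for details see the 102.23.x changelog` reads better.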
@@ -204,6 +204,9 @@ Return the proper distribution chart image names {{- if and $dot.Values.global.versions.router (eq $indexReference "router") }} {{- $tag = $dot.Values.global.versions.router | toString -}} {{- end -}} + {{- if and $dot.Values.global.versions.initContainers (eq $indexReference "initContainers") }} + {{- $tag = $dot.Values.global.versions.initContainers | toString -}} + {{- end -}} {{- if and $dot.Values.global.versions.distribution (eq $indexReference "distribution") }} {{- $tag = $dot.Values.global.versions.distribution | toString -}} {{- end -}} @@ -266,3 +269,28 @@ if the volume exists in customVolume then an extra volume with the same name wil {{- printf "%s" "false" -}} {{- end -}} {{- end -}} + +{{/* +Calculate the systemYaml from structured and unstructured text input +*/}} +{{- define "distribution.finalSystemYaml" -}} +{{ tpl (mergeOverwrite (include "distribution.systemYaml" . | fromYaml) .Values.distribution.extraSystemYaml | toYaml) . }} +{{- end -}} + +{{/* +Calculate the systemYaml from the unstructured text input +*/}} +{{- define "distribution.systemYaml" -}} +{{ include (print $.Template.BasePath "/_system-yaml-render.tpl") . }} +{{- end -}} + +{{/* +Resolve unified secret prepend release name +*/}} +{{- define "distribution.unifiedSecretPrependReleaseName" -}} +{{- if .Values.distribution.unifiedSecretPrependReleaseName }} +{{- printf "%s" (include "distribution.fullname" .) -}} +{{- else }} +{{- printf "%s" (include "distribution.name" .) -}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/distribution/templates/_system-yaml-render.tpl b/stable/distribution/templates/_system-yaml-render.tpl new file mode 100644 index 000000000..944b16d28 --- /dev/null +++ b/stable/distribution/templates/_system-yaml-render.tpl 
@@ -0,0 +1,5 @@
+{{- if .Values.distribution.systemYaml -}}
+{{- tpl .Values.distribution.systemYaml . -}}
+{{- else -}}
+{{ (tpl ( $.Files.Get "files/system.yaml" ) .) }}
+{{- end -}}
\ No newline at end of file
diff --git a/stable/distribution/templates/distribution-newrelic.yaml b/stable/distribution/templates/distribution-newrelic.yaml
new file mode 100644
index 000000000..269efea03
--- /dev/null
+++ b/stable/distribution/templates/distribution-newrelic.yaml
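Review bot: The two branches trim whitespace differently — `{{- tpl ... -}}` in the `if` branch, `{{ (tpl ...) }}` in the `else` branch — so the rendered string carries a leading and trailing newline only when the bundled `files/system.yaml` is used; harmless after `fromYaml`, but `{{- tpl ($.Files.Get "files/system.yaml") . -}}` keeps both paths identical. `$.Files.Get` also returns an empty string when the file is absent, which `fromYaml` turns into an empty map, so a chart packaged without `files/system.yaml` silently yields an empty system.yaml; wrapping the read in `required "files/system.yaml is missing from the chart"` would make that loud.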
@@ -0,0 +1,129 @@
+{{- if .Values.newRelic.apm.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "distribution.fullname" . }}-newrelic-apm-config
+ labels:
+ app: {{ template "distribution.name" . }}
+ chart: {{ template "distribution.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ newrelic.yml: |-
+ common: &default_settings
+ license_key: {{ .Values.newRelic.apm.licenseKey }}
+ agent_enabled: {{ .Values.newRelic.apm.enabled }}
+ app_name: {{ .Values.newRelic.apm.appName }}
+ high_security: false
+ enable_auto_app_naming: false
+ enable_auto_transaction_naming: true
+ audit_mode: false
+ log_level: {{ .Values.newRelic.apm.logLevel }}
+ log_file_count: 1
+ log_limit_in_kbytes: 100000
+ log_daily: false
+ log_file_path: {{ .Values.distribution.persistence.mountPath }}/log
+ log_file_name: newrelic_apm_agent.log
+
+ application_logging:
+ enabled: true
+ forwarding:
+ enabled: true
+ context_data:
+ enabled: false
+ metrics:
+ enabled: true
+ code_level_metrics:
+ enabled: true
+
+ max_stack_trace_lines: 30
+ attributes:
+ enabled: true
+
+ transaction_tracer:
+ enabled: true
+ transaction_threshold: apdex_f
+ record_sql: obfuscated
+ log_sql: false
+ stack_trace_threshold: 0.5
+ explain_enabled: true
+ explain_threshold: 0.5
+ top_n: 20
+
+ error_collector:
+ enabled: true
+ ignore_classes:
+ - "akka.actor.ActorKilledException"
+ ignore_status_codes: 404
+
+ transaction_events:
+ enabled: true
+ max_samples_stored: 2000
+
+ distributed_tracing:
+ enabled: true
+ exclude_newrelic_header: false
+
+ span_events:
+ enabled: true
+ max_samples_stored: 2000
+ attributes:
+ enabled: true
+
+ thread_profiler:
+ enabled: true
+
+ browser_monitoring:
+ auto_instrument: true
+
+ class_transformer:
+ com.newrelic.instrumentation.servlet-user:
+ enabled: false
+
+ com.newrelic.instrumentation.spring-aop-2:
+ enabled: false
+
+ com.newrelic.instrumentation.jdbc-resultset:
+ enabled: false
+
+ classloader_excludes:
+ groovy.lang.GroovyClassLoader$InnerLoader,
+ org.codehaus.groovy.runtime.callsite.CallSiteClassLoader,
+ com.collaxa.cube.engine.deployment.BPELClassLoader,
+ org.springframework.data.convert.ClassGeneratingEntityInstantiator$ObjectInstantiatorClassGenerator,
+ org.mvel2.optimizers.impl.asm.ASMAccessorOptimizer$ContextClassLoader,
+ gw.internal.gosu.compiler.SingleServingGosuClassLoader,
+
+ jfr:
+ enabled: false
+ audit_logging: false
+
+ labels:
+ # An example label
+ #label_name: label_value
+
+ security:
+ enabled: false
+ mode: IAST
+ validator_service_url: wss://csec.nr-data.net
+ agent:
+ enabled: false
+ detection:
+ rci:
+ enabled: true
+ rxss:
+ enabled: true
+ deserialization:
+ enabled: true
+
+ development:
+ <<: *default_settings
+ app_name: My Application (Development)
+
+ staging:
+ <<: *default_settings
+ app_name: My Application (Staging)
+
+ production:
+ <<: *default_settings
+{{- end }}
diff --git a/stable/distribution/templates/distribution-statefulset.yaml b/stable/distribution/templates/distribution-statefulset.yaml
index 68021fe0c..cc31b55c8 100644
--- a/stable/distribution/templates/distribution-statefulset.yaml
+++ b/stable/distribution/templates/distribution-statefulset.yaml
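Review bot: `license_key: {{ .Values.newRelic.apm.licenseKey }}` stores the New Relic licence key — a credential — in a ConfigMap, where it is readable by anyone with `get configmaps` in the namespace and appears in `helm get manifest` output and cluster backups; the key belongs in a Secret (or an existing secret referenced by name) and can reach the agent through the `NEW_RELIC_LICENSE_KEY` environment variable via `secretKeyRef`, with the `license_key` line removed from the ConfigMap. The templated scalars `license_key`, `app_name` and `log_level` are also unquoted, so a value containing `: ` or ` #`, or an all-digit key, changes the YAML's meaning; render them with `| quote`. The `development` and `staging` sections still carry the sample `app_name: My Application (Development)` text from the agent's stock config and are dead weight in a generated file.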
@@ -15,7 +15,7 @@ metadata: unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Distribution 1.x currently not supported!\nIf this is an upgrade over an existing Distribution 2.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} {{- end }} {{- if and .Release.IsUpgrade .Values.postgresql.enabled }} - databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/distribution/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x" .Values.databaseUpgradeReady | quote }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/distribution/CHANGELOG.md)\nNote: If you are upgrading from a chart version (< 102.23.x) that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the current postgresql.image.tag to the same tag and databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 102.23.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }} {{- end }} {{- with .Values.distribution.statefulset.annotations }} annotations: @@ -49,8 +49,8 @@ spec: {{- else }} checksum/distribution-unified-secret: {{ include (print $.Template.BasePath "/distribution-unified-secret.yaml") . | sha256sum }} {{- end }} - {{- range $key, $value := .Values.distribution.annotations }} - {{ $key }}: {{ $value | quote }} + {{- with .Values.distribution.annotations }} +{{ toYaml . | indent 8 }} {{- end }} spec: {{- if .Values.distribution.schedulerName }} 
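Review bot: Replacing the per-key `{{ $value | quote }}` loop with `{{ toYaml . | indent 8 }}` in the `@@ -49,8` hunk drops the string coercion on annotation values: a value written as a number or boolean in values.yaml (for example `foo: 123` or `bar: true`) is emitted unquoted and the API server rejects the StatefulSet, since annotation values must be strings, whereas the old template rendered `"123"`. Keeping the loop inside the new `with` — `{{- range $key, $value := . }}` / `{{ $key }}: {{ $value | quote }}` — preserves both the nil guard and the coercion.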
@@ -67,12 +67,9 @@ spec: {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} {{- include "distribution.imagePullSecrets" . | indent 6 }} {{- end }} - securityContext: - runAsUser: {{ .Values.common.uid }} - fsGroup: {{ .Values.common.gid }} - {{- if .Values.common.fsGroupChangePolicy }} - fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }} - {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} {{- if .Values.common.topologySpreadConstraints }} topologySpreadConstraints: {{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }} 
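Review bot: The pod-level `securityContext` is now rendered only when `podSecurityContext.enabled` is true, and when it is false nothing replaces the former unconditional `runAsUser`/`fsGroup`: the persistent volume is then mounted without a supplemental group, so a non-root process cannot write to it, and the UID falls back to whatever the image declares. The new default for `podSecurityContext` is not visible in this diff, but the `enabled` switch deserves a values comment stating that turning it off removes the fsGroup ownership fix rather than being a no-op, e.g. `# Disabling drops runAsUser/fsGroup entirely; the data volume must then be writable by the image's default user`.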
@@ -81,50 +78,56 @@ spec: {{- if or .Values.common.customInitContainersBegin .Values.global.customInitContainersBegin }} {{ tpl (include "distribution.customInitContainersBegin" .) . | indent 6 }} {{- end }} - - name: 'copy-system-yaml' - image: '{{ .Values.initContainerImage }}' - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + - name: 'copy-system-configurations' + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | indent 10 }} command: - '/bin/bash' - '-c' - - > - sleep 30; - if [[ -e "{{ .Values.distribution.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.distribution.persistence.mountPath }}/etc/filebeat.yaml; fi; - echo "Copy system.yaml to {{ .Values.distribution.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc; - {{- if .Values.systemYamlOverride.existingSecret }} - cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.distribution.persistence.mountPath }}/etc/system.yaml; - {{- else }} - cp -fv /tmp/etc/system.yaml {{ .Values.distribution.persistence.mountPath }}/etc/system.yaml; - {{- end }} - echo "Remove {{ .Values.distribution.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.distribution.persistence.mountPath }}/lost+found; - {{- if or .Values.distribution.joinKey .Values.distribution.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} - echo "Copy joinKey to {{ .Values.distribution.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc/security; - echo ${DISTRIBUTION_JOIN_KEY} > {{ 
.Values.distribution.persistence.mountPath }}/etc/security/join.key; - {{- end }} - {{- if or .Values.distribution.masterKey .Values.distribution.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} - echo "Copy masterKey to {{ .Values.distribution.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc/security; - echo ${DISTRIBUTION_MASTER_KEY} > {{ .Values.distribution.persistence.mountPath }}/etc/security/master.key; - {{- end }} + - | + if [[ -e "{{ .Values.distribution.persistence.mountPath }}/etc/filebeat.yaml" ]]; then + chmod 644 {{ .Values.distribution.persistence.mountPath }}/etc/filebeat.yaml + fi + echo "Copy system.yaml to {{ .Values.distribution.persistence.mountPath }}/etc" + mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.distribution.persistence.mountPath }}/etc/system.yaml + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.distribution.persistence.mountPath }}/etc/system.yaml + {{- end }} + echo "Remove {{ .Values.distribution.persistence.mountPath }}/lost+found folder if exists" + rm -rfv {{ .Values.distribution.persistence.mountPath }}/lost+found + {{- if or .Values.distribution.joinKey .Values.distribution.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.distribution.persistence.mountPath }}/etc/security" + mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc/security + echo ${DISTRIBUTION_JOIN_KEY} > {{ .Values.distribution.persistence.mountPath }}/etc/security/join.key + {{- end }} + {{- if or .Values.distribution.masterKey .Values.distribution.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.distribution.persistence.mountPath }}/etc/security" + mkdir -p {{ 
.Values.distribution.persistence.mountPath }}/etc/security + echo ${DISTRIBUTION_MASTER_KEY} > {{ .Values.distribution.persistence.mountPath }}/etc/security/master.key + {{- end }} + {{- if .Values.newRelic.apm.enabled }} + echo "Download NewRelic Java APM agent" + mkdir -p {{ .Values.distribution.persistence.mountPath }}/etc/newrelic/ + curl {{ .Values.newRelic.apm.downloadUrl }}/{{ tpl .Values.newRelic.apm.downloadPath . }}/{{ tpl .Values.newRelic.apm.downloadFile . }} \ + -o {{ .Values.distribution.persistence.mountPath }}/etc/newrelic/newrelic.jar + cp -f /tmp/newrelic/newrelic.yml {{ .Values.distribution.persistence.mountPath }}/etc/newrelic/ + {{- end }} env: {{- if or .Values.distribution.joinKey .Values.distribution.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} - name: DISTRIBUTION_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.distribution.unifiedSecretInstallation }} + {{- if or (not .Values.distribution.unifiedSecretInstallation) (or .Values.distribution.joinKeySecretName .Values.global.joinKeySecretName) }} name: {{ include "distribution.joinKeySecretName" . }} {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: join-key {{- end }} 
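Review bot: The New Relic download in `copy-system-configurations` runs `curl {{ .Values.newRelic.apm.downloadUrl }}/... -o .../newrelic.jar` without `--fail`, so an HTTP error page is saved as `newrelic.jar`, and because the script has no `set -e` the init container still finishes on the trailing `cp`, leaving the JVM to fail later on a bogus `-javaagent`; the JAR is also fetched on every pod start from a configurable URL with no integrity check, which makes the agent a supply-chain entry point into the Distribution JVM. Use `curl -fsSL --retry 3 ... -o ...` and verify the file against a pinned digest (a new value, e.g. `newRelic.apm.downloadSha256` — name to be decided) with `sha256sum -c` before copying, or bake the agent into the image. The optional `containerSecurityContext` gating introduced here recurs for `copy-custom-certificates`, `wait-for-db`, the migration and main containers, router, observability, filebeat and the loggers in the later hunks: when `enabled` is false the previous hard-coded `runAsNonRoot`, `allowPrivilegeEscalation: false` and `drop: [NET_RAW]` disappear entirely, which a values comment should spell out. The init container definition continues past this hunk.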
@@ -132,18 +135,22 @@ spec: - name: DISTRIBUTION_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.distribution.unifiedSecretInstallation }} + {{- if or (not .Values.distribution.unifiedSecretInstallation) (or .Values.distribution.masterKeySecretName .Values.global.masterKeySecretName) }} name: {{ include "distribution.masterKeySecretName" . }} {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: master-key {{- end }} volumeMounts: - name: distribution-data mountPath: {{ .Values.distribution.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.distribution.systemYaml }} - {{- if not .Values.distribution.unifiedSecretInstallation }} + {{- if .Values.newRelic.apm.enabled }} + - name: newrelic-config + mountPath: /tmp/newrelic/newrelic.yml + subPath: newrelic.yml + {{- end }} + {{- if or (not .Values.distribution.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "distribution.unifiedCustomSecretVolumeName" . }} 
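Review bot: The `systemyaml` volume is now selected whenever `systemYamlOverride.existingSecret` is set, even with `unifiedSecretInstallation` enabled, but the volumes hunk later in this file defines `systemyaml` only under `else if not .Values.distribution.unifiedSecretInstallation` (and only without an existing secret); unless a definition for the unified-plus-existingSecret case lives outside these hunks, that combination renders a mount that references an undefined volume and the pod is rejected at admission. Worth confirming with `helm template` run with `unifiedSecretInstallation=true` together with `systemYamlOverride.existingSecret`.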
@@ -151,20 +158,17 @@ spec: {{- if .Values.systemYamlOverride.existingSecret }} mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.distribution.systemYaml }} + {{- else }} mountPath: "/tmp/etc/system.yaml" subPath: system.yaml {{- end }} - {{- end }} {{- if or .Values.distribution.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: copy-custom-certificates - image: "{{ .Values.initContainerImage }}" - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | indent 10 }} command: @@ -181,13 +185,11 @@ spec: {{- if .Values.waitForDatabase }} {{- if .Values.postgresql.enabled }} - name: 'wait-for-db' - image: '{{ .Values.initContainerImage }}' - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + image: {{ include "distribution.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | indent 10 }} command: 
@@ -205,14 +207,10 @@ spec: {{- if and .Release.IsUpgrade .Values.distribution.migration.enabled }} - name: migration-{{ .Values.distribution.name }} image: {{ include "distribution.getImageInfoByValue" (list $ "distribution") }} - imagePullPolicy: {{ .Values.distribution.image.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + imagePullPolicy: {{ .Values.distribution.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | indent 10 }} command: @@ -246,14 +244,10 @@ spec: containers: - name: {{ .Values.distribution.name }} image: {{ include "distribution.getImageInfoByValue" (list $ "distribution") }} - imagePullPolicy: {{ .Values.distribution.image.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + imagePullPolicy: {{ .Values.distribution.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} ports: - name: http-distro containerPort: {{ .Values.distribution.internalPort }} @@ -286,7 +280,7 @@ spec: {{- if not .Values.distribution.unifiedSecretInstallation }} name: {{ template "distribution.fullname" . }}-database-creds {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: db-user {{- end }} 
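Review bot: `imagePullPolicy` now reads `.Values.distribution.image.pullPolicy` instead of `.Values.distribution.image.imagePullPolicy` (the router and observability containers in the later hunks change the same way), so a values file that still sets the old key is silently ignored and the kubelet default for the tag applies; nothing in NOTES.txt mentions the rename. A fallback such as `imagePullPolicy: {{ .Values.distribution.image.pullPolicy | default .Values.distribution.image.imagePullPolicy }}` keeps existing values files working, or the rename should be listed beside the `podSecurityContext` warning. The migration and main containers also lose the explicit `runAsUser: {{ .Values.common.uid }}` the old securityContext carried; whether the new `containerSecurityContext` default restores it is not visible here.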
@@ -302,7 +296,7 @@ spec: {{- if not .Values.distribution.unifiedSecretInstallation }} name: {{ template "distribution.fullname" . }}-database-creds {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: db-password {{- else if .Values.postgresql.enabled }} @@ -321,7 +315,7 @@ spec: {{- if not .Values.distribution.unifiedSecretInstallation }} name: {{ template "distribution.fullname" . }}-database-creds {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: db-url {{- end }} @@ -334,7 +328,7 @@ spec: {{- else if not .Values.distribution.unifiedSecretInstallation }} name: {{ include "distribution.fullname" . }} {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: redis-password - name: JF_SHARED_REDIS_CONNECTIONSTRING @@ -364,13 +358,10 @@ spec: {{- end }} - name: {{ .Values.router.name }} image: {{ include "distribution.getImageInfoByValue" (list $ "router") }} - imagePullPolicy: {{ .Values.router.image.imagePullPolicy }} - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + imagePullPolicy: {{ .Values.router.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} command: - '/bin/bash' - '-c' 
@@ -415,13 +406,10 @@ spec: {{- end }} - name: {{ .Values.observability.name }} image: {{ include "distribution.getImageInfoByValue" (list . "observability") }} - imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }} - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + imagePullPolicy: {{ .Values.observability.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} command: - '/bin/sh' - '-c' @@ -451,12 +439,9 @@ spec: - name: redis image: {{ include "distribution.getImageInfoByValue" (list $ "redis") }} imagePullPolicy: {{ .Values.redis.image.pullPolicy }} - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.redis.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.redis.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} env: - name: REDIS_REPLICATION_MODE value: master @@ -468,7 +453,7 @@ spec: {{- else if not .Values.distribution.unifiedSecretInstallation }} name: {{ include "distribution.fullname" . }} {{- else }} - name: "{{ template "distribution.name" . }}-unified-secret" + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret {{- end }} key: redis-password - name: REDIS_PORT 
@@ -500,13 +485,11 @@ spec: {{- $mountPath := .Values.distribution.persistence.mountPath }} {{- range .Values.distribution.loggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: {{ include "distribution.getImageInfoByValue" (list $ "logger") }} - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + image: {{ include "distribution.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} command: - 'sh' - '-c' @@ -524,12 +507,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} args: - "-e" - "-E" 
@@ -603,10 +583,11 @@ spec: {{- if and .Values.distribution.unifiedSecretInstallation (eq (include "distribution.checkDuplicateUnifiedCustomVolume" .) "false" ) }} - name: {{ include "distribution.unifiedCustomSecretVolumeName" . }} secret: - secretName: {{ template "distribution.name" . }}-unified-secret + secretName: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret + {{- else if not .Values.distribution.unifiedSecretInstallation }} ############ If single secret installation flag is disable ############ - {{- if and (not .Values.systemYamlOverride.existingSecret) .Values.distribution.systemYaml }} + {{- if and (not .Values.systemYamlOverride.existingSecret) }} - name: systemyaml secret: secretName: {{ printf "%s-%s" (include "distribution.fullname" .) "systemyaml" }} @@ -635,6 +616,11 @@ spec: configMap: name: {{ template "distribution.fullname" . }}-logger {{- end }} + {{- if .Values.newRelic.apm.enabled }} + - name: newrelic-config + configMap: + name: {{ template "distribution.fullname" . }}-newrelic-apm-config + {{- end }} {{- if .Values.filebeat.enabled }} - name: filebeat-config configMap: diff --git a/stable/distribution/templates/distribution-svc.yaml b/stable/distribution/templates/distribution-svc.yaml index c1cc464fe..407aafb49 100644 --- a/stable/distribution/templates/distribution-svc.yaml +++ b/stable/distribution/templates/distribution-svc.yaml @@ -16,6 +16,12 @@ metadata: {{ toYaml .Values.distribution.service.annotations | indent 4 }} {{- end }} spec: + {{- if .Values.distribution.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.distribution.service.ipFamilyPolicy }} + {{- end }} + {{- if not (empty .Values.distribution.service.ipFamilies)}} + ipFamilies: {{- toYaml .Values.distribution.service.ipFamilies | nindent 4 }} + {{- end }} type: {{ .Values.distribution.service.type }} ports: - name: http-distro 
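Review bot: `{{- if and (not .Values.systemYamlOverride.existingSecret) }}` applies `and` to a single operand, which is a no-op; `{{- if not .Values.systemYamlOverride.existingSecret }}` states the condition directly. The same form is introduced in the distribution-unified-secret.yaml hunk later in this diff. Dropping the `.Values.distribution.systemYaml` operand is consistent with system.yaml now coming from files/system.yaml, but this hunk also turns the block into an `else if` branch of the `unifiedSecretInstallation` check whose closing `end` is outside the hunk, so the rendered volumes for both settings are worth checking with `helm template`.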
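Review bot: `{{- if not (empty .Values.distribution.service.ipFamilies)}}` lacks the space before `}}` that every other action in this file uses; `{{- if not (empty .Values.distribution.service.ipFamilies) }}` matches the surrounding style. The guards line up with the `ipFamilyPolicy: ""` and `ipFamilies: []` defaults added to values.yaml in this diff, so nothing is emitted unless a user sets them.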
diff --git a/stable/distribution/templates/distribution-system-yaml.yaml b/stable/distribution/templates/distribution-system-yaml.yaml index 3f994e319..d15f06238 100644 --- a/stable/distribution/templates/distribution-system-yaml.yaml +++ b/stable/distribution/templates/distribution-system-yaml.yaml @@ -12,5 +12,5 @@ metadata: type: Opaque stringData: system.yaml: | -{{ tpl .Values.distribution.systemYaml . | indent 4 }} +{{ include "distribution.finalSystemYaml" . | nindent 4 }} {{- end }} diff --git a/stable/distribution/templates/distribution-unified-secret.yaml b/stable/distribution/templates/distribution-unified-secret.yaml index 95095fea7..3587d55a5 100644 --- a/stable/distribution/templates/distribution-unified-secret.yaml +++ b/stable/distribution/templates/distribution-unified-secret.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: {{ template "distribution.name" . }}-unified-secret + name: {{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret labels: app: "{{ template "distribution.name" $ }}" chart: "{{ template "distribution.chart" $ }}" @@ -12,9 +12,9 @@ metadata: type: Opaque stringData: -{{- if not .Values.systemYamlOverride.existingSecret }} +{{- if and (not .Values.systemYamlOverride.existingSecret) }} system.yaml: | -{{ tpl .Values.distribution.systemYaml . | indent 4 }} +{{ include "distribution.finalSystemYaml" . | nindent 4 }} {{- end }} {{- if .Values.distribution.customSecrets }} diff --git a/stable/distribution/values-large.yaml b/stable/distribution/values-large.yaml deleted file mode 100644 index 0048a2484..000000000 --- a/stable/distribution/values-large.yaml +++ /dev/null @@ -1,22 +0,0 @@ -replicaCount: 4 - -redis: - resources: - requests: - memory: "512Mi" - cpu: "1" - limits: - memory: "2Gi" - cpu: "2" - -distribution: - resources: - requests: - memory: "3Gi" - cpu: "2" - limits: - memory: "9Gi" - cpu: "6" - javaOpts: - xms: "3g" - xmx: "9g" 
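Review bot: `{{ include "distribution.finalSystemYaml" . | nindent 4 }}` starts its output with a newline, so the `system.yaml: |` block scalar now begins with a blank line; the action already sits on its own line at column 0, so `indent 4` (as the removed line used) gives the same layout without the leading empty line. The `distribution.finalSystemYaml` helper is not part of this diff chunk, so the precedence the new values.yaml comments promise (extraSystemYaml over systemYaml over files/system.yaml) cannot be confirmed here. The same `nindent` usage appears in the distribution-unified-secret.yaml hunk below.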
diff --git a/stable/distribution/values-medium.yaml b/stable/distribution/values-medium.yaml deleted file mode 100644 index 82772ac2e..000000000 --- a/stable/distribution/values-medium.yaml +++ /dev/null @@ -1,22 +0,0 @@ -replicaCount: 3 - -redis: - resources: - requests: - memory: "512Mi" - cpu: "1" - limits: - memory: "1Gi" - cpu: "1" - -distribution: - resources: - requests: - memory: "2Gi" - cpu: "1" - limits: - memory: "6Gi" - cpu: "3" - javaOpts: - xms: "2g" - xmx: "6g" diff --git a/stable/distribution/values-small.yaml b/stable/distribution/values-small.yaml deleted file mode 100644 index 9fb57641c..000000000 --- a/stable/distribution/values-small.yaml +++ /dev/null @@ -1,22 +0,0 @@ -replicaCount: 2 - -redis: - resources: - requests: - memory: "512Mi" - cpu: "1" - limits: - memory: "1Gi" - cpu: "1" - -distribution: - resources: - requests: - memory: "1Gi" - cpu: "1" - limits: - memory: "3Gi" - cpu: "2" - javaOpts: - xms: "1g" - xmx: "3g" diff --git a/stable/distribution/values.yaml b/stable/distribution/values.yaml index 1445b9fa9..d927f6bc3 100644 --- a/stable/distribution/values.yaml +++ b/stable/distribution/values.yaml @@ -1,7 +1,7 @@ -# Default values for distribution. -# This is a YAML-formatted file. -# Beware when changing values here. You should know what you are doing! -# Access the values with {{ .Values.key.subkey }} +## Default values for distribution. +## This is a YAML-formatted file. +## Beware when changing values here. You should know what you are doing! +## Access the values with {{ .Values.key.subkey }} global: # imageRegistry: @@ -12,6 +12,7 @@ global: versions: {} # distribution: # router: + # initContainers: # jfrogUrl: # joinKey: # masterKey: 
@@ -36,15 +37,18 @@ global: ## Applies to distribution pods nodeSelector: {} ## String to partially override distribution.fullname template (will maintain the release name) -## # nameOverride: ## String to fully override distribution.fullname template -## # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.1.0.1793 -# Init containers + +## Init containers initContainers: + image: + registry: releases-docker.jfrog.io + repository: ubi9/ubi-minimal + tag: 9.4.949.1716471857 + pullPolicy: IfNotPresent resources: requests: memory: "50Mi" @@ -52,7 +56,7 @@ initContainers: limits: memory: "1Gi" cpu: "1" -# For supporting pulling from private registries +## For supporting pulling from private registries imagePullSecrets: # - myRegistryKeySecretName @@ -67,7 +71,7 @@ systemYamlOverride: existingSecret: ## The dataKey should be the name of the secret data key created. dataKey: -# For HA +## For HA replicaCount: 1 ## Database configurations ## Use the wait-for-db init container. Set to false to skip @@ -90,7 +94,7 @@ rbac: - watch - list networkpolicy: [] -# Allows all ingress and egress +## Allows all ingress and egress # - name: distribution # podSelector: # matchLabels: @@ -99,7 +103,7 @@ networkpolicy: [] # - {} # ingress: # - {} -# Uncomment to allow only distribution pods to communicate with postgresql (if postgresql.enabled is true) +## Uncomment to allow only distribution pods to communicate with postgresql (if postgresql.enabled is true) # - name: postgres # podSelector: # matchLabels: @@ -109,7 +113,7 @@ networkpolicy: [] # - podSelector: # matchLabels: # app: distribution -# Uncomment to allow only distribution pods to communicate with redis +## Uncomment to allow only distribution pods to communicate with redis # - name: redis # podSelector: # matchLabels: 
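Review bot: Replacing the flat `initContainerImage` string with the structured `initContainers.image` map changes the values interface, and a custom-values file that still sets `initContainerImage` is silently ignored rather than rejected. A comment next to the new map such as `## Replaces the removed top-level initContainerImage key; set registry/repository/tag here` plus a changelog entry would make the break visible to upgraders. The rest of this line's hunks only promote `#` comments to `##`.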
@@ -130,7 +134,23 @@ serviceAccount: name: ## Explicitly mounts the API credentials for the Service Account automountServiceAccountToken: false -# PostgreSQL +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## Disable containerSecurityContext for openshift +containerSecurityContext: + enabled: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW +## Disable podSecurityContext for openshift +podSecurityContext: + enabled: true + runAsUser: 1020 + runAsGroup: 1020 + fsGroup: 1020 + # fsGroupChangePolicy: "Always" +## PostgreSQL ## Configuration values for the PostgreSQL dependency sub-chart ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md postgresql: @@ -138,7 +158,7 @@ postgresql: image: registry: releases-docker.jfrog.io repository: bitnami/postgresql - tag: 13.10.0-debian-11-r14 + tag: 15.6.0-debian-11-r16 postgresqlUsername: distribution postgresqlPassword: "" postgresqlDatabase: distribution @@ -160,12 +180,17 @@ postgresql: affinity: {} tolerations: [] resources: {} - # requests: - # memory: "1Gi" - # cpu: "250m" - # limits: - # memory: "2Gi" - # cpu: "1" + ## Disable SecurityContext and containerSecurityContext for openshift + securityContext: + enabled: true + containerSecurityContext: + enabled: true + # requests: + # memory: "1Gi" + # cpu: "250m" + # limits: + # memory: "2Gi" + # cpu: "1" ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), ## specify custom/external database details here database: 
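Review bot: The bundled PostgreSQL default moves from `13.10.0-debian-11-r14` to `15.6.0-debian-11-r16`, which crosses two major versions; a data directory initialised by PostgreSQL 13 is not usable by a 15 server without pg_upgrade or dump/restore, so an in-place `helm upgrade` with `postgresql.enabled=true` on an existing PVC needs a documented migration path rather than a silently changed default, e.g. `## NOTE: major version change from 13.x; existing data must be migrated before upgrading` above `tag:`. Separately, the commented `# requests:`/`# limits:` example has been moved below the new `securityContext` and `containerSecurityContext` keys, so it no longer reads as the example for `resources: {}`; keep the example directly under `resources: {}` and place the security-context keys after it.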
@@ -179,15 +204,15 @@ database: ## If you have existing Kubernetes secrets containing db credentials, use ## these values secrets: {} - # user: - # name: "dis-database-creds" - # key: "db-user" - # password: - # name: "dis-database-creds" - # key: "db-password" - # url: - # name: "dis-database-creds" - # key: "db-url" + # user: + # name: "dis-database-creds" + # key: "db-user" + # password: + # name: "dis-database-creds" + # key: "db-password" + # url: + # name: "dis-database-creds" + # key: "db-url" ## Configuration values for the redis dependency ## ref: https://github.com/helm/charts/blob/master/stable/redis/README.md ## @@ -195,13 +220,12 @@ redis: image: registry: releases-docker.jfrog.io repository: bitnami/redis - tag: 7.2.0-debian-11-r2 + tag: 7.2.4-debian-11-r5 pullPolicy: IfNotPresent port: 6379 password: "" ## Alternatively, you can use a pre-existing secret with a key called redis-password by specifying existingSecret # existingSecret: - uid: 1001 disableCommands: "FLUSHDB,FLUSHALL" persistence: enabled: true @@ -212,23 +236,24 @@ redis: ## If defined, PVC must be created manually before volume will be bound # existingClaim: accessMode: ReadWriteOnce + ## Disable containerSecurityContext for openshift + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsGroup: 0 resources: {} - # requests: - # memory: "256Mi" - # cpu: "100m" - # limits: - # memory: "2Gi" - # cpu: "250m" + # requests: + # memory: "256Mi" + # cpu: "100m" + # limits: + # memory: "2Gi" + # cpu: "250m" nodeSelector: {} tolerations: [] affinity: {} common: - uid: 1020 - gid: 1020 - # fsGroupChangePolicy: "Always" - - # Spread Distribution pods evenly across your nodes or some other topology + ## Spread Distribution pods evenly across your nodes or some other topology topologySpreadConstraints: [] # - maxSkew: 1 # topologyKey: kubernetes.io/hostname 
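Review bot: The new `redis.containerSecurityContext` default carries only `runAsUser`/`runAsGroup`, while the statefulset hunk earlier in this diff replaced a hard-coded block that also set `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and dropped `NET_RAW`; with these defaults the redis container is rendered without those three settings on every install and upgrade. Adding them to the default map restores the previous posture and still lets OpenShift users disable the whole block with `enabled: false`. `runAsGroup: 0` is also new here (the removed `uid: 1001` set no group), so a comment stating why GID 0 is required would help.
```yaml
  containerSecurityContext:
    enabled: true
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - NET_RAW
```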
@@ -242,97 +267,87 @@ common: ## Custom command to run before distribution startup. Runs BEFORE any microservice-specific preStartCommand preStartCommand: ## Add custom volumes - # If .Values.distribution.unifiedSecretInstallation is true then secret name should be '{{ template "distribution.name" . }}-unified-secret'. - customVolumes: "" - # - name: custom-script - # configMap: - # name: custom-script - + ## If .Values.distribution.unifiedSecretInstallation is true then secret name should be '{{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret'. + customVolumes: | + # - name: custom-script + # configMap: + # name: custom-script ## Add custom volumesMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: /scripts/script.sh - # subPath: script.sh - - # Add any list of configmaps to distribution - configMaps: "" - # posthook-start.sh: |- - # echo "This is a post start script" - # posthook-end.sh: |- - # echo "This is a post end script" - + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + ## Add any list of configmaps to distribution + configMaps: | + # posthook-start.sh: |- + # echo "This is a post start script" + # posthook-end.sh: |- + # echo "This is a post end script" ## Add custom init containers execution before predefined init containers - customInitContainersBegin: "" - # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.distribution.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'touch {{ .Values.distribution.persistence.mountPath }}/example-custom-setup' - # volumeMounts: - # - mountPath: "{{ .Values.distribution.persistence.mountPath }}" - # name: distribution-data - + customInitContainersBegin: | + # - name: "custom-setup" + # image: {{ include 
"distribution.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'touch {{ .Values.distribution.persistence.mountPath }}/example-custom-setup' + # volumeMounts: + # - mountPath: "{{ .Values.distribution.persistence.mountPath }}" + # name: distribution-data ## Add custom init containers execution after predefined init containers - customInitContainers: "" - # - name: "custom-systemyaml-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.distribution.image.pullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'curl -o {{ .Values.distribution.persistence.mountPath }}/etc/system.yaml https:///systemyaml' - # volumeMounts: - # - mountPath: "{{ .Values.distribution.persistence.mountPath }}" - # name: distribution-data - + customInitContainers: | + # - name: "custom-systemyaml-setup" + # image: {{ include "distribution.getImageInfoByValue" (list . 
"initContainers") }} + # imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'curl -o {{ .Values.distribution.persistence.mountPath }}/etc/system.yaml https:///systemyaml' + # volumeMounts: + # - mountPath: "{{ .Values.distribution.persistence.mountPath }}" + # name: distribution-data ## Add custom sidecar containers - # - The provided example uses a custom volume (customVolumes) - customSidecarContainers: "" - # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'sh /scripts/script.sh' - # volumeMounts: - # - mountPath: "{{ .Values.distribution.persistence.mountPath }}" - # name: volume - # - mountPath: "/scripts/script.sh" - # name: custom-script - # subPath: script.sh - # resources: - # requests: - # memory: "32Mi" - # cpu: "50m" - # limits: - # memory: "128Mi" - # cpu: "100m" -logger: - image: - registry: releases-docker.jfrog.io - repository: ubi9/ubi-minimal - tag: 9.1.0.1793 + ## - The provided example uses a custom volume (customVolumes) + customSidecarContainers: | + # - name: "sidecar-list-etc" + # image: {{ include "distribution.getImageInfoByValue" (list . 
"initContainers") }} + # imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" + # securityContext: + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW + # command: + # - 'sh' + # - '-c' + # - 'sh /scripts/script.sh' + # volumeMounts: + # - mountPath: "{{ .Values.distribution.persistence.mountPath }}" + # name: volume + # - mountPath: "/scripts/script.sh" + # name: custom-script + # subPath: script.sh + # resources: + # requests: + # memory: "32Mi" + # cpu: "50m" + # limits: + # memory: "128Mi" + # cpu: "100m" distribution: name: distribution ## Note that by default we use appVersion to get image tag/version @@ -340,13 +355,16 @@ distribution: registry: releases-docker.jfrog.io repository: jfrog/distribution-distribution # tag: - imagePullPolicy: IfNotPresent - # unifiedSecretInstallation flag enables single unified secret holding all the distribution secrets + pullPolicy: IfNotPresent + ## unifiedSecretInstallation flag enables single unified secret holding all the distribution internal(chart) secrets, It won't be affecting external secrets. + ## Note: unifiedSecretInstallation flag is enabled by true by default from chart version 102.23.0, Users can switch to false to continue with the old way of secret creation. unifiedSecretInstallation: true + ## unifiedSecretPrependReleaseName Set this flag to false if unifiedSecret should not be created with prepended. + unifiedSecretPrependReleaseName: true ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ schedulerName: - # Create a priority class for the Distribution pod or use an existing one - # NOTE - Maximum allowed value of a user defined priority is 1000000000 + ## Create a priority class for the Distribution pod or use an existing one + ## NOTE - Maximum allowed value of a user defined priority is 1000000000 priorityClass: create: false value: 1000000000 
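Review bot: `distribution.image.imagePullPolicy` is renamed to `pullPolicy` with no fallback (the router and observability sections later in this diff do the same, and the observability template hunk earlier in this diff already reads `.image.pullPolicy`), so a custom-values file that still sets `imagePullPolicy` is ignored and the container renders `imagePullPolicy:` empty, falling back to the kubelet default. The rename should be stated in the chart changelog, or a `## renamed from imagePullPolicy` comment placed on the `pullPolicy:` line. The commented custom-container examples still hard-code a `securityContext` block instead of pointing at the new `containerSecurityContext`, which is acceptable for examples but worth a one-line note so the two stay in sync. The `unifiedSecretPrependReleaseName` comment is hard to parse; `## Set to false to keep the unified secret name without the release-name prefix` would be clearer.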
@@ -355,7 +373,7 @@ distribution: ## Use an existing priority class # existingPriorityClass: labels: {} - # Add lifecycle hooks for the distribution pods + ## Add lifecycle hooks for the distribution pods lifecycle: {} # postStart: # exec: 
@@ -399,61 +417,52 @@ distribution: # - name: JF_DISTRIBUTION_DATABASE_URL # value: "jdbc:postgresql://localhost:5432/distribution" - systemYaml: | - router: - serviceRegistry: - insecure: {{ .Values.router.serviceRegistry.insecure }} - shared: - logging: - consoleLog: - enabled: {{ .Values.distribution.consoleLog }} - jfrogUrl: "{{ tpl (required "\n\ndistribution.jfrogUrl or global.jfrogUrl is required! This allows to connect to Artifactory.\nYou can copy the JFrog URL from Administration > User Management > Settings > Connection details" (include "distribution.jfrogUrl" .)) . }}" - database: - {{- if .Values.postgresql.enabled }} - type: "postgresql" - driver: "org.postgresql.Driver" - username: "{{ .Values.postgresql.postgresqlUsername }}" - url: "postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}" - {{ else }} - type: "{{ .Values.database.type }}" - driver: "{{ .Values.database.driver }}" - {{- end }} - distribution: - extraJavaOpts: > - {{- with .Values.distribution.javaOpts }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} + ## System YAML entries now reside under files/system.yaml. + ## You can provide the specific values that you want to add or override under 'distribution.extraSystemYaml'. + ## For example: + ## extraSystemYaml: + ## shared: + ## node: + ## id: my-instance + ## The entries provided under 'distribution.extraSystemYaml' are merged with files/system.yaml to create the final system.yaml. 
+ ## If you have already provided system.yaml under, 'distribution.systemYaml', the values in that entry take precedence over files/system.yaml + ## You can modify specific entries with your own value under `distribution.extraSystemYaml`, The values under extraSystemYaml overrides the values under 'distribution.systemYaml' and files/system.yaml + extraSystemYaml: {} + ## systemYaml is intentionally commented and the previous content has been moved under files/system.yaml. + ## You have to add the all entries of the system.yaml file here, and it overrides the values in files/system.yaml. + # systemYaml: service: type: ClusterIP + ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) + ## This can be either SingleStack, PreferDualStack or RequireDualStack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilyPolicy: "" + ## @param service.ipFamilies Controller Service ipFamilies (optional, cloud specific) + ## This can be either ["IPv4"], ["IPv6"], ["IPv4", "IPv6"] or ["IPv6", "IPv4"] + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ## + ipFamilies: [] statefulset: annotations: {} ## Add custom volumeMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: "/scripts/script.sh" - # subPath: script.sh - - # Add custom secrets - secret per file - # If .Values.distribution.unifiedSecretInstallation is true then secret name should be '{{ template "distribution.name" . }}-unified-secret'. + customVolumeMounts: | + # - name: custom-script + # mountPath: "/scripts/script.sh" + # subPath: script.sh + ## Add custom secrets - secret per file + ## If .Values.distribution.unifiedSecretInstallation is true then secret name should be '{{ template "distribution.unifiedSecretPrependReleaseName" . }}-unified-secret'. 
customSecrets: - # - name: custom-secret - # key: custom-secret.yaml - # data: > - # custom_secret_config: - # parameter1: value1 - # parameter2: value2 - # - name: custom-secret2 - # key: custom-secret2.config - # data: | - # here the custom secret 2 config + # - name: custom-secret + # key: custom-secret.yaml + # data: > + # custom_secret_config: + # parameter1: value1 + # parameter2: value2 + # - name: custom-secret2 + # key: custom-secret2.config + # data: | + # here the custom secret 2 config resources: {} # requests: @@ -531,7 +540,7 @@ distribution: # - observability-request.log # - observability-service.log - # Loggers containers resources + ## Loggers containers resources loggersResources: {} # requests: # memory: "64Mi" @@ -553,8 +562,8 @@ router: image: registry: releases-docker.jfrog.io repository: jfrog/router - tag: 7.73.0 - imagePullPolicy: IfNotPresent + tag: 7.118.0 + pullPolicy: IfNotPresent serviceRegistry: ## Service registry (Access) TLS verification skipped if enabled insecure: false @@ -562,14 +571,14 @@ router: externalPort: 8082 tlsEnabled: false resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" - # Add lifecycle hooks for the router pod + ## Add lifecycle hooks for the router pod lifecycle: {} # postStart: # exec: @@ -579,11 +588,10 @@ router: # command: ["/bin/sh", "-c", "echo Hello from the router preStart handler > /usr/share/message"] ## Add custom volumesMounts - customVolumeMounts: "" - # - name: custom-script - # mountPath: /scripts/script.sh - # subPath: script.sh - + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh livenessProbe: enabled: true config: | 
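Review bot: The `@param` lines for the new dual-stack keys read `service.ipFamilyPolicy Controller Service ipFamilyPolicy`, which looks copied from an ingress-controller chart: the key path in this file is `distribution.service.ipFamilyPolicy` and it configures the Distribution service, so `## @param distribution.service.ipFamilyPolicy Distribution Service ipFamilyPolicy (optional, cloud specific)` (and the same for `ipFamilies`) would be accurate. The `extraSystemYaml` comment block would also read better as a single precedence statement, `## Precedence: distribution.extraSystemYaml > distribution.systemYaml > files/system.yaml`, in place of the three overlapping sentences. Whether that order is what `distribution.finalSystemYaml` implements cannot be checked from this diff chunk.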
@@ -634,18 +642,18 @@ observability: image: registry: releases-docker.jfrog.io repository: jfrog/observability - tag: 1.13.6 - imagePullPolicy: IfNotPresent + tag: 1.29.0 + pullPolicy: IfNotPresent internalPort: 8036 resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "1" - # Add lifecycle hooks for the observability pod + ## Add lifecycle hooks for the observability pod lifecycle: {} # postStart: # exec: @@ -684,7 +692,7 @@ observability: shared: node: id: -# Filebeat Sidecar container +## Filebeat Sidecar container ## The provided filebeat configuration is for Distribution logs. It assumes you have a logstash installed and configured properly. filebeat: enabled: false @@ -719,12 +727,12 @@ filebeat: periodSeconds: 10 timeoutSeconds: 5 resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "100Mi" - # cpu: "100m" + # requests: + # memory: "100Mi" + # cpu: "100m" + # limits: + # memory: "100Mi" + # cpu: "100m" filebeatYml: | logging.level: info @@ -748,17 +756,17 @@ filebeat: ## Allows to add additional kubernetes resources ## Use --- as a separator between multiple resources additionalResources: "" -# Adding entries to a Pod's /etc/hosts file -# For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases +## Adding entries to a Pod's /etc/hosts file +## For an example, refer - https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases hostAliases: [] -# - ip: "127.0.0.1" -# hostnames: -# - "foo.local" -# - "bar.local" -# - ip: "10.1.2.3" -# hostnames: -# - "foo.remote" -# - "bar.remote" +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" +# - ip: "10.1.2.3" +# hostnames: +# - "foo.remote" +# - "bar.remote" ## Specify common probes parameters probes: 
@@ -777,3 +785,15 @@ serviceMonitor: kubePromFullName: "" namespaceSelector: {} selector: {} +## @param newRelic Specify NewRelic APM integration settings +## https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/ +newRelic: + apm: + enabled: false + appName: "" + version: 8.6.0 + licenseKey: "" + logLevel: info + downloadUrl: https://download.newrelic.com + downloadPath: newrelic/java-agent/newrelic-agent/{{ .Values.newRelic.apm.version }} + downloadFile: newrelic-agent-{{ .Values.newRelic.apm.version }}.jar diff --git a/stable/insight/.helmignore b/stable/insight/.helmignore index c7eb1e274..b6e97f07f 100644 --- a/stable/insight/.helmignore +++ b/stable/insight/.helmignore @@ -19,4 +19,6 @@ .project .idea/ *.tmproj -OWNERS \ No newline at end of file +OWNERS + +tests/ \ No newline at end of file diff --git a/stable/insight/CHANGELOG.md b/stable/insight/CHANGELOG.md index 80354d75d..7c622888b 100644 --- a/stable/insight/CHANGELOG.md +++ b/stable/insight/CHANGELOG.md @@ -1,7 +1,10 @@ # JFrog Insights Chart Changelog All changes to this chart will be documented in this file. -## [101.15.4] - Mar 21, 2023 +## [101.16.12] - Oct 17, 2023 +* Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) + +## [101.15.0] - Sep 18, 2023 * Updated postgresql multi-arch tag version to `13.10.0-debian-11-r14` ## [101.14.0] - Mar 02, 2023 diff --git a/stable/insight/Chart.yaml b/stable/insight/Chart.yaml index 79446a5d2..e709ac668 100644 --- a/stable/insight/Chart.yaml +++ b/stable/insight/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.15.4 +appVersion: 1.16.12 dependencies: - condition: postgresql.enabled name: postgresql @@ -19,4 +19,4 @@ name: insight sources: - https://github.com/jfrog/charts type: application -version: 101.15.4 +version: 101.16.12 
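Review bot: `newRelic.apm.licenseKey: ""` puts a credential directly in values.yaml, while the rest of this chart references credentials through existing Secrets (`systemYamlOverride.existingSecret`, `redis.existingSecret`, `database.secrets`); an `existingSecret`/`key` pair for the licence key would keep it out of plain values and Helm release history. `downloadPath` and `downloadFile` embed `{{ .Values.newRelic.apm.version }}` and therefore only work if the consuming template passes them through `tpl`, which is not visible in this chunk; a comment saying so would avoid surprises. The agent jar is fetched from `downloadUrl` at runtime and the fetch logic is outside this diff, so whether the download is integrity-checked cannot be confirmed here; pinning a checksum alongside `version` would be the defensible default.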
diff --git a/stable/insight/ci/test-values.yaml b/stable/insight/ci/test-values.yaml index 0c94b3b57..fe40cef2f 100644 --- a/stable/insight/ci/test-values.yaml +++ b/stable/insight/ci/test-values.yaml @@ -5,7 +5,7 @@ unifiedUpgradeAllowed: true databaseUpgradeReady: true insightServer: jfrogUrl: http://artifactory.rt:8082 - unifiedSecretInstallation: true + unifiedSecretInstallation: false openMetrics: enabled: true extraEnvironmentVariables: diff --git a/stable/insight/templates/insight-statefulset.yaml b/stable/insight/templates/insight-statefulset.yaml index 3bdc10f73..ad10a4c48 100644 --- a/stable/insight/templates/insight-statefulset.yaml +++ b/stable/insight/templates/insight-statefulset.yaml @@ -47,8 +47,8 @@ spec: {{- else }} checksum/insightServer-unified-secret: {{ include (print $.Template.BasePath "/insightServer-unified-secret.yaml") . | sha256sum }} {{- end }} - {{- range $key, $value := .Values.insightServer.annotations }} - {{ $key }}: {{ $value | quote }} + {{- with .Values.insightServer.annotations }} +{{ toYaml . | indent 8 }} {{- end }} spec: {{- if .Values.insightServer.schedulerName }} diff --git a/stable/insight/values.yaml b/stable/insight/values.yaml index ef6b4fc47..bb72dd2a4 100644 --- a/stable/insight/values.yaml +++ b/stable/insight/values.yaml @@ -40,7 +40,7 @@ global: ## Fully override insight.fullname template # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.1.0.1793 +initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106 # For supporting pulling from private registries imagePullSecrets: # - myRegistryKeySecretName @@ -396,7 +396,7 @@ logger: image: registry: releases-docker.jfrog.io repository: ubi9/ubi-minimal - tag: 9.1.0.1793 + tag: 9.2.750.1697534106 insightServer: name: insight-server ## Note that by default we use appVersion to get image tag/version 
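Review bot: Switching the pod annotations from `{{ $key }}: {{ $value | quote }}` to `toYaml . | indent 8` drops the quoting, so a values entry such as `some/annotation: true` or `retries: 10` now renders a bare boolean or integer, which the API server rejects because annotation values must be strings; the removed loop coerced them. Either keep the range with `quote`, or add `## values must be quoted strings` next to `insightServer.annotations`. The `toYaml` line at column 0 relies on `indent 8` matching the `annotations:` nesting, which looks right for this template.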
@@ -727,7 +727,7 @@ router: image: registry: releases-docker.jfrog.io repository: jfrog/router - tag: 7.78.0 + tag: 7.87.0 imagePullPolicy: IfNotPresent serviceRegistry: ## Service registry (Access) TLS verification skipped if enabled diff --git a/stable/jfrog-platform/.helmignore b/stable/jfrog-platform/.helmignore index d5c2e4aab..fa55f6aa1 100644 --- a/stable/jfrog-platform/.helmignore +++ b/stable/jfrog-platform/.helmignore @@ -22,4 +22,5 @@ *.tmproj .vscode/ -logo/ \ No newline at end of file +logo/ +tests/ \ No newline at end of file diff --git a/stable/jfrog-platform/CHANGELOG.md b/stable/jfrog-platform/CHANGELOG.md index 6d9e72b42..317a4fcea 100644 --- a/stable/jfrog-platform/CHANGELOG.md +++ b/stable/jfrog-platform/CHANGELOG.md 
@@ -1,6 +1,116 @@ # JFrog Platform Chart Changelog (GA releases only) All changes to this chart will be documented in this file. +## [10.19.5] - Sep 11, 2024 +* Update dependency artifactory chart version to 107.90.10 +* Update dependency xray chart version to 103.104.8 + +## [10.19.4] - Aug 28, 2024 +* Update dependency artifactory chart version to 107.90.9 +* Update dependency xray chart version to 103.103.6 + +## [10.19.3] - Aug 16, 2024 +* Update dependency artifactory chart version to 107.90.8 +* Update dependency xray chart version to 103.102.3 +* Update global.versions.router version to `7.124.1` + +## [10.19.2] - Aug 9, 2024 +* Update dependency artifactory chart version to 107.90.7 +* Update global.versions.router version to `7.124.0` + +## [10.19.1] - Aug 6, 2024 +* Update dependency artifactory chart version to 107.90.6 +* Update dependency xray chart version to 103.101.5 + +## [10.19.0] - Jul 25, 2024 +* **Important change:** +* Mission Control is also disabled by default now, if you are using this product from previous release, enable them using your custom-values.yaml file. 
+* Update dependency artifactory chart version to 107.90.5 +* Update dependency xray chart version to 103.100.3 +* Update global.versions.router version to `7.122.1` + +## [10.18.3] - Jul 15, 2024 +* Update dependency artifactory chart version to 107.84.17 +* Update dependency xray chart version to 103.98.5 + +## [10.18.2] - June 12, 2024 +* Update dependency artifactory chart version to 107.84.14 +* Update dependency xray chart version to 103.96.1 +* Fixed an issue related to chart artifactory fullname + +## [10.18.1] - May 26, 2024 +* Update dependency artifactory chart version to 107.84.12 +* Update dependency xray chart version to 103.95.7 +* Fixed an issue related to chart fullname when unifiedSecretInstallation is set to false [GH-1882](https://github.com/jfrog/charts/issues/1882) + +## [10.18.0] - May 12, 2024 +* **Important change:** +* Distribution, Insight and Pipelines are disabled by default, if you are using these products from previous release, enable them using your custom-values.yaml file. +* Added `preUpgradeHook.enabled` flag defaults to true to check if previous Distribution, Insight and Pipelines releases exists +* Update postgresql tag version to `15.6.0-debian-11-r16` +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! 
+* If this is an upgrade and you are using the default bundles PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x/13.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true +* Added suppport for `global.imageRegistry` for initContainers +* Updated rabbitmq tag version to `3.12.10-debian-11-r1` +* Added default resources for postgres-setup-init, pre-upgrade-check and rabbitmq's migration pre-upgrade-container container +* Enabled `unifiedSecretInstallation` to true by default,which enables single unified secret holding all of each product secrets +* Update dependency artifactory chart version to 107.84.10 +* Update dependency xray chart version to 103.94.6 + +## [10.17.4] - May 2, 2024 +* Update dependency artifactory chart version to 107.77.11 +* Update dependency xray chart version to 103.94.5 +* Update dependency distribution chart version to 102.24.0 +* Update global.versions.router version to `7.108.0` + +## [10.17.3] - Mar 14, 2024 +* Add missing IF statement in `NOTES.txt` +* Update dependency artifactory chart version to 107.77.7 +* Update dependency xray chart version to 103.91.3 + +## [10.17.3] - Mar 14, 2024 +* Add missing IF statement in `NOTES.txt` +* Update dependency artifactory chart version to 107.77.7 +* Update dependency xray chart version to 103.91.3 + +## [10.17.1] - Feb 29, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install +* Updated `artifactory.installerInfo` content + +## [10.17.0] - Jan 24, 2023 +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml +* Removed "Waiting for artifactory to start" conditional check in `postgres-setup-init` init container +* Update pipelines to use its internal redis chart +* Removed obsolete dependency redis chart from chart.yaml +* Update `global.database.initContainerImagePullPolicy` to `IfNotPresent` +* Updated the chart Notes.txt content +* Fix the pre-upgrade-hook for rabbitmq 
migration +* Update dependency artifactory chart version to 107.77.3 +* Update dependency xray chart version to 103.87.9 +* Update dependency distribution chart version to 102.22.1 +* Update dependency insight chart version to 101.16.6 +* Update dependency pipelines chart version to 101.53.4 +* Update global.versions.router version to `7.95.0` + +## [10.16.5] - Jan 05, 2024 +* Update dependency artifactory chart version to 107.71.11 +* Update dependency xray chart version to 103.86.10 +* Update dependency insight chart version to 101.16.5 +* Update global.versions.router version to `7.91.0` + +## [10.16.4] - Dec 21, 2023 +* Update dependency artifactory chart version to 107.71.9 +* Update dependency xray chart version to 103.86.9 +* Update dependency distribution chart version to 102.21.3 + +## [10.16.3] - Dec 6, 2023 +* Update dependency artifactory chart version to 107.71.5 +* Update dependency xray chart version to 103.86.4 +* Update dependency insight chart version to 101.16.2 +* Update global.versions.router version to `7.87.0` +* Fixed an issue to use custom postgres DB port other than default 5432 + ## [10.16.2] - Nov 10, 2023 * Update dependency artifactory chart version to 107.71.4 * Update dependency xray chart version to 103.85.5 diff --git a/stable/jfrog-platform/Chart.lock b/stable/jfrog-platform/Chart.lock index 2db93c8c3..9d8718838 100644 --- a/stable/jfrog-platform/Chart.lock +++ b/stable/jfrog-platform/Chart.lock 
@@ -5,23 +5,20 @@ dependencies: - name: rabbitmq repository: https://charts.jfrog.io/ version: 11.9.3 -- name: redis - repository: https://charts.jfrog.io/ - version: 12.10.1 - name: artifactory repository: https://charts.jfrog.io/ - version: 107.71.4 + version: 107.90.10 - name: xray repository: https://charts.jfrog.io/ - version: 103.85.5 + version: 103.104.8 - name: distribution repository: https://charts.jfrog.io/ - version: 102.20.3 + version: 102.26.1 - name: insight repository: https://charts.jfrog.io/ - version: 101.15.4 + version: 101.16.7 - name: pipelines repository: https://charts.jfrog.io/ - version: 101.44.5 -digest: sha256:15d219e1983ce1ab5c8d759f2814c645ab359c4e779a9e0c79b3caa529945d31 -generated: "2023-11-09T11:25:20.649655+05:30" + version: 101.59.7 +digest: sha256:fb50efce66803cefab39d3efc0a32c0842b97703a8bec572453b2217a56d8934 +generated: "2024-09-11T16:49:29.381655+02:00" diff --git a/stable/jfrog-platform/Chart.yaml b/stable/jfrog-platform/Chart.yaml index e22bd3174..2ff280b6f 100644 --- a/stable/jfrog-platform/Chart.yaml +++ b/stable/jfrog-platform/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.71.4 +appVersion: 7.90.10 dependencies: - condition: postgresql.enabled name: postgresql 
@@ -9,30 +9,26 @@ dependencies: name: rabbitmq repository: https://charts.jfrog.io/ version: 11.9.3 -- condition: redis.enabled - name: redis - repository: https://charts.jfrog.io/ - version: 12.10.1 - condition: artifactory.enabled name: artifactory repository: https://charts.jfrog.io/ - version: 107.71.4 + version: 107.90.10 - condition: xray.enabled name: xray repository: https://charts.jfrog.io/ - version: 103.85.5 + version: 103.104.8 - condition: distribution.enabled name: distribution repository: https://charts.jfrog.io/ - version: 102.20.3 + version: 102.26.1 - condition: insight.enabled name: insight repository: https://charts.jfrog.io/ - version: 101.15.4 + version: 101.16.7 - condition: pipelines.enabled name: pipelines repository: https://charts.jfrog.io/ - version: 101.44.5 + version: 101.59.7 description: The Helm chart for JFrog Platform (Universal, hybrid, end-to-end DevOps automation) home: https://jfrog.com/platform/ @@ -43,11 +39,10 @@ keywords: - xray - distribution - insight -- pdn-server - pipelines - jfrog - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -55,4 +50,4 @@ name: jfrog-platform sources: - https://github.com/jfrog/charts type: application -version: 10.16.2 +version: 10.19.5 diff --git a/stable/jfrog-platform/README.md b/stable/jfrog-platform/README.md index 8897667ec..ae922e05a 100644 --- a/stable/jfrog-platform/README.md +++ b/stable/jfrog-platform/README.md @@ -4,7 +4,7 @@ ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ * Artifactory Enterprise(+) trial license [get one from here](https://jfrog.com/platform/free-trial/) or Pro trial license [get one from here](https://www.jfrog.com/artifactory/free-trial/) ## Chart Details 
@@ -13,7 +13,6 @@ This chart will do the following: * Deploy JFrog Platform (artifactory, xray, distribution, insight and pipelines). Fully customizable. * Deploy a PostgreSQL database using the bitnami/postgresql chart (can be changed) **NOTE:** For production grade installations it is recommended to use an external PostgreSQL. * Deploy a Rabbitmq using the bitnami/rabbitmq chart (can be changed) -* Deploy a Redis using the bitnami/redis chart (can be changed) * Deploy an optional Nginx server ## Installing the Chart @@ -30,7 +29,7 @@ helm repo update ### Install Chart To install the chart with the release name `jfrog-platform` ```bash -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform +helm upgrade --install jfrog-platform jfrog/jfrog-platform --namespace jfrog-platform --create-namespace ``` ### High Availability @@ -38,7 +37,7 @@ helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-pla For **high availability** of Artifactory, set the replica count to be equal or higher than **2**. Recommended is **3**. ```bash # Start artifactory with 3 replicas per service -helm upgrade --install jfrog-platform --namespace jfrog-platform --set artifactory.artifactory.replicaCount=3 +helm upgrade --install jfrog-platform --set artifactory.artifactory.replicaCount=3 --namespace jfrog-platform --create-namespace ``` ### Install Artifactory license 
@@ -73,7 +72,7 @@ artifactory: ``` ```bash # Apply the values file during install -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform -f customvalues.yaml +helm upgrade --install jfrog-platform jfrog/jfrog-platform -f customvalues.yaml --namespace jfrog-platform --create-namespace ``` **NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). Updating the license should be done via Artifactory UI or REST API. @@ -96,7 +95,7 @@ artifactory: ``` ```bash -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform -f customvalues.yaml +helm upgrade --install jfrog-platform jfrog/jfrog-platform -f customvalues.yaml --namespace jfrog-platform --create-namespace ``` **NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). Updating the license should be done via Artifactory UI or REST API. 
@@ -109,18 +108,19 @@ This chart would provide flexibility to enable one or more of the jfrog products 2. Distribution 3. Insight 4. Pipelines -5. PDN server -For example to enable xray and insight with artifactory, you can refer the following yaml and pass it during install. +For example to enable distribution, insight and pipelines with artifactory, you can refer the following yaml and pass it during install. customvalues.yaml ```yaml -xray: +distribution: enabled: true insight: enabled: true +pipelines: + enabled: true ```` ```bash -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform -f customvalues.yaml +helm upgrade --install jfrog-platform jfrog/jfrog-platform -f customvalues.yaml --namespace jfrog-platform --create-namespace ``` ### Uninstalling Jfrog Platform chart. diff --git a/stable/jfrog-platform/ci/platform-ha-values.yaml b/stable/jfrog-platform/ci/platform-ha-values.yaml index 9ba8b0b40..1f59538cd 100644 --- a/stable/jfrog-platform/ci/platform-ha-values.yaml +++ b/stable/jfrog-platform/ci/platform-ha-values.yaml @@ -10,7 +10,7 @@ artifactory: persistence: enabled: false xray: - replicaCount: 2 + replicaCount: 1 common: persistence: enabled: false @@ -35,10 +35,6 @@ pipelines: pipelines: replicaCount: 2 -pdnServer: - enabled: true - replicaCount: 2 - rabbitmq: replicaCount: 3 persistence: diff --git a/stable/jfrog-platform/ci/rt-ha-values.yaml b/stable/jfrog-platform/ci/rt-ha-values.yaml deleted file mode 100644 index 142b39ca7..000000000 --- a/stable/jfrog-platform/ci/rt-ha-values.yaml +++ /dev/null 
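Review bot: `xray.replicaCount` drops from 2 to 1 in `ci/platform-ha-values.yaml`, so the CI values file named for high availability no longer exercises a multi-replica Xray and a regression in that path would pass CI unnoticed. If this is a deliberate cap on CI resources, say so inline so nobody bumps it back by accident: `replicaCount: 1  # single replica in CI only; xray HA is not exercised here`. Otherwise the value should stay at 2 to match the rest of the file.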
@@ -1,37 +0,0 @@ -# If this is an upgrade over an existing platform chart , explicitly pass 'gaUpgradeReady=true' to upgrade -gaUpgradeReady: true - -postgresql: - persistence: - enabled: false -artifactory: - artifactory: - replicaCount: 3 - persistence: - enabled: false -xray: - common: - persistence: - enabled: false -distribution: - distribution: - persistence: - enabled: false - redis: - persistence: - enabled: false -insight: - insightServer: - persistence: - enabled: false - elasticsearch: - persistence: - enabled: false - -rabbitmq: - persistence: - enabled: false -redis: - master: - persistence: - enabled: false diff --git a/stable/jfrog-platform/files/setupPostgres.sh b/stable/jfrog-platform/files/setupPostgres.sh index 3a7c879f8..69cd53661 100644 --- a/stable/jfrog-platform/files/setupPostgres.sh +++ b/stable/jfrog-platform/files/setupPostgres.sh @@ -115,7 +115,7 @@ setupDB(){ ## Set Postgres options [[ -z "${POSTGRES_PATH}" ]] && PSQL=psql || PSQL=${POSTGRES_PATH}/psql -POSTGRES_OPTIONS="sslmode=${DB_SSL_MODE} --host=${DB_HOST} -U ${PGUSERNAME} -w" +POSTGRES_OPTIONS="sslmode=${DB_SSL_MODE} --host=${DB_HOST} -p ${DB_PORT} -U ${PGUSERNAME} -w" init diff --git a/stable/jfrog-platform/logo/jfrog-platform-logo.png b/stable/jfrog-platform/logo/jfrog-platform-logo.png deleted file mode 100644 index 0e696ee3a..000000000 Binary files a/stable/jfrog-platform/logo/jfrog-platform-logo.png and /dev/null differ diff --git a/stable/jfrog-platform/templates/NOTES.txt b/stable/jfrog-platform/templates/NOTES.txt index e3841ab73..c4f7cc18f 100644 --- a/stable/jfrog-platform/templates/NOTES.txt +++ b/stable/jfrog-platform/templates/NOTES.txt 
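Review bot: The new `-p ${DB_PORT}` in `POSTGRES_OPTIONS` is unguarded: the expansion is unquoted, so an unset or empty `DB_PORT` makes the shell drop the argument and psql then reads the following `-U` as the port value, failing the whole DB setup on deployments that never exported a port. Defaulting at the point of use keeps the previous behaviour for such callers: `POSTGRES_OPTIONS="sslmode=${DB_SSL_MODE} --host=${DB_HOST} -p ${DB_PORT:-5432} -U ${PGUSERNAME} -w"`. Where `DB_PORT` is populated is outside the hunk, so this matters only if the caller does not already guarantee a value; the surrounding script continues outside the hunk as well.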
@@ -1,65 +1,59 @@ -Congratulations. You have just deployed JFrog Platform Chart with following products: - +Congratulations, you have just deployed JFrog Platform Chart with the following products:{{- if .Values.artifactory.enabled }} Artifactory{{- end }}{{- if .Values.xray.enabled }}, Xray {{- end }}{{- if .Values.distribution.enabled }}, Distribution{{- end }}{{- if index .Values "insight" "enabled" }}, Insight{{- end }}{{- if .Values.pipelines.enabled }}, Pipelines{{- end }} {{- if .Values.artifactory.enabled }} -- artifactory -{{- end }} - -{{- if .Values.xray.enabled }} -- xray -{{- end }} +--------------------------------------------------------------------------------------------------------------------------------------------------- +Instructions for accessing the JFrog Platform +--------------------------------------------------------------------------------------------------------------------------------------------------- -{{- if index .Values "insight" "enabled" }} -- insight -{{- end }} +1. The JFrog Platform Chart is being deployed. This process may take up to 10 minutes, depending on your internet connection speed. + You can monitor the deployment status by running the following command: -{{- if .Values.distribution.enabled }} -- distribution -{{- end }} + $ kubectl get pods -w --namespace {{ .Release.Namespace }} -{{- if .Values.pipelines.enabled }} -- pipelines -{{- end }} - -{{- if .Values.artifactory.enabled }} - -1. Get the Artifactory URL by running these commands: +2. Retrieve the JFrog Platform URL: {{- if .Values.artifactory.ingress.enabled }} {{- range .Values.artifactory.ingress.hosts }} http://{{ . }} {{- end }} - + {{- else if contains "NodePort" .Values.artifactory.nginx.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "call-nested" (list . 
"artifactory" "artifactory.nginx.fullname") }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT/ + $ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "call-nested" (list . "artifactory" "artifactory.nginx.fullname") }}) + $ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + $ echo http://$NODE_IP:$NODE_PORT/ {{- else if contains "LoadBalancer" .Values.artifactory.nginx.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of the service by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "call-nested" (list . "artifactory" "artifactory.nginx.fullname") }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "call-nested" (list . "artifactory" "artifactory.nginx.fullname") }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP/ + + - Method 1: LoadBalancer Connection (preferred) + It may take a few minutes for the LoadBalancer service to be available. + You can monitor the service status by running this command: + + $ kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "call-nested" (list . "artifactory" "artifactory.nginx.fullname") }} + + Extract the LoadBalancer IP / Hostname: + + $ export SERVICE_HOSTNAME=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "call-nested" (list . "artifactory" "artifactory.nginx.fullname") }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + $ echo http://$SERVICE_HOSTNAME/ + + - Method 2: Port Forwarding + + $ kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "call-nested" (list . 
"artifactory" "artifactory.nginx.fullname") }} 8080:{{ .Values.artifactory.nginx.http.internalPort }} & + $ echo http://localhost:8080/ {{- else if contains "ClusterIP" .Values.artifactory.nginx.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "component={{ .Values.artifactory.nginx.name }}" -o jsonpath="{.items[0].metadata.name}") - echo http://127.0.0.1:{{ .Values.artifactory.nginx.externalPortHttp }} - kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.artifactory.nginx.externalPortHttp }}:{{ .Values.artifactory.nginx.internalPortHttp }} + $ kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "call-nested" (list . "artifactory" "artifactory.nginx.fullname") }} 8080:{{ .Values.artifactory.nginx.http.internalPort }} & + $ echo http://localhost:8080/ {{- end }} -2. Open Artifactory in your browser - Default credential for Artifactory: - user: admin - password: password -Open Artifactory URL in your browser. +3. Once you have the URL, open your preferred web browser and access the JFrog Platform. + Default credentials for Artifactory: + - Username: admin + - Password: password {{- end }} {{- if .Values.postgresql.enabled }} -To extract the database password, run the following -export DB_PASSWORD=$(kubectl get --namespace {{ .Release.Namespace }} $(kubectl get secret --namespace {{ .Release.Namespace }} -o name | grep postgresql) -o jsonpath="{.data.postgresql-password}" | base64 --decode) -echo ${DB_PASSWORD} --------------------------------------------------------------------------------------------------------------------------------------------------- -***WARNING*** You are using the bundled postgresql database from the chart. Bundled postgresql database is not supported for production use cases. -Use an external postgresql database for production deployments. +***WARNING*** You are using the bundled PostgreSQL database from the chart. 
This bundled database is not suitable for production use cases. +Use an external PostgreSQL database for production deployments. --------------------------------------------------------------------------------------------------------------------------------------------------- {{- end }} \ No newline at end of file diff --git a/stable/jfrog-platform/templates/_helpers.tpl b/stable/jfrog-platform/templates/_helpers.tpl index 8fdf0e4c2..026edba4d 100644 --- a/stable/jfrog-platform/templates/_helpers.tpl +++ b/stable/jfrog-platform/templates/_helpers.tpl @@ -62,23 +62,6 @@ Create the name of the service account to use {{- end }} {{- end }} -{{/* -Return the registry of a service -*/}} -{{- define "jfrog-platform.getRegistryByService" -}} -{{- $dot := index . 0 }} -{{- $service := index . 1 }} -{{- if $dot.Values.global.imageRegistry }} - {{- $dot.Values.global.imageRegistry }} -{{- else -}} - {{- if (eq $service "migrationHook") -}} - {{- index $dot.Values.rabbitmq.migration.image.registry -}} - {{- else -}} - {{- index $dot.Values $service "image" "registry" -}} - {{- end -}} -{{- end -}} -{{- end -}} - {{/* Resolve imagePullSecrets value */}} 
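Review bot: Step 3 of the rewritten NOTES.txt prints the well-known default credentials (`admin` / `password`) without telling the operator to change them, and since these notes are the first thing shown after an install they are the right place for that reminder. Add one line after the password bullet, at the same indentation: `   Change the default admin password immediately after your first login.`. The template otherwise keeps every `{{ .Release.Namespace }}` and `call-nested` reference on the new side intact, so this is a documentation-only addition.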
@@ -91,14 +74,50 @@ imagePullSecrets: {{- end -}} {{- end -}} +{{/* +Resolve unifiedSecretInstallation name +*/}} +{{- define "jfrog-platform.unifiedSecretInstallation" -}} +{{- if eq .Chart.Name "artifactory" -}} +{{- if not .Values.artifactory.unifiedSecretInstallation }} +{{- printf "%s-%s" (include "artifactory.fullname" .) "database-creds" -}} +{{- else }} +{{- printf "%s-%s" (include "artifactory.unifiedSecretPrependReleaseName" .) "unified-secret" -}} +{{- end }} +{{- end -}} +{{- if eq .Chart.Name "distribution" -}} +{{- if not .Values.distribution.unifiedSecretInstallation }} +{{- printf "%s-%s" (include "distribution.fullname" . ) "database-creds" -}} +{{- else }} +{{- printf "%s-%s" (include "distribution.fullname" .) "unified-secret" -}} +{{- end }} +{{- end -}} +{{- if eq .Chart.Name "xray" -}} +{{- if not .Values.xray.unifiedSecretInstallation }} +{{- printf "%s-%s" (include "xray.fullname" . ) "database-creds" -}} +{{- else }} +{{- printf "%s-%s" (include "xray.name" .) "unified-secret" -}} +{{- end }} +{{- end -}} +{{- if eq .Chart.Name "insight" -}} +{{- if not .Values.insightServer.unifiedSecretInstallation }} +{{- printf "%s-%s" (include "insight.fullname" . ) "database-creds" -}} +{{- else }} +{{- printf "%s-%s" (include "insight.name" .) "unified-secret" -}} +{{- end }} +{{- end -}} +{{- end -}} + {{/* Custom init container for Postgres setup */}} {{- define "initdb" -}} -{{- if and .Values.global.database.initDBCreation (ne .Chart.Name "pdn-server") }} +{{- if .Values.global.database.initDBCreation }} - name: postgres-setup-init - image: {{ .Values.global.database.initContainerSetupDBImage }} + image: "{{ tpl .Values.global.database.initContainerSetupDBImage . }}" imagePullPolicy: {{ .Values.global.database.initContainerImagePullPolicy }} + resources: +{{ toYaml .Values.global.database.initContainerImageResources | indent 10 }} {{- with .Values.global.database.initContainerSetupDBUser }} securityContext: runAsUser: {{ . }} 
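Review bot: `jfrog-platform.unifiedSecretInstallation` has branches for artifactory, distribution, xray and insight only, so for any other `.Chart.Name` it renders an empty string; the two call sites introduced in the `@@ -172` and `@@ -183` hunks then emit `name:` with no value inside a `secretKeyRef`, which fails at apply time rather than at render time. The same `initdb` template still special-cases `pipelines` a few lines further down, so that chart at least appears able to reach the `else if .Values.database.user` path. Either add a pipelines branch or make the omission loud by inserting before the helper's final `{{- end -}}`: `{{- if not (has .Chart.Name (list "artifactory" "distribution" "xray" "insight")) -}}` / `{{- fail (printf "jfrog-platform.unifiedSecretInstallation: no secret mapping for chart %q" .Chart.Name) -}}` / `{{- end -}}`. The mixed use of `xray.name` / `insight.name` for the unified secret versus `xray.fullname` / `insight.fullname` for database-creds is presumably matching how each subchart names those secrets; one sentence in the `{{/* */}}` header saying so would stop the next reader from "fixing" it.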
@@ -107,9 +126,6 @@ Custom init container for Postgres setup - '/bin/bash' - '-c' - > - {{- if (ne .Chart.Name "artifactory") }} - until nc -z -w 5 {{ .Release.Name }}-artifactory 8082; do echo "Waiting for artifactory to start"; sleep 10; done; - {{- end }} echo "Running init db scripts"; bash /scripts/setupPostgres.sh {{- if eq .Chart.Name "pipelines" }} @@ -172,8 +188,7 @@ Custom init container for Postgres setup name: {{ tpl .Values.database.secrets.user.name . }} key: {{ tpl .Values.database.secrets.user.key . }} {{- else if .Values.database.user }} - {{- $chartFullName := printf "%s.fullname" .Chart.Name }} - name: {{ include $chartFullName . }}-database-creds + name: {{ include "jfrog-platform.unifiedSecretInstallation" . }} key: db-user {{- end }} - name: DB_PASSWORD @@ -183,8 +198,7 @@ Custom init container for Postgres setup name: {{ tpl .Values.database.secrets.password.name . }} key: {{ tpl .Values.database.secrets.password.key . }} {{- else if .Values.database.password }} - {{- $chartFullName := printf "%s.fullname" .Chart.Name }} - name: {{ include $chartFullName . }}-database-creds + name: {{ include "jfrog-platform.unifiedSecretInstallation" . }} key: db-password {{- end }} - name: PGPASSWORD diff --git a/stable/jfrog-platform/templates/migration-hook.yaml b/stable/jfrog-platform/templates/migration-hook.yaml index 3a52f1ab6..c89c75170 100644 --- a/stable/jfrog-platform/templates/migration-hook.yaml +++ b/stable/jfrog-platform/templates/migration-hook.yaml @@ -68,8 +68,8 @@ roleRef: --- {{- if .Values.rabbitmq.enabled }} {{- if .Values.rabbitmq.migration.enabled }} -apiVersion: v1 -kind: Pod +apiVersion: batch/v1 +kind: Job metadata: labels: app: {{ template "jfrog-platform.name" . }} 
@@ -81,37 +81,47 @@ metadata: "helm.sh/hook": "pre-upgrade" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: - serviceAccountName: {{ template "jfrog-platform.rabbitmq.migration.serviceAccountName" . }} - {{- if .Values.rabbitmq.podSecurityContext.enabled }} - securityContext: {{- omit .Values.rabbitmq.podSecurityContext "enabled" | toYaml | nindent 4 }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - {{- include "jfrog-platform.imagePullSecrets" . | indent 2 }} - {{- end }} - containers: - - name: pre-upgrade-container - image: "{{ include "jfrog-platform.getRegistryByService" (list . "migrationHook") }}/{{ .Values.rabbitmq.migration.image.repository }}:{{ .Values.rabbitmq.migration.image.tag }}" - imagePullPolicy: IfNotPresent - {{- if .Values.rabbitmq.containerSecurityContext.enabled }} - securityContext: {{- tpl (omit .Values.rabbitmq.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + template: + metadata: + labels: + app: {{ template "jfrog-platform.name" . }} + chart: {{ template "jfrog-platform.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + serviceAccountName: {{ template "jfrog-platform.rabbitmq.migration.serviceAccountName" . }} + {{- if .Values.rabbitmq.podSecurityContext.enabled }} + securityContext: {{- omit .Values.rabbitmq.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + {{- include "jfrog-platform.imagePullSecrets" . | indent 6 }} {{- end }} - command: - - sh - - -c - - | - #!/bin/sh - if [ "$(kubectl get pods -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }}" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then - kubectl exec -it {{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0 -- rabbitmqctl enable_feature_flag all - if [ "$?" -ne 0 ]; then - echo "Failed to perform the migration. 
Please make sure to enable the feature flag in rabbitmq manually [rabbitmqctl enable_feature_flag all] " - exit 1 + containers: + - name: pre-upgrade-container + image: "{{ tpl .Values.rabbitmq.migration.image.registry . }}/{{ .Values.rabbitmq.migration.image.repository }}:{{ .Values.rabbitmq.migration.image.tag }}" + imagePullPolicy: {{ .Values.rabbitmq.migration.image.pullPolicy }} + resources: +{{ toYaml .Values.rabbitmq.migration.resources | indent 12 }} + {{- if .Values.rabbitmq.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.rabbitmq.containerSecurityContext "enabled" | toYaml) . | nindent 12 }} + {{- end }} + command: + - sh + - -c + - | + #!/bin/sh + if [ "$(kubectl get pods -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }}" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then + kubectl exec -it {{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0 -- rabbitmqctl enable_feature_flag all + if [ "$?" -ne 0 ]; then + echo "Failed to perform the migration. Please make sure to enable the feature flag in rabbitmq manually [rabbitmqctl enable_feature_flag all] " + exit 1 + else + echo Feature flags executed successfully! + fi else - echo Feature flags executed successfully! + echo "Rabbitmq pod is not in running state. Ignoring feature flag migration for rabbitmq" fi - else - echo "Rabbitmq pod is not in running state. Ignoring feature flag migration for rabbitmq" - fi - restartPolicy: Never - terminationGracePeriodSeconds: 0 + restartPolicy: Never + terminationGracePeriodSeconds: 0 {{- end }} {{- end }} \ No newline at end of file diff --git a/stable/jfrog-platform/templates/postgres-upgrade-check.yaml b/stable/jfrog-platform/templates/postgres-upgrade-check.yaml new file mode 100644 index 000000000..d04a063ff --- /dev/null +++ b/stable/jfrog-platform/templates/postgres-upgrade-check.yaml 
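Review bot: Converting the pre-upgrade pod to a `batch/v1` Job without a `backoffLimit` means a non-zero exit from the feature-flag script (the `exit 1` branch) is retried by the Job controller up to the default of 6 times, each attempt re-running `kubectl exec ... rabbitmqctl enable_feature_flag all` against the same pod and delaying the hook failure Helm eventually reports. A one-shot hook should fail fast: add `  backoffLimit: 0` (and optionally an `activeDeadlineSeconds`) under the Job `spec:` next to the new `template:`. With `hook-delete-policy` limited to `before-hook-creation,hook-succeeded`, a failed Job and its pods are left behind, which is useful for debugging but worth a short comment in the template so operators know to clean them up.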
@@ -0,0 +1,5 @@ +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + {{- if not (default .Values.databaseUpgradeReady false ) }} + {{- fail "\n\nUPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/jfrog-platform/CHANGELOG.md) \nIf you are upgrading from a chart version (< 10.18.x) that has postgresql.image.tag of 13.x, make sure to set the current postgresql.image.tag to the same tag and databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 10.18.x), just set databaseUpgradeReady=true. \n" }} + {{- end }} +{{- end }} diff --git a/stable/jfrog-platform/templates/upgrade-hook.yaml b/stable/jfrog-platform/templates/upgrade-hook.yaml new file mode 100644 index 000000000..f146e8137 --- /dev/null +++ b/stable/jfrog-platform/templates/upgrade-hook.yaml 
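Review bot: `default .Values.databaseUpgradeReady false` is a no-op: sprig's `default` substitutes only when the value is empty, and `false` is itself the empty value, so the expression always equals `.Values.databaseUpgradeReady` and the line reads more clearly as `{{- if not .Values.databaseUpgradeReady }}`. A one-line comment above the outer `if` would also help, since this gate fires on every upgrade that uses the bundled PostgreSQL, not only the first one after 10.18: `{{/* Stops every upgrade on the bundled PostgreSQL until the operator confirms the DB state with databaseUpgradeReady=true */}}`.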
@@ -0,0 +1,169 @@ +{{- if .Values.preUpgradeHook.enabled }} +{{- if not (and .Values.insight.enabled .Values.pipelines.enabled .Values.distribution.enabled .Values.artifactory.mc.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "jfrog-platform.name" . }} + chart: {{ template "jfrog-platform.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "jfrog-platform.fullname" . }} + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-weight: "-10" +automountServiceAccountToken: true +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: {{ template "jfrog-platform.name" . }} + chart: {{ template "jfrog-platform.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "jfrog-platform.fullname" . }} + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-weight: "-10" +rules: +- apiGroups: + - "" + resources: + - pods/exec + - pods + verbs: + - create + - get + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: {{ template "jfrog-platform.name" . }} + chart: {{ template "jfrog-platform.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "jfrog-platform.fullname" . }} + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-weight: "-10" +subjects: + - kind: ServiceAccount + name: {{ template "jfrog-platform.fullname" . }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: {{ template "jfrog-platform.fullname" . }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app: {{ template "jfrog-platform.name" . }} + chart: {{ template "jfrog-platform.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "jfrog-platform.fullname" . 
}}-pre-upgrade-check + annotations: + "helm.sh/hook": "pre-upgrade" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" +spec: + backoffLimit: 0 + template: + metadata: + labels: + app: {{ template "jfrog-platform.name" . }} + chart: {{ template "jfrog-platform.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + serviceAccountName: {{ template "jfrog-platform.fullname" . }} + {{- if .Values.global.imagePullSecrets }} + {{- include "jfrog-platform.imagePullSecrets" . | indent 6 }} + {{- end }} + containers: + - name: pre-upgrade-check + image: "{{ tpl .Values.preUpgradeHook.image.registry . }}/{{ .Values.preUpgradeHook.image.repository }}:{{ .Values.preUpgradeHook.image.tag }}" + imagePullPolicy: {{ .Values.preUpgradeHook.image.pullPolicy }} + resources: +{{ toYaml .Values.preUpgradeHook.resources | indent 12 }} + command: + - sh + - -c + - | + #!/bin/sh + {{- if not .Values.distribution.enabled }} + if [ "$(kubectl get pods -l "statefulset.kubernetes.io/pod-name={{ .Release.Name }}-distribution-0" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then + if [ "$?" -eq 0 ]; then + echo "Failed to perform the upgrade. Refer to https://github.com/jfrog/charts/blob/master/stable/jfrog-platform/CHANGELOG.md#10180" + echo "From chart verison 10.18.x, Products - Distribution, Insight and Pipelines are disabled. If you are using these products in the previous release(s)." + echo "Enable them using your custom-values.yaml file " + exit 1 + fi + else + echo "Distribution pod(s) don't exist. Allowing upgrade" + fi + {{- end }} + {{- if not .Values.insight.enabled }} + if [ "$(kubectl get pods -l "statefulset.kubernetes.io/pod-name={{ .Release.Name }}-insight-0" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then + if [ "$?" -eq 0 ]; then + echo "Failed to perform the upgrade. 
Refer to https://github.com/jfrog/charts/blob/master/stable/jfrog-platform/CHANGELOG.md#10180" + echo "From chart verison 10.18.x, Products - Distribution, Insight and Pipelines are disabled. If you are using these products in the previous release(s)." + echo "Enable them using your custom-values.yaml file " + exit 1 + fi + else + echo "Insight pod(s) don't exist. Allowing upgrade" + fi + {{- end }} + {{- if not .Values.pipelines.enabled }} + if [ "$(kubectl get pods -l "statefulset.kubernetes.io/pod-name={{ .Release.Name }}-pipelines-0" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then + if [ "$?" -eq 0 ]; then + echo "Failed to perform the upgrade. Refer to https://github.com/jfrog/charts/blob/master/stable/jfrog-platform/CHANGELOG.md#10180" + echo "From chart verison 10.18.x, Products - Distribution, Insight and Pipelines are disabled. If you are using these products in the previous release(s)." + echo "Enable them using your custom-values.yaml file " + exit 1 + fi + else + echo "Pipelines pod(s) don't exist. Allowing upgrade" + fi + {{- end }} + + {{- if not .Values.artifactory.mc.enabled }} + systemYamlUnifiedSecret={{ .Release.Name }}-artifactory-unified-secret + systemYamlSecret={{ .Release.Name }}-artifactory-systemyaml + systemYamlEncoded=$(kubectl get secrets "$systemYamlUnifiedSecret" -o jsonpath="{.data.system\.yaml}") + if [ $? -ne 0 ]; then + systemYamlEncoded=$(kubectl get secrets "$systemYamlSecret" -o jsonpath="{.data.system\.yaml}") + if [ $? -ne 0 ]; then + systemYamlEncoded=$(kubectl get secrets "artifactory-unified-secret" -o jsonpath="{.data.system\.yaml}") + if [ $? 
-ne 0 ]; then + echo "Error: Secret '$systemYamlSecret' or '$systemYamlUnifiedSecret' or "artifactory-unified-secret" not found" + exit 1 + fi + fi + fi + systemYaml=$(echo "$systemYamlEncoded" | base64 -d) + isMcEnabled=$(echo "$systemYaml" | awk 'BEGIN {flag=0} /^mc:/ {flag=1} flag && /^ enabled: / {print $2; exit} /^[^ ]/ && !/^mc:/ {if (flag) flag=0}') + if [ "$isMcEnabled" = "true" ]; then + echo "Failed to perform the upgrade. Refer to https://github.com/jfrog/charts/blob/master/stable/jfrog-platform/CHANGELOG.md#10180" + echo "From chart verison 10.19.x, Artifactory's Mission Control is disabled. If you are using this in the previous release(s)." + echo "Enable them using your custom-values.yaml file " + exit 1 + else + echo "Artifactory's Mission Control is not enabled. Allowing upgrade" + fi + {{- end }} + restartPolicy: Never + terminationGracePeriodSeconds: 10 +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/jfrog-platform/values.yaml b/stable/jfrog-platform/values.yaml index 10a2094db..51d18dd2f 100644 --- a/stable/jfrog-platform/values.yaml +++ b/stable/jfrog-platform/values.yaml @@ -6,6 +6,10 @@ # If this is an upgrade over an existing platform chart(>= 10.0.0), explicitly pass 'gaUpgradeReady=true' to upgrade gaUpgradeReady: false +# If you are upgrading from a chart version(< 10.18.x) that has postgresql.image.tag of 13.x, make sure to set the current postgresql.image.tag to the same tag and databaseUpgradeReady=true. +# If you are upgrading from a chart version (>= 10.18.x), just set databaseUpgradeReady=true. +databaseUpgradeReady: false + global: # imagePullSecrets: # - myRegistryKeySecretName 
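Review bot: The Role at the top of this template grants `create` on `pods/exec` and `pods`, but the pre-upgrade-check script only ever runs `kubectl get pods` and `kubectl get secrets`, so the exec and create verbs are unused privilege on a hook ServiceAccount; trimming the rules to `verbs: [get, list]` on `pods` and `get` on `secrets` (ideally with `resourceNames` limited to the two system.yaml secrets the script reads) keeps the check working with least privilege. The ServiceAccount, Role and RoleBinding carry `helm.sh/hook: "pre-upgrade"` without the `"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"` that the Job has, so after the hook completes these three objects remain in the namespace outside the release's managed resources, together with that standing permission set and the SA's auto-mounted token. Separately, each product check compares the pod's Ready condition to `"True"` and otherwise prints "pod(s) don't exist. Allowing upgrade", so an existing but not-yet-Ready distribution, insight or pipelines pod passes the check, and the inner `if [ "$?" -eq 0 ]` is always true because it tests the exit status of the outer `[` test that just succeeded — a `kubectl get pod <name>` existence check would express the intent directly. Note also that the decoded `$systemYaml` variable holds the full Artifactory system.yaml, which may contain database credentials, so no later debugging change should echo it.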
@@ -23,13 +27,12 @@ global: ## For example : For artifactory, using global.versions.artifactory ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion versions: - router: 7.81.0 + router: 7.124.1 # artifactory: # xray: # distribution: # insight: # pipelines: - # pdnServer: database: host: "{{ .Release.Name }}-postgresql" port: 5432 @@ -43,10 +46,17 @@ global: # adminPassword: # name: "jp-database-creds" # key: "db-admin-password" - initContainerSetupDBImage: releases-docker.jfrog.io/postgres:13.10-alpine + initContainerSetupDBImage: "{{ .Values.global.imageRegistry }}/postgres:15.6-alpine" # Run the postgres init container as a non-default uid initContainerSetupDBUser: - initContainerImagePullPolicy: Always + initContainerImagePullPolicy: IfNotPresent + initContainerImageResources: + requests: + cpu: 5m + memory: 10Mi + limits: + cpu: 1 + memory: 1Gi # If you are using external postgresql, set initDBCreation: false initDBCreation: true ## certificates added to this secret will be copied to $JFROG_HOME//var/etc/security/keys/trusted directory @@ -76,7 +86,7 @@ postgresql: enabled: true image: repository: bitnami/postgresql - tag: 13.10.0-debian-11-r14 + tag: 15.6.0-debian-11-r16 postgresqlUsername: postgres postgresqlPassword: postgres postgresqlExtendedConf: @@ -92,7 +102,7 @@ rabbitmq: rabbitmqUpgradeReady: false image: repository: bitnami/rabbitmq - tag: 3.11.10-debian-11-r5 + tag: 3.12.10-debian-11-r1 auth: ## Enable encryption to rabbitmq ## ref: https://www.rabbitmq.com/ssl.html 
@@ -179,9 +189,17 @@ rabbitmq: ## Migration is required to be performed only once hence this option can be disabled once the feature flags are enabled in rabbitmq. enabled: true image: - registry: releases-docker.jfrog.io + registry: "{{ .Values.global.imageRegistry }}" repository: bitnami/kubectl tag: 1.24.12 + pullPolicy: IfNotPresent + resources: + requests: + cpu: 5m + memory: 10Mi + limits: + cpu: 1 + memory: 1Gi ## Service account for the pre-upgrade hook to perform rabbitmq migration serviceAccount: create: true @@ -211,20 +229,10 @@ rabbitmq: # extraConfiguration: |- # management.listener.ssl = {{ .Values.global.rabbitmq.auth.tls.enabled }} -## This Redis is used by pipelines only, set redis.enabled: false, when pipelines is not enabled -redis: - enabled: true - image: - repository: bitnami/redis - tag: 7.2.0-debian-11-r2 - cluster: - enabled: false - usePassword: false - artifactory: enabled: true unifiedUpgradeAllowed: true - installerInfo: '{"productId": "Helm_JFrogPlatform/{{ printf "10.16.2-%s" .Chart.AppVersion }}", "features": [ { "featureId": "Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"}]}' + installerInfo: '{"productId":"Helm_JFrogPlatform/{{ printf "10.19.5-%s" .Chart.AppVersion }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}' postgresql: enabled: false waitForDatabase: false 
@@ -235,10 +243,13 @@ artifactory: user: artifactory password: artifactory # Note: For artifactory Pro license, mission-control is not supported, Hence, set mc.enabled: false + # Note: mission-control is disabled by default, this is only available for E+ customers, and can be enabled by setting mc.enabled: true mc: - enabled: true + enabled: false artifactory: - unifiedSecretInstallation: false + unifiedSecretInstallation: true + ## unifiedSecretPrependReleaseName Set this flag to false if unifiedSecret should not be created with prepended. + unifiedSecretPrependReleaseName: true # Note: For HA deployments, set replicaCount >1 (recommended 3) replicaCount: 1 migration: @@ -253,7 +264,7 @@ xray: enabled: true unifiedUpgradeAllowed: true xray: - unifiedSecretInstallation: false + unifiedSecretInstallation: true postgresql: enabled: false database: @@ -277,10 +288,10 @@ xray: erlangCookie: secretcookie distribution: - enabled: true + enabled: false unifiedUpgradeAllowed: true distribution: - unifiedSecretInstallation: false + unifiedSecretInstallation: true postgresql: enabled: false database: @@ -289,10 +300,10 @@ distribution: password: distribution insight: - enabled: true + enabled: false unifiedUpgradeAllowed: true insightServer: - unifiedSecretInstallation: false + unifiedSecretInstallation: true postgresql: enabled: false database: @@ -305,9 +316,8 @@ insight: xms: "2g" xmx: "2g" - pipelines: - enabled: true + enabled: false unifiedUpgradeAllowed: true postgresql: enabled: false @@ -319,11 +329,11 @@ pipelines: user: "apiuser" password: "pipeline" pipelines: - unifiedSecretInstallation: false + unifiedSecretInstallation: true msg: uiUserPassword: password redis: - enabled: false + enabled: true rabbitmq: enabled: false internal_ip: "{{ .Release.Name }}-rabbitmq" 
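Review bot: The comment added above `unifiedSecretPrependReleaseName` in this hunk is an unfinished sentence ("should not be created with prepended") and never says what gets prepended, which matters because flipping it changes the secret name other templates look up; suggest `## Set to false if the unified secret name should not be prefixed with the release name (presumably what the key refers to; confirm against the artifactory subchart).` This hunk also flips `artifactory.unifiedSecretInstallation` to `true` and `mc.enabled` to `false`, both behaviour changes for existing releases that the new comment on `mc` explains but the unified-secret switch does not; a one-line note pointing to the CHANGELOG entry would help upgraders.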
@@ -339,3 +349,20 @@ pipelines: build_vhost_name: pipelines root_vhost_name: pipelinesRoot protocol: amqp + + +preUpgradeHook: + ## This is required to be performed to check if existing products like distribution, insight and pipelines already exists + enabled: true + image: + registry: "{{ .Values.global.imageRegistry }}" + repository: bitnami/kubectl + tag: 1.24.12 + pullPolicy: IfNotPresent + resources: + requests: + cpu: 5m + memory: 10Mi + limits: + cpu: 1 + memory: 1Gi diff --git a/stable/mission-control/.helmignore b/stable/mission-control/.helmignore deleted file mode 100644 index c7eb1e274..000000000 --- a/stable/mission-control/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -OWNERS \ No newline at end of file diff --git a/stable/mission-control/CHANGELOG.md b/stable/mission-control/CHANGELOG.md deleted file mode 100644 index b515fbc10..000000000 --- a/stable/mission-control/CHANGELOG.md +++ /dev/null 
@@ -1,492 +0,0 @@ -# JFrog Mission-Control Chart Changelog -All changes to this chart will be documented in this file. - -## [104.7.16] - Sep 20, 2021 -* Added missing security context in filebeat container -* Update elasticsearch version to `7.14.1` -* Added min kubeVersion ">= 1.14.0-0" in chart.yaml -* Update alpine tag version to `3.14.2` -* Update busybox tag version to `1.33.1` - -## [104.7.14] - Sep 02, 2021 -* Dropped NET_RAW capability for the containers -* Added support for new probes(set to false by default) -* Update elasticsearch version to `7.14.0` -* Updated router version to `7.25.1` - -## [104.7.12] - Aug 25, 2021 -* Added security hardening fixes -* Update router version to `7.24.1` -* Update elasticsearch version to `7.13.4` -* Enabled startup probes for k8s >= 1.20.x -* Changed network policy to allow all ingress and egress traffic -* Added support for serviceRegistry insecure flag in router -* Fixed duplicate resources Key violates YAML spec -* Added elasticsearch default java opts to `2g` -* Added support for new probes(set to false by default) - -## [104.7.11] - July 22, 2021 -* Added support for graceful shutdown of router container on SIGTERM -* Update router version to `7.21.5` -* Added elasticsearch.app.version to system.yaml -* Update elasticsearch version to `7.13.2` - -## [104.7.10] - Aug 9, 2021 -* Added support for graceful shutdown of router container on SIGTERM -* Update router version to `7.21.5` -* Added elasticsearch.app.version to system.yaml -* Update elasticsearch version to `7.13.2` -* Support global and product specific tags at the same time -* Updated readme of chart to point to wiki. 
Refer [Installing Mission Control](https://www.jfrog.com/confluence/display/JFROG/Installing+Mission+Control) - -## [104.7.8] - July 6, 2021 -* Update router version to `7.21.3` -* Update alpine tag version to `3.14.0` -* Add required services for router container in systemYaml - -## [104.7.7] - June 17, 2021 -* Bumping chart version to align with app version -* **Breaking change:** -* Increased default postgresql persistence size to `100Gi` -* Update postgresql tag version to `13.2.0-debian-10-r55` -* Update postgresql chart version to `10.3.18` in chart.yaml - [10.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1000) -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! -* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true -* **IMPORTANT** -* This chart is only helm v3 compatible -* Update router version to `7.19.8` -* Update alpine tag version to `3.13.5` -* Fix broken support for startupProbe for k8s < 1.18.x -* Remove `prepare-storage` init container fixes openShift issue -* Added support for `nameOverride` and `fullnameOverride` in values.yaml -* Added configurable `.Values.global.versions.router` in values.yaml -* Update elasticsearch version to `7.12.1` - -## [5.8.3] - May 26, 2021 -* Update mission-Control to version `4.7.4` - [Release notes](https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.7.4) - -## [5.8.2] - April 15, 2021 -* Update mission-Control to version `4.7.3` - [Release notes](https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.7.3) - -## [5.8.1] - April 6, 2021 -* Update alpine tag version to `3.13.4` - -## [5.8.0] - Apr 
5, 2021 -* **IMPORTANT** -* Added `charts.jfrog.io` as default JFrog Helm repository - -## [5.7.2] - Mar 31, 2021 -* Update mission-Control to version `4.7.2` - [Release notes](https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.7.2) - -## [5.7.1] - Mar 30, 2021 -* Update router version to `7.17.2` -* Add `timeoutSeconds` to all exec probes - Please refer [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes) - -## [5.7.0] - Mar 22, 2021 -* Update mission-Control to version `4.7.1` -* Update router version to `7.17.1` -* Update Elasticsearch version to `7.10.2` with Searchguard -* Add support for graceful shutdown -* Optimized startupProbe time - -## [5.6.0] - Mar 18, 2021 -* Add support to startupProbe - -## [5.5.3] - Mar 12, 2021 -* Update mission-Control to version `4.6.5` - [Release notes](https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.6.5) - -## [5.5.2] - Mar 9, 2021 -* Removed bintray URL references in the chart -* Update router version to `7.15.3` - -## [5.5.1] - Feb 19, 2021 -* Update router version to `7.15.2` -* Update busybox tag version to `1.32.1` - -## [5.5.0] - Feb 08, 2021 -* Support for custom certificates using secrets -* **Important:** Switched docker images download from `docker.bintray.io` to `releases-docker.jfrog.io` -* Update alpine tag version to `3.13.1` -* Update router version to `7.12.6` - -## [5.4.6] - Jan 27, 2021 -* Update router version to `7.12.4` - -## [5.4.5] - Jan 25, 2021 -* Add support for hostAliases - -## [5.4.4] - Jan 18, 2021 -* Update Mission Control version to 4.6.3 -* Upgrade Elasticsearch version to 7.8.1 with Searchguard -* Added support for `.Values.elasticsearch.username` -* Added support for custom tls certificates for elastic searchguard -* **IMPORTANT** -* If the certificates are changed, rolling update 
is not possible. Scale down to one replica and do an helm upgrade - -## [5.4.3] - Jan 8, 2021 -* Add support for creating additional kubernetes resources - -## [5.4.2] - Dec 17, 2020 -* Update Mission Control version to 4.6.2 - -## [5.4.1] - Dec 11, 2020 -* Added configurable `.Values.global.versions.missionControl` in values.yaml - -## [5.4.0] - Dec 10, 2020 -* Update postgresql tag version to `12.5.0-debian-10-r25` -* Updated chart maintainers email - -## [5.3.4] - Dec 4, 2020 -* **Important:** Renamed `.Values.systemYaml` to `.Values.systemYamlOverride` - -## [5.3.3] - Dec 3, 2020 -* Updated port namings on services and pods to allow for istio protocol discovery - -## [5.3.2] - Nov 30, 2020 -* Update router version to `7.11.5` -* Added special notes in readme for upgrading to 5.2.x and above chart versions - -## [5.3.1] - Nov 30, 2020 -* Update Mission Control version to 4.6.1 -* Update router version to `7.11.2` - -## [5.3.0] - Nov 16, 2020 -* Update Mission Control version to 4.6.0 -* Update alpine tag version to `3.12.1` - -## [5.2.2] - Nov 10, 2020 -* Pass system.yaml via external secret for advanced usecases -* Added configurable `insightServer.clients.elasticsearch.searchguard.connectionWaitTimeoutSecs` in values.yaml -* Bugfix - stateful set not picking up changes to database secrets - -## [5.2.1] - Nov 9, 2020 -* Expose router port 8082 for inter pod communication - -## [5.2.0] - Oct 27, 2020 -* Upgrade Elasticsearch version to 7.8.0 with Searchguard -* Added configurable `insightServer.clients.elasticsearch.connectionWaitTimeoutSecs` in values.yaml -* **IMPORTANT** -* Enable Elasticsearch request via router - -## [5.1.1] - Oct 24, 2020 -* Update router version to `1.4.4` - -## [5.1.0] - Oct 13, 2020 -* **Breaking** -* Changed `insightServer.internalHttpPort` to `insightServer.internalPort` -* Add support for livenessProbe and readinessProbe for all microservices -* Updated UPGRADE_NOTES.md - Upgrading to 4.x and above charts versions - -## [5.0.5] - Oct 
9, 2020 -* Add support for customInitContainersBegin - -## [5.0.4] - Oct 1, 2020 -* Added support for resources in init containers - -## [5.0.3] - Sep 29, 2020 -* Fix broken failure when using existing pvc - -## [5.0.2] - Sep 25, 2020 -* Changed insightServer.internalHttpPort to `8087` -* Changed initial replicaCount to 1 when replicacount > 1 -* Update filebeat version to `7.9.2` - -## [5.0.1] - Sep 22, 2020 -* Readme updates - -## [5.0.0] - Sep 3, 2020 -* **Breaking change:** Modified `imagePullSecrets` value from string to list. -* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images -* Added support for global values -* Updated maintainers in chart.yaml -* Update postgresql tag version to `12.3.0-debian-10-r71` -* Update router version to `1.4.3` -* Update postgresql chart version to `9.3.4` in requirements.yaml - [9.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#900) -* Removed redundant mcKey -* **IMPORTANT** -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! -* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x or 10.x's postgresql.image.tag and databaseUpgradeReady=true - -## [4.3.2] - Aug 20, 2020 -* Support list of custom secrets. - -## [4.3.1] - Aug 13, 2020 -* Expose Elasticsearch HTTP port with the mission control service. - -## [4.3.0] - Aug 12, 2020 -* Update Mission Control version to 4.5.0 -* **IMPORTANT** -* Removed insight executor service - -## [4.2.1] - Jul 30, 2020 -* Fix broken support for External elasticsearch -* Added tpl support for resolve jfrogUrl - -## [4.2.0] - Jul 27, 2020 -* Added support for `common.customSidecarContainers` to create custom sidecar containers. 
-* Added support for `common.configMaps` to create custom configMaps -* Moved customVolumes,customVolumeMounts,customInitContainers under `common` -* Added README for Establishing TLS and Adding certificates. Please refer [here](https://github.com/jfrog/charts/blob/master/stable/mission-control/README.md#establishing-tls-and-adding-certificates) -* Update router version to `1.4.2` - -## [4.1.1] - Jul 20, 2020 -* Updated Mission-Control Chart to add labels from values to service, pods and controller - -## [4.1.0] - Jul 10, 2020 -* Move some postgresql values to where they should be according to the subchart -* **IMPORTANT** -* Added ChartCenter Helm repository in README - -## [4.0.1] - Jun 29, 2020 -* Added UPGRADES_NOTES.md for upgrading to 3.x/4.x chart versions - -## [4.0.0] - Jun 26, 2020 -* Update postgresql tag version to `10.13.0-debian-10-r38` -* Update alpine tag version to `3.12` -* Update busybox tag version to `1.31.1` -* **IMPORTANT** -* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! 
-* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass postgresql.image.tag=9.6.18-debian-10-r7 and databaseUpgradeReady=true - -## [3.4.7] - Jun 17, 2020 -* Added support for javaopts via systemyaml - -## [3.4.6] - June 15, 2020 -* Update Mission Control version to 4.4.2 - https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.4.2 - -## [3.4.5] - June 9, 2020 -* Added support for Elasticsearch secrets - -## [3.4.4] - June 4, 2020 -* Update postgresql image tag to `9.6.18-debian-10-r7` -* Added Upgrade Notes in README for 4.x upgrades - https://github.com/jfrog/charts/blob/master/stable/mission-control/README.md#special-upgrade-notes - -## [3.4.3] - June 1, 2020 -* Update Mission Control version to 4.4.1 -* Fixes Broken upgrades of charts - use `kubectl delete statefulsets ` and run helm upgrade - -## [3.4.2] - May 25, 2020 -* Added ci test for image version change -* Added ci test for postgresql image tag -* Readme fixes - -## [3.4.1] - May 21, 2020 -* Fix image version in statefulset - -## [3.4.0] - May 19, 2020 -* Update Mission Control to version `4.4.0` - https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.4 -* Bump router version to `1.4.0` - -## [3.3.0] - May 12, 2020 -* Support external database secrets -* **Breaking change:** Use single user/password for all services for both internal/external databases. 
- -## [3.2.1] - April 26, 2020 -* Added `elasticsearch.configureDockerHost` parameter to enable control over running of privileged containers (init-elasticsearch) - -## [3.2.0] - Apr 21, 2020 -* Upgrade Elasticsearch version to 7.6.1 -* Upgrade Mission Control version to 4.3.2 -* Bump postgresql tag version to `9.6.17-debian-10-r72` in values.yaml -* Bump router version to `1.3.0` -* **NOTE:** If you have externalized elasticsearch, please upgrade your elasticsearch to 7.6.1 to work with Mission Control 4.3.x. Mission Control version 4.3.x and above is not compatible with Elasticsearch version 6.x. -* **NOTE:** Mission Control version 4.3.2 is compatible with Artifactory 7.4.1 and above. Refer Mission Control release notes for more details - https://www.jfrog.com/confluence/display/JFROG/Mission+Control+Release+Notes#MissionControlReleaseNotes-MissionControl4.3.2. - -## [3.1.1] - April 13, 2020 -* Update README with helm v3 commands - -## [3.1.0] - April 10, 2020 -* Use dependency charts from `https://charts.bitnami.com/bitnami` -* Bump postgresql chart version to `8.7.3` in requirements.yaml -* Bump postgresql tag version to `9.6.17-debian-10-r21` in values.yaml - -## [3.0.23] - April 3, 2020 -* Support masterKey and joinKey as secrets -* Support `masterKey` (previously `mcKey`) in values.yaml - -## [3.0.22] - Mar 30, 2020 -* Readme fixes - -## [3.0.21] - Mar 23, 2020 -* Use `postgresqlExtendedConf` for setting custom PostgreSQL configuration (instead of `postgresqlConfiguration`) - -## [3.0.20] - Mar 17, 2020 -* Changed all single quotes to double quotes in values files - -## [3.0.19] - Mar 11, 2020 -* Unified charts public release - -## [3.0.18] - Mar 9, 2020 -* Removed unused `ingress` code + fixes - -## [3.0.17] - Mar 9, 2020 -* Fix `elasticsearch` indentation in `system.yaml` file - -## [3.0.16] - Mar 4, 2020 -* Add support for disabling `consoleLog` in `system.yaml` file -* Add support for database secrets - -## [3.0.15] - Feb 27, 2020 -* Add an annotation 
with the checksum of the `system.yaml` file to make sure the pods restart after a configuration change - -## [3.0.14] - Feb 26, 2020 -* Fix path of mission-control entrypoint - -## [3.0.12] - Feb 24, 2020 -* Update Mission Control to version `4.2.0` - -## [1.1.17] - Feb 13, 2020 -* Add support for `ingress.additionalRules` and `ingress.defaultBackend` - -## [1.1.16] - Feb 11, 2020 -* Use a with clause for `preStartCommand`, `customVolumes` and `customVolumeMounts` - -## [1.1.15] - Feb 6, 2020 -* Fix init containers resources - -## [1.1.14] - Feb 2, 2020 -* Add a comment stating that it is recommended to use an external PostgreSQL with a static password for production installations - -## [1.1.13] - Jan 30, 2020 -* Add the option to configure resources for the logger containers - -## [1.1.12] - Jan 22, 2020 -* Add support for providing resources to the init containers and the insight container - -## [1.1.11] - Jan 19, 2020 -* Update Mission-Control version to 3.5.6 - -## [1.1.10] - Nov 21, 2019 -* Support missionControl.preStartCommand for running command before entrypoint starts - -## [1.1.9] - Nov 20, 2019 -* Update Mission-Control logo - -## [1.1.8] - Nov 12, 2019 -* Add annotation options to Mission-Control service - -## [1.1.7] - Nov 11, 2019 -* Update Mission-Control version to 3.5.5 - -## [1.1.6] - Sep 23, 2019 -* Update Mission-Control version to 3.5.4 - -## [1.1.5] - Jul 22, 2019 -* Change Ingress API to be compatible with recent kubernetes versions - -## [1.1.4] - Jun 24, 2019 -* Update chart maintainers - -## [1.1.3] - Jun 23, 2019 -* Add values files for small, medium and large installations - -## [1.1.2] - Jun 3, 2019 -* Update Mission-Control version to 3.5.3 -* Use correct key to specify UpdateStrategy -* Update apiVersion to apps/v1 - -## [1.1.1] - May 20, 2019 -* Fix missing logger image tag - -## [1.1.0] - May 10, 2019 -* Added support for `missionControl.customVolumeMounts` and `missionControl.customVolumes` to create custom volume mounts - -## 
[1.0.6] - Apr 17, 2019 -* Update Mission-Control version to 3.5.2 - -## [1.0.5] - Apr 9, 2019 -* Update Mission-Control version to 3.5.1 - -## [1.0.4] - Apr 7, 2019 -* Add network policy support - -## [1.0.3] - Apr 4, 2019 -* Add information about upgrading mission-control with auto-generated postgres password - -## [1.0.2] - Apr 4, 2019 -* Change mission-control auto-generated DB password to update the password on every startup - -## [1.0.1] - Apr 1, 2019 -* Fix error of missing volume when `missionControl.persistence` is disabled - -## [1.0.0] - Mar 28, 2019 -* **NOTE:** This chart is not compatible with older versions and should not be used to upgrade them. See README for more details on upgrades -* Updated Mission Control version to 3.5.0 -* HA support for Mission Control and elasticsearch with Statefulset -* Elasticsearch now part of Mission Control template -* New Elasticsearch (6.6.0) with searchguard plugin enabled - -## [0.9.4] - Mar 26, 2019 -* Add default auto-generated random password for mission control database users - -## [0.9.3] - Mar 15, 2019 -* Revert securityContext change that was causing issues - -## [0.9.2] - Mar 14, 2019 -* Move securityContext to container level - -## [0.9.1] - Mar 14, 2019 -* Updated Mission-Control version to 3.4.3 - -## [0.9.0] - Feb 28, 2019 -* Support loggers sidecars to tail a configured log - -## [0.8.1] - Feb 20, 2019 -* Update Mission-Control Readme with new database details - -## [0.8.0] - Feb 19, 2019 -* Update Mission-Control version 3.4.2 -* Move to using PostgreSQL as Mission-Control database (replace MongoDB) -* Move setup of database from post install hook to init container of corresponding deployment -* **NOTE:** For upgrading an existing deployment (pre 3.4.2), Mission-Control must be installed with both databases: MongoDB and PostgreSQL -* **UPGRADE NOTES:** For upgrading an existing deployment (pre 3.4.2), follow the following: - * Pass `--set mongodb.enabled=true` to the `helm upgrade command`. 
- * Mission-Control should be idle. - * New Mission-Control must be installed with both databases: MongoDB and PostgreSQL - * Upgrade to new version (3.4.2) with the following parameter for the upgrade process `helm upgrade .... --set mongodb.enabled=true ....` - * Once Mission-Control is up - it means the migration from MongoDB to PostgreSQL is done! - -## [0.7.3] - Jan 31, 2019 -* Add 0.5G to all memory limits for java services to be higher than java xmx value - -## [0.7.2] - Jan 23, 2019 -* Added support for `missionControl.customInitContainers` to create custom init containers - -## [0.7.1] - Dec 17, 2018 -* Updated Mission-Control version to 3.3.2 - -## [0.7.0] - Nov 16, 2018 -* Updated Mission-Control version to 3.3.0 -* Remove usage of certificates for internal communication - -## [0.6.0] - Oct 18, 2018 -* Updated Mission-Control version to 3.2.0 -* This chart version (0.6.0) cannot be used to deploy older versions of Mission Control (less than or equal to 3.1.2) - -## [0.5.2] - Oct 17, 2018 -* Add Apache 2.0 license - -## [0.5.1] - Oct 16, 2018 -* Fix #67 Set password used to generate internal certs in Mission-Control - -## [0.5.0] - Oct 14, 2018 -* Upgrade MongoDB version (chart 4.3.10, app 3.6.8-debian-9) - -## [0.4.5] - Oct 9, 2018 -* Quote ingress hosts to support wildcard names - -## [0.4.4] - Oct 2, 2018 -* Add `helm repo add jfrog https://charts.jfrog.io` to README - -## [0.4.3] - Sep 6, 2018 -* Option to set Java `Xms` and `Xmx` for Insight scheduler and executor - -## [0.4.2] - Aug 23, 2018 -* Updated Mission-Control version to 3.1.2 - -## [0.4.1] - Aug 22, 2018 -* Enabled RBAC Support -* Using secrets for credentials -* Updated Mission-Control version to 3.1.1 -* Changed deployment api to apps/v1beta2 -* Made postInstallHook image configurable diff --git a/stable/mission-control/Chart.lock b/stable/mission-control/Chart.lock deleted file mode 100644 index 75d82ee6c..000000000 --- a/stable/mission-control/Chart.lock +++ /dev/null 
@@ -1,6 +0,0 @@
-dependencies:
-- name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 10.3.18
-digest: sha256:0f05940ac62e827e3f5f7bfe513e3880576cbe6b8cc234d0f26a146c6d4e8ece
-generated: "2021-04-23T11:36:16.206454+05:30"
diff --git a/stable/mission-control/Chart.yaml b/stable/mission-control/Chart.yaml
deleted file mode 100644
index 206939168..000000000
--- a/stable/mission-control/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v2
-appVersion: 4.7.16
-dependencies:
-- condition: postgresql.enabled
- name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 10.3.18
-description: A Helm chart for JFrog Mission Control
-home: https://jfrog.com/mission-control/
-icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/mission-control/logo/jfmc-logo.png
-keywords:
-- mission-control
-- jfrog
-kubeVersion: '>= 1.14.0-0'
-maintainers:
-- email: installers@jfrog.com
- name: Chart Maintainers at JFrog
-name: mission-control
-sources:
-- https://github.com/jfrog/charts
-type: application
-version: 104.7.16
diff --git a/stable/mission-control/LICENSE b/stable/mission-control/LICENSE
deleted file mode 100644
index 8dada3eda..000000000
--- a/stable/mission-control/LICENSE
+++ /dev/null
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/stable/mission-control/README.md b/stable/mission-control/README.md deleted file mode 100644 index 47f3044ff..000000000 --- a/stable/mission-control/README.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# JFrog Mission-Control Helm Chart - -**IMPORTANT!** Our Helm Chart docs have moved to our main documentation site. Below you will find the basic instructions for installing Mission Control. For all other information, refer to [Installing Mission Control](https://www.jfrog.com/confluence/display/JFROG/Installing+Mission+Control). - -## Prerequisites Details - -* Kubernetes 1.12+ - -## Chart Details -This chart will do the following: - -* Deploy PostgreSQL database **NOTE:** For production grade installations it is recommended to use an external PostgreSQL. -* Deploy Elasticsearch. -* Deploy Mission Control. - -## Requirements -- A running Kubernetes cluster -- Dynamic storage provisioning enabled -- Default StorageClass set to allow services using the default StorageClass for persistent storage -- A running Artifactory Enterprise -- [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed and setup to use the cluster -- [Helm](https://helm.sh/) installed and setup to use the cluster (helm init) - -## Installing the Chart - -### Add the JFrog Helm Repository -Before installing JFrog helm charts, you will need to add the [JFrog helm repository](https://charts.jfrog.io) to your Helm client. - -```bash -helm repo add jfrog https://charts.jfrog.io -helm repo update -``` - -### Artifactory Connection Details -To connect Mission Control to your Artifactory installation, you will need to use a join key. To learn how to retrieve the connection details of your Artifactory installation (join key and JFrog URL) from the UI, see https://www.jfrog.com/confluence/display/JFROG/General+Security+Settings#GeneralSecuritySettings-ViewingtheJoinKey. 
- -### Initiate Installation -Provide a join key and the JFrog URL as a parameter to the Mission Control chart installation: - -```bash -helm upgrade --install mission-control --set missionControl.joinKey= \ - --set missionControl.jfrogUrl= --namespace mission-control jfrog/mission-control -``` - -## Uninstalling the Chart - -Uninstall is supported only on Helm v3 and on. - -Uninstall Mission-control using the following command. - -```bash -helm uninstall mission-control && sleep 90 && kubectl delete pvc -l app=mission-control -``` diff --git a/stable/mission-control/UPGRADE_NOTES.md b/stable/mission-control/UPGRADE_NOTES.md deleted file mode 100644 index 7edac8d95..000000000 --- a/stable/mission-control/UPGRADE_NOTES.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# JFrog Mission-Control Chart Upgrade Notes -This file describes special upgrade notes needed at specific versions - -## Upgrade from 1.x/2.x to 3.x and above (Chart Versions) - -* To upgrade chart version to 3.x and above, you must be on chart version 1.0.5 or above as described in https://github.com/jfrog/charts/blob/master/stable/mission-control/CHANGELOG.md. -* Data other than your licenses, such as your service information and insight, will not be available after the upgrade. -* JFrog Mission Control v4.x is only compatible with JFrog Artifactory v7.x. To upgrade, you must first install JFrog Artifactory 7.x. -* To know more about upgrading mission control, please refer -> https://www.jfrog.com/confluence/display/JFROG/Upgrading+Mission+Control#UpgradingMissionControl-UpgradingfromVersion3.5.1to4.x - -**DOWNTIME IS REQUIRED FOR AN UPGRADE!** - -* Data export is done with a migration script jfmcDataExport.sh (available under files directory in mission-control chart). - -* Upgrade steps: -1. Stop old mission-control pod (scale down replicas to 0). Postgresql still exists - ```bash - $ kubectl scale statefulsets -mission-control --replicas=0 - ``` -2. Export data from old postgresql instance - 1. Connect to the old PostgreSQL pod (you can obtain the name by running kubectl get pods) - ```bash - $ kubectl exec -it -postgresql bash - ``` - 2. Copy the jfmcDataExport.sh file and run the following commands - ```bash - $ kubectl cp ./jfmcDataExport.sh -postgresql:/tmp/jfmcDataExport.sh - $ chown postgres:postgres /tmp/jfmcDataExport.sh - $ su postgres -c "PGPASSWORD=password bash /tmp/jfmcDataExport.sh --output=/tmp" - if you are on 2x charts(operating system user postgres is not there) run ./jfmcDataExport.sh --output=/tmp and provide jfmc user password - ``` - 3. Copy the exported file to your local system. - ```bash - $ kubectl cp -postgresql:/tmp/jfmcDataExport.tar.gz ./jfmcDataExport.tar.gz - ``` -3. 
Install new mission-control(4x) and copy the exported file - 1. Run the `helm install` with the `new version` say `mission-control-new` - 2. Copy the exported tar file to the new mission-control pod - ```bash - $ kubectl cp ./jfmcDataExport.tar.gz -mission-control:/opt/jfrog/mc/var/bootstrap/mc/jfmcDataExport.tar.gz -c mission-control - ``` - 3. Restart the mission-control new pod - 4. Validate that the import was successful. The filename should be renamed to jfmcDataExport.tar.gz.done. It will be renamed to jfmcDataExport.tar.gz.failed if the import procedure has failed. -4. Run `helm delete ` which will remove remove old Mission-control deployment and Helm release.
diff --git a/stable/mission-control/ci/default-values.yaml b/stable/mission-control/ci/default-values.yaml
deleted file mode 100644
index 2a874c48d..000000000
--- a/stable/mission-control/ci/default-values.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
-# If this is an upgrade over an existing Mission Control 4.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade
-unifiedUpgradeAllowed: true
-databaseUpgradeReady: true
-missionControl:
- jfrogUrl: http://artifactory.rt:8082
- persistence:
- enabled: false
-# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release
-postgresql:
- postgresqlPassword: password
- db:
- password: password
- persistence:
- enabled: false
-
-elasticsearch:
- persistence:
- enabled: false
- javaOpts:
- xms: "2g"
- xmx: "2g"
diff --git a/stable/mission-control/ci/global-section-values.yaml b/stable/mission-control/ci/global-section-values.yaml
deleted file mode 100644
index f55d4a93a..000000000
--- a/stable/mission-control/ci/global-section-values.yaml
+++ /dev/null
@@ -1,123 +0,0 @@ -unifiedUpgradeAllowed: true -databaseUpgradeReady: true -missionControl: - persistence: - enabled: false -postgresql: - postgresqlPassword: password - db: - password: password - persistence: - enabled: false - -elasticsearch: - persistence: - enabled: false - javaOpts: - xms: "2g" - xmx: "2g" - -global: - jfrogUrl: http://artifactory.rt:8082 - masterKey: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb - joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE - customInitContainersBegin: | - - name: "custom-init-begin-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - command: - - 'sh' - - '-c' - - 'touch {{ .Values.missionControl.persistence.mountPath }}/init-begin-global' - volumeMounts: - - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - name: mission-control-data - customVolumes: | - - name: custom-volume-global - emptyDir: - sizeLimit: 100Mi - customVolumeMounts: | - - name: custom-volume-global - mountPath: "/scriptsglobal" - customInitContainers: | - - name: "custom-init-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - command: - - 'sh' - - '-c' - - 'touch {{ .Values.missionControl.persistence.mountPath }}/init-global' - volumeMounts: - - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - name: mission-control-data - customSidecarContainers: | - - name: "sidecar-list-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: ["sh","-c","echo 'Sidecar is running in global' >> /scriptsglobal/sidecar.txt; cat /scriptsglobal/sidecar.txt; while true; do sleep 30; done"] - volumeMounts: - - mountPath: "/scriptsglobal" - name: custom-volume-global - resources: - requests: - memory: "32Mi" - cpu: "50m" - limits: - memory: "128Mi" - cpu: "100m" - -common: - 
customInitContainersBegin: | - - name: "custom-init-begin-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - command: - - 'sh' - - '-c' - - 'touch {{ .Values.missionControl.persistence.mountPath }}/init-begin-local' - volumeMounts: - - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - name: mission-control-data - customVolumes: | - - name: custom-volume-local - emptyDir: - sizeLimit: 100Mi - customVolumeMounts: | - - name: custom-volume-local - mountPath: "/scriptslocal" - customInitContainers: | - - name: "custom-init-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - command: - - 'sh' - - '-c' - - 'touch {{ .Values.missionControl.persistence.mountPath }}/init-local' - volumeMounts: - - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - name: mission-control-data - customSidecarContainers: | - - name: "sidecar-list-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: ["sh","-c","echo 'Sidecar is running in local' >> /scriptslocal/sidecar.txt; cat /scriptslocal/sidecar.txt; while true; do sleep 30; done"] - volumeMounts: - - mountPath: "/scriptslocal" - name: custom-volume-local - resources: - requests: - memory: "32Mi" - cpu: "50m" - limits: - memory: "128Mi" - cpu: "100m" diff --git a/stable/mission-control/ci/ha-values.yaml b/stable/mission-control/ci/ha-values.yaml deleted file mode 100644 index 9350aa49c..000000000 --- a/stable/mission-control/ci/ha-values.yaml +++ /dev/null 
@@ -1,26 +0,0 @@
-# CI values for Mission-control
-
-# If this is an upgrade over an existing Mission Control 4.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade
-unifiedUpgradeAllowed: true
-databaseUpgradeReady: true
-missionControl:
- jfrogUrl: http://artifactory.rt:8082
- persistence:
- enabled: false
-
-postgresql:
- postgresqlPassword: password
- db:
- password: password
- persistence:
- enabled: false
-
-elasticsearch:
- persistence:
- enabled: false
- javaOpts:
- xms: "2g"
- xmx: "2g"
-
-# For HA
-replicaCount: 2
diff --git a/stable/mission-control/ci/test-values.yaml b/stable/mission-control/ci/test-values.yaml
deleted file mode 100644
index 169d605f3..000000000
--- a/stable/mission-control/ci/test-values.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# CI values for Mission-control.
-
-# If this is an upgrade over an existing Mission Control 4.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade
-unifiedUpgradeAllowed: true
-databaseUpgradeReady: true
-missionControl:
- jfrogUrl: http://artifactory.rt:8082
- javaOpts:
- other: "-server -XX:+UseG1GC -Dfile.encoding=UTF8"
- xms: "500m"
- xmx: "1000m"
- persistence:
- enabled: false
-
-insightServer:
- javaOpts:
- xms: "500m"
- xmx: "1000m"
-
-insightScheduler:
- javaOpts:
- xms: "500m"
- xmx: "1000m"
-
-postgresql:
- image:
- tag: 9.6.15-debian-9-r91
- postgresqlPassword: password
- db:
- password: password
- persistence:
- enabled: false
-
-elasticsearch:
- persistence:
- enabled: false
- javaOpts:
- xms: "2g"
- xmx: "2g"
diff --git a/stable/mission-control/files/jfmcDataExport.sh b/stable/mission-control/files/jfmcDataExport.sh
deleted file mode 100644
index e4a908929..000000000
--- a/stable/mission-control/files/jfmcDataExport.sh
+++ /dev/null
@@ -1,452 +0,0 @@ -#! /bin/bash -# This can be used to export JFrog Mission Control data for migration from Mission Control 3.5.1+ to 4.x - -set -e - -# default values -TEMP_FOLDER= # Will be defined during init -OUTPUT_DIR=. -OUTPUT_FILE= # Will be defined during init -DB_USER_NAME=jfmc -DB_HOST=127.0.0.1 -DB_PORT=5432 -DB_DATABASE_NAME=mission_control -DB_DATABASE_SCHEMA=jfmc_server -VERBOSE_MODE=false - - -# ..... _logger.sh ...... -# REF https://misc.flogisoft.com/bash/tip_colors_and_formatting -cClear="\e[0m" -cBlue="\e[38;5;69m" -cRedDull="\e[1;31m" -cYellow="\e[1;33m" -cRedBright="\e[38;5;197m" - - -_loggerGetMode() { - local MODE="$1" - case $MODE in - INFO) - printf "${cBlue}%s%-5s%s${cClear}" "[" "${MODE}" "]" - ;; - DEBUG) - printf "%-7s" "[${MODE}]" - ;; - WARN) - printf "${cRedDull}%s%-5s%s${cClear}" "[" "${MODE}" "]" - ;; - ERROR) - printf "${cRedBright}%s%-5s%s${cClear}" "[" "${MODE}" "]" - ;; - esac -} - -# Capitalises the first letter of the message -_loggerGetMessage() { - local originalMessage="$*" - local firstChar=$(echo "${originalMessage:0:1}" | awk '{ print toupper($0) }') - local resetOfMessage="${originalMessage:1}" - echo "$firstChar$resetOfMessage" -} - -# The spec also says content should be left-trimmed but this is not necessary in our case. We don't reach the limit. 
-_loggerGetStackTrace() { - printf "%s%-30s%s" "[" "$1:$2" "]" -} - -_loggerGetThread() { - printf "%s" "[main]" -} - -_loggerGetServiceType() { - printf "%s%-5s%s" "[" "shell" "]" -} - -#Trace ID is not applicable to scripts -_loggerGetTraceID() { - printf "%s" "[]" -} - -# The date binary works differently based on whether it is GNU/BSD -is_date_supported=0 -date --version > /dev/null 2>&1 || is_date_supported=1 -IS_GNU=$(echo $is_date_supported) - -_loggerGetTimestamp() { - if [ "${IS_GNU}" == "0" ]; then - echo -n $(date -u +%FT%T.%3NZ) - else - echo -n $(date -u +%FT%T.000Z) - fi -} - -logger() { - if [ -z "$CONTEXT" ] - then - CONTEXT=$(caller) - fi - local MESSAGE="$1" - local MODE=${2-"INFO"} - local SERVICE_TYPE="script" - local TRACE_ID="" - local THREAD="main" - - local CONTEXT_LINE=$(echo "$CONTEXT" | awk '{print $1}') - local CONTEXT_FILE=$(echo "$CONTEXT" | awk -F"/" '{print $NF}') - - # To comply with logging standards - printf "%s\n" "$(_loggerGetTimestamp) $(_loggerGetServiceType) $(_loggerGetMode $MODE) $(_loggerGetTraceID) $(_loggerGetStackTrace $CONTEXT_FILE $CONTEXT_LINE) $(_loggerGetThread) - $(_loggerGetMessage $MESSAGE)" - - CONTEXT= -} - -logDebug(){ - VERBOSE_MODE=${VERBOSE_MODE-"false"} - CONTEXT=$(caller) - if [ ${VERBOSE_MODE} == "true" ];then - logger "$1" "DEBUG" - else - logger "$1" "DEBUG" >&6 - fi - CONTEXT= -} - -logError() { - CONTEXT=$(caller) - logger "$1" "ERROR" - CONTEXT= -} - -errorExit () { - logError "$1" "ERROR" - exit 1 -} - -warn () { - CONTEXT=$(caller) - logger "$1" "WARN" - CONTEXT= -} - -note () { - CONTEXT=$(caller) - logger "$1" "NOTE" - CONTEXT= -} - -bannerStart() { - title=$1 - echo - echo -e "\033[1m${title}\033[0m" - echo -} - -bannerSection() { - title=$1 - echo - echo -e "******************************** ${title} ********************************" - echo -} - -bannerSubSection() { - title=$1 - echo - echo -e "************** ${title} *******************" - echo -} - -bannerMessge() { - title=$1 - echo - echo 
-e "********************************" - echo -e "${title}" - echo -e "********************************" - echo -} - -setRed () { - local input="$1" - echo -e \\033[31m${input}\\033[0m -} -setGreen () { - local input="$1" - echo -e \\033[32m${input}\\033[0m -} -setYellow () { - local input="$1" - echo -e \\033[33m${input}\\033[0m -} - -logger_addLinebreak () { - echo -e "---\n" -} - -bannerImportant() { - title=$1 - echo - echo -e "######################################## IMPORTANT ########################################" - echo -e "\033[1m${title}\033[0m" - echo -e "###########################################################################################" - echo -} - -bannerEnd() { - #TODO pass a title and calculate length dynamically so that start and end look alike - echo - echo "*****************************************************************************" - echo -} - -banner() { - title=$1 - content=$2 - bannerStart "${title}" - echo -e "$content" -} - -# The logic below helps us redirect content we'd normally hide to the log file. - # - # We have several commands which clutter the console with output and so use - # `cmd > /dev/null` - this redirects the command's output to null. - # - # However, the information we just hid maybe useful for support. Using the code pattern - # `cmd >&6` (instead of `cmd> >/dev/null` ), the command's output is hidden from the console - # but redirected to the installation log file - # - -#Default value of 6 is just null -exec 6>>/dev/null -redirectLogsToFile() { - echo "" - # local file=$1 - - # [ ! -z "${file}" ] || return 0 - - # local logDir=$(dirname "$file") - - # if [ ! 
-f "${file}" ]; then - # [ -d "${logDir}" ] || mkdir -p ${logDir} || \ - # ( echo "WARNING : Could not create parent directory (${logDir}) to redirect console log : ${file}" ; return 0 ) - # fi - - # #6 now points to the log file - # exec 6>>${file} - # #reference https://unix.stackexchange.com/questions/145651/using-exec-and-tee-to-redirect-logs-to-stdout-and-a-log-file-in-the-same-time - # exec 2>&1 > >(tee -a "${file}") -} - - -# Utility method to strip away codes -_codeStripper() { - # Some possible codes [39m, [33m, [1m - echo "$*" | sed 's/\[[0-9]\{1,\}m//g' -} - - -# Output from application's logs are piped to this method. It checks a configuration variable to determine if content should be logged to -# the common console.log file -redirectServiceLogsToFile() { - - local result="0" - # check if the function getSystemValue exists - LC_ALL=C type getSystemValue > /dev/null 2>&1 || result="$?" - if [[ "$result" != "0" ]]; then - warn "Couldn't find the systemYamlHelper. Skipping log redirection" - return 0 - fi - - getSystemValue "shared.consoleLog" "NOT_SET" - if [[ "${YAML_VALUE}" == "false" ]]; then - logger "Redirection is set to false. Skipping log redirection" - return 0; - fi - - if [ -z "${JF_PRODUCT_HOME}" ] || [ "${JF_PRODUCT_HOME}" == "" ]; then - warn "JF_PRODUCT_HOME is unavailable. Skipping log redirection" - return 0 - fi - - local targetFile="${JF_PRODUCT_HOME}/var/log/console.log" - - if [ ! -f ${targetFile} ]; then - mkdir -p "${JF_PRODUCT_HOME}/var/log" || return 0 - touch $targetFile - fi - - while read -r line; do - printf '%s\n' "${line}" >> $targetFile || return 0 # Don't want to log anything - might clutter the screen - done -} -# ..... _logger.sh ..... - -logInfo() { - CONTEXT=$(caller) - logger "$1" "INFO" - CONTEXT= -} - -usage() { - cat << END_USAGE - -jfmcDataExport.sh - Export JFrog Mission Control data for migration from Mission Control 3.5.1+ to 4.x. - -Usage: jfmcDataExport.sh [OPTION]... 
- -Options: - --host=HOST database server host (default: "127.0.0.1") - --port=PORT database server port (default: "5432") - --user=USER database user name (default: "jfmc") - --database=DATABASE database name to connect to (default: "mission_control") - --schema=SCHEMA database schema name to connect to (default: "jfmc_server") - --output=OUTPUT path to output dir where jfmcDataExport.tar.gz will be created (default: ".") - --verbose show detailed output logs - -h, --help show this help, then exit - -In case psql binary cannot be found in path, POSTGRES_PATH environment variable can be defined to provide psql -location dir. - -END_USAGE - - exit 1 -} - -parseOptions() { - for cliArgument in "$@" - do - case ${cliArgument} in - --user=*) - DB_USER_NAME="${cliArgument#*=}" - shift # past argument=value - ;; - --database=*) - DB_DATABASE_NAME="${cliArgument#*=}" - shift # past argument=value - ;; - --schema=*) - DB_DATABASE_SCHEMA="${cliArgument#*=}" - shift # past argument=value - ;; - --host=*) - DB_HOST="${cliArgument#*=}" - shift # past argument=value - ;; - --port=*) - DB_PORT="${cliArgument#*=}" - shift # past argument=value - ;; - --output=*) - OUTPUT_DIR="${cliArgument#*=}" - shift # past argument=value - ;; - --verbose) - VERBOSE_MODE=true - shift # past argument=value - ;; - -h|--help) - usage - ;; - *) - # unknown option - usage - ;; - esac - done -} - -logEnv() { - logDebug "Settings: " - logDebug " - Database server host: ${DB_HOST}" - logDebug " - Database server port: ${DB_PORT}" - logDebug " - Database name: ${DB_DATABASE_NAME}" - logDebug " - Database user name: ${DB_USER_NAME}" - logDebug " - Temporary output folder: ${TEMP_FOLDER}" - logDebug " - Output dir: ${OUTPUT_DIR}" -} - -cleanUp() { - [[ -d "${TEMP_FOLDER}" ]] && logDebug "Deleting temp folder..." && rm -rf ${TEMP_FOLDER} - logDebug "Clean up complete" - -} - -exitOnError() { - local message=$1 - logError "Stopping because: ${message}!" 
- cleanUp - exit 1 -} - -exitOnInterrupt() { - exitOnError "Process interrupted" -} - -init() { - if [[ -z $POSTGRES_PATH ]]; then - hash ${PSQL} 2>/dev/null || { echo >&2 "\"${PSQL}\" is not installed or not available in path"; exit 1; } - fi - logDebug "Preparing output folder..." - TEMP_FOLDER=$(mktemp -d) - logEnv - [[ -d ${TEMP_FOLDER} ]] || exitOnError "Temporary folder could not be created" - [[ -d ${OUTPUT_DIR} ]] || exitOnError "${OUTPUT_DIR} does not exist" - OUTPUT_FILE="${OUTPUT_DIR}/jfmcDataExport.tar.gz" - if [[ -f "${OUTPUT_FILE}" ]]; then - warn "${OUTPUT_FILE} will be overwritten." - fi -} - -verifyFileExistsAndIsNotEmpty() { - local file=$1 - [[ -f "${file}" ]] || exitOnError "${file} is missing" - [[ -s "${file}" ]] || exitOnError "${file} should not be empty" -} - -extractSqlQueryToJsonFile() { - local sqlQuery=$1 - local outputPath=$2 - logDebug "Dumping data to ${outputPath}" - # Note: Redirecting output requires less permissions than using "COPY ... TO 'path/to/file'" - ${PSQL} --command="COPY (SELECT array_to_json(coalesce(array_agg(row_to_json(t)), '{}')) FROM ($sqlQuery) t) TO STDOUT;" \ - --username=${DB_USER_NAME} \ - --host=${DB_HOST} \ - --port=${DB_PORT} \ - --dbname=${DB_DATABASE_NAME} > ${outputPath} || exitOnError "psql command failed" - verifyFileExistsAndIsNotEmpty "${outputPath}" -} - -bundleData() { - logInfo "Bundling exported data..." - tar --create --gzip --file ${OUTPUT_FILE} --directory ${TEMP_FOLDER} . || exitOnError "Bundle creation failed" - logInfo "Mission Control data dumped to: ${OUTPUT_FILE}" -} - -extractData() { - logInfo "Exporting license buckets..." 
- local bucketsSql="SELECT id, subject, product_name, product_id, license_type, issued_date, valid_date, quantity, identifier, signature, max_of_usage, name, saas_imported, identifier_index, jfmc_info_service_id, jfmc_info_url, split_parent_id FROM ${DB_DATABASE_SCHEMA}.bucket" - extractSqlQueryToJsonFile "${bucketsSql}" "${TEMP_FOLDER}/buckets.json" || exitOnError "Export of License Buckets failed" - logInfo "Exporting managed licenses..." - local managedLicensesSql="SELECT id, bucket_id, license_hash, encode(license_key, 'base64') AS license_key, instance_name, state FROM ${DB_DATABASE_SCHEMA}.managed_license" - extractSqlQueryToJsonFile "${managedLicensesSql}" "${TEMP_FOLDER}/managed-licenses.json" || exitOnError "Export of Managed Licenses failed" -} - -trap exitOnInterrupt SIGINT SIGTERM SIGHUP - -[[ -z "${POSTGRES_PATH}" ]] && PSQL=psql || PSQL=${POSTGRES_PATH}/psql - -parseOptions "$@" -init -extractData -bundleData -cleanUp - -cat << END_REPORT - -To import the data in Mission Control 4.x:" - 1. Copy ${OUTPUT_FILE} into JF_PRODUCT_HOME/var/bootstrap/mc without changing the file name on one Mission Control node." - 2. Restart Mission Control node." - -END_REPORT - - - diff --git a/stable/mission-control/logo/jfmc-logo.png b/stable/mission-control/logo/jfmc-logo.png deleted file mode 100644 index 8a0706605..000000000 Binary files a/stable/mission-control/logo/jfmc-logo.png and /dev/null differ diff --git a/stable/mission-control/templates/NOTES.txt b/stable/mission-control/templates/NOTES.txt deleted file mode 100644 index 804cf478f..000000000 --- a/stable/mission-control/templates/NOTES.txt +++ /dev/null @@ -1,3 +0,0 @@ -Congratulations. You have just deployed JFrog Mission Control! - -Open Artifactory - {{ .Values.missionControl.jfrogUrl }} in your browser. Mission Control should be activated with Artifactory. 
diff --git a/stable/mission-control/templates/_helpers.tpl b/stable/mission-control/templates/_helpers.tpl deleted file mode 100644 index 45fa0bc3f..000000000 --- a/stable/mission-control/templates/_helpers.tpl +++ /dev/null 
@@ -1,294 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "mission-control.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "mission-control.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a list of elasticsearch master eligible nodes. -This will create one entry per replica. -*/}} -{{- define "elasticsearch.endpoints" -}} -{{- $replicas := 1 }} -{{- $releaseName := printf "%s" (include "mission-control.fullname" .) }} - {{- range $i, $e := untilStep 0 $replicas 1 -}} -{{ $releaseName }}-{{ $i }}, - {{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "mission-control.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} -{{ default (include "mission-control.fullname" .) .Values.serviceAccount.name }} -{{- else -}} -{{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. 
-*/}} -{{- define "mission-control.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Scheme (http/https) based on Access TLS enabled/disabled -*/}} -{{- define "mission-control.scheme" -}} -{{- if .Values.router.tlsEnabled -}} -{{- printf "%s" "https" -}} -{{- else -}} -{{- printf "%s" "http" -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve jfrogUrl value -*/}} -{{- define "mission-control.jfrogUrl" -}} -{{- if .Values.global.jfrogUrl -}} -{{- .Values.global.jfrogUrl -}} -{{- else if .Values.missionControl.jfrogUrl -}} -{{- .Values.missionControl.jfrogUrl -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve joinKey value -*/}} -{{- define "mission-control.joinKey" -}} -{{- if .Values.global.joinKey -}} -{{- .Values.global.joinKey -}} -{{- else if .Values.missionControl.joinKey -}} -{{- .Values.missionControl.joinKey -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve masterKey value -*/}} -{{- define "mission-control.masterKey" -}} -{{- if .Values.global.masterKey -}} -{{- .Values.global.masterKey -}} -{{- else if .Values.missionControl.masterKey -}} -{{- .Values.missionControl.masterKey -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve joinKeySecretName value -*/}} -{{- define "mission-control.joinKeySecretName" -}} -{{- if .Values.global.joinKeySecretName -}} -{{- .Values.global.joinKeySecretName -}} -{{- else if .Values.missionControl.joinKeySecretName -}} -{{- .Values.missionControl.joinKeySecretName -}} -{{- else -}} -{{ include "mission-control.fullname" . }} -{{- end -}} -{{- end -}} - -{{/* -Resolve masterKeySecretName value -*/}} -{{- define "mission-control.masterKeySecretName" -}} -{{- if .Values.global.masterKeySecretName -}} -{{- .Values.global.masterKeySecretName -}} -{{- else if .Values.missionControl.masterKeySecretName -}} -{{- .Values.missionControl.masterKeySecretName -}} -{{- else -}} -{{ include "mission-control.fullname" . 
}} -{{- end -}} -{{- end -}} - -{{/* -Resolve imagePullSecrets value -*/}} -{{- define "mission-control.imagePullSecrets" -}} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- else if .Values.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Resolve customInitContainersBegin value -*/}} -{{- define "mission-control.customInitContainersBegin" -}} -{{- if .Values.global.customInitContainersBegin -}} -{{- .Values.global.customInitContainersBegin -}} -{{- end -}} -{{- if .Values.common.customInitContainersBegin -}} -{{- .Values.common.customInitContainersBegin -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve customInitContainers value -*/}} -{{- define "mission-control.customInitContainers" -}} -{{- if .Values.global.customInitContainers -}} -{{- .Values.global.customInitContainers -}} -{{- end -}} -{{- if .Values.common.customInitContainers -}} -{{- .Values.common.customInitContainers -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve customVolumes value -*/}} -{{- define "mission-control.customVolumes" -}} -{{- if .Values.global.customVolumes -}} -{{- .Values.global.customVolumes -}} -{{- end -}} -{{- if .Values.common.customVolumes -}} -{{- .Values.common.customVolumes -}} -{{- end -}} -{{- end -}} - - -{{/* -Resolve customVolumeMounts value -*/}} -{{- define "mission-control.customVolumeMounts" -}} -{{- if .Values.global.customVolumeMounts -}} -{{- .Values.global.customVolumeMounts -}} -{{- end -}} -{{- if .Values.common.customVolumeMounts -}} -{{- .Values.common.customVolumeMounts -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve customSidecarContainers value -*/}} -{{- define "mission-control.customSidecarContainers" -}} -{{- if .Values.global.customSidecarContainers -}} -{{- .Values.global.customSidecarContainers -}} -{{- end -}} -{{- if .Values.common.customSidecarContainers -}} -{{- 
.Values.common.customSidecarContainers -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper mission-control chart image names -*/}} -{{- define "mission-control.getImageInfoByValue" -}} -{{- $dot := index . 0 }} -{{- $indexReference := index . 1 }} -{{- $registryName := index $dot.Values $indexReference "image" "registry" -}} -{{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}} -{{- $tag := default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} -{{- if $dot.Values.global }} - {{- if and $dot.Values.global.versions.router (eq $indexReference "router") }} - {{- $tag = $dot.Values.global.versions.router | toString -}} - {{- end -}} - {{- if and $dot.Values.global.versions.missionControl (or (eq $indexReference "insightScheduler") (eq $indexReference "missionControl") (eq $indexReference "insightServer") ) }} - {{- $tag = $dot.Values.global.versions.missionControl | toString -}} - {{- end -}} - {{- if $dot.Values.global.imageRegistry }} - {{- printf "%s/%s:%s" $dot.Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Resolve elastic search url -*/}} -{{- define "elasticsearch.url" -}} -{{- if .Values.router.tlsEnabled -}} -{{- printf "https://localhost:%d" (int .Values.router.internalPort) -}} -{{- else -}} -{{- printf "http://localhost:%d" (int .Values.router.internalPort) -}} -{{- end -}} -{{- end -}} - -{{/* -Custom certificate copy command -*/}} -{{- define "mission-control.copyCustomCerts" -}} -echo "Copy custom certificates to {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted"; -mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted; -find /tmp/certs -type f -not -name "*.key" -exec cp -v {} {{ 
.Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted \;; -find {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted/ -type f -name "tls.crt" -exec mv -v {} {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted/ca.crt \;; -{{- end -}} - -{{/* -mission-control liveness probe -*/}} -{{- define "mission-control.livenessProbe" -}} -{{- if .Values.newProbes -}} -{{- printf "%s" "/api/v1/system/liveness" -}} -{{- else -}} -{{- printf "%s" "/api/v1/system/ping" -}} -{{- end -}} -{{- end -}} - -{{/* -mission-control readiness probe -*/}} -{{- define "mission-control.readinessProbe" -}} -{{- if .Values.newProbes -}} -{{- printf "%s" "/api/v1/system/readiness" -}} -{{- else -}} -{{- printf "%s" "/api/v1/system/ping" -}} -{{- end -}} -{{- end -}} - -{{/* -router liveness probe -*/}} -{{- define "mission-control.router.livenessProbe" -}} -{{- if .Values.newProbes -}} -{{- printf "%s" "/router/api/v1/system/liveness" -}} -{{- else -}} -{{- printf "%s" "/router/api/v1/system/health" -}} -{{- end -}} -{{- end -}} - -{{/* -router readiness probe -*/}} -{{- define "mission-control.router.readinessProbe" -}} -{{- if .Values.newProbes -}} -{{- printf "%s" "/router/api/v1/system/readiness" -}} -{{- else -}} -{{- printf "%s" "/router/api/v1/system/health" -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/stable/mission-control/templates/additional-resources.yaml b/stable/mission-control/templates/additional-resources.yaml deleted file mode 100644 index c4d06f08a..000000000 --- a/stable/mission-control/templates/additional-resources.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{ if .Values.additionalResources }} -{{ tpl .Values.additionalResources . }} -{{- end -}} diff --git a/stable/mission-control/templates/database-secrets.yaml b/stable/mission-control/templates/database-secrets.yaml deleted file mode 100644 index 96e48928f..000000000 
--- a/stable/mission-control/templates/database-secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if not .Values.database.secrets }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mission-control.fullname" . }}-database-creds - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -data: - {{- if .Values.postgresql.enabled }} - {{- with .Values.postgresql.db.password }} - db-password: {{ tpl . $ | b64enc | quote }} - {{- else }} - db-password: {{ randAlphaNum 10 | b64enc | quote }} - {{- end }} - {{- else }} - {{- with .Values.database.url }} - db-url: {{ tpl . $ | b64enc | quote }} - {{- end }} - {{- with .Values.database.user }} - db-user: {{ tpl . $ | b64enc | quote }} - {{- end }} - {{- with .Values.database.password }} - db-password: {{ tpl . $ | b64enc | quote }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/mission-control/templates/elasticsearch-secrets.yaml b/stable/mission-control/templates/elasticsearch-secrets.yaml deleted file mode 100644 index 53a0abbdb..000000000 --- a/stable/mission-control/templates/elasticsearch-secrets.yaml +++ /dev/null @@ -1,22 +0,0 @@ - {{- if .Values.elasticsearch.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mission-control.fullname" . }}-elasticsearch-cred - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -data: -{{- with .Values.elasticsearch.username }} - username: {{ tpl . $ | b64enc | quote }} -{{- end }} -{{- with .Values.elasticsearch.password }} - password: {{ tpl . $ | b64enc | quote }} -{{- end }} -{{- with .Values.elasticsearch.url }} - url: {{ tpl . $ | b64enc | quote }} -{{- end }} -{{- end }} 
diff --git a/stable/mission-control/templates/filebeat-configmap.yaml b/stable/mission-control/templates/filebeat-configmap.yaml deleted file mode 100644 index 45d2cf5fb..000000000 --- a/stable/mission-control/templates/filebeat-configmap.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.filebeat.enabled }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "mission-control.fullname" . }}-filebeat-config - labels: - app: {{ template "mission-control.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service | quote }} - release: {{ .Release.Name | quote }} -data: - filebeat.yml: | -{{ tpl .Values.filebeat.filebeatYml . | indent 4 }} -{{- end -}} \ No newline at end of file diff --git a/stable/mission-control/templates/jfmc-setup-scripts.yaml b/stable/mission-control/templates/jfmc-setup-scripts.yaml deleted file mode 100644 index fbf3fac79..000000000 --- a/stable/mission-control/templates/jfmc-setup-scripts.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "mission-control.fullname" . }}-jfmc-setup-scripts - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - setProperties.sh: | - #!/bin/bash - # Setup script to set properties in mission-control.properties on install - addProperty() { - local propertyName=$1 - local propertyValue=$2 - local propertiesPath=$3 - local result= - local propertyNotSet=1 - local propertySet=0 - - # Return if any of the inputs are empty - [[ -z "$propertyName" || "$propertyName" == "" ]] && return - [[ -z "$propertyValue" || "$propertyValue" == "" ]] && return - [[ -z "$propertiesPath" || "$propertiesPath" == "" ]] && return - - grep "^${propertyName}\s*=.*$" ${propertiesPath} >/dev/null 2>&1 - result=$? - if [[ ${result} -eq ${propertyNotSet} ]]; then - echo "setting ${propertyName} property in ${propertiesPath}" - echo -e "\n${propertyName}=${propertyValue}" >> ${propertiesPath} - elif [[ ${result} -eq ${propertySet} && {{ .Values.missionControl.propertyOverride | quote }} == true ]]; then - echo "modifying ${propertyName} property in ${propertiesPath}" - sed -i -e "s|^${propertyName}\s*=.*$|${propertyName}=${propertyValue}|g;" ${propertiesPath} - else - echo "skipping ${propertyName} as it is already set" - fi - } - - JFMC_ETC={{ .Values.missionControl.persistence.mountPath }}/etc - JFMC_PROPERTIES=${JFMC_ETC}/mission-control.properties - - if ! 
[[ -f ${JFMC_PROPERTIES} ]]; then \ - mkdir -p ${JFMC_ETC}; \ - touch ${JFMC_PROPERTIES} || ( echo "unable to create ${JFMC_PROPERTIES} file" && exit 1 ) - fi - - addProperty "jfmc.db.username" "${JFMC_DB_USERNAME}" ${JFMC_PROPERTIES} && \ - addProperty "jfmc.db.password" "${JFMC_DB_PASSWORD}" ${JFMC_PROPERTIES} && \ - addProperty "jfsc.db.username" "${JFSC_DB_USERNAME}" ${JFMC_PROPERTIES} && \ - addProperty "jfsc.db.password" "${JFSC_DB_PASSWORD}" ${JFMC_PROPERTIES} && \ - addProperty "jfis.db.username" "${JFIS_DB_USERNAME}" ${JFMC_PROPERTIES} && \ - addProperty "jfis.db.password" "${JFIS_DB_PASSWORD}" ${JFMC_PROPERTIES} || \ - ( echo "unable to set mission-control properties in ${JFMC_PROPERTIES}" && exit 1 ) \ No newline at end of file diff --git a/stable/mission-control/templates/mission-control-application-yaml.yaml b/stable/mission-control/templates/mission-control-application-yaml.yaml deleted file mode 100644 index 30a1e1ce6..000000000 --- a/stable/mission-control/templates/mission-control-application-yaml.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mission-control.fullname" . }}-applicationyaml - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -stringData: - application.yaml: | -{{ toYaml .Values.applicationConfigs | indent 4 }} diff --git a/stable/mission-control/templates/mission-control-configmaps.yaml b/stable/mission-control/templates/mission-control-configmaps.yaml deleted file mode 100644 index d8c4c609a..000000000 --- a/stable/mission-control/templates/mission-control-configmaps.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -{{- if .Values.common.configMaps }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "mission-control.fullname" . }}-configmaps - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{ tpl .Values.common.configMaps . | indent 2 }} -{{- end }} diff --git a/stable/mission-control/templates/mission-control-custom-secrets.yaml b/stable/mission-control/templates/mission-control-custom-secrets.yaml deleted file mode 100644 index 0bb69cf9e..000000000 --- a/stable/mission-control/templates/mission-control-custom-secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.common.customSecrets }} -{{- range .Values.common.customSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mission-control.fullname" $ }}-{{ .name }} - labels: - app: "{{ template "mission-control.name" $ }}" - chart: "{{ template "mission-control.chart" $ }}" - component: "{{ $.Values.missionControl.name }}" - heritage: {{ $.Release.Service | quote }} - release: {{ $.Release.Name | quote }} -type: Opaque -stringData: - {{ .key }}: | -{{ .data | indent 4 -}} -{{- end -}} -{{- end -}} diff --git a/stable/mission-control/templates/mission-control-networkpolicy.yaml b/stable/mission-control/templates/mission-control-networkpolicy.yaml deleted file mode 100644 index 8fba63649..000000000 --- a/stable/mission-control/templates/mission-control-networkpolicy.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- range .Values.networkpolicy }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "mission-control.fullname" $ }}-{{ .name }}-networkpolicy - labels: - app: {{ template "mission-control.name" $ }} - component: {{ $.Values.missionControl.name }} - release: {{ $.Release.Name }} -spec: -{{- if .podSelector }} - podSelector: -{{ .podSelector | toYaml | trimSuffix "\n" | indent 4 -}} -{{ else }} - podSelector: {} -{{- end }} - policyTypes: - {{- if .ingress }} - - Ingress - {{- end }} - {{- if .egress }} - - Egress - {{- end }} -{{- if .ingress }} - ingress: -{{ .ingress | toYaml | trimSuffix "\n" | indent 2 -}} -{{- end }} -{{- if .egress }} - egress: -{{ .egress | toYaml | trimSuffix "\n" | indent 2 -}} -{{- end }} ---- -{{- end -}} \ No newline at end of file diff --git a/stable/mission-control/templates/mission-control-role.yaml b/stable/mission-control/templates/mission-control-role.yaml deleted file mode 100644 index 8a9795ed8..000000000 --- a/stable/mission-control/templates/mission-control-role.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "mission-control.fullname" . }} -rules: -{{ toYaml .Values.rbac.role.rules }} -{{- end }} diff --git a/stable/mission-control/templates/mission-control-rolebinding.yaml b/stable/mission-control/templates/mission-control-rolebinding.yaml deleted file mode 100644 index 04e002fd1..000000000 --- a/stable/mission-control/templates/mission-control-rolebinding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "mission-control.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "mission-control.serviceAccountName" . }} -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: {{ template "mission-control.fullname" . }} -{{- end }} diff --git a/stable/mission-control/templates/mission-control-secrets.yaml b/stable/mission-control/templates/mission-control-secrets.yaml deleted file mode 100644 index a708c4e05..000000000 --- a/stable/mission-control/templates/mission-control-secrets.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mission-control.fullname" . }} - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -data: -{{- if or .Values.missionControl.masterKey .Values.global.masterKey }} - {{- if not (or .Values.missionControl.masterKeySecretName .Values.global.masterKeySecretName) }} - master-key: {{ include "mission-control.masterKey" . | b64enc | quote }} - {{- end }} -{{- end }} -{{- if not (or .Values.missionControl.joinKey .Values.global.joinKey) }} - {{- if not (or .Values.missionControl.joinKeySecretName .Values.global.joinKeySecretName) }} - {{ required "\n\n.Values.missionControl.joinKey/joinKeySecretName or .Values.global.joinKey/joinKeySecretName is required!\n\n" .Values.missionControl.joinKey }} - {{- end }} -{{- end }} -{{- if or .Values.missionControl.joinKey .Values.global.joinKey }} - {{- if not (or .Values.missionControl.joinKeySecretName .Values.global.joinKeySecretName) }} - join-key: {{ include "mission-control.joinKey" . | b64enc | quote }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/stable/mission-control/templates/mission-control-serviceaccount.yaml b/stable/mission-control/templates/mission-control-serviceaccount.yaml deleted file mode 100644 index 16b907994..000000000 --- a/stable/mission-control/templates/mission-control-serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "mission-control.serviceAccountName" . }} -{{- end }} 
diff --git a/stable/mission-control/templates/mission-control-statefulset.yaml b/stable/mission-control/templates/mission-control-statefulset.yaml deleted file mode 100644 index 374db8d20..000000000 --- a/stable/mission-control/templates/mission-control-statefulset.yaml +++ /dev/null 
@@ -1,840 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "mission-control.fullname" . }} - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - {{- with .Values.missionControl.labels }} -{{ toYaml . | indent 4 }} - {{- end }} - {{- if .Release.IsUpgrade }} - unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Mission Control 3.x currently not supported!\nIf this is an upgrade over an existing Mission Control 4.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} - {{- end }} - {{- if and .Release.IsUpgrade .Values.postgresql.enabled }} - databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/mission-control/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x" .Values.databaseUpgradeReady | quote }} - {{- end }} -spec: - serviceName: {{ template "mission-control.fullname" . }} - replicas: {{ .Values.replicaCount }} - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: {{ template "mission-control.name" . }} - component: {{ .Values.missionControl.name }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "mission-control.name" . }} - component: {{ .Values.missionControl.name }} - release: {{ .Release.Name }} - {{- with .Values.missionControl.labels }} -{{ toYaml . | indent 8 }} - {{- end }} - annotations: - checksum/database-secrets: {{ include (print $.Template.BasePath "/database-secrets.yaml") . 
| sha256sum }} - checksum/systemyaml: {{ include (print $.Template.BasePath "/mission-control-system-yaml.yaml") . | sha256sum }} - {{- range $key, $value := .Values.missionControl.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - spec: - serviceAccountName: {{ template "mission-control.serviceAccountName" . }} - {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} -{{- include "mission-control.imagePullSecrets" . | indent 6 }} - {{- end }} - securityContext: - fsGroup: {{ .Values.common.uid }} - initContainers: - {{- if or .Values.common.customInitContainersBegin .Values.global.customInitContainersBegin }} -{{ tpl (include "mission-control.customInitContainersBegin" .) . | indent 6 }} - {{- end }} - {{- if .Values.elasticsearch.enabled }} - {{- if .Values.elasticsearch.configureDockerHost }} - - name: elasticsearch-init - image: "{{ .Values.elasticsearch.initContainerImage }}" - securityContext: - privileged: true - command: - - '/bin/sh' - - '-c' - - > - sysctl -w vm.max_map_count={{ .Values.elasticsearch.env.maxMapCount }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - {{- end }} - {{- end }} - - name: copy-system-yaml - image: '{{ .Values.initContainerImage }}' - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - '/bin/sh' - - '-c' - - > - echo "Copy system.yaml to {{ .Values.missionControl.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc; - {{- if .Values.systemYamlOverride.existingSecret }} - cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.missionControl.persistence.mountPath }}/etc/system.yaml; - {{- else }} - cp -fv /tmp/etc/system.yaml {{ .Values.missionControl.persistence.mountPath }}/etc/system.yaml; - {{- end }} - echo "Copy application.yaml to {{ .Values.missionControl.persistence.mountPath }}/bootstrap/mc"; - mkdir -p 
{{ .Values.missionControl.persistence.mountPath }}/bootstrap/mc; - cp -fv /tmp/etc/application.yaml {{ .Values.missionControl.persistence.mountPath }}/bootstrap/mc/application.yaml; - echo "Remove {{ .Values.missionControl.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.missionControl.persistence.mountPath }}/lost+found; - {{- if or .Values.missionControl.joinKey .Values.missionControl.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} - echo "Copy joinKey to {{ .Values.missionControl.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc/security; - echo ${MC_JOIN_KEY} > {{ .Values.missionControl.persistence.mountPath }}/etc/security/join.key; - {{- end }} - {{- if or .Values.missionControl.masterKey .Values.missionControl.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} - echo "Copy masterKey to {{ .Values.missionControl.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc/security; - echo ${MC_MASTER_KEY} > {{ .Values.missionControl.persistence.mountPath }}/etc/security/master.key; - {{- end }} - env: - {{- if or .Values.missionControl.joinKey .Values.missionControl.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} - - name: MC_JOIN_KEY - valueFrom: - secretKeyRef: - name: {{ include "mission-control.joinKeySecretName" . }} - key: join-key - {{- end }} - {{- if or .Values.missionControl.masterKey .Values.missionControl.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} - - name: MC_MASTER_KEY - valueFrom: - secretKeyRef: - name: {{ include "mission-control.masterKeySecretName" . 
}} - key: master-key - {{- end }} - volumeMounts: - - name: mission-control-data - mountPath: {{ .Values.missionControl.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.missionControl.systemYaml }} - - name: systemyaml - {{- if .Values.systemYamlOverride.existingSecret }} - mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" - subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.missionControl.systemYaml }} - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- end }} - {{- end }} - - name: applicationyaml - mountPath: "/tmp/etc/application.yaml" - subPath: application.yaml - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - {{- if or .Values.missionControl.customCertificates.enabled .Values.global.customCertificates.enabled }} - - name: copy-custom-certificates - image: "{{ .Values.initContainerImage }}" - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - command: - - 'sh' - - '-c' - - > -{{ include "mission-control.copyCustomCerts" . 
| indent 10 }} - volumeMounts: - - name: mission-control-data - mountPath: {{ .Values.missionControl.persistence.mountPath }} - - name: ca-certs - mountPath: "/tmp/certs" - {{- end }} - {{- if or .Values.postgresql.enabled ( and .Values.database.host .Values.database.port ) }} - - name: wait-for-db - image: "{{ .Values.initContainerImage }}" - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - 'sh' - - '-c' - - > - {{- if .Values.postgresql.enabled }} - until nc -z -w 2 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }} && echo database ok; do - {{- else }} - {{- if and .Values.database.host .Values.database.port }} - until nc -z -w 2 {{ .Values.database.host }} {{ .Values.database.port }} && echo database ok; do - {{- else }} - until true; do - {{- end }} - {{- end }} - sleep 2; - done; - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - {{- if .Values.postgresql.enabled }} - - name: postgresql-setup - image: "{{ .Values.dbSetup.postgresql.image.repository }}:{{ .Values.dbSetup.postgresql.image.tag }}" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - env: - - name: DB_PORT - value: '{{ .Values.postgresql.service.port }}' - - name: DB_HOST - value: '{{ .Release.Name }}-postgresql' - - name: DB_NAME - value: '{{ .Values.postgresql.db.name }}' - - name: DB_SSLMODE - value: '{{ .Values.postgresql.db.sslmode }}' - - name: DB_TABLESPACE - value: '{{ .Values.postgresql.db.tablespace }}' - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-postgresql - key: postgresql-password - - name: JFMC_DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . 
}}-database-creds - key: db-password - - name: JFMC_DB_USERNAME - value: '{{ .Values.postgresql.db.user }}' - - name: JFMC_DB_SCHEMA - value: '{{ .Values.postgresql.db.jfmcSchema }}' - - name: JFSC_DB_USERNAME - value: '{{ .Values.postgresql.db.user }}' - - name: JFSC_DB_SCHEMA - value: '{{ .Values.postgresql.db.jfscSchema }}' - - name: JFSC_DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-password - - name: JFIS_DB_USERNAME - value: '{{ .Values.postgresql.db.user }}' - - name: JFIS_DB_SCHEMA - value: '{{ .Values.postgresql.db.jfisSchema }}' - - name: JFIS_DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-password - command: - - 'bash' - - '-c' - - 'su postgres -c "PGPASSWORD=${PGPASSWORD} bash /scripts/createPostgresUsers.sh all"' - volumeMounts: - - name: postgresql-setup - mountPath: "/scripts" - resources: -{{ toYaml .Values.initContainers.resources | indent 10 }} - {{- end }} - {{- if or .Values.common.customInitContainers .Values.global.customInitContainers }} -{{ tpl (include "mission-control.customInitContainers" .) . | indent 6 }} - {{- end }} - {{- if .Values.hostAliases }} - hostAliases: -{{ toYaml .Values.hostAliases | indent 6 }} - {{- end }} - containers: - {{- if .Values.elasticsearch.enabled }} - - name: {{ .Values.elasticsearch.name }} - image: {{ include "mission-control.getImageInfoByValue" (list . 
"elasticsearch") }} - imagePullPolicy: {{ .Values.elasticsearch.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.elasticsearch.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - '/bin/sh' - - '-c' - - > - sleep 10; -{{- if and .Values.elasticsearch.enabled .Values.elasticsearch.certificatesSecretName }} - mkdir -p /usr/share/elasticsearch/data/certs; - cp -fv /tmp/certs/* /usr/share/elasticsearch/data/certs; -{{- end }} - if [[ $mission_control_pod_name == *"-0"* ]] ; then echo "Setting clustersetup to no" && export ELASTICSEARCH_CLUSTERSETUP=NO; else echo "Setting clustersetup to yes" && export ELASTICSEARCH_CLUSTERSETUP=YES; fi; - (/usr/local/bin/initializeSearchGuard.sh &) && docker-entrypoint.sh 'elasticsearch'; - env: - - name: 'mission_control_pod_name' - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: 'cluster.name' - value: '{{ .Values.elasticsearch.env.clusterName }}' - - name: 'network.host' - value: '{{ .Values.elasticsearch.env.networkHost }}' - - name: 'transport.host' - value: '{{ .Values.elasticsearch.env.transportHost }}' - - name: 'transport.port' - value: '{{ .Values.elasticsearch.transportPort }}' - - name: 'discovery.seed_hosts' - value: '{{ template "mission-control.fullname" . }}' - - name: 'cluster.initial_master_nodes' - value: '{{ template "elasticsearch.endpoints" . }}' - - name: ELASTICSEARCH_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . }}-elasticsearch-cred - key: password - - name: ELASTICSEARCH_USERNAME - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . }}-elasticsearch-cred - key: username - - name: JF_SHARED_ELASTICSEARCH_USERNAME - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . }}-elasticsearch-cred - key: username - - name: JF_SHARED_ELASTICSEARCH_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . 
}}-elasticsearch-cred - key: password - - name: ES_JAVA_OPTS - value: " - {{- if .Values.elasticsearch.javaOpts.xms }} - -Xms{{ .Values.elasticsearch.javaOpts.xms }} - {{- end }} - {{- if .Values.elasticsearch.javaOpts.xmx }} - -Xmx{{ .Values.elasticsearch.javaOpts.xmx }} - {{- end }} - " - - name: JF_SHARED_ELASTICSEARCH_URL - valueFrom: - secretKeyRef: - name: {{ template "mission-control.fullname" . }}-elasticsearch-cred - key: url - ports: - - name: tcp-estransprt - containerPort: {{ .Values.elasticsearch.transportPort }} - volumeMounts: -{{- if and .Values.elasticsearch.enabled .Values.elasticsearch.certificatesSecretName }} - - name: elastic-certs - mountPath: /tmp/certs -{{- end }} - - name: elasticsearch-data - mountPath: {{ .Values.elasticsearch.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.elasticsearch.resources | indent 10 }} -{{- if .Values.elasticsearch.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.elasticsearch.startupProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.elasticsearch.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.elasticsearch.livenessProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.elasticsearch.readinessProbe.enabled }} - readinessProbe: -{{ tpl .Values.elasticsearch.readinessProbe.config . | indent 10 }} -{{- end }} - {{- end }} - - name: {{ .Values.router.name }} - image: {{ include "mission-control.getImageInfoByValue" (list . 
"router") }} - imagePullPolicy: {{ .Values.router.image.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - '/bin/sh' - - '-c' - - > - exec /opt/jfrog/router/app/bin/entrypoint-router.sh; - ports: - - name: http-router - containerPort: {{ .Values.router.internalPort }} - volumeMounts: - - name: mission-control-data - mountPath: {{ .Values.router.persistence.mountPath | quote }} - {{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} -{{ tpl (include "mission-control.customVolumeMounts" .) . | indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.router.resources | indent 10 }} -{{- if .Values.router.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.router.startupProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.router.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.router.livenessProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.router.readinessProbe.enabled }} - readinessProbe: -{{ tpl .Values.router.readinessProbe.config . | indent 10 }} -{{- end }} - - name: {{ .Values.missionControl.name }} - image: {{ include "mission-control.getImageInfoByValue" (list . "missionControl") }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - '/bin/bash' - - '-c' - - > - {{- with .Values.missionControl.preStartCommand }} - echo "Running custom preStartCommand command"; - {{ tpl . 
$ }}; - {{- end }} - exec /opt/jfrog/mc/app/bin/entrypoint-mc.sh; - env: - {{- if or .Values.database.secrets.user .Values.database.user }} - - name: JF_SHARED_DATABASE_USERNAME - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.user }} - name: {{ tpl .Values.database.secrets.user.name .}} - key: {{ tpl .Values.database.secrets.user.key .}} - {{- else if .Values.database.user }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-user - {{- end }} - {{- end }} - {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.password }} - name: {{ tpl .Values.database.secrets.password.name . }} - key: {{ tpl .Values.database.secrets.password.key . }} - {{- else if or .Values.database.password .Values.postgresql.enabled }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-password - {{- end }} - {{- end }} - {{- if or .Values.database.secrets.url .Values.database.url }} - - name: JF_SHARED_DATABASE_URL - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.url }} - name: {{ tpl .Values.database.secrets.url.name .}} - key: {{ tpl .Values.database.secrets.url.key .}} - {{- else if .Values.database.url }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-url - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.missionControl.internalPort }} - protocol: TCP - name: http-mc - volumeMounts: - - name: mission-control-data - mountPath: {{ .Values.missionControl.persistence.mountPath | quote }} - {{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} -{{ tpl (include "mission-control.customVolumeMounts" .) . 
| indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.missionControl.resources | indent 10 }} -{{- if .Values.missionControl.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.missionControl.startupProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.missionControl.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.missionControl.livenessProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.missionControl.readinessProbe.enabled }} - readinessProbe: -{{ tpl .Values.missionControl.readinessProbe.config . | indent 10 }} -{{- end }} - {{- if .Values.filebeat.enabled }} - - name: {{ .Values.filebeat.name }} - image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" - imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - args: - - "-e" - - "-E" - - "http.enabled=true" - volumeMounts: - - name: filebeat-config - mountPath: /usr/share/filebeat/filebeat.yml - readOnly: true - subPath: filebeat.yml - - name: mission-control-data - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - livenessProbe: -{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} - readinessProbe: -{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} - resources: -{{ toYaml .Values.filebeat.resources | indent 10 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} - {{- end }} - - name: {{ .Values.insightServer.name }} - image: {{ include "mission-control.getImageInfoByValue" (list . 
"insightServer") }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - env: - {{- if or .Values.database.secrets.user .Values.database.user }} - - name: JF_SHARED_DATABASE_USERNAME - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.user }} - name: {{ tpl .Values.database.secrets.user.name .}} - key: {{ tpl .Values.database.secrets.user.key .}} - {{- else if .Values.database.user }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-user - {{- end }} - {{- end }} - {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.password }} - name: {{ tpl .Values.database.secrets.password.name . }} - key: {{ tpl .Values.database.secrets.password.key . }} - {{- else if or .Values.database.password .Values.postgresql.enabled }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-password - {{- end }} - {{- end }} - {{- if or .Values.database.secrets.url .Values.database.url }} - - name: JF_SHARED_DATABASE_URL - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.url }} - name: {{ tpl .Values.database.secrets.url.name .}} - key: {{ tpl .Values.database.secrets.url.key .}} - {{- else if .Values.database.url }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-url - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.insightServer.internalPort }} - protocol: TCP - name: http-inserver - volumeMounts: - - name: mission-control-data - mountPath: {{ .Values.missionControl.persistence.mountPath | quote }} - {{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} -{{ tpl (include "mission-control.customVolumeMounts" .) . 
| indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.insightServer.resources | indent 10 }} -{{- if .Values.insightServer.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.insightServer.startupProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.insightServer.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.insightServer.livenessProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.insightServer.readinessProbe.enabled }} - readinessProbe: -{{ tpl .Values.insightServer.readinessProbe.config . | indent 10 }} -{{- end }} - - name: {{ .Values.insightScheduler.name }} - image: {{ include "mission-control.getImageInfoByValue" (list . "insightScheduler") }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - securityContext: - runAsNonRoot: true - runAsUser: {{ .Values.common.uid }} - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - env: - - name: JFMC_EXTRA_JAVA_OPTS - value: " - {{- if .Values.insightScheduler.javaOpts.other }} - {{ .Values.insightScheduler.javaOpts.other }} - {{- end}} - {{- if .Values.insightScheduler.javaOpts.xms }} - -Xms{{ .Values.insightScheduler.javaOpts.xms }} - {{- end}} - {{- if .Values.insightScheduler.javaOpts.xmx }} - -Xmx{{ .Values.insightScheduler.javaOpts.xmx }} - {{- end}} - -Dserver.port={{ .Values.insightScheduler.internalPort }} - " - {{- if or .Values.database.secrets.user .Values.database.user }} - - name: JF_SHARED_DATABASE_USERNAME - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.user }} - name: {{ tpl .Values.database.secrets.user.name .}} - key: {{ tpl .Values.database.secrets.user.key .}} - {{- else if .Values.database.user }} - name: {{ template "mission-control.fullname" . 
}}-database-creds - key: db-user - {{- end }} - {{- end }} - {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} - - name: JF_SHARED_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.password }} - name: {{ tpl .Values.database.secrets.password.name . }} - key: {{ tpl .Values.database.secrets.password.key . }} - {{- else if or .Values.database.password .Values.postgresql.enabled }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-password - {{- end }} - {{- end }} - {{- if or .Values.database.secrets.url .Values.database.url }} - - name: JF_SHARED_DATABASE_URL - valueFrom: - secretKeyRef: - {{- if .Values.database.secrets.url }} - name: {{ tpl .Values.database.secrets.url.name .}} - key: {{ tpl .Values.database.secrets.url.key .}} - {{- else if .Values.database.url }} - name: {{ template "mission-control.fullname" . }}-database-creds - key: db-url - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.insightScheduler.internalPort }} - protocol: TCP - name: http-insched - volumeMounts: - - name: mission-control-data - mountPath: {{ .Values.missionControl.persistence.mountPath | quote }} - {{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} -{{ tpl (include "mission-control.customVolumeMounts" .) . | indent 8 }} - {{- end }} - resources: -{{ toYaml .Values.insightScheduler.resources | indent 10 }} -{{- if .Values.insightScheduler.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.insightScheduler.startupProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.insightScheduler.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.insightScheduler.livenessProbe.config . | indent 10 }} -{{- end }} -{{- if .Values.insightScheduler.readinessProbe.enabled }} - readinessProbe: -{{ tpl .Values.insightScheduler.readinessProbe.config . 
| indent 10 }} -{{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} - {{- $uid := .Values.common.uid }} - {{- $context := .Values.missionControl.appContext }} - {{- $name := .Values.missionControl.name }} - {{- $mountPath := .Values.missionControl.persistence.mountPath }} - {{- range .Values.missionControl.loggers }} - - name: {{ $name }}-{{ . | replace "_" "-" | replace "." "-" }} - image: {{ include "mission-control.getImageInfoByValue" (list $ "logger") }} - securityContext: - runAsUser: {{ $uid }} - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ $context }}/{{ . }}' - volumeMounts: - - name: mission-control-data - mountPath: {{ $mountPath }} - resources: -{{ toYaml $.Values.missionControl.loggersResources | indent 10 }} - {{- end }} - {{- $name := .Values.insightServer.name }} - {{- $context := .Values.insightServer.appContext }} - {{- $mountPath := .Values.insightServer.persistence.mountPath }} - {{- range .Values.insightServer.loggers }} - - name: {{ $name }}-{{ . | replace "_" "-" | replace "." "-" }} - image: {{ include "mission-control.getImageInfoByValue" (list $ "logger") }} - securityContext: - runAsUser: {{ $uid }} - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ $context }}/{{ . }}' - volumeMounts: - - name: mission-control-data - mountPath: {{ $mountPath }} - resources: - {{ toYaml $.Values.insightServer.loggersResources | indent 10 }} - {{- end }} - {{- $name := .Values.insightScheduler.name }} - {{- $context := .Values.insightScheduler.appContext }} - {{- $mountPath := .Values.insightScheduler.persistence.mountPath }} - {{- range .Values.insightScheduler.loggers }} - - name: {{ $name }}-{{ . | replace "_" "-" | replace "." 
"-" }} - image: {{ include "mission-control.getImageInfoByValue" (list $ "logger") }} - securityContext: - runAsUser: {{ $uid }} - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - command: - - tail - args: - - '-F' - - '{{ $mountPath }}/logs/{{ $context }}/{{ . }}' - volumeMounts: - - name: mission-control-data - mountPath: {{ $mountPath }} - resources: -{{ toYaml $.Values.insightScheduler.loggersResources | indent 10 }} - {{- end }} - {{- if or .Values.common.customSidecarContainers .Values.global.customSidecarContainers }} -{{ tpl (include "mission-control.customSidecarContainers" .) . | indent 6 }} - {{- end }} - {{- with .Values.missionControl.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.missionControl.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.missionControl.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - {{- if or .Values.missionControl.customCertificates.enabled .Values.global.customCertificates.enabled }} - - name: ca-certs - secret: - secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.missionControl.customCertificates.certificateSecretName }} - {{- end }} - {{- if and .Values.elasticsearch.enabled .Values.elasticsearch.certificatesSecretName }} - - name: elastic-certs - secret: - secretName: {{ .Values.elasticsearch.certificatesSecretName }} - {{- end }} - - name: applicationyaml - secret: - secretName: {{ template "mission-control.fullname" . }}-applicationyaml - {{- if or .Values.systemYamlOverride.existingSecret .Values.missionControl.systemYaml }} - - name: systemyaml - secret: - secretName: {{ default (printf "%s-%s" (include "mission-control.fullname" .) "systemyaml") .Values.systemYamlOverride.existingSecret }} - {{- end }} - {{- if .Values.postgresql.enabled }} - - name: postgresql-setup - configMap: - name: {{ template "mission-control.fullname" . 
}}-postgresql-setup-script - {{- end }} - - name: jfmc-setup-scripts - configMap: - name: {{ template "mission-control.fullname" . }}-jfmc-setup-scripts - {{- if .Values.filebeat.enabled }} - - name: filebeat-config - configMap: - name: {{ template "mission-control.fullname" . }}-filebeat-config - {{- end }} - {{- if .Values.common.configMaps }} - - name: mission-control-configmaps - configMap: - name: {{ template "mission-control.fullname" . }}-configmaps - {{- end }} - {{- if or .Values.common.customVolumes .Values.global.customVolumes }} -{{ tpl (include "mission-control.customVolumes" .) . | indent 6 }} - {{- end }} - {{- if not .Values.missionControl.persistence.enabled }} - - name: mission-control-data - emptyDir: {} - {{- end }} - {{- if and (.Values.missionControl.persistence.enabled) (.Values.missionControl.persistence.existingClaim) }} - - name: mission-control-data - persistentVolumeClaim: - claimName: {{ .Values.missionControl.persistence.existingClaim }} - {{- end }} - {{- if not .Values.elasticsearch.persistence.enabled }} - - name: elasticsearch-data - emptyDir: {} - {{- end }} - {{- if and (.Values.elasticsearch.persistence.enabled) (.Values.elasticsearch.persistence.existingClaim) }} - - name: elasticsearch-data - persistentVolumeClaim: - claimName: {{ .Values.elasticsearch.persistence.existingClaim }} - {{- end }} - volumeClaimTemplates: - {{- if and (.Values.missionControl.persistence.enabled) (not .Values.missionControl.persistence.existingClaim) }} - - metadata: - name: mission-control-data - spec: - {{- if .Values.missionControl.persistence.storageClass }} - {{- if (eq "-" .Values.missionControl.persistence.storageClass) }} - storageClassName: '' - {{- else }} - storageClassName: '{{ .Values.missionControl.persistence.storageClass }}' - {{- end }} - {{- end }} - accessModes: [ '{{ .Values.missionControl.persistence.accessMode }}' ] - resources: - requests: - storage: {{ .Values.missionControl.persistence.size }} - {{- end }} - {{- if and 
(.Values.elasticsearch.persistence.enabled) (not .Values.elasticsearch.persistence.existingClaim) }} - - metadata: - name: elasticsearch-data - spec: - {{- if .Values.elasticsearch.persistence.storageClass }} - {{- if (eq "-" .Values.elasticsearch.persistence.storageClass) }} - storageClassName: '' - {{- else }} - storageClassName: '{{ .Values.elasticsearch.persistence.storageClass }}' - {{- end }} - {{- end }} - accessModes: [ '{{ .Values.elasticsearch.persistence.accessMode }}' ] - resources: - requests: - storage: {{ .Values.elasticsearch.persistence.size }} - {{- end }} diff --git a/stable/mission-control/templates/mission-control-svc.yaml b/stable/mission-control/templates/mission-control-svc.yaml deleted file mode 100644 index 0f4f959aa..000000000 --- a/stable/mission-control/templates/mission-control-svc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "mission-control.fullname" . }} - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - {{- with .Values.missionControl.labels }} -{{ toYaml . | indent 4 }} - {{- end }} -{{- if .Values.missionControl.service.annotations }} - annotations: -{{ toYaml .Values.missionControl.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.missionControl.service.type }} - ports: - - name: http - port: {{ .Values.missionControl.externalPort }} - targetPort: {{ .Values.missionControl.internalPort }} - protocol: TCP - - name: http-router - port: {{ .Values.router.externalPort }} - targetPort: {{ .Values.router.internalPort }} - protocol: TCP -{{- if .Values.elasticsearch.enabled }} - - name: tcp-estransport - port: {{ .Values.elasticsearch.transportPort }} - targetPort: {{ .Values.elasticsearch.transportPort }} -{{- end }} - publishNotReadyAddresses: true - selector: - app: {{ template "mission-control.name" . }} - component: {{ .Values.missionControl.name }} - release: {{ .Release.Name }} diff --git a/stable/mission-control/templates/mission-control-system-yaml.yaml b/stable/mission-control/templates/mission-control-system-yaml.yaml deleted file mode 100644 index 970890d85..000000000 --- a/stable/mission-control/templates/mission-control-system-yaml.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if not .Values.systemYamlOverride.existingSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "mission-control.fullname" . }}-systemyaml - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - component: {{ .Values.missionControl.name }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -type: Opaque -stringData: - system.yaml: | -{{ tpl .Values.missionControl.systemYaml . | indent 4 }} -{{- end }} diff --git a/stable/mission-control/templates/postgresql-setup-script.yaml b/stable/mission-control/templates/postgresql-setup-script.yaml deleted file mode 100644 index 6856922ef..000000000 --- a/stable/mission-control/templates/postgresql-setup-script.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -{{- if .Values.postgresql.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "mission-control.fullname" . }}-postgresql-setup-script - labels: - app: {{ template "mission-control.name" . }} - chart: {{ template "mission-control.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - createPostgresUsers.sh: | - #!/bin/bash - # This can be used to create user, database, schema and grant the required permissions. - # This script can handle multiple execution and not with "already exists" error. An entity will get created only if it does not exist. - # NOTE : 1. This expects current linux user to be admin user in postgreSQL (this is the case with 'postgres' user) - # 2. Execute this by logging as postgres or any other user with similar privilege - # 3. This files needs be executed from a location which postgres (or the admin user which will be used) has access to. (/opt can be used) - # - # su postgres -c "POSTGRES_PATH=/path/to/postgres/bin PGPASSWORD=postgres bash ./createPostgresUsers.sh" - - POSTGRES_LABEL="Postgres" - - log() { - echo -e "$1" - } - - errorExit() { - echo; echo -e "\033[31mERROR:\033[0m $1"; echo - exit 1 - } - - # Create user if it does not exist - createUser(){ - local user=$1 - local pass=$2 - - [ ! -z ${user} ] || errorExit "user is empty" - [ ! -z ${pass} ] || errorExit "password is empty" - - ${PSQL} $POSTGRES_OPTIONS -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user}'" | grep -q 1 1>/dev/null - local rc=$? - # If the user already exists, change the password - if [[ ${rc} -eq 0 ]]; then - echo "Changing password for user ${user}..." - ${PSQL} $POSTGRES_OPTIONS -c "ALTER USER ${user} WITH PASSWORD '${pass}';" 1>/dev/null || errorExit "Failed updating user ${user} password on PostgreSQL" - echo "Done" - else - echo "Creating user ${user}..." 
- ${PSQL} $POSTGRES_OPTIONS -c "CREATE USER ${user} WITH PASSWORD '${pass}';" 1>/dev/null || errorExit "Failed creating user ${user} on PostgreSQL" - echo "Done" - fi - } - - # Create database if it does not exist - createDB(){ - local db=$1 - local user=$2 - - [ ! -z ${db} ] || errorExit "db is empty" - [ ! -z ${user} ] || errorExit "user is empty" - - if ! ${PSQL} $POSTGRES_OPTIONS -lqt | cut -d \| -f 1 | grep -qw ${db} 1>/dev/null; then - ${PSQL} $POSTGRES_OPTIONS -c "CREATE DATABASE ${db} WITH ENCODING='UTF8' TABLESPACE=${DB_TABLESPACE} template template0;" 1>/dev/null || errorExit "Failed creating db ${db} on PostgreSQL" - fi - } - - # Create schema if it does not exist - createSchema(){ - local schema=$1 - local db=$2 - local user=$3 - - [ ! -z ${schema} ] || errorExit "schema is empty" - [ ! -z ${db} ] || errorExit "db is empty" - [ ! -z ${user} ] || errorExit "user is empty" - - PGOPTIONS='--client-min-messages=warning' ${PSQL} $POSTGRES_OPTIONS --dbname="${db}" -qc "CREATE SCHEMA IF NOT EXISTS ${schema} AUTHORIZATION ${user}" 1>/dev/null - } - - postgresIsNotReady() { - attempt_number=${attempt_number:-0} - ${PSQL} $POSTGRES_OPTIONS --version > /dev/null 2>&1 - outcome1=$? - # Execute a simple db function to verify if postgres is up and running - ${PSQL} $POSTGRES_OPTIONS -l > /dev/null 2>&1 - outcome2=$? - if [[ $outcome1 -eq 0 ]] && [[ $outcome2 -eq 0 ]]; then - return 0 - else - if [ $attempt_number -gt 10 ]; then - errorExit "Unable to proceed. $POSTGRES_LABEL is not reachable. This can occur if the service is not running \ - or the port is not accepting requests at $DB_PORT (host : $DB_HOST). 
Gave up after $attempt_number attempts" - fi - let "attempt_number=attempt_number+1" - return 1 - fi - } - - init(){ - if [[ -z $POSTGRES_PATH ]]; then - hash ${PSQL} 2>/dev/null || { echo >&2 "\"${PSQL}\" is not installed or not available in path"; exit 1; } - fi - - log "Waiting for $POSTGRES_LABEL to get ready using the commands: \"${PSQL} $POSTGRES_OPTIONS --version\" & \"${PSQL} $POSTGRES_OPTIONS -l\"" - attempt_number=0 - while ! postgresIsNotReady - do - sleep 5 - echo -n '.' - done - log "$POSTGRES_LABEL is ready. Executing commands" - } - - setupDB(){ - local user=$1 - local pass=$2 - local db=$3 - local schema=$4 - - createUser "${user}" "${pass}" - createDB "${db}" "${user}" - createSchema "${schema}" "${db}" "${user}" - - ${PSQL} $POSTGRES_OPTIONS -c "GRANT ALL ON DATABASE ${db} TO ${user}" 1>/dev/null; - ${PSQL} $POSTGRES_OPTIONS -c "GRANT ALL ON SCHEMA ${schema} TO ${user}" --dbname="${db}" 1>/dev/null; - } - - # Load default and custom postgres details from below files - [ -f setenvDefaults.sh ] && source setenvDefaults.sh || true - [ -f setenv.sh ] && source setenv.sh || true - - ### Following are the postgres details being setup for each service. - ## Common details - : ${DB_PORT:=5432} - : ${DB_NAME:="mission_control"} - : ${DB_SSLMODE:="false"} - : ${DB_TABLESPACE:="pg_default"} - : ${DB_HOST:="localhost"} - - ## Insight Server - : ${JFIS_DB_USERNAME:="mc"} - : ${JFIS_DB_PASSWORD:="password"} - : ${JFIS_DB_SCHEMA:="insight_server"} - - ## Insight Scheduler - : ${JFSC_DB_USERNAME:="mc"} - : ${JFSC_DB_PASSWORD:="password"} - : ${JFSC_DB_SCHEMA:="insight_scheduler"} - - ## Jfmc Server - : ${JFMC_DB_USERNAME:="mc"} - : ${JFMC_DB_PASSWORD:="password"} - : ${JFMC_DB_SCHEMA:="jfmc_server"} - - # Enable script to run setup for specific service - SERVICE=${1:-all} - if ! 
[[ $SERVICE =~ all|jfmc|jfex|jfsc|jfis ]]; then - SERVICE=all - fi - - DB_HOST={{ .Release.Name }}-postgresql - [[ -z "${POSTGRES_PATH}" ]] && PSQL=psql || PSQL=${POSTGRES_PATH}/psql - POSTGRES_OPTIONS="--host=${DB_HOST} --port=${DB_PORT} -U {{ .Values.postgresql.postgresqlUsername }} -w" - - init - [[ $SERVICE =~ all|jfis ]] && setupDB "${JFIS_DB_USERNAME}" "${JFIS_DB_PASSWORD}" "${DB_NAME}" "${JFIS_DB_SCHEMA}" || true - [[ $SERVICE =~ all|jfsc ]] && setupDB "${JFSC_DB_USERNAME}" "${JFSC_DB_PASSWORD}" "${DB_NAME}" "${JFSC_DB_SCHEMA}" || true - [[ $SERVICE =~ all|jfmc ]] && setupDB "${JFMC_DB_USERNAME}" "${JFMC_DB_PASSWORD}" "${DB_NAME}" "${JFMC_DB_SCHEMA}" || true - log "$POSTGRES_LABEL setup is now complete" - - exit 0 -{{- end }} diff --git a/stable/mission-control/values-large.yaml b/stable/mission-control/values-large.yaml deleted file mode 100644 index 6f38d308d..000000000 --- a/stable/mission-control/values-large.yaml +++ /dev/null @@ -1,53 +0,0 @@ -initContainers: - resources: - requests: - memory: "64Mi" - cpu: "10m" - limits: - memory: "128Mi" - cpu: "250m" -elasticsearch: - resources: - requests: - memory: "8Gi" - cpu: "1" - limits: - memory: "8Gi" - cpu: "2" - ## ElasticSearch xms and xmx should be same! - javaOpts: - xms: "7g" - xmx: "7g" - -missionControl: - resources: - requests: - memory: "3Gi" - cpu: "1" - limits: - memory: "6Gi" - cpu: "2" - javaOpts: - xms: "3g" - xmx: "6g" - -insightServer: - resources: - requests: - memory: "512Mi" - cpu: "1" - limits: - memory: "4Gi" - cpu: "2" - -insightScheduler: - resources: - requests: - memory: "512Mi" - cpu: "1" - limits: - memory: "3Gi" - cpu: "2" - javaOpts: - xms: "512m" - xmx: "3g" diff --git a/stable/mission-control/values-medium.yaml b/stable/mission-control/values-medium.yaml deleted file mode 100644 index 995ad4093..000000000 --- a/stable/mission-control/values-medium.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -initContainers: - resources: - requests: - memory: "64Mi" - cpu: "10m" - limits: - memory: "128Mi" - cpu: "250m" -elasticsearch: - resources: - requests: - memory: "6Gi" - cpu: "500m" - limits: - memory: "6Gi" - cpu: "2" - ## ElasticSearch xms and xmx should be same! - javaOpts: - xms: "5g" - xmx: "5g" - -missionControl: - resources: - requests: - memory: "3Gi" - cpu: "500m" - limits: - memory: "6Gi" - cpu: "2" - javaOpts: - xms: "3g" - xmx: "6g" - -insightServer: - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "4Gi" - cpu: "1" - -insightScheduler: - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "3Gi" - cpu: "1" - javaOpts: - xms: "512m" - xmx: "3g" diff --git a/stable/mission-control/values-small.yaml b/stable/mission-control/values-small.yaml deleted file mode 100644 index 31885d438..000000000 --- a/stable/mission-control/values-small.yaml +++ /dev/null @@ -1,53 +0,0 @@ -initContainers: - resources: - requests: - memory: "64Mi" - cpu: "10m" - limits: - memory: "128Mi" - cpu: "250m" -elasticsearch: - resources: - requests: - memory: "4Gi" - cpu: "500m" - limits: - memory: "4Gi" - cpu: "1" - ## ElasticSearch xms and xmx should be same! - javaOpts: - xms: "3g" - xmx: "3g" - -missionControl: - resources: - requests: - memory: "2Gi" - cpu: "500m" - limits: - memory: "4Gi" - cpu: "1" - javaOpts: - xms: "2g" - xmx: "4g" - -insightServer: - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "2Gi" - cpu: "1" - -insightScheduler: - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "2Gi" - cpu: "1" - javaOpts: - xms: "512m" - xmx: "2g" diff --git a/stable/mission-control/values.yaml b/stable/mission-control/values.yaml deleted file mode 100644 index 75b2e7105..000000000 --- a/stable/mission-control/values.yaml +++ /dev/null 
@@ -1,1013 +0,0 @@ -# Default values for Mission Control. -# This is a YAML-formatted file. -# Beware when changing values here. You should know what you are doing! -# Access the values with {{ .Values.key.subkey }} - -global: - # imageRegistry: - # imagePullSecrets: - # - myRegistryKeySecretName - ## Chart.AppVersion can be overidden using global.versions.missionControl or image tags - ## Note: Order of preference is 1) global.versions 2) image tags 3) Chart.AppVersion - versions: {} - # missionControl: - # router: - # jfrogUrl: - # joinKey: - # masterKey: - # joinKeySecretName: - # masterKeySecretName: - - ## Note: tags customInitContainersBegin,customInitContainers,customVolumes,customVolumeMounts,customSidecarContainers can be used both from global and application level simultaneously - # customVolumes: | - - # customVolumeMounts: | - - # customInitContainersBegin: | - - # customInitContainers: | - - # customSidecarContainers: | - - customCertificates: - enabled: false - # certificateSecretName: - -## Partially override mission-control.fullname template (eg: -) -# nameOverride: - -## Fully override mission-control.fullname template -# fullnameOverride: - -initContainerImage: releases-docker.jfrog.io/alpine:3.14.2 - -# For supporting pulling from private registries -imagePullSecrets: - # - myRegistryKeySecretName - -## Mission-control systemYaml override -## This is for advanced usecases where users wants to provide their own systemYaml for configuring mission-control -## Refer - https://www.jfrog.com/confluence/display/JFROG/Mission+Control+System+YAML -## Note: This will override existing (default) .Values.missionControl.systemYaml in values.yaml -## Alternatively, systemYaml can be overidden via customInitContainers using external sources like vaults, external repositories etc. Please refer customInitContainer section below for an example. 
-## Note: Order of preference is 1) customInitContainers 2) systemYamlOverride existingSecret 3) default systemYaml in values.yaml -systemYamlOverride: -## You can use a pre-existing secret by specifying existingSecret - existingSecret: -## The dataKey should be the name of the secret data key created. - dataKey: - -# Init containers -initContainers: - resources: {} -# requests: -# memory: "64Mi" -# cpu: "10m" -# limits: -# memory: "128Mi" -# cpu: "250m" - -imagePullPolicy: IfNotPresent - -# For HA -replicaCount: 1 - -shared: - node: - id: - -common: - uid: 1050 - gid: 1050 - - ## Add custom volumes - customVolumes: | - # - name: custom-script - # configMap: - # name: custom-script - - ## Add custom volumesMounts - customVolumeMounts: | - # - name: custom-script - # mountPath: /scripts/script.sh - # subPath: script.sh - - # Add any list of configmaps - configMaps: | - # posthook-start.sh: |- - # echo "This is a post start script" - # posthook-end.sh: |- - # echo "This is a post end script" - - ## Add custom init containers execution before predefined init containers - customInitContainersBegin: | - # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'touch {{ .Values.missionControl.persistence.mountPath }}/example-custom-setup' - # volumeMounts: - # - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - # name: data-volume - - ## Add custom init containers execution after predefined init containers - customInitContainers: | - # - name: "custom-systemyaml-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 
'wget -O {{ .Values.missionControl.persistence.mountPath }}/etc/system.yaml https:///systemyaml' - # volumeMounts: - # - mountPath: "{{ .Values.missionControl.persistence.mountPath }}" - # name: data-volume - - ## Add custom sidecar containers - # - The provided example uses a custom volume (customVolumes) - customSidecarContainers: | - # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" - # securityContext: - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - NET_RAW - # command: - # - 'sh' - # - '-c' - # - 'sh /scripts/script.sh' - # volumeMounts: - # - mountPath: "{{ .Values.xray.persistence.mountPath }}" - # name: volume - # - mountPath: "/scripts/script.sh" - # name: custom-script - # subPath: script.sh - # resources: - # requests: - # memory: "32Mi" - # cpu: "50m" - # limits: - # memory: "128Mi" - # cpu: "100m" - - # Add custom secrets - secret per file - customSecrets: - # - name: custom-secret - # key: custom-secret.yaml - # data: > - # custom_secret_config: - # parameter1: value1 - # parameter2: value2 - # - name: custom-secret2 - # key: custom-secret2.config - # data: | - # here the custom secret 2 config - -## Role Based Access Control -## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ -rbac: - create: true - role: - ## Rules to create. 
It follows the role specification - rules: - - apiGroups: - - '' - resources: - - services - - endpoints - - pods - verbs: - - get - - watch - - list - -networkpolicy: [] - # Allows all ingress and egress - # - name: mission-control - # podSelector: - # matchLabels: - # app: mission-control - # egress: - # - {} - # ingress: - # - {} - # Uncomment to allow only mission-control pods to communicate with postgresql (if postgresql.enabled is true) - # - name: postgres - # podSelector: - # matchLabels: - # app: postgresql - # ingress: - # - from: - # - podSelector: - # matchLabels: - # app: mission-control - -## Service Account -## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ -## -serviceAccount: - create: true - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - name: - -## Details required for initialization/setup of database -dbSetup: - postgresql: - image: - repository: releases-docker.jfrog.io/postgres - tag: 13.2-alpine - pullPolicy: IfNotPresent - -# PostgreSQL - -## Configuration values for the PostgreSQL dependency sub-chart -## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md -postgresql: - enabled: true - image: - registry: releases-docker.jfrog.io - repository: bitnami/postgresql - tag: 13.2.0-debian-10-r55 - postgresqlUsername: postgres - postgresqlPassword: "" - postgresqlDatabase: mission_control - postgresqlExtendedConf: - listenAddresses: "*" - maxConnections: "1500" - db: - name: mission_control - sslmode: "false" - tablespace: "pg_default" - ## Use single user and password for all the services - user: mc - password: "" - jfmcSchema: jfmc_server - jfisSchema: insight_server - jfscSchema: insight_scheduler - service: - port: 5432 - persistence: - enabled: true - size: 100Gi - # existingClaim: - primary: - nodeSelector: {} - affinity: {} - tolerations: [] - readReplicas: - nodeSelector: {} - affinity: {} - tolerations: [] - 
resources: {} - # requests: - # memory: "1Gi" - # cpu: "250m" - # limits: - # memory: "2Gi" - # cpu: "1" - -### If NOT using the PostgreSQL in this chart (postgresql.enabled=false), -## specify custom database details here or leave empty -database: - type: postgresql - driver: org.postgresql.Driver - ## Please make sure these are created under the provided database - name: mission_control - jfisSchema: insight_server - jfmcSchema: jfmc_server - jfscSchema: insight_scheduler - ## Use single user and password for all the services - user: - password: - url: - ## If you have existing Kubernetes secrets containing db credentials, use - ## these values - secrets: {} - # user: - # name: "mc-database-creds" - # key: "db-user" - # password: - # name: "mc-database-creds" - # key: "db-password" - # url: - # name: "mc-database-creds" - # key: "db-url" - - -elasticsearch: - enabled: true - uid: 1000 - ## To overwrite existing ES search guard certificates, create a secret with the following files (localhost.key, localhost.pem, root-ca.pem, sgadmin.key, sgadmin.pem ) - ## certificatesSecretName: - name: elasticsearch - initContainerImage: releases-docker.jfrog.io/alpine:3.14.2 - configureDockerHost: true - image: - registry: releases-docker.jfrog.io - repository: jfrog/elasticsearch-sg - tag: 7.14.1 - pullPolicy: IfNotPresent - ## Enter elasticsearch connection details - ## By default url is set to localhost:8082 (router) - ## If external elasticsearch is used, provide external elasticsearch url and set elasticsearch.enabled=false - url: '{{ include "elasticsearch.url" . 
}}' - transportPort: 9300 - username: "admin" - password: "admin" - env: - clusterName: "es-cluster" - networkHost: "0.0.0.0" - transportHost: "0.0.0.0" - maxMapCount: 262144 - - persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - mountPath: "/usr/share/elasticsearch/data" - accessMode: ReadWriteOnce - size: 100Gi - ## ElasticSearch data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## ElasticSearch xms and xmx should be same! - javaOpts: - xms: "2g" - xmx: "2g" - - resources: {} - # requests: - # memory: "2Gi" - # cpu: "100m" - # limits: - # memory: "2.5Gi" - # cpu: "500m" - - livenessProbe: - enabled: true - config: | - httpGet: - path: /_cluster/health - port: 9200 - initialDelaySeconds: {{ if semverCompare " Security > Settings" (include "mission-control.jfrogUrl" .)) . }}" - elasticsearch: - username: {{ .Values.elasticsearch.username }} - password: {{ .Values.elasticsearch.password }} - {{- if and .Values.elasticsearch.enabled (gt (int .Values.replicaCount) 1) }} - clusterSetup: "yes" - {{- end }} - {{- if not .Values.elasticsearch.enabled }} - external: true - url: {{ tpl .Values.elasticsearch.url . 
}} - {{- end }} - database: - {{- if .Values.postgresql.enabled }} - type: postgresql - driver: org.postgresql.Driver - url: jdbc:postgresql://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.db.name }}?sslmode=disable - {{ else }} - type: "{{ .Values.database.type }}" - driver: "{{ .Values.database.driver }}" - {{- end }} - - mc: - {{- if .Values.postgresql.enabled }} - database: - username: {{ .Values.postgresql.db.user }} - schema: {{ .Values.postgresql.db.jfmcSchema }} - {{- end }} - extraJavaOpts: > - {{- with .Values.missionControl.javaOpts }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - - insight-scheduler: - {{- if .Values.postgresql.enabled }} - database: - username: {{ .Values.postgresql.db.user }} - schema: {{ .Values.postgresql.db.jfscSchema }} - {{- end }} - extraJavaOpts: > - {{- with .Values.insightScheduler.javaOpts }} - {{- if .xms }} - -Xms{{ .xms }} - {{- end }} - {{- if .xmx }} - -Xmx{{ .xmx }} - {{- end }} - {{- if .other }} - {{ .other }} - {{- end }} - {{- end }} - - insight-server: - {{- if .Values.postgresql.enabled }} - database: - username: {{ .Values.postgresql.db.user }} - schema: {{ .Values.postgresql.db.jfisSchema }} - {{- end }} - clients: - elasticsearch: - connectionWaitTimeoutSecs: {{ .Values.insightServer.clients.elasticsearch.connectionWaitTimeoutSecs }} - searchguard: - connectionWaitTimeoutSecs: {{ .Values.insightServer.clients.elasticsearch.searchguard.connectionWaitTimeoutSecs }} - - persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - mountPath: "/var/opt/jfrog/mc" - accessMode: ReadWriteOnce - size: 100Gi - ## Mission Control data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to 
"-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## Control Java options (JAVA_OPTIONS) - ## IMPORTANT: keep resources.limits.memory higher than javaOpts.xmx by 0.5G - javaOpts: {} - # other: "-server -XX:+UseG1GC -Dfile.encoding=UTF8" - # xms: "2g" - # xmx: "3g" - resources: {} - # requests: - # memory: "2Gi" - # cpu: "100m" - # limits: - # memory: "3.5Gi" - # cpu: "1" - nodeSelector: {} - - tolerations: [] - - affinity: {} - - service: - type: ClusterIP - annotations: {} - internalPort: 8080 - externalPort: 80 - - livenessProbe: - enabled: true - config: | - exec: - command: - - curl - - http://127.0.0.1:{{ .Values.missionControl.internalPort }}{{ include "mission-control.livenessProbe" .}} - initialDelaySeconds: {{ if semverCompare " - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## Add any of the loggers to a sidecar if you want to be able to see them with kubectl logs or a log collector in your k8s cluster - loggers: [] - # - insight-server.log - - # Loggers containers resources - loggersResources: {} - # requests: - # memory: "64Mi" - # cpu: "25m" - # limits: - # memory: "128Mi" - # cpu: "50m" - - livenessProbe: - enabled: true - config: | - exec: - command: - - curl - - http://127.0.0.1:{{ .Values.insightServer.internalPort }}{{ include "mission-control.livenessProbe" .}} - initialDelaySeconds: {{ if semverCompare " - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## Add any of the loggers to a sidecar if you want to be able to see them with kubectl logs or a log collector in your k8s cluster - loggers: [] - # - insight-scheduler.log - # - access.log - - # Loggers containers resources - loggersResources: {} - # requests: - # memory: "64Mi" - # cpu: "25m" - # limits: - # memory: "128Mi" - # cpu: "50m" - - livenessProbe: - enabled: true - config: | - exec: - command: - - curl - - http://127.0.0.1:{{ .Values.insightScheduler.internalPort }}{{ include "mission-control.livenessProbe" .}} - initialDelaySeconds: {{ if semverCompare "= 1.19.0-0' -maintainers: -- email: dev-distribution-pdn@jfrog.com - name: Chart Maintainers at JFrog -name: pdn-node -sources: -- https://github.com/jfrog/charts -type: application -version: 101.8.4 diff --git a/stable/pdn-node/LICENSE b/stable/pdn-node/LICENSE deleted file mode 100644 index 8dada3eda..000000000 --- a/stable/pdn-node/LICENSE +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "{}"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright {yyyy} {name of copyright owner}
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/stable/pdn-node/README.md b/stable/pdn-node/README.md
deleted file mode 100644
index bb71db8c5..000000000
--- a/stable/pdn-node/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-
-# PDN-node
-
-
-## TL;DR
-
-```bash
-$ helm repo add jfrog https://charts.jfrog.io
-$ helm install my-release jfrog/pdn-node
-```
-
-## Introduction
-
-
-## Prerequisites
-
-- Kubernetes 1.19+
-- Helm 3.2.0+
-
-## Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```bash
-$ helm install my-release jfrog/pdn-node
-```
-
diff --git a/stable/pdn-node/ci/default-values.yaml b/stable/pdn-node/ci/default-values.yaml
deleted file mode 100644
index 4dcde576e..000000000
--- a/stable/pdn-node/ci/default-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
-
-pdnServerUrl: pdnserver-pdn-server:8095
-pdnJoinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
diff --git a/stable/pdn-node/logo/pdn-node-logo.png b/stable/pdn-node/logo/pdn-node-logo.png
deleted file mode 100644
index 686b9decc..000000000
Binary files a/stable/pdn-node/logo/pdn-node-logo.png and /dev/null differ
diff --git a/stable/pdn-node/templates/NOTES.txt b/stable/pdn-node/templates/NOTES.txt
deleted file mode 100644
index b50ce6721..000000000
--- a/stable/pdn-node/templates/NOTES.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-CHART NAME: {{ .Chart.Name }}
-CHART VERSION: {{ .Chart.Version }}
-APP VERSION: {{ .Chart.AppVersion }}
-
-** Please be patient while the chart is being deployed **
-
-Get the list of pods by executing:
-
- kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
-
-Access the pod you want to debug by executing
-
- kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash
diff --git a/stable/pdn-node/templates/_helpers.tpl b/stable/pdn-node/templates/_helpers.tpl
deleted file mode 100644
index 8f051dd6e..000000000
--- a/stable/pdn-node/templates/_helpers.tpl
+++ /dev/null
@@ -1,101 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* - Expand the name of the chart. -*/}} -{{- define "pdn-node.name" -}} -{{- include "common.names.name" . -}} -{{- end -}} - -{{/* - Create a default fully qualified app name. - We truncate at 63 chars because some Kubernetes name - fields are limited to this (by the DNS naming spec). - If release name contains chart name it will be used as a full name. -*/}} -{{- define "pdn-node.fullname" -}} -{{- include "common.names.fullname" . -}} -{{- end -}} - -{{/* - pdnnode liveness probe -*/}} -{{- define "pdn-node.livenessProbe" -}} -{{- printf "%s" "/api/v1/system/liveness" -}} -{{- end -}} - -{{/* - pdnnode startup probe -*/}} -{{- define "pdn-node.startupProbe" -}} -{{- printf "%s" "/api/v1/system/readiness" -}} -{{- end -}} - -{{/* - Return the proper pdnnode image name -*/}} -{{- define "pdn-node.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global "appVer" .Chart.AppVersion) }} -{{- end -}} - -{{/* - Return the proper init container image name -*/}} -{{- define "pdn-node.initContainers.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.initContainers.image "global" .Values.global) }} -{{- end -}} - -{{/* - Return the proper Docker Image Registry Secret Names -*/}} -{{- define "pdn-node.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.initContainers.image) "global" .Values.global) }} -{{- end -}} - -{{/* - Return podAnnotations -*/}} -{{- define "pdn-node.podAnnotations" -}} -{{- if .Values.podAnnotations }} -{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} -{{- end }} -{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} -{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} -{{- end }} -{{- end -}} - -{{/* - Create the name of the service account to use -*/}} -{{- define 
"pdn-node.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "pdn-node.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* - Resolve pdnJoinKeySecretName value -*/}} -{{- define "pdn-node.pdnJoinKeySecretName" -}} -{{- if .Values.pdnJoinKeySecretName -}} -{{- .Values.pdnJoinKeySecretName -}} -{{- else -}} -{{ include "pdn-node.fullname" . }} -{{- end -}} -{{- end -}} - -{{/* - Custom certificate copy command -*/}} -{{- define "pdn-node.copyCustomCertsCmd" -}} -echo "Copy custom certificates to {{ .Values.persistence.mountPath }}/etc/security/keys/trusted" -mkdir -p {{ .Values.persistence.mountPath }}/etc/security/keys/trusted - -for file in $(ls -1 /tmp/certs/* | grep -v .key | grep -v ":" | grep -v grep) -do - if [[ -f "${file}" ]]; then - cp -v "${file}" {{ .Values.persistence.mountPath }}/etc/security/keys/trusted/ - fi -done -{{- end -}} diff --git a/stable/pdn-node/templates/additional-resources.yaml b/stable/pdn-node/templates/additional-resources.yaml deleted file mode 100644 index c4d06f08a..000000000 --- a/stable/pdn-node/templates/additional-resources.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{ if .Values.additionalResources }} -{{ tpl .Values.additionalResources . }} -{{- end -}} diff --git a/stable/pdn-node/templates/hpa.yaml b/stable/pdn-node/templates/hpa.yaml deleted file mode 100644 index 17a19f1b5..000000000 --- a/stable/pdn-node/templates/hpa.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "pdn-node.fullname" . }}-hpa - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: replica - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - scaleTargetRef: - apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} - kind: StatefulSet - name: {{ include "pdn-node.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetMemory }} - - type: Resource - resource: - name: memory - {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} - targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} - {{- else }} - target: - type: Utilization - averageUtilization: {{ .Values.autoscaling.targetMemory }} - {{- end }} - {{- end }} - {{- if .Values.autoscaling.targetCPU }} - - type: Resource - resource: - name: cpu - {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} - targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} - {{- else }} - target: - type: Utilization - averageUtilization: {{ .Values.autoscaling.targetCPU }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/pdn-node/templates/ingress.yaml b/stable/pdn-node/templates/ingress.yaml deleted file mode 100644 index 1e64bc1ba..000000000 --- a/stable/pdn-node/templates/ingress.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{- if .Values.ingress.enabled }} -apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} -kind: Ingress -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if or .Values.ingress.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.ingress.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - {{- end }} - rules: - {{- if .Values.ingress.hostname }} - - host: {{ .Values.ingress.hostname }} - http: - paths: - {{- if .Values.ingress.extraPaths }} - {{- toYaml .Values.ingress.extraPaths | nindent 10 }} - {{- end }} - - path: {{ .Values.ingress.path }} - {{- if eq "true" (include "common.ingress.supportsPathType" .) }} - pathType: {{ .Values.ingress.pathType }} - {{- end }} - backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http-server" "context" $) | nindent 14 }} - {{- end }} - {{- range .Values.ingress.extraHosts }} - - host: {{ .name | quote }} - http: - paths: - - path: {{ default "/" .path }} - {{- if eq "true" (include "common.ingress.supportsPathType" $) }} - pathType: {{ default "ImplementationSpecific" .pathType }} - {{- end }} - backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http-server" "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.ingress.extraRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} - {{- end }} - {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }} - tls: - {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }} - - hosts: - - {{ .Values.ingress.hostname | quote }} - secretName: {{ printf "%s-tls" .Values.ingress.hostname }} - {{- end }} - {{- if .Values.ingress.extraTls }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/pdn-node/templates/networkpolicy.yaml b/stable/pdn-node/templates/networkpolicy.yaml deleted file mode 100644 index b14e3676c..000000000 --- a/stable/pdn-node/templates/networkpolicy.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: {{ include "pdn-node.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - ingress: - {{- if not .Values.networkPolicy.allowExternal }} - - ports: - - port: 8088 - protocol: TCP - - port: 8089 - protocol: TCP - from: - - podSelector: - matchLabels: - {{ template "pdn-node.fullname" . }}-client: "true" - - podSelector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 14 }} - {{- if .Values.networkPolicy.additionalRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.additionalRules "context" $) | nindent 8 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/pdn-node/templates/pdb.yaml b/stable/pdn-node/templates/pdb.yaml deleted file mode 100644 index 00b5a855d..000000000 --- a/stable/pdn-node/templates/pdb.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if .Values.pdb.create }} -apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ include "pdn-node.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.pdb.minAvailable }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- end }} - {{- if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/stable/pdn-node/templates/role.yaml b/stable/pdn-node/templates/role.yaml deleted file mode 100644 index 45ffe945a..000000000 --- a/stable/pdn-node/templates/role.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.rbac.create }} -kind: Role -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -metadata: - name: {{ template "pdn-node.fullname" . }}-endpoint-reader - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -rules: - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] -{{- end }} diff --git a/stable/pdn-node/templates/rolebinding.yaml b/stable/pdn-node/templates/rolebinding.yaml deleted file mode 100644 index 043253f44..000000000 --- a/stable/pdn-node/templates/rolebinding.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.serviceAccount.create .Values.rbac.create }} -kind: RoleBinding -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -metadata: - name: {{ template "pdn-node.fullname" . }}-endpoint-reader - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -subjects: - - kind: ServiceAccount - name: {{ template "pdn-node.serviceAccountName" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "pdn-node.fullname" . }}-endpoint-reader -{{- end }} diff --git a/stable/pdn-node/templates/secrets.yaml b/stable/pdn-node/templates/secrets.yaml deleted file mode 100644 index 4afb93940..000000000 --- a/stable/pdn-node/templates/secrets.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "pdn-node.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - {{- if .Values.pdnJoinKey }} - {{- if not .Values.pdnJoinKeySecretName }} - pdn-join-key: {{ .Values.pdnJoinKey | b64enc | quote }} - {{- end }} - {{- end }} - -{{- $extraSecretsPrependReleaseName := .Values.extraSecretsPrependReleaseName }} -{{- range $key, $value := .Values.extraSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - {{- if $extraSecretsPrependReleaseName }} - name: {{ $.Release.Name }}-{{ $key }} - {{- else }} - name: {{ $key }} - {{- end }} - namespace: {{ $.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - {{- if $.Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -stringData: {{- include "common.tplvalues.render" (dict "value" $value "context" $) | nindent 2 }} -{{- end }} diff --git a/stable/pdn-node/templates/serviceaccount.yaml b/stable/pdn-node/templates/serviceaccount.yaml deleted file mode 100644 index 905c66efc..000000000 --- a/stable/pdn-node/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "pdn-node.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -secrets: - - name: {{ include "pdn-node.fullname" . }} -{{- end }} diff --git a/stable/pdn-node/templates/servicemonitor.yaml b/stable/pdn-node/templates/servicemonitor.yaml deleted file mode 100644 index 377296423..000000000 --- a/stable/pdn-node/templates/servicemonitor.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "pdn-node.name" . }}-metrics-service - namespace: {{ .Values.serviceMonitor.kubePromFullName }} - labels: - app: {{ .Values.serviceMonitor.kubePromApp }} - release: {{ .Values.serviceMonitor.kubePromFullName }} - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - jobLabel: {{ .Values.serviceMonitor.jobLabel }} - endpoints: - - path: /api/v1/metrics - honorLabels: true - honorTimestamps: false - interval: {{ .Values.serviceMonitor.interval }} - scheme: http - scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} - port: {{ .Values.serviceMonitor.port }} - targetPort: {{ .Values.serviceMonitor.targetPort }} - tlsConfig: - insecureSkipVerify: true - namespaceSelector: -{{ toYaml .Values.serviceMonitor.namespaceSelector | indent 4 }} - selector: -{{ toYaml .Values.serviceMonitor.selector | indent 4 }} -{{- end }} 
diff --git a/stable/pdn-node/templates/statefulset.yaml b/stable/pdn-node/templates/statefulset.yaml deleted file mode 100644 index 43760363a..000000000 --- a/stable/pdn-node/templates/statefulset.yaml +++ /dev/null 
@@ -1,238 +0,0 @@ -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "pdn-node.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.statefulsetLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.statefulsetLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - serviceName: {{ template "pdn-node.fullname" . }}-headless - podManagementPolicy: {{ .Values.podManagementPolicy }} - replicas: {{ .Values.replicaCount }} - updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} - annotations: - systemYaml/checksum: {{ include (print $.Template.BasePath "/system-yaml.yaml") . | sha256sum }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.extraSecrets }} - checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} - {{- end }} - {{- if or .Values.podAnnotations }} - {{- include "pdn-node.podAnnotations" . | nindent 8 }} - {{- end }} - spec: - {{- include "pdn-node.imagePullSecrets" . | nindent 6 }} - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName | quote }} - {{- end }} - serviceAccountName: {{ template "pdn-node.serviceAccountName" . 
}} - {{- if .Values.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" .) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - initContainers: - - name: 'copy-system-yaml' - image: {{ include "pdn-node.initContainers.image" . 
}} - imagePullPolicy: {{ .Values.initContainers.image.pullPolicy | quote }} - {{- if .Values.initContainers.containerSecurityContext }} - securityContext: {{- toYaml .Values.initContainers.containerSecurityContext | nindent 12 }} - {{- end }} - {{- if .Values.initContainers.resources }} - resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - echo "Copy system.yaml to {{ .Values.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.persistence.mountPath }}/etc; - {{- if .Values.systemYamlOverride.existingSecret }} - cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.persistence.mountPath }}/etc/system.yaml; - {{- else }} - cp -fv /tmp/etc/system.yaml {{ .Values.persistence.mountPath }}/etc/system.yaml; - {{- end }} - echo "Remove {{ .Values.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.persistence.mountPath }}/lost+found - {{- if or .Values.pdnJoinKey .Values.pdnJoinKeySecretName }} - echo "Copy pdnJoinKey to {{ .Values.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.persistence.mountPath }}/etc/security; - echo -n ${PDN_JOIN_KEY} > {{ .Values.persistence.mountPath }}/etc/security/pdn_join.key; - {{- end }} - env: - {{- if or .Values.pdnJoinKey .Values.pdnJoinKeySecretName}} - - name: PDN_JOIN_KEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-node.pdnJoinKeySecretName" . 
}} - key: pdn-join-key - {{- end }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.systemYaml }} - - name: systemyaml - {{- if .Values.systemYamlOverride.existingSecret }} - mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" - subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.systemYaml }} - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- end }} - {{- end }} - {{- if .Values.customCertificates.enabled }} - - name: 'copy-custom-certificates' - image: {{ include "pdn-node.initContainers.image" . }} - {{- if .Values.initContainers.containerSecurityContext }} - securityContext: {{- toYaml .Values.initContainers.containerSecurityContext | nindent 12 }} - {{- end }} - {{- if .Values.initContainers.resources }} - resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - | - {{ include "pdn-node.copyCustomCertsCmd" . | nindent 14 }} - volumeMounts: - - name: ca-certs - mountPath: "/tmp/certs" - - name: data - mountPath: {{ .Values.persistence.mountPath | quote }} - {{- end }} - containers: - - name: pdn-node - image: {{ template "pdn-node.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: -{{ toYaml . | indent 12 }} - {{- end }} - env: - - name: JF_PDNNODE_JOINKEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-node.pdnJoinKeySecretName" . }} - key: pdn-join-key - - name: POD_LOCAL_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: JF_PDNNODE_SELFGRPCADDRESS - value: "{{ tpl .Values.selfGrpcAddress . }}" - - name: JF_PDNNODE_SELFHTTPADDRESS - value: "{{ tpl .Values.selfHttpAddress . 
}}" - - name: JF_PDNNODE_PDNSERVERURL - value: "{{ .Values.pdnServerUrl }}" - - name: JF_PDNNODE_PDNSERVERINITIALCONNECTIONURL - value: "{{ .Values.pdnServerInitialConnectionUrl }}" -{{- with .Values.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 12 }} -{{- end }} - ports: - - name: secure-grpc - containerPort: 8088 - - name: http-server - containerPort: 8089 - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if .Values.extraVolumeMounts }} - {{- toYaml .Values.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.startupProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.livenessProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - volumes: - - name: systemyaml - secret: - secretName: {{ default ( default (printf "%s-%s" (include "pdn-node.fullname" .) "systemyaml") ) .Values.systemYamlOverride.existingSecret }} - {{- if .Values.persistence.volumes }} - {{- toYaml .Values.persistence.volumes | nindent 8 }} - {{- end }} - {{- if .Values.customCertificates.enabled }} - - name: ca-certs - secret: - secretName: {{ .Values.customCertificates.certificateSecretName }} - {{- end }} - {{- if not (contains "data" (quote .Values.persistence.volumes)) }} - {{- if not .Values.persistence.enabled }} - - name: data - emptyDir: - sizeLimit: {{ .Values.diskSize }} - {{- else if .Values.persistence.existingClaim }} - - name: data - persistentVolumeClaim: - {{- with .Values.persistence.existingClaim }} - claimName: {{ tpl . 
$ }} - {{- end }} - {{- else }} - volumeClaimTemplates: - - metadata: - name: data - labels: {{- include "common.labels.matchLabels" . | nindent 10 }} - {{- if .Values.persistence.annotations }} - annotations: - {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.diskSize | quote }} - {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} - {{- if .Values.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} - {{- end -}} - {{- end }} - {{- end }} diff --git a/stable/pdn-node/templates/svc.yaml b/stable/pdn-node/templates/svc.yaml deleted file mode 100644 index b05879bed..000000000 --- a/stable/pdn-node/templates/svc.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "pdn-node.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.service.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.labels "context" $) | nindent 4 }} - {{- end }} - {{- if or (.Values.service.annotations) (.Values.commonAnnotations) }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} - {{- end -}} - {{- if .Values.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.annotations "context" $) | nindent 4 }} - {{- end -}} - {{- end }} -spec: - type: {{ .Values.service.type }} - {{- if eq .Values.service.type "LoadBalancer" }} - {{- if not (empty .Values.service.loadBalancerIP) }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - {{- if .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - {{- end }} - {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} - externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} - {{- end }} - {{- if .Values.service.externalIPs }} - externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }} - {{- end }} - ports: - - name: secure-grpc - port: 8088 - targetPort: secure-grpc - - name: http-server - port: 8089 - targetPort: http-server - {{- if .Values.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{ include "common.labels.matchLabels" . | nindent 4 }} 
diff --git a/stable/pdn-node/templates/system-yaml.yaml b/stable/pdn-node/templates/system-yaml.yaml deleted file mode 100644 index 72b279a78..000000000 --- a/stable/pdn-node/templates/system-yaml.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if not .Values.systemYamlOverride.existingSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "pdn-node.fullname" . }}-systemyaml - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -stringData: - system.yaml: | -{{ tpl .Values.systemYaml . | indent 4 }} -{{- end }} diff --git a/stable/pdn-node/values.yaml b/stable/pdn-node/values.yaml deleted file mode 100644 index a9d965e4f..000000000 --- a/stable/pdn-node/values.yaml +++ /dev/null 
@@ -1,674 +0,0 @@ -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, -## including dependencies, configured to use the global value - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global PVC Storage Class for data volume -global: - ## Docker image registry, default: releases-docker.jfrog.io - imageRegistry: "" - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## imagePullSecrets: - ## - myRegistryKeySecretName - imagePullSecrets: [] - ## PVC Storage Class for pdnnode data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, - ## choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) - storageClass: "" -## PDN Join key value generated in the Artifactory node and used for establishing a connection -## between the PDNs to the PDN Server. You can copy the key from JFrog UI under -## Admin -> User Management -> Settings -> PDN Access Token -> Join Key -## IMPORTANT: You MUST NOT use the example pdnJoinKey for a production deployment! -pdnJoinKey: "aa34bd4dc7902a65f14900fc47ec6b5a" -## Alternatively, you can use a pre-existing secret with a key -## called join-key by specifying pdnJoinKeySecretName -pdnJoinKeySecretName: "" -## PDN Server URL on which the PDN Server accepts insecure gRPC connections. 
-## Note: .Values.pdnServerInitialConnectionUrl value will be injected as environment variable -## so it will take precedence over .Values.systemYaml.pdnNode.pdnServerInitialConnectionUrl -## Example: -## abcdefg-1234567.us-east-1.elb.amazonaws.com:8093 -## pdn-server.us-east-1-prod.svc.cluster.local:8093 -pdnServerInitialConnectionUrl: "pdn-server:8093" -## PDN Server application settings -## URL on which the PDN Server accepts secure gRPC connections. -## Note: .Values.pdnServerUrl value will be injected as environment variable -## so it will take precedence over .Values.systemYaml.pdnNode.pdnServerUrl -## Example: -## abcdefg-1234567.us-east-1.elb.amazonaws.com:8095 -## pdn-server.us-east-1-prod.svc.cluster.local:8095 -pdnServerUrl: "pdn-server:8095" -## The PDN gRPC server settings -## gRPC address to expose for other PDNs node. -## The address MUST be unique as we use it as node id -## $(POD_LOCAL_IP) will be replaced with pod local ip adderess. -## Note: selfGrpcAddress value will be injected as environment variable -## so it will take precedence over .Values.systemYaml.pdnNode.selfGrpcAddress -## Example: -## selfGrpcAddress: "abcdefg-1234567.us-east-1.elb.amazonaws.com:8088" -selfGrpcAddress: "$(POD_LOCAL_IP):8088" -## The PDN http(s) server settings -## HTTP address to expose for external clients. -## The address MUST be accessible to a clients -## Note: selfHttpAddress value will be injected as environment variable -## so it will take precedence over .Values.systemYaml.pdnNode.selfHttpAddress -## Example: -## selfHttpAddress: "https://abcdefg-1234567.us-east-1.elb.amazonaws.com:443" -## selfHttpAddress: "http://nginx-ingress.pdn-node.svc.cluster.local:8089" -selfHttpAddress: 'http://{{ include "pdn-node.fullname" . 
}}:8089' -## @param diskSize Storage limit for PDN Node data volume -## Must be aligned with dynamic config value `pdnNode.maximumMbToKeep` -diskSize: 64Gi -## PDN Node system configuration file -## Ref: https://www.jfrog.com/confluence/display/JFROG/Advanced+Private+Distribution+Network+%28PDN%29+Configurations -systemYaml: | - pdnNode: - disableBasicAuth: true - http: true - logLevel: info - metrics: - enabled: true -## PDN Node systemYaml override -## This is for advanced usecases where users wants to provide their own systemYaml -## Ref: https://www.jfrog.com/confluence/display/JFROG/Advanced+Private+Distribution+Network+%28PDN%29+Configurations -## Note: This will override existing (default) .Values.systemYaml in values.yaml -## Alternatively, systemYaml can be overidden via customInitContainers using external sources -## like vaults, external repositories etc. Please refer customInitContainer section below for an example. -## Note: Order of preference is: -## 1. customInitContainers -## 2. systemYamlOverride.existingSecret -## 3. default systemYaml in values.yaml -systemYamlOverride: - ## You can use a pre-existing secret by specifying existingSecret. - existingSecret: "" - ## The dataKey should be the name of the secret data key created. - dataKey: "" -## If enabled certificates added to this secret will be copied -## to $JFROG_HOME/pdnnode/var/etc/security/keys/trusted directory -customCertificates: - enabled: false - certificateSecretName: "" -## pdnnode containers' resource requests and limits -## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ -## We usually recommend not to specify default resources and to leave this as a conscious -## choice for the user. This also increases chances charts run on environments with little -## resources, such as Minikube. If you do want to specify resources, uncomment the following -## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
-## @param resources.limits The resources limits for pdnnode containers -## @param resources.requests The requested resources for pdnnode containers -resources: {} -## limits: -## cpu: "1" -## memory: "2Gi" -## requests: -## cpu: "1" -## memory: "2Gi" - -## @param extraEnvironmentVariables that can be used to tune pdnnode to your needs. -## Example: -## extraEnvironmentVariables: -## - name: POD_LOCAL_IP -## valueFrom: -## fieldRef: -## fieldPath: status.podIP -extraEnvironmentVariables: -## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts -## Examples: -## extraVolumeMounts: -## - name: extras -## mountPath: /usr/share/extras -## readOnly: true -## -extraVolumeMounts: [] -## @param extraSecrets Optionally specify extra secrets to be created by the chart. -## This can be useful when combined with load_definitions to automatically create -## the secret containing the definitions to be loaded. -## Example: -## extraSecrets: -## load-definition: -## load_definition.json: | -## { -## ... -## } -## -extraSecrets: {} -## @param extraSecretsPrependReleaseName Add release-name to a secret name -## Set this flag to true if extraSecrets should be created with prepended. -## -extraSecretsPrependReleaseName: false -## Specify common probes parameters -probes: - timeoutSeconds: 5 -## The following settings are to configure the frequency of the liveness and readiness probes -livenessProbe: - enabled: true - config: | - exec: - command: - - sh - - -c - - curl -k -s --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:8089{{ include "pdn-node.livenessProbe" . }} - initialDelaySeconds: {{ if semverCompare " - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, - ## choosing the default provisioner. 
(gp2 on AWS, standard on GKE, AWS & OpenStack) - storageClass: "" - ## @param persistence.selector Selector to match an existing Persistent Volume - ## selector: - ## matchLabels: - ## app: my-app - selector: {} - ## @param persistence.accessMode PVC Access Mode for pdnnode data volume - accessMode: ReadWriteOnce - ## @param persistence.existingClaim Provide an existing PersistentVolumeClaims - ## The value is evaluated as a template - ## So, for example, the name can depend on .Release or .Chart - existingClaim: "" - ## @param persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom pdnnode images - mountPath: /var/opt/jfrog/pdnnode - ## @param persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - subPath: "" - ## @param persistence.volumes Additional volumes without creating PVC - ## - name: volume_name - ## emptyDir: {} - volumes: [] - ## @param persistence.annotations Persistence annotations. 
Evaluated as a template - ## Example: - ## annotations: - ## example.io/disk-volume-type: SSD - annotations: {} -## @section Exposure parameters -## Kubernetes service type -service: - ## @param service.type Kubernetes Service type - type: ClusterIP - ## @param service.extraPorts Extra ports to expose in the service - ## E.g.: - ## extraPorts: - ## - name: new_svc_name - ## port: 1234 - ## targetPort: 1234 - extraPorts: [] - ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer` - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - loadBalancerSourceRanges: [] - ## @param service.externalIPs Set the ExternalIPs - externalIPs: [] - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - externalTrafficPolicy: Cluster - ## @param service.loadBalancerIP Set the LoadBalancerIP - loadBalancerIP: "" - ## @param service.labels Service labels. Evaluated as a template - labels: {} - ## @param service.annotations Service annotations. Evaluated as a template - ## Example: - ## annotations: - ## service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 - annotations: {} - ## @param service.annotationsHeadless Headless Service annotations. 
Evaluated as a template - ## Example: - ## annotations: - ## external-dns.alpha.kubernetes.io/internal-hostname: pdnnode.example.com - annotationsHeadless: {} -## @section pdn-node ingress parameters -## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## -ingress: - ## @param ingress.enabled Enable ingress record generation for pdn-node - ## - enabled: false - ## @param ingress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.hostname Default host for the ingress record - ## - hostname: pdnnode.local - ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param ingress.path Default path for the ingress record - ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate auto-generation, place here your cert-manager annotations. 
- ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: - ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` - ## You can: - ## - Use the `ingress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` - ## - tls: false - ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record - ## e.g: - ## extraHosts: - ## - name: pdnnode.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host - ## e.g: - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## e.g: - ## extraTls: - ## - hosts: - ## - pdnnode.local - ## secretName: pdnnode.local-tls - ## - extraTls: [] - ## @param ingress.secrets Custom TLS certificates as secrets - ## NOTE: 'key' and 'certificate' are expected in PEM format - ## NOTE: 'name' should line up with a 'secretName' set further up - ## If it is not set, and you're using cert-manager, this is unneeded, as it will 
create a secret for you with valid certificates - ## If it is not set, and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days - ## It is also possible to create and manage the certificates outside this helm chart - ## Please see README.md for more information - ## e.g: - ## secrets: - ## - name: pdnnode.local-tls - ## key: |- - ## -----BEGIN RSA PRIVATE KEY----- - ## ... - ## -----END RSA PRIVATE KEY----- - ## certificate: |- - ## -----BEGIN CERTIFICATE----- - ## ... - ## -----END CERTIFICATE----- - ## - secrets: [] - ## @param ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: example.local - ## http: - ## path: / - ## backend: - ## service: - ## name: example-svc - ## port: - ## name: http - ## - extraRules: [] -## Network Policy configuration -## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -networkPolicy: - ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources - enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the ports PDN is listening on. - ## When set to true, integration will accept connections from any source - ## (with the correct destination port). - allowExternal: true - ## @param networkPolicy.additionalRules Additional NetworkPolicy Ingress "from" rules to set. - ## Note: All rules are OR-ed. 
- ## Example: - ## additionalRules: - ## - matchLabels: - ## - app.kubernetes.io/name: pdn-node - ## - matchExpressions: - ## - key: app.kubernetes.io/name - ## operator: In - ## values: - ## - pdn-node - additionalRules: [] -## @section Init Container Parameters -## Init Container parameters -initContainers: - ## Add init containers to the pdnnode pod - ## Example: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## pullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## @param initContainers.image.registry Init container volume-permissions image registry - ## @param initContainers.image.repository Init container volume-permissions image repository - ## @param initContainers.image.tag Init container volume-permissions image tag - ## @param initContainers.image.pullPolicy Init container volume-permissions image pull policy - ## @param initContainers.image.pullSecrets Specify docker-registry secret names as an array - image: - registry: releases-docker.jfrog.io - repository: ubi9/ubi-minimal - tag: 9.2.484 - ## Specify an image PullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## Ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - pullSecrets: [] - ## Init Container resource requests and limits - ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. 
If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param initContainers.resources.limits The resources limits for Init containers - ## @param initContainers.resources.requests The requested resources for Init containers - resources: {} - ## limits: - ## cpu: "1" - ## memory: "1Gi" - ## requests: - ## cpu: "10m" - ## memory: "50Mi" - - ## @param containerSecurityContext init containers' Security Context - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## Example: - ## containerSecurityContext: - ## capabilities: - ## drop: ["NET_RAW"] - ## readOnlyRootFilesystem: true - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - readOnlyRootFilesystem: true - runAsNonRoot: true -## @param sidecars Add sidecar containers to the pdnnode pod -## Example: -## sidecars: -## - name: your-image-name -## image: your-image -## pullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -sidecars: [] -## All values are under the 'nginx' sub chart. 
-nginx: - enabled: false - image: - registry: releases-docker.jfrog.io - repository: bitnami/nginx - tag: 1.23.2-debian-11-r2 - containerPorts: - http: 8089 - service: - loadBalancerSourceRanges: [] - ports: - http: 8089 - serverBlock: |- - upstream backend { - server pdn-node:8089; - } - - server { - server_name _; - listen 0.0.0.0:8089 default_server; - - location / { - proxy_pass http://backend; - } - } -## Allows to add additional kubernetes resources -## Use --- as a separator between multiple resources -## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-values.yaml -additionalResources: "" -## @section Common parameters -## @param nameOverride String to partially override pdnnode.fullname template (will maintain the release name) -nameOverride: "" -## @param fullnameOverride String to fully override pdnnode.fullname template -fullnameOverride: -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -kubeVersion: "" -## @param clusterDomain Kubernetes Cluster Domain -clusterDomain: cluster.local -## @param hostAliases Adding entries to a Pod's /etc/hosts file -## For an example, refer - https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ -## If you do want to specify additional aliases, uncomment the following lines, -## adjust them as necessary, and remove the square braces after 'hostAliases:'. 
-hostAliases: [] -## - ip: "127.0.0.1" -## hostnames: -## - "foo.local" -## - "bar.local" -## - ip: "10.1.2.3" -## hostnames: -## - "foo.remote" -## - "bar.remote" - -## @param commonAnnotations Annotations to add to all deployed objects -commonAnnotations: {} -## @param command Override default container command (useful when using custom images) -command: [] -## @param args Override default container args (useful when using custom images) -args: [] -## @param terminationGracePeriodSeconds Default duration in seconds k8s waits for container to exit before sending kill signal. -## Any time in excess of 10 seconds will be spent waiting for any synchronization necessary for cluster not to lose data. -terminationGracePeriodSeconds: 120 -## @param podLabels pdnnode Pod labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -podLabels: {} -## @param podAnnotations pdnnode Pod annotations. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -podAnnotations: {} -## @param statefulsetLabels PDN Node statefulset labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -statefulsetLabels: {} -## @param priorityClassName Name of the priority class to be used by pdnnode pods, priority class needs to be created beforehand -## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ -priorityClassName: "" -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## We recommend to use the value `hard` to run one pod per node -podAntiAffinityPreset: hard -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - type: "" - ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - values: [] -## @param affinity Affinity for pod assignment. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -affinity: {} -## @param nodeSelector Node labels for pod assignment. Evaluated as a template -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -nodeSelector: {} -## @param tolerations Tolerations for pod assignment. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods -topologySpreadConstraints: [] -## @param serviceMonitor Declaratively specifies how groups of Kubernetes services should be monitored. 
-## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md -serviceMonitor: - enabled: false - interval: 30s - jobLabel: pdnnode-metrics - port: http-server - targetPort: 8089 - scrapeTimeout: 15s - kubePromApp: "" - kubePromFullName: "" - namespaceSelector: - any: true - selector: - matchLabels: - app: pdnnode diff --git a/stable/pdn-server/.helmignore b/stable/pdn-server/.helmignore deleted file mode 100644 index c13e3c8fb..000000000 --- a/stable/pdn-server/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj \ No newline at end of file diff --git a/stable/pdn-server/CHANGELOG.md b/stable/pdn-server/CHANGELOG.md deleted file mode 100644 index 79ad7da4a..000000000 --- a/stable/pdn-server/CHANGELOG.md +++ /dev/null 
@@ -1,71 +0,0 @@ -# JFrog PDN Server Chart Changelog -All changes to this chart will be documented in this file. - -## [101.8.4] - Jun 21, 2023 -* Request metrics via router -* Aligned router port name -* Aligned serviceMonitor scheme -* Bump router version to 7.67.0 - -## [101.7.6] - May 25, 2023 -* Updated base image `ubi9/ubi-micro:9.2.5` -* Updated initContainerImage `ubi9/ubi-minimal:9.2.484` -* Changed podAntiAffinityPreset default value to hard -* Added ServiceMinotor object - -## [101.7.3] - May 09, 2023 -* Added checksum annotation to pod to auto-restart upon change to system.yaml -* Fixed HPA template issue - -## [101.7.2] - May 07, 2023 -* Upgraded common chart dependency up to 0.0.6 -* Updated initContainerImage `ubi9/ubi-minimal:9.1.0.1829` -* Fixed network policy template issue - -## [101.6.4] - Mar 06, 2023 -* Updated initContainerImage `ubi9/ubi-minimal:9.1.0.1793` -* Removed unused global values -* Added `logLevel` option to systemYaml.pdnServer -* Added Bitnami nginx sub chart -* Unify system.yaml - -## [101.5.5] - Jan 17, 2023 -* Aligned variables name with JFrog Platform helm chart -* Updated initContainerImage to `ubi8/ubi-minimal:8.7.1049` -* Aligned network policy with Artifactory helm chart - -## [101.5.1] - Jan 06, 2023 -* Aligned values.yaml parameters between node and server charts -* Replaced readinessProbe with startupProbe - -## [101.5.0] - Dec 26, 2022 -* Renamed common chart to jfrog-common to avoid conflicts with Bitnami common chart -* Changed selfAddress value from localhost:8095 to pdn-server:8095 - -## [101.3.6] - Dec 7, 2022 -* Upgraded Filebeat version up to 7.17.7 -* Added additionaResorces and hostAliases - -## [101.3.5] - Dec 1, 2022 -* Upgraded common chart dependency up to 0.0.4 -* Added containerSecurityContext to initContainers -* Updated fsGroup/runAsUser to 11055 to avoid host conflict -* Increased persistence storage size up to 16 Gb -* Updated initContainerImage to `ubi8/ubi-micro:8.7.1` - -## [101.3.4] - Nov 22, 
2022 -* Updated chart to use jfrog common chart as dependency hence the prefix of `pdnServer.` is no more required when setting any flags -* Updated router version to 7.51.0 and observability to 1.12.0 -* Removed unused parameters from values.yaml -* Added resources requests and limits to initContainers - -## [101.1.3] - Aug 2, 2022 -* Updated router version to 7.45.0 -* Use an alternate command for `find` to copy custom certificates -* Updated initContainerImage and logger Image to `ubi8/ubi-minimal:8.6-854` -* Added `.Values.pdnServer.openMetrics.enabled` flag to enable metrics (defaults to `false`) -* Added flag `pdnServer.schedulerName` to set for the pods the value of schedulerName field [GH-1606](https://github.com/jfrog/charts/issues/1606) -* Updated Observability version to `1.9.3` - -## [101.0.0] - May 04, 2022 -* Initial support for Jfrog PDN Server diff --git a/stable/pdn-server/Chart.lock b/stable/pdn-server/Chart.lock deleted file mode 100644 index c0bc5a6dd..000000000 --- a/stable/pdn-server/Chart.lock +++ /dev/null @@ -1,9 +0,0 @@ -dependencies: -- name: jfrog-common - repository: https://charts.jfrog.io/ - version: 0.0.6 -- name: nginx - repository: https://charts.jfrog.io/ - version: 13.2.13 -digest: sha256:e66497241d7d5eaefd6561077d1e18aaa82644184ab29d5a817a273ff04a97f0 -generated: "2023-05-06T22:58:29.56475+03:00" diff --git a/stable/pdn-server/Chart.yaml b/stable/pdn-server/Chart.yaml deleted file mode 100644 index 92f7f5b36..000000000 --- a/stable/pdn-server/Chart.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v2 -appVersion: 1.8.4 -dependencies: -- name: jfrog-common - repository: https://charts.jfrog.io/ - version: 0.0.6 -- condition: nginx.enabled - name: nginx - repository: https://charts.jfrog.io/ - version: 13.2.13 -description: Universal Repository Manager supporting all major packaging formats, - build tools and CI servers. -home: https://www.jfrog.com/artifactory/ -icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory/logo/pdn-node-logo.png -keywords: -- pdnserver -- jfrog -- devops -kubeVersion: '>= 1.19.0-0' -maintainers: -- email: dev-distribution-pdn@jfrog.com - name: Chart Maintainers at JFrog -name: pdn-server -sources: -- https://github.com/jfrog/charts -type: application -version: 101.8.4 diff --git a/stable/pdn-server/LICENSE b/stable/pdn-server/LICENSE deleted file mode 100644 index 8dada3eda..000000000 --- a/stable/pdn-server/LICENSE +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/stable/pdn-server/README.md b/stable/pdn-server/README.md deleted file mode 100644 index 15a075163..000000000 --- a/stable/pdn-server/README.md +++ /dev/null @@ -1,27 +0,0 @@ - -# PDN-node - - -## TL;DR - -```bash -$ helm repo add jfrog https://charts.jfrog.io -$ helm install my-release jfrog/pdn-server -``` - -## Introduction - - -## Prerequisites - -- Kubernetes 1.19+ -- Helm 3.2.0+ - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```bash -$ helm install my-release jfrog/pdn-server -``` - diff --git a/stable/pdn-server/ci/default-values.yaml b/stable/pdn-server/ci/default-values.yaml deleted file mode 100644 index 6d1d665f7..000000000 --- a/stable/pdn-server/ci/default-values.yaml +++ /dev/null 
@@ -1,4 +0,0 @@
-# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
-
-pdnServerUrl: pdnserver-pdn-server:8095
-pdnNodeJoinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
diff --git a/stable/pdn-server/logo/pdn-node-logo.png b/stable/pdn-server/logo/pdn-node-logo.png
deleted file mode 100644
index 686b9decc..000000000
Binary files a/stable/pdn-server/logo/pdn-node-logo.png and /dev/null differ
diff --git a/stable/pdn-server/templates/NOTES.txt b/stable/pdn-server/templates/NOTES.txt
deleted file mode 100644
index b50ce6721..000000000
--- a/stable/pdn-server/templates/NOTES.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-CHART NAME: {{ .Chart.Name }}
-CHART VERSION: {{ .Chart.Version }}
-APP VERSION: {{ .Chart.AppVersion }}
-
-** Please be patient while the chart is being deployed **
-
-Get the list of pods by executing:
-
- kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
-
-Access the pod you want to debug by executing
-
- kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash
diff --git a/stable/pdn-server/templates/_helpers.tpl b/stable/pdn-server/templates/_helpers.tpl
deleted file mode 100644
index 655c00438..000000000
--- a/stable/pdn-server/templates/_helpers.tpl
+++ /dev/null
@@ -1,207 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* - Expand the name of the chart. -*/}} -{{- define "pdn-server.name" -}} -{{- include "common.names.name" . -}} -{{- end -}} - -{{/* - Create chart name and version as used by the chart label. -*/}} -{{- define "pdn-server.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - Create a default fully qualified app name. - We truncate at 63 chars because some Kubernetes name fields - are limited to this (by the DNS naming spec). - If release name contains chart name it will be used as a full name. -*/}} -{{- define "pdn-server.fullname" -}} -{{- include "common.names.fullname" . -}} -{{- end -}} - -{{/* - Return the proper PDN Server image name -*/}} -{{- define "pdn-server.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global "appVer" .Chart.AppVersion) }} -{{- end -}} - -{{/* - Return the proper init container image name -*/}} -{{- define "pdn-server.initContainers.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.initContainers.image "global" .Values.global) }} -{{- end -}} - -{{/* - Return the proper Docker Image Registry Secret Names -*/}} -{{- define "pdn-server.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.initContainers.image) "global" .Values.global) }} -{{- end -}} - -{{/* - Return podAnnotations -*/}} -{{- define "pdn-server.podAnnotations" -}} -{{- if .Values.podAnnotations }} -{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} -{{- end }} -{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} -{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} -{{- end }} -{{- end -}} - -{{/* - Create the name of the service account to use - */}} -{{- define "pdn-server.serviceAccountName" -}} -{{- if 
.Values.serviceAccount.create -}} - {{ default (include "pdn-server.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* - Resolve joinKey value -*/}} -{{- define "pdn-server.joinKey" -}} -{{- if .Values.global.joinKey -}} -{{- .Values.global.joinKey -}} -{{- else if .Values.joinKey -}} -{{- .Values.joinKey -}} -{{- end -}} -{{- end -}} - -{{/* - Resolve joinKeySecretName value -*/}} -{{- define "pdn-server.joinKeySecretName" -}} -{{- if .Values.global.joinKeySecretName -}} -{{- .Values.global.joinKeySecretName -}} -{{- else if .Values.joinKeySecretName -}} -{{- .Values.joinKeySecretName -}} -{{- else -}} -{{ include "pdn-server.fullname" . }} -{{- end -}} -{{- end -}} - -{{/* - Resolve masterKey value -*/}} -{{- define "pdn-server.masterKey" -}} -{{- if .Values.global.masterKey -}} -{{- .Values.global.masterKey -}} -{{- else if .Values.masterKey -}} -{{- .Values.masterKey -}} -{{- end -}} -{{- end -}} - -{{/* - Resolve masterKeySecretName value -*/}} -{{- define "pdn-server.masterKeySecretName" -}} -{{- if .Values.global.masterKeySecretName -}} -{{- .Values.global.masterKeySecretName -}} -{{- else if .Values.masterKeySecretName -}} -{{- .Values.masterKeySecretName -}} -{{- else -}} -{{ include "pdn-server.fullname" . }} -{{- end -}} -{{- end -}} - -{{/* - Resolve pdnJoinKeySecretName value -*/}} -{{- define "pdn-server.pdnJoinKeySecretName" -}} -{{- if .Values.global.pdnJoinKeySecretName -}} -{{- .Values.global.pdnJoinKeySecretName -}} -{{- else if .Values.pdnJoinKeySecretName -}} -{{- .Values.pdnJoinKeySecretName -}} -{{- else -}} -{{ include "pdn-server.fullname" . 
}} -{{- end -}} -{{- end -}} - -{{/* - Scheme (http/https) based on Access TLS enabled/disabled -*/}} -{{- define "pdn-server.scheme" -}} -{{- if .Values.router.tlsEnabled -}} -{{- printf "%s" "https" -}} -{{- else -}} -{{- printf "%s" "http" -}} -{{- end -}} -{{- end -}} - -{{/* - Resolve jfrogUrl value -*/}} -{{- define "pdn-server.jfrogUrl" -}} -{{- if .Values.global.jfrogUrl -}} -{{- .Values.global.jfrogUrl -}} -{{- else if .Values.jfrogUrl -}} -{{- .Values.jfrogUrl -}} -{{- end -}} -{{- end -}} - -{{/* - Return the proper observability image name -*/}} -{{- define "observability.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.observability.image "global" .Values.global) }} -{{- end -}} - -{{/* - Return the proper router image name -*/}} -{{- define "router.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.router.image "global" .Values.global) }} -{{- end -}} - -{{/* - Custom certificate copy command -*/}} -{{- define "pdn-server.copyCustomCertsCmd" -}} -echo "Copy custom certificates to {{ .Values.persistence.mountPath }}/etc/security/keys/trusted" -mkdir -p {{ .Values.persistence.mountPath }}/etc/security/keys/trusted - -for file in $(ls -1 /tmp/certs/* | grep -v .key | grep -v ":" | grep -v grep) -do - if [[ -f "${file}" ]]; then - cp -v "${file}" {{ .Values.persistence.mountPath }}/etc/security/keys/trusted - fi -done - -if [[ -f {{ .Values.persistence.mountPath }}/etc/security/keys/trusted/tls.crt ]]; then - mv -v {{ .Values.persistence.mountPath }}/etc/security/keys/trusted/tls.crt \ - {{ .Values.persistence.mountPath }}/etc/security/keys/trusted/ca.crt -fi -{{- end -}} - -{{/* - pdnserver liveness probe -*/}} -{{- define "pdn-server.livenessProbe" -}} -{{- printf "%s" "/api/v1/system/liveness" -}} -{{- end -}} - -{{/* - pdnserver startup probe -*/}} -{{- define "pdn-server.startupProbe" -}} -{{- printf "%s" "/api/v1/system/readiness" -}} -{{- end -}} - -{{/* - Resolve pdnserver requiredServiceTypes value -*/}} 
-{{- define "pdn-server.router.requiredServiceTypes" -}}
-{{- $requiredTypes := "jftrk,jfob" -}}
-{{- $requiredTypes -}}
-{{- end -}}
diff --git a/stable/pdn-server/templates/additional-resources.yaml b/stable/pdn-server/templates/additional-resources.yaml
deleted file mode 100644
index c4d06f08a..000000000
--- a/stable/pdn-server/templates/additional-resources.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-{{ if .Values.additionalResources }}
-{{ tpl .Values.additionalResources . }}
-{{- end -}}
diff --git a/stable/pdn-server/templates/deployment.yaml b/stable/pdn-server/templates/deployment.yaml
deleted file mode 100644
index 61f7654ee..000000000
--- a/stable/pdn-server/templates/deployment.yaml
+++ /dev/null
@@ -1,361 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "pdn-server.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.deploymentLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.deploymentLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} - annotations: - systemYaml/checksum: {{ include (print $.Template.BasePath "/system-yaml.yaml") . | sha256sum }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.extraSecrets }} - checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} - {{- end }} - {{- if or .Values.podAnnotations }} - {{- include "pdn-server.podAnnotations" . | nindent 8 }} - {{- end }} - spec: - {{- include "pdn-server.imagePullSecrets" . | nindent 6 }} - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName | quote }} - {{- end }} - serviceAccountName: {{ template "pdn-server.serviceAccountName" . }} - {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" .) 
| nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - initContainers: - - name: 'copy-system-yaml' - image: {{ include "pdn-server.initContainers.image" . 
}} - imagePullPolicy: {{ .Values.initContainers.image.pullPolicy | quote }} - {{- if .Values.initContainers.containerSecurityContext }} - securityContext: {{- toYaml .Values.initContainers.containerSecurityContext | nindent 12 }} - {{- end }} - {{- if .Values.initContainers.resources }} - resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - echo "Copy system.yaml to {{ .Values.persistence.mountPath }}/etc"; - mkdir -p {{ .Values.persistence.mountPath }}/etc; - mkdir -p {{ .Values.persistence.mountPath }}/etc/access/keys/trusted; - {{- if .Values.systemYamlOverride.existingSecret }} - cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.persistence.mountPath }}/etc/system.yaml; - {{- else }} - cp -fv /tmp/etc/system.yaml {{ .Values.persistence.mountPath }}/etc/system.yaml; - {{- end }} - echo "Remove {{ .Values.persistence.mountPath }}/lost+found folder if exists"; - rm -rfv {{ .Values.persistence.mountPath }}/lost+found; - {{- if not .Values.systemYamlOverride.existingSecret }} - {{- if or .Values.joinKey .Values.global.joinKey .Values.joinKeySecretName .Values.global.joinKeySecretName }} - echo "Copy joinKey to {{ .Values.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.persistence.mountPath }}/etc/security; - echo -n "${ARTIFACTORY_JOIN_KEY}" > {{ .Values.persistence.mountPath }}/etc/security/join.key; - {{- end }} - {{- if or .Values.masterKey .Values.global.masterKey .Values.masterKeySecretName .Values.global.masterKeySecretName }} - echo "Copy masterKey to {{ .Values.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.persistence.mountPath }}/etc/security; - echo -n "${ARTIFACTORY_MASTER_KEY}" > {{ .Values.persistence.mountPath }}/etc/security/master.key; - {{- end }} - {{- if or .Values.pdnJoinKey .Values.pdnJoinKeySecretName }} - echo "Copy pdnJoinKey to {{ .Values.persistence.mountPath }}/etc/security"; - mkdir -p {{ .Values.persistence.mountPath 
}}/etc/security; - echo -n "${PDN_JOIN_KEY}" > {{ .Values.persistence.mountPath }}/etc/security/pdn_join.key; - {{- end }} - {{- end }} - env: - {{- if not .Values.systemYamlOverride.existingSecret }} - {{- if or .Values.joinKey .Values.global.joinKey .Values.joinKeySecretName .Values.global.joinKeySecretName }} - - name: ARTIFACTORY_JOIN_KEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.joinKeySecretName" . }} - key: join-key - {{- end }} - {{- if or .Values.masterKey .Values.global.masterKey .Values.masterKeySecretName .Values.global.masterKeySecretName }} - - name: ARTIFACTORY_MASTER_KEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.masterKeySecretName" . }} - key: master-key - {{- end }} - {{- if or .Values.pdnJoinKey .Values.pdnJoinKeySecretName }} - - name: PDN_JOIN_KEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.pdnJoinKeySecretName" . }} - key: pdn-join-key - {{- end }} - {{- end }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.systemYaml }} - - name: systemyaml - {{- if .Values.systemYamlOverride.existingSecret }} - mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" - subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.systemYaml }} - mountPath: "/tmp/etc/system.yaml" - subPath: system.yaml - {{- end }} - {{- end }} - {{- if .Values.customCertificates.enabled }} - - name: copy-custom-certificates - image: {{ include "pdn-server.initContainers.image" . 
}} - imagePullPolicy: {{ .Values.initContainers.image.pullPolicy | quote }} - {{- if .Values.initContainers.containerSecurityContext }} - securityContext: {{- toYaml .Values.initContainers.containerSecurityContext | nindent 12 }} - {{- end }} - {{- if .Values.initContainers.resources }} - resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - | - {{ include "pdn-server.copyCustomCertsCmd" . | nindent 14 }} - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - - name: ca-certs - mountPath: "/tmp/certs" - {{- end }} - containers: - - name: pdnserver - image: {{ template "pdn-server.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - exec /opt/jfrog/pdnserver/app/pdnserver/bin/pdnserver.sh - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: JF_PDNSERVER_SELFADDRESS - value: "{{ tpl .Values.selfAddress . }}" -{{- with .Values.extraEnvironmentVariables }} -{{ tpl (toYaml .) 
$ | indent 12 }} -{{- end }} - ports: - - name: insecure-grpc - containerPort: 8093 - - name: secure-grpc - containerPort: 8095 - volumeMounts: - - name: data - mountPath: {{ .Values.persistence.mountPath }} - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if .Values.extraVolumeMounts }} - {{- toYaml .Values.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.startupProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.livenessProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: -{{ toYaml . | indent 12 }} - {{- end }} - {{- if .Values.observability.enabled }} - - name: observability - image: {{ template "observability.image" . }} - imagePullPolicy: {{ .Values.observability.image.pullPolicy | quote }} - resources: {{- toYaml .Values.observability.resources | nindent 12 }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NEW_PLATFORM_SERVICES_ARCH - value: "true" - {{- if not .Values.systemYamlOverride.existingSecret }} - - name: JF_SHARED_SECURITY_MASTERKEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.masterKeySecretName" . }} - key: master-key - - name: JF_SHARED_SECURITY_JOINKEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.joinKeySecretName" . }} - key: join-key - {{- end }} -{{- with .Values.observability.extraEnvironmentVariables }} -{{ tpl (toYaml .) 
$ | indent 12 }} -{{- end }} - volumeMounts: - - name: data - mountPath: {{ .Values.observability.persistence.mountPath }} - {{- if .Values.observability.persistence.subPath }} - subPath: {{ .Values.observability.persistence.subPath }} - {{- end }} - {{- if .Values.observability.extraVolumeMounts }} - {{- toYaml .Values.observability.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.observability.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.observability.startupProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.observability.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.observability.livenessProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- with .Values.observability.lifecycle }} - lifecycle: -{{ toYaml . | indent 12 }} - {{- end }} - {{- end }} - - name: router - image: {{ template "router.image" . }} - imagePullPolicy: {{ .Values.router.image.pullPolicy }} - resources: {{- toYaml .Values.router.resources | nindent 12 }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/router/app/bin/entrypoint-router.sh - env: - - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES - value: {{ include "pdn-server.router.requiredServiceTypes" . }} - - name: JF_SHARED_JFROGURL - value: {{ include "pdn-server.jfrogUrl" . }} - {{- if not .Values.systemYamlOverride.existingSecret }} - - name: JF_SHARED_SECURITY_MASTERKEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.masterKeySecretName" . }} - key: master-key - - name: JF_SHARED_SECURITY_JOINKEY - valueFrom: - secretKeyRef: - name: {{ include "pdn-server.joinKeySecretName" . }} - key: join-key - {{- end }} -{{- with .Values.router.extraEnvironmentVariables }} -{{ tpl (toYaml .) 
$ | indent 12 }} -{{- end }} - ports: - - name: http-router - containerPort: 8082 - volumeMounts: - - name: data - mountPath: {{ .Values.router.persistence.mountPath | quote }} - {{- if .Values.router.extraVolumeMounts }} - {{- toYaml .Values.router.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.router.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.router.livenessProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.router.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.router.startupProbe.config "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- with .Values.router.lifecycle }} - lifecycle: -{{ toYaml . | indent 12 }} - {{- end }} - {{- if .Values.filebeat.enabled }} - - name: {{ .Values.filebeat.name }} - image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" - imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - resources: {{- toYaml .Values.filebeat.resources | nindent 12 }} - {{- if .Values.containerSecurityContext }} - securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - args: - - "-e" - - "-E" - - "http.enabled=true" - volumeMounts: - - name: filebeat-config - mountPath: /usr/share/filebeat/filebeat.yml - readOnly: true - subPath: filebeat.yml - - name: data - mountPath: {{ .Values.persistence.mountPath | quote }} - livenessProbe: {{ toYaml .Values.filebeat.livenessProbe | nindent 12 }} - readinessProbe: {{ toYaml .Values.filebeat.readinessProbe | nindent 12 }} - {{- end }} - volumes: - {{- if .Values.customCertificates.enabled }} - - name: ca-certs - secret: - secretName: {{ .Values.customCertificates.certificateSecretName }} - {{- end }} - - name: systemyaml - secret: - secretName: {{ default ( default 
(printf "%s-%s" (include "pdn-server.fullname" .) "systemyaml") ) .Values.systemYamlOverride.existingSecret }} - {{- if .Values.persistence.volumes }} - {{- toYaml .Values.persistence.volumes | nindent 8 }} - {{- end }} - {{- if .Values.extraVolumes }} - {{- toYaml .Values.extraVolumes | nindent 8 }} - {{- end }} - - name: data - emptyDir: {} - {{- if .Values.filebeat.enabled }} - - name: filebeat-config - configMap: - name: {{ template "pdn-server.fullname" . }}-filebeat-config - {{- end }} diff --git a/stable/pdn-server/templates/filebeat.yaml b/stable/pdn-server/templates/filebeat.yaml deleted file mode 100644 index 11f207bbd..000000000 --- a/stable/pdn-server/templates/filebeat.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.filebeat.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "pdn-server.fullname" . }}-filebeat-config - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.statefulsetLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.statefulsetLabels "context" $) | nindent 4 }} - {{- end }} -data: - filebeat.yml: | -{{ tpl .Values.filebeat.filebeatYml . | indent 4 }} -{{- end -}} diff --git a/stable/pdn-server/templates/hpa.yaml b/stable/pdn-server/templates/hpa.yaml deleted file mode 100644 index 7db267cd7..000000000 --- a/stable/pdn-server/templates/hpa.yaml +++ /dev/null 
@@ -1,47 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "pdn-server.fullname" . }}-hpa
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- app.kubernetes.io/component: replica
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- scaleTargetRef:
- apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
- kind: Deployment
- name: {{ include "pdn-server.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetMemory }}
- - type: Resource
- resource:
- name: memory
- {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
- targetAverageUtilization: {{ .Values.autoscaling.targetMemory }}
- {{- else }}
- target:
- type: Utilization
- averageUtilization: {{ .Values.autoscaling.targetMemory }}
- {{- end }}
- {{- end }}
- {{- if .Values.autoscaling.targetCPU }}
- - type: Resource
- resource:
- name: cpu
- {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
- targetAverageUtilization: {{ .Values.autoscaling.targetCPU }}
- {{- else }}
- target:
- type: Utilization
- averageUtilization: {{ .Values.autoscaling.targetCPU }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/stable/pdn-server/templates/ingress.yaml b/stable/pdn-server/templates/ingress.yaml
deleted file mode 100644
index f358fdd2d..000000000
--- a/stable/pdn-server/templates/ingress.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-{{- if .Values.ingress.enabled }}
-apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
-kind: Ingress
-metadata:
- name: {{ template "common.names.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if or .Values.ingress.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.ingress.annotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
-spec:
- {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
- ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
- {{- end }}
- rules:
- {{- if .Values.ingress.hostname }}
- - host: {{ .Values.ingress.hostname }}
- http:
- paths:
- {{- if .Values.ingress.extraPaths }}
- {{- toYaml .Values.ingress.extraPaths | nindent 10 }}
- {{- end }}
- - path: {{ .Values.ingress.path }}
- {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
- pathType: {{ .Values.ingress.pathType }}
- {{- end }}
- backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "secure-grpc" "context" $) | nindent 14 }}
- {{- end }}
- {{- range .Values.ingress.extraHosts }}
- - host: {{ .name | quote }}
- http:
- paths:
- - path: {{ default "/" .path }}
- {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
- pathType: {{ default "ImplementationSpecific" .pathType }}
- {{- end }}
- backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "secure-grpc" "context" $) | nindent 14 }}
- {{- end }}
- {{- if .Values.ingress.extraRules }}
- {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
- {{- end }}
- {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
- tls:
- {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }}
- - hosts:
- - {{ .Values.ingress.hostname | quote }}
- secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
- {{- end }}
- {{- if .Values.ingress.extraTls }}
- {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/stable/pdn-server/templates/networkpolicy.yaml b/stable/pdn-server/templates/networkpolicy.yaml
deleted file mode 100644
index d0cd376bb..000000000
--- a/stable/pdn-server/templates/networkpolicy.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.networkPolicy.enabled }}
-kind: NetworkPolicy
-apiVersion: networking.k8s.io/v1
-metadata:
- name: {{ include "pdn-server.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- podSelector:
- matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
- ingress:
- {{- if not .Values.networkPolicy.allowExternal }}
- - ports:
- - port: 8082
- protocol: TCP
- - port: 8093
- protocol: TCP
- - port: 8095
- protocol: TCP
- from:
- - podSelector:
- matchLabels:
- {{ template "pdn-server.fullname" . }}-client: "true"
- - podSelector:
- matchLabels:
- {{- include "common.labels.matchLabels" . | nindent 14 }}
- {{- if .Values.networkPolicy.additionalRules }}
- {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.additionalRules "context" $) | nindent 8 }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/stable/pdn-server/templates/pdb.yaml b/stable/pdn-server/templates/pdb.yaml
deleted file mode 100644
index e7bc6ba88..000000000
--- a/stable/pdn-server/templates/pdb.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.pdb.create }}
-apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "pdn-server.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.pdb.minAvailable }}
- minAvailable: {{ .Values.pdb.minAvailable }}
- {{- end }}
- {{- if .Values.pdb.maxUnavailable }}
- maxUnavailable: {{ .Values.pdb.maxUnavailable }}
- {{- end }}
- selector:
- matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
-{{- end }}
diff --git a/stable/pdn-server/templates/role.yaml b/stable/pdn-server/templates/role.yaml
deleted file mode 100644
index 3a588df72..000000000
--- a/stable/pdn-server/templates/role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.rbac.create }}
-kind: Role
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-metadata:
- name: {{ template "pdn-server.fullname" . }}-endpoint-reader
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
-{{- end }}
diff --git a/stable/pdn-server/templates/rolebinding.yaml b/stable/pdn-server/templates/rolebinding.yaml
deleted file mode 100644
index 873f83cbd..000000000
--- a/stable/pdn-server/templates/rolebinding.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.serviceAccount.create .Values.rbac.create }}
-kind: RoleBinding
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-metadata:
- name: {{ template "pdn-server.fullname" . }}-endpoint-reader
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "pdn-server.serviceAccountName" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "pdn-server.fullname" . }}-endpoint-reader
-{{- end }}
diff --git a/stable/pdn-server/templates/secrets.yaml b/stable/pdn-server/templates/secrets.yaml
deleted file mode 100644
index 0cdf14186..000000000
--- a/stable/pdn-server/templates/secrets.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "pdn-server.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: Opaque
-data:
- {{- if or .Values.joinKey .Values.global.joinKey }}
- {{- if not (or .Values.joinKeySecretName .Values.global.joinKeySecretName) }}
- join-key: {{ include "pdn-server.joinKey" . | b64enc | quote }}
- {{- end }}
- {{- end }}
- {{- if or .Values.masterKey .Values.global.masteKey }}
- {{- if not (or .Values.masterKeySecretName .Values.global.masterKeySecretName) }}
- master-key: {{ include "pdn-server.masterKey" . | b64enc | quote }}
- {{- end }}
- {{- end }}
- {{- if .Values.pdnJoinKey }}
- {{- if not .Values.pdnJoinKeySecretName }}
- pdn-join-key: {{ .Values.pdnJoinKey | b64enc | quote }}
- {{- end }}
- {{- end }}
-
-{{- $extraSecretsPrependReleaseName := .Values.extraSecretsPrependReleaseName }}
-{{- range $key, $value := .Values.extraSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- {{- if $extraSecretsPrependReleaseName }}
- name: {{ $.Release.Name }}-{{ $key }}
- {{- else }}
- name: {{ $key }}
- {{- end }}
- namespace: {{ $.Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" $ | nindent 4 }}
- {{- if $.Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: Opaque
-stringData: {{- include "common.tplvalues.render" (dict "value" $value "context" $) | nindent 2 }}
-{{- end }}
diff --git a/stable/pdn-server/templates/serviceaccount.yaml b/stable/pdn-server/templates/serviceaccount.yaml
deleted file mode 100644
index 2f23161bb..000000000
--- a/stable/pdn-server/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "pdn-server.serviceAccountName" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
-secrets:
- - name: {{ include "pdn-server.fullname" . }}
-{{- end }}
diff --git a/stable/pdn-server/templates/servicemonitor.yaml b/stable/pdn-server/templates/servicemonitor.yaml
deleted file mode 100644
index 99e8a9e4b..000000000
--- a/stable/pdn-server/templates/servicemonitor.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "pdn-server.name" . }}-metrics-service
- namespace: {{ .Values.serviceMonitor.kubePromFullName }}
- labels:
- app: {{ .Values.serviceMonitor.kubePromApp }}
- release: {{ .Values.serviceMonitor.kubePromFullName }}
- {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- jobLabel: {{ .Values.serviceMonitor.jobLabel }}
- endpoints:
- - path: /pdnserver/api/v1/metrics
- bearerTokenSecret:
- key: token
- name: {{ .Values.serviceMonitor.tokenName }}
- honorLabels: true
- honorTimestamps: false
- interval: {{ .Values.serviceMonitor.interval }}
- scheme: {{ include "pdn-server.scheme" . }}
- scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
- port: {{ .Values.serviceMonitor.port }}
- targetPort: {{ .Values.serviceMonitor.targetPort }}
- tlsConfig:
- insecureSkipVerify: true
- namespaceSelector:
-{{ toYaml .Values.serviceMonitor.namespaceSelector | indent 4 }}
- selector:
-{{ toYaml .Values.serviceMonitor.selector | indent 4 }}
-{{- end }}
diff --git a/stable/pdn-server/templates/svc.yaml b/stable/pdn-server/templates/svc.yaml
deleted file mode 100644
index 90c305efa..000000000
--- a/stable/pdn-server/templates/svc.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "pdn-server.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.service.labels }}
- {{- include "common.tplvalues.render" (dict "value" .Values.service.labels "context" $) | nindent 4 }}
- {{- end }}
- {{- if or (.Values.service.annotations) (.Values.commonAnnotations) }}
- annotations:
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
- {{- end -}}
- {{- if .Values.service.annotations }}
- {{- include "common.tplvalues.render" (dict "value" .Values.service.annotations "context" $) | nindent 4 }}
- {{- end -}}
- {{- end }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - name: http-router
- port: 8082
- targetPort: http-router
- - name: insecure-grpc
- port: 8093
- targetPort: insecure-grpc
- - name: secure-grpc
- port: 8095
- targetPort: secure-grpc
- {{- if .Values.service.extraPorts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
- {{- end }}
- selector: {{ include "common.labels.matchLabels" . | nindent 4 }}
diff --git a/stable/pdn-server/templates/system-yaml.yaml b/stable/pdn-server/templates/system-yaml.yaml
deleted file mode 100644
index 25d71d7d7..000000000
--- a/stable/pdn-server/templates/system-yaml.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if not .Values.systemYamlOverride.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "pdn-server.fullname" . }}-systemyaml
- namespace: {{ .Release.Namespace | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: Opaque
-stringData:
- system.yaml: |
-{{ tpl .Values.systemYaml . | indent 4 }}
-{{- end }}
diff --git a/stable/pdn-server/values.yaml b/stable/pdn-server/values.yaml
deleted file mode 100644
index 2271406ba..000000000
--- a/stable/pdn-server/values.yaml
+++ /dev/null
@@ -1,971 +0,0 @@ -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) -## @param global.jfrogUrl Global Base URL of the JFrog Platform Deployment (JPD) -## @param global.masterKey Global Master key for the PDN Server -## @param global.joinKey Global Join Key to connect other services to Artifactory -global: - ## Docker image registry, default: releases-docker.jfrog.io - imageRegistry: "" - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## imagePullSecrets: - ## - myRegistryKeySecretName - imagePullSecrets: [] - ## PVC Storage Class for pdnnode data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, - ## choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) - storageClass: "" - ## Base URL of the JFrog Platform Deployment (JPD). This is the URL to the machine - ## where JFrog Artifactory is deployed, or the load balancer pointing to it. - ## You can copy the JFrog URL from Admin -> User Management -> Settings -> Connection details - ## It is recommended to use DNS names rather than direct IPs. 
- ## IMPORTANT: jfrogUrl value will be injected as environment variable - ## so it will take precedence over .Values.systemYaml.shared.jfrogUrl - ## Example: - ## http://abcdefg-1234567.us-east-1.elb.amazonaws.com - ## http://artifactory.us-east-1-prod.svc.cluster.local:8082 - jfrogUrl: "" - ## PDN Server requires a unique master key. - ## You can generate one with the command: "openssl rand -hex 32" - ## An initial one is auto generated on first startup. - masterKey: "" - ## Alternatively, you can use a pre-existing secret with a key - ## called "master-key" by specifying "masterKeySecretName" - masterKeySecretName: "" - ## Join Key to connect other services to Artifactory - ## IMPORTANT: Setting this value overrides the existing joinKey - joinKey: "" - ## Alternatively, you can use a pre-existing secret with a key - ## called "join-key" by specifying "joinKeySecretName" - joinKeySecretName: "" -## PDN Server requires a unique master key. -## You can generate one with the command: "openssl rand -hex 32" -## IMPORTANT: You MUST NOT use the example masterKey for a production deployment! -masterKey: "bca2fafd3b39649b24269de29300ce21" -## Alternatively, you can use a pre-existing secret with a key -## called "master-key" by specifying "masterKeySecretName" -masterKeySecretName: "" -## Join Key to connect other services to Artifactory -## IMPORTANT: Setting this value overrides the existing joinKey -## IMPORTANT: You MUST NOT use the example joinKey for a production deployment! -joinKey: "" -## Alternatively, you can use a pre-existing secret with a key -## called "join-key" by specifying "joinKeySecretName" -joinKeySecretName: "" -## Join Key to connect PDN Node(s) to PDN Server -## If not specified or empty value, a random join key will be generated -## upon PDN Server startup. 
You can copy the key from JFrog UI under -# Admin -> User Management -> Settings -> PDN Access Token -> Join Key -## You can generate one with the command: "openssl rand -hex 16" -## The PDN join key must be 16 bytes in length (a 32 characters long hexadecimal value) -pdnJoinKey: "aa34bd4dc7902a65f14900fc47ec6b5a" -## Alternatively, you can use a pre-existing secret with a key -## called "pdn-join-key" by specifying "pdnJoinKeySecretName" -pdnJoinKeySecretName: "" -## The external address to be used from outside -## the PDN Server service for the PDN Server to be reached. -## Note: selfAddress value will be injected as environment variable -## so it will take precedence over .Values.systemYaml.pdnServer.selfAddress -selfAddress: '{{ include "pdn-server.fullname" . }}:8095' -## Base URL of the JFrog Platform Deployment (JPD). This is the URL to the machine -## where JFrog Artifactory is deployed, or the load balancer pointing to it. -## You can copy the JFrog URL from Admin -> User Management -> Settings -> Connection details -## It is recommended to use DNS names rather than direct IPs. 
-## Note: jfrogUrl value will be injected as environment variable -## so it will take precedence over .Values.systemYaml.shared.jfrogUrl -## Example: -## http://abcdefg-1234567.us-east-1.elb.amazonaws.com -## http://artifactory.us-east-1-prod.svc.cluster.local:8082 -jfrogUrl: "" -## PDN Server system configuration file -## Ref: https://www.jfrog.com/confluence/display/JFROG/Advanced+Private+Distribution+Network+%28PDN%29+Configurations -systemYaml: | - router: - serviceRegistry: - insecure: {{ .Values.router.serviceRegistry.insecure }} - pdnServer: - logLevel: info - metrics: - enabled: true -## PDN Server systemYaml override -## This is for advanced usecases where users wants to provide their own systemYaml -## Ref: https://www.jfrog.com/confluence/display/JFROG/Advanced+Private+Distribution+Network+%28PDN%29+Configurations -## Note: This will override existing (default) .Values.artifactory.systemYaml in values.yaml -## Alternatively, systemYaml can be overidden via customInitContainers using external sources -## like vaults, external repositories etc. Please refer customInitContainer section below for an example. -## Note: Order of preference is: -## 1. customInitContainers -## 2. systemYamlOverride.existingSecret -## 3. default systemYaml in values.yaml -systemYamlOverride: - ## You can use a pre-existing secret by specifying existingSecret - existingSecret: "" - ## The dataKey should be the name of the secret data key created. - dataKey: "" -## If enabled certificates added to this secret will be copied -## to $JFROG_HOME/pdnserver/var/etc/security/keys/trusted directory -customCertificates: - enabled: false - certificateSecretName: "" -## PDN Server containers' resource requests and limits -## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ -## We usually recommend not to specify default resources and to leave this as a conscious -## choice for the user. 
This also increases chances charts run on environments with little -## resources, such as Minikube. If you do want to specify resources, uncomment the following -## lines, adjust them as necessary, and remove the curly braces after 'resources:'. -## @param resources.limits The resources limits for PDN Server containers -## @param resources.requests The requested resources for PDN Server containers -resources: {} -## limits: -## cpu: "1" -## memory: "2Gi" -## requests: -## cpu: "2" -## memory: "4Gi" - -## @section PDN Server Image parameters -## @param image.registry PDN Server image registry -## @param image.repository PDN Server image repository -## @param image.tag PDN Server image tag (immutable tags are recommended) -## @param image.pullPolicy PDN Server image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -image: - registry: releases-docker.jfrog.io - repository: jfrog/pdn/server - # tag: - - ## Specify a image PullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## Ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - pullSecrets: [] -## PDN Server pods' Security Context -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enable PDN Server pods' Security Context -## @param podSecurityContext.fsGroup Group ID for the filesystem used by the containers -## @param podSecurityContext.runAsUser User ID for the service user running the pod -podSecurityContext: - enabled: true - fsGroup: 11055 - runAsUser: 11055 -## @param containerSecurityContext PDN Server containers' Security Context -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## Example: -## containerSecurityContext: -## capabilities: -## drop: ["NET_RAW"] -## readOnlyRootFilesystem: true -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["NET_RAW"] - runAsNonRoot: true -## @section Exposure parameters -## Kubernetes service type -service: - ## @param service.type Kubernetes Service type - type: ClusterIP - ## @param service.portEnabled Amqp port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`. 
- portEnabled: true - ## @param service.extraPorts Extra ports to expose in the service - ## E.g.: - ## extraPorts: - ## - name: new_svc_name - ## port: 1234 - ## targetPort: 1234 - extraPorts: [] - ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer` - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - loadBalancerSourceRanges: [] - ## @param service.externalIPs Set the ExternalIPs - externalIPs: [] - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - externalTrafficPolicy: Cluster - ## @param service.loadBalancerIP Set the LoadBalancerIP - loadBalancerIP: "" - ## @param service.labels Service labels. Evaluated as a template - labels: {} - ## @param service.annotations Service annotations. Evaluated as a template - ## Example: - ## annotations: - ## service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 - annotations: {} - ## @param service.annotationsHeadless Headless Service annotations. 
Evaluated as a template - ## Example: - ## annotations: - ## external-dns.alpha.kubernetes.io/internal-hostname: pdnserver.example.com - annotationsHeadless: {} -## @section pdn-server ingress parameters -## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## -ingress: - ## @param ingress.enabled Enable ingress record generation for pdn-server - ## - enabled: false - ## @param ingress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.hostname Default host for the ingress record - ## - hostname: pdnserver.local - ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param ingress.path Default path for the ingress record - ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate auto-generation, place here your cert-manager annotations. - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - ## ** Note that backend-protocol annotation is required to support GRPC traffic. If you are using a non-nginx ingress controller, this annotation - ## ** must be changed accordingly. 
For examples and more information see: https://kubernetes.github.io/ingress-nginx/examples/grpc/ - ## - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPCS" - ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` - ## You can: - ## - Use the `ingress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` - ## - tls: false - ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record - ## e.g: - ## extraHosts: - ## - name: pdnserver.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host - ## e.g: - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## e.g: - ## extraTls: - ## - hosts: - ## - pdnserver.local - ## secretName: pdnserver.local-tls - ## - extraTls: [] - ## @param ingress.secrets Custom TLS certificates as secrets - ## NOTE: 'key' and 'certificate' are expected in PEM format - ## NOTE: 'name' should line up with a 'secretName' set further up - ## If it is not set, and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates - ## If it is not set, and you're NOT using cert-manager either, 
self-signed certificates will be created valid for 365 days - ## It is also possible to create and manage the certificates outside this helm chart - ## Please see README.md for more information - ## e.g: - ## secrets: - ## - name: pdnserver.local-tls - ## key: |- - ## -----BEGIN RSA PRIVATE KEY----- - ## ... - ## -----END RSA PRIVATE KEY----- - ## certificate: |- - ## -----BEGIN CERTIFICATE----- - ## ... - ## -----END CERTIFICATE----- - ## - secrets: [] - ## @param ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: example.local - ## http: - ## path: / - ## backend: - ## service: - ## name: example-svc - ## port: - ## name: http - ## - extraRules: [] -## Specify common probes parameters -probes: - timeoutSeconds: 5 -## The following settings are to configure the frequency of the liveness and startup probes -livenessProbe: - enabled: true - config: | - exec: - command: - - sh - - -c - - curl -s --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:8092{{ include "pdn-server.livenessProbe" .}} - initialDelaySeconds: {{ if semverCompare " - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, - ## choosing the default provisioner. 
(gp2 on AWS, standard on GKE, AWS & OpenStack) - storageClass: "" - ## @param persistence.selector Selector to match an existing Persistent Volume - ## selector: - ## matchLabels: - ## app: my-app - selector: {} - ## @param persistence.accessMode PVC Access Mode for PDN Server data volume - accessMode: ReadWriteOnce - ## @param persistence.existingClaim Provide an existing PersistentVolumeClaims - ## The value is evaluated as a template - ## So, for example, the name can depend on .Release or .Chart - existingClaim: "" - ## @param persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PDN Server images - mountPath: /var/opt/jfrog/pdnserver - ## @param persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - subPath: "" - ## @param persistence.size PVC Storage Request for PDN Server data volume - size: 16Gi - ## @param persistence.volumes Additional volumes without creating PVC - ## - name: volume_name - ## emptyDir: {} - volumes: [] - ## @param persistence.annotations Persistence annotations. Evaluated as a template - ## Example: - ## annotations: - ## example.io/disk-volume-type: SSD - annotations: {} -## Network Policy configuration -## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -networkPolicy: - ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources - enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the ports PDN is listening on. - ## When set to true, integration will accept connections from any source - ## (with the correct destination port). - allowExternal: true - ## @param networkPolicy.additionalRules Additional NetworkPolicy Ingress "from" rules to set. - ## Note: All rules are OR-ed. 
- ## Example: - ## additionalRules: - ## - matchLabels: - ## - app.kubernetes.io/name: pdn-server - ## - matchExpressions: - ## - key: app.kubernetes.io/name - ## operator: In - ## values: - ## - pdn-server - additionalRules: [] -## @section Init Container Parameters -## Init Container parameters -initContainers: - ## @param initContainers Add init containers to the PDN Server pod - ## Example: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## pullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## @param initContainers.image.registry Init container volume-permissions image registry - ## @param initContainers.image.repository Init container volume-permissions image repository - ## @param initContainers.image.tag Init container volume-permissions image tag - ## @param initContainers.image.pullPolicy Init container volume-permissions image pull policy - ## @param initContainers.image.pullSecrets Specify docker-registry secret names as an array - image: - registry: releases-docker.jfrog.io - repository: ubi9/ubi-minimal - tag: 9.2.484 - ## Specify a image PullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## Ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - pullSecrets: [] - ## Init Container resource requests and limits - ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. 
If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param initContainers.resources.limits The resources limits for Init containers - ## @param initContainers.resources.requests The requested resources for Init containers - resources: {} - ## limits: - ## cpu: "1" - ## memory: "1Gi" - ## requests: - ## cpu: "100m" - ## memory: "50Mi" - ## @param containerSecurityContext init containers' Security Context - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## Example: - ## containerSecurityContext: - ## capabilities: - ## drop: ["NET_RAW"] - ## readOnlyRootFilesystem: true - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - readOnlyRootFilesystem: true - runAsNonRoot: true -## @param sidecars Add sidecar containers to the PDN Server pod -## Example: -## sidecars: -## - name: your-image-name -## image: your-image -## pullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -sidecars: [] -## Filebeat Sidecar container -## The provided filebeat configuration is for Pdn server logs. -## It assumes you have a logstash installed and configured properly. 
-filebeat: - enabled: false - name: pdnserver-filebeat - image: - pullPolicy: IfNotPresent - repository: docker.elastic.co/beats/filebeat - version: 7.17.7 - logstashUrl: "logstash:5044" - livenessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - curl -s --fail 127.0.0.1:5066 - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - readinessProbe: - exec: - command: - - sh - - -c - - | - #!/usr/bin/env bash -e - filebeat test output - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - ## Filebeat container resource requests and limits - ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param filebeat.resources.limits The resources limits for filebeat container - ## @param filebeat.resources.requests The requested resources for filebeat container - resources: {} - ## limits: - ## cpu: "100m" - ## memory: "100Mi" - ## requests: - ## cpu: "100m" - ## memory: "100Mi" - filebeatYml: | - logging.level: info - path.data: {{ .Values.persistence.mountPath }}/log/filebeat - name: pdnserver-filebeat - queue.spool: - file: - permissions: 0760 - filebeat.inputs: - - type: log - enabled: true - close_eof: ${CLOSE:false} - paths: - - {{ .Values.persistence.mountPath }}/log/*.log - fields: - service: "jftr" - log_type: "pdnserver" - output: - logstash: - hosts: ["{{ .Values.filebeat.logstashUrl }}"] -## Allows to add additional kubernetes resources -## Use --- as a separator between multiple resources -## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/helm/artifactory-values.yaml -additionalResources: "" -## All values are under the 'nginx' sub chart. 
-nginx: - ## If you enable nginx you have to manually create pdn-server-nginx-tls - ## tls secret and provide certificate, private key, root certficate - enabled: false - image: - registry: releases-docker.jfrog.io - repository: bitnami/nginx - tag: 1.23.2-debian-11-r2 - containerPorts: - http: 8095 - service: - loadBalancerSourceRanges: [] - ports: - http: 8095 - extraVolumes: - - name: pdn-server-nginx-tls - secret: - secretName: pdn-server-nginx-tls - extraVolumeMounts: - - name: pdn-server-nginx-tls - mountPath: "/etc/ssl/nginx" - readOnly: true - serverBlock: |- - chunked_transfer_encoding on; - proxy_request_buffering off; - - grpc_send_timeout 180; - grpc_read_timeout 180; - - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:1m; - ssl_certificate /etc/ssl/nginx/tls.crt; - ssl_certificate_key /etc/ssl/nginx/tls.key; - - server { - server_name _; - listen 0.0.0.0:8095 default_server http2 ssl; - - location / { - grpc_pass grpcs://pdn-server:8095; - } - } -## @section Common parameters -## @param nameOverride String to partially override PDN Server.fullname template (will maintain the release name) -nameOverride: "" -## @param fullnameOverride String to fully override PDN Server.fullname template -fullnameOverride: "" -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -kubeVersion: "" -## @param clusterDomain Kubernetes Cluster Domain -clusterDomain: cluster.local -## @param hostAliases Adding entries to a Pod's /etc/hosts file -## For an example, refer - https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/ -## If you do want to specify additional aliases, uncomment the following lines, -## adjust them as necessary, and remove the square braces after 'hostAliases:'. 
-hostAliases: [] -## - ip: "127.0.0.1" -## hostnames: -## - "foo.local" -## - "bar.local" -## - ip: "10.1.2.3" -## hostnames: -## - "foo.remote" -## - "bar.remote" - -## @param commonAnnotations Annotations to add to all deployed objects -commonAnnotations: {} -## @param command Override default container command (useful when using custom images) -command: [] -## @param args Override default container args (useful when using custom images) -args: [] -## @param terminationGracePeriodSeconds Default duration in seconds k8s waits -## for container to exit before sending kill signal. Any time in excess of 10 seconds -## will be spent waiting for any synchronization necessary for cluster not to lose data. -terminationGracePeriodSeconds: 120 -## @param extraEnvironmentVariables that can be used to tune PDN Server to your needs. -## Example: -## extraEnvironmentVariables: -## - name: MY_ENV_VAR -## value: "" -extraEnvironmentVariables: [] -## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts -## Examples: -## extraVolumeMounts: -## - name: extras -## mountPath: /usr/share/extras -## readOnly: true -extraVolumeMounts: [] -## @param extraVolumes Optionally specify extra list of additional volumes . -## Example: -## extraVolumes: -## - name: extras -## emptyDir: {} -extraVolumes: [] -## @param extraSecrets Optionally specify extra secrets to be created by the chart. -## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded. -## Example: -## extraSecrets: -## load-definition: -## load_definition.json: | -## { -## ... -## } -extraSecrets: {} -## @param extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with prepended. -extraSecretsPrependReleaseName: false -## @section Statefulset parameters - -## @param replicaCount Number of PDN Server replicas to deploy -replicaCount: 1 -## @param schedulerName Use an alternate scheduler, e.g. 
"stork". -## Ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -schedulerName: "" -## @param podLabels PDN Server Pod labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -podLabels: {} -## @param podAnnotations PDN Server Pod annotations. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -podAnnotations: {} -## @param updateStrategyType Update strategy type for PDN Server statefulset -## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -updateStrategyType: RollingUpdate -## @param deploymentLabels PDN Server deployment labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -deploymentLabels: {} -## @param priorityClassName Name of the priority class to be used by PDN Server pods, priority class needs to be created beforehand -## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ -priorityClassName: "" -## @param affinity Affinity for pod assignment. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -affinity: {} -## @param nodeSelector Node labels for pod assignment. Evaluated as a template -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -nodeSelector: {} -## @param tolerations Tolerations for pod assignment. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] -## @param podAffinityPreset Pod affinity preset. -## Ignored if `affinity` is set and not empty. 
Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. -## Ignored if `affinity` is set and not empty. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## We recommend to use the value `hard` to run one pod per node -podAntiAffinityPreset: hard -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. - ## Ignored if `affinity` is set and not empty. Allowed values: `soft` or `hard` - type: "" - ## @param nodeAffinityPreset.key Node label key to match. - ## Ignored if `affinity` is set. - ## Example: - ## key: "kubernetes.io/e2e-az-name" - key: "" - ## @param nodeAffinityPreset.values Node label values to match. - ## Ignored if `affinity` is set and not empty. - ## Example: - ## values: - ## - e2e-az1 - ## - e2e-az2 - values: [] -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment -## spread across your cluster among failure-domains. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods -topologySpreadConstraints: [] -## @param serviceMonitor Declaratively specifies how groups of Kubernetes services should be monitored. -## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md -serviceMonitor: - enabled: false - interval: 30s - jobLabel: pdnserver-metrics - port: http-router - targetPort: 8082 - scrapeTimeout: 15s - tokenName: "" - kubePromApp: "" - kubePromFullName: "" - namespaceSelector: - any: true - selector: - matchLabels: - app: pdnserver 
diff --git a/stable/pipelines/CHANGELOG.md b/stable/pipelines/CHANGELOG.md
index 63b168ed0..a4df29f57 100644
--- a/stable/pipelines/CHANGELOG.md
+++ b/stable/pipelines/CHANGELOG.md
@@ -1,8 +1,53 @@ # JFrog Pipelines Chart Changelog All changes to this chart to be documented in this file. -## [101.44.5] - Aug 7, 2023 +## [101.59.7] - Feb 21, 2024 +* Updated postgresql tag version to `15.2.0-debian-11-r23` + * If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! + * If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x/12.x's postgresql.image.tag, previous postgresql.persistence.size and databaseUpgradeReady=true +* Added a check for postgresql version during upgrades +* Added pod level and container security context + +## [101.56.0] - Jan 31, 2024 +* Fixes in external secret support on unified secret installation + +## [101.55.0] - Dec 28, 2023 +* Handled #redis postfix is ommited from redis service name if it contains redis + +## [101.54.0] - Dec 21, 2023 +* Removed hardcoding of redis resources in default values + +## [101.53.0] - Nov 14, 2023 +* Updated rabbitmq version to 3.12.10-debian-11-r1 +* Updated redis version to 7.2.0-debian-11-r2 + +## [101.51.0] - Nov 14, 2023 +* Update minimum supported kubernetes version to 1.19 +* Updated postgresql tag version to `13.13.0-debian-11-r4` +* Updated hashicorp tag version to `1.15` +* Changed default replicacount to 1 for redis +* Updated sentinel port and master group name + +## [101.50.0] - Oct 20, 2023 +* Added sentinel redis +* Upgrade redis, redis-sentinel and redis-exporter to latest versions +* Upgrade rabbitmq container and chart version to 3.11.10-debian-11-r5 and 11.9.3 +* Use multiarch supported image for init container + +## [101.49.0] - Oct 16, 2023 +* Defined router required service types for pods + +## [101.46.2] - Oct 12, 2023 +* Added sidecar container for stepservice logs + +## [101.46.0] - Aug 7, 2023 +* Remove nexec microservice + +## [101.45.0] - Aug 7, 2023 * Upadate chart version of vault to 0.25.0 to work with 1.25 of 
kubernetes + + +## [101.44.0] - Jul 27, 2023 * Added option to stream logs in json * Add support to work without vault on modifying corresponding flags * Remove steptrigger from pipelines @@ -10,22 +55,13 @@ All changes to this chart to be documented in this file. * Add ability to pass filebeat metric configuration * Updated nodePollerInterval from 15 seconds to 5 seconds * Fixed #adding colon in image registry breaks deployment with meta label error + +## [101.42.0] - Jun 16, 2023 * Add observability container to non api pods * Add terminationGracePeriodSeconds for all the pods - -## [101.41.3] - Jun 16, 2023 * Add ability to work with redis.fullnameOverride -* Add support to pass db metric parameters in system.yaml -* Add hpa api version to autoscaling/v2 for missing conf -## [101.40.1] - May 31, 2023 -* Handle jfrogUrlUI if nothing is set -* Added log-service -* Added step-service -* Enabled nodepoolservice by default -* Fix migration script failures on ssl enforced database -* Fix database SSL details not being passed to nodepoolservice as expected in split mode -* Fix vault issue with enforced SSL on azure database +## [101.41.0] - May 31, 2023 * Opens grpc port for nodepoolservice apis. * Opens http health check port for nodepoolservice * Add ability to use redis with password 
@@ -34,15 +70,21 @@ All changes to this chart to be documented in this file. * Enable probes on router * Add readiness to api container * Fix port for router readiness probe +* Adds toggle for enabling/disabling anti-affinity spec for k8s node -## [101.38.1] - Apr 18, 2023 -* Handle jfrogUrlUI if nothing is set +## [101.40.0] - Apr 25, 2023 +* Added log-service +* Added step-service +* Enabled nodepoolservice by default * Fix migration script failures on ssl enforced database +* Fix database SSL details not being passed to nodepoolservice as expected in split mode +* Fix vault issue with enforced SSL on azure database -## [101.37.3] - Feb 20, 2023 +## [101.36.0] - Feb 23, 2023 * Added build badge feature for pipelines * Added configuration to use access instead of vault to store secrets * Retained installer metrics only for db migrations +* Handle jfrogUrlUI if nothing is set ## [101.35.0] - Feb 06, 2023 * Fixed indentation in nodepoolservice container definition diff --git a/stable/pipelines/Chart.lock b/stable/pipelines/Chart.lock index 2a1dd2970..61aec15ed 100644 --- a/stable/pipelines/Chart.lock +++ b/stable/pipelines/Chart.lock @@ -4,12 +4,12 @@ dependencies: version: 10.3.18 - name: rabbitmq repository: https://charts.jfrog.io/ - version: 8.31.6 + version: 11.9.3 - name: redis repository: https://charts.jfrog.io/ - version: 12.10.1 + version: 17.13.2 - name: vault repository: https://charts.jfrog.io/ version: 0.25.0 -digest: sha256:9d9b9eaa7258294872a09b31aae9d39fb4f0970ce5c17220d2d6ab889562e3b5 -generated: "2023-08-07T15:59:25.511241+05:30" +digest: sha256:dd3150c4f1f61d956c9ddb58ea16803748aec1427c69efb60551274611ddccd0 +generated: "2023-12-05T15:54:45.066391+05:30" diff --git a/stable/pipelines/Chart.yaml b/stable/pipelines/Chart.yaml index eabb61289..c4c5633d5 100644 --- a/stable/pipelines/Chart.yaml +++ b/stable/pipelines/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.44.5 +appVersion: 1.59.7 dependencies: - condition: postgresql.enabled name: postgresql @@ -8,11 +8,11 @@ dependencies: - condition: rabbitmq.enabled name: rabbitmq repository: https://charts.jfrog.io/ - version: 8.31.6 + version: 11.9.3 - condition: redis.enabled name: redis repository: https://charts.jfrog.io/ - version: 12.10.1 + version: 17.13.2 - condition: vault.enabled name: vault repository: https://charts.jfrog.io/ @@ -24,7 +24,7 @@ keywords: - pipelines - jfrog - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -32,4 +32,4 @@ name: pipelines sources: - https://github.com/jfrog/charts type: application -version: 101.44.5 +version: 101.59.7 diff --git a/stable/pipelines/templates/_helpers.tpl b/stable/pipelines/templates/_helpers.tpl index b1b36a8f1..78d081597 100644 --- a/stable/pipelines/templates/_helpers.tpl +++ b/stable/pipelines/templates/_helpers.tpl 
@@ -32,6 +32,50 @@ The services name {{- printf "%s-%s-services" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Expand the name of rabbit chart. +*/}} +{{- define "rabbitmq.name" -}} +{{- default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} +{{- end -}} + +{{/* +Return the registry of a service +*/}} +{{- define "pipelines.getRegistryByService" -}} +{{- $dot := index . 0 }} +{{- $service := index . 1 }} +{{- if $dot.Values.global.imageRegistry }} + {{- $dot.Values.global.imageRegistry }} +{{- else -}} + {{- if (eq $service "migrationHook") -}} + {{- index $dot.Values.rabbitmq.migration.image.registry -}} + {{- else -}} + {{- index $dot.Values $service "image" "registry" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "pipelines.rabbitmq.migration.fullname" -}} +{{- $name := default "rabbitmq-migration" -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for rabbitmq migration +*/}} +{{- define "pipelines.rabbitmq.migration.serviceAccountName" -}} +{{- if .Values.rabbitmq.migration.serviceAccount.create -}} +{{ default (include "pipelines.rabbitmq.migration.fullname" .) .Values.rabbitmq.migration.serviceAccount.name }} +{{- else -}} +{{ default "rabbitmq-migration" .Values.rabbitmq.migration.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{- define "pipelines.sync.name" -}} {{- $name := .Release.Name | trunc 29 -}} {{- printf "%s-%s-sync" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} 
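Review bot: `pipelines.rabbitmq.migration.serviceAccountName` silently falls back to the literal `rabbitmq-migration` when `serviceAccount.create` is false and no `serviceAccount.name` is given; that account must already exist in the release namespace, otherwise the pre-upgrade hook Pod that uses it is rejected by the API server and the upgrade stops with no hint why. Since opting out of creation is exactly the case where an operator supplies a pre-existing, minimally privileged account, I would make the name mandatory there: `{{ required "rabbitmq.migration.serviceAccount.name is required when serviceAccount.create=false" .Values.rabbitmq.migration.serviceAccount.name }}`. Also, `{{- $name := default "rabbitmq-migration" -}}` in `pipelines.rabbitmq.migration.fullname` calls Sprig `default` with a single argument, which just returns the literal; a plain `$name := "rabbitmq-migration"` says the same thing without implying a fallback.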
@@ -126,6 +170,14 @@ The stepservice name {{- printf "%s-%s-stepservice" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +The analyticsservice name +*/}} +{{- define "pipelines.analyticsservice.name" -}} +{{- $name := .Release.Name | trunc 29 -}} +{{- printf "%s-%s-analyticsservice" $name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* The msg name */}} @@ -379,6 +431,37 @@ Set grcp url {{- end }} {{- end -}} +{{/* +Create rabbitmq URL +*/}} +{{- define "rabbitmq.url" -}} +{{- if index .Values "rabbitmq" "enabled" -}} +{{- if .Values.rabbitmq.auth.tls.enabled -}} +{{- $rabbitmqPort := .Values.rabbitmq.service.ports.amqpTls -}} +{{- $name := default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} +{{- printf "%s://%s-%s:%g/" "amqps" .Release.Name $name $rabbitmqPort -}} +{{- else -}} +{{- $rabbitmqPort := .Values.rabbitmq.service.ports.amqp -}} +{{- $name := default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} +{{- printf "%s://%s-%s:%g/" "amqp" .Release.Name $name $rabbitmqPort -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{/* +Custom Rabbitmq certificate copy command +*/}} +{{- define "pipelines.copyRabbitmqCustomCerts" -}} +{{- if .Values.rabbitmq.auth.tls.enabled -}} +echo "Copy rabbitmq custom certificates to {{ .Values.pipelines.mountPath }}/etc/security/keys/trusted"; +mkdir -p {{ .Values.pipelines.mountPath }}/etc/security/keys/trusted {{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/; +cd /tmp/rabbitmqcerts/; +for file in $(ls * | grep -v ".key" | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.pipelines.mountPath }}/etc/security/keys/trusted/rabbitmq_${file}; fi done; +for file in $(ls * | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_${file}; fi done; +{{- end -}} +{{- end -}} + {{/* Resolve jfrogUrl value */}} 
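Review bot: In `pipelines.copyRabbitmqCustomCerts` the second loop copies every file from the mounted secret, including the private key `tls.key`, into the shared `data/rabbitmq/certs/` volume with a plain `cp`, so the key keeps the mode of the secret mount (0644 unless `defaultMode` is set) and is readable by any user in any container that shares that volume. I would restrict it right after the copy, e.g. `chmod 600 {{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/*.key;`, or mount the secret with a restrictive `defaultMode`. Parsing `ls *` is also fragile; it works here only because Secret data keys cannot contain whitespace, and `for file in *; do ... done` is the safer idiom. A smaller nit in `rabbitmq.url`: `%g` assumes the port values are numbers, and a quoted `"5672"` in values renders as `%!g(string=5672)`, so pass them through `int` first or use `%v`.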
@@ -765,8 +848,12 @@ bash "${new_script_path}" "${PIP_CONTAINER_START_TIME}" "{{ .Values.pipelines.lo Common code to change ownership of metrics file */}} {{- define "pipelines.changeOwnershipMetrics" -}} +{{- if .Values.podSecurityContext.enabled -}} +echo "podSecurityContext is enabled"; +{{- else -}} chown 1066:1066 {{ .Values.pipelines.logPath }}/*-metrics.log || true; {{- end -}} +{{- end -}} {{/* Return the proper vault image name 
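Review bot: The new branch in `pipelines.changeOwnershipMetrics` replaces the `chown` with an `echo "podSecurityContext is enabled";` that only adds noise to the container log, and the reason the chown can be skipped (presumably ownership of the log volume is handled by `fsGroup` in `podSecurityContext`, which this hunk does not show) is not stated anywhere. I would drop the echo and document the assumption in the template comment above the define, e.g. `When podSecurityContext is enabled the log volume is expected to be group-owned via fsGroup, so no chown is needed.` If `podSecurityContext.enabled` can be true without `fsGroup` set, the metrics log may end up unwritable for the runtime user, so that combination deserves a `fail` or at least a NOTES.txt warning.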
@@ -803,17 +890,72 @@ Custom certificate copy command echo "Copy custom certificates to {{ .Values.pipelines.mountPath }}/security/keys/trusted"; mkdir -p {{ .Values.pipelines.mountPath }}/security/keys/trusted; if [ -f /tmp/certs/tls.crt ]; then cp -v /tmp/certs/tls.crt {{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt; fi; +{{- if not .Values.podSecurityContext.enabled -}} chown -R 1066:1066 {{ .Values.pipelines.mountPath }} {{- end -}} +{{- end -}} {{/* Resolve pipelines requiredServiceTypes value */}} {{- define "pipelines.router.requiredServiceTypes" -}} +{{- if .Values.splitServicesToPods }} +{{- $requiredTypes := "jfpip,jfob,jfpipwww,jfpipfrontend" -}} +{{- $requiredTypes -}} +{{- else -}} +{{- $requiredTypes := "jfpip,jfob,jfpipwww,jfpipfrontend,jfpnps" -}} +{{- $requiredTypes -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve pipelines requiredServiceTypes value +*/}} +{{- define "pipelines.cron.router.requiredServiceTypes" -}} +{{- $requiredTypes := "jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Resolve pipelines requiredServiceTypes value +*/}} +{{- define "pipelines.sync.router.requiredServiceTypes" -}} +{{- $requiredTypes := "jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Resolve pipelines requiredServiceTypes value +*/}} +{{- define "pipelines.hookhandler.router.requiredServiceTypes" -}} +{{- $requiredTypes := "jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Resolve pipelines requiredServiceTypes value +*/}} +{{- define "pipelines.trigger.router.requiredServiceTypes" -}} +{{- $requiredTypes := "jfob,jfpnps" -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Resolve pipelines requiredServiceTypes value +*/}} +{{- define "pipelines.internalapi.router.requiredServiceTypes" -}} {{- $requiredTypes := "jfpip,jfob" -}} {{- $requiredTypes -}} {{- end -}} +{{/* +Resolve pipelines requiredServiceTypes value +*/}} +{{- define "pipelines.stepservice.router.requiredServiceTypes" -}} +{{- $requiredTypes := 
"jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + {{/* Resolve Pipelines pod node selector value */}} @@ -844,3 +986,54 @@ if the volume exists in customVolume then an extra volume with the same name wil {{- printf "%s" "false" -}} {{- end -}} {{- end -}} + +{{/* +Construct Redis service name +*/}} +{{- define "pipelines.redisServiceName" -}} +{{- if .Values.redis.fullnameOverride -}} +{{- .Values.redis.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- if contains "redis" .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-redis" .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret name of rabbitmq TLS certs. +*/}} +{{- define "pipelines.rabbitmqCustomCertificateshandler" -}} +{{- if .Values.rabbitmq.auth.tls.enabled -}} +{{- $secretName := printf "%s-%s" .Release.Name "rabbitmq-certs" -}} +{{- $val := default $secretName .Values.rabbitmq.auth.tls.existingSecret -}} +{{- $val -}} +{{- end -}} +{{- end -}} + +{{/* +Prints value of Values.rabbitmq.auth.tls.enabled. +*/}} +{{- define "pipelines.rabbitmq.isTlsEnabled" -}} +{{- printf "%t" $.Values.auth.tls.enabled -}} +{{- end -}} + +{{/* +Set pipelines env variables if rabbitmq.tls is enabled. +*/}} +{{- define "pipelines.rabbitmqTlsEnvVariables" -}} +{{- if .Values.rabbitmq.auth.tls.enabled }} +- name: GODEBUG + value: "x509ignoreCN=0" +- name: enableTlsConnectionToRabbitMQ + value: "true" +- name: JF_SHARED_MSG_TLSCERT + value: {{.Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_tls.crt +- name: JF_SHARED_MSG_TLSKEY + value: {{.Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_tls.key +- name: JF_SHARED_MSG_TLSCA + value: {{.Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_ca.crt +{{- end }} +{{- end -}} diff --git a/stable/pipelines/templates/migration-hook.yaml b/stable/pipelines/templates/migration-hook.yaml new file mode 100644 index 000000000..44d823a82 
--- /dev/null
+++ b/stable/pipelines/templates/migration-hook.yaml
@@ -0,0 +1,116 @@ +{{- if .Values.rabbitmq.enabled }} +{{- if .Values.rabbitmq.migration.enabled }} +{{- if .Values.rabbitmq.migration.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "pipelines.name" . }} + chart: {{ template "pipelines.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "pipelines.rabbitmq.migration.serviceAccountName" . }} + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-weight: "-10" +automountServiceAccountToken: {{ .Values.rabbitmq.migration.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- if .Values.rabbitmq.enabled }} +{{- if .Values.rabbitmq.migration.enabled }} +{{- if .Values.rabbitmq.migration.serviceAccount.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: {{ template "pipelines.name" . }} + chart: {{ template "pipelines.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "pipelines.rabbitmq.migration.fullname" . }} + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-weight: "-10" +rules: +{{ toYaml .Values.rabbitmq.migration.serviceAccount.rbac.role.rules }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- if .Values.rabbitmq.enabled }} +{{- if .Values.rabbitmq.migration.enabled }} +{{- if .Values.rabbitmq.migration.serviceAccount.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: {{ template "pipelines.name" . }} + chart: {{ template "pipelines.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + name: {{ template "pipelines.rabbitmq.migration.fullname" . }} + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-weight: "-10" +subjects: + - kind: ServiceAccount + name: {{ template "pipelines.rabbitmq.migration.serviceAccountName" . 
}} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: {{ template "pipelines.rabbitmq.migration.fullname" . }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- if .Values.rabbitmq.enabled }} +{{- if .Values.rabbitmq.migration.enabled }} +apiVersion: v1 +kind: Pod +metadata: + labels: + app: {{ template "pipelines.name" . }} + chart: {{ template "pipelines.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "pipelines.fullname" . }}-pre-upgrade-hook + annotations: + "helm.sh/hook": "pre-upgrade" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + {{- if .Values.rabbitmq.podSecurityContext.enabled }} + securityContext: {{- omit .Values.rabbitmq.podSecurityContext "enabled" | toYaml | nindent 4 }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} + {{- include "pipelines.imagePullSecrets" . | indent 2 }} + {{- end }} + serviceAccountName: {{ template "pipelines.rabbitmq.migration.serviceAccountName" . }} + containers: + - name: pre-upgrade-container + image: "{{ include "pipelines.getRegistryByService" (list . "migrationHook") }}/{{ .Values.rabbitmq.migration.image.repository }}:{{ .Values.rabbitmq.migration.image.tag }}" + imagePullPolicy: IfNotPresent + {{- if .Values.rabbitmq.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.rabbitmq.containerSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + command: + - sh + - -c + - | + #!/bin/sh + if [ "$(kubectl get pods -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }}" -o jsonpath='{.items[?(@.metadata.name=="{{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0")].status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then + kubectl exec -it {{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0 -- rabbitmqctl enable_feature_flag all + if [ "$?" -ne 0 ]; then + echo "Failed to perform the migration. 
Please make sure to enable the feature flag in rabbitmq manually [rabbitmqctl enable_feature_flag all] " + exit 1 + else + echo Feature flags executed successfully! + fi + else + echo "Rabbitmq pod is not in running state. Ignoring feature flag migration for rabbitmq" + fi + restartPolicy: Never + terminationGracePeriodSeconds: 0 +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/pipelines/templates/pipelines-cron-statefulset.yaml b/stable/pipelines/templates/pipelines-cron-statefulset.yaml index c92f19c70..367e116ce 100644 --- a/stable/pipelines/templates/pipelines-cron-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-cron-statefulset.yaml @@ -12,6 +12,9 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} {{- include "pipelines.common.labels" . | nindent 4 }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} spec: serviceName: {{ include "pipelines.services.name" . }}-headless replicas: {{ .Values.pipelines.cron.replicaCount }} 
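Review bot: The ServiceAccount, Role and RoleBinding that give the pre-upgrade hook `kubectl exec` access to the RabbitMQ pod are hook resources without a `helm.sh/hook-delete-policy`, so unlike the Pod (which has `before-hook-creation,hook-succeeded`) they are neither removed after the hook runs nor by `helm uninstall`, leaving a token-bearing account with exec rights in the namespace indefinitely. I would add `helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded` to all three so the grant lives only as long as the migration, and document in values that `rbac.role.rules` (rendered verbatim from values here; the defaults are not in this diff) should be limited to `pods` get/list and `pods/exec` create. Two smaller points in the script: `kubectl exec -it` requests a TTY and stdin that a hook container does not have, which prints a warning on every run and is unnecessary for `rabbitmqctl enable_feature_flag all`, so drop `-it`; and the pod-not-Ready branch exits 0 with an "ignoring" message while the exec-failure branch exits 1, an asymmetry that looks deliberate but is undocumented. The new file also lacks a trailing newline.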
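Review bot: The `databaseUpgradeReady` guard fires on every `helm upgrade` with bundled PostgreSQL, not only on those that change the major version, so after the first upgrade operators will keep `databaseUpgradeReady=true` in their values permanently and the `required` check stops protecting the next major bump. The message also lists `13.x` while the CHANGELOG entry for this version lists only 9.x/10.x/12.x; the two should agree on which source versions need a pinned `postgresql.image.tag`. If a one-time acknowledgement is the intent, a comment above the block such as `# Re-checked on every upgrade by design; see CHANGELOG for the versions that require a pinned image tag` would at least make the behaviour explicit. Rendering the flag as a label value also means anything other than a short alphanumeric token is rejected by the API server, and `| quote` does not guarantee that.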
@@ -45,6 +48,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} @@ -62,8 +68,11 @@ spec: {{ tpl (include "pipelines.cron.customInitContainersBegin" .) . | indent 8 }} {{- end }} - name: wait-for-pipelines-internalapi - image: '{{ .Values.initContainer.image }}' - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -77,11 +86,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: 
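Review bot: For `copy-system-yaml` the unconditional `securityContext` (`allowPrivilegeEscalation: false`, drop `NET_RAW`) is replaced by one that is rendered only when `containerSecurityContext.enabled` is true, so if that flag defaults to false or an operator turns it off, the init container loses the hardening it had in the previous chart version instead of keeping a baseline. The sibling `copy-custom-certificates` container in the next hunk keeps an `{{- else }}` fallback with the old settings; the same `else` branch should be used here for consistency, and `wait-for-pipelines-internalapi` in the hunk above has the same gap. Since the pod-level `securityContext` is likewise gated on `podSecurityContext.enabled`, with both flags off this pod ends up with no security context at all, which deserves a comment in values stating what the defaults are.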
@@ -98,7 +105,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -115,11 +122,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -133,6 +146,27 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 
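Review bot: The new `copy-rabbitmq-certs` init container, like `copy-system-yaml`, has no `securityContext` at all when `containerSecurityContext.enabled` is false, whereas `copy-custom-certificates` two hunks above keeps an explicit `{{- else }}` fallback (`allowPrivilegeEscalation: false`, drop `NET_RAW`); the same fallback belongs here, especially since this container handles the RabbitMQ private key. The closing `{{ end }}` has no left-trim, so an indented whitespace-only line is emitted inside the init-container list; `{{- end }}` matches the surrounding style. The `>` folded scalar plus `indent 12` only works because every line of `pipelines.copyRabbitmqCustomCerts` is terminated with `;`, which is worth a one-line template comment so the next edit to that helper does not silently break the command.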
@@ -154,9 +188,13 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -164,6 +202,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -199,7 +238,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -210,7 +249,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -238,7 +277,7 @@ spec: - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.aws.existingSecret }} - name: buildplane-creds-aws {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -250,7 +289,7 @@ spec: readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.k8s.existingSecret }} - name: buildplane-creds-k8s {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -273,11 +312,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" @@ -295,12 +332,12 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "pipelines.cron.router.requiredServiceTypes" . }} {{- if not .Values.router.routerConfiguration }} - name: JF_SHARED_JFROGURL value: "{{ tpl (include "pipelines.jfrogUrl" .) . }}" 
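Review bot: The `router` container (and `filebeat` in the hunk above) loses its baseline `securityContext` entirely whenever `containerSecurityContext.enabled` is false, where before it always had `allowPrivilegeEscalation: false` and `NET_RAW` dropped; an `{{- else }}` branch restoring those two settings, as `copy-custom-certificates` and `pipelines-installer` do, keeps the pod at least as hardened as the previous chart version. The new `JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES` value is rendered unquoted; it is a plain string today (`jfob`), but quoting templated scalars is the safer convention: `value: {{ include "pipelines.cron.router.requiredServiceTypes" . | quote }}`.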
@@ -325,7 +362,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -373,12 +410,9 @@ spec: - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_OBSERVABILITY_PARENT_SERVICE value: "cron" @@ -387,7 +421,7 @@ spec: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -396,7 +430,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
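Review bot: The removed `securityContext` for `observability` carried an explicit `runAsNonRoot: false`, i.e. this container was known to need root; after the change it gets the shared `containerSecurityContext` (contents not visible here) when enabled and nothing when disabled. If the shared context sets `runAsNonRoot: true` the observability sidecar will fail admission or start-up on the first upgrade with the flag on, and if it is disabled the `allowPrivilegeEscalation: false` / drop `NET_RAW` baseline is lost; either way the special case deserves a comment next to the container, e.g. `# observability previously ran with runAsNonRoot: false; verify containerSecurityContext is compatible`.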
@@ -430,13 +464,14 @@ spec: - name: cron image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "cron" ) }} imagePullPolicy: {{ .Values.pipelines.cron.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/cron env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -594,4 +629,10 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} diff --git a/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml b/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml index e401a333d..387325760 100644 --- a/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml 
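Review bot: The new `{{ end }}` closing the rabbitmq TLS env block and the `{{- end}}` closing the `rabbitmq-ca-certs` volume are written differently from the `{{- end }}` form used throughout the file, and the first one leaves a whitespace-only line inside the `env:` list. Using `{{- end }}` for both keeps the rendered manifest clean and the templates greppable; the same two spellings appear in the equivalent hunks of the hookhandler, internalapi and pipelines statefulsets. The `{{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }}` with a leading `{{-` only renders correctly if the helper's output begins with its own newline, otherwise the first `- name:` is glued onto the `env:` line; if that is the intent, a comment such as `{{/* helper output starts with a newline; keep the leading dash */}}` would protect it.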
@@ -12,6 +12,9 @@ metadata: {{- with .Values.pipelines.labels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} spec: serviceName: {{ include "pipelines.services.name" . }}-headless {{- if not .Values.pipelines.hookHandler.autoscaling.enabled }} @@ -49,6 +52,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} 
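Review bot: The `required` message guarding `databaseUpgradeReady` is a long single-line string repeated verbatim in this hunk and again in the internalapi and pipelines statefulset hunks of this commit, so the copies will drift the next time the listed postgresql tags change. Moving it into a named template such as `{{- define "pipelines.databaseUpgradeReadyCheck" -}}` and emitting `databaseUpgradeReady: {{ include "pipelines.databaseUpgradeReadyCheck" . }}` at each site keeps the text in one place. A values.yaml comment should also state that this check fires on every `helm upgrade` with `postgresql.enabled=true`, not only on a postgresql major-version jump, since the template cannot see the previous image tag.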
@@ -66,8 +72,11 @@ spec: {{ tpl (include "pipelines.hookhandler.customInitContainersBegin" .) . | indent 8 }} {{- end }} - name: wait-for-pipelines-internalapi - image: '{{ .Values.initContainer.image }}' - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -81,11 +90,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -102,7 +109,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -119,11 +126,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -137,6 +150,27 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 
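Review bot: In `copy-custom-certificates` the `CHOWN` capability is added only in the `{{- else }}` fallback, so when `containerSecurityContext.enabled` is true the user-supplied context must itself carry `capabilities.add: [CHOWN]` for any ownership change in the copy script to succeed; a comment like `{{/* a user-supplied containerSecurityContext must grant CHOWN if the copy script changes ownership */}}` above the `{{- if` would prevent a confusing init-container failure. The new `copy-rabbitmq-certs` container in the same hunk has no fallback context at all, unlike its sibling two containers above. The init container list continues outside the hunk.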
@@ -158,9 +192,13 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -168,6 +206,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -203,7 +242,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -214,7 +253,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -242,7 +281,7 @@ spec: - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.aws.existingSecret }} - name: buildplane-creds-aws {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -254,7 +293,7 @@ spec: readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.k8s.existingSecret }} - name: buildplane-creds-k8s {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -277,11 +316,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" @@ -299,12 +336,12 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "pipelines.hookhandler.router.requiredServiceTypes" . }} {{- if not .Values.router.routerConfiguration }} - name: JF_SHARED_JFROGURL value: "{{ tpl (include "pipelines.jfrogUrl" .) . }}" 
@@ -329,7 +366,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -377,12 +414,9 @@ spec: - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_OBSERVABILITY_PARENT_SERVICE value: "hookhandler" @@ -391,7 +425,7 @@ spec: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -400,7 +434,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
@@ -434,13 +468,14 @@ spec: - name: hookhandler image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "hookHandler" ) }} imagePullPolicy: {{ .Values.pipelines.hookHandler.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/hookHandler env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -598,4 +633,10 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} diff --git a/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml b/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml index 925a5c4fd..6287d4be1 100644 --- a/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml 
@@ -12,6 +12,9 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} {{- include "pipelines.common.labels" . | nindent 4 }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} spec: serviceName: {{ include "pipelines.internalapi.name" . }} {{- if not .Values.pipelines.internalapi.autoscaling.enabled }} @@ -51,6 +54,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} @@ -70,11 +76,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: 
@@ -91,7 +95,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -108,11 +112,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -126,6 +136,7 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} @@ -147,11 +158,15 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} {{- if .Values.vault.enabled }} {{- if .Values.waitForDatabase }} - name: wait-for-db image: {{ include "vault.getImageInfoByValue" (list . "postgresql" ) }} imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: 
@@ -171,13 +186,11 @@ spec: {{- end }} {{- if and .Values.vault.enabled (.Values.access.shouldReadFromVault) (not .Values.access.shouldJustUpdateAccess) }} - name: wait-for-vault - image: "{{ .Values.initContainer.image }}" - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} {{- if not .Values.vault.enabled }} @@ -219,9 +232,32 @@ spec: done; {{- end }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -229,6 +265,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -264,7 +301,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -275,7 +312,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -290,17 +327,13 @@ spec: export PIP_METRIC_FILE_PREFIX="internalapi-pipelines-installer"; {{- if .Values.rabbitmq.enabled }} echo "Waiting for RabbitMQ to come up..."; - until nc -z -w 2 {{ .Release.Name }}-rabbitmq {{ .Values.rabbitmq.service.port }} && echo rabbitmq ok; do + until nc -z -w 2 {{ .Release.Name }}-rabbitmq {{ .Values.rabbitmq.service.ports.amqp }} && echo rabbitmq ok; do sleep 1; done; {{- end }} {{- if .Values.redis.enabled }} echo "Waiting for Redis to come up..."; - {{- if .Values.redis.fullnameOverride }} - until nc -z -w 2 {{ .Values.redis.fullnameOverride }}-master {{ .Values.redis.redisPort }} && echo redis ok; do - {{- else }} - until nc -z -w 2 {{ .Release.Name }}-redis-master {{ .Values.redis.redisPort }} && echo redis ok; do - {{- end }} + until nc -z -w 2 {{ template "pipelines.redisServiceName" . }} {{ .Values.redis.redisPort }} && echo redis ok; do sleep 1; done; {{- end }} 
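Review bot: The redis readiness loop now resolves its host through `pipelines.redisServiceName`, which replaces the old `fullnameOverride` branching, but the rabbitmq loop on the line above still hard-codes `{{ .Release.Name }}-rabbitmq`, so a renamed rabbitmq release would make the installer wait forever on a host that does not exist. A parallel `pipelines.rabbitmqServiceName` helper written like the redis one would close that gap; the same line appears in the pipelines statefulset hunk later in this commit. The shell block continues outside the hunk.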
@@ -314,7 +347,9 @@ spec: mkdir -p {{ .Values.pipelines.mountPath }}/security; echo -n ${PIPELINES_JOIN_KEY} > {{ .Values.pipelines.mountPath }}/security/join.key; {{- end }} + set -e; ./pipelines-k8s; + set +e; {{ include "pipelines.addMetrics" . | nindent 12 }} {{ include "pipelines.changeOwnershipMetrics" . | nindent 12 }} volumeMounts: @@ -325,7 +360,7 @@ spec: - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.aws.existingSecret }} - name: buildplane-creds-aws {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -337,7 +372,7 @@ spec: readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.k8s.existingSecret }} - name: buildplane-creds-k8s {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -360,11 +395,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" 
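Review bot: `set -e` is switched on only around `./pipelines-k8s`, so the `echo -n ${PIPELINES_JOIN_KEY} > {{ .Values.pipelines.mountPath }}/security/join.key` write just above still runs unchecked; if that redirect fails — for example a wrongly owned mount path once the `change-ownership` init container is skipped under `podSecurityContext.enabled` — the installer starts without a key file and the failure surfaces later and less clearly. Moving `set -e;` above the `mkdir -p` line, or appending `|| exit 1` to the redirect, would fail the init container at the real cause; the same pattern is in the pipelines statefulset hunk later in this commit. The shell script starts before this hunk.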
@@ -382,12 +415,12 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "pipelines.internalapi.router.requiredServiceTypes" . }} {{- if not .Values.router.routerConfiguration }} - name: JF_SHARED_JFROGURL value: "{{ tpl (include "pipelines.jfrogUrl" .) . }}" @@ -412,7 +445,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
@@ -460,17 +493,14 @@ spec: - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -479,7 +509,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -513,12 +543,13 @@ spec: - name: internalapi image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "api" ) }} imagePullPolicy: {{ .Values.pipelines.api.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: PIPELINES_NODE_ID 
@@ -699,4 +730,9 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} diff --git a/stable/pipelines/templates/pipelines-statefulset.yaml b/stable/pipelines/templates/pipelines-statefulset.yaml index a11dcd2e1..e8ad61563 100644 --- a/stable/pipelines/templates/pipelines-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-statefulset.yaml @@ -8,6 +8,9 @@ metadata: {{- with .Values.pipelines.labels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} {{- with .Values.pipelines.statefulset.annotations }} annotations: {{ toYaml . | indent 4 }} @@ -51,6 +54,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} 
@@ -70,11 +76,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -91,7 +95,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -108,11 +112,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -126,6 +136,7 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 
@@ -147,11 +158,15 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} {{- if .Values.vault.enabled }} {{- if .Values.waitForDatabase }} - name: wait-for-db image: {{ include "vault.getImageInfoByValue" (list . "postgresql" ) }} imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -171,6 +186,9 @@ spec: - name: create-vault-table image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} env: @@ -203,7 +221,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -219,13 +237,11 @@ spec: {{- end }} {{- if and .Values.vault.enabled (.Values.access.shouldReadFromVault) (not .Values.access.shouldJustUpdateAccess) }} - name: wait-for-vault - image: "{{ .Values.initContainer.image }}" - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} {{- if not .Values.vault.enabled }} @@ -267,9 +283,32 @@ spec: done; {{- end }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: 
@@ -277,6 +316,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -312,7 +352,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -323,7 +363,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -338,17 +378,13 @@ spec: export PIP_METRIC_FILE_PREFIX="services-pipelines-installer"; {{- if .Values.rabbitmq.enabled }} echo "Waiting for RabbitMQ to come up..."; - until nc -z -w 2 {{ .Release.Name }}-rabbitmq {{ .Values.rabbitmq.service.port }} && echo rabbitmq ok; do + until nc -z -w 2 {{ .Release.Name }}-rabbitmq {{ .Values.rabbitmq.service.ports.amqp }} && echo rabbitmq ok; do sleep 1; done; {{- end }} {{- if .Values.redis.enabled }} echo "Waiting for Redis to come up..."; - {{- if .Values.redis.fullnameOverride }} - until nc -z -w 2 {{ .Values.redis.fullnameOverride }}-master {{ .Values.redis.redisPort }} && echo redis ok; do - {{- else }} - until nc -z -w 2 {{ .Release.Name }}-redis-master {{ .Values.redis.redisPort }} && echo redis ok; do - {{- end }} + until nc -z -w 2 {{ template "pipelines.redisServiceName" . }} {{ .Values.redis.redisPort }} && echo redis ok; do sleep 1; done; {{- end }} 
@@ -362,7 +398,9 @@ spec: mkdir -p {{ .Values.pipelines.mountPath }}/security; echo -n ${PIPELINES_JOIN_KEY} > {{ .Values.pipelines.mountPath }}/security/join.key; {{- end }} + set -e; ./pipelines-k8s; + set +e; {{ include "pipelines.addMetrics" . | nindent 12 }} {{ include "pipelines.changeOwnershipMetrics" . | nindent 12 }} volumeMounts: @@ -408,11 +446,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" @@ -430,11 +466,9 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES value: {{ include "pipelines.router.requiredServiceTypes" . }} @@ -462,7 +496,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
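Review bot: `set -e; ./pipelines-k8s; set +e;` makes the installer's failure semantics depend on the two toggles staying adjacent; a later edit that inserts a command between them silently widens what aborts the script. For a single guarded step, `./pipelines-k8s || exit $?;` gives the same abort-on-failure behaviour with the same exit status and leaves no errexit state to manage. The installer script this sits in starts and ends outside the hunk.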
@@ -510,17 +544,14 @@ spec: - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -529,7 +560,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -563,12 +594,13 @@ spec: - name: api image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "api" ) }} imagePullPolicy: {{ .Values.pipelines.api.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: 
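Review bot: The new `{{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}}` line ends with a trailing trim here (api) and in the www, nodepoolservice, runservice, stepservice, analyticsservice, cron and extensionsync hunks, but the logservice, pipelinesync, hookhandler, reqsealer, templatesync and steptrigger-stepservice copies use `| indent 12 }}` without it. Both forms appear to render (the untrimmed one leaves a whitespace-only line before the next `- name:`), but the mixed usage makes the rendered env list differ per container and invites copy-paste mistakes; pick one form and use it at every site. The `{{ end }}` on the following line is likewise untrimmed everywhere, unlike the `{{- end }}` lines around it.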
@@ -619,16 +651,17 @@ spec: - name: www image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "www" ) }} imagePullPolicy: {{ .Values.pipelines.www.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -667,11 +700,9 @@ spec: - name: frontend image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "frontend" ) }} imagePullPolicy: {{ .Values.pipelines.frontend.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS 
@@ -713,12 +744,13 @@ spec: - name: nodepoolservice image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "nodepoolservice" ) }} imagePullPolicy: {{ .Values.pipelines.nodepoolservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -757,12 +789,13 @@ spec: - name: runservice image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "runservice" ) }} imagePullPolicy: {{ .Values.pipelines.runservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" 
@@ -797,16 +830,17 @@ spec: - name: logservice image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "logservice" ) }} imagePullPolicy: {{ .Values.pipelines.logservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -835,12 +869,13 @@ spec: - name: stepservice image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "stepservice" ) }} imagePullPolicy: {{ .Values.pipelines.stepservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" 
@@ -868,17 +903,58 @@ spec: mountPath: {{ .Values.pipelines.logPath }} {{- with .Values.pipelines.customVolumeMounts }} {{ tpl . $ | nindent 10 }} +{{- end }} +{{- if .Values.pipelines.analyticsservice.enabled }} + - name: analyticsservice + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "analyticsservice" ) }} + imagePullPolicy: {{ .Values.pipelines.analyticsservice.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: NODE_EXTRA_CA_CERTS + value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" + {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} + - name: PIPELINES_NODE_ID + valueFrom: + fieldRef: + fieldPath: "metadata.name" +{{- if .Values.pipelines.extraEnvironmentVariables }} +{{- with .Values.pipelines.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} +{{- end }} +{{- if .Values.pipelines.analyticsservice.extraEnvironmentVariables }} +{{- with .Values.pipelines.analyticsservice.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} +{{- end }} + resources: + {{- toYaml .Values.pipelines.analyticsservice.resources | nindent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: jfrog-pipelines-logs + mountPath: {{ .Values.pipelines.logPath }} +{{- with .Values.pipelines.customVolumeMounts }} +{{ tpl . $ | nindent 10 }} +{{- end }} {{- end }} - name: pipelinesync image: {{ include "pipelines.getImageInfoByValue" (list . 
"pipelines" "pipelineSync" ) }} imagePullPolicy: {{ .Values.pipelines.pipelineSync.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/pipelineSync env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: pipelinesync - name: PIPELINES_NODE_ID @@ -909,15 +985,16 @@ spec: - name: cron image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "cron" ) }} imagePullPolicy: {{ .Values.pipelines.cron.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/cron env: - name: COMPONENT value: cron + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: 
@@ -943,55 +1020,17 @@ spec: mountPath: {{ .Values.pipelines.mountPath }} - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} - {{- if .Values.pipelines.nexec.enabled }} - - name: nexec - image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "nexec" ) }} - imagePullPolicy: {{ .Values.pipelines.nexec.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - workingDir: /opt/jfrog/pipelines/app/micro/nexec - env: - - name: COMPONENT - value: nexec - - name: PIPELINES_NODE_ID - valueFrom: - fieldRef: - fieldPath: "metadata.name" - {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - - name: NODE_EXTRA_CA_CERTS - value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" - {{- end }} -{{- if .Values.pipelines.extraEnvironmentVariables }} -{{- with .Values.pipelines.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 12 }} -{{- end }} -{{- end }} -{{- if .Values.pipelines.nexec.extraEnvironmentVariables }} -{{- with .Values.pipelines.nexec.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 12 }} -{{- end }} -{{- end }} - resources: - {{- toYaml .Values.pipelines.nexec.resources | nindent 12 }} - volumeMounts: - - name: jfrog-pipelines-folder - mountPath: {{ .Values.pipelines.mountPath }} - - name: jfrog-pipelines-logs - mountPath: {{ .Values.pipelines.logPath }} - {{- end }} - name: hookhandler image: {{ include "pipelines.getImageInfoByValue" (list . 
"pipelines" "hookHandler" ) }} imagePullPolicy: {{ .Values.pipelines.hookHandler.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/hookHandler env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: hookhandler - name: PIPELINES_NODE_ID @@ -1022,15 +1061,16 @@ spec: - name: extensionsync image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "extensionSync" ) }} imagePullPolicy: {{ .Values.pipelines.extensionSync.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/extensionSync env: - name: COMPONENT value: extensionsync + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: 
@@ -1059,13 +1099,14 @@ spec: - name: reqsealer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "reqSealer" ) }} imagePullPolicy: {{ .Values.pipelines.reqSealer.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/reqSealer env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: reqsealer - name: PIPELINES_NODE_ID @@ -1096,13 +1137,14 @@ spec: - name: templatesync image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "templateSync" ) }} imagePullPolicy: {{ .Values.pipelines.templateSync.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/templateSync env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: templatesync - name: PIPELINES_NODE_ID @@ -1197,6 +1239,12 @@ spec: secretName: {{ .Values.buildPlane.dynamic.provider.k8s.existingSecret }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} + ######### unifiedSecretInstallation ########### {{- if and .Values.pipelines.unifiedSecretInstallation (eq (include "pipelines.checkDuplicateUnifiedCustomVolume" .) "false" ) }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
diff --git a/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml b/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml index 676ecbc6b..ccdcf6eb0 100644 --- a/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml @@ -12,6 +12,9 @@ metadata: {{- with .Values.pipelines.labels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} spec: serviceName: {{ include "pipelines.services.name" . }}-headless replicas: {{ .Values.pipelines.stepservice.replicaCount }} @@ -45,6 +48,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} 
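Review bot: The `required … .Values.databaseUpgradeReady` guard only stops the upgrade when the value is unset or an empty string, because Helm's `required` rejects nil and `""` only; a user who sets `databaseUpgradeReady: false` passes the check and the label renders as `"false"`, so the data-loss guard is bypassed by the one value that reads as a refusal. Gating on the content instead, e.g. `{{- if and .Release.IsUpgrade .Values.postgresql.enabled (ne (toString .Values.databaseUpgradeReady) "true") }}{{ fail "<the existing message>" }}{{- end }}`, holds for anything other than `true`. The placement under the labels block is inferred from the context lines; if it is a label, the rendered value must also stay within label syntax, which `"true"` does. The same guard is added to the sync statefulset further down in this diff.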
@@ -62,8 +68,11 @@ spec: {{ tpl (include "pipelines.stepservice.customInitContainersBegin" .) . | indent 8 }} {{- end }} - name: wait-for-pipelines-internalapi - image: '{{ .Values.initContainer.image }}' - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -77,11 +86,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -98,7 +105,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -115,11 +122,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -133,6 +146,27 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 
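Review bot: The `{{- else }}` fallback for copy-custom-certificates now adds `CHOWN` to the container's capabilities, a privilege the previous hard-coded context did not grant, and nothing in the hunk records why; a one-line comment above `add:` such as `# CHOWN: needed because <reason the copy script changes ownership on the shared volume>` (filled in with the actual reason) would give the next audit the justification. Wrapping `change-ownership` in `{{- if not .Values.podSecurityContext.enabled }}` presumably assumes the pod-level context (fsGroup) takes over volume ownership; if so, a comment stating that dependency would help, since a podSecurityContext without fsGroup would leave the volume unowned by the app user. The `{{- end }}` closing this condition lies in the next hunk, and both changes are repeated in the sync statefulset hunks further down.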
@@ -154,9 +188,13 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -164,6 +202,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -199,7 +238,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -210,7 +249,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -238,7 +277,7 @@ spec: - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.aws.existingSecret }} - name: buildplane-creds-aws {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -250,7 +289,7 @@ spec: readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.k8s.existingSecret }} - name: buildplane-creds-k8s {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -273,11 +312,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" @@ -295,12 +332,12 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "pipelines.stepservice.router.requiredServiceTypes" . }} {{- if not .Values.router.routerConfiguration }} - name: JF_SHARED_JFROGURL value: "{{ tpl (include "pipelines.jfrogUrl" .) . }}" 
@@ -325,7 +362,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
@@ -370,52 +407,12 @@ spec: readinessProbe: {{ tpl .Values.pipelines.router.readinessProbe.config . | indent 12 }} {{- end }} - - name: stepservice - image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "stepservice" ) }} - imagePullPolicy: {{ .Values.pipelines.stepservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - env: - {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - - name: NODE_EXTRA_CA_CERTS - value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" - {{- end }} - - name: PIPELINES_NODE_ID - valueFrom: - fieldRef: - fieldPath: "metadata.name" -{{- if .Values.pipelines.extraEnvironmentVariables }} -{{- with .Values.pipelines.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 12 }} -{{- end }} -{{- end }} -{{- if .Values.pipelines.stepservice.extraEnvironmentVariables }} -{{- with .Values.pipelines.stepservice.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 12 }} -{{- end }} -{{- end }} - resources: - {{- toYaml .Values.pipelines.stepservice.resources | nindent 12 }} - volumeMounts: - - name: jfrog-pipelines-folder - mountPath: {{ .Values.pipelines.mountPath }} - - name: jfrog-pipelines-logs - mountPath: {{ .Values.pipelines.logPath }} -{{- with .Values.pipelines.customVolumeMounts }} -{{ tpl . $ | nindent 10 }} -{{- end }} - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_OBSERVABILITY_PARENT_SERVICE value: "stepservice" 
@@ -424,7 +421,7 @@ spec: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -433,7 +430,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
@@ -464,6 +461,48 @@ spec: livenessProbe: {{ tpl .Values.pipelines.observability.livenessProbe.config . | indent 12 }} {{- end }} + - name: stepservice + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "stepservice" ) }} + imagePullPolicy: {{ .Values.pipelines.stepservice.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} + - name: PIPELINES_INTERNAL_API + value: "true" + - name: COMPONENT + value: stepservice + - name: PIPELINES_NODE_ID + valueFrom: + fieldRef: + fieldPath: "metadata.name" + {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: NODE_EXTRA_CA_CERTS + value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" + {{- end }} +{{- if .Values.pipelines.extraEnvironmentVariables }} +{{- with .Values.pipelines.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} +{{- end }} +{{- if .Values.pipelines.stepservice.extraEnvironmentVariables }} +{{- with .Values.pipelines.stepservice.extraEnvironmentVariables }} +{{ tpl (toYaml .) $ | indent 12 }} +{{- end }} +{{- end }} + resources: + {{- toYaml .Values.pipelines.stepservice.resources | nindent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: jfrog-pipelines-logs + mountPath: {{ .Values.pipelines.logPath }} + {{- if or .Values.pipelines.stepservice.customSidecarContainers .Values.global.customSidecarContainers }} +{{ tpl (include "pipelines.stepservice.customSidecarContainers" .) . | nindent 8 }} + {{- end }} {{- if or .Values.pipelines.nodeSelector .Values.global.nodeSelector }} {{ tpl (include "pipelines.nodeSelector" .) . | indent 6 }} {{- end }} 
@@ -589,4 +628,10 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} \ No newline at end of file diff --git a/stable/pipelines/templates/pipelines-sync-statefulset.yaml b/stable/pipelines/templates/pipelines-sync-statefulset.yaml index a80d00ca6..57e13bfcc 100644 --- a/stable/pipelines/templates/pipelines-sync-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-sync-statefulset.yaml @@ -12,6 +12,9 @@ metadata: {{- with .Values.pipelines.labels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} spec: serviceName: {{ include "pipelines.services.name" . }}-headless {{- if not .Values.pipelines.pipelineSync.autoscaling.enabled }} 
@@ -47,6 +50,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} @@ -64,8 +70,11 @@ spec: {{ tpl (include "pipelines.sync.customInitContainersBegin" .) . | indent 8 }} {{- end }} - name: wait-for-pipelines-internalapi - image: '{{ .Values.initContainer.image }}' - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -79,11 +88,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: 
@@ -100,7 +107,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -117,11 +124,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -135,6 +148,27 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 
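Review bot: The `rabbitmq-ca-certs` mount in the new `copy-rabbitmq-certs` init container is a Secret the container only reads from, yet the mount is not marked read-only; add `readOnly: true` under `mountPath: "/tmp/rabbitmqcerts"`. The block is closed with `{{ end }}` with no whitespace trim, unlike every other directive in the file, so the rendered manifest carries a stray indented blank line; `{{- end }}` matches the rest. In the preceding hunk the `copy-custom-certificates` fallback branch now adds `CHOWN`, while the default `containerSecurityContext` drops `ALL`, so if the copy script still chowns files it would presumably fail under the defaults; worth confirming with a render at `containerSecurityContext.enabled=true`. The same three points apply to the matching hunks in pipelines-trigger-statefulset.yaml.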
@@ -156,9 +190,13 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -166,6 +204,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -201,7 +240,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -212,7 +251,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -240,7 +279,7 @@ spec: - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.aws.existingSecret }} - name: buildplane-creds-aws {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
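Review bot: The secret-source predicate `or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName` (and its join-key and build-plane twins) is now spelled out inline at every `secretKeyRef` and volume in this file and in pipelines-trigger-statefulset.yaml, so a future change to the rule has to be repeated in a dozen places; a named helper returning the secret name would centralise it. The logic itself reads correctly: an explicitly supplied secret name wins even when the unified secret is in use. The `{{- end }}` added in the second hunk closes the `{{- if not .Values.podSecurityContext.enabled }}` opened around `change-ownership` in the previous hunk, which starts outside this one.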
@@ -252,7 +291,7 @@ spec: readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.k8s.existingSecret }} - name: buildplane-creds-k8s {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -275,11 +314,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" @@ -297,14 +334,12 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: -# - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES -# value: {{ include "pipelines.router.requiredServiceTypes" . }} + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "pipelines.sync.router.requiredServiceTypes" . }} {{- if not .Values.router.routerConfiguration }} - name: JF_SHARED_JFROGURL value: "{{ tpl (include "pipelines.jfrogUrl" .) . }}" 
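Review bot: The new `JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES` value is emitted unquoted from a template include, while the sibling `JF_SHARED_JFROGURL` value just below is quoted; if the helper ever returns something that YAML reads as non-string (a `: `, a leading indicator or a comma list in flow position) the manifest breaks, so `value: {{ include "pipelines.sync.router.requiredServiceTypes" . | quote }}` is the safer form. The same applies to the trigger statefulset's `pipelines.trigger.router.requiredServiceTypes` line. The router and filebeat `securityContext` replacements in this line have the same opt-out regression noted on the copy-system-yaml hunk.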
@@ -331,7 +366,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -379,12 +414,9 @@ spec: - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_OBSERVABILITY_PARENT_SERVICE value: "sync" @@ -393,7 +425,7 @@ spec: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -402,7 +434,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
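Review bot: The `observability` container loses its explicit `runAsNonRoot: false` exception in this hunk, so under the new defaults (`podSecurityContext.runAsNonRoot: true`, `runAsUser: 1066`) it now runs unprivileged like every other container. That is the right direction, but it is a runtime behaviour change rather than a refactor: if the observability image still expects root it will fail at start-up, so the change deserves a CHANGELOG entry and, ideally, a one-line comment such as `# runs as podSecurityContext.runAsUser; root exception removed` above the container. The same removal appears in pipelines-trigger-statefulset.yaml.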
@@ -436,13 +468,14 @@ spec: - name: pipelinesync image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelineSync" ) }} imagePullPolicy: {{ .Values.pipelines.pipelineSync.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/pipelineSync env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -475,17 +508,18 @@ spec: - name: extensionsync image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "extensionSync" ) }} imagePullPolicy: {{ .Values.pipelines.extensionSync.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/extensionSync env: - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT value: extensionsync + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: 
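Review bot: The `rabbitmqTlsEnvVariables` include is spliced into the `env:` list with `{{- include ... | indent 12 }}` followed by an untrimmed `{{ end }}`, which only renders a valid list if the helper's output happens to begin with a newline (the leading `{{-` has already eaten the line break after `env:`); `{{- include "pipelines.rabbitmqTlsEnvVariables" . | nindent 12 }}` followed by `{{- end }}` does not depend on that. The same splice is written three different ways across the commit (`indent 12 }}` here and in extensionsync/templatesync, `indent 12 -}}` for nodepoolservice and analyticsservice in the trigger statefulset), and the block is placed before `PIPELINES_INTERNAL_API` in one container and after `COMPONENT` in the next; one form and one position would make the rendered env lists comparable between pods.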
@@ -514,17 +548,18 @@ spec: - name: templatesync image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "templateSync" ) }} imagePullPolicy: {{ .Values.pipelines.templateSync.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/templateSync env: - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT value: templatesync + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -678,4 +713,9 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} diff --git a/stable/pipelines/templates/pipelines-trigger-statefulset.yaml b/stable/pipelines/templates/pipelines-trigger-statefulset.yaml index 347224ec7..f02e18109 100644 --- a/stable/pipelines/templates/pipelines-trigger-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-trigger-statefulset.yaml 
@@ -12,6 +12,9 @@ metadata: {{- with .Values.pipelines.labels }} {{ toYaml . | indent 4 }} {{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/pipelines/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version that has postgresql.image.tag of 9.x or 10.x or 12.x or 13.x, make sure to set the same postgres image version (postgresql.image.tag) and databaseUpgradeReady to true in your custom values yaml file. This is to prevent major version upgrades in postgresql resulting in data corruption.\n" .Values.databaseUpgradeReady | quote }} +{{- end }} spec: serviceName: {{ include "pipelines.services.name" . }}-headless {{- if not .Values.pipelines.runservice.autoscaling.enabled }} @@ -47,6 +50,9 @@ spec: {{- if .Values.pipelines.schedulerName }} schedulerName: {{ .Values.pipelines.schedulerName | quote }} {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} {{- if .Values.pipelines.priorityClass.existingPriorityClass }} priorityClassName: {{ .Values.pipelines.priorityClass.existingPriorityClass }} {{- else -}} 
@@ -64,8 +70,11 @@ spec: {{ tpl (include "pipelines.trigger.customInitContainersBegin" .) . | indent 8 }} {{- end }} - name: wait-for-pipelines-internalapi - image: '{{ .Values.initContainer.image }}' - imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} + imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -79,11 +88,9 @@ spec: - name: copy-system-yaml image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -100,7 +107,7 @@ spec: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} {{- if or .Values.systemYamlOverride.existingSecret .Values.pipelines.systemYaml }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -117,11 +124,17 @@ spec: - name: copy-custom-certificates image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: + add: + - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.initContainers.resources | nindent 12 }} command: @@ -135,6 +148,27 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} + {{- if not .Values.podSecurityContext.enabled }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 
@@ -156,9 +190,13 @@ spec: volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} + {{- end }} - name: pipelines-installer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }} imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- else }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -166,6 +204,7 @@ spec: - CHOWN drop: - NET_RAW + {{- end }} resources: {{ toYaml .Values.pipelineInstallerInitContainer.resources | nindent 12 }} env: @@ -201,7 +240,7 @@ spec: - name: PIPELINES_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -212,7 +251,7 @@ spec: - name: PIPELINES_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -240,7 +279,7 @@ spec: - name: jfrog-pipelines-logs mountPath: {{ .Values.pipelines.logPath }} {{- if .Values.buildPlane.dynamic.provider.aws.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.aws.existingSecret }} - name: buildplane-creds-aws {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} 
@@ -252,7 +291,7 @@ spec: readOnly: true {{- end }} {{- if .Values.buildPlane.dynamic.provider.k8s.enabled }} - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.buildPlane.dynamic.provider.k8s.existingSecret }} - name: buildplane-creds-k8s {{- else }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} @@ -275,11 +314,9 @@ spec: - name: {{ .Values.filebeat.name }} image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} args: - "-e" - "-E" @@ -297,12 +334,12 @@ spec: - name: router image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "router" ) }} imagePullPolicy: {{ .Values.pipelines.router.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "pipelines.trigger.router.requiredServiceTypes" . }} {{- if not .Values.router.routerConfiguration }} - name: JF_SHARED_JFROGURL value: "{{ tpl (include "pipelines.jfrogUrl" .) . }}" 
@@ -327,7 +364,7 @@ spec: {{- if or .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -376,12 +413,9 @@ spec: - name: observability image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "observability" ) }} imagePullPolicy: {{ .Values.pipelines.observability.image.pullPolicy }} - securityContext: - runAsNonRoot: false - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - name: JF_OBSERVABILITY_PARENT_SERVICE value: "trigger" @@ -390,7 +424,7 @@ spec: - name: JF_SHARED_SECURITY_MASTERKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.masterKeySecretName .Values.global.masterKeySecretName }} name: "{{ include "pipelines.masterKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" @@ -399,7 +433,7 @@ spec: - name: JF_SHARED_SECURITY_JOINKEY valueFrom: secretKeyRef: - {{- if not .Values.pipelines.unifiedSecretInstallation }} + {{- if or (not .Values.pipelines.unifiedSecretInstallation) .Values.pipelines.joinKeySecretName .Values.global.joinKeySecretName }} name: "{{ include "pipelines.joinKeySecretName" . }}" {{- else }} name: "{{ template "pipelines.name" . }}-unified-secret" 
@@ -433,12 +467,13 @@ spec: - name: nodepoolservice image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "nodepoolservice" ) }} imagePullPolicy: {{ .Values.pipelines.nodepoolservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -477,12 +512,13 @@ spec: - name: runservice image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "runservice" ) }} imagePullPolicy: {{ .Values.pipelines.runservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" 
@@ -512,16 +548,17 @@ spec: {{ tpl . $ | nindent 10 }} {{- end }} {{- end }} -{{- if .Values.pipelines.logservice.enabled }} - - name: logservice - image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "logservice" ) }} - imagePullPolicy: {{ .Values.pipelines.logservice.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW +{{- if .Values.pipelines.analyticsservice.enabled }} + - name: analyticsservice + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "analyticsservice" ) }} + imagePullPolicy: {{ .Values.pipelines.analyticsservice.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -535,13 +572,13 @@ spec: {{ tpl (toYaml .) $ | indent 12 }} {{- end }} {{- end }} -{{- if .Values.pipelines.logservice.extraEnvironmentVariables }} -{{- with .Values.pipelines.logservice.extraEnvironmentVariables }} +{{- if .Values.pipelines.analyticsservice.extraEnvironmentVariables }} +{{- with .Values.pipelines.analyticsservice.extraEnvironmentVariables }} {{ tpl (toYaml .) $ | indent 12 }} {{- end }} {{- end }} resources: - {{- toYaml .Values.pipelines.logservice.resources | nindent 12 }} + {{- toYaml .Values.pipelines.analyticsservice.resources | nindent 12 }} volumeMounts: - name: jfrog-pipelines-folder mountPath: {{ .Values.pipelines.mountPath }} 
@@ -551,57 +588,57 @@ spec: {{ tpl . $ | nindent 10 }} {{- end }} {{- end }} - {{- if .Values.pipelines.nexec.enabled }} - - name: nexec - image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "nexec" ) }} - imagePullPolicy: {{ .Values.pipelines.nexec.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW - workingDir: /opt/jfrog/pipelines/app/micro/nexec +{{- if .Values.pipelines.logservice.enabled }} + - name: logservice + image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "logservice" ) }} + imagePullPolicy: {{ .Values.pipelines.logservice.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} env: - - name: PIPELINES_INTERNAL_API - value: "true" - - name: COMPONENT - value: nexec - - name: PIPELINES_NODE_ID - valueFrom: - fieldRef: - fieldPath: "metadata.name" + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" {{- end }} + - name: PIPELINES_NODE_ID + valueFrom: + fieldRef: + fieldPath: "metadata.name" {{- if .Values.pipelines.extraEnvironmentVariables }} {{- with .Values.pipelines.extraEnvironmentVariables }} {{ tpl (toYaml .) $ | indent 12 }} {{- end }} {{- end }} -{{- if .Values.pipelines.nexec.extraEnvironmentVariables }} -{{- with .Values.pipelines.nexec.extraEnvironmentVariables }} +{{- if .Values.pipelines.logservice.extraEnvironmentVariables }} +{{- with .Values.pipelines.logservice.extraEnvironmentVariables }} {{ tpl (toYaml .) 
$ | indent 12 }} {{- end }} {{- end }} resources: - {{- toYaml .Values.pipelines.nexec.resources | nindent 12 }} + {{- toYaml .Values.pipelines.logservice.resources | nindent 12 }} volumeMounts: - - name: jfrog-pipelines-folder - mountPath: {{ .Values.pipelines.mountPath }} - - name: jfrog-pipelines-logs - mountPath: {{ .Values.pipelines.logPath }} - {{- end }} + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: jfrog-pipelines-logs + mountPath: {{ .Values.pipelines.logPath }} +{{- with .Values.pipelines.customVolumeMounts }} +{{ tpl . $ | nindent 10 }} +{{- end }} +{{- end }} - name: reqsealer image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "reqSealer" ) }} imagePullPolicy: {{ .Values.pipelines.reqSealer.image.pullPolicy }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - NET_RAW + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} workingDir: /opt/jfrog/pipelines/app/micro/reqSealer env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -759,4 +796,9 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} diff --git a/stable/pipelines/templates/pipelines-unified-secret.yaml b/stable/pipelines/templates/pipelines-unified-secret.yaml index b688dce7a..b382824d2 100644 --- a/stable/pipelines/templates/pipelines-unified-secret.yaml +++ b/stable/pipelines/templates/pipelines-unified-secret.yaml 
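Review bot: Dropping the `nexec` container is a user-visible change that this hunk makes silently: it was gated by `pipelines.nexec.enabled`, so a user who had it enabled now gets no container and no error if the `pipelines.nexec` keys still exist in values.yaml. Either remove those keys or add a guard such as `{{- if .Values.pipelines.nexec.enabled }}{{ fail "pipelines.nexec has been removed" }}{{- end }}`, and record the removal together with the new `analyticsservice` container from the previous hunk in CHANGELOG.md. The rewritten `logservice` block also gains `customVolumeMounts`, which is a reasonable addition but is likewise undocumented. The closing directive of the volumes hunk on this line is `{{- end}}`, missing the space used everywhere else.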
@@ -11,7 +11,7 @@ metadata: type: Opaque stringData: -{{- if not .Values.systemYamlOverride.existingSecret }} +{{- if and (not .Values.systemYamlOverride.existingSecret) .Values.pipelines.systemYaml }} system.yaml: | {{ tpl .Values.pipelines.systemYaml . | indent 4 }} {{- end}} diff --git a/stable/pipelines/values.yaml b/stable/pipelines/values.yaml index b33c6ef48..0d08e459e 100644 --- a/stable/pipelines/values.yaml +++ b/stable/pipelines/values.yaml @@ -68,7 +68,7 @@ global: ## Common initContainer: - image: "releases-docker.jfrog.io/alpine:3.14.2" + image: "releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.691" pullPolicy: IfNotPresent # Init containers 
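Review bot: `initContainer.image` remains a bare `registry/repo:tag` string while the same commit moves `wait-for-pipelines-internalapi` onto `pipelines.getImageInfoByValue`, so the remaining init containers (copy-system-yaml, copy-custom-certificates, copy-rabbitmq-certs, change-ownership) presumably bypass whatever registry override that helper applies; giving `initContainer` the same `image` map shape as `pipelines.pipelinesInit` would keep private-registry handling uniform. A tag-only reference also lets the image change underneath the chart; a digest pin, e.g. `image: "releases-docker.jfrog.io/ubi9/ubi-minimal@sha256:<digest-placeholder>"`, makes the base image verifiable. The unified-secret hunk above now also requires `pipelines.systemYaml` before emitting `system.yaml`, which is consistent with the new `systemyaml` volume selection in the statefulsets.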
@@ -131,11 +131,41 @@ systemYamlOverride: ## String to fully override pipelines.fullname template # fullnameOverride: -## Set user/group to run Pipelines components with -securityContext: +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## @param artifactory.podSecurityContext.enabled Enable security context +## @param artifactory.podSecurityContext.runAsNonRoot Set pod's Security Context runAsNonRoot +## @param artifactory.podSecurityContext.runAsUser User ID for the pod +## @param artifactory.podSecurityContext.runASGroup Group ID for the pod +## @param artifactory.podSecurityContext.fsGroup Group ID for the pod +## +podSecurityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1066 + runAsGroup: 1066 + fsGroup: 1066 + # fsGroupChangePolicy: "Always" + # seLinuxOptions: {} + +## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param containerSecurityContext.enabled Enabled containers' Security Context + ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param containerSecurityContext.privileged Set container's Security Context privileged + ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## +containerSecurityContext: enabled: true - uid: 1030 - gid: 1030 + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL splitServicesToPods: false 
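Review bot: The new `podSecurityContext` doc block documents keys that do not exist in this chart: the `@param` lines carry an `artifactory.` prefix although the keys are top-level here, and `runASGroup` should read `runAsGroup`. `containerSecurityContext.runAsNonRoot` is listed as a parameter but not set in the map below; either add `runAsNonRoot: true` next to `privileged: false` so the container-level context stands on its own, or drop that `@param`. The `## Container Security Context` comment lines are indented two spaces unlike the pod block above, which yamllint's `comments-indentation` rule will flag. Renaming `securityContext.uid/gid` (1030) to `podSecurityContext.runAsUser/runAsGroup/fsGroup` (1066) is a breaking values change on upgrade, and existing volume data owned by 1030 may only become group-accessible via `fsGroup`, so the rename and any ownership migration step should be called out in CHANGELOG.md.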
@@ -385,7 +415,7 @@ pipelines: command: - sh - -c - - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.pipelines.api.service.port }}/v1/system/liveness + - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://127.0.0.1:{{ .Values.pipelines.api.service.port }}/v1/system/liveness initialDelaySeconds: {{ if semverCompare ".yaml` to `xray-.yaml` +* **Important change:** +* Update postgresql tag version to `15.2.0-debian-11-r23` +* Renamed `common.xrayUserId` to `podSecurityContext.runAsUser` +* Renamed `common.xrayGroupId` to `podSecurityContext.runAsGroup` and `podSecurityContext.fsGroup` +* Renamed `common.fsGroupChangePolicy` to `podSecurityContext.fsGroupChangePolicy` + +## [103.89.0] - Jan 18,2023 +* Remove fallback section from keda. + +## [103.88.0] - Dec 20,2023 +* Added support for migrating rabbitmq to high-availability quorum queues setup + +## [103.87.0] - Dec 7,2023 +* Update minimum supported kubernetes version to 1.19 +* Added recommended t-shirt sizing configurations under sizing folder +* Added support for rabbitmq high-availability quorum queues clean install setup +* Fix the pre-upgrade-hook for rabbitmq migration to support installations on openshift platforms + +## [103.86.0] - Nov 14,2023 +* Fixed - containerSecurityContext on loggers + +## [103.83.0] - Sep 15,2023 * Fixed - Support to configure privateRegistry for pre-upgrade-hook ## [103.80.0] - Jul 16, 2023 @@ -849,4 +903,4 @@ All changes to this chart will be documented in this file. ## [0.4.0] - Aug 22, 2018 * Enabled RBAC support * Added ingress support -* Updated Xray version to 2.2.4 +* Updated Xray version to 2.2.4 \ No newline at end of file diff --git a/stable/xray/Chart.yaml b/stable/xray/Chart.yaml index 80ec93732..408224700 100644 --- a/stable/xray/Chart.yaml +++ b/stable/xray/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.85.6 +appVersion: 3.104.8 dependencies: - condition: postgresql.enabled name: postgresql 
@@ -16,7 +16,7 @@ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/xray/logo/xra keywords: - xray - jfrog -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -24,4 +24,4 @@ name: xray sources: - https://github.com/jfrog/charts type: application -version: 103.85.5 +version: 103.104.8 \ No newline at end of file diff --git a/stable/xray/README.md b/stable/xray/README.md index 99f0e088e..fb953b032 100644 --- a/stable/xray/README.md +++ b/stable/xray/README.md @@ -45,7 +45,14 @@ Provide the join key and JFrog URL as a parameter to the Xray chart installation ```bash helm upgrade --install xray --set xray.joinKey= \ - --set xray.jfrogUrl= --namespace xray jfrog/xray + --set xray.jfrogUrl= jfrog/xray --namespace xray --create-namespace +``` + +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install xray jfrog/xray -f sizing/xray-sizing-small.yaml --namespace xray --create-namespace ``` ## Uninstalling Xray diff --git a/stable/xray/ci/default-values.yaml b/stable/xray/ci/default-values.yaml index 9984d735b..1be1f56ae 100644 --- a/stable/xray/ci/default-values.yaml +++ b/stable/xray/ci/default-values.yaml @@ -3,7 +3,7 @@ unifiedUpgradeAllowed: true databaseUpgradeReady: true xray: - jfrogUrl: http://artifactory.rt:8082 + jfrogUrl: http://rt-artifactory.rt:8082 common: persistence: enabled: false @@ -55,3 +55,34 @@ indexer: limits: memory: "4Gi" cpu: "4" + +sbom: + enabled: true + resources: + requests: + memory: "300Mi" + cpu: "50m" + limits: + memory: "4Gi" + cpu: "3" + +panoramic: + enabled: false + resources: + requests: + memory: "300Mi" + cpu: "50m" + limits: + memory: "4Gi" + cpu: "3" + + +policyenforcer: + enabled: false + resources: + requests: + memory: "300Mi" + cpu: "50m" + limits: + memory: "4Gi" + cpu: "3" \ No newline at end of file 
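Review bot: In the new `sbom`/`panoramic`/`policyenforcer` stanzas of `ci/default-values.yaml`, `policyenforcer:` is preceded by two blank lines where the rest of the file uses one, and the file now ends without a trailing newline (`\ No newline at end of file`); both are nits yamllint's `empty-lines` and `new-line-at-end-of-file` rules would report. The `panoramic` and `policyenforcer` blocks set `enabled: false` yet carry full requests and limits that are inert while disabled; a one-line comment such as `# resources apply only when enabled: true` makes the intent obvious to the next reader.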
diff --git a/stable/xray/ci/global-section-values.yaml b/stable/xray/ci/global-section-values.yaml index 78a5b5b98..072dca5ca 100644 --- a/stable/xray/ci/global-section-values.yaml +++ b/stable/xray/ci/global-section-values.yaml @@ -16,8 +16,8 @@ common: enabled: false customInitContainersBegin: | - name: "custom-init-begin-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -34,8 +34,8 @@ common: mountPath: "/scriptslocal" customInitContainers: | - name: "custom-init-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -45,8 +45,8 @@ common: name: data-volume customSidecarContainers: | - name: "sidecar-list-local" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -65,13 +65,13 @@ common: cpu: "100m" global: - jfrogUrl: http://artifactory.rt:8082 + jfrogUrl: http://rt-artifactory.rt:8082 masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE customInitContainersBegin: | - name: "custom-init-begin-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' 
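Review bot: The rewritten `image:` lines drop the double quotes the old `"{{ .Values.initContainerImage }}"` form had, so the rendered `image: <registry>/<repo>:<tag>` now lands as a plain scalar; that parses as long as the helper output never contains `: ` or ` #`, but quoting it (`image: "{{ include "xray.getImageInfoByValue" (list . "initContainers") }}"`) costs nothing and keeps these snippets consistent with the quoted `name:` directly above, and the same applies to `imagePullPolicy:`. The identical change recurs in the `-34`, `-45` and `-65` hunks here and in the `-88` and `-99` hunks of this file on the next line. Whether `xray.getImageInfoByValue` already quotes its own output cannot be seen from here; if it does, leave the quotes off to avoid doubling them.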
@@ -88,8 +88,8 @@ global: mountPath: "/scriptsglobal" customInitContainers: | - name: "custom-init-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} command: - 'sh' - '-c' @@ -99,8 +99,8 @@ global: name: data-volume customSidecarContainers: | - name: "sidecar-list-global" - image: "{{ .Values.initContainerImage }}" - imagePullPolicy: "{{ .Values.imagePullPolicy }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/stable/xray/ci/test-rabbitmq-haQuorum-values.yaml b/stable/xray/ci/test-rabbitmq-haQuorum-values.yaml new file mode 100644 index 000000000..11de8207c --- /dev/null +++ b/stable/xray/ci/test-rabbitmq-haQuorum-values.yaml @@ -0,0 +1,65 @@ +# CI values for Xray +# If this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade. +unifiedUpgradeAllowed: true +databaseUpgradeReady: true +xray: + jfrogUrl: http://rt-artifactory.rt:8082 +common: + persistence: + enabled: false + +postgresql: + postgresqlPassword: xray + persistence: + enabled: false + +rabbitmq: + replicaCount: 3 + auth: + username: guest + password: password + persistence: + enabled: false + podManagementPolicy: Parallel + +global: + xray: + rabbitmq: + haQuorum: + enabled: true + +server: + resources: + requests: + memory: "300Mi" + cpu: "100m" + limits: + memory: "4Gi" + cpu: "3" + +analysis: + resources: + requests: + memory: "300Mi" + cpu: "50m" + limits: + memory: "4Gi" + cpu: "3" + +persist: + resources: + requests: + memory: "300Mi" + cpu: "50m" + limits: + memory: "4Gi" + cpu: "3" + +indexer: + resources: + requests: + memory: "300Mi" + cpu: "50m" + limits: + memory: "4Gi" + cpu: "4" 
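Review bot: `rabbitmq.auth.username: guest` with `password: password` in the new `test-rabbitmq-haQuorum-values.yaml` is acceptable as a throwaway CI credential, but stock RabbitMQ restricts the `guest` account to loopback connections (`loopback_users.guest`), so whether the Xray pods can actually authenticate with it depends on how the bundled rabbitmq subchart configures that setting — confirm against the subchart rather than this file. A comment on those two lines, `# CI-only placeholder credentials`, would also stop the file being copied as a starting point for a real deployment. `replicaCount: 3` together with `podManagementPolicy: Parallel` is the combination quorum queues need, so that part reads correctly.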
diff --git a/stable/xray/ci/test-rabbitmq-replicaCount-values.yaml b/stable/xray/ci/test-rabbitmq-replicaCount-values.yaml index 0fa0cb2a4..f0a970860 100644 --- a/stable/xray/ci/test-rabbitmq-replicaCount-values.yaml +++ b/stable/xray/ci/test-rabbitmq-replicaCount-values.yaml @@ -3,7 +3,7 @@ unifiedUpgradeAllowed: true databaseUpgradeReady: true xray: - jfrogUrl: http://artifactory.rt:8082 + jfrogUrl: http://rt-artifactory.rt:8082 common: persistence: enabled: false diff --git a/stable/xray/ci/test-values.yaml b/stable/xray/ci/test-values.yaml index eb571a587..c236816d8 100644 --- a/stable/xray/ci/test-values.yaml +++ b/stable/xray/ci/test-values.yaml @@ -3,7 +3,7 @@ unifiedUpgradeAllowed: true databaseUpgradeReady: true xray: - jfrogUrl: http://artifactory.rt:8082 + jfrogUrl: http://rt-artifactory.rt:8082 unifiedSecretInstallation: true openMetrics: enabled: true diff --git a/stable/xray/files/system.yaml b/stable/xray/files/system.yaml new file mode 100644 index 000000000..c11372548 --- /dev/null +++ b/stable/xray/files/system.yaml 
@@ -0,0 +1,85 @@ +configVersion: 1 +router: + serviceRegistry: + insecure: {{ .Values.router.serviceRegistry.insecure }} +shared: +{{- if .Values.xray.openMetrics.enabled }} + metrics: + enabled: true + {{- if .Values.xray.openMetrics.filebeat.enabled }} + filebeat: {{ toYaml .Values.xray.openMetrics.filebeat | nindent 6 }} + {{- end }} +{{- end }} + logging: + consoleLog: + enabled: {{ .Values.xray.consoleLog }} + jfrogUrl: "{{ tpl (required "\n\nxray.jfrogUrl or global.jfrogUrl is required! This allows to connect to Artifactory.\nYou can copy the JFrog URL from Administration > User Management > Settings > Connection details" (include "xray.jfrogUrl" .)) . }}" + database: + {{- if .Values.postgresql.enabled }} + type: "postgresql" + driver: "org.postgresql.Driver" + username: "{{ .Values.postgresql.postgresqlUsername }}" + url: "postgres://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}?sslmode=disable" + {{- else }} + type: {{ .Values.database.type }} + driver: {{ .Values.database.driver }} + {{- end }} + {{- if and (not .Values.rabbitmq.enabled) (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + rabbitMq: + {{- if .Values.global.xray.rabbitmq.haQuorum.enabled }} + ha_quorum: true + vhost: {{ .Values.global.xray.rabbitmq.haQuorum.vhost }} + replicasCount: {{ .Values.global.xray.rabbitmq.replicaCount }} + {{- end }} + erlangCookie: + value: "{{ .Values.rabbitmq.external.erlangCookie }}" + {{- if not .Values.rabbitmq.external.secrets }} + url: "{{ tpl .Values.rabbitmq.external.url . 
}}" + username: "{{ .Values.rabbitmq.external.username }}" + password: "{{ .Values.rabbitmq.external.password }}" + {{- end }} + {{- else if and .Values.rabbitmq.enabled .Values.global.xray.rabbitmq.haQuorum.enabled }} + rabbitMq: + ha_quorum: true + vhost: {{ .Values.global.xray.rabbitmq.haQuorum.vhost }} + replicasCount: {{ .Values.rabbitmq.replicaCount }} + {{- end }} + {{- if .Values.xray.mongoUrl }} + mongo: + url: "{{ .Values.xray.mongoUrl }}" + username: "{{ .Values.xray.mongoUsername }}" + password: "{{ .Values.xray.mongoPassword }}" + {{- end }} +{{- if or .Values.server.mailServer .Values.server.indexAllBuilds .Values.global.xray.rabbitmq.migrateMessagesFromXrayDefaultVhost .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq }} +server: + {{- if .Values.server.mailServer }} + mailServer: "{{ .Values.server.mailServer }}" + {{- end }} + {{- if .Values.server.indexAllBuilds }} + indexAllBuilds: {{ .Values.server.indexAllBuilds }} + {{- end }} + {{- if .Values.global.xray.rabbitmq.migrateMessagesFromXrayDefaultVhost }} + dataMigrations: + migrate_msgs_from_other_rabbitmq: + vhost: {{ .Values.global.xray.rabbitmq.vhost | default "%2f" | quote }} + {{- else if .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq }} + dataMigrations: + migrate_msgs_from_other_rabbitmq: {{ toYaml .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq | nindent 6 }} + {{- end }} +{{- end }} +{{- if .Values.policyenforcer.enabled }} +policyenforcer: + enabled: true +{{- end }} +{{- if (include "xray.imagePullSecretsStrList" .) }} +executionService: + pullSecret: + {{- include "xray.imagePullSecretsStrList" . | indent 4 }} +{{- end }} +contextualAnalysis: + registry: {{ include "xray.getRegistryByService" (list . "contextualAnalysis") }} + image: {{ .Values.contextualAnalysis.image.repository }} +exposures: + container: + registry: {{ include "xray.getRegistryByService" (list . 
"exposures") }} + image: {{ .Values.exposures.image.repository }} \ No newline at end of file diff --git a/stable/xray/rabbitmq/ha-quorum.yaml b/stable/xray/rabbitmq/ha-quorum.yaml new file mode 100644 index 000000000..ac80ce1aa --- /dev/null +++ b/stable/xray/rabbitmq/ha-quorum.yaml @@ -0,0 +1,10 @@ +rabbitmq: + replicaCount: 3 + podManagementPolicy: Parallel + +global: + xray: + rabbitmq: + replicaCount: 3 + haQuorum: + enabled: true \ No newline at end of file diff --git a/stable/xray/rabbitmq/migration-to-ha-quorum.yaml b/stable/xray/rabbitmq/migration-to-ha-quorum.yaml new file mode 100644 index 000000000..62e4cb6d5 --- /dev/null +++ b/stable/xray/rabbitmq/migration-to-ha-quorum.yaml @@ -0,0 +1,12 @@ +rabbitmq: + extraPlugins: "rabbitmq_shovel rabbitmq_shovel_management" + migration: + deleteStatefulSetToAllowFieldUpdate: + enabled: true + removeHaPolicyOnMigrationToHaQuorum: + enabled: true + +global: + xray: + rabbitmq: + migrateMessagesFromXrayDefaultVhost: true \ No newline at end of file diff --git a/stable/xray/sizing/xray-2xlarge.yaml b/stable/xray/sizing/xray-2xlarge.yaml new file mode 100644 index 000000000..e2110e4c0 --- /dev/null +++ b/stable/xray/sizing/xray-2xlarge.yaml 
@@ -0,0 +1,148 @@ +############################################################## +# The 2xlarge sizing +# This size is intended for large organizations. It can be increased with adding replicas +############################################################## + +replicaCount: 3 +databaseUpgradeReady: true +waitForDatabase: true +unifiedUpgradeAllowed: true + +autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 12 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 800 + +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" + +analysis: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +indexer: + resources: + requests: + cpu: "300m" + memory: 550Mi + limits: + # cpu: "6" + memory: 8Gi + +persist: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +server: + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "4" + memory: 6Gi + +router: + resources: + requests: + cpu: "60m" + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: "10m" + memory: 25Mi + limits: + # cpu: "1" + memory: 250Mi + +panoramic: + enabled: true + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +sbom: + enabled: false + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +# PostgreSQL +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "2000" + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Xray pods + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname + +rabbitmq: + extraConfiguration: |- + vm_memory_high_watermark.absolute = 6G + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} + raft.wal_max_size_bytes = 1048576 + {{- end }} + resources: + requests: + cpu: "500m" + memory: 1Gi + limits: + # cpu: "8" + memory: 7Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-large.yaml b/stable/xray/sizing/xray-large.yaml new file mode 100644 index 000000000..f4a3bd477 --- /dev/null +++ b/stable/xray/sizing/xray-large.yaml 
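Review bot: `targetMemoryUtilizationPercentage: 800` reads like a typo unless one knows that HPA utilization is measured against `requests`, which these sizing files deliberately set far below `limits` (for example `analysis` requests 250Mi against a 10Gi limit); a comment above the `autoscaling:` block explaining that ratio, and one on the commented-out `# cpu:` limits saying they are left unset on purpose, would stop the next maintainer from "fixing" either. `podAntiAffinity.type: "hard"` combined with `maxReplicas: 12` also means the HPA can only scale out while that many distinct nodes exist, which belongs in the header comment. `rabbitmq.extraConfiguration` embeds a `{{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }}` template inside a plain values file, which only works if the rabbitmq subchart passes that field through `tpl` — worth confirming. The same layout and the same points apply to the `xray-large.yaml`, `xray-medium.yaml`, `xray-small.yaml`, `xray-xlarge.yaml` and `xray-xsmall.yaml` hunks that follow.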
@@ -0,0 +1,148 @@ +############################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the xlarge sizing +############################################################## + +replicaCount: 2 +databaseUpgradeReady: true +waitForDatabase: true +unifiedUpgradeAllowed: true + +autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 6 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 800 + +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" + +analysis: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +indexer: + resources: + requests: + cpu: "300m" + memory: 550Mi + limits: + # cpu: "6" + memory: 8Gi + +persist: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +server: + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "4" + memory: 6Gi + +router: + resources: + requests: + cpu: "60m" + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: "10m" + memory: 25Mi + limits: + # cpu: "1" + memory: 250Mi + +panoramic: + enabled: true + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +sbom: + enabled: false + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +# PostgreSQL +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "600" + resources: + requests: + memory: 32Gi + cpu: "16" + limits: + memory: 32Gi + # cpu: "32" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Xray pods + 
podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname + +rabbitmq: + extraConfiguration: |- + vm_memory_high_watermark.absolute = 3G + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} + raft.wal_max_size_bytes = 1048576 + {{- end }} + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "2" + memory: 4Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-medium.yaml b/stable/xray/sizing/xray-medium.yaml new file mode 100644 index 000000000..7983f50e3 --- /dev/null +++ b/stable/xray/sizing/xray-medium.yaml 
@@ -0,0 +1,148 @@ +############################################################## +# The medium sizing +# This size is just more replicas of the small size. Vertical sizing of all services is not changed +############################################################## + +replicaCount: 1 +databaseUpgradeReady: true +waitForDatabase: true +unifiedUpgradeAllowed: true + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 800 + +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" + +analysis: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +indexer: + resources: + requests: + cpu: "300m" + memory: 550Mi + limits: + # cpu: "6" + memory: 8Gi + +persist: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +server: + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "4" + memory: 6Gi + +router: + resources: + requests: + cpu: "60m" + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: "10m" + memory: 25Mi + limits: + # cpu: "1" + memory: 250Mi + +panoramic: + enabled: true + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +sbom: + enabled: false + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +# PostgreSQL +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "500" + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "18" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Xray pods + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname + +rabbitmq: + extraConfiguration: |- + vm_memory_high_watermark.absolute = 3G + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} + raft.wal_max_size_bytes = 1048576 + {{- end }} + resources: + requests: + cpu: "100m" + memory: 500Mi + limits: + # cpu: "2" + memory: 4Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-small.yaml b/stable/xray/sizing/xray-small.yaml new file mode 100644 index 000000000..1267250c4 --- /dev/null +++ b/stable/xray/sizing/xray-small.yaml 
@@ -0,0 +1,148 @@ +############################################################## +# The small sizing +# This is the size recommended for running Xray for small teams +############################################################## + +replicaCount: 1 +databaseUpgradeReady: true +waitForDatabase: true +unifiedUpgradeAllowed: true + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 800 + +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" + +analysis: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +indexer: + resources: + requests: + cpu: "300m" + memory: 550Mi + limits: + # cpu: "6" + memory: 8Gi + +persist: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +server: + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "4" + memory: 6Gi + +router: + resources: + requests: + cpu: "60m" + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: "10m" + memory: 25Mi + limits: + # cpu: "1" + memory: 250Mi + +panoramic: + enabled: true + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +sbom: + enabled: false + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +# PostgreSQL +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "200" + resources: + requests: + memory: 16Gi + cpu: "6" + limits: + memory: 16Gi + # cpu: "18" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Xray pods + podAntiAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname + +rabbitmq: + extraConfiguration: |- + vm_memory_high_watermark.absolute = 2G + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} + raft.wal_max_size_bytes = 1048576 + {{- end }} + resources: + requests: + cpu: "50m" + memory: 300Mi + limits: + # cpu: "2" + memory: 3Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-xlarge.yaml b/stable/xray/sizing/xray-xlarge.yaml new file mode 100644 index 000000000..ebc6511b4 --- /dev/null +++ b/stable/xray/sizing/xray-xlarge.yaml 
@@ -0,0 +1,148 @@ +############################################################## +# The xlarge sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the 2xlarge sizing +############################################################## + +replicaCount: 2 +databaseUpgradeReady: true +waitForDatabase: true +unifiedUpgradeAllowed: true + +autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 8 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 800 + +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" + +analysis: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +indexer: + resources: + requests: + cpu: "300m" + memory: 550Mi + limits: + # cpu: "6" + memory: 8Gi + +persist: + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +server: + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "4" + memory: 6Gi + +router: + resources: + requests: + cpu: "60m" + memory: 100Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: "10m" + memory: 25Mi + limits: + # cpu: "1" + memory: 250Mi + +panoramic: + enabled: true + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 8Gi + +sbom: + enabled: false + resources: + requests: + cpu: "100m" + memory: 250Mi + limits: + # cpu: "4" + memory: 10Gi + +# PostgreSQL +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "1200" + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Xray 
pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname + +rabbitmq: + extraConfiguration: |- + vm_memory_high_watermark.absolute = 4G + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} + raft.wal_max_size_bytes = 1048576 + {{- end }} + resources: + requests: + cpu: "200m" + memory: 500Mi + limits: + # cpu: "4" + memory: 5Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-xsmall.yaml b/stable/xray/sizing/xray-xsmall.yaml new file mode 100644 index 000000000..9b71886b6 --- /dev/null +++ b/stable/xray/sizing/xray-xsmall.yaml 
@@ -0,0 +1,148 @@ +############################################################## +# The xsmall sizing +# This is the minimum size recommended for running JFrog Xray +############################################################## + +replicaCount: 1 +databaseUpgradeReady: true +waitForDatabase: true +unifiedUpgradeAllowed: true + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 800 + +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" + +analysis: + resources: + requests: + cpu: "30m" + memory: 250Mi + limits: + # cpu: "3" + memory: 4Gi + +indexer: + resources: + requests: + cpu: "40m" + memory: 250Mi + limits: + # cpu: "4" + memory: 4Gi + +persist: + resources: + requests: + cpu: "30m" + memory: 250Mi + limits: + # cpu: "3" + memory: 4Gi + +server: + resources: + requests: + cpu: "60m" + memory: 250Mi + limits: + # cpu: "3" + memory: 4Gi + +router: + resources: + requests: + cpu: "20m" + memory: 50Mi + limits: + # cpu: "1" + memory: 1Gi + +observability: + resources: + requests: + cpu: "10m" + memory: 25Mi + limits: + # cpu: "1" + memory: 250Mi + +panoramic: + enabled: true + resources: + requests: + cpu: "30m" + memory: 250Mi + limits: + # cpu: "3" + memory: 4Gi + +sbom: + enabled: false + resources: + requests: + cpu: "30m" + memory: 250Mi + limits: + # cpu: "3" + memory: 4Gi + +# PostgreSQL +## Configuration values for the postgresql dependency +## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md +## +postgresql: + postgresqlExtendedConf: + listenAddresses: "*" + maxConnections: "100" + resources: + requests: + memory: 8Gi + cpu: "4" + limits: + memory: 8Gi + # cpu: "12" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Xray pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + 
- labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname + +rabbitmq: + extraConfiguration: |- + vm_memory_high_watermark.absolute = 2G + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} + raft.wal_max_size_bytes = 1048576 + {{- end }} + resources: + requests: + cpu: "50m" + memory: 300Mi + limits: + # cpu: "2" + memory: 3Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/templates/_helpers.tpl b/stable/xray/templates/_helpers.tpl index 1b708e4a5..3b4ae9023 100644 --- a/stable/xray/templates/_helpers.tpl +++ b/stable/xray/templates/_helpers.tpl @@ -20,6 +20,20 @@ The xray-sbom name {{- default .Chart.Name .Values.sbom.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +The xray-panoramic name +*/}} +{{- define "xray-panoramic.name" -}} +{{- default .Chart.Name .Values.panoramic.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The xray-policyenforcer name +*/}} +{{- define "xray-policyenforcer.name" -}} +{{- default .Chart.Name .Values.panoramic.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* The xray-indexer name */}} @@ -66,6 +80,9 @@ Expand the name of rabbit chart. {{- default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} {{- end -}} +{{- define "xray.rabbitmq.migration.isHookRegistered" }} +{{- or .Values.rabbitmq.migration.enabled .Values.rabbitmq.migration.deleteStatefulSetToAllowFieldUpdate.enabled .Values.rabbitmq.migration.removeHaPolicyOnMigrationToHaQuorum.enabled }} +{{- end }} {{- define "xray.rabbitmq.migration.fullname" -}} {{- $name := default "rabbitmq-migration" -}} 
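Review bot: `xray-policyenforcer.name` resolves `.Values.panoramic.name` instead of `.Values.policyenforcer.name`, so the policy-enforcer resources would be named after the panoramic service whenever `panoramic.name` is set; the define should read `{{- default .Chart.Name .Values.policyenforcer.name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}`. It looks like a copy of the `xray-panoramic.name` block directly above it with the first line edited and the second forgotten. Separately, sprig's `default` only consults its first "given" argument, so the trailing `.Values.nameOverride` in this three-argument form is never used; that matches the surrounding defines, so it is a pre-existing pattern rather than something this commit introduces, but it is worth a comment or a fix in a follow-up.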
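Review bot: `xray.rabbitmq.migration.isHookRegistered` is the only define in this hunk without the `{{/* ... */}}` description its neighbours carry; add `{{/*` / `Return "true" when any rabbitmq migration flag registers the pre-upgrade hook` / `*/}}` above it. Because Go-template `or` returns its first truthy operand rather than a boolean, the `eq (include ...) "true"` comparison callers perform only works while all three values stay real booleans; a short comment on the `{{- or ... }}` line noting that constraint is worthwhile.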
@@ -432,14 +449,17 @@ Return the proper xray chart image names {{- $registryName := index $dot.Values $indexReference "image" "registry" -}} {{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}} {{- $tag := default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} -{{- if and $dot.Values.common.xrayVersion (or (eq $indexReference "persist") (eq $indexReference "server") (eq $indexReference "analysis") (eq $indexReference "sbom") (eq $indexReference "indexer")) }} +{{- if and $dot.Values.common.xrayVersion (or (eq $indexReference "persist") (eq $indexReference "server") (eq $indexReference "analysis") (eq $indexReference "sbom") (eq $indexReference "indexer") (eq $indexReference "panoramic")) }} {{- $tag = $dot.Values.common.xrayVersion | toString -}} {{- end -}} {{- if $dot.Values.global }} {{- if and $dot.Values.global.versions.router (eq $indexReference "router") }} {{- $tag = $dot.Values.global.versions.router | toString -}} {{- end -}} - {{- if and $dot.Values.global.versions.xray (or (eq $indexReference "persist") (eq $indexReference "server") (eq $indexReference "analysis") (eq $indexReference "sbom") (eq $indexReference "indexer")) }} + {{- if and $dot.Values.global.versions.initContainers (eq $indexReference "initContainers") }} + {{- $tag = $dot.Values.global.versions.initContainers | toString -}} + {{- end -}} + {{- if and $dot.Values.global.versions.xray (or (eq $indexReference "persist") (eq $indexReference "server") (eq $indexReference "analysis") (eq $indexReference "sbom") (eq $indexReference "indexer") (eq $indexReference "panoramic")) }} {{- $tag = $dot.Values.global.versions.xray | toString -}} {{- end -}} {{- if $dot.Values.global.imageRegistry }} 
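Review bot: The `or (eq $indexReference "persist") ... (eq $indexReference "panoramic")` chain is now six terms long and duplicated verbatim for `common.xrayVersion` and `global.versions.xray`; binding it once, `{{- $isXrayService := has $indexReference (list "persist" "server" "analysis" "sbom" "indexer" "panoramic") -}}`, and testing `$isXrayService` in both `if`s keeps the two lists from drifting apart the next time a service is added. `policyenforcer` is absent from that list while `panoramic` was added, so the policy enforcer will not follow `common.xrayVersion`/`global.versions.xray` overrides; whether that is intended cannot be seen from here and deserves a comment either way.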
@@ -452,6 +472,14 @@ Return the proper xray chart image names {{- end -}} {{- end -}} +{{/* +Return the proper xray app version +*/}} +{{- define "xray.app.version" -}} +{{- $tag := (splitList ":" ((include "xray.getImageInfoByValue" (list . "server" )))) | last | toString -}} +{{- printf "%s" $tag -}} +{{- end -}} + {{/* Return the registry of a service */}} @@ -502,6 +530,22 @@ Resolve xray requiredServiceTypes value {{- $requiredTypes -}} {{- end -}} +{{/* +Resolve xray ipa requiredServiceTypes value +*/}} +{{- define "xray.router.ipa.requiredServiceTypes" -}} +{{- $requiredTypes := "jfxana,jfxidx,jfxpst,jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Resolve xray server requiredServiceTypes value +*/}} +{{- define "xray.router.server.requiredServiceTypes" -}} +{{- $requiredTypes := "jfxr,jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + {{/* Resolve Xray pod node selector value */}} 
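Review bot: `xray.app.version` derives the version with `splitList ":" ... | last`, which assumes the image reference always ends in `:tag`; a digest-pinned reference (`repo@sha256:<hex>`) would yield the raw digest and an untagged reference on a registry with a port (`host:5000/repo`) would yield `5000/repo`. The tag defaulting to `.Chart.AppVersion` in the previous hunk suggests a tag is normally present, so a comment stating that assumption (`{{/* assumes getImageInfoByValue emits repo:tag, never a digest */}}`) is the minimum; `{{- printf "%s" $tag -}}` is also just `{{- $tag -}}`.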
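Review bot: `xray.router.ipa.requiredServiceTypes` and `xray.router.server.requiredServiceTypes` bind a literal to `$requiredTypes` and emit it on the next line; `{{- "jfxana,jfxidx,jfxpst,jfob" -}}` does the same in one. More useful than the variable would be a comment mapping each abbreviation (`jfxana`, `jfxidx`, `jfxpst`, `jfob`, `jfxr`) to the service it denotes, since nothing in the file spells that out.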
@@ -551,6 +595,47 @@ Resolve autoscalingQueues value {{- define "xray.autoscalingQueues" -}} {{- if .Values.autoscaling.keda.queues }} {{- range .Values.autoscaling.keda.queues }} +- type: rabbitmq + metadata: + name: "{{- .name -}}-queue" + protocol: amqp + queueName: {{ .name }} + mode: QueueLength + value: "{{ .value }}" +{{- if $.Values.global.xray.rabbitmq.haQuorum.enabled }} + vhostName: "{{ $.Values.global.xray.rabbitmq.haQuorum.vhost }}" +{{- end }} + authenticationRef: + name: keda-trigger-auth-rabbitmq-conn-xray +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Resolve autoscalingQueues value for ipa +*/}} +{{- define "xray.autoscalingQueuesIpa" -}} +{{- if .Values.autoscalingIpa.keda.queues }} +{{- range .Values.autoscalingIpa.keda.queues }} +- type: rabbitmq + metadata: + name: "{{- .name -}}-queue" + protocol: amqp + queueName: {{ .name }} + mode: QueueLength + value: "{{ .value }}" + authenticationRef: + name: keda-trigger-auth-rabbitmq-conn-xray +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Resolve autoscalingQueues value for server +*/}} +{{- define "xray.autoscalingQueuesServer" -}} +{{- if .Values.autoscalingServer.keda.queues }} +{{- range .Values.autoscalingServer.keda.queues }} - type: rabbitmq metadata: name: "{{- .name -}}-queue" @@ -582,10 +667,14 @@ Return the secret name of rabbitmq TLS certs. {{/* Prints value of Values.rabbitmq.auth.tls.enabled. */}} -{{- define "xray.rabbitmq.isTlsEnabled" -}} +{{- define "xray.rabbitmq.isManagementListenerTlsEnabledInContext" -}} {{- printf "%t" $.Values.auth.tls.enabled -}} {{- end -}} +{{- define "xray.rabbitmq.isManagementListenerTlsEnabled" -}} +{{- printf "%t" $.Values.rabbitmq.auth.tls.enabled -}} +{{- end -}} + {{/* Set xray env variables if rabbitmq.tls is enabled. */}} 
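Review bot: `xray.autoscalingQueuesIpa` omits the `vhostName` that `xray.autoscalingQueues` sets when `global.xray.rabbitmq.haQuorum.enabled` is true, so with HA-quorum enabled the IPA KEDA trigger will presumably query the default vhost and see a queue depth that does not exist there, leaving the IPA deployment unscaled. Add the same conditional block under the IPA trigger's `metadata:`, `{{- if $.Values.global.xray.rabbitmq.haQuorum.enabled }}` / `vhostName: "{{ $.Values.global.xray.rabbitmq.haQuorum.vhost }}"` / `{{- end }}`. While there, quote `queueName: "{{ .name }}"` as `name` already is, so a numeric- or boolean-looking queue name is not retyped by the YAML parser. `xray.autoscalingQueuesServer` continues past this hunk, so I could not check whether it has the same gap.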
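Review bot: The doc comment `Prints value of Values.rabbitmq.auth.tls.enabled.` now sits above `xray.rabbitmq.isManagementListenerTlsEnabledInContext`, which actually reads `$.Values.auth.tls.enabled` (the subchart-context path), while the new `xray.rabbitmq.isManagementListenerTlsEnabled` is the one that reads `$.Values.rabbitmq.auth.tls.enabled` and has no comment at all. Move the existing comment to the second definition and give the first one `{{/* Prints Values.auth.tls.enabled when called with the rabbitmq subchart's values as context. */}}`. Renaming the exported helper `xray.rabbitmq.isTlsEnabled` also removes the old name; any template or wrapper chart still including it will fail at render time (callers are not in view), so consider keeping a one-line alias that delegates to the new name.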
@@ -616,3 +705,21 @@ Set xray env variables if rabbitmq.tls is enabled. - name: XRAY_CHART_SYSTEM_YAML_OVERRIDE_DATA_KEY value: "{{ .Values.systemYamlOverride.dataKey }}" {{- end }} + +{{/* +Calculate the systemYaml from structured and unstructured text input +*/}} +{{- define "xray.finalSystemYaml" -}} +{{- if .Values.xray.extraSystemYaml }} +{{ tpl (mergeOverwrite (include "xray.systemYaml" . | fromYaml) .Values.xray.extraSystemYaml | toYaml) . }} +{{- else }} +{{ include "xray.systemYaml" . }} +{{- end }} +{{- end -}} + +{{/* +Calculate the systemYaml from the unstructured text input +*/}} +{{- define "xray.systemYaml" -}} +{{ include (print $.Template.BasePath "/_system-yaml-render.tpl") . }} +{{- end -}} \ No newline at end of file diff --git a/stable/xray/templates/_system-yaml-render.tpl b/stable/xray/templates/_system-yaml-render.tpl new file mode 100644 index 000000000..34ef784df --- /dev/null +++ b/stable/xray/templates/_system-yaml-render.tpl @@ -0,0 +1,5 @@ +{{- if .Values.xray.systemYaml -}} +{{- tpl .Values.xray.systemYaml . -}} +{{- else -}} +{{ (tpl ( $.Files.Get "files/system.yaml" ) .) }} +{{- end -}} \ No newline at end of file diff --git a/stable/xray/templates/migration-hook.yaml b/stable/xray/templates/migration-hook.yaml index 9f747ab51..908fd71a0 100644 --- a/stable/xray/templates/migration-hook.yaml +++ b/stable/xray/templates/migration-hook.yaml @@ -2,7 +2,7 @@ {{- if and (not .Values.rabbitmq.migration.enabled) (not .Values.rabbitmq.rabbitmqUpgradeReady) }} {{- fail "Rabbitmq migration flag is disabled. Please enable the rabbitmq.rabbitmqUpgradeReady flag after manually enabling the feature flags in rabbitmq" }} {{- end }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} {{- if .Values.rabbitmq.migration.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount 
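Review bot: `xray.finalSystemYaml` runs `tpl` over the merged result even though `xray.systemYaml` has already passed the content through `tpl` in `_system-yaml-render.tpl`, so the `extraSystemYaml` branch evaluates template syntax twice; any value that legitimately contains `{{` (a credential, a regex, a literal pattern) is interpreted as template code on the second pass, and for `extraSystemYaml` itself the user's structured values are templated without that being documented. Drop the outer `tpl` and template only the user input if that is the intent: `{{ mergeOverwrite (include "xray.systemYaml" . | fromYaml) .Values.xray.extraSystemYaml | toYaml }}`. Note also that Helm's `fromYaml` does not fail on unparseable input but returns a map carrying an `Error` key, which `mergeOverwrite` would silently write into the generated system.yaml; a `hasKey $base "Error"` check with `fail` would make a broken base template visible instead.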
@@ -22,7 +22,7 @@ automountServiceAccountToken: {{ .Values.rabbitmq.migration.serviceAccount.autom {{- end }} --- {{- if .Values.rabbitmq.enabled }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} {{- if .Values.rabbitmq.migration.serviceAccount.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -43,7 +43,7 @@ rules: {{- end }} --- {{- if .Values.rabbitmq.enabled }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} {{- if .Values.rabbitmq.migration.serviceAccount.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -69,9 +69,9 @@ roleRef: {{- end }} --- {{- if .Values.rabbitmq.enabled }} -{{- if .Values.rabbitmq.migration.enabled }} -apiVersion: v1 -kind: Pod +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} +apiVersion: batch/v1 +kind: Job metadata: labels: app: {{ template "xray.name" . }} 
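Review bot: Changing the pre-upgrade hook from a bare `Pod` to a `batch/v1 Job` changes its failure semantics: with `restartPolicy: Never` (set in the next hunk) and no `backoffLimit` in the spec, a failing migration pod is recreated up to the Kubernetes default of six times, each run re-executing `kubectl exec` and the `kubectl delete statefulset --cascade=orphan` step against RabbitMQ before Helm reports the hook as failed. Since the script exits 1 only on conditions that will not clear by retrying (pod not ready after the wait loop, rabbitmqctl errors), pin the behaviour explicitly under `spec:`, e.g. `backoffLimit: 0` and an `activeDeadlineSeconds` bound, so a broken upgrade fails once and fast. The Job spec this applies to starts in the following hunk.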
@@ -83,37 +83,112 @@ metadata: "helm.sh/hook": "pre-upgrade" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: - {{- if .Values.rabbitmq.podSecurityContext.enabled }} - securityContext: {{- omit .Values.rabbitmq.podSecurityContext "enabled" | toYaml | nindent 4 }} - {{- end }} - {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} - {{- include "xray.imagePullSecrets" . | indent 2 }} - {{- end }} - serviceAccountName: {{ template "xray.rabbitmq.migration.serviceAccountName" . }} - containers: - - name: pre-upgrade-container - image: "{{ include "xray.getRegistryByService" (list . "migrationHook") }}/{{ .Values.rabbitmq.migration.image.repository }}:{{ .Values.rabbitmq.migration.image.tag }}" - imagePullPolicy: IfNotPresent - {{- if .Values.rabbitmq.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.rabbitmq.containerSecurityContext "enabled" | toYaml | nindent 8 }} + template: + metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + spec: + {{- if .Values.rabbitmq.podSecurityContext.enabled }} + securityContext: {{- omit .Values.rabbitmq.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} - command: - - sh - - -c - - | - #!/bin/sh - if [ "$(kubectl get pods -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }}" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then - kubectl exec -it {{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0 -- rabbitmqctl enable_feature_flag all + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} + {{- include "xray.imagePullSecrets" . | indent 6 }} + {{- end }} + serviceAccountName: {{ template "xray.rabbitmq.migration.serviceAccountName" . }} + containers: + - name: pre-upgrade-container + image: "{{ include "xray.getRegistryByService" (list . 
"migrationHook") }}/{{ .Values.rabbitmq.migration.image.repository }}:{{ .Values.rabbitmq.migration.image.tag }}" + imagePullPolicy: IfNotPresent + {{- if .Values.rabbitmq.resources }} + resources: + {{- toYaml .Values.rabbitmq.resources | nindent 12 }} + {{- end }} + {{- if .Values.rabbitmq.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.rabbitmq.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - bash + - -c + - | + #!/bin/bash + rabbitMqZeroPodName="{{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0" + rabbitMqZeroPodStatus=$(kubectl get pods $rabbitMqZeroPodName -n {{ .Release.Namespace }} -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}') + + {{- if and .Values.global.xray.rabbitmq.haQuorum.enabled .Values.rabbitmq.migration.removeHaPolicyOnMigrationToHaQuorum.enabled }} + for (( i=1; i<=6; i++ )) + do + if [ "$rabbitMqZeroPodStatus" = "True" ]; then + break + fi + echo "Waiting for Rabbitmq zero pod $rabbitMqZeroPodName to be in Ready state - iteration $i" + sleep 5 + rabbitMqZeroPodStatus=$(kubectl get pods $rabbitMqZeroPodName -n {{ .Release.Namespace }} -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}') + done + if [ "$rabbitMqZeroPodStatus" != "True" ]; then + echo "Rabbitmq zero pod $rabbitMqZeroPodName is not in Ready state. Failed to remove mirroring policy 'ha-all'" + exit 1 + fi + policyExists=$(kubectl exec -i $rabbitMqZeroPodName -n {{ .Release.Namespace }} -- bash -c "rabbitmqctl list_policies --formatter json | grep -o "'"\"name\":\"ha-all\""'" | wc -l | tr -d '[:space:]'") if [ "$?" -ne 0 ]; then - echo "Failed to perform the migration. 
Please make sure to enable the feature flag in rabbitmq manually [rabbitmqctl enable_feature_flag all] " + echo "Failed to check if policy ha-all exists on default vhost" + exit 1 + fi + echo "Policy ha-all exists: $policyExists" + if [ $policyExists -gt 0 ]; then + kubectl exec -i $rabbitMqZeroPodName -n {{ .Release.Namespace }} -- rabbitmqctl clear_policy ha-all + if [ "$?" -ne 0 ]; then + echo "Failed to delete policy ha-all on default vhost" + exit 1 + else + echo "Deleted ha-all policy successfully on default vhost" + fi + fi + {{- end }} + + {{- if .Values.rabbitmq.migration.enabled }} + if [ "$rabbitMqZeroPodStatus" = "True" ]; then + kubectl exec -i $rabbitMqZeroPodName -n {{ .Release.Namespace }} -- rabbitmqctl enable_feature_flag all + if [ "$?" -ne 0 ]; then + echo "Failed to perform the migration. Please make sure to enable the feature flag in rabbitmq manually [rabbitmqctl enable_feature_flag all] " + exit 1 + else + echo Feature flags executed successfully! + fi + else + echo "Rabbitmq zero pod is not in running state. Ignoring feature flag migration for rabbitmq" + fi + {{- end }} + + {{- if .Values.rabbitmq.migration.deleteStatefulSetToAllowFieldUpdate.enabled }} + if [ -n "{{ .Values.rabbitmq.podManagementPolicy }}" ]; then + rabbitMqStatefulSetName=$(kubectl get statefulsets -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o=jsonpath='{.items[0].metadata.name}') + if [ $? -ne 0 ]; then + echo "Failed to get current rabbitmq statefulset name" + exit 1 + fi + currPodManagementPolicy=$(kubectl get statefulset $rabbitMqStatefulSetName -n {{ .Release.Namespace }} -o=jsonpath='{.spec.podManagementPolicy}') + if [ $? 
-ne 0 ]; then + echo "Failed to get current pod management policy definition" exit 1 + fi + if [ "$currPodManagementPolicy" != "{{ .Values.rabbitmq.podManagementPolicy }}" ]; then + kubectl delete statefulset $rabbitMqStatefulSetName --cascade=orphan -n {{ .Release.Namespace }} + if [ $? -ne 0 ]; then + echo "Failed to delete statefulset $rabbitMqStatefulSetName to allow update of podManagementDefinition field: [kubectl delete statefulset STATEFULSET_NAME --cascade=orphan]" + exit 1 + fi + echo "Deleted statefulset $rabbitMqStatefulSetName successfully" + else + echo "Field podManagementPolicy of statefulset $rabbitMqStatefulSetName has not changed" + fi else - echo Feature flags executed successfully! + echo "rabbitmq.podManagementPolicy is not set" fi - else - echo "Rabbitmq pod is not in running state. Ignoring feature flag migration for rabbitmq" - fi - restartPolicy: Never - terminationGracePeriodSeconds: 0 + {{- end }} + restartPolicy: Never + terminationGracePeriodSeconds: 0 {{- end }} {{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-hpa-ipa.yaml b/stable/xray/templates/xray-hpa-ipa.yaml new file mode 100644 index 000000000..f3438a206 --- /dev/null +++ b/stable/xray/templates/xray-hpa-ipa.yaml 
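Review bot: The `if [ "$?" -ne 0 ]` following `policyExists=$(kubectl exec … -- bash -c "rabbitmqctl list_policies … | grep -o … | wc -l | tr -d '[:space:]'")` only sees the exit status of the remote pipeline's last command (`tr`), so a failing `rabbitmqctl` or a broken `kubectl exec` produces `policyExists` of `0` or an empty string, the "policy exists" check is skipped, and the hook exits 0 as if the migration succeeded; the unquoted `[ $policyExists -gt 0 ]` then errors on an empty value rather than on the real failure. Separate the remote call from the local counting so the status is checked where it matters: `policies=$(kubectl exec -i "$rabbitMqZeroPodName" -n {{ .Release.Namespace }} -- rabbitmqctl list_policies --formatter json) || { echo "Failed to list policies on default vhost"; exit 1; }` followed by `policyExists=$(printf '%s' "$policies" | grep -o '"name":"ha-all"' | wc -l | tr -d '[:space:]')` and `if [ "${policyExists:-0}" -gt 0 ]; then`. The same pattern applies to the other `kubectl get … | jsonpath` assignments, whose `$?` checks do not catch an empty result with exit 0. This hook's ServiceAccount needs pods/exec and statefulsets delete to do this work; the binding is a namespaced `Role`, which is the right scope, but its `rules` are outside the hunk and worth confirming are limited to exactly those verbs and resources.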
@@ -0,0 +1,31 @@ +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} +{{- if and (.Values.autoscalingIpa.enabled) (eq .Values.autoscalingIpa.keda.enabled false) }} + {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 + {{- else }} +apiVersion: autoscaling/v2beta2 + {{- end }} +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "xray.fullname" . }}-ipa +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "xray.fullname" . }}-ipa + minReplicas: {{ .Values.autoscalingIpa.minReplicas }} + maxReplicas: {{ .Values.autoscalingIpa.maxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscalingIpa.targetCPUUtilizationPercentage }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-hpa-server.yaml b/stable/xray/templates/xray-hpa-server.yaml new file mode 100644 index 000000000..147d1db79 --- /dev/null +++ b/stable/xray/templates/xray-hpa-server.yaml 
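Review bot: The guard `(eq .Values.autoscalingIpa.keda.enabled false)` is only true when the key is explicitly `false`; if a user sets `autoscalingIpa.enabled: true` without a `keda` block (or values.yaml leaves it unset — defaults are not in view), `eq nil false` is false and the HPA is silently not rendered, with no KEDA ScaledObject either. `{{- if and .Values.autoscalingIpa.enabled (not .Values.autoscalingIpa.keda.enabled) }}` treats unset and `false` the same and matches how the rest of the chart tests booleans. The `semverCompare ">=v1.23.0-0"` switch between `autoscaling/v2` and `v2beta2` is consistent with the chart's new `kubeVersion` floor.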
@@ -0,0 +1,31 @@ +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} +{{- if and (.Values.autoscalingServer.enabled) (eq .Values.autoscalingServer.keda.enabled false) }} + {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 + {{- else }} +apiVersion: autoscaling/v2beta2 + {{- end }} +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "xray.fullname" . }}-server +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "xray.fullname" . }}-server + minReplicas: {{ .Values.autoscalingServer.minReplicas }} + maxReplicas: {{ .Values.autoscalingServer.maxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscalingServer.targetCPUUtilizationPercentage }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-hpa.yaml b/stable/xray/templates/xray-hpa.yaml index fd8c757cf..3233546c7 100644 --- a/stable/xray/templates/xray-hpa.yaml +++ b/stable/xray/templates/xray-hpa.yaml @@ -1,3 +1,4 @@ +{{- if or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled) }} {{- if and (.Values.autoscaling.enabled) (eq .Values.autoscaling.keda.enabled false) }} {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} apiVersion: autoscaling/v2 @@ -26,4 +27,5 @@ spec: target: type: Utilization averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} {{- end }} \ No newline at end of file 
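Review bot: `xray-hpa-server.yaml` is a line-for-line copy of `xray-hpa-ipa.yaml` with `Ipa`/`-ipa` replaced by `Server`/`-server`, and `xray-hpa.yaml` in the same commit is a third copy with a different outer condition; three parallel HPA templates will drift on the next change (the `eq … false` guard, the API-version switch, the CPU-only metric) just as the KEDA queue helpers already have. Factor the body into one named template in `_helpers.tpl` that takes the values key and name suffix, e.g. `{{ include "xray.hpa" (list . "autoscalingServer" "server") }}`, and keep only the per-deployment condition in each file. The same `(eq .Values.autoscalingServer.keda.enabled false)` nil-vs-false caveat raised on the IPA template applies here.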
diff --git a/stable/xray/templates/xray-ipa-deployment.yaml b/stable/xray/templates/xray-ipa-deployment.yaml new file mode 100644 index 000000000..6e7439e9b --- /dev/null +++ b/stable/xray/templates/xray-ipa-deployment.yaml 
@@ -0,0 +1,1530 @@ +{{- if .Values.splitXraytoSeparateDeployments.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "xray.fullname" . }}-ipa + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: ipa + {{- with .Values.xray.labels }} +{{ toYaml . | indent 4 }} + {{- end }} +{{- if .Release.IsUpgrade }} + unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} +{{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' or 13.10.0-debian-11-r14 or 15.2.0-debian-11-r23 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x or 13.x or 15.x" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- with .Values.server.statefulset.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if not .Values.autoscalingIpa.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- with .Values.deployment.strategy }} + strategy: +{{ toYaml . | indent 4 }} +{{- end }} + selector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: ipa + template: + metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . 
}} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: ipa + {{- with .Values.xray.labels }} +{{ toYaml . | indent 8 }} + {{- end }} + annotations: + {{- if not .Values.xray.unifiedSecretInstallation }} + checksum/database-secrets: {{ include (print $.Template.BasePath "/xray-database-secrets.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/xray-system-yaml.yaml") . | sha256sum }} + {{- else }} + checksum/xray-unified-secret: {{ include (print $.Template.BasePath "/xray-unified-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.analysis.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.indexer.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.persist.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.server.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.router.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.filebeat.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.xray.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.policyenforcer.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + spec: + {{- if .Values.xray.schedulerName }} + schedulerName: {{ .Values.xray.schedulerName | quote }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "xray.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.xray.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.xray.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.xray.priorityClass.create }} + priorityClassName: {{ default (include "xray.fullname" .) .Values.xray.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "xray.serviceAccountName" . 
}} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.common.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if or .Values.common.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "xray.customInitContainersBegin" .) . | indent 6 }} + {{- end }} + - name: 'copy-system-yaml' + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + if [[ -e "{{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.xray.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Remove {{ .Values.xray.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.xray.persistence.mountPath }}/lost+found; + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security; + echo ${XRAY_JOIN_KEY} > {{ 
.Values.xray.persistence.mountPath }}/etc/security/join.key; + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security; + echo ${XRAY_MASTER_KEY} > {{ .Values.xray.persistence.mountPath }}/etc/security/master.key; + {{- end }} + env: + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + - name: XRAY_JOIN_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.joinKeySecretName .Values.global.joinKeySecretName) }} + name: {{ include "xray.joinKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + - name: XRAY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.masterKeySecretName .Values.global.masterKeySecretName) }} + name: {{ include "xray.masterKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath | quote }} + {{- if or (not .Values.xray.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "xray.unifiedCustomSecretVolumeName" . 
}} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- end }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }} + - name: copy-custom-certificates + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "xray.copyCustomCerts" . | indent 10 }} +{{ include "xray.copyRabbitmqCustomCerts" . | indent 10 }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{- end }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if .Values.postgresql.enabled }} + - name: "wait-for-db" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . 
| nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! $ready; do echo waiting; + timeout 2s bash -c " + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/router/app/bin/entrypoint-router.sh; + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "xray.router.ipa.requiredServiceTypes" . }} + {{- if .Values.router.extraEnvVars }} + {{- tpl .Values.router.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - name: http-router + containerPort: {{ .Values.router.internalPort }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} +{{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} +{{- end }} + - name: {{ .Values.observability.name }} + image: {{ include "xray.getImageInfoByValue" (list . "observability") }} + imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . 
| nindent 10 }} + {{- end }} + command: + - '/bin/sh' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/observability/app/bin/entrypoint-observability.sh; + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if .Values.observability.extraEnvVars }} + {{- tpl .Values.observability.extraEnvVars . | nindent 8 }} + {{- end }} + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.observability.persistence.mountPath }}" + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + - name: {{ .Values.analysis.name }} + image: {{ include "xray.getImageInfoByValue" (list . "analysis") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.analysis.preStartCommand }} + echo "Running custom Analysis preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.analysis.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . 
| indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.analysis.extraEnvVars }} + {{- tpl .Values.analysis.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.analysis.internalPort }} + name: http-analysis + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.analysis.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.analysis.resources | indent 10 }} +{{- if .Values.analysis.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.analysis.startupProbe.config . 
| indent 10 }} +{{- end }} +{{- if .Values.analysis.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.analysis.livenessProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.sbom.enabled }} + - name: {{ .Values.sbom.name }} + image: {{ include "xray.getImageInfoByValue" (list . "sbom") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.sbom.preStartCommand }} + echo "Running custom Sbom preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.sbom.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . 
}} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.sbom.extraEnvVars }} + {{- tpl .Values.sbom.extraEnvVars . 
| nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.sbom.internalPort }} + name: http-sbom + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.sbom.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.sbom.resources | indent 10 }} +{{- if .Values.sbom.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.sbom.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.sbom.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.sbom.livenessProbe.config . | indent 10 }} +{{- end }} +{{- end }} +{{- if .Values.panoramic.enabled }} + - name: {{ .Values.panoramic.name }} + image: {{ include "xray.getImageInfoByValue" (list . "panoramic") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.panoramic.preStartCommand }} + echo "Running custom panoramic preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.panoramic.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . 
| indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.panoramic.extraEnvVars }} + {{- tpl .Values.panoramic.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.panoramic.internalPort }} + name: http-panoramic + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.panoramic.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.panoramic.resources | indent 10 }} +{{- if .Values.panoramic.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.panoramic.startupProbe.config . 
| indent 10 }} +{{- end }} +{{- if .Values.panoramic.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.panoramic.livenessProbe.config . | indent 10 }} +{{- end }} +{{- end }} +{{- if .Values.policyenforcer.enabled }} + - name: {{ .Values.policyenforcer.name }} + image: {{ include "xray.getImageInfoByValue" (list . "policyenforcer") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.policyenforcer.preStartCommand }} + echo "Running custom policyenforcer preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.policyenforcer.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . 
}} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.policyenforcer.extraEnvVars }} + {{- tpl .Values.policyenforcer.extraEnvVars . 
| nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.policyenforcer.internalPort }} + name: http-polenf + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.policyenforcer.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.policyenforcer.resources | indent 10 }} +{{- if .Values.policyenforcer.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.policyenforcer.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.policyenforcer.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.policyenforcer.livenessProbe.config . | indent 10 }} +{{- end }} +{{- end }} + - name: {{ .Values.indexer.name }} + image: {{ include "xray.getImageInfoByValue" (list . "indexer") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.indexer.preStartCommand }} + echo "Running custom Indexer preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.indexer.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . 
| indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . 
| nindent 8 }} + {{- end }} + {{- if .Values.indexer.extraEnvVars }} + {{- tpl .Values.indexer.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.indexer.internalPort }} + name: http-indexer + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.indexer.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.indexer.resources | indent 10 }} +{{- if .Values.indexer.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.indexer.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.indexer.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.indexer.livenessProbe.config . | indent 10 }} +{{- end }} + - name: {{ .Values.persist.name }} + image: {{ include "xray.getImageInfoByValue" (list . "persist") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.persist.preStartCommand }} + echo "Running custom Persist preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.persist.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . 
| indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_K8S_ENV + value: "true" + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.persist.extraEnvVars }} + {{- tpl .Values.persist.extraEnvVars . 
| nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.persist.internalPort }} + name: http-persist + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.persist.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.persist.resources | indent 10 }} +{{- if .Values.persist.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.persist.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.persist.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.persist.livenessProbe.config . | indent 10 }} +{{- end }} + {{- $mountPath := .Values.xray.persistence.mountPath }} + {{- range .Values.xray.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: {{ include "xray.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/log {{ . }}' + volumeMounts: + - name: data-volume + mountPath: {{ $mountPath }} + - name: tail-logger-script + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + resources: +{{ toYaml $.Values.xray.loggersResources | indent 10 }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . 
| nindent 10 }} + {{- end }} + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} +{{- if or .Values.common.customSidecarContainers .Values.global.customSidecarContainers }} +{{ tpl (include "xray.customSidecarContainers" .) . | indent 6 }} +{{- end }} + {{- if or .Values.xray.nodeSelector .Values.global.nodeSelector }} +{{ tpl (include "xray.nodeSelector" .) . | indent 6 }} + {{- end }} + {{- if .Values.affinity }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.xray.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + {{- else if eq .Values.xray.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . 
| indent 8 }} + {{- end }} + volumes: + ########## External secrets ########### + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + secret: + secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.xray.customCertificates.certificateSecretName }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ .Values.systemYamlOverride.existingSecret }} + {{- end }} + ############ Config map, Volumes and Custom Volumes ############## + {{- if .Values.xray.loggers }} + - name: tail-logger-script + configMap: + name: {{ template "xray.fullname" . }}-logger + {{- end }} + - name: data-volume + emptyDir: + sizeLimit: {{ .Values.common.persistence.size }} + {{- if and .Values.xray.unifiedSecretInstallation (eq (include "xray.checkDuplicateUnifiedCustomVolume" .) "false" ) }} + ######### unifiedSecretInstallation ########### + - name: {{ include "xray.unifiedCustomSecretVolumeName" . }} + secret: + secretName: {{ template "xray.name" . }}-unified-secret + {{- else if not .Values.xray.unifiedSecretInstallation }} + ######### Non unifiedSecretInstallation ########### + {{- if not .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ printf "%s-%s" (include "xray.fullname" .) "system-yaml" }} + {{- end }} + {{- end }} + {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "xray.rabbitmqCustomCertificateshandler" . }} + {{- end }} + +{{- if or .Values.common.customVolumes .Values.global.customVolumes }} +{{ tpl (include "xray.customVolumes" .) . | indent 6 }} +{{- end }} + {{- if .Values.filebeat.enabled }} + - name: filebeat-config + configMap: + name: {{ template "xray.fullname" . 
}}-filebeat-config
+ {{- end }}
+ {{- if .Values.common.configMaps }}
+ - name: xray-configmaps
+ configMap:
+ name: {{ template "xray.fullname" . }}-configmaps
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-ipa-svc.yaml b/stable/xray/templates/xray-ipa-svc.yaml
new file mode 100644
index 000000000..529f2571e
--- /dev/null
+++ b/stable/xray/templates/xray-ipa-svc.yaml
@@ -0,0 +1,62 @@
+{{- if .Values.splitXraytoSeparateDeployments.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: xray-ipa-headless
+ labels:
+ app: {{ template "xray.name" . }}
+ chart: {{ template "xray.chart" . }}
+ component: {{ .Values.xray.name }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ servicename: ipa
+ {{- with .Values.xray.labels }}
+{{ toYaml . | indent 4 }}
+ {{- end }}
+spec:
+ clusterIP: None
+ type: ClusterIP
+ {{- if .additionalSpec }}
+{{ tpl .additionalSpec $ | indent 2 }}
+ {{- end }}
+ ports:
+ - name: http-analysis
+ port: {{ .Values.analysis.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.analysis.internalPort }}
+ - name: http-indexer
+ port: {{ .Values.indexer.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.indexer.internalPort }}
+ - name: http-persist
+ port: {{ .Values.persist.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.persist.internalPort }}
+ - name: http-router
+ port: {{ .Values.router.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.router.internalPort }}
+{{- if .Values.sbom.enabled }}
+ - name: http-sbom
+ port: {{ .Values.sbom.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.sbom.internalPort }}
+{{- end }}
+{{- if .Values.panoramic.enabled }}
+ - name: http-panoramic
+ port: {{ .Values.panoramic.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.panoramic.internalPort }}
+{{- end }}
+{{- if .Values.policyenforcer.enabled }}
+ - name: http-polenf
+ port: {{ .Values.policyenforcer.externalPort }}
+ protocol: TCP
+ targetPort: {{ .Values.policyenforcer.internalPort }}
+{{- end }}
+ selector:
+ app: {{ template "xray.name" . }}
+ component: {{ .Values.xray.name }}
+ release: {{ .Release.Name }}
+ servicename: ipa
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-keda-hpa-ipa.yaml b/stable/xray/templates/xray-keda-hpa-ipa.yaml
new file mode 100644
index 000000000..f9776b4b9
--- /dev/null
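Review bot: `{{- if .additionalSpec }}` / `{{ tpl .additionalSpec $ | indent 2 }}` looks up a field on the root template context instead of under `.Values`, so in this file it always evaluates empty and the branch never renders; the `$` in the `tpl` call suggests the lines were copied from a template where `.` was a per-service entry, and the intended source is presumably a values key (none is in view, so confirm) — `{{- with .Values.<service>.additionalSpec }}` with `<service>` as the right values path. The Service name is hard-coded as `name: xray-ipa-headless` while every other object in this commit is prefixed with `{{ template "xray.fullname" . }}`, so two releases in one namespace would collide on it and the name no longer follows the release; `name: {{ template "xray.fullname" . }}-ipa-headless` keeps the convention, and if the fixed DNS name is deliberate because other components address it directly, a one-line comment saying so would save the next reader the question.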
+++ b/stable/xray/templates/xray-keda-hpa-ipa.yaml
@@ -0,0 +1,38 @@
+{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }}
+{{- if and (.Values.autoscalingIpa.enabled) (eq .Values.autoscalingIpa.keda.enabled true) }}
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+ labels:
+ app: {{ template "xray.name" . }}
+ chart: {{ template "xray.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "xray.fullname" . }}-ipa
+spec:
+ scaleTargetRef:
+ kind: Deployment
+ name: {{ template "xray.fullname" . }}-ipa
+ minReplicaCount: {{ .Values.autoscalingIpa.minReplicas }}
+ maxReplicaCount: {{ .Values.autoscalingIpa.maxReplicas }}
+ pollingInterval: {{ .Values.autoscalingIpa.keda.pollingInterval }}
+ cooldownPeriod: {{ .Values.autoscalingIpa.keda.cooldownPeriod }}
+ advanced:
+ horizontalPodAutoscalerConfig:
+ behavior:
+ scaleUp:
+ {{- .Values.autoscalingIpa.keda.scaleUp | toYaml | nindent 10 }}
+ scaleDown:
+ {{- .Values.autoscalingIpa.keda.scaleDown | toYaml | nindent 10 }}
+ triggers:
+ {{- include "xray.autoscalingQueuesIpa" . | indent 4 }}
+ - type: cpu
+ metricType: Utilization
+ metadata:
+ value: "{{ .Values.autoscalingIpa.targetCPUUtilizationPercentage }}"
+ - type: memory
+ metricType: Utilization
+ metadata:
+ value: "{{ .Values.autoscalingIpa.targetMemoryUtilizationPercentage }}"
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-keda-hpa-server.yaml b/stable/xray/templates/xray-keda-hpa-server.yaml
new file mode 100644
index 000000000..145e933c3
--- /dev/null
+++ b/stable/xray/templates/xray-keda-hpa-server.yaml
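Review bot: `{{- include "xray.autoscalingQueuesIpa" . | indent 4 }}` trims the newline after `triggers:` and `indent` adds none back, so the included text is only placed on its own line if the helper's output itself begins with a newline (the helper is not in view, so this is inferred); `{{- include "xray.autoscalingQueuesIpa" . | nindent 4 }}` does not depend on that and matches the `nindent` already used for `scaleUp`/`scaleDown` two lines above. The same applies to `xray.autoscalingQueuesServer` in xray-keda-hpa-server.yaml. As a point of style, `(eq .Values.autoscalingIpa.keda.enabled true)` is just `.Values.autoscalingIpa.keda.enabled`, and the two new ScaledObject files differ only in the `Ipa`/`Server` suffix, so a shared named template taking the suffix and values sub-map would keep them from drifting.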
@@ -0,0 +1,38 @@
+{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }}
+{{- if and (.Values.autoscalingServer.enabled) (eq .Values.autoscalingServer.keda.enabled true) }}
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+ labels:
+ app: {{ template "xray.name" . }}
+ chart: {{ template "xray.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "xray.fullname" . }}-server
+spec:
+ scaleTargetRef:
+ kind: Deployment
+ name: {{ template "xray.fullname" . }}-server
+ minReplicaCount: {{ .Values.autoscalingServer.minReplicas }}
+ maxReplicaCount: {{ .Values.autoscalingServer.maxReplicas }}
+ pollingInterval: {{ .Values.autoscalingServer.keda.pollingInterval }}
+ cooldownPeriod: {{ .Values.autoscalingServer.keda.cooldownPeriod }}
+ advanced:
+ horizontalPodAutoscalerConfig:
+ behavior:
+ scaleUp:
+ {{- .Values.autoscalingServer.keda.scaleUp | toYaml | nindent 10 }}
+ scaleDown:
+ {{- .Values.autoscalingServer.keda.scaleDown | toYaml | nindent 10 }}
+ triggers:
+ {{- include "xray.autoscalingQueuesServer" . | indent 4 }}
+ - type: cpu
+ metricType: Utilization
+ metadata:
+ value: "{{ .Values.autoscalingServer.targetCPUUtilizationPercentage }}"
+ - type: memory
+ metricType: Utilization
+ metadata:
+ value: "{{ .Values.autoscalingServer.targetMemoryUtilizationPercentage }}"
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-keda-hpa.yaml b/stable/xray/templates/xray-keda-hpa.yaml
index dbca87f70..9827c89e4 100644
--- a/stable/xray/templates/xray-keda-hpa.yaml
+++ b/stable/xray/templates/xray-keda-hpa.yaml
@@ -1,3 +1,4 @@
+{{- if or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled) }}
 {{- if and (.Values.autoscaling.enabled) (eq .Values.autoscaling.keda.enabled true) }}
 apiVersion: keda.sh/v1alpha1
 kind: ScaledObject
@@ -16,9 +17,6 @@ spec:
 maxReplicaCount: {{ .Values.autoscaling.maxReplicas }}
 pollingInterval: {{ .Values.autoscaling.keda.pollingInterval }}
 cooldownPeriod: {{ .Values.autoscaling.keda.cooldownPeriod }}
- fallback:
- failureThreshold: 3
- replicas: 5
 advanced:
 horizontalPodAutoscalerConfig:
 behavior:
@@ -36,4 +34,5 @@ spec:
 metricType: Utilization
 metadata:
 value: "{{ .Values.autoscaling.targetMemoryUtilizationPercentage }}"
+{{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-keda-secret.yaml b/stable/xray/templates/xray-keda-secret.yaml
index 38fea43f1..c9c0b9cb9 100644
--- a/stable/xray/templates/xray-keda-secret.yaml
+++ b/stable/xray/templates/xray-keda-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.autoscaling.keda.enabled }}
+{{- if or .Values.autoscaling.keda.enabled .Values.autoscalingServer.keda.enabled .Values.autoscalingIpa.keda.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/stable/xray/templates/xray-keda-trigger-authentication.yaml b/stable/xray/templates/xray-keda-trigger-authentication.yaml
index a83c28453..aa50a6b6f 100644
--- a/stable/xray/templates/xray-keda-trigger-authentication.yaml
+++ b/stable/xray/templates/xray-keda-trigger-authentication.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.autoscaling.keda.enabled }}
+{{- if or .Values.autoscaling.keda.enabled .Values.autoscalingServer.keda.enabled .Values.autoscalingIpa.keda.enabled }}
 apiVersion: keda.sh/v1alpha1
 kind: TriggerAuthentication
 metadata:
diff --git a/stable/xray/templates/xray-server-deployment.yaml b/stable/xray/templates/xray-server-deployment.yaml
new file mode 100644
index 000000000..a481b4fe5
--- /dev/null
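Review bot: The new guard `or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled)` is equivalent to `or .Values.splitXraytoSeparateDeployments.gradualUpgrade (not .Values.splitXraytoSeparateDeployments.enabled)` — when `enabled` is false the second operand is already true, and when it is true the `and` reduces to `gradualUpgrade` — so the shorter form reads more clearly. The identical expression opens xray-statefulset.yaml in this commit, and its complement `and (not gradualUpgrade) enabled` gates the three new per-deployment files, so a one-line comment above each stating the intent (legacy StatefulSet objects render unless the split is enabled without gradual upgrade; both sets render during a gradual upgrade) would help readers reconcile the four files.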
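Review bot: Removing `fallback:` / `failureThreshold: 3` / `replicas: 5` is a runtime behaviour change for existing installs, not just a refactor: when the RabbitMQ scaler cannot fetch its metric, KEDA no longer pins the workload to 5 replicas and the outcome is left to whatever the HPA does with missing metrics. Neither the two new ScaledObject files nor the CHANGELOG entries visible on this page mention it, so if the removal is intentional it deserves a changelog line, and if it is not, keeping the stanza (possibly driven by a value such as `autoscaling.keda.fallback`) preserves the previous safety net.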
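Review bot: The widened condition `or .Values.autoscaling.keda.enabled .Values.autoscalingServer.keda.enabled .Values.autoscalingIpa.keda.enabled` renders the KEDA Secret — and, in the next hunk, the TriggerAuthentication — whenever any of the three flags is set, while the matching ScaledObjects are additionally gated on `splitXraytoSeparateDeployments`; with, say, `autoscalingIpa.keda.enabled=true` but the split disabled, a Secret holding broker credentials is created that nothing consumes. Mirroring the ScaledObject gates here (or deriving one shared `keda enabled` helper used by all five files) keeps credential material from being emitted without a consumer. Note also that the new expression dereferences `.Values.autoscalingServer.keda` and `.Values.autoscalingIpa.keda` unconditionally, so values.yaml (not in view) must define both sub-maps or rendering fails with a nil-pointer error.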
+++ b/stable/xray/templates/xray-server-deployment.yaml 
@@ -0,0 +1,701 @@ +{{- if .Values.splitXraytoSeparateDeployments.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "xray.fullname" . }}-server + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: server + {{- with .Values.xray.labels }} +{{ toYaml . | indent 4 }} + {{- end }} +{{- if .Release.IsUpgrade }} + unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} +{{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' or 13.10.0-debian-11-r14 or 15.2.0-debian-11-r23 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x or 13.x or 15.x" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- with .Values.server.statefulset.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if not .Values.autoscalingServer.enabled }} + replicas: {{ .Values.replicaCountServer }} +{{- end }} +{{- with .Values.deployment.strategy }} + strategy: +{{ toYaml . | indent 4 }} +{{- end }} + selector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: server + template: + metadata: + labels: + app: {{ template "xray.name" . 
}} + chart: {{ template "xray.chart" . }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: server + {{- with .Values.xray.labels }} +{{ toYaml . | indent 8 }} + {{- end }} + annotations: + {{- if not .Values.xray.unifiedSecretInstallation }} + checksum/database-secrets: {{ include (print $.Template.BasePath "/xray-database-secrets.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/xray-system-yaml.yaml") . | sha256sum }} + {{- else }} + checksum/xray-unified-secret: {{ include (print $.Template.BasePath "/xray-unified-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.analysis.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.indexer.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.persist.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.server.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.router.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.filebeat.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.xray.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + spec: + {{- if .Values.xray.schedulerName }} + schedulerName: {{ .Values.xray.schedulerName | quote }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "xray.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.xray.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.xray.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.xray.priorityClass.create }} + priorityClassName: {{ default (include "xray.fullname" .) .Values.xray.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "xray.serviceAccountName" . 
}} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.common.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if or .Values.common.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "xray.customInitContainersBegin" .) . | indent 6 }} + {{- end }} + - name: 'copy-system-yaml' + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + if [[ -e "{{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.xray.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Remove {{ .Values.xray.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.xray.persistence.mountPath }}/lost+found; + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security; + echo ${XRAY_JOIN_KEY} > {{ 
.Values.xray.persistence.mountPath }}/etc/security/join.key; + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security; + echo ${XRAY_MASTER_KEY} > {{ .Values.xray.persistence.mountPath }}/etc/security/master.key; + {{- end }} + env: + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + - name: XRAY_JOIN_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.joinKeySecretName .Values.global.joinKeySecretName) }} + name: {{ include "xray.joinKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + - name: XRAY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.masterKeySecretName .Values.global.masterKeySecretName) }} + name: {{ include "xray.masterKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath | quote }} + {{- if or (not .Values.xray.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + {{- else }} + - name: {{ include "xray.unifiedCustomSecretVolumeName" . 
}} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else }} + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- end }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }} + - name: copy-custom-certificates + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "xray.copyCustomCerts" . | indent 10 }} +{{ include "xray.copyRabbitmqCustomCerts" . | indent 10 }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{- end }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if .Values.postgresql.enabled }} + - name: "wait-for-db" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . 
| nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! $ready; do echo waiting; + timeout 2s bash -c " + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/router/app/bin/entrypoint-router.sh; + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "xray.router.server.requiredServiceTypes" . }} + {{- if .Values.router.extraEnvVars }} + {{- tpl .Values.router.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - name: http-router + containerPort: {{ .Values.router.internalPort }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} +{{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} +{{- end }} + - name: {{ .Values.observability.name }} + image: {{ include "xray.getImageInfoByValue" (list . 
"observability") }} + imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/sh' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/observability/app/bin/entrypoint-observability.sh; + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if .Values.observability.extraEnvVars }} + {{- tpl .Values.observability.extraEnvVars . | nindent 8 }} + {{- end }} + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.observability.persistence.mountPath }}" + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + - name: {{ .Values.server.name }} + image: {{ include "xray.getImageInfoByValue" (list . "server") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.server.preStartCommand }} + echo "Running custom Server preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.server.lifecycle }} + lifecycle: +{{ toYaml . 
| indent 10 }} + {{- end }} + env: + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . 
}} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.server.extraEnvVars }} + {{- tpl .Values.server.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.server.internalPort }} + name: http-server + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.server.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.server.resources | indent 10 }} +{{- if .Values.server.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.server.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.server.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.server.livenessProbe.config . | indent 10 }} +{{- end }} + {{- $mountPath := .Values.xray.persistence.mountPath }} + {{- range .Values.xray.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: {{ include "xray.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/log {{ . 
}}' + volumeMounts: + - name: data-volume + mountPath: {{ $mountPath }} + - name: tail-logger-script + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + resources: +{{ toYaml $.Values.xray.loggersResources | indent 10 }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} +{{- if or .Values.common.customSidecarContainers .Values.global.customSidecarContainers }} +{{ tpl (include "xray.customSidecarContainers" .) . | indent 6 }} +{{- end }} + {{- if or .Values.xray.nodeSelector .Values.global.nodeSelector }} +{{ tpl (include "xray.nodeSelector" .) . | indent 6 }} + {{- end }} + {{- if .Values.affinity }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.xray.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . 
}} + release: {{ .Release.Name }} + {{- else if eq .Values.xray.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + ########## External secrets ########### + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + secret: + secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.xray.customCertificates.certificateSecretName }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ .Values.systemYamlOverride.existingSecret }} + {{- end }} + ############ Config map, Volumes and Custom Volumes ############## + {{- if .Values.xray.loggers }} + - name: tail-logger-script + configMap: + name: {{ template "xray.fullname" . }}-logger + {{- end }} + - name: data-volume + emptyDir: + sizeLimit: {{ .Values.common.persistence.size }} + {{- if and .Values.xray.unifiedSecretInstallation (eq (include "xray.checkDuplicateUnifiedCustomVolume" .) "false" ) }} + ######### unifiedSecretInstallation ########### + - name: {{ include "xray.unifiedCustomSecretVolumeName" . }} + secret: + secretName: {{ template "xray.name" . }}-unified-secret + {{- else if not .Values.xray.unifiedSecretInstallation }} + ######### Non unifiedSecretInstallation ########### + {{- if not .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ printf "%s-%s" (include "xray.fullname" .) 
"system-yaml" }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }}
+ - name: rabbitmq-ca-certs
+ secret:
+ secretName: {{ template "xray.rabbitmqCustomCertificateshandler" . }}
+ {{- end }}
+
+{{- if or .Values.common.customVolumes .Values.global.customVolumes }}
+{{ tpl (include "xray.customVolumes" .) . | indent 6 }}
+{{- end }}
+ {{- if .Values.filebeat.enabled }}
+ - name: filebeat-config
+ configMap:
+ name: {{ template "xray.fullname" . }}-filebeat-config
+ {{- end }}
+ {{- if .Values.common.configMaps }}
+ - name: xray-configmaps
+ configMap:
+ name: {{ template "xray.fullname" . }}-configmaps
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-statefulset.yaml b/stable/xray/templates/xray-statefulset.yaml
index cd54fb0df..7d92bc25f 100644
--- a/stable/xray/templates/xray-statefulset.yaml
+++ b/stable/xray/templates/xray-statefulset.yaml
@@ -1,3 +1,4 @@
+{{- if or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled) }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -7,6 +8,7 @@ metadata:
 chart: {{ template "xray.chart" . }}
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
+ version: {{ include "xray.app.version" . }}
 component: {{ .Values.xray.name }}
 {{- with .Values.xray.labels }}
 {{ toYaml . | indent 4 }}
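Review bot: The new Deployment's `metadata.labels` omit the `version: {{ include "xray.app.version" . }}` label that this same commit adds to the StatefulSet, so the two workload objects end up labelled inconsistently; add `version: {{ include "xray.app.version" . }}` after `release:`. The pod template also merges `.Values.analysis.annotations`, `.Values.indexer.annotations` and `.Values.persist.annotations`, although the containers visible in this hunk are only router, observability and server (the middle of the hunk is not in view) — that reads as carried over from the StatefulSet and presumably belongs on the IPA deployment; confirm. `terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}` appears inside the `{{- if .Values.filebeat.enabled }}` block (indentation is lost in this rendering, so this is inferred), which would make the pod's grace period depend on filebeat being enabled; if it is the pod-level field it should move outside that conditional. Finally, the file repeats the StatefulSet almost verbatim, including the long `databaseUpgradeReady` message and the `copy-system-yaml` init container, so a few shared named templates would keep the two from drifting.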
@@ -15,7 +17,7 @@ metadata:
 unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }}
 {{- end }}
 {{- if and .Release.IsUpgrade .Values.postgresql.enabled }}
- databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x" .Values.databaseUpgradeReady | quote }}
+ databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' or 13.10.0-debian-11-r14 or 15.2.0-debian-11-r23 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x or 13.x or 15.x" .Values.databaseUpgradeReady | quote }}
 {{- end }}
 {{- with .Values.server.statefulset.annotations }}
 annotations:
@@ -37,6 +39,7 @@ spec:
 metadata:
 labels:
 app: {{ template "xray.name" . }}
+ chart: {{ template "xray.chart" . }}
 release: {{ .Release.Name }}
 component: {{ .Values.xray.name }}
 {{- with .Values.xray.labels }}
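Review bot: In the updated `databaseUpgradeReady` message the newly added tags `13.10.0-debian-11-r14` and `15.2.0-debian-11-r23` are not single-quoted like the three tags before them; for consistency write `'13.10.0-debian-11-r14' or '15.2.0-debian-11-r23'`. This long `required` string is now duplicated verbatim in xray-server-deployment.yaml, so moving it into one named template (a name like `xray.databaseUpgradeReadyMessage` would follow the chart's helper naming) and calling `required (include ...)` from both files would keep the two copies from drifting the next time a PostgreSQL tag is added.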
@@ -67,9 +70,12 @@ spec: {{- with .Values.filebeat.annotations }} {{ toYaml . | indent 8 }} {{- end }} - {{- range $key, $value := .Values.xray.annotations }} - {{ $key }}: {{ $value | quote }} + {{- with .Values.xray.annotations }} +{{ toYaml . | indent 8 }} {{- end }} + {{- with .Values.policyenforcer.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} spec: {{- if .Values.xray.schedulerName }} schedulerName: {{ .Values.xray.schedulerName | quote }} @@ -86,12 +92,7 @@ spec: {{- end }} serviceAccountName: {{ template "xray.serviceAccountName" . }} {{- if .Values.podSecurityContext.enabled }} - securityContext: - runAsUser: {{ .Values.common.xrayUserId }} - fsGroup: {{ .Values.common.xrayGroupId }} - {{- if .Values.common.fsGroupChangePolicy }} - fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }} - {{- end }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} {{- if .Values.common.topologySpreadConstraints }} topologySpreadConstraints: @@ -102,7 +103,8 @@ spec: {{ tpl (include "xray.customInitContainersBegin" .) . | indent 6 }} {{- end }} - name: 'copy-system-yaml' - image: '{{ .Values.initContainerImage }}' + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} {{- end }} @@ -137,7 +139,7 @@ spec: - name: XRAY_JOIN_KEY valueFrom: secretKeyRef: - {{- if not .Values.xray.unifiedSecretInstallation }} + {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.joinKeySecretName .Values.global.joinKeySecretName) }} name: {{ include "xray.joinKeySecretName" . }} {{- else }} name: "{{ template "xray.name" . }}-unified-secret" 
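Review bot: The pod securityContext is now rendered verbatim from `.Values.podSecurityContext` (whose new defaults hard-code `runAsUser`/`runAsGroup`/`fsGroup: 1035`), so it no longer follows `common.xrayUserId`, while the panoramic and policyenforcer containers added elsewhere in this diff still set `runAsUser: {{ .Values.common.xrayUserId }}`; an operator who overrides only `common.xrayUserId` now gets a pod-level fsGroup that differs from the container UID, and ownership of the data volume stops matching the process. Either keep the old coupling in the template, e.g. render `runAsUser: {{ .Values.podSecurityContext.runAsUser | default .Values.common.xrayUserId }}` and the same for `fsGroup`, or document in values.yaml that the two settings must be changed together. Passing the map through with `omit ... "enabled" | toYaml` is fine, and moving `runAsNonRoot: true` to pod level is a good hardening; since the map is now free-form, a `seccompProfile: {type: RuntimeDefault}` default would cost nothing.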
@@ -148,7 +150,7 @@ spec: - name: XRAY_MASTER_KEY valueFrom: secretKeyRef: - {{- if not .Values.xray.unifiedSecretInstallation }} + {{- if or (not .Values.xray.unifiedSecretInstallation) (or .Values.xray.masterKeySecretName .Values.global.masterKeySecretName) }} name: {{ include "xray.masterKeySecretName" . }} {{- else }} name: "{{ template "xray.name" . }}-unified-secret" @@ -158,8 +160,7 @@ spec: volumeMounts: - name: data-volume mountPath: {{ .Values.xray.persistence.mountPath | quote }} - {{- if or .Values.systemYamlOverride.existingSecret .Values.xray.systemYaml }} - {{- if not .Values.xray.unifiedSecretInstallation }} + {{- if or (not .Values.xray.unifiedSecretInstallation) .Values.systemYamlOverride.existingSecret }} - name: systemyaml {{- else }} - name: {{ include "xray.unifiedCustomSecretVolumeName" . }} @@ -167,14 +168,14 @@ spec: {{- if .Values.systemYamlOverride.existingSecret }} mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" subPath: {{ .Values.systemYamlOverride.dataKey }} - {{- else if .Values.xray.systemYaml }} + {{- else }} mountPath: "/tmp/etc/system.yaml" subPath: system.yaml {{- end }} - {{- end }} {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }} - name: copy-custom-certificates - image: "{{ .Values.initContainerImage }}" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} {{- end }} 
@@ -201,7 +202,8 @@ spec: {{- if .Values.waitForDatabase }} {{- if .Values.postgresql.enabled }} - name: "wait-for-db" - image: "{{ .Values.initContainerImage }}" + image: "{{ include "xray.getImageInfoByValue" (list . "initContainers") }}" + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} {{- if .Values.containerSecurityContext.enabled }} securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} {{- end }} 
@@ -218,6 +220,90 @@ spec: if [[ $exit_status -eq 0 ]]; then ready=true; echo "database ok"; fi; sleep 1; done {{- end }} + {{- end }} + {{- if and .Values.global.xray.rabbitmq.haQuorum.enabled .Values.common.rabbitmq.waitForReplicasQuorumOnStartup }} + - name: "wait-for-rabbitmq-replicas-quorum" + image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - -ecx + - | + echo "Waiting for rabbitmq replicas quorum to be running" + ready=false; + amqpPort={{ .Values.rabbitmq.service.ports.amqp }} + amqpTlsPort={{ .Values.rabbitmq.service.ports.amqpTls }} + managerPort={{ .Values.rabbitmq.service.ports.manager }} + managerSchema="http" + additionalFlags="" + if [[ "$JF_SHARED_RABBITMQ_MANAGEMENT_LISTENER_TLS_ENABLED" = "true" ]]; then + managerSchema="https" + additionalFlags="--insecure" + fi + rabbitMqManagementUrl=$(echo $JF_SHARED_RABBITMQ_URL | sed -e "s/amqp:/${managerSchema}:/" -e "s/amqps:/${managerSchema}:/" -e "s/:${amqpPort}/:${managerPort}/" -e "s/:${amqpTlsPort}/:${managerPort}/") + while ! 
$ready; do echo waiting; + # This would be better done with jq instead of grep -o + # jq 'map(select ( .running == true )) | length') + # but currently we do not have jq in the UBI-minimal base image approved by the installer team + nodesNum=$(curl -s ${additionalFlags} -u${JF_SHARED_RABBITMQ_USERNAME}:${JF_SHARED_RABBITMQ_PASSWORD} ${rabbitMqManagementUrl}api/nodes | grep -o '"running"\s*:true' | wc -l | tr -d '[:space:]') + echo $nodesNum + quorumSize=$(( $JF_SHARED_RABBITMQ_REPLICASCOUNT/2 + 1 )) + echo $quorumSize + if [[ "$nodesNum" -ge "$quorumSize" ]]; then ready=true; echo "rabbitmq ok"; fi; sleep 5; + done + env: + {{- if eq (include "xray.rabbitmq.isManagementListenerTlsEnabled" .) "true" }} + - name: JF_SHARED_RABBITMQ_MANAGEMENT_LISTENER_TLS_ENABLED + value: {{ include "xray.rabbitmq.isManagementListenerTlsEnabled" . | quote }} + {{- end }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if and (not .Values.rabbitmq.external.secrets) (not .Values.common.rabbitmq.connectionConfigFromEnvironment) (not .Values.common.rabbitmq.enabled) }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: "{{ .Values.rabbitmq.external.username }}" + - name: JF_SHARED_RABBITMQ_URL + value: "{{ tpl .Values.rabbitmq.external.url . 
}}" + - name: JF_SHARED_RABBITMQ_PASSWORD + value: "{{ .Values.rabbitmq.external.password }}" + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: JF_SHARED_RABBITMQ_REPLICASCOUNT + {{- if .Values.rabbitmq.enabled }} + value: "{{ .Values.rabbitmq.replicaCount }}" + {{- else }} + value: "{{ .Values.global.xray.rabbitmq.replicaCount }}" + {{- end }} {{- end }} {{- if or .Values.common.customInitContainers .Values.global.customInitContainers }} {{ tpl (include "xray.customInitContainers" .) . | indent 6 }} 
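Review bot: The `wait-for-rabbitmq-replicas-quorum` script runs under `bash -ecx`, and with `-x` every expanded command is traced to stderr, so the line `curl -s ${additionalFlags} -u${JF_SHARED_RABBITMQ_USERNAME}:${JF_SHARED_RABBITMQ_PASSWORD} ...` writes the RabbitMQ password into the init container's log on every poll iteration, readable by anyone with `pods/log` access. Drop the trace (`- -ec`) and hand the credentials to curl on stdin instead of argv, e.g. `curl -s ${additionalFlags} -K - <<< "user = \"${JF_SHARED_RABBITMQ_USERNAME}:${JF_SHARED_RABBITMQ_PASSWORD}\"" "${rabbitMqManagementUrl}api/nodes"`, which also keeps them out of `ps`. In the TLS case the script sets `additionalFlags="--insecure"`, disabling certificate verification against the management API; the chart appears to mount a `rabbitmq-ca-certs` secret volume when RabbitMQ TLS is enabled (see the volumes hunk at the top of this chunk), so `--cacert` against that CA would be preferable to blanket trust, though the mount path for this init container is not visible here. The loop also has no upper bound and `grep -o '"running"\s*:true' | wc -l` yields 0 for any non-JSON reply (401, 5xx), so a wrong credential spins silently forever — `curl --fail` plus echoing the HTTP status on failure would make that diagnosable.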
@@ -809,6 +895,331 @@ spec: livenessProbe: {{ tpl .Values.sbom.livenessProbe.config . | indent 10 }} {{- end }} +{{- end }} +{{- if .Values.panoramic.enabled }} + - name: {{ .Values.panoramic.name }} + image: {{ include "xray.getImageInfoByValue" (list . "panoramic") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.common.xrayUserId }} + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.panoramic.preStartCommand }} + echo "Running custom panoramic preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.panoramic.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . 
}} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . 
}} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.sbom.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.panoramic.resources | indent 10 }} +{{- if .Values.panoramic.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.panoramic.startupProbe.config . 
| indent 10 }} +{{- end }} +{{- if .Values.panoramic.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.panoramic.livenessProbe.config . | indent 10 }} +{{- end }} +{{- end }} +{{- if .Values.policyenforcer.enabled }} + - name: {{ .Values.policyenforcer.name }} + image: {{ include "xray.getImageInfoByValue" (list . "policyenforcer") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.common.xrayUserId }} + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.policyenforcer.preStartCommand }} + echo "Running custom policyenforcer preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.policyenforcer.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . 
}} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.indexer.extraEnvVars }} + {{- tpl .Values.indexer.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.policyenforcer.internalPort }} + name: http-polenf + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.sbom.customVolumeMounts }} +{{ tpl . 
$ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.policyenforcer.resources | indent 10 }} +{{- if .Values.policyenforcer.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.policyenforcer.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.policyenforcer.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.policyenforcer.livenessProbe.config . | indent 10 }} +{{- end }} {{- end }} - name: {{ .Values.indexer.name }} image: {{ include "xray.getImageInfoByValue" (list . "indexer") }} @@ -1119,9 +1530,10 @@ spec: {{- $mountPath := .Values.xray.persistence.mountPath }} {{- range .Values.xray.loggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: {{ include "xray.getImageInfoByValue" (list $ "logger") }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + image: {{ include "xray.getImageInfoByValue" (list $ "initContainers") }} + imagePullPolicy: {{ $.Values.initContainers.image.pullPolicy }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} command: - 'sh' @@ -1233,7 +1645,7 @@ spec: secretName: {{ template "xray.name" . }}-unified-secret {{- else if not .Values.xray.unifiedSecretInstallation }} ######### Non unifiedSecretInstallation ########### - {{- if and (not .Values.systemYamlOverride.existingSecret) .Values.xray.systemYaml }} + {{- if not .Values.systemYamlOverride.existingSecret }} - name: systemyaml secret: secretName: {{ printf "%s-%s" (include "xray.fullname" .) "system-yaml" }} @@ -1277,3 +1689,4 @@ spec: storage: {{ .size }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-svc.yaml b/stable/xray/templates/xray-svc.yaml index 6a4984e3c..756db8ed6 100644 --- a/stable/xray/templates/xray-svc.yaml +++ b/stable/xray/templates/xray-svc.yaml 
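Review bot: Both new containers appear to carry copy-paste leftovers from their sibling blocks: the `panoramic` and `policyenforcer` volumeMounts use `{{- with .Values.sbom.customVolumeMounts }}` rather than their own `.Values.panoramic.customVolumeMounts` / `.Values.policyenforcer.customVolumeMounts`, and `policyenforcer` appends `{{- if .Values.indexer.extraEnvVars }}`, so an operator customising the indexer silently injects those env vars (possibly credentials) into the policy enforcer as well. Both containers also hard-code their securityContext (`runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation: false`, drop `NET_RAW` only) instead of rendering `.Values.containerSecurityContext` the way the init containers in this file do, so an operator who tightens `containerSecurityContext` (e.g. `drop: [ALL]`, `readOnlyRootFilesystem`, `seccompProfile`) never reaches these processes; `securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}` would keep them consistent. I cannot see the existing indexer/sbom containers in this chunk, so if they too hard-code the context this is a pre-existing pattern rather than a regression, but the `sbom.*`/`indexer.*` references look wrong either way.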
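Review bot: The loggers sidecar now renders `securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}` without the `tpl` pass that every init container in this file applies, so a `containerSecurityContext` value containing template syntax renders as literal text here and the sidecar is rejected or runs with a different identity than the rest of the pod. The `.Values` → `$.Values` correction inside the `range` is right and was needed; keep the pipeline otherwise identical to the init containers: `securityContext: {{- tpl (omit $.Values.containerSecurityContext "enabled" | toYaml) $ | nindent 10 }}`. Switching the sidecar image to the shared `initContainers` image is reasonable, but the removed `logger.image` value should be called out as a breaking change for anyone who pinned it.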
@@ -14,8 +14,8 @@ metadata: {{- with .Values.server.service }} {{- if .annotations }} annotations: - {{- range $key, $value := .annotations }} - {{ $key }}: {{ $value | quote }} + {{- with .annotations }} +{{ toYaml . | indent 4 }} {{- end }} {{- end }} spec: @@ -37,3 +37,6 @@ spec: app: {{ template "xray.name" . }} component: {{ .Values.xray.name }} release: {{ .Release.Name }} +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} + servicename: server +{{- end }} diff --git a/stable/xray/templates/xray-system-yaml.yaml b/stable/xray/templates/xray-system-yaml.yaml index 47781db7c..95d82eba9 100644 --- a/stable/xray/templates/xray-system-yaml.yaml +++ b/stable/xray/templates/xray-system-yaml.yaml @@ -11,5 +11,5 @@ metadata: type: Opaque stringData: system.yaml: | -{{ tpl .Values.xray.systemYaml . | indent 4 }} +{{ include "xray.finalSystemYaml" . | nindent 4 }} {{- end }} diff --git a/stable/xray/templates/xray-unified-secret.yaml b/stable/xray/templates/xray-unified-secret.yaml index 6fa086858..51e421228 100644 --- a/stable/xray/templates/xray-unified-secret.yaml +++ b/stable/xray/templates/xray-unified-secret.yaml @@ -22,7 +22,7 @@ stringData: {{- if not .Values.systemYamlOverride.existingSecret }} system.yaml: | -{{ tpl .Values.xray.systemYaml . | nindent 4 }} +{{ include "xray.finalSystemYaml" . | nindent 4 }} {{- end }} data: diff --git a/stable/xray/values-large.yaml b/stable/xray/values-large.yaml deleted file mode 100644 index 41081ae08..000000000 --- a/stable/xray/values-large.yaml +++ /dev/null 
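Review bot: Replacing `{{ $key }}: {{ $value | quote }}` with `{{ toYaml . | indent 4 }}` drops the string coercion for Service annotations: a value such as `service.beta.kubernetes.io/...: true` or `...: 8080` written unquoted in a values file is parsed as a bool/int by Helm and is now emitted unquoted, and the API server rejects annotations whose values are not strings. If the `toYaml` form is kept, document in values.yaml that annotation values must be quoted strings, or keep the quoting loop; the pod-template annotations in the StatefulSet received the same change earlier in this diff. The added selector label `servicename: server` is only correct if the separate server Deployment stamps that label on its pods — that template is not in this chunk, so it could not be checked here.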
@@ -1,75 +0,0 @@ -replicaCount: 7 -common: - persistence: - size: 500Gi -rabbitmq: - replicaCount: 3 - memoryHighWatermark: - enabled: true - type: "absolute" - value: 2500MB - maxAvailableSchedulers: "4" - onlineSchedulers: "4" - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "3Gi" - cpu: "3" - -postgresql: - postgresqlExtendedConf: - maxConnections: "600" - resources: - requests: - memory: "1Gi" - cpu: "1" - limits: - memory: "6Gi" - cpu: "6" - -server: - resources: - requests: - memory: "300Mi" - cpu: "100m" - limits: - memory: "10Gi" - cpu: "10" - -analysis: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "10Gi" - cpu: "10" - -sbom: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "10Gi" - cpu: "10" - -persist: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "10Gi" - cpu: "10" - -indexer: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "10Gi" - cpu: "10" diff --git a/stable/xray/values-medium.yaml b/stable/xray/values-medium.yaml deleted file mode 100644 index 1894caa84..000000000 --- a/stable/xray/values-medium.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -replicaCount: 3 -common: - persistence: - size: 200Gi -rabbitmq: - replicaCount: 3 - memoryHighWatermark: - enabled: true - type: "absolute" - value: 1700MB - maxAvailableSchedulers: "2" - onlineSchedulers: "2" - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "2Gi" - cpu: "2" - -postgresql: - postgresqlExtendedConf: - maxConnections: "400" - resources: - requests: - memory: "1Gi" - cpu: "1" - limits: - memory: "4Gi" - cpu: "4" - -server: - resources: - requests: - memory: "300Mi" - cpu: "100m" - limits: - memory: "8Gi" - cpu: "6" - -analysis: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "8Gi" - cpu: "6" - -sbom: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "8Gi" - cpu: "6" - -persist: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "8Gi" - cpu: "6" - -indexer: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "8Gi" - cpu: "8" diff --git a/stable/xray/values-small.yaml b/stable/xray/values-small.yaml deleted file mode 100644 index ec021db5b..000000000 --- a/stable/xray/values-small.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -replicaCount: 2 -common: - persistence: - size: 100Gi -rabbitmq: - replicaCount: 3 - memoryHighWatermark: - enabled: true - type: "absolute" - value: 700MB - maxAvailableSchedulers: "1" - onlineSchedulers: "1" - resources: - requests: - memory: "512Mi" - cpu: "500m" - limits: - memory: "1Gi" - cpu: "1" - -postgresql: - postgresqlExtendedConf: - maxConnections: "200" - resources: - requests: - memory: "1Gi" - cpu: "1" - limits: - memory: "2Gi" - cpu: "2" - -server: - resources: - requests: - memory: "300Mi" - cpu: "100m" - limits: - memory: "4Gi" - cpu: "3" - -analysis: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "4Gi" - cpu: "3" - -sbom: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "4Gi" - cpu: "3" - -persist: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "4Gi" - cpu: "3" - -indexer: - resources: - requests: - memory: "300Mi" - cpu: "50m" - limits: - memory: "4Gi" - cpu: "4" diff --git a/stable/xray/values.yaml b/stable/xray/values.yaml index d0527d2ce..bc57875af 100644 --- a/stable/xray/values.yaml +++ b/stable/xray/values.yaml @@ -10,6 +10,7 @@ global: ## Note: Order of preference is 1) global.versions 2) common.xrayVersion 3) image tags 4) Chart.AppVersion versions: {} # xray: + # initContainers: # router: # joinKey: # masterKey: @@ -44,6 +45,21 @@ global: enabled: autoGenerated: + xray: + # Rabbitmq settings that are specific to Xray + rabbitmq: + replicaCount: 1 + haQuorum: + enabled: false + waitForPreviousPodsOnInitialStartup: true + vhost: xray_haq + +deployment: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + ## String to partially override xray.fullname template (will maintain the release name) ## # nameOverride: 
@@ -52,11 +68,15 @@ global: ## # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.717 imagePullPolicy: IfNotPresent # Init containers initContainers: + image: + registry: releases-docker.jfrog.io + repository: ubi9/ubi-minimal + tag: 9.4.949.1716471857 + pullPolicy: IfNotPresent resources: requests: memory: "50Mi" @@ -96,8 +116,9 @@ xray: # adding minAvailable for Xray Pod Disruption Budget # minAvailable: 1 - # unifiedSecretInstallation flag enables single unified secret holding all xray secrets - unifiedSecretInstallation: false + # unifiedSecretInstallation flag enables single unified secret holding all the xray internal(chart) secrets, It won't be affecting external secrets. + ## Note: unifiedSecretInstallation flag is enabled by true by default from chart version 103.91.x, Users can switch to false to continue with the old way of secret creation. + unifiedSecretInstallation: true ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ schedulerName: 
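Review bot: Flipping `unifiedSecretInstallation` to `true` by default changes which Secret existing releases mount on their next `helm upgrade` (every chart-generated secret — master key, join key, DB credentials — now comes from one `<name>-unified-secret`), which is a rollout of every pod and a loss of RBAC granularity, since anyone allowed to read that one Secret obtains every credential at once. The comment should say this and name the opt-out explicitly, e.g. `## Note: defaults to true since chart 103.91.x; existing installations that want to keep the per-secret layout must set unifiedSecretInstallation=false`, and `enabled by true by default` should read `set to true by default`. Whether the values of the old per-purpose Secrets are carried over automatically is not visible in this hunk and belongs in CHANGELOG.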
@@ -174,70 +195,23 @@ xray: username: "" password: "" - systemYaml: | - configVersion: 1 - router: - serviceRegistry: - insecure: {{ .Values.router.serviceRegistry.insecure }} - shared: - {{- if .Values.xray.openMetrics.enabled }} - metrics: - enabled: true - {{- if .Values.xray.openMetrics.filebeat.enabled }} - filebeat: {{ toYaml .Values.xray.openMetrics.filebeat | nindent 6 }} - {{- end }} - {{- end }} - logging: - consoleLog: - enabled: {{ .Values.xray.consoleLog }} - jfrogUrl: "{{ tpl (required "\n\nxray.jfrogUrl or global.jfrogUrl is required! This allows to connect to Artifactory.\nYou can copy the JFrog URL from Administration > User Management > Settings > Connection details" (include "xray.jfrogUrl" .)) . }}" - database: - {{- if .Values.postgresql.enabled }} - type: "postgresql" - driver: "org.postgresql.Driver" - username: "{{ .Values.postgresql.postgresqlUsername }}" - url: "postgres://{{ .Release.Name }}-postgresql:{{ .Values.postgresql.service.port }}/{{ .Values.postgresql.postgresqlDatabase }}?sslmode=disable" - {{- else }} - type: {{ .Values.database.type }} - driver: {{ .Values.database.driver }} - {{- end }} - {{- if and (not .Values.rabbitmq.enabled) (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} - rabbitMq: - erlangCookie: - value: "{{ .Values.rabbitmq.external.erlangCookie }}" - {{- if not .Values.rabbitmq.external.secrets }} - url: "{{ tpl .Values.rabbitmq.external.url . 
}}" - username: "{{ .Values.rabbitmq.external.username }}" - password: "{{ .Values.rabbitmq.external.password }}" - {{- end }} - {{- end }} - {{- if .Values.xray.mongoUrl }} - mongo: - url: "{{ .Values.xray.mongoUrl }}" - username: "{{ .Values.xray.mongoUsername }}" - password: "{{ .Values.xray.mongoPassword }}" - {{- end }} - {{- if or .Values.server.mailServer .Values.server.indexAllBuilds }} - server: - {{- if .Values.server.mailServer }} - mailServer: "{{ .Values.server.mailServer }}" - {{- end }} - {{- if .Values.server.indexAllBuilds }} - indexAllBuilds: {{ .Values.server.indexAllBuilds }} - {{- end }} - {{- end }} - {{- if (include "xray.imagePullSecretsStrList" .) }} - executionService: - pullSecret: - {{- include "xray.imagePullSecretsStrList" . | indent 2 }} - {{- end }} - contextualAnalysis: - registry: {{ include "xray.getRegistryByService" (list . "contextualAnalysis") }} - image: {{ .Values.contextualAnalysis.image.repository }} - exposures: - container: - registry: {{ include "xray.getRegistryByService" (list . "exposures") }} - image: {{ .Values.exposures.image.repository }} + ## System YAML entries now reside under files/system.yaml. + ## You can provide the specific values that you want to add or override under 'xray.extraSystemYaml'. + ## For example: + ## extraSystemYaml: + ## shared: + ## logging: + ## consoleLog: + ## enabled: true + ## The entries provided under 'xray.extraSystemYaml' are merged with files/system.yaml to create the final system.yaml. + ## If you have already provided system.yaml under, 'xray.systemYaml', the values in that entry take precedence over files/system.yaml + ## You can modify specific entries with your own value under `xray.extraSystemYaml`, The values under extraSystemYaml overrides the values under 'xray.systemYaml' and files/system.yaml + + extraSystemYaml: {} + + ## systemYaml is intentionally commented and the previous content has been moved under files/system.yaml. 
+ ## You have to add the all entries of the system.yaml file here, and it overrides the values in files/system.yaml. + # systemYaml: # Sidecar containers for tailing Xray logs loggers: [] @@ -369,18 +343,11 @@ autoscaling: value: "100" - name: persist value: "100" - - name: alert + - name: policyEnforcer value: "100" - name: impactAnalysis value: "100" - -logger: - image: - registry: releases-docker.jfrog.io - repository: ubi9/ubi-minimal - tag: 9.2.717 - ## Service Account ## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/ ## @@ -394,10 +361,15 @@ serviceAccount: ## Explicitly mounts the API credentials for the Service Account automountServiceAccountToken: true -## By default, the Xray StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `common.xrayUserId` value. -## If you want to disable the pod securityContext for the Xray StatefulSet, set this tag to false +## @param podSecurityContext.enabled enable the pod's Security Context podSecurityContext: enabled: true + runAsNonRoot: true + runAsUser: 1035 + runAsGroup: 1035 + fsGroup: 1035 + # fsGroupChangePolicy: "Always" + # seLinuxOptions: {} ## @param containerSecurityContext.enabled enable the container's Security Context containerSecurityContext: @@ -418,7 +390,7 @@ postgresql: image: registry: releases-docker.jfrog.io repository: bitnami/postgresql - tag: 13.10.0-debian-11-r14 + tag: 15.6.0-debian-11-r16 postgresqlUsername: xray postgresqlPassword: "" postgresqlDatabase: xraydb @@ -487,7 +459,7 @@ rabbitmq: image: registry: releases-docker.jfrog.io repository: bitnami/rabbitmq - tag: 3.11.10-debian-11-r5 + tag: 3.12.13-debian-11-r0 extraPlugins: "rabbitmq_management" auth: @@ -608,6 +580,13 @@ rabbitmq: "configure": ".*", "write": ".*", "read": ".*" + }, + { + "user": "{{ .Values.auth.username }}", + "vhost": "{{ .Values.global.xray.rabbitmq.haQuorum.vhost }}", + "configure": ".*", + "write": ".*", + "read": ".*" } ], "users": [ 
@@ -620,9 +599,13 @@ rabbitmq: "vhosts": [ { "name": "/" + }, + { + "name": "{{ .Values.global.xray.rabbitmq.haQuorum.vhost }}" } ], "policies": [ + {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} { "name": "ha-all", "apply-to": "all", @@ -633,6 +616,7 @@ rabbitmq: "ha-sync-mode": "automatic" } } + {{- end }} ] } loadDefinition: @@ -641,12 +625,23 @@ rabbitmq: nodeSelector: {} tolerations: [] affinity: {} + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false ## Upgrade of rabbitmq from 3.8.x to 3.11.x needs the feature flags to be enabled. ## Ref: (https://blog.rabbitmq.com/posts/2022/07/required-feature-flags-in-rabbitmq-3.11/ ## migration enable will perform `rabbitmqctl enable_feature_flag all` command on the existing rabbitmq before starting the upgrade migration: ## Migration is required to be performed only once hence this option can be disabled once the feature flags are enabled in rabbitmq. enabled: true + ## Another uses of migration hook are: + ## - Deleting StatefulSet for allowing updating certain fields that require it: + ## Changing podManagementPolicy OrderedReady -> Parallel requires deleting stateful set + ## - Deleting ha-all mirror policy on migrating to Quorum Queues + deleteStatefulSetToAllowFieldUpdate: + enabled: false + removeHaPolicyOnMigrationToHaQuorum: + enabled: false image: registry: releases-docker.jfrog.io repository: bitnami/kubectl 
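Review bot: The two new migration flags `deleteStatefulSetToAllowFieldUpdate` and `removeHaPolicyOnMigrationToHaQuorum` have no per-flag comment, and the shared comment `## Another uses of migration hook are:` is ungrammatical; suggest `## Other uses of the migration hook are:` plus a one-liner above each flag, for instance `## Deletes the RabbitMQ StatefulSet before upgrade so immutable fields (e.g. podManagementPolicy) can change; state here whether the pods are orphaned or removed with it.` Related, the migration role in `@@ -673,19 +668,100 @@` gains `delete` on `statefulsets` regardless of whether `deleteStatefulSetToAllowFieldUpdate.enabled` is true; if the template renders that rules list as-is, the verb is granted even when the feature is off, so consider having the template include that rule only when the flag is enabled.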
@@ -673,19 +668,100 @@ rabbitmq: - create - get - list + - apiGroups: + - "apps" + resources: + - statefulsets + verbs: + - get + - list + - delete # This is automatically set based on rabbitmqTLS enabled flag. extraConfiguration: |- - management.listener.ssl = {{ template "xray.rabbitmq.isTlsEnabled" . }} + management.listener.ssl = {{ template "xray.rabbitmq.isManagementListenerTlsEnabledInContext" . }} + + initContainers: | + {{- if and .Values.global.xray.rabbitmq.haQuorum.enabled .Values.global.xray.rabbitmq.haQuorum.waitForPreviousPodsOnInitialStartup }} + - name: "wait-for-previous-pods" + image: "{{ template "rabbitmq.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: RABBITMQ_ERL_COOKIE + valueFrom: + secretKeyRef: + name: {{ template "rabbitmq.secretErlangName" . }} + key: rabbitmq-erlang-cookie + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: {{ printf "%s-%s" (include "common.names.fullname" .) 
(default "headless" .Values.servicenameOverride) }} + {{- if (eq "hostname" .Values.clustering.addressType) }} + - name: RABBITMQ_NODE_NAME + value: "rabbit@$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: K8S_HOSTNAME_SUFFIX + value: ".$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- else }} + - name: RABBITMQ_NODE_NAME + value: "rabbit@$(MY_POD_NAME)" + {{- end }} + - name: RABBITMQ_MNESIA_DIR + value: "{{ .Values.persistence.mountPath }}/$(RABBITMQ_NODE_NAME)" + command: + - /bin/bash + args: + - -ecx + - | + echo $HOSTNAME + if [[ $HOSTNAME == *-0 ]]; then + exit 0 + fi + if [ -d "$RABBITMQ_MNESIA_DIR" ]; then + exit 0 + fi + + # wait for zero pod to start running and accept requests + zero_pod_name=$(echo $MY_POD_NAME | sed -E "s/-[[:digit:]]$/-0/") + zero_pod_node_name=$(echo "$RABBITMQ_NODE_NAME" | sed -E "s/^rabbit@$MY_POD_NAME/rabbit@$zero_pod_name/") + maxIterations=60 + i=1 + while true; do + rabbitmq-diagnostics -q check_running -n $zero_pod_node_name --longnames --erlang-cookie $RABBITMQ_ERL_COOKIE && \ + rabbitmq-diagnostics -q check_local_alarms -n $zero_pod_node_name --longnames --erlang-cookie $RABBITMQ_ERL_COOKIE && \ + break || sleep 5; + if [ "$i" == "$maxIterations" ]; then exit 1; fi + i=$((i+1)) + done; + + # node x waits for x previous nodes to join cluster (since node number is zero based) + nodeSerialNum=$(echo "$MY_POD_NAME" | grep -o "[0-9]*$") + timeoutSeconds=180 + rabbitmqctl --erlang-cookie $RABBITMQ_ERL_COOKIE \ + --node $zero_pod_node_name --longnames \ + await_online_nodes $nodeSerialNum \ + --timeout $timeoutSeconds || exit 1 + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.mountPath }} + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- 
end }} + {{- end }} # Common Xray settings common: ## Note that by default we use appVersion to get image tag # xrayVersion: - xrayUserId: 1035 - xrayGroupId: 1035 - # fsGroupChangePolicy: "Always" # Spread Xray pods evenly across your nodes or some other topology topologySpreadConstraints: [] @@ -709,6 +785,7 @@ common: # When using external rabbitmq, set this to false rabbitmq: connectionConfigFromEnvironment: true + waitForReplicasQuorumOnStartup: true ## Custom command to run before Xray startup. Runs BEFORE any microservice-specific preStartCommand preStartCommand: @@ -736,8 +813,8 @@ common: ## Add custom init containers execution before predefined init containers customInitContainersBegin: | # - name: "custom-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" + # image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" # {{- if .Values.containerSecurityContext.enabled }} # securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} # {{- end }} @@ -752,8 +829,8 @@ common: ## Add custom init containers execution after predefined init containers customInitContainers: | # - name: "custom-systemyaml-setup" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" + # image: "{{ include "xray.getImageInfoByValue" (list . "initContainers") }}" + # imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}" # {{- if .Values.containerSecurityContext.enabled }} # securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} # {{- end }} 
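Review bot: In the `wait-for-previous-pods` init container, `args: - -ecx` enables shell tracing while `RABBITMQ_ERL_COOKIE` is passed on the command line (`--erlang-cookie $RABBITMQ_ERL_COOKIE` in both `rabbitmq-diagnostics` calls and in `rabbitmqctl`), so the Erlang cookie — the cluster authentication secret — is written to the init container's log on every loop iteration and is visible in the node's process list while each command runs. Change `- -ecx` to `- -ec` and drop the `--erlang-cookie $RABBITMQ_ERL_COOKIE` argument from the three calls; the RabbitMQ CLI tools read the cookie from the `RABBITMQ_ERL_COOKIE` environment variable, which this container already sets from the secret. The `echo $HOSTNAME` line already gives the only trace output that is useful here.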
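Review bot: `waitForReplicasQuorumOnStartup: true` is added to `common.rabbitmq` without a comment, while its sibling `connectionConfigFromEnvironment` carries one; a default that can make pods block on startup deserves a line such as `## When true, Xray pods wait at startup until the RabbitMQ quorum is reachable; set to false to start without waiting — confirm wording against the template that consumes this key.` The rest of the `common.rabbitmq` stanza is outside this hunk.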
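Review bot: The three commented examples in `customInitContainersBegin` (this hunk), `customInitContainers` (`@@ -752,8 +829,8 @@`) and `customSidecarContainers` (`@@ -770,8 +847,8 @@`) now quote the templated image and pull policy inconsistently: `image:` is unquoted in the first and third but `"{{ include ... }}"` in the second, and `imagePullPolicy:` is quoted in the first two but bare in the third. Since users copy these examples verbatim, pick one form for all three; quoting both, as in `image: "{{ include "xray.getImageInfoByValue" (list . "initContainers") }}"` and `imagePullPolicy: "{{ .Values.initContainers.image.pullPolicy }}"`, is the safer default because the rendered value is always a string.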
@@ -770,8 +847,8 @@ common: # - The provided example shows running container as root (id 0) customSidecarContainers: | # - name: "sidecar-list-etc" - # image: "{{ .Values.initContainerImage }}" - # imagePullPolicy: "{{ .Values.imagePullPolicy }}" + # image: {{ include "xray.getImageInfoByValue" (list . "initContainers") }} + # imagePullPolicy: {{ .Values.initContainers.image.pullPolicy }} # {{- if .Values.containerSecurityContext.enabled }} # securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} # {{- end }} @@ -862,11 +939,9 @@ analysis: livenessProbe: enabled: true config: | - exec: - command: - - sh - - -c - - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.analysis.internalPort }}/api/v1/system/liveness + httpGet: + path: /api/v1/system/liveness + port: {{ .Values.analysis.internalPort }} initialDelaySeconds: {{ if semverCompare " /usr/share/message"] # preStop: # exec: - # command: ["/bin/sh", "-c", "echo Hello from the preStart handler > /usr/share/message"] + # command: ["/bin/sh", "-c", "echo Hello from the preStart handler > /usr/share/message"] ## Add custom volumesMounts customVolumeMounts: | @@ -996,7 +1069,7 @@ indexer: command: - sh - -c - - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.indexer.internalPort }}/api/v1/system/liveness + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.panoramic.internalPort }}/api/v1/system/liveness initialDelaySeconds: {{ if semverCompare " /usr/share/message"] # preStop: # exec: - # command: ["/bin/sh", "-c", "echo Hello from the preStart handler > /usr/share/message"] + # command: ["/bin/sh", "-c", "echo Hello from the preStart handler > /usr/share/message"] ## Add custom volumesMounts customVolumeMounts: | 
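Review bot: In `@@ -996,7 +1069,7 @@` the liveness curl now targets `{{ .Values.panoramic.internalPort }}`, and in `@@ -1061,7 +1133,7 @@` `{{ .Values.policyenforcer.internalPort }}`, while the hunk headers still carry the old-side context `indexer:` and `persist:`. If these lines remain under the indexer and persist sections, each service would probe another service's port; if the sections were repurposed into new `panoramic:` and `policyenforcer:` stanzas (the `indexer`/`persist` httpGet probes re-added later in this diff suggest so), the section headers are outside these hunks and worth confirming in the rendered manifest. Either way these two probes keep the `exec`/`curl -s -k` form that `@@ -862,11 +939,9 @@` replaced with `httpGet` for analysis; `-k` is meaningless for `http://localhost` and the httpGet form avoids spawning a shell per probe, so the same conversion applies here. The second of these hunks continues past the end of this view.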
@@ -1061,7 +1133,7 @@ persist: command: - sh - -c - - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.persist.internalPort }}/api/v1/system/liveness + - curl -s -k --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.policyenforcer.internalPort }}/api/v1/system/liveness initialDelaySeconds: {{ if semverCompare " /usr/share/message"] + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the preStart handler > /usr/share/message"] + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + + livenessProbe: + enabled: true + config: | + httpGet: + path: /api/v1/system/liveness + port: {{ .Values.indexer.internalPort }} + initialDelaySeconds: {{ if semverCompare " /usr/share/message"] + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the preStart handler > /usr/share/message"] + + ## Add custom volumesMounts + customVolumeMounts: | + # - name: custom-script + # mountPath: /scripts/script.sh + # subPath: script.sh + + livenessProbe: + enabled: true + config: | + httpGet: + path: /api/v1/system/liveness + port: {{ .Values.persist.internalPort }} + initialDelaySeconds: {{ if semverCompare "