diff --git a/assets/btp/chronicle-0.1.25.tgz b/assets/btp/chronicle-0.1.25.tgz new file mode 100644 index 000000000..4a9d1affc Binary files /dev/null and b/assets/btp/chronicle-0.1.25.tgz differ diff --git a/assets/external-secrets/external-secrets-0.9.17.tgz b/assets/external-secrets/external-secrets-0.9.17.tgz new file mode 100644 index 000000000..6571885d7 Binary files /dev/null and b/assets/external-secrets/external-secrets-0.9.17.tgz differ diff --git a/assets/jfrog/artifactory-ha-107.77.11.tgz b/assets/jfrog/artifactory-ha-107.77.11.tgz new file mode 100644 index 000000000..c51e02f8f Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.77.11.tgz differ diff --git a/assets/jfrog/artifactory-jcr-107.77.11.tgz b/assets/jfrog/artifactory-jcr-107.77.11.tgz new file mode 100644 index 000000000..496d0b5f5 Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.77.11.tgz differ diff --git a/assets/redpanda/redpanda-5.8.3.tgz b/assets/redpanda/redpanda-5.8.3.tgz new file mode 100644 index 000000000..1e953ab35 Binary files /dev/null and b/assets/redpanda/redpanda-5.8.3.tgz differ diff --git a/assets/speedscale/speedscale-operator-2.1.301.tgz b/assets/speedscale/speedscale-operator-2.1.301.tgz new file mode 100644 index 000000000..929135296 Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.1.301.tgz differ diff --git a/charts/btp/chronicle/Chart.yaml b/charts/btp/chronicle/Chart.yaml index febf75d50..bdef06334 100644 --- a/charts/btp/chronicle/Chart.yaml +++ b/charts/btp/chronicle/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: Chronicle catalog.cattle.io/release-name: chronicle apiVersion: v2 -appVersion: 0.7.3 +appVersion: 0.7.6 dependencies: - name: standard-defs repository: file://./charts/standard-defs @@ -22,4 +22,4 @@ keywords: - blockchain name: chronicle type: application -version: 0.1.15 +version: 0.1.25 
diff --git a/charts/btp/chronicle/README.md b/charts/btp/chronicle/README.md index e619c7cbf..6bc73c0b4 100644 --- a/charts/btp/chronicle/README.md +++ b/charts/btp/chronicle/README.md @@ -1,9 +1,10 @@ -# Chronicle +# Chronicle on Hyperledger Sawtooth | field | description | default | |-|-|-| | `affinity`| custom affinity rules for the chronicle pod | {} | -| `auth.required` | if true require authentication | false | +| `auth.required` | if true require authentication, rejecting 'anonymous' requests | false | +| `auth.id.claims` | Chronicle provides default values ["iss", "sub"] | nil | | `backtraceLevel` | backtrace level for Chronicle | nil | | `devIdProvider.image` | the image to use for the id-provider container | blockchaintp/id-provider | | `devIdProvider.image.pullPolicy` | the image pull policy | IfNotPresent | 
@@ -44,11 +45,15 @@ | `replicas` | number of Chronicle replicas to run | 1 | | `serviceAccount.create` | true to create a service account | false | | `serviceAccount.name` | name of the service account | nil (defaults to based on release name) | -| `test.enabled` | true to enable test Jobs and Services | true | -| `api-test-container.image` | the image to use for the api-test container | blockchaintp/chronicle-api-test | +| `test.api` | test the chronicle GraphQL server API | +| `test.api.enabled` | true to enable api-test Jobs and Services | true | +| `test.api.image` | the image to use for the api-test container | blockchaintp/chronicle-helm-api-test | | `test.api.image.pullPolicy` | the image pull policy | IfNotPresent | | `test.api.image.repository` | the image repository | blockchaintp/chronicle-helm-api-test | | `test.api.image.tag` | the image tag | latest | +| `test.auth` | test the chronicle auth server API | +| `test.auth.enabled` | true to enable auth-related testing | true | +| `test.auth.token` | provide a token for auth-related testing | nil | | `postgres.enabled` | if true create an internal postgres instance | boolean | true | | `postgres.env` | postgres environment variables | map | N/A | | `postgres.image.repository` | postgres image repository | string | "postgres" | 
@@ -82,3 +87,19 @@ | `tp.maxUnavailable` | maximum unavailable nodes during a rolling upgrade | | `tp.minReadySeconds` | minimum time before node becomes available | | `sawtooth` | sawtooth options may be configured | see [Sawtooth](../sawtooth/README.md) | +| `livenessProbe.enabled` | if true, enables the liveness probe | false | +| `livenessProbe.initialDelaySeconds` | delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | how often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | when the probe times out | 1 | +| `livenessProbe.failureThreshold` | how many times to retry the probe before giving up | 3 | +| `livenessProbe.successThreshold` | how many times the probe must report success to be considered successful after having failed | 1 | +| `livenessProbe.namespaceName` | the namespace name for the liveness probe | "default" | +| `livenessProbe.namespaceUuid` | the namespace UUID for the liveness probe | "fd717fd6-70f1-44c1-81de-287d5e101089" | +| `startupProbe.enabled` | if true, enables the startup probe | false | +| `startupProbe.initialDelaySeconds` | delay before startup probe is initiated | 10 | +| `startupProbe.periodSeconds` | how often to perform the probe | 10 | +| `startupProbe.timeoutSeconds` | when the probe times out | 1 | +| `startupProbe.failureThreshold` | how many times to retry the probe before giving up | 3 | +| `startupProbe.successThreshold` | how many times the probe must report success to be considered successful after having failed | 1 | +| `startupProbe.namespaceName` | the namespace name for the startup probe | "default" | +| `startupProbe.namespaceUuid` | the namespace UUID for the startup probe | "fd717fd6-70f1-44c1-81de-287d5e101089" | diff --git a/charts/btp/chronicle/app-readme.md b/charts/btp/chronicle/app-readme.md index eb862a2fa..02201a72a 100644 --- a/charts/btp/chronicle/app-readme.md +++ b/charts/btp/chronicle/app-readme.md 
@@ -1,10 +1,12 @@ +# Chronicle on Hyperledger Sawtooth + Chronicle records provenance information of any physical or digital asset on a distributed ledger. - Chronicle is available with Hyperledger Sawtooth as its default backing ledger. - Chronicle is built on the established W3C PROV Ontology standard; it uses the lightweight JSON-LD linked data format, and the data query language GraphQL. - Chronicle is easily adaptable to enable users to model, capture, and query provenance information pertinent to their industry, application and use case. -You can find example domains and further instructions at https://examples.btp.works +You can find example domains and further instructions at ## *Important* diff --git a/charts/btp/chronicle/templates/_chronicle.tpl b/charts/btp/chronicle/templates/_chronicle.tpl index 585161131..159800850 100644 --- a/charts/btp/chronicle/templates/_chronicle.tpl +++ b/charts/btp/chronicle/templates/_chronicle.tpl 
@@ -55,21 +55,75 @@ chronicle: {{ include "common.names.fullname" . }} {{ include "common.names.fullname" . }}-test-id-provider {{- end -}} -{{- define "chronicle.jwksUrl" -}} +{{- define "chronicle.id-provider.service.jwks.url" -}} +http://{{ include "chronicle.id-provider.service" . }}:8090/jwks +{{- end -}} + +{{- define "chronicle.id-provider.service.userinfo.url" -}} +http://{{ include "chronicle.id-provider.service" . }}:8090/userinfo +{{- end -}} + +{{- define "chronicle.id-claims" -}} +{{- if .Values.auth.id.claims -}} +--id-claims {{ .Values.auth.id.claims }} \ +{{- else -}} +{{- /* Do nothing */ -}} +{{- end -}} +{{- end -}} + +{{/* The JWKS and userinfo URLs are connected. */}} +{{/* If either is provided Chronicle will use the user-provided options. */}} +{{/* If neither is provided Chronicle should fall back to using the 'devIdProvider'.*/}} +{{- define "chronicle.jwks-url.url" -}} +{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}} {{- if .Values.auth.jwks.url -}} {{ .Values.auth.jwks.url }} +{{- end -}} {{- else -}} {{- if .Values.devIdProvider.enabled -}} -http://{{ include "chronicle.id-provider.service" . }}:8090/jwks -{{- else -}} -{{ required "devIdProvider.enabled must be true or auth.jwks.url must be set!" .Values.auth.jwks.url }} +{{ include "chronicle.id-provider.service.jwks.url" . }} {{- end -}} {{- end -}} {{- end -}} -{{- define "chronicle.userinfoUrl" -}} +{{- define "chronicle.jwks-url.cli" -}} +{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}} +{{- if .Values.auth.jwks.url -}} +--jwks-address {{ include "chronicle.jwks-url.url" . }} \ +{{- end -}} +{{- else -}} +{{- if .Values.devIdProvider.enabled -}} +--jwks-address {{ include "chronicle.jwks-url.url" . }} \ +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* The JWKS and userinfo URLs are connected. */}} +{{/* If either is provided Chronicle will use the user-provided options. 
*/}} +{{/* If neither is provided Chronicle should fall back to using the 'devIdProvider'.*/}} +{{- define "chronicle.userinfo-url" -}} +{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}} +{{- if .Values.auth.userinfo.url -}} {{ .Values.auth.userinfo.url }} {{- end -}} +{{- else -}} +{{- if .Values.devIdProvider.enabled -}} +{{ include "chronicle.id-provider.service.userinfo.url" . }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "chronicle.userinfo-url.cli" -}} +{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}} +{{- if .Values.auth.userinfo.url -}} +--userinfo-address {{ include "chronicle.userinfo-url" . }} \ +{{- end -}} +{{- else -}} +{{- if .Values.devIdProvider.enabled -}} +--userinfo-address {{ include "chronicle.userinfo-url" . }} \ +{{- end -}} +{{- end -}} +{{- end -}} {{- define "chronicle.root-key.secret" -}} {{ include "common.names.fullname" . }}-root-key diff --git a/charts/btp/chronicle/templates/chronicle-init.yaml b/charts/btp/chronicle/templates/chronicle-init.yaml index dd9a7a95b..faefac2d9 100644 --- a/charts/btp/chronicle/templates/chronicle-init.yaml +++ b/charts/btp/chronicle/templates/chronicle-init.yaml @@ -3,12 +3,11 @@ apiVersion: batch/v1 kind: Job metadata: - annotations: - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded name: {{ include "common.names.fullname" . }}-init labels: {{ include "chronicle.labels" . | nindent 4 }} component: chronicle spec: + ttlSecondsAfterFinished: 100 template: metadata: labels: {{ include "chronicle.labels" . | nindent 8 }} 
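Review bot: `chronicle.jwks-url.cli` and `chronicle.userinfo-url.cli` repeat the `or (.Values.auth.jwks.url) (.Values.auth.userinfo.url)` / `devIdProvider.enabled` selection that `chronicle.jwks-url.url` and `chronicle.userinfo-url` already encode, so the same condition now lives in four places and will drift the next time the fallback rule changes. Each `.cli` helper can be a wrapper around its `.url` sibling, e.g. `{{- define "chronicle.jwks-url.cli" -}}{{- with include "chronicle.jwks-url.url" . }}--jwks-address {{ . }} \{{- end }}{{- end -}}`, which emits the flag exactly when the URL helper is non-empty. The old `required "devIdProvider.enabled must be true or auth.jwks.url must be set!"` guard is removed from this file and the helpers now silently render nothing when neither source is configured; that is only safe because statefulset.yaml keeps its own `required` check, so the comment block above `chronicle.jwks-url.url` should say that the misconfiguration is caught there and not here.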
@@ -159,13 +158,17 @@ spec: command: [ "bash", "-ec"] args: - | - if opactl \ - --sawtooth-address tcp://$HOST:$PORT \ - get-policy \ - --id {{ .Values.opa.policy.id }} \ - --output policy.bin >/dev/null 2>&1; then + echo "Attempting to get policy." + opactl \ + --sawtooth-address tcp://$HOST:$PORT \ + get-policy \ + --id {{ .Values.opa.policy.id }} \ + --output /shared-data/policy.bin || true + + if [ -f "/shared-data/policy.bin" ]; then echo "Policy already set." touch /shared-data/policy-already-set + exit 0 else echo "Policy not found." exit 0 @@ -197,7 +200,7 @@ spec: set-policy \ --id {{ .Values.opa.policy.id }} \ -p {{ .Values.opa.policy.url }} \ - --root-key /shared-data/root.pem + --root-key /shared-data/root.pem || true fi env: {{ include "lib.safeToYaml" .Values.env | nindent 12 }} - name: HOST diff --git a/charts/btp/chronicle/templates/statefulset.yaml b/charts/btp/chronicle/templates/statefulset.yaml index c2ebb8959..ce3124c84 100644 --- a/charts/btp/chronicle/templates/statefulset.yaml +++ b/charts/btp/chronicle/templates/statefulset.yaml @@ -104,7 +104,7 @@ spec: - | {{ if .Values.auth.required }} {{ if and (not .Values.auth.jwks.url) (not .Values.auth.userinfo.url) (not .Values.devIdProvider.enabled) }} - {{ required "If auth.required you need to provide at least auth.jwks.url or auth.userinfo.url" .Values.auth.jwks.url }} + {{ required "If 'auth.required' you need to provide at least 'auth.jwks.url' or 'auth.userinfo.url', or 'devIdProvider.enabled' must be 'true'!" .Values.auth.jwks.url }} {{ end }} {{ end }} 
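Review bot: The `|| true` appended to `--root-key /shared-data/root.pem` in the `@@ -197` hunk makes the init Job succeed even when `opactl set-policy` failed, so a fresh install can come up with chronicle running and no authorization policy on the ledger, and with the new `ttlSecondsAfterFinished: 100` the pod logs that would show the failure disappear shortly afterwards. The pre-existing-policy case is already handled by the `policy-already-set` marker from the `@@ -159` hunk, so the `set-policy` failure should stay fatal: drop the `|| true` there, or at least `echo "Failed to set policy." && exit 1` on the error path. The `|| true` on the `get-policy` call is reasonable since a missing policy is an expected non-zero exit, but a transport error to `$HOST:$PORT` now also reads as "Policy not found" and falls through to `set-policy`; whether `opactl` distinguishes the two by exit code is not visible in this diff. The enclosing container script starts outside the hunk.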
@@ -122,17 +122,13 @@ spec: --embedded-opa-policy \ {{- end }} serve-api \ - --interface 0.0.0.0:{{ .Values.port}} \ + --interface 0.0.0.0:{{ .Values.port }} \ {{- if .Values.auth.required }} --require-auth \ - --id-claims {{ .Values.auth.id.claims }} \ - {{- if .Values.auth.jwks.enabled }} - --jwks-address {{ include "chronicle.jwksUrl" . }} \ - {{- end }} - {{- if .Values.auth.userinfo.url }} - --userinfo-address {{ include "chronicle.userinfoUrl" . }} \ - {{- end }} {{- end }} + {{ include "chronicle.jwks-url.cli" . }} + {{ include "chronicle.userinfo-url.cli" . }} + {{ include "chronicle.id-claims" . }} ; env: {{ include "lib.safeToYaml" .Values.env | nindent 12 }} - name: RUST_LOG 
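Review bot: The three `{{ include ... }}` lines added after `{{- end }}` use no whitespace trimming, so each renders as an indent-only line whenever its helper returns nothing, and with the chart defaults `chronicle.id-claims` is always empty because `auth.id.claims` is null. Every helper's output ends in ` \`, so a non-empty flag followed by a blank line terminates the `chronicle ... serve-api` command before the closing `;`, which then starts a new statement on its own and is rejected by `sh` and `bash` as a syntax error; the old `{{- if ... }}` blocks avoided this by trimming the newline. Collecting the outputs and emitting only the non-empty ones keeps the continuation chain intact; the script begins outside this hunk, so confirm nothing earlier depends on the removed trimming.
```yaml
          {{- end }}
          {{- $authFlags := list (include "chronicle.jwks-url.cli" .) (include "chronicle.userinfo-url.cli" .) (include "chronicle.id-claims" .) | compact }}
          {{- range $authFlags }}
          {{ . }}
          {{- end }}
          ;
```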
@@ -157,6 +153,106 @@ spec: - name: chronicle-data mountPath: /var/lib/chronicle/store/ {{- include "lib.volumeMounts" .Values.extraVolumeMounts | nindent 12 }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - bash + - -c + - | + PROBE_ID="liveness_$(LC_ALL=C tr -dc A-Za-z0-9 /tmp/import.json && + echo "Probe ID: $PROBE_ID" && + RUST_LOG=error chronicle \ + -c /etc/chronicle/config/config.toml \ + --console-logging json \ + --sawtooth tcp://{{ include "chronicle.sawtooth.service" . }}:{{ include "chronicle.sawtooth.sawcomp" . }} \ + --remote-database \ + --database-name {{ .Values.postgres.database }} \ + --database-username {{ .Values.postgres.user }} \ + --database-host {{ .Values.postgres.host }} \ + {{- if not .Values.opa.enabled }} + --embedded-opa-policy \ + {{- end }} + import {{ .Values.livenessProbe.namespaceName }} {{ .Values.livenessProbe.namespaceUuid }} /tmp/import.json + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.startUpProbe.enabled }} + startupProbe: + exec: + command: + - bash + - -c + - | + PROBE_ID="startup_$(LC_ALL=C tr -dc A-Za-z0-9 /tmp/import.json && + echo "Probe ID: $PROBE_ID" && + RUST_LOG=error chronicle \ + -c /etc/chronicle/config/config.toml \ + --console-logging json \ + --sawtooth tcp://{{ include "chronicle.sawtooth.service" . }}:{{ include "chronicle.sawtooth.sawcomp" . 
}} \ + --remote-database \ + --database-name {{ .Values.postgres.database }} \ + --database-username {{ .Values.postgres.user }} \ + --database-host {{ .Values.postgres.host }} \ + {{- if not .Values.opa.enabled }} + --embedded-opa-policy \ + {{- end }} + import {{ .Values.startUpProbe.namespaceName }} {{ .Values.startUpProbe.namespaceUuid }} /tmp/import.json + initialDelaySeconds: {{ .Values.startUpProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startUpProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startUpProbe.timeoutSeconds }} + failureThreshold: {{ .Values.startUpProbe.failureThreshold }} + {{- end }} volumes: - name: chronicle-secrets persistentVolumeClaim: @@ -167,10 +263,10 @@ spec: - name: chronicle-config configMap: name: {{ .Release.Name }}-chronicle-config -{{- if not .Values.postgres.persistence.enabled }} + {{- if not .Values.postgres.persistence.enabled }} - name: "pgdata" emptyDir: {} -{{- end }} + {{- end }} volumeClaimTemplates: - metadata: name: chronicle-data @@ -180,7 +276,7 @@ spec: resources: requests: storage: 6Gi -{{- if .Values.postgres.persistence.enabled }} + {{- if .Values.postgres.persistence.enabled }} - metadata: name: "pgdata" annotations: {{- include "lib.safeToYaml" .Values.postgres.persistence.annotations | nindent 10 }} @@ -190,4 +286,4 @@ spec: resources: requests: storage: {{ .Values.postgres.persistence.size | quote }} -{{- end }} + {{- end }} diff --git a/charts/btp/chronicle/templates/test-token-getter-roles.yaml b/charts/btp/chronicle/templates/test-token-getter-roles.yaml index cedecdb18..0eaf4423a 100644 --- a/charts/btp/chronicle/templates/test-token-getter-roles.yaml +++ b/charts/btp/chronicle/templates/test-token-getter-roles.yaml @@ -1,5 +1,4 @@ -{{- if .Values.test.enabled }} -{{- if .Values.auth.required }} +{{- if or (.Values.test.api.enabled) (.Values.test.auth.enabled) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
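Review bot: The template reads `.Values.startUpProbe.*` while the README table added in this commit documents `startupProbe.*`, so a user who follows the README sets keys the template never reads and gets no startup probe; the same table lists `livenessProbe.initialDelaySeconds` with a default of 30, but values.yaml defines no such key, so the rendered `initialDelaySeconds:` is empty. Beyond naming, both probes run a full `chronicle ... import` against postgres and sawtooth on every period, which presumably writes provenance data into the ledger on each check and, for the liveness probe, restarts the pod whenever a dependency rather than the chronicle process is unavailable; a cheap local check for liveness, with the import reserved for the startup probe, would avoid restart loops during a database or ledger outage. The probe command also looks truncated in this rendering (`tr -dc A-Za-z0-9 /tmp/import.json &&`), so the redirections and the file write between those two fragments should be verified on the real file.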
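Review bot: The Role and RoleBinding in this file are now created whenever `test.api.enabled` or `test.auth.enabled` is set, and `test.auth.enabled` defaults to `true` in values.yaml, so the service account named in the `subjects` block receives these permissions on every default install instead of only when `test.enabled` and `auth.required` were both true. The test pods that use them (`kubectl exec ... -c id-provider -- oauth-token`) only run when `devIdProvider.enabled` is set, so the condition should include it: `{{- if and .Values.devIdProvider.enabled (or .Values.test.api.enabled .Values.test.auth.enabled) }}`. The `rules` block is outside this hunk, so I cannot confirm which verbs are granted.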
@@ -34,4 +33,3 @@ subjects: name: {{ include "lib.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} -{{- end }} diff --git a/charts/btp/chronicle/templates/tests/api-test.yaml b/charts/btp/chronicle/templates/tests/api-test.yaml index 152371400..354a69d7f 100644 --- a/charts/btp/chronicle/templates/tests/api-test.yaml +++ b/charts/btp/chronicle/templates/tests/api-test.yaml @@ -1,4 +1,4 @@ -{{- if .Values.test.enabled }} +{{- if .Values.test.api.enabled }} apiVersion: batch/v1 kind: Job metadata: 
@@ -15,29 +15,52 @@ spec: restartPolicy: Never serviceAccountName: {{ include "lib.serviceAccountName" . }} automountServiceAccountToken: true - initContainers: {{- if .Values.auth.required }} + {{ if not .Values.test.auth.token }} + {{ if not .Values.devIdProvider.enabled }} + {{ required "If 'auth.required' when using the api-test 'test.auth.token' must be provided or 'devIdProvider.enabled' must be set to 'true'!" .Values.devIdProvider.enabled }} + {{ end }} + initContainers: - name: wait-for-id-provider {{- include "lib.image" (dict "imageRoot" .Values.test.api.image "global" .Values.global ) | nindent 10 }} - command: [ "sh", "-ec" ] + command: [ "sh", "-c" ] args: - | - URL={{ include "chronicle.jwksUrl" . }} - scheme=$(echo $URL | cut -f 1 -d :) - hostAndPort=$(echo $URL | cut -f 3 -d /) - HOST=$(echo $hostAndPort | cut -f 1 -d :) - port=$(echo $hostAndPort | awk -F: '{print $2}') - if [ "$scheme" = "http" ]; then - defaultPort=80 - elif [ "$scheme" = "https" ]; then - defaultPort=443 - else - defaultPort=80 - fi - PORT=${port:-$defaultPort} + URL="{{ include "chronicle.id-provider.service.jwks.url" . }}" + + wait_for_url() { + local url=$1 + scheme=$(echo "$url" | cut -f 1 -d :) + hostAndPort=$(echo "$url" | cut -f 3 -d /) + HOST=$(echo "$hostAndPort" | cut -f 1 -d :) + port=$(echo "$hostAndPort" | awk -F: '{print $2}') + + case $scheme in + "http") + defaultPort=80 + ;; + "https") + defaultPort=443 + ;; + *) + defaultPort=80 + ;; + esac + + PORT=${port:-$defaultPort} + wait-for-it "$HOST:$PORT" --timeout=120 + } + echo "Waiting for id-provider to be ready ..." - wait-for-it $HOST:$PORT --timeout=0 - echo "Id-provider is ready. Exiting." + wait_for_url "$URL" + + if [ $? -eq 0 ]; then + echo "Id-provider is ready. Exiting." + exit 0 + else + echo "Timeout occurred. Please check if the correct URL has been provided." + exit 1 + fi - name: token-loader image: alpine/k8s:1.24.13 command: [ "sh", "-ec" ] 
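Review bot: `{{ required "..." .Values.devIdProvider.enabled }}` cannot enforce the intended check: Helm's `required` only rejects nil or an empty string, and `devIdProvider.enabled` is a boolean, so when it is `false` the guard renders the literal `false` into the Job spec instead of aborting with the message. Inside the `if` use `fail` instead: `{{ fail "If 'auth.required' when using the api-test 'test.auth.token' must be provided or 'devIdProvider.enabled' must be set to 'true'!" }}`. The same pattern appears at the top of the new `auth-endpoints-test.yaml`. Switching `wait-for-id-provider` from `sh -ec` to `sh -c` is fine because the result is handled explicitly, but `$?` after `wait_for_url "$URL"` reflects `wait-for-it` only because that is the function's last command; a one-line comment saying so would keep a later edit from breaking it.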
@@ -51,6 +74,7 @@ spec: volumeMounts: - name: shared-data mountPath: /shared-data + {{ end }} {{- end }} containers: - name: test @@ -58,6 +82,14 @@ spec: command: [ "sh", "-ec" ] args: - | + {{ if not .Values.test.auth.token }} + {{ if or .Values.auth.jwks.url .Values.auth.userinfo.url }} + echo "Auth endpoints provided but no token provided." + echo "Please provide 'test.auth.token' in the values.yaml file." + exit 1 + {{ end }} + {{ end }} + API={{ include "chronicle.api.service" . }} export PORT={{ .Values.port }} echo "Waiting for API to be ready ..." @@ -65,13 +97,16 @@ spec: echo "Getting IP address for API ..." getent hosts $API | cut -f 1 -d \ | head -n 1 > /shared-data/api-ip || exit 1 - {{- if .Values.auth.required }} + {{- if .Values.test.auth.token }} + echo "{{ .Values.test.auth.token }}" > /shared-data/jwks-token + {{- end }} + if [ -f "/shared-data/jwks-token" ]; then echo "Found token." sleep 5 export TOKEN=$(cat "/shared-data/jwks-token") fi - {{- end }} + export HOST=$(cat /shared-data/api-ip) echo "Testing API with subscribe-submit-test..." subscribe-submit-test diff --git a/charts/btp/chronicle/templates/tests/auth-endpoints-test.yaml b/charts/btp/chronicle/templates/tests/auth-endpoints-test.yaml new file mode 100644 index 000000000..79f80f9e9 --- /dev/null +++ b/charts/btp/chronicle/templates/tests/auth-endpoints-test.yaml 
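Review bot: `echo "{{ .Values.test.auth.token }}" > /shared-data/jwks-token` in the `@@ -65` hunk bakes the bearer token into the rendered Job manifest, so it is readable by anyone who can get jobs or pods in the namespace and is kept in the Helm release secret and history; the new `auth-endpoints-test.yaml` does the same by templating the token into its `curl -H "Authorization: Bearer ..."` line, where it is also visible in the process list. Render a Kubernetes Secret from `test.auth.token` and expose it to the test container as an env var or a mounted file, then keep the existing `export TOKEN=$(cat "/shared-data/jwks-token")` path. The runtime `exit 1` for "Auth endpoints provided but no token provided" in the `@@ -58` hunk could likewise be a template-time `fail`, so the misconfiguration surfaces at install rather than inside a test pod.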
@@ -0,0 +1,160 @@ +{{- if .Values.test.auth.enabled }} +{{ if not (or (.Values.devIdProvider.enabled) (or (.Values.auth.jwks.url) (.Values.auth.userinfo.url)))}} +{{ required "If 'test.auth.enabled' you need to provide 'auth.jwks.url', 'auth.userinfo.url', or enable the `devIdProvider`!" .Values.devIdProvider.enabled }} +{{ end }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.names.fullname" . }}-auth-endpoints-test + labels: {{ include "chronicle.labels" . | nindent 4 }} + component: auth-endpoints-test + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": hook-succeeded +spec: + backoffLimit: 0 + template: + spec: + restartPolicy: Never + serviceAccountName: {{ include "lib.serviceAccountName" . }} + {{- if .Values.devIdProvider.enabled }} + automountServiceAccountToken: true + initContainers: + - name: wait + {{- include "lib.image" (dict "imageRoot" .Values.test.api.image "global" .Values.global ) | nindent 10 }} + command: [ "sh", "-c" ] + args: + - | + URL="{{ include "chronicle.id-provider.service.jwks.url" . }}" + + wait_for_url() { + local url=$1 + scheme=$(echo "$url" | cut -f 1 -d :) + hostAndPort=$(echo "$url" | cut -f 3 -d /) + HOST=$(echo "$hostAndPort" | cut -f 1 -d :) + port=$(echo "$hostAndPort" | awk -F: '{print $2}') + + case $scheme in + "http") + defaultPort=80 + ;; + "https") + defaultPort=443 + ;; + *) + defaultPort=80 + ;; + esac + + PORT=${port:-$defaultPort} + wait-for-it "$HOST:$PORT" --timeout=120 + } + + echo "Waiting for id-provider to be ready ..." + wait_for_url "$URL" + + if [ $? -eq 0 ]; then + echo "Id-provider is ready. Exiting." + exit 0 + else + echo "Timeout occurred. Please check if the correct URL has been provided." + exit 1 + fi + - name: tok + image: alpine/k8s:1.24.13 + command: [ "sh", "-ec" ] + args: + - | + echo "Waiting to ensure id-provider is ready ..." + sleep 20 + echo "Getting token from id-provider ..." + kubectl exec {{ include "chronicle.id-provider.service" . 
}}-0 -c id-provider -- oauth-token > /shared-data/jwks-token + echo "Token loaded. Exiting." + volumeMounts: + - name: shared-data + mountPath: /shared-data + {{- end }} + containers: + - name: jwks + image: alpine/k8s:1.24.13 + command: [ "sh", "-c"] + args: + - | + {{ if or (.Values.auth.jwks.url) (.Values.devIdProvider.enabled) }} + {{ if .Values.auth.jwks.url }} + echo "Checking provided JWKS endpoint: {{ .Values.auth.jwks.url }}." + endPoint="{{ .Values.auth.jwks.url }}" + {{ else if .Values.auth.userinfo.url }} + echo "JWKS endpoint not set but userinfo url is set - skipping JWKS check." + exit 0 + {{ else }} + echo "Checking JWKS endpoint from id-provider: {{ include "chronicle.id-provider.service.jwks.url" . }}." + endPoint="{{ include "chronicle.id-provider.service.jwks.url" . }}" + {{ end }} + + time curl -s -o /shared-data/jwks.json $endPoint + + cat /shared-data/jwks.json | jq . > /dev/null \ + || { echo "JWKS endpoint did not return a valid JSON object."; echo "DEBUG: $(cat /shared-data/jwks.json)"; exit 1; } + echo "JWKS endpoint returned a valid JSON object:" + cat /shared-data/jwks.json + echo + {{ else }} + echo "Skipping JWKS endpoint check." + {{ end }} + + echo -e "Exiting." + volumeMounts: + - name: shared-data + mountPath: /shared-data + - name: userinfo + image: alpine/k8s:1.24.13 + command: [ "sh", "-c"] + args: + - | + {{ if or (.Values.auth.userinfo.url) (.Values.devIdProvider.enabled) }} + {{ if .Values.auth.userinfo.url }} + {{ if not .Values.test.auth.token }} + {{ required "If providing 'auth.userinfo.url' you need to provide a 'test.auth.token'!" .Values.test.auth.token}} + {{ end }} + echo "Checking user-provided userinfo endpoint: $endPoint" + endPoint="{{ .Values.auth.userinfo.url }}" + {{ else if .Values.auth.jwks.url }} + echo "Userinfo endpoint not set but JWKS url is set - skipping userinfo check." 
+ exit 0 + {{ else }} + echo "Checking id-provider userinfo endpoint: $endPoint" + endPoint="{{ include "chronicle.id-provider.service.userinfo.url" . }}" + {{ end }} + + {{ if .Values.test.auth.token }} + {{ if not .Values.auth.userinfo.url }} + {{ required "If providing 'test.auth.token' you need to provide a 'auth.userinfo.url'!" .Values.auth.userinfo.url }} + {{ end }} + echo "Using 'test.auth.token' to check userinfo endpoint." + time curl -s -H "Authorization: Bearer {{ .Values.test.auth.token }}" -o /shared-data/userinfo.json $endPoint + {{ else }} + echo "Using token from id-provider to check userinfo endpoint." + time curl -s -H "Authorization: Bearer $(cat /shared-data/jwks-token)" -o /shared-data/userinfo.json $endPoint + {{ end }} + + if jq -e 'has("error")' /shared-data/userinfo.json > /dev/null; then + echo "Userinfo endpoint returned an error:" + echo "DEBUG: $(cat /shared-data/userinfo.json)" + exit 1 + else + echo "Userinfo endpoint returned a valid JSON object: $(cat /shared-data/userinfo.json)" + echo + fi + {{ else }} + echo "Skipping userinfo endpoint check." + {{ end }} + + echo -e "Exiting." + volumeMounts: + - name: shared-data + mountPath: /shared-data + volumes: + - name: shared-data + emptyDir: {} +{{- end }} diff --git a/charts/btp/chronicle/values.yaml b/charts/btp/chronicle/values.yaml index 84018a1e6..12d4c6d1a 100644 --- a/charts/btp/chronicle/values.yaml +++ b/charts/btp/chronicle/values.yaml 
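Review bot: In the `userinfo` container `jq -e 'has("error")'` decides the outcome, but `jq` also exits non-zero when the file is not JSON at all (an HTML 401 or 502 page written by `curl -s` without `--fail`), and that case falls into the `else` branch and reports "Userinfo endpoint returned a valid JSON object". Use `curl -sS --fail`, or validate with `jq . /shared-data/userinfo.json > /dev/null` first as the `jwks` container does, before testing for `error`. The two `echo "Checking ... userinfo endpoint: $endPoint"` lines run before `endPoint=` is assigned, so they print an empty URL; swap each pair. Both `curl` calls leave `$endPoint` unquoted; `"$endPoint"` avoids word splitting on a value taken straight from values.yaml.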
@@ -12,16 +12,46 @@ global: affinity: {} auth: - ## @md | `auth.required` | if true require authentication | false | + ## @md | `auth.required` | if true require authentication, rejecting 'anonymous' requests | false | required: false id: - claims: email + ## @md | `auth.id.claims` | Chronicle provides default values ["iss", "sub"] | nil | + claims: jwks: - enabled: true url: userinfo: url: +## @md | `livenessProbe.enabled` | if true, enables the liveness probe | false | +livenessProbe: + enabled: false + ## @md | `livenessProbe.timeoutSeconds` | number of seconds after which the probe times out | 10 | + timeoutSeconds: 20 + ## @md | `livenessProbe.periodSeconds` | how often (in seconds) to perform the probe | 60 | + periodSeconds: 60 + ## @md | `livenessProbe.failureThreshold` | when a probe fails, Kubernetes will try failureThreshold times before giving up | 1 | + failureThreshold: 1 + ## @md | `livenessProbe.namespaceName` | the Chronicle namespace in which the probe operates | default | + namespaceName: default + ## @md | `livenessProbe.namespaceUuid` | the UUID of the Chronicle namespace in which the probe operates | fd717fd6-70f1-44c1-81de-287d5e101089 | + namespaceUuid: fd717fd6-70f1-44c1-81de-287d5e101089 + +## @md | `startUpProbe.enabled` | if true, enables the startup probe | true | +startUpProbe: + enabled: false + ## @md | `startUpProbe.initialDelaySeconds` | number of seconds after which the probe starts | 5 | + initialDelaySeconds: 5 + ## @md | `startUpProbe.failureThreshold` | when a probe fails, Kubernetes will try failureThreshold times before giving up | 30 | + failureThreshold: 30 + ## @md | `startUpProbe.periodSeconds` | how often (in seconds) to perform the probe | 10 | + periodSeconds: 10 + ## @md | `startUpProbe.timeoutSeconds` | number of seconds after which the probe times out | 3 | + timeoutSeconds: 3 + ## @md | `startUpProbe.namespaceName` | the Chronicle namespace in which the probe operates | default | + namespaceName: default + ## @md 
| `startUpProbe.namespaceUuid` | the UUID of the Chronicle namespace in which the probe operates | fd717fd6-70f1-44c1-81de-287d5e101089 | + namespaceUuid: fd717fd6-70f1-44c1-81de-287d5e101089 + ## @md | `backtraceLevel` | backtrace level for Chronicle | nil | backtraceLevel: full @@ -34,7 +64,7 @@ devIdProvider: ## @md | `devIdProvider.image.repository` | the image repository | blockchaintp/id-provider | repository: blockchaintp/id-provider-amd64 ## @md | `devIdProvider.image.tag` | the image tag | latest | - tag: BTP2.1.0-0.7.3 + tag: BTP2.1.0-0.7.6 ## @md | `extraVolumes` | a list of additional volumes to add to chronicle | [] | extraVolumes: [] @@ -45,7 +75,7 @@ image: ## @md | `image.repository` | the repository of the image | blockchaintp/chronicle | repository: blockchaintp/chronicle-amd64 ## @md | `image.tag`| the tag of the image to use | latest | - tag: BTP2.1.0-0.7.3 + tag: BTP2.1.0-0.7.6 ## @md | `image.pullPolicy` | the image pull policy to use | IfNotPresent | pullPolicy: IfNotPresent @@ -89,7 +119,7 @@ logLevel: info opa: ## @md | `opa.enabled` | if true set up a full OPA enabled setup | true | - enabled: true + enabled: false opaInit: ## @md | `opa.init.image` | the image to use for the chronicle-init container | blockchaintp/chronicle-opa-init | image: @@ -98,7 +128,7 @@ opa: ## @md | `image.repository` | the repository of the image | blockchaintp/chronicle | repository: blockchaintp/opactl-amd64 ## @md | `image.tag`| the tag of the image to use | latest | - tag: BTP2.1.0-0.7.3 + tag: BTP2.1.0-0.7.6 policy: entrypoint: allow_transactions.allowed_users id: allow_transactions 
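Review bot: The `## @md` rows added in the `@@ -12` hunk disagree with the values beside them — `livenessProbe.timeoutSeconds` is documented as 10 but set to 20, `startUpProbe.enabled` as true but set to `false` — and since these comments generate the README table the published defaults will be wrong; align each row with its value. `livenessProbe.initialDelaySeconds` is referenced by statefulset.yaml but not defined here, so add a row and a value (`initialDelaySeconds: 30` if the README's 30 is intended). The key is `startUpProbe` while the README and the Kubernetes field are `startupProbe`; renaming it in both values.yaml and the template would match what users will type.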
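Review bot: Flipping the `opa.enabled` default to `false` in the `@@ -89` hunk changes what authorization every new install gets — statefulset.yaml then starts chronicle with `--embedded-opa-policy` instead of the ledger-backed policy written by the init Job — yet the `## @md` row above it still reads `| true |` and neither the README nor the chart description mentions the change. Update the row to `| false |` and add a README sentence stating what the embedded policy permits, so operators upgrading from 0.1.15 can tell whether their access rules still apply. What `--embedded-opa-policy` actually allows is not visible in this diff.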
@@ -108,7 +138,7 @@ opa: ## @md | `image.repository` | the repository of the image | blockchaintp/chronicle | repository: blockchaintp/opa-tp-amd64 ## @md | `image.tag`| the tag of the image to use | latest | - tag: BTP2.1.0-0.7.3 + tag: BTP2.1.0-0.7.6 ## @md | `image.pullPolicy` | the image pull policy to use | IfNotPresent | pullPolicy: IfNotPresent ## @md | `opa.tp.resources` | resources | map | nil | @@ -131,17 +161,24 @@ serviceAccount: name: test: - ## @md | `test.enabled` | true to enable test Jobs and Services | true | - enabled: true + ## @md | `test.api` | test the chronicle GraphQL server API | api: - ## @md | `api-test-container.image` | the image to use for the api-test container | blockchaintp/chronicle-api-test | + ## @md | `test.api.enabled` | true to enable api-test Jobs and Services | true | + enabled: false + ## @md | `test.api.image` | the image to use for the api-test container | blockchaintp/chronicle-helm-api-test | image: ## @md | `test.api.image.pullPolicy` | the image pull policy | IfNotPresent | pullPolicy: IfNotPresent ## @md | `test.api.image.repository` | the image repository | blockchaintp/chronicle-helm-api-test | repository: blockchaintp/chronicle-helm-api-test-amd64 ## @md | `test.api.image.tag` | the image tag | latest | - tag: BTP2.1.0-0.7.3 + tag: BTP2.1.0-0.7.6 + ## @md | `test.auth` | test the chronicle auth server API | + auth: + ## @md | `test.auth.enabled` | true to enable auth-related testing | true | + enabled: true + ## @md | `test.auth.token` | provide a token for auth-related testing | nil | + token: postgres: # if enabled we allocate a postgres database here 
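Review bot: `## @md | `test.api.enabled` | true to enable api-test Jobs and Services | true |` in the `@@ -131` hunk documents a default of true while the value beneath it is `false`; fix the row so the generated README matches. `test.auth.enabled: true` by default means the auth-endpoints test Job and the token-getter Role/RoleBinding are rendered in every install, including ones with `auth.required: false`; consider defaulting it to `false` like `test.api.enabled`, or gating it on `auth.required`. `test.auth.token` is a credential, so its row should say to supply it via `--set` or a separate, uncommitted values file.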
@@ -211,7 +248,7 @@ tp: ## @md | `tp.image.repository` | the image repository | blockchaintp/chronicle-tp | repository: blockchaintp/chronicle-tp-amd64 ## @md | `tp.image.tag` | the image tag | latest | - tag: BTP2.1.0-0.7.3 + tag: BTP2.1.0-0.7.6 ## @md | `tp.extraVolumes` | extra volumes declarations for the chronicle-tp deployment | list | nil extraVolumes: ## @md | `tp.extraVolumeMounts` | extra volume mounts for chronicle-tp deployment | list | nil diff --git a/charts/external-secrets/external-secrets/Chart.yaml b/charts/external-secrets/external-secrets/Chart.yaml index 1d14b3ade..80fecba78 100644 --- a/charts/external-secrets/external-secrets/Chart.yaml +++ b/charts/external-secrets/external-secrets/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: external-secrets apiVersion: v2 -appVersion: v0.9.16 +appVersion: v0.9.17 description: External secret management for Kubernetes home: https://github.com/external-secrets/external-secrets icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png @@ -17,4 +17,4 @@ maintainers: name: mcavoyk name: external-secrets type: application -version: 0.9.16 +version: 0.9.17 diff --git a/charts/external-secrets/external-secrets/README.md b/charts/external-secrets/external-secrets/README.md index 36d048c84..13c67a966 100644 --- a/charts/external-secrets/external-secrets/README.md +++ b/charts/external-secrets/external-secrets/README.md 
@@ -4,7 +4,7 @@ [//]: # (README.md generated by gotmpl. DO NOT EDIT.) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.16](https://img.shields.io/badge/Version-0.9.16-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.17](https://img.shields.io/badge/Version-0.9.17-informational?style=flat-square) External secret management for Kubernetes @@ -58,7 +58,7 @@ The command removes all the Kubernetes components associated with the chart and | certController.podAnnotations | object | `{}` | Annotations to add to Pod | | certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | certController.podLabels | object | `{}` | | -| certController.podSecurityContext | object | `{}` | | +| certController.podSecurityContext.enabled | bool | `true` | | | certController.priorityClassName | string | `""` | Pod priority class name. | | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | | certController.readinessProbe.address | string | `""` | Address for readiness probe | 
@@ -69,6 +69,7 @@ The command removes all the Kubernetes components associated with the chart and | certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) | | certController.securityContext.allowPrivilegeEscalation | bool | `false` | | | certController.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| certController.securityContext.enabled | bool | `true` | | | certController.securityContext.readOnlyRootFilesystem | bool | `true` | | | certController.securityContext.runAsNonRoot | bool | `true` | | | certController.securityContext.runAsUser | int | `1000` | | @@ -95,10 +96,12 @@ The command removes all the Kubernetes components associated with the chart and | extraArgs | object | `{}` | | | extraContainers | list | `[]` | | | extraEnv | list | `[]` | | +| extraObjects | list | `[]` | | | extraVolumeMounts | list | `[]` | | | extraVolumes | list | `[]` | | | fullnameOverride | string | `""` | | | global.affinity | object | `{}` | | +| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. | | global.nodeSelector | object | `{}` | | | global.tolerations | list | `[]` | | | global.topologySpreadConstraints | list | `[]` | | 
@@ -120,7 +123,7 @@ The command removes all the Kubernetes components associated with the chart and | podAnnotations | object | `{}` | Annotations to add to Pod | | podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | podLabels | object | `{}` | | -| podSecurityContext | object | `{}` | | +| podSecurityContext.enabled | bool | `true` | | | podSpecExtra | object | `{}` | Any extra pod spec on the deployment | | priorityClassName | string | `""` | Pod priority class name. | | processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. | @@ -135,6 +138,7 @@ The command removes all the Kubernetes components associated with the chart and | scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets | | securityContext.allowPrivilegeEscalation | bool | `false` | | | securityContext.capabilities.drop[0] | string | `"ALL"` | | +| securityContext.enabled | bool | `true` | | | securityContext.readOnlyRootFilesystem | bool | `true` | | | securityContext.runAsNonRoot | bool | `true` | | | securityContext.runAsUser | int | `1000` | | 
@@ -190,7 +194,7 @@ The command removes all the Kubernetes components associated with the chart and | webhook.podAnnotations | object | `{}` | Annotations to add to Pod | | webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | webhook.podLabels | object | `{}` | | -| webhook.podSecurityContext | object | `{}` | | +| webhook.podSecurityContext.enabled | bool | `true` | | | webhook.port | int | `10250` | The port the webhook will listen to | | webhook.priorityClassName | string | `""` | Pod priority class name. | | webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | @@ -202,6 +206,7 @@ The command removes all the Kubernetes components associated with the chart and | webhook.secretAnnotations | object | `{}` | Annotations to add to Secret | | webhook.securityContext.allowPrivilegeEscalation | bool | `false` | | | webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | | +| webhook.securityContext.enabled | bool | `true` | | | webhook.securityContext.readOnlyRootFilesystem | bool | `true` | | | webhook.securityContext.runAsNonRoot | bool | `true` | | | webhook.securityContext.runAsUser | int | `1000` | | diff --git a/charts/external-secrets/external-secrets/templates/_helpers.tpl b/charts/external-secrets/external-secrets/templates/_helpers.tpl index 54b482cc7..2475b1145 100644 --- a/charts/external-secrets/external-secrets/templates/_helpers.tpl +++ b/charts/external-secrets/external-secrets/templates/_helpers.tpl 
@@ -154,3 +154,48 @@ Determine the image to use, including if using a flavour. {{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }} {{- end }} {{- end }} + +<<<<<<< HEAD + +{{/* +Renders a complete tree, even values that contains template. +*/}} +{{- define "external-secrets.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{ else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} +======= +{{/* +Return true if the OpenShift is the detected platform +Usage: +{{- include "external-secrets.isOpenShift" . -}} +*/}} +{{- define "external-secrets.isOpenShift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render the securityContext based on the provided securityContext + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}} +*/}} +{{- define "external-secrets.renderSecurityContext" -}} +{{- $adaptedContext := .securityContext -}} +{{- if .context.Values.global.compatibility -}} + {{- if .context.Values.global.compatibility.openshift -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "external-secrets.isOpenShift" .context)) -}} + {{/* Remove OpenShift managed fields */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .securityContext.seLinuxOptions -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} +>>>>>>> 2218c78b (Methods for managing securityContext and OpenShift support) 
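Review bot: The added block in `_helpers.tpl` is committed with unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 2218c78b (...)`) wrapped around the `external-secrets.render` definition on one side and `external-secrets.isOpenShift` / `external-secrets.renderSecurityContext` on the other. Helm may tolerate the marker text because it sits outside any `{{ }}` action in a partial, but the vendored chart no longer matches any upstream revision and the packaged asset presumably carries the same content; the markers should be removed and both sides kept, since `extra-manifests.yaml` calls `external-secrets.render` and the deployments call `renderSecurityContext`. `isOpenShift` also deserves a comment stating its limits, e.g. `{{/* Uses .Capabilities.APIVersions, so offline "helm template" always evaluates to false; set adaptSecurityContext=force to preview the OpenShift rendering */}}`, because rendered-manifest reviews done offline will otherwise differ from what `helm install` applies on OpenShift. The `omit $adaptedContext "seLinuxOptions"` branch only runs when `seLinuxOptions` is absent, so it is a no-op and can be dropped or rewritten to express the intended rule.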
diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml index 54974f47f..000b442d6 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml @@ -35,15 +35,19 @@ spec: serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }} {{- with .Values.certController.podSecurityContext }} + {{- if and (.enabled) (gt (keys . | len) 1) }} securityContext: - {{- toYaml . | nindent 8 }} + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }} + {{- end }} {{- end }} hostNetwork: {{ .Values.certController.hostNetwork }} containers: - name: cert-controller {{- with .Values.certController.securityContext }} + {{- if and (.enabled) (gt (keys . | len) 1) }} securityContext: - {{- toYaml . | nindent 12 }} + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }} + {{- end }} {{- end }} image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }} imagePullPolicy: {{ .Values.certController.image.pullPolicy }} diff --git a/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml index c86e5fa61..db8f2ce8b 100644 --- a/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml 
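Review bot: The new guard `{{- if and (.enabled) (gt (keys . | len) 1) }}` on both the pod and the container `securityContext` means a single `enabled: false` drops `allowPrivilegeEscalation: false`, the `ALL` capability drop, `readOnlyRootFilesystem` and `runAsNonRoot` together, leaving no trace in the rendered manifest; the same guard is repeated verbatim in deployment.yaml and webhook-deployment.yaml later in this diff. None of the snapshot tests touched by this commit exercise `enabled: false` or `adaptSecurityContext: force`, so a regression that silently renders a container without hardening would pass the suite; a test asserting the rendered `securityContext` under those two settings would close that gap. The repeated three-line guard could also live in `external-secrets.renderSecurityContext` so the policy is defined once, though the templates would then need to check the helper's output before emitting the `securityContext:` key.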
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: acraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml index 703d3f75b..3a9cd06af 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -526,11 +526,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -573,11 +575,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -590,7 +594,7 @@ spec: x-kubernetes-map-type: atomic type: array namespaces: - description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing. + description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing. items: type: string type: array diff --git a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml index 4dd8ebff9..b0732a9e2 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io @@ -1577,11 +1577,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml b/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml index 45d7a4df2..cfc222c84 100644 --- a/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml index 6606ed807..abc90cbdc 100644 --- a/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/fake.yaml b/charts/external-secrets/external-secrets/templates/crds/fake.yaml index 237fce3c3..4a9bbfec1 100644 --- a/charts/external-secrets/external-secrets/templates/crds/fake.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/fake.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml index fb9d5784e..21ba92e18 100644 --- a/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/githubaccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/githubaccesstoken.yaml index b556c0849..600421362 100644 --- a/charts/external-secrets/external-secrets/templates/crds/githubaccesstoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/githubaccesstoken.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: githubaccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/password.yaml b/charts/external-secrets/external-secrets/templates/crds/password.yaml index 75d45d4d7..472a27b5e 100644 --- a/charts/external-secrets/external-secrets/templates/crds/password.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/password.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml index 7eb17dfc0..04080beea 100644 --- a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -140,11 +140,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml index 074c9f363..aa80a1292 100644 --- a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: secretstores.external-secrets.io spec: group: external-secrets.io @@ -1577,11 +1577,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml index 381b2318c..5aca229fa 100644 --- a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml 
+++ b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/crds/webhook.yaml b/charts/external-secrets/external-secrets/templates/crds/webhook.yaml index a1cd3ab15..112f97de8 100644 --- a/charts/external-secrets/external-secrets/templates/crds/webhook.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/webhook.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: webhooks.generators.external-secrets.io spec: group: generators.external-secrets.io diff --git a/charts/external-secrets/external-secrets/templates/deployment.yaml b/charts/external-secrets/external-secrets/templates/deployment.yaml index c0584c53c..5c71d96db 100644 --- a/charts/external-secrets/external-secrets/templates/deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/deployment.yaml 
@@ -35,15 +35,19 @@ spec: serviceAccountName: {{ include "external-secrets.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.automount }} {{- with .Values.podSecurityContext }} + {{- if and (.enabled) (gt (keys . | len) 1) }} securityContext: - {{- toYaml . | nindent 8 }} + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }} + {{- end }} {{- end }} hostNetwork: {{ .Values.hostNetwork }} containers: - name: {{ .Chart.Name }} {{- with .Values.securityContext }} + {{- if and (.enabled) (gt (keys . | len) 1) }} securityContext: - {{- toYaml . | nindent 12 }} + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }} + {{- end }} {{- end }} image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }} imagePullPolicy: {{ .Values.image.pullPolicy }} diff --git a/charts/external-secrets/external-secrets/templates/extra-manifests.yaml b/charts/external-secrets/external-secrets/templates/extra-manifests.yaml new file mode 100644 index 000000000..1dfe8f48f --- /dev/null +++ b/charts/external-secrets/external-secrets/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraObjects }} +--- +{{ include "external-secrets.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml b/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml index 2fe6f3f6e..24692a320 100644 --- a/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml 
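Review bot: The new `extra-manifests.yaml` depends on `external-secrets.render`, which in this commit is defined only inside the `<<<<<<< HEAD` side of the unresolved conflict in `_helpers.tpl`; if that conflict is resolved by taking the other side, this template fails with an undefined-template error at render time. Because the helper runs `tpl` on each entry, every `extraObjects` item is evaluated as a Go template with access to `.Values`, `.Files` and the chart's function set, so whoever controls the values file can emit arbitrary rendered manifests; that is the feature's purpose, but the values.yaml comment should state it, e.g. `## -- Extra Kubernetes objects to deploy; each entry is rendered with tpl, so template expressions inside it are evaluated`. The accompanying extra_manifests_test.yaml only asserts `kind`; adding an entry whose `metadata.name` contains a template reference and asserting the expanded value would pin the templating behaviour this file relies on.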
@@ -36,14 +36,18 @@ spec: serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }} {{- with .Values.webhook.podSecurityContext }} + {{- if and (.enabled) (gt (keys . | len) 1) }} securityContext: - {{- toYaml . | nindent 8 }} + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }} + {{- end }} {{- end }} containers: - name: webhook {{- with .Values.webhook.securityContext }} + {{- if and (.enabled) (gt (keys . | len) 1) }} securityContext: - {{- toYaml . | nindent 12 }} + {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }} + {{- end }} {{- end }} image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }} imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap index 07d0b75bc..07121053f 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.16 - helm.sh/chart: external-secrets-0.9.16 + app.kubernetes.io/version: v0.9.17 + helm.sh/chart: external-secrets-0.9.17 name: RELEASE-NAME-external-secrets-cert-controller namespace: NAMESPACE spec: 
@@ -24,8 +24,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.16 - helm.sh/chart: external-secrets-0.9.16 + app.kubernetes.io/version: v0.9.17 + helm.sh/chart: external-secrets-0.9.17 spec: automountServiceAccountToken: true containers: @@ -38,7 +38,7 @@ should match snapshot of default values: - --secret-namespace=NAMESPACE - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.16 + image: ghcr.io/external-secrets/external-secrets:v0.9.17 imagePullPolicy: IfNotPresent name: cert-controller ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap index d8fa3ba25..b24963649 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.16 - helm.sh/chart: external-secrets-0.9.16 + app.kubernetes.io/version: v0.9.17 + helm.sh/chart: external-secrets-0.9.17 name: RELEASE-NAME-external-secrets namespace: NAMESPACE spec: 
@@ -24,15 +24,15 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.16 - helm.sh/chart: external-secrets-0.9.16 + app.kubernetes.io/version: v0.9.17 + helm.sh/chart: external-secrets-0.9.17 spec: automountServiceAccountToken: true containers: - args: - --concurrent=1 - --metrics-addr=:8080 - image: ghcr.io/external-secrets/external-secrets:v0.9.16 + image: ghcr.io/external-secrets/external-secrets:v0.9.17 imagePullPolicy: IfNotPresent name: external-secrets ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap index 8f4ee544e..36800fe36 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap @@ -4,7 +4,7 @@ should match snapshot of default values: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: secretstores.external-secrets.io spec: conversion: @@ -1582,11 +1582,13 @@ should match snapshot of default values: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap index ad80b9929..53eb6fb0a 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap 
@@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.16 - helm.sh/chart: external-secrets-0.9.16 + app.kubernetes.io/version: v0.9.17 + helm.sh/chart: external-secrets-0.9.17 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE spec: @@ -24,8 +24,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.16 - helm.sh/chart: external-secrets-0.9.16 + app.kubernetes.io/version: v0.9.17 + helm.sh/chart: external-secrets-0.9.17 spec: automountServiceAccountToken: true containers: @@ -37,7 +37,7 @@ should match snapshot of default values: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.16 + image: ghcr.io/external-secrets/external-secrets:v0.9.17 imagePullPolicy: IfNotPresent name: webhook ports: @@ -81,8 +81,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.16 + app.kubernetes.io/version: v0.9.17 external-secrets.io/component: webhook - helm.sh/chart: external-secrets-0.9.16 + helm.sh/chart: external-secrets-0.9.17 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE diff --git a/charts/external-secrets/external-secrets/tests/extra_manifests_test.yaml b/charts/external-secrets/external-secrets/tests/extra_manifests_test.yaml new file mode 100644 index 000000000..8cae8f5f0 --- /dev/null +++ b/charts/external-secrets/external-secrets/tests/extra_manifests_test.yaml 
@@ -0,0 +1,15 @@ +suite: test adding extra kubernetes objects +templates: + - extra-manifests.yaml +tests: + - it: should load extra manifests + set: + extraObjects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: random + asserts: + - equal: + path: kind + value: ServiceAccount diff --git a/charts/external-secrets/external-secrets/values.yaml b/charts/external-secrets/external-secrets/values.yaml index 9444b1648..bc795ceb5 100644 --- a/charts/external-secrets/external-secrets/values.yaml +++ b/charts/external-secrets/external-secrets/values.yaml @@ -3,6 +3,14 @@ global: tolerations: [] topologySpreadConstraints: [] affinity: {} + compatibility: + openshift: + # -- Manages the securityContext properties to make them compatible with OpenShift. + # Possible values: + # auto - Apply configurations if it is detected that OpenShift is the target platform. + # force - Always apply configurations. + # disabled - No modification applied. + adaptSecurityContext: auto replicaCount: 1 @@ -114,6 +122,9 @@ extraArgs: {} ## -- Extra volumes to pass to pod. extraVolumes: [] +## -- Extra Kubernetes objects to deploy with the helm chart +extraObjects: [] + ## -- Extra volumes to mount to the container. extraVolumeMounts: [] @@ -128,7 +139,8 @@ podAnnotations: {} podLabels: {} -podSecurityContext: {} +podSecurityContext: + enabled: true # fsGroup: 2000 securityContext: @@ -136,6 +148,7 @@ securityContext: capabilities: drop: - ALL + enabled: true readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 @@ -361,7 +374,8 @@ webhook: podLabels: {} - podSecurityContext: {} + podSecurityContext: + enabled: true # fsGroup: 2000 securityContext: @@ -369,6 +383,7 @@ webhook: capabilities: drop: - ALL + enabled: true readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 @@ -474,7 +489,8 @@ certController: podLabels: {} - podSecurityContext: {} + podSecurityContext: + enabled: true # fsGroup: 2000 securityContext: 
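Review bot: The new `enabled: true` key under `podSecurityContext` and `securityContext` (hunks `@@ -128,7 +139,8 @@`, `@@ -136,6 +148,7 @@`, `@@ -361,7 +374,8 @@`, `@@ -369,6 +383,7 @@`, `@@ -474,7 +489,8 @@` and the `certController` hunk on the following line) carries no comment, although setting it to false omits the whole block — including the capability drop and `runAsNonRoot` — from the rendered pod. Suggest `# -- Set to false to omit the entire securityContext block from the rendered manifest` above each occurrence. The `adaptSecurityContext` comment should also say that `auto` detection depends on the target cluster's advertised API groups, so `helm template` without a cluster renders the non-OpenShift form and `force` is the way to preview the adapted variant; this is inferred from the helper in `_helpers.tpl`, which this values file cannot show.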
@@ -482,6 +498,7 @@ certController: capabilities: drop: - ALL + enabled: true readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index c634cd4db..3697784b2 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.77.10] - April 22, 2024 +## [107.77.11] - April 22, 2024 * Removed integration service * Added recommended postgresql sizing configurations under sizing directory * Updated artifactory-federation (probes, port, embedded mode) diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index c931870cf..45f247354 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.77.10 +appVersion: 7.77.11 dependencies: - condition: postgresql.enabled name: postgresql @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.77.10 +version: 107.77.11 diff --git a/charts/jfrog/artifactory-jcr/CHANGELOG.md b/charts/jfrog/artifactory-jcr/CHANGELOG.md index 5e489ae64..09082a95e 100644 --- a/charts/jfrog/artifactory-jcr/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.77.10] - Nov 23, 2023 +## [107.77.11] - Nov 23, 2023 * **IMPORTANT** * Added min kubeVersion ">= 1.19.0-0" in chart.yaml diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index ce73d9ca2..1b389044b 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml 
+++ b/charts/jfrog/artifactory-jcr/Chart.yaml @@ -4,11 +4,11 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.77.10 +appVersion: 7.77.11 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.77.10 + version: 107.77.11 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.77.10 +version: 107.77.11 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index 03c027ac0..501b801a3 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.77.10] - April 22, 2024 +## [107.77.11] - April 22, 2024 * Removed integration service * Added recommended postgresql sizing configurations under sizing directory * Updated artifactory-federation (probes, port, embedded mode) diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index 4763e6f96..0cd199950 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.77.10 +appVersion: 7.77.11 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.77.10 +version: 107.77.11 
diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 1ee4e6930..4e92a5127 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/redpanda:v23.3.11 + image: docker.redpanda.com/redpandadata/redpanda:v24.1.1 - name: busybox image: busybox:latest - name: mintel/docker-alpine-bash-curl-jq @@ -17,7 +17,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: redpanda apiVersion: v2 -appVersion: v23.3.11 +appVersion: v24.1.1 dependencies: - condition: console.enabled name: console @@ -37,4 +37,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.8.2 +version: 5.8.3 diff --git a/charts/redpanda/redpanda/README.md b/charts/redpanda/redpanda/README.md index 22eb6325c..0dd46043a 100644 --- a/charts/redpanda/redpanda/README.md +++ b/charts/redpanda/redpanda/README.md 
@@ -3,7 +3,7 @@ description: Find the default values and descriptions of settings in the Redpanda Helm chart. --- -![Version: 5.8.2](https://img.shields.io/badge/Version-5.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.11](https://img.shields.io/badge/AppVersion-v23.3.11-informational?style=flat-square) +![Version: 5.8.3](https://img.shields.io/badge/Version-5.8.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.1.1](https://img.shields.io/badge/AppVersion-v24.1.1-informational?style=flat-square) This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. diff --git a/charts/redpanda/redpanda/templates/secrets.yaml b/charts/redpanda/redpanda/templates/secrets.yaml index 2989dd6c8..551f5d525 100644 --- a/charts/redpanda/redpanda/templates/secrets.yaml +++ b/charts/redpanda/redpanda/templates/secrets.yaml @@ -174,8 +174,15 @@ stringData: set -e + # rpk cluster health can exit non-zero if it's unable to dial brokers. This + # can happen for many reasons but we never want this script to crash as it + # would take down yet another broker and make a bad situation worse. + # Instead, just wait for the command to eventually exit zero. echo "Waiting for cluster to be ready" - rpk cluster health --watch --exit-when-healthy + until rpk cluster health --watch --exit-when-healthy; do + echo "rpk cluster health failed. Waiting 5 seconds before trying again..." + sleep 5 + done {{- if and $sasl.enabled (not (empty $sasl.secretRef )) }} while true; do 
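Review bot: The `until` loop retries forever, so when the cluster never becomes healthy this script blocks indefinitely instead of failing, and the only diagnostic is a fixed message that hides why `rpk` exited non-zero. Surfacing the status in the first body line, `echo "rpk cluster health failed (exit $?). Waiting 5 seconds before trying again..."`, costs nothing; if this script runs in a hook Job, an `activeDeadlineSeconds` on that Job (or a retry cap in the loop) would bound the wait so an unhealthy cluster is reported rather than left as a hung post-install step. The enclosing script starts before `set -e` and continues past `while true; do`, outside this hunk.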
diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index d76642983..bffc91589 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.1.296 +appVersion: 2.1.301 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.1.296 +version: 2.1.301 diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 870afbf01..b16cb9040 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.1.296 + tag: v2.1.301 pullPolicy: Always # Log level for Speedscale components. diff --git a/index.yaml b/index.yaml index b9c8337ba..cc36dd437 100644 --- a/index.yaml +++ b/index.yaml 
@@ -4274,6 +4274,39 @@ entries: - assets/argo/argo-cd-5.8.0.tgz version: 5.8.0 artifactory-ha: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.77.11 + created: "2024-05-02T00:52:10.96066079Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 67ad9a81300436a465fd0a1f4de0bb319c77b19f9513876691e1421da4bb7584 + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.77.11.tgz + version: 107.77.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA 
@@ -5918,6 +5951,40 @@ entries: - assets/jfrog/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.77.11 + created: "2024-05-02T00:52:11.339981268Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.77.11 + description: JFrog Container Registry + digest: 720367b8720b82d341c645b7f980a3f353302f7b356c370241131f56fa5282e1 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.77.11.tgz + version: 107.77.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry 
@@ -10997,6 +11064,35 @@ entries: - assets/codefresh/cf-runtime-0.1.401.tgz version: 0.1.401 chronicle: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Chronicle + catalog.cattle.io/release-name: chronicle + apiVersion: v2 + appVersion: 0.7.6 + created: "2024-05-02T00:52:09.318693502Z" + dependencies: + - name: standard-defs + repository: file://./charts/standard-defs + version: ~0.1.0 + - name: sawtooth + repository: file://./charts/sawtooth + version: ~0.2.0 + description: 'Chronicle is an open-source, blockchain-backed, domain-agnostic + provenance product. Chronicle makes it easy for users to record and query immutable + provenance information on a distributed ledger - about any asset, in any domain, + and across multiple parties. ' + digest: ce9635e88b9e96cb91a36c33c292876860348ac780eedf7fac7c56e5f3106b8d + home: https://docs.btp.works/chronicle + icon: https://chronicle-resources.s3.amazonaws.com/icons/chronicle-transparent-bg-dark.png + keywords: + - provenance + - blockchain + name: chronicle + type: application + urls: + - assets/btp/chronicle-0.1.25.tgz + version: 0.1.25 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Chronicle 
@@ -18031,6 +18127,30 @@ entries: - assets/dynatrace/dynatrace-operator-0.7.2.tgz version: 0.7.2 external-secrets: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: External Secrets Operator + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: external-secrets + apiVersion: v2 + appVersion: v0.9.17 + created: "2024-05-02T00:52:09.820419345Z" + description: External secret management for Kubernetes + digest: d34abc8443a9db6ebb7023fed829c49c47402c05df9975b620f214856aba5b07 + home: https://github.com/external-secrets/external-secrets + icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png + keywords: + - kubernetes-external-secrets + - secrets + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: kellinmcavoy@gmail.com + name: mcavoyk + name: external-secrets + type: application + urls: + - assets/external-secrets/external-secrets-0.9.17.tgz + version: 0.9.17 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: External Secrets Operator 
@@ -44857,6 +44977,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.1.1 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.1.1 + created: "2024-05-02T00:52:14.193477918Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: f4eeddbb7743528cbb3aeebd209b79e2d35d916e6fb4807b720714370bd98791 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.8.3.tgz + version: 5.8.3 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -49638,6 +49802,37 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.1.301 + created: "2024-05-02T00:52:14.283828726Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 71da5fc8f4d63a8ae94eb7d3e20a53904b0aac7921b57b0c41e14fdfedd4cd74 + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.1.301.tgz + version: 2.1.301 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator