Charts CI

```
Updated:
  btp/chronicle:
    - 0.1.25
  external-secrets/external-secrets:
    - 0.9.17
  jfrog/artifactory-ha:
    - 107.77.11
  jfrog/artifactory-jcr:
    - 107.77.11
  redpanda/redpanda:
    - 5.8.3
  speedscale/speedscale-operator:
    - 2.1.301
```

charts/btp/chronicle/Chart.yaml

@@ -3,7 +3,7 @@ annotations:
   catalog.cattle.io/display-name: Chronicle
   catalog.cattle.io/release-name: chronicle
 apiVersion: v2
-appVersion: 0.7.3
+appVersion: 0.7.6
 dependencies:
 - name: standard-defs
   repository: file://./charts/standard-defs
@@ -22,4 +22,4 @@ keywords:
 - blockchain
 name: chronicle
 type: application
-version: 0.1.15
+version: 0.1.25

charts/btp/chronicle/README.md

@@ -1,9 +1,10 @@
-# Chronicle
+# Chronicle on Hyperledger Sawtooth
 
 | field | description | default |
 |-|-|-|
 | `affinity`| custom affinity rules for the chronicle pod | {} |
-| `auth.required` | if true require authentication | false |
+| `auth.required` | if true require authentication, rejecting 'anonymous' requests | false |
+| `auth.id.claims` | Chronicle provides default values ["iss", "sub"] | nil |
 | `backtraceLevel` | backtrace level for Chronicle  | nil |
 | `devIdProvider.image` | the image to use for the id-provider container | blockchaintp/id-provider |
 | `devIdProvider.image.pullPolicy` | the image pull policy | IfNotPresent |
@@ -44,11 +45,15 @@
 | `replicas` | number of Chronicle replicas to run | 1 |
 | `serviceAccount.create` | true to create a service account | false |
 | `serviceAccount.name` | name of the service account | nil (defaults to based on release name) |
-| `test.enabled` | true to enable test Jobs and Services | true |
+| `test.api` | test the chronicle GraphQL server API |
-| `api-test-container.image` | the image to use for the api-test container | blockchaintp/chronicle-api-test |
+| `test.api.enabled` | true to enable api-test Jobs and Services | true |
+| `test.api.image` | the image to use for the api-test container | blockchaintp/chronicle-helm-api-test |
 | `test.api.image.pullPolicy` | the image pull policy | IfNotPresent |
 | `test.api.image.repository` | the image repository | blockchaintp/chronicle-helm-api-test |
 | `test.api.image.tag` | the image tag | latest |
+| `test.auth` | test the chronicle auth server API |
+| `test.auth.enabled` | true to enable auth-related testing | true |
+| `test.auth.token` | provide a token for auth-related testing | nil |
 | `postgres.enabled` | if true create an internal postgres instance | boolean | true |
 | `postgres.env` | postgres environment variables | map | N/A |
 | `postgres.image.repository` | postgres image repository | string | "postgres" |
@@ -82,3 +87,19 @@
 | `tp.maxUnavailable` | maximum unavailable nodes during a rolling upgrade |
 | `tp.minReadySeconds` | minimum time before node becomes available |
 | `sawtooth` | sawtooth options may be configured | see [Sawtooth](../sawtooth/README.md) |
+| `livenessProbe.enabled` | if true, enables the liveness probe | false |
+| `livenessProbe.initialDelaySeconds` | delay before liveness probe is initiated | 30 |
+| `livenessProbe.periodSeconds` | how often to perform the probe | 10 |
+| `livenessProbe.timeoutSeconds` | when the probe times out | 1 |
+| `livenessProbe.failureThreshold` | how many times to retry the probe before giving up | 3 |
+| `livenessProbe.successThreshold` | how many times the probe must report success to be considered successful after having failed | 1 |
+| `livenessProbe.namespaceName` | the namespace name for the liveness probe | "default" |
+| `livenessProbe.namespaceUuid` | the namespace UUID for the liveness probe | "fd717fd6-70f1-44c1-81de-287d5e101089" |
+| `startupProbe.enabled` | if true, enables the startup probe | false |
+| `startupProbe.initialDelaySeconds` | delay before startup probe is initiated | 10 |
+| `startupProbe.periodSeconds` | how often to perform the probe | 10 |
+| `startupProbe.timeoutSeconds` | when the probe times out | 1 |
+| `startupProbe.failureThreshold` | how many times to retry the probe before giving up | 3 |
+| `startupProbe.successThreshold` | how many times the probe must report success to be considered successful after having failed | 1 |
+| `startupProbe.namespaceName` | the namespace name for the startup probe | "default" |
+| `startupProbe.namespaceUuid` | the namespace UUID for the startup probe | "fd717fd6-70f1-44c1-81de-287d5e101089" |

charts/btp/chronicle/app-readme.md

@@ -1,10 +1,12 @@
+# Chronicle on Hyperledger Sawtooth
+
 Chronicle records provenance information of any physical or digital asset on a distributed ledger.
 
 - Chronicle is available with Hyperledger Sawtooth as its default backing ledger.
 - Chronicle is built on the established W3C PROV Ontology standard; it uses the lightweight JSON-LD linked data format, and the data query language GraphQL.
 - Chronicle is easily adaptable to enable users to model, capture, and query provenance information pertinent to their industry, application and use case.
 
-You can find example domains and further instructions at https://examples.btp.works
+You can find example domains and further instructions at <https://examples.chronicle.works>
 
 ## *Important*
 

charts/btp/chronicle/templates/_chronicle.tpl

@@ -55,21 +55,75 @@ chronicle: {{ include "common.names.fullname" . }}
 {{ include "common.names.fullname" . }}-test-id-provider
 {{- end -}}
 
-{{- define "chronicle.jwksUrl" -}}
+{{- define "chronicle.id-provider.service.jwks.url" -}}
+http://{{ include "chronicle.id-provider.service" . }}:8090/jwks
+{{- end -}}
+
+{{- define "chronicle.id-provider.service.userinfo.url" -}}
+http://{{ include "chronicle.id-provider.service" . }}:8090/userinfo
+{{- end -}}
+
+{{- define "chronicle.id-claims" -}}
+{{- if .Values.auth.id.claims -}}
+--id-claims {{ .Values.auth.id.claims }} \
+{{- else -}}
+{{- /* Do nothing */ -}}
+{{- end -}}
+{{- end -}}
+
+{{/* The JWKS and userinfo URLs are connected. */}}
+{{/* If either is provided Chronicle will use the user-provided options. */}}
+{{/* If neither is provided Chronicle should fall back to using the 'devIdProvider'.*/}}
+{{- define "chronicle.jwks-url.url" -}}
+{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}}
 {{- if .Values.auth.jwks.url -}}
 {{ .Values.auth.jwks.url }}
+{{- end -}}
 {{- else -}}
 {{- if .Values.devIdProvider.enabled -}}
-http://{{ include "chronicle.id-provider.service" . }}:8090/jwks
+{{ include "chronicle.id-provider.service.jwks.url" . }}
-{{- else -}}
-{{ required "devIdProvider.enabled must be true or auth.jwks.url must be set!" .Values.auth.jwks.url }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 
-{{- define "chronicle.userinfoUrl" -}}
+{{- define "chronicle.jwks-url.cli" -}}
+{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}}
+{{- if .Values.auth.jwks.url -}}
+--jwks-address {{ include "chronicle.jwks-url.url" . }} \
+{{- end -}}
+{{- else -}}
+{{- if .Values.devIdProvider.enabled -}}
+--jwks-address {{ include "chronicle.jwks-url.url" . }} \
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* The JWKS and userinfo URLs are connected. */}}
+{{/* If either is provided Chronicle will use the user-provided options. */}}
+{{/* If neither is provided Chronicle should fall back to using the 'devIdProvider'.*/}}
+{{- define "chronicle.userinfo-url" -}}
+{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}}
+{{- if .Values.auth.userinfo.url -}}
 {{ .Values.auth.userinfo.url }}
 {{- end -}}
+{{- else -}}
+{{- if .Values.devIdProvider.enabled -}}
+{{ include "chronicle.id-provider.service.userinfo.url" . }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "chronicle.userinfo-url.cli" -}}
+{{- if or (.Values.auth.jwks.url) (.Values.auth.userinfo.url) -}}
+{{- if .Values.auth.userinfo.url -}}
+--userinfo-address {{ include "chronicle.userinfo-url" . }} \
+{{- end -}}
+{{- else -}}
+{{- if .Values.devIdProvider.enabled -}}
+--userinfo-address {{ include "chronicle.userinfo-url" . }} \
+{{- end -}}
+{{- end -}}
+{{- end -}}
 
 {{- define "chronicle.root-key.secret" -}}
 {{ include "common.names.fullname" . }}-root-key

charts/btp/chronicle/templates/chronicle-init.yaml

@@ -3,12 +3,11 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  annotations:
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   name: {{ include "common.names.fullname" . }}-init
   labels: {{ include "chronicle.labels" . | nindent 4 }}
     component: chronicle
 spec:
+  ttlSecondsAfterFinished: 100
   template:
     metadata:
       labels: {{ include "chronicle.labels" . | nindent 8 }}
@@ -159,13 +158,17 @@ spec:
           command: [ "bash", "-ec"]
           args:
             - |
-              if opactl \
+              echo "Attempting to get policy."
+              opactl \
                 --sawtooth-address tcp://$HOST:$PORT \
                   get-policy \
                     --id {{ .Values.opa.policy.id }} \
-                      --output policy.bin >/dev/null 2>&1; then
+                    --output /shared-data/policy.bin || true
+
+              if [ -f "/shared-data/policy.bin" ]; then
                 echo "Policy already set."
                 touch /shared-data/policy-already-set
+                exit 0
               else
                 echo "Policy not found."
                 exit 0
@@ -197,7 +200,7 @@ spec:
                     set-policy \
                       --id {{ .Values.opa.policy.id }} \
                       -p {{ .Values.opa.policy.url }} \
-                      --root-key /shared-data/root.pem
+                      --root-key /shared-data/root.pem || true
               fi
           env: {{ include "lib.safeToYaml" .Values.env | nindent 12 }}
             - name: HOST

charts/btp/chronicle/templates/statefulset.yaml

@@ -104,7 +104,7 @@ spec:
             - |
               {{ if .Values.auth.required }}
               {{ if and (not .Values.auth.jwks.url) (not .Values.auth.userinfo.url) (not .Values.devIdProvider.enabled) }}
-              {{ required "If auth.required you need to provide at least auth.jwks.url or auth.userinfo.url" .Values.auth.jwks.url }}
+              {{ required "If 'auth.required' you need to provide at least 'auth.jwks.url' or 'auth.userinfo.url', or 'devIdProvider.enabled' must be 'true'!" .Values.auth.jwks.url }}
               {{ end }}
               {{ end }}
 
@@ -122,17 +122,13 @@ spec:
                 --embedded-opa-policy \
                 {{- end }}
                 serve-api \
-                  --interface 0.0.0.0:{{ .Values.port}} \
+                  --interface 0.0.0.0:{{ .Values.port }} \
                   {{- if .Values.auth.required }}
                   --require-auth \
-                  --id-claims {{ .Values.auth.id.claims }} \
-                  {{- if .Values.auth.jwks.enabled }}
-                  --jwks-address {{ include "chronicle.jwksUrl" . }} \
-                  {{- end }}
-                  {{- if .Values.auth.userinfo.url }}
-                  --userinfo-address {{ include "chronicle.userinfoUrl" . }} \
-                  {{- end }}
                   {{- end }}
+                  {{ include "chronicle.jwks-url.cli" . }}
+                  {{ include "chronicle.userinfo-url.cli" . }}
+                  {{ include "chronicle.id-claims" . }}
                   ;
           env: {{ include "lib.safeToYaml" .Values.env | nindent 12 }}
             - name: RUST_LOG
@@ -157,6 +153,106 @@ spec:
             - name: chronicle-data
               mountPath: /var/lib/chronicle/store/
             {{- include "lib.volumeMounts" .Values.extraVolumeMounts | nindent 12 }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            exec:
+              command:
+                - bash
+                - -c
+                - |
+                  PROBE_ID="liveness_$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 13)" &&
+                  TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") &&
+                  echo '[
+                    {
+                      "@id": "_:n1",
+                      "@type": [
+                        "http://btp.works/chronicleoperations/ns#ActivityExists"
+                      ],
+                      "http://btp.works/chronicleoperations/ns#activityName": [
+                        {
+                          "@value": "'"$PROBE_ID"'"
+                        }
+                      ],
+                      "http://btp.works/chronicleoperations/ns#namespaceName": [
+                        {
+                          "@value": "{{ .Values.livenessProbe.namespaceName }}"
+                        }
+                      ],
+                      "http://btp.works/chronicleoperations/ns#namespaceUuid": [
+                        {
+                          "@value": "{{ .Values.livenessProbe.namespaceUuid }}"
+                        }
+                      ]
+                    }
+                  ]' > /tmp/import.json &&
+                  echo "Probe ID: $PROBE_ID" &&
+                  RUST_LOG=error chronicle \
+                    -c /etc/chronicle/config/config.toml \
+                    --console-logging json \
+                    --sawtooth tcp://{{ include "chronicle.sawtooth.service" . }}:{{ include "chronicle.sawtooth.sawcomp" . }} \
+                    --remote-database \
+                    --database-name {{ .Values.postgres.database }} \
+                    --database-username {{ .Values.postgres.user }} \
+                    --database-host {{ .Values.postgres.host }} \
+                {{- if not .Values.opa.enabled }}
+                    --embedded-opa-policy \
+                {{- end }}
+                    import {{ .Values.livenessProbe.namespaceName }} {{ .Values.livenessProbe.namespaceUuid }} /tmp/import.json
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.startUpProbe.enabled }}
+          startupProbe:
+            exec:
+              command:
+                - bash
+                - -c
+                - |
+                  PROBE_ID="startup_$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 13)" &&
+                  TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ") &&
+                  echo '[
+                    {
+                      "@id": "_:n1",
+                      "@type": [
+                        "http://btp.works/chronicleoperations/ns#ActivityExists"
+                      ],
+                      "http://btp.works/chronicleoperations/ns#activityName": [
+                        {
+                          "@value": "'"$PROBE_ID"'"
+                        }
+                      ],
+                      "http://btp.works/chronicleoperations/ns#namespaceName": [
+                        {
+                          "@value": "{{ .Values.startUpProbe.namespaceName }}"
+                        }
+                      ],
+                      "http://btp.works/chronicleoperations/ns#namespaceUuid": [
+                        {
+                          "@value": "{{ .Values.startUpProbe.namespaceUuid }}"
+                        }
+                      ]
+                    }
+                  ]' > /tmp/import.json &&
+                  echo "Probe ID: $PROBE_ID" &&
+                  RUST_LOG=error chronicle \
+                    -c /etc/chronicle/config/config.toml \
+                    --console-logging json \
+                    --sawtooth tcp://{{ include "chronicle.sawtooth.service" . }}:{{ include "chronicle.sawtooth.sawcomp" . }} \
+                    --remote-database \
+                    --database-name {{ .Values.postgres.database }} \
+                    --database-username {{ .Values.postgres.user }} \
+                    --database-host {{ .Values.postgres.host }} \
+                {{- if not .Values.opa.enabled }}
+                    --embedded-opa-policy \
+                {{- end }}
+                    import {{ .Values.startUpProbe.namespaceName }} {{ .Values.startUpProbe.namespaceUuid }} /tmp/import.json
+            initialDelaySeconds: {{ .Values.startUpProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.startUpProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.startUpProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.startUpProbe.failureThreshold }}
+          {{- end }}
       volumes:
         - name: chronicle-secrets
           persistentVolumeClaim:
@@ -167,10 +263,10 @@ spec:
         - name: chronicle-config
           configMap:
             name: {{ .Release.Name }}-chronicle-config
-{{- if not .Values.postgres.persistence.enabled }}
+        {{- if not .Values.postgres.persistence.enabled }}
         - name: "pgdata"
           emptyDir: {}
-{{- end }}
+        {{- end }}
   volumeClaimTemplates:
     - metadata:
         name: chronicle-data
@@ -180,7 +276,7 @@ spec:
         resources:
           requests:
             storage: 6Gi
-{{- if .Values.postgres.persistence.enabled }}
+    {{- if .Values.postgres.persistence.enabled }}
     - metadata:
         name: "pgdata"
         annotations: {{- include "lib.safeToYaml" .Values.postgres.persistence.annotations | nindent 10 }}
@@ -190,4 +286,4 @@ spec:
         resources:
           requests:
             storage: {{ .Values.postgres.persistence.size | quote }}
-{{- end }}
+    {{- end }}

charts/btp/chronicle/templates/test-token-getter-roles.yaml

@@ -1,5 +1,4 @@
-{{- if .Values.test.enabled }}
+{{- if or (.Values.test.api.enabled) (.Values.test.auth.enabled) }}
-{{- if .Values.auth.required }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -34,4 +33,3 @@ subjects:
   name: {{ include "lib.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
-{{- end }}

charts/btp/chronicle/templates/tests/api-test.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.test.enabled }}
+{{- if .Values.test.api.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -15,29 +15,52 @@ spec:
       restartPolicy: Never
       serviceAccountName:  {{ include "lib.serviceAccountName" . }}
       automountServiceAccountToken: true
-      initContainers:
       {{- if .Values.auth.required }}
+      {{ if not .Values.test.auth.token }}
+      {{ if not .Values.devIdProvider.enabled }}
+      {{ required "If 'auth.required' when using the api-test 'test.auth.token' must be provided or 'devIdProvider.enabled' must be set to 'true'!" .Values.devIdProvider.enabled }}
+      {{ end }}
+      initContainers:
         - name: wait-for-id-provider
           {{- include "lib.image" (dict "imageRoot" .Values.test.api.image "global" .Values.global ) | nindent 10 }}
-          command: [ "sh", "-ec" ]
+          command: [ "sh", "-c" ]
           args:
             - |
-              URL={{ include "chronicle.jwksUrl" . }}
+              URL="{{ include "chronicle.id-provider.service.jwks.url" . }}"
-              scheme=$(echo $URL | cut -f 1 -d :)
+
-              hostAndPort=$(echo $URL | cut -f 3 -d /)
+              wait_for_url() {
-              HOST=$(echo $hostAndPort | cut -f 1 -d :)
+                local url=$1
-              port=$(echo $hostAndPort | awk -F: '{print $2}')
+                scheme=$(echo "$url" | cut -f 1 -d :)
-              if [ "$scheme" = "http" ]; then
+                hostAndPort=$(echo "$url" | cut -f 3 -d /)
+                HOST=$(echo "$hostAndPort" | cut -f 1 -d :)
+                port=$(echo "$hostAndPort" | awk -F: '{print $2}')
+
+                case $scheme in
+                  "http")
                     defaultPort=80
-              elif [ "$scheme" = "https" ]; then
+                    ;;
+                  "https")
                     defaultPort=443
-              else
+                    ;;
+                  *)
                     defaultPort=80
-              fi
+                    ;;
+                esac
+
                 PORT=${port:-$defaultPort}
+                wait-for-it "$HOST:$PORT" --timeout=120
+              }
+
               echo "Waiting for id-provider to be ready ..."
-              wait-for-it $HOST:$PORT --timeout=0
+              wait_for_url "$URL"
+
+              if [ $? -eq 0 ]; then
                 echo "Id-provider is ready. Exiting."
+                exit 0
+              else
+                echo "Timeout occurred. Please check if the correct URL has been provided."
+                exit 1
+              fi
         - name: token-loader
           image: alpine/k8s:1.24.13
           command: [ "sh", "-ec" ]
@@ -51,6 +74,7 @@ spec:
           volumeMounts:
             - name: shared-data
               mountPath: /shared-data
+      {{ end }}
       {{- end }}
       containers:
         - name: test
@@ -58,6 +82,14 @@ spec:
           command: [ "sh", "-ec" ]
           args:
             - |
+              {{ if not .Values.test.auth.token }}
+              {{ if or .Values.auth.jwks.url .Values.auth.userinfo.url }}
+              echo "Auth endpoints provided but no token provided."
+              echo "Please provide 'test.auth.token' in the values.yaml file."
+              exit 1
+              {{ end }}
+              {{ end }}
+
               API={{ include "chronicle.api.service" . }}
               export PORT={{ .Values.port }}
               echo "Waiting for API to be ready ..."
@@ -65,13 +97,16 @@ spec:
               echo "Getting IP address for API ..."
               getent hosts $API | cut -f 1 -d \ | head -n 1 > /shared-data/api-ip || exit 1
 
-              {{- if .Values.auth.required }}
+              {{- if .Values.test.auth.token }}
+              echo "{{ .Values.test.auth.token }}" > /shared-data/jwks-token
+              {{- end }}
+
               if [ -f "/shared-data/jwks-token" ]; then
                 echo "Found token."
                 sleep 5
                 export TOKEN=$(cat "/shared-data/jwks-token")
               fi
-              {{- end }}
+
               export HOST=$(cat /shared-data/api-ip)
               echo "Testing API with subscribe-submit-test..."
               subscribe-submit-test

charts/btp/chronicle/templates/tests/auth-endpoints-test.yaml

@@ -0,0 +1,160 @@
+{{- if .Values.test.auth.enabled }}
+{{ if not (or (.Values.devIdProvider.enabled) (or (.Values.auth.jwks.url) (.Values.auth.userinfo.url)))}}
+{{ required "If 'test.auth.enabled' you need to provide 'auth.jwks.url', 'auth.userinfo.url', or enable the `devIdProvider`!" .Values.devIdProvider.enabled }}
+{{ end }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "common.names.fullname" . }}-auth-endpoints-test
+  labels: {{ include "chronicle.labels" . | nindent 4 }}
+    component: auth-endpoints-test
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  backoffLimit: 0
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName:  {{ include "lib.serviceAccountName" . }}
+      {{- if .Values.devIdProvider.enabled }}
+      automountServiceAccountToken: true
+      initContainers:
+        - name: wait
+          {{- include "lib.image" (dict "imageRoot" .Values.test.api.image "global" .Values.global ) | nindent 10 }}
+          command: [ "sh", "-c" ]
+          args:
+            - |
+              URL="{{ include "chronicle.id-provider.service.jwks.url" . }}"
+
+              wait_for_url() {
+                local url=$1
+                scheme=$(echo "$url" | cut -f 1 -d :)
+                hostAndPort=$(echo "$url" | cut -f 3 -d /)
+                HOST=$(echo "$hostAndPort" | cut -f 1 -d :)
+                port=$(echo "$hostAndPort" | awk -F: '{print $2}')
+
+                case $scheme in
+                  "http")
+                    defaultPort=80
+                    ;;
+                  "https")
+                    defaultPort=443
+                    ;;
+                  *)
+                    defaultPort=80
+                    ;;
+                esac
+
+                PORT=${port:-$defaultPort}
+                wait-for-it "$HOST:$PORT" --timeout=120
+              }
+
+              echo "Waiting for id-provider to be ready ..."
+              wait_for_url "$URL"
+
+              if [ $? -eq 0 ]; then
+                echo "Id-provider is ready. Exiting."
+                exit 0
+              else
+                echo "Timeout occurred. Please check if the correct URL has been provided."
+                exit 1
+              fi
+        - name: tok
+          image: alpine/k8s:1.24.13
+          command: [ "sh", "-ec" ]
+          args:
+            - |
+              echo "Waiting to ensure id-provider is ready ..."
+              sleep 20
+              echo "Getting token from id-provider ..."
+              kubectl exec {{ include "chronicle.id-provider.service" . }}-0 -c id-provider -- oauth-token > /shared-data/jwks-token
+              echo "Token loaded. Exiting."
+          volumeMounts:
+            - name: shared-data
+              mountPath: /shared-data
+      {{- end }}
+      containers:
+        - name: jwks
+          image: alpine/k8s:1.24.13
+          command: [ "sh", "-c"]
+          args:
+            - |
+              {{ if or (.Values.auth.jwks.url) (.Values.devIdProvider.enabled) }}
+              {{ if .Values.auth.jwks.url }}
+              echo "Checking provided JWKS endpoint: {{ .Values.auth.jwks.url }}."
+              endPoint="{{ .Values.auth.jwks.url }}"
+              {{ else if .Values.auth.userinfo.url }}
+              echo "JWKS endpoint not set but userinfo url is set - skipping JWKS check."
+              exit 0
+              {{ else }}
+              echo "Checking JWKS endpoint from id-provider: {{ include "chronicle.id-provider.service.jwks.url" . }}."
+              endPoint="{{ include "chronicle.id-provider.service.jwks.url" . }}"
+              {{ end }}
+
+              time curl -s -o /shared-data/jwks.json $endPoint
+
+              cat /shared-data/jwks.json | jq . > /dev/null \
+                || { echo "JWKS endpoint did not return a valid JSON object."; echo "DEBUG: $(cat /shared-data/jwks.json)"; exit 1; }
+              echo "JWKS endpoint returned a valid JSON object:"
+              cat /shared-data/jwks.json
+              echo
+              {{ else }}
+              echo "Skipping JWKS endpoint check."
+              {{ end }}
+
+              echo -e "Exiting."
+          volumeMounts:
+            - name: shared-data
+              mountPath: /shared-data
+        - name: userinfo
+          image: alpine/k8s:1.24.13
+          command: [ "sh", "-c"]
+          args:
+            - |
+              {{ if or (.Values.auth.userinfo.url) (.Values.devIdProvider.enabled) }}
+              {{ if .Values.auth.userinfo.url }}
+              {{ if not .Values.test.auth.token }}
+              {{ required "If providing 'auth.userinfo.url' you need to provide a 'test.auth.token'!" .Values.test.auth.token}}
+              {{ end }}
+              echo "Checking user-provided userinfo endpoint: $endPoint"
+              endPoint="{{ .Values.auth.userinfo.url }}"
+              {{ else if .Values.auth.jwks.url }}
+              echo "Userinfo endpoint not set but JWKS url is set - skipping userinfo check."
+              exit 0
+              {{ else }}
+              echo "Checking id-provider userinfo endpoint: $endPoint"
+              endPoint="{{ include "chronicle.id-provider.service.userinfo.url" . }}"
+              {{ end }}
+
+              {{ if .Values.test.auth.token }}
+              {{ if not .Values.auth.userinfo.url }}
+              {{ required "If providing 'test.auth.token' you need to provide a 'auth.userinfo.url'!" .Values.auth.userinfo.url }}
+              {{ end }}
+              echo "Using 'test.auth.token' to check userinfo endpoint."
+              time curl -s -H "Authorization: Bearer {{ .Values.test.auth.token }}" -o /shared-data/userinfo.json $endPoint
+              {{ else }}
+              echo "Using token from id-provider to check userinfo endpoint."
+              time curl -s -H "Authorization: Bearer $(cat /shared-data/jwks-token)" -o /shared-data/userinfo.json $endPoint
+              {{ end }}
+
+              if jq -e 'has("error")' /shared-data/userinfo.json > /dev/null; then
+                echo "Userinfo endpoint returned an error:"
+                echo "DEBUG: $(cat /shared-data/userinfo.json)"
+                exit 1
+              else
+                echo "Userinfo endpoint returned a valid JSON object: $(cat /shared-data/userinfo.json)"
+                echo
+              fi
+              {{ else }}
+              echo "Skipping userinfo endpoint check."
+              {{ end }}
+
+              echo -e "Exiting."
+          volumeMounts:
+            - name: shared-data
+              mountPath: /shared-data
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+{{- end }}

charts/btp/chronicle/values.yaml

@@ -12,16 +12,46 @@ global:
 affinity: {}
 
 auth:
-  ## @md | `auth.required` | if true require authentication | false |
+  ## @md | `auth.required` | if true require authentication, rejecting 'anonymous' requests | false |
   required: false
   id:
-    claims: email
+    ## @md | `auth.id.claims` | Chronicle provides default values ["iss", "sub"] | nil |
+    claims:
   jwks:
-    enabled: true
     url:
   userinfo:
     url:
 
+## @md | `livenessProbe.enabled` | if true, enables the liveness probe | false |
+livenessProbe:
+  enabled: false
+  ## @md | `livenessProbe.timeoutSeconds` | number of seconds after which the probe times out | 10 |
+  timeoutSeconds: 20
+  ## @md | `livenessProbe.periodSeconds` | how often (in seconds) to perform the probe | 60 |
+  periodSeconds: 60
+  ## @md | `livenessProbe.failureThreshold` | when a probe fails, Kubernetes will try failureThreshold times before giving up | 1 |
+  failureThreshold: 1
+  ## @md | `livenessProbe.namespaceName` | the Chronicle namespace in which the probe operates | default |
+  namespaceName: default
+  ## @md | `livenessProbe.namespaceUuid` | the UUID of the Chronicle namespace in which the probe operates | fd717fd6-70f1-44c1-81de-287d5e101089 |
+  namespaceUuid: fd717fd6-70f1-44c1-81de-287d5e101089
+
+## @md | `startUpProbe.enabled` | if true, enables the startup probe | true |
+startUpProbe:
+  enabled: false
+  ## @md | `startUpProbe.initialDelaySeconds` | number of seconds after which the probe starts | 5 |
+  initialDelaySeconds: 5
+  ## @md | `startUpProbe.failureThreshold` | when a probe fails, Kubernetes will try failureThreshold times before giving up | 30 |
+  failureThreshold: 30
+  ## @md | `startUpProbe.periodSeconds` | how often (in seconds) to perform the probe | 10 |
+  periodSeconds: 10
+  ## @md | `startUpProbe.timeoutSeconds` | number of seconds after which the probe times out | 3 |
+  timeoutSeconds: 3
+  ## @md | `startUpProbe.namespaceName` | the Chronicle namespace in which the probe operates | default |
+  namespaceName: default
+  ## @md | `startUpProbe.namespaceUuid` | the UUID of the Chronicle namespace in which the probe operates | fd717fd6-70f1-44c1-81de-287d5e101089 |
+  namespaceUuid: fd717fd6-70f1-44c1-81de-287d5e101089
+
 ## @md | `backtraceLevel` | backtrace level for Chronicle  | nil |
 backtraceLevel: full
 
@@ -34,7 +64,7 @@ devIdProvider:
     ## @md | `devIdProvider.image.repository` | the image repository | blockchaintp/id-provider |
     repository: blockchaintp/id-provider-amd64
     ## @md | `devIdProvider.image.tag` | the image tag | latest |
-    tag: BTP2.1.0-0.7.3
+    tag: BTP2.1.0-0.7.6
 
 ## @md | `extraVolumes` | a list of additional volumes to add to chronicle | [] |
 extraVolumes: []
@@ -45,7 +75,7 @@ image:
   ## @md | `image.repository` | the repository of the image | blockchaintp/chronicle |
   repository: blockchaintp/chronicle-amd64
   ## @md | `image.tag`| the tag of the image to use | latest |
-  tag: BTP2.1.0-0.7.3
+  tag: BTP2.1.0-0.7.6
   ## @md | `image.pullPolicy` | the image pull policy to use | IfNotPresent |
   pullPolicy: IfNotPresent
 
@@ -89,7 +119,7 @@ logLevel: info
 
 opa:
   ## @md | `opa.enabled` | if true set up a full OPA enabled setup | true |
-  enabled: true
+  enabled: false
   opaInit:
     ## @md | `opa.init.image` | the image to use for the chronicle-init container | blockchaintp/chronicle-opa-init |
     image:
@@ -98,7 +128,7 @@ opa:
       ## @md | `image.repository` | the repository of the image | blockchaintp/chronicle |
       repository: blockchaintp/opactl-amd64
       ## @md | `image.tag`| the tag of the image to use | latest |
-      tag: BTP2.1.0-0.7.3
+      tag: BTP2.1.0-0.7.6
   policy:
     entrypoint: allow_transactions.allowed_users
     id: allow_transactions
@@ -108,7 +138,7 @@ opa:
       ## @md | `image.repository` | the repository of the image | blockchaintp/chronicle |
       repository: blockchaintp/opa-tp-amd64
       ## @md | `image.tag`| the tag of the image to use | latest |
-      tag: BTP2.1.0-0.7.3
+      tag: BTP2.1.0-0.7.6
       ## @md | `image.pullPolicy` | the image pull policy to use | IfNotPresent |
       pullPolicy: IfNotPresent
     ## @md | `opa.tp.resources` | resources | map | nil |
@@ -131,17 +161,24 @@ serviceAccount:
   name:
 
 test:
-  ## @md | `test.enabled` | true to enable test Jobs and Services | true |
+  ## @md | `test.api` | test the chronicle GraphQL server API |
-  enabled: true
   api:
-    ## @md | `api-test-container.image` | the image to use for the api-test container | blockchaintp/chronicle-api-test |
+    ## @md | `test.api.enabled` | true to enable api-test Jobs and Services | true |
+    enabled: false
+    ## @md | `test.api.image` | the image to use for the api-test container | blockchaintp/chronicle-helm-api-test |
     image:
       ## @md | `test.api.image.pullPolicy` | the image pull policy | IfNotPresent |
       pullPolicy: IfNotPresent
       ## @md | `test.api.image.repository` | the image repository | blockchaintp/chronicle-helm-api-test |
       repository: blockchaintp/chronicle-helm-api-test-amd64
       ## @md | `test.api.image.tag` | the image tag | latest |
-      tag: BTP2.1.0-0.7.3
+      tag: BTP2.1.0-0.7.6
+  ## @md | `test.auth` | test the chronicle auth server API |
+  auth:
+    ## @md | `test.auth.enabled` | true to enable auth-related testing | true |
+    enabled: true
+    ## @md | `test.auth.token` | provide a token for auth-related testing | nil |
+    token:
 
 postgres:
   # if enabled we allocate a postgres database here
@@ -211,7 +248,7 @@ tp:
     ## @md | `tp.image.repository` | the image repository | blockchaintp/chronicle-tp |
     repository: blockchaintp/chronicle-tp-amd64
     ## @md | `tp.image.tag` | the image tag | latest |
-    tag: BTP2.1.0-0.7.3
+    tag: BTP2.1.0-0.7.6
   ## @md | `tp.extraVolumes` | extra volumes declarations for the chronicle-tp deployment | list | nil
   extraVolumes:
   ## @md | `tp.extraVolumeMounts` | extra volume mounts for chronicle-tp deployment | list | nil

charts/external-secrets/external-secrets/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/kube-version: '>= 1.19.0-0'
   catalog.cattle.io/release-name: external-secrets
 apiVersion: v2
-appVersion: v0.9.16
+appVersion: v0.9.17
 description: External secret management for Kubernetes
 home: https://github.com/external-secrets/external-secrets
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
@@ -17,4 +17,4 @@ maintainers:
   name: mcavoyk
 name: external-secrets
 type: application
-version: 0.9.16
+version: 0.9.17

charts/external-secrets/external-secrets/README.md

@@ -4,7 +4,7 @@
 
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.16](https://img.shields.io/badge/Version-0.9.16-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.17](https://img.shields.io/badge/Version-0.9.17-informational?style=flat-square)
 
 External secret management for Kubernetes
 
@@ -58,7 +58,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.podAnnotations | object | `{}` | Annotations to add to Pod |
 | certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
 | certController.podLabels | object | `{}` |  |
-| certController.podSecurityContext | object | `{}` |  |
+| certController.podSecurityContext.enabled | bool | `true` |  |
 | certController.priorityClassName | string | `""` | Pod priority class name. |
 | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
 | certController.readinessProbe.address | string | `""` | Address for readiness probe |
@@ -69,6 +69,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
 | certController.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | certController.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| certController.securityContext.enabled | bool | `true` |  |
 | certController.securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | certController.securityContext.runAsNonRoot | bool | `true` |  |
 | certController.securityContext.runAsUser | int | `1000` |  |
@@ -95,10 +96,12 @@ The command removes all the Kubernetes components associated with the chart and
 | extraArgs | object | `{}` |  |
 | extraContainers | list | `[]` |  |
 | extraEnv | list | `[]` |  |
+| extraObjects | list | `[]` |  |
 | extraVolumeMounts | list | `[]` |  |
 | extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
 | global.affinity | object | `{}` |  |
+| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
 | global.nodeSelector | object | `{}` |  |
 | global.tolerations | list | `[]` |  |
 | global.topologySpreadConstraints | list | `[]` |  |
@@ -120,7 +123,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podAnnotations | object | `{}` | Annotations to add to Pod |
 | podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
 | podLabels | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
+| podSecurityContext.enabled | bool | `true` |  |
 | podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
 | priorityClassName | string | `""` | Pod priority class name. |
 | processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
@@ -135,6 +138,7 @@ The command removes all the Kubernetes components associated with the chart and
 | scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
 | securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.enabled | bool | `true` |  |
 | securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | securityContext.runAsNonRoot | bool | `true` |  |
 | securityContext.runAsUser | int | `1000` |  |
@@ -190,7 +194,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
 | webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
 | webhook.podLabels | object | `{}` |  |
-| webhook.podSecurityContext | object | `{}` |  |
+| webhook.podSecurityContext.enabled | bool | `true` |  |
 | webhook.port | int | `10250` | The port the webhook will listen to |
 | webhook.priorityClassName | string | `""` | Pod priority class name. |
 | webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
@@ -202,6 +206,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
 | webhook.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | webhook.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| webhook.securityContext.enabled | bool | `true` |  |
 | webhook.securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | webhook.securityContext.runAsNonRoot | bool | `true` |  |
 | webhook.securityContext.runAsUser | int | `1000` |  |

charts/external-secrets/external-secrets/templates/_helpers.tpl

@@ -154,3 +154,48 @@ Determine the image to use, including if using a flavour.
 {{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }}
 {{- end }}
 {{- end }}
+
+<<<<<<< HEAD
+
+{{/*
+Renders a complete tree, even values that contains template.
+*/}}
+{{- define "external-secrets.render" -}}
+  {{- if typeIs "string" .value }}
+    {{- tpl .value .context }}
+  {{ else }}
+    {{- tpl (.value | toYaml) .context }}
+  {{- end }}
+{{- end -}}
+=======
+{{/* 
+Return true if the OpenShift is the detected platform
+Usage:
+{{- include "external-secrets.isOpenShift" . -}}
+*/}}
+{{- define "external-secrets.isOpenShift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext based on the provided securityContext
+  {{- include "external-secrets.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}}
+*/}}
+{{- define "external-secrets.renderSecurityContext" -}}
+{{- $adaptedContext := .securityContext -}}
+{{- if .context.Values.global.compatibility -}}
+  {{- if .context.Values.global.compatibility.openshift -}}
+    {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "external-secrets.isOpenShift" .context)) -}}
+      {{/* Remove OpenShift managed fields */}}
+      {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+      {{- if not .securityContext.seLinuxOptions -}}
+        {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
+>>>>>>> 2218c78b (Methods for managing securityContext and OpenShift support)

charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml

@@ -35,15 +35,19 @@ spec:
       serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
       {{- with .Values.certController.podSecurityContext }}
+       {{- if and (.enabled) (gt (keys . | len) 1) }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
+        {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+      {{- end }}
       {{- end }}
       hostNetwork: {{ .Values.certController.hostNetwork }}
       containers:
         - name: cert-controller
           {{- with .Values.certController.securityContext }}
+          {{- if and (.enabled) (gt (keys . | len) 1) }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+          {{- end }}
           {{- end }}
           image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
           imagePullPolicy: {{ .Values.certController.image.pullPolicy }}

charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: acraccesstokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: clusterexternalsecrets.external-secrets.io
 spec:
   group: external-secrets.io
@@ -526,11 +526,13 @@ spec:
                             items:
                               type: string
                             type: array
+                            x-kubernetes-list-type: atomic
                         required:
                           - key
                           - operator
                         type: object
                       type: array
+                      x-kubernetes-list-type: atomic
                     matchLabels:
                       additionalProperties:
                         type: string
@@ -573,11 +575,13 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           required:
                             - key
                             - operator
                           type: object
                         type: array
+                        x-kubernetes-list-type: atomic
                       matchLabels:
                         additionalProperties:
                           type: string
@@ -590,7 +594,7 @@ spec:
                     x-kubernetes-map-type: atomic
                   type: array
                 namespaces:
-                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelector ends up choosing.
+                  description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
                   items:
                     type: string
                   type: array

charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: clustersecretstores.external-secrets.io
 spec:
   group: external-secrets.io
@@ -1577,11 +1577,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - key
                                 - operator
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           matchLabels:
                             additionalProperties:
                               type: string

charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: ecrauthorizationtokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: externalsecrets.external-secrets.io
 spec:
   group: external-secrets.io

charts/external-secrets/external-secrets/templates/crds/fake.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: fakes.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: gcraccesstokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/githubaccesstoken.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: githubaccesstokens.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/password.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: passwords.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: pushsecrets.external-secrets.io
 spec:
   group: external-secrets.io
@@ -140,11 +140,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - key
                                 - operator
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           matchLabels:
                             additionalProperties:
                               type: string

charts/external-secrets/external-secrets/templates/crds/secretstore.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: secretstores.external-secrets.io
 spec:
   group: external-secrets.io
@@ -1577,11 +1577,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                  x-kubernetes-list-type: atomic
                               required:
                                 - key
                                 - operator
                               type: object
                             type: array
+                            x-kubernetes-list-type: atomic
                           matchLabels:
                             additionalProperties:
                               type: string

charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: vaultdynamicsecrets.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/crds/webhook.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: webhooks.generators.external-secrets.io
 spec:
   group: generators.external-secrets.io

charts/external-secrets/external-secrets/templates/deployment.yaml

@@ -35,15 +35,19 @@ spec:
       serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
       {{- with .Values.podSecurityContext }}
+      {{- if and (.enabled) (gt (keys . | len) 1) }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
+        {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+      {{- end }}
       {{- end }}
       hostNetwork: {{ .Values.hostNetwork }}
       containers:
         - name: {{ .Chart.Name }}
           {{- with .Values.securityContext }}
+           {{- if and (.enabled) (gt (keys . | len) 1) }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+          {{- end }}
           {{- end }}
           image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}

charts/external-secrets/external-secrets/templates/extra-manifests.yaml

@@ -0,0 +1,4 @@
+{{- range .Values.extraObjects }}
+---
+{{ include "external-secrets.render" (dict "value" . "context" $) }}
+{{- end }}

charts/external-secrets/external-secrets/templates/webhook-deployment.yaml

@@ -36,14 +36,18 @@ spec:
       serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }}
       {{- with .Values.webhook.podSecurityContext }}
+      {{- if and (.enabled) (gt (keys . | len) 1) }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
+        {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+      {{- end }}
       {{- end }}
       containers:
         - name: webhook
           {{- with .Values.webhook.securityContext }}
+          {{- if and (.enabled) (gt (keys . | len) 1) }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+          {{- end }}
           {{- end }}
           image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }}
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}

charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/version: v0.9.16
+        app.kubernetes.io/version: v0.9.17
-        helm.sh/chart: external-secrets-0.9.16
+        helm.sh/chart: external-secrets-0.9.17
       name: RELEASE-NAME-external-secrets-cert-controller
       namespace: NAMESPACE
     spec:
@@ -24,8 +24,8 @@ should match snapshot of default values:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets-cert-controller
-            app.kubernetes.io/version: v0.9.16
+            app.kubernetes.io/version: v0.9.17
-            helm.sh/chart: external-secrets-0.9.16
+            helm.sh/chart: external-secrets-0.9.17
         spec:
           automountServiceAccountToken: true
           containers:
@@ -38,7 +38,7 @@ should match snapshot of default values:
                 - --secret-namespace=NAMESPACE
                 - --metrics-addr=:8080
                 - --healthz-addr=:8081
-              image: ghcr.io/external-secrets/external-secrets:v0.9.16
+              image: ghcr.io/external-secrets/external-secrets:v0.9.17
               imagePullPolicy: IfNotPresent
               name: cert-controller
               ports:

charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/version: v0.9.16
+        app.kubernetes.io/version: v0.9.17
-        helm.sh/chart: external-secrets-0.9.16
+        helm.sh/chart: external-secrets-0.9.17
       name: RELEASE-NAME-external-secrets
       namespace: NAMESPACE
     spec:
@@ -24,15 +24,15 @@ should match snapshot of default values:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets
-            app.kubernetes.io/version: v0.9.16
+            app.kubernetes.io/version: v0.9.17
-            helm.sh/chart: external-secrets-0.9.16
+            helm.sh/chart: external-secrets-0.9.17
         spec:
           automountServiceAccountToken: true
           containers:
             - args:
                 - --concurrent=1
                 - --metrics-addr=:8080
-              image: ghcr.io/external-secrets/external-secrets:v0.9.16
+              image: ghcr.io/external-secrets/external-secrets:v0.9.17
               imagePullPolicy: IfNotPresent
               name: external-secrets
               ports:

charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap

@@ -4,7 +4,7 @@ should match snapshot of default values:
     kind: CustomResourceDefinition
     metadata:
       annotations:
-        controller-gen.kubebuilder.io/version: v0.14.0
+        controller-gen.kubebuilder.io/version: v0.15.0
       name: secretstores.external-secrets.io
     spec:
       conversion:
@@ -1582,11 +1582,13 @@ should match snapshot of default values:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                   required:
                                     - key
                                     - operator
                                   type: object
                                 type: array
+                                x-kubernetes-list-type: atomic
                               matchLabels:
                                 additionalProperties:
                                   type: string

charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/version: v0.9.16
+        app.kubernetes.io/version: v0.9.17
-        helm.sh/chart: external-secrets-0.9.16
+        helm.sh/chart: external-secrets-0.9.17
       name: RELEASE-NAME-external-secrets-webhook
       namespace: NAMESPACE
     spec:
@@ -24,8 +24,8 @@ should match snapshot of default values:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets-webhook
-            app.kubernetes.io/version: v0.9.16
+            app.kubernetes.io/version: v0.9.17
-            helm.sh/chart: external-secrets-0.9.16
+            helm.sh/chart: external-secrets-0.9.17
         spec:
           automountServiceAccountToken: true
           containers:
@@ -37,7 +37,7 @@ should match snapshot of default values:
                 - --check-interval=5m
                 - --metrics-addr=:8080
                 - --healthz-addr=:8081
-              image: ghcr.io/external-secrets/external-secrets:v0.9.16
+              image: ghcr.io/external-secrets/external-secrets:v0.9.17
               imagePullPolicy: IfNotPresent
               name: webhook
               ports:
@@ -81,8 +81,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/version: v0.9.16
+        app.kubernetes.io/version: v0.9.17
         external-secrets.io/component: webhook
-        helm.sh/chart: external-secrets-0.9.16
+        helm.sh/chart: external-secrets-0.9.17
       name: RELEASE-NAME-external-secrets-webhook
       namespace: NAMESPACE

charts/external-secrets/external-secrets/tests/extra_manifests_test.yaml

@@ -0,0 +1,15 @@
+suite: test adding extra kubernetes objects
+templates:
+  - extra-manifests.yaml
+tests:
+  - it: should load extra manifests
+    set:
+      extraObjects:
+      - apiVersion: v1
+        kind: ServiceAccount
+        metadata:
+          name: random
+    asserts:
+      - equal:
+          path: kind
+          value: ServiceAccount

charts/external-secrets/external-secrets/values.yaml

@@ -3,6 +3,14 @@ global:
   tolerations: []
   topologySpreadConstraints: []
   affinity: {}
+  compatibility:
+    openshift:
+      # -- Manages the securityContext properties to make them compatible with OpenShift.
+      # Possible values:
+      # auto - Apply configurations if it is detected that OpenShift is the target platform.
+      # force - Always apply configurations.
+      # disabled - No modification applied.
+      adaptSecurityContext: auto
 
 replicaCount: 1
 
@@ -114,6 +122,9 @@ extraArgs: {}
 ## -- Extra volumes to pass to pod.
 extraVolumes: []
 
+## -- Extra Kubernetes objects to deploy with the helm chart
+extraObjects: []
+
 ## -- Extra volumes to mount to the container.
 extraVolumeMounts: []
 
@@ -128,7 +139,8 @@ podAnnotations: {}
 
 podLabels: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  enabled: true
   # fsGroup: 2000
 
 securityContext:
@@ -136,6 +148,7 @@ securityContext:
   capabilities:
     drop:
       - ALL
+  enabled: true
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
@@ -361,7 +374,8 @@ webhook:
 
   podLabels: {}
 
-  podSecurityContext: {}
+  podSecurityContext:
+    enabled: true
       # fsGroup: 2000
 
   securityContext:
@@ -369,6 +383,7 @@ webhook:
     capabilities:
       drop:
         - ALL
+    enabled: true
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 1000
@@ -474,7 +489,8 @@ certController:
 
   podLabels: {}
 
-  podSecurityContext: {}
+  podSecurityContext:
+    enabled: true
       # fsGroup: 2000
 
   securityContext:
@@ -482,6 +498,7 @@ certController:
     capabilities:
       drop:
         - ALL
+    enabled: true
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 1000

charts/jfrog/artifactory-ha/CHANGELOG.md

@@ -1,7 +1,7 @@
 # JFrog Artifactory-ha Chart Changelog
 All changes to this chart will be documented in this file
 
-## [107.77.10] - April 22, 2024
+## [107.77.11] - April 22, 2024
 * Removed integration service
 * Added recommended postgresql sizing configurations under sizing directory
 * Updated artifactory-federation (probes, port, embedded mode)

charts/jfrog/artifactory-ha/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/kube-version: '>= 1.19.0-0'
   catalog.cattle.io/release-name: artifactory-ha
 apiVersion: v2
-appVersion: 7.77.10
+appVersion: 7.77.11
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -26,4 +26,4 @@ name: artifactory-ha
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 107.77.10
+version: 107.77.11

charts/jfrog/artifactory-jcr/CHANGELOG.md

@@ -1,7 +1,7 @@
 # JFrog Container Registry Chart Changelog
 All changes to this chart will be documented in this file.
 
-## [107.77.10] - Nov 23, 2023
+## [107.77.11] - Nov 23, 2023
 * **IMPORTANT**
 * Added min kubeVersion ">= 1.19.0-0" in chart.yaml
 

charts/jfrog/artifactory-jcr/Chart.yaml

@@ -4,11 +4,11 @@ annotations:
   catalog.cattle.io/kube-version: '>= 1.19.0-0'
   catalog.cattle.io/release-name: artifactory-jcr
 apiVersion: v2
-appVersion: 7.77.10
+appVersion: 7.77.11
 dependencies:
 - name: artifactory
   repository: file://./charts/artifactory
-  version: 107.77.10
+  version: 107.77.11
 description: JFrog Container Registry
 home: https://jfrog.com/container-registry/
 icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png
@@ -27,4 +27,4 @@ name: artifactory-jcr
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 107.77.10
+version: 107.77.11

charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md

@@ -1,7 +1,7 @@
 # JFrog Artifactory Chart Changelog
 All changes to this chart will be documented in this file.
 
-## [107.77.10] - April 22, 2024
+## [107.77.11] - April 22, 2024
 * Removed integration service
 * Added recommended postgresql sizing configurations under sizing directory
 * Updated artifactory-federation (probes, port, embedded mode)

charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 7.77.10
+appVersion: 7.77.11
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -21,4 +21,4 @@ name: artifactory
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 107.77.10
+version: 107.77.11

charts/redpanda/redpanda/Chart.yaml

@@ -1,7 +1,7 @@
 annotations:
   artifacthub.io/images: |
     - name: redpanda
-      image: docker.redpanda.com/redpandadata/redpanda:v23.3.11
+      image: docker.redpanda.com/redpandadata/redpanda:v24.1.1
     - name: busybox
       image: busybox:latest
     - name: mintel/docker-alpine-bash-curl-jq
@@ -17,7 +17,7 @@ annotations:
   catalog.cattle.io/kube-version: '>=1.21-0'
   catalog.cattle.io/release-name: redpanda
 apiVersion: v2
-appVersion: v23.3.11
+appVersion: v24.1.1
 dependencies:
 - condition: console.enabled
   name: console
@@ -37,4 +37,4 @@ name: redpanda
 sources:
 - https://github.com/redpanda-data/helm-charts
 type: application
-version: 5.8.2
+version: 5.8.3

charts/redpanda/redpanda/README.md

@@ -3,7 +3,7 @@
 description: Find the default values and descriptions of settings in the Redpanda Helm chart.
 ---
 
-![Version: 5.8.2](https://img.shields.io/badge/Version-5.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.11](https://img.shields.io/badge/AppVersion-v23.3.11-informational?style=flat-square)
+![Version: 5.8.3](https://img.shields.io/badge/Version-5.8.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.1.1](https://img.shields.io/badge/AppVersion-v24.1.1-informational?style=flat-square)
 
 This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values.
 

charts/redpanda/redpanda/templates/secrets.yaml

@@ -174,8 +174,15 @@ stringData:
 
     set -e
 
+    # rpk cluster health can exit non-zero if it's unable to dial brokers. This
+    # can happen for many reasons but we never want this script to crash as it
+    # would take down yet another broker and make a bad situation worse.
+    # Instead, just wait for the command to eventually exit zero.
     echo "Waiting for cluster to be ready"
-    rpk cluster health --watch --exit-when-healthy
+    until rpk cluster health --watch --exit-when-healthy; do
+      echo "rpk cluster health failed. Waiting 5 seconds before trying again..."
+      sleep 5
+    done
 
   {{- if and $sasl.enabled (not (empty $sasl.secretRef )) }}
     while true; do

charts/speedscale/speedscale-operator/Chart.yaml

@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/kube-version: '>= 1.17.0-0'
   catalog.cattle.io/release-name: speedscale-operator
 apiVersion: v1
-appVersion: 2.1.296
+appVersion: 2.1.301
 description: Stress test your APIs with real world scenarios.  Collect and replay
   traffic without scripting.
 home: https://speedscale.com
@@ -24,4 +24,4 @@ maintainers:
 - email: support@speedscale.com
   name: Speedscale Support
 name: speedscale-operator
-version: 2.1.296
+version: 2.1.301

charts/speedscale/speedscale-operator/values.yaml

@@ -20,7 +20,7 @@ clusterName: "my-cluster"
 # Speedscale components image settings.
 image:
   registry: gcr.io/speedscale
-  tag: v2.1.296
+  tag: v2.1.301
   pullPolicy: Always
 
 # Log level for Speedscale components.

index.yaml

@@ -4274,6 +4274,39 @@ entries:
     - assets/argo/argo-cd-5.8.0.tgz
     version: 5.8.0
   artifactory-ha:
+  - annotations:
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: JFrog Artifactory HA
+      catalog.cattle.io/kube-version: '>= 1.19.0-0'
+      catalog.cattle.io/release-name: artifactory-ha
+    apiVersion: v2
+    appVersion: 7.77.11
+    created: "2024-05-02T00:52:10.96066079Z"
+    dependencies:
+    - condition: postgresql.enabled
+      name: postgresql
+      repository: file://./charts/postgresql
+      version: 10.3.18
+    description: Universal Repository Manager supporting all major packaging formats,
+      build tools and CI servers.
+    digest: 67ad9a81300436a465fd0a1f4de0bb319c77b19f9513876691e1421da4bb7584
+    home: https://www.jfrog.com/artifactory/
+    icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png
+    keywords:
+    - artifactory
+    - jfrog
+    - devops
+    kubeVersion: '>= 1.19.0-0'
+    maintainers:
+    - email: installers@jfrog.com
+      name: Chart Maintainers at JFrog
+    name: artifactory-ha
+    sources:
+    - https://github.com/jfrog/charts
+    type: application
+    urls:
+    - assets/jfrog/artifactory-ha-107.77.11.tgz
+    version: 107.77.11
   - annotations:
       catalog.cattle.io/certified: partner
       catalog.cattle.io/display-name: JFrog Artifactory HA
@@ -5918,6 +5951,40 @@ entries:
     - assets/jfrog/artifactory-ha-3.0.1400.tgz
     version: 3.0.1400
   artifactory-jcr:
+  - annotations:
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: JFrog Container Registry
+      catalog.cattle.io/kube-version: '>= 1.19.0-0'
+      catalog.cattle.io/release-name: artifactory-jcr
+    apiVersion: v2
+    appVersion: 7.77.11
+    created: "2024-05-02T00:52:11.339981268Z"
+    dependencies:
+    - name: artifactory
+      repository: file://./charts/artifactory
+      version: 107.77.11
+    description: JFrog Container Registry
+    digest: 720367b8720b82d341c645b7f980a3f353302f7b356c370241131f56fa5282e1
+    home: https://jfrog.com/container-registry/
+    icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png
+    keywords:
+    - artifactory
+    - jfrog
+    - container
+    - registry
+    - devops
+    - jfrog-container-registry
+    kubeVersion: '>= 1.19.0-0'
+    maintainers:
+    - email: helm@jfrog.com
+      name: Chart Maintainers at JFrog
+    name: artifactory-jcr
+    sources:
+    - https://github.com/jfrog/charts
+    type: application
+    urls:
+    - assets/jfrog/artifactory-jcr-107.77.11.tgz
+    version: 107.77.11
   - annotations:
       catalog.cattle.io/certified: partner
       catalog.cattle.io/display-name: JFrog Container Registry
@@ -10997,6 +11064,35 @@ entries:
     - assets/codefresh/cf-runtime-0.1.401.tgz
     version: 0.1.401
   chronicle:
+  - annotations:
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: Chronicle
+      catalog.cattle.io/release-name: chronicle
+    apiVersion: v2
+    appVersion: 0.7.6
+    created: "2024-05-02T00:52:09.318693502Z"
+    dependencies:
+    - name: standard-defs
+      repository: file://./charts/standard-defs
+      version: ~0.1.0
+    - name: sawtooth
+      repository: file://./charts/sawtooth
+      version: ~0.2.0
+    description: 'Chronicle is an open-source, blockchain-backed, domain-agnostic
+      provenance product. Chronicle makes it easy for users to record and query immutable
+      provenance information on a distributed ledger - about any asset, in any domain,
+      and across multiple parties. '
+    digest: ce9635e88b9e96cb91a36c33c292876860348ac780eedf7fac7c56e5f3106b8d
+    home: https://docs.btp.works/chronicle
+    icon: https://chronicle-resources.s3.amazonaws.com/icons/chronicle-transparent-bg-dark.png
+    keywords:
+    - provenance
+    - blockchain
+    name: chronicle
+    type: application
+    urls:
+    - assets/btp/chronicle-0.1.25.tgz
+    version: 0.1.25
   - annotations:
       catalog.cattle.io/certified: partner
       catalog.cattle.io/display-name: Chronicle
@@ -18031,6 +18127,30 @@ entries:
     - assets/dynatrace/dynatrace-operator-0.7.2.tgz
     version: 0.7.2
   external-secrets:
+  - annotations:
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: External Secrets Operator
+      catalog.cattle.io/kube-version: '>= 1.19.0-0'
+      catalog.cattle.io/release-name: external-secrets
+    apiVersion: v2
+    appVersion: v0.9.17
+    created: "2024-05-02T00:52:09.820419345Z"
+    description: External secret management for Kubernetes
+    digest: d34abc8443a9db6ebb7023fed829c49c47402c05df9975b620f214856aba5b07
+    home: https://github.com/external-secrets/external-secrets
+    icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
+    keywords:
+    - kubernetes-external-secrets
+    - secrets
+    kubeVersion: '>= 1.19.0-0'
+    maintainers:
+    - email: kellinmcavoy@gmail.com
+      name: mcavoyk
+    name: external-secrets
+    type: application
+    urls:
+    - assets/external-secrets/external-secrets-0.9.17.tgz
+    version: 0.9.17
   - annotations:
       catalog.cattle.io/certified: partner
       catalog.cattle.io/display-name: External Secrets Operator
@@ -44857,6 +44977,50 @@ entries:
     - assets/quobyte/quobyte-cluster-0.1.5.tgz
     version: 0.1.5
   redpanda:
+  - annotations:
+      artifacthub.io/images: |
+        - name: redpanda
+          image: docker.redpanda.com/redpandadata/redpanda:v24.1.1
+        - name: busybox
+          image: busybox:latest
+        - name: mintel/docker-alpine-bash-curl-jq
+          image: mintel/docker-alpine-bash-curl-jq:latest
+      artifacthub.io/license: Apache-2.0
+      artifacthub.io/links: |
+        - name: Documentation
+          url: https://docs.redpanda.com
+        - name: "Helm (>= 3.10.0)"
+          url: https://helm.sh/docs/intro/install/
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: Redpanda
+      catalog.cattle.io/kube-version: '>=1.21-0'
+      catalog.cattle.io/release-name: redpanda
+    apiVersion: v2
+    appVersion: v24.1.1
+    created: "2024-05-02T00:52:14.193477918Z"
+    dependencies:
+    - condition: console.enabled
+      name: console
+      repository: file://./charts/console
+      version: '>=0.5 <1.0'
+    - condition: connectors.enabled
+      name: connectors
+      repository: file://./charts/connectors
+      version: '>=0.1.2 <1.0'
+    description: Redpanda is the real-time engine for modern apps.
+    digest: f4eeddbb7743528cbb3aeebd209b79e2d35d916e6fb4807b720714370bd98791
+    icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
+    kubeVersion: '>=1.21-0'
+    maintainers:
+    - name: redpanda-data
+      url: https://github.com/orgs/redpanda-data/people
+    name: redpanda
+    sources:
+    - https://github.com/redpanda-data/helm-charts
+    type: application
+    urls:
+    - assets/redpanda/redpanda-5.8.3.tgz
+    version: 5.8.3
   - annotations:
       artifacthub.io/images: |
         - name: redpanda
@@ -49638,6 +49802,37 @@ entries:
     - assets/shipa/shipa-1.4.0.tgz
     version: 1.4.0
   speedscale-operator:
+  - annotations:
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: Speedscale Operator
+      catalog.cattle.io/kube-version: '>= 1.17.0-0'
+      catalog.cattle.io/release-name: speedscale-operator
+    apiVersion: v1
+    appVersion: 2.1.301
+    created: "2024-05-02T00:52:14.283828726Z"
+    description: Stress test your APIs with real world scenarios.  Collect and replay
+      traffic without scripting.
+    digest: 71da5fc8f4d63a8ae94eb7d3e20a53904b0aac7921b57b0c41e14fdfedd4cd74
+    home: https://speedscale.com
+    icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png
+    keywords:
+    - speedscale
+    - test
+    - testing
+    - regression
+    - reliability
+    - load
+    - replay
+    - network
+    - traffic
+    kubeVersion: '>= 1.17.0-0'
+    maintainers:
+    - email: support@speedscale.com
+      name: Speedscale Support
+    name: speedscale-operator
+    urls:
+    - assets/speedscale/speedscale-operator-2.1.301.tgz
+    version: 2.1.301
   - annotations:
       catalog.cattle.io/certified: partner
       catalog.cattle.io/display-name: Speedscale Operator