From e4744f8c0c31979c8db647bef8924fe70bdb1bb6 Mon Sep 17 00:00:00 2001 From: Ram <1331672+chukka@users.noreply.github.com> Date: Thu, 16 Sep 2021 13:07:34 +0530 Subject: [PATCH 1/3] [mission-control] 4.7.14 release --- stable/mission-control/CHANGELOG.md | 8 +++- stable/mission-control/Chart.yaml | 4 +- .../ci/global-section-values.yaml | 6 +++ stable/mission-control/templates/_helpers.tpl | 44 +++++++++++++++++++ .../mission-control-statefulset.yaml | 39 ++++++++++++++++ stable/mission-control/values.yaml | 38 ++++++++++------ 6 files changed, 123 insertions(+), 16 deletions(-) diff --git a/stable/mission-control/CHANGELOG.md b/stable/mission-control/CHANGELOG.md index 32c9883ad..258cb4647 100644 --- a/stable/mission-control/CHANGELOG.md +++ b/stable/mission-control/CHANGELOG.md @@ -1,7 +1,12 @@ # JFrog Mission-Control Chart Changelog All changes to this chart will be documented in this file. -## [104.7.13] - Aug 25, 2021 +## [104.7.14] - Sep 02, 2021 +* Dropped NET_RAW capability for the containers +* Added support for new probes(set to false by default) +* Update elasticsearch version to `7.14.0` + +## [104.7.12] - Aug 25, 2021 * Added security hardening fixes * Update router version to `7.24.1` * Update elasticsearch version to `7.13.4` @@ -10,6 +15,7 @@ All changes to this chart will be documented in this file. * Added support for serviceRegistry insecure flag in router * Fixed duplicate resources Key violates YAML spec * Added elasticsearch default java opts to `2g` +* Added support for new probes(set to false by default) ## [104.7.11] - July 22, 2021 * Added support for graceful shutdown of router container on SIGTERM diff --git a/stable/mission-control/Chart.yaml b/stable/mission-control/Chart.yaml index ee6f972ab..01f2029b0 100644 --- a/stable/mission-control/Chart.yaml +++ b/stable/mission-control/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 4.7.13 +appVersion: 4.7.14 dependencies: - condition: postgresql.enabled name: postgresql 
@@ -18,4 +18,4 @@ name: mission-control sources: - https://github.com/jfrog/charts type: application -version: 104.7.13 +version: 104.7.14 diff --git a/stable/mission-control/ci/global-section-values.yaml b/stable/mission-control/ci/global-section-values.yaml index f8af7f7fe..f55d4a93a 100644 --- a/stable/mission-control/ci/global-section-values.yaml +++ b/stable/mission-control/ci/global-section-values.yaml @@ -56,6 +56,9 @@ global: imagePullPolicy: "{{ .Values.imagePullPolicy }}" securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: ["sh","-c","echo 'Sidecar is running in global' >> /scriptsglobal/sidecar.txt; cat /scriptsglobal/sidecar.txt; while true; do sleep 30; done"] volumeMounts: - mountPath: "/scriptsglobal" @@ -104,6 +107,9 @@ common: imagePullPolicy: "{{ .Values.imagePullPolicy }}" securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: ["sh","-c","echo 'Sidecar is running in local' >> /scriptslocal/sidecar.txt; cat /scriptslocal/sidecar.txt; while true; do sleep 30; done"] volumeMounts: - mountPath: "/scriptslocal" diff --git a/stable/mission-control/templates/_helpers.tpl b/stable/mission-control/templates/_helpers.tpl index f17d0f3b1..45fa0bc3f 100644 --- a/stable/mission-control/templates/_helpers.tpl +++ b/stable/mission-control/templates/_helpers.tpl 
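Review bot: The `capabilities.drop` list added to both sidecar `securityContext` blocks names only `NET_RAW`, which leaves every other default container capability granted. For sidecars that only run `sh` and `sleep`, `- ALL` in place of `- NET_RAW` would be the tighter setting. The same three added lines appear in each hunk of templates/mission-control-statefulset.yaml and in the commented examples in values.yaml, so the decision applies there as well. Whether any of those containers needs a capability at runtime cannot be told from the hunks, so a switch to `ALL` should be verified per container first.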
@@ -248,3 +248,47 @@ mkdir -p {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/tr find /tmp/certs -type f -not -name "*.key" -exec cp -v {} {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted \;; find {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted/ -type f -name "tls.crt" -exec mv -v {} {{ .Values.missionControl.persistence.mountPath }}/etc/security/keys/trusted/ca.crt \;; {{- end -}} + +{{/* +mission-control liveness probe +*/}} +{{- define "mission-control.livenessProbe" -}} +{{- if .Values.newProbes -}} +{{- printf "%s" "/api/v1/system/liveness" -}} +{{- else -}} +{{- printf "%s" "/api/v1/system/ping" -}} +{{- end -}} +{{- end -}} + +{{/* +mission-control readiness probe +*/}} +{{- define "mission-control.readinessProbe" -}} +{{- if .Values.newProbes -}} +{{- printf "%s" "/api/v1/system/readiness" -}} +{{- else -}} +{{- printf "%s" "/api/v1/system/ping" -}} +{{- end -}} +{{- end -}} + +{{/* +router liveness probe +*/}} +{{- define "mission-control.router.livenessProbe" -}} +{{- if .Values.newProbes -}} +{{- printf "%s" "/router/api/v1/system/liveness" -}} +{{- else -}} +{{- printf "%s" "/router/api/v1/system/health" -}} +{{- end -}} +{{- end -}} + +{{/* +router readiness probe +*/}} +{{- define "mission-control.router.readinessProbe" -}} +{{- if .Values.newProbes -}} +{{- printf "%s" "/router/api/v1/system/readiness" -}} +{{- else -}} +{{- printf "%s" "/router/api/v1/system/health" -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/stable/mission-control/templates/mission-control-statefulset.yaml b/stable/mission-control/templates/mission-control-statefulset.yaml index 20eef3d7d..c4e50ada4 100644 --- a/stable/mission-control/templates/mission-control-statefulset.yaml +++ b/stable/mission-control/templates/mission-control-statefulset.yaml 
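Review bot: The four new helper comments (`mission-control liveness probe` and the three like it) leave out what a caller needs to know: the helper returns only a URL path, `.Values.newProbes` selects between the new endpoint and the previously used one, and it must be included with the root context because it reads `.Values`. A comment such as `{{/* Path for the mission-control liveness probe: /api/v1/system/liveness when .Values.newProbes is set, otherwise /api/v1/system/ping. Call with the root context. */}}` on each helper would cover that. `printf "%s"` around a string literal adds nothing, so `{{- "/api/v1/system/liveness" -}}` reads more directly. The file also now ends without a trailing newline (`\ No newline at end of file`), which is worth restoring.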
@@ -84,6 +84,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - '/bin/sh' - '-c' @@ -150,6 +153,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW resources: {{ toYaml .Values.initContainers.resources | indent 10 }} command: @@ -170,6 +176,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - 'sh' - '-c' @@ -193,6 +202,9 @@ spec: image: "{{ .Values.dbSetup.postgresql.image.repository }}:{{ .Values.dbSetup.postgresql.image.tag }}" securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW env: - name: DB_PORT value: '{{ .Values.postgresql.service.port }}' @@ -262,6 +274,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.elasticsearch.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - '/bin/sh' - '-c' @@ -348,6 +363,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - '/bin/sh' - '-c' @@ -383,6 +401,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - '/bin/bash' - '-c' @@ -460,6 +481,9 @@ spec: securityContext: runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW args: - "-e" - "-E" @@ -486,6 +510,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW env: {{- if or .Values.database.secrets.user .Values.database.user }} - name: JF_SHARED_DATABASE_USERNAME @@ -554,6 +581,9 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.common.uid }} allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW env: - name: JFMC_EXTRA_JAVA_OPTS value: " 
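Review bot: In hunk `@@ -193,6 +202,9 @@` the container built from `.Values.dbSetup.postgresql.image` gets the capability drop, but its `securityContext` still holds only `allowPrivilegeEscalation: false`, while the other containers in this file's hunks also set `runAsNonRoot: true`. Adding `runAsNonRoot: true` (with a `runAsUser` the image supports) beside the new lines would bring it in line with them. The container definition starts and ends outside the hunk, and a pod-level `securityContext` that is not visible here may already enforce this, so confirm against the full template.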
@@ -641,6 +671,9 @@ spec: runAsUser: {{ $uid }} runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - tail args: @@ -662,6 +695,9 @@ spec: runAsUser: {{ $uid }} runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - tail args: @@ -683,6 +719,9 @@ spec: runAsUser: {{ $uid }} runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW command: - tail args: diff --git a/stable/mission-control/values.yaml b/stable/mission-control/values.yaml index 45091c11c..82b43a9e5 100644 --- a/stable/mission-control/values.yaml +++ b/stable/mission-control/values.yaml @@ -107,6 +107,9 @@ common: # securityContext: # runAsNonRoot: true # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW # command: # - 'sh' # - '-c' @@ -123,6 +126,9 @@ common: # securityContext: # runAsNonRoot: true # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW # command: # - 'sh' # - '-c' @@ -140,6 +146,9 @@ common: # securityContext: # runAsNonRoot: true # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - NET_RAW # command: # - 'sh' # - '-c' @@ -313,7 +322,7 @@ elasticsearch: image: registry: releases-docker.jfrog.io repository: jfrog/elasticsearch-sg - tag: 7.13.4 + tag: 7.14.0 pullPolicy: IfNotPresent ## Enter elasticsearch connection details ## By default url is set to localhost:8082 (router) @@ -614,7 +623,7 @@ missionControl: exec: command: - curl - - http://127.0.0.1:{{ .Values.missionControl.internalPort }}/api/v1/system/ping + - http://127.0.0.1:{{ .Values.missionControl.internalPort }}{{ include "mission-control.livenessProbe" .}} initialDelaySeconds: {{ if semverCompare " Date: Thu, 16 Sep 2021 13:07:58 +0530 Subject: [PATCH 2/3] [pipelines] 1.17.9 release --- stable/pipelines/CHANGELOG.md | 2 +- stable/pipelines/Chart.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/stable/pipelines/CHANGELOG.md b/stable/pipelines/CHANGELOG.md index 06f772618..e1a6a3f9f 100644 --- a/stable/pipelines/CHANGELOG.md +++ b/stable/pipelines/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Pipelines Chart Changelog All changes to this chart to be documented in this file. -## [101.17.8] - Aug 11, 2021 +## [101.17.9] - Aug 11, 2021 * Support global and product specific tags at the same time * Updated readme of chart to point to wiki. Refer [Installing Pipelines](https://www.jfrog.com/confluence/display/JFROG/Installing+Pipelines#InstallingPipelines-HelmInstallation) * Added support for configuring postgresql connection pool diff --git a/stable/pipelines/Chart.yaml b/stable/pipelines/Chart.yaml index dc98ddefd..bf41cc4a8 100644 --- a/stable/pipelines/Chart.yaml +++ b/stable/pipelines/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.17.8 +appVersion: 1.17.9 dependencies: - condition: postgresql.enabled name: postgresql @@ -27,4 +27,4 @@ name: pipelines sources: - https://github.com/jfrog/charts type: application -version: 101.17.8 +version: 101.17.9 From 56e5d8d33848c0247e5b268768671f5dd4a4ff0c Mon Sep 17 00:00:00 2001 From: Ram <1331672+chukka@users.noreply.github.com> Date: Thu, 16 Sep 2021 13:08:23 +0530 Subject: [PATCH 3/3] [jfrog-platform] 7.25.7 release --- stable/jfrog-platform/CHANGELOG.md | 5 +++++ stable/jfrog-platform/Chart.lock | 12 ++++++------ stable/jfrog-platform/Chart.yaml | 12 ++++++------ 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/stable/jfrog-platform/CHANGELOG.md b/stable/jfrog-platform/CHANGELOG.md index 52b07264e..4edc03207 100644 --- a/stable/jfrog-platform/CHANGELOG.md +++ b/stable/jfrog-platform/CHANGELOG.md 
@@ -1,6 +1,11 @@ # JFrog Platform Chart Changelog All changes to this chart will be documented in this file. +## [0.10.1] - Sep 16, 2021 +* Update dependency artifactory/ha charts version to 107.25.7 +* Update dependency mission-control chart version to 104.7.14 +* Update dependency pipelines chart version to 101.17.9 + ## [0.10.0] - Sep 6, 2021 * Update dependency artifactory/ha charts version to 107.25.6 * Update dependency xray chart version to 103.32.2 diff --git a/stable/jfrog-platform/Chart.lock b/stable/jfrog-platform/Chart.lock index 4f38b58ff..f038aeaee 100644 --- a/stable/jfrog-platform/Chart.lock +++ b/stable/jfrog-platform/Chart.lock @@ -10,10 +10,10 @@ dependencies: version: 12.10.1 - name: artifactory repository: https://charts.jfrog.io/ - version: 107.25.6 + version: 107.25.7 - name: artifactory-ha repository: https://charts.jfrog.io/ - version: 107.25.6 + version: 107.25.7 - name: xray repository: https://charts.jfrog.io/ version: 103.32.2 @@ -22,9 +22,9 @@ dependencies: version: 102.9.2 - name: mission-control repository: https://charts.jfrog.io/ - version: 104.7.13 + version: 104.7.14 - name: pipelines repository: https://charts.jfrog.io/ - version: 101.17.8 -digest: sha256:bae517d18731bda5da4add3892500903f2e47a8fba43c7567615e71e45dc2df7 -generated: "2021-09-07T18:33:25.404876+05:30" + version: 101.17.9 +digest: sha256:b6d924fb95a4f20ec46957387404ad72c287c5bae33e665d1d5d80d0a086e527 +generated: "2021-09-16T13:04:04.634825+05:30" diff --git a/stable/jfrog-platform/Chart.yaml b/stable/jfrog-platform/Chart.yaml index ff9ce4016..a1f6eeb7c 100644 --- a/stable/jfrog-platform/Chart.yaml +++ b/stable/jfrog-platform/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.25.6 +appVersion: 7.25.7 dependencies: - name: postgresql version: 10.3.18 
@@ -14,11 +14,11 @@ dependencies: repository: https://charts.bitnami.com/bitnami condition: redis.enabled - name: artifactory - version: 107.25.6 + version: 107.25.7 repository: https://charts.jfrog.io/ condition: artifactory.enabled - name: artifactory-ha - version: 107.25.6 + version: 107.25.7 repository: https://charts.jfrog.io/ condition: artifactory-ha.enabled - name: xray @@ -30,11 +30,11 @@ dependencies: repository: https://charts.jfrog.io/ condition: distribution.enabled - name: mission-control - version: 104.7.13 + version: 104.7.14 repository: https://charts.jfrog.io/ condition: mission-control.enabled - name: pipelines - version: 101.17.8 + version: 101.17.9 repository: https://charts.jfrog.io/ condition: pipelines.enabled description: The Helm chart for JFrog Platform (Universal, hybrid, end-to-end DevOps automation) @@ -52,5 +52,5 @@ name: jfrog-platform sources: - https://github.com/jfrog/charts type: application -version: 0.10.0 +version: 0.10.1 kubeVersion: ">= 1.14.0-0"