diff --git a/stable/artifactory-cpp-ce/CHANGELOG.md b/stable/artifactory-cpp-ce/CHANGELOG.md index f09476ed7..81ddff28b 100644 --- a/stable/artifactory-cpp-ce/CHANGELOG.md +++ b/stable/artifactory-cpp-ce/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory CE for C++ Chart Changelog All changes to this chart will be documented in this file -## [107.77.3] - Nov 23, 2023 +## [107.77.6] - Nov 23, 2023 * **IMPORTANT** * Added min kubeVersion ">= 1.19.0-0" in chart.yaml diff --git a/stable/artifactory-cpp-ce/Chart.yaml b/stable/artifactory-cpp-ce/Chart.yaml index fc88c8950..c7c9dd6df 100644 --- a/stable/artifactory-cpp-ce/Chart.yaml +++ b/stable/artifactory-cpp-ce/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 7.77.3 +appVersion: 7.77.6 dependencies: - name: artifactory repository: file://charts/artifactory - version: 107.77.3 + version: 107.77.6 description: JFrog Artifactory CE for C++ home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-cpp-ce/logo/conan.png @@ -21,4 +21,4 @@ name: artifactory-cpp-ce sources: - https://github.com/jfrog/charts type: application -version: 107.77.3 +version: 107.77.6 diff --git a/stable/artifactory-ha/CHANGELOG.md b/stable/artifactory-ha/CHANGELOG.md index 84a52a4ec..70610745b 100644 --- a/stable/artifactory-ha/CHANGELOG.md +++ b/stable/artifactory-ha/CHANGELOG.md @@ -1,10 +1,11 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.77.3] - Jan 16, 2024 +## [107.77.6] - Feb 20, 2024 * Removed integration service * Added recommended postgresql sizing configurations under sizing directory * Updated artifactory-federation (probes, port, embedded mode) +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) ## [107.76.0] - Dec 13, 2023 * Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section 
diff --git a/stable/artifactory-ha/Chart.yaml b/stable/artifactory-ha/Chart.yaml
index 30018756c..e4dd5e3ca 100644
--- a/stable/artifactory-ha/Chart.yaml
+++ b/stable/artifactory-ha/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 7.77.3
+appVersion: 7.77.6
 dependencies:
 - condition: postgresql.enabled
 name: postgresql
@@ -21,4 +21,4 @@ name: artifactory-ha
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 107.77.3
+version: 107.77.6
diff --git a/stable/artifactory-ha/values.yaml b/stable/artifactory-ha/values.yaml
index e36b3600e..5b35ef337 100644
--- a/stable/artifactory-ha/values.yaml
+++ b/stable/artifactory-ha/values.yaml
@@ -1740,6 +1740,10 @@ nginx:
 if ($http_x_forwarded_proto = '') {
 set $http_x_forwarded_proto $scheme;
 }
+ set $host_port {{ .Values.nginx.https.externalPort }};
+ if ( $scheme = "http" ) {
+ set $host_port {{ .Values.nginx.http.externalPort }};
+ }
 ## Application specific logs
 ## access_log /var/log/nginx/artifactory-access.log timing;
 ## error_log /var/log/nginx/artifactory-error.log;
@@ -1749,7 +1753,6 @@ nginx:
 }
 chunked_transfer_encoding on;
 client_max_body_size 0;
-
 location / {
 proxy_read_timeout 900;
 proxy_pass_header Server;
@@ -1758,7 +1761,7 @@ nginx:
 {{- if .Values.nginx.service.ssloffload}}
 proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host;
 {{- else }}
- proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
+ proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port;
 proxy_set_header X-Forwarded-Port $server_port;
 {{- end }}
 proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
@@ -1822,6 +1825,8 @@ nginx:
 # targetPort: 8066
 # protocol: TCP
 # name: docker
+
+ annotations: {}
 ## Renamed nginx internalPort 80,443 to 8080,8443 to support openshift
 http:
 enabled: true
diff --git a/stable/artifactory-jcr/CHANGELOG.md b/stable/artifactory-jcr/CHANGELOG.md
index 8a5768666..cd1b89946 100644
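Review bot: The new `$host_port` in the nginx server block is chosen from `$scheme`, but the scheme that ends up in X-JFrog-Override-Base-Url is `$http_x_forwarded_proto`, which the block just above only defaults to `$scheme` when the upstream header is empty; a request that reaches nginx over plain HTTP carrying `X-Forwarded-Proto: https` therefore gets an override URL of `https://$host:<http externalPort>`. Deriving the port from the same variable keeps the two consistent: `if ( $http_x_forwarded_proto = "http" ) {` (placed after the defaulting block, as the new lines already are). The unchanged `proxy_set_header X-Forwarded-Port $server_port;` in the -1758 hunk still sends the listener port, which after the 8080/8443 rename noted near `annotations: {}` presumably differs from the external port, so it is worth switching to `$host_port` in the same change. The identical hunks in stable/artifactory/values.yaml (at -1612 and -1630) have the same issue. Since `$host` comes from the client's Host header, the override URL remains request-derived as before; this change does not alter that.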
--- a/stable/artifactory-jcr/CHANGELOG.md +++ b/stable/artifactory-jcr/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.77.3] - Nov 23, 2023 +## [107.77.6] - Nov 23, 2023 * **IMPORTANT** * Added min kubeVersion ">= 1.19.0-0" in chart.yaml diff --git a/stable/artifactory-jcr/Chart.yaml b/stable/artifactory-jcr/Chart.yaml index 5ebc7c924..9a50500a0 100644 --- a/stable/artifactory-jcr/Chart.yaml +++ b/stable/artifactory-jcr/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 7.77.3 +appVersion: 7.77.6 dependencies: - name: artifactory repository: file://charts/artifactory - version: 107.77.3 + version: 107.77.6 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-jcr/logo/jcr-logo.png @@ -22,4 +22,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.77.3 +version: 107.77.6 diff --git a/stable/artifactory-oss/CHANGELOG.md b/stable/artifactory-oss/CHANGELOG.md index a45009589..2e96c35ef 100644 --- a/stable/artifactory-oss/CHANGELOG.md +++ b/stable/artifactory-oss/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory OSS Chart Changelog All changes to this chart will be documented in this file -## [107.77.3] - Nov 23, 2023 +## [107.77.6] - Nov 23, 2023 * **IMPORTANT** * Added min kubeVersion ">= 1.19.0-0" in chart.yaml diff --git a/stable/artifactory-oss/Chart.yaml b/stable/artifactory-oss/Chart.yaml index 8c240c5df..45f86b117 100644 --- a/stable/artifactory-oss/Chart.yaml +++ b/stable/artifactory-oss/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 7.77.3 +appVersion: 7.77.6 dependencies: - name: artifactory repository: file://charts/artifactory - version: 107.77.3 + version: 107.77.6 description: JFrog Artifactory OSS home: https://www.jfrog.com/artifactory/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory/logo/artifactory-logo.png @@ -20,4 +20,4 @@ name: artifactory-oss sources: - https://github.com/jfrog/charts type: application -version: 107.77.3 +version: 107.77.6 diff --git a/stable/artifactory/CHANGELOG.md b/stable/artifactory/CHANGELOG.md index 8b82dd1db..203fae3aa 100644 --- a/stable/artifactory/CHANGELOG.md +++ b/stable/artifactory/CHANGELOG.md @@ -1,11 +1,12 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.77.3] - Jan 16, 2024 +## [107.77.6] - Feb 20, 2024 * Removed integration service * Added recommended postgresql sizing configurations under sizing directory * Updated artifactory-federation (probes, port, embedded mode) * Fixed - Removed duplicate keys of the sizing yaml file +* Fixing broken nginx port [GH-1860](https://github.com/jfrog/charts/issues/1860) ## [107.76.0] - Dec 13, 2023 * Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section diff --git a/stable/artifactory/Chart.yaml b/stable/artifactory/Chart.yaml index e224a9577..f951a6e78 100644 --- a/stable/artifactory/Chart.yaml +++ b/stable/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.77.3 +appVersion: 7.77.6 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.77.3 +version: 107.77.6 diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml index ab7c1d12c..4b21be599 100644 --- a/stable/artifactory/values.yaml +++ b/stable/artifactory/values.yaml 
@@ -1612,6 +1612,10 @@ nginx: if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; } + set $host_port {{ .Values.nginx.https.externalPort }}; + if ( $scheme = "http" ) { + set $host_port {{ .Values.nginx.http.externalPort }}; + } ## Application specific logs ## access_log /var/log/nginx/artifactory-access.log timing; ## error_log /var/log/nginx/artifactory-error.log; @@ -1630,7 +1634,7 @@ nginx: {{- if .Values.nginx.service.ssloffload}} proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host; {{- else }} - proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port; + proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port; proxy_set_header X-Forwarded-Port $server_port; {{- end }} proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; @@ -1642,7 +1646,6 @@ nginx: proxy_buffering off; {{- end }} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - location /artifactory/ { if ( $request_uri ~ ^/artifactory/(.*)$ ) { proxy_pass http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1; diff --git a/stable/distribution/CHANGELOG.md b/stable/distribution/CHANGELOG.md index b9ad2fbc8..a0229ff16 100644 --- a/stable/distribution/CHANGELOG.md +++ b/stable/distribution/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Distribution Chart Changelog All changes to this project chart be documented in this file. -## [102.22.1] - Dec 22, 2023 +## [102.22.2] - Dec 22, 2023 * Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) ## [102.21.0] - Nov 22, 2023 diff --git a/stable/distribution/Chart.yaml b/stable/distribution/Chart.yaml index c004dcd7f..4263aa2a3 100644 --- a/stable/distribution/Chart.yaml +++ b/stable/distribution/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.22.1 +appVersion: 2.22.2 dependencies: - condition: postgresql.enabled name: postgresql @@ -19,4 +19,4 @@ name: distribution sources: - https://github.com/jfrog/charts type: application -version: 102.22.1 +version: 102.22.2 diff --git a/stable/insight/CHANGELOG.md b/stable/insight/CHANGELOG.md index c7b7e5481..aed485d11 100644 --- a/stable/insight/CHANGELOG.md +++ b/stable/insight/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Insights Chart Changelog All changes to this chart will be documented in this file. -## [101.16.6] - Oct 17, 2023 +## [101.16.7] - Oct 17, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) ## [101.15.0] - Sep 18, 2023 diff --git a/stable/insight/Chart.yaml b/stable/insight/Chart.yaml index 61f1d7b7d..94e8cc17a 100644 --- a/stable/insight/Chart.yaml +++ b/stable/insight/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.16.6 +appVersion: 1.16.7 dependencies: - condition: postgresql.enabled name: postgresql @@ -19,4 +19,4 @@ name: insight sources: - https://github.com/jfrog/charts type: application -version: 101.16.6 +version: 101.16.7 diff --git a/stable/jfrog-platform/CHANGELOG.md b/stable/jfrog-platform/CHANGELOG.md index dc1226344..634fa40c1 100644 --- a/stable/jfrog-platform/CHANGELOG.md +++ b/stable/jfrog-platform/CHANGELOG.md 
@@ -1,6 +1,15 @@ # JFrog Platform Chart Changelog (GA releases only) All changes to this chart will be documented in this file. +## [10.17.1] - Feb 29, 2024 +* Updated README.md to create a namespace using `--create-namespace` as part of helm install +* Updated `artifactory.installerInfo` content +* Update dependency artifactory chart version to 107.77.6 +* Update dependency xray chart version to 103.90.1 +* Update dependency distribution chart version to 102.22.2 +* Update dependency insight chart version to 101.16.7 +* Update dependency pipelines chart version to 101.55.6 + ## [10.17.0] - Jan 24, 2023 * **IMPORTANT** * Added min kubeVersion ">= 1.19.0-0" in chart.yaml diff --git a/stable/jfrog-platform/Chart.lock b/stable/jfrog-platform/Chart.lock index 10ebceb3c..9ba838e5b 100644 --- a/stable/jfrog-platform/Chart.lock +++ b/stable/jfrog-platform/Chart.lock @@ -7,18 +7,18 @@ dependencies: version: 11.9.3 - name: artifactory repository: https://charts.jfrog.io/ - version: 107.77.3 + version: 107.77.6 - name: xray repository: https://charts.jfrog.io/ - version: 103.87.9 + version: 103.90.1 - name: distribution repository: https://charts.jfrog.io/ - version: 102.22.1 + version: 102.22.2 - name: insight repository: https://charts.jfrog.io/ - version: 101.16.6 + version: 101.16.7 - name: pipelines repository: https://charts.jfrog.io/ - version: 101.53.4 -digest: sha256:f9cf10d922803ead6cfb196700de26f21ff54d13e3b616dd1df1cecc2fac9e44 -generated: "2024-01-24T15:31:40.815967+05:30" + version: 101.55.6 +digest: sha256:7dab87296e623847160abc644f43556da5bb2d7083a357888e68a6db1e11f9e1 +generated: "2024-02-29T20:49:08.265023+05:30" diff --git a/stable/jfrog-platform/Chart.yaml b/stable/jfrog-platform/Chart.yaml index d71aa6920..90907869f 100644 --- a/stable/jfrog-platform/Chart.yaml +++ b/stable/jfrog-platform/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.77.3 +appVersion: 7.77.6 dependencies: - condition: postgresql.enabled name: postgresql 
@@ -12,23 +12,23 @@ dependencies: - condition: artifactory.enabled name: artifactory repository: https://charts.jfrog.io/ - version: 107.77.3 + version: 107.77.6 - condition: xray.enabled name: xray repository: https://charts.jfrog.io/ - version: 103.87.9 + version: 103.90.1 - condition: distribution.enabled name: distribution repository: https://charts.jfrog.io/ - version: 102.22.1 + version: 102.22.2 - condition: insight.enabled name: insight repository: https://charts.jfrog.io/ - version: 101.16.6 + version: 101.16.7 - condition: pipelines.enabled name: pipelines repository: https://charts.jfrog.io/ - version: 101.53.4 + version: 101.55.6 description: The Helm chart for JFrog Platform (Universal, hybrid, end-to-end DevOps automation) home: https://jfrog.com/platform/ @@ -39,7 +39,6 @@ keywords: - xray - distribution - insight -- pdn-server - pipelines - jfrog - devops @@ -51,4 +50,4 @@ name: jfrog-platform sources: - https://github.com/jfrog/charts type: application -version: 10.17.0 +version: 10.17.1 diff --git a/stable/jfrog-platform/README.md b/stable/jfrog-platform/README.md index 8897667ec..99afda039 100644 --- a/stable/jfrog-platform/README.md +++ b/stable/jfrog-platform/README.md @@ -4,7 +4,7 @@ ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ * Artifactory Enterprise(+) trial license [get one from here](https://jfrog.com/platform/free-trial/) or Pro trial license [get one from here](https://www.jfrog.com/artifactory/free-trial/) ## Chart Details 
@@ -13,7 +13,6 @@ This chart will do the following: * Deploy JFrog Platform (artifactory, xray, distribution, insight and pipelines). Fully customizable. * Deploy a PostgreSQL database using the bitnami/postgresql chart (can be changed) **NOTE:** For production grade installations it is recommended to use an external PostgreSQL. * Deploy a Rabbitmq using the bitnami/rabbitmq chart (can be changed) -* Deploy a Redis using the bitnami/redis chart (can be changed) * Deploy an optional Nginx server ## Installing the Chart @@ -30,7 +29,7 @@ helm repo update ### Install Chart To install the chart with the release name `jfrog-platform` ```bash -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform +helm upgrade --install jfrog-platform jfrog/jfrog-platform --namespace jfrog-platform --create-namespace ``` ### High Availability @@ -38,7 +37,7 @@ helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-pla For **high availability** of Artifactory, set the replica count to be equal or higher than **2**. Recommended is **3**. ```bash # Start artifactory with 3 replicas per service -helm upgrade --install jfrog-platform --namespace jfrog-platform --set artifactory.artifactory.replicaCount=3 +helm upgrade --install jfrog-platform --set artifactory.artifactory.replicaCount=3 --namespace jfrog-platform --create-namespace ``` ### Install Artifactory license 
@@ -73,7 +72,7 @@ artifactory: ``` ```bash # Apply the values file during install -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform -f customvalues.yaml +helm upgrade --install jfrog-platform jfrog/jfrog-platform -f customvalues.yaml --namespace jfrog-platform --create-namespace ``` **NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). Updating the license should be done via Artifactory UI or REST API. @@ -96,7 +95,7 @@ artifactory: ``` ```bash -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform -f customvalues.yaml +helm upgrade --install jfrog-platform jfrog/jfrog-platform -f customvalues.yaml --namespace jfrog-platform --create-namespace ``` **NOTE:** This method is relevant for initial deployment only! Once Artifactory is deployed, you should not keep passing these parameters as the license is already persisted into Artifactory's storage (they will be ignored). Updating the license should be done via Artifactory UI or REST API. @@ -109,7 +108,6 @@ This chart would provide flexibility to enable one or more of the jfrog products 2. Distribution 3. Insight 4. Pipelines -5. PDN server For example to enable xray and insight with artifactory, you can refer the following yaml and pass it during install. customvalues.yaml @@ -120,7 +118,7 @@ insight: enabled: true ```` ```bash -helm upgrade --install jfrog-platform --namespace jfrog-platform jfrog/jfrog-platform -f customvalues.yaml +helm upgrade --install jfrog-platform jfrog/jfrog-platform -f customvalues.yaml --namespace jfrog-platform --create-namespace ``` ### Uninstalling Jfrog Platform chart. diff --git a/stable/jfrog-platform/values.yaml b/stable/jfrog-platform/values.yaml index 493efb0e4..9b0581751 100644 --- a/stable/jfrog-platform/values.yaml 
+++ b/stable/jfrog-platform/values.yaml @@ -29,7 +29,6 @@ global: # distribution: # insight: # pipelines: - # pdnServer: database: host: "{{ .Release.Name }}-postgresql" port: 5432 @@ -214,7 +213,7 @@ rabbitmq: artifactory: enabled: true unifiedUpgradeAllowed: true - installerInfo: '{"productId": "Helm_JFrogPlatform/{{ printf "10.17.0-%s" .Chart.AppVersion }}", "features": [ { "featureId": "Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"}]}' + installerInfo: '{"productId":"Helm_JFrogPlatform/{{ printf "10.17.0-%s" .Chart.AppVersion }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}' postgresql: enabled: false waitForDatabase: false diff --git a/stable/pipelines/CHANGELOG.md b/stable/pipelines/CHANGELOG.md index f0863c0dc..e49e1ce52 100644 --- a/stable/pipelines/CHANGELOG.md +++ b/stable/pipelines/CHANGELOG.md @@ -1,7 +1,13 @@ # JFrog Pipelines Chart Changelog All changes to this chart to be documented in this file. -## [101.53.4] - Nov 14, 2023 +## [101.55.6] - Dec 28, 2023 +* Handled #redis postfix is ommited from redis service name if it contains redis + +## [101.54.0] - Dec 21, 2023 +* Removed hardcoding of redis resources in default values + +## [101.53.0] - Nov 14, 2023 * Updated rabbitmq version to 3.12.10-debian-11-r1 * Updated redis version to 7.2.0-debian-11-r2 diff --git a/stable/pipelines/Chart.yaml b/stable/pipelines/Chart.yaml index acc31475d..8e4e3a349 100644 --- a/stable/pipelines/Chart.yaml +++ b/stable/pipelines/Chart.yaml 
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.53.4
+appVersion: 1.55.6
 dependencies:
 - condition: postgresql.enabled
 name: postgresql
@@ -32,4 +32,4 @@ name: pipelines
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 101.53.4
+version: 101.55.6
diff --git a/stable/pipelines/templates/_helpers.tpl b/stable/pipelines/templates/_helpers.tpl
index 603625d7b..049cc5f49 100644
--- a/stable/pipelines/templates/_helpers.tpl
+++ b/stable/pipelines/templates/_helpers.tpl
@@ -431,6 +431,37 @@ Set grcp url {{- end }} {{- end -}} +{{/* +Create rabbitmq URL +*/}} +{{- define "rabbitmq.url" -}} +{{- if index .Values "rabbitmq" "enabled" -}} +{{- if .Values.rabbitmq.auth.tls.enabled -}} +{{- $rabbitmqPort := .Values.rabbitmq.service.ports.amqpTls -}} +{{- $name := default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} +{{- printf "%s://%s-%s:%g/" "amqps" .Release.Name $name $rabbitmqPort -}} +{{- else -}} +{{- $rabbitmqPort := .Values.rabbitmq.service.ports.amqp -}} +{{- $name := default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} +{{- printf "%s://%s-%s:%g/" "amqp" .Release.Name $name $rabbitmqPort -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{/* +Custom Rabbitmq certificate copy command +*/}} +{{- define "pipelines.copyRabbitmqCustomCerts" -}} +{{- if .Values.rabbitmq.auth.tls.enabled -}} +echo "Copy rabbitmq custom certificates to {{ .Values.pipelines.mountPath }}/etc/security/keys/trusted"; +mkdir -p {{ .Values.pipelines.mountPath }}/etc/security/keys/trusted {{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/; +cd /tmp/rabbitmqcerts/; +for file in $(ls * | grep -v ".key" | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.pipelines.mountPath }}/etc/security/keys/trusted/rabbitmq_${file}; fi done; +for file in $(ls * | grep -v ":" | grep -v grep); do if [ -f "${file}" ]; then cp -v ${file} {{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_${file}; fi done; +{{- end -}} +{{- end -}} + {{/* Resolve jfrogUrl value */}} 
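Review bot: `pipelines.copyRabbitmqCustomCerts` copies every file of the mounted secret, including the private key (the second loop filters only `:`), into `{{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/`, and `cp -v` without `-p` gives the copy the umask default rather than the secret volume's mode, so the key that `JF_SHARED_MSG_TLSKEY` later points at ends up world-readable on a volume shared by all pipelines containers. A `chmod 600 {{ .Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_*.key;` after the second loop, together with a restrictive `defaultMode` on the secret volume where it is declared, closes that. The loops also parse `ls *` and use an unquoted `grep -v ".key"`, where `.` is a regex wildcard, so any filename containing `key` (not just `*.key`) is dropped from the trusted dir, and the `| grep -v grep` filters appear to be no-ops; `for file in *; do case "$file" in *.key) continue;; esac; …` is the robust form. The file continues past this hunk.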
@@ -949,3 +980,54 @@ if the volume exists in customVolume then an extra volume with the same name wil
 {{- printf "%s" "false" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Construct Redis service name
+*/}}
+{{- define "pipelines.redisServiceName" -}}
+{{- if .Values.redis.fullnameOverride -}}
+{{- .Values.redis.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- if contains "redis" .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-redis" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the secret name of rabbitmq TLS certs.
+*/}}
+{{- define "pipelines.rabbitmqCustomCertificateshandler" -}}
+{{- if .Values.rabbitmq.auth.tls.enabled -}}
+{{- $secretName := printf "%s-%s" .Release.Name "rabbitmq-certs" -}}
+{{- $val := default $secretName .Values.rabbitmq.auth.tls.existingSecret -}}
+{{- $val -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Prints value of Values.rabbitmq.auth.tls.enabled.
+*/}}
+{{- define "pipelines.rabbitmq.isTlsEnabled" -}}
+{{- printf "%t" $.Values.auth.tls.enabled -}}
+{{- end -}}
+
+{{/*
+Set pipelines env variables if rabbitmq.tls is enabled.
+*/}}
+{{- define "pipelines.rabbitmqTlsEnvVariables" -}}
+{{- if .Values.rabbitmq.auth.tls.enabled }}
+- name: GODEBUG
+ value: "x509ignoreCN=0"
+- name: enableTlsConnectionToRabbitMQ
+ value: "true"
+- name: JF_SHARED_MSG_TLSCERT
+ value: {{.Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_tls.crt
+- name: JF_SHARED_MSG_TLSKEY
+ value: {{.Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_tls.key
+- name: JF_SHARED_MSG_TLSCA
+ value: {{.Values.pipelines.mountPath }}/data/rabbitmq/certs/rabbitmq_ca.crt
+{{- end }}
+{{- end -}}
diff --git a/stable/pipelines/templates/pipelines-cron-statefulset.yaml b/stable/pipelines/templates/pipelines-cron-statefulset.yaml
index f66a28ace..492c278f0 100644
--- a/stable/pipelines/templates/pipelines-cron-statefulset.yaml
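Review bot: `pipelines.rabbitmq.isTlsEnabled` reads `$.Values.auth.tls.enabled`, while its own comment and every other helper in this hunk use `.Values.rabbitmq.auth.tls.enabled`; unless a top-level `auth` value exists, any template that includes it fails to render on the nil `auth` map, so it should read `{{- printf "%t" $.Values.rabbitmq.auth.tls.enabled -}}`. `pipelines.rabbitmqTlsEnvVariables` sets `GODEBUG=x509ignoreCN=0`, which re-enables the deprecated fallback to a certificate's Common Name when no SAN matches; Go 1.17 and later ignore the setting entirely, so if the consumer is a Go binary this only works on older toolchains and the RabbitMQ certificate should carry a SAN for the service host that `rabbitmq.url` builds. A comment such as `# legacy CN matching; no effect on Go >= 1.17, cert must carry SANs` on that line would keep operators from depending on it.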
+++ b/stable/pipelines/templates/pipelines-cron-statefulset.yaml
@@ -133,6 +133,28 @@ spec:
 - name: ca-certs
 mountPath: "/tmp/certs"
 {{- end }}
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: copy-rabbitmq-certs
+ image: "{{ .Values.initContainer.image }}"
+ imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - NET_RAW
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ command:
+ - '/bin/bash'
+ - '-c'
+ - >
+{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: rabbitmq-ca-certs
+ mountPath: "/tmp/rabbitmqcerts"
+ {{ end }}
 - name: change-ownership
 image: "{{ .Values.initContainer.image }}"
 imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
@@ -439,6 +461,9 @@ spec:
 - NET_RAW
 workingDir: /opt/jfrog/pipelines/app/micro/cron
 env:
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }}
+ {{ end }}
 - name: PIPELINES_INTERNAL_API
 value: "true"
 - name: COMPONENT
@@ -596,4 +621,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }}
 {{- end }}
+
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: rabbitmq-ca-certs
+ secret:
+ secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }}
+ {{- end}}
 {{- end -}}
diff --git a/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml b/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml
index 400bc0fe0..34310ce19 100644
--- a/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml
+++ b/stable/pipelines/templates/pipelines-hookhandler-statefulset.yaml
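Review bot: The `rabbitmq-ca-certs` secret volume in the -596 hunk is mounted with the default file mode even though it carries the RabbitMQ private key, and the `copy-rabbitmq-certs` init container then copies it into the shared `jfrog-pipelines-folder`; a restrictive mode under the `secret:` stanza, e.g. `defaultMode: 0440` (adjusted to the pod's fsGroup/runAsUser), at least limits the mounted source. The `{{ end }}` closing the init-container block, the env block and the volume block is untrimmed, unlike the `{{- end }}` used everywhere around it, and emits a whitespace-only line on every render; `{{- end }}` is the conventional form. `resources:` reads `.Values.initContainers.resources` while `image:` two lines earlier reads `.Values.initContainer.image` — presumably both keys exist in values.yaml, but worth confirming, since a missing `initContainers` key renders `null` for the resources. The same three hunks recur in pipelines-hookhandler-statefulset.yaml, pipelines-internalapi-statefulset.yaml and pipelines-statefulset.yaml.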
@@ -137,6 +137,28 @@ spec:
 - name: ca-certs
 mountPath: "/tmp/certs"
 {{- end }}
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: copy-rabbitmq-certs
+ image: "{{ .Values.initContainer.image }}"
+ imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - NET_RAW
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ command:
+ - '/bin/bash'
+ - '-c'
+ - >
+{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: rabbitmq-ca-certs
+ mountPath: "/tmp/rabbitmqcerts"
+ {{ end }}
 - name: change-ownership
 image: "{{ .Values.initContainer.image }}"
 imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
@@ -443,6 +465,9 @@ spec:
 - NET_RAW
 workingDir: /opt/jfrog/pipelines/app/micro/hookHandler
 env:
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }}
+ {{ end }}
 - name: PIPELINES_INTERNAL_API
 value: "true"
 - name: COMPONENT
@@ -600,4 +625,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }}
 {{- end }}
+
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: rabbitmq-ca-certs
+ secret:
+ secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }}
+ {{- end}}
 {{- end -}}
diff --git a/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml b/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml
index cae1473d5..2e902002e 100644
--- a/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml
+++ b/stable/pipelines/templates/pipelines-internalapi-statefulset.yaml
@@ -219,6 +219,28 @@ spec:
 done;
 {{- end }}
 {{- end }}
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: copy-rabbitmq-certs
+ image: "{{ .Values.initContainer.image }}"
+ imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - NET_RAW
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ command:
+ - '/bin/bash'
+ - '-c'
+ - >
+{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: rabbitmq-ca-certs
+ mountPath: "/tmp/rabbitmqcerts"
+ {{ end }}
 - name: pipelines-installer
 image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }}
 imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }}
@@ -296,11 +318,7 @@ spec:
 {{- end }}
 {{- if .Values.redis.enabled }}
 echo "Waiting for Redis to come up...";
- {{- if .Values.redis.fullnameOverride }}
- until nc -z -w 2 {{ .Values.redis.fullnameOverride }} {{ .Values.redis.redisPort }} && echo redis ok; do
- {{- else }}
- until nc -z -w 2 {{ .Release.Name }}-redis {{ .Values.redis.redisPort }} && echo redis ok; do
- {{- end }}
+ until nc -z -w 2 {{ template "pipelines.redisServiceName" . }} {{ .Values.redis.redisPort }} && echo redis ok; do
 sleep 1;
 done;
 {{- end }}
@@ -314,7 +332,9 @@ spec:
 mkdir -p {{ .Values.pipelines.mountPath }}/security;
 echo -n ${PIPELINES_JOIN_KEY} > {{ .Values.pipelines.mountPath }}/security/join.key;
 {{- end }}
+ set -e;
 ./pipelines-k8s;
+ set +e;
 {{ include "pipelines.addMetrics" . | nindent 12 }}
 {{ include "pipelines.changeOwnershipMetrics" . | nindent 12 }}
 volumeMounts:
@@ -521,6 +541,9 @@ spec:
 drop:
 - NET_RAW
 env:
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }}
+ {{ end }}
 - name: PIPELINES_INTERNAL_API
 value: "true"
 - name: PIPELINES_NODE_ID
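Review bot: `set -e; ./pipelines-k8s; set +e;` in the -314 hunk toggles errexit around a single command, which reads as if the whole script were meant to be strict when in fact only that one call is; `./pipelines-k8s || exit 1;` states the intent directly and leaves the shell mode alone for the metrics steps that follow. The same pair appears in pipelines-statefulset.yaml (hunk at -362). The installer script begins and ends outside this hunk, so whether earlier wait loops should also be fatal cannot be judged from here.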
@@ -701,4 +724,9 @@ spec:
 persistentVolumeClaim:
 claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }}
 {{- end }}
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: rabbitmq-ca-certs
+ secret:
+ secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }}
+ {{- end}}
 {{- end -}}
diff --git a/stable/pipelines/templates/pipelines-statefulset.yaml b/stable/pipelines/templates/pipelines-statefulset.yaml
index 8477136c2..1a126acf2 100644
--- a/stable/pipelines/templates/pipelines-statefulset.yaml
+++ b/stable/pipelines/templates/pipelines-statefulset.yaml
@@ -267,6 +267,28 @@ spec:
 done;
 {{- end }}
 {{- end }}
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ - name: copy-rabbitmq-certs
+ image: "{{ .Values.initContainer.image }}"
+ imagePullPolicy: {{ .Values.initContainer.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - NET_RAW
+ resources:
+{{ toYaml .Values.initContainers.resources | nindent 12 }}
+ command:
+ - '/bin/bash'
+ - '-c'
+ - >
+{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }}
+ volumeMounts:
+ - name: jfrog-pipelines-folder
+ mountPath: {{ .Values.pipelines.mountPath }}
+ - name: rabbitmq-ca-certs
+ mountPath: "/tmp/rabbitmqcerts"
+ {{ end }}
 - name: pipelines-installer
 image: {{ include "pipelines.getImageInfoByValue" (list . "pipelines" "pipelinesInit" ) }}
 imagePullPolicy: {{ .Values.pipelines.pipelinesInit.image.pullPolicy }}
@@ -344,11 +366,7 @@ spec:
 {{- end }}
 {{- if .Values.redis.enabled }}
 echo "Waiting for Redis to come up...";
- {{- if .Values.redis.fullnameOverride }}
- until nc -z -w 2 {{ .Values.redis.fullnameOverride }} {{ .Values.redis.redisPort }} && echo redis ok; do
- {{- else }}
- until nc -z -w 2 {{ .Release.Name }}-redis {{ .Values.redis.redisPort }} && echo redis ok; do
- {{- end }}
+ until nc -z -w 2 {{ template "pipelines.redisServiceName" . }} {{ .Values.redis.redisPort }} && echo redis ok; do
 sleep 1;
 done;
 {{- end }}
@@ -362,7 +380,9 @@ spec:
 mkdir -p {{ .Values.pipelines.mountPath }}/security;
 echo -n ${PIPELINES_JOIN_KEY} > {{ .Values.pipelines.mountPath }}/security/join.key;
 {{- end }}
+ set -e;
 ./pipelines-k8s;
+ set +e;
 {{ include "pipelines.addMetrics" . | nindent 12 }}
 {{ include "pipelines.changeOwnershipMetrics" . | nindent 12 }}
 volumeMounts:
@@ -569,6 +589,9 @@ spec:
 drop:
 - NET_RAW
 env:
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}}
+ {{ end }}
 - name: PIPELINES_NODE_ID
 valueFrom:
 fieldRef:
@@ -629,6 +652,9 @@ spec:
 - name: NODE_EXTRA_CA_CERTS
 value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt"
 {{- end }}
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}}
+ {{ end }}
 - name: PIPELINES_NODE_ID
 valueFrom:
 fieldRef:
@@ -719,6 +745,9 @@ spec:
 drop:
 - NET_RAW
 env:
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}}
+ {{ end }}
 {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }}
 - name: NODE_EXTRA_CA_CERTS
 value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt"
@@ -763,6 +792,9 @@ spec:
 drop:
 - NET_RAW
 env:
+ {{- if .Values.rabbitmq.auth.tls.enabled }}
+ {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}}
+ {{ end }}
 {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }}
 - name: NODE_EXTRA_CA_CERTS
 value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt"
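Review bot: The include of `pipelines.rabbitmqTlsEnvVariables` is written `| indent 12 -}}` in the env hunks of this file (-569, -629, -719, -763 and several on the following lines) but `| indent 12 }}` in the cron, hookhandler and internalapi statefulsets and in some hunks here, and the closing `{{ end }}` is untrimmed in all of them. Both variants happen to render valid YAML — the `-}}` form relies on the next template action or list item supplying the newline, the other leaves a whitespace-only line — but that dependence on what follows is fragile in an env list that is edited often; the conventional pairing is `{{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }}` followed by `{{- end }}`, used uniformly across all four statefulsets.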
@@ -807,6 +839,9 @@ spec: - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -841,6 +876,9 @@ spec: drop: - NET_RAW env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -883,6 +921,9 @@ spec: - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -918,6 +959,9 @@ spec: - NET_RAW workingDir: /opt/jfrog/pipelines/app/micro/pipelineSync env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: pipelinesync - name: PIPELINES_NODE_ID @@ -957,6 +1001,9 @@ spec: env: - name: COMPONENT value: cron + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -992,6 +1039,9 @@ spec: - NET_RAW workingDir: /opt/jfrog/pipelines/app/micro/hookHandler env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: hookhandler - name: PIPELINES_NODE_ID 
@@ -1031,6 +1081,9 @@ spec: env: - name: COMPONENT value: extensionsync + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -1066,6 +1119,9 @@ spec: - NET_RAW workingDir: /opt/jfrog/pipelines/app/micro/reqSealer env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: reqsealer - name: PIPELINES_NODE_ID @@ -1103,6 +1159,9 @@ spec: - NET_RAW workingDir: /opt/jfrog/pipelines/app/micro/templateSync env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: COMPONENT value: templatesync - name: PIPELINES_NODE_ID @@ -1197,6 +1256,12 @@ spec: secretName: {{ .Values.buildPlane.dynamic.provider.k8s.existingSecret }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} + ######### unifiedSecretInstallation ########### {{- if and .Values.pipelines.unifiedSecretInstallation (eq (include "pipelines.checkDuplicateUnifiedCustomVolume" .) "false" ) }} - name: {{ include "pipelines.unifiedCustomSecretVolumeName" . }} diff --git a/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml b/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml index b7c72985f..28e03f42e 100644 --- a/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-steptrigger-statefulset.yaml 
@@ -133,6 +133,28 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} @@ -438,6 +460,9 @@ spec: drop: - NET_RAW env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -595,4 +620,10 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} \ No newline at end of file diff --git a/stable/pipelines/templates/pipelines-sync-statefulset.yaml b/stable/pipelines/templates/pipelines-sync-statefulset.yaml index d7c2d0168..20737d7c3 100644 --- a/stable/pipelines/templates/pipelines-sync-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-sync-statefulset.yaml 
@@ -135,6 +135,28 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} @@ -443,6 +465,9 @@ spec: - NET_RAW workingDir: /opt/jfrog/pipelines/app/micro/pipelineSync env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -486,6 +511,9 @@ spec: value: "true" - name: COMPONENT value: extensionsync + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -525,6 +553,9 @@ spec: value: "true" - name: COMPONENT value: templatesync + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_NODE_ID valueFrom: fieldRef: @@ -678,4 +709,9 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} 
diff --git a/stable/pipelines/templates/pipelines-trigger-statefulset.yaml b/stable/pipelines/templates/pipelines-trigger-statefulset.yaml index 6e434161c..5b4d41038 100644 --- a/stable/pipelines/templates/pipelines-trigger-statefulset.yaml +++ b/stable/pipelines/templates/pipelines-trigger-statefulset.yaml @@ -135,6 +135,28 @@ spec: - name: ca-certs mountPath: "/tmp/certs" {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: copy-rabbitmq-certs + image: "{{ .Values.initContainer.image }}" + imagePullPolicy: {{ .Values.initContainer.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - NET_RAW + resources: +{{ toYaml .Values.initContainers.resources | nindent 12 }} + command: + - '/bin/bash' + - '-c' + - > +{{ include "pipelines.copyRabbitmqCustomCerts" . | indent 12 }} + volumeMounts: + - name: jfrog-pipelines-folder + mountPath: {{ .Values.pipelines.mountPath }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{ end }} - name: change-ownership image: "{{ .Values.initContainer.image }}" imagePullPolicy: {{ .Values.initContainer.pullPolicy }} @@ -441,6 +463,9 @@ spec: drop: - NET_RAW env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -485,6 +510,9 @@ spec: drop: - NET_RAW env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" 
@@ -524,6 +552,9 @@ spec: drop: - NET_RAW env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 -}} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -563,6 +594,9 @@ spec: drop: - NET_RAW env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} {{- if or .Values.pipelines.customCertificates.enabled .Values.global.customCertificates.enabled }} - name: NODE_EXTRA_CA_CERTS value: "{{ .Values.pipelines.mountPath }}/security/keys/trusted/pipelines_custom_certs.crt" @@ -602,6 +636,9 @@ spec: - NET_RAW workingDir: /opt/jfrog/pipelines/app/micro/reqSealer env: + {{- if .Values.rabbitmq.auth.tls.enabled }} + {{- include "pipelines.rabbitmqTlsEnvVariables" . | indent 12 }} + {{ end }} - name: PIPELINES_INTERNAL_API value: "true" - name: COMPONENT @@ -759,4 +796,9 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pipelines.customPersistentVolumeClaim.name }} {{- end }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "pipelines.rabbitmqCustomCertificateshandler" . }} + {{- end}} {{- end -}} diff --git a/stable/pipelines/values.yaml b/stable/pipelines/values.yaml index a98907689..d6973fc55 100644 --- a/stable/pipelines/values.yaml +++ b/stable/pipelines/values.yaml 
@@ -1289,7 +1289,13 @@ pipelines: msg: {{- if .Values.rabbitmq.enabled }} ip: {{ .Release.Name }}-rabbitmq + {{- if .Values.rabbitmq.auth.tls.enabled }} + port: {{ .Values.rabbitmq.service.ports.amqpTls }} + protocol: {{ .Values.rabbitmq.protocol }} + {{- else }} port: {{ .Values.rabbitmq.service.ports.amqp }} + protocol: amqp + {{- end }} adminPort: {{ .Values.rabbitmq.service.ports.manager }} erlangCookie: {{ .Values.rabbitmq.auth.erlangCookie }} username: {{ .Values.rabbitmq.auth.username }} @@ -1327,7 +1333,6 @@ pipelines: username: {{ .Values.pipelines.msg.uiUser }} password: "{{ .Values.pipelines.msg.uiUserPassword }}" {{- else }} - protocol: http username: {{ .Values.rabbitmq.cp_username }} password: "{{ .Values.rabbitmq.cp_password }}" {{- end }} @@ -1336,7 +1341,12 @@ pipelines: {{- if .Values.rabbitmq.externalUrl }} url: {{ .Values.rabbitmq.externalUrl }} {{- else if .Values.rabbitmq.enabled }} + {{- if .Values.rabbitmq.auth.tls.enabled }} + url: amqps://{{ tpl .Release.Name . }}-rabbitmq + protocol: {{ .Values.rabbitmq.protocol }} + {{- else }} url: amqp://{{ tpl .Release.Name . }}-rabbitmq + {{- end }} {{- else }} url: {{ .Values.rabbitmq.protocol }}://{{ tpl .Values.rabbitmq.msg_hostname . }}:{{ .Values.rabbitmq.port }} {{- end }} @@ -1381,11 +1391,7 @@ pipelines: ## Redis configuration ## redis: - {{- if .Values.redis.fullnameOverride }} - ip: {{ .Values.redis.fullnameOverride }} - {{- else }} - ip: {{ .Release.Name }}-redis - {{- end }} + ip: {{ template "pipelines.redisServiceName" . }} port: {{ .Values.redis.redisPort }} password: {{ .Values.redis.auth.password }} clusterEnabled: false 
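Review bot: In the `@@ -1336,7 +1341,12 @@` hunk the TLS branch hard-codes the scheme, `url: amqps://{{ tpl .Release.Name . }}-rabbitmq`, but takes the protocol from `protocol: {{ .Values.rabbitmq.protocol }}`; the same split appears in the `@@ -1289,7 +1289,13 @@` hunk, where the TLS branch uses `.Values.rabbitmq.protocol` while the plain branch hard-codes `protocol: amqp`. If `rabbitmq.protocol` is left at its values.yaml default, enabling `rabbitmq.auth.tls.enabled` produces an `amqps` URL paired with a non-TLS protocol field, and depending on how the consuming service reconciles the two this may end up as a cleartext connection attempt. Either write `protocol: amqps` in both TLS branches or derive the URL scheme from the same value as `protocol`, so the two cannot disagree.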
@@ -1977,6 +1983,45 @@ rabbitmq: repository: bitnami/rabbitmq tag: 3.12.10-debian-11-r1 auth: + ## Enable encryption to rabbitmq + ## ref: https://www.rabbitmq.com/ssl.html + ## @param auth.tls.enabled Enable TLS support on RabbitMQ + ## @param auth.tls.autoGenerated Generate automatically self-signed TLS certificates + ## @param auth.tls.failIfNoPeerCert When set to true, TLS connection will be rejected if client fails to provide a certificate + ## @param auth.tls.sslOptionsVerify Should [peer verification](https://www.rabbitmq.com/ssl.html#peer-verification) be enabled? + ## @param auth.tls.sslOptionsPassword.enabled Enable usage of password for private Key + ## @param auth.tls.sslOptionsPassword.existingSecret Name of existing Secret containing the sslOptionsPassword + ## @param auth.tls.sslOptionsPassword.key Enable Key referring to sslOptionsPassword in Secret specified in auth.tls.sslOptionsPassword.existingSecret + ## @param auth.tls.sslOptionsPassword.password Use this string as Password. If set, auth.tls.sslOptionsPassword.existingSecret and auth.tls.sslOptionsPassword.key are ignored + ## @param auth.tls.caCertificate Certificate Authority (CA) bundle content + ## @param auth.tls.serverCertificate Server certificate content + ## @param auth.tls.serverKey Server private key content + ## @param auth.tls.existingSecret Existing secret with certificate content to RabbitMQ credentials + ## @param auth.tls.existingSecretFullChain Whether or not the existing secret contains the full chain in the certificate (`tls.crt`). Will be used in place of `ca.cert` if `true`. + ## @param auth.tls.overrideCaCertificate Existing secret with certificate content be mounted instead of the `ca.crt` coming from caCertificate or existingSecret/existingSecretFullChain. + ## + tls: + enabled: false + # By default TLS certs are autogenerated, if you wish to add your own certs, please set this to false. 
+ autoGenerated: true + failIfNoPeerCert: false + sslOptionsVerify: verify_peer + failIfNoCert: false + sslOptionsPassword: + enabled: false + existingSecret: "" + key: "" + password: "" + + caCertificate: + serverCertificate: + serverKey: + + # Rabbitmq tls-certs secret name, as by default it will have {{ .Release.Name }}-rabbitmq-certs. + existingSecret: + existingSecretFullChain: false + overrideCaCertificate: "" + username: admin ## RabbitMQ application password @@ -1998,6 +2043,12 @@ rabbitmq: - name: RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS value: "+S 2:2 +sbwt none +sbwtdcpu none +sbwtdio none" + service: + ports: + amqp: 5672 + amqpTls: 5671 + manager: 15672 + persistence: enabled: true size: 20Gi @@ -2038,6 +2089,8 @@ rabbitmq: - create - get - list + extraConfiguration: |- + management.listener.ssl = {{ template "pipelines.rabbitmq.isTlsEnabled" . }} ## Platform config access configuration access: @@ -2079,22 +2132,22 @@ redis: enabled: true containerPorts: redis: 6379 - resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 20m - memory: 512Mi + resources: {} + # limits: + # cpu: 1 + # memory: 2Gi + # requests: + # cpu: 20m + # memory: 512Mi replica: replicaCount: 1 - resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 20m - memory: 512Mi + resources: {} + # limits: + # cpu: 1 + # memory: 2Gi + # requests: + # cpu: 20m + # memory: 512Mi sentinel: enabled: true containerPorts: diff --git a/stable/xray/CHANGELOG.md b/stable/xray/CHANGELOG.md index 0c102ebcc..c75c6753c 100644 --- a/stable/xray/CHANGELOG.md +++ b/stable/xray/CHANGELOG.md 
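Review bot: `failIfNoCert: false` in the new `rabbitmq.auth.tls` block is not among the `@param` entries documented above it, which list `failIfNoPeerCert`; unless the subchart reads that key it is dead configuration and should be dropped or documented. The empty scalars are written two ways — `caCertificate:`, `serverCertificate:`, `serverKey:` and `existingSecret:` are bare (parsed as null) while `overrideCaCertificate: ""` is an explicit empty string — so use `""` for all of them and templating a missing value will not render `null`. A comment next to `sslOptionsVerify: verify_peer` and `failIfNoPeerCert: false` would also help, since together they request a client certificate but accept connections without one, i.e. the default is server-authenticated TLS on an auto-generated self-signed certificate rather than mutual TLS: `# verify_peer with failIfNoPeerCert=false makes client certs optional; set failIfNoPeerCert: true to require them`.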
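Review bot: The `@@ -2079,22 +2132,22 @@` hunk replaces the redis master and replica resource blocks with `resources: {}`, so by default these pods now run with no requests or limits; if the intent is that callers supply them, a one-line comment saying so would stop the next reader from treating it as an oversight, e.g. `# intentionally empty: set requests/limits in your own values`. The commented-out suggestion also reads `memory: 2Gi` where the removed default was `1Gi`, so the comment should note that the recommended value changed rather than look like a stale copy.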
@@ -1,7 +1,13 @@ # JFrog Xray Chart Changelog All changes to this chart will be documented in this file. -## [103.87.9] - Dec 7,2023 +## [103.89.0] - Jan 18,2023 +* Remove fallback section from keda. + +## [103.88.0] - Dec 20,2023 +* Added support for migrating rabbitmq to high-availability quorum queues setup + +## [103.87.0] - Dec 7,2023 * Update minimum supported kubernetes version to 1.19 * Added recommended t-shirt sizing configurations under sizing folder * Added support for rabbitmq high-availability quorum queues clean install setup diff --git a/stable/xray/Chart.yaml b/stable/xray/Chart.yaml index f781957e0..cf493cd93 100644 --- a/stable/xray/Chart.yaml +++ b/stable/xray/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.87.9 +appVersion: 3.90.1 dependencies: - condition: postgresql.enabled name: postgresql @@ -24,4 +24,4 @@ name: xray sources: - https://github.com/jfrog/charts type: application -version: 103.87.9 +version: 103.90.1 diff --git a/stable/xray/rabbitmq/ha-quorum.yaml b/stable/xray/rabbitmq/ha-quorum.yaml index 99d8bffc9..ac80ce1aa 100644 --- a/stable/xray/rabbitmq/ha-quorum.yaml +++ b/stable/xray/rabbitmq/ha-quorum.yaml @@ -5,5 +5,6 @@ rabbitmq: global: xray: rabbitmq: + replicaCount: 3 haQuorum: enabled: true \ No newline at end of file diff --git a/stable/xray/rabbitmq/migration-to-ha-quorum.yaml b/stable/xray/rabbitmq/migration-to-ha-quorum.yaml new file mode 100644 index 000000000..62e4cb6d5 --- /dev/null +++ b/stable/xray/rabbitmq/migration-to-ha-quorum.yaml @@ -0,0 +1,12 @@ +rabbitmq: + extraPlugins: "rabbitmq_shovel rabbitmq_shovel_management" + migration: + deleteStatefulSetToAllowFieldUpdate: + enabled: true + removeHaPolicyOnMigrationToHaQuorum: + enabled: true + +global: + xray: + rabbitmq: + migrateMessagesFromXrayDefaultVhost: true \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-2xlarge.yaml b/stable/xray/sizing/xray-sizing-2xlarge.yaml index b8b7987cf..e2110e4c0 100644 
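Review bot: The new `migration-to-ha-quorum.yaml` overlay enables `rabbitmq_shovel rabbitmq_shovel_management`, `deleteStatefulSetToAllowFieldUpdate.enabled: true` and `migrateMessagesFromXrayDefaultVhost: true` without any comment on when it is meant to be applied or removed; a header such as `# One-time migration overlay: apply for the upgrade that moves to quorum queues, then drop it from your values so the shovel plugins and StatefulSet deletion are not carried into later upgrades.` would make that explicit. The shovel management plugin widens the broker's management surface and, if the delete flag is honoured on every upgrade, the StatefulSet deletion would recur, so the file should not read as a permanent setting. The file also lacks a trailing newline.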
--- a/stable/xray/sizing/xray-sizing-2xlarge.yaml +++ b/stable/xray/sizing/xray-sizing-2xlarge.yaml @@ -8,24 +8,6 @@ databaseUpgradeReady: true waitForDatabase: true unifiedUpgradeAllowed: true -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "hard" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - autoscaling: enabled: true minReplicas: 3 @@ -33,11 +15,11 @@ autoscaling: targetCPUUtilizationPercentage: 200 targetMemoryUtilizationPercentage: 800 -# Common Xray settings -common: - persistence: - enabled: false - size: 100Gi +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" analysis: resources: @@ -118,16 +100,16 @@ sbom: ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md ## postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" postgresqlExtendedConf: listenAddresses: "*" maxConnections: "2000" - persistence: - enabled: true - size: 2500Gi + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" primary: affinity: # Require PostgreSQL pod to run on a different node than Xray pods 
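Review bot: In the `@@ -118,16 +100,16 @@` hunk of xray-sizing-2xlarge.yaml the PostgreSQL `resources` block moves from `postgresql.primary.resources` (removed in the following `-140` hunk) to `postgresql.resources`; the same move is made in the large, medium, small, xlarge and xsmall sizing files. Which of the two keys the bitnami postgresql subchart honours depends on its major version — recent versions read `primary.resources` and ignore a top-level `resources` — so please confirm against the pinned dependency, otherwise every sizing profile would silently run the database with no requests or limits. Since the sample `masterKey`, `joinKey` and `postgresqlPassword` values are gone from the overlays, a short comment saying these must now come from the user's own values or secrets would help anyone who copied the old files.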
@@ -140,25 +122,8 @@ postgresql: values: - xray topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 128Gi - cpu: "32" - limits: - memory: 128Gi - # cpu: "64" rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname extraConfiguration: |- vm_memory_high_watermark.absolute = 6G {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} @@ -170,4 +135,14 @@ rabbitmq: memory: 1Gi limits: # cpu: "8" - memory: 7Gi \ No newline at end of file + memory: 7Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-large.yaml b/stable/xray/sizing/xray-sizing-large.yaml index df52c7c37..f4a3bd477 100644 --- a/stable/xray/sizing/xray-sizing-large.yaml +++ b/stable/xray/sizing/xray-sizing-large.yaml @@ -8,24 +8,6 @@ databaseUpgradeReady: true waitForDatabase: true unifiedUpgradeAllowed: true -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "hard" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - autoscaling: enabled: true minReplicas: 2 
@@ -33,11 +15,11 @@ autoscaling: targetCPUUtilizationPercentage: 200 targetMemoryUtilizationPercentage: 800 -# Common Xray settings -common: - persistence: - enabled: false - size: 100Gi +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" analysis: resources: @@ -118,16 +100,16 @@ sbom: ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md ## postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" postgresqlExtendedConf: listenAddresses: "*" maxConnections: "600" - persistence: - enabled: true - size: 800Gi + resources: + requests: + memory: 32Gi + cpu: "16" + limits: + memory: 32Gi + # cpu: "32" primary: affinity: # Require PostgreSQL pod to run on a different node than Xray pods @@ -140,25 +122,8 @@ postgresql: values: - xray topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 32Gi - cpu: "16" - limits: - memory: 32Gi - # cpu: "32" rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname extraConfiguration: |- vm_memory_high_watermark.absolute = 3G {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} @@ -170,4 +135,14 @@ rabbitmq: memory: 500Mi limits: # cpu: "2" - memory: 4Gi \ No newline at end of file + memory: 4Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-medium.yaml b/stable/xray/sizing/xray-sizing-medium.yaml index 5edcdc22e..7983f50e3 100644 --- a/stable/xray/sizing/xray-sizing-medium.yaml +++ b/stable/xray/sizing/xray-sizing-medium.yaml 
@@ -8,24 +8,6 @@ databaseUpgradeReady: true waitForDatabase: true unifiedUpgradeAllowed: true -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "hard" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - autoscaling: enabled: true minReplicas: 1 @@ -33,11 +15,11 @@ autoscaling: targetCPUUtilizationPercentage: 200 targetMemoryUtilizationPercentage: 800 -# Common Xray settings -common: - persistence: - enabled: false - size: 100Gi +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" analysis: resources: @@ -118,16 +100,16 @@ sbom: ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md ## postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" postgresqlExtendedConf: listenAddresses: "*" maxConnections: "500" - persistence: - enabled: true - size: 500Gi + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "18" primary: affinity: # Require PostgreSQL pod to run on a different node than Xray pods 
@@ -140,25 +122,8 @@ postgresql: values: - xray topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 32Gi - cpu: "8" - limits: - memory: 32Gi - # cpu: "18" rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname extraConfiguration: |- vm_memory_high_watermark.absolute = 3G {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} @@ -170,4 +135,14 @@ rabbitmq: memory: 500Mi limits: # cpu: "2" - memory: 4Gi \ No newline at end of file + memory: 4Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-small.yaml b/stable/xray/sizing/xray-sizing-small.yaml index 4759053bd..1267250c4 100644 --- a/stable/xray/sizing/xray-sizing-small.yaml +++ b/stable/xray/sizing/xray-sizing-small.yaml @@ -8,24 +8,6 @@ databaseUpgradeReady: true waitForDatabase: true unifiedUpgradeAllowed: true -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "hard" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - autoscaling: enabled: true minReplicas: 1 
@@ -33,11 +15,11 @@ autoscaling: targetCPUUtilizationPercentage: 200 targetMemoryUtilizationPercentage: 800 -# Common Xray settings -common: - persistence: - enabled: false - size: 100Gi +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" analysis: resources: @@ -118,16 +100,16 @@ sbom: ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md ## postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" postgresqlExtendedConf: listenAddresses: "*" maxConnections: "200" - persistence: - enabled: true - size: 500Gi + resources: + requests: + memory: 16Gi + cpu: "6" + limits: + memory: 16Gi + # cpu: "18" primary: affinity: # Require PostgreSQL pod to run on a different node than Xray pods @@ -140,25 +122,8 @@ postgresql: values: - xray topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 16Gi - cpu: "6" - limits: - memory: 16Gi - # cpu: "18" rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname extraConfiguration: |- vm_memory_high_watermark.absolute = 2G {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} @@ -170,4 +135,14 @@ rabbitmq: memory: 300Mi limits: # cpu: "2" - memory: 3Gi \ No newline at end of file + memory: 3Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-tiny.yaml b/stable/xray/sizing/xray-sizing-tiny.yaml deleted file mode 100644 index 544d1a84a..000000000 --- a/stable/xray/sizing/xray-sizing-tiny.yaml +++ /dev/null 
@@ -1,169 +0,0 @@ -############################################################## -# The tiny sizing -# This is a demo template with very small sizing to allow testing in resource limited environments -############################################################## - -replicaCount: 1 -databaseUpgradeReady: true -waitForDatabase: true -unifiedUpgradeAllowed: true - -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "soft" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - -autoscaling: - enabled: false - -# Common Xray settings -common: - persistence: - enabled: false - size: 50Gi - -analysis: - resources: - requests: - cpu: "10m" - memory: 250Mi - limits: - # cpu: "3" - memory: 2Gi - -indexer: - resources: - requests: - cpu: "10m" - memory: 250Mi - limits: - # cpu: "4" - memory: 2Gi - -persist: - resources: - requests: - cpu: "10m" - memory: 250Mi - limits: - # cpu: "3" - memory: 2Gi - -server: - resources: - requests: - cpu: "10m" - memory: 250Mi - limits: - # cpu: "3" - memory: 2Gi - -router: - resources: - requests: - cpu: "10m" - memory: 50Mi - limits: - # cpu: "1" - memory: 1Gi - -observability: - resources: - requests: - cpu: "10m" - memory: 25Mi - limits: - # cpu: "1" - memory: 250Mi - -panoramic: - enabled: true - resources: - requests: - cpu: "10m" - memory: 250Mi - limits: - # cpu: "3" - memory: 2Gi - -sbom: - enabled: false - resources: - requests: - cpu: "10m" - memory: 250Mi - limits: - # cpu: "3" - memory: 2Gi - -# PostgreSQL -## Configuration values for the postgresql dependency -## ref: 
https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md -## -postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" - postgresqlExtendedConf: - listenAddresses: "*" - maxConnections: "100" - persistence: - enabled: true - size: 50Gi -# primary: -# affinity: -# # Require PostgreSQL pod to run on a different node than Xray pods -# podAntiAffinity: -# requiredDuringSchedulingIgnoredDuringExecution: -# - labelSelector: -# matchExpressions: -# - key: app -# operator: In -# values: -# - xray -# topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 1Gi - cpu: "50m" - limits: - memory: 2Gi - # cpu: "2" - -rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname - extraConfiguration: |- - vm_memory_high_watermark.absolute = 1G - {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} - raft.wal_max_size_bytes = 1048576 - {{- end }} - resources: - requests: - cpu: "50m" - memory: 150Mi - limits: - # cpu: "2" - memory: 1500Mi \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-xlarge.yaml b/stable/xray/sizing/xray-sizing-xlarge.yaml index e8819019a..ebc6511b4 100644 --- a/stable/xray/sizing/xray-sizing-xlarge.yaml +++ b/stable/xray/sizing/xray-sizing-xlarge.yaml 
@@ -8,24 +8,6 @@ databaseUpgradeReady: true waitForDatabase: true unifiedUpgradeAllowed: true -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "hard" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - autoscaling: enabled: true minReplicas: 2 @@ -33,11 +15,11 @@ autoscaling: targetCPUUtilizationPercentage: 200 targetMemoryUtilizationPercentage: 800 -# Common Xray settings -common: - persistence: - enabled: false - size: 100Gi +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" analysis: resources: @@ -118,16 +100,16 @@ sbom: ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md ## postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" postgresqlExtendedConf: listenAddresses: "*" maxConnections: "1200" - persistence: - enabled: true - size: 1000Gi + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" primary: affinity: # Require PostgreSQL pod to run on a different node than Xray pods 
@@ -140,25 +122,8 @@ postgresql: values: - xray topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 64Gi - cpu: "16" - limits: - memory: 64Gi - # cpu: "32" rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname extraConfiguration: |- vm_memory_high_watermark.absolute = 4G {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} @@ -170,4 +135,14 @@ rabbitmq: memory: 500Mi limits: # cpu: "4" - memory: 5Gi \ No newline at end of file + memory: 5Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/sizing/xray-sizing-xsmall.yaml b/stable/xray/sizing/xray-sizing-xsmall.yaml index 9e88aa7fd..9b71886b6 100644 --- a/stable/xray/sizing/xray-sizing-xsmall.yaml +++ b/stable/xray/sizing/xray-sizing-xsmall.yaml @@ -8,24 +8,6 @@ databaseUpgradeReady: true waitForDatabase: true unifiedUpgradeAllowed: true -xray: - masterKey: AFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA - joinKey: AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEA - - ## Artifactory URL. Mandatory - jfrogUrl: - - podAntiAffinity: - ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity - type: "hard" - topologyKey: "kubernetes.io/hostname" - -# For enabling advanced security features, enable rbac.create and serviceAccount.create -rbac: - create: false -serviceAccount: - create: false - autoscaling: enabled: true minReplicas: 1 
@@ -33,11 +15,11 @@ autoscaling: targetCPUUtilizationPercentage: 200 targetMemoryUtilizationPercentage: 800 -# Common Xray settings -common: - persistence: - enabled: false - size: 50Gi +xray: + podAntiAffinity: + ## Valid values are "soft" or "hard"; any other value indicates no anti-affinity + type: "hard" + topologyKey: "kubernetes.io/hostname" analysis: resources: @@ -118,16 +100,16 @@ sbom: ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md ## postgresql: - enabled: true - postgresqlUsername: "xray" - postgresqlPassword: "bPa$$w0rd!" - postgresqlDatabase: "xraydb" postgresqlExtendedConf: listenAddresses: "*" maxConnections: "100" - persistence: - enabled: true - size: 500Gi + resources: + requests: + memory: 8Gi + cpu: "4" + limits: + memory: 8Gi + # cpu: "12" primary: affinity: # Require PostgreSQL pod to run on a different node than Xray pods @@ -140,25 +122,8 @@ postgresql: values: - xray topologyKey: kubernetes.io/hostname - resources: - requests: - memory: 8Gi - cpu: "4" - limits: - memory: 8Gi - # cpu: "12" rabbitmq: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - xray - topologyKey: kubernetes.io/hostname extraConfiguration: |- vm_memory_high_watermark.absolute = 2G {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }} @@ -170,4 +135,14 @@ rabbitmq: memory: 300Mi limits: # cpu: "2" - memory: 3Gi \ No newline at end of file + memory: 3Gi + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xray + topologyKey: kubernetes.io/hostname \ No newline at end of file diff --git a/stable/xray/templates/_helpers.tpl b/stable/xray/templates/_helpers.tpl index f079f9a2c..f3df61aa8 100644 --- a/stable/xray/templates/_helpers.tpl +++ b/stable/xray/templates/_helpers.tpl 
@@ -66,6 +66,9 @@ Expand the name of rabbit chart. {{- default (printf "%s" "rabbitmq") .Values.rabbitmq.nameOverride -}} {{- end -}} +{{- define "xray.rabbitmq.migration.isHookRegistered" }} +{{- or .Values.rabbitmq.migration.enabled .Values.rabbitmq.migration.deleteStatefulSetToAllowFieldUpdate.enabled .Values.rabbitmq.migration.removeHaPolicyOnMigrationToHaQuorum.enabled }} +{{- end }} {{- define "xray.rabbitmq.migration.fullname" -}} {{- $name := default "rabbitmq-migration" -}} @@ -502,6 +505,22 @@ Resolve xray requiredServiceTypes value {{- $requiredTypes -}} {{- end -}} +{{/* +Resolve xray ipa requiredServiceTypes value +*/}} +{{- define "xray.router.ipa.requiredServiceTypes" -}} +{{- $requiredTypes := "jfxana,jfxidx,jfxpst,jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + +{{/* +Resolve xray server requiredServiceTypes value +*/}} +{{- define "xray.router.server.requiredServiceTypes" -}} +{{- $requiredTypes := "jfxr,jfob" -}} +{{- $requiredTypes -}} +{{- end -}} + {{/* Resolve Xray pod node selector value */}} 
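Review bot: The new `xray.rabbitmq.migration.isHookRegistered` helper is consumed through `eq (include ...) "true"` in migration-hook.yaml, but `or` yields its first non-empty argument verbatim, so the comparison only holds while all three flags are real booleans; a value such as `"yes"` would render as `yes` and silently leave the hook unregistered. Normalising the output makes that contract explicit: `{{- ternary "true" "false" (or .Values.rabbitmq.migration.enabled .Values.rabbitmq.migration.deleteStatefulSetToAllowFieldUpdate.enabled .Values.rabbitmq.migration.removeHaPolicyOnMigrationToHaQuorum.enabled) -}}`. The `define`/`end` lines also drop the `-}}` right-trim that the neighbouring `xray.rabbitmq.migration.fullname` definition uses; `{{- define "xray.rabbitmq.migration.isHookRegistered" -}}` and `{{- end -}}` keep the file consistent. A one-line `{{/* ... */}}` header like the other helpers carry, stating that the result is the string "true" when any migration sub-step is enabled, would also help.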
@@ -567,6 +586,44 @@ Resolve autoscalingQueues value {{- end -}} {{- end -}} +{{/* +Resolve autoscalingQueues value for ipa +*/}} +{{- define "xray.autoscalingQueuesIpa" -}} +{{- if .Values.autoscalingIpa.keda.queues }} +{{- range .Values.autoscalingIpa.keda.queues }} +- type: rabbitmq + metadata: + name: "{{- .name -}}-queue" + protocol: amqp + queueName: {{ .name }} + mode: QueueLength + value: "{{ .value }}" + authenticationRef: + name: keda-trigger-auth-rabbitmq-conn-xray +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Resolve autoscalingQueues value for server +*/}} +{{- define "xray.autoscalingQueuesServer" -}} +{{- if .Values.autoscalingServer.keda.queues }} +{{- range .Values.autoscalingServer.keda.queues }} +- type: rabbitmq + metadata: + name: "{{- .name -}}-queue" + protocol: amqp + queueName: {{ .name }} + mode: QueueLength + value: "{{ .value }}" + authenticationRef: + name: keda-trigger-auth-rabbitmq-conn-xray +{{- end }} +{{- end -}} +{{- end -}} + {{/* Return the secret name of rabbitmq TLS certs. */}} diff --git a/stable/xray/templates/migration-hook.yaml b/stable/xray/templates/migration-hook.yaml index b2011c1c4..9f49e9354 100644 --- a/stable/xray/templates/migration-hook.yaml +++ b/stable/xray/templates/migration-hook.yaml @@ -2,7 +2,7 @@ {{- if and (not .Values.rabbitmq.migration.enabled) (not .Values.rabbitmq.rabbitmqUpgradeReady) }} {{- fail "Rabbitmq migration flag is disabled. Please enable the rabbitmq.rabbitmqUpgradeReady flag after manually enabling the feature flags in rabbitmq" }} {{- end }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} {{- if .Values.rabbitmq.migration.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount 
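Review bot: `xray.autoscalingQueuesIpa` and `xray.autoscalingQueuesServer` are identical apart from the values path they range over, and both emit `queueName: {{ .name }}` unquoted while the adjacent `name:` field is quoted, so a queue name that YAML types as a number or boolean would be rendered untyped. A single helper that takes the queue list as its context removes the duplication, and `queueName: {{ .name | quote }}` fixes the typing; the visible tail of the existing `xray.autoscalingQueues` suggests it could delegate the same way. Only the closing lines of `xray.autoscalingQueues` are inside the hunk, so that change is not shown here.
```gotemplate
{{/*
Render one KEDA rabbitmq trigger per {name, value} entry of the queue list passed as context
*/}}
{{- define "xray.autoscalingQueuesFor" -}}
{{- range . }}
- type: rabbitmq
  metadata:
    name: "{{- .name -}}-queue"
    protocol: amqp
    queueName: {{ .name | quote }}
    mode: QueueLength
    value: "{{ .value }}"
    authenticationRef:
      name: keda-trigger-auth-rabbitmq-conn-xray
{{- end }}
{{- end -}}

{{- define "xray.autoscalingQueuesIpa" -}}
{{- include "xray.autoscalingQueuesFor" .Values.autoscalingIpa.keda.queues -}}
{{- end -}}

{{- define "xray.autoscalingQueuesServer" -}}
{{- include "xray.autoscalingQueuesFor" .Values.autoscalingServer.keda.queues -}}
{{- end -}}
```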
@@ -22,7 +22,7 @@ automountServiceAccountToken: {{ .Values.rabbitmq.migration.serviceAccount.autom {{- end }} --- {{- if .Values.rabbitmq.enabled }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} {{- if .Values.rabbitmq.migration.serviceAccount.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -43,7 +43,7 @@ rules: {{- end }} --- {{- if .Values.rabbitmq.enabled }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} {{- if .Values.rabbitmq.migration.serviceAccount.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -69,7 +69,7 @@ roleRef: {{- end }} --- {{- if .Values.rabbitmq.enabled }} -{{- if .Values.rabbitmq.migration.enabled }} +{{- if eq (include "xray.rabbitmq.migration.isHookRegistered" .) "true" }} apiVersion: batch/v1 kind: Job metadata: 
@@ -106,12 +106,47 @@ spec: securityContext: {{- omit .Values.rabbitmq.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} command: - - sh + - bash - -c - | - #!/bin/sh - if [ "$(kubectl get pods -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }}" -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}')" = "True" ]; then - kubectl exec -it {{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0 -- rabbitmqctl enable_feature_flag all + #!/bin/bash + rabbitMqZeroPodName="{{ .Release.Name }}-{{ template "rabbitmq.name" . }}-0" + rabbitMqZeroPodStatus=$(kubectl get pods $rabbitMqZeroPodName -n {{ .Release.Namespace }} -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}') + + {{- if and .Values.global.xray.rabbitmq.haQuorum.enabled .Values.rabbitmq.migration.removeHaPolicyOnMigrationToHaQuorum.enabled }} + for (( i=1; i<=6; i++ )) + do + if [ "$rabbitMqZeroPodStatus" = "True" ]; then + break + fi + echo "Waiting for Rabbitmq zero pod $rabbitMqZeroPodName to be in Ready state - iteration $i" + sleep 5 + rabbitMqZeroPodStatus=$(kubectl get pods $rabbitMqZeroPodName -n {{ .Release.Namespace }} -o jsonpath='{..status.conditions[?(@.type=="Ready")].status}') + done + if [ "$rabbitMqZeroPodStatus" != "True" ]; then + echo "Rabbitmq zero pod $rabbitMqZeroPodName is not in Ready state. Failed to remove mirroring policy 'ha-all'" + exit 1 + fi + policyExists=$(kubectl exec -i $rabbitMqZeroPodName -n {{ .Release.Namespace }} -- bash -c "rabbitmqctl list_policies --formatter json | grep -o "'"\"name\":\"ha-all\""'" | wc -l | tr -d '[:space:]'") + if [ "$?" -ne 0 ]; then + echo "Failed to check if policy ha-all exists on default vhost" + exit 1 + fi + echo "Policy ha-all exists: $policyExists" + if [ $policyExists -gt 0 ]; then + kubectl exec -i $rabbitMqZeroPodName -n {{ .Release.Namespace }} -- rabbitmqctl clear_policy ha-all + if [ "$?" 
-ne 0 ]; then + echo "Failed to delete policy ha-all on default vhost" + exit 1 + else + echo "Deleted ha-all policy successfully on default vhost" + fi + fi + {{- end }} + + {{- if .Values.rabbitmq.migration.enabled }} + if [ "$rabbitMqZeroPodStatus" = "True" ]; then + kubectl exec -i $rabbitMqZeroPodName -n {{ .Release.Namespace }} -- rabbitmqctl enable_feature_flag all if [ "$?" -ne 0 ]; then echo "Failed to perform the migration. Please make sure to enable the feature flag in rabbitmq manually [rabbitmqctl enable_feature_flag all] " exit 1 
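Review bot: The `policyExists` probe cannot notice a failing `rabbitmqctl list_policies`: the remote `bash -c` runs a four-stage pipeline without `pipefail`, so its exit status is that of the final `tr`, and the `"Failed to check if policy ha-all exists on default vhost"` branch only fires when `kubectl exec` itself fails. Running the listing as its own checked `kubectl exec` and counting the match afterwards separates the two failure modes; the count should also be quoted and defaulted before `-gt`, because an empty `$policyExists` turns `[ $policyExists -gt 0 ]` into a shell error rather than a clear message. This assumes the hook image provides `grep`/`wc`/`tr`, which the diff does not show; if it does not, keep the count inside the pod but prefix the remote command with `set -o pipefail;` and treat a `grep` exit of 1 as "no policy". The Job spec and the start of the script are in the preceding hunk, and the script continues in the next one.
```yaml
          # … unchanged: readiness wait loop …
          policiesJson=$(kubectl exec -i "$rabbitMqZeroPodName" -n {{ .Release.Namespace }} -- rabbitmqctl list_policies --formatter json)
          if [ $? -ne 0 ]; then
            echo "Failed to check if policy ha-all exists on default vhost"
            exit 1
          fi
          policyExists=$(printf '%s' "$policiesJson" | grep -o '"name":"ha-all"' | wc -l | tr -d '[:space:]')
          echo "Policy ha-all exists: ${policyExists:-0}"
          if [ "${policyExists:-0}" -gt 0 ]; then
            # … unchanged: clear_policy ha-all and its status check …
          fi
```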
@@ -119,8 +154,36 @@ spec: echo Feature flags executed successfully! fi else - echo "Rabbitmq pod is not in running state. Ignoring feature flag migration for rabbitmq" + echo "Rabbitmq zero pod is not in running state. Ignoring feature flag migration for rabbitmq" + fi + {{- end }} + + {{- if .Values.rabbitmq.migration.deleteStatefulSetToAllowFieldUpdate.enabled }} + if [ -n "{{ .Values.rabbitmq.podManagementPolicy }}" ]; then + rabbitMqStatefulSetName=$(kubectl get statefulsets -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "rabbitmq.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o=jsonpath='{.items[0].metadata.name}') + if [ $? -ne 0 ]; then + echo "Failed to get current rabbitmq statefulset name" + exit 1 + fi + currPodManagementPolicy=$(kubectl get statefulset $rabbitMqStatefulSetName -n {{ .Release.Namespace }} -o=jsonpath='{.spec.podManagementPolicy}') + if [ $? -ne 0 ]; then + echo "Failed to get current pod management policy definition" + exit 1 + fi + if [ "$currPodManagementPolicy" != "{{ .Values.rabbitmq.podManagementPolicy }}" ]; then + kubectl delete statefulset $rabbitMqStatefulSetName --cascade=orphan -n {{ .Release.Namespace }} + if [ $? -ne 0 ]; then + echo "Failed to delete statefulset $rabbitMqStatefulSetName to allow update of podManagementDefinition field: [kubectl delete statefulset STATEFULSET_NAME --cascade=orphan]" + exit 1 + fi + echo "Deleted statefulset $rabbitMqStatefulSetName successfully" + else + echo "Field podManagementPolicy of statefulset $rabbitMqStatefulSetName has not changed" + fi + else + echo "rabbitmq.podManagementPolicy is not set" fi + {{- end }} restartPolicy: Never terminationGracePeriodSeconds: 0 {{- end }} diff --git a/stable/xray/templates/xray-hpa-ipa.yaml b/stable/xray/templates/xray-hpa-ipa.yaml new file mode 100644 index 000000000..f3438a206 --- /dev/null +++ b/stable/xray/templates/xray-hpa-ipa.yaml 
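Review bot: In the `deleteStatefulSetToAllowFieldUpdate` branch `rabbitMqStatefulSetName` is checked only for a non-zero exit, not for emptiness, so a kubectl version that returns an empty jsonpath result with status 0 when no StatefulSet matches would continue into `kubectl get statefulset -n ...` and then a delete with no name, failing with the misleading "Failed to delete statefulset" message instead of the intended diagnosis; `if [ $? -ne 0 ] || [ -z "$rabbitMqStatefulSetName" ]; then` with `echo "No rabbitmq statefulset found in {{ .Release.Namespace }}"` closes that hole, and the variable should be quoted where it is used. Separately, this branch requires the hook's ServiceAccount to hold `get` and `delete` on `apps/statefulsets`, a broader grant than the `pods/exec` the feature-flag branch already needed; the Role's rules are outside the visible hunks, so please confirm they were extended and remain namespace-scoped. The script's opening lines are in the preceding hunk.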
@@ -0,0 +1,31 @@ +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} +{{- if and (.Values.autoscalingIpa.enabled) (eq .Values.autoscalingIpa.keda.enabled false) }} + {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 + {{- else }} +apiVersion: autoscaling/v2beta2 + {{- end }} +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "xray.fullname" . }}-ipa +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "xray.fullname" . }}-ipa + minReplicas: {{ .Values.autoscalingIpa.minReplicas }} + maxReplicas: {{ .Values.autoscalingIpa.maxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscalingIpa.targetCPUUtilizationPercentage }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-hpa-server.yaml b/stable/xray/templates/xray-hpa-server.yaml new file mode 100644 index 000000000..147d1db79 --- /dev/null +++ b/stable/xray/templates/xray-hpa-server.yaml 
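Review bot: `xray-hpa-ipa.yaml` and `xray-hpa-server.yaml` gate on `(eq .Values.autoscalingIpa.keda.enabled false)` (respectively `autoscalingServer`), a type-sensitive comparison that, like the existing `xray-hpa.yaml`, only matches a real boolean: a quoted `"false"` in values, or an unset key, will either fail to render or silently skip the HPA depending on the template engine, whereas `not .Values.autoscalingIpa.keda.enabled` is the usual idiom and tolerates both. The two files are otherwise identical apart from the `Ipa`/`Server` suffix, and both end without a trailing newline (`\ No newline at end of file`). A one-line `{{/* HPA for the ipa Deployment; rendered only once the split has completed (gradualUpgrade off) */}}` header would explain why the condition differs from `xray-hpa.yaml`.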
@@ -0,0 +1,31 @@ +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} +{{- if and (.Values.autoscalingServer.enabled) (eq .Values.autoscalingServer.keda.enabled false) }} + {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 + {{- else }} +apiVersion: autoscaling/v2beta2 + {{- end }} +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "xray.fullname" . }}-server +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "xray.fullname" . }}-server + minReplicas: {{ .Values.autoscalingServer.minReplicas }} + maxReplicas: {{ .Values.autoscalingServer.maxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscalingServer.targetCPUUtilizationPercentage }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-hpa.yaml b/stable/xray/templates/xray-hpa.yaml index fd8c757cf..3233546c7 100644 --- a/stable/xray/templates/xray-hpa.yaml +++ b/stable/xray/templates/xray-hpa.yaml @@ -1,3 +1,4 @@ +{{- if or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled) }} {{- if and (.Values.autoscaling.enabled) (eq .Values.autoscaling.keda.enabled false) }} {{- if semverCompare ">=v1.23.0-0" .Capabilities.KubeVersion.Version }} apiVersion: autoscaling/v2 @@ -26,4 +27,5 @@ spec: target: type: Utilization averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} {{- end }} \ No newline at end of file 
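Review bot: The HPA split leaves a gap when `splitXraytoSeparateDeployments.enabled` and `gradualUpgrade` are both true while `autoscalingIpa.enabled` is set: the new guard on `xray-hpa.yaml` keeps only the original HPA, `xray-hpa-ipa.yaml` requires `not gradualUpgrade`, and the ipa Deployment template in this commit omits `replicas` whenever `autoscalingIpa.enabled` is true, so that Deployment would be created with neither a replica count nor an autoscaler (the same reasoning appears to apply to the server Deployment, which is not in view). Either rendering the ipa/server HPAs during the gradual phase as well, or having the Deployment fall back to `replicas: {{ .Values.replicaCount }}` whenever its HPA is not rendered, would close it; which is intended is not visible from the diff. The ipa Deployment's hunk runs past the end of the visible diff.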
diff --git a/stable/xray/templates/xray-ipa-deployment.yaml b/stable/xray/templates/xray-ipa-deployment.yaml new file mode 100644 index 000000000..afb5e13aa --- /dev/null +++ b/stable/xray/templates/xray-ipa-deployment.yaml 
@@ -0,0 +1,1188 @@ +{{- if .Values.splitXraytoSeparateDeployments.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "xray.fullname" . }}-ipa + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: ipa + {{- with .Values.xray.labels }} +{{ toYaml . | indent 4 }} + {{- end }} +{{- if .Release.IsUpgrade }} + unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} +{{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- with .Values.server.statefulset.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if not .Values.autoscalingIpa.enabled }} + replicas: {{ .Values.replicaCount }} +{{- end }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: ipa + template: + metadata: + labels: + app: {{ template "xray.name" . 
}} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: ipa + {{- with .Values.xray.labels }} +{{ toYaml . | indent 8 }} + {{- end }} + annotations: + {{- if not .Values.xray.unifiedSecretInstallation }} + checksum/database-secrets: {{ include (print $.Template.BasePath "/xray-database-secrets.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/xray-system-yaml.yaml") . | sha256sum }} + {{- else }} + checksum/xray-unified-secret: {{ include (print $.Template.BasePath "/xray-unified-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.analysis.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.indexer.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.persist.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.server.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.router.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.filebeat.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- range $key, $value := .Values.xray.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.xray.schedulerName }} + schedulerName: {{ .Values.xray.schedulerName | quote }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "xray.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.xray.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.xray.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.xray.priorityClass.create }} + priorityClassName: {{ default (include "xray.fullname" .) .Values.xray.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "xray.serviceAccountName" . 
}} + {{- if .Values.podSecurityContext.enabled }} + securityContext: + runAsUser: {{ .Values.common.xrayUserId }} + fsGroup: {{ .Values.common.xrayGroupId }} + {{- if .Values.common.fsGroupChangePolicy }} + fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }} + {{- end }} + {{- end }} + {{- if .Values.common.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if or .Values.common.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "xray.customInitContainersBegin" .) . | indent 6 }} + {{- end }} + - name: 'copy-system-yaml' + image: '{{ .Values.initContainerImage }}' + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + if [[ -e "{{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.xray.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Remove {{ .Values.xray.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.xray.persistence.mountPath }}/lost+found; + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath 
}}/etc/security; + echo ${XRAY_JOIN_KEY} > {{ .Values.xray.persistence.mountPath }}/etc/security/join.key; + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security; + echo ${XRAY_MASTER_KEY} > {{ .Values.xray.persistence.mountPath }}/etc/security/master.key; + {{- end }} + env: + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + - name: XRAY_JOIN_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ include "xray.joinKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + - name: XRAY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ include "xray.masterKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath | quote }} + {{- if or .Values.systemYamlOverride.existingSecret .Values.xray.systemYaml }} + {{- if not .Values.xray.unifiedSecretInstallation }} + - name: systemyaml + {{- else }} + - name: {{ include "xray.unifiedCustomSecretVolumeName" . 
}} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else if .Values.xray.systemYaml }} + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- end }} + {{- end }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }} + - name: copy-custom-certificates + image: "{{ .Values.initContainerImage }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "xray.copyCustomCerts" . | indent 10 }} +{{ include "xray.copyRabbitmqCustomCerts" . | indent 10 }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{- end }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if .Values.postgresql.enabled }} + - name: "wait-for-db" + image: "{{ .Values.initContainerImage }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! 
$ready; do echo waiting; + timeout 2s bash -c " + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/router/app/bin/entrypoint-router.sh; + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "xray.router.ipa.requiredServiceTypes" . }} + {{- if .Values.router.extraEnvVars }} + {{- tpl .Values.router.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - name: http-router + containerPort: {{ .Values.router.internalPort }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} +{{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} +{{- end }} + - name: {{ .Values.observability.name }} + image: {{ include "xray.getImageInfoByValue" (list . "observability") }} + imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/sh' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . 
$ }}; + {{- end }} + exec /opt/jfrog/observability/app/bin/entrypoint-observability.sh; + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if .Values.observability.extraEnvVars }} + {{- tpl .Values.observability.extraEnvVars . | nindent 8 }} + {{- end }} + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.observability.persistence.mountPath }}" + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + - name: {{ .Values.analysis.name }} + image: {{ include "xray.getImageInfoByValue" (list . "analysis") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.analysis.preStartCommand }} + echo "Running custom Analysis preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.analysis.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . 
}} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . 
}} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.analysis.extraEnvVars }} + {{- tpl .Values.analysis.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.analysis.internalPort }} + name: http-analysis + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.analysis.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.analysis.resources | indent 10 }} +{{- if .Values.analysis.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.analysis.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.analysis.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.analysis.livenessProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.sbom.enabled }} + - name: {{ .Values.sbom.name }} + image: {{ include "xray.getImageInfoByValue" (list . "sbom") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.sbom.preStartCommand }} + echo "Running custom Sbom preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.sbom.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . 
| indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.sbom.extraEnvVars }} + {{- tpl .Values.sbom.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.sbom.internalPort }} + name: http-sbom + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.sbom.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.sbom.resources | indent 10 }} +{{- if .Values.sbom.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.sbom.startupProbe.config . 
| indent 10 }} +{{- end }} +{{- if .Values.sbom.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.sbom.livenessProbe.config . | indent 10 }} +{{- end }} +{{- end }} + - name: {{ .Values.indexer.name }} + image: {{ include "xray.getImageInfoByValue" (list . "indexer") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.indexer.preStartCommand }} + echo "Running custom Indexer preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.indexer.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . 
}} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_HA_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: XRAY_K8S_ENV + value: "true" + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.indexer.extraEnvVars }} + {{- tpl .Values.indexer.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.indexer.internalPort }} + name: http-indexer + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.indexer.customVolumeMounts }} +{{ tpl . 
$ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.indexer.resources | indent 10 }} +{{- if .Values.indexer.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.indexer.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.indexer.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.indexer.livenessProbe.config . | indent 10 }} +{{- end }} + - name: {{ .Values.persist.name }} + image: {{ include "xray.getImageInfoByValue" (list . "persist") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.persist.preStartCommand }} + echo "Running custom Persist preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.persist.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_SKIPENTLICCHECKFORCLOUD + value: "true" + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . }} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . 
}} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . }} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . 
}}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_K8S_ENV + value: "true" + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . | nindent 8 }} + {{- end }} + {{- if .Values.persist.extraEnvVars }} + {{- tpl .Values.persist.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.persist.internalPort }} + name: http-persist + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.persist.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.persist.resources | indent 10 }} +{{- if .Values.persist.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.persist.startupProbe.config . 
| indent 10 }} +{{- end }} +{{- if .Values.persist.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.persist.livenessProbe.config . | indent 10 }} +{{- end }} + {{- $mountPath := .Values.xray.persistence.mountPath }} + {{- range .Values.xray.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: {{ include "xray.getImageInfoByValue" (list $ "logger") }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/log {{ . }}' + volumeMounts: + - name: data-volume + mountPath: {{ $mountPath }} + - name: tail-logger-script + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + resources: +{{ toYaml $.Values.xray.loggersResources | indent 10 }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} +{{- if or .Values.common.customSidecarContainers .Values.global.customSidecarContainers }} +{{ tpl (include "xray.customSidecarContainers" .) . 
| indent 6 }} +{{- end }} + {{- if or .Values.xray.nodeSelector .Values.global.nodeSelector }} +{{ tpl (include "xray.nodeSelector" .) . | indent 6 }} + {{- end }} + {{- if .Values.affinity }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.xray.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + {{- else if eq .Values.xray.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + ########## External secrets ########### + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + secret: + secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.xray.customCertificates.certificateSecretName }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ .Values.systemYamlOverride.existingSecret }} + {{- end }} + ############ Config map, Volumes and Custom Volumes ############## + {{- if .Values.xray.loggers }} + - name: tail-logger-script + configMap: + name: {{ template "xray.fullname" . }}-logger + {{- end }} + - name: data-volume + emptyDir: + sizeLimit: {{ .Values.common.persistence.size }} + {{- if and .Values.xray.unifiedSecretInstallation (eq (include "xray.checkDuplicateUnifiedCustomVolume" .) 
"false" ) }} + ######### unifiedSecretInstallation ########### + - name: {{ include "xray.unifiedCustomSecretVolumeName" . }} + secret: + secretName: {{ template "xray.name" . }}-unified-secret + {{- else if not .Values.xray.unifiedSecretInstallation }} + ######### Non unifiedSecretInstallation ########### + {{- if and (not .Values.systemYamlOverride.existingSecret) .Values.xray.systemYaml }} + - name: systemyaml + secret: + secretName: {{ printf "%s-%s" (include "xray.fullname" .) "system-yaml" }} + {{- end }} + {{- end }} + {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + secret: + secretName: {{ template "xray.rabbitmqCustomCertificateshandler" . }} + {{- end }} + +{{- if or .Values.common.customVolumes .Values.global.customVolumes }} +{{ tpl (include "xray.customVolumes" .) . | indent 6 }} +{{- end }} + {{- if .Values.filebeat.enabled }} + - name: filebeat-config + configMap: + name: {{ template "xray.fullname" . }}-filebeat-config + {{- end }} + {{- if .Values.common.configMaps }} + - name: xray-configmaps + configMap: + name: {{ template "xray.fullname" . }}-configmaps + {{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-keda-hpa-ipa.yaml b/stable/xray/templates/xray-keda-hpa-ipa.yaml new file mode 100644 index 000000000..f9776b4b9 --- /dev/null +++ b/stable/xray/templates/xray-keda-hpa-ipa.yaml 
@@ -0,0 +1,38 @@ +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} +{{- if and (.Values.autoscalingIpa.enabled) (eq .Values.autoscalingIpa.keda.enabled true) }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "xray.fullname" . }}-ipa +spec: + scaleTargetRef: + kind: Deployment + name: {{ template "xray.fullname" . }}-ipa + minReplicaCount: {{ .Values.autoscalingIpa.minReplicas }} + maxReplicaCount: {{ .Values.autoscalingIpa.maxReplicas }} + pollingInterval: {{ .Values.autoscalingIpa.keda.pollingInterval }} + cooldownPeriod: {{ .Values.autoscalingIpa.keda.cooldownPeriod }} + advanced: + horizontalPodAutoscalerConfig: + behavior: + scaleUp: + {{- .Values.autoscalingIpa.keda.scaleUp | toYaml | nindent 10 }} + scaleDown: + {{- .Values.autoscalingIpa.keda.scaleDown | toYaml | nindent 10 }} + triggers: + {{- include "xray.autoscalingQueuesIpa" . | indent 4 }} + - type: cpu + metricType: Utilization + metadata: + value: "{{ .Values.autoscalingIpa.targetCPUUtilizationPercentage }}" + - type: memory + metricType: Utilization + metadata: + value: "{{ .Values.autoscalingIpa.targetMemoryUtilizationPercentage }}" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-keda-hpa-server.yaml b/stable/xray/templates/xray-keda-hpa-server.yaml new file mode 100644 index 000000000..145e933c3 --- /dev/null +++ b/stable/xray/templates/xray-keda-hpa-server.yaml 
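Review bot: The render guard on the second line of this new file compares a boolean with `eq ... true`, which is redundant and makes the template error out ("incompatible types for comparison") if the value arrives as the string "true" via `--set-string`; `{{- if and .Values.autoscalingIpa.enabled .Values.autoscalingIpa.keda.enabled }}` is enough. The same pattern is in xray-keda-hpa-server.yaml. Separately, `{{- include "xray.autoscalingQueuesIpa" . | indent 4 }}` trims the newline after `triggers:`, so the first queue trigger only lands on its own line if the helper's output happens to begin with a newline; `{{- include "xray.autoscalingQueuesIpa" . | nindent 4 }}` does not depend on that, again in both files.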
@@ -0,0 +1,38 @@ +{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }} +{{- if and (.Values.autoscalingServer.enabled) (eq .Values.autoscalingServer.keda.enabled true) }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "xray.fullname" . }}-server +spec: + scaleTargetRef: + kind: Deployment + name: {{ template "xray.fullname" . }}-server + minReplicaCount: {{ .Values.autoscalingServer.minReplicas }} + maxReplicaCount: {{ .Values.autoscalingServer.maxReplicas }} + pollingInterval: {{ .Values.autoscalingServer.keda.pollingInterval }} + cooldownPeriod: {{ .Values.autoscalingServer.keda.cooldownPeriod }} + advanced: + horizontalPodAutoscalerConfig: + behavior: + scaleUp: + {{- .Values.autoscalingServer.keda.scaleUp | toYaml | nindent 10 }} + scaleDown: + {{- .Values.autoscalingServer.keda.scaleDown | toYaml | nindent 10 }} + triggers: + {{- include "xray.autoscalingQueuesServer" . | indent 4 }} + - type: cpu + metricType: Utilization + metadata: + value: "{{ .Values.autoscalingServer.targetCPUUtilizationPercentage }}" + - type: memory + metricType: Utilization + metadata: + value: "{{ .Values.autoscalingServer.targetMemoryUtilizationPercentage }}" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-keda-hpa.yaml b/stable/xray/templates/xray-keda-hpa.yaml index dbca87f70..9827c89e4 100644 --- a/stable/xray/templates/xray-keda-hpa.yaml +++ b/stable/xray/templates/xray-keda-hpa.yaml 
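Review bot: This file is a line-for-line copy of xray-keda-hpa-ipa.yaml with `Ipa`/`-ipa` swapped for `Server`/`-server`, so the two ScaledObjects will drift apart on the next fix (the existing xray-keda-hpa.yaml is a third near-copy). Consider moving the ScaledObject body into one named template in _helpers.tpl that takes the component suffix, its autoscaling values block and the queue-trigger helper name, and rendering it from each file with a one-line include such as `{{- include "xray.kedaScaledObject" (dict "root" . "suffix" "server" "cfg" .Values.autoscalingServer "queues" "xray.autoscalingQueuesServer") }}`. The per-file guard would then be the only thing that differs between the three templates.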
@@ -1,3 +1,4 @@ +{{- if or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled) }} {{- if and (.Values.autoscaling.enabled) (eq .Values.autoscaling.keda.enabled true) }} apiVersion: keda.sh/v1alpha1 kind: ScaledObject @@ -16,9 +17,6 @@ spec: maxReplicaCount: {{ .Values.autoscaling.maxReplicas }} pollingInterval: {{ .Values.autoscaling.keda.pollingInterval }} cooldownPeriod: {{ .Values.autoscaling.keda.cooldownPeriod }} - fallback: - failureThreshold: 3 - replicas: 5 advanced: horizontalPodAutoscalerConfig: behavior: @@ -36,4 +34,5 @@ spec: metricType: Utilization metadata: value: "{{ .Values.autoscaling.targetMemoryUtilizationPercentage }}" +{{- end }} {{- end }} \ No newline at end of file diff --git a/stable/xray/templates/xray-keda-secret.yaml b/stable/xray/templates/xray-keda-secret.yaml index 38fea43f1..c9c0b9cb9 100644 --- a/stable/xray/templates/xray-keda-secret.yaml +++ b/stable/xray/templates/xray-keda-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.autoscaling.keda.enabled }} +{{- if or .Values.autoscaling.keda.enabled .Values.autoscalingServer.keda.enabled .Values.autoscalingIpa.keda.enabled }} apiVersion: v1 kind: Secret metadata: diff --git a/stable/xray/templates/xray-keda-trigger-authentication.yaml b/stable/xray/templates/xray-keda-trigger-authentication.yaml index a83c28453..aa50a6b6f 100644 --- a/stable/xray/templates/xray-keda-trigger-authentication.yaml +++ b/stable/xray/templates/xray-keda-trigger-authentication.yaml @@ -1,4 +1,4 @@ -{{- if .Values.autoscaling.keda.enabled }} +{{- if or .Values.autoscaling.keda.enabled .Values.autoscalingServer.keda.enabled .Values.autoscalingIpa.keda.enabled }} apiVersion: keda.sh/v1alpha1 kind: TriggerAuthentication metadata: diff --git a/stable/xray/templates/xray-server-deployment.yaml b/stable/xray/templates/xray-server-deployment.yaml new file mode 100644 index 000000000..277b8362a --- /dev/null 
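Review bot: The added outer guard `or (and gradualUpgrade enabled) (not enabled)` simplifies to `{{- if or .Values.splitXraytoSeparateDeployments.gradualUpgrade (not .Values.splitXraytoSeparateDeployments.enabled) }}`; the conjunction with `enabled` is redundant once `not enabled` is the other branch. Its negation is what xray-keda-hpa-ipa.yaml and xray-keda-hpa-server.yaml spell out by hand, so a single named helper (for example `xray.useSplitDeployments`) referenced from all three files would keep the two conditions from drifting apart. The second hunk drops the `fallback` block, which changes how KEDA behaves when a trigger's metric source is unavailable; if that is intentional it is worth a line in the chart CHANGELOG.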
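Review bot: The new guard on xray-keda-secret.yaml renders the Secret whenever any of the three `keda.enabled` flags is set, while the ScaledObjects that consume it additionally require the matching `autoscaling*.enabled` flag and the splitXraytoSeparateDeployments gating; with, say, `autoscalingIpa.keda.enabled=true` and split deployments disabled, the credentials Secret is created although no ScaledObject references it. The same mismatch applies to the identical guard added to xray-keda-trigger-authentication.yaml. Factoring the "is any KEDA ScaledObject going to be rendered" decision into one named helper and using it in both files (and the three ScaledObject templates) would keep the secret material from being created when nothing uses it.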
+++ b/stable/xray/templates/xray-server-deployment.yaml 
@@ -0,0 +1,702 @@ +{{- if .Values.splitXraytoSeparateDeployments.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "xray.fullname" . }}-server + labels: + app: {{ template "xray.name" . }} + chart: {{ template "xray.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: server + {{- with .Values.xray.labels }} +{{ toYaml . | indent 4 }} + {{- end }} +{{- if .Release.IsUpgrade }} + unifiedUpgradeAllowed: {{ required "\n\n**************************************\nSTOP! UPGRADE from Xray 2.x (appVersion) currently not supported!\nIf this is an upgrade over an existing Xray 3.x, explicitly pass 'unifiedUpgradeAllowed=true' to upgrade.\n**************************************\n" .Values.unifiedUpgradeAllowed | quote }} +{{- end }} +{{- if and .Release.IsUpgrade .Values.postgresql.enabled }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/xray/CHANGELOG.md), pass postgresql.image.tag '9.6.18-debian-10-r7' or '10.13.0-debian-10-r38' or '12.5.0-debian-10-r25' and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x or 10.13.x or 12.5.x" .Values.databaseUpgradeReady | quote }} +{{- end }} +{{- with .Values.server.statefulset.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if not .Values.autoscalingServer.enabled }} + replicas: {{ .Values.replicaCountServer }} +{{- end }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: server + template: + metadata: + labels: + app: {{ template "xray.name" . 
}} + release: {{ .Release.Name }} + component: {{ .Values.xray.name }} + servicename: server + {{- with .Values.xray.labels }} +{{ toYaml . | indent 8 }} + {{- end }} + annotations: + {{- if not .Values.xray.unifiedSecretInstallation }} + checksum/database-secrets: {{ include (print $.Template.BasePath "/xray-database-secrets.yaml") . | sha256sum }} + checksum/systemyaml: {{ include (print $.Template.BasePath "/xray-system-yaml.yaml") . | sha256sum }} + {{- else }} + checksum/xray-unified-secret: {{ include (print $.Template.BasePath "/xray-unified-secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.analysis.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.indexer.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.persist.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.server.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.router.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.filebeat.annotations }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- range $key, $value := .Values.xray.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.xray.schedulerName }} + schedulerName: {{ .Values.xray.schedulerName | quote }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "xray.imagePullSecrets" . | indent 6 }} + {{- end }} + {{- if .Values.xray.priorityClass.existingPriorityClass }} + priorityClassName: {{ .Values.xray.priorityClass.existingPriorityClass }} + {{- else -}} + {{- if .Values.xray.priorityClass.create }} + priorityClassName: {{ default (include "xray.fullname" .) .Values.xray.priorityClass.name }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "xray.serviceAccountName" . 
}} + {{- if .Values.podSecurityContext.enabled }} + securityContext: + runAsUser: {{ .Values.common.xrayUserId }} + fsGroup: {{ .Values.common.xrayGroupId }} + {{- if .Values.common.fsGroupChangePolicy }} + fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }} + {{- end }} + {{- end }} + {{- if .Values.common.topologySpreadConstraints }} + topologySpreadConstraints: +{{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }} + {{- end }} + initContainers: + {{- if or .Values.common.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "xray.customInitContainersBegin" .) . | indent 6 }} + {{- end }} + - name: 'copy-system-yaml' + image: '{{ .Values.initContainerImage }}' + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > + if [[ -e "{{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml" ]]; then chmod 644 {{ .Values.xray.persistence.mountPath }}/etc/filebeat.yaml; fi; + echo "Copy system.yaml to {{ .Values.xray.persistence.mountPath }}/etc"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- else }} + cp -fv /tmp/etc/system.yaml {{ .Values.xray.persistence.mountPath }}/etc/system.yaml; + {{- end }} + echo "Remove {{ .Values.xray.persistence.mountPath }}/lost+found folder if exists"; + rm -rfv {{ .Values.xray.persistence.mountPath }}/lost+found; + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + echo "Copy joinKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath 
}}/etc/security; + echo ${XRAY_JOIN_KEY} > {{ .Values.xray.persistence.mountPath }}/etc/security/join.key; + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + echo "Copy masterKey to {{ .Values.xray.persistence.mountPath }}/etc/security"; + mkdir -p {{ .Values.xray.persistence.mountPath }}/etc/security; + echo ${XRAY_MASTER_KEY} > {{ .Values.xray.persistence.mountPath }}/etc/security/master.key; + {{- end }} + env: + {{- if or .Values.xray.joinKey .Values.xray.joinKeySecretName .Values.global.joinKey .Values.global.joinKeySecretName }} + - name: XRAY_JOIN_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ include "xray.joinKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: join-key + {{- end }} + {{- if or .Values.xray.masterKey .Values.xray.masterKeySecretName .Values.global.masterKey .Values.global.masterKeySecretName }} + - name: XRAY_MASTER_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ include "xray.masterKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: master-key + {{- end }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath | quote }} + {{- if or .Values.systemYamlOverride.existingSecret .Values.xray.systemYaml }} + {{- if not .Values.xray.unifiedSecretInstallation }} + - name: systemyaml + {{- else }} + - name: {{ include "xray.unifiedCustomSecretVolumeName" . 
}} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else if .Values.xray.systemYaml }} + mountPath: "/tmp/etc/system.yaml" + subPath: system.yaml + {{- end }} + {{- end }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }} + - name: copy-custom-certificates + image: "{{ .Values.initContainerImage }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - > +{{ include "xray.copyCustomCerts" . | indent 10 }} +{{ include "xray.copyRabbitmqCustomCerts" . | indent 10 }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.xray.persistence.mountPath }} + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + mountPath: "/tmp/certs" + {{- end }} + {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }} + - name: rabbitmq-ca-certs + mountPath: "/tmp/rabbitmqcerts" + {{- end }} + {{- end }} + {{- if .Values.waitForDatabase }} + {{- if .Values.postgresql.enabled }} + - name: "wait-for-db" + image: "{{ .Values.initContainerImage }}" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} + command: + - 'bash' + - '-c' + - | + echo "Waiting for postgresql to come up" + ready=false; + while ! 
$ready; do echo waiting; + timeout 2s bash -c " + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/router/app/bin/entrypoint-router.sh; + {{- with .Values.router.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + - name: JF_ROUTER_TOPOLOGY_LOCAL_REQUIREDSERVICETYPES + value: {{ include "xray.router.server.requiredServiceTypes" . }} + {{- if .Values.router.extraEnvVars }} + {{- tpl .Values.router.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - name: http-router + containerPort: {{ .Values.router.internalPort }} + volumeMounts: + - name: data-volume + mountPath: {{ .Values.router.persistence.mountPath | quote }} +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.router.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.router.resources | indent 10 }} +{{- if .Values.router.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.router.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.router.livenessProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.router.readinessProbe.enabled }} + readinessProbe: +{{ tpl .Values.router.readinessProbe.config . | indent 10 }} +{{- end }} + - name: {{ .Values.observability.name }} + image: {{ include "xray.getImageInfoByValue" (list . "observability") }} + imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/sh' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . 
$ }}; + {{- end }} + exec /opt/jfrog/observability/app/bin/entrypoint-observability.sh; + {{- with .Values.observability.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{- if .Values.observability.extraEnvVars }} + {{- tpl .Values.observability.extraEnvVars . | nindent 8 }} + {{- end }} + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.observability.persistence.mountPath }}" + resources: +{{ toYaml .Values.observability.resources | indent 10 }} + {{- if .Values.observability.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.observability.startupProbe.config . | indent 10 }} + {{- end }} + {{- if .Values.observability.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.observability.livenessProbe.config . | indent 10 }} + {{- end }} + - name: {{ .Values.server.name }} + image: {{ include "xray.getImageInfoByValue" (list . "server") }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + command: + - '/bin/bash' + - '-c' + - > + {{- with .Values.common.preStartCommand }} + echo "Running custom common preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + {{- with .Values.server.preStartCommand }} + echo "Running custom Server preStartCommand command"; + {{ tpl . $ }}; + {{- end }} + exec /opt/jfrog/xray/app/bin/wrapper.sh; + {{- with .Values.server.lifecycle }} + lifecycle: +{{ toYaml . | indent 10 }} + {{- end }} + env: + {{ include "xray.envVariables" . | indent 8 }} + {{ include "xray.rabbitmqTlsEnvVariables" . | indent 8 }} + {{- if and .Values.rabbitmq.external.secrets (not .Values.common.rabbitmq.connectionConfigFromEnvironment) }} + - name: JF_SHARED_RABBITMQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.username.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.username.key . 
}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.password.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.password.key . }} + - name: JF_SHARED_RABBITMQ_URL + valueFrom: + secretKeyRef: + name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }} + key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }} + {{- end }} + {{- if or .Values.database.secrets.user .Values.database.user }} + - name: JF_SHARED_DATABASE_USERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.user }} + name: {{ tpl .Values.database.secrets.user.name . }} + key: {{ tpl .Values.database.secrets.user.key . }} + {{- else if .Values.database.user }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-user + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.actualUsername .Values.database.actualUsername }} + - name: JF_SHARED_DATABASE_ACTUALUSERNAME + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.actualUsername }} + name: {{ tpl .Values.database.secrets.actualUsername.name . }} + key: {{ tpl .Values.database.secrets.actualUsername.key . }} + {{- else if .Values.database.actualUsername }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-actualUsername + {{- end }} + {{- end }} + {{ if or .Values.database.secrets.password .Values.database.password .Values.postgresql.enabled }} + - name: JF_SHARED_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.password }} + name: {{ tpl .Values.database.secrets.password.name . }} + key: {{ tpl .Values.database.secrets.password.key . 
}} + {{- else if .Values.database.password }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-password + {{- else if .Values.postgresql.enabled }} + name: {{ .Release.Name }}-postgresql + key: postgresql-password + {{- end }} + {{- end }} + {{- if or .Values.database.secrets.url .Values.database.url }} + - name: JF_SHARED_DATABASE_URL + valueFrom: + secretKeyRef: + {{- if .Values.database.secrets.url }} + name: {{ tpl .Values.database.secrets.url.name . }} + key: {{ tpl .Values.database.secrets.url.key . }} + {{- else if .Values.database.url }} + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.fullname" . }}-database-creds + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: db-url + {{- end }} + {{- end }} + {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }} + - name: JF_SHARED_RABBITMQ_USERNAME + value: {{ include "rabbitmq.user" .}} + - name: JF_SHARED_RABBITMQ_URL + value: {{ include "rabbitmq.url" .}} + - name: JF_SHARED_RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "rabbitmq.passwordSecretName" .}} + key: rabbitmq-password + {{- end }} + - name: XRAY_K8S_ENV + value: "true" + - name: EXECUTION_JOB_AES_KEY + valueFrom: + secretKeyRef: + {{- if not .Values.xray.unifiedSecretInstallation }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else if and .Values.xray.unifiedSecretInstallation (or .Values.xray.executionServiceAesKeySecretName .Values.global.executionServiceAesKeySecretName) }} + name: {{ template "xray.executionServiceAesKeySecretName" . }} + {{- else }} + name: "{{ template "xray.name" . }}-unified-secret" + {{- end }} + key: execution-service-aes-key + {{- if .Values.common.extraEnvVars }} + {{- tpl .Values.common.extraEnvVars . 
| nindent 8 }} + {{- end }} + {{- if .Values.server.extraEnvVars }} + {{- tpl .Values.server.extraEnvVars . | nindent 8 }} + {{- end }} + ports: + - containerPort: {{ .Values.server.internalPort }} + name: http-server + volumeMounts: + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" +{{- if or .Values.common.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "xray.customVolumeMounts" .) . | indent 8 }} +{{- end }} +{{- with .Values.server.customVolumeMounts }} +{{ tpl . $ | indent 8 }} +{{- end }} + resources: +{{ toYaml .Values.server.resources | indent 10 }} +{{- if .Values.server.startupProbe.enabled }} + startupProbe: +{{ tpl .Values.server.startupProbe.config . | indent 10 }} +{{- end }} +{{- if .Values.server.livenessProbe.enabled }} + livenessProbe: +{{ tpl .Values.server.livenessProbe.config . | indent 10 }} +{{- end }} + {{- $mountPath := .Values.xray.persistence.mountPath }} + {{- range .Values.xray.loggers }} + - name: {{ . | replace "_" "-" | replace "." "-" }} + image: {{ include "xray.getImageInfoByValue" (list $ "logger") }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} + {{- end }} + command: + - 'sh' + - '-c' + - 'sh /scripts/tail-log.sh {{ $mountPath }}/log {{ . 
}}' + volumeMounts: + - name: data-volume + mountPath: {{ $mountPath }} + - name: tail-logger-script + mountPath: /scripts/tail-log.sh + subPath: tail-log.sh + resources: +{{ toYaml $.Values.xray.loggersResources | indent 10 }} + {{- end }} + {{- if .Values.filebeat.enabled }} + - name: {{ .Values.filebeat.name }} + image: "{{ .Values.filebeat.image.repository }}:{{ .Values.filebeat.image.version }}" + imagePullPolicy: {{ .Values.filebeat.image.pullPolicy }} + args: + - "-e" + - "-E" + - "http.enabled=true" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }} + {{- end }} + volumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + readOnly: true + subPath: filebeat.yml + - name: data-volume + mountPath: "{{ .Values.xray.persistence.mountPath }}" + livenessProbe: +{{ toYaml .Values.filebeat.livenessProbe | indent 10 }} + readinessProbe: +{{ toYaml .Values.filebeat.readinessProbe | indent 10 }} + resources: +{{ toYaml .Values.filebeat.resources | indent 10 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + {{- end }} +{{- if or .Values.common.customSidecarContainers .Values.global.customSidecarContainers }} +{{ tpl (include "xray.customSidecarContainers" .) . | indent 6 }} +{{- end }} + {{- if or .Values.xray.nodeSelector .Values.global.nodeSelector }} +{{ tpl (include "xray.nodeSelector" .) . | indent 6 }} + {{- end }} + {{- if .Values.affinity }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- else if eq .Values.xray.podAntiAffinity.type "soft" }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . 
}} + release: {{ .Release.Name }} + {{- else if eq .Values.xray.podAntiAffinity.type "hard" }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.xray.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app: {{ template "xray.name" . }} + release: {{ .Release.Name }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + ########## External secrets ########### + {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled }} + - name: ca-certs + secret: + secretName: {{ default .Values.global.customCertificates.certificateSecretName .Values.xray.customCertificates.certificateSecretName }} + {{- end }} + {{- if .Values.systemYamlOverride.existingSecret }} + - name: systemyaml + secret: + secretName: {{ .Values.systemYamlOverride.existingSecret }} + {{- end }} + ############ Config map, Volumes and Custom Volumes ############## + {{- if .Values.xray.loggers }} + - name: tail-logger-script + configMap: + name: {{ template "xray.fullname" . }}-logger + {{- end }} + - name: data-volume + emptyDir: + sizeLimit: {{ .Values.common.persistence.size }} + {{- if and .Values.xray.unifiedSecretInstallation (eq (include "xray.checkDuplicateUnifiedCustomVolume" .) "false" ) }} + ######### unifiedSecretInstallation ########### + - name: {{ include "xray.unifiedCustomSecretVolumeName" . }} + secret: + secretName: {{ template "xray.name" . }}-unified-secret + {{- else if not .Values.xray.unifiedSecretInstallation }} + ######### Non unifiedSecretInstallation ########### + {{- if and (not .Values.systemYamlOverride.existingSecret) .Values.xray.systemYaml }} + - name: systemyaml + secret: + secretName: {{ printf "%s-%s" (include "xray.fullname" .) 
"system-yaml" }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.global.rabbitmq.auth.tls.enabled .Values.rabbitmq.auth.tls.enabled }}
+ - name: rabbitmq-ca-certs
+ secret:
+ secretName: {{ template "xray.rabbitmqCustomCertificateshandler" . }}
+ {{- end }}
+
+{{- if or .Values.common.customVolumes .Values.global.customVolumes }}
+{{ tpl (include "xray.customVolumes" .) . | indent 6 }}
+{{- end }}
+ {{- if .Values.filebeat.enabled }}
+ - name: filebeat-config
+ configMap:
+ name: {{ template "xray.fullname" . }}-filebeat-config
+ {{- end }}
+ {{- if .Values.common.configMaps }}
+ - name: xray-configmaps
+ configMap:
+ name: {{ template "xray.fullname" . }}-configmaps
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-statefulset.yaml b/stable/xray/templates/xray-statefulset.yaml
index 9f5fedbd5..20be2df4f 100644
--- a/stable/xray/templates/xray-statefulset.yaml
+++ b/stable/xray/templates/xray-statefulset.yaml
@@ -1,3 +1,4 @@
+{{- if or (and .Values.splitXraytoSeparateDeployments.gradualUpgrade .Values.splitXraytoSeparateDeployments.enabled) (not .Values.splitXraytoSeparateDeployments.enabled) }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -220,7 +221,6 @@ spec:
 {{- end }}
 {{- end }}
 {{- if and .Values.global.xray.rabbitmq.haQuorum.enabled .Values.common.rabbitmq.waitForReplicasQuorumOnStartup }}
- {{- if .Values.rabbitmq.enabled }}
 - name: "wait-for-rabbitmq-replicas-quorum"
 image: "{{ .Values.initContainerImage }}"
 {{- if .Values.containerSecurityContext.enabled }}
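Review bot: The pod-template annotations of this new server Deployment merge `.Values.analysis.annotations`, `.Values.indexer.annotations` and `.Values.persist.annotations`, yet the container list visible in the hunk holds only router, observability, server, the loggers and filebeat, so those three `with` blocks look copied from the StatefulSet rather than intended for a server-only pod; likewise `metadata.annotations` is read from `.Values.server.statefulset.annotations` on a resource whose `kind` is Deployment. Either drop the three blocks or mark the intent, e.g. `# NOTE: analysis/indexer/persist annotations kept so the split server pod matches the StatefulSet annotation set — confirm`, and consider a Deployment-specific annotations key so operators are not steered to a `statefulset` value for a Deployment. A secondary point: the copy-system-yaml init container writes `join.key` and `master.key` into the `data-volume` emptyDir with a bare `echo ... >` under the container's default umask; prefixing the writes with `umask 077;` would keep those files from being group/world-readable inside the shared volume, if other uids can reach it (I cannot tell from here). Part of this hunk, the wait-for-db script and the start of the `containers:` list, appears cut in this view, so I have not reviewed it.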
@@ -251,7 +251,9 @@ spec:
 # but currently we do not have jq in the UBI-minimal base image approved by the installer team
 nodesNum=$(curl -s ${additionalFlags} -u${JF_SHARED_RABBITMQ_USERNAME}:${JF_SHARED_RABBITMQ_PASSWORD} ${rabbitMqManagementUrl}api/nodes | grep -o '"running"\s*:true' | wc -l | tr -d '[:space:]')
 echo $nodesNum
- if [[ "$nodesNum" -ge "{{ add 1 (div .Values.rabbitmq.replicaCount 2) }}" ]]; then ready=true; echo "rabbitmq ok"; fi; sleep 5;
+ quorumSize=$(( $JF_SHARED_RABBITMQ_REPLICASCOUNT/2 + 1 ))
+ echo $quorumSize
+ if [[ "$nodesNum" -ge "$quorumSize" ]]; then ready=true; echo "rabbitmq ok"; fi; sleep 5;
 done
 env:
 {{- if eq (include "xray.rabbitmq.isManagementListenerTlsEnabled" .) "true" }}
@@ -275,6 +277,14 @@ spec:
 name: {{ tpl .Values.rabbitmq.external.secrets.url.name . }}
 key: {{ tpl .Values.rabbitmq.external.secrets.url.key . }}
 {{- end }}
+ {{- if and (not .Values.rabbitmq.external.secrets) (not .Values.common.rabbitmq.connectionConfigFromEnvironment) (not .Values.common.rabbitmq.enabled) }}
+ - name: JF_SHARED_RABBITMQ_USERNAME
+ value: "{{ .Values.rabbitmq.external.username }}"
+ - name: JF_SHARED_RABBITMQ_URL
+ value: "{{ tpl .Values.rabbitmq.external.url . }}"
+ - name: JF_SHARED_RABBITMQ_PASSWORD
+ value: "{{ .Values.rabbitmq.external.password }}"
+ {{- end }}
 {{- if .Values.common.rabbitmq.connectionConfigFromEnvironment }}
 - name: JF_SHARED_RABBITMQ_USERNAME
 value: {{ include "rabbitmq.user" .}}
@@ -286,7 +296,12 @@ spec:
 name: {{ include "rabbitmq.passwordSecretName" .}}
 key: rabbitmq-password
 {{- end }}
- {{- end }}
+ - name: JF_SHARED_RABBITMQ_REPLICASCOUNT
+ {{- if .Values.rabbitmq.enabled }}
+ value: "{{ .Values.rabbitmq.replicaCount }}"
+ {{- else }}
+ value: "{{ .Values.global.xray.rabbitmq.replicaCount }}"
+ {{- end }}
 {{- end }}
 {{- if or .Values.common.customInitContainers .Values.global.customInitContainers }}
 {{ tpl (include "xray.customInitContainers" .) . | indent 6 }}
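Review bot: The new branch in the `@@ -275` hunk injects `.Values.rabbitmq.external.password` into the init container's env as a literal `value:`, whereas the surrounding paths read the same credential through a `secretKeyRef`; a literal value lands in the rendered manifest, the Helm release record and `kubectl get pod -o yaml` for anyone with pod read access. Prefer routing it through the existing `rabbitmq.external.secrets` path, or render a Secret from the value and reference it, e.g. `valueFrom: secretKeyRef: name: <external-rabbitmq-secret-placeholder> key: rabbitmq-password`. The same guard tests `.Values.common.rabbitmq.enabled` while the `@@ -286` hunk on this line switches on `.Values.rabbitmq.enabled`; if `common.rabbitmq.enabled` is not a defined value (the values file is not fully in view), `not` of nil is always true and that third condition excludes nothing, so please confirm which key is meant. The wait-for-rabbitmq-replicas-quorum init container's body continues outside these hunks.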
@@ -1346,3 +1361,4 @@ spec:
 storage: {{ .size }}
 {{- end }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/xray/templates/xray-svc.yaml b/stable/xray/templates/xray-svc.yaml
index 6a4984e3c..bce6c4dac 100644
--- a/stable/xray/templates/xray-svc.yaml
+++ b/stable/xray/templates/xray-svc.yaml
@@ -37,3 +37,6 @@ spec:
 app: {{ template "xray.name" . }}
 component: {{ .Values.xray.name }}
 release: {{ .Release.Name }}
+{{- if and (not .Values.splitXraytoSeparateDeployments.gradualUpgrade) .Values.splitXraytoSeparateDeployments.enabled }}
+ servicename: server
+{{- end }}
diff --git a/stable/xray/values.yaml b/stable/xray/values.yaml
index 128daaeee..4d3c7b9e1 100644
--- a/stable/xray/values.yaml
+++ b/stable/xray/values.yaml
@@ -47,6 +47,7 @@ global:
 xray:
 # Rabbitmq settings that are specific to Xray
 rabbitmq:
+ replicaCount: 1
 haQuorum:
 enabled: false
 waitForPreviousPodsOnInitialStartup: true
@@ -60,7 +61,7 @@ global:
 ##
 # fullnameOverride:
-initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.3.1361.1699548032
+initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.3.1475
 imagePullPolicy: IfNotPresent
 # Init containers
@@ -214,7 +215,7 @@ xray:
 {{- if .Values.global.xray.rabbitmq.haQuorum.enabled }}
 ha_quorum: true
 vhost: {{ .Values.global.xray.rabbitmq.haQuorum.vhost }}
- replicasCount: 3
+ replicasCount: {{ .Values.global.xray.rabbitmq.replicaCount }}
 {{- end }}
 erlangCookie:
 value: "{{ .Values.rabbitmq.external.erlangCookie }}"
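Review bot: `replicasCount` in the `@@ -214` hunk now reads `.Values.global.xray.rabbitmq.replicaCount` unconditionally (default `1` per the `@@ -47` hunk), while the `JF_SHARED_RABBITMQ_REPLICASCOUNT` env added to the StatefulSet init container picks `.Values.rabbitmq.replicaCount` when the bundled RabbitMQ is enabled; with the bundled broker the two can disagree, so the quorum the init container waits for may not match what the application is told. Mirroring the same branch here keeps them consistent: `replicasCount: {{ if .Values.rabbitmq.enabled }}{{ .Values.rabbitmq.replicaCount }}{{ else }}{{ .Values.global.xray.rabbitmq.replicaCount }}{{ end }}`. A `## Must match the replica count of the RabbitMQ actually in use (bundled or external)` comment on `global.xray.rabbitmq.replicaCount` would also help operators. I am assuming this `xray:` block is a `tpl`-rendered system.yaml, since it already contains `{{- if }}`.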
@@ -235,7 +236,7 @@ xray:
 username: "{{ .Values.xray.mongoUsername }}"
 password: "{{ .Values.xray.mongoPassword }}"
 {{- end }}
- {{- if or .Values.server.mailServer .Values.server.indexAllBuilds .Values.common.rabbitmq.migrateMessagesFromOtherRabbitMq }}
+ {{- if or .Values.server.mailServer .Values.server.indexAllBuilds .Values.global.xray.rabbitmq.migrateMessagesFromXrayDefaultVhost .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq }}
 server:
 {{- if .Values.server.mailServer }}
 mailServer: "{{ .Values.server.mailServer }}"
@@ -243,9 +244,13 @@ xray:
 {{- if .Values.server.indexAllBuilds }}
 indexAllBuilds: {{ .Values.server.indexAllBuilds }}
 {{- end }}
- {{- if .Values.common.rabbitmq.migrateMessagesFromOtherRabbitMq }}
+ {{- if .Values.global.xray.rabbitmq.migrateMessagesFromXrayDefaultVhost }}
 dataMigrations:
- migrate_msgs_from_other_rabbitmq: {{ toYaml .Values.common.rabbitmq.migrateMessagesFromOtherRabbitMq | nindent 6 }}
+ migrate_msgs_from_other_rabbitmq:
+ vhost: {{ .Values.global.xray.rabbitmq.vhost | default "%2f" | quote }}
+ {{- else if .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq }}
+ dataMigrations:
+ migrate_msgs_from_other_rabbitmq: {{ toYaml .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq | nindent 6 }}
 {{- end }}
 {{- end }}
 {{- if (include "xray.imagePullSecretsStrList" .) }}
@@ -401,7 +406,7 @@ logger:
 image:
 registry: releases-docker.jfrog.io
 repository: ubi9/ubi-minimal
- tag: 9.3.1361.1699548032
+ tag: 9.3.1475
 ## Service Account
 ## Ref: https://kubernetes.io/docs/admin/service-accounts-admin/
@@ -653,6 +658,7 @@ rabbitmq:
 }
 ],
 "policies": [
+ {{- if not .Values.global.xray.rabbitmq.haQuorum.enabled }}
 {
 "name": "ha-all",
 "apply-to": "all",
@@ -663,6 +669,7 @@ rabbitmq:
 "ha-sync-mode": "automatic"
 }
 }
+ {{- end }}
 ]
 }
 loadDefinition:
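Review bot: The `@@ -243` hunk moves `migrateMessagesFromOtherRabbitMq` from `.Values.common.rabbitmq` to `.Values.global.xray.rabbitmq` with no fallback, so an existing values file that still sets the old key silently stops emitting the `dataMigrations` block on upgrade. Unless the chart changelog (not in this view) flags it as a breaking rename, a compatibility read such as `{{- $migrate := or .Values.global.xray.rabbitmq.migrateMessagesFromOtherRabbitMq .Values.common.rabbitmq.migrateMessagesFromOtherRabbitMq }}` used in both conditions, or a `fail` with a clear message when the old key is set, would avoid a silent regression. The same rename also appears in the `@@ -235` condition on this line.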
@@ -677,6 +684,14 @@ rabbitmq:
 migration:
 ## Migration is required to be performed only once hence this option can be disabled once the feature flags are enabled in rabbitmq.
 enabled: true
+ ## Another uses of migration hook are:
+ ## - Deleting StatefulSet for allowing updating certain fields that require it:
+ ## Changing podManagementPolicy OrderedReady -> Parallel requires deleting stateful set
+ ## - Deleting ha-all mirror policy on migrating to Quorum Queues
+ deleteStatefulSetToAllowFieldUpdate:
+ enabled: false
+ removeHaPolicyOnMigrationToHaQuorum:
+ enabled: false
 image:
 registry: releases-docker.jfrog.io
 repository: bitnami/kubectl
@@ -703,6 +718,14 @@ rabbitmq:
 - create
 - get
 - list
+ - apiGroups:
+ - "apps"
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - delete
 # This is automatically set based on rabbitmqTLS enabled flag.
@@ -1295,7 +1318,7 @@ router:
 image:
 registry: releases-docker.jfrog.io
 repository: jfrog/router
- tag: 7.92.0
+ tag: 7.95.0
 imagePullPolicy: IfNotPresent
 serviceRegistry:
 ## Service registry (Access) TLS verification skipped if enabled.
@@ -1381,7 +1404,7 @@ observability:
 image:
 registry: releases-docker.jfrog.io
 repository: jfrog/observability
- tag: 1.17.0
+ tag: 1.21.0
 imagePullPolicy: IfNotPresent
 internalPort: 8036
 resources: {}
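Review bot: The rule added in the `@@ -703` hunk grants `delete` on every `apps/statefulsets` in the namespace to the migration hook's role, whether or not `deleteStatefulSetToAllowFieldUpdate.enabled` is set (it defaults to `false` in the `@@ -677` hunk), so a misbehaving or compromised hook job could remove StatefulSets other than RabbitMQ's. This is a values list and I cannot see how the template consumes it, but either emitting the rule only when that flag is true, or scoping it with `resourceNames: ["<rabbitmq-statefulset-name-placeholder>"]` for `get`/`delete` (`resourceNames` does not constrain `list`), would keep the hook closer to least privilege. A comment on the rule such as `## Only required when migration.deleteStatefulSetToAllowFieldUpdate.enabled is true` would at least document why the verb is present.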
@@ -1527,3 +1550,82 @@ probes: quota: enabled: true jobCount: 100 + +################################################################################### +## At present, this feature is not available for onprem installations. +## Separate Xray into distinct pods +## (Enabling this setting will divide the Xray pod into two deployments: xray-server and xray-ipa) +splitXraytoSeparateDeployments: + enabled: false + ## To prevent downtime (both the statefulset pod and deployment pod are kept together, with gradual upgrade set to false, which can turn off statefulsets in subsequent upgrades) + gradualUpgrade: false +replicaCountServer: 2 +## Apply horizontal pod auto scaling on Xray server pods +## Only applicable when (splitXraytoSeparateDeployments.enabled) is set to true +## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscalingServer: + enabled: false + minReplicas: 2 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + targetMemoryUtilizationPercentage: 90 + ## Specify if using the keda hpa or regular basic hpa + ## Note: keda should be installed on the target cluster + ## Ref: https://keda.sh/docs/2.10/deploy/ + keda: + enabled: false + scaleUp: + stabilizationWindowSeconds: 90 + policies: + - type: Pods + value: 3 + periodSeconds: 30 + scaleDown: + stabilizationWindowSeconds: 90 + policies: + - type: Pods + value: 1 + periodSeconds: 30 + pollingInterval: 10 + cooldownPeriod: 10 + queues: + - name: impactAnalysis + value: "100" +## Apply horizontal pod auto scaling on Xray ipa pods +## Only applicable when (splitXraytoSeparateDeployments.enabled) is set to true +## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscalingIpa: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + targetMemoryUtilizationPercentage: 90 + ## Specify if using the keda hpa or regular basic hpa + ## Note: keda should be installed on the target cluster + ## Ref: 
https://keda.sh/docs/2.10/deploy/ + keda: + enabled: false + scaleUp: + stabilizationWindowSeconds: 90 + policies: + - type: Pods + value: 3 + periodSeconds: 30 + scaleDown: + stabilizationWindowSeconds: 90 + policies: + - type: Pods + value: 1 + periodSeconds: 30 + pollingInterval: 10 + cooldownPeriod: 10 + queues: + - name: analysis + value: "100" + - name: index + value: "100" + - name: persist + value: "100" + - name: alert + value: "100" +###################################################################################
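Review bot: The new top-level key `splitXraytoSeparateDeployments` mixes cases in `Xrayto`, which does not match the camelCase used by the neighbouring keys (`autoscalingServer`, `replicaCountServer`) and will be painful to rename later since it is a public values key; `splitXrayToSeparateDeployments` would be the consistent spelling if it is not already referenced by templates outside this diff. Under both `keda.queues` lists the meaning of `value: "100"` is never documented, and the comment on `gradualUpgrade` is hard to follow; I would add `## value is the threshold for the named queue at which KEDA scales the deployment (see the KEDA scaler used by the chart)` above each `queues:` list, hedged to whatever the scaler actually measures, and reword the `gradualUpgrade` comment to a form such as `## When false, the StatefulSet pod and the Deployment pods are kept running together during upgrade to avoid downtime; the StatefulSet can then be turned off in a later upgrade`. `replicaCountServer: 2` sits between the two autoscaling blocks with no comment saying it only applies when `splitXraytoSeparateDeployments.enabled` is true, unlike the autoscaling keys, which do say so.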
