diff --git a/codefresh/.ci/values/cfapi-roles-no-rbac.yaml b/codefresh/.ci/values/cfapi-roles-no-rbac.yaml deleted file mode 100644 index 7d03bd74e0..0000000000 --- a/codefresh/.ci/values/cfapi-roles-no-rbac.yaml +++ /dev/null @@ -1,60 +0,0 @@ -global: - cfapiService: cfapi-internal - cfapiEndpointsService: cfapi-endpoints - -cfapi: &cf-api - enabled: false - rbac: - namespaced: true - -cfapi-auth: - <<: *cf-api - enabled: true -cfapi-internal: - <<: *cf-api - enabled: true -cfapi-ws: - <<: *cf-api - enabled: true -cfapi-admin: - <<: *cf-api - enabled: true -cfapi-endpoints: - <<: *cf-api - enabled: true -cfapi-terminators: - <<: *cf-api - enabled: true -cfapi-sso-group-synchronizer: - <<: *cf-api - enabled: true -cfapi-buildmanager: - <<: *cf-api - enabled: true -cfapi-cacheevictmanager: - <<: *cf-api - enabled: true -cfapi-eventsmanagersubscriptions: - <<: *cf-api - enabled: true -cfapi-kubernetesresourcemonitor: - <<: *cf-api - enabled: true -cfapi-environments: - <<: *cf-api - enabled: true -cfapi-gitops-resource-receiver: - <<: *cf-api - enabled: true -cfapi-downloadlogmanager: - <<: *cf-api - enabled: true -cfapi-teams: - <<: *cf-api - enabled: true -cfapi-kubernetes-endpoints: - <<: *cf-api - enabled: true -cfapi-test-reporting: - <<: *cf-api - enabled: true diff --git a/codefresh/.ci/values/defaults-hpa.yaml b/codefresh/.ci/values/defaults-hpa.yaml index 015297ed89..8b80bdcb4b 100644 --- a/codefresh/.ci/values/defaults-hpa.yaml +++ b/codefresh/.ci/values/defaults-hpa.yaml 
@@ -1,105 +1,8 @@ seed-e2e: enabled: true -# kinda external secrets -secrets: - ext-mongo: - enabled: true - stringData: - mongodb-host: cf-mongodb:27017 - mongodb-password: mTiXcU2wafr9 - mongodb-user: cfuser - mongodb-root-user: root - mongodb-root-password: XT9nmM8dZD - ext-postgres: - enabled: true - stringData: - postgres-hostname: cf-postgresql - postgres-password: eC9arYka4ZbH - postgres-user: postgres - ext-redis: - enabled: true - stringData: - redis-url: cf-redis-master - redis-password: hoC9szf7NtrU - ext-rabbitmq: - enabled: true - stringData: - rabbitmq-hostname: cf-rabbitmq:5672 - rabbitmq-password: cVz9ZdJKYm7u - rabbitmq-username: user - ext-firebase: - enabled: true - stringData: - firebase-url: "" # placeholder for ${FIRBASE_URL} - firebase-secret: "" # placeholder for ${FIREBASE_SECRET} - e2e-mongo-uri: - enabled: true - stringData: - mongo-uri: mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/codefresh - -seed: - mongoSeedJob: - mongodbRootUserSecretKeyRef: - name: cf-codefresh-ext-mongo - key: mongodb-root-user - mongodbRootPasswordSecretKeyRef: - name: cf-codefresh-ext-mongo - key: mongodb-root-password - - postgresSeedJob: - postgresUserSecretKeyRef: - name: cf-codefresh-ext-postgres - key: postgres-user - postgresPasswordSecretKeyRef: - name: cf-codefresh-ext-postgres - key: postgres-password - global: appUrl: "" # placeholder - firebaseUrlSecretKeyRef: - name: cf-codefresh-ext-firebase - key: firebase-url - firebaseSecretSecretKeyRef: - name: cf-codefresh-ext-firebase - key: firebase-secret - - mongodbUserSecretKeyRef: - name: cf-codefresh-ext-mongo - key: mongodb-user - mongodbPasswordSecretKeyRef: - name: cf-codefresh-ext-mongo - key: mongodb-password - mongodbHostSecretKeyRef: - name: cf-codefresh-ext-mongo - key: mongodb-host - - postgresHostnameSecretKeyRef: - name: cf-codefresh-ext-postgres - key: postgres-hostname - postgresPasswordSecretKeyRef: - name: cf-codefresh-ext-postgres - key: postgres-password - postgresUserSecretKeyRef: - 
name: cf-codefresh-ext-postgres - key: postgres-user - - rabbitmqHostnameSecretKeyRef: - name: cf-codefresh-ext-rabbitmq - key: rabbitmq-hostname - rabbitmqPasswordSecretKeyRef: - name: cf-codefresh-ext-rabbitmq - key: rabbitmq-password - rabbitmqUsernameSecretKeyRef: - name: cf-codefresh-ext-rabbitmq - key: rabbitmq-username - - redisPasswordSecretKeyRef: - name: cf-codefresh-ext-redis - key: redis-password - redisUrlSecretKeyRef: - name: cf-codefresh-ext-redis - key: redis-url cfapi: rbac: diff --git a/codefresh/.ci/values/external-secrets.yaml b/codefresh/.ci/values/external-secrets.yaml new file mode 100644 index 0000000000..7f82f184c5 --- /dev/null +++ b/codefresh/.ci/values/external-secrets.yaml 
@@ -0,0 +1,98 @@ +# values to emulate external secrets +secrets: + ext-mongo: + enabled: true + stringData: + mongodb-host: cf-mongodb:27017 + mongodb-password: mTiXcU2wafr9 + mongodb-user: cfuser + mongodb-root-user: root + mongodb-root-password: XT9nmM8dZD + ext-postgres: + enabled: true + stringData: + postgres-hostname: cf-postgresql + postgres-password: eC9arYka4ZbH + postgres-user: postgres + ext-redis: + enabled: true + stringData: + redis-url: cf-redis-master + redis-password: hoC9szf7NtrU + ext-rabbitmq: + enabled: true + stringData: + rabbitmq-hostname: cf-rabbitmq:5672 + rabbitmq-password: cVz9ZdJKYm7u + rabbitmq-username: user + ext-firebase: + enabled: true + stringData: + firebase-url: "" # placeholder for ${FIRBASE_URL} + firebase-secret: "" # placeholder for ${FIREBASE_SECRET} + e2e-mongo-uri: + enabled: true + stringData: + mongo-uri: mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/codefresh + +seed: + mongoSeedJob: + mongodbRootUserSecretKeyRef: + name: cf-codefresh-ext-mongo + key: mongodb-root-user + mongodbRootPasswordSecretKeyRef: + name: cf-codefresh-ext-mongo + key: mongodb-root-password + + postgresSeedJob: + postgresUserSecretKeyRef: + name: cf-codefresh-ext-postgres + key: postgres-user + postgresPasswordSecretKeyRef: + name: cf-codefresh-ext-postgres + key: postgres-password + +global: + firebaseUrlSecretKeyRef: + name: cf-codefresh-ext-firebase + key: firebase-url + firebaseSecretSecretKeyRef: + name: cf-codefresh-ext-firebase + key: firebase-secret + + mongodbUserSecretKeyRef: + name: cf-codefresh-ext-mongo + key: mongodb-user + mongodbPasswordSecretKeyRef: + name: cf-codefresh-ext-mongo + key: mongodb-password + mongodbHostSecretKeyRef: + name: cf-codefresh-ext-mongo + key: mongodb-host + + postgresHostnameSecretKeyRef: + name: cf-codefresh-ext-postgres + key: postgres-hostname + postgresPasswordSecretKeyRef: + name: cf-codefresh-ext-postgres + key: postgres-password + postgresUserSecretKeyRef: + name: cf-codefresh-ext-postgres + key: 
postgres-user + + rabbitmqHostnameSecretKeyRef: + name: cf-codefresh-ext-rabbitmq + key: rabbitmq-hostname + rabbitmqPasswordSecretKeyRef: + name: cf-codefresh-ext-rabbitmq + key: rabbitmq-password + rabbitmqUsernameSecretKeyRef: + name: cf-codefresh-ext-rabbitmq + key: rabbitmq-username + + redisPasswordSecretKeyRef: + name: cf-codefresh-ext-redis + key: redis-password + redisUrlSecretKeyRef: + name: cf-codefresh-ext-redis + key: redis-url \ No newline at end of file diff --git a/codefresh/.ci/values/mtls-mongodb-redis.yaml b/codefresh/.ci/values/mtls-mongodb-redis.yaml index 1abf5b39a3..cea05a324c 100644 --- a/codefresh/.ci/values/mtls-mongodb-redis.yaml +++ b/codefresh/.ci/values/mtls-mongodb-redis.yaml @@ -137,7 +137,6 @@ extraResources: kind: Service metadata: name: cf-redis - namespace: codefresh-mtls spec: ports: - name: tcp-redis diff --git a/codefresh/.ci/values/values-install-only.yaml b/codefresh/.ci/values/values-install-only.yaml index 7cb1966a83..daf376de8a 100644 --- a/codefresh/.ci/values/values-install-only.yaml +++ b/codefresh/.ci/values/values-install-only.yaml @@ -1,12 +1,11 @@ # -- checking postgresql password with special characters postgresql: auth: - postgresPassword: "e%C9ar$Yka4Zb!H" + postgresPassword: "()e%C9ar$Yka4Zb!H" -secrets: - ext-postgres: - enabled: true - stringData: - postgres-hostname: cf-postgresql - postgres-password: e%C9ar$Yka4Zb!H - postgres-user: postgres +global: + postgresPassword: "()e%C9ar$Yka4Zb!H" + +seed: + postgresSeedJob: + postgresPassword: "()e%C9ar$Yka4Zb!H" \ No newline at end of file diff --git a/codefresh/.ci/values/values-openshift.yaml b/codefresh/.ci/values/values-openshift.yaml new file mode 100644 index 0000000000..ec23e4e07d --- /dev/null +++ b/codefresh/.ci/values/values-openshift.yaml @@ -0,0 +1,4 @@ +# values provided for openshift cluster +cfapi: + podSecurityContext: + runAsUser: 1000620000 \ No newline at end of file 
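Review bot: The new file commits literal credentials (`mongodb-password`, `mongodb-root-password`, `postgres-password`, `redis-password`, `rabbitmq-password`) as plain values under `codefresh/.ci/values/`, and the mongo password is repeated verbatim inside `mongo-uri`, so rotating one silently leaves the other stale. Even for CI fixtures, replace the header with a comment that classifies them, e.g. `# CI-only throwaway credentials for ephemeral test clusters; the mongo password here and in e2e-mongo-uri must be kept in sync`, so secret scanners and readers know they are not production values. The inline comment `# placeholder for ${FIRBASE_URL}` has a typo (`FIREBASE_URL`). The file also ends without a trailing newline.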
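Review bot: The literal password `"()e%C9ar$Yka4Zb!H"` is now repeated three times (`postgresql.auth.postgresPassword`, `global.postgresPassword`, `seed.postgresSeedJob.postgresPassword`); anchoring the first occurrence, `postgresPassword: &pg_pass "()e%C9ar$Yka4Zb!H"`, and using `*pg_pass` on the other two keeps the test value from drifting, as the chart's other values files already do with anchors. The test string exercises `(`, `)`, `%`, `$` and `!` but none of the URI-reserved characters (`@`, `/`, `:`, `#`) that would expose a double- or un-encoded password now that the secret template in this commit stops applying `urlquery` to `POSTGRES_SEED_PASSWORD`; if any consumer builds a connection URI from that key, widen the test value accordingly. The header comment should name which rendered keys the value is meant to exercise, and the file ends without a trailing newline.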
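Review bot: `runAsUser: 1000620000` is a UID from one project's OpenShift-assigned range and nothing in the file says so; under the restricted SCC it is likely to be rejected in any namespace whose `openshift.io/sa.scc.uid-range` annotation covers a different range. Replace the header with `# values for OpenShift: runAsUser must fall inside the target namespace's openshift.io/sa.scc.uid-range (this value is an example, not a default)`. Only the `cfapi` key is set here, while the deleted `cfapi-roles-no-rbac.yaml` shows the chart carries many `cfapi-*` aliases; unless the parent chart propagates `cfapi` values to those aliases this override may not reach them, which is worth confirming. The file ends without a trailing newline.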
diff --git a/codefresh/Chart.lock b/codefresh/Chart.lock index 09ca4f4bfe..eb8df71a89 100644 --- a/codefresh/Chart.lock +++ b/codefresh/Chart.lock 
@@ -58,64 +58,64 @@ dependencies: version: 2.30.2 - name: pipeline-manager repository: oci://quay.io/codefresh/charts - version: 3.135.8 + version: 3.135.9 - name: gitops-dashboard-manager repository: oci://quay.io/codefresh/charts version: 1.14.15 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.260.39 + version: 21.260.40 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 
21.260.39 + version: 21.260.40 - name: cfui repository: oci://quay.io/codefresh/charts version: 14.95.78 @@ -142,10 +142,10 @@ dependencies: version: 0.8.7 - name: cf-platform-analytics repository: oci://quay.io/codefresh/charts - version: 0.49.65 + version: 0.49.66 - name: cf-platform-analytics repository: oci://quay.io/codefresh/charts - version: 0.49.65 + version: 0.49.66 - name: argo-platform repository: oci://quay.io/codefresh/charts version: 1.3037.0-onprem-fb06d0a @@ -155,5 +155,5 @@ dependencies: - name: cf-oidc-provider repository: oci://quay.io/codefresh/charts version: 0.0.15 -digest: sha256:5f3103c713ddac080b88d73dbb094b2bc02406d87fda6f130bb89abdc2690e3d -generated: "2024-10-18T22:52:29.468059483+03:00" +digest: sha256:1d70af531b08b8a225aeb1bcd099a6699b2a6c343f9c70f023384e1d2a69463c +generated: "2024-10-22T10:56:07.99008+03:00" diff --git a/codefresh/Chart.yaml b/codefresh/Chart.yaml index af0063cdf0..f245d8e707 100644 --- a/codefresh/Chart.yaml +++ b/codefresh/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Helm Chart for Codefresh On-Prem name: codefresh -version: 2.5.5 +version: 2.5.6 keywords: - codefresh home: https://codefresh.io/ @@ -19,7 +19,20 @@ annotations: # supported kinds are added, changed, deprecated, removed, fixed and security. artifacthub.io/changes: | - kind: fixed - description: "encode special characters in postgresql password (argo-platform)" + description: "permissions in cf-api for OpenShift" + links: + - name: JIRA Issue + url: https://codefresh-io.atlassian.net/browse/CR-25662 + - kind: fixed + description: "pipeline-manager memory leak" + links: + - name: JIRA Issue + url: https://codefresh-io.atlassian.net/browse/CR-25053 + - kind: fixed + description: "Secret template when postgres password contains special characters" + links: + - name: JIRA Issue + url: https://codefresh-io.atlassian.net/browse/CR-25131 dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts 
diff --git a/codefresh/README.md b/codefresh/README.md index c81148de5d..99d1cffeb0 100644 --- a/codefresh/README.md +++ b/codefresh/README.md @@ -1,6 +1,6 @@ ## Codefresh On-Premises -![Version: 2.5.5](https://img.shields.io/badge/Version-2.5.5-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square) +![Version: 2.5.6](https://img.shields.io/badge/Version-2.5.6-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square) Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. diff --git a/codefresh/files/mongoSeedJobScript.sh b/codefresh/files/mongoSeedJobScript.sh index aaf2eabe51..3bcaf6f98a 100644 --- a/codefresh/files/mongoSeedJobScript.sh +++ b/codefresh/files/mongoSeedJobScript.sh 
@@ -75,13 +75,15 @@ waitForMongoDB getMongoVersion for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do - mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" || true - mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" || true + waitForMongoDB + mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true + waitForMongoDB + mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true done -mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" || true -mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" || true -mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" || true +mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true +mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true +mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true mongoimport --uri ${MONGO_URI} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json mongoimport --uri ${MONGO_URI} --collection accounts --type json 
--legacy --file ${ASSETS_PATH}accounts.json diff --git a/codefresh/templates/secrets/secret.yaml b/codefresh/templates/secrets/secret.yaml index 06d794d843..e0fa81259e 100644 --- a/codefresh/templates/secrets/secret.yaml +++ b/codefresh/templates/secrets/secret.yaml 
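Review bot: The added `2>&1` and `waitForMongoDB` calls leave the real fragility in place: `${MONGODB_PASSWORD}` is spliced into a JavaScript string literal inside `--eval`, so a password containing `"` or `\` breaks the script and `|| true` then hides the failure, and `${MONGODB_ROOT_URI}` is unquoted and subject to word splitting. Quote the URI, `mongosh "${MONGODB_ROOT_URI}" --eval ...`, and read the user and password inside the eval from `process.env` (mongosh runs on Node and exposes it) instead of interpolating them into the JavaScript, so no password character can alter the script. With stderr now merged into stdout, confirm the job log does not echo the eval text, which contains the password, on a syntax error. The `for` loop is fully inside the hunk, but the definitions of `MONGODB_DATABASES`, `MONGODB_ROOT_URI` and `waitForMongoDB` are outside it.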
@@ -7,26 +7,26 @@ metadata: name: {{ include "codefresh.fullname" . }} labels: {{ include "codefresh.labels" . | nindent 4 }} -stringData: +data: # new MONGODB_* secrets - MONGODB_HOST: {{ coalesce .Values.global.mongodbHost }} - MONGODB_PASSWORD: {{ coalesce .Values.global.mongodbPassword }} - MONGODB_USER: {{ coalesce .Values.global.mongodbUser }} - MONGODB_OPTIONS: {{ coalesce .Values.global.mongodbOptions }} - MONGODB_DATABASE: {{ coalesce .Values.global.mongodbDatabase | default "codefresh" }} - MONGODB_PROTOCOL: {{ coalesce .Values.global.mongodbProtocol | default "mongodb" }} + MONGODB_HOST: {{ coalesce .Values.global.mongodbHost | b64enc }} + MONGODB_PASSWORD: {{ coalesce .Values.global.mongodbPassword | b64enc }} + MONGODB_USER: {{ coalesce .Values.global.mongodbUser | b64enc }} + MONGODB_OPTIONS: {{ coalesce .Values.global.mongodbOptions | b64enc }} + MONGODB_DATABASE: {{ coalesce .Values.global.mongodbDatabase | default "codefresh" | b64enc }} + MONGODB_PROTOCOL: {{ coalesce .Values.global.mongodbProtocol | default "mongodb" | b64enc }} # legacy MONGODB_* secrets - MONGODB_ROOT_USER: {{ coalesce .Values.global.mongodbRootUser .Values.seed.mongoSeedJob.mongodbRootUser }} - MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.global.mongodbRootPassword .Values.seed.mongoSeedJob.mongodbRootPassword) }} - MONGO_URI: {{ .Values.global.mongoURI | default "empty" }} - MONGO_URI_RE_MANAGER: {{ include (printf "%s.classic.calculateMongoUri" $libTemplateName) (dict "dbName" "runtime-environment-manager" "mongoURI" .Values.global.mongoURI) | default "empty" }} - MONGODB_RE_DATABASE: runtime-environment-manager + MONGODB_ROOT_USER: {{ coalesce .Values.global.mongodbRootUser .Values.seed.mongoSeedJob.mongodbRootUser | b64enc }} + MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.global.mongodbRootPassword .Values.seed.mongoSeedJob.mongodbRootPassword) | b64enc }} + MONGO_URI: {{ .Values.global.mongoURI | default "empty" | b64enc}} + MONGO_URI_RE_MANAGER: {{ 
include (printf "%s.classic.calculateMongoUri" $libTemplateName) (dict "dbName" "runtime-environment-manager" "mongoURI" .Values.global.mongoURI) | default "empty" | b64enc }} + MONGODB_RE_DATABASE: {{ printf "%s" "runtime-environment-manager" | b64enc }} - POSTGRES_USER: {{ coalesce .Values.global.postgresUser }} - POSTGRES_PASSWORD: {{ coalesce .Values.global.postgresPassword }} - POSTGRES_SEED_USER: {{ (coalesce .Values.seed.postgresSeedJob.postgresUser .Values.global.postgresSeedJob.postgresUser) | default .Values.global.postgresUser }} - POSTGRES_SEED_PASSWORD: {{ urlquery ((coalesce .Values.seed.postgresSeedJob.postgresPassword .Values.global.postgresSeedJob.postgresPassword) | default .Values.global.postgresPassword) }} - POSTGRES_HOSTNAME: {{ default (printf "%s-%s" .Release.Name .Values.global.postgresService) .Values.global.postgresHostname }} - POSTGRES_PORT: {{ coalesce .Values.global.postgresPort | default 5432 | quote }} - POSTGRES_DATABASE: {{ .Values.global.postgresDatabase | default "codefresh" }} + POSTGRES_USER: {{ coalesce .Values.global.postgresUser | b64enc }} + POSTGRES_PASSWORD: {{ coalesce .Values.global.postgresPassword | b64enc }} + POSTGRES_SEED_USER: {{ (coalesce .Values.seed.postgresSeedJob.postgresUser .Values.global.postgresSeedJob.postgresUser) | default .Values.global.postgresUser | b64enc}} + POSTGRES_SEED_PASSWORD: {{ (coalesce .Values.seed.postgresSeedJob.postgresPassword .Values.global.postgresSeedJob.postgresPassword) | default .Values.global.postgresPassword | b64enc }} + POSTGRES_HOSTNAME: {{ default (printf "%s-%s" .Release.Name .Values.global.postgresService) .Values.global.postgresHostname | b64enc }} + POSTGRES_PORT: {{ printf "%v" .Values.global.postgresPort | b64enc }} + POSTGRES_DATABASE: {{ .Values.global.postgresDatabase | default "codefresh" | b64enc }}