[xray] 3.80.9 release

jfrog · Aug 18, 2023 · bd4591f · bd4591f
1 parent 0c84cae
commit bd4591f
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 107 deletions.
diff --git a/stable/xray/CHANGELOG.md b/stable/xray/CHANGELOG.md
@@ -1,7 +1,10 @@
 # JFrog Xray Chart Changelog
 All changes to this chart will be documented in this file.
 
-## [103.79.11] - Jul 3, 2023
+## [103.80.9] - Jul 16, 2023
+* Added `podSecurityContext.enabled` and `containerSecurityContext.enabled` to support openshift
+
+## [103.79.0] - Jul 3, 2023
 * Added TLS support for rabbitmq
 * Moved common.extraEnvs to statefulset from values.yaml
 * Added `extraEnvVars` for each container

diff --git a/stable/xray/Chart.yaml b/stable/xray/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 3.79.11
+appVersion: 3.80.9
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -24,4 +24,4 @@ name: xray
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 103.79.11
+version: 103.80.9
diff --git a/stable/xray/templates/xray-statefulset.yaml b/stable/xray/templates/xray-statefulset.yaml
@@ -85,12 +85,14 @@ spec:
       {{- end }}
     {{- end }}
       serviceAccountName: {{ template "xray.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
       securityContext:
         runAsUser: {{ .Values.common.xrayUserId }}
         fsGroup: {{ .Values.common.xrayGroupId }}
         {{- if .Values.common.fsGroupChangePolicy }}
         fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }}
         {{- end }}
+      {{- end }}
       {{- if .Values.common.topologySpreadConstraints }}
       topologySpreadConstraints:
 {{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }}
@@ -101,12 +103,9 @@ spec:
     {{- end }}
       - name: 'copy-system-yaml'
         image: '{{ .Values.initContainerImage }}'
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         resources:
 {{ toYaml .Values.initContainers.resources | indent 10 }}
         command:
@@ -176,12 +175,9 @@ spec:
       {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }}
       - name: copy-custom-certificates
         image: "{{ .Values.initContainerImage }}"
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         resources:
 {{ toYaml .Values.initContainers.resources | indent 10 }}
         command:
@@ -206,12 +202,9 @@ spec:
       {{- if .Values.postgresql.enabled }}
       - name: "wait-for-db"
         image: "{{ .Values.initContainerImage }}"
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         resources:
 {{ toYaml .Values.initContainers.resources | indent 10 }}
         command:
@@ -237,13 +230,9 @@ spec:
       - name: {{ .Values.router.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "router") }}
         imagePullPolicy: {{ .Values.router.image.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: {{ .Values.common.xrayUserId }}
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/sh'
           - '-c'
@@ -292,12 +281,9 @@ spec:
       - name: {{ .Values.observability.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "observability") }}
         imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/sh'
           - '-c'
@@ -331,13 +317,9 @@ spec:
       - name: {{ .Values.server.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "server") }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: {{ .Values.common.xrayUserId }}
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/bash'
           - '-c'
@@ -497,13 +479,9 @@ spec:
       - name: {{ .Values.analysis.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "analysis") }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: {{ .Values.common.xrayUserId }}
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/bash'
           - '-c'
@@ -668,13 +646,9 @@ spec:
       - name: {{ .Values.sbom.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "sbom") }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: {{ .Values.common.xrayUserId }}
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/bash'
           - '-c'
@@ -839,13 +813,9 @@ spec:
       - name: {{ .Values.indexer.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "indexer") }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: {{ .Values.common.xrayUserId }}
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/bash'
           - '-c'
@@ -998,13 +968,9 @@ spec:
       - name: {{ .Values.persist.name }}
         image: {{ include "xray.getImageInfoByValue" (list . "persist") }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: {{ .Values.common.xrayUserId }}
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
           - '/bin/bash'
           - '-c'
@@ -1154,12 +1120,9 @@ spec:
       {{- range .Values.xray.loggers }}
       - name: {{ . | replace "_" "-" | replace "." "-" }}
         image: {{ include "xray.getImageInfoByValue" (list $ "logger") }}
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         command:
         - 'sh'
         - '-c'
@@ -1181,12 +1144,9 @@ spec:
         - "-e"
         - "-E"
         - "http.enabled=true"
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-              - NET_RAW
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: filebeat-config
           mountPath: /usr/share/filebeat/filebeat.yml

diff --git a/stable/xray/values.yaml b/stable/xray/values.yaml
@@ -365,6 +365,18 @@ serviceAccount:
   name:
   ## Explicitly mounts the API credentials for the Service Account
   automountServiceAccountToken: true
+## By default, the Xray StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `common.xrayUserId` value.
+## If you want to disable the pod securityContext for the Xray StatefulSet, set this tag to false
+podSecurityContext:
+  enabled: true
+## @param containerSecurityContext.enabled enable the container's Security Context
+containerSecurityContext:
+  enabled: true
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - NET_RAW
 # PostgreSQL
 ## Configuration values for the postgresql dependency
 ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
@@ -679,31 +691,25 @@ common:
   #  - name: "custom-setup"
   #    image: "{{ .Values.initContainerImage }}"
   #    imagePullPolicy: "{{ .Values.imagePullPolicy }}"
-  #    securityContext:
-  #      runAsNonRoot: true
-  #      allowPrivilegeEscalation: false
-  #      capabilities:
-  #        drop:
-  #          - NET_RAW
+  #    {{- if .Values.containerSecurityContext.enabled }}
+  #    securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+  #    {{- end }}
   #    command:
   #      - 'sh'
   #      - '-c'
-  #      - 'touch {{ .Values.common.xrayConfigPath }}/example-custom-setup'
+  #      - 'touch {{ .Values.xray.persistence.mountPath }}/example-custom-setup'
   #    volumeMounts:
-  #      - mountPath: "{{ .Values.common.xrayConfigPath }}"
+  #      - mountPath: "{{ .Values.xray.persistence.mountPath }}"
   #        name: data-volume
 
   ## Add custom init containers execution after predefined init containers
   customInitContainers: ""
   #  - name: "custom-systemyaml-setup"
   #    image: "{{ .Values.initContainerImage }}"
   #    imagePullPolicy: "{{ .Values.imagePullPolicy }}"
-  #    securityContext:
-  #      runAsNonRoot: true
-  #      allowPrivilegeEscalation: false
-  #      capabilities:
-  #        drop:
-  #          - NET_RAW
+  #    {{- if .Values.containerSecurityContext.enabled }}
+  #    securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+  #    {{- end }}
   #    command:
   #      - 'sh'
   #      - '-c'
@@ -719,22 +725,17 @@ common:
   #  - name: "sidecar-list-etc"
   #    image: "{{ .Values.initContainerImage }}"
   #    imagePullPolicy: "{{ .Values.imagePullPolicy }}"
-  #    securityContext:
-  #      runAsNonRoot: true
-  #      allowPrivilegeEscalation: false
-  #      capabilities:
-  #        drop:
-  #          - NET_RAW
+  #    {{- if .Values.containerSecurityContext.enabled }}
+  #    securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+  #    {{- end }}
   #    command:
   #      - 'sh'
   #      - '-c'
-  #      - 'sh /scripts/script.sh'
+  #      - >
+  #       while true; do echo "running in sidecar"; sleep 2; done
   #    volumeMounts:
   #      - mountPath: "{{ .Values.xray.persistence.mountPath }}"
-  #        name: volume
-  #      - mountPath: "/scripts/script.sh"
-  #        name: custom-script
-  #        subPath: script.sh
+  #        name: data-volume
   #    resources:
   #      requests:
   #        memory: "32Mi"
@@ -1190,7 +1191,7 @@ observability:
   image:
     registry: releases-docker.jfrog.io
     repository: jfrog/observability
-    tag: 1.13.6
+    tag: 1.14.0
     imagePullPolicy: IfNotPresent
   internalPort: 8036
   resources: {}