diff --git a/stable/xray/CHANGELOG.md b/stable/xray/CHANGELOG.md
index 7a692422e..f08eb3df1 100644
--- a/stable/xray/CHANGELOG.md
+++ b/stable/xray/CHANGELOG.md
@@ -1,7 +1,10 @@
 # JFrog Xray Chart Changelog
 All changes to this chart will be documented in this file.
 
-## [103.79.11] - Jul 3, 2023
+## [103.80.9] - Jul 16, 2023
+* Added `podSecurityContext.enabled` and `containerSecurityContext.enabled` to support openshift
+
+## [103.79.0] - Jul 3, 2023
 * Added TLS support for rabbitmq
 * Moved common.extraEnvs to statefulset from values.yaml
 * Added `extraEnvVars` for each container
diff --git a/stable/xray/Chart.yaml b/stable/xray/Chart.yaml
index 3732b8a54..d6cbdc3bc 100644
--- a/stable/xray/Chart.yaml
+++ b/stable/xray/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 3.79.11
+appVersion: 3.80.9
 dependencies:
 - condition: postgresql.enabled
 name: postgresql
@@ -24,4 +24,4 @@ name: xray
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 103.79.11
+version: 103.80.9
diff --git a/stable/xray/templates/xray-statefulset.yaml b/stable/xray/templates/xray-statefulset.yaml
index e803457ba..cd54fb0df 100644
--- a/stable/xray/templates/xray-statefulset.yaml
+++ b/stable/xray/templates/xray-statefulset.yaml
@@ -85,12 +85,14 @@ spec:
 {{- end }}
 {{- end }}
 serviceAccountName: {{ template "xray.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
 securityContext:
 runAsUser: {{ .Values.common.xrayUserId }}
 fsGroup: {{ .Values.common.xrayGroupId }}
 {{- if .Values.common.fsGroupChangePolicy }}
 fsGroupChangePolicy: {{ .Values.common.fsGroupChangePolicy }}
 {{- end }}
+ {{- end }}
 {{- if .Values.common.topologySpreadConstraints }}
 topologySpreadConstraints:
 {{ tpl (toYaml .Values.common.topologySpreadConstraints) . | indent 8 }}
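Review bot: The new `podSecurityContext.enabled` guard in hunk @@ -85 switches off `runAsUser` and `fsGroup` together, and since the same commit removes the per-container `runAsUser: {{ .Values.common.xrayUserId }}` from the server-type containers (hunks @@ -237, -331, -497, -668, -839 and -998), disabling it leaves no explicit UID anywhere in the pod spec. The containers then run as whatever USER their image declares, and the default `containerSecurityContext.runAsNonRoot: true` makes the kubelet refuse to start any container whose image USER is root or non-numeric. That is presumably the intended OpenShift behaviour (an SCC assigns the UID), but neither the template nor the values document it. Suggest a comment above the guard: `# When podSecurityContext.enabled is false no runAsUser/fsGroup is rendered; the image USER (or an OpenShift SCC) must supply a non-root UID for runAsNonRoot to pass`. The pod spec continues outside the hunk.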
@@ -101,12 +103,9 @@ spec:
 {{- end }}
 - name: 'copy-system-yaml'
 image: '{{ .Values.initContainerImage }}'
- securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.initContainers.resources | indent 10 }}
 command:
@@ -176,12 +175,9 @@ spec:
 {{- if or .Values.xray.customCertificates.enabled .Values.global.customCertificates.enabled .Values.rabbitmq.auth.tls.enabled .Values.global.rabbitmq.auth.tls.enabled }}
 - name: copy-custom-certificates
 image: "{{ .Values.initContainerImage }}"
- securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.initContainers.resources | indent 10 }}
 command:
@@ -206,12 +202,9 @@ spec:
 {{- if .Values.postgresql.enabled }}
 - name: "wait-for-db"
 image: "{{ .Values.initContainerImage }}"
- securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.initContainers.resources | indent 10 }}
 command:
@@ -237,13 +230,9 @@ spec:
 - name: {{ .Values.router.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "router") }}
 imagePullPolicy: {{ .Values.router.image.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.common.xrayUserId }}
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/sh'
 - '-c'
@@ -292,12 +281,9 @@ spec:
 - name: {{ .Values.observability.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "observability") }}
 imagePullPolicy: {{ .Values.observability.image.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/sh'
 - '-c'
@@ -331,13 +317,9 @@ spec:
 - name: {{ .Values.server.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "server") }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.common.xrayUserId }}
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/bash'
 - '-c'
@@ -497,13 +479,9 @@ spec:
 - name: {{ .Values.analysis.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "analysis") }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.common.xrayUserId }}
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/bash'
 - '-c'
@@ -668,13 +646,9 @@ spec:
 - name: {{ .Values.sbom.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "sbom") }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.common.xrayUserId }}
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/bash'
 - '-c'
@@ -839,13 +813,9 @@ spec:
 - name: {{ .Values.indexer.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "indexer") }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.common.xrayUserId }}
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/bash'
 - '-c'
@@ -998,13 +968,9 @@ spec:
 - name: {{ .Values.persist.name }}
 image: {{ include "xray.getImageInfoByValue" (list . "persist") }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- securityContext:
- runAsNonRoot: true
- runAsUser: {{ .Values.common.xrayUserId }}
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - '/bin/bash'
 - '-c'
@@ -1154,12 +1120,9 @@ spec:
 {{- range .Values.xray.loggers }}
 - name: {{ . | replace "_" "-" | replace "." "-" }}
 image: {{ include "xray.getImageInfoByValue" (list $ "logger") }}
- securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 command:
 - 'sh'
 - '-c'
@@ -1181,12 +1144,9 @@ spec:
 - "-e"
 - "-E"
 - "http.enabled=true"
- securityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - NET_RAW
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ {{- end }}
 volumeMounts:
 - name: filebeat-config
 mountPath: /usr/share/filebeat/filebeat.yml
diff --git a/stable/xray/values.yaml b/stable/xray/values.yaml
index 4f9cddf88..368bd9436 100644
--- a/stable/xray/values.yaml
+++ b/stable/xray/values.yaml
@@ -365,6 +365,18 @@ serviceAccount:
 name:
 ## Explicitly mounts the API credentials for the Service Account
 automountServiceAccountToken: true
+## By default, the Xray StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `common.xrayUserId` value.
+## If you want to disable the pod securityContext for the Xray StatefulSet, set this tag to false
+podSecurityContext:
+ enabled: true
+## @param containerSecurityContext.enabled enable the container's Security Context
+containerSecurityContext:
+ enabled: true
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - NET_RAW
 # PostgreSQL
 ## Configuration values for the postgresql dependency
 ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
@@ -679,18 +691,15 @@ common:
 # - name: "custom-setup"
 # image: "{{ .Values.initContainerImage }}"
 # imagePullPolicy: "{{ .Values.imagePullPolicy }}"
- # securityContext:
- # runAsNonRoot: true
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop:
- # - NET_RAW
+ # {{- if .Values.containerSecurityContext.enabled }}
+ # securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ # {{- end }}
 # command:
 # - 'sh'
 # - '-c'
- # - 'touch {{ .Values.common.xrayConfigPath }}/example-custom-setup'
+ # - 'touch {{ .Values.xray.persistence.mountPath }}/example-custom-setup'
 # volumeMounts:
- # - mountPath: "{{ .Values.common.xrayConfigPath }}"
+ # - mountPath: "{{ .Values.xray.persistence.mountPath }}"
 # name: data-volume
 
 ## Add custom init containers execution after predefined init containers
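Review bot: The comment added above `podSecurityContext` in hunk @@ -365 states that both `runAsUser` and `fsGroup` are set to `common.xrayUserId`, but the template renders `fsGroup` from `common.xrayGroupId` (hunk @@ -85 of xray-statefulset.yaml); change it to `## ... sets runAsUser to common.xrayUserId and fsGroup to common.xrayGroupId`. The `containerSecurityContext` block documents only `enabled`, yet every key other than `enabled` is rendered verbatim into each init container, sidecar and main container of the StatefulSet, and `enabled: false` removes `runAsNonRoot`, `allowPrivilegeEscalation: false` and the `NET_RAW` drop from all of them at once; a comment stating that, and that the OpenShift case from the changelog needs only `podSecurityContext.enabled: false`, would keep users from loosening more than intended. The two comment styles also differ (`## @param ...` for one key, prose `##` for the other); pick one. Minor wording: `set this tag to false` reads better as `set this to false`.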
@@ -698,12 +707,9 @@ common:
 # - name: "custom-systemyaml-setup"
 # image: "{{ .Values.initContainerImage }}"
 # imagePullPolicy: "{{ .Values.imagePullPolicy }}"
- # securityContext:
- # runAsNonRoot: true
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop:
- # - NET_RAW
+ # {{- if .Values.containerSecurityContext.enabled }}
+ # securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ # {{- end }}
 # command:
 # - 'sh'
 # - '-c'
@@ -719,22 +725,17 @@ common:
 # - name: "sidecar-list-etc"
 # image: "{{ .Values.initContainerImage }}"
 # imagePullPolicy: "{{ .Values.imagePullPolicy }}"
- # securityContext:
- # runAsNonRoot: true
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop:
- # - NET_RAW
+ # {{- if .Values.containerSecurityContext.enabled }}
+ # securityContext: {{- tpl (omit .Values.containerSecurityContext "enabled" | toYaml) . | nindent 10 }}
+ # {{- end }}
 # command:
 # - 'sh'
 # - '-c'
- # - 'sh /scripts/script.sh'
+ # - >
+ # while true; do echo "running in sidecar"; sleep 2; done
 # volumeMounts:
 # - mountPath: "{{ .Values.xray.persistence.mountPath }}"
- # name: volume
- # - mountPath: "/scripts/script.sh"
- # name: custom-script
- # subPath: script.sh
+ # name: data-volume
 # resources:
 # requests:
 # memory: "32Mi"
@@ -1190,7 +1191,7 @@ observability:
 image:
 registry: releases-docker.jfrog.io
 repository: jfrog/observability
- tag: 1.13.6
+ tag: 1.14.0
 imagePullPolicy: IfNotPresent
 internalPort: 8036
 resources: {}