From 85ab8e657809dabdf822b26294923d5abf6a26d4 Mon Sep 17 00:00:00 2001
From: Mikhail Klimko
Date: Mon, 1 Sep 2025 11:29:20 +0300
Subject: [PATCH 01/15] onprem: 3.0
---
.../hooks/mongoSetCompatibilityVersion.sh | 13 +-
.../files/seed/postgresSeedJobScript.sh | 21 +-
.../{defaults-hpa.yaml => defaults.yaml} | 27 +-
.../.ci/values/mtls-mongodb-redis.yaml | 8 +-
charts/codefresh/Chart.lock | 96 +--
charts/codefresh/Chart.yaml | 73 +-
charts/codefresh/README.md | 407 +++++++++---
charts/codefresh/README.md.gotmpl | 396 ++++++++---
charts/codefresh/files/mongoSeedJobScript.sh | 57 +-
charts/codefresh/templates/_helpers.tpl | 11 +-
.../configmaps/runtimeEnvironments.json.tpl | 60 +-
.../pre-upgrade/delete-consul-svc-job.yaml | 2 +-
.../enable-stable-flags-rabbitmq-job.yaml | 83 +++
.../enable-stable-flags-rabbitmq-secret.yaml | 20 +
.../codefresh/templates/secrets/secret.yaml | 4 +-
.../templates/seed/mongo-seed-job.yaml | 11 +
.../templates/seed/postgres-seed-job.yaml | 4 +
charts/codefresh/values.yaml | 112 ++--
indexes/codefresh/agenttasks.json | 37 +-
.../codefresh/feature-store-versioned.json | 29 +-
indexes/codefresh/users.json | 15 +
indexes/codefresh/workflowprocesses.json | 616 ++++++++---------
indexes/read-models/analysisruns.json | 523 +++++++--------
indexes/read-models/images-binaries.json | 125 ++--
indexes/read-models/product-releases.json | 105 +++
indexes/read-models/releases.json | 260 +++-----
indexes/read-models/rollouts.json | 621 +++++++++---------
scripts/update_re_images.sh | 2 +-
28 files changed, 2167 insertions(+), 1571 deletions(-)
rename charts/codefresh/.ci/values/{defaults-hpa.yaml => defaults.yaml} (71%)
create mode 100644 charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-job.yaml
create mode 100644 charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-secret.yaml
create mode 100644 indexes/codefresh/users.json
create mode 100644 indexes/read-models/product-releases.json
diff --git a/charts/codefresh-gitops/files/hooks/mongoSetCompatibilityVersion.sh b/charts/codefresh-gitops/files/hooks/mongoSetCompatibilityVersion.sh index b539b9e6f..b7a7ab3ba 100644 --- a/charts/codefresh-gitops/files/hooks/mongoSetCompatibilityVersion.sh +++ b/charts/codefresh-gitops/files/hooks/mongoSetCompatibilityVersion.sh @@ -16,6 +16,11 @@ waitForMongoDB() { done } +getMongoDBVersion() { + local version=$(mongosh ${MONGODB_ROOT_URI} --eval "db.version()" 2>&1) + echo $version +} + parseMongoURI() { local proto="$(echo $1 | grep :// | sed -e's,^\(.*://\).*,\1,g')" local parameters="$(echo $1 | grep '?' | cut -d '?' -f2)"; if [[ -n $parameters ]]; then parameters="?${parameters}"; fi @@ -33,4 +38,10 @@ parseMongoURI $MONGO_URI waitForMongoDB -mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand( { setFeatureCompatibilityVersion: \"$MONGODB_COMPAT_VERSION\" } )" +MONGO_VERSION=$(getMongoDBVersion) + +if [[ $MONGO_VERSION == 7* ]]; then + mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand( { setFeatureCompatibilityVersion: \"$MONGODB_COMPAT_VERSION\", confirm: true } )" +else + mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand( { setFeatureCompatibilityVersion: \"$MONGODB_COMPAT_VERSION\" } )" +fi diff --git a/charts/codefresh-gitops/files/seed/postgresSeedJobScript.sh b/charts/codefresh-gitops/files/seed/postgresSeedJobScript.sh index 8ba8852ac..fa4950606 100644 --- a/charts/codefresh-gitops/files/seed/postgresSeedJobScript.sh +++ b/charts/codefresh-gitops/files/seed/postgresSeedJobScript.sh @@ -1,6 +1,14 @@ #!/bin/bash -set -xeuo pipefail +DEBUG="${DEBUG:-false}" + + +set -euo pipefail + +if [[ $DEBUG == "true" ]]; then + set -xeuo pipefail + echo "Running in debug mode" +fi POSTGRES_DATABASES=( "codefresh" 
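Review bot: `getMongoDBVersion` in mongoSetCompatibilityVersion.sh folds stderr into its return value with `2>&1`, so any warning or connection error that mongosh prints ends up inside `MONGO_VERSION`, and `local version=$(…)` hides a failed mongosh call from the caller. Capture stdout only and propagate the status, e.g. `local version; version=$(mongosh "${MONGODB_ROOT_URI}" --quiet --eval "db.version()") || return`, followed by `printf '%s\n' "$version"`. Quoting `${MONGODB_ROOT_URI}` matters here because the URI carries credentials and a `?…` query string that the shell would otherwise subject to word splitting and globbing.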
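Review bot: The `[[ $MONGO_VERSION == 7* ]]` test at the end of mongoSetCompatibilityVersion.sh adds `confirm: true` only for a 7.x server, while MongoDB documents the confirmation as required from 7.0 onward, so a later major version would take the `else` branch and the hook would presumably fail. The `else` branch is also taken silently when the version lookup returned an error string instead of a version. Compare the numeric major instead, e.g. `major=${MONGO_VERSION%%.*}` and `if [[ $major =~ ^[0-9]+$ ]] && (( major >= 7 )); then`, and exit with a message when the value cannot be parsed. The two `mongosh` calls differ only in the `confirm` field, so building the command document once would keep them from drifting apart.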
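Review bot: With `DEBUG=true` the first hunk of postgresSeedJobScript.sh turns xtrace back on, and `runSeed` later runs `export PGPASSWORD=${POSTGRES_SEED_PASSWORD}`, so in debug mode the seed password is written to the job log. Document that next to the default, e.g. `# DEBUG=true enables xtrace, which prints PGPASSWORD to the job log; keep it off outside troubleshooting`, or bracket the credential exports with `set +x`. Inside the `if`, `set -x` alone is enough, since `-euo pipefail` is already applied by the line above it.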
@@ -20,7 +28,9 @@ POSTGRES_SEED_USER="${POSTGRES_SEED_USER:-$POSTGRES_USER}" POSTGRES_SEED_PASSWORD="${POSTGRES_SEED_PASSWORD:-$POSTGRES_PASSWORD}" function createDB() { - psql -tc "SELECT 1 FROM pg_database WHERE datname = '${1}'" | grep -q 1 || psql -c "CREATE DATABASE ${1}" + local db=$1 + echo "Creating ${db} database" + psql -c "CREATE DATABASE ${db}" 2>&1 || true } function createUser() { @@ -29,7 +39,9 @@ function createUser() { } function grantPrivileges() { - psql -c "GRANT ALL ON DATABASE ${1} TO ${POSTGRES_USER}" + local db=$1 + echo "Granting privileges on $db to ${POSTGRES_USER}" + psql -c "GRANT ALL ON DATABASE ${db} TO ${POSTGRES_USER}" } function runSeed() { @@ -38,6 +50,7 @@ function runSeed() { export PGPASSWORD=${POSTGRES_SEED_PASSWORD} export PGHOST=${POSTGRES_HOSTNAME} export PGPORT=${POSTGRES_PORT} + export PGDATABASE=postgres # Use the default postgres database if [[ "${POSTGRES_SEED_USER}" != "${POSTGRES_USER}" ]]; then createUser @@ -51,4 +64,4 @@ function runSeed() { done } -runSeed \ No newline at end of file +runSeed diff --git a/charts/codefresh/.ci/values/defaults-hpa.yaml b/charts/codefresh/.ci/values/defaults.yaml similarity index 71% rename from charts/codefresh/.ci/values/defaults-hpa.yaml rename to charts/codefresh/.ci/values/defaults.yaml index 2b5a4bc0f..2f80ae4cd 100644 --- a/charts/codefresh/.ci/values/defaults-hpa.yaml +++ b/charts/codefresh/.ci/values/defaults.yaml @@ -22,7 +22,7 @@ cfapi: ingress: enabled: true - ingressClassName: nginx-internal + ingressClassName: nginx tls: enabled: false @@ -75,3 +75,28 @@ argo-platform: promotion-orchestrator: hpa: enabled: true + +mongodb: + migration: + enabled: true + image: + repository: bitnamilegacy/mongodb + nodeSelector: + kubernetes.io/arch: amd64 + +consul: + image: + repository: bitnamilegacy/consul + +nats: + image: + repository: bitnamilegacy/nats + +rabbitmq: + image: + repository: bitnamilegacy/rabbitmq + +hooks: + mongodb: + nodeSelector: + kubernetes.io/arch: amd64 
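Review bot: `psql -c "CREATE DATABASE ${db}" 2>&1 || true` in `createDB` now ignores every failure, not only "database already exists", so an unreachable server, rejected credentials or a missing CREATEDB privilege is reported as success and only surfaces later, if at all. Now that `runSeed` exports `PGDATABASE=postgres`, the earlier existence probe should work again: `psql -tAc "SELECT 1 FROM pg_database WHERE datname = '${db}'" | grep -q 1 || psql -c "CREATE DATABASE ${db}"`. That keeps the step idempotent while letting real errors stop the job under `set -e`.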
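Review bot: The `bitnamilegacy/*` repositories added to defaults.yaml for mongodb, consul, nats and rabbitmq are set without a tag or digest, and as far as the Bitnami notice linked from Chart.yaml in this patch describes it, the legacy namespace is an archive that no longer receives updates. These components therefore run whatever tag the subchart defaults to, with no path to security fixes. Add a comment marking this as a stopgap, e.g. `# bitnamilegacy is a frozen archive; track migration to a maintained image`, and pin `image.digest` where the subchart supports it so the pulled content is at least fixed and auditable.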
diff --git a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml index 6ba0f60cb..f3b58710c 100644 --- a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml +++ b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml @@ -1,6 +1,8 @@ seed: mongoSeedJob: mongodbRootURI: mongodb://root:XT9nmM8dZDZ@cf-mongodb:27017/?authSource=admin + mongodbRootOptions: authSource=admin + mongodbRootPassword: XT9nmM8dZDZ global: appUrl: "" # placeholder for ${CF_APP_HOST} @@ -86,9 +88,9 @@ mongodb: mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB('${MONGODB_DATABASE}').createCollection('test')" done - mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json - mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json - mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json +# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json +# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json +# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json extraVolumeMounts: - name: extras diff --git a/charts/codefresh/Chart.lock b/charts/codefresh/Chart.lock index 98cc11773..7c8f22d3a 100644 --- a/charts/codefresh/Chart.lock +++ b/charts/codefresh/Chart.lock 
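Review bot: `mongodbRootPassword` is added to mtls-mongodb-redis.yaml as a plaintext literal, a second copy of the root password already embedded in `mongodbRootURI` two lines above. If this is a throwaway credential for ephemeral CI clusters, say so in a comment, e.g. `# CI-only test credential, never reused outside ephemeral test clusters`. Otherwise supply it through the `mongodbRootPasswordSecretKeyRef` value that the README in this patch documents, so the secret stays out of the repository and out of rendered values.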
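Review bot: The three `mongoimport` calls in the second hunk are commented out rather than removed, and no reason is given, so a reader cannot tell whether the idps/accounts/users fixtures are now seeded elsewhere or the import is temporarily disabled. Either delete the lines or add a one-line comment explaining why they are off. The `extras` volume mount that follows is only partly visible in this hunk; check whether it is still needed once nothing reads `/usr/share/extras/*.json`.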
@@ -4,16 +4,16 @@ dependencies: version: 0.18.1 - name: internal-gateway repository: oci://quay.io/codefresh/charts - version: 0.10.2 + version: 0.11.0 - name: consul repository: https://charts.bitnami.com/bitnami - version: 11.4.17 + version: 11.4.32 - name: mongodb repository: https://charts.bitnami.com/bitnami version: 15.6.26 - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 16.7.4 + version: 16.7.15 - name: postgresql-ha repository: oci://quay.io/codefresh/charts version: 12.0.4 @@ -28,7 +28,7 @@ dependencies: version: 15.5.3 - name: nats repository: https://charts.bitnami.com/bitnami - version: 9.0.17 + version: 9.0.22 - name: builder repository: oci://quay.io/codefresh/charts version: 1.4.0 
@@ -37,135 +37,135 @@ dependencies: version: 1.4.0 - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx - version: 4.12.1 + version: 4.12.5 - name: cluster-providers repository: oci://quay.io/codefresh/charts - version: 1.17.15 + version: 1.18.0 - name: kube-integration repository: oci://quay.io/codefresh/charts - version: 1.31.19 + version: 1.32.0 - name: charts-manager repository: oci://quay.io/codefresh/charts - version: 1.23.1 + version: 1.23.4 - name: cfsign repository: oci://quay.io/codefresh/charts - version: 1.8.8 + version: 1.8.10 - name: tasker-kubernetes repository: oci://quay.io/codefresh/charts - version: 1.26.18 + version: 1.27.0 - name: context-manager repository: oci://quay.io/codefresh/charts - version: 2.34.2 + version: 2.34.5 - name: pipeline-manager repository: oci://quay.io/codefresh/charts - version: 3.139.2 + version: 3.139.5 - name: gitops-dashboard-manager repository: oci://quay.io/codefresh/charts - version: 1.14.22 + version: 1.15.0 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: 
oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.2 + version: 21.279.8 - name: cfui repository: oci://quay.io/codefresh/charts - version: 14.98.27 + version: 14.98.29 - name: k8s-monitor repository: oci://quay.io/codefresh/charts - version: 4.11.14 + version: 4.11.16 - name: runtime-environment-manager repository: oci://quay.io/codefresh/charts - version: 3.41.1 + version: 3.41.5 - name: cf-broadcaster repository: oci://quay.io/codefresh/charts - version: 1.13.0 + version: 1.14.0 - name: helm-repo-manager repository: oci://quay.io/codefresh/charts version: 0.20.2 - name: hermes repository: oci://quay.io/codefresh/charts - version: 0.21.18 + version: 0.21.20 - name: nomios repository: oci://quay.io/codefresh/charts - version: 0.11.10 + version: 0.11.11 - name: cronus repository: oci://quay.io/codefresh/charts - version: 0.8.10 + version: 0.8.12 - name: cf-platform-analytics repository: oci://quay.io/codefresh/charts - version: 0.49.87 + version: 0.51.0 - name: cf-platform-analytics repository: oci://quay.io/codefresh/charts - version: 0.49.87 + version: 0.51.0 - name: argo-platform repository: oci://quay.io/codefresh/charts - version: 1.3506.0 + version: 1.3525.3-onprem-24aeab4 - name: argo-hub-platform repository: oci://quay.io/codefresh/charts - version: 0.1.23 + version: 0.1.27 - name: 
cf-oidc-provider repository: oci://quay.io/codefresh/charts - version: 0.0.16 + version: 0.1.0 - name: mailer repository: oci://quay.io/codefresh/charts - version: 1.20.8 + version: 1.21.0 - name: payments repository: oci://quay.io/codefresh/charts - version: 2.23.18 + version: 2.24.1 - name: segment-reporter repository: oci://quay.io/codefresh/charts - version: 1.17.8 + version: 1.18.0 - name: salesforce-reporter repository: oci://quay.io/codefresh/charts version: 1.30.11 -digest: sha256:814b879b8e7b0b276c66b821c69c2c22febbbec4a30fed89117d50530ae0ea5e -generated: "2025-05-19T23:11:03.858637+03:00" +digest: sha256:4e7b52e0ee6d81e910d3e7352b14cb5a7d01c51a7bcd7a8e455c53cc2564d982 +generated: "2025-08-29T15:06:33.935106+03:00" diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 59e0e1a85..622c9b297 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Helm Chart for Codefresh On-Prem name: codefresh -version: 2.8.0 +version: 2.8.13 keywords: - codefresh home: https://codefresh.io/ 
@@ -11,25 +11,30 @@ sources: maintainers: - name: codefresh url: https://codefresh-io.github.io/ -appVersion: 2.7.0 +appVersion: 2.8.0 annotations: - artifacthub.io/prerelease: "true" + artifacthub.io/prerelease: "false" artifacthub.io/alternativeName: "codefresh-onprem" artifacthub.io/containsSecurityUpdates: "true" # supported kinds are added, changed, deprecated, removed, fixed and security. artifacthub.io/changes: | - kind: changed - description: "Initial 2.8.0 release" + description: "Update internal-gateway" + - kind: changed + description: "Change bitnami subcharts to use bitnamilegacy repository" + links: + - name: GitHub Issue + url: https://github.com/bitnami/charts/issues/35164 dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts version: 0.18.1 - name: internal-gateway repository: oci://quay.io/codefresh/charts - version: 0.10.2 + version: 0.11.0 condition: internal-gateway.enabled - name: consul - version: 11.4.17 + version: 11.4.32 repository: https://charts.bitnami.com/bitnami condition: consul.enabled - name: mongodb @@ -37,7 +42,7 @@ dependencies: repository: https://charts.bitnami.com/bitnami condition: mongodb.enabled,mongo.enabled,global.mongoDeploy - name: postgresql - version: 16.7.4 + version: 16.7.15 repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled - name: postgresql-ha @@ -57,7 +62,7 @@ dependencies: repository: https://charts.bitnami.com/bitnami condition: rabbitmq.enabled - name: nats - version: 9.0.17 + version: 9.0.22 repository: https://charts.bitnami.com/bitnami condition: nats.enabled - name: builder @@ -69,7 +74,7 @@ dependencies: condition: runner.enabled version: 1.4.0 - name: ingress-nginx - version: 4.12.1 + version: 4.12.5 repository: https://kubernetes.github.io/ingress-nginx condition: ingress-nginx.enabled - name: cluster-providers 
@@ -81,7 +86,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: kube-integration.enabled - name: charts-manager - version: "*" + version: "~1.23.0" repository: oci://quay.io/codefresh/charts condition: charts-manager.enabled - name: cfsign @@ -93,11 +98,11 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: tasker-kubernetes.enabled - name: context-manager - version: "*" + version: "~2.34.0" repository: oci://quay.io/codefresh/charts condition: context-manager.enabled - name: pipeline-manager - version: "*" + version: "~3.139.0" repository: oci://quay.io/codefresh/charts condition: pipeline-manager.enabled - name: gitops-dashboard-manager 
@@ -106,96 +111,96 @@ dependencies: condition: gitops-dashboard-manager.enabled - name: cfapi alias: cfapi - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi.enabled - name: cfapi alias: cfapi-auth - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-auth.enabled - name: cfapi alias: cfapi-internal - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-internal.enabled - name: cfapi alias: cfapi-ws - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-ws.enabled - name: cfapi alias: cfapi-admin - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-admin.enabled - name: cfapi alias: cfapi-endpoints - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-endpoints.enabled - name: cfapi alias: cfapi-terminators - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-terminators.enabled - name: cfapi alias: cfapi-sso-group-synchronizer - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-sso-group-synchronizer.enabled - name: cfapi alias: cfapi-buildmanager - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-buildmanager.enabled - name: cfapi alias: cfapi-cacheevictmanager - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-cacheevictmanager.enabled - name: cfapi alias: cfapi-eventsmanagersubscriptions - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-eventsmanagersubscriptions.enabled - name: cfapi alias: cfapi-kubernetesresourcemonitor - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-kubernetesresourcemonitor.enabled - name: cfapi 
alias: cfapi-environments - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-environments.enabled - name: cfapi alias: cfapi-gitops-resource-receiver - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-gitops-resource-receiver.enabled - name: cfapi alias: cfapi-downloadlogmanager - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-downloadlogmanager.enabled - name: cfapi alias: cfapi-teams - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-teams.enabled - name: cfapi alias: cfapi-kubernetes-endpoints - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-kubernetes-endpoints.enabled - name: cfapi alias: cfapi-test-reporting - version: "*" + version: "~21.279.0" repository: oci://quay.io/codefresh/charts condition: cfapi-test-reporting.enabled - name: cfui - version: "*" + version: "~14.98.0" repository: oci://quay.io/codefresh/charts condition: cfui.enabled - name: k8s-monitor @@ -203,7 +208,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: k8s-monitor.enabled - name: runtime-environment-manager - version: "*" + version: "~3.41.0" repository: oci://quay.io/codefresh/charts condition: runtime-environment-manager.enabled - name: cf-broadcaster @@ -211,7 +216,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: cf-broadcaster.enabled - name: helm-repo-manager - version: "*" + version: "0.20.2" repository: oci://quay.io/codefresh/charts condition: helm-repo-manager.enabled - name: hermes @@ -237,7 +242,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: argo-platform.enabled - name: argo-platform - version: "*" + version: "1.3525.3-onprem-24aeab4" repository: oci://quay.io/codefresh/charts condition: argo-platform.enabled - name: argo-hub-platform 
diff --git a/charts/codefresh/README.md b/charts/codefresh/README.md index ec4d301e0..e0b141dc2 100644 --- a/charts/codefresh/README.md +++ b/charts/codefresh/README.md @@ -1,6 +1,6 @@ ## Codefresh On-Premises -![Version: 2.8.0](https://img.shields.io/badge/Version-2.8.0-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square) +![Version: 2.8.13](https://img.shields.io/badge/Version-2.8.13-informational?style=flat-square) ![AppVersion: 2.8.0](https://img.shields.io/badge/AppVersion-2.8.0-informational?style=flat-square) Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. @@ -24,7 +24,6 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - [Configuration with ALB (Application Load Balancer)](#configuration-with-alb-application-load-balancer) - [Configuration with Private Registry](#configuration-with-private-registry) - [Configuration with multi-role CF-API](#configuration-with-multi-role-cf-api) - - [Indexes in MongoDB](#indexes-in-mongodb) - [High Availability](#high-availability) - [Mounting private CA certs](#mounting-private-ca-certs) - [Installing on OpenShift](#installing-on-openshift) @@ -36,6 +35,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - [X-Frame-Options response header](#x-frame-options-response-header) - [Image digests in containers](#image-digests-in-containers) - [Configuring OIDC Provider](#configuring-oidc-provider) +- [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) - [Upgrading](#upgrading) - [To 2.0.0](#to-2-0-0) - [To 2.0.12](#to-2-0-12) 
@@ -67,7 +67,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - GCR Service Account JSON `sa.json` (provided by Codefresh, contact support@codefresh.io) - Firebase [Realtime Database URL](https://firebase.google.com/docs/database/web/start#create_a_database) with [legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens). See [Firebase Configuration](#firebase-configuration) - Valid TLS certificates for Ingress -- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)) +- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)). The `pg_cron` extension should be the 1.4 version or higher for Azure Postgres DB. ## Get Repo Info @@ -80,8 +80,6 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) **Important:** only helm 3.8.0+ is supported -**Important:** Read about [Indexes in MongoDB](#indexes-in-mongodb) before installation - Edit default `values.yaml` or create empty `cf-values.yaml` - Pass `sa.json` (as a single line) to `.Values.imageCredentials.password` 
@@ -94,7 +92,7 @@ imageCredentials: password: '{ "type": "service_account", "project_id": "codefresh-enterprise", "private_key_id": ... }' ``` -- Specify `.Values.global.appUrl`, `.Values.global.firebaseUrl` and `.Values.global.firebaseSecret` +- Specify `.Values.global.appUrl`, `.Values.global.firebaseUrl`, `.Values.global.firebaseSecret`, `.Values.global.env.MONGOOSE_AUTO_INDEX`, `.Values.global.env.MONGO_AUTOMATIC_INDEX_CREATION` ```yaml global: @@ -119,6 +117,9 @@ global: # name: my-secret # key: firebase-secret + # -- Enable index creation in MongoDB + # This is required for first-time installations! + # Before usage in Production, you must set it to `false` or remove it! env: MONGOOSE_AUTO_INDEX: "true" MONGO_AUTOMATIC_INDEX_CREATION: "true" @@ -178,6 +179,17 @@ ingress-nginx: --timeout 15m ``` +### ⚠️ **MANDATORY** Post-Installation Action Items + +Once your Codefresh On-Prem instance is installed, configured, and confirmed to be ready for production use, the following variables must be set to `false` or removed: + +```yaml +global: + env: + MONGOOSE_AUTO_INDEX: "false" + MONGO_AUTOMATIC_INDEX_CREATION: "false" +``` + ## Chart Configuration See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: 
@@ -193,9 +205,9 @@ The following table displays the list of **persistent** services created as part | Database | Purpose | Required version | | :--- | :---- | :--- | | MongoDB | Stores all account data (account settings, users, projects, pipelines, builds etc.) | 7.x | -| Postgresql | Stores data about events for the account (pipeline updates, deletes, etc.). The audit log uses the data from this database. | 17.x | +| Postgresql | Stores data about events for the account (pipeline updates, deletes, etc.). The audit log uses the data from this database. | 16.x or 17.x | | Redis | Used for caching, and as a key-value store for cron trigger manager. | 7.0.x | -| RabbitMQ | Used for message queueing. | 4.0.x | +| RabbitMQ | Used for message queueing. | 3.13 \| 4.0.x | > Running on netfs (nfs, cifs) is not recommended. @@ -215,6 +227,17 @@ However, you might need to use external services like [MongoDB Atlas Database](h #### External MongoDB +> ⚠️ **Important!** If you use MongoDB Atlas, you must create user with `Write` permissions before installing Codefresh:
+> Then, provide the user credentials in the chart values at
+`.Values.global.mongodbUser/mongodbRootUserSecretKeyRef`
+`.Values.global.mongodbPassword/mongodbRootPasswordSecretKeyRef`
+`.Values.seed.mongoSeedJob.mongodbRootUser/mongodbRootUserSecretKeyRef`
+`.Values.seed.mongoSeedJob.mongodbRootPassword/mongodbRootPasswordSecretKeyRef`
+> Ref:
+> [Create Users in Atlas](https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#configure-database-users) + +`values.yaml` for external MongoDB: + ```yaml seed: mongoSeedJob: @@ -386,6 +409,26 @@ postgresql: enabled: false ``` +##### Using SSL with a PostgreSQL + +Provide the following env vars to enforce SSL connection to PostgresSQL: + +```yaml +global: + env: + # More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html + PGSSLMODE: "require" + +helm-repo-manager: + env: + POSTGRES_DISABLE_SSL: "false" +``` + +> ⚠️ **Important!**
+> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.
+> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).
+> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs) + #### External Redis ```yaml @@ -418,7 +461,9 @@ redis: > If ElastiCache is used, set `REDIS_TLS` to `true` in `.Values.global.env` -``` +> ⚠️ ElastiCache with **Cluster mode** is not supported! + +```yaml global: env: REDIS_TLS: true 
@@ -782,58 +827,6 @@ cfapi-test-reporting: enabled: true ``` -⚠️ ⚠️ ⚠️ -### Indexes in MongoDB -⚠️ ⚠️ ⚠️ - -Indexes in MongoDB are essential for efficient query performance, especially as your data grows. Without proper indexes, MongoDB must perform full collection scans to find matching documents, which can significantly slow down operations and increase resource usage. For production environments, ensuring that all frequently queried fields are indexed is vital to maintain optimal performance and scalability. - -Auto-index creation in MongoDB is disabled by default in Codefresh On-Prem to prevent unexpected performance issues in production environments during upgrades. When enabled, MongoDB will automatically create indexes for fields used in queries, which can lead to high CPU and disk usage, increased I/O, and potential service disruptions—especially on large datasets. By requiring manual index management, administrators can plan index creation during maintenance windows, ensuring system stability and predictable performance before upgrading Codefresh On-Prem. - -It is critical to ensure that your MongoDB indexes are always aligned with the latest recommended state for your Codefresh On-Prem version. Outdated or missing indexes can lead to degraded performance, slow queries, and increased resource consumption. Always review release notes and update or create indexes as specified during upgrades or when new collections/fields are introduced. Regularly auditing and maintaining your indexes helps ensure optimal system reliability and scalability. - -The indexes list is located at the [codefresh-io/codefresh-onprem-helm](https://github.com/codefresh-io/codefresh-onprem-helm/tree/onprem-2.8.0/indexes) repository. -The indexes are stored in JSON files with keys and options specified. 
- -The directory structure is: - -```console -codefresh-onprem-helm -├── indexes -│ ├── # MongoDB database name -│ │ ├── .json # MongoDB indexes for the specified collection -``` - -#### Enabling auto-index creation - -For first-time installations, you **must** enable auto-index creation by setting the following values: - -```yaml -global: - env: - MONGOOSE_AUTO_INDEX: "true" - MONGO_AUTOMATIC_INDEX_CREATION: "true" -``` - -You **should** disable it for the next upgrades by setting these variables to `false`: - -```yaml -global: - env: - MONGOOSE_AUTO_INDEX: "false" - MONGO_AUTOMATIC_INDEX_CREATION: "false" -``` - -#### Creating Indexes manually - -> **Note!** If you have a large amount of MongoDB data, it is recommended to create indexes manually. Enabling auto-index creation can cause performance degradation during the index creation process with large datasets. - -Depending on your MongoDB service (e.g., Atlas, self-hosted), you can create indexes using the MongoDB shell or the Atlas UI. - -Ref: -- [Create an Index in Atlas DB](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/#create-an-index) -- [Create an Index with mongosh](https://www.mongodb.com/docs/manual/reference/method/db.collection.createIndex/) - ### High Availability The chart installs the non-HA version of Codefresh by default. If you want to run Codefresh in HA mode, use the example values below. @@ -1196,7 +1189,7 @@ cfapi: ### Projects pipelines limit ```yaml -cfapi: +pipeline-manager: env: # Determines project's pipelines limit (default: 500) PROJECT_PIPELINES_LIMIT: 500 
@@ -1483,6 +1476,87 @@ To see all the claims supported by Codefresh OIDC provider, see `claims_supporte Use [obtain-oidc-id-token](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/obtain-oidc-id-token/step.yaml#L27-L58) and [aws-sts-assume-role-with-web-identity](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/aws-sts-assume-role-with-web-identity/step.yaml#L29-L63) steps to exchange the OIDC token (JWT) for a cloud access token. +## Maintaining MongoDB Indexes + +Sometimes, in new releases of Codefresh On-Prem, index requirements change. When this happens, it's mentioned in the [Upgrading section](#upgrading) for the specific release. + +> ℹ️ If you're upgrading from version `X` to version `Y`, and index requirements were updated in any of the intermediate versions, you only need to align your indexes with the index requirements of version `Y`. To do that, follow [Index alignment](#index-alignment) instructions. + +### Index alignment + +The required index definitions for each release can be found at the following resources: + +- `2.6` +- `2.7` +- `2.8` + +The indexes are stored in JSON files with keys and options specified. + +The directory structure is: + +```console +indexes +├── # MongoDB database name +│ ├── .json # MongoDB indexes for the specified collection +``` + +**Overview of the index alignment process:** + +1. Identify the differences between the indexes in your MongoDB instance and the required index definitions. +2. Create any missing indexes one by one. (It's important not to create them in bulk.) +3. Perform the upgrade of Codefresh On-Prem installation. +4. Then remove any unnecessary indexes. + +> ⚠️ **Note! 
Any changes to indexes should be performed during a defined maintenance window or during periods of lowest traffic to MongoDB.**
+>
+> Building indexes during time periods where the target collection is under heavy write load can result in reduced write performance and longer index builds. ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/index-creation/#index-build-impact-on-database-performance))
+>
+> Even minor changes to indexes (e.g., index removal) can cause brief but noticeable performance degradation ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/query-plans/#plan-cache-flushes))
+
+#### Self-hosted MongoDB
+
+For self-hosted MongoDB, follow the instructions below:
+
+- Connect to the MongoDB server using the [mongosh](https://www.mongodb.com/docs/mongodb-shell/install/) shell. Open your terminal or command prompt and run the following command, replacing `` with the appropriate MongoDB connection string for your server:
+
+```shell
+mongosh ""
+```
+
+- Retrieve the list of indexes for a specific collection:
+
+```js
+db.getSiblingDB('').getCollection('').getIndexes()
+```
+
+- Compare your indexes with the required indexes for the target release, and adjust them by creating any missing indexes or removing any unnecessary ones
+
+**Index creation**
+
+> ⚠ **Note! Always create indexes sequentially, one by one. Don't create them in bulk.**
+
+- To create an index, use the `createIndex()` method:
+
+```js
+db.getSiblingDB('').getCollection('').createIndex(, )
+```
+
+After executing the `createIndex()` command, you should see a result indicating that the index was created successfully.
+ +**Index removal** + +- To remove an index, use the `dropIndex()` method with ``: + +```js +db.getSiblingDB('').getCollection('').dropIndex('') +``` + +#### Atlas Database + +If you're hosting MongoDB on [Atlas](https://www.mongodb.com/atlas/database), use the following [Manage Indexes](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/) guide to View, Create or Remove indexes. + +> ⚠️ **Important!** In Atlas, for production environments, it is recommended to use rolling index builds by enabling the "Build index via rolling process" checkbox. ([*MongoDB official documentation*](https://www.mongodb.com/docs/v6.0/tutorial/build-indexes-on-replica-sets/)) + ## Upgrading ### To 2-0-0 @@ -1742,7 +1816,7 @@ nomios: ... ``` -### To 2.0.12 +### To 2-0-12 #### ⚠️ Legacy ChartMuseum subchart deprecation @@ -2018,18 +2092,22 @@ cfapi: ### To 2-6-0 +> ⚠️ **WARNING! MongoDB indexes changed!** +> +> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. + ### [What's new in 2.6.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-26) #### Affected values [Image digests in containers](#image-digests-in-containers) -#### Auto-index creation in MongoDB - -[Auto-index creation in MongoDB](#auto-index-creation-in-mongodb) - ### To 2-7-0 +> ⚠️ **WARNING! MongoDB indexes changed!** +> +> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. + ### [What's new in 2.7.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-27) #### Affected values 
@@ -2061,6 +2139,10 @@ global: ### To 2-8-0 +> ⚠️ **WARNING! MongoDB indexes changed!** +> +> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. + ### [What's new in 2.8.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-28) ### ⚠️ ⚠️ ⚠️ Breaking changes. Read before upgrading! @@ -2071,7 +2153,7 @@ Default MongoDB image is changed from 6.x to 7.x. If you run external MongoDB (i.e. [Atlas](https://cloud.mongodb.com)), it is **required** to upgrade it to 7.x after upgrading Codefresh On-Prem to 2.8.x. -For backward compatibility (in case you need to rollback to 6.x), you can set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file. +- **Before the upgrade**, for backward compatibility (in case you need to rollback to 6.x), you should set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file. ```yaml mongodb: 
@@ -2080,43 +2162,185 @@ mongodb: featureCompatibilityVersion: "6.0" ``` +- Perform Codefresh On-Prem upgrade to 2.8.x. Make sure all systems are up and running. + +- **After the upgrade**, if all system are stable, you need to set `featureCompatibilityVersion` to `7.0` in your values file and re-deploy the chart. + +```yaml +mongodb: + migration: + enabled: true + featureCompatibilityVersion: "7.0" +``` + +⚠️ ⚠️ ⚠️ If FCV (FeatureCompatibilityVersion) is managed by MongoDB itself (i.e. Atlas), you can disable it completely (that is default value in Helm chart) + +```yaml +mongodb: + migration: + enabled: false +``` + ### PostgreSQL update Default PostgreSQL image is changed from 13.x to 17.x If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x. -⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported. You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet. +> ⚠️ **Important!**
+> The default SSL configuration may change on your provider's side when you upgrade.
+> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql) + +⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers) + +⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs: +``` +postgresql 17:36:28.41 INFO ==> ** Starting PostgreSQL ** +2025-05-21 17:36:28.432 GMT [1] FATAL: database files are incompatible with server +2025-05-21 17:36:28.432 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 13, which is not compatible with this version 17.2. +``` +You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet. + +- **Before the upgrade**, backup your data on a separate PVC + +- Create PVC with the same or bigger size as your current PostgreSQL PVC: + +```yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: postgresql-dump +spec: + storageClassName: + resources: + requests: + storage: + volumeMode: Filesystem + accessModes: + - ReadWriteOnce +``` + +- Create a job to dump the data from the old PostgreSQL StatefulSet into the new PVC: + +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: postgresql-dump +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + containers: + - name: postgresql-dump + image: quay.io/codefresh/postgresql:17 + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + env: + - name: PGUSER + value: "" + - name: PGPASSWORD + value: "" + - name: PGHOST + value: "" + - name: PGPORT + value: "" + command: + - "/bin/bash" + - "-c" + - | + pg_dumpall --verbose > /opt/postgresql-dump/dump.sql + volumeMounts: + - name: postgresql-dump + mountPath: /opt/postgresql-dump + securityContext: + runAsUser: 0 + fsGroup: 0 + 
volumes: + - name: postgresql-dump + persistentVolumeClaim: + claimName: postgresql-dump + restartPolicy: Never +``` + +- Delete old PostgreSQL StatefulSet and PVC ```console -PGUSER=postgres -PGHOST=cf-postgresql -PGPORT=5432 -PGPASSWORD=postgres -BACKUP_DIR=/tmp/pg_backup -BACKUP_SQL=backup.sql -TIMESTAMP=$(date +%Y%m%d%H%M%S) -NAMESPACE=codefresh - -# Backup PostgreSQL data -pg_dumpall --verbose > "$BACKUP_DIR/$BACKUP_SQL.$TIMESTAMP" 2>> "$LOG_FILE" - -# Delete old PostgreSQL StatefulSet STS_NAME=$(kubectl get sts -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}') PVC_NAME=$(kubectl get pvc -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}') kubectl delete sts $STS_NAME -n $NAMESPACE kubectl delete pvc $PVC_NAME -n $NAMESPACE +``` + +- Peform the upgrade to 2.8.x with PostgreSQL seed job enabled to re-create users and databases + +```yaml +seed: + postgresSeedJob: + enabled: true +``` -# Perform Codefresh On-Prem upgrade to 2.8.x +- Create a job to restore the data from the new PVC into the new PostgreSQL StatefulSet: -# Restore PostgreSQL data -psql -U -f "$BACKUP_DIR/$BACKUP_SQL.$TIMESTAMP" >> "$LOG_FILE" 2>&1 +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: postgresql-restore +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + containers: + - name: postgresql-restore + image: quay.io/codefresh/postgresql:17 + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + env: + - name: PGUSER + value: "" + - name: PGPASSWORD + value: "" + - name: PGHOST + value: "" + - name: PGPORT + value: "" + command: + - "/bin/bash" + - "-c" + - | + psql -f /opt/postgresql-dump/dump.sql + volumeMounts: + - name: postgresql-dump + mountPath: /opt/postgresql-dump + securityContext: + runAsUser: 0 + fsGroup: 0 + volumes: + - name: postgresql-dump + 
persistentVolumeClaim: + claimName: postgresql-dump + restartPolicy: Never ``` ### RabbitMQ update -Default RabbitMQ image is changed from 3.x to 4.x +Default RabbitMQ image is changed from 3.x to 4.0 + +If you run external RabbitMQ, follow the [official instructions](https://www.rabbitmq.com/docs/upgrade) to upgrade to 4.0 + +For built-in RabbitMQ `bitnami/rabbitmq` subchart, pre-upgrade hook was added to enable all stable feature flags. #### Affected values @@ -2206,9 +2430,9 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | argo-platform.api-graphql.env | object | See below | Env vars | | argo-platform.api-graphql.hpa | object | `{"enabled":false}` | HPA | | argo-platform.api-graphql.hpa.enabled | bool | `false` | Enable autoscaler | -| argo-platform.api-graphql.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh-io/argo-platform-api-graphql"}` | Image | +| argo-platform.api-graphql.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/argo-platform-api-graphql"}` | Image | | argo-platform.api-graphql.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry | -| argo-platform.api-graphql.image.repository | string | `"codefresh-io/argo-platform-api-graphql"` | Repository | +| argo-platform.api-graphql.image.repository | string | `"codefresh/argo-platform-api-graphql"` | Repository | | argo-platform.api-graphql.kind | string | `"Deployment"` | Controller kind. Currently, only `Deployment` is supported | | argo-platform.api-graphql.pdb | object | `{"enabled":false}` | PDB | | argo-platform.api-graphql.pdb.enabled | bool | `false` | Enable pod disruption budget | 
@@ -2226,7 +2450,7 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | argo-platform.runtime-monitor | object | See below | runtime-monitor Don't enable! Not used in onprem! | | argo-platform.ui | object | See below | ui | | argo-platform.useExternalSecret | bool | `false` | Use regular k8s secret object. Keep `false`! | -| builder | object | `{"affinity":{},"container":{"image":{"registry":"docker.io","repository":"library/docker","tag":"28.0-dind"}},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/curl","tag":"8.11.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | +| builder | object | `{"affinity":{},"container":{"image":{"registry":"docker.io","repository":"library/docker","tag":"28.3-dind"}},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/curl","tag":"8.14.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | | cf-broadcaster | object | See below | broadcaster | | cf-oidc-provider | object | See below | cf-oidc-provider | | cf-platform-analytics-etlstarter | object | See below | etl-starter | 
@@ -2387,8 +2611,9 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | helm-repo-manager | object | See below | helm-repo-manager | | hermes | object | See below | hermes | | hooks | object | See below | Pre/post-upgrade Job hooks. | -| hooks.consul | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/kubectl","tag":"1.33.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Recreates `consul-headless` service due to duplicated ports in Service during the upgrade. | +| hooks.consul | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/kubectl","tag":"1.33.3"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Recreates `consul-headless` service due to duplicated ports in Service during the upgrade. | | hooks.mongodb | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/mongosh","tag":"2.5.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Updates images in `system/default` runtime. | +| hooks.rabbitmq | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/rabbitmqadmin","tag":"2.8.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Enable stable feature flags in RabbitMQ. 
| | imageCredentials | object | `{}` | Credentials for Image Pull Secret object | | ingress | object | `{"annotations":{"nginx.ingress.kubernetes.io/service-upstream":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false","nginx.org/redirect-to-https":"false"},"enabled":true,"ingressClassName":"nginx-codefresh","labels":{},"nameOverride":"","services":{"internal-gateway":["/"]},"tls":{"cert":"","enabled":false,"existingSecret":"","key":"","secretName":"star.codefresh.io"}}` | Ingress | | ingress-nginx | object | See below | ingress-nginx Ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml | @@ -2426,6 +2651,8 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | seed-e2e | object | `{"affinity":{},"backoffLimit":10,"enabled":false,"image":{"registry":"docker.io","repository":"mongo","tag":"latest"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":300}` | CI | | seed.enabled | bool | `true` | Enable all seed jobs | | seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. | +| seed.mongoSeedJob.env | object | `{}` | Extra env variables for seed job. | +| seed.mongoSeedJob.mongodbRootOptions | string | `""` | Extra options for connection string (e.g. `authSource=admin`). | | seed.mongoSeedJob.mongodbRootPassword | string | `"XT9nmM8dZD"` | Root password in plain text (required ONLY for seed job!). | | seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret | | seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). | diff --git a/charts/codefresh/README.md.gotmpl b/charts/codefresh/README.md.gotmpl index 2d3038ebe..2c178c7a0 100644 --- a/charts/codefresh/README.md.gotmpl +++ b/charts/codefresh/README.md.gotmpl 
@@ -24,7 +24,6 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - [Configuration with ALB (Application Load Balancer)](#configuration-with-alb-application-load-balancer) - [Configuration with Private Registry](#configuration-with-private-registry) - [Configuration with multi-role CF-API](#configuration-with-multi-role-cf-api) - - [Indexes in MongoDB](#indexes-in-mongodb) - [High Availability](#high-availability) - [Mounting private CA certs](#mounting-private-ca-certs) - [Installing on OpenShift](#installing-on-openshift) @@ -36,6 +35,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - [X-Frame-Options response header](#x-frame-options-response-header) - [Image digests in containers](#image-digests-in-containers) - [Configuring OIDC Provider](#configuring-oidc-provider) +- [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) - [Upgrading](#upgrading) - [To 2.0.0](#to-2-0-0) - [To 2.0.12](#to-2-0-12) 
@@ -68,7 +68,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - GCR Service Account JSON `sa.json` (provided by Codefresh, contact support@codefresh.io) - Firebase [Realtime Database URL](https://firebase.google.com/docs/database/web/start#create_a_database) with [legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens). See [Firebase Configuration](#firebase-configuration) - Valid TLS certificates for Ingress -- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)) +- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)). The `pg_cron` extension should be the 1.4 version or higher for Azure Postgres DB. ## Get Repo Info @@ -81,8 +81,6 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) **Important:** only helm 3.8.0+ is supported -**Important:** Read about [Indexes in MongoDB](#indexes-in-mongodb) before installation - Edit default `values.yaml` or create empty `cf-values.yaml` - Pass `sa.json` (as a single line) to `.Values.imageCredentials.password` 
@@ -95,7 +93,7 @@ imageCredentials: password: '{ "type": "service_account", "project_id": "codefresh-enterprise", "private_key_id": ... }' ``` -- Specify `.Values.global.appUrl`, `.Values.global.firebaseUrl` and `.Values.global.firebaseSecret` +- Specify `.Values.global.appUrl`, `.Values.global.firebaseUrl`, `.Values.global.firebaseSecret`, `.Values.global.env.MONGOOSE_AUTO_INDEX`, `.Values.global.env.MONGO_AUTOMATIC_INDEX_CREATION` ```yaml global: @@ -120,6 +118,9 @@ global: # name: my-secret # key: firebase-secret + # -- Enable index creation in MongoDB + # This is required for first-time installations! + # Before usage in Production, you must set it to `false` or remove it! env: MONGOOSE_AUTO_INDEX: "true" MONGO_AUTOMATIC_INDEX_CREATION: "true" @@ -179,6 +180,17 @@ ingress-nginx: --timeout 15m ``` +### ⚠️ **MANDATORY** Post-Installation Action Items + +Once your Codefresh On-Prem instance is installed, configured, and confirmed to be ready for production use, the following variables must be set to `false` or removed: + +```yaml +global: + env: + MONGOOSE_AUTO_INDEX: "false" + MONGO_AUTOMATIC_INDEX_CREATION: "false" +``` + ## Chart Configuration See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: 
@@ -194,9 +206,9 @@ The following table displays the list of **persistent** services created as part | Database | Purpose | Required version | | :--- | :---- | :--- | | MongoDB | Stores all account data (account settings, users, projects, pipelines, builds etc.) | 7.x | -| Postgresql | Stores data about events for the account (pipeline updates, deletes, etc.). The audit log uses the data from this database. | 17.x | +| Postgresql | Stores data about events for the account (pipeline updates, deletes, etc.). The audit log uses the data from this database. | 16.x or 17.x | | Redis | Used for caching, and as a key-value store for cron trigger manager. | 7.0.x | -| RabbitMQ | Used for message queueing. | 4.0.x | +| RabbitMQ | Used for message queueing. | 3.13 \| 4.0.x | > Running on netfs (nfs, cifs) is not recommended. @@ -216,6 +228,17 @@ However, you might need to use external services like [MongoDB Atlas Database](h #### External MongoDB +> ⚠️ **Important!** If you use MongoDB Atlas, you must create user with `Write` permissions before installing Codefresh:
+> Then, provide the user credentials in the chart values at
+`.Values.global.mongodbUser/mongodbRootUserSecretKeyRef`
+`.Values.global.mongodbPassword/mongodbRootPasswordSecretKeyRef`
+`.Values.seed.mongoSeedJob.mongodbRootUser/mongodbRootUserSecretKeyRef`
+`.Values.seed.mongoSeedJob.mongodbRootPassword/mongodbRootPasswordSecretKeyRef`
+> Ref:
+> [Create Users in Atlas](https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#configure-database-users) + +`values.yaml` for external MongoDB: + ```yaml seed: mongoSeedJob: @@ -388,6 +411,27 @@ postgresql: enabled: false ``` +##### Using SSL with a PostgreSQL + +Provide the following env vars to enforce SSL connection to PostgresSQL: + +```yaml +global: + env: + # More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html + PGSSLMODE: "require" + +helm-repo-manager: + env: + POSTGRES_DISABLE_SSL: "false" +``` + +> ⚠️ **Important!**
+> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.
+> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).
+> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs) + + #### External Redis ```yaml @@ -421,7 +465,9 @@ redis: > If ElastiCache is used, set `REDIS_TLS` to `true` in `.Values.global.env` -``` +> ⚠️ ElastiCache with **Cluster mode** is not supported! + +```yaml global: env: REDIS_TLS: true 
@@ -785,59 +831,6 @@ cfapi-test-reporting: enabled: true ``` -⚠️ ⚠️ ⚠️ -### Indexes in MongoDB -⚠️ ⚠️ ⚠️ - -Indexes in MongoDB are essential for efficient query performance, especially as your data grows. Without proper indexes, MongoDB must perform full collection scans to find matching documents, which can significantly slow down operations and increase resource usage. For production environments, ensuring that all frequently queried fields are indexed is vital to maintain optimal performance and scalability. - -Auto-index creation in MongoDB is disabled by default in Codefresh On-Prem to prevent unexpected performance issues in production environments during upgrades. When enabled, MongoDB will automatically create indexes for fields used in queries, which can lead to high CPU and disk usage, increased I/O, and potential service disruptions—especially on large datasets. By requiring manual index management, administrators can plan index creation during maintenance windows, ensuring system stability and predictable performance before upgrading Codefresh On-Prem. - -It is critical to ensure that your MongoDB indexes are always aligned with the latest recommended state for your Codefresh On-Prem version. Outdated or missing indexes can lead to degraded performance, slow queries, and increased resource consumption. Always review release notes and update or create indexes as specified during upgrades or when new collections/fields are introduced. Regularly auditing and maintaining your indexes helps ensure optimal system reliability and scalability. - -The indexes list is located at the [codefresh-io/codefresh-onprem-helm](https://github.com/codefresh-io/codefresh-onprem-helm/tree/onprem-2.8.0/indexes) repository. -The indexes are stored in JSON files with keys and options specified. 
- -The directory structure is: - -```console -codefresh-onprem-helm -├── indexes -│ ├── # MongoDB database name -│ │ ├── .json # MongoDB indexes for the specified collection -``` - -#### Enabling auto-index creation - -For first-time installations, you **must** enable auto-index creation by setting the following values: - -```yaml -global: - env: - MONGOOSE_AUTO_INDEX: "true" - MONGO_AUTOMATIC_INDEX_CREATION: "true" -``` - -You **should** disable it for the next upgrades by setting these variables to `false`: - -```yaml -global: - env: - MONGOOSE_AUTO_INDEX: "false" - MONGO_AUTOMATIC_INDEX_CREATION: "false" -``` - -#### Creating Indexes manually - -> **Note!** If you have a large amount of MongoDB data, it is recommended to create indexes manually. Enabling auto-index creation can cause performance degradation during the index creation process with large datasets. - -Depending on your MongoDB service (e.g., Atlas, self-hosted), you can create indexes using the MongoDB shell or the Atlas UI. - -Ref: -- [Create an Index in Atlas DB](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/#create-an-index) -- [Create an Index with mongosh](https://www.mongodb.com/docs/manual/reference/method/db.collection.createIndex/) - - ### High Availability The chart installs the non-HA version of Codefresh by default. If you want to run Codefresh in HA mode, use the example values below. @@ -1202,7 +1195,7 @@ cfapi: ### Projects pipelines limit ```yaml -cfapi: +pipeline-manager: env: # Determines project's pipelines limit (default: 500) PROJECT_PIPELINES_LIMIT: 500 
@@ -1491,6 +1484,87 @@ To see all the claims supported by Codefresh OIDC provider, see `claims_supporte Use [obtain-oidc-id-token](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/obtain-oidc-id-token/step.yaml#L27-L58) and [aws-sts-assume-role-with-web-identity](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/aws-sts-assume-role-with-web-identity/step.yaml#L29-L63) steps to exchange the OIDC token (JWT) for a cloud access token. +## Maintaining MongoDB Indexes + +Sometimes, in new releases of Codefresh On-Prem, index requirements change. When this happens, it's mentioned in the [Upgrading section](#upgrading) for the specific release. + +> ℹ️ If you're upgrading from version `X` to version `Y`, and index requirements were updated in any of the intermediate versions, you only need to align your indexes with the index requirements of version `Y`. To do that, follow [Index alignment](#index-alignment) instructions. + +### Index alignment + +The required index definitions for each release can be found at the following resources: + +- `2.6` +- `2.7` +- `2.8` + +The indexes are stored in JSON files with keys and options specified. + +The directory structure is: + +```console +indexes +├── # MongoDB database name +│ ├── .json # MongoDB indexes for the specified collection +``` + +**Overview of the index alignment process:** + +1. Identify the differences between the indexes in your MongoDB instance and the required index definitions. +2. Create any missing indexes one by one. (It's important not to create them in bulk.) +3. Perform the upgrade of Codefresh On-Prem installation. +4. Then remove any unnecessary indexes. + +> ⚠️ **Note! 
Any changes to indexes should be performed during a defined maintenance window or during periods of lowest traffic to MongoDB.**
+>
+> Building indexes during time periods where the target collection is under heavy write load can result in reduced write performance and longer index builds. ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/index-creation/#index-build-impact-on-database-performance))
+>
+> Even minor changes to indexes (e.g., index removal) can cause brief but noticeable performance degradation ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/query-plans/#plan-cache-flushes))
+
+#### Self-hosted MongoDB
+
+For self-hosted MongoDB, follow the instructions below:
+
+- Connect to the MongoDB server using the [mongosh](https://www.mongodb.com/docs/mongodb-shell/install/) shell. Open your terminal or command prompt and run the following command, replacing `` with the appropriate MongoDB connection string for your server:
+
+
+```shell
+mongosh ""
+```
+
+- Retrieve the list of indexes for a specific collection:
+
+```js
+db.getSiblingDB('').getCollection('').getIndexes()
+```
+
+- Compare your indexes with the required indexes for the target release, and adjust them by creating any missing indexes or removing any unnecessary ones
+
+**Index creation**
+
+> ⚠ **Note! Always create indexes sequentially, one by one. Don't create them in bulk.**
+
+- To create an index, use the `createIndex()` method:
+
+```js
+db.getSiblingDB('').getCollection('').createIndex(, )
+```
+
+After executing the `createIndex()` command, you should see a result indicating that the index was created successfully.
+ +**Index removal** + +- To remove an index, use the `dropIndex()` method with ``: + +```js +db.getSiblingDB('').getCollection('').dropIndex('') +``` + +#### Atlas Database + +If you're hosting MongoDB on [Atlas](https://www.mongodb.com/atlas/database), use the following [Manage Indexes](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/) guide to View, Create or Remove indexes. + +> ⚠️ **Important!** In Atlas, for production environments, it is recommended to use rolling index builds by enabling the "Build index via rolling process" checkbox. ([*MongoDB official documentation*](https://www.mongodb.com/docs/v6.0/tutorial/build-indexes-on-replica-sets/)) ## Upgrading @@ -1751,7 +1825,7 @@ nomios: ... ``` -### To 2.0.12 +### To 2-0-12 #### ⚠️ Legacy ChartMuseum subchart deprecation @@ -2028,18 +2102,22 @@ cfapi: ### To 2-6-0 +> ⚠️ **WARNING! MongoDB indexes changed!** +> +> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. + ### [What's new in 2.6.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-26) #### Affected values [Image digests in containers](#image-digests-in-containers) -#### Auto-index creation in MongoDB - -[Auto-index creation in MongoDB](#auto-index-creation-in-mongodb) - ### To 2-7-0 +> ⚠️ **WARNING! MongoDB indexes changed!** +> +> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. + ### [What's new in 2.7.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-27) #### Affected values 
@@ -2071,6 +2149,10 @@ global: ### To 2-8-0 +> ⚠️ **WARNING! MongoDB indexes changed!** +> +> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. + ### [What's new in 2.8.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-28) ### ⚠️ ⚠️ ⚠️ Breaking changes. Read before upgrading! @@ -2081,7 +2163,7 @@ Default MongoDB image is changed from 6.x to 7.x. If you run external MongoDB (i.e. [Atlas](https://cloud.mongodb.com)), it is **required** to upgrade it to 7.x after upgrading Codefresh On-Prem to 2.8.x. -For backward compatibility (in case you need to rollback to 6.x), you can set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file. +- **Before the upgrade**, for backward compatibility (in case you need to rollback to 6.x), you should set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file. ```yaml mongodb: 
@@ -2090,43 +2172,185 @@ mongodb: featureCompatibilityVersion: "6.0" ``` +- Perform Codefresh On-Prem upgrade to 2.8.x. Make sure all systems are up and running. + +- **After the upgrade**, if all system are stable, you need to set `featureCompatibilityVersion` to `7.0` in your values file and re-deploy the chart. + +```yaml +mongodb: + migration: + enabled: true + featureCompatibilityVersion: "7.0" +``` + +⚠️ ⚠️ ⚠️ If FCV (FeatureCompatibilityVersion) is managed by MongoDB itself (i.e. Atlas), you can disable it completely (that is default value in Helm chart) + +```yaml +mongodb: + migration: + enabled: false +``` + ### PostgreSQL update Default PostgreSQL image is changed from 13.x to 17.x If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x. -⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported. You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet. +> ⚠️ **Important!**
+> The default SSL configuration may change on your provider's side when you upgrade.
+> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql) + +⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers) + +⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs: +``` +postgresql 17:36:28.41 INFO ==> ** Starting PostgreSQL ** +2025-05-21 17:36:28.432 GMT [1] FATAL: database files are incompatible with server +2025-05-21 17:36:28.432 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 13, which is not compatible with this version 17.2. +``` +You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet. + +- **Before the upgrade**, backup your data on a separate PVC + +- Create PVC with the same or bigger size as your current PostgreSQL PVC: + +```yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: postgresql-dump +spec: + storageClassName: + resources: + requests: + storage: + volumeMode: Filesystem + accessModes: + - ReadWriteOnce +``` + +- Create a job to dump the data from the old PostgreSQL StatefulSet into the new PVC: + +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: postgresql-dump +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + containers: + - name: postgresql-dump + image: quay.io/codefresh/postgresql:17 + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + env: + - name: PGUSER + value: "" + - name: PGPASSWORD + value: "" + - name: PGHOST + value: "" + - name: PGPORT + value: "" + command: + - "/bin/bash" + - "-c" + - | + pg_dumpall --verbose > /opt/postgresql-dump/dump.sql + volumeMounts: + - name: postgresql-dump + mountPath: /opt/postgresql-dump + securityContext: + runAsUser: 0 + fsGroup: 0 + 
volumes: + - name: postgresql-dump + persistentVolumeClaim: + claimName: postgresql-dump + restartPolicy: Never +``` + +- Delete old PostgreSQL StatefulSet and PVC ```console -PGUSER=postgres -PGHOST=cf-postgresql -PGPORT=5432 -PGPASSWORD=postgres -BACKUP_DIR=/tmp/pg_backup -BACKUP_SQL=backup.sql -TIMESTAMP=$(date +%Y%m%d%H%M%S) -NAMESPACE=codefresh - -# Backup PostgreSQL data -pg_dumpall --verbose > "$BACKUP_DIR/$BACKUP_SQL.$TIMESTAMP" 2>> "$LOG_FILE" - -# Delete old PostgreSQL StatefulSet STS_NAME=$(kubectl get sts -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}') PVC_NAME=$(kubectl get pvc -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}') kubectl delete sts $STS_NAME -n $NAMESPACE kubectl delete pvc $PVC_NAME -n $NAMESPACE +``` + +- Peform the upgrade to 2.8.x with PostgreSQL seed job enabled to re-create users and databases + +```yaml +seed: + postgresSeedJob: + enabled: true +``` -# Perform Codefresh On-Prem upgrade to 2.8.x +- Create a job to restore the data from the new PVC into the new PostgreSQL StatefulSet: -# Restore PostgreSQL data -psql -U -f "$BACKUP_DIR/$BACKUP_SQL.$TIMESTAMP" >> "$LOG_FILE" 2>&1 +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: postgresql-restore +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + containers: + - name: postgresql-restore + image: quay.io/codefresh/postgresql:17 + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "1" + env: + - name: PGUSER + value: "" + - name: PGPASSWORD + value: "" + - name: PGHOST + value: "" + - name: PGPORT + value: "" + command: + - "/bin/bash" + - "-c" + - | + psql -f /opt/postgresql-dump/dump.sql + volumeMounts: + - name: postgresql-dump + mountPath: /opt/postgresql-dump + securityContext: + runAsUser: 0 + fsGroup: 0 + volumes: + - name: postgresql-dump + 
persistentVolumeClaim: + claimName: postgresql-dump + restartPolicy: Never ``` ### RabbitMQ update -Default RabbitMQ image is changed from 3.x to 4.x +Default RabbitMQ image is changed from 3.x to 4.0 + +If you run external RabbitMQ, follow the [official instructions](https://www.rabbitmq.com/docs/upgrade) to upgrade to 4.0 + +For built-in RabbitMQ `bitnami/rabbitmq` subchart, pre-upgrade hook was added to enable all stable feature flags. #### Affected values diff --git a/charts/codefresh/files/mongoSeedJobScript.sh b/charts/codefresh/files/mongoSeedJobScript.sh index 53947038f..6762bad5c 100644 --- a/charts/codefresh/files/mongoSeedJobScript.sh +++ b/charts/codefresh/files/mongoSeedJobScript.sh @@ -12,9 +12,12 @@ export MONGODB_ROOT_PASSWORD=... COMMENT -# set -eou pipefail +if [[ -n $DEBUG ]]; then + set -o xtrace +fi ASSETS_PATH=${ASSETS_PATH:-/usr/share/extras/} +MTLS_CERT_PATH=${MTLS_CERT_PATH:-/etc/ssl/mongodb/ca.pem} MONGODB_DATABASES=( "archive" @@ -34,12 +37,12 @@ MONGODB_DATABASES=( ) disableMongoTelemetry() { - mongosh --nodb --eval "disableTelemetry()" + mongosh --nodb --eval "disableTelemetry()" || true } waitForMongoDB() { while true; do - status=$(mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand('ping')" 2>&1) + status=$(mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.adminCommand('ping')" 2>&1) echo -e "MongoDB status:\n$status" if $(echo $status | grep 'ok: 1' -q); then 
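Review bot: With `DEBUG` set, the new `set -o xtrace` at the top of mongoSeedJobScript.sh traces every later `mongosh` and `mongoimport` call after expansion, and those command lines carry `${MONGODB_ROOT_URI}` (root user and password), `${MONGO_URI}` and `${MONGODB_PASSWORD}`, so the credentials are written to the seed job's pod log. The test `[[ -n $DEBUG ]]` is also true for any non-empty value, including `DEBUG=false`; `[[ ${DEBUG:-false} == "true" ]]` is stricter and tolerates an unset variable. I would add the comment `# xtrace prints connection strings with passwords; keep DEBUG off where job logs are shared` next to it. The commented-out `set -eou pipefail` is removed without a replacement, so the script still runs without strict mode.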
@@ -56,12 +59,23 @@ parseMongoURI() { local parameters="$(echo $1 | grep '?' | cut -d '?' -f2)"; if [[ -n $parameters ]]; then parameters="?${parameters}"; fi local url="$(echo ${1/$proto/})" local userpass="$(echo $url | grep @ | cut -d@ -f1)" - local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')" + if [[ -z $userpass ]]; then + local hostport="$(echo $url | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')" + MONGO_URI="$proto$hostport/${MONGODB_DATABASE}$parameters" + else + local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')" + MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)" + MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)" + MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters" + fi + + + if [[ -z $MONGODB_ROOT_OPTIONS ]]; then + MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters" + else + MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin?${MONGODB_ROOT_OPTIONS}" + fi - MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)" - MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)" - MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters" - MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters" } getMongoVersion() { @@ -82,6 +96,14 @@ setPacks() { parseMongoURI $MONGO_URI +if [[ -s ${MTLS_CERT_PATH} ]]; then + MONGO_URI_EXTRA_PARAMS="--tls --tlsCertificateKeyFile ${MTLS_CERT_PATH} --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates" + MONGOIMPORT_EXTRA_PARAMS="--ssl --sslPEMKeyFile ${MTLS_CERT_PATH} --sslAllowInvalidHostnames --sslAllowInvalidCertificates" +else + MONGO_URI_EXTRA_PARAMS="" + MONGOIMPORT_EXTRA_PARAMS="" +fi + disableMongoTelemetry waitForMongoDB 
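Review bot: In `parseMongoURI`, the new branch for a URI without `user:pass@` builds `MONGO_URI` but never assigns `MONGODB_USER` or `MONGODB_PASSWORD`, while the loop later in the script still calls `createUser` and `changeUserPassword` with both; unless they arrive through the environment, those calls run with empty values and the failure is hidden by `|| true`. The other branch still splices `$userpass` into `sed s/$userpass//` unquoted, so a password containing `/` or a regex metacharacter corrupts `hostport`; stripping the literal prefix with parameter expansion, e.g. `local rest="${url#"$userpass"@}"`, avoids treating it as a pattern. When `MONGODB_ROOT_OPTIONS` is set, `$parameters` from the application URI is dropped from `MONGODB_ROOT_URI`; if that is intended it deserves a comment such as `# root options replace, not extend, the URI query string`. The function starts outside the hunk.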
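Review bot: Whenever the file at `MTLS_CERT_PATH` exists, both parameter strings add `--tlsAllowInvalidHostnames --tlsAllowInvalidCertificates` (and the `--ssl…` equivalents for mongoimport), so the server's certificate and hostname are never verified while the root credentials and the client key are presented to it. Verification should stay on by default, with a private CA passed through `--tlsCAFile` / `--sslCAFile` where one is used, and the relaxed flags moved behind an explicit opt-in; the variable name `MTLS_ALLOW_INVALID` below is only a suggestion. The default path ends in `ca.pem` but is passed as the client certificate-and-key file, which looks like it needs a clearer name or a comment.

```shell
if [[ -s ${MTLS_CERT_PATH} ]]; then
  MONGO_URI_EXTRA_PARAMS="--tls --tlsCertificateKeyFile ${MTLS_CERT_PATH}"
  MONGOIMPORT_EXTRA_PARAMS="--ssl --sslPEMKeyFile ${MTLS_CERT_PATH}"
  # Certificate and hostname verification stay on unless explicitly relaxed.
  if [[ ${MTLS_ALLOW_INVALID:-false} == "true" ]]; then
    MONGO_URI_EXTRA_PARAMS+=" --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates"
    MONGOIMPORT_EXTRA_PARAMS+=" --sslAllowInvalidHostnames --sslAllowInvalidCertificates"
  fi
# … unchanged: else branch with empty defaults …
```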
@@ -90,20 +112,23 @@ getMongoVersion for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do waitForMongoDB - mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true + mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true waitForMongoDB - mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true + mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true + + # MongoDB Atlas + mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db = db.getSiblingDB(\"${MONGODB_DATABASE}\"); db[\"${MONGODB_DATABASE}\"].insertOne({ name: \"init\", value: true })" 2>&1 || true done -mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true -mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true -mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true +mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true +mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 
|| true +mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true if [[ $DEVELOPMENT_CHART == "true" ]]; then setSystemAdmin setPacks fi -mongoimport --uri ${MONGO_URI} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json -mongoimport --uri ${MONGO_URI} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json -mongoimport --uri ${MONGO_URI} --collection users --type json --legacy --file ${ASSETS_PATH}users.json +mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json +mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json +mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection users --type json --legacy --file ${ASSETS_PATH}users.json diff --git a/charts/codefresh/templates/_helpers.tpl b/charts/codefresh/templates/_helpers.tpl index b657b6742..05daf4aa0 100644 --- a/charts/codefresh/templates/_helpers.tpl +++ b/charts/codefresh/templates/_helpers.tpl @@ -55,7 +55,16 @@ Return runtime image (classic runtime) with private registry prefix */}} {{- define "codefresh.buildImageName" -}} {{- if .registry -}} - {{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}} + {{- $imageName := .imageFullName -}} + {{- if hasPrefix "us-docker.pkg.dev/codefresh-inc/public-gcr-io/" $imageName }} + {{- $imageName = trimPrefix "us-docker.pkg.dev/codefresh-inc/public-gcr-io/" $imageName }} + {{- end }} + {{- if hasPrefix "quay.io/" $imageName }} + {{- $imageName = trimPrefix "quay.io/" $imageName }} + {{- end }} + {{- if hasPrefix "docker.io/" $imageName }} + {{- $imageName = trimPrefix "docker.io/" $imageName | replace "library" "codefresh" }} + {{- end }} {{- printf "%s/%s" .registry $imageName -}} {{- else -}} {{- printf "%s" .imageFullName -}} 
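Review bot: `${MONGODB_PASSWORD}` is spliced into the JavaScript given to `--eval` in the `createUser` and `changeUserPassword` calls, so a password containing `"` or `\` changes the statement that runs, the password sits on the `mongosh` command line, and any resulting failure is discarded by `|| true`. mongosh exposes `process.env`, so after `export MONGODB_USER MONGODB_PASSWORD` the script can use `pwd: process.env.MONGODB_PASSWORD` inside a single-quoted `--eval` string instead. The added `insertOne({ name: "init", value: true })` runs on every execution of the seed job and adds another document each time; `updateOne({ name: "init" }, { $set: { value: true } }, { upsert: true })` keeps it idempotent, and the `# MongoDB Atlas` comment should say why the write is needed.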
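Review bot: In the `docker.io/` branch of `codefresh.buildImageName`, `replace "library" "codefresh"` rewrites every occurrence of `library` in the image reference, not only the leading `library/` namespace, so an image whose repository or tag contains that word is renamed and may resolve to a different image, or to none, in the private registry. Anchoring the rewrite fixes it: `{{- $imageName = regexReplaceAll "^library/" (trimPrefix "docker.io/" $imageName) "codefresh/" }}`. A short template comment listing the three upstream prefixes and why `library/` maps to `codefresh/` would help the next reader. The `define` block closes outside the hunk.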
diff --git a/charts/codefresh/templates/configmaps/runtimeEnvironments.json.tpl b/charts/codefresh/templates/configmaps/runtimeEnvironments.json.tpl index cf88a3a7f..d52b9ad55 100644 --- a/charts/codefresh/templates/configmaps/runtimeEnvironments.json.tpl +++ b/charts/codefresh/templates/configmaps/runtimeEnvironments.json.tpl @@ -29,7 +29,7 @@ "inCluster": true, "namespace": "{{ .Release.Namespace }}" }, - "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}", + "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}", "command": [ "npm", "run", 
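Review bot: Every `codefresh.buildImageName` call in this file now reads only `.Values.global.imageRegistry` (this hunk and the ones at -45, -109, -121 and -170), so an install whose values still set `global.dockerRegistry` would render the public image names and pull runtime images from outside the private registry without any error. Unless the old key is mapped elsewhere in the chart (not visible here), passing `(coalesce .Values.global.imageRegistry .Values.global.dockerRegistry)` as the `registry` argument keeps existing values files working.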
@@ -45,19 +45,19 @@ "RUNTIME_ADDITIONAL_INTERNAL_REGISTRIES_JSON": "/etc/admin/additional-internal-registries.json", "LOGGER_LEVEL": "debug", "NODE_ENV": "kubernetes", - "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}", - "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}", - "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}", - "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}", - "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}", - "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}", - "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}", - "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}", - "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}", - "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}", - "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry 
"imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}", - "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}", - "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}", + "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}", + "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}", + "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}", + "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}", + "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}", + "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}", + "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}", + "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}", + "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}", + "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict 
"registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}", + "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}", + "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}", + "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}", "NODE_TLS_REJECT_UNAUTHORIZED": "0" }, "volumeMounts": { @@ -109,7 +109,7 @@ }, "description": "System hybrid runtime environment for kubernetes", "runtimeScheduler": { - "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}", + "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}", "command": [ "npm", "run", 
@@ -121,19 +121,19 @@ "LOGGER_LEVEL": "debug", "NODE_ENV": "kubernetes", "METRICS_CODEFRESH_ENABLED": "true", - "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}", - "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}", - "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}", - "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}", - "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}", - "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}", - "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}", - "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}", - "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}", - "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}", - "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) 
}}", - "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}", - "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}", + "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}", + "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}", + "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}", + "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}", + "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}", + "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}", + "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}", + "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}", + "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}", + "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" 
.Values.runtimeImages.TEMPLATE_ENGINE) }}", + "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}", + "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}", + "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}", "NO_EXT_MONITOR": "true", "DISABLE_WORKSPACE_CACHE": "true", "NODE_TLS_REJECT_UNAUTHORIZED": "0", @@ -170,7 +170,7 @@ "cluster": { "namespace": "{{ .Release.Namespace }}" }, - "dindImage": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DIND_IMAGE) }}", + "dindImage": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DIND_IMAGE) }}", "defaultDindResources": { "requests": { "cpu": "390m", @@ -267,6 +267,6 @@ "extends": [ "system/default" ] - } + } ] {{- end -}} diff --git a/charts/codefresh/templates/hooks/pre-upgrade/delete-consul-svc-job.yaml b/charts/codefresh/templates/hooks/pre-upgrade/delete-consul-svc-job.yaml index 1e01d429a..4bc915e8f 100644 --- a/charts/codefresh/templates/hooks/pre-upgrade/delete-consul-svc-job.yaml +++ b/charts/codefresh/templates/hooks/pre-upgrade/delete-consul-svc-job.yaml @@ -38,7 +38,7 @@ spec: - /bin/sh - -c - | - set -e + set -x CONSUL_SVC_HEADLESS=$(kubectl get svc -n {{ .Release.Namespace }} \ -l app.kubernetes.io/instance={{ include "codefresh.fullname" . }}\ -l app.kubernetes.io/name=consul \ diff --git a/charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-job.yaml b/charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-job.yaml new file mode 100644 index 000000000..cbff56fa1 --- /dev/null 
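Review bot: Replacing `set -e` with `set -x` in the delete-consul-svc hook script drops exit-on-error, so a failing `kubectl` call no longer fails the pre-upgrade job and the upgrade proceeds as if the Consul service had been handled. If tracing is the goal, `set -ex` keeps both behaviours. The script body continues outside the hunk.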
+++ b/charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-job.yaml 
@@ -0,0 +1,83 @@ +{{- if and .Values.hooks.rabbitmq.enabled .Values.rabbitmq.enabled }} +{{- $libTemplateName := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +{{- $tolerations := .Values.hooks.consul.tolerations | default list }} +{{- $globalTolerations := .Values.global.tolerations | default list }} +{{- $allToleration := concat $globalTolerations $tolerations }} +{{- $affinity := .Values.hooks.consul.affinity | default dict }} +{{- $globalAffinity := .Values.global.affinity | default dict }} +{{- $allAffinity := mergeOverwrite $globalAffinity $affinity }} +{{- $nodeSelector := .Values.hooks.consul.nodeSelector | default dict }} +{{- $globalNodeSelector := .Values.global.nodeSelector | default dict }} +{{- $allNodeSelector := mergeOverwrite $globalNodeSelector $nodeSelector }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + labels: + {{ include "codefresh.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-weight: "5" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation +spec: + ttlSecondsAfterFinished: 300 + backoffLimit: 6 + template: + metadata: + name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + labels: + {{ include "codefresh.labels" . | nindent 8 }} + spec: + {{- include (printf "%s.image.pullSecrets" $libTemplateName ) . | nindent 6 }} + containers: + - name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + image: {{ include (printf "%s.image.name" $libTemplateName) (dict "image" .Values.hooks.rabbitmq.image "context" .) }} + env: + - name: RABBITMQADMIN_TARGET_HOST + valueFrom: + secretKeyRef: + name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + key: RABBITMQADMIN_TARGET_HOST + - name: RABBITMQADMIN_TARGET_PORT + valueFrom: + secretKeyRef: + name: {{ template "codefresh.fullname" . 
}}-rabbitmq-enable-stable-flags + key: RABBITMQADMIN_TARGET_PORT + - name: RABBITMQADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + key: RABBITMQADMIN_USERNAME + - name: RABBITMQADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + key: RABBITMQADMIN_PASSWORD + command: + - /bin/bash + - -c + - | + set -x + rabbitmqadmin \ + --host=$RABBITMQADMIN_TARGET_HOST \ + --port=$RABBITMQADMIN_TARGET_PORT \ + --username=$RABBITMQADMIN_USERNAME \ + --password=$RABBITMQADMIN_PASSWORD \ + feature_flags enable_all + resources: + {{- toYaml .Values.hooks.rabbitmq.resources | nindent 10 }} + {{- with $allNodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $allAffinity }} + affinity: + {{- toYaml . | nindent 8}} + {{- end }} + {{- with $allToleration }} + tolerations: + {{- toYaml . | nindent 6 }} + {{- end }} + restartPolicy: OnFailure +{{- end }} diff --git a/charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-secret.yaml b/charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-secret.yaml new file mode 100644 index 000000000..7244c570e --- /dev/null +++ b/charts/codefresh/templates/hooks/pre-upgrade/enable-stable-flags-rabbitmq-secret.yaml 
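Review bot: The container script runs with `set -x` and passes `--password=$RABBITMQADMIN_PASSWORD` as an argument, so the expanded RabbitMQ password is written to the job's log by the trace and is visible in the process arguments. I would replace `set -x` with `set -e` here; if the rabbitmqadmin build in this image reads the `RABBITMQADMIN_*` variables from the environment (the names suggest it, to be confirmed), the four connection flags can be dropped as well. The expansions are also unquoted, so a password containing whitespace or glob characters would be split before it reaches the tool.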
@@ -0,0 +1,20 @@ +{{- if and .Values.hooks.rabbitmq.enabled .Values.rabbitmq.enabled }} +{{- $libTemplateName := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "codefresh.fullname" . }}-rabbitmq-enable-stable-flags + labels: + {{ include "codefresh.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-weight: "-10" + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed +type: Opaque +data: + RABBITMQADMIN_TARGET_HOST: {{ (printf "%s-%s" .Release.Name (coalesce .Values.global.rabbitService .Values.global.rabbitmqService) | lower | trimSuffix ":5672") | b64enc | quote }} + RABBITMQADMIN_TARGET_PORT: {{ printf "%d" 15672 | b64enc | quote }} + RABBITMQADMIN_USERNAME: {{ .Values.rabbitmq.auth.username | b64enc | quote }} + RABBITMQADMIN_PASSWORD: {{ .Values.rabbitmq.auth.password | b64enc | quote }} +{{- end }} diff --git a/charts/codefresh/templates/secrets/secret.yaml b/charts/codefresh/templates/secrets/secret.yaml index e0fa81259..0ea7c521c 100644 --- a/charts/codefresh/templates/secrets/secret.yaml +++ b/charts/codefresh/templates/secrets/secret.yaml 
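Review bot: `RABBITMQADMIN_USERNAME` and `RABBITMQADMIN_PASSWORD` are taken only from `.Values.rabbitmq.auth.username` and `.Values.rabbitmq.auth.password`; if an install supplies the RabbitMQ password through an existing secret rather than plaintext values (not visible here), the hook secret would hold an empty or wrong password and the pre-upgrade job would only fail after its retries. A `required` guard, e.g. `{{ required "rabbitmq.auth.password is required for the feature-flag hook" .Values.rabbitmq.auth.password | b64enc | quote }}`, makes that fail at render time with a clear message.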
@@ -17,8 +17,8 @@ data: MONGODB_PROTOCOL: {{ coalesce .Values.global.mongodbProtocol | default "mongodb" | b64enc }} # legacy MONGODB_* secrets - MONGODB_ROOT_USER: {{ coalesce .Values.global.mongodbRootUser .Values.seed.mongoSeedJob.mongodbRootUser | b64enc }} - MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.global.mongodbRootPassword .Values.seed.mongoSeedJob.mongodbRootPassword) | b64enc }} + MONGODB_ROOT_USER: {{ coalesce .Values.seed.mongoSeedJob.mongodbRootUser .Values.global.mongodbRootUser | b64enc }} + MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.seed.mongoSeedJob.mongodbRootPassword .Values.global.mongodbRootPassword) | b64enc }} MONGO_URI: {{ .Values.global.mongoURI | default "empty" | b64enc}} MONGO_URI_RE_MANAGER: {{ include (printf "%s.classic.calculateMongoUri" $libTemplateName) (dict "dbName" "runtime-environment-manager" "mongoURI" .Values.global.mongoURI) | default "empty" | b64enc }} MONGODB_RE_DATABASE: {{ printf "%s" "runtime-environment-manager" | b64enc }} diff --git a/charts/codefresh/templates/seed/mongo-seed-job.yaml b/charts/codefresh/templates/seed/mongo-seed-job.yaml index a97706859..2cbac34a2 100644 --- a/charts/codefresh/templates/seed/mongo-seed-job.yaml +++ b/charts/codefresh/templates/seed/mongo-seed-job.yaml @@ -52,8 +52,19 @@ spec: {{- include "codefresh.mongodb-root-user-env-var-value" . | indent 12 }} - name: MONGODB_ROOT_PASSWORD {{- include "codefresh.mongodb-root-password-env-var-value" . | indent 12 }} + - name: MONGODB_ROOT_OPTIONS + value: {{ .Values.seed.mongoSeedJob.mongodbRootOptions | quote }} - name: DEVELOPMENT_CHART value: {{ .Values.developmentChart | quote }} + {{- range $env, $val := .Values.seed.mongoSeedJob.env }} + - name: {{ $env }} + value: {{ $val | quote }} + {{ end }} + {{- range $env, $val := .Values.global.env }} + - name: {{ $env }} + value: {{ $val | quote }} + {{ end }} + command: - "/bin/bash" - "-exc" 
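Review bot: The two `range` loops added to mongo-seed-job.yaml append `seed.mongoSeedJob.env` and then `global.env` after the chart's own variables, so a key present in both maps is emitted twice with the global value last, and a key such as `MONGODB_ROOT_PASSWORD` in either map duplicates the entry rendered above it. Merging first gives one entry per name with the job-specific value taking precedence (assuming both values default to a map): `{{- range $env, $val := merge (dict) .Values.seed.mongoSeedJob.env .Values.global.env }}`. The same `range` over `.Values.global.env` is added to postgres-seed-job.yaml, and `{{ end }}` without `-` leaves blank lines in both lists.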
diff --git a/charts/codefresh/templates/seed/postgres-seed-job.yaml b/charts/codefresh/templates/seed/postgres-seed-job.yaml index 6ff5366b1..9f66be450 100644 --- a/charts/codefresh/templates/seed/postgres-seed-job.yaml +++ b/charts/codefresh/templates/seed/postgres-seed-job.yaml @@ -49,6 +49,10 @@ spec: {{- include "codefresh.postgres-seed-user-env-var-value" . | indent 12 }} - name: POSTGRES_SEED_PASSWORD {{- include "codefresh.postgres-seed-password-env-var-value" . | indent 12 }} + {{- range $env, $val := .Values.global.env }} + - name: {{ $env }} + value: {{ $val | quote }} + {{ end }} resources: {{- toYaml .Values.seed.resources | nindent 10 }} command: diff --git a/charts/codefresh/values.yaml b/charts/codefresh/values.yaml index 9a4b9df36..3b5d09448 100644 --- a/charts/codefresh/values.yaml +++ b/charts/codefresh/values.yaml @@ -14,7 +14,7 @@ gencerts: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/kubectl - tag: 1.33.0 + tag: 1.33.3 rbac: enabled: true ttlSecondsAfterFinished: 300 @@ -55,6 +55,11 @@ seed: # name: my-secret # key: mongodb-root-password + # -- Extra options for connection string (e.g. `authSource=admin`). + mongodbRootOptions: "" + # -- Extra env variables for seed job. + env: {} + # -- Postgres Seed Job. Required at first install. Creates required user and databases. # @default -- See below postgresSeedJob: @@ -62,7 +67,7 @@ seed: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/postgresql - tag: 17 + tag: 17.5.0-debian-12-r20 # -- (optional) "postgres" admin user in plain text (required ONLY for seed job!) # Must be a privileged user allowed to create databases and grant roles. # If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. 
@@ -454,13 +459,24 @@ hooks: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/kubectl - tag: 1.33.0 + tag: 1.33.3 + affinity: {} + nodeSelector: {} + podSecurityContext: {} + resources: {} + tolerations: [] + # -- Enable stable feature flags in RabbitMQ. + rabbitmq: + enabled: true + image: + registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io + repository: codefresh/rabbitmqadmin + tag: 2.8.0 affinity: {} nodeSelector: {} podSecurityContext: {} resources: {} tolerations: [] - # -- Maintenance postgresql clean job. # Removes a certain number of the last records in the event store table. @@ -470,7 +486,7 @@ postgresqlCleanJob: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/postgresql - tag: 17 + tag: 17.5.0-debian-12-r20 schedule: "0 0 * * *" successfulJobsHistoryLimit: 1 failedJobsHistoryLimit: 1 
@@ -484,19 +500,19 @@ postgresqlCleanJob: # -- runtimeImages # @default -- See below runtimeImages: - COMPOSE_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/compose:v2.32.2-1.5.2 - CONTAINER_LOGGER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-container-logger:1.12.5 - DIND_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/dind:26.1.4-1.28.8 - DOCKER_BUILDER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-builder:1.4.4 - DOCKER_PULLER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-puller:8.0.20 - DOCKER_PUSHER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-pusher:6.0.17 - DOCKER_TAG_PUSHER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-tag-pusher:1.3.15 - ENGINE_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/engine:1.177.8 - FS_OPS_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/fs-ops:1.2.10 - GIT_CLONE_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-git-cloner:10.2.0 - KUBE_DEPLOY: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-deploy-kubernetes:16.2.6 - PIPELINE_DEBUGGER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-debugger:1.3.9 - TEMPLATE_ENGINE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/pikolo:0.14.3 + COMPOSE_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/compose:v2.37.0-1.5.4@sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad + CONTAINER_LOGGER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-container-logger:1.12.8@sha256:6e376bb00e824827cb038e15160ccf0fead4f868197b75bbc80dbd6bc34af8d6 + DIND_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/dind:26.1.4-1.28.8@sha256:33c343dd01e8a24f0b4a872bbe62884320719f9d9dc27b7a8fed9f7e9fc7e80e + DOCKER_BUILDER_IMAGE: 
us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-builder:1.4.7@sha256:1d02df4dcf703a97c7a64b147cd2c3f6ec2c708aad16be5abbd337f3c13a48ad + DOCKER_PULLER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-puller:8.0.22@sha256:914f071bcb1893bcb42c3f8907f8f3874f1f30db1a2ccaa4b825dab9bb157e60 + DOCKER_PUSHER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-pusher:6.0.20@sha256:bad3773029a68f33953f1dc245cb92c386b5311a996340eea41fe6b9cc52a96c + DOCKER_TAG_PUSHER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-docker-tag-pusher:1.3.19@sha256:ec4416525bbf4912786035fbb2e1f26ae04f94559c535f02232b48eb0a1c5fa7 + ENGINE_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/engine:1.178.2@sha256:3e179cb065419699c0925bb1eccee1e1a9d3b6609859f801a85feeaef0b6c153 + FS_OPS_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/fs-ops:1.2.10@sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad + GIT_CLONE_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-git-cloner:10.3.2@sha256:2e09eef18d5caddae708058ec63247825ac4e4ee5e5763986f65e1312fbcc449 + KUBE_DEPLOY: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-deploy-kubernetes:16.2.9@sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263 + PIPELINE_DEBUGGER_IMAGE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/cf-debugger:1.3.9@sha256:37975653b4ef5378bd1e38d453c7dac4721cba1c1977a5ca6118a67b98a47925 + TEMPLATE_ENGINE: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/pikolo:0.14.6@sha256:b3f499fcf93037e69fba599d2f292cfc9f28a158052dd57d5de9cdf9756f1f60 CR_6177_FIXER: docker.io/library/alpine:3.21 GC_BUILDER_IMAGE: docker.io/library/alpine:3.21 @@ -734,6 +750,7 @@ cf-platform-analytics-etlstarter: container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io + repository: codefresh/cf-platform-analytics env: ENV: production DATASET_ID: etl 
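Review bot: `CR_6177_FIXER` and `GC_BUILDER_IMAGE` at the end of this block still reference `docker.io/library/alpine:3.21` by tag only, while every image changed above them is now pinned with `@sha256:`. A floating tag can resolve to different content over time, so these are the only visible `runtimeImages` entries whose content is not fixed by this change. I would append the digest of the alpine image that was tested, in the form `docker.io/library/alpine:3.21@sha256:<digest-of-tested-image>`. The `runtimeImages` map may continue outside the hunk.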
@@ -756,6 +773,10 @@ cf-platform-analytics-platform: redis: enabled: true nameOverride: redis-platform-analytics + image: + registry: quay.io + repository: codefresh/redis + tag: 7.4.3-debian-12-r0 resources: requests: cpu: 100m @@ -807,7 +828,7 @@ cfsign: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/curl - tag: 8.11.1 + tag: 8.14.1 affinity: {} nodeSelector: {} podSecurityContext: {} @@ -892,6 +913,8 @@ cluster-providers: # Ref: https://github.com/bitnami/charts/blob/main/bitnami/consul/values.yaml consul: enabled: true + image: + repository: bitnamilegacy/consul datacenterName: codefresh-onprem replicaCount: 1 extraEnvVars: @@ -974,8 +997,8 @@ helm-repo-manager: ingress: enabled: false image: - repository: us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh/chartmuseum - tag: 8795e993 + repository: ghcr.io/helm/chartmuseum + tag: v0.16.3 resources: requests: cpu: 100m @@ -1092,6 +1115,8 @@ kube-integration: mongodb: enabled: true architecture: standalone + image: + repository: bitnamilegacy/mongodb useStatefulSet: true auth: enabled: true @@ -1102,7 +1127,7 @@ mongodb: cpu: 200m memory: 256Mi migration: - enabled: true + enabled: false featureCompatibilityVersion: "6.0" # -- nats @@ -1110,6 +1135,8 @@ mongodb: # Ref: https://github.com/bitnami/charts/blob/main/bitnami/nats/values.yaml nats: enabled: true + image: + repository: bitnamilegacy/nats replicaCount: 1 auth: enabled: false @@ -1142,7 +1169,7 @@ postgresql: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/postgresql - tag: 17 + tag: 17.5.0-debian-12-r20 auth: enablePostgresUser: true postgresPassword: "eC9arYka4ZbH" @@ -1198,6 +1225,10 @@ redis: requests: cpu: 200m memory: 256Mi + image: + registry: quay.io + repository: codefresh/redis + tag: 7.4.3-debian-12-r0 # -- redis-ha ## Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml 
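Review bot: The added `image.repository: bitnamilegacy/consul` points at the Bitnami legacy namespace, which to my knowledge is a frozen archive that no longer receives rebuilds or security fixes. The same switch is made for `bitnamilegacy/mongodb` and `bitnamilegacy/nats` further down and for `bitnamilegacy/rabbitmq` in a later hunk, and of these only the rabbitmq entry sets a tag in this file. I would record the reason and the follow-up next to each override, e.g. `# frozen upstream archive: no further security updates, replace with a maintained image`, and pin the tag or digest that was tested.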
@@ -1226,7 +1257,8 @@ redis-ha: rabbitmq: enabled: true image: - tag: "4.0" + repository: bitnamilegacy/rabbitmq + tag: "4.1.3" replicaCount: 1 auth: username: user @@ -1246,12 +1278,12 @@ builder: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/curl - tag: 8.11.1 + tag: 8.14.1 container: image: registry: docker.io repository: library/docker - tag: 28.0-dind + tag: 28.3-dind affinity: {} nodeSelector: {} podSecurityContext: {} @@ -1268,12 +1300,12 @@ runner: image: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/curl - tag: 8.11.1 + tag: 8.14.1 container: image: registry: docker.io repository: library/docker - tag: 28.0-dind + tag: 28.3-dind affinity: {} nodeSelector: {} podSecurityContext: {} @@ -1359,7 +1391,7 @@ argo-hub-platform: container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-hub-platform + repository: codefresh/argo-hub-platform imagePullSecrets: [] resources: requests: @@ -1422,7 +1454,7 @@ argo-platform: # -- Registry registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io # -- Repository - repository: codefresh-io/argo-platform-api-graphql + repository: codefresh/argo-platform-api-graphql # -- Env vars # @default -- See below env: @@ -1485,7 +1517,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-abac + repository: codefresh/argo-platform-abac env: MONGODB_PROTOCOL: *mongodb-protocol MONGODB_OPTIONS: *mongodb-options @@ -1521,7 +1553,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-analytics-reporter + repository: codefresh/argo-platform-analytics-reporter env: ENABLED_DATABASE_TYPES: POSTGRES MONGODB_PROTOCOL: *mongodb-protocol 
@@ -1570,7 +1602,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-api-events + repository: codefresh/argo-platform-api-events env: RABBITMQ_PROTOCOL: *rabbitmq-protocol RABBITMQ_URLS: $(RABBITMQ_PROTOCOL)://$(RABBITMQ_USER):$(RABBITMQ_PASSWORD)@$(RABBITMQ_HOST) @@ -1608,7 +1640,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-audit + repository: codefresh/argo-platform-audit env: MONGODB_PROTOCOL: *mongodb-protocol MONGODB_OPTIONS: *mongodb-options @@ -1651,7 +1683,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-cron-executor + repository: codefresh/argo-platform-cron-executor env: MONGODB_PROTOCOL: *mongodb-protocol MONGODB_OPTIONS: *mongodb-options @@ -1694,7 +1726,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-event-handler + repository: codefresh/argo-platform-event-handler env: MONGODB_PROTOCOL: *mongodb-protocol MONGODB_OPTIONS: *mongodb-options @@ -1747,7 +1779,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-ui + repository: codefresh/argo-platform-ui resources: requests: cpu: 100m @@ -1768,7 +1800,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-broadcaster + repository: codefresh/argo-platform-broadcaster env: MONGODB_PROTOCOL: *mongodb-protocol MONGODB_OPTIONS: *mongodb-options 
@@ -1776,6 +1808,8 @@ argo-platform: MONGODB_READMODELS_URI: '{{ include "argo-patform-libs.env-vars.mongodb-readmodels-uri-env-var-value" . }}' RABBITMQ_URLS: $(RABBITMQ_PROTOCOL)://$(RABBITMQ_USER):$(RABBITMQ_PASSWORD)@$(RABBITMQ_HOST) secrets: + v1-host: http://{{ .Release.Name }}-{{ .Values.global.cfapiEndpointsService }} + v1-internal-host: http://{{ .Release.Name }}-{{ .Values.global.cfapiService }}:{{ .Values.global.cfapiInternalPort }} mongodb-protocol: *mongodb-protocol mongodb-options: *mongodb-options mongodb-host: *mongodb-host @@ -1809,7 +1843,7 @@ argo-platform: kind: Deployment image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh-io/argo-platform-promotion-orchestrator + repository: codefresh/argo-platform-promotion-orchestrator env: MONGODB_PROTOCOL: *mongodb-protocol MONGODB_OPTIONS: *mongodb-options diff --git a/indexes/codefresh/agenttasks.json b/indexes/codefresh/agenttasks.json index 8c761fcd0..7e5b1f26f 100644 --- a/indexes/codefresh/agenttasks.json +++ b/indexes/codefresh/agenttasks.json @@ -1,29 +1,20 @@ [ { - "v" : 2.0, - "key" : { - "_id" : 1.0 - }, - "name" : "_id_" - }, - { - "v" : 2.0, - "key" : { - "metadata.accountId" : 1, - "metadata.reIdentifier" : 1, - "metadata.shouldExecute" : 1, - "metadata.startAt" : 1, - "metadata.status" : 1, - "metadata.expireAt" : 1 - }, - "name" : "metadata.accountId_1_metadata.reIdentifier_1_metadata.shouldExecute_1_metadata.startAt_1_metadata.status_1_metadata.expireAt_1" + "keys": { + "metadata.accountId": 1, + "metadata.reIdentifier": 1, + "metadata.shouldExecute": 1, + "metadata.startAt": 1, + "metadata.status": 1, + "metadata.expireAt": 1 + } }, { - "v" : 2.0, - "key" : { - "metadata.expireAt" : 1 + "keys": { + "metadata.expireAt": 1 }, - "name" : "metadata.expireAt_1", - "expireAfterSeconds" : 0.0 + "options": { + "expireAfterSeconds": 0 + } } -] +] \ No newline at end of file 
diff --git a/indexes/codefresh/feature-store-versioned.json b/indexes/codefresh/feature-store-versioned.json index 4be0e7132..e5c9af57f 100644 --- a/indexes/codefresh/feature-store-versioned.json +++ b/indexes/codefresh/feature-store-versioned.json @@ -1,25 +1,16 @@ [ { - "expireAfterSeconds": 43200.0, - "key": { - "createdAt": 1.0 + "keys": { + "createdAt": 1 }, - "name": "createdAt_1", - "v": 2.0 + "options": { + "expireAfterSeconds": 43200 + } }, { - "key": { - "_id": -1.0, - "LDRedisStoreVersion": 1.0 - }, - "name": "LDRedisStoreVersion_1__id_-1", - "v": 2.0 - }, - { - "key": { - "_id": 1.0 - }, - "name": "_id_", - "v": 2.0 + "keys": { + "_id": -1, + "LDRedisStoreVersion": 1 + } } -] +] \ No newline at end of file diff --git a/indexes/codefresh/users.json b/indexes/codefresh/users.json new file mode 100644 index 000000000..07200446a --- /dev/null +++ b/indexes/codefresh/users.json @@ -0,0 +1,15 @@ +[ + { + "keys": { + "account": 1, + "_id": 1 + } + }, + { + "keys": { + "role": 1, + "account": 1, + "_id": 1 + } + } +] \ No newline at end of file diff --git a/indexes/codefresh/workflowprocesses.json b/indexes/codefresh/workflowprocesses.json index e2e6e65a3..6f54ab77f 100644 --- a/indexes/codefresh/workflowprocesses.json +++ b/indexes/codefresh/workflowprocesses.json 
@@ -1,460 +1,382 @@ [ { - "v" : 1.0, - "key" : { - "account" : 1.0, - "pendingLicense" : 1.0, - "created" : 1.0 - }, - "name" : "account_1_pendingLicense_1_created_1" + "keys": { + "account": 1, + "pendingLicense": 1, + "created": 1 + } }, { - "v" : 1.0, - "key" : { - "pipeline" : 1.0, - "status" : 1.0 - }, - "name" : "pipeline_1_status_1" + "keys": { + "pipeline": 1, + "status": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1.0, - "triggerType" : 1.0 - }, - "name" : "account_1_triggerType_1" + "keys": { + "account": 1, + "triggerType": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1.0, - "pipelineInfo.pipelineId" : 1.0 - }, - "name" : "account_1_pipelineInfo.pipelineId_1" + "keys": { + "account": 1, + "pipelineInfo.pipelineId": 1 + } }, { - "v" : 1.0, - "key" : { - "account" : 1.0, - "startImmediately" : 1.0, - "status" : 1.0 - }, - "name" : "account_1_startImmediately_1_status_1" + "keys": { + "account": 1, + "startImmediately": 1, + "status": 1 + } }, { - "v" : 1.0, - "key" : { - "account" : 1.0, - "scmMetadata.repoName" : 1.0, - "scmMetadata.repoOwner" : 1.0, - "trigger" : 1.0, - "service" : 1.0 - }, - "name" : "account_1_scmMetadata.repoName_1_scmMetadata.repoOwner_1_trigger_1_service_1" + "keys": { + "account": 1, + "scmMetadata.repoName": 1, + "scmMetadata.repoOwner": 1, + "trigger": 1, + "service": 1 + } }, { - "v" : 1.0, - "key" : { - "isPublic" : 1.0 - }, - "name" : "isPublic_1" + "keys": { + "isPublic": 1 + } }, { - "v" : 2.0, - "key" : { - "codefreshEnv" : 1, - "status" : 1, - "shouldPerformFinishSystem" : 1, - "_id" : 1 - }, - "name" : "codefreshEnv_1_status_1_shouldPerformFinishSystem_1__id_1" + "keys": { + "codefreshEnv": 1, + "status": 1, + "shouldPerformFinishSystem": 1, + "_id": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "helmInfo.boardId" : 1 - }, - "name" : "account_1_helmInfo.boardId_1" + "keys": { + "account": 1, + "helmInfo.boardId": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1.0, - "environs" : 1.0 - }, - "name" : 
"account_1_environs_1" + "keys": { + "account": 1, + "environs": 1 + } }, { - "v" : 1.0, - "key" : { - "account" : 1.0, - "status" : 1.0, - "trigger" : 1.0 - }, - "name" : "account_1_status_1_trigger_1" + "keys": { + "account": 1, + "status": 1, + "trigger": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "pipeline" : 1, - "trigger" : 1, - "_id" : -1 - }, - "name" : "account_1_pipeline_1_trigger_1__id_-1" + "keys": { + "account": 1, + "pipeline": 1, + "trigger": 1, + "_id": -1 + } }, { - "v" : 1.0, - "key" : { - "scmMetadata.branchName" : 1.0, - "account" : 1.0, - "pipeline" : 1.0, - "created" : -1.0, - "finished" : 1.0 - }, - "name" : "scmMetadata.branchName_1_account_1_pipeline_1_created_-1_finished_1" + "keys": { + "scmMetadata.branchName": 1, + "account": 1, + "pipeline": 1, + "created": -1, + "finished": 1 + } }, { - "v" : 2.0, - "key" : { - "trigger" : 1.0, - "account" : 1.0, - "status" : 1.0, - "_id" : -1.0 - }, - "name" : "trigger_1_account_1_status_1__id_-1" + "keys": { + "trigger": 1, + "account": 1, + "status": 1, + "_id": -1 + } }, { - "v" : 1.0, - "key" : { - "account" : 1.0, - "trigger" : 1.0, - "scmMetadata.repoName" : 1.0, - "service" : 1.0 - }, - "name" : "account_1_trigger_1_scmMetadata.repoName_1_service_1" + "keys": { + "account": 1, + "trigger": 1, + "scmMetadata.repoName": 1, + "service": 1 + } }, { - "v" : 1.0, - "key" : { - "service" : 1.0, - "status" : 1.0 - }, - "name" : "service_1_status_1" + "keys": { + "service": 1, + "status": 1 + } }, { - "v" : 1.0, - "key" : { - "finished" : 1.0 - }, - "name" : "finished_1" + "keys": { + "finished": 1 + } }, { - "v" : 2.0, - "key" : { - "healthStatus.engine.status" : 1.0 - }, - "name" : "healthStatus.engine.status_1" + "keys": { + "healthStatus.engine.status": 1 + } }, { - "v" : 2.0, - "key" : { - "codefreshEnv" : 1, - "status" : 1, - "_id" : 1 - }, - "name" : "codefreshEnv_1_status_1__id_1" + "keys": { + "codefreshEnv": 1, + "status": 1, + "_id": 1 + } }, { - "v" : 1.0, - "key" : { - 
"account" : 1.0, - "service" : 1.0, - "trigger" : 1.0 - }, - "name" : "account_1_service_1_trigger_1" + "keys": { + "account": 1, + "service": 1, + "trigger": 1 + } }, { - "v" : 1.0, - "key" : { - "scmMetadata.branchName" : 1.0, - "service" : 1.0, - "status" : 1.0, - "created" : -1.0 - }, - "name" : "scmMetadata.branchName_1_service_1_status_1_created_-1" + "keys": { + "scmMetadata.branchName": 1, + "service": 1, + "status": 1, + "created": -1 + } }, { - "v" : 1.0, - "key" : { - "status" : 1.0, - "trigger" : 1.0 - }, - "name" : "status_1_trigger_1" + "keys": { + "status": 1, + "trigger": 1 + } }, { - "v" : 2.0, - "key" : { - "pipeline" : 1.0, - "finished" : -1.0 - }, - "name" : "pipeline_1_finished_-1" + "keys": { + "pipeline": 1, + "finished": -1 + } }, { - "v" : 1.0, - "key" : { - "progress" : 1.0 - }, - "name" : "progress_1" + "keys": { + "progress": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1.0, - "environ" : 1.0 - }, - "name" : "account_1_environ_1" + "keys": { + "account": 1, + "environ": 1 + } }, { - "v" : 2.0, - "key" : { - "status" : 1, - "created" : -1 - }, - "name" : "status_1_created_-1" + "keys": { + "status": 1, + "created": -1 + } }, { - "v" : 2.0, - "key" : { - "createdAt" : 1.0 - }, - "name" : "createdAt_1" + "keys": { + "createdAt": 1 + } }, { - "v" : 1.0, - "key" : { - "request" : 1.0 - }, - "name" : "request_1" + "keys": { + "request": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "_id" : 1, - "scmMetadata.repoName" : 1 - }, - "name" : "account_1__id_1_scmMetadata.repoName_1" + "keys": { + "account": 1, + "_id": 1, + "scmMetadata.repoName": 1 + } }, { - "v" : 2.0, - "key" : { - "pipeline" : 1, - "created" : -1 - }, - "name" : "pipeline_1_created_-1" + "keys": { + "pipeline": 1, + "created": -1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "status" : 1, - "created" : 1 - }, - "name" : "account_1_status_1_created_1" + "keys": { + "account": 1, + "status": 1, + "created": 1 + } }, { - "v" : 2.0, - "key" : { - "status" : 1, - 
"runtimeEnvironmentMetadata.agent" : 1, - "created" : 1 - }, - "name" : "status_1_runtimeEnvironmentMetadata.agent_1_created_1" + "keys": { + "status": 1, + "runtimeEnvironmentMetadata.agent": 1, + "created": 1 + } }, { - "v" : 2.0, - "key" : { - "created" : 1 - }, - "name" : "created_1", - "expireAfterSeconds" : 31536000.0 + "keys": { + "created": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "status" : 1, - "trigger" : 1, - "pipeline" : 1, - "keepPVCsForPendingApproval" : 1 - }, - "name" : "account_1_status_1_trigger_1_pipeline_1_keepPVCsForPendingApproval_1", - "partialFilterExpression" : { - "status" : { - "$in" : [ - "pending", - "delayed", - "elected", - "running", - "terminating", - "pending-approval" - ] + "keys": { + "account": 1, + "status": 1, + "trigger": 1, + "pipeline": 1, + "keepPVCsForPendingApproval": 1 + }, + "options": { + "partialFilterExpression": { + "status": { + "$in": [ + "pending", + "delayed", + "elected", + "running", + "terminating", + "pending-approval" + ] + } } } }, { - "v" : 2.0, - "key" : { - "_id" : 1.0 + "keys": { + "account": 1, + "scmMetadata.revision": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "_id_" - }, - { - "v" : 2.0, - "key" : { - "account" : 1, - "scmMetadata.revision" : 1, - "_id" : -1, - "pipeline" : 1 - }, - "name" : "account_1_scmMetadata.revision_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "scmMetadata.revision" : { - "$exists" : true + "options": { + "partialFilterExpression": { + "scmMetadata.revision": { + "$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "scmMetadata.userName" : 1, - "_id" : -1, - "pipeline" : 1 + "keys": { + "account": 1, + "trigger": 1, + "scmMetadata.userName": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "account_1_trigger_1_scmMetadata.userName_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "scmMetadata.userName" : { - "$exists" : true + "options": { + "partialFilterExpression": { + "scmMetadata.userName": { + 
"$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "annotations.key" : 1, - "annotations.value" : 1, - "_id" : -1, - "pipeline" : 1 + "keys": { + "account": 1, + "trigger": 1, + "annotations.key": 1, + "annotations.value": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "account_1_trigger_1_annotations.key_1_annotations.value_1__id_-1_pipeline_1", - "sparse" : true + "options": { + "sparse": true + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "pipelineTrigger" : 1, - "_id" : -1, - "pipeline" : 1 + "keys": { + "account": 1, + "trigger": 1, + "pipelineTrigger": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "account_1_trigger_1_pipelineTrigger_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "pipelineTrigger" : { - "$exists" : true + "options": { + "partialFilterExpression": { + "pipelineTrigger": { + "$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "scmMetadata.branchName" : 1, - "_id" : -1, - "pipeline" : 1 + "keys": { + "account": 1, + "trigger": 1, + "scmMetadata.branchName": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "account_1_trigger_1_scmMetadata.branchName_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "scmMetadata.branchName" : { - "$exists" : true + "options": { + "partialFilterExpression": { + "scmMetadata.branchName": { + "$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "_id" : -1, - "pipeline" : 1 - }, - "name" : "account_1_trigger_1__id_-1_pipeline_1" + "keys": { + "account": 1, + "trigger": 1, + "_id": -1, + "pipeline": 1 + } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "scmMetadata.provider" : 1, - "_id" : -1, - "pipeline" : 1 + "keys": { + "account": 1, + "trigger": 1, + "scmMetadata.provider": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "account_1_trigger_1_scmMetadata.provider_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "scmMetadata.provider" : { - 
"$exists" : true + "options": { + "partialFilterExpression": { + "scmMetadata.provider": { + "$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "scmMetadata.repoName" : 1, - "_id" : -1, - "pipeline" : 1 + "keys": { + "account": 1, + "trigger": 1, + "scmMetadata.repoName": 1, + "_id": -1, + "pipeline": 1 }, - "name" : "account_1_trigger_1_scmMetadata.repoName_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "scmMetadata.repoName" : { - "$exists" : true + "options": { + "partialFilterExpression": { + "scmMetadata.repoName": { + "$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "account" : 1, - "trigger" : 1, - "scmMetadata.provider" : 1, - "scmMetadata.event" : 1, - "_id" : -1, - "pipeline" : 1 - }, - "name" : "account_1_trigger_1_scmMetadata.provider_1_scmMetadata.event_1__id_-1_pipeline_1", - "partialFilterExpression" : { - "scmMetadata.event" : { - "$exists" : true - }, - "scmMetadata.provider" : { - "$exists" : true + "keys": { + "account": 1, + "trigger": 1, + "scmMetadata.provider": 1, + "scmMetadata.event": 1, + "_id": -1, + "pipeline": 1 + }, + "options": { + "partialFilterExpression": { + "scmMetadata.event": { + "$exists": true + }, + "scmMetadata.provider": { + "$exists": true + } } } }, { - "v" : 2.0, - "key" : { - "pipeline" : 1, - "_id" : -1 - }, - "name" : "pipeline_1__id_-1" + "keys": { + "pipeline": 1, + "_id": -1 + } } ] diff --git a/indexes/read-models/analysisruns.json b/indexes/read-models/analysisruns.json index 2a5c93752..7c8071247 100644 --- a/indexes/read-models/analysisruns.json +++ b/indexes/read-models/analysisruns.json 
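Review bot: The rewritten `created` index entry is `{ "keys": { "created": 1 } }` with no `options`, whereas the removed definition carried `"expireAfterSeconds" : 31536000.0`. The other TTL indexes in this patch (`metadata.expireAt` in agenttasks.json, `createdAt` in feature-store-versioned.json) kept their value under `options`, so the drop here looks unintended. If indexes are created from this file, workflow process documents would presumably no longer expire after one year. I would restore it on that entry as `"options": { "expireAfterSeconds": 31536000 }`.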
@@ -1,332 +1,313 @@ [ { - "v" : 2.0, - "key" : { - "_id" : 1.0 + "keys": { + "__passiveReferencedBy.name": 1 }, - "name" : "_id_" - }, - { - "v" : 2.0, - "key" : { - "__passiveReferencedBy.name" : 1.0 - }, - "name" : "__passiveReferencedBy.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__passiveReferencedBy.name" : 1.0, - "__passiveReferencedBy.kind" : 1.0, - "__passiveReferencedBy.namespace" : 1.0, - "__passiveReferencedBy.group" : 1.0, - "__passiveReferencedBy.version" : 1.0 + "keys": { + "__passiveReferencedBy.name": 1, + "__passiveReferencedBy.kind": 1, + "__passiveReferencedBy.namespace": 1, + "__passiveReferencedBy.group": 1, + "__passiveReferencedBy.version": 1 }, - "name" : "__passiveReferencedBy.name_1___passiveReferencedBy.kind_1___passiveReferencedBy.namespace_1___passiveReferencedBy.group_1___passiveReferencedBy.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - 
"__passiveReferences.name" : 1.0 + "keys": { + "__passiveReferences.name": 1 }, - "name" : "__passiveReferences.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__passiveReferences.name" : 1.0, - "__passiveReferences.kind" : 1.0, - "__passiveReferences.namespace" : 1.0, - "__passiveReferences.group" : 1.0, - "__passiveReferences.version" : 1.0 + "keys": { + "__passiveReferences.name": 1, + "__passiveReferences.kind": 1, + "__passiveReferences.namespace": 1, + "__passiveReferences.group": 1, + "__passiveReferences.version": 1 }, - "name" : "__passiveReferences.name_1___passiveReferences.kind_1___passiveReferences.namespace_1___passiveReferences.group_1___passiveReferences.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferencedBy.name" : 1.0 + "keys": { + "__inferredReferencedBy.name": 1 }, - "name" : "__inferredReferencedBy.name_1", - "background" : true, - "collation" : { - 
"locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferencedBy.name" : 1.0, - "__inferredReferencedBy.kind" : 1.0, - "__inferredReferencedBy.namespace" : 1.0, - "__inferredReferencedBy.group" : 1.0, - "__inferredReferencedBy.version" : 1.0 + "keys": { + "__inferredReferencedBy.name": 1, + "__inferredReferencedBy.kind": 1, + "__inferredReferencedBy.namespace": 1, + "__inferredReferencedBy.group": 1, + "__inferredReferencedBy.version": 1 }, - "name" : "__inferredReferencedBy.name_1___inferredReferencedBy.kind_1___inferredReferencedBy.namespace_1___inferredReferencedBy.group_1___inferredReferencedBy.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferences.name" : 1.0 + "keys": { + "__inferredReferences.name": 1 }, - "name" : "__inferredReferences.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : 
"non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferences.name" : 1.0, - "__inferredReferences.kind" : 1.0, - "__inferredReferences.namespace" : 1.0, - "__inferredReferences.group" : 1.0, - "__inferredReferences.version" : 1.0 + "keys": { + "__inferredReferences.name": 1, + "__inferredReferences.kind": 1, + "__inferredReferences.namespace": 1, + "__inferredReferences.group": 1, + "__inferredReferences.version": 1 }, - "name" : "__inferredReferences.name_1___inferredReferences.kind_1___inferredReferences.namespace_1___inferredReferences.group_1___inferredReferences.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "updatedAt" : 1.0 + "keys": { + "updatedAt": 1 }, - "name" : "updatedAt_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": 
"off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "projects" : 1.0 + "keys": { + "projects": 1 }, - "name" : "projects_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.name" : 1.0 + "keys": { + "metadata.name": 1 }, - "name" : "metadata.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.labels" : 1.0 + "keys": { + "metadata.labels": 1 }, - "name" : "metadata.labels_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": 
"en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.accountId" : 1.0, - "metadata.runtime" : 1.0, - "metadata.cluster" : 1.0, - "metadata.namespace" : 1.0, - "metadata.group" : 1.0, - "metadata.version" : 1.0, - "metadata.kind" : 1.0, - "metadata.name" : 1.0, - "metadata.uid" : 1.0, - "metadata.revision" : 1.0 + "keys": { + "metadata.accountId": 1, + "metadata.runtime": 1, + "metadata.cluster": 1, + "metadata.namespace": 1, + "metadata.group": 1, + "metadata.version": 1, + "metadata.kind": 1, + "metadata.name": 1, + "metadata.uid": 1, + "metadata.revision": 1 }, - "name" : "metadata.accountId_1_metadata.runtime_1_metadata.cluster_1_metadata.namespace_1_metadata.group_1_metadata.version_1_metadata.kind_1_metadata.name_1_metadata.uid_1_metadata.revision_1", - "unique" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "unique": true, + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.accountId" : 1, - "revision" : 1, - "metadata.labels.rollout-type" : 1, - "metadata.runtime" : 1, - "metadata.labels.step-index" : 1 - }, - "name" : "metadata.accountId_1_revision_1_metadata.labels.rollout-type_1_metadata.runtime_1_metadata.labels.step-index_1" + "keys": { + "metadata.accountId": 1, + "revision": 1, + "metadata.labels.rollout-type": 1, + "metadata.runtime": 1, + 
"metadata.labels.step-index": 1 + } }, { - "v" : 2.0, - "key" : { - "metadata.accountId" : 1, - "revision" : 1, - "metadata.labels.rollout-type" : 1, - "metadata.runtime" : 1, - "metadata.creationTimestamp" : -1 - }, - "name" : "metadata.accountId_1_revision_1_metadata.labels.rollout-type_1_metadata.runtime_1_metadata.creationTimestamp_-1" + "keys": { + "metadata.accountId": 1, + "revision": 1, + "metadata.labels.rollout-type": 1, + "metadata.runtime": 1, + "metadata.creationTimestamp": -1 + } }, { - "v" : 2.0, - "key" : { - "ownerReferences.uid" : 1, - "revision" : 1 + "keys": { + "ownerReferences.uid": 1, + "revision": 1 }, - "name" : "ownerReferences.uid_1_revision_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } } -] +] \ No newline at end of file diff --git a/indexes/read-models/images-binaries.json b/indexes/read-models/images-binaries.json index 338df48e6..c8efda894 100644 --- a/indexes/read-models/images-binaries.json +++ b/indexes/read-models/images-binaries.json 
@@ -1,95 +1,68 @@ [ { - "v" : 2.0, - "key" : { - "_id" : 1.0 - }, - "name" : "_id_" - }, - { - "v" : 2.0, - "key" : { - "accountId" : 1.0, - "imageName" : 1.0, - "repositoryName" : 1.0 - }, - "name" : "accountId_1_imageName_1_repositoryName_1", - "background" : true + "keys": { + "accountId": 1, + "imageName": 1, + "repositoryName": 1 + } }, { - "v" : 2.0, - "key" : { - "accountId" : 1.0, - "repositoryName" : 1.0, - "gitRepository" : 1.0 - }, - "name" : "accountId_1_repositoryName_1_gitRepository_1", - "background" : true + "keys": { + "accountId": 1, + "repositoryName": 1, + "gitRepository": 1 + } }, { - "v" : 2.0, - "key" : { - "accountId" : 1.0, - "repositoryName" : 1.0, - "branch" : 1.0 - }, - "name" : "accountId_1_repositoryName_1_branch_1", - "background" : true + "keys": { + "accountId": 1, + "repositoryName": 1, + "branch": 1 + } }, { - "v" : 2.0, - "key" : { - "runtime.name" : 1.0 - }, - "name" : "runtime.name_1", - "background" : true + "keys": { + "runtime.name": 1 + } }, { - "v" : 2.0, - "key" : { - "accountId" : 1.0, - "repoDigest" : 1.0 - }, - "name" : "accountId_1_repoDigest_1", - "background" : true + "keys": { + "accountId": 1, + "repoDigest": 1 + } }, { - "v" : 2.0, - "key" : { - "accountId" : 1.0, - "internalImageId" : 1.0 - }, - "name" : "accountId_1_internalImageId_1", - "background" : true + "keys": { + "accountId": 1, + "internalImageId": 1 + } }, { - "v" : 2.0, - "key" : { - "accountId" : 1, - "binaryId" : 1, - "lastUpdate" : -1, - "_id" : -1 - }, - "name" : "accountId_1_binaryId_1_lastUpdate_-1__id_-1" + "keys": { + "accountId": 1, + "binaryId": 1, + "lastUpdate": -1, + "_id": -1 + } }, { - "v" : 2.0, - "key" : { - "accountId" : 1, - "imageName" : 1 + "keys": { + "accountId": 1, + "imageName": 1 }, - "name" : "accountId_1_imageName_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - 
"normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } } -] +] \ No newline at end of file diff --git a/indexes/read-models/product-releases.json b/indexes/read-models/product-releases.json new file mode 100644 index 000000000..0588ba775 --- /dev/null +++ b/indexes/read-models/product-releases.json 
@@ -0,0 +1,105 @@
+[
+ {
+ "keys": {
+ "status": 1
+ },
+ "options": {
+ "collation": {
+ "locale": "en_US",
+ "caseLevel": false,
+ "caseFirst": "off",
+ "strength": 1,
+ "numericOrdering": false,
+ "alternate": "non-ignorable",
+ "maxVariable": "punct",
+ "normalization": false,
+ "backwards": false,
+ "version": "57.1"
+ }
+ }
+ },
+ {
+ "keys": {
+ "accountId": 1,
+ "updatedAt": -1
+ },
+ "options": {
+ "collation": {
+ "locale": "en",
+ "caseLevel": false,
+ "caseFirst": "off",
+ "strength": 2,
+ "numericOrdering": false,
+ "alternate": "non-ignorable",
+ "maxVariable": "punct",
+ "normalization": false,
+ "backwards": false,
+ "version": "57.1"
+ }
+ }
+ },
+ {
+ "keys": {
+ "accountId": 1,
+ "productName": 1,
+ "triggerCommit.sha": 1
+ },
+ "options": {
+ "collation": {
+ "locale": "en_US",
+ "caseLevel": false,
+ "caseFirst": "off",
+ "strength": 1,
+ "numericOrdering": false,
+ "alternate": "non-ignorable",
+ "maxVariable": "punct",
+ "normalization": false,
+ "backwards": false,
+ "version": "57.1"
+ }
+ }
+ },
+ {
+ "keys": {
+ "accountId": 1,
+ "productName": 1,
+ "status": 1,
+ "triggerEnvironment": 1,
+ "triggerCommit.sha": 1
+ },
+ "options": {
+ "collation": {
+ "locale": "en_US",
+ "caseLevel": false,
+ "caseFirst": "off",
+ "strength": 1,
+ "numericOrdering": false,
+ "alternate": "non-ignorable",
+ "maxVariable": "punct",
+ "normalization": false,
+ "backwards": false,
+ "version": "57.1"
+ }
+ }
+ },
+ {
+ "keys": {
+ "accountId": 1,
+ "productName": 1
+ },
+ "options": {
+ "collation": {
+ "locale": "en_US",
+ "caseLevel": false,
+ "caseFirst": "off",
+ "strength": 1,
+ "numericOrdering": false,
+ "alternate": "non-ignorable",
+ "maxVariable": "punct",
+ "normalization": false,
+ "backwards": false,
+ "version": "57.1"
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/indexes/read-models/releases.json b/indexes/read-models/releases.json
index e48f117e5..731a06bb0 100644
--- a/indexes/read-models/releases.json
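Review bot: The second index in the new product-releases.json (keys `"accountId": 1, "updatedAt": -1`) declares its collation with `"locale": "en"` and `"strength": 2`, while the other four indexes in the same file use `"locale": "en_US"` and `"strength": 1`. If the difference is not deliberate, align the two lines with the rest of the file: `"locale": "en_US",` and `"strength": 1,`. If it is deliberate, the reason belongs in the commit description, because JSON leaves no room for a comment and a query presumably has to request the same collation for string comparisons to be served by this index.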
+++ b/indexes/read-models/releases.json 
@@ -1,196 +1,140 @@ [ { - "v" : 2.0, - "key" : { - "_id" : 1.0 - }, - "name" : "_id_" + "keys": { + "applicationMetadata.name": 1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.name" : 1.0 - }, - "name" : "applicationMetadata.name_1", - "background" : true + "keys": { + "applicationMetadata.labels": 1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.labels" : 1.0 - }, - "name" : "applicationMetadata.labels_1", - "background" : true + "keys": { + "application.prs.type": 1 + } }, { - "v" : 2.0, - "key" : { - "application.prs.type" : 1.0 - }, - "name" : "application.prs.type_1", - "background" : true + "keys": { + "application.prs.key": 1 + } }, { - "v" : 2.0, - "key" : { - "application.prs.key" : 1.0 - }, - "name" : "application.prs.key_1", - "background" : true + "keys": { + "application.prs.accountId": 1 + } }, { - "v" : 2.0, - "key" : { - "application.prs.accountId" : 1.0 - }, - "name" : "application.prs.accountId_1", - "background" : true + "keys": { + "application.issues.type": 1 + } }, { - "v" : 2.0, - "key" : { - "application.issues.type" : 1.0 - }, - "name" : "application.issues.type_1", - "background" : true + "keys": { + "application.issues.key": 1 + } }, { - "v" : 2.0, - "key" : { - "application.issues.key" : 1.0 - }, - "name" : "application.issues.key_1", - "background" : true + "keys": { + "application.issues.accountId": 1 + } }, { - "v" : 2.0, - "key" : { - "application.issues.accountId" : 1.0 - }, - "name" : "application.issues.accountId_1", - "background" : true + "keys": { + "applicationMetadata.accountId": 1, + "applicationMetadata.runtime": 1, + "applicationMetadata.name": 1, + "applicationMetadata.namespace": 1, + "application.issues.key": 1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.accountId" : 1.0, - "applicationMetadata.runtime" : 1.0, - "applicationMetadata.name" : 1.0, - "applicationMetadata.namespace" : 1.0, - "application.issues.key" : 1.0 - }, - "name" : 
"applicationMetadata.accountId_1_applicationMetadata.runtime_1_applicationMetadata.name_1_applicationMetadata.namespace_1_application.issues.key_1", - "background" : true + "keys": { + "applicationMetadata.accountId": 1, + "applicationMetadata.runtime": 1, + "applicationMetadata.name": 1, + "applicationMetadata.namespace": 1, + "application.prs.key": 1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.accountId" : 1.0, - "applicationMetadata.runtime" : 1.0, - "applicationMetadata.name" : 1.0, - "applicationMetadata.namespace" : 1.0, - "application.prs.key" : 1.0 - }, - "name" : "applicationMetadata.accountId_1_applicationMetadata.runtime_1_applicationMetadata.name_1_applicationMetadata.namespace_1_application.prs.key_1", - "background" : true + "keys": { + "applicationMetadata.accountId": 1, + "applicationMetadata.runtime": 1, + "applicationMetadata.name": 1, + "applicationMetadata.namespace": 1, + "application.committers.userName": 1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.accountId" : 1.0, - "applicationMetadata.runtime" : 1.0, - "applicationMetadata.name" : 1.0, - "applicationMetadata.namespace" : 1.0, - "application.committers.userName" : 1.0 - }, - "name" : "applicationMetadata.accountId_1_applicationMetadata.runtime_1_applicationMetadata.name_1_applicationMetadata.namespace_1_application.committers.userName_1", - "background" : true - }, - { - "v" : 2.0, - "key" : { - "applicationMetadata.accountId" : 1.0, - "applicationMetadata.runtime" : 1.0, - "applicationMetadata.name" : 1.0, - "applicationMetadata.namespace" : 1.0, - "applicationMetadata.group" : 1.0, - "applicationMetadata.version" : 1.0, - "applicationMetadata.kind" : 1.0, - "historyId" : -1.0 - }, - "name" : "applicationMetadata.accountId_1_applicationMetadata.runtime_1_applicationMetadata.name_1_applicationMetadata.namespace_1_applicationMetadata.group_1_applicationMetadata.version_1_applicationMetadata.kind_1_historyId_-1", - "background" : true, - "unique" : true - }, - { - 
"v" : 2.0, - "key" : { - "applicationMetadata.accountId" : 1.0, - "applicationMetadata.runtime" : 1.0, - "applicationMetadata.name" : 1.0, - "applicationMetadata.namespace" : 1.0, - "applicationMetadata.group" : 1.0, - "applicationMetadata.version" : 1.0, - "reportedToJira" : 1.0, - "historyId" : 1.0, - "application.status.syncStartedAt" : 1.0 + "keys": { + "applicationMetadata.accountId": 1, + "applicationMetadata.runtime": 1, + "applicationMetadata.name": 1, + "applicationMetadata.namespace": 1, + "applicationMetadata.group": 1, + "applicationMetadata.version": 1, + "applicationMetadata.kind": 1, + "historyId": -1 }, - "name" : "applicationMetadata.accountId_1_applicationMetadata.runtime_1_applicationMetadata.name_1_applicationMetadata.namespace_1_applicationMetadata.group_1_applicationMetadata.version_1_reportedToJira_1_historyId_1_application.status.syncStartedAt_1", - "background" : true + "options": { + "unique": true + } }, { - "v" : 2.0, - "key" : { - "fromState.services.revision" : 1, - "fromState.services.name" : 1, - "applicationMetadata.accountId" : 1 - }, - "name" : "fromState.services.revision_1_fromState.services.name_1_applicationMetadata.accountId_1" + "keys": { + "applicationMetadata.accountId": 1, + "applicationMetadata.runtime": 1, + "applicationMetadata.name": 1, + "applicationMetadata.namespace": 1, + "applicationMetadata.group": 1, + "applicationMetadata.version": 1, + "reportedToJira": 1, + "historyId": 1, + "application.status.syncStartedAt": 1 + } }, { - "v" : 2.0, - "key" : { - "syncOperationRevision" : 1, - "applicationMetadata.name" : 1, - "applicationMetadata.accountId" : 1, - "historyId" : -1 - }, - "name" : "syncOperationRevision_1_applicationMetadata.name_1_applicationMetadata.accountId_1_historyId_-1" + "keys": { + "fromState.services.revision": 1, + "fromState.services.name": 1, + "applicationMetadata.accountId": 1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.name" : 1, - "applicationMetadata.accountId" : 1, - 
"historyId" : -1 - }, - "name" : "applicationMetadata.name_1_applicationMetadata.accountId_1_historyId_-1" + "keys": { + "syncOperationRevision": 1, + "applicationMetadata.name": 1, + "applicationMetadata.accountId": 1, + "historyId": -1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.name" : 1, - "applicationMetadata.accountId" : 1, - "application.status.healthStatus" : 1 - }, - "name" : "applicationMetadata.name_1_applicationMetadata.accountId_1_application.status.healthStatus_1" + "keys": { + "applicationMetadata.name": 1, + "applicationMetadata.accountId": 1, + "historyId": -1 + } }, { - "v" : 2.0, - "key" : { - "applicationMetadata.name" : 1, - "applicationMetadata.accountId" : 1, - "current" : 1 - }, - "name" : "applicationMetadata.name_1_applicationMetadata.accountId_1_current_1" + "keys": { + "applicationMetadata.name": 1, + "applicationMetadata.accountId": 1, + "application.status.healthStatus": 1 + } }, { - "v" : 2.0, - "key" : { - "application.status.revision" : 1, - "applicationMetadata.name" : 1, - "applicationMetadata.accountId" : 1 - }, - "name" : "application.status.revision_1_applicationMetadata.name_1_applicationMetadata.accountId_1" + "keys": { + "applicationMetadata.name": 1, + "applicationMetadata.accountId": 1, + "current": 1 + } + }, + { + "keys": { + "application.status.revision": 1, + "applicationMetadata.name": 1, + "applicationMetadata.accountId": 1 + } } -] +] \ No newline at end of file diff --git a/indexes/read-models/rollouts.json b/indexes/read-models/rollouts.json index 7d4519f14..0bb53806c 100644 --- a/indexes/read-models/rollouts.json +++ b/indexes/read-models/rollouts.json 
@@ -1,393 +1,374 @@ [ { - "v" : 2.0, - "key" : { - "_id" : 1.0 + "keys": { + "__passiveReferencedBy.name": 1 }, - "name" : "_id_" - }, - { - "v" : 2.0, - "key" : { - "__passiveReferencedBy.name" : 1.0 - }, - "name" : "__passiveReferencedBy.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__passiveReferencedBy.name" : 1.0, - "__passiveReferencedBy.kind" : 1.0, - "__passiveReferencedBy.namespace" : 1.0, - "__passiveReferencedBy.group" : 1.0, - "__passiveReferencedBy.version" : 1.0 + "keys": { + "__passiveReferencedBy.name": 1, + "__passiveReferencedBy.kind": 1, + "__passiveReferencedBy.namespace": 1, + "__passiveReferencedBy.group": 1, + "__passiveReferencedBy.version": 1 }, - "name" : "__passiveReferencedBy.name_1___passiveReferencedBy.kind_1___passiveReferencedBy.namespace_1___passiveReferencedBy.group_1___passiveReferencedBy.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - 
"__passiveReferences.name" : 1.0 + "keys": { + "__passiveReferences.name": 1 }, - "name" : "__passiveReferences.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__passiveReferences.name" : 1.0, - "__passiveReferences.kind" : 1.0, - "__passiveReferences.namespace" : 1.0, - "__passiveReferences.group" : 1.0, - "__passiveReferences.version" : 1.0 + "keys": { + "__passiveReferences.name": 1, + "__passiveReferences.kind": 1, + "__passiveReferences.namespace": 1, + "__passiveReferences.group": 1, + "__passiveReferences.version": 1 }, - "name" : "__passiveReferences.name_1___passiveReferences.kind_1___passiveReferences.namespace_1___passiveReferences.group_1___passiveReferences.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferencedBy.name" : 1.0 + "keys": { + "__inferredReferencedBy.name": 1 }, - "name" : "__inferredReferencedBy.name_1", - "background" : true, - "collation" : { - 
"locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferencedBy.name" : 1.0, - "__inferredReferencedBy.kind" : 1.0, - "__inferredReferencedBy.namespace" : 1.0, - "__inferredReferencedBy.group" : 1.0, - "__inferredReferencedBy.version" : 1.0 + "keys": { + "__inferredReferencedBy.name": 1, + "__inferredReferencedBy.kind": 1, + "__inferredReferencedBy.namespace": 1, + "__inferredReferencedBy.group": 1, + "__inferredReferencedBy.version": 1 }, - "name" : "__inferredReferencedBy.name_1___inferredReferencedBy.kind_1___inferredReferencedBy.namespace_1___inferredReferencedBy.group_1___inferredReferencedBy.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferences.name" : 1.0 + "keys": { + "__inferredReferences.name": 1 }, - "name" : "__inferredReferences.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : 
"non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "__inferredReferences.name" : 1.0, - "__inferredReferences.kind" : 1.0, - "__inferredReferences.namespace" : 1.0, - "__inferredReferences.group" : 1.0, - "__inferredReferences.version" : 1.0 + "keys": { + "__inferredReferences.name": 1, + "__inferredReferences.kind": 1, + "__inferredReferences.namespace": 1, + "__inferredReferences.group": 1, + "__inferredReferences.version": 1 }, - "name" : "__inferredReferences.name_1___inferredReferences.kind_1___inferredReferences.namespace_1___inferredReferences.group_1___inferredReferences.version_1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "updatedAt" : 1.0 + "keys": { + "updatedAt": 1 }, - "name" : "updatedAt_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": 
"off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "projects" : 1.0 + "keys": { + "projects": 1 }, - "name" : "projects_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.name" : 1.0 + "keys": { + "metadata.name": 1 }, - "name" : "metadata.name_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.labels" : 1.0 + "keys": { + "metadata.labels": 1 }, - "name" : "metadata.labels_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": 
"en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "source.syncStartedAt" : 1.0 + "keys": { + "source.syncStartedAt": 1 }, - "name" : "source.syncStartedAt_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "source.gitSource" : 1.0 + "keys": { + "source.gitSource": 1 }, - "name" : "source.gitSource_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.accountId" : 1.0, - "metadata.runtime" : 1.0, - "metadata.cluster" : 1.0, - "metadata.namespace" : 1.0, - "metadata.group" : 1.0, - "metadata.version" : 1.0, - "metadata.kind" : 1.0, - "metadata.name" : 1.0, - "metadata.revision" : 1.0, - "metadata.uid" : 1.0, - "metadata.labels.app\\u002ekubernetes\\u002eio/instance" : 1.0 + 
"keys": { + "metadata.accountId": 1, + "metadata.runtime": 1, + "metadata.cluster": 1, + "metadata.namespace": 1, + "metadata.group": 1, + "metadata.version": 1, + "metadata.kind": 1, + "metadata.name": 1, + "metadata.revision": 1, + "metadata.uid": 1, + "metadata.labels.app\\u002ekubernetes\\u002eio/instance": 1 }, - "name" : "metadata.accountId_1_metadata.runtime_1_metadata.cluster_1_metadata.namespace_1_metadata.group_1_metadata.version_1_metadata.kind_1_metadata.name_1_metadata.revision_1_metadata.uid_1_metadata.labels.app\\u002ekubernetes\\u002eio/instance_1", - "unique" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "unique": true, + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "source.gitSourceUID" : 1.0 + "keys": { + "source.gitSourceUID": 1 }, - "name" : "source.gitSourceUID_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "source.gitSourceNamespace" : 1.0 + "keys": { + "source.gitSourceNamespace": 1 }, - "name" : 
"source.gitSourceNamespace_1", - "background" : true, - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } }, { - "v" : 2.0, - "key" : { - "metadata.appName" : 1, - "metadata.accountId" : 1, - "metadata.runtime" : 1, - "_id" : -1 + "keys": { + "metadata.appName": 1, + "metadata.accountId": 1, + "metadata.runtime": 1, + "_id": -1 }, - "name" : "metadata.appName_1_metadata.accountId_1_metadata.runtime_1__id_-1", - "collation" : { - "locale" : "en_US", - "caseLevel" : false, - "caseFirst" : "off", - "strength" : 1.0, - "numericOrdering" : false, - "alternate" : "non-ignorable", - "maxVariable" : "punct", - "normalization" : false, - "backwards" : false, - "version" : "57.1" + "options": { + "collation": { + "locale": "en_US", + "caseLevel": false, + "caseFirst": "off", + "strength": 1, + "numericOrdering": false, + "alternate": "non-ignorable", + "maxVariable": "punct", + "normalization": false, + "backwards": false, + "version": "57.1" + } } } -] +] \ No newline at end of file diff --git a/scripts/update_re_images.sh b/scripts/update_re_images.sh index e5f6d31ac..184f3af09 100755 --- a/scripts/update_re_images.sh +++ b/scripts/update_re_images.sh @@ -20,7 +20,7 @@ msg() { echo -e "\e[32mINFO ---> $1\e[0m"; } err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; } runtimeJson=$(mktemp) -codefresh get sys-re system/root --extend -o json > $runtimeJson +codefresh get sys-re system/linux_paying_plan --extend -o json > $runtimeJson RUNTIME_IMAGES=( ENGINE_IMAGE 
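Review bot: In scripts/update_re_images.sh the changed line still redirects to an unquoted `$runtimeJson` and nothing in the hunk checks whether `codefresh get` succeeded, so a missing or renamed `system/linux_paying_plan` runtime would leave an empty temp file for the steps that follow. I would write it as `codefresh get sys-re system/linux_paying_plan --extend -o json > "$runtimeJson" || { err "cannot fetch system/linux_paying_plan"; exit 1; }`. The file created by `mktemp` receives the full runtime-environment JSON and no cleanup is visible here; adding `trap 'rm -f -- "$runtimeJson"' EXIT` right after the `mktemp` line would cover every exit path, unless the script already removes it further down. The script starts and continues outside the hunk, so whether `set -e` is active cannot be confirmed from here.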
From 40860bde97edef53f63767d56f35ca46f5c04d17 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Tue, 2 Sep 2025 17:38:08 +0300 Subject: [PATCH 02/15] onprem: 3.0 --- charts/codefresh/Chart.lock | 61 ++++++++++++++++---------------- charts/codefresh/Chart.yaml | 67 ++++++++++++++++-------------------- charts/codefresh/values.yaml | 29 ---------------- 3 files changed, 58 insertions(+), 99 deletions(-) diff --git a/charts/codefresh/Chart.lock b/charts/codefresh/Chart.lock index 7c8f22d3a..e024d39b8 100644 --- a/charts/codefresh/Chart.lock +++ b/charts/codefresh/Chart.lock @@ -30,11 +30,8 @@ dependencies: repository: https://charts.bitnami.com/bitnami version: 9.0.22 - name: builder - repository: oci://quay.io/codefresh/charts - version: 1.4.0 -- name: runner - repository: oci://quay.io/codefresh/charts - version: 1.4.0 + repository: oci://quay.io/codefresh/charts/dev + version: 2.0.0 - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx version: 4.12.5 @@ -46,7 +43,7 @@ dependencies: version: 1.32.0 - name: charts-manager repository: oci://quay.io/codefresh/charts - version: 1.23.4 + version: 1.25.0 - name: cfsign repository: oci://quay.io/codefresh/charts version: 1.8.10 
@@ -55,76 +52,76 @@ dependencies: version: 1.27.0 - name: context-manager repository: oci://quay.io/codefresh/charts - version: 2.34.5 + version: 2.36.0 - name: pipeline-manager repository: oci://quay.io/codefresh/charts - version: 3.139.5 + version: 3.141.0 - name: gitops-dashboard-manager repository: oci://quay.io/codefresh/charts version: 1.15.0 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 
- name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.279.8 + version: 21.291.7 - name: cfui repository: oci://quay.io/codefresh/charts - version: 14.98.29 + version: 14.99.34 - name: k8s-monitor repository: oci://quay.io/codefresh/charts version: 4.11.16 - name: runtime-environment-manager repository: oci://quay.io/codefresh/charts - version: 3.41.5 + version: 3.43.0 - name: cf-broadcaster repository: oci://quay.io/codefresh/charts version: 1.14.0 @@ -133,7 +130,7 @@ dependencies: version: 0.20.2 - name: hermes repository: oci://quay.io/codefresh/charts - version: 0.21.20 + version: 0.21.21 - name: nomios repository: oci://quay.io/codefresh/charts version: 0.11.11 @@ -148,7 +145,7 @@ dependencies: version: 0.51.0 - name: argo-platform repository: oci://quay.io/codefresh/charts - version: 1.3525.3-onprem-24aeab4 + version: 1.3728.0 - name: argo-hub-platform repository: oci://quay.io/codefresh/charts version: 0.1.27 @@ -167,5 +164,5 @@ dependencies: - name: salesforce-reporter repository: oci://quay.io/codefresh/charts version: 1.30.11 -digest: sha256:4e7b52e0ee6d81e910d3e7352b14cb5a7d01c51a7bcd7a8e455c53cc2564d982 -generated: "2025-08-29T15:06:33.935106+03:00" +digest: sha256:0c279c1100957c6e34ee053e05ce59e5c10ca83b1d4995320682254700d3c978 +generated: "2025-09-02T17:05:39.300533+03:00" diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 622c9b297..319b51e50 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Helm Chart for Codefresh On-Prem name: codefresh -version: 2.8.13 +version: 3.0.0 keywords: - codefresh home: https://codefresh.io/ @@ -11,7 +11,7 @@ sources: maintainers: - name: codefresh url: https://codefresh-io.github.io/ -appVersion: 2.8.0 +appVersion: 3.0.0 annotations: artifacthub.io/prerelease: "false" artifacthub.io/alternativeName: "codefresh-onprem" 
@@ -19,12 +19,7 @@ annotations: # supported kinds are added, changed, deprecated, removed, fixed and security. artifacthub.io/changes: | - kind: changed - description: "Update internal-gateway" - - kind: changed - description: "Change bitnami subcharts to use bitnamilegacy repository" - links: - - name: GitHub Issue - url: https://github.com/bitnami/charts/issues/35164 + description: "Initial onprem 3.0 release" dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts @@ -66,13 +61,9 @@ dependencies: repository: https://charts.bitnami.com/bitnami condition: nats.enabled - name: builder - repository: oci://quay.io/codefresh/charts + repository: oci://quay.io/codefresh/charts/dev condition: builder.enabled - version: 1.4.0 - - name: runner - repository: oci://quay.io/codefresh/charts - condition: runner.enabled - version: 1.4.0 + version: 2.0.0 - name: ingress-nginx version: 4.12.5 repository: https://kubernetes.github.io/ingress-nginx @@ -86,7 +77,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: kube-integration.enabled - name: charts-manager - version: "~1.23.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: charts-manager.enabled - name: cfsign @@ -98,11 +89,11 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: tasker-kubernetes.enabled - name: context-manager - version: "~2.34.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: context-manager.enabled - name: pipeline-manager - version: "~3.139.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: pipeline-manager.enabled - name: gitops-dashboard-manager 
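Review bot: The `builder` entry in the `@@ -66,13 +61,9 @@` hunk now resolves from `oci://quay.io/codefresh/charts/dev` while every other Codefresh subchart stays on `oci://quay.io/codefresh/charts`, so a chart versioned 3.0.0 takes one dependency from what looks like a development path. If `/dev` is a staging location (an inference from the name only), publish builder 2.0.0 to the release path and keep `repository: oci://quay.io/codefresh/charts` here; otherwise add a comment above the entry saying why this one subchart lives under `/dev`. Who can push to that path, and whether its tags are immutable, decides how much trust the release chart inherits from it. Chart.lock in the same commit records the same `/dev` repository.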
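Review bot: `version: "*"` for `charts-manager` in the `@@ -86,7 +77,7 @@` hunk drops the `~1.23.0` constraint, and the same wildcard is introduced in the `@@ -98,11 +89,11 @@`, `@@ -111,96 +102,96 @@`, `@@ -208,7 +199,7 @@` and `@@ -242,7 +233,7 @@` hunks for context-manager, pipeline-manager, every cfapi alias, cfui, runtime-environment-manager and argo-platform. With `*`, Chart.lock is the only thing fixing what gets deployed, and any `helm dependency update` will accept whatever is newest in the registry, including a major bump or an unintended push. I would keep a bounded range that matches the lock, for example `version: "~1.25.0"` for charts-manager and `version: "~21.291.0"` for cfapi, and have CI run `helm dependency build` so the locked versions and digest are what actually get packaged.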
@@ -111,96 +102,96 @@ dependencies: condition: gitops-dashboard-manager.enabled - name: cfapi alias: cfapi - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi.enabled - name: cfapi alias: cfapi-auth - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-auth.enabled - name: cfapi alias: cfapi-internal - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-internal.enabled - name: cfapi alias: cfapi-ws - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-ws.enabled - name: cfapi alias: cfapi-admin - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-admin.enabled - name: cfapi alias: cfapi-endpoints - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-endpoints.enabled - name: cfapi alias: cfapi-terminators - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-terminators.enabled - name: cfapi alias: cfapi-sso-group-synchronizer - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-sso-group-synchronizer.enabled - name: cfapi alias: cfapi-buildmanager - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-buildmanager.enabled - name: cfapi alias: cfapi-cacheevictmanager - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-cacheevictmanager.enabled - name: cfapi alias: cfapi-eventsmanagersubscriptions - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-eventsmanagersubscriptions.enabled - name: cfapi alias: cfapi-kubernetesresourcemonitor - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-kubernetesresourcemonitor.enabled - name: cfapi 
alias: cfapi-environments - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-environments.enabled - name: cfapi alias: cfapi-gitops-resource-receiver - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-gitops-resource-receiver.enabled - name: cfapi alias: cfapi-downloadlogmanager - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-downloadlogmanager.enabled - name: cfapi alias: cfapi-teams - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-teams.enabled - name: cfapi alias: cfapi-kubernetes-endpoints - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-kubernetes-endpoints.enabled - name: cfapi alias: cfapi-test-reporting - version: "~21.279.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfapi-test-reporting.enabled - name: cfui - version: "~14.98.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: cfui.enabled - name: k8s-monitor @@ -208,7 +199,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: k8s-monitor.enabled - name: runtime-environment-manager - version: "~3.41.0" + version: "*" repository: oci://quay.io/codefresh/charts condition: runtime-environment-manager.enabled - name: cf-broadcaster @@ -242,7 +233,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: argo-platform.enabled - name: argo-platform - version: "1.3525.3-onprem-24aeab4" + version: "*" repository: oci://quay.io/codefresh/charts condition: argo-platform.enabled - name: argo-hub-platform diff --git a/charts/codefresh/values.yaml b/charts/codefresh/values.yaml index 3b5d09448..d3e1b084c 100644 --- a/charts/codefresh/values.yaml +++ b/charts/codefresh/values.yaml 
@@ -360,8 +360,6 @@ global: cfapiEndpointsService: cfapi # -- Default builder service name. builderService: builder - # -- Default runner service name. - runnerService: runner # -- Default tls-sign service name. tlsSignService: cfsign # -- Default tls-sign service port. @@ -1279,33 +1277,6 @@ builder: registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io repository: codefresh/curl tag: 8.14.1 - container: - image: - registry: docker.io - repository: library/docker - tag: 28.3-dind - affinity: {} - nodeSelector: {} - podSecurityContext: {} - resources: {} - tolerations: [] - -# -- runner -# @default -- See below -runner: - enabled: true - imagePullSecrets: [] - initContainers: - register: - image: - registry: us-docker.pkg.dev/codefresh-inc/public-gcr-io - repository: codefresh/curl - tag: 8.14.1 - container: - image: - registry: docker.io - repository: library/docker - tag: 28.3-dind affinity: {} nodeSelector: {} podSecurityContext: {} From cbe936ba2af522e77a7698b8a2177b70c2b70ee2 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Tue, 2 Sep 2025 17:43:38 +0300 Subject: [PATCH 03/15] onprem: 3.0 --- charts/codefresh/Chart.yaml | 6 +++++- charts/codefresh/README.md | 6 ++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 319b51e50..129eef098 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -19,7 +19,11 @@ annotations: # supported kinds are added, changed, deprecated, removed, fixed and security. artifacthub.io/changes: | - kind: changed - description: "Initial onprem 3.0 release" + description: "Initial onprem 3.0 release. Update microservices" + - kind: changed + description: "Change cf-builder image to use codefresh/dind image instead of library/docker" + - kind: deprecated + description: "Remove cf-runner subchart (was used for deprecated launch-composition step)" dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts 
diff --git a/charts/codefresh/README.md b/charts/codefresh/README.md index e0b141dc2..58a21930f 100644 --- a/charts/codefresh/README.md +++ b/charts/codefresh/README.md @@ -1,6 +1,6 @@ ## Codefresh On-Premises -![Version: 2.8.13](https://img.shields.io/badge/Version-2.8.13-informational?style=flat-square) ![AppVersion: 2.8.0](https://img.shields.io/badge/AppVersion-2.8.0-informational?style=flat-square) +![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. @@ -2450,7 +2450,7 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | argo-platform.runtime-monitor | object | See below | runtime-monitor Don't enable! Not used in onprem! | | argo-platform.ui | object | See below | ui | | argo-platform.useExternalSecret | bool | `false` | Use regular k8s secret object. Keep `false`! | -| builder | object | `{"affinity":{},"container":{"image":{"registry":"docker.io","repository":"library/docker","tag":"28.3-dind"}},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/curl","tag":"8.14.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | +| builder | object | `{"affinity":{},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/curl","tag":"8.14.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | | cf-broadcaster | object | See below | broadcaster | | cf-oidc-provider | object | See below | cf-oidc-provider | | cf-platform-analytics-etlstarter | object | See below | etl-starter | 
@@ -2600,7 +2600,6 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | global.redisService | string | `"redis-master"` | Default internal redis service address from bitnami/redis subchart | | global.redisUrl | string | `""` | Set redis hostname in plain text. Takes precedence over `global.redisService`! | | global.redisUrlSecretKeyRef | object | `{}` | Set redis hostname from existing secret. | -| global.runnerService | string | `"runner"` | Default runner service name. | | global.runtimeEnvironmentManagerPort | int | `80` | Default runtime-environment-manager service port. | | global.runtimeEnvironmentManagerService | string | `"runtime-environment-manager"` | Default runtime-environment-manager service name. | | global.security | object | `{"allowInsecureImages":true}` | Bitnami | @@ -2643,7 +2642,6 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | rabbitmq | object | See below | rabbitmq Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | | redis | object | See below | redis Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | | redis-ha | object | `{"auth":true,"enabled":false,"haproxy":{"enabled":true,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}}},"persistentVolume":{"enabled":true,"size":"10Gi"},"redis":{"resources":{"requests":{"cpu":"100m","memory":"128Mi"}}},"redisPassword":"hoC9szf7NtrU"}` | redis-ha # Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml | -| runner | object | See below | runner | | runtime-environment-manager | object | See below | runtime-environment-manager | | runtimeImages | object | See below | runtimeImages | | salesforce-reporter.enabled | bool | `false` | | From a7ac4318b194a549d9f44435998c7e1c167bc98c Mon Sep 17 00:00:00 2001 
From: Mikhail Klimko Date: Tue, 2 Sep 2025 18:24:12 +0300 Subject: [PATCH 04/15] onprem: 3.0 --- README.md | 2677 ++++++++++++++++- .../README.md.gotmpl => README.md.gotmpl | 0 RELEASE.md | 20 + charts/codefresh-gitops/README.md | 189 -- charts/codefresh/.ci/helm-docs.sh | 10 +- charts/codefresh/README.md | 2666 +--------------- scripts/helm-docs.sh | 6 + 7 files changed, 2695 insertions(+), 2873 deletions(-) rename charts/codefresh/README.md.gotmpl => README.md.gotmpl (100%) create mode 100644 RELEASE.md delete mode 100644 charts/codefresh-gitops/README.md create mode 100755 scripts/helm-docs.sh diff --git a/README.md b/README.md index 0a5850c7b..58a21930f 100644 --- a/README.md +++ b/README.md 
@@ -1,20 +1,2665 @@ -## codefresh-onprem-helm +## Codefresh On-Premises -This repository contains the Helm chart for Codefresh On-Prem installation. +![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) -### How-to create on-prem patch release: +Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. -- Checkout from the corresponding `release-.` branch +## Table of Content + +- [Prerequisites](#prerequisites) +- [Get Repo Info](#get-repo-info) +- [Install Chart](#install-chart) +- [Chart Configuration](#chart-configuration) + - [Persistent services](#persistent-services) + - [Configuring external services](#configuring-external-services) + - [External MongoDB](#external-mongodb) + - [External MongoDB with MTLS](#external-mongodb-with-mtls) + - [External PostgresSQL](#external-postgressql) + - [External Redis](#external-redis) + - [External Redis with MTLS](#external-redis-with-mtls) + - [External RabbitMQ](#external-rabbitmq) + - [Configuring Ingress-NGINX](#configuring-ingress-nginx) + - [ELB with SSL Termination (Classic Load Balancer)](#elb-with-ssl-termination-classic-load-balancer) + - [NLB (Network Load Balancer)](#nlb-network-load-balancer) + - [Configuration with ALB (Application Load Balancer)](#configuration-with-alb-application-load-balancer) + - [Configuration with Private Registry](#configuration-with-private-registry) + - [Configuration with multi-role CF-API](#configuration-with-multi-role-cf-api) + - [High Availability](#high-availability) + - [Mounting private CA certs](#mounting-private-ca-certs) +- [Installing on OpenShift](#installing-on-openshift) +- [Firebase Configuration](#firebase-configuration) +- [Additional configuration](#additional-configuration) + - [Retention policy for builds and 
logs](#retention-policy-for-builds-and-logs) + - [Projects pipelines limit](#projects-pipelines-limit) + - [Enable session cookie](#enable-session-cookie) + - [X-Frame-Options response header](#x-frame-options-response-header) + - [Image digests in containers](#image-digests-in-containers) +- [Configuring OIDC Provider](#configuring-oidc-provider) +- [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) +- [Upgrading](#upgrading) + - [To 2.0.0](#to-2-0-0) + - [To 2.0.12](#to-2-0-12) + - [To 2.0.17](#to-2-0-17) + - [To 2.1.0](#to-2-1-0) + - [To 2.1.7](#to-2-1-7) + - [To 2.2.0](#to-2-2-0) + - [To 2.3.0](#to-2-3-0) + - [To 2.4.0](#to-2-4-0) + - [To 2.5.0](#to-2-5-0) + - [To 2.6.0](#to-2-6-0) + - [To 2.7.0](#to-2-7-0) + - [To 2.8.0](#to-2-8-0) +- [Rollback](#rollback) +- [Troubleshooting](#troubleshooting) +- [Values](#values) + +⚠️⚠️⚠️ +> Since version 2.1.7 chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/codefresh` + +> Versions prior to 2.1.7 are still available in ChartMuseum at `http://chartmuseum.codefresh.io/codefresh` + +## Prerequisites + +- Kubernetes **>= 1.28 && <= 1.32** (Supported versions mean that installation passed for the versions listed; however, it **may** work on older k8s versions as well) +- Helm **3.8.0+** +- PV provisioner support in the underlying infrastructure (with [resizing](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) available) +- Minimal 4vCPU and 8Gi Memory available in the cluster (for production usage the recommended minimal cluster capacity is at least 12vCPUs and 36Gi Memory) +- GCR Service Account JSON `sa.json` (provided by Codefresh, contact support@codefresh.io) +- Firebase [Realtime Database URL](https://firebase.google.com/docs/database/web/start#create_a_database) with [legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens). 
See [Firebase Configuration](#firebase-configuration) +- Valid TLS certificates for Ingress +- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)). The `pg_cron` extension should be the 1.4 version or higher for Azure Postgres DB. + +## Get Repo Info + +```console +helm show all oci://quay.io/codefresh/codefresh +``` +See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) + +## Install Chart + +**Important:** only helm 3.8.0+ is supported + +Edit default `values.yaml` or create empty `cf-values.yaml` + +- Pass `sa.json` (as a single line) to `.Values.imageCredentials.password` + +```yaml +# -- Credentials for Image Pull Secret object +imageCredentials: + registry: us-docker.pkg.dev + username: _json_key + password: '{ "type": "service_account", "project_id": "codefresh-enterprise", "private_key_id": ... }' +``` + +- Specify `.Values.global.appUrl`, `.Values.global.firebaseUrl`, `.Values.global.firebaseSecret`, `.Values.global.env.MONGOOSE_AUTO_INDEX`, `.Values.global.env.MONGO_AUTOMATIC_INDEX_CREATION` + +```yaml +global: + # -- Application root url. Will be used in Ingress as hostname + appUrl: onprem.mydomain.com + + # -- Firebase URL for logs streaming. + firebaseUrl: <> + # -- Firebase URL for logs streaming from existing secret + firebaseUrlSecretKeyRef: {} + # E.g. + # firebaseUrlSecretKeyRef: + # name: my-secret + # key: firebase-url + + # -- Firebase Secret. + firebaseSecret: <> + # -- Firebase Secret from existing secret + firebaseSecretSecretKeyRef: {} + # E.g. + # firebaseSecretSecretKeyRef: + # name: my-secret + # key: firebase-secret + + # -- Enable index creation in MongoDB + # This is required for first-time installations! 
+ # Before usage in Production, you must set it to `false` or remove it! + env: + MONGOOSE_AUTO_INDEX: "true" + MONGO_AUTOMATIC_INDEX_CREATION: "true" + +``` + +- Specify `.Values.ingress.tls.cert` and `.Values.ingress.tls.key` OR `.Values.ingress.tls.existingSecret` + +```yaml +ingress: + # -- Enable the Ingress + enabled: true + # -- Set the ingressClass that is used for the ingress. + # Default `nginx-codefresh` is created from `ingress-nginx` controller subchart + # If you specify a different ingress class, disable `ingress-nginx` subchart (see below) + ingressClassName: nginx-codefresh + tls: + # -- Enable TLS + enabled: true + # -- Default secret name to be created with provided `cert` and `key` below + secretName: "star.codefresh.io" + # -- Certificate (base64 encoded) + cert: "" + # -- Private key (base64 encoded) + key: "" + # -- Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) + existingSecret: "" + +ingress-nginx: + # -- Enable ingress-nginx controller + enabled: true +``` + +- *Or specify your own `.Values.ingress.ingressClassName` (disable built-in ingress-nginx subchart)* + +```yaml +ingress: + # -- Enable the Ingress + enabled: true + # -- Set the ingressClass that is used for the ingress. 
+ ingressClassName: nginx + +ingress-nginx: + # -- Disable ingress-nginx controller + enabled: false +``` + +- Install the chart + +```console + helm upgrade --install cf oci://quay.io/codefresh/codefresh \ + -f cf-values.yaml \ + --namespace codefresh \ + --create-namespace \ + --debug \ + --wait \ + --timeout 15m + ``` + +### ⚠️ **MANDATORY** Post-Installation Action Items + +Once your Codefresh On-Prem instance is installed, configured, and confirmed to be ready for production use, the following variables must be set to `false` or removed: + +```yaml +global: + env: + MONGOOSE_AUTO_INDEX: "false" + MONGO_AUTOMATIC_INDEX_CREATION: "false" +``` + +## Chart Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values codefresh/codefresh +``` + +### Persistent services + +The following table displays the list of **persistent** services created as part of the on-premises installation: + +| Database | Purpose | Required version | +| :--- | :---- | :--- | +| MongoDB | Stores all account data (account settings, users, projects, pipelines, builds etc.) | 7.x | +| Postgresql | Stores data about events for the account (pipeline updates, deletes, etc.). The audit log uses the data from this database. | 16.x or 17.x | +| Redis | Used for caching, and as a key-value store for cron trigger manager. | 7.0.x | +| RabbitMQ | Used for message queueing. | 3.13 \| 4.0.x | + +> Running on netfs (nfs, cifs) is not recommended. + +> Docker daemon (`cf-builder` stateful set) can be run on block storage only. + +All of them can be externalized. See the next sections. 
+ +### Configuring external services + +The chart contains required dependencies for the corresponding services +- [bitnami/mongodb](https://github.com/bitnami/charts/tree/main/bitnami/mongodb) +- [bitnami/postgresql](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) +- [bitnami/redis](https://github.com/bitnami/charts/tree/main/bitnami/redis) +- [bitnami/rabbitmq](https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq) + +However, you might need to use external services like [MongoDB Atlas Database](https://www.mongodb.com/atlas/database) or [Amazon RDS for PostgreSQL](https://aws.amazon.com/rds/postgresql/). In order to use them, adjust the values accordingly: + +#### External MongoDB + +> ⚠️ **Important!** If you use MongoDB Atlas, you must create user with `Write` permissions before installing Codefresh:
+> Then, provide the user credentials in the chart values at
+`.Values.global.mongodbUser/mongodbRootUserSecretKeyRef`
+`.Values.global.mongodbPassword/mongodbRootPasswordSecretKeyRef`
+`.Values.seed.mongoSeedJob.mongodbRootUser/mongodbRootUserSecretKeyRef`
+`.Values.seed.mongoSeedJob.mongodbRootPassword/mongodbRootPasswordSecretKeyRef`
+> Ref:
+> [Create Users in Atlas](https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#configure-database-users) + +`values.yaml` for external MongoDB: + +```yaml +seed: + mongoSeedJob: + # -- Enable mongo seed job. Seeds the required data (default idp/user/account), creates cfuser and required databases. + enabled: true + # -- Root user in plain text (required ONLY for seed job!). + mongodbRootUser: "root" + # -- Root user from existing secret + mongodbRootUserSecretKeyRef: {} + # E.g. + # mongodbRootUserSecretKeyRef: + # name: my-secret + # key: mongodb-root-user + + # -- Root password in plain text (required ONLY for seed job!). + mongodbRootPassword: "password" + # -- Root password from existing secret + mongodbRootPasswordSecretKeyRef: {} + # E.g. + # mongodbRootPasswordSecretKeyRef: + # name: my-secret + # key: mongodb-root-password + +global: + # -- LEGACY (but still supported) - Use `.global.mongodbProtocol` + `.global.mongodbUser/mongodbUserSecretKeyRef` + `.global.mongodbPassword/mongodbPasswordSecretKeyRef` + `.global.mongodbHost/mongodbHostSecretKeyRef` + `.global.mongodbOptions` instead + # Default MongoDB URI. Will be used by ALL services to communicate with MongoDB. + # Ref: https://www.mongodb.com/docs/manual/reference/connection-string/ + # Note! `defaultauthdb` is omitted on purpose (i.e. mongodb://.../[defaultauthdb]). + mongoURI: "" + # E.g. + # mongoURI: "mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/" + + # -- Set mongodb protocol (`mongodb` / `mongodb+srv`) + mongodbProtocol: mongodb + # -- Set mongodb user in plain text + mongodbUser: "cfuser" + # -- Set mongodb user from existing secret + mongodbUserSecretKeyRef: {} + # E.g. + # mongodbUserSecretKeyRef: + # name: my-secret + # key: mongodb-user + + # -- Set mongodb password in plain text + mongodbPassword: "password" + # -- Set mongodb password from existing secret + mongodbPasswordSecretKeyRef: {} + # E.g. 
+ # mongodbPasswordSecretKeyRef: + # name: my-secret + # key: mongodb-password + + # -- Set mongodb host in plain text + mongodbHost: "my-mongodb.prod.svc.cluster.local:27017" + # -- Set mongodb host from existing secret + mongodbHostSecretKeyRef: {} + # E.g. + # mongodbHostSecretKeyRef: + # name: my-secret + # key: monogdb-host + + # -- Set mongodb connection string options + # Ref: https://www.mongodb.com/docs/manual/reference/connection-string/#connection-string-options + mongodbOptions: "retryWrites=true" + +mongodb: + # -- Disable mongodb subchart installation + enabled: false +``` + +#### External MongoDB with MTLS + +In order to use MTLS (Mutual TLS) for MongoDB, you need: + +* Create a K8S secret that contains the certificate (certificate file and private key). + The K8S secret should have one `ca.pem` key. +```console +cat cert.crt > ca.pem +cat cert.key >> ca.pem +kubectl create secret generic my-mongodb-tls --from-file=ca.pem +``` + +* Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services. +```yaml +global: + volumes: + mongodb-tls: + enabled: true + type: secret + nameOverride: my-mongodb-tls + optional: true + + volumeMounts: + mongodb-tls: + path: + - mountPath: /etc/ssl/mongodb/ca.pem + subPath: ca.pem + + env: + MONGODB_SSL_ENABLED: true + MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem + RUNTIME_MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem + RUNTIME_MONGO_TLS: "true" + # Set these env vars to 'false' if self-signed certificate is used to avoid x509 errors + RUNTIME_MONGO_TLS_VALIDATE: "false" + MONGO_MTLS_VALIDATE: "false" +``` + +#### External PostgresSQL + +```yaml +seed: + postgresSeedJob: + # -- Enable postgres seed job. Creates required user and databases. + enabled: true + # -- (optional) "postgres" admin user in plain text (required ONLY for seed job!) + # Must be a privileged user allowed to create databases and grant roles. 
+ # If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. + postgresUser: "postgres" + # -- (optional) "postgres" admin user from exising secret + postgresUserSecretKeyRef: {} + # E.g. + # postgresUserSecretKeyRef: + # name: my-secret + # key: postgres-user + + # -- (optional) Password for "postgres" admin user (required ONLY for seed job!) + postgresPassword: "password" + # -- (optional) Password for "postgres" admin user from existing secret + postgresPasswordSecretKeyRef: {} + # E.g. + # postgresPasswordSecretKeyRef: + # name: my-secret + # key: postgres-password + +global: + # -- Set postgres user in plain text + postgresUser: cf_user + # -- Set postgres user from existing secret + postgresUserSecretKeyRef: {} + # E.g. + # postgresUserSecretKeyRef: + # name: my-secret + # key: postgres-user + + # -- Set postgres password in plain text + postgresPassword: password + # -- Set postgres password from existing secret + postgresPasswordSecretKeyRef: {} + # E.g. + # postgresPasswordSecretKeyRef: + # name: my-secret + # key: postgres-password + + # -- Set postgres service address in plain text. + postgresHostname: "my-postgres.domain.us-east-1.rds.amazonaws.com" + # -- Set postgres service from existing secret + postgresHostnameSecretKeyRef: {} + # E.g. + # postgresHostnameSecretKeyRef: + # name: my-secret + # key: postgres-hostname + + # -- Set postgres port number + postgresPort: 5432 + +postgresql: + # -- Disable postgresql subchart installation + enabled: false +``` + +##### Using SSL with a PostgreSQL + +Provide the following env vars to enforce SSL connection to PostgresSQL: + +```yaml +global: + env: + # More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html + PGSSLMODE: "require" + +helm-repo-manager: + env: + POSTGRES_DISABLE_SSL: "false" +``` + +> ⚠️ **Important!**
+> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.
+> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).
+> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs)
+
+#### External Redis
+
+```yaml
+global:
+ # -- Set redis password in plain text
+ redisPassword: password
+ # -- Set redis service port
+ redisPort: 6379
+ # -- Set redis password from existing secret
+ redisPasswordSecretKeyRef: {}
+ # E.g.
+ # redisPasswordSecretKeyRef:
+ # name: my-secret
+ # key: redis-password
+
+ # -- Set redis hostname in plain text. Takes precedence over `global.redisService`!
+ redisUrl: "my-redis.namespace.svc.cluster.local"
+ # -- Set redis hostname from existing secret.
+ redisUrlSecretKeyRef: {}
+ # E.g.
+ # redisUrlSecretKeyRef:
+ # name: my-secret
+ # key: redis-url
+
+redis:
+ # -- Disable redis subchart installation
+ enabled: false
+
+```
+
+> If ElastiCache is used, set `REDIS_TLS` to `true` in `.Values.global.env`
+
+> ⚠️ ElastiCache with **Cluster mode** is not supported!
+
+```yaml
+global:
+ env:
+ REDIS_TLS: true
+```
+
+#### External Redis with MTLS
+
+In order to use [MTLS (Mutual TLS) for Redis](https://redis.io/docs/management/security/encryption/), you need:
+
+* Create a K8S secret that contains the certificate (ca, certificate and private key).
+```console
+cat ca.crt tls.crt > tls.crt
+kubectl create secret tls my-redis-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f -
+```
+
+* Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services.
+```yaml
+global:
+ volumes:
+ redis-tls:
+ enabled: true
+ type: secret
+ # Existing secret with TLS certificates (keys: `ca.crt` , `tls.crt`, `tls.key`)
+ nameOverride: my-redis-tls
+ optional: true
+
+ volumeMounts:
+ redis-tls:
+ path:
+ - mountPath: /etc/ssl/redis
+
+ env:
+ REDIS_TLS: true
+ REDIS_CA_PATH: /etc/ssl/redis/ca.crt
+ REDIS_CLIENT_CERT_PATH : /etc/ssl/redis/tls.crt
+ REDIS_CLIENT_KEY_PATH: /etc/ssl/redis/tls.key
+ # Set these env vars like that if self-signed certificate is used to avoid x509 errors
+ REDIS_REJECT_UNAUTHORIZED: false
+ REDIS_TLS_SKIP_VERIFY: true
+```
+
+#### External RabbitMQ
+
+```yaml
+global:
+ # -- Set rabbitmq protocol (`amqp/amqps`)
+ rabbitmqProtocol: amqp
+ # -- Set rabbitmq username in plain text
+ rabbitmqUsername: user
+ # -- Set rabbitmq username from existing secret
+ rabbitmqUsernameSecretKeyRef: {}
+ # E.g.
+ # rabbitmqUsernameSecretKeyRef:
+ # name: my-secret
+ # key: rabbitmq-username
+
+ # -- Set rabbitmq password in plain text
+ rabbitmqPassword: password
+ # -- Set rabbitmq password from existing secret
+ rabbitmqPasswordSecretKeyRef: {}
+ # E.g.
+ # rabbitmqPasswordSecretKeyRef:
+ # name: my-secret
+ # key: rabbitmq-password
+
+ # -- Set rabbitmq service address in plain text. Takes precedence over `global.rabbitService`!
+ rabbitmqHostname: "my-rabbitmq.namespace.svc.cluster.local:5672"
+ # -- Set rabbitmq service address from existing secret.
+ rabbitmqHostnameSecretKeyRef: {}
+ # E.g.
+ # rabbitmqHostnameSecretKeyRef:
+ # name: my-secret
+ # key: rabbitmq-hostname
+
+rabbitmq:
+ # -- Disable rabbitmq subchart installation
+ enabled: false
+```
+
+### Configuring Ingress-NGINX
+
+The chart deploys the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main) and exposes controller behind a Service of `Type=LoadBalancer`
+
+All installation options for `ingress-nginx` are described at [Configuration](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx#configuration)
+
+Relevant examples for Codefesh are below:
+
+#### ELB with SSL Termination (Classic Load Balancer)
+
+*certificate provided from ACM*
+
+```yaml
+ingress-nginx:
+ controller:
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: < CERTIFICATE ARN >
+ targetPorts:
+ http: http
+ https: http
+
+# -- Ingress
+ingress:
+ tls:
+ # -- Disable TLS
+ enabled: false
+```
+
+#### NLB (Network Load Balancer)
+
+*certificate provided as base64 string or as exisiting k8s secret*
+
+```yaml
+ingress-nginx:
+ controller:
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+
+# -- Ingress
+ingress:
+ tls:
+ # -- Enable TLS
+ enabled: true
+ # -- Default secret name to be created with provided `cert` and `key` below
+ secretName: "star.codefresh.io"
+ # -- Certificate (base64 encoded)
+ cert: "LS0tLS1CRUdJTiBDRVJ...."
+ # -- Private key (base64 encoded)
+ key: "LS0tLS1CRUdJTiBSU0E..."
+ # -- Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`)
+ existingSecret: ""
+```
+
+### Configuration with ALB (Application Load Balancer)
+
+*[Application Load Balancer](https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller) should be deployed to the cluster*
+
+```yaml
+ingress-nginx:
+ # -- Disable ingress-nginx subchart installation
+ enabled: false
+
+ingress:
+ # -- ALB contoller ingress class
+ ingressClassName: alb
+ annotations:
+ alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+ alb.ingress.kubernetes.io/backend-protocol: HTTP
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/success-codes: 200,404
+ alb.ingress.kubernetes.io/target-type: ip
+ services:
+ # For ALB /* asterisk is required in path
+ internal-gateway:
+ - /*
+
+```
+
+### Configuration with Private Registry
+
+If you install/upgrade Codefresh on an air-gapped environment without access to public registries (i.e. `quay.io`/`docker.io`) or Codefresh Enterprise registry at `gcr.io`, you will have to mirror the images to your organization’s container registry.
+
+- Obtain [image list](https://github.com/codefresh-io/onprem-images/tree/master/releases) for specific release
+
+- [Push images](https://github.com/codefresh-io/onprem-images/blob/master/push-to-registry.sh) to private docker registry
+
+- Specify image registry in values
+
+```yaml
+global:
+ imageRegistry: myregistry.domain.com
+
+```
+
+There are 3 types of images, with the values above in rendered manifests images will be converted as follows:
+
+**non-Codefresh** like:
+
+```yaml
+bitnami/mongo:4.2
+registry.k8s.io/ingress-nginx/controller:v1.4.0
+postgres:13
+```
+converted to:
+```yaml
+myregistry.domain.com/bitnami/mongodb:4.2
+myregistry.domain.com/ingress-nginx/controller:v1.2.0
+myregistry.domain.com/postgres:13
+```
+
+Codefresh **public** images like:
+```yaml
+quay.io/codefresh/dind:20.10.13-1.25.2
+quay.io/codefresh/engine:1.147.8
+quay.io/codefresh/cf-docker-builder:1.1.14
+```
+converted to:
+```yaml
+myregistry.domain.com/codefresh/dind:20.10.13-1.25.2
+myregistry.domain.com/codefresh/engine:1.147.8
+myregistry.domain.com/codefresh/cf-docker-builder:1.1.14
+```
+
+Codefresh **private** images like:
+```yaml
+gcr.io/codefresh-enterprise/codefresh/cf-api:21.153.6
+gcr.io/codefresh-enterprise/codefresh/cf-ui:14.69.38
+gcr.io/codefresh-enterprise/codefresh/pipeline-manager:3.121.7
+```
+converted to:
+
+```yaml
+myregistry.domain.com/codefresh/cf-api:21.153.6
+myregistry.domain.com/codefresh/cf-ui:14.69.38
+myregistry.domain.com/codefresh/pipeline-manager:3.121.7
+```
+
+Use the example below to override repository for all templates:
+
+```yaml
+
+global:
+ imagePullSecrets:
+ - cf-registry
+
+ingress-nginx:
+ controller:
+ image:
+ registry: myregistry.domain.com
+ image: codefresh/controller
+
+mongodb:
+ image:
+ repository: codefresh/mongodb
+
+postgresql:
+ image:
+ repository: codefresh/postgresql
+
+consul:
+ image:
+ repository: codefresh/consul
+
+redis:
+ image:
+ repository: codefresh/redis
+
+rabbitmq:
+ image:
+ repository: codefresh/rabbitmq
+
+nats:
+ image:
+ repository: codefresh/nats
+
+builder:
+ container:
+ image:
+ repository: codefresh/docker
+
+runner:
+ container:
+ image:
+ repository: codefresh/docker
+
+internal-gateway:
+ container:
+ image:
+ repository: codefresh/nginx-unprivileged
+
+helm-repo-manager:
+ chartmuseum:
+ image:
+ repository: myregistry.domain.com/codefresh/chartmuseum
+
+cf-platform-analytics-platform:
+ redis:
+ image:
+ repository: codefresh/redis
+```
+
+### Configuration with multi-role CF-API
+
+The chart installs cf-api as a single deployment. Though, at a larger scale, we do recommend to split cf-api to multiple roles (one deployment per role) as follows:
+
+```yaml
+
+global:
+ # -- Change internal cfapi service address
+ cfapiService: cfapi-internal
+ # -- Change endpoints cfapi service address
+ cfapiEndpointsService: cfapi-endpoints
+
+cfapi: &cf-api
+ # -- Disable default cfapi deployment
+ enabled: false
+ # -- (optional) Enable the autoscaler
+ # The value will be merged into each cfapi role. So you can specify it once.
+ hpa:
+ enabled: true
+# Enable cf-api roles
+cfapi-auth:
+ <<: *cf-api
+ enabled: true
+cfapi-internal:
+ <<: *cf-api
+ enabled: true
+cfapi-ws:
+ <<: *cf-api
+ enabled: true
+cfapi-admin:
+ <<: *cf-api
+ enabled: true
+cfapi-endpoints:
+ <<: *cf-api
+ enabled: true
+cfapi-terminators:
+ <<: *cf-api
+ enabled: true
+cfapi-sso-group-synchronizer:
+ <<: *cf-api
+ enabled: true
+cfapi-buildmanager:
+ <<: *cf-api
+ enabled: true
+cfapi-cacheevictmanager:
+ <<: *cf-api
+ enabled: true
+cfapi-eventsmanagersubscriptions:
+ <<: *cf-api
+ enabled: true
+cfapi-kubernetesresourcemonitor:
+ <<: *cf-api
+ enabled: true
+cfapi-environments:
+ <<: *cf-api
+ enabled: true
+cfapi-gitops-resource-receiver:
+ <<: *cf-api
+ enabled: true
+cfapi-downloadlogmanager:
+ <<: *cf-api
+ enabled: true
+cfapi-teams:
+ <<: *cf-api
+ enabled: true
+cfapi-kubernetes-endpoints:
+ <<: *cf-api
+ enabled: true
+cfapi-test-reporting:
+ <<: *cf-api
+ enabled: true
+```
+
+### High Availability
+
+The chart installs the non-HA version of Codefresh by default. If you want to run Codefresh in HA mode, use the example values below.
+
+> **Note!** `cronus` is not supported in HA mode, otherwise builds with CRON triggers will be duplicated
+
+`values.yaml`
+```yaml
+cfapi:
+ hpa:
+ enabled: true
+ # These are the defaults for all Codefresh subcharts
+ # minReplicas: 2
+ # maxReplicas: 10
+ # targetCPUUtilizationPercentage: 70
+
+argo-platform:
+ abac:
+ hpa:
+ enabled: true
+
+ analytics-reporter:
+ hpa:
+ enabled: true
+
+ api-events:
+ hpa:
+ enabled: true
+
+ api-graphql:
+ hpa:
+ enabled: true
+
+ audit:
+ hpa:
+ enabled: true
+
+ cron-executor:
+ hpa:
+ enabled: true
+
+ event-handler:
+ hpa:
+ enabled: true
+
+ ui:
+ hpa:
+ enabled: true
+
+cfui:
+ hpa:
+ enabled: true
+
+internal-gateway:
+ hpa:
+ enabled: true
+
+cf-broadcaster:
+ hpa:
+ enabled: true
+
+cf-platform-analytics-platform:
+ hpa:
+ enabled: true
+
+charts-manager:
+ hpa:
+ enabled: true
+
+cluster-providers:
+ hpa:
+ enabled: true
+
+context-manager:
+ hpa:
+ enabled: true
+
+gitops-dashboard-manager:
+ hpa:
+ enabled: true
+
+helm-repo-manager:
+ hpa:
+ enabled: true
+
+hermes:
+ hpa:
+ enabled: true
+
+k8s-monitor:
+ hpa:
+ enabled: true
+
+kube-integration:
+ hpa:
+ enabled: true
+
+nomios:
+ hpa:
+ enabled: true
+
+pipeline-manager:
+ hpa:
+ enabled: true
+
+runtime-environment-manager:
+ hpa:
+ enabled: true
+
+tasker-kubernetes:
+ hpa:
+ enabled: true
+
+```
+
+For infra services (MongoDB, PostgreSQL, RabbitMQ, Redis, Consul, Nats, Ingress-NGINX) from built-in Bitnami charts you can use the following example:
+
+> **Note!** Use [topologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods) for better resiliency
+
+`values.yaml`
+```yaml
+global:
+ postgresService: postgresql-ha-pgpool
+ mongodbHost: cf-mongodb-0,cf-mongodb-1,cf-mongodb-2 # Replace `cf` with your Helm Release name
+ mongodbOptions: replicaSet=rs0&retryWrites=true
+ redisUrl: cf-redis-ha-haproxy
+
+builder:
+ controller:
+ replicas: 3
+
+consul:
+ replicaCount: 3
+
+cfsign:
+ controller:
+ replicas: 3
+ persistence:
+ certs-data:
+ enabled: false
+ volumes:
+ certs-data:
+ type: emptyDir
+ initContainers:
+ volume-permissions:
+ enabled: false
+
+ingress-nginx:
+ controller:
+ autoscaling:
+ enabled: true
+
+mongodb:
+ architecture: replicaset
+ replicaCount: 3
+ externalAccess:
+ enabled: true
+ service:
+ type: ClusterIP
+
+nats:
+ replicaCount: 3
+
+postgresql:
+ enabled: false
+
+postgresql-ha:
+ enabled: true
+ volumePermissions:
+ enabled: true
+
+rabbitmq:
+ replicaCount: 3
+
+redis:
+ enabled: false
+
+redis-ha:
+ enabled: true
+```
+
+### Mounting private CA certs
+
+```yaml
+global:
+ env:
+ NODE_EXTRA_CA_CERTS: /etc/ssl/custom/ca.crt
+
+ volumes:
+ custom-ca:
+ enabled: true
+ type: secret
+ existingName: my-custom-ca-cert # exisiting K8s secret object with the CA cert
+ optional: true
+
+ volumeMounts:
+ custom-ca:
+ path:
+ - mountPath: /etc/ssl/custom/ca.crt
+ subPath: ca.crt
+```
+
+## Installing on OpenShift
+
+To deploy Codefresh On-Prem on OpenShift use the following values example:
+
+```yaml
+ingress:
+ ingressClassName: openshift-default
+
+global:
+ dnsService: dns-default
+ dnsNamespace: openshift-dns
+ clusterDomain: cluster.local
+
+# Requires privileged SCC.
+builder:
+ enabled: false
+
+cfapi:
+ podSecurityContext:
+ enabled: false
+
+cf-platform-analytics-platform:
+ redis:
+ master:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+
+cfsign:
+ podSecurityContext:
+ enabled: false
+ initContainers:
+ volume-permissions:
+ enabled: false
+
+cfui:
+ podSecurityContext:
+ enabled: false
+
+internal-gateway:
+ podSecurityContext:
+ enabled: false
+
+helm-repo-manager:
+ chartmuseum:
+ securityContext:
+ enabled: false
+
+consul:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+
+cronus:
+ podSecurityContext:
+ enabled: false
+
+ingress-nginx:
+ enabled: false
+
+mongodb:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+
+postgresql:
+ primary:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+
+redis:
+ master:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+
+rabbitmq:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+
+# Requires privileged SCC.
+runner:
+ enabled: false
+```
+
+## Firebase Configuration
+
+As outlined in [prerequisites](#prerequisites), it's required to set up a Firebase database for builds logs streaming:
+
+- [Create a Database](https://firebase.google.com/docs/database/web/start#create_a_database).
+- Create a [Legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens) for authentication.
+- Set the following rules for the database:
+```json
+{
+ "rules": {
+ "build-logs": {
+ "$jobId":{
+ ".read": "!root.child('production/build-logs/'+$jobId).exists() || (auth != null && auth.admin == true) || (auth == null && data.child('visibility').exists() && data.child('visibility').val() == 'public') || ( auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val() )",
+ ".write": "auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val()"
+ }
+ },
+ "environment-logs": {
+ "$environmentId":{
+ ".read": "!root.child('production/environment-logs/'+$environmentId).exists() || ( auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val() )",
+ ".write": "auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val()"
+ }
+ }
+ }
+}
+```
+
+However, if you're in an air-gapped environment, you can omit this prerequisite and use a built-in logging system (i.e. `OfflineLogging` feature-flag).
+See [feature management](https://codefresh.io/docs/docs/installation/on-premises/on-prem-feature-management)
+
+## Additional configuration
+
+### Retention policy for builds and logs
+
+With this method, Codefresh by default deletes builds older than six months.
+
+The retention mechanism removes data from the following collections: `workflowproccesses`, `workflowrequests`, `workflowrevisions`
+
+```yaml
+cfapi:
+ env:
+ # Determines if automatic build deletion through the Cron job is enabled.
+ RETENTION_POLICY_IS_ENABLED: true
+ # The maximum number of builds to delete by a single Cron job. To avoid database issues, especially when there are large numbers of old builds, we recommend deleting them in small chunks. You can gradually increase the number after verifying that performance is not affected.
+ RETENTION_POLICY_BUILDS_TO_DELETE: 50
+ # The number of days for which to retain builds. Builds older than the defined retention period are deleted.
+ RETENTION_POLICY_DAYS: 180
+```
+
+### Retention policy for builds and logs
+> Configuration for Codefresh On-Prem >= 2.x
+
+> Previous configuration example (i.e. `RETENTION_POLICY_IS_ENABLED=true` ) is also supported in Codefresh On-Prem >= 2.x
+
+**For existing environments, for the retention mechanism to work, you must first drop the `created ` index in `workflowprocesses` collection. This requires a maintenance window that depends on the number of builds.**
+
+```yaml
+cfapi:
+ env:
+ # Determines if automatic build deletion is enabled.
+ TTL_RETENTION_POLICY_IS_ENABLED: true
+ # The number of days for which to retain builds, and can be between 30 (minimum) and 365 (maximum). Builds older than the defined retention period are deleted.
+ TTL_RETENTION_POLICY_IN_DAYS: 180
+```
+
+### Projects pipelines limit
+
+```yaml
+pipeline-manager:
+ env:
+ # Determines project's pipelines limit (default: 500)
+ PROJECT_PIPELINES_LIMIT: 500
+```
+
+### Enable session cookie
+
+```yaml
+cfapi:
+ env:
+ # Generate a unique session cookie (cf-uuid) on each login
+ DISABLE_CONCURRENT_SESSIONS: true
+ # Customize cookie domain
+ CF_UUID_COOKIE_DOMAIN: .mydomain.com
+```
+
+> **Note!** Ingress host for [gitops-runtime](https://artifacthub.io/packages/helm/codefresh-gitops-runtime/gitops-runtime) and ingress host for control plane must share the same root domain (i.e. `onprem.mydomain.com` and `runtime.mydomain.com`)
+
+### X-Frame-Options response header
+
+```yaml
+cfapi:
+ env:
+ # Set value to the `X-Frame-Options` response header. Control the restrictions of embedding Codefresh page into the iframes.
+ # Possible values: sameorigin(default) / deny
+ FRAME_OPTIONS: sameorigin
+
+cfui:
+ env:
+ FRAME_OPTIONS: sameorigin
+```
+
+Read more about header at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.
+
+### Configure CSP (Content Security Policy)
+
+`CONTENT_SECURITY_POLICY` is the string describing content policies. Use semi-colons to separate between policies. `CONTENT_SECURITY_POLICY_REPORT_TO` is a comma-separated list of JSON objects. Each object must have a name and an array of endpoints that receive the incoming CSP reports.
+
+For detailed information, see the [Content Security Policy article on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
+
+```yaml
+cfui:
+ env:
+ CONTENT_SECURITY_POLICY: ""
+ CONTENT_SECURITY_POLICY_REPORT_ONLY: "default-src 'self'; font-src 'self'
+ https://fonts.gstatic.com; script-src 'self' https://unpkg.com https://js.stripe.com;
+ style-src 'self' https://fonts.googleapis.com; 'unsafe-eval' 'unsafe-inline'"
+ CONTENT_SECURITY_POLICY_REPORT_TO: ""
+```
+
+### x-hub-signature-256 signature for GitHub AE
+
+For detailed information, see the [Securing your webhooks](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks) and [Webhooks](https://docs.github.com/en/github-ae@latest/rest/webhooks).
+
+```
+cfapi:
+ env:
+ USE_SHA256_GITHUB_SIGNATURE: "true"
+```
+
+### Image digests in containers
+
+In Codefresh On-Prem 2.6.x all Codefresh owner microservices include image digests in the default subchart values.
+
+For example, default values for `cfapi` might look like this:
+
+```yaml
+container:
+ image:
+ registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io
+ repository: codefresh/cf-api
+ tag: 21.268.1
+ digest: "sha256:bae42f8efc18facc2bf93690fce4ab03ef9607cec4443fada48292d1be12f5f8"
+ pullPolicy: IfNotPresent
+```
+
+this resulting in the following image reference in the pod spec:
+
+```yaml
+spec:
+ containers:
+ - name: cfapi
+ image: us-docker.pkg.dev/codefresh-enterprise/gcr.io/codefresh/cf-api:21.268.1@sha256:bae42f8efc18facc2bf93690fce4ab03ef9607cec4443fada48292d1be12f5f8
+```
+
+> **Note!** When the `digest` is providerd, the `tag` is ignored! You can omit digest and use tag only like the following `values.yaml` example:
+
+```yaml
+cfapi:
+ container:
+ image:
+ tag: 21.268.1
+ # -- Set empty tag for digest
+ digest: ""
+```
+
+## Configuring OIDC Provider
+
+OpenID Connect (OIDC) allows Codefresh Builds to access resources in your cloud provider (such as AWS, Azure, GCP), without needing to store cloud credentials as long-lived pipeline secret variables.
+
+### Enabling the OIDC Provider in Codefresh On-Prem
+
+#### Prerequisites:
+
+- DNS name for OIDC Provider
+- Valid TLS certificates for Ingress
+- K8S secret containing JWKS (JSON Web Key Sets). Can be generated at [mkjwk.org](https://mkjwk.org/)
+- K8S secret containing Cliend ID (public identifier for app) and Client Secret (application password; cryptographically strong random string)
+
+> **NOTE!** In production usage use [External Secrets Operator](https://external-secrets.io/latest/) or [HashiCorp Vault](https://developer.hashicorp.com/vault/docs/platform/k8s) to create secrets. The following example uses `kubectl` for brevity.
+
+For JWKS use **Public and Private Keypair Set** (if generated at [mkjwk.org](https://mkjwk.org/)), for example:
+
+`cf-oidc-provider-jwks.json`:
+```json
+{
+ "keys": [
+ {
+ "p": "...",
+ "kty": "RSA",
+ "q": "...",
+ "d": "...",
+ "e": "AQAB",
+ "use": "sig",
+ "qi": "...",
+ "dp": "...",
+ "alg": "RS256",
+ "dq": "...",
+ "n": "..."
+ }
+ ]
+}
+```
+
+```console
+# Creating secret containing JWKS.
+# The secret KEY is `cf-oidc-provider-jwks.json`. It then referenced in `OIDC_JWKS_PRIVATE_KEYS_PATH` environment variable in `cf-oidc-provider`.
+# The secret NAME is referenced in `.volumes.jwks-file.nameOverride` (volumeMount is configured in the chart already)
+kubectl create secret generic cf-oidc-provider-jwks \
+ --from-file=cf-oidc-provider-jwks.json \
+ -n $NAMESPACE
+
+# Creating secret containing Client ID and Client Secret
+# Secret NAME is `cf-oidc-provider-client-secret`.
+# It then referenced in `OIDC_CF_PLATFORM_CLIENT_ID` and `OIDC_CF_PLATFORM_CLIENT_SECRET` environment variables in `cf-oidc-provider`
+# and in `OIDC_PROVIDER_CLIENT_ID` and `OIDC_PROVIDER_CLIENT_SECRET` in `cfapi`.
+kubectl create secret generic cf-oidc-provider-client-secret \
+ --from-literal=client-id=codefresh \
+ --from-literal=client-secret='verysecureclientsecret' \
+ -n $NAMESPACE
+```
+
+`values.yaml`
+```yaml
+global:
+ # -- Set OIDC Provider URL
+ oidcProviderService: "oidc.mydomain.com"
+ # -- Default OIDC Provider service client ID in plain text.
+ # Optional! If specified here, no need to specify CLIENT_ID/CLIENT_SECRET env vars in cfapi and cf-oidc-provider below.
+ oidcProviderClientId: null
+ # -- Default OIDC Provider service client secret in plain text.
+ # Optional! If specified here, no need to specify CLIENT_ID/CLIENT_SECRET env vars in cfapi and cf-oidc-provider below.
+ oidcProviderClientSecret: null
+
+cfapi:
+ # -- Set additional variables for cfapi
+ # Reference a secret containing Client ID and Client Secret
+ env:
+ OIDC_PROVIDER_CLIENT_ID:
+ valueFrom:
+ secretKeyRef:
+ name: cf-oidc-provider-client-secret
+ key: client-id
+ OIDC_PROVIDER_CLIENT_SECRET:
+ valueFrom:
+ secretKeyRef:
+ name: cf-oidc-provider-client-secret
+ key: client-secret
+
+cf-oidc-provider:
+ # -- Enable OIDC Provider
+ enabled: true
+
+ container:
+ env:
+ OIDC_JWKS_PRIVATE_KEYS_PATH: /secrets/jwks/cf-oidc-provider-jwks.json
+ # -- Reference a secret containing Client ID and Client Secret
+ OIDC_CF_PLATFORM_CLIENT_ID:
+ valueFrom:
+ secretKeyRef:
+ name: cf-oidc-provider-client-secret
+ key: client-id
+ OIDC_CF_PLATFORM_CLIENT_SECRET:
+ valueFrom:
+ secretKeyRef:
+ name: cf-oidc-provider-client-secret
+ key: client-secret
+
+ volumes:
+ jwks-file:
+ enabled: true
+ type: secret
+ # -- Secret name containing JWKS
+ nameOverride: "cf-oidc-provider-jwks"
+ optional: false
+
+ ingress:
+ main:
+ # -- Enable ingress for OIDC Provider
+ enabled: true
+ annotations: {}
+ # -- Set ingress class name
+ ingressClassName: ""
+ hosts:
+ # -- Set OIDC Provider URL
+ - host: "oidc.mydomain.com"
+ paths:
+ - path: /
+ # For ALB (Application Load Balancer) /* asterisk is required in path
+ # e.g.
+ # - path: /*
+ tls: []
+```
+
+Deploy HELM chart with new `values.yaml`
+
+Use https://oidc.mydomain.com/.well-known/openid-configuration to verify OIDC Provider configuration
+
+### Adding the identity provider in AWS
+
+To add Codefresh OIDC provider to IAM, see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+- For the **provider URL**: Use `.Values.global.oidcProviderService` value with `https://` prefix (i.e. https://oidc.mydomain.com)
+- For the **Audienece**: Use `.Values.global.appUrl` value with `https://` prefix (i.e. https://onprem.mydomain.com)
+
+#### Configuring the role and trust policy
+
+To configure the role and trust in IAM, see [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html)
+
+Edit the trust policy to add the sub field to the validation conditions. For example, use `StringLike` to allow only builds from specific pipeline to assume a role in AWS.
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam:::oidc-provider/oidc.mydomain.com"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "oidc.mydomain.com:aud": "https://onprem.mydomain.com"
+ },
+ "StringLike": {
+ "oidc.mydomain.com:sub": "account:64884faac2751b77ca7ab324:pipeline:64f7232ab698cfcb95d93cef:*"
+ }
+ }
+ }
+ ]
+}
+```
+
+To see all the claims supported by Codefresh OIDC provider, see `claims_supported` entries at https://oidc.mydomain.com/.well-known/openid-configuration
+```json
+"claims_supported": [
+ "sub",
+ "account_id",
+ "account_name",
+ "pipeline_id",
+ "pipeline_name",
+ "workflow_id",
+ "initiator",
+ "scm_user_name",
+ "scm_repo_url",
+ "scm_ref",
+ "scm_pull_request_target_branch",
+ "sid",
+ "auth_time",
+ "iss"
+]
+```
+
+#### Using OIDC in Codefresh Builds
+
+Use [obtain-oidc-id-token](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/obtain-oidc-id-token/step.yaml#L27-L58) and [aws-sts-assume-role-with-web-identity](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/aws-sts-assume-role-with-web-identity/step.yaml#L29-L63) steps to exchange the OIDC token (JWT) for a cloud access token.
+
+## Maintaining MongoDB Indexes
+
+Sometimes, in new releases of Codefresh On-Prem, index requirements change. When this happens, it's mentioned in the [Upgrading section](#upgrading) for the specific release.
+
+> ℹ️ If you're upgrading from version `X` to version `Y`, and index requirements were updated in any of the intermediate versions, you only need to align your indexes with the index requirements of version `Y`. To do that, follow [Index alignment](#index-alignment) instructions.
+
+### Index alignment
+
+The required index definitions for each release can be found at the following resources:
+
+- `2.6`
+- `2.7`
+- `2.8`
+
+The indexes are stored in JSON files with keys and options specified.
+
+The directory structure is:
+
+```console
+indexes
+├── # MongoDB database name
+│ ├── .json # MongoDB indexes for the specified collection
+```
+
+**Overview of the index alignment process:**
+
+1. Identify the differences between the indexes in your MongoDB instance and the required index definitions.
+2. Create any missing indexes one by one. (It's important not to create them in bulk.)
+3. Perform the upgrade of Codefresh On-Prem installation.
+4. Then remove any unnecessary indexes.
+
+> ⚠️ **Note! Any changes to indexes should be performed during a defined maintenance window or during periods of lowest traffic to MongoDB.**
+>
+> Building indexes during time periods where the target collection is under heavy write load can result in reduced write performance and longer index builds. ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/index-creation/#index-build-impact-on-database-performance))
+>
+> Even minor changes to indexes (e.g., index removal) can cause brief but noticeable performance degradation ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/query-plans/#plan-cache-flushes))
+
+#### Self-hosted MongoDB
+
+For self-hosted MongoDB, follow the instructions below:
+
+- Connect to the MongoDB server using the [mongosh](https://www.mongodb.com/docs/mongodb-shell/install/) shell. Open your terminal or command prompt and run the following command, replacing `` with the appropriate MongoDB connection string for your server:
+
+```shell
+mongosh ""
+```
+
+- Retrieve the list of indexes for a specific collection:
+
+```js
+db.getSiblingDB('').getCollection('').getIndexes()
+```
+
+- Compare your indexes with the required indexes for the target release, and adjust them by creating any missing indexes or removing any unnecessary ones
+
+**Index creation**
+
+> ⚠ **Note! Always create indexes sequentially, one by one. Don't create them in bulk.**
+
+- To create an index, use the `createIndex()` method:
+
+```js
+db.getSiblingDB('').getCollection('').createIndex(, )
+```
+
+After executing the `createIndex()` command, you should see a result indicating that the index was created successfully.
+
+**Index removal**
+
+- To remove an index, use the `dropIndex()` method with ``:
+
+```js
+db.getSiblingDB('').getCollection('').dropIndex('')
+```
+
+#### Atlas Database
+
+If you're hosting MongoDB on [Atlas](https://www.mongodb.com/atlas/database), use the following [Manage Indexes](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/) guide to View, Create or Remove indexes.
+
+> ⚠️ **Important!** In Atlas, for production environments, it is recommended to use rolling index builds by enabling the "Build index via rolling process" checkbox. ([*MongoDB official documentation*](https://www.mongodb.com/docs/v6.0/tutorial/build-indexes-on-replica-sets/))
+
+## Upgrading
+
+### To 2-0-0
+
+This major chart version change (v1.4.X -> v2.0.0) contains some **incompatible breaking change needing manual actions**.
+
+**Before applying the upgrade, read through this section!**
+
+#### ⚠️ New Services
+
+Codefesh 2.0 chart includes additional dependent microservices (charts):
+- `argo-platform`: Main Codefresh GitOps module.
+- `internal-gateway`: NGINX that proxies requests to the correct components (api-graphql, api-events, ui).
+- `argo-hub-platform`: Service for Argo Workflow templates. +- `platform-analytics` and `etl-starter`: Service for [Pipelines dasboard](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) + +These services require additional databases in MongoDB (`audit`/`read-models`/`platform-analytics-postgres`) and in Postgresql (`analytics` and `analytics_pre_aggregations`) +The helm chart is configured to re-run seed jobs to create necessary databases and users during the upgrade. + +```yaml +seed: + # -- Enable all seed jobs + enabled: true +``` + +#### ⚠️ New MongoDB Indexes + +Starting from version 2.0.0, two new MongoDB indexes have been added that are vital for optimizing database queries and enhancing overall system performance. It is crucial to create these indexes before performing the upgrade to avoid any potential performance degradation. + +- `account_1_annotations.key_1_annotations.value_1` (db: `codefresh`; collection: `annotations`) +```json +{ + "account" : 1, + "annotations.key" : 1, + "annotations.value" : 1 +} +``` + +- `accountId_1_entityType_1_entityId_1` (db: `codefresh`; collection: `workflowprocesses`) + +```json +{ + "accountId" : 1, + "entityType" : 1, + "entityId" : 1 +} +``` + +To prevent potential performance degradation during the upgrade, it is important to schedule a maintenance window during a period of low activity or minimal user impact and create the indexes mentioned above before initiating the upgrade process. By proactively creating these indexes, you can avoid the application automatically creating them during the upgrade and ensure a smooth transition with optimized performance. + +**Index Creation** + +If you're hosting MongoDB on [Atlas](https://www.mongodb.com/atlas/database), use the following [Create, View, Drop, and Hide Indexes](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/) guide to create indexes mentioned above. It's important to create them in a rolling fashion (i.e. 
**Build index via rolling process** checkbox enabled) in produciton environment.
+
+For self-hosted MongoDB, see the following instruction:
+
+- Connect to the MongoDB server using the [mongosh](https://www.mongodb.com/docs/mongodb-shell/install/) shell. Open your terminal or command prompt and run the following command, replacing with the appropriate MongoDB connection string for your server:
+```console
+mongosh ""
+```
+
+- Once connected, switch to the `codefresh` database where the index will be located using the `use` command.
+```console
+use codefresh
+```
+
+- To create the indexes, use the createIndex() method. The createIndex() method should be executed on the db object.
+```console
+db.workflowprocesses.createIndex({ account: 1, 'annotations.key': 1, 'annotations.value': 1 }, { name: 'account_1_annotations.key_1_annotations.value_1', sparse: true, background: true })
+```
+
+```console
+db.annotations.createIndex({ accountId: 1, entityType: 1, entityId: 1 }, { name: 'accountId_1_entityType_1_entityId_1', background: true })
+```
+After executing the createIndex() command, you should see a result indicating the successful creation of the index.
+
+#### ⚠️ [Kcfi](https://github.com/codefresh-io/kcfi) Deprecation
+
+This major release deprecates [kcfi](https://github.com/codefresh-io/kcfi) installer. The recommended way to install Codefresh On-Prem is **Helm**.
+Due to that, Kcfi `config.yaml` will not be compatible for Helm-based installation.
+You still can reuse the same `config.yaml` for the Helm chart, but you need to remove (or update) the following sections.
+
+* `.Values.metadata` is deprecated. Remove it from `config.yaml`
+
+*1.4.x `config.yaml`*
+```yaml
+metadata:
+ kind: codefresh
+ installer:
+ type: helm
+ helm:
+ chart: codefresh
+ repoUrl: http://chartmuseum.codefresh.io/codefresh
+ version: 1.4.x
+```
+
+* `.Values.kubernetes` is deprecated. 
Remove it from `config.yaml`
+
+*1.4.x `config.yaml`*
+```yaml
+kubernetes:
+ namespace: codefresh
+ context: context-name
+```
+
+* `.Values.tls` (`.Values.webTLS`) is moved under `.Values.ingress.tls`. Remove `.Values.tls` from `config.yaml` afterwards.
+
+ See full [values.yaml](./values.yaml#L92).
+
+*1.4.x `config.yaml`*
+```yaml
+tls:
+ selfSigned: false
+ cert: certs/certificate.crt
+ key: certs/private.key
+```
+
+*2.0.0 `config.yaml`*
+```yaml
+# -- Ingress
+ingress:
+ # -- Enable the Ingress
+ enabled: true
+ # -- Set the ingressClass that is used for the ingress.
+ ingressClassName: nginx-codefresh
+ tls:
+ # -- Enable TLS
+ enabled: true
+ # -- Default secret name to be created with provided `cert` and `key` below
+ secretName: "star.codefresh.io"
+ # -- Certificate (base64 encoded)
+ cert: "LS0tLS1CRUdJTiBDRVJ...."
+ # -- Private key (base64 encoded)
+ key: "LS0tLS1CRUdJTiBSU0E..."
+ # -- Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`)
+ existingSecret: ""
+```
+
+* `.Values.images` is deprecated. Remove `.Values.images` from `config.yaml`.
+
+ - `.Values.images.codefreshRegistrySa` is changed to `.Values.imageCredentials`
+
+ - `.Values.privateRegistry.address` is changed to `.Values.global.imageRegistry` (no trailing slash `/` at the end)
+
+ See full `values.yaml` [here](./values.yaml#L2) and [here](./values.yaml#L143).
+
+*1.4.x `config.yaml`*
+```yaml
+images:
+ codefreshRegistrySa: sa.json
+ usePrivateRegistry: true
+ privateRegistry:
+ address: myprivateregistry.domain
+ username: username
+ password: password
+```
+
+*2.0.0 `config.yaml`*
+```yaml
+# -- Credentials for Image Pull Secret object
+imageCredentials: {}
+# Pass sa.json (as a single line). Obtain GCR Service Account JSON (sa.json) at support@codefresh.io
+# E.g.:
+# imageCredentials:
+# registry: gcr.io
+# username: _json_key
+# password: '{ "type": "service_account", "project_id": "codefresh-enterprise", "private_key_id": ... 
}'
+```
+
+*2.0.0 `config.yaml`*
+```yaml
+global:
+ # -- Global Docker image registry
+ imageRegistry: "myprivateregistry.domain"
+```
+
+* `.Values.dbinfra` is deprecated. Remove it from `config.yaml`
+
+*1.4.x `config.yaml`*
+```yaml
+dbinfra:
+ enabled: false
+```
+
+* `.Values.firebaseUrl` and `.Values.firebaseSecret` is moved under `.Values.global`
+
+*1.4.x `config.yaml`*
+```yaml
+firebaseUrl:
+firebaseSecret:
+newrelicLicenseKey:
+```
+
+*2.0.0 `config.yaml`*
+```yaml
+global:
+ # -- Firebase URL for logs streaming.
+ firebaseUrl: ""
+ # -- Firebase Secret.
+ firebaseSecret: ""
+ # -- New Relic Key
+ newrelicLicenseKey: ""
+```
+
+* `.Values.global.certsJobs` and `.Values.global.seedJobs` is deprecated. Use `.Values.seed.mongoSeedJob` and `.Values.seed.postgresSeedJob`.
+
+ See full [values.yaml](./values.yaml#L42).
+
+*1.4.x `config.yaml`*
+```yaml
+global:
+ certsJobs: true
+ seedJobs: true
+```
+
+*2.0.0 `config.yaml`*
+```yaml
+seed:
+ # -- Enable all seed jobs
+ enabled: true
+ # -- Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases.
+ # @default -- See below
+ mongoSeedJob:
+ enabled: true
+ # -- Postgres Seed Job. Required at first install. Creates required user and databases.
+ # @default -- See below
+ postgresSeedJob:
+ enabled: true
+```
+
+#### ⚠️ Migration to [Library Charts](https://helm.sh/docs/topics/library_charts/)
+
+All Codefresh subchart templates (i.e. `cfapi`, `cfui`, `pipeline-manager`, `context-manager`, etc) have been migrated to use Helm [library charts](https://helm.sh/docs/topics/library_charts/).
+That allows unifying the values structure across all Codefresh-owned charts. However, there are some **immutable** fields in the old charts which cannot be upgraded during a regular `helm upgrade`, and require additional manual actions.
+
+Run the following commands before appying the upgrade.
+
+* Delete `cf-runner` and `cf-builder` stateful sets.
+
+```console
+kubectl delete sts cf-runner --namespace $NAMESPACE
+kubectl delete sts cf-builder --namespace $NAMESPACE
+```
+
+* Delete all jobs
+
+```console
+kubectl delete job --namespace $NAMESPACE -l release=cf
+```
+
+* In `values.yaml`/`config.yaml` remove `.Values.nomios.ingress` section if you have it
+
+```yaml
+nomios:
+ # Remove ingress section
+ ingress:
+ ...
+```
+
+### To 2-0-12
+
+#### ⚠️ Legacy ChartMuseum subchart deprecation
+
+Due to deprecation of legacy ChartMuseum subchart in favor of upstream [chartmuseum](https://github.com/chartmuseum/charts/tree/main/src/chartmuseum), you need to remove the old deployment before the upgrade due to **immutable** `matchLabels` field change in the deployment spec.
+
+```console
+kubectl delete deploy cf-chartmuseum --namespace $NAMESPACE
+```
+
+#### ⚠️ Affected values
+
+- If you have `.persistence.enabled=true` defined and NOT `.persistence.existingClaim` like:
+
+```yaml
+helm-repo-manager:
+ chartmuseum:
+ persistence:
+ enabled: true
+```
+then you **have to backup** the content of old PVC (mounted as `/storage` in the old deployment) **before the upgrade**!
+ +```shell +POD_NAME=$(kubectl get pod -l app=chartmuseum -n $NAMESPACE --no-headers -o custom-columns=":metadata.name") +kubectl cp -n $NAMESPACE $POD_NAME:/storage $(pwd)/storage +``` + +**After the upgrade**, restore the content into new deployment: ```shell -git checkout -b onprem-X.Y.Z release-X.Y -``` -- Update `.version` in Chart.yaml -- Update `artifacthub.io/changes` annotation in Chart.yaml -- *optional* Update `dependencies` in Chart.yaml -- *optional* Update `values.yaml`, `templates/**`, etc with required changes -- Run `helm dep update` to update dependencies -- *optional* Run `./codefresh/.ci/runtime-images.sh` -- Run `./codefresh/.ci/helm-docs.sh` -- Commit changes and open the PR against the corresponding `release-.` branch -- Comment `/test` to trigger CI pipeline -- Merge the PR after successful CI build +POD_NAME=$(kubectl get pod -l app.kubernetes.io/name=chartmuseum -n $NAMESPACE --no-headers -o custom-columns=":metadata.name") +kubectl cp -n $NAMESPACE $(pwd)/storage $POD_NAME:/storage +``` + +- If you have `.persistence.existingClaim` defined, you can keep it as is: +```yaml +helm-repo-manager: + chartmuseum: + existingClaim: my-claim-name +``` + +- If you have `.Values.global.imageRegistry` specified, it **won't be** applied for the new chartmuseum subchart. Add image registry explicitly for the subchart as follows + +```yaml +global: + imageRegistry: myregistry.domain.com + +helm-repo-manager: + chartmuseum: + image: + repository: myregistry.domain.com/codefresh/chartmuseum +``` + +### To 2-0-17 + +#### ⚠️ Affected values + +Values structure for argo-platform images has been changed. +Added `registry` to align with the rest of the services. 
+
+> values for <= v2.0.16
+```yaml
+argo-platform:
+ api-graphql:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-api-graphql
+ abac:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-abac
+ analytics-reporter:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-analytics-reporter
+ api-events:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-api-events
+ audit:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-audit
+ cron-executor:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-cron-executor
+ event-handler:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-event-handler
+ ui:
+ image:
+ repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-ui
+```
+
+> values for >= v2.0.17
+
+```yaml
+argo-platform:
+ api-graphql:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-api-graphql
+ abac:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-abac
+ analytics-reporter:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-analytics-reporter
+ api-events:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-api-events
+ audit:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-audit
+ cron-executor:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-cron-executor
+ event-handler:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-event-handler
+ ui:
+ image:
+ registry: gcr.io/codefresh-enterprise
+ repository: codefresh-io/argo-platform-ui
+```
+
+### To 2-1-0
+
+### [What's new in 2.1.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-21)
+
+#### Affected 
values:
+
+- [Legacy ChartMuseum subchart deprecation](#to-2-0-12)
+- [Argo-Platform images values structure change](#to-2-0-17)
+- **Changed** default ingress paths. All paths point to `internal-gateway` now. **Remove any overrides at `.Values.ingress.services`!** (updated example for ALB)
+- **Deprecated** `global.mongoURI`. **Supported for backward compatibility!**
+- **Added** `global.mongodbProtocol` / `global.mongodbUser` / `global.mongodbPassword` / `global.mongodbHost` / `global.mongodbOptions`
+- **Added** `global.mongodbUserSecretKeyRef` / `global.mongodbPasswordSecretKeyRef` / `global.mongodbHostSecretKeyRef`
+- **Added** `seed.mongoSeedJob.mongodbRootUserSecretKeyRef` / `seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef`
+- **Added** `seed.postgresSeedJob.postgresUserSecretKeyRef` / `seed.postgresSeedJob.postgresPasswordSecretKeyRef`
+- **Added** `global.firebaseUrlSecretKeyRef` / `global.firebaseSecretSecretKeyRef`
+- **Added** `global.postgresUserSecretKeyRef` / `global.postgresPasswordSecretKeyRef` / `global.postgresHostnameSecretKeyRef`
+- **Added** `global.rabbitmqUsernameSecretKeyRef` / `global.rabbitmqPasswordSecretKeyRef` / `global.rabbitmqHostnameSecretKeyRef`
+- **Added** `global.redisPasswordSecretKeyRef` / `global.redisUrlSecretKeyRef`
+
+- **Removed** `global.runtimeMongoURI` (defaults to `global.mongoURI` or `global.mongodbHost`/`global.mongodbHostSecretKeyRef`/etc like values)
+- **Removed** `global.runtimeMongoDb` (defaults to `global.mongodbDatabase`)
+- **Removed** `global.runtimeRedisHost` (defaults to `global.redisUrl`/`global.redisUrlSecretKeyRef` or `global.redisService`)
+- **Removed** `global.runtimeRedisPort` (defaults to `global.redisPort`)
+- **Removed** `global.runtimeRedisPassword` (defaults to `global.redisPassword`/`global.redisPasswordSecretKeyRef`)
+- **Removed** `global.runtimeRedisDb` (defaults to values below)
+
+```yaml
+cfapi:
+ env:
+ RUNTIME_REDIS_DB: 0
+
+cf-broadcaster:
+ env:
+ REDIS_DB: 0
+```
+
+### To 2-1-7
+
+⚠️⚠️⚠️
+> Since version 2.1.7 chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/codefresh`
+
+> Versions prior to 2.1.7 are still available in ChartMuseum at `http://chartmuseum.codefresh.io/codefresh`
+
+### To 2-2-0
+
+### [What's new in 2.2.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-22)
+
+#### MongoDB 5.x
+
+Codefresh On-Prem 2.2.x uses MongoDB 5.x (4.x is still supported). If you run external MongoDB, it is **highly** recommended to upgrade it to 5.x after upgrading Codefresh On-Prem to 2.2.x.
+
+#### Redis HA
+
+> If you run external Redis, this is not applicable to you.
+
+Codefresh On-Prem 2.2.x adds (not replaces!) an **optional** Redis-HA (master/slave configuration with Sentinel sidecars for failover management) instead of a single Redis instance.
+To enable it, see the following values:
+
+```yaml
+global:
+ redisUrl: cf-redis-ha-haproxy # Replace `cf` with your Helm release name
+
+# -- Disable standalone Redis instance
+redis:
+ enabled: false
+
+# -- Enable Redis HA
+redis-ha:
+ enabled: true
+```
+
+### To 2-3-0
+
+### [What's new in 2.3.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-23)
+
+⚠️ This major release changes default registry for Codefresh **private** images from GCR (`gcr.io`) to GAR (`us-docker.pkg.dev`)
+
+Update `.Values.imageCredentials.registry` to `us-docker.pkg.dev` if it's explicitly set to `gcr.io` in your values file.
+
+Default `.Values.imageCredentials` for Onprem **v2.2.x and below**
+```yaml
+imageCredentials:
+ registry: gcr.io
+ username: _json_key
+ password:
+```
+
+Default `.Values.imageCredentials` for Onprem **v2.3.x and above**
+```yaml
+imageCredentials:
+ registry: us-docker.pkg.dev
+ username: _json_key
+ password:
+```
+
+## Rollback
+
+Use `helm history` to determine which release has worked, then use `helm rollback` to perform a rollback
+
+> When rollback from 2.x prune these resources due to immutabled fields changes
+
+```console
+kubectl delete sts cf-runner --namespace $NAMESPACE
+kubectl delete sts cf-builder --namespace $NAMESPACE
+kubectl delete deploy cf-chartmuseum --namespace $NAMESPACE
+kubectl delete job --namespace $NAMESPACE -l release=$RELEASE_NAME
+```
+
+```console
+helm rollback $RELEASE_NAME $RELEASE_NUMBER \
+ --namespace $NAMESPACE \
+ --debug \
+ --wait
+```
+
+### To 2-4-0
+
+### [What's new in 2.4.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-24)
+
+#### New cfapi-auth role
+
+New `cfapi-auth` role is introduced in 2.4.x.
+
+If you run onprem with [multi-role cfapi configuration](#configuration-with-multi-role-cf-api), make sure to **enable** `cfapi-auth` role:
+
+```yaml
+cfapi-auth:
+ <<: *cf-api
+ enabled: true
+```
+
+#### Default SYSTEM_TYPE for acccounts
+
+Since 2.4.x, `SYSTEM_TYPE` is changed to `PROJECT_ONE` by default.
+
+If you want to preserve original `CLASSIC` values, update cfapi environment variables:
+
+```yaml
+cfapi:
+ container:
+ env:
+ DEFAULT_SYSTEM_TYPE: CLASSIC
+```
+
+### To 2-5-0
+
+### [What's new in 2.5.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-25)
+
+### To 2-6-0
+
+> ⚠️ **WARNING! MongoDB indexes changed!**
+>
+> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process.
+
+### [What's new in 2.6.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-26)
+
+#### Affected values
+
+[Image digests in containers](#image-digests-in-containers)
+
+### To 2-7-0
+
+> ⚠️ **WARNING! MongoDB indexes changed!**
+>
+> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process.
+
+### [What's new in 2.7.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-27)
+
+#### Affected values
+
+- Added option to provide global `tolerations`/`nodeSelector`/`affinity` for all Codefresh subcharts
+> **Note!** These global settings will not be applied to Bitnami subcharts (e.g. `mongodb`, `redis`, `rabbitmq`, `postgres`. etc)
+
+```yaml
+global:
+ tolerations:
+ - key: "key"
+ operator: "Equal"
+ value: "value"
+ effect: "NoSchedule"
+
+ nodeSelector:
+ key: "value"
+
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "key"
+ operator: "In"
+ values:
+ - "value"
+```
+
+### To 2-8-0
+
+> ⚠️ **WARNING! MongoDB indexes changed!**
+>
+> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process.
+
+### [What's new in 2.8.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-28)
+
+### ⚠️ ⚠️ ⚠️ Breaking changes. Read before upgrading!
+
+### MongoDB update
+
+Default MongoDB image is changed from 6.x to 7.x.
+
+If you run external MongoDB (i.e. [Atlas](https://cloud.mongodb.com)), it is **required** to upgrade it to 7.x after upgrading Codefresh On-Prem to 2.8.x.
+
+- **Before the upgrade**, for backward compatibility (in case you need to rollback to 6.x), you should set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file.
+
+```yaml
+mongodb:
+ migration:
+ enabled: true
+ featureCompatibilityVersion: "6.0"
+```
+
+- Perform Codefresh On-Prem upgrade to 2.8.x. Make sure all systems are up and running.
+
+- **After the upgrade**, if all system are stable, you need to set `featureCompatibilityVersion` to `7.0` in your values file and re-deploy the chart.
+
+```yaml
+mongodb:
+ migration:
+ enabled: true
+ featureCompatibilityVersion: "7.0"
+```
+
+⚠️ ⚠️ ⚠️ If FCV (FeatureCompatibilityVersion) is managed by MongoDB itself (i.e. Atlas), you can disable it completely (that is default value in Helm chart)
+
+```yaml
+mongodb:
+ migration:
+ enabled: false
+```
+
+### PostgreSQL update
+
+Default PostgreSQL image is changed from 13.x to 17.x
+
+If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
+
+> ⚠️ **Important!**
+> The default SSL configuration may change on your provider's side when you upgrade.
+> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql)
+
+⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers)
+
+⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs:
+```
+postgresql 17:36:28.41 INFO ==> ** Starting PostgreSQL **
+2025-05-21 17:36:28.432 GMT [1] FATAL: database files are incompatible with server
+2025-05-21 17:36:28.432 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 13, which is not compatible with this version 17.2.
+```
+You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet.
+
+- **Before the upgrade**, backup your data on a separate PVC
+
+- Create PVC with the same or bigger size as your current PostgreSQL PVC:
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: postgresql-dump
+spec:
+ storageClassName:
+ resources:
+ requests:
+ storage:
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+```
+
+- Create a job to dump the data from the old PostgreSQL StatefulSet into the new PVC:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: postgresql-dump
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ spec:
+ containers:
+ - name: postgresql-dump
+ image: quay.io/codefresh/postgresql:17
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1Gi"
+ cpu: "1"
+ env:
+ - name: PGUSER
+ value: ""
+ - name: PGPASSWORD
+ value: ""
+ - name: PGHOST
+ value: ""
+ - name: PGPORT
+ value: ""
+ command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ pg_dumpall --verbose > /opt/postgresql-dump/dump.sql
+ volumeMounts:
+ - name: postgresql-dump
+ mountPath: /opt/postgresql-dump
+ securityContext:
+ runAsUser: 0
+ fsGroup: 0
+ 
volumes:
+ - name: postgresql-dump
+ persistentVolumeClaim:
+ claimName: postgresql-dump
+ restartPolicy: Never
+```
+
+- Delete old PostgreSQL StatefulSet and PVC
+
+```console
+STS_NAME=$(kubectl get sts -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}')
+PVC_NAME=$(kubectl get pvc -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}')
+
+kubectl delete sts $STS_NAME -n $NAMESPACE
+kubectl delete pvc $PVC_NAME -n $NAMESPACE
+```
+
+- Peform the upgrade to 2.8.x with PostgreSQL seed job enabled to re-create users and databases
+
+```yaml
+seed:
+ postgresSeedJob:
+ enabled: true
+```
+
+- Create a job to restore the data from the new PVC into the new PostgreSQL StatefulSet:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: postgresql-restore
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ spec:
+ containers:
+ - name: postgresql-restore
+ image: quay.io/codefresh/postgresql:17
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1Gi"
+ cpu: "1"
+ env:
+ - name: PGUSER
+ value: ""
+ - name: PGPASSWORD
+ value: ""
+ - name: PGHOST
+ value: ""
+ - name: PGPORT
+ value: ""
+ command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ psql -f /opt/postgresql-dump/dump.sql
+ volumeMounts:
+ - name: postgresql-dump
+ mountPath: /opt/postgresql-dump
+ securityContext:
+ runAsUser: 0
+ fsGroup: 0
+ volumes:
+ - name: postgresql-dump
+ persistentVolumeClaim:
+ claimName: postgresql-dump
+ restartPolicy: Never
+```
+
+### RabbitMQ update
+
+Default RabbitMQ image is changed from 3.x to 4.0
+
+If you run external RabbitMQ, follow the [official instructions](https://www.rabbitmq.com/docs/upgrade) to upgrade to 4.0
+
+For built-in RabbitMQ `bitnami/rabbitmq` subchart, pre-upgrade hook was added to enable all stable feature flags.
+
+#### Affected values
+
+- Added option to provide `.Values.global.tolerations`/`.Values.global.nodeSelector`/`.Values.global.affinity` for all Codefresh subcharts
+
+- Changed default location for public images from `quay.io/codefresh` to `us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh`
+
+- `.Values.hooks` was splitted into `.Values.hooks.mongodb` and `.Values.hooks.consul`
+
+## Troubleshooting
+
+### Error: Failed to validate connection to Docker daemon; caused by Error: certificate has expired
+
+Builds are stuck in pending with `Error: Failed to validate connection to Docker daemon; caused by Error: certificate has expired`
+
+**Reason:** Runtime certificates have expiried.
+
+To check if runtime internal CA expired:
+
+```console
+kubectl -n $NAMESPACE get secret/cf-codefresh-certs-client -o jsonpath="{.data['ca\.pem']}" | base64 -d | openssl x509 -enddate -noout
+```
+
+**Resolution:** Replace internal CA and re-issue dind certs for runtime
+
+- Delete k8s secret with expired certificate
+```console
+kubectl -n $NAMESPACE delete secret cf-codefresh-certs-client
+```
+
+- Set `.Values.global.gencerts.enabled=true` (`.Values.global.certsJob=true` for onprem < 2.x version)
+
+```yaml
+# -- Job to generate internal runtime secrets.
+# @default -- See below
+gencerts:
+ enabled: true
+```
+
+- Upgrade Codefresh On-Prem Helm release. It will recreate `cf-codefresh-certs-client` secret
+```console
+helm upgrade --install cf codefresh/codefresh \
+ -f cf-values.yaml \
+ --namespace codefresh \
+ --create-namespace \
+ --debug \
+ --wait \
+ --timeout 15m
+```
+
+- Restart `cfapi` and `cfsign` deployments
+
+```console
+kubectl -n $NAMESPACE rollout restart deployment/cf-cfapi
+kubectl -n $NAMESPACE rollout restart deployment/cf-cfsign
+```
+
+**Case A:** Codefresh Runner installed with HELM chart ([charts/cf-runtime](https://github.com/codefresh-io/venona/tree/release-1.0/charts/cf-runtime))
+
+Re-apply the `cf-runtime` helm chart.
Post-upgrade `gencerts-dind` helm hook will regenerate the dind certificates using a new CA.
+
+**Case B:** Codefresh Runner installed with legacy CLI ([codefresh runner init](https://codefresh-io.github.io/cli/runner/init/))
+
+Delete `codefresh-certs-server` k8s secret and run [./configure-dind-certs.sh](https://github.com/codefresh-io/venona/blob/release-1.0/charts/cf-runtime/files/configure-dind-certs.sh) in your runtime namespace.
+
+```console
+kubectl -n $NAMESPACE delete secret codefresh-certs-server
+./configure-dind-certs.sh -n $RUNTIME_NAMESPACE https://$CODEFRESH_HOST $CODEFRESH_API_TOKEN
+```
+
+### Consul Error: Refusing to rejoin cluster because the server has been offline for more than the configured server_rejoin_age_max
+
+After platform upgrade, Consul fails with the error `refusing to rejoin cluster because the server has been offline for more than the configured server_rejoin_age_max - consider wiping your data dir`. There is [known issue](https://github.com/hashicorp/consul/issues/20722) of **hashicorp/consul** behaviour. Try to wipe out or delete the consul PV with config data and restart Consul StatefulSet.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| argo-hub-platform | object | See below | argo-hub-platform |
+| argo-platform | object | See below | argo-platform |
+| argo-platform.abac | object | See below | abac |
+| argo-platform.analytics-reporter | object | See below | analytics-reporter |
+| argo-platform.anchors | object | See below | Anchors |
+| argo-platform.api-events | object | See below | api-events |
+| argo-platform.api-graphql | object | See below | api-graphql All other services under `.Values.argo-platform` follows the same values structure. 
|
+| argo-platform.api-graphql.affinity | object | `{}` | Set pod's affinity |
+| argo-platform.api-graphql.env | object | See below | Env vars |
+| argo-platform.api-graphql.hpa | object | `{"enabled":false}` | HPA |
+| argo-platform.api-graphql.hpa.enabled | bool | `false` | Enable autoscaler |
+| argo-platform.api-graphql.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/argo-platform-api-graphql"}` | Image |
+| argo-platform.api-graphql.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry |
+| argo-platform.api-graphql.image.repository | string | `"codefresh/argo-platform-api-graphql"` | Repository |
+| argo-platform.api-graphql.kind | string | `"Deployment"` | Controller kind. Currently, only `Deployment` is supported |
+| argo-platform.api-graphql.pdb | object | `{"enabled":false}` | PDB |
+| argo-platform.api-graphql.pdb.enabled | bool | `false` | Enable pod disruption budget |
+| argo-platform.api-graphql.podAnnotations | object | `{"checksum/secret":"{{ include (print $.Template.BasePath \"/api-graphql/secret.yaml\") . | sha256sum }}"}` | Set pod's annotations |
+| argo-platform.api-graphql.resources | object | See below | Resource limits and requests |
+| argo-platform.api-graphql.secrets | object | See below | Secrets |
+| argo-platform.api-graphql.tolerations | list | `[]` | Set pod's tolerations |
+| argo-platform.argocd-hooks | object | See below | argocd-hooks Don't enable! Not used in onprem! |
+| argo-platform.audit | object | See below | audit |
+| argo-platform.broadcaster | object | See below | broadcaster |
+| argo-platform.cron-executor | object | See below | cron-executor |
+| argo-platform.event-handler | object | See below | event-handler |
+| argo-platform.promotion-orchestrator | object | See below | promotion-orchestrator |
+| argo-platform.runtime-manager | object | See below | runtime-manager Don't enable! Not used in onprem! 
|
+| argo-platform.runtime-monitor | object | See below | runtime-monitor Don't enable! Not used in onprem! |
+| argo-platform.ui | object | See below | ui |
+| argo-platform.useExternalSecret | bool | `false` | Use regular k8s secret object. Keep `false`! |
+| builder | object | `{"affinity":{},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/curl","tag":"8.14.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder |
+| cf-broadcaster | object | See below | broadcaster |
+| cf-oidc-provider | object | See below | cf-oidc-provider |
+| cf-platform-analytics-etlstarter | object | See below | etl-starter |
+| cf-platform-analytics-etlstarter.redis.enabled | bool | `false` | Disable redis subchart |
+| cf-platform-analytics-etlstarter.system-etl-postgres | object | `{"container":{"env":{"BLUE_GREEN_ENABLED":true}},"controller":{"cronjob":{"ttlSecondsAfterFinished":300}},"enabled":true}` | Only postgres ETL should be running in onprem |
+| cf-platform-analytics-platform | object | See below | platform-analytics |
+| cfapi | object | `{"affinity":{},"container":{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService 
}}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}},"controller":{"replicas":2},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false,"minAvailable":"50%"},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}},"secrets":{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}},"tolerations":[]}` | cf-api |
+| cfapi-internal.<<.affinity | object | `{}` | Affinity configuration |
+| cfapi-internal.<<.container | object | `{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}}` | Container configuration |
+| cfapi-internal.<<.container.env | object | See below | Env vars |
+| cfapi-internal.<<.container.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}` | Image |
+| cfapi-internal.<<.container.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry prefix |
+| cfapi-internal.<<.container.image.repository | string | `"codefresh/cf-api"` | Repository |
+| cfapi-internal.<<.controller | object | `{"replicas":2}` | Controller configuration |
+| 
cfapi-internal.<<.controller.replicas | int | `2` | Replicas number | +| cfapi-internal.<<.enabled | bool | `true` | Enable cf-api | +| cfapi-internal.<<.hpa | object | `{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70}` | Autoscaler configuration | +| cfapi-internal.<<.hpa.enabled | bool | `false` | Enable HPA | +| cfapi-internal.<<.hpa.maxReplicas | int | `10` | Maximum number of replicas | +| cfapi-internal.<<.hpa.minReplicas | int | `2` | Minimum number of replicas | +| cfapi-internal.<<.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | +| cfapi-internal.<<.imagePullSecrets | list | `[]` | Image pull secrets | +| cfapi-internal.<<.nodeSelector | object | `{}` | Node selector configuration | +| cfapi-internal.<<.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | +| cfapi-internal.<<.pdb.enabled | bool | `false` | Enable PDB | +| cfapi-internal.<<.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | +| cfapi-internal.<<.podSecurityContext | object | `{}` | Pod security context configuration | +| cfapi-internal.<<.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource requests and limits | +| cfapi-internal.<<.secrets | object | `{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}}` | Secrets configuration | +| cfapi-internal.<<.tolerations | list | `[]` | Tolerations configuration | +| cfapi-internal.enabled | bool | `false` | | +| cfapi.affinity | object | `{}` | Affinity configuration | +| cfapi.container | object | `{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort 
}}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}}` | Container configuration | +| cfapi.container.env | object | See below | Env vars | +| cfapi.container.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}` | Image | +| cfapi.container.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry prefix | +| cfapi.container.image.repository | string | `"codefresh/cf-api"` | Repository | +| cfapi.controller | object | `{"replicas":2}` | Controller configuration | +| cfapi.controller.replicas | int | `2` | Replicas number | +| cfapi.enabled | bool | `true` | Enable cf-api | +| cfapi.hpa | object | `{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70}` | Autoscaler configuration | +| cfapi.hpa.enabled | bool | `false` | Enable HPA | +| cfapi.hpa.maxReplicas | int | `10` | Maximum number of replicas | +| cfapi.hpa.minReplicas | int | `2` | Minimum number of replicas | +| cfapi.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | +| cfapi.imagePullSecrets | list | `[]` | Image pull secrets | +| cfapi.nodeSelector | object | `{}` | Node selector configuration | +| cfapi.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | +| cfapi.pdb.enabled | bool | `false` | Enable PDB | +| cfapi.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | +| cfapi.podSecurityContext | object | `{}` | Pod security context configuration | +| cfapi.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource 
requests and limits | +| cfapi.secrets | object | `{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}}` | Secrets configuration | +| cfapi.tolerations | list | `[]` | Tolerations configuration | +| cfsign | object | See below | tls-sign | +| cfui | object | See below | cf-ui | +| charts-manager | object | See below | charts-manager | +| ci.enabled | bool | `false` | | +| cluster-providers | object | See below | cluster-providers | +| consul | object | See below | consul Ref: https://github.com/bitnami/charts/blob/main/bitnami/consul/values.yaml | +| context-manager | object | See below | context-manager | +| cronus | object | See below | cronus | +| developmentChart | bool | `false` | | +| dockerconfigjson | object | `{}` | DEPRECATED - Use `.imageCredentials` instead dockerconfig (for `kcfi` tool backward compatibility) for Image Pull Secret. Obtain GCR Service Account JSON (sa.json) at support@codefresh.io ```shell GCR_SA_KEY_B64=$(cat sa.json | base64) DOCKER_CFG_VAR=$(echo -n "_json_key:$(echo ${GCR_SA_KEY_B64} | base64 -d)" | base64 | tr -d '\n') ``` E.g.: dockerconfigjson: auths: gcr.io: auth: | +| gencerts | object | See below | Job to generate internal runtime secrets. Required at first install. | +| gitops-dashboard-manager | object | See below | gitops-dashboard-manager | +| global | object | See below | Global parameters | +| global.affinity | object | `{}` | Global affinity constraints Apply affinity to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | +| global.appProtocol | string | `"https"` | Application protocol. | +| global.appUrl | string | `"onprem.codefresh.local"` | Application root url. Will be used in Ingress objects as hostname | +| global.broadcasterPort | int | `80` | Default broadcaster service port. 
| +| global.broadcasterService | string | `"cf-broadcaster"` | Default broadcaster service name. | +| global.builderService | string | `"builder"` | Default builder service name. | +| global.cfapiEndpointsService | string | `"cfapi"` | Default API endpoints service name | +| global.cfapiInternalPort | int | `3000` | Default API service port. | +| global.cfapiService | string | `"cfapi"` | Default API service name. | +| global.cfk8smonitorService | string | `"k8s-monitor"` | Default k8s-monitor service name. | +| global.chartsManagerPort | int | `9000` | Default chart-manager service port. | +| global.chartsManagerService | string | `"charts-manager"` | Default charts-manager service name. | +| global.clusterProvidersPort | int | `9000` | Default cluster-providers service port. | +| global.clusterProvidersService | string | `"cluster-providers"` | Default cluster-providers service name. | +| global.codefresh | string | `"codefresh"` | LEGACY - Keep as is! Used for subcharts to access external secrets and configmaps. | +| global.consulHttpPort | int | `8500` | Default Consul service port. | +| global.consulService | string | `"consul-headless"` | Default Consul service name. | +| global.contextManagerPort | int | `9000` | Default context-manager service port. | +| global.contextManagerService | string | `"context-manager"` | Default context-manager service name. 
| +| global.dnsService | string | `"kube-dns"` | Definitions for internal-gateway nginx resolver | +| global.env | object | `{}` | Global Env vars | +| global.firebaseSecret | string | `""` | Firebase Secret in plain text | +| global.firebaseSecretSecretKeyRef | object | `{}` | Firebase Secret from existing secret | +| global.firebaseUrl | string | `"https://codefresh-on-prem.firebaseio.com/on-prem"` | Firebase URL for logs streaming in plain text | +| global.firebaseUrlSecretKeyRef | object | `{}` | Firebase URL for logs streaming from existing secret | +| global.gitopsDashboardManagerDatabase | string | `"pipeline-manager"` | Default gitops-dashboarad-manager db collection. | +| global.gitopsDashboardManagerPort | int | `9000` | Default gitops-dashboarad-manager service port. | +| global.gitopsDashboardManagerService | string | `"gitops-dashboard-manager"` | Default gitops-dashboarad-manager service name. | +| global.helmRepoManagerService | string | `"helm-repo-manager"` | Default helm-repo-manager service name. | +| global.hermesService | string | `"hermes"` | Default hermes service name. | +| global.imagePullSecrets | list | `["codefresh-registry"]` | Global Docker registry secret names as array | +| global.imageRegistry | string | `""` | Global Docker image registry | +| global.kubeIntegrationPort | int | `9000` | Default kube-integration service port. | +| global.kubeIntegrationService | string | `"kube-integration"` | Default kube-integration service name. | +| global.mongoURI | string | `""` | LEGACY (but still supported) - Use `.global.mongodbProtocol` + `.global.mongodbUser/mongodbUserSecretKeyRef` + `.global.mongodbPassword/mongodbPasswordSecretKeyRef` + `.global.mongodbHost/mongodbHostSecretKeyRef` + `.global.mongodbOptions` instead Default MongoDB URI. Will be used by ALL services to communicate with MongoDB. Ref: https://www.mongodb.com/docs/manual/reference/connection-string/ Note! `defaultauthdb` is omitted on purpose (i.e. 
mongodb://.../[defaultauthdb]). | +| global.mongodbDatabase | string | `"codefresh"` | Default MongoDB database name. Don't change! | +| global.mongodbHost | string | `"cf-mongodb"` | Set mongodb host in plain text | +| global.mongodbHostSecretKeyRef | object | `{}` | Set mongodb host from existing secret | +| global.mongodbOptions | string | `"retryWrites=true"` | Set mongodb connection string options Ref: https://www.mongodb.com/docs/manual/reference/connection-string/#connection-string-options | +| global.mongodbPassword | string | `"mTiXcU2wafr9"` | Set mongodb password in plain text | +| global.mongodbPasswordSecretKeyRef | object | `{}` | Set mongodb password from existing secret | +| global.mongodbProtocol | string | `"mongodb"` | Set mongodb protocol (`mongodb` / `mongodb+srv`) | +| global.mongodbRootUser | string | `""` | DEPRECATED Use `.Values.seed.mongoSeedJob` instead. | +| global.mongodbUser | string | `"cfuser"` | Set mongodb user in plain text | +| global.mongodbUserSecretKeyRef | object | `{}` | Set mongodb user from existing secret | +| global.natsPort | int | `4222` | Default nats service port. | +| global.natsService | string | `"nats"` | Default nats service name. | +| global.newrelicLicenseKey | string | `""` | New Relic Key | +| global.nodeSelector | object | `{}` | Global nodeSelector constraints Apply nodeSelector to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | +| global.oidcProviderClientId | string | `nil` | Default OIDC Provider service client ID in plain text. | +| global.oidcProviderClientSecret | string | `nil` | Default OIDC Provider service client secret in plain text. | +| global.oidcProviderPort | int | `443` | Default OIDC Provider service port. | +| global.oidcProviderProtocol | string | `"https"` | Default OIDC Provider service protocol. | +| global.oidcProviderService | string | `""` | Default OIDC Provider service name (Provider URL). 
| +| global.oidcProviderTokenEndpoint | string | `"/token"` | Default OIDC Provider service token endpoint. | +| global.pipelineManagerPort | int | `9000` | Default pipeline-manager service port. | +| global.pipelineManagerService | string | `"pipeline-manager"` | Default pipeline-manager service name. | +| global.platformAnalyticsPort | int | `80` | Default platform-analytics service port. | +| global.platformAnalyticsService | string | `"platform-analytics"` | Default platform-analytics service name. | +| global.postgresDatabase | string | `"codefresh"` | Set postgres database name | +| global.postgresHostname | string | `""` | Set postgres service address in plain text. Takes precedence over `global.postgresService`! | +| global.postgresHostnameSecretKeyRef | object | `{}` | Set postgres service from existing secret | +| global.postgresPassword | string | `"eC9arYka4ZbH"` | Set postgres password in plain text | +| global.postgresPasswordSecretKeyRef | object | `{}` | Set postgres password from existing secret | +| global.postgresPort | int | `5432` | Set postgres port number | +| global.postgresService | string | `"postgresql"` | Default internal postgresql service address from bitnami/postgresql subchart | +| global.postgresUser | string | `"postgres"` | Set postgres user in plain text | +| global.postgresUserSecretKeyRef | object | `{}` | Set postgres user from existing secret | +| global.rabbitService | string | `"rabbitmq:5672"` | Default internal rabbitmq service address from bitnami/rabbitmq subchart. | +| global.rabbitmqHostname | string | `""` | Set rabbitmq service address in plain text. Takes precedence over `global.rabbitService`! | +| global.rabbitmqHostnameSecretKeyRef | object | `{}` | Set rabbitmq service address from existing secret. 
| +| global.rabbitmqPassword | string | `"cVz9ZdJKYm7u"` | Set rabbitmq password in plain text | +| global.rabbitmqPasswordSecretKeyRef | object | `{}` | Set rabbitmq password from existing secret | +| global.rabbitmqProtocol | string | `"amqp"` | Set rabbitmq protocol (`amqp/amqps`) | +| global.rabbitmqUsername | string | `"user"` | Set rabbitmq username in plain text | +| global.rabbitmqUsernameSecretKeyRef | object | `{}` | Set rabbitmq username from existing secret | +| global.redisPassword | string | `"hoC9szf7NtrU"` | Set redis password in plain text | +| global.redisPasswordSecretKeyRef | object | `{}` | Set redis password from existing secret | +| global.redisPort | int | `6379` | Set redis service port | +| global.redisService | string | `"redis-master"` | Default internal redis service address from bitnami/redis subchart | +| global.redisUrl | string | `""` | Set redis hostname in plain text. Takes precedence over `global.redisService`! | +| global.redisUrlSecretKeyRef | object | `{}` | Set redis hostname from existing secret. | +| global.runtimeEnvironmentManagerPort | int | `80` | Default runtime-environment-manager service port. | +| global.runtimeEnvironmentManagerService | string | `"runtime-environment-manager"` | Default runtime-environment-manager service name. | +| global.security | object | `{"allowInsecureImages":true}` | Bitnami | +| global.storageClass | string | `""` | Global StorageClass for Persistent Volume(s) | +| global.tlsSignPort | int | `4999` | Default tls-sign service port. | +| global.tlsSignService | string | `"cfsign"` | Default tls-sign service name. | +| global.tolerations | list | `[]` | Global tolerations constraints Apply toleratons to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | +| helm-repo-manager | object | See below | helm-repo-manager | +| hermes | object | See below | hermes | +| hooks | object | See below | Pre/post-upgrade Job hooks. 
| +| hooks.consul | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/kubectl","tag":"1.33.3"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Recreates `consul-headless` service due to duplicated ports in Service during the upgrade. | +| hooks.mongodb | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/mongosh","tag":"2.5.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Updates images in `system/default` runtime. | +| hooks.rabbitmq | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/rabbitmqadmin","tag":"2.8.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Enable stable feature flags in RabbitMQ. | +| imageCredentials | object | `{}` | Credentials for Image Pull Secret object | +| ingress | object | `{"annotations":{"nginx.ingress.kubernetes.io/service-upstream":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false","nginx.org/redirect-to-https":"false"},"enabled":true,"ingressClassName":"nginx-codefresh","labels":{},"nameOverride":"","services":{"internal-gateway":["/"]},"tls":{"cert":"","enabled":false,"existingSecret":"","key":"","secretName":"star.codefresh.io"}}` | Ingress | +| ingress-nginx | object | See below | ingress-nginx Ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml | +| ingress.annotations | object | See below | Set annotations for ingress. | +| ingress.enabled | bool | `true` | Enable the Ingress | +| ingress.ingressClassName | string | `"nginx-codefresh"` | Set the ingressClass that is used for the ingress. 
Default `nginx-codefresh` is created from `ingress-nginx` controller subchart | +| ingress.labels | object | `{}` | Set labels for ingress | +| ingress.nameOverride | string | `""` | Override Ingress resource name | +| ingress.services | object | See below | Default services and corresponding paths | +| ingress.tls.cert | string | `""` | Certificate (base64 encoded) | +| ingress.tls.enabled | bool | `false` | Enable TLS | +| ingress.tls.existingSecret | string | `""` | Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) | +| ingress.tls.key | string | `""` | Private key (base64 encoded) | +| ingress.tls.secretName | string | `"star.codefresh.io"` | Default secret name to be created with provided `cert` and `key` below | +| internal-gateway | object | See below | internal-gateway | +| k8s-monitor | object | See below | k8s-monitor | +| kube-integration | object | See below | kube-integration | +| mailer.enabled | bool | `false` | | +| mongodb | object | See below | mongodb Ref: https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml | +| nats | object | See below | nats Ref: https://github.com/bitnami/charts/blob/main/bitnami/nats/values.yaml | +| nomios | object | See below | nomios | +| payments.enabled | bool | `false` | | +| pipeline-manager | object | See below | pipeline-manager | +| postgresql | object | See below | postgresql Ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml | +| postgresql-ha | object | See below | postgresql Ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/values.yaml | +| postgresqlCleanJob | object | See below | Maintenance postgresql clean job. Removes a certain number of the last records in the event store table. 
| +| rabbitmq | object | See below | rabbitmq Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | +| redis | object | See below | redis Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | +| redis-ha | object | `{"auth":true,"enabled":false,"haproxy":{"enabled":true,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}}},"persistentVolume":{"enabled":true,"size":"10Gi"},"redis":{"resources":{"requests":{"cpu":"100m","memory":"128Mi"}}},"redisPassword":"hoC9szf7NtrU"}` | redis-ha # Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml | +| runtime-environment-manager | object | See below | runtime-environment-manager | +| runtimeImages | object | See below | runtimeImages | +| salesforce-reporter.enabled | bool | `false` | | +| seed | object | See below | Seed jobs | +| seed-e2e | object | `{"affinity":{},"backoffLimit":10,"enabled":false,"image":{"registry":"docker.io","repository":"mongo","tag":"latest"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":300}` | CI | +| seed.enabled | bool | `true` | Enable all seed jobs | +| seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. | +| seed.mongoSeedJob.env | object | `{}` | Extra env variables for seed job. | +| seed.mongoSeedJob.mongodbRootOptions | string | `""` | Extra options for connection string (e.g. `authSource=admin`). | +| seed.mongoSeedJob.mongodbRootPassword | string | `"XT9nmM8dZD"` | Root password in plain text (required ONLY for seed job!). | +| seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret | +| seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). 
| +| seed.mongoSeedJob.mongodbRootUserSecretKeyRef | object | `{}` | Root user from existing secret | +| seed.postgresSeedJob | object | See below | Postgres Seed Job. Required at first install. Creates required user and databases. | +| seed.postgresSeedJob.postgresPassword | optional | `""` | Password for "postgres" admin user (required ONLY for seed job!) | +| seed.postgresSeedJob.postgresPasswordSecretKeyRef | optional | `{}` | Password for "postgres" admin user from existing secret | +| seed.postgresSeedJob.postgresUser | optional | `""` | "postgres" admin user in plain text (required ONLY for seed job!) Must be a privileged user allowed to create databases and grant roles. If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. | +| seed.postgresSeedJob.postgresUserSecretKeyRef | optional | `{}` | "postgres" admin user from exising secret | +| segment-reporter.enabled | bool | `false` | | +| tasker-kubernetes | object | `{"affinity":{},"container":{"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/tasker-kubernetes"}},"enabled":true,"hpa":{"enabled":false},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}` | tasker-kubernetes | +| webTLS | object | `{"cert":"","enabled":false,"key":"","secretName":"star.codefresh.io"}` | DEPRECATED - Use `.Values.ingress.tls` instead TLS secret for Ingress | diff --git a/charts/codefresh/README.md.gotmpl b/README.md.gotmpl similarity index 100% rename from charts/codefresh/README.md.gotmpl rename to README.md.gotmpl diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 000000000..af3dfcceb --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,20 @@
+# Release Process
+
+## Releasing a new version
+
+For a **PATCH** release:
+
+- Checkout from the corresponding `release-.` branch
+```shell
+git checkout -b onprem-X.Y.Z release-X.Y
+```
+- Update `.version` in Chart.yaml
+- Update `artifacthub.io/changes` annotation in Chart.yaml
+- *optional* Update `dependencies` in Chart.yaml
+- *optional* Update `values.yaml`, `templates/**`, etc with required changes
+- Run `helm dep update` to update dependencies
+- *optional* Run `./charts/codefresh/.ci/runtime-images.sh`
+- Run `./charts/codefresh/.ci/helm-docs.sh`
+- Commit changes and open the PR against the corresponding `release-.` branch
+- Comment `/test` to trigger CI pipeline
+- Merge the PR after successful CI build
diff --git a/charts/codefresh-gitops/README.md b/charts/codefresh-gitops/README.md
deleted file mode 100644
index 5aa1422cd..000000000
--- a/charts/codefresh-gitops/README.md
+++ /dev/null
@@ -1,189 +0,0 @@ -# codefresh-gitops - -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) - -Helm Chart for Codefresh GitOps On-Prem - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| codefresh | | | - -## Source Code - -* - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://charts.bitnami.com/bitnami | mongodb | 15.6.26 | -| https://charts.bitnami.com/bitnami | postgresql | 16.7.4 | -| https://charts.bitnami.com/bitnami | rabbitmq | 15.5.3 | -| https://charts.bitnami.com/bitnami | redis | 20.13.4 | -| oci://quay.io/codefresh/charts | argo-hub-platform | * | -| oci://quay.io/codefresh/charts | argo-platform | * | -| oci://quay.io/codefresh/charts | cf-common | 0.27.0 | -| oci://quay.io/codefresh/charts | cf-platform-analytics-platform(cf-platform-analytics) | * | -| oci://quay.io/codefresh/charts | cf-platform-analytics-etlstarter(cf-platform-analytics) | * | -| oci://quay.io/codefresh/charts | cfapi(cfapi) | * | -| oci://quay.io/codefresh/charts | cfui | * | -| oci://quay.io/codefresh/charts | internal-gateway | 0.10.4 | -| oci://quay.io/codefresh/charts | runtime-environment-manager | * | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| argo-hub-platform | object | See below | argo-hub-platform | -| argo-platform | object | See below | argo-platform | -| argo-platform.abac | object | See below | abac | -| argo-platform.analytics-reporter | object | See below | analytics-reporter | -| argo-platform.anchors | object | See below | Anchors | -| argo-platform.api-events | object | See below | api-events | -| argo-platform.api-graphql | object | See below | api-graphql All other services under `.Values.argo-platform` follows the same values structure. 
| -| argo-platform.api-graphql.affinity | object | `{}` | Set pod's affinity | -| argo-platform.api-graphql.env | object | See below | Env vars | -| argo-platform.api-graphql.hpa | object | `{"enabled":false}` | HPA | -| argo-platform.api-graphql.hpa.enabled | bool | `false` | Enable autoscaler | -| argo-platform.api-graphql.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh-io/argo-platform-api-graphql"}` | Image | -| argo-platform.api-graphql.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry | -| argo-platform.api-graphql.image.repository | string | `"codefresh-io/argo-platform-api-graphql"` | Repository | -| argo-platform.api-graphql.kind | string | `"Deployment"` | Controller kind. Currently, only `Deployment` is supported | -| argo-platform.api-graphql.pdb | object | `{"enabled":false}` | PDB | -| argo-platform.api-graphql.pdb.enabled | bool | `false` | Enable pod disruption budget | -| argo-platform.api-graphql.podAnnotations | object | `{"checksum/secret":"{{ include (print $.Template.BasePath \"/api-graphql/secret.yaml\") . | sha256sum }}"}` | Set pod's annotations | -| argo-platform.api-graphql.resources | object | See below | Resource limits and requests | -| argo-platform.api-graphql.secrets | object | See below | Secrets | -| argo-platform.api-graphql.tolerations | list | `[]` | Set pod's tolerations | -| argo-platform.argocd-hooks | object | See below | argocd-hooks Don't enable! Not used in onprem! | -| argo-platform.audit | object | See below | audit | -| argo-platform.broadcaster | object | See below | broadcaster | -| argo-platform.cron-executor | object | See below | cron-executor | -| argo-platform.event-handler | object | See below | event-handler | -| argo-platform.promotion-orchestrator | object | See below | promotion-orchestrator | -| argo-platform.runtime-manager | object | See below | runtime-manager Don't enable! Not used in onprem! 
| -| argo-platform.runtime-monitor | object | See below | runtime-monitor Don't enable! Not used in onprem! | -| argo-platform.ui | object | See below | ui | -| argo-platform.useExternalSecret | bool | `false` | Use regular k8s secret object. Keep `false`! | -| cf-platform-analytics-etlstarter | object | See below | etl-starter | -| cf-platform-analytics-etlstarter.redis.enabled | bool | `false` | Disable redis subchart | -| cf-platform-analytics-etlstarter.system-etl-postgres | object | `{"container":{"env":{"BLUE_GREEN_ENABLED":true}},"controller":{"cronjob":{"ttlSecondsAfterFinished":300}},"enabled":true,"fullnameOverride":"system-etl-postgres"}` | Only postgres ETL should be running in onprem | -| cf-platform-analytics-platform | object | See below | platform-analytics | -| cfapi | object | `{"affinity":{},"container":{"env":{"API_URI":"cfapi","AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"GITOPS","LOGGER_LEVEL":"debug","ON_PREMISE":true,"PIPELINE_MANAGER_URI":"pipeline-manager","PLATFORM_ANALYTICS_URI":"platform-analytics","RUNTIME_ENVIRONMENT_MANAGER_URI":"runtime-environment-manager"},"image":{"digest":"","registry":"us-docker.pkg.dev/codefresh-inc/gcr.io","repository":"codefresh/dev/cf-api","tag":"21.283.0-test-gitops-system-type"}},"controller":{"replicas":2},"enabled":true,"fullnameOverride":"cfapi","hpa":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false,"minAvailable":"50%"},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}},"tolerations":[]}` | cf-api | -| cfapi.affinity | object | `{}` | Affinity configuration | -| cfapi.container | object | 
`{"env":{"API_URI":"cfapi","AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"GITOPS","LOGGER_LEVEL":"debug","ON_PREMISE":true,"PIPELINE_MANAGER_URI":"pipeline-manager","PLATFORM_ANALYTICS_URI":"platform-analytics","RUNTIME_ENVIRONMENT_MANAGER_URI":"runtime-environment-manager"},"image":{"digest":"","registry":"us-docker.pkg.dev/codefresh-inc/gcr.io","repository":"codefresh/dev/cf-api","tag":"21.283.0-test-gitops-system-type"}}` | Container configuration | -| cfapi.container.env | object | See below | Env vars | -| cfapi.container.image | object | `{"digest":"","registry":"us-docker.pkg.dev/codefresh-inc/gcr.io","repository":"codefresh/dev/cf-api","tag":"21.283.0-test-gitops-system-type"}` | Image | -| cfapi.container.image.digest | string | `""` | Digest | -| cfapi.container.image.registry | string | `"us-docker.pkg.dev/codefresh-inc/gcr.io"` | Registry prefix | -| cfapi.container.image.repository | string | `"codefresh/dev/cf-api"` | Repository | -| cfapi.container.image.tag | string | `"21.283.0-test-gitops-system-type"` | Tag | -| cfapi.controller | object | `{"replicas":2}` | Controller configuration | -| cfapi.controller.replicas | int | `2` | Replicas number | -| cfapi.enabled | bool | `true` | Enable cf-api | -| cfapi.fullnameOverride | string | `"cfapi"` | Override name | -| cfapi.hpa | object | `{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70}` | Autoscaler configuration | -| cfapi.hpa.enabled | bool | `false` | Enable HPA | -| cfapi.hpa.maxReplicas | int | `10` | Maximum number of replicas | -| cfapi.hpa.minReplicas | int | `2` | Minimum number of replicas | -| cfapi.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | -| cfapi.imagePullSecrets | list | `[]` | Image pull secrets | -| cfapi.nodeSelector | object | `{}` | Node selector configuration | -| cfapi.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | -| cfapi.pdb.enabled | bool | 
`false` | Enable PDB | -| cfapi.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | -| cfapi.podSecurityContext | object | `{}` | Pod security context configuration | -| cfapi.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource requests and limits | -| cfapi.tolerations | list | `[]` | Tolerations configuration | -| cfui | object | See below | cf-ui | -| global | object | See below | Global parameters | -| global.affinity | object | `{}` | Global affinity constraints Apply affinity to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | -| global.appProtocol | string | `"https"` | Application protocol. | -| global.appUrl | string | `"onprem.codefresh.local"` | Application root url. Will be used in Ingress objects as hostname | -| global.cfapiEndpointsService | string | `"cfapi"` | Default API endpoints service name | -| global.cfapiInternalPort | int | `3000` | Default API service port. | -| global.cfapiService | string | `"cfapi"` | Default API service name. | -| global.dnsService | string | `"kube-dns"` | Definitions for internal-gateway nginx resolver | -| global.env | object | `{}` | Global Env vars | -| global.imagePullSecrets | list | `["codefresh-registry"]` | Global Docker registry secret names as array | -| global.imageRegistry | string | `""` | Global Docker image registry | -| global.mongoURI | string | `""` | Legacy MongoDB connection string. Keep empty! | -| global.mongodbDatabase | string | `"codefresh"` | Default MongoDB database name. Don't change! 
| -| global.mongodbHost | string | `"mongodb"` | Set mongodb host in plain text | -| global.mongodbHostSecretKeyRef | object | `{}` | Set mongodb host from existing secret | -| global.mongodbOptions | string | `"retryWrites=true"` | Set mongodb connection string options Ref: https://www.mongodb.com/docs/manual/reference/connection-string/#connection-string-options | -| global.mongodbPassword | string | `"password"` | Set mongodb password in plain text | -| global.mongodbPasswordSecretKeyRef | object | `{}` | Set mongodb password from existing secret | -| global.mongodbProtocol | string | `"mongodb"` | Set mongodb protocol (`mongodb` / `mongodb+srv`) | -| global.mongodbUser | string | `"user"` | Set mongodb user in plain text | -| global.mongodbUserSecretKeyRef | object | `{}` | Set mongodb user from existing secret | -| global.newrelicLicenseKey | string | `""` | New Relic Key | -| global.nodeSelector | object | `{}` | Global nodeSelector constraints Apply nodeSelector to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | -| global.platformAnalyticsPort | int | `80` | Default platform-analytics service port. | -| global.platformAnalyticsService | string | `"platform-analytics"` | Default platform-analytics service name. | -| global.postgresDatabase | string | `"codefresh"` | Set postgres database name | -| global.postgresHostname | string | `"postgresql"` | Set postgres service address in plain text. Takes precedence over `global.postgresService`! 
| -| global.postgresHostnameSecretKeyRef | object | `{}` | Set postgres service from existing secret | -| global.postgresPassword | string | `"postgres"` | Set postgres password in plain text | -| global.postgresPasswordSecretKeyRef | object | `{}` | Set postgres password from existing secret | -| global.postgresPort | int | `5432` | Set postgres port number | -| global.postgresService | string | `"postgresql"` | Default internal postgresql service address from bitnami/postgresql subchart | -| global.postgresUser | string | `"postgres"` | Set postgres user in plain text | -| global.postgresUserSecretKeyRef | object | `{}` | Set postgres user from existing secret | -| global.rabbitService | string | `"rabbitmq:5672"` | Default internal rabbitmq service address from bitnami/rabbitmq subchart. | -| global.rabbitmqHostname | string | `"rabbitmq:5672"` | Set rabbitmq service address in plain text. Takes precedence over `global.rabbitService`! | -| global.rabbitmqHostnameSecretKeyRef | object | `{}` | Set rabbitmq service address from existing secret. | -| global.rabbitmqPassword | string | `"rabbitmq"` | Set rabbitmq password in plain text | -| global.rabbitmqPasswordSecretKeyRef | object | `{}` | Set rabbitmq password from existing secret | -| global.rabbitmqProtocol | string | `"amqp"` | Set rabbitmq protocol (`amqp/amqps`) | -| global.rabbitmqUsername | string | `"user"` | Set rabbitmq username in plain text | -| global.rabbitmqUsernameSecretKeyRef | object | `{}` | Set rabbitmq username from existing secret | -| global.redisPassword | string | `"redis"` | Set redis password in plain text | -| global.redisPasswordSecretKeyRef | object | `{}` | Set redis password from existing secret | -| global.redisPort | int | `6379` | Set redis service port | -| global.redisService | string | `"redis-master"` | Default internal redis service address from bitnami/redis subchart | -| global.redisUrl | string | `"redis-master"` | Set redis hostname in plain text. 
Takes precedence over `global.redisService`! | -| global.redisUrlSecretKeyRef | object | `{}` | Set redis hostname from existing secret. | -| global.security | object | `{"allowInsecureImages":true}` | Bitnami | -| global.storageClass | string | `""` | Global StorageClass for Persistent Volume(s) | -| global.tolerations | list | `[]` | Global tolerations constraints Apply toleratons to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | -| hooks | object | See below | Pre/post-upgrade Job hooks. | -| hooks.mongodb | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/mongosh","tag":"2.5.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Sets feature compatibility version | -| imageCredentials | object | `{}` | Credentials for Image Pull Secret object | -| ingress | object | `{"annotations":{"nginx.ingress.kubernetes.io/service-upstream":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false","nginx.org/redirect-to-https":"false"},"enabled":true,"ingressClassName":"","labels":{},"nameOverride":"","services":{"internal-gateway":["/"]},"tls":{"cert":"","enabled":false,"existingSecret":"","key":"","secretName":"star.codefresh.io"}}` | Ingress | -| ingress.annotations | object | See below | Set annotations for ingress. | -| ingress.enabled | bool | `true` | Enable the Ingress | -| ingress.ingressClassName | string | `""` | Set the ingressClass that is used for the ingress. 
Default `nginx-codefresh` is created from `ingress-nginx` controller subchart | -| ingress.labels | object | `{}` | Set labels for ingress | -| ingress.nameOverride | string | `""` | Override Ingress resource name | -| ingress.services | object | See below | Default services and corresponding paths | -| ingress.tls.cert | string | `""` | Certificate (base64 encoded) | -| ingress.tls.enabled | bool | `false` | Enable TLS | -| ingress.tls.existingSecret | string | `""` | Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) | -| ingress.tls.key | string | `""` | Private key (base64 encoded) | -| ingress.tls.secretName | string | `"star.codefresh.io"` | Default secret name to be created with provided `cert` and `key` below | -| internal-gateway | object | See below | internal-gateway | -| mongodb | object | See below | mongodb Ref: https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml | -| postgresql | object | See below | postgresql Ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml | -| rabbitmq | object | See below | rabbitmq Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | -| redis | object | See below | redis Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | -| runtime-environment-manager | object | See below | runtime-environment-manager | -| seed | object | See below | Seed jobs | -| seed.enabled | bool | `true` | Enable all seed jobs | -| seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. | -| seed.mongoSeedJob.mongodbRootPassword | string | `"password"` | Root password in plain text (required ONLY for seed job!). 
| -| seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret | -| seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). | -| seed.mongoSeedJob.mongodbRootUserSecretKeyRef | object | `{}` | Root user from existing secret | -| seed.postgresSeedJob | object | See below | Postgres Seed Job. Required at first install. Creates required user and databases. | -| seed.postgresSeedJob.postgresPassword | optional | `""` | Password for "postgres" admin user (required ONLY for seed job!) | -| seed.postgresSeedJob.postgresPasswordSecretKeyRef | optional | `{}` | Password for "postgres" admin user from existing secret | -| seed.postgresSeedJob.postgresUser | optional | `""` | "postgres" admin user in plain text (required ONLY for seed job!) Must be a privileged user allowed to create databases and grant roles. If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. | -| seed.postgresSeedJob.postgresUserSecretKeyRef | optional | `{}` | "postgres" admin user from exising secret | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/codefresh/.ci/helm-docs.sh b/charts/codefresh/.ci/helm-docs.sh index 97e5b0b59..dada6923f 100755 --- a/charts/codefresh/.ci/helm-docs.sh +++ b/charts/codefresh/.ci/helm-docs.sh @@ -1,7 +1,7 @@ #!/bin/bash ## Reference: https://github.com/norwoodj/helm-docs set -eux -REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" +REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)" echo "$REPO_ROOT" echo "Running Helm-Docs" 
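Review bot: Pointing `REPO_ROOT` at the repository root likely widens what the helm-docs container can write to. If this variable is bind-mounted by the `docker run` lines between the two hunks (not visible here), a third-party image pulled from a public registry gets the whole checkout instead of one chart directory. I would keep the mount limited to `$REPO_ROOT/charts/codefresh`, or at least add a comment above the assignment such as `# repository root; helm-docs only needs write access to charts/codefresh`.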
@@ -10,9 +10,9 @@ docker run \
 -u $(id -u) \
 --rm \
 --entrypoint /bin/sh \
- jnorwood/helm-docs:v1.11.0 \
+ jnorwood/helm-docs:v1.14.2 \
 -c \
 helm-docs \
- --chart-search-root=codefresh \
- --template-files=./_templates.gotmpl \
- --template-files=README.md.gotmpl \
\ No newline at end of file
+ --chart-search-root=charts/codefresh \
+ --template-files=README.md.gotmpl \
+ --output-file=README.md
diff --git a/charts/codefresh/README.md b/charts/codefresh/README.md
index 58a21930f..0c7934757 100644
--- a/charts/codefresh/README.md
+++ b/charts/codefresh/README.md
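Review bot: The three new `helm-docs` flags are never seen by helm-docs as this command is written: with `--entrypoint /bin/sh` and `-c`, only the next word (`helm-docs`) is the command string, and `--chart-search-root=charts/codefresh` and the flags after it become the shell's `$0`, `$1`, `$2`. helm-docs then runs with its defaults from the container's working directory, so which charts get a regenerated README depends on the mount and workdir lines outside this hunk. Pass the command as one string, `-c "helm-docs --chart-search-root=charts/codefresh --template-files=README.md.gotmpl --output-file=README.md"`, or drop the `/bin/sh -c` wrapper if the image's own entrypoint is helm-docs. Separately, the image is referenced by a mutable tag; pinning it as `jnorwood/helm-docs:v1.14.2@sha256:<digest-placeholder>` keeps the CI step reproducible and unaffected by a re-pushed tag.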
@@ -1,2665 +1,5 @@ -## Codefresh On-Premises +# Codefresh Helm Chart -![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) +## Documentation -Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. - -## Table of Content - -- [Prerequisites](#prerequisites) -- [Get Repo Info](#get-repo-info) -- [Install Chart](#install-chart) -- [Chart Configuration](#chart-configuration) - - [Persistent services](#persistent-services) - - [Configuring external services](#configuring-external-services) - - [External MongoDB](#external-mongodb) - - [External MongoDB with MTLS](#external-mongodb-with-mtls) - - [External PostgresSQL](#external-postgressql) - - [External Redis](#external-redis) - - [External Redis with MTLS](#external-redis-with-mtls) - - [External RabbitMQ](#external-rabbitmq) - - [Configuring Ingress-NGINX](#configuring-ingress-nginx) - - [ELB with SSL Termination (Classic Load Balancer)](#elb-with-ssl-termination-classic-load-balancer) - - [NLB (Network Load Balancer)](#nlb-network-load-balancer) - - [Configuration with ALB (Application Load Balancer)](#configuration-with-alb-application-load-balancer) - - [Configuration with Private Registry](#configuration-with-private-registry) - - [Configuration with multi-role CF-API](#configuration-with-multi-role-cf-api) - - [High Availability](#high-availability) - - [Mounting private CA certs](#mounting-private-ca-certs) -- [Installing on OpenShift](#installing-on-openshift) -- [Firebase Configuration](#firebase-configuration) -- [Additional configuration](#additional-configuration) - - [Retention policy for builds and logs](#retention-policy-for-builds-and-logs) - - [Projects pipelines limit](#projects-pipelines-limit) - - [Enable session cookie](#enable-session-cookie) - - [X-Frame-Options response 
header](#x-frame-options-response-header) - - [Image digests in containers](#image-digests-in-containers) -- [Configuring OIDC Provider](#configuring-oidc-provider) -- [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) -- [Upgrading](#upgrading) - - [To 2.0.0](#to-2-0-0) - - [To 2.0.12](#to-2-0-12) - - [To 2.0.17](#to-2-0-17) - - [To 2.1.0](#to-2-1-0) - - [To 2.1.7](#to-2-1-7) - - [To 2.2.0](#to-2-2-0) - - [To 2.3.0](#to-2-3-0) - - [To 2.4.0](#to-2-4-0) - - [To 2.5.0](#to-2-5-0) - - [To 2.6.0](#to-2-6-0) - - [To 2.7.0](#to-2-7-0) - - [To 2.8.0](#to-2-8-0) -- [Rollback](#rollback) -- [Troubleshooting](#troubleshooting) -- [Values](#values) - -⚠️⚠️⚠️ -> Since version 2.1.7 chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/codefresh` - -> Versions prior to 2.1.7 are still available in ChartMuseum at `http://chartmuseum.codefresh.io/codefresh` - -## Prerequisites - -- Kubernetes **>= 1.28 && <= 1.32** (Supported versions mean that installation passed for the versions listed; however, it **may** work on older k8s versions as well) -- Helm **3.8.0+** -- PV provisioner support in the underlying infrastructure (with [resizing](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) available) -- Minimal 4vCPU and 8Gi Memory available in the cluster (for production usage the recommended minimal cluster capacity is at least 12vCPUs and 36Gi Memory) -- GCR Service Account JSON `sa.json` (provided by Codefresh, contact support@codefresh.io) -- Firebase [Realtime Database URL](https://firebase.google.com/docs/database/web/start#create_a_database) with [legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens). 
See [Firebase Configuration](#firebase-configuration) -- Valid TLS certificates for Ingress -- When [external](#external-postgressql) PostgreSQL is used, `pg_cron` and `pg_partman` extensions **must be enabled** for [analytics](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) to work (see [AWS RDS example](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable)). The `pg_cron` extension should be the 1.4 version or higher for Azure Postgres DB. - -## Get Repo Info - -```console -helm show all oci://quay.io/codefresh/codefresh -``` -See [Use OCI-based registries](https://helm.sh/docs/topics/registries/) - -## Install Chart - -**Important:** only helm 3.8.0+ is supported - -Edit default `values.yaml` or create empty `cf-values.yaml` - -- Pass `sa.json` (as a single line) to `.Values.imageCredentials.password` - -```yaml -# -- Credentials for Image Pull Secret object -imageCredentials: - registry: us-docker.pkg.dev - username: _json_key - password: '{ "type": "service_account", "project_id": "codefresh-enterprise", "private_key_id": ... }' -``` - -- Specify `.Values.global.appUrl`, `.Values.global.firebaseUrl`, `.Values.global.firebaseSecret`, `.Values.global.env.MONGOOSE_AUTO_INDEX`, `.Values.global.env.MONGO_AUTOMATIC_INDEX_CREATION` - -```yaml -global: - # -- Application root url. Will be used in Ingress as hostname - appUrl: onprem.mydomain.com - - # -- Firebase URL for logs streaming. - firebaseUrl: <> - # -- Firebase URL for logs streaming from existing secret - firebaseUrlSecretKeyRef: {} - # E.g. - # firebaseUrlSecretKeyRef: - # name: my-secret - # key: firebase-url - - # -- Firebase Secret. - firebaseSecret: <> - # -- Firebase Secret from existing secret - firebaseSecretSecretKeyRef: {} - # E.g. - # firebaseSecretSecretKeyRef: - # name: my-secret - # key: firebase-secret - - # -- Enable index creation in MongoDB - # This is required for first-time installations! 
- # Before usage in Production, you must set it to `false` or remove it! - env: - MONGOOSE_AUTO_INDEX: "true" - MONGO_AUTOMATIC_INDEX_CREATION: "true" - -``` - -- Specify `.Values.ingress.tls.cert` and `.Values.ingress.tls.key` OR `.Values.ingress.tls.existingSecret` - -```yaml -ingress: - # -- Enable the Ingress - enabled: true - # -- Set the ingressClass that is used for the ingress. - # Default `nginx-codefresh` is created from `ingress-nginx` controller subchart - # If you specify a different ingress class, disable `ingress-nginx` subchart (see below) - ingressClassName: nginx-codefresh - tls: - # -- Enable TLS - enabled: true - # -- Default secret name to be created with provided `cert` and `key` below - secretName: "star.codefresh.io" - # -- Certificate (base64 encoded) - cert: "" - # -- Private key (base64 encoded) - key: "" - # -- Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) - existingSecret: "" - -ingress-nginx: - # -- Enable ingress-nginx controller - enabled: true -``` - -- *Or specify your own `.Values.ingress.ingressClassName` (disable built-in ingress-nginx subchart)* - -```yaml -ingress: - # -- Enable the Ingress - enabled: true - # -- Set the ingressClass that is used for the ingress. 
- ingressClassName: nginx - -ingress-nginx: - # -- Disable ingress-nginx controller - enabled: false -``` - -- Install the chart - -```console - helm upgrade --install cf oci://quay.io/codefresh/codefresh \ - -f cf-values.yaml \ - --namespace codefresh \ - --create-namespace \ - --debug \ - --wait \ - --timeout 15m - ``` - -### ⚠️ **MANDATORY** Post-Installation Action Items - -Once your Codefresh On-Prem instance is installed, configured, and confirmed to be ready for production use, the following variables must be set to `false` or removed: - -```yaml -global: - env: - MONGOOSE_AUTO_INDEX: "false" - MONGO_AUTOMATIC_INDEX_CREATION: "false" -``` - -## Chart Configuration - -See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: - -```console -helm show values codefresh/codefresh -``` - -### Persistent services - -The following table displays the list of **persistent** services created as part of the on-premises installation: - -| Database | Purpose | Required version | -| :--- | :---- | :--- | -| MongoDB | Stores all account data (account settings, users, projects, pipelines, builds etc.) | 7.x | -| Postgresql | Stores data about events for the account (pipeline updates, deletes, etc.). The audit log uses the data from this database. | 16.x or 17.x | -| Redis | Used for caching, and as a key-value store for cron trigger manager. | 7.0.x | -| RabbitMQ | Used for message queueing. | 3.13 \| 4.0.x | - -> Running on netfs (nfs, cifs) is not recommended. - -> Docker daemon (`cf-builder` stateful set) can be run on block storage only. - -All of them can be externalized. See the next sections. 
- -### Configuring external services - -The chart contains required dependencies for the corresponding services -- [bitnami/mongodb](https://github.com/bitnami/charts/tree/main/bitnami/mongodb) -- [bitnami/postgresql](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) -- [bitnami/redis](https://github.com/bitnami/charts/tree/main/bitnami/redis) -- [bitnami/rabbitmq](https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq) - -However, you might need to use external services like [MongoDB Atlas Database](https://www.mongodb.com/atlas/database) or [Amazon RDS for PostgreSQL](https://aws.amazon.com/rds/postgresql/). In order to use them, adjust the values accordingly: - -#### External MongoDB - -> ⚠️ **Important!** If you use MongoDB Atlas, you must create user with `Write` permissions before installing Codefresh:
-> Then, provide the user credentials in the chart values at
-`.Values.global.mongodbUser/mongodbRootUserSecretKeyRef`
-`.Values.global.mongodbPassword/mongodbRootPasswordSecretKeyRef`
-`.Values.seed.mongoSeedJob.mongodbRootUser/mongodbRootUserSecretKeyRef`
-`.Values.seed.mongoSeedJob.mongodbRootPassword/mongodbRootPasswordSecretKeyRef`
-> Ref:
-> [Create Users in Atlas](https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#configure-database-users) - -`values.yaml` for external MongoDB: - -```yaml -seed: - mongoSeedJob: - # -- Enable mongo seed job. Seeds the required data (default idp/user/account), creates cfuser and required databases. - enabled: true - # -- Root user in plain text (required ONLY for seed job!). - mongodbRootUser: "root" - # -- Root user from existing secret - mongodbRootUserSecretKeyRef: {} - # E.g. - # mongodbRootUserSecretKeyRef: - # name: my-secret - # key: mongodb-root-user - - # -- Root password in plain text (required ONLY for seed job!). - mongodbRootPassword: "password" - # -- Root password from existing secret - mongodbRootPasswordSecretKeyRef: {} - # E.g. - # mongodbRootPasswordSecretKeyRef: - # name: my-secret - # key: mongodb-root-password - -global: - # -- LEGACY (but still supported) - Use `.global.mongodbProtocol` + `.global.mongodbUser/mongodbUserSecretKeyRef` + `.global.mongodbPassword/mongodbPasswordSecretKeyRef` + `.global.mongodbHost/mongodbHostSecretKeyRef` + `.global.mongodbOptions` instead - # Default MongoDB URI. Will be used by ALL services to communicate with MongoDB. - # Ref: https://www.mongodb.com/docs/manual/reference/connection-string/ - # Note! `defaultauthdb` is omitted on purpose (i.e. mongodb://.../[defaultauthdb]). - mongoURI: "" - # E.g. - # mongoURI: "mongodb://cfuser:mTiXcU2wafr9@cf-mongodb:27017/" - - # -- Set mongodb protocol (`mongodb` / `mongodb+srv`) - mongodbProtocol: mongodb - # -- Set mongodb user in plain text - mongodbUser: "cfuser" - # -- Set mongodb user from existing secret - mongodbUserSecretKeyRef: {} - # E.g. - # mongodbUserSecretKeyRef: - # name: my-secret - # key: mongodb-user - - # -- Set mongodb password in plain text - mongodbPassword: "password" - # -- Set mongodb password from existing secret - mongodbPasswordSecretKeyRef: {} - # E.g. 
- # mongodbPasswordSecretKeyRef: - # name: my-secret - # key: mongodb-password - - # -- Set mongodb host in plain text - mongodbHost: "my-mongodb.prod.svc.cluster.local:27017" - # -- Set mongodb host from existing secret - mongodbHostSecretKeyRef: {} - # E.g. - # mongodbHostSecretKeyRef: - # name: my-secret - # key: monogdb-host - - # -- Set mongodb connection string options - # Ref: https://www.mongodb.com/docs/manual/reference/connection-string/#connection-string-options - mongodbOptions: "retryWrites=true" - -mongodb: - # -- Disable mongodb subchart installation - enabled: false -``` - -#### External MongoDB with MTLS - -In order to use MTLS (Mutual TLS) for MongoDB, you need: - -* Create a K8S secret that contains the certificate (certificate file and private key). - The K8S secret should have one `ca.pem` key. -```console -cat cert.crt > ca.pem -cat cert.key >> ca.pem -kubectl create secret generic my-mongodb-tls --from-file=ca.pem -``` - -* Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services. -```yaml -global: - volumes: - mongodb-tls: - enabled: true - type: secret - nameOverride: my-mongodb-tls - optional: true - - volumeMounts: - mongodb-tls: - path: - - mountPath: /etc/ssl/mongodb/ca.pem - subPath: ca.pem - - env: - MONGODB_SSL_ENABLED: true - MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem - RUNTIME_MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem - RUNTIME_MONGO_TLS: "true" - # Set these env vars to 'false' if self-signed certificate is used to avoid x509 errors - RUNTIME_MONGO_TLS_VALIDATE: "false" - MONGO_MTLS_VALIDATE: "false" -``` - -#### External PostgresSQL - -```yaml -seed: - postgresSeedJob: - # -- Enable postgres seed job. Creates required user and databases. - enabled: true - # -- (optional) "postgres" admin user in plain text (required ONLY for seed job!) - # Must be a privileged user allowed to create databases and grant roles. 
- # If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. - postgresUser: "postgres" - # -- (optional) "postgres" admin user from exising secret - postgresUserSecretKeyRef: {} - # E.g. - # postgresUserSecretKeyRef: - # name: my-secret - # key: postgres-user - - # -- (optional) Password for "postgres" admin user (required ONLY for seed job!) - postgresPassword: "password" - # -- (optional) Password for "postgres" admin user from existing secret - postgresPasswordSecretKeyRef: {} - # E.g. - # postgresPasswordSecretKeyRef: - # name: my-secret - # key: postgres-password - -global: - # -- Set postgres user in plain text - postgresUser: cf_user - # -- Set postgres user from existing secret - postgresUserSecretKeyRef: {} - # E.g. - # postgresUserSecretKeyRef: - # name: my-secret - # key: postgres-user - - # -- Set postgres password in plain text - postgresPassword: password - # -- Set postgres password from existing secret - postgresPasswordSecretKeyRef: {} - # E.g. - # postgresPasswordSecretKeyRef: - # name: my-secret - # key: postgres-password - - # -- Set postgres service address in plain text. - postgresHostname: "my-postgres.domain.us-east-1.rds.amazonaws.com" - # -- Set postgres service from existing secret - postgresHostnameSecretKeyRef: {} - # E.g. - # postgresHostnameSecretKeyRef: - # name: my-secret - # key: postgres-hostname - - # -- Set postgres port number - postgresPort: 5432 - -postgresql: - # -- Disable postgresql subchart installation - enabled: false -``` - -##### Using SSL with a PostgreSQL - -Provide the following env vars to enforce SSL connection to PostgresSQL: - -```yaml -global: - env: - # More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html - PGSSLMODE: "require" - -helm-repo-manager: - env: - POSTGRES_DISABLE_SSL: "false" -``` - -> ⚠️ **Important!**
-> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.
-> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).
-> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs) - -#### External Redis - -```yaml -global: - # -- Set redis password in plain text - redisPassword: password - # -- Set redis service port - redisPort: 6379 - # -- Set redis password from existing secret - redisPasswordSecretKeyRef: {} - # E.g. - # redisPasswordSecretKeyRef: - # name: my-secret - # key: redis-password - - # -- Set redis hostname in plain text. Takes precedence over `global.redisService`! - redisUrl: "my-redis.namespace.svc.cluster.local" - # -- Set redis hostname from existing secret. - redisUrlSecretKeyRef: {} - # E.g. - # redisUrlSecretKeyRef: - # name: my-secret - # key: redis-url - -redis: - # -- Disable redis subchart installation - enabled: false - -``` - -> If ElastiCache is used, set `REDIS_TLS` to `true` in `.Values.global.env` - -> ⚠️ ElastiCache with **Cluster mode** is not supported! - -```yaml -global: - env: - REDIS_TLS: true -``` - -#### External Redis with MTLS - -In order to use [MTLS (Mutual TLS) for Redis](https://redis.io/docs/management/security/encryption/), you need: - -* Create a K8S secret that contains the certificate (ca, certificate and private key). -```console -cat ca.crt tls.crt > tls.crt -kubectl create secret tls my-redis-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f - -``` - -* Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services. 
-```yaml -global: - volumes: - redis-tls: - enabled: true - type: secret - # Existing secret with TLS certificates (keys: `ca.crt` , `tls.crt`, `tls.key`) - nameOverride: my-redis-tls - optional: true - - volumeMounts: - redis-tls: - path: - - mountPath: /etc/ssl/redis - - env: - REDIS_TLS: true - REDIS_CA_PATH: /etc/ssl/redis/ca.crt - REDIS_CLIENT_CERT_PATH : /etc/ssl/redis/tls.crt - REDIS_CLIENT_KEY_PATH: /etc/ssl/redis/tls.key - # Set these env vars like that if self-signed certificate is used to avoid x509 errors - REDIS_REJECT_UNAUTHORIZED: false - REDIS_TLS_SKIP_VERIFY: true -``` - -#### External RabbitMQ - -```yaml -global: - # -- Set rabbitmq protocol (`amqp/amqps`) - rabbitmqProtocol: amqp - # -- Set rabbitmq username in plain text - rabbitmqUsername: user - # -- Set rabbitmq username from existing secret - rabbitmqUsernameSecretKeyRef: {} - # E.g. - # rabbitmqUsernameSecretKeyRef: - # name: my-secret - # key: rabbitmq-username - - # -- Set rabbitmq password in plain text - rabbitmqPassword: password - # -- Set rabbitmq password from existing secret - rabbitmqPasswordSecretKeyRef: {} - # E.g. - # rabbitmqPasswordSecretKeyRef: - # name: my-secret - # key: rabbitmq-password - - # -- Set rabbitmq service address in plain text. Takes precedence over `global.rabbitService`! - rabbitmqHostname: "my-rabbitmq.namespace.svc.cluster.local:5672" - # -- Set rabbitmq service address from existing secret. - rabbitmqHostnameSecretKeyRef: {} - # E.g. 
- # rabbitmqHostnameSecretKeyRef: - # name: my-secret - # key: rabbitmq-hostname - -rabbitmq: - # -- Disable rabbitmq subchart installation - enabled: false -``` - -### Configuring Ingress-NGINX - -The chart deploys the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main) and exposes controller behind a Service of `Type=LoadBalancer` - -All installation options for `ingress-nginx` are described at [Configuration](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx#configuration) - -Relevant examples for Codefesh are below: - -#### ELB with SSL Termination (Classic Load Balancer) - -*certificate provided from ACM* - -```yaml -ingress-nginx: - controller: - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp" - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: < CERTIFICATE ARN > - targetPorts: - http: http - https: http - -# -- Ingress -ingress: - tls: - # -- Disable TLS - enabled: false -``` - -#### NLB (Network Load Balancer) - -*certificate provided as base64 string or as exisiting k8s secret* - -```yaml -ingress-nginx: - controller: - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-type: nlb - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' - -# -- Ingress -ingress: - tls: - # -- Enable TLS - enabled: true - # -- Default secret name to be created with provided `cert` and `key` below - secretName: "star.codefresh.io" - # -- Certificate (base64 encoded) - cert: "LS0tLS1CRUdJTiBDRVJ...." - # -- Private key (base64 encoded) - key: "LS0tLS1CRUdJTiBSU0E..." 
- # -- Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) - existingSecret: "" -``` - -### Configuration with ALB (Application Load Balancer) - -*[Application Load Balancer](https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller) should be deployed to the cluster* - -```yaml -ingress-nginx: - # -- Disable ingress-nginx subchart installation - enabled: false - -ingress: - # -- ALB contoller ingress class - ingressClassName: alb - annotations: - alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' - alb.ingress.kubernetes.io/backend-protocol: HTTP - alb.ingress.kubernetes.io/certificate-arn: - alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' - alb.ingress.kubernetes.io/scheme: internet-facing - alb.ingress.kubernetes.io/success-codes: 200,404 - alb.ingress.kubernetes.io/target-type: ip - services: - # For ALB /* asterisk is required in path - internal-gateway: - - /* - -``` - -### Configuration with Private Registry - -If you install/upgrade Codefresh on an air-gapped environment without access to public registries (i.e. `quay.io`/`docker.io`) or Codefresh Enterprise registry at `gcr.io`, you will have to mirror the images to your organization’s container registry. 
- -- Obtain [image list](https://github.com/codefresh-io/onprem-images/tree/master/releases) for specific release - -- [Push images](https://github.com/codefresh-io/onprem-images/blob/master/push-to-registry.sh) to private docker registry - -- Specify image registry in values - -```yaml -global: - imageRegistry: myregistry.domain.com - -``` - -There are 3 types of images, with the values above in rendered manifests images will be converted as follows: - -**non-Codefresh** like: - -```yaml -bitnami/mongo:4.2 -registry.k8s.io/ingress-nginx/controller:v1.4.0 -postgres:13 -``` -converted to: -```yaml -myregistry.domain.com/bitnami/mongodb:4.2 -myregistry.domain.com/ingress-nginx/controller:v1.2.0 -myregistry.domain.com/postgres:13 -``` - -Codefresh **public** images like: -```yaml -quay.io/codefresh/dind:20.10.13-1.25.2 -quay.io/codefresh/engine:1.147.8 -quay.io/codefresh/cf-docker-builder:1.1.14 -``` -converted to: -```yaml -myregistry.domain.com/codefresh/dind:20.10.13-1.25.2 -myregistry.domain.com/codefresh/engine:1.147.8 -myregistry.domain.com/codefresh/cf-docker-builder:1.1.14 -``` - -Codefresh **private** images like: -```yaml -gcr.io/codefresh-enterprise/codefresh/cf-api:21.153.6 -gcr.io/codefresh-enterprise/codefresh/cf-ui:14.69.38 -gcr.io/codefresh-enterprise/codefresh/pipeline-manager:3.121.7 -``` -converted to: - -```yaml -myregistry.domain.com/codefresh/cf-api:21.153.6 -myregistry.domain.com/codefresh/cf-ui:14.69.38 -myregistry.domain.com/codefresh/pipeline-manager:3.121.7 -``` - -Use the example below to override repository for all templates: - -```yaml - -global: - imagePullSecrets: - - cf-registry - -ingress-nginx: - controller: - image: - registry: myregistry.domain.com - image: codefresh/controller - -mongodb: - image: - repository: codefresh/mongodb - -postgresql: - image: - repository: codefresh/postgresql - -consul: - image: - repository: codefresh/consul - -redis: - image: - repository: codefresh/redis - -rabbitmq: - image: - repository: 
codefresh/rabbitmq - -nats: - image: - repository: codefresh/nats - -builder: - container: - image: - repository: codefresh/docker - -runner: - container: - image: - repository: codefresh/docker - -internal-gateway: - container: - image: - repository: codefresh/nginx-unprivileged - -helm-repo-manager: - chartmuseum: - image: - repository: myregistry.domain.com/codefresh/chartmuseum - -cf-platform-analytics-platform: - redis: - image: - repository: codefresh/redis -``` - -### Configuration with multi-role CF-API - -The chart installs cf-api as a single deployment. Though, at a larger scale, we do recommend to split cf-api to multiple roles (one deployment per role) as follows: - -```yaml - -global: - # -- Change internal cfapi service address - cfapiService: cfapi-internal - # -- Change endpoints cfapi service address - cfapiEndpointsService: cfapi-endpoints - -cfapi: &cf-api - # -- Disable default cfapi deployment - enabled: false - # -- (optional) Enable the autoscaler - # The value will be merged into each cfapi role. So you can specify it once. 
- hpa:
- enabled: true
-# Enable cf-api roles
-cfapi-auth:
- <<: *cf-api
- enabled: true
-cfapi-internal:
- <<: *cf-api
- enabled: true
-cfapi-ws:
- <<: *cf-api
- enabled: true
-cfapi-admin:
- <<: *cf-api
- enabled: true
-cfapi-endpoints:
- <<: *cf-api
- enabled: true
-cfapi-terminators:
- <<: *cf-api
- enabled: true
-cfapi-sso-group-synchronizer:
- <<: *cf-api
- enabled: true
-cfapi-buildmanager:
- <<: *cf-api
- enabled: true
-cfapi-cacheevictmanager:
- <<: *cf-api
- enabled: true
-cfapi-eventsmanagersubscriptions:
- <<: *cf-api
- enabled: true
-cfapi-kubernetesresourcemonitor:
- <<: *cf-api
- enabled: true
-cfapi-environments:
- <<: *cf-api
- enabled: true
-cfapi-gitops-resource-receiver:
- <<: *cf-api
- enabled: true
-cfapi-downloadlogmanager:
- <<: *cf-api
- enabled: true
-cfapi-teams:
- <<: *cf-api
- enabled: true
-cfapi-kubernetes-endpoints:
- <<: *cf-api
- enabled: true
-cfapi-test-reporting:
- <<: *cf-api
- enabled: true
-```
-
-### High Availability
-
-The chart installs the non-HA version of Codefresh by default. If you want to run Codefresh in HA mode, use the example values below.
- -> **Note!** `cronus` is not supported in HA mode, otherwise builds with CRON triggers will be duplicated - -`values.yaml` -```yaml -cfapi: - hpa: - enabled: true - # These are the defaults for all Codefresh subcharts - # minReplicas: 2 - # maxReplicas: 10 - # targetCPUUtilizationPercentage: 70 - -argo-platform: - abac: - hpa: - enabled: true - - analytics-reporter: - hpa: - enabled: true - - api-events: - hpa: - enabled: true - - api-graphql: - hpa: - enabled: true - - audit: - hpa: - enabled: true - - cron-executor: - hpa: - enabled: true - - event-handler: - hpa: - enabled: true - - ui: - hpa: - enabled: true - -cfui: - hpa: - enabled: true - -internal-gateway: - hpa: - enabled: true - -cf-broadcaster: - hpa: - enabled: true - -cf-platform-analytics-platform: - hpa: - enabled: true - -charts-manager: - hpa: - enabled: true - -cluster-providers: - hpa: - enabled: true - -context-manager: - hpa: - enabled: true - -gitops-dashboard-manager: - hpa: - enabled: true - -helm-repo-manager: - hpa: - enabled: true - -hermes: - hpa: - enabled: true - -k8s-monitor: - hpa: - enabled: true - -kube-integration: - hpa: - enabled: true - -nomios: - hpa: - enabled: true - -pipeline-manager: - hpa: - enabled: true - -runtime-environment-manager: - hpa: - enabled: true - -tasker-kubernetes: - hpa: - enabled: true - -``` - -For infra services (MongoDB, PostgreSQL, RabbitMQ, Redis, Consul, Nats, Ingress-NGINX) from built-in Bitnami charts you can use the following example: - -> **Note!** Use [topologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods) for better resiliency - -`values.yaml` -```yaml -global: - postgresService: postgresql-ha-pgpool - mongodbHost: cf-mongodb-0,cf-mongodb-1,cf-mongodb-2 # Replace `cf` with your Helm Release name - mongodbOptions: replicaSet=rs0&retryWrites=true - redisUrl: cf-redis-ha-haproxy - -builder: - controller: - replicas: 3 - -consul: - replicaCount: 3 - -cfsign: - 
controller: - replicas: 3 - persistence: - certs-data: - enabled: false - volumes: - certs-data: - type: emptyDir - initContainers: - volume-permissions: - enabled: false - -ingress-nginx: - controller: - autoscaling: - enabled: true - -mongodb: - architecture: replicaset - replicaCount: 3 - externalAccess: - enabled: true - service: - type: ClusterIP - -nats: - replicaCount: 3 - -postgresql: - enabled: false - -postgresql-ha: - enabled: true - volumePermissions: - enabled: true - -rabbitmq: - replicaCount: 3 - -redis: - enabled: false - -redis-ha: - enabled: true -``` - -### Mounting private CA certs - -```yaml -global: - env: - NODE_EXTRA_CA_CERTS: /etc/ssl/custom/ca.crt - - volumes: - custom-ca: - enabled: true - type: secret - existingName: my-custom-ca-cert # exisiting K8s secret object with the CA cert - optional: true - - volumeMounts: - custom-ca: - path: - - mountPath: /etc/ssl/custom/ca.crt - subPath: ca.crt -``` - -## Installing on OpenShift - -To deploy Codefresh On-Prem on OpenShift use the following values example: - -```yaml -ingress: - ingressClassName: openshift-default - -global: - dnsService: dns-default - dnsNamespace: openshift-dns - clusterDomain: cluster.local - -# Requires privileged SCC. 
-builder:
- enabled: false
-
-cfapi:
- podSecurityContext:
- enabled: false
-
-cf-platform-analytics-platform:
- redis:
- master:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
-
-cfsign:
- podSecurityContext:
- enabled: false
- initContainers:
- volume-permissions:
- enabled: false
-
-cfui:
- podSecurityContext:
- enabled: false
-
-internal-gateway:
- podSecurityContext:
- enabled: false
-
-helm-repo-manager:
- chartmuseum:
- securityContext:
- enabled: false
-
-consul:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
-
-cronus:
- podSecurityContext:
- enabled: false
-
-ingress-nginx:
- enabled: false
-
-mongodb:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
-
-postgresql:
- primary:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
-
-redis:
- master:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
-
-rabbitmq:
- podSecurityContext:
- enabled: false
- containerSecurityContext:
- enabled: false
-
-# Requires privileged SCC.
-runner:
- enabled: false
-```
-
-## Firebase Configuration
-
-As outlined in [prerequisites](#prerequisites), it's required to set up a Firebase database for builds logs streaming:
-
-- [Create a Database](https://firebase.google.com/docs/database/web/start#create_a_database).
-- Create a [Legacy token](https://firebase.google.com/docs/database/rest/auth#legacy_tokens) for authentication.
-- Set the following rules for the database: -```json -{ - "rules": { - "build-logs": { - "$jobId":{ - ".read": "!root.child('production/build-logs/'+$jobId).exists() || (auth != null && auth.admin == true) || (auth == null && data.child('visibility').exists() && data.child('visibility').val() == 'public') || ( auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val() )", - ".write": "auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val()" - } - }, - "environment-logs": { - "$environmentId":{ - ".read": "!root.child('production/environment-logs/'+$environmentId).exists() || ( auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val() )", - ".write": "auth != null && data.child('accountId').exists() && auth.accountId == data.child('accountId').val()" - } - } - } -} -``` - -However, if you're in an air-gapped environment, you can omit this prerequisite and use a built-in logging system (i.e. `OfflineLogging` feature-flag). -See [feature management](https://codefresh.io/docs/docs/installation/on-premises/on-prem-feature-management) - -## Additional configuration - -### Retention policy for builds and logs - -With this method, Codefresh by default deletes builds older than six months. - -The retention mechanism removes data from the following collections: `workflowproccesses`, `workflowrequests`, `workflowrevisions` - -```yaml -cfapi: - env: - # Determines if automatic build deletion through the Cron job is enabled. - RETENTION_POLICY_IS_ENABLED: true - # The maximum number of builds to delete by a single Cron job. To avoid database issues, especially when there are large numbers of old builds, we recommend deleting them in small chunks. You can gradually increase the number after verifying that performance is not affected. - RETENTION_POLICY_BUILDS_TO_DELETE: 50 - # The number of days for which to retain builds. 
Builds older than the defined retention period are deleted. - RETENTION_POLICY_DAYS: 180 -``` - -### Retention policy for builds and logs -> Configuration for Codefresh On-Prem >= 2.x - -> Previous configuration example (i.e. `RETENTION_POLICY_IS_ENABLED=true` ) is also supported in Codefresh On-Prem >= 2.x - -**For existing environments, for the retention mechanism to work, you must first drop the `created ` index in `workflowprocesses` collection. This requires a maintenance window that depends on the number of builds.** - -```yaml -cfapi: - env: - # Determines if automatic build deletion is enabled. - TTL_RETENTION_POLICY_IS_ENABLED: true - # The number of days for which to retain builds, and can be between 30 (minimum) and 365 (maximum). Builds older than the defined retention period are deleted. - TTL_RETENTION_POLICY_IN_DAYS: 180 -``` - -### Projects pipelines limit - -```yaml -pipeline-manager: - env: - # Determines project's pipelines limit (default: 500) - PROJECT_PIPELINES_LIMIT: 500 -``` - -### Enable session cookie - -```yaml -cfapi: - env: - # Generate a unique session cookie (cf-uuid) on each login - DISABLE_CONCURRENT_SESSIONS: true - # Customize cookie domain - CF_UUID_COOKIE_DOMAIN: .mydomain.com -``` - -> **Note!** Ingress host for [gitops-runtime](https://artifacthub.io/packages/helm/codefresh-gitops-runtime/gitops-runtime) and ingress host for control plane must share the same root domain (i.e. `onprem.mydomain.com` and `runtime.mydomain.com`) - -### X-Frame-Options response header - -```yaml -cfapi: - env: - # Set value to the `X-Frame-Options` response header. Control the restrictions of embedding Codefresh page into the iframes. - # Possible values: sameorigin(default) / deny - FRAME_OPTIONS: sameorigin - -cfui: - env: - FRAME_OPTIONS: sameorigin -``` - -Read more about header at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. 
- -### Configure CSP (Content Security Policy) - -`CONTENT_SECURITY_POLICY` is the string describing content policies. Use semi-colons to separate between policies. `CONTENT_SECURITY_POLICY_REPORT_TO` is a comma-separated list of JSON objects. Each object must have a name and an array of endpoints that receive the incoming CSP reports. - -For detailed information, see the [Content Security Policy article on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). - -```yaml -cfui: - env: - CONTENT_SECURITY_POLICY: "" - CONTENT_SECURITY_POLICY_REPORT_ONLY: "default-src 'self'; font-src 'self' - https://fonts.gstatic.com; script-src 'self' https://unpkg.com https://js.stripe.com; - style-src 'self' https://fonts.googleapis.com; 'unsafe-eval' 'unsafe-inline'" - CONTENT_SECURITY_POLICY_REPORT_TO: "" -``` - -### x-hub-signature-256 signature for GitHub AE - -For detailed information, see the [Securing your webhooks](https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks) and [Webhooks](https://docs.github.com/en/github-ae@latest/rest/webhooks). - -``` -cfapi: - env: - USE_SHA256_GITHUB_SIGNATURE: "true" -``` - -### Image digests in containers - -In Codefresh On-Prem 2.6.x all Codefresh owner microservices include image digests in the default subchart values. - -For example, default values for `cfapi` might look like this: - -```yaml -container: - image: - registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io - repository: codefresh/cf-api - tag: 21.268.1 - digest: "sha256:bae42f8efc18facc2bf93690fce4ab03ef9607cec4443fada48292d1be12f5f8" - pullPolicy: IfNotPresent -``` - -this resulting in the following image reference in the pod spec: - -```yaml -spec: - containers: - - name: cfapi - image: us-docker.pkg.dev/codefresh-enterprise/gcr.io/codefresh/cf-api:21.268.1@sha256:bae42f8efc18facc2bf93690fce4ab03ef9607cec4443fada48292d1be12f5f8 -``` - -> **Note!** When the `digest` is providerd, the `tag` is ignored! 
You can omit digest and use tag only like the following `values.yaml` example: - -```yaml -cfapi: - container: - image: - tag: 21.268.1 - # -- Set empty tag for digest - digest: "" -``` - -## Configuring OIDC Provider - -OpenID Connect (OIDC) allows Codefresh Builds to access resources in your cloud provider (such as AWS, Azure, GCP), without needing to store cloud credentials as long-lived pipeline secret variables. - -### Enabling the OIDC Provider in Codefresh On-Prem - -#### Prerequisites: - -- DNS name for OIDC Provider -- Valid TLS certificates for Ingress -- K8S secret containing JWKS (JSON Web Key Sets). Can be generated at [mkjwk.org](https://mkjwk.org/) -- K8S secret containing Cliend ID (public identifier for app) and Client Secret (application password; cryptographically strong random string) - -> **NOTE!** In production usage use [External Secrets Operator](https://external-secrets.io/latest/) or [HashiCorp Vault](https://developer.hashicorp.com/vault/docs/platform/k8s) to create secrets. The following example uses `kubectl` for brevity. - -For JWKS use **Public and Private Keypair Set** (if generated at [mkjwk.org](https://mkjwk.org/)), for example: - -`cf-oidc-provider-jwks.json`: -```json -{ - "keys": [ - { - "p": "...", - "kty": "RSA", - "q": "...", - "d": "...", - "e": "AQAB", - "use": "sig", - "qi": "...", - "dp": "...", - "alg": "RS256", - "dq": "...", - "n": "..." - } - ] -} -``` - -```console -# Creating secret containing JWKS. -# The secret KEY is `cf-oidc-provider-jwks.json`. It then referenced in `OIDC_JWKS_PRIVATE_KEYS_PATH` environment variable in `cf-oidc-provider`. -# The secret NAME is referenced in `.volumes.jwks-file.nameOverride` (volumeMount is configured in the chart already) -kubectl create secret generic cf-oidc-provider-jwks \ - --from-file=cf-oidc-provider-jwks.json \ - -n $NAMESPACE - -# Creating secret containing Client ID and Client Secret -# Secret NAME is `cf-oidc-provider-client-secret`. 
-# It then referenced in `OIDC_CF_PLATFORM_CLIENT_ID` and `OIDC_CF_PLATFORM_CLIENT_SECRET` environment variables in `cf-oidc-provider` -# and in `OIDC_PROVIDER_CLIENT_ID` and `OIDC_PROVIDER_CLIENT_SECRET` in `cfapi`. -kubectl create secret generic cf-oidc-provider-client-secret \ - --from-literal=client-id=codefresh \ - --from-literal=client-secret='verysecureclientsecret' \ - -n $NAMESPACE -``` - -`values.yaml` -```yaml -global: - # -- Set OIDC Provider URL - oidcProviderService: "oidc.mydomain.com" - # -- Default OIDC Provider service client ID in plain text. - # Optional! If specified here, no need to specify CLIENT_ID/CLIENT_SECRET env vars in cfapi and cf-oidc-provider below. - oidcProviderClientId: null - # -- Default OIDC Provider service client secret in plain text. - # Optional! If specified here, no need to specify CLIENT_ID/CLIENT_SECRET env vars in cfapi and cf-oidc-provider below. - oidcProviderClientSecret: null - -cfapi: - # -- Set additional variables for cfapi - # Reference a secret containing Client ID and Client Secret - env: - OIDC_PROVIDER_CLIENT_ID: - valueFrom: - secretKeyRef: - name: cf-oidc-provider-client-secret - key: client-id - OIDC_PROVIDER_CLIENT_SECRET: - valueFrom: - secretKeyRef: - name: cf-oidc-provider-client-secret - key: client-secret - -cf-oidc-provider: - # -- Enable OIDC Provider - enabled: true - - container: - env: - OIDC_JWKS_PRIVATE_KEYS_PATH: /secrets/jwks/cf-oidc-provider-jwks.json - # -- Reference a secret containing Client ID and Client Secret - OIDC_CF_PLATFORM_CLIENT_ID: - valueFrom: - secretKeyRef: - name: cf-oidc-provider-client-secret - key: client-id - OIDC_CF_PLATFORM_CLIENT_SECRET: - valueFrom: - secretKeyRef: - name: cf-oidc-provider-client-secret - key: client-secret - - volumes: - jwks-file: - enabled: true - type: secret - # -- Secret name containing JWKS - nameOverride: "cf-oidc-provider-jwks" - optional: false - - ingress: - main: - # -- Enable ingress for OIDC Provider - enabled: true - annotations: {} 
- # -- Set ingress class name - ingressClassName: "" - hosts: - # -- Set OIDC Provider URL - - host: "oidc.mydomain.com" - paths: - - path: / - # For ALB (Application Load Balancer) /* asterisk is required in path - # e.g. - # - path: /* - tls: [] -``` - -Deploy HELM chart with new `values.yaml` - -Use https://oidc.mydomain.com/.well-known/openid-configuration to verify OIDC Provider configuration - -### Adding the identity provider in AWS - -To add Codefresh OIDC provider to IAM, see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) -- For the **provider URL**: Use `.Values.global.oidcProviderService` value with `https://` prefix (i.e. https://oidc.mydomain.com) -- For the **Audienece**: Use `.Values.global.appUrl` value with `https://` prefix (i.e. https://onprem.mydomain.com) - -#### Configuring the role and trust policy - -To configure the role and trust in IAM, see [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html) - -Edit the trust policy to add the sub field to the validation conditions. For example, use `StringLike` to allow only builds from specific pipeline to assume a role in AWS. 
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Federated": "arn:aws:iam:::oidc-provider/oidc.mydomain.com"
- },
- "Action": "sts:AssumeRoleWithWebIdentity",
- "Condition": {
- "StringEquals": {
- "oidc.mydomain.com:aud": "https://onprem.mydomain.com"
- },
- "StringLike": {
- "oidc.mydomain.com:sub": "account:64884faac2751b77ca7ab324:pipeline:64f7232ab698cfcb95d93cef:*"
- }
- }
- }
- ]
-}
-```
-
-To see all the claims supported by Codefresh OIDC provider, see `claims_supported` entries at https://oidc.mydomain.com/.well-known/openid-configuration
-```json
-"claims_supported": [
- "sub",
- "account_id",
- "account_name",
- "pipeline_id",
- "pipeline_name",
- "workflow_id",
- "initiator",
- "scm_user_name",
- "scm_repo_url",
- "scm_ref",
- "scm_pull_request_target_branch",
- "sid",
- "auth_time",
- "iss"
-]
-```
-
-#### Using OIDC in Codefresh Builds
-
-Use [obtain-oidc-id-token](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/obtain-oidc-id-token/step.yaml#L27-L58) and [aws-sts-assume-role-with-web-identity](https://github.com/codefresh-io/steps/blob/822afc0a9a128384e76459c6573628020a2cf404/incubating/aws-sts-assume-role-with-web-identity/step.yaml#L29-L63) steps to exchange the OIDC token (JWT) for a cloud access token.
-
-## Maintaining MongoDB Indexes
-
-Sometimes, in new releases of Codefresh On-Prem, index requirements change. When this happens, it's mentioned in the [Upgrading section](#upgrading) for the specific release.
-
-> ℹ️ If you're upgrading from version `X` to version `Y`, and index requirements were updated in any of the intermediate versions, you only need to align your indexes with the index requirements of version `Y`. To do that, follow [Index alignment](#index-alignment) instructions.
- -### Index alignment - -The required index definitions for each release can be found at the following resources: - -- `2.6` -- `2.7` -- `2.8` - -The indexes are stored in JSON files with keys and options specified. - -The directory structure is: - -```console -indexes -├── # MongoDB database name -│ ├── .json # MongoDB indexes for the specified collection -``` - -**Overview of the index alignment process:** - -1. Identify the differences between the indexes in your MongoDB instance and the required index definitions. -2. Create any missing indexes one by one. (It's important not to create them in bulk.) -3. Perform the upgrade of Codefresh On-Prem installation. -4. Then remove any unnecessary indexes. - -> ⚠️ **Note! Any changes to indexes should be performed during a defined maintenance window or during periods of lowest traffic to MongoDB.** -> -> Building indexes during time periods where the target collection is under heavy write load can result in reduced write performance and longer index builds. ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/index-creation/#index-build-impact-on-database-performance)) -> -> Even minor changes to indexes (e.g., index removal) can cause brief but noticeable performance degradation ([*Source: MongoDB official documentation*](https://www.mongodb.com/docs/manual/core/query-plans/#plan-cache-flushes)) - -#### Self-hosted MongoDB - -For self-hosted MongoDB, follow the instructions below: - -- Connect to the MongoDB server using the [mongosh](https://www.mongodb.com/docs/mongodb-shell/install/) shell. 
Open your terminal or command prompt and run the following command, replacing `` with the appropriate MongoDB connection string for your server: - -```shell -mongosh "" -``` - -- Retrieve the list of indexes for a specific collection: - -```js -db.getSiblingDB('').getCollection('').getIndexes() -``` - -- Compare your indexes with the required indexes for the target release, and adjust them by creating any missing indexes or removing any unnecessary ones - -**Index creation** - -> ⚠ **Note! Always create indexes sequentially, one by one. Don't create them in bulk.** - -- To create an index, use the `createIndex()` method: - -```js -db.getSiblingDB('').getCollection('').createIndex(, ) -``` - -After executing the `createIndex()` command, you should see a result indicating that the index was created successfully. - -**Index removal** - -- To remove an index, use the `dropIndex()` method with ``: - -```js -db.getSiblingDB('').getCollection('').dropIndex('') -``` - -#### Atlas Database - -If you're hosting MongoDB on [Atlas](https://www.mongodb.com/atlas/database), use the following [Manage Indexes](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/) guide to View, Create or Remove indexes. - -> ⚠️ **Important!** In Atlas, for production environments, it is recommended to use rolling index builds by enabling the "Build index via rolling process" checkbox. ([*MongoDB official documentation*](https://www.mongodb.com/docs/v6.0/tutorial/build-indexes-on-replica-sets/)) - -## Upgrading - -### To 2-0-0 - -This major chart version change (v1.4.X -> v2.0.0) contains some **incompatible breaking change needing manual actions**. - -**Before applying the upgrade, read through this section!** - -#### ⚠️ New Services - -Codefesh 2.0 chart includes additional dependent microservices (charts): -- `argo-platform`: Main Codefresh GitOps module. -- `internal-gateway`: NGINX that proxies requests to the correct components (api-graphql, api-events, ui). 
-- `argo-hub-platform`: Service for Argo Workflow templates. -- `platform-analytics` and `etl-starter`: Service for [Pipelines dasboard](https://codefresh.io/docs/docs/dashboards/home-dashboard/#pipelines-dashboard) - -These services require additional databases in MongoDB (`audit`/`read-models`/`platform-analytics-postgres`) and in Postgresql (`analytics` and `analytics_pre_aggregations`) -The helm chart is configured to re-run seed jobs to create necessary databases and users during the upgrade. - -```yaml -seed: - # -- Enable all seed jobs - enabled: true -``` - -#### ⚠️ New MongoDB Indexes - -Starting from version 2.0.0, two new MongoDB indexes have been added that are vital for optimizing database queries and enhancing overall system performance. It is crucial to create these indexes before performing the upgrade to avoid any potential performance degradation. - -- `account_1_annotations.key_1_annotations.value_1` (db: `codefresh`; collection: `annotations`) -```json -{ - "account" : 1, - "annotations.key" : 1, - "annotations.value" : 1 -} -``` - -- `accountId_1_entityType_1_entityId_1` (db: `codefresh`; collection: `workflowprocesses`) - -```json -{ - "accountId" : 1, - "entityType" : 1, - "entityId" : 1 -} -``` - -To prevent potential performance degradation during the upgrade, it is important to schedule a maintenance window during a period of low activity or minimal user impact and create the indexes mentioned above before initiating the upgrade process. By proactively creating these indexes, you can avoid the application automatically creating them during the upgrade and ensure a smooth transition with optimized performance. - -**Index Creation** - -If you're hosting MongoDB on [Atlas](https://www.mongodb.com/atlas/database), use the following [Create, View, Drop, and Hide Indexes](https://www.mongodb.com/docs/atlas/atlas-ui/indexes/) guide to create indexes mentioned above. It's important to create them in a rolling fashion (i.e. 
**Build index via rolling process** checkbox enabled) in produciton environment. - -For self-hosted MongoDB, see the following instruction: - -- Connect to the MongoDB server using the [mongosh](https://www.mongodb.com/docs/mongodb-shell/install/) shell. Open your terminal or command prompt and run the following command, replacing with the appropriate MongoDB connection string for your server: -```console -mongosh "" -``` - -- Once connected, switch to the `codefresh` database where the index will be located using the `use` command. -```console -use codefresh -``` - -- To create the indexes, use the createIndex() method. The createIndex() method should be executed on the db object. -```console -db.workflowprocesses.createIndex({ account: 1, 'annotations.key': 1, 'annotations.value': 1 }, { name: 'account_1_annotations.key_1_annotations.value_1', sparse: true, background: true }) -``` - -```console -db.annotations.createIndex({ accountId: 1, entityType: 1, entityId: 1 }, { name: 'accountId_1_entityType_1_entityId_1', background: true }) -``` -After executing the createIndex() command, you should see a result indicating the successful creation of the index. - -#### ⚠️ [Kcfi](https://github.com/codefresh-io/kcfi) Deprecation - -This major release deprecates [kcfi](https://github.com/codefresh-io/kcfi) installer. The recommended way to install Codefresh On-Prem is **Helm**. -Due to that, Kcfi `config.yaml` will not be compatible for Helm-based installation. -You still can reuse the same `config.yaml` for the Helm chart, but you need to remove (or update) the following sections. - -* `.Values.metadata` is deprecated. Remove it from `config.yaml` - -*1.4.x `config.yaml`* -```yaml -metadata: - kind: codefresh - installer: - type: helm - helm: - chart: codefresh - repoUrl: http://chartmuseum.codefresh.io/codefresh - version: 1.4.x -``` - -* `.Values.kubernetes` is deprecated. 
Remove it from `config.yaml` - -*1.4.x `config.yaml`* -```yaml -kubernetes: - namespace: codefresh - context: context-name -``` - -* `.Values.tls` (`.Values.webTLS`) is moved under `.Values.ingress.tls`. Remove `.Values.tls` from `config.yaml` afterwards. - - See full [values.yaml](./values.yaml#L92). - -*1.4.x `config.yaml`* -```yaml -tls: - selfSigned: false - cert: certs/certificate.crt - key: certs/private.key -``` - -*2.0.0 `config.yaml`* -```yaml -# -- Ingress -ingress: - # -- Enable the Ingress - enabled: true - # -- Set the ingressClass that is used for the ingress. - ingressClassName: nginx-codefresh - tls: - # -- Enable TLS - enabled: true - # -- Default secret name to be created with provided `cert` and `key` below - secretName: "star.codefresh.io" - # -- Certificate (base64 encoded) - cert: "LS0tLS1CRUdJTiBDRVJ...." - # -- Private key (base64 encoded) - key: "LS0tLS1CRUdJTiBSU0E..." - # -- Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) - existingSecret: "" -``` - -* `.Values.images` is deprecated. Remove `.Values.images` from `config.yaml`. - - - `.Values.images.codefreshRegistrySa` is changed to `.Values.imageCredentials` - - - `.Values.privateRegistry.address` is changed to `.Values.global.imageRegistry` (no trailing slash `/` at the end) - - See full `values.yaml` [here](./values.yaml#L2) and [here](./values.yaml#L143). - -*1.4.x `config.yaml`* -```yaml -images: - codefreshRegistrySa: sa.json - usePrivateRegistry: true - privateRegistry: - address: myprivateregistry.domain - username: username - password: password -``` - -*2.0.0 `config.yaml`* -```yaml -# -- Credentials for Image Pull Secret object -imageCredentials: {} -# Pass sa.json (as a single line). Obtain GCR Service Account JSON (sa.json) at support@codefresh.io -# E.g.: -# imageCredentials: -# registry: gcr.io -# username: _json_key -# password: '{ "type": "service_account", "project_id": "codefresh-enterprise", "private_key_id": ... 
}' -``` - -*2.0.0 `config.yaml`* -```yaml -global: - # -- Global Docker image registry - imageRegistry: "myprivateregistry.domain" -``` - -* `.Values.dbinfra` is deprecated. Remove it from `config.yaml` - -*1.4.x `config.yaml`* -```yaml -dbinfra: - enabled: false -``` - -* `.Values.firebaseUrl` and `.Values.firebaseSecret` is moved under `.Values.global` - -*1.4.x `config.yaml`* -```yaml -firebaseUrl: -firebaseSecret: -newrelicLicenseKey: -``` - -*2.0.0 `config.yaml`* -```yaml -global: - # -- Firebase URL for logs streaming. - firebaseUrl: "" - # -- Firebase Secret. - firebaseSecret: "" - # -- New Relic Key - newrelicLicenseKey: "" -``` - -* `.Values.global.certsJobs` and `.Values.global.seedJobs` is deprecated. Use `.Values.seed.mongoSeedJob` and `.Values.seed.postgresSeedJob`. - - See full [values.yaml](./values.yaml#L42). - -*1.4.x `config.yaml`* -```yaml -global: - certsJobs: true - seedJobs: true -``` - -*2.0.0 `config.yaml`* -```yaml -seed: - # -- Enable all seed jobs - enabled: true - # -- Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. - # @default -- See below - mongoSeedJob: - enabled: true - # -- Postgres Seed Job. Required at first install. Creates required user and databases. - # @default -- See below - postgresSeedJob: - enabled: true -``` - -#### ⚠️ Migration to [Library Charts](https://helm.sh/docs/topics/library_charts/) - -All Codefresh subchart templates (i.e. `cfapi`, `cfui`, `pipeline-manager`, `context-manager`, etc) have been migrated to use Helm [library charts](https://helm.sh/docs/topics/library_charts/). -That allows unifying the values structure across all Codefresh-owned charts. However, there are some **immutable** fields in the old charts which cannot be upgraded during a regular `helm upgrade`, and require additional manual actions. - -Run the following commands before appying the upgrade. - -* Delete `cf-runner` and `cf-builder` stateful sets. 
- -```console -kubectl delete sts cf-runner --namespace $NAMESPACE -kubectl delete sts cf-builder --namespace $NAMESPACE -``` - -* Delete all jobs - -```console -kubectl delete job --namespace $NAMESPACE -l release=cf -``` - -* In `values.yaml`/`config.yaml` remove `.Values.nomios.ingress` section if you have it - -```yaml -nomios: - # Remove ingress section - ingress: - ... -``` - -### To 2-0-12 - -#### ⚠️ Legacy ChartMuseum subchart deprecation - -Due to deprecation of legacy ChartMuseum subchart in favor of upstream [chartmuseum](https://github.com/chartmuseum/charts/tree/main/src/chartmuseum), you need to remove the old deployment before the upgrade due to **immutable** `matchLabels` field change in the deployment spec. - -```console -kubectl delete deploy cf-chartmuseum --namespace $NAMESPACE -``` - -#### ⚠️ Affected values - -- If you have `.persistence.enabled=true` defined and NOT `.persistence.existingClaim` like: - -```yaml -helm-repo-manager: - chartmuseum: - persistence: - enabled: true -``` -then you **have to backup** the content of old PVC (mounted as `/storage` in the old deployment) **before the upgrade**! - -```shell -POD_NAME=$(kubectl get pod -l app=chartmuseum -n $NAMESPACE --no-headers -o custom-columns=":metadata.name") -kubectl cp -n $NAMESPACE $POD_NAME:/storage $(pwd)/storage -``` - -**After the upgrade**, restore the content into new deployment: -```shell -POD_NAME=$(kubectl get pod -l app.kubernetes.io/name=chartmuseum -n $NAMESPACE --no-headers -o custom-columns=":metadata.name") -kubectl cp -n $NAMESPACE $(pwd)/storage $POD_NAME:/storage -``` - -- If you have `.persistence.existingClaim` defined, you can keep it as is: -```yaml -helm-repo-manager: - chartmuseum: - existingClaim: my-claim-name -``` - -- If you have `.Values.global.imageRegistry` specified, it **won't be** applied for the new chartmuseum subchart. 
Add image registry explicitly for the subchart as follows - -```yaml -global: - imageRegistry: myregistry.domain.com - -helm-repo-manager: - chartmuseum: - image: - repository: myregistry.domain.com/codefresh/chartmuseum -``` - -### To 2-0-17 - -#### ⚠️ Affected values - -Values structure for argo-platform images has been changed. -Added `registry` to align with the rest of the services. - -> values for <= v2.0.16 -```yaml -argo-platform: - api-graphql: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-api-graphql - abac: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-abac - analytics-reporter: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-analytics-reporter - api-events: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-api-events - audit: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-audit - cron-executor: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-cron-executor - event-handler: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-event-handler - ui: - image: - repository: gcr.io/codefresh-enterprise/codefresh-io/argo-platform-ui -``` - -> values for >= v2.0.17 - -```yaml -argo-platform: - api-graphql: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-api-graphql - abac: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-abac - analytics-reporter: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-analytics-reporter - api-events: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-api-events - audit: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-audit - cron-executor: - image: - registry: gcr.io/codefresh-enterprise - repository: 
codefresh-io/argo-platform-cron-executor - event-handler: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-event-handler - ui: - image: - registry: gcr.io/codefresh-enterprise - repository: codefresh-io/argo-platform-ui -``` - -### To 2-1-0 - -### [What's new in 2.1.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-21) - -#### Affected values: - -- [Legacy ChartMuseum subchart deprecation](#to-2-0-12) -- [Argo-Platform images values structure change](#to-2-0-17) -- **Changed** default ingress paths. All paths point to `internal-gateway` now. **Remove any overrides at `.Values.ingress.services`!** (updated example for ALB) -- **Deprecated** `global.mongoURI`. **Supported for backward compatibility!** -- **Added** `global.mongodbProtocol` / `global.mongodbUser` / `global.mongodbPassword` / `global.mongodbHost` / `global.mongodbOptions` -- **Added** `global.mongodbUserSecretKeyRef` / `global.mongodbPasswordSecretKeyRef` / `global.mongodbHostSecretKeyRef` -- **Added** `seed.mongoSeedJob.mongodbRootUserSecretKeyRef` / `seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef` -- **Added** `seed.postgresSeedJob.postgresUserSecretKeyRef` / `seed.postgresSeedJob.postgresPasswordSecretKeyRef` -- **Added** `global.firebaseUrlSecretKeyRef` / `global.firebaseSecretSecretKeyRef` -- **Added** `global.postgresUserSecretKeyRef` / `global.postgresPasswordSecretKeyRef` / `global.postgresHostnameSecretKeyRef` -- **Added** `global.rabbitmqUsernameSecretKeyRef` / `global.rabbitmqPasswordSecretKeyRef` / `global.rabbitmqHostnameSecretKeyRef` -- **Added** `global.redisPasswordSecretKeyRef` / `global.redisUrlSecretKeyRef` - -- **Removed** `global.runtimeMongoURI` (defaults to `global.mongoURI` or `global.mongodbHost`/`global.mongodbHostSecretKeyRef`/etc like values) -- **Removed** `global.runtimeMongoDb` (defaults to `global.mongodbDatabase`) -- **Removed** `global.runtimeRedisHost` (defaults to 
`global.redisUrl`/`global.redisUrlSecretKeyRef` or `global.redisService`) -- **Removed** `global.runtimeRedisPort` (defaults to `global.redisPort`) -- **Removed** `global.runtimeRedisPassword` (defaults to `global.redisPassword`/`global.redisPasswordSecretKeyRef`) -- **Removed** `global.runtimeRedisDb` (defaults to values below) - -```yaml -cfapi: - env: - RUNTIME_REDIS_DB: 0 - -cf-broadcaster: - env: - REDIS_DB: 0 -``` - -### To 2-1-7 - -⚠️⚠️⚠️ -> Since version 2.1.7 chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/codefresh` - -> Versions prior to 2.1.7 are still available in ChartMuseum at `http://chartmuseum.codefresh.io/codefresh` - -### To 2-2-0 - -### [What's new in 2.2.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-22) - -#### MongoDB 5.x - -Codefresh On-Prem 2.2.x uses MongoDB 5.x (4.x is still supported). If you run external MongoDB, it is **highly** recommended to upgrade it to 5.x after upgrading Codefresh On-Prem to 2.2.x. - -#### Redis HA - -> If you run external Redis, this is not applicable to you. - -Codefresh On-Prem 2.2.x adds (not replaces!) an **optional** Redis-HA (master/slave configuration with Sentinel sidecars for failover management) instead of a single Redis instance. -To enable it, see the following values: - -```yaml -global: - redisUrl: cf-redis-ha-haproxy # Replace `cf` with your Helm release name - -# -- Disable standalone Redis instance -redis: - enabled: false - -# -- Enable Redis HA -redis-ha: - enabled: true -``` - -### To 2-3-0 - -### [What's new in 2.3.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-23) - -⚠️ This major release changes default registry for Codefresh **private** images from GCR (`gcr.io`) to GAR (`us-docker.pkg.dev`) - -Update `.Values.imageCredentials.registry` to `us-docker.pkg.dev` if it's explicitly set to `gcr.io` in your values file. 
- -Default `.Values.imageCredentials` for Onprem **v2.2.x and below** -```yaml -imageCredentials: - registry: gcr.io - username: _json_key - password: -``` - -Default `.Values.imageCredentials` for Onprem **v2.3.x and above** -```yaml -imageCredentials: - registry: us-docker.pkg.dev - username: _json_key - password: -``` - -## Rollback - -Use `helm history` to determine which release has worked, then use `helm rollback` to perform a rollback - -> When rollback from 2.x prune these resources due to immutabled fields changes - -```console -kubectl delete sts cf-runner --namespace $NAMESPACE -kubectl delete sts cf-builder --namespace $NAMESPACE -kubectl delete deploy cf-chartmuseum --namespace $NAMESPACE -kubectl delete job --namespace $NAMESPACE -l release=$RELEASE_NAME -``` - -```console -helm rollback $RELEASE_NAME $RELEASE_NUMBER \ - --namespace $NAMESPACE \ - --debug \ - --wait -``` - -### To 2-4-0 - -### [What's new in 2.4.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-24) - -#### New cfapi-auth role - -New `cfapi-auth` role is introduced in 2.4.x. - -If you run onprem with [multi-role cfapi configuration](#configuration-with-multi-role-cf-api), make sure to **enable** `cfapi-auth` role: - -```yaml -cfapi-auth: - <<: *cf-api - enabled: true -``` - -#### Default SYSTEM_TYPE for acccounts - -Since 2.4.x, `SYSTEM_TYPE` is changed to `PROJECT_ONE` by default. - -If you want to preserve original `CLASSIC` values, update cfapi environment variables: - -```yaml -cfapi: - container: - env: - DEFAULT_SYSTEM_TYPE: CLASSIC -``` - -### To 2-5-0 - -### [What's new in 2.5.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-25) - -### To 2-6-0 - -> ⚠️ **WARNING! MongoDB indexes changed!** -> -> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. 
- -### [What's new in 2.6.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-26) - -#### Affected values - -[Image digests in containers](#image-digests-in-containers) - -### To 2-7-0 - -> ⚠️ **WARNING! MongoDB indexes changed!** -> -> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. - -### [What's new in 2.7.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-27) - -#### Affected values - -- Added option to provide global `tolerations`/`nodeSelector`/`affinity` for all Codefresh subcharts -> **Note!** These global settings will not be applied to Bitnami subcharts (e.g. `mongodb`, `redis`, `rabbitmq`, `postgres`. etc) - -```yaml -global: - tolerations: - - key: "key" - operator: "Equal" - value: "value" - effect: "NoSchedule" - - nodeSelector: - key: "value" - - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: "key" - operator: "In" - values: - - "value" -``` - -### To 2-8-0 - -> ⚠️ **WARNING! MongoDB indexes changed!** -> -> Please, follow [Maintaining MongoDB indexes](#maintaining-mongodb-indexes) guide to meet index requirements **BEFORE** the upgrade process. - -### [What's new in 2.8.x](https://codefresh.io/docs/docs/whats-new/on-prem-release-notes/#on-premises-version-28) - -### ⚠️ ⚠️ ⚠️ Breaking changes. Read before upgrading! - -### MongoDB update - -Default MongoDB image is changed from 6.x to 7.x. - -If you run external MongoDB (i.e. [Atlas](https://cloud.mongodb.com)), it is **required** to upgrade it to 7.x after upgrading Codefresh On-Prem to 2.8.x. - -- **Before the upgrade**, for backward compatibility (in case you need to rollback to 6.x), you should set [`featureCompatibilityVersion`](https://www.mongodb.com/docs/v6.0/reference/command/setFeatureCompatibilityVersion/) to `6.0` in your values file. 
- -```yaml -mongodb: - migration: - enabled: true - featureCompatibilityVersion: "6.0" -``` - -- Perform Codefresh On-Prem upgrade to 2.8.x. Make sure all systems are up and running. - -- **After the upgrade**, if all system are stable, you need to set `featureCompatibilityVersion` to `7.0` in your values file and re-deploy the chart. - -```yaml -mongodb: - migration: - enabled: true - featureCompatibilityVersion: "7.0" -``` - -⚠️ ⚠️ ⚠️ If FCV (FeatureCompatibilityVersion) is managed by MongoDB itself (i.e. Atlas), you can disable it completely (that is default value in Helm chart) - -```yaml -mongodb: - migration: - enabled: false -``` - -### PostgreSQL update - -Default PostgreSQL image is changed from 13.x to 17.x - -If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x. - -> ⚠️ **Important!**
-> The default SSL configuration may change on your provider's side when you upgrade.
-> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql) - -⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers) - -⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs: -``` -postgresql 17:36:28.41 INFO ==> ** Starting PostgreSQL ** -2025-05-21 17:36:28.432 GMT [1] FATAL: database files are incompatible with server -2025-05-21 17:36:28.432 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 13, which is not compatible with this version 17.2. -``` -You need to backup your data, delete the old PostgreSQL StatefulSet with PVCs and restore the data into a new PostgreSQL StatefulSet. - -- **Before the upgrade**, backup your data on a separate PVC - -- Create PVC with the same or bigger size as your current PostgreSQL PVC: - -```yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: postgresql-dump -spec: - storageClassName: - resources: - requests: - storage: - volumeMode: Filesystem - accessModes: - - ReadWriteOnce -``` - -- Create a job to dump the data from the old PostgreSQL StatefulSet into the new PVC: - -```yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: postgresql-dump -spec: - ttlSecondsAfterFinished: 300 - template: - spec: - containers: - - name: postgresql-dump - image: quay.io/codefresh/postgresql:17 - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" - env: - - name: PGUSER - value: "" - - name: PGPASSWORD - value: "" - - name: PGHOST - value: "" - - name: PGPORT - value: "" - command: - - "/bin/bash" - - "-c" - - | - pg_dumpall --verbose > /opt/postgresql-dump/dump.sql - volumeMounts: - - name: postgresql-dump - mountPath: /opt/postgresql-dump - securityContext: - runAsUser: 0 - fsGroup: 0 - 
volumes: - - name: postgresql-dump - persistentVolumeClaim: - claimName: postgresql-dump - restartPolicy: Never -``` - -- Delete old PostgreSQL StatefulSet and PVC - -```console -STS_NAME=$(kubectl get sts -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}') -PVC_NAME=$(kubectl get pvc -n $NAMESPACE -l app.kubernetes.io/instance=$RELEASE_NAME -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}') - -kubectl delete sts $STS_NAME -n $NAMESPACE -kubectl delete pvc $PVC_NAME -n $NAMESPACE -``` - -- Peform the upgrade to 2.8.x with PostgreSQL seed job enabled to re-create users and databases - -```yaml -seed: - postgresSeedJob: - enabled: true -``` - -- Create a job to restore the data from the new PVC into the new PostgreSQL StatefulSet: - -```yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: postgresql-restore -spec: - ttlSecondsAfterFinished: 300 - template: - spec: - containers: - - name: postgresql-restore - image: quay.io/codefresh/postgresql:17 - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" - env: - - name: PGUSER - value: "" - - name: PGPASSWORD - value: "" - - name: PGHOST - value: "" - - name: PGPORT - value: "" - command: - - "/bin/bash" - - "-c" - - | - psql -f /opt/postgresql-dump/dump.sql - volumeMounts: - - name: postgresql-dump - mountPath: /opt/postgresql-dump - securityContext: - runAsUser: 0 - fsGroup: 0 - volumes: - - name: postgresql-dump - persistentVolumeClaim: - claimName: postgresql-dump - restartPolicy: Never -``` - -### RabbitMQ update - -Default RabbitMQ image is changed from 3.x to 4.0 - -If you run external RabbitMQ, follow the [official instructions](https://www.rabbitmq.com/docs/upgrade) to upgrade to 4.0 - -For built-in RabbitMQ `bitnami/rabbitmq` subchart, pre-upgrade hook was added to enable all stable feature flags. 
- -#### Affected values - -- Added option to provide `.Values.global.tolerations`/`.Values.global.nodeSelector`/`.Values.global.affinity` for all Codefresh subcharts - -- Changed default location for public images from `quay.io/codefresh` to `us-docker.pkg.dev/codefresh-inc/public-gcr-io/codefresh` - -- `.Values.hooks` was splitted into `.Values.hooks.mongodb` and `.Values.hooks.consul` - -## Troubleshooting - -### Error: Failed to validate connection to Docker daemon; caused by Error: certificate has expired - -Builds are stuck in pending with `Error: Failed to validate connection to Docker daemon; caused by Error: certificate has expired` - -**Reason:** Runtime certificates have expiried. - -To check if runtime internal CA expired: - -```console -kubectl -n $NAMESPACE get secret/cf-codefresh-certs-client -o jsonpath="{.data['ca\.pem']}" | base64 -d | openssl x509 -enddate -noout -``` - -**Resolution:** Replace internal CA and re-issue dind certs for runtime - -- Delete k8s secret with expired certificate -```console -kubectl -n $NAMESPACE delete secret cf-codefresh-certs-client -``` - -- Set `.Values.global.gencerts.enabled=true` (`.Values.global.certsJob=true` for onprem < 2.x version) - -```yaml -# -- Job to generate internal runtime secrets. -# @default -- See below -gencerts: - enabled: true -``` - -- Upgrade Codefresh On-Prem Helm release. It will recreate `cf-codefresh-certs-client` secret -```console -helm upgrade --install cf codefresh/codefresh \ - -f cf-values.yaml \ - --namespace codefresh \ - --create-namespace \ - --debug \ - --wait \ - --timeout 15m -``` - -- Restart `cfapi` and `cfsign` deployments - -```console -kubectl -n $NAMESPACE rollout restart deployment/cf-cfapi -kubectl -n $NAMESPACE rollout restart deployment/cf-cfsign -``` - -**Case A:** Codefresh Runner installed with HELM chart ([charts/cf-runtime](https://github.com/codefresh-io/venona/tree/release-1.0/charts/cf-runtime)) - -Re-apply the `cf-runtime` helm chart. 
Post-upgrade `gencerts-dind` helm hook will regenerate the dind certificates using a new CA. - -**Case B:** Codefresh Runner installed with legacy CLI ([codefresh runner init](https://codefresh-io.github.io/cli/runner/init/)) - -Delete `codefresh-certs-server` k8s secret and run [./configure-dind-certs.sh](https://github.com/codefresh-io/venona/blob/release-1.0/charts/cf-runtime/files/configure-dind-certs.sh) in your runtime namespace. - -```console -kubectl -n $NAMESPACE delete secret codefresh-certs-server -./configure-dind-certs.sh -n $RUNTIME_NAMESPACE https://$CODEFRESH_HOST $CODEFRESH_API_TOKEN -``` - -### Consul Error: Refusing to rejoin cluster because the server has been offline for more than the configured server_rejoin_age_max - -After platform upgrade, Consul fails with the error `refusing to rejoin cluster because the server has been offline for more than the configured server_rejoin_age_max - consider wiping your data dir`. There is [known issue](https://github.com/hashicorp/consul/issues/20722) of **hashicorp/consul** behaviour. Try to wipe out or delete the consul PV with config data and restart Consul StatefulSet. - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| argo-hub-platform | object | See below | argo-hub-platform | -| argo-platform | object | See below | argo-platform | -| argo-platform.abac | object | See below | abac | -| argo-platform.analytics-reporter | object | See below | analytics-reporter | -| argo-platform.anchors | object | See below | Anchors | -| argo-platform.api-events | object | See below | api-events | -| argo-platform.api-graphql | object | See below | api-graphql All other services under `.Values.argo-platform` follows the same values structure. 
| -| argo-platform.api-graphql.affinity | object | `{}` | Set pod's affinity | -| argo-platform.api-graphql.env | object | See below | Env vars | -| argo-platform.api-graphql.hpa | object | `{"enabled":false}` | HPA | -| argo-platform.api-graphql.hpa.enabled | bool | `false` | Enable autoscaler | -| argo-platform.api-graphql.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/argo-platform-api-graphql"}` | Image | -| argo-platform.api-graphql.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry | -| argo-platform.api-graphql.image.repository | string | `"codefresh/argo-platform-api-graphql"` | Repository | -| argo-platform.api-graphql.kind | string | `"Deployment"` | Controller kind. Currently, only `Deployment` is supported | -| argo-platform.api-graphql.pdb | object | `{"enabled":false}` | PDB | -| argo-platform.api-graphql.pdb.enabled | bool | `false` | Enable pod disruption budget | -| argo-platform.api-graphql.podAnnotations | object | `{"checksum/secret":"{{ include (print $.Template.BasePath \"/api-graphql/secret.yaml\") . | sha256sum }}"}` | Set pod's annotations | -| argo-platform.api-graphql.resources | object | See below | Resource limits and requests | -| argo-platform.api-graphql.secrets | object | See below | Secrets | -| argo-platform.api-graphql.tolerations | list | `[]` | Set pod's tolerations | -| argo-platform.argocd-hooks | object | See below | argocd-hooks Don't enable! Not used in onprem! | -| argo-platform.audit | object | See below | audit | -| argo-platform.broadcaster | object | See below | broadcaster | -| argo-platform.cron-executor | object | See below | cron-executor | -| argo-platform.event-handler | object | See below | event-handler | -| argo-platform.promotion-orchestrator | object | See below | promotion-orchestrator | -| argo-platform.runtime-manager | object | See below | runtime-manager Don't enable! Not used in onprem! 
| -| argo-platform.runtime-monitor | object | See below | runtime-monitor Don't enable! Not used in onprem! | -| argo-platform.ui | object | See below | ui | -| argo-platform.useExternalSecret | bool | `false` | Use regular k8s secret object. Keep `false`! | -| builder | object | `{"affinity":{},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/curl","tag":"8.14.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | -| cf-broadcaster | object | See below | broadcaster | -| cf-oidc-provider | object | See below | cf-oidc-provider | -| cf-platform-analytics-etlstarter | object | See below | etl-starter | -| cf-platform-analytics-etlstarter.redis.enabled | bool | `false` | Disable redis subchart | -| cf-platform-analytics-etlstarter.system-etl-postgres | object | `{"container":{"env":{"BLUE_GREEN_ENABLED":true}},"controller":{"cronjob":{"ttlSecondsAfterFinished":300}},"enabled":true}` | Only postgres ETL should be running in onprem | -| cf-platform-analytics-platform | object | See below | platform-analytics | -| cfapi | object | `{"affinity":{},"container":{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService 
}}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}},"controller":{"replicas":2},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false,"minAvailable":"50%"},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}},"secrets":{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}},"tolerations":[]}` | cf-api | -| cfapi-internal.<<.affinity | object | `{}` | Affinity configuration | -| cfapi-internal.<<.container | object | `{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}}` | Container configuration | -| cfapi-internal.<<.container.env | object | See below | Env vars | -| cfapi-internal.<<.container.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}` | Image | -| cfapi-internal.<<.container.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry prefix | -| cfapi-internal.<<.container.image.repository | string | `"codefresh/cf-api"` | Repository | -| cfapi-internal.<<.controller | object | `{"replicas":2}` | Controller configuration | -| 
cfapi-internal.<<.controller.replicas | int | `2` | Replicas number | -| cfapi-internal.<<.enabled | bool | `true` | Enable cf-api | -| cfapi-internal.<<.hpa | object | `{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70}` | Autoscaler configuration | -| cfapi-internal.<<.hpa.enabled | bool | `false` | Enable HPA | -| cfapi-internal.<<.hpa.maxReplicas | int | `10` | Maximum number of replicas | -| cfapi-internal.<<.hpa.minReplicas | int | `2` | Minimum number of replicas | -| cfapi-internal.<<.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | -| cfapi-internal.<<.imagePullSecrets | list | `[]` | Image pull secrets | -| cfapi-internal.<<.nodeSelector | object | `{}` | Node selector configuration | -| cfapi-internal.<<.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | -| cfapi-internal.<<.pdb.enabled | bool | `false` | Enable PDB | -| cfapi-internal.<<.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | -| cfapi-internal.<<.podSecurityContext | object | `{}` | Pod security context configuration | -| cfapi-internal.<<.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource requests and limits | -| cfapi-internal.<<.secrets | object | `{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}}` | Secrets configuration | -| cfapi-internal.<<.tolerations | list | `[]` | Tolerations configuration | -| cfapi-internal.enabled | bool | `false` | | -| cfapi.affinity | object | `{}` | Affinity configuration | -| cfapi.container | object | `{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort 
}}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}}` | Container configuration | -| cfapi.container.env | object | See below | Env vars | -| cfapi.container.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}` | Image | -| cfapi.container.image.registry | string | `"us-docker.pkg.dev/codefresh-enterprise/gcr.io"` | Registry prefix | -| cfapi.container.image.repository | string | `"codefresh/cf-api"` | Repository | -| cfapi.controller | object | `{"replicas":2}` | Controller configuration | -| cfapi.controller.replicas | int | `2` | Replicas number | -| cfapi.enabled | bool | `true` | Enable cf-api | -| cfapi.hpa | object | `{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70}` | Autoscaler configuration | -| cfapi.hpa.enabled | bool | `false` | Enable HPA | -| cfapi.hpa.maxReplicas | int | `10` | Maximum number of replicas | -| cfapi.hpa.minReplicas | int | `2` | Minimum number of replicas | -| cfapi.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | -| cfapi.imagePullSecrets | list | `[]` | Image pull secrets | -| cfapi.nodeSelector | object | `{}` | Node selector configuration | -| cfapi.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | -| cfapi.pdb.enabled | bool | `false` | Enable PDB | -| cfapi.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | -| cfapi.podSecurityContext | object | `{}` | Pod security context configuration | -| cfapi.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource 
requests and limits | -| cfapi.secrets | object | `{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}}` | Secrets configuration | -| cfapi.tolerations | list | `[]` | Tolerations configuration | -| cfsign | object | See below | tls-sign | -| cfui | object | See below | cf-ui | -| charts-manager | object | See below | charts-manager | -| ci.enabled | bool | `false` | | -| cluster-providers | object | See below | cluster-providers | -| consul | object | See below | consul Ref: https://github.com/bitnami/charts/blob/main/bitnami/consul/values.yaml | -| context-manager | object | See below | context-manager | -| cronus | object | See below | cronus | -| developmentChart | bool | `false` | | -| dockerconfigjson | object | `{}` | DEPRECATED - Use `.imageCredentials` instead dockerconfig (for `kcfi` tool backward compatibility) for Image Pull Secret. Obtain GCR Service Account JSON (sa.json) at support@codefresh.io ```shell GCR_SA_KEY_B64=$(cat sa.json | base64) DOCKER_CFG_VAR=$(echo -n "_json_key:$(echo ${GCR_SA_KEY_B64} | base64 -d)" | base64 | tr -d '\n') ``` E.g.: dockerconfigjson: auths: gcr.io: auth: | -| gencerts | object | See below | Job to generate internal runtime secrets. Required at first install. | -| gitops-dashboard-manager | object | See below | gitops-dashboard-manager | -| global | object | See below | Global parameters | -| global.affinity | object | `{}` | Global affinity constraints Apply affinity to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | -| global.appProtocol | string | `"https"` | Application protocol. | -| global.appUrl | string | `"onprem.codefresh.local"` | Application root url. Will be used in Ingress objects as hostname | -| global.broadcasterPort | int | `80` | Default broadcaster service port. 
| -| global.broadcasterService | string | `"cf-broadcaster"` | Default broadcaster service name. | -| global.builderService | string | `"builder"` | Default builder service name. | -| global.cfapiEndpointsService | string | `"cfapi"` | Default API endpoints service name | -| global.cfapiInternalPort | int | `3000` | Default API service port. | -| global.cfapiService | string | `"cfapi"` | Default API service name. | -| global.cfk8smonitorService | string | `"k8s-monitor"` | Default k8s-monitor service name. | -| global.chartsManagerPort | int | `9000` | Default chart-manager service port. | -| global.chartsManagerService | string | `"charts-manager"` | Default charts-manager service name. | -| global.clusterProvidersPort | int | `9000` | Default cluster-providers service port. | -| global.clusterProvidersService | string | `"cluster-providers"` | Default cluster-providers service name. | -| global.codefresh | string | `"codefresh"` | LEGACY - Keep as is! Used for subcharts to access external secrets and configmaps. | -| global.consulHttpPort | int | `8500` | Default Consul service port. | -| global.consulService | string | `"consul-headless"` | Default Consul service name. | -| global.contextManagerPort | int | `9000` | Default context-manager service port. | -| global.contextManagerService | string | `"context-manager"` | Default context-manager service name. 
| -| global.dnsService | string | `"kube-dns"` | Definitions for internal-gateway nginx resolver | -| global.env | object | `{}` | Global Env vars | -| global.firebaseSecret | string | `""` | Firebase Secret in plain text | -| global.firebaseSecretSecretKeyRef | object | `{}` | Firebase Secret from existing secret | -| global.firebaseUrl | string | `"https://codefresh-on-prem.firebaseio.com/on-prem"` | Firebase URL for logs streaming in plain text | -| global.firebaseUrlSecretKeyRef | object | `{}` | Firebase URL for logs streaming from existing secret | -| global.gitopsDashboardManagerDatabase | string | `"pipeline-manager"` | Default gitops-dashboarad-manager db collection. | -| global.gitopsDashboardManagerPort | int | `9000` | Default gitops-dashboarad-manager service port. | -| global.gitopsDashboardManagerService | string | `"gitops-dashboard-manager"` | Default gitops-dashboarad-manager service name. | -| global.helmRepoManagerService | string | `"helm-repo-manager"` | Default helm-repo-manager service name. | -| global.hermesService | string | `"hermes"` | Default hermes service name. | -| global.imagePullSecrets | list | `["codefresh-registry"]` | Global Docker registry secret names as array | -| global.imageRegistry | string | `""` | Global Docker image registry | -| global.kubeIntegrationPort | int | `9000` | Default kube-integration service port. | -| global.kubeIntegrationService | string | `"kube-integration"` | Default kube-integration service name. | -| global.mongoURI | string | `""` | LEGACY (but still supported) - Use `.global.mongodbProtocol` + `.global.mongodbUser/mongodbUserSecretKeyRef` + `.global.mongodbPassword/mongodbPasswordSecretKeyRef` + `.global.mongodbHost/mongodbHostSecretKeyRef` + `.global.mongodbOptions` instead Default MongoDB URI. Will be used by ALL services to communicate with MongoDB. Ref: https://www.mongodb.com/docs/manual/reference/connection-string/ Note! `defaultauthdb` is omitted on purpose (i.e. 
mongodb://.../[defaultauthdb]). | -| global.mongodbDatabase | string | `"codefresh"` | Default MongoDB database name. Don't change! | -| global.mongodbHost | string | `"cf-mongodb"` | Set mongodb host in plain text | -| global.mongodbHostSecretKeyRef | object | `{}` | Set mongodb host from existing secret | -| global.mongodbOptions | string | `"retryWrites=true"` | Set mongodb connection string options Ref: https://www.mongodb.com/docs/manual/reference/connection-string/#connection-string-options | -| global.mongodbPassword | string | `"mTiXcU2wafr9"` | Set mongodb password in plain text | -| global.mongodbPasswordSecretKeyRef | object | `{}` | Set mongodb password from existing secret | -| global.mongodbProtocol | string | `"mongodb"` | Set mongodb protocol (`mongodb` / `mongodb+srv`) | -| global.mongodbRootUser | string | `""` | DEPRECATED Use `.Values.seed.mongoSeedJob` instead. | -| global.mongodbUser | string | `"cfuser"` | Set mongodb user in plain text | -| global.mongodbUserSecretKeyRef | object | `{}` | Set mongodb user from existing secret | -| global.natsPort | int | `4222` | Default nats service port. | -| global.natsService | string | `"nats"` | Default nats service name. | -| global.newrelicLicenseKey | string | `""` | New Relic Key | -| global.nodeSelector | object | `{}` | Global nodeSelector constraints Apply nodeSelector to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | -| global.oidcProviderClientId | string | `nil` | Default OIDC Provider service client ID in plain text. | -| global.oidcProviderClientSecret | string | `nil` | Default OIDC Provider service client secret in plain text. | -| global.oidcProviderPort | int | `443` | Default OIDC Provider service port. | -| global.oidcProviderProtocol | string | `"https"` | Default OIDC Provider service protocol. | -| global.oidcProviderService | string | `""` | Default OIDC Provider service name (Provider URL). 
| -| global.oidcProviderTokenEndpoint | string | `"/token"` | Default OIDC Provider service token endpoint. | -| global.pipelineManagerPort | int | `9000` | Default pipeline-manager service port. | -| global.pipelineManagerService | string | `"pipeline-manager"` | Default pipeline-manager service name. | -| global.platformAnalyticsPort | int | `80` | Default platform-analytics service port. | -| global.platformAnalyticsService | string | `"platform-analytics"` | Default platform-analytics service name. | -| global.postgresDatabase | string | `"codefresh"` | Set postgres database name | -| global.postgresHostname | string | `""` | Set postgres service address in plain text. Takes precedence over `global.postgresService`! | -| global.postgresHostnameSecretKeyRef | object | `{}` | Set postgres service from existing secret | -| global.postgresPassword | string | `"eC9arYka4ZbH"` | Set postgres password in plain text | -| global.postgresPasswordSecretKeyRef | object | `{}` | Set postgres password from existing secret | -| global.postgresPort | int | `5432` | Set postgres port number | -| global.postgresService | string | `"postgresql"` | Default internal postgresql service address from bitnami/postgresql subchart | -| global.postgresUser | string | `"postgres"` | Set postgres user in plain text | -| global.postgresUserSecretKeyRef | object | `{}` | Set postgres user from existing secret | -| global.rabbitService | string | `"rabbitmq:5672"` | Default internal rabbitmq service address from bitnami/rabbitmq subchart. | -| global.rabbitmqHostname | string | `""` | Set rabbitmq service address in plain text. Takes precedence over `global.rabbitService`! | -| global.rabbitmqHostnameSecretKeyRef | object | `{}` | Set rabbitmq service address from existing secret. 
| -| global.rabbitmqPassword | string | `"cVz9ZdJKYm7u"` | Set rabbitmq password in plain text | -| global.rabbitmqPasswordSecretKeyRef | object | `{}` | Set rabbitmq password from existing secret | -| global.rabbitmqProtocol | string | `"amqp"` | Set rabbitmq protocol (`amqp/amqps`) | -| global.rabbitmqUsername | string | `"user"` | Set rabbitmq username in plain text | -| global.rabbitmqUsernameSecretKeyRef | object | `{}` | Set rabbitmq username from existing secret | -| global.redisPassword | string | `"hoC9szf7NtrU"` | Set redis password in plain text | -| global.redisPasswordSecretKeyRef | object | `{}` | Set redis password from existing secret | -| global.redisPort | int | `6379` | Set redis service port | -| global.redisService | string | `"redis-master"` | Default internal redis service address from bitnami/redis subchart | -| global.redisUrl | string | `""` | Set redis hostname in plain text. Takes precedence over `global.redisService`! | -| global.redisUrlSecretKeyRef | object | `{}` | Set redis hostname from existing secret. | -| global.runtimeEnvironmentManagerPort | int | `80` | Default runtime-environment-manager service port. | -| global.runtimeEnvironmentManagerService | string | `"runtime-environment-manager"` | Default runtime-environment-manager service name. | -| global.security | object | `{"allowInsecureImages":true}` | Bitnami | -| global.storageClass | string | `""` | Global StorageClass for Persistent Volume(s) | -| global.tlsSignPort | int | `4999` | Default tls-sign service port. | -| global.tlsSignService | string | `"cfsign"` | Default tls-sign service name. | -| global.tolerations | list | `[]` | Global tolerations constraints Apply toleratons to all Codefresh subcharts. Will not be applied on Bitnami subcharts. | -| helm-repo-manager | object | See below | helm-repo-manager | -| hermes | object | See below | hermes | -| hooks | object | See below | Pre/post-upgrade Job hooks. 
| -| hooks.consul | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/kubectl","tag":"1.33.3"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Recreates `consul-headless` service due to duplicated ports in Service during the upgrade. | -| hooks.mongodb | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/mongosh","tag":"2.5.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Updates images in `system/default` runtime. | -| hooks.rabbitmq | object | `{"affinity":{},"enabled":true,"image":{"registry":"us-docker.pkg.dev/codefresh-inc/public-gcr-io","repository":"codefresh/rabbitmqadmin","tag":"2.8.0"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | Enable stable feature flags in RabbitMQ. | -| imageCredentials | object | `{}` | Credentials for Image Pull Secret object | -| ingress | object | `{"annotations":{"nginx.ingress.kubernetes.io/service-upstream":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false","nginx.org/redirect-to-https":"false"},"enabled":true,"ingressClassName":"nginx-codefresh","labels":{},"nameOverride":"","services":{"internal-gateway":["/"]},"tls":{"cert":"","enabled":false,"existingSecret":"","key":"","secretName":"star.codefresh.io"}}` | Ingress | -| ingress-nginx | object | See below | ingress-nginx Ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml | -| ingress.annotations | object | See below | Set annotations for ingress. | -| ingress.enabled | bool | `true` | Enable the Ingress | -| ingress.ingressClassName | string | `"nginx-codefresh"` | Set the ingressClass that is used for the ingress. 
Default `nginx-codefresh` is created from `ingress-nginx` controller subchart | -| ingress.labels | object | `{}` | Set labels for ingress | -| ingress.nameOverride | string | `""` | Override Ingress resource name | -| ingress.services | object | See below | Default services and corresponding paths | -| ingress.tls.cert | string | `""` | Certificate (base64 encoded) | -| ingress.tls.enabled | bool | `false` | Enable TLS | -| ingress.tls.existingSecret | string | `""` | Existing `kubernetes.io/tls` type secret with TLS certificates (keys: `tls.crt`, `tls.key`) | -| ingress.tls.key | string | `""` | Private key (base64 encoded) | -| ingress.tls.secretName | string | `"star.codefresh.io"` | Default secret name to be created with provided `cert` and `key` below | -| internal-gateway | object | See below | internal-gateway | -| k8s-monitor | object | See below | k8s-monitor | -| kube-integration | object | See below | kube-integration | -| mailer.enabled | bool | `false` | | -| mongodb | object | See below | mongodb Ref: https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml | -| nats | object | See below | nats Ref: https://github.com/bitnami/charts/blob/main/bitnami/nats/values.yaml | -| nomios | object | See below | nomios | -| payments.enabled | bool | `false` | | -| pipeline-manager | object | See below | pipeline-manager | -| postgresql | object | See below | postgresql Ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml | -| postgresql-ha | object | See below | postgresql Ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/values.yaml | -| postgresqlCleanJob | object | See below | Maintenance postgresql clean job. Removes a certain number of the last records in the event store table. 
| -| rabbitmq | object | See below | rabbitmq Ref: https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml | -| redis | object | See below | redis Ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml | -| redis-ha | object | `{"auth":true,"enabled":false,"haproxy":{"enabled":true,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}}},"persistentVolume":{"enabled":true,"size":"10Gi"},"redis":{"resources":{"requests":{"cpu":"100m","memory":"128Mi"}}},"redisPassword":"hoC9szf7NtrU"}` | redis-ha # Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml | -| runtime-environment-manager | object | See below | runtime-environment-manager | -| runtimeImages | object | See below | runtimeImages | -| salesforce-reporter.enabled | bool | `false` | | -| seed | object | See below | Seed jobs | -| seed-e2e | object | `{"affinity":{},"backoffLimit":10,"enabled":false,"image":{"registry":"docker.io","repository":"mongo","tag":"latest"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":300}` | CI | -| seed.enabled | bool | `true` | Enable all seed jobs | -| seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. | -| seed.mongoSeedJob.env | object | `{}` | Extra env variables for seed job. | -| seed.mongoSeedJob.mongodbRootOptions | string | `""` | Extra options for connection string (e.g. `authSource=admin`). | -| seed.mongoSeedJob.mongodbRootPassword | string | `"XT9nmM8dZD"` | Root password in plain text (required ONLY for seed job!). | -| seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret | -| seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). 
| -| seed.mongoSeedJob.mongodbRootUserSecretKeyRef | object | `{}` | Root user from existing secret | -| seed.postgresSeedJob | object | See below | Postgres Seed Job. Required at first install. Creates required user and databases. | -| seed.postgresSeedJob.postgresPassword | optional | `""` | Password for "postgres" admin user (required ONLY for seed job!) | -| seed.postgresSeedJob.postgresPasswordSecretKeyRef | optional | `{}` | Password for "postgres" admin user from existing secret | -| seed.postgresSeedJob.postgresUser | optional | `""` | "postgres" admin user in plain text (required ONLY for seed job!) Must be a privileged user allowed to create databases and grant roles. If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. | -| seed.postgresSeedJob.postgresUserSecretKeyRef | optional | `{}` | "postgres" admin user from exising secret | -| segment-reporter.enabled | bool | `false` | | -| tasker-kubernetes | object | `{"affinity":{},"container":{"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/tasker-kubernetes"}},"enabled":true,"hpa":{"enabled":false},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}` | tasker-kubernetes | -| webTLS | object | `{"cert":"","enabled":false,"key":"","secretName":"star.codefresh.io"}` | DEPRECATED - Use `.Values.ingress.tls` instead TLS secret for Ingress | +For full Codefresh On-Prem Helm chart documentation please checkout [README.md](https://github.com/codefresh-io/codefresh-onprem-helm/blob/onprem-3.0/README.md) diff --git a/scripts/helm-docs.sh b/scripts/helm-docs.sh new file mode 100755 index 000000000..5b323435f --- /dev/null +++ b/scripts/helm-docs.sh 
@@ -0,0 +1,6 @@ +#!/bin/bash +## Reference: https://github.com/norwoodj/helm-docs +helm-docs \ + --chart-search-root=charts/codefresh \ + --template-files=../../README.md.gotmpl \ + --output-file=../../README.md From 94deb5211b55a51f461042da2a2c8795d358a977 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 09:24:32 +0300 Subject: [PATCH 05/15] onprem: 3.0 --- .../tests/misc/global_constrains_test.yaml | 32 ------------------- .../private-registry/cf_charts_test.yaml | 6 ---- 2 files changed, 38 deletions(-) diff --git a/charts/codefresh/tests/misc/global_constrains_test.yaml b/charts/codefresh/tests/misc/global_constrains_test.yaml index 903a5358f..903808c14 100644 --- a/charts/codefresh/tests/misc/global_constrains_test.yaml +++ b/charts/codefresh/tests/misc/global_constrains_test.yaml @@ -394,38 +394,6 @@ tests: values: - "value" - - it: cf-runner should have global tolerations/nodeSelector/affinity/imagePullSecret - values: - - ../values/global.yaml - template: charts/runner/templates/controller.yaml - asserts: - - contains: - path: spec.template.spec.imagePullSecrets - content: - name: my-secret - - contains: - path: spec.template.spec.tolerations - content: - key: "key" - operator: "Equal" - value: "value" - effect: "NoSchedule" - - equal: - path: spec.template.spec.nodeSelector - value: - key: "value" - - equal: - path: spec.template.spec.affinity - value: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: "key" - operator: "In" - values: - - "value" - - it: cf-broadcaster should have global tolerations/nodeSelector/affinity/imagePullSecret values: - ../values/global.yaml diff --git a/charts/codefresh/tests/private-registry/cf_charts_test.yaml b/charts/codefresh/tests/private-registry/cf_charts_test.yaml index c03ce1391..d817a35ea 100644 --- a/charts/codefresh/tests/private-registry/cf_charts_test.yaml +++ b/charts/codefresh/tests/private-registry/cf_charts_test.yaml 
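Review bot: The new `scripts/helm-docs.sh` passes `--chart-search-root=charts/codefresh` as a path relative to the caller's working directory, so it only produces the right README when started from the repository root. Run from `scripts/` or from a CI step with a different cwd, it will look for charts in the wrong place. I would anchor it to the script location with one line before the `helm-docs` call, `cd "$(dirname "${BASH_SOURCE[0]}")/.." || exit 1`, and extend the header comment to say that the template and output paths are resolved relative to the chart directory. The helm-docs version is not recorded anywhere in the hunk; noting the expected version in that comment would keep regenerated docs reproducible.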
@@ -19,7 +19,6 @@ templates: - charts/hermes/templates/*.yaml - charts/nomios/templates/*.yaml - charts/builder/templates/*.yaml - - charts/runner/templates/*.yaml - charts/cf-oidc-provider/templates/*.yaml tests: - it: "(Codefresh subcharts) should test image private registry prefix" @@ -116,11 +115,6 @@ tests: path: spec.template.spec.containers[0].image pattern: ^myregistry.io/.*$ template: charts/builder/templates/controller.yaml - # cf-runner - - matchRegex: - path: spec.template.spec.containers[0].image - pattern: ^myregistry.io/.*$ - template: charts/runner/templates/controller.yaml # cf-oidc-provider - matchRegex: path: spec.template.spec.containers[0].image From 2a9259d9ac1e48f35d33f67d3a5864e5229d75e1 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 09:43:56 +0300 Subject: [PATCH 06/15] onprem: 3.0 --- charts/codefresh/.ci/values/mtls-mongodb-redis.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml index f3b58710c..c829d463b 100644 --- a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml +++ b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml @@ -60,6 +60,8 @@ mongodb: enabled: true rootUser: root rootPassword: "XT9nmM8dZDZ" + image: + repository: bitnamilegacy/mongodb initdbScripts: my_init_script.sh: | #!/bin/bash From 46b6bc8944ede3b9cde83c142ed51217d09c5e76 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 09:48:47 +0300 Subject: [PATCH 07/15] onprem: 3.0 --- charts/codefresh/.ci/values/mtls-mongodb-redis.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml index c829d463b..eae6fdcff 100644 --- a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml +++ b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml 
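Review bot: `repository: bitnamilegacy/mongodb`, added under `@@ -60,6 +60,8 @@ mongodb:`, points these CI values at Bitnami's legacy namespace without recording why or for how long. As far as I know that namespace is a frozen archive that no longer receives rebuilds or security fixes. The same applies to `repository: bitnamilegacy/nginx`, added under `@@ -110,6 +108,8 @@` in the following commit, which appears to sit under the mongodb TLS settings. I would put a comment above each override, for example `# CI only: bitnamilegacy images are frozen and unpatched; switch to a maintained image before reusing these values`, so the override is not copied into a production values file. The mongodb block continues outside the hunk.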
@@ -60,8 +60,6 @@ mongodb: enabled: true rootUser: root rootPassword: "XT9nmM8dZDZ" - image: - repository: bitnamilegacy/mongodb initdbScripts: my_init_script.sh: | #!/bin/bash @@ -110,6 +108,8 @@ mongodb: caCert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGVENDQWYyZ0F3SUJBZ0lRZWVySXdOWkNpdyt1alRPdHZ2TEZLREFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwdGVVMXZibWR2TFdOaE1CNFhEVEl5TVRFd01qRTRNRFl6TWxvWERUTXlNVEF6TURFNApNRFl6TWxvd0ZURVRNQkVHQTFVRUF4TUtiWGxOYjI1bmJ5MWpZVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBTGxpV3dIVDQ5OWE0MzgrUWZjcExTNThVT2FsV3ArVXhkWVYwQjZkVTlFejlQSW4KTncydXZqNWtjN3RtU08xUk5ReEJRVjZpOHNBWHdQcTM1WlZYdTQ2OHhURkdHMXZBTWhrTkQ1OTJWd3JFNElCSgpTMm9XNEV6UWJPR3Fsd2ZBanNMZ1VlRjdBbHRuUEVNMjBSQ3hpMzhPNGY0VHZNZHpQamhIa2NNU2NMaHNhYjRlCjYrbVA0MFJBcEdLc2hwV2YwbnoyMXErWU83Zm4wNjVYd3dvUVBvL1BZa0FLdWNHZk1xRjltYXRCYWdUMlVwT0cKSFlRa2pzRW1zSmxEdkhsV1RBdzU2eFl4UU9UbUVWU2hkYzlKRDNmWEZEVkd6L1NVYkZXQTVualBLL0QvbXdpawppM0RaL0h6SUVEbXBJUElxRERsTGdIL3F6b3Jlb0NKMjB1YnlCb1VDQXdFQUFhTmhNRjh3RGdZRFZSMFBBUUgvCkJBUURBZ0trTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQVBCZ05WSFJNQkFmOEUKQlRBREFRSC9NQjBHQTFVZERnUVdCQlFXTWg5RDRiVkljRWQ2dVBOZ1RqWGpMWUpoSmpBTkJna3Foa2lHOXcwQgpBUXNGQUFPQ0FRRUFSUTBaV3F0dUlLWHNHTTJ4TW1Za0VJTHprckJySktiWXhIOFlCUEJFTjZZT09la0o2Q1FhCjQzZitmaHJlQ2o4NFdwSzdwckNEcjJYTmlHNHJlYjBrU2dYdmpyZUVBTzU0Q1FzelJwR0xUVjROMTBjTDdHUVoKaXd6OElGMXppTld4WXVXK29aSFRBQ2NMRkJkUnFFZWNSWUJXTU0vaDhZcldoWTRIaXlIMHp4UkRsOGNpU2ZOMApoa2lURzZQd0V0S29ZRWUwZ21OWXhkWFNzZ2FMZFlUMjNiMGJsMlB3OUdZdkJlWmFpZlZTbllDYmhmTDNPVkQxCjV6YnBXNHhmMEJyM0VGbStrUHh0SGxVR2FsUXdFb3NSVy9kWEpFWFVQTHNGb2xPRDRiR0xvblE4Z2VHcFVYVzQKR3prV0g5QTFXUlE4bWIxd0ZDTkZNVjgvUWxKams3MEJFUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=" caKey: "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" mode: allowTLS + image: + repository: bitnamilegacy/nginx redis: tls: From 407c06aa1b5292b2416ac50f4d863511c29dd88e Mon Sep 17 00:00:00 2001 
From: Mikhail Klimko Date: Wed, 3 Sep 2025 10:04:16 +0300 Subject: [PATCH 08/15] onprem: 3.0 --- charts/codefresh/.ci/values/defaults.yaml | 2 +- charts/codefresh/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/codefresh/.ci/values/defaults.yaml b/charts/codefresh/.ci/values/defaults.yaml index 2f80ae4cd..0bae9c1e0 100644 --- a/charts/codefresh/.ci/values/defaults.yaml +++ b/charts/codefresh/.ci/values/defaults.yaml @@ -78,7 +78,7 @@ argo-platform: mongodb: migration: - enabled: true + enabled: false image: repository: bitnamilegacy/mongodb nodeSelector: diff --git a/charts/codefresh/values.yaml b/charts/codefresh/values.yaml index d3e1b084c..466263a26 100644 --- a/charts/codefresh/values.yaml +++ b/charts/codefresh/values.yaml @@ -1126,7 +1126,7 @@ mongodb: memory: 256Mi migration: enabled: false - featureCompatibilityVersion: "6.0" + featureCompatibilityVersion: "7.0" # -- nats # @default -- See below From 848dc78cf2ef39c0cf616175992c0746bca37bf0 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 10:40:02 +0300 Subject: [PATCH 09/15] onprem: 3.0 --- charts/codefresh/.ci/values/mtls-mongodb-redis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml index eae6fdcff..abaff8144 100644 --- a/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml +++ b/charts/codefresh/.ci/values/mtls-mongodb-redis.yaml @@ -51,7 +51,7 @@ global: ingress: enabled: true - ingressClassName: nginx-internal + ingressClassName: nginx tls: enabled: false From f5e1ce28516864f9e0bfeeebc59d51130e9aba47 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 10:48:14 +0300 Subject: [PATCH 10/15] onprem: 3.0 --- charts/codefresh/Chart.lock | 40 ++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) 
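Review bot: The new default `featureCompatibilityVersion: "7.0"` in `charts/codefresh/values.yaml` carries no comment saying that it must not be ahead of the MongoDB server actually deployed, or that raising it is hard to undo. The codefresh-gitops hook earlier in this series adds `confirm: true` for 7.x servers, which as far as I know MongoDB requires because a later downgrade is not straightforward. With `migration.enabled: false` the value is inert by default, but anyone who enables the migration job inherits 7.0. I would document the key in place, e.g. `# -- FCV applied by the migration job; must match the deployed MongoDB major version, raising it is not easily reversible`, and mention the changed default in the "To 3-0-0" upgrade notes. The mongodb block starts outside the hunk.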
diff --git a/charts/codefresh/Chart.lock b/charts/codefresh/Chart.lock index e024d39b8..dceaf9954 100644 --- a/charts/codefresh/Chart.lock +++ b/charts/codefresh/Chart.lock 
@@ -61,58 +61,58 @@ dependencies: version: 1.15.0 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.7 + version: 21.291.8 - name: cfui repository: oci://quay.io/codefresh/charts version: 14.99.34 
@@ -164,5 +164,5 @@ dependencies: - name: salesforce-reporter repository: oci://quay.io/codefresh/charts version: 1.30.11 -digest: sha256:0c279c1100957c6e34ee053e05ce59e5c10ca83b1d4995320682254700d3c978 -generated: "2025-09-02T17:05:39.300533+03:00" +digest: sha256:1cfe44b9fabdfa3157a7c3ee21b427088df11c8b5aee87e8bbcf0f43643ca4a0 +generated: "2025-09-03T10:46:38.458055+03:00" From 16fb14653fd74e20beb0cdd5134814c916129666 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 11:44:03 +0300 Subject: [PATCH 11/15] onprem: 3.0 --- README.md | 7 +++++++ README.md.gotmpl | 8 ++++++++ charts/codefresh/Chart.lock | 6 +++--- charts/codefresh/Chart.yaml | 2 +- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 58a21930f..a81db7735 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - [To 2.6.0](#to-2-6-0) - [To 2.7.0](#to-2-7-0) - [To 2.8.0](#to-2-8-0) + - [To 3.0.0](#to-3-0-0) - [Rollback](#rollback) - [Troubleshooting](#troubleshooting) - [Values](#values) @@ -2350,6 +2351,12 @@ For built-in RabbitMQ `bitnami/rabbitmq` subchart, pre-upgrade hook was added to - `.Values.hooks` was splitted into `.Values.hooks.mongodb` and `.Values.hooks.consul` +### To 3-0-0 + +#### Affected values + +- `.Values.runner` is removed + ## Troubleshooting ### Error: Failed to validate connection to Docker daemon; caused by Error: certificate has expired diff --git a/README.md.gotmpl b/README.md.gotmpl index 2c178c7a0..ddceb2b5c 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl @@ -49,6 +49,7 @@ Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/ - [To 2.6.0](#to-2-6-0) - [To 2.7.0](#to-2-7-0) - [To 2.8.0](#to-2-8-0) + - [To 3.0.0](#to-3-0-0) - [Rollback](#rollback) - [Troubleshooting](#troubleshooting) - [Values](#values) 
@@ -2360,6 +2361,13 @@ For built-in RabbitMQ `bitnami/rabbitmq` subchart, pre-upgrade hook was added to - `.Values.hooks` was splitted into `.Values.hooks.mongodb` and `.Values.hooks.consul` +### To 3-0-0 + +#### Affected values + +- `.Values.runner` is removed + + ## Troubleshooting ### Error: Failed to validate connection to Docker daemon; caused by Error: certificate has expired diff --git a/charts/codefresh/Chart.lock b/charts/codefresh/Chart.lock index dceaf9954..c36349be5 100644 --- a/charts/codefresh/Chart.lock +++ b/charts/codefresh/Chart.lock @@ -30,7 +30,7 @@ dependencies: repository: https://charts.bitnami.com/bitnami version: 9.0.22 - name: builder - repository: oci://quay.io/codefresh/charts/dev + repository: oci://quay.io/codefresh/charts version: 2.0.0 - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx @@ -164,5 +164,5 @@ dependencies: - name: salesforce-reporter repository: oci://quay.io/codefresh/charts version: 1.30.11 -digest: sha256:1cfe44b9fabdfa3157a7c3ee21b427088df11c8b5aee87e8bbcf0f43643ca4a0 -generated: "2025-09-03T10:46:38.458055+03:00" +digest: sha256:866a3afb20203f99718457d1c5fab7d578367570f501fbb3b73cad2af0e19d38 +generated: "2025-09-03T11:38:43.238346+03:00" diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 129eef098..5948880e8 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -65,7 +65,7 @@ dependencies: repository: https://charts.bitnami.com/bitnami condition: nats.enabled - name: builder - repository: oci://quay.io/codefresh/charts/dev + repository: oci://quay.io/codefresh/charts condition: builder.enabled version: 2.0.0 - name: ingress-nginx From f4123a9045a6f34de7d2a580e0de4d1defb22ed4 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 11:45:11 +0300 Subject: [PATCH 12/15] onprem: 3.0 --- README.md | 2 +- charts/codefresh/Chart.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/README.md b/README.md index a81db7735..b09c98415 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ## Codefresh On-Premises -![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) +![Version: 3.0.0-rc.1](https://img.shields.io/badge/Version-3.0.0--rc.1-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 5948880e8..88de7fb80 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Helm Chart for Codefresh On-Prem name: codefresh -version: 3.0.0 +version: 3.0.0-rc.1 keywords: - codefresh home: https://codefresh.io/ @@ -13,7 +13,7 @@ maintainers: url: https://codefresh-io.github.io/ appVersion: 3.0.0 annotations: - artifacthub.io/prerelease: "false" + artifacthub.io/prerelease: "true" artifacthub.io/alternativeName: "codefresh-onprem" artifacthub.io/containsSecurityUpdates: "true" # supported kinds are added, changed, deprecated, removed, fixed and security. From a6508765a8edff09de9685d8f87672d47d2348ff Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 12:55:56 +0300 Subject: [PATCH 13/15] onprem: 3.0 --- RELEASE.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/RELEASE.md b/RELEASE.md index af3dfcceb..cc3650c92 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -2,6 +2,30 @@ ## Releasing a new version +For a **MAJOR** or **MINOR** release: + +- Checkout from `main` branch +```shell +git checkout -b onprem-X.Y main +``` +- Merge latest `release-X.Y` into the new branch +```shell +git merge --no-ff release-X.Y +``` +- Resolve any merge conflicts. +- In `Chart.yaml`: + - Update `.version` and `.appVersion` + - For Codefresh dependencies (i.e. with `repository: oci://quay.io/codefresh/charts`) update version to use latest (i.e. `version: *`) + - Update `artifacthub.io/changes` annotation +- Update `values.yaml`, `templates/**`, etc with required changes +- Run `helm dep update` to update dependencies +- Run `./charts/codefresh/.ci/runtime-images.sh` +- Run `./scripts/helm-docs.sh` +- Commit changes and open the PR against the `main` branch +- Comment `/test` to trigger CI pipeline +- Merge the PR after successful CI build +- After merging the PR the corresponding `release-X.Y` branch will be created. For the next patches, `release-X.Y` branch must be used as BASE branch! + For a **PATCH** release: - Checkout from the corresponding `release-.` branch @@ -14,7 +38,7 @@ git checkout -b onprem-X.Y.Z release-X.Y - *optional* Update `values.yaml`, `templates/**`, etc with required changes - Run `helm dep update` to update dependencies - *optional* Run `./charts/codefresh/.ci/runtime-images.sh` -- Run `./charts/codefresh/.ci/helm-docs.sh` +- Run `./scripts/helm-docs.sh` - Commit changes and open the PR against the corresponding `release-.` branch - Comment `/test` to trigger CI pipeline - Merge the PR after successful CI build From be51dff51206dcee7fbc032413b6a4bb0c01da29 Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Wed, 3 Sep 2025 20:18:10 +0300 Subject: [PATCH 14/15] onprem: 3.0 --- charts/codefresh/Chart.lock | 42 ++++++++++++++++++------------------- charts/codefresh/Chart.yaml | 2 +- 2 files changed, 22 insertions(+), 22 deletions(-) 
diff --git a/charts/codefresh/Chart.lock b/charts/codefresh/Chart.lock index c36349be5..04e832213 100644 --- a/charts/codefresh/Chart.lock +++ b/charts/codefresh/Chart.lock 
@@ -61,58 +61,58 @@ dependencies: version: 1.15.0 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfapi repository: oci://quay.io/codefresh/charts - version: 21.291.8 + version: 21.291.10 - name: cfui repository: oci://quay.io/codefresh/charts version: 14.99.34 
@@ -127,7 +127,7 @@ dependencies: version: 1.14.0 - name: helm-repo-manager repository: oci://quay.io/codefresh/charts - version: 0.20.2 + version: 0.23.0 - name: hermes repository: oci://quay.io/codefresh/charts version: 0.21.21 @@ -164,5 +164,5 @@ dependencies: - name: salesforce-reporter repository: oci://quay.io/codefresh/charts version: 1.30.11 -digest: sha256:866a3afb20203f99718457d1c5fab7d578367570f501fbb3b73cad2af0e19d38 -generated: "2025-09-03T11:38:43.238346+03:00" +digest: sha256:d1695e2604961bf299ea44243a6fbf535d7109a87bfdc5fcdaf6f7d015b8206e +generated: "2025-09-03T19:27:21.888711+03:00" diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 88de7fb80..2605d3dd6 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -211,7 +211,7 @@ dependencies: repository: oci://quay.io/codefresh/charts condition: cf-broadcaster.enabled - name: helm-repo-manager - version: "0.20.2" + version: "*" repository: oci://quay.io/codefresh/charts condition: helm-repo-manager.enabled - name: hermes From 0a667f146b82a807e7bc5db20453434ff767522b Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Mon, 8 Sep 2025 11:14:37 +0300 Subject: [PATCH 15/15] wip: Mon Sep 8 11:14:37 +03 2025 --- README.md | 2 +- charts/codefresh/Chart.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b09c98415..2fff995f7 100644 --- a/README.md +++ b/README.md 
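Review bot: In the `@@ -211,7 +211,7 @@` hunk of charts/codefresh/Chart.yaml the `helm-repo-manager` dependency goes from the pinned `version: "0.20.2"` to `version: "*"`, so the chart no longer states which release of that subchart it was built and tested against. Chart.lock in this same patch resolves it to 0.23.0, but the lock only holds for `helm dependency build`. Any `helm dependency update` re-resolves the wildcard to the newest matching version in `oci://quay.io/codefresh/charts` at that moment and rewrites the lock, so the shipped on-prem chart follows the registry's state rather than a reviewed version. I would pin it to the locked release, `version: "0.23.0"`, and bump it deliberately in a reviewed change. The `dependencies:` list starts and continues outside the hunk.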
@@ -1,6 +1,6 @@ ## Codefresh On-Premises -![Version: 3.0.0-rc.1](https://img.shields.io/badge/Version-3.0.0--rc.1-informational?style=flat-square) ![AppVersion: 3.0.0](https://img.shields.io/badge/AppVersion-3.0.0-informational?style=flat-square) +![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. diff --git a/charts/codefresh/Chart.yaml b/charts/codefresh/Chart.yaml index 2605d3dd6..aa2f765fb 100644 --- a/charts/codefresh/Chart.yaml +++ b/charts/codefresh/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Helm Chart for Codefresh On-Prem name: codefresh -version: 3.0.0-rc.1 +version: 0.0.0 keywords: - codefresh home: https://codefresh.io/ @@ -11,7 +11,7 @@ sources: maintainers: - name: codefresh url: https://codefresh-io.github.io/ -appVersion: 3.0.0 +appVersion: 0.0.0 annotations: artifacthub.io/prerelease: "true" artifacthub.io/alternativeName: "codefresh-onprem"