onprem: 2.8.0-rc.3 (#67)

Author: mikhail-klimko

codefresh/.ci/values/mtls-mongodb-redis.yaml

@@ -1,6 +1,8 @@
 seed:
   mongoSeedJob:
     mongodbRootURI: mongodb://root:XT9nmM8dZDZ@cf-mongodb:27017/?authSource=admin
+    mongodbRootOptions: authSource=admin
+    mongodbRootPassword: XT9nmM8dZDZ
 
 global:
   appUrl: ""  # placeholder for ${CF_APP_HOST}
@@ -86,9 +88,9 @@ mongodb:
         mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB('${MONGODB_DATABASE}').createCollection('test')"
       done
 
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json
-      mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection idps --type json --legacy --file /usr/share/extras/idps.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection accounts --type json --legacy --file /usr/share/extras/accounts.json
+# mongoimport --uri ${MONGODB_ROOT_URI} --db codefresh --collection users --type json --legacy --file /usr/share/extras/users.json
 
   extraVolumeMounts:
     - name: extras

codefresh/Chart.lock

@@ -64,58 +64,58 @@ dependencies:
   version: 1.14.22
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfapi
   repository: oci://quay.io/codefresh/charts
-  version: 21.279.3
+  version: 21.279.4
 - name: cfui
   repository: oci://quay.io/codefresh/charts
   version: 14.98.27
@@ -167,5 +167,5 @@ dependencies:
 - name: salesforce-reporter
   repository: oci://quay.io/codefresh/charts
   version: 1.30.11
-digest: sha256:657e1a67d919daf178a83ddd81736519ea6bdc9a1c0bfb2364dad583586c1c1b
-generated: "2025-06-02T16:12:53.480633+03:00"
+digest: sha256:5cfbe090f3f9e0ebf2f99d898635689d1eae3812fb3fbced10651809cb176d13
+generated: "2025-06-04T16:15:07.062564+03:00"

codefresh/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Helm Chart for Codefresh On-Prem
 name: codefresh
-version: 2.8.0-rc.2
+version: 2.8.0-rc.3
 keywords:
   - codefresh
 home: https://codefresh.io/
@@ -19,11 +19,9 @@ annotations:
   # supported kinds are added, changed, deprecated, removed, fixed and security.
   artifacthub.io/changes: |
     - kind: fixed
-      description: "Fix dependencies version"
-    - kind: added
-      description: "(cf-api): Add ability to assign admin/platform permissions for user for specified group during sync"
+      description: "(cf-api): Fix internal feature-flags"
     - kind: fixed
-      description: "(platform-analytics/postgresql): Fix pg_partman configuration"
+      description: "Fix mongo-seed job with Mongo MTLS enabled"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts

codefresh/README.md

@@ -1,6 +1,6 @@
 ## Codefresh On-Premises
 
-![Version: 2.8.0-rc.2](https://img.shields.io/badge/Version-2.8.0--rc.2-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
+![Version: 2.8.0-rc.3](https://img.shields.io/badge/Version-2.8.0--rc.3-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes.
 
@@ -389,6 +389,18 @@ postgresql:
   enabled: false
 ```
 
+Provide the following env vars to enable SSL connection to Postgres:
+
+```yaml
+global:
+  env:
+    PGSSLMODE: "require"
+
+helm-repo-manager:
+  env:
+    POSTGRES_DISABLE_SSL: "false"
+```
+
 #### External Redis
 
 ```yaml
@@ -2589,6 +2601,8 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster
 | seed-e2e | object | `{"affinity":{},"backoffLimit":10,"enabled":false,"image":{"registry":"docker.io","repository":"mongo","tag":"latest"},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":300}` | CI |
 | seed.enabled | bool | `true` | Enable all seed jobs |
 | seed.mongoSeedJob | object | See below | Mongo Seed Job. Required at first install. Seeds the required data (default idp/user/account), creates cfuser and required databases. |
+| seed.mongoSeedJob.env | object | `{}` | Extra env variables for seed job. |
+| seed.mongoSeedJob.mongodbRootOptions | string | `""` | Extra options for connection string (e.g. `authSource=admin`). |
 | seed.mongoSeedJob.mongodbRootPassword | string | `"XT9nmM8dZD"` | Root password in plain text (required ONLY for seed job!). |
 | seed.mongoSeedJob.mongodbRootPasswordSecretKeyRef | object | `{}` | Root password from existing secret |
 | seed.mongoSeedJob.mongodbRootUser | string | `"root"` | Root user in plain text (required ONLY for seed job!). |

codefresh/README.md.gotmpl

@@ -391,6 +391,18 @@ postgresql:
   enabled: false
 ```
 
+Provide the following env vars to enable SSL connection to Postgres:
+
+```yaml
+global:
+  env:
+    PGSSLMODE: "require"
+
+helm-repo-manager:
+  env:
+    POSTGRES_DISABLE_SSL: "false"
+```
+
 #### External Redis
 
 ```yaml

codefresh/files/mongoSeedJobScript.sh

@@ -12,9 +12,12 @@ export MONGODB_ROOT_PASSWORD=...
 
 COMMENT
 
-# set -eou pipefail
+if [[ -n $DEBUG ]]; then
+    set -o xtrace
+fi
 
 ASSETS_PATH=${ASSETS_PATH:-/usr/share/extras/}
+MTLS_CERT_PATH=${MTLS_CERT_PATH:-/etc/ssl/mongodb/ca.pem}
 
 MONGODB_DATABASES=(
     "archive"
@@ -34,12 +37,12 @@ MONGODB_DATABASES=(
 )
 
 disableMongoTelemetry() {
-    mongosh --nodb --eval "disableTelemetry()"
+    mongosh --nodb --eval "disableTelemetry()" || true
 }
 
 waitForMongoDB() {
     while true; do
-        status=$(mongosh ${MONGODB_ROOT_URI} --eval "db.adminCommand('ping')" 2>&1)
+        status=$(mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.adminCommand('ping')" 2>&1)
 
         echo -e "MongoDB status:\n$status"
         if $(echo $status | grep 'ok: 1' -q); then
@@ -56,12 +59,23 @@ parseMongoURI() {
     local parameters="$(echo $1 | grep '?' | cut -d '?' -f2)"; if [[ -n $parameters ]]; then parameters="?${parameters}"; fi
     local url="$(echo ${1/$proto/})"
     local userpass="$(echo $url | grep @ | cut -d@ -f1)"
-    local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+    if [[ -z $userpass ]]; then
+        local hostport="$(echo $url | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGO_URI="$proto$hostport/${MONGODB_DATABASE}$parameters"
+    else
+        local hostport="$(echo $url | sed s/$userpass// | sed "s/\/\?$parameters//" | sed -re "s/\/\?|@//g" | sed 's/\/$//')"
+        MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
+        MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
+        MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
+    fi
+
+
+    if [[ -z $MONGODB_ROOT_OPTIONS ]]; then
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
+    else
+        MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin?${MONGODB_ROOT_OPTIONS}"
+    fi
 
-    MONGODB_PASSWORD="$(echo $userpass | grep : | cut -d: -f2)"
-    MONGODB_USER="$(echo $userpass | grep : | cut -d: -f1)"
-    MONGO_URI="$proto$userpass@$hostport/${MONGODB_DATABASE}$parameters"
-    MONGODB_ROOT_URI="$proto${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$hostport/admin$parameters"
 }
 
 getMongoVersion() {
@@ -82,6 +96,14 @@ setPacks() {
 
 parseMongoURI $MONGO_URI
 
+if [[ -s ${MTLS_CERT_PATH} ]]; then
+    MONGO_URI_EXTRA_PARAMS="--tls --tlsCertificateKeyFile ${MTLS_CERT_PATH} --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates"
+    MONGOIMPORT_EXTRA_PARAMS="--ssl --sslPEMKeyFile ${MTLS_CERT_PATH} --sslAllowInvalidHostnames --sslAllowInvalidCertificates"
+else
+    MONGO_URI_EXTRA_PARAMS=""
+    MONGOIMPORT_EXTRA_PARAMS=""
+fi
+
 disableMongoTelemetry
 
 waitForMongoDB
@@ -90,20 +112,20 @@ getMongoVersion
 
 for MONGODB_DATABASE in ${MONGODB_DATABASES[@]}; do
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").createUser({user: \"${MONGODB_USER}\", pwd: \"${MONGODB_PASSWORD}\", roles: [\"readWrite\"]})" 2>&1 || true
     waitForMongoDB
-    mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+    mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"${MONGODB_DATABASE}\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 done
 
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
-mongosh ${MONGODB_ROOT_URI} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"pipeline-manager\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").grantRolesToUser( \"${MONGODB_USER}\", [ { role: \"readWrite\", db: \"platform-analytics-postgres\" } ] )" 2>&1 || true
+mongosh ${MONGODB_ROOT_URI} ${MONGO_URI_EXTRA_PARAMS} --eval "db.getSiblingDB(\"codefresh\").changeUserPassword(\"${MONGODB_USER}\",\"${MONGODB_PASSWORD}\")" 2>&1 || true
 
 if [[ $DEVELOPMENT_CHART == "true" ]]; then
     setSystemAdmin
     setPacks
 fi
 
-mongoimport --uri ${MONGO_URI} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
-mongoimport --uri ${MONGO_URI} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
-mongoimport --uri ${MONGO_URI} --collection users --type json --legacy --file ${ASSETS_PATH}users.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection idps --type json --legacy --file ${ASSETS_PATH}idps.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection accounts --type json --legacy --file ${ASSETS_PATH}accounts.json
+mongoimport --uri ${MONGO_URI} ${MONGOIMPORT_EXTRA_PARAMS} --collection users --type json --legacy --file ${ASSETS_PATH}users.json

codefresh/files/postgresSeedJobScript.sh

@@ -1,6 +1,13 @@
 #!/bin/bash
 
-set -xeuo pipefail
+DEBUG="${DEBUG:-false}"
+
+set -euo pipefail
+
+if [[ $DEBUG == "true" ]]; then
+    set -xeuo pipefail
+    echo "Running in debug mode"
+fi
 
 POSTGRES_DATABASES=(
     "codefresh"
@@ -51,4 +58,4 @@ function runSeed() {
     done
 }
 
-runSeed
+runSeed

codefresh/templates/secrets/secret.yaml

@@ -17,8 +17,8 @@ data:
   MONGODB_PROTOCOL: {{ coalesce .Values.global.mongodbProtocol | default "mongodb" | b64enc }}
 
  # legacy MONGODB_* secrets
-  MONGODB_ROOT_USER: {{ coalesce .Values.global.mongodbRootUser .Values.seed.mongoSeedJob.mongodbRootUser | b64enc }}
-  MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.global.mongodbRootPassword .Values.seed.mongoSeedJob.mongodbRootPassword) | b64enc }}
+  MONGODB_ROOT_USER: {{ coalesce .Values.seed.mongoSeedJob.mongodbRootUser .Values.global.mongodbRootUser | b64enc }}
+  MONGODB_ROOT_PASSWORD: {{ urlquery (coalesce .Values.seed.mongoSeedJob.mongodbRootPassword .Values.global.mongodbRootPassword) | b64enc }}
   MONGO_URI: {{ .Values.global.mongoURI | default "empty" | b64enc}}
   MONGO_URI_RE_MANAGER: {{ include (printf "%s.classic.calculateMongoUri" $libTemplateName) (dict "dbName" "runtime-environment-manager" "mongoURI" .Values.global.mongoURI) | default "empty" | b64enc }}
   MONGODB_RE_DATABASE: {{ printf "%s" "runtime-environment-manager" | b64enc }}

codefresh/templates/seed/mongo-seed-job.yaml

@@ -52,8 +52,19 @@ spec:
           {{- include "codefresh.mongodb-root-user-env-var-value" . | indent 12 }}
           - name: MONGODB_ROOT_PASSWORD
           {{- include "codefresh.mongodb-root-password-env-var-value" . | indent 12 }}
+          - name: MONGODB_ROOT_OPTIONS
+            value: {{ .Values.seed.mongoSeedJob.mongodbRootOptions | quote }}
           - name: DEVELOPMENT_CHART
             value: {{ .Values.developmentChart | quote }}
+          {{- range $env, $val := .Values.seed.mongoSeedJob.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
+          {{- range $env, $val := .Values.global.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
+
         command:
           - "/bin/bash"
           - "-exc"

codefresh/templates/seed/postgres-seed-job.yaml

@@ -49,6 +49,10 @@ spec:
           {{- include "codefresh.postgres-seed-user-env-var-value" . | indent 12 }}
           - name: POSTGRES_SEED_PASSWORD
           {{- include "codefresh.postgres-seed-password-env-var-value" . | indent 12 }}
+          {{- range $env, $val := .Values.global.env }}
+          - name: {{ $env }}
+            value: {{ $val | quote }}
+          {{ end }}
         resources:
           {{- toYaml .Values.seed.resources | nindent 10 }}
         command:

codefresh/values.yaml

@@ -55,6 +55,11 @@ seed:
     #   name: my-secret
     #   key: mongodb-root-password
 
+    # -- Extra options for connection string (e.g. `authSource=admin`).
+    mongodbRootOptions: ""
+    # -- Extra env variables for seed job.
+    env: {}
+
   # -- Postgres Seed Job. Required at first install. Creates required user and databases.
   # @default -- See below
   postgresSeedJob: