diff --git a/codefresh/Chart.lock b/codefresh/Chart.lock index f33e781fb..e492fbeeb 100644 --- a/codefresh/Chart.lock +++ b/codefresh/Chart.lock @@ -121,13 +121,13 @@ dependencies: version: 14.97.50 - name: k8s-monitor repository: oci://quay.io/codefresh/charts - version: 4.11.13 + version: 4.11.14 - name: runtime-environment-manager repository: oci://quay.io/codefresh/charts version: 3.39.4 - name: cf-broadcaster repository: oci://quay.io/codefresh/charts - version: 1.12.22 + version: 1.13.0 - name: helm-repo-manager repository: oci://quay.io/codefresh/charts version: 0.20.2 @@ -142,10 +142,10 @@ dependencies: version: 0.8.10 - name: cf-platform-analytics repository: oci://quay.io/codefresh/charts - version: 0.49.85 + version: 0.49.86 - name: cf-platform-analytics repository: oci://quay.io/codefresh/charts - version: 0.49.85 + version: 0.49.86 - name: argo-platform repository: oci://quay.io/codefresh/charts version: 1.3344.0-onprem-5c8af92 @@ -170,5 +170,5 @@ dependencies: - name: onboarding-status repository: oci://quay.io/codefresh/charts version: 1.8.8 -digest: sha256:2ebb0041093b91a6e3aa653e7a1730f208a7f7cc67b5e295fee67d07e3b592c5 -generated: "2025-04-16T07:13:53.947555+03:00" +digest: sha256:6a3903f52d8a056d7d95f295ca3303f62ceb32532be77795a4703147a4cbb9b5 +generated: "2025-04-30T11:54:17.265065+03:00" diff --git a/codefresh/Chart.yaml b/codefresh/Chart.yaml index db3c511bb..8229842e8 100644 --- a/codefresh/Chart.yaml +++ b/codefresh/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Helm Chart for Codefresh On-Prem name: codefresh -version: 2.7.9 +version: 2.7.10 keywords: - codefresh home: https://codefresh.io/ 
@@ -18,8 +18,12 @@ annotations: artifacthub.io/containsSecurityUpdates: "true" # supported kinds are added, changed, deprecated, removed, fixed and security. artifacthub.io/changes: | + - kind: fixed + description: "Remove duplicated cf-codefresh-registry imagePullSecret secret from workloads" - kind: security - description: "Contains security updates" + description: "Misc security updates" + - kind: fixed + description: "Fix mongoimport in mongo-seed job" dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts diff --git a/codefresh/README.md b/codefresh/README.md index 69f659075..aafa22f75 100644 --- a/codefresh/README.md +++ b/codefresh/README.md @@ -1,6 +1,6 @@ ## Codefresh On-Premises -![Version: 2.7.9](https://img.shields.io/badge/Version-2.7.9-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square) +![Version: 2.7.10](https://img.shields.io/badge/Version-2.7.10-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square) Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes. 
@@ -2132,15 +2132,15 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | argo-platform.runtime-monitor | object | See below | runtime-monitor Don't enable! Not used in onprem! | | argo-platform.ui | object | See below | ui | | argo-platform.useExternalSecret | bool | `false` | Use regular k8s secret object. Keep `false`! | -| builder | object | `{"affinity":{},"container":{"image":{"registry":"docker.io","repository":"library/docker","tag":"28.0-dind"}},"enabled":true,"initContainers":{"register":{"image":{"registry":"quay.io","repository":"codefresh/curl","tag":"8.11.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | +| builder | object | `{"affinity":{},"container":{"image":{"registry":"docker.io","repository":"library/docker","tag":"28.0-dind"}},"enabled":true,"imagePullSecrets":[],"initContainers":{"register":{"image":{"registry":"quay.io","repository":"codefresh/curl","tag":"8.11.1"}}},"nodeSelector":{},"podSecurityContext":{},"resources":{},"tolerations":[]}` | builder | | cf-broadcaster | object | See below | broadcaster | | cf-oidc-provider | object | See below | cf-oidc-provider | | cf-platform-analytics-etlstarter | object | See below | etl-starter | | cf-platform-analytics-etlstarter.redis.enabled | bool | `false` | Disable redis subchart | | cf-platform-analytics-etlstarter.system-etl-postgres | object | `{"container":{"env":{"BLUE_GREEN_ENABLED":true}},"controller":{"cronjob":{"ttlSecondsAfterFinished":300}},"enabled":true}` | Only postgres ETL should be running in onprem | | cf-platform-analytics-platform | object | See below | platform-analytics | -| cfapi | object | `{"affinity":{},"container":{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol 
}}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}},"controller":{"replicas":2},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70},"nodeSelector":{},"pdb":{"enabled":false,"minAvailable":"50%"},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}},"secrets":{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}},"tolerations":[]}` | cf-api | -| cfapi-internal.<<.affinity | object | `{}` | | +| cfapi | object | `{"affinity":{},"container":{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}},"controller":{"replicas":2},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":70},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false,"minAvailable":"50%"},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}},"secrets":{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId 
}}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}},"tolerations":[]}` | cf-api | +| cfapi-internal.<<.affinity | object | `{}` | Affinity configuration | | cfapi-internal.<<.container | object | `{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}}` | Container configuration | | cfapi-internal.<<.container.env | object | See below | Env vars | | cfapi-internal.<<.container.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}` | Image | 
@@ -2154,18 +2154,17 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | cfapi-internal.<<.hpa.maxReplicas | int | `10` | Maximum number of replicas | | cfapi-internal.<<.hpa.minReplicas | int | `2` | Minimum number of replicas | | cfapi-internal.<<.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | -| cfapi-internal.<<.nodeSelector | object | `{}` | | +| cfapi-internal.<<.imagePullSecrets | list | `[]` | Image pull secrets | +| cfapi-internal.<<.nodeSelector | object | `{}` | Node selector configuration | | cfapi-internal.<<.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | | cfapi-internal.<<.pdb.enabled | bool | `false` | Enable PDB | | cfapi-internal.<<.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | -| cfapi-internal.<<.podSecurityContext | object | `{}` | | +| cfapi-internal.<<.podSecurityContext | object | `{}` | Pod security context configuration | | cfapi-internal.<<.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource requests and limits | -| cfapi-internal.<<.secrets.secret.enabled | bool | `true` | | -| cfapi-internal.<<.secrets.secret.stringData.OIDC_PROVIDER_CLIENT_ID | string | `"{{ .Values.global.oidcProviderClientId }}"` | | -| cfapi-internal.<<.secrets.secret.stringData.OIDC_PROVIDER_CLIENT_SECRET | string | `"{{ .Values.global.oidcProviderClientSecret }}"` | | -| cfapi-internal.<<.secrets.secret.type | string | `"Opaque"` | | -| cfapi-internal.<<.tolerations | list | `[]` | | +| cfapi-internal.<<.secrets | object | `{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}}` | Secrets configuration | +| cfapi-internal.<<.tolerations | list | `[]` | Tolerations configuration | | cfapi-internal.enabled | bool | `false` | 
| +| cfapi.affinity | object | `{}` | Affinity configuration | | cfapi.container | object | `{"env":{"AUDIT_AUTO_CREATE_DB":true,"DEFAULT_SYSTEM_TYPE":"PROJECT_ONE","GITHUB_API_PATH_PREFIX":"/api/v3","LOGGER_LEVEL":"debug","OIDC_PROVIDER_PORT":"{{ .Values.global.oidcProviderPort }}","OIDC_PROVIDER_PROTOCOL":"{{ .Values.global.oidcProviderProtocol }}","OIDC_PROVIDER_TOKEN_ENDPOINT":"{{ .Values.global.oidcProviderTokenEndpoint }}","OIDC_PROVIDER_URI":"{{ .Values.global.oidcProviderService }}","ON_PREMISE":true,"RUNTIME_MONGO_DB":"codefresh","RUNTIME_REDIS_DB":0},"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}}` | Container configuration | | cfapi.container.env | object | See below | Env vars | | cfapi.container.image | object | `{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/cf-api"}` | Image | 
@@ -2179,10 +2178,15 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | cfapi.hpa.maxReplicas | int | `10` | Maximum number of replicas | | cfapi.hpa.minReplicas | int | `2` | Minimum number of replicas | | cfapi.hpa.targetCPUUtilizationPercentage | int | `70` | Average CPU utilization percentage | +| cfapi.imagePullSecrets | list | `[]` | Image pull secrets | +| cfapi.nodeSelector | object | `{}` | Node selector configuration | | cfapi.pdb | object | `{"enabled":false,"minAvailable":"50%"}` | Pod disruption budget configuration | | cfapi.pdb.enabled | bool | `false` | Enable PDB | | cfapi.pdb.minAvailable | string | `"50%"` | Minimum number of replicas in percentage | +| cfapi.podSecurityContext | object | `{}` | Pod security context configuration | | cfapi.resources | object | `{"limits":{},"requests":{"cpu":"200m","memory":"256Mi"}}` | Resource requests and limits | +| cfapi.secrets | object | `{"secret":{"enabled":true,"stringData":{"OIDC_PROVIDER_CLIENT_ID":"{{ .Values.global.oidcProviderClientId }}","OIDC_PROVIDER_CLIENT_SECRET":"{{ .Values.global.oidcProviderClientSecret }}"},"type":"Opaque"}}` | Secrets configuration | +| cfapi.tolerations | list | `[]` | Tolerations configuration | | cfsign | object | See below | tls-sign | | cfui | object | See below | cf-ui | | charts-manager | object | See below | charts-manager | 
@@ -2337,5 +2341,5 @@ After platform upgrade, Consul fails with the error `refusing to rejoin cluster | seed.postgresSeedJob.postgresUser | optional | `""` | "postgres" admin user in plain text (required ONLY for seed job!) Must be a privileged user allowed to create databases and grant roles. If omitted, username and password from `.Values.global.postgresUser/postgresPassword` will be used. | | seed.postgresSeedJob.postgresUserSecretKeyRef | optional | `{}` | "postgres" admin user from exising secret | | segment-reporter.enabled | bool | `false` | | -| tasker-kubernetes | object | `{"affinity":{},"container":{"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/tasker-kubernetes"}},"enabled":true,"hpa":{"enabled":false},"nodeSelector":{},"pdb":{"enabled":false},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}` | tasker-kubernetes | +| tasker-kubernetes | object | `{"affinity":{},"container":{"image":{"registry":"us-docker.pkg.dev/codefresh-enterprise/gcr.io","repository":"codefresh/tasker-kubernetes"}},"enabled":true,"hpa":{"enabled":false},"imagePullSecrets":[],"nodeSelector":{},"pdb":{"enabled":false},"podSecurityContext":{},"resources":{"limits":{},"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}` | tasker-kubernetes | | webTLS | object | `{"cert":"","enabled":false,"key":"","secretName":"star.codefresh.io"}` | DEPRECATED - Use `.Values.ingress.tls` instead TLS secret for Ingress | diff --git a/codefresh/values.yaml b/codefresh/values.yaml index 5d66e8d4e..14ffd7592 100644 --- a/codefresh/values.yaml +++ b/codefresh/values.yaml @@ -36,7 +36,7 @@ seed: image: registry: quay.io repository: codefresh/mongosh - tag: 2.4.2 + tag: 2.5.0 # -- Root user in plain text (required ONLY for seed job!). mongodbRootUser: "root" # -- Root user from existing secret 
@@ -441,7 +441,7 @@ hooks: image: registry: quay.io repository: codefresh/mongosh - tag: 2.4.2 + tag: 2.5.0 affinity: {} nodeSelector: {} podSecurityContext: {} @@ -494,6 +494,8 @@ runtimeImages: cfapi: &cf-api # -- Enable cf-api enabled: true + # -- Image pull secrets + imagePullSecrets: [] # -- Controller configuration controller: # -- Replicas number @@ -520,6 +522,7 @@ cfapi: &cf-api OIDC_PROVIDER_PROTOCOL: '{{ .Values.global.oidcProviderProtocol }}' OIDC_PROVIDER_TOKEN_ENDPOINT: '{{ .Values.global.oidcProviderTokenEndpoint }}' DEFAULT_SYSTEM_TYPE: PROJECT_ONE + # -- Secrets configuration secrets: secret: enabled: true @@ -527,7 +530,6 @@ cfapi: &cf-api stringData: OIDC_PROVIDER_CLIENT_ID: '{{ .Values.global.oidcProviderClientId }}' OIDC_PROVIDER_CLIENT_SECRET: '{{ .Values.global.oidcProviderClientSecret }}' - # -- Resource requests and limits resources: requests: @@ -550,9 +552,13 @@ cfapi: &cf-api enabled: false # -- Minimum number of replicas in percentage minAvailable: "50%" + # -- Affinity configuration affinity: {} + # -- Node selector configuration nodeSelector: {} + # -- Pod security context configuration podSecurityContext: {} + # -- Tolerations configuration tolerations: [] # cfapi roles @@ -659,6 +665,7 @@ internal-gateway: # @default -- See below cf-broadcaster: enabled: true + imagePullSecrets: [] controller: replicas: 3 container: @@ -690,6 +697,7 @@ cf-platform-analytics-etlstarter: redis: # -- Disable redis subchart enabled: false + imagePullSecrets: [] controller: # - Disable default deployment controller enabled: false @@ -726,6 +734,7 @@ cf-platform-analytics-etlstarter: cf-platform-analytics-platform: nameOverride: platform-analytics mongodbDatabase: "platform-analytics-postgres" + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io 
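Review bot: The `imagePullSecrets: []` key added under `cf-broadcaster` (hunk at -659) has no helm-docs comment, while the same key under `cfapi` in the hunk at -494 is introduced with `# -- Image pull secrets`. The same gap applies to the other one-line additions in this file, from `cf-platform-analytics-etlstarter` through `tasker-kubernetes`. Because these lists decide which registry credentials a pod may use, I would state the expected entry form on each, e.g. `# -- Image pull secrets (names of existing registry Secrets in the release namespace)`. The removed `- '{{ .Release.Name }}-registry'` line in the last hunk suggests entries are plain, templatable Secret names, but that should be confirmed against the subchart templates, which are not part of this diff. Each of these mappings continues outside its hunk.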
@@ -755,6 +764,7 @@ cf-platform-analytics-platform: # @default -- See below cfsign: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -794,6 +804,7 @@ cfsign: # @default -- See below cfui: enabled: true + imagePullSecrets: [] controller: replicas: 2 container: @@ -820,6 +831,7 @@ cfui: # @default -- See below charts-manager: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -842,6 +854,7 @@ charts-manager: # @default -- See below cluster-providers: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -875,6 +888,7 @@ consul: # @default -- See below context-manager: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -897,6 +911,7 @@ context-manager: # @default -- See below cronus: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -910,6 +925,7 @@ cronus: # @default -- See below gitops-dashboard-manager: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -932,6 +948,7 @@ gitops-dashboard-manager: # @default -- See below helm-repo-manager: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -962,6 +979,7 @@ helm-repo-manager: # -- hermes # @default -- See below hermes: + imagePullSecrets: [] controller: replicas: 1 container: @@ -1012,6 +1030,7 @@ ingress-nginx: # @default -- See below k8s-monitor: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -1034,6 +1053,7 @@ k8s-monitor: # @default -- See below kube-integration: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io 
@@ -1089,6 +1109,7 @@ nats: # @default -- See below nomios: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -1207,6 +1228,7 @@ rabbitmq: # -- builder builder: enabled: true + imagePullSecrets: [] initContainers: register: image: @@ -1228,6 +1250,7 @@ builder: # @default -- See below runner: enabled: true + imagePullSecrets: [] initContainers: register: image: @@ -1249,6 +1272,7 @@ runner: # @default -- See below pipeline-manager: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -1271,6 +1295,7 @@ pipeline-manager: # @default -- See below runtime-environment-manager: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -1294,6 +1319,7 @@ runtime-environment-manager: # -- tasker-kubernetes tasker-kubernetes: enabled: true + imagePullSecrets: [] container: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io @@ -1322,8 +1348,7 @@ argo-hub-platform: image: registry: us-docker.pkg.dev/codefresh-enterprise/gcr.io repository: codefresh-io/argo-hub-platform - imagePullSecrets: - - '{{ .Release.Name }}-registry' + imagePullSecrets: [] resources: requests: cpu: 100m
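Review bot: In the `argo-hub-platform` hunk the default changes from an explicit `'{{ .Release.Name }}-registry'` entry to `imagePullSecrets: []`, so pulls from `us-docker.pkg.dev/codefresh-enterprise/gcr.io` now depend on the registry secret being attached by a path this diff does not show. The changelog entry calls the old entry a duplicate, which implies such a path exists. It is still worth confirming with a `helm template` render that the pod spec carries the registry secret exactly once, since a missing secret would surface only as an image pull failure after upgrade. I would also record the dependency on the key itself, e.g. `# -- Additional image pull secrets; the release registry secret is attached separately (confirm source)`. The `argo-hub-platform` mapping starts and ends outside the hunk.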