diff --git a/codefresh/.ci/values/defaults-hpa.yaml b/codefresh/.ci/values/defaults.yaml
similarity index 96%
rename from codefresh/.ci/values/defaults-hpa.yaml
rename to codefresh/.ci/values/defaults.yaml
index 0c97b12b7..b80ffbbe4 100644
--- a/codefresh/.ci/values/defaults-hpa.yaml
+++ b/codefresh/.ci/values/defaults.yaml
@@ -22,7 +22,7 @@ cfapi:
ingress:
enabled: true
- ingressClassName: nginx-internal
+ ingressClassName: nginx
tls:
enabled: false
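Review bot: The new `ingressClassName: nginx` sits directly above a `tls:` block that still has `enabled: false`, so cfapi in this CI environment would be served over plain HTTP through whichever controller owns the `nginx` class. The old name `nginx-internal` suggests that the previous controller was reachable only from the internal network, though the diff does not show how either class is exposed. If `nginx` is the externally reachable class, either keep the internal one or turn on `tls.enabled` for this ingress. Otherwise add a comment above the key, for example `# public ingress class is intentional: <reason>`, so the exposure is a recorded decision and not a side effect of the file rename.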
diff --git a/codefresh/Chart.lock b/codefresh/Chart.lock
index dff3ca164..39379b357 100644
--- a/codefresh/Chart.lock
+++ b/codefresh/Chart.lock
@@ -40,7 +40,7 @@ dependencies:
version: 4.12.1
- name: cluster-providers
repository: oci://quay.io/codefresh/charts
- version: 1.17.15
+ version: 1.17.16
- name: kube-integration
repository: oci://quay.io/codefresh/charts
version: 1.31.19
@@ -167,5 +167,5 @@ dependencies:
- name: salesforce-reporter
repository: oci://quay.io/codefresh/charts
version: 1.30.11
-digest: sha256:95f0001ae40b171eef3adecbb31dbf3a89e8bb6e62cb9ce00e94106a18d0aa65
-generated: "2025-06-10T08:35:23.769105+03:00"
+digest: sha256:15c2385008ca0ad7f16ebef784e901c00fc78002d485832eb9bfa3242cc3726f
+generated: "2025-06-19T09:06:31.743012+03:00"
diff --git a/codefresh/Chart.yaml b/codefresh/Chart.yaml
index 1036fbc6a..265dfc961 100644
--- a/codefresh/Chart.yaml
+++ b/codefresh/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
description: Helm Chart for Codefresh On-Prem
name: codefresh
-version: 2.8.6
+version: 2.8.7
keywords:
- codefresh
home: https://codefresh.io/
@@ -18,8 +18,10 @@ annotations:
# artifacthub.io/containsSecurityUpdates: "true"
# supported kinds are added, changed, deprecated, removed, fixed and security.
artifacthub.io/changes: |
- - kind: added
- description: "Add pre-upgrade hook to enable stable feature flags in rabbitmq"
+ - kind: changed
+ description: "Improve PostgreSQL configuration documentation"
+ - kind: fixed
+ description: "Fix global image registry prefix for runtime images"
dependencies:
- name: cf-common
repository: oci://quay.io/codefresh/charts
diff --git a/codefresh/README.md b/codefresh/README.md
index 990c51dba..6c3374cc8 100644
--- a/codefresh/README.md
+++ b/codefresh/README.md
@@ -1,6 +1,6 @@
## Codefresh On-Premises
- 
+ 
Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes.
@@ -409,11 +409,14 @@ postgresql:
enabled: false
```
-Provide the following env vars to enable SSL connection to Postgres:
+##### Using SSL with a PostgreSQL
+
+Provide the following env vars to enforce SSL connection to PostgresSQL:
```yaml
global:
env:
+ # More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html
PGSSLMODE: "require"
helm-repo-manager:
@@ -421,6 +424,11 @@ helm-repo-manager:
POSTGRES_DISABLE_SSL: "false"
```
+> ⚠️ **Important!**
+> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.
+> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).
+> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs)
+
#### External Redis
```yaml
@@ -2177,6 +2185,10 @@ Default PostgreSQL image is changed from 13.x to 17.x
If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
+> ⚠️ **Important!**
+> The default SSL configuration may change on your provider's side when you upgrade.
+> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql)
+
⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers)
⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs:
diff --git a/codefresh/README.md.gotmpl b/codefresh/README.md.gotmpl
index 538c177d0..e9fbd1646 100644
--- a/codefresh/README.md.gotmpl
+++ b/codefresh/README.md.gotmpl
@@ -411,11 +411,14 @@ postgresql:
enabled: false
```
-Provide the following env vars to enable SSL connection to Postgres:
+##### Using SSL with a PostgreSQL
+
+Provide the following env vars to enforce SSL connection to PostgresSQL:
```yaml
global:
env:
+ # More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html
PGSSLMODE: "require"
helm-repo-manager:
@@ -423,6 +426,12 @@ helm-repo-manager:
POSTGRES_DISABLE_SSL: "false"
```
+> ⚠️ **Important!**
+> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.
+> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).
+> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs)
+
+
#### External Redis
```yaml
@@ -2186,6 +2195,10 @@ Default PostgreSQL image is changed from 13.x to 17.x
If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
+> ⚠️ **Important!**
+> The default SSL configuration may change on your provider's side when you upgrade.
+> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql)
+
⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers)
⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs:
diff --git a/codefresh/templates/_helpers.tpl b/codefresh/templates/_helpers.tpl
index b657b6742..05daf4aa0 100644
--- a/codefresh/templates/_helpers.tpl
+++ b/codefresh/templates/_helpers.tpl
@@ -55,7 +55,16 @@ Return runtime image (classic runtime) with private registry prefix
*/}}
{{- define "codefresh.buildImageName" -}}
{{- if .registry -}}
- {{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}}
+ {{- $imageName := .imageFullName -}}
+ {{- if hasPrefix "us-docker.pkg.dev/codefresh-inc/public-gcr-io/" $imageName }}
+ {{- $imageName = trimPrefix "us-docker.pkg.dev/codefresh-inc/public-gcr-io/" $imageName }}
+ {{- end }}
+ {{- if hasPrefix "quay.io/" $imageName }}
+ {{- $imageName = trimPrefix "quay.io/" $imageName }}
+ {{- end }}
+ {{- if hasPrefix "docker.io/" $imageName }}
+ {{- $imageName = trimPrefix "docker.io/" $imageName | replace "library" "codefresh" }}
+ {{- end }}
{{- printf "%s/%s" .registry $imageName -}}
{{- else -}}
{{- printf "%s" .imageFullName -}}
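Review bot: In the `docker.io/` branch, `replace "library" "codefresh"` rewrites every occurrence of `library` in the reference, not only the leading `library/` namespace, so a repository or tag that merely contains that word would map to a different image name in the private registry than the one that was mirrored. Anchoring the rewrite keeps the mapping predictable: `{{- $imageName = regexReplaceAll "^library/" (trimPrefix "docker.io/" $imageName) "codefresh/" }}`. The three `hasPrefix` guards also chain, so a name that still starts with `quay.io/` or `docker.io/` after an earlier trim is stripped a second time; an `else if` chain would make each reference match exactly one rule. A short addition to the helper's doc comment listing the stripped prefixes and the `library` to `codefresh` mapping would help operators who mirror images. The `define` block closes outside this hunk.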
diff --git a/codefresh/templates/configmaps/runtimeEnvironments.json.tpl b/codefresh/templates/configmaps/runtimeEnvironments.json.tpl
index cf88a3a7f..d52b9ad55 100644
--- a/codefresh/templates/configmaps/runtimeEnvironments.json.tpl
+++ b/codefresh/templates/configmaps/runtimeEnvironments.json.tpl
@@ -29,7 +29,7 @@
"inCluster": true,
"namespace": "{{ .Release.Namespace }}"
},
- "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
+ "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
"command": [
"npm",
"run",
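Review bot: Every `registry` argument now reads only `.Values.global.imageRegistry`, here and in the hunks at -45, -109, -121 and -170, and the helper prints the unmodified `imageFullName` when that value is empty. An installation whose values still set only `global.dockerRegistry` would therefore render runtime image names without the private prefix, and builds would pull from the public registries instead of the mirror. Whether `global.dockerRegistry` is still a supported key is not visible in this diff; if it is, a fallback keeps existing installs on their mirror: `(dict "registry" (coalesce .Values.global.imageRegistry .Values.global.dockerRegistry) "imageFullName" .Values.runtimeImages.ENGINE_IMAGE)`. Otherwise the changelog entry should name the key operators have to set.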
@@ -45,19 +45,19 @@
"RUNTIME_ADDITIONAL_INTERNAL_REGISTRIES_JSON": "/etc/admin/additional-internal-registries.json",
"LOGGER_LEVEL": "debug",
"NODE_ENV": "kubernetes",
- "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
- "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
- "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
- "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
- "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
- "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
- "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
- "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
- "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
- "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
- "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
- "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
- "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
+ "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
+ "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
+ "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
+ "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
+ "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
+ "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
+ "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
+ "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
+ "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
+ "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
+ "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
+ "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
+ "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
"NODE_TLS_REJECT_UNAUTHORIZED": "0"
},
"volumeMounts": {
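Review bot: The env block that receives the rewritten image names still ends with `"NODE_TLS_REJECT_UNAUTHORIZED": "0"` (also in the hunk at -121), which disables certificate verification for the Node.js process's outbound TLS connections. The line is context, not part of this change, but now that the images are resolved against a private registry it is worth deciding whether verification can be restored by trusting the private CA instead of switching the check off. If the setting has to stay, rendering it from a values flag that defaults to verification enabled would limit it to the installs that need it.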
@@ -109,7 +109,7 @@
},
"description": "System hybrid runtime environment for kubernetes",
"runtimeScheduler": {
- "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
+ "image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
"command": [
"npm",
"run",
@@ -121,19 +121,19 @@
"LOGGER_LEVEL": "debug",
"NODE_ENV": "kubernetes",
"METRICS_CODEFRESH_ENABLED": "true",
- "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
- "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
- "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
- "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
- "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
- "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
- "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
- "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
- "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
- "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
- "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
- "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
- "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
+ "DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
+ "DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
+ "DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
+ "CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
+ "GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
+ "DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
+ "FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
+ "COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
+ "KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
+ "TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
+ "PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
+ "CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
+ "GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
"NO_EXT_MONITOR": "true",
"DISABLE_WORKSPACE_CACHE": "true",
"NODE_TLS_REJECT_UNAUTHORIZED": "0",
@@ -170,7 +170,7 @@
"cluster": {
"namespace": "{{ .Release.Namespace }}"
},
- "dindImage": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DIND_IMAGE) }}",
+ "dindImage": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DIND_IMAGE) }}",
"defaultDindResources": {
"requests": {
"cpu": "390m",
@@ -267,6 +267,6 @@
"extends": [
"system/default"
]
- }
+ }
]
{{- end -}}