From 972b8956c5a111a396026b2a0cb2ddf73053e10c Mon Sep 17 00:00:00 2001 From: Subrat kumar gantayat <66821171+sgantaya@users.noreply.github.com> Date: Mon, 27 Jan 2025 11:17:49 +0530 Subject: [PATCH] Publishing Tibco developer hub 1.4.0 Charts. (#162) --- charts/tibco-developer-hub/Chart.yaml | 4 +- .../charts/postgresql/Chart.lock | 6 -- .../templates/primary/statefulset.yaml | 4 +- .../templates/_helpers.tpl | 16 ++- .../templates/backstage-deployment.yaml | 101 ++++++++++++++---- .../templates/fluentbit-configmap.yaml | 7 +- .../templates/ingress_public_traefik.yaml | 4 + ...ell-known-configuration-ingress-nginx.yaml | 14 +-- charts/tibco-developer-hub/values.yaml | 91 ++++++++++++++-- charts/tp-cp-tibcohub-contrib/Chart.yaml | 4 +- .../templates/_helpers.tpl | 8 +- .../tp-cp-tibcohub-contrib/templates/job.yaml | 24 ++++- charts/tp-cp-tibcohub-contrib/values.yaml | 26 ++++- charts/tp-cp-tibcohub-recipes/Chart.yaml | 4 +- .../templates/_helpers.tpl | 6 +- .../templates/tibcohub.yaml | 21 ++-- charts/tp-cp-tibcohub-recipes/values.yaml | 28 ++++- 17 files changed, 296 insertions(+), 72 deletions(-) delete mode 100644 charts/tibco-developer-hub/charts/postgresql/Chart.lock diff --git a/charts/tibco-developer-hub/Chart.yaml b/charts/tibco-developer-hub/Chart.yaml index 9a304f11..03483fe2 100644 --- a/charts/tibco-developer-hub/Chart.yaml +++ b/charts/tibco-developer-hub/Chart.yaml @@ -6,9 +6,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.3.18 +version: 1.4.21 -appVersion: "1.3.0" +appVersion: "1.4.0" dependencies: - name: common diff --git a/charts/tibco-developer-hub/charts/postgresql/Chart.lock b/charts/tibco-developer-hub/charts/postgresql/Chart.lock deleted file mode 100644 index 56462df8..00000000 
--- a/charts/tibco-developer-hub/charts/postgresql/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: file://../common - version: 2.13.3 -digest: sha256:0f3d4f2cb13b9f1a620557909ac4199dce04d1298c4f59cddfa009b888e1534f -generated: "2023-11-01T12:43:17.8195971+05:30" diff --git a/charts/tibco-developer-hub/charts/postgresql/templates/primary/statefulset.yaml b/charts/tibco-developer-hub/charts/postgresql/templates/primary/statefulset.yaml index 3fd77f4a..19f1780a 100644 --- a/charts/tibco-developer-hub/charts/postgresql/templates/primary/statefulset.yaml +++ b/charts/tibco-developer-hub/charts/postgresql/templates/primary/statefulset.yaml @@ -94,7 +94,7 @@ spec: - name: copy-certs image: {{ include "postgresql.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.primary.resources }} + {{- if and ( .Values.primary.resources ) ( .Values.global.cp.enableResourceConstraints ) }} resources: {{- toYaml .Values.primary.resources | nindent 12 }} {{- end }} # We don't require a privileged container in this case @@ -427,7 +427,7 @@ spec: {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} {{- end }} {{- end }} - {{- if .Values.primary.resources }} + {{- if and ( .Values.primary.resources ) ( .Values.global.cp.enableResourceConstraints ) }} resources: {{- toYaml .Values.primary.resources | nindent 12 }} {{- end }} {{- if .Values.primary.lifecycleHooks }} diff --git a/charts/tibco-developer-hub/templates/_helpers.tpl b/charts/tibco-developer-hub/templates/_helpers.tpl index a99f7a0f..65f3a08c 100644 --- a/charts/tibco-developer-hub/templates/_helpers.tpl +++ b/charts/tibco-developer-hub/templates/_helpers.tpl 
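Review bot: Both statefulset hunks dereference `.Values.global.cp.enableResourceConstraints` unguarded inside the postgresql subchart, so a render where `global.cp` is absent or nil fails with a nil-pointer error instead of simply skipping the resources block. The parent deployment in this same commit already uses the nil-safe form `(.Values.global.cp).cpHostname`; the same shape here would be `{{- if and .Values.primary.resources (.Values.global.cp).enableResourceConstraints }}`. The same applies to the second hunk at `@@ -427,7 +427,7 @@`. Both enclosing container specs continue outside the hunks.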
@@ -12,11 +12,25 @@ Return the proper image name {{- .Values.global.cp.containerRegistry.url }} {{- end -}} -{{/* set repository based on the registry url. We will have different repo for each one. */}} {{- define "backstage.image.repository" -}} {{- .Values.global.cp.containerRegistry.repository }} {{- end -}} +{{- define "backstage.image.backend-registry" }} + {{- if and (.Values.backstage.image.registry) (.Values.backstage.image.repository) -}} + {{- .Values.backstage.image.registry }} + {{- else -}} + {{- .Values.global.cp.containerRegistry.url }} + {{- end -}} +{{- end -}} + +{{- define "backstage.image.backend-repository" -}} + {{- if and (.Values.backstage.image.registry) (.Values.backstage.image.repository) -}} + {{- .Values.backstage.image.repository }} + {{- else -}} + {{- printf "%s/%s" .Values.global.cp.containerRegistry.repository .Values.backstage.image.name }} + {{- end -}} +{{- end -}} {{- define "postgresql.image" -}} {{ include "backstage.image.registry" .}}{{"/"}}{{ include "backstage.image.repository" .}}{{"/"}}{{ .Values.image.name }}:{{ .Values.image.tag }} diff --git a/charts/tibco-developer-hub/templates/backstage-deployment.yaml b/charts/tibco-developer-hub/templates/backstage-deployment.yaml index 9a895693..b768aeff 100644 --- a/charts/tibco-developer-hub/templates/backstage-deployment.yaml +++ b/charts/tibco-developer-hub/templates/backstage-deployment.yaml @@ -3,6 +3,7 @@ # in the license file that is distributed with this file. {{- $installDir := .Values.backstage.installDir -}} +{{ $cpHostname := (.Values.global.cp).cpHostname | required ".Values.global.cp.cpHostname is required." }} --- apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment 
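Review bot: The two new helpers only honour `backstage.image.registry`/`repository` when both are set, and the fallback branch appends `.Values.backstage.image.name` while the override branch does not, so an override `repository` must already contain the image name; neither the helpers nor the new `registry: ""`/`repository: ""` keys in the values.yaml hunk `@@ -115,10 +135,13 @@` say so. A comment above those keys such as `# Optional override for the backend image: set both together, and give repository the full path including the image name; otherwise the control-plane registry/repository are used` would stop a half-set override from silently falling back. Also `{{- define "backstage.image.backend-registry" }}` lacks the trailing `-}}` its sibling define uses; harmless since the next action trims it, but inconsistent.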
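Review bot: `{{ $cpHostname := … }}` is written without whitespace trimming, unlike `{{- $installDir := … -}}` on the line above, so the rendered manifest starts with a blank line before `---`. Writing it as `{{- $cpHostname := (.Values.global.cp).cpHostname | required ".Values.global.cp.cpHostname is required." -}}` matches the sibling and avoids it. The `required` guard itself is a good addition.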
@@ -62,15 +63,19 @@ spec: configMap: name: backstage-app-config {{- end }} + - name: logs + emptyDir: {} + - name: techdoc + emptyDir: {} + - name: db + emptyDir: {} + {{- if .Values.global.cp.cpCertificateSecret }} + - name: cp-certs + secret: + defaultMode: 420 + secretName: {{ .Values.global.cp.cpCertificateSecret }} + {{- end }} {{- if .Values.global.cp.logging.fluentbit.enabled }} - - name: podlogs - hostPath: - path: /var/log/pods - type: Directory - - name: dockercontainerlogs - hostPath: - path: /var/lib/docker/containers - type: DirectoryOrCreate - name: config-volume configMap: name: tibco-developer-hub-fluentbit-config @@ -92,12 +97,22 @@ spec: command: ['sh', '-c', 'until pg_isready -U {{ .Values.postgresql.auth.username }} -h {{ include "backstage.postgresql.host" . }} -p 5432; do echo waiting for database; sleep 2; done;'] + {{- if .Values.global.cp.enableResourceConstraints }} + {{- if .Values.appInit.resources }} + resources: + {{- toYaml .Values.appInit.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.appInit.securityContext }} + securityContext: + {{- toYaml .Values.appInit.securityContext | nindent 12 }} + {{- end }} {{- if .Values.backstage.initContainers }} {{- include "common.tplvalues.render" ( dict "value" .Values.backstage.initContainers "context" $) | nindent 8 }} {{- end }} containers: - name: backstage-backend - image: {{ include "backstage.image.registry" .}}{{"/"}}{{ include "backstage.image.repository" .}}{{"/"}}{{ .Values.backstage.image.name }}:{{ .Values.backstage.image.tag }} + image: {{ include "backstage.image.backend-registry" .}}{{"/"}}{{ include "backstage.image.backend-repository" .}}:{{ .Values.backstage.image.tag }} imagePullPolicy: {{ .Values.backstage.image.pullPolicy | quote -}} {{- if .Values.backstage.containerSecurityContext }} securityContext: 
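Review bot: The three new `emptyDir: {}` volumes (`logs`, `techdoc`, `db`) carry no `sizeLimit`, so now that the backend root filesystem is read-only, everything it writes under `/tmp` and the techdocs path lands on node ephemeral storage with no cap. The contrib job in this same commit gives its temp volume `sizeLimit: 500Mi`; the same form here, `emptyDir:` / `  sizeLimit: <size-placeholder>`, would be consistent and bound the blast radius of a runaway log or docs build. Replacing the old `hostPath` mounts with these volumes is the right direction. The pod spec continues outside the hunk.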
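Review bot: The nested `{{- if .Values.global.cp.enableResourceConstraints }}` / `{{- if .Values.appInit.resources }}` pair differs from the `with` form the same commit uses for the fluentbit sidecar; `{{- with .Values.appInit.resources }}` / `resources:` / `{{- toYaml . | nindent 12 }}` keeps the two blocks parallel. The init container's command also interpolates `.Values.postgresql.auth.username` unquoted into a `sh -c` string; that is pre-existing, but while this block is being touched it is worth quoting or validating the value, since shell metacharacters in it would alter the command. The init container continues outside the hunk.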
@@ -133,8 +148,9 @@ spec: - "{{ $installDir }}/app-config-from-configmap.yaml" {{- end }} {{- end }} - {{- if .Values.backstage.resources }} - resources: {{- include "common.tplvalues.render" (dict "value" .Values.backstage.resources "context" $) | nindent 12 }} + {{- if .Values.global.cp.enableResourceConstraints }} + resources: + {{- toYaml .Values.resources | nindent 12 }} {{- end }} {{- if or .Values.backstage.extraEnvVarsSecrets .Values.backstage.appEnvSecrets }} envFrom: @@ -170,6 +186,8 @@ spec: env: - name: APP_CONFIG_backend_listen_port value: {{ .Values.backstage.containerPorts.backend | quote }} + - name: CP_URL + value: {{ $cpHostname }} {{- if .Values.postgresql.enabled }} - name: POSTGRES_HOST value: {{ include "backstage.postgresql.host" . }} @@ -204,8 +222,16 @@ spec: - name: backend containerPort: {{ .Values.backstage.containerPorts.backend }} protocol: TCP - {{- if (or .Values.backstage.extraAppConfig .Values.backstage.appConfig (and .Values.backstage.extraVolumeMounts .Values.backstage.extraVolumes)) }} volumeMounts: + - mountPath: /app/node_modules/@backstage/plugin-techdocs-backend/static/docs + name: techdoc + - name: logs + mountPath: /tmp + {{- if .Values.global.cp.cpCertificateSecret }} + - name: cp-certs + mountPath: /etc/ssl/custom-certs + {{- end }} + {{- if (or .Values.backstage.extraAppConfig .Values.backstage.appConfig (and .Values.backstage.extraVolumeMounts .Values.backstage.extraVolumes)) }} {{- range .Values.backstage.extraAppConfig }} - name: {{ .configMapRef }} mountPath: "{{ $installDir }}/{{ .filename }}" 
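Review bot: The resources block now reads the new top-level `.Values.resources` and is gated only by `enableResourceConstraints`, so an operator's existing `backstage.resources` override is silently ignored, and if `resources` is emptied `toYaml` renders `resources: null`. Guarding on the value itself, `{{- if .Values.global.cp.enableResourceConstraints }}` / `{{- with .Values.resources }}` / `resources: {{- toYaml . | nindent 12 }}`, keeps the block out when nothing is set, and the values.yaml comment for the new key should state that it supersedes `backstage.resources`. The container spec continues outside the hunk.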
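Review bot: `value: {{ $cpHostname }}` emits the hostname as a plain scalar, whereas the sibling `APP_CONFIG_backend_listen_port` line above pipes through `| quote`; an env `value` must be a string, and an unquoted hostname containing `:` or starting with a YAML indicator would break or retype the manifest. Use `value: {{ $cpHostname | quote }}`. The env list continues outside the hunk.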
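Review bot: The `cp-certs` mount at `/etc/ssl/custom-certs` is not marked `readOnly: true`; Kubernetes mounts secret volumes read-only in practice, but the explicit flag documents intent and survives a later change of volume type. The three new entries also alternate between `mountPath`-first and `name`-first ordering, and the volume named `logs` is mounted at `/tmp`, which reads as scratch space; a comment such as `# backend writes its log files under /tmp; tailed by the fluentbit sidecar` would explain the name. Whether the backend actually trusts certificates placed in `/etc/ssl/custom-certs` depends on how the image loads CA bundles, which this hunk does not show — confirm.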
@@ -219,15 +245,54 @@ spec: {{- if .Values.backstage.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.backstage.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} - {{- end }} + {{- end }} {{- if .Values.global.cp.logging.fluentbit.enabled }} - name: fluentbit image: {{ include "backstage.image.registry" .}}{{"/"}}{{ include "backstage.image.repository" .}}{{"/"}}{{ .Values.global.cp.logging.fluentbit.image.name }}:{{ .Values.global.cp.logging.fluentbit.image.tag }} imagePullPolicy: {{ .Values.fluentbit.image.pullPolicy }} - {{- if .Values.fluentbit.securityContext }} + {{- if .Values.global.cp.logging.fluentbit.securityContext }} securityContext: - {{- toYaml .Values.fluentbit.securityContext | nindent 12 }} + {{- toYaml .Values.global.cp.logging.fluentbit.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.global.cp.enableResourceConstraints }} + {{- with .Values.global.cp.logging.fluentbit.resources }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} + {{- end }} + ports: + - containerPort: 2020 + protocol: TCP + startupProbe: + httpGet: + scheme: HTTP + path: /api/v1/health + port: 2020 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 50 + livenessProbe: + httpGet: + scheme: HTTP + path: /api/v1/health + port: 2020 + periodSeconds: 10 + timeoutSeconds: 2 + initialDelaySeconds: 0 + successThreshold: 1 + failureThreshold: 1 + readinessProbe: + httpGet: + scheme: HTTP + path: /api/v1/health + port: 2020 + periodSeconds: 10 + timeoutSeconds: 2 + initialDelaySeconds: 0 + successThreshold: 1 + failureThreshold: 1 env: - name: POD_NAMESPACE valueFrom: @@ -248,10 +313,10 @@ spec: fieldRef: fieldPath: status.hostIP volumeMounts: - - name: podlogs + - name: logs mountPath: /var/log/pods - - name: dockercontainerlogs - mountPath: /var/lib/docker/containers + - name: db + mountPath: /var/log/db - name: config-volume mountPath: /fluent-bit/etc/ {{- end }} 
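Review bot: The sidecar's securityContext now comes from `.Values.global.cp.logging.fluentbit.securityContext`, but the values.yaml hunk `@@ -443,6 +493,7 @@ fluentbit:` in this commit still edits the old `fluentbit.securityContext` (adding `CAP_NET_RAW`) that no template reads any more, and `imagePullPolicy` still takes `.Values.fluentbit.image.pullPolicy`, so the sidecar's settings are split across two trees. Either drop the stale `fluentbit.securityContext` key from values.yaml or mark it deprecated there, and consider sourcing the pull policy from the same global block. Separately, `livenessProbe.failureThreshold: 1` restarts the sidecar on a single 2 s timeout; the Kubernetes default of 3 is the usual choice unless an immediate restart is intended. The container list continues outside the hunk.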
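Review bot: The sidecar only tails the shared `logs` volume, so its mount can be declared read-only: `- name: logs` / `  mountPath: /var/log/pods` / `  readOnly: true`. That leaves the emptyDir writable only from the backend container, while `db` stays writable for `flb_kube.db`.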
diff --git a/charts/tibco-developer-hub/templates/fluentbit-configmap.yaml b/charts/tibco-developer-hub/templates/fluentbit-configmap.yaml index 73be30bb..f0526331 100644 --- a/charts/tibco-developer-hub/templates/fluentbit-configmap.yaml +++ b/charts/tibco-developer-hub/templates/fluentbit-configmap.yaml @@ -17,6 +17,9 @@ data: Log_Level info Daemon off Parsers_File parsers.conf + HTTP_Server On + HTTP_Listen 0.0.0.0 + HTTP_Port 2020 @INCLUDE input.conf @INCLUDE filter.conf @@ -26,9 +29,9 @@ data: [INPUT] Name tail Tag dp.${POD_NAMESPACE}.${POD_NAME}.${POD_ID}.${CONTAINER_NAME} - Path /var/log/pods/${POD_NAMESPACE}_${POD_NAME}_${POD_ID}/${CONTAINER_NAME}/*.log + Path /var/log/pods/tibco-hub-*.log multiline.parser docker, cri - DB /var/log/flb_kube.db + DB /var/log/db/flb_kube.db Mem_Buf_Limit 5MB Skip_Long_Lines On Refresh_Interval 10 diff --git a/charts/tibco-developer-hub/templates/ingress_public_traefik.yaml b/charts/tibco-developer-hub/templates/ingress_public_traefik.yaml index 91f13415..b269475f 100644 --- a/charts/tibco-developer-hub/templates/ingress_public_traefik.yaml +++ b/charts/tibco-developer-hub/templates/ingress_public_traefik.yaml @@ -43,6 +43,10 @@ spec: - X-Auth-Request-Access-Token - X-Atmosphere-Token trustForwardHeader: true + {{ if .Values.global.cp.authInsecureIngressController -}} + tls: + insecureSkipVerify: true + {{- end }} --- apiVersion: traefik.io/v1alpha1 diff --git a/charts/tibco-developer-hub/templates/well-known-configuration-ingress-nginx.yaml b/charts/tibco-developer-hub/templates/well-known-configuration-ingress-nginx.yaml index b2514d1b..c7428bbb 100644 --- a/charts/tibco-developer-hub/templates/well-known-configuration-ingress-nginx.yaml +++ b/charts/tibco-developer-hub/templates/well-known-configuration-ingress-nginx.yaml 
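Review bot: `HTTP_Listen 0.0.0.0` opens Fluent Bit's built-in HTTP server (metrics and API endpoints) on the pod's interfaces, not only for the kubelet probes added in the deployment; binding to the pod IP is unavoidable for `httpGet` probes, so the exposure has to be handled by the chart's NetworkPolicy, which this commit does not touch beyond the `customRules` default. A line in the configmap such as `# port 2020 serves the health endpoint used by the kubelet probes; restrict ingress to it via NetworkPolicy` would record that. The second hunk's `Path /var/log/pods/tibco-hub-*.log` relies on the backend writing files of that name into the shared `logs` volume, which nothing in this commit configures; a comment naming where that filename pattern is set would help.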
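Review bot: The new `tls: insecureSkipVerify: true` block on the forwardAuth middleware disables certificate verification of the auth service whenever `global.cp.authInsecureIngressController` is set, and the values.yaml hunk `@@ -16,9 +16,13 @@ global:` defaults that flag to `true`, so a default install skips TLS verification on the auth hop; the in-values comment acknowledges this as temporary. Defaulting the flag to `false` and letting deployments that need it opt in, or at least documenting next to the key which connection it weakens, keeps the secure posture as the default. The `{{ if … -}}` opener also lacks the leading `-` that its sibling actions use, leaving an indented blank line in the rendered middleware.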
@@ -15,11 +15,7 @@ metadata: {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} annotations: - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - nginx.ingress.kubernetes.io/upstream-vhost: {{ $cpHostname }} - nginx.ingress.kubernetes.io/rewrite-target: /.well-known/openid-configuration - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_set_header x-cp-host {{ $cpHostname }}; + nginx.ingress.kubernetes.io/proxy-buffer-size: 16k {{- with .Values.global.cp.resources.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -31,9 +27,9 @@ spec: paths: - backend: service: - name: {{ include "common.names.fullname" . }}-wkc + name: {{ include "common.names.fullname" . }} port: - number: 443 - path: /tibco/hub/.well-known/openid-configuration - pathType: Exact + number: {{ .Values.service.ports.backend }} + path: /tibco/hub/.well-known/openid-configuration/ + pathType: ImplementationSpecific {{- end }} diff --git a/charts/tibco-developer-hub/values.yaml b/charts/tibco-developer-hub/values.yaml index 6011217e..71fb393e 100644 --- a/charts/tibco-developer-hub/values.yaml +++ b/charts/tibco-developer-hub/values.yaml @@ -16,9 +16,13 @@ global: imageRegistry: "" # Following parameters which are used in our chart, are passed during provisioning from control plane cp: + cpCertificateSecret: "" + # insecureSkipVerify is true by default because we are calling own services. To be more generally addressed in upcoming release. + authInsecureIngressController: true dataplaneId: "abcd" instanceId: "" cpHostname: "acme.local.my.cic2.pro" + enableResourceConstraints: true resources: serviceaccount: serviceAccountName: "" 
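Review bot: The new path `/tibco/hub/.well-known/openid-configuration/` carries a trailing slash with `pathType: ImplementationSpecific`; OIDC discovery clients request `…/.well-known/openid-configuration` without the slash, and with ingress-nginx an ImplementationSpecific path becomes a plain nginx `location` prefix, so a request without the trailing slash would not match (inferred from ingress-nginx behaviour, not shown here — confirm with a rendered test). Dropping the slash, `path: /tibco/hub/.well-known/openid-configuration`, or keeping `pathType: Exact` as before, avoids that. The Ingress spec continues outside the hunk.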
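Review bot: `cpCertificateSecret: ""` is added without a comment, although the deployment template in this commit mounts that secret at `/etc/ssl/custom-certs` with `defaultMode: 420`; an operator cannot tell from values.yaml what the secret must contain (a CA bundle, which keys) or what consumes it. A comment such as `# Name of an existing Secret holding the CA certificate(s) the backend should trust for control-plane calls; mounted at /etc/ssl/custom-certs` would close that gap (wording to be confirmed against how the backend loads the directory, which is not visible here). `enableResourceConstraints: true` likewise deserves one line saying it gates every resources block in this chart and in the postgresql subchart.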
@@ -35,8 +39,24 @@ global: fluentbit: image: name: common-fluentbit - tag: 3.1.4 + tag: 3.2.2 enabled: true + resources: + requests: + cpu: 10m + memory: 15Mi + limits: + cpu: 50m + memory: 30Mi + securityContext: + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW # proxy configuration for the outward traffic from cp proxy # should have access to the proxy server and proxy server should have access to CP Subscription DNS domain proxy: @@ -115,10 +135,13 @@ ingress: # @default -- See below backstage: image: + registry: "" + + repository: "" # -- Backstage image name name: dx-tibco-hub # -- Backstage image tag (immutable tags are recommended) - tag: "591" + tag: "689" # -- Specify a imagePullPolicy. # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -193,9 +216,9 @@ backstage: # The seccomp (secure computing mode) profile is set to RuntimeDefault, which means it uses the default profile provided by the runtime. podSecurityContext: runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 fsGroupChangePolicy: "Always" seccompProfile: type: RuntimeDefault @@ -205,10 +228,12 @@ backstage: # It specifies that privilege escalation is not allowed for security reasons. # Additionally, it drops all capabilities, which is a common security practice to minimize potential risks. containerSecurityContext: + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: - ALL + - CAP_NET_RAW # Allows to define the appConfig as a multiline string that generates a ConfigMap # automatically, not requiring to have it pre provisioned as with the extraAppConfig key. 
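Review bot: The new `global.cp.logging.fluentbit.securityContext` pins the sidecar to `runAsUser: 1000`, while the `podSecurityContext` hunk in this same file moves the backstage pod to `runAsUser`/`fsGroup` `65532`; the two containers share the `logs` emptyDir, so the sidecar can only read the backend's files through the pod-level `fsGroup` supplemental group and the file modes the backend creates. If the fluent-bit image runs as 65532, aligning it (`runAsUser: 65532`) removes that dependency; otherwise a comment noting the deliberate mismatch and the reliance on `fsGroup` would help the next reader. This is inferred from the two hunks only — confirm against the image's user.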
@@ -306,7 +331,7 @@ networkPolicy: # - namespaceSelector: # matchLabels: # label: example - customRules: [] + customRules: {} # -- PostgreSQL [chart configuration](https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml) @@ -317,7 +342,7 @@ postgresql: enabled: false image: name: dx-postgresql - tag: 14.12.0-debian-12-r4 + tag: 14.15.0-debian-12-r6 commonLabels: '{{- include "tibcohub.platform.commonLabels" . -}}' # -- The authentication details of the Postgres database @@ -362,6 +387,7 @@ postgresql: # # It specifies that privilege escalation is not allowed for security reasons. # # Additionally, it drops all capabilities, which is a common security practice to minimize potential risks. containerSecurityContext: + readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 runAsGroup: 0 # see https://github.com/bitnami/charts/issues/13985#issuecomment-1411654273 @@ -369,6 +395,30 @@ postgresql: capabilities: drop: - ALL + - CAP_NET_RAW + + extraVolumes: + - name: tmp + emptyDir: {} + - name: conf + emptyDir: {} + - name: postgrestmp + emptyDir: {} + extraVolumeMounts: + - name: tmp + mountPath: /tmp + - name: conf + mountPath: /opt/bitnami/postgresql/conf + - name: postgrestmp + mountPath: /opt/bitnami/postgresql/tmp/ + + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + memory: 256Mi + cpu: 200m # -- PostgreSQL architecture (`standalone` or `replication`) architecture: standalone @@ -443,6 +493,7 @@ fluentbit: capabilities: drop: - ALL + - CAP_NET_RAW autoscaling: @@ -462,7 +513,7 @@ autoscaling: initContainer: image: name: dx-postgresql - tag: 14.12.0-debian-12-r4 + tag: 14.15.0-debian-12-r6 digest: "" publicApi: 
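Review bot: `customRules` changes its default from `[]` to `{}`, i.e. from a list to a mapping, while the commented example directly above still shows list items (`# - namespaceSelector:`); whichever shape the networkPolicy template iterates over (not visible here), one of the two is now wrong, and a user who supplied a list override gets a type mismatch at render time. Either keep `[]` with the list example, or update the example to mapping form and call the change out as a values-schema change in the chart notes.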
@@ -472,3 +523,27 @@ publicApi: className: nginx pathPrefix: /tibco/hub fqdn: "" + +resources: + requests: + cpu: 500m + memory: 700Mi + limits: + cpu: "1" + memory: 1Gi + +appInit: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: 30m + memory: 50Mi + requests: + cpu: 10m + memory: 20Mi diff --git a/charts/tp-cp-tibcohub-contrib/Chart.yaml b/charts/tp-cp-tibcohub-contrib/Chart.yaml index a6678044..6e12a84f 100644 --- a/charts/tp-cp-tibcohub-contrib/Chart.yaml +++ b/charts/tp-cp-tibcohub-contrib/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "1.3.5" +version: "1.4.5" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.3.0" +appVersion: "1.4.0" diff --git a/charts/tp-cp-tibcohub-contrib/templates/_helpers.tpl b/charts/tp-cp-tibcohub-contrib/templates/_helpers.tpl index 3f82f905..90b013cd 100644 --- a/charts/tp-cp-tibcohub-contrib/templates/_helpers.tpl +++ b/charts/tp-cp-tibcohub-contrib/templates/_helpers.tpl 
@@ -110,7 +110,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- include "cp-env.get" (dict "key" "CP_INSTANCE_ID" "default" "cp1" "required" "false" "Release" .Release )}} {{- end }} -{{/* Control plane provider */}} -{{- define "tp-cp-tibcohub-contrib.cp-provider" -}} -{{- include "cp-env.get" (dict "key" "CP_PROVIDER" "default" "aws" "required" "false" "Release" .Release )}} -{{- end }} +{{/* Control plane enable or disable resource constraints */}} +{{- define "tp-cp-tibcohub-contrib.enableResourceConstraints" -}} +{{- include "cp-env.get" (dict "key" "CP_ENABLE_RESOURCE_CONSTRAINTS" "default" "false" "required" "false" "Release" .Release )}} +{{- end }} \ No newline at end of file diff --git a/charts/tp-cp-tibcohub-contrib/templates/job.yaml b/charts/tp-cp-tibcohub-contrib/templates/job.yaml index 9153b53f..1a94a97f 100644 --- a/charts/tp-cp-tibcohub-contrib/templates/job.yaml +++ b/charts/tp-cp-tibcohub-contrib/templates/job.yaml @@ -1,4 +1,5 @@ {{- $targetTag := (.Values.tibcoHub.image).tag | required ".Values.tibcoHub.image.tag is required." }} +{{- $dot := . }} apiVersion: batch/v1 kind: Job metadata: @@ -31,9 +32,17 @@ spec: - name: container-image-extractor image: {{ include "tp-cp-tibcohub-contrib.image.registry" .}}{{"/"}}{{ include "tp-cp-tibcohub-contrib.image.repository" .}}{{"/"}}{{ .Values.containerImageExtractor.image.name }}:{{ .Values.containerImageExtractor.image.tag}} imagePullPolicy: IfNotPresent - {{- if .Values.securityContext }} + {{- with $.Values.probes.startupProbe }} + startupProbe: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.securityContext }} securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- toYaml $.Values.securityContext | nindent 10 }} + {{- end }} + {{- if eq (include "tp-cp-tibcohub-contrib.enableResourceConstraints" $dot ) "true" }} + resources: + {{- toYaml $.Values.scripts.resources | nindent 10 }} {{- end }} env: - name: DOCKER_REGISTRY 
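Review bot: This hunk deletes the `tp-cp-tibcohub-contrib.cp-provider` named template instead of adding the new one alongside it, so any template still including it fails to render; nothing in this commit shows its remaining uses being removed, so that is worth confirming with a `helm template` run. The same replacement is made in `tp-cp-tibcohub-recipes/templates/_helpers.tpl`. The file also loses its trailing newline (`\ No newline at end of file`).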
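Review bot: Inside `{{- with $.Values.securityContext }}` the dot already is the securityContext, so `{{- toYaml $.Values.securityContext | nindent 10 }}` re-fetches it instead of using `{{- toYaml . | nindent 10 }}` as the startupProbe block two lines above does. Likewise `$dot := .` at the top of the file duplicates the built-in `$`, which the same hunk already uses (`$.Values…`); `include "tp-cp-tibcohub-contrib.enableResourceConstraints" $` works without the extra variable. The container spec continues outside the hunk.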
@@ -41,7 +50,7 @@ spec: - name: SOURCE_DOCKER_IMAGE value: "{{ include "tp-cp-tibcohub-contrib.image.registry" .}}/{{ include "tp-cp-tibcohub-contrib.image.repository" .}}/{{ .Values.tibcoHub.image.name }}:{{ .Values.tibcoHub.image.tag }}" # source docker image name - name: IMAGE_TEMP_DIR - value: "/efs/tmp-{{ .Values.capability.name }}" # temporary directory to be used by container-image-extractor for downloading and extracting docker image + value: "/tmp/tmp-{{ .Values.capability.name }}" # temporary directory to be used by container-image-extractor for downloading and extracting docker image - name: SOURCE_DIRS value: {{ .Values.source.directory | quote }} # directory in SOURCE_DOCKER_IMAGE which needs to be copied to TARGET_DIRS - name: TARGET_DIRS @@ -52,15 +61,24 @@ spec: - mountPath: /efs name: store-vol subPath: tsc/contributors + - mountPath: /tmp + name: temp + - name: kaniko-vol + mountPath: /kaniko/.docker # mount this secret only if private container registry is configured for CP. {{- if (include "tp-cp-tibcohub-contrib.container-registry.secret" .) }} - mountPath: /tibco/containerregistry name: container-registry-secret {{- end }} volumes: + - name: temp + emptyDir: + sizeLimit: 500Mi - name: store-vol persistentVolumeClaim: claimName: {{ include "tp-cp-tibcohub-contrib.pvc-name" . }} + - emptyDir: {} + name: kaniko-vol {{- if (include "tp-cp-tibcohub-contrib.container-registry.secret" .) }} - name: container-registry-secret secret: diff --git a/charts/tp-cp-tibcohub-contrib/values.yaml b/charts/tp-cp-tibcohub-contrib/values.yaml index af381b29..26191799 100644 --- a/charts/tp-cp-tibcohub-contrib/values.yaml +++ b/charts/tp-cp-tibcohub-contrib/values.yaml @@ -7,7 +7,7 @@ source: tibcoHub: image: name: "dx-tibco-hub-cp-contrib" - tag: 133 + tag: 161 pullPolicy: IfNotPresent containerImageExtractor: 
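Review bot: The new `kaniko-vol` volume is written `- emptyDir: {}` then `name:` while every sibling puts `name:` first, and the new `temp` mount is `- mountPath:` first against `- name:` first on the adjacent `kaniko-vol` mount; matching the surrounding ordering keeps the lists diffable. Using an ephemeral volume for `/kaniko/.docker`, where registry credentials are written at run time, and moving `IMAGE_TEMP_DIR` off the shared `/efs` PVC are both sound. Whether `sizeLimit: 500Mi` is enough for the extracted source image cannot be judged from here; a comment stating the expected image size would justify the number.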
@@ -43,11 +43,35 @@ securityContext: # It specifies that privilege escalation is not allowed for security reasons. # Additionally, it drops all capabilities, which is a common security practice to minimize potential risks. allowPrivilegeEscalation: false + readOnlyRootFilesystem: true capabilities: drop: - ALL + - CAP_NET_RAW # global values used by the chart. These values gets propagated to sub-charts. global: tibco: enableLogging: true + +scripts: + resources: + requests: + cpu: 50m + memory: 75Mi + limits: + cpu: 100m + memory: 150Mi + +probes: + startupProbe: {} + # enable startup probe only if security policy is blocking you from deployment, otherwise its not recommended to use it + # exec: + # command: + # - touch + # - /tmp/healthy + # initialDelaySeconds: 5 + # periodSeconds: 5 + # failureThreshold: 5 + # successThreshold: 1 + # timeoutSeconds: 5 diff --git a/charts/tp-cp-tibcohub-recipes/Chart.yaml b/charts/tp-cp-tibcohub-recipes/Chart.yaml index 34f28771..66f9edfe 100644 --- a/charts/tp-cp-tibcohub-recipes/Chart.yaml +++ b/charts/tp-cp-tibcohub-recipes/Chart.yaml @@ -7,8 +7,8 @@ name: tp-cp-tibcohub-recipes description: TIBCO Developer Hub Data Plane Recipes home: https://github.com/tibco/tp-dev-hub.git type: application -version: 1.3.17 -appVersion: "1.3.0" +version: 1.4.21 +appVersion: "1.4.0" keywords: - tibco-platform - control-plane diff --git a/charts/tp-cp-tibcohub-recipes/templates/_helpers.tpl b/charts/tp-cp-tibcohub-recipes/templates/_helpers.tpl index 48b3e4d3..1f94ce20 100644 --- a/charts/tp-cp-tibcohub-recipes/templates/_helpers.tpl +++ b/charts/tp-cp-tibcohub-recipes/templates/_helpers.tpl 
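Review bot: The commented startupProbe example runs `touch /tmp/healthy`, and the same hunk turns on `readOnlyRootFilesystem: true`, so the example only works where `/tmp` is a writable mount; the contrib job in this commit mounts an emptyDir at `/tmp`, but the identical example is copied into `tp-cp-tibcohub-recipes/values.yaml` whose template hunk shows no `/tmp` volume. Adding `# requires a writable /tmp (job.yaml mounts an emptyDir there)` to the example here, and verifying the recipes template, avoids a probe that can never succeed. Also `its not recommended` should read `it's not recommended`.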
@@ -111,7 +111,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- include "cp-env.get" (dict "key" "CP_INSTANCE_ID" "default" "cp1" "required" "false" "Release" .Release )}} {{- end }} -{{/* Control plane provider */}} -{{- define "tp-cp-tibcohub-recipes.cp-provider" -}} -{{- include "cp-env.get" (dict "key" "CP_PROVIDER" "default" "aws" "required" "false" "Release" .Release )}} +{{/* Control plane enable or disable resource constraints */}} +{{- define "tp-cp-tibcohub-recipes.enableResourceConstraints" -}} +{{- include "cp-env.get" (dict "key" "CP_ENABLE_RESOURCE_CONSTRAINTS" "default" "false" "required" "false" "Release" .Release )}} {{- end }} diff --git a/charts/tp-cp-tibcohub-recipes/templates/tibcohub.yaml b/charts/tp-cp-tibcohub-recipes/templates/tibcohub.yaml index 8187ee9d..e49f88aa 100644 --- a/charts/tp-cp-tibcohub-recipes/templates/tibcohub.yaml +++ b/charts/tp-cp-tibcohub-recipes/templates/tibcohub.yaml @@ -12,7 +12,7 @@ metadata: data: version.json: | { - "capabilityVersion": "1.3.0", + "capabilityVersion": "1.4.0", "minCPVersion": "1.1.0", "maxCPVersion": "", "releaseDate": {{ .Values.capabilities.tibcohub.releaseDate | quote }}, @@ -43,7 +43,7 @@ data: { "version": [ 1, - 3, + 4, 0 ], "capabilityId": "OAUTH2PROXY", @@ -75,7 +75,7 @@ data: recipe: helmCharts: - name: tibco-developer-hub - version: 1.3.18 + version: 1.4.21 namespace: ${NAMESPACE} repository: chartMuseum: @@ -92,7 +92,7 @@ data: auth: providers: oauth2Proxy: - development: {} + production: {} enableAuthProviders: [oauth2Proxy] # only if user provides a secrets reference # extraEnvVarsSecrets: 
@@ -138,9 +138,17 @@ spec: - name: tibcohub image: {{ include "tp-cp-tibcohub-recipes.image.registry" .}}{{"/"}}{{ include "tp-cp-tibcohub-recipes.image.repository" .}}{{"/"}}{{ .Values.image.name }}:{{ .Values.image.tag}} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.probes.startupProbe }} + startupProbe: + {{- toYaml . | nindent 10 }} + {{- end }} {{- if .Values.securityContext }} securityContext: - {{- toYaml .Values.securityContext | nindent 10 }} + {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} + {{- if eq (include "tp-cp-tibcohub-recipes.enableResourceConstraints" . ) "true" }} + resources: + {{- toYaml .Values.scripts.resources | nindent 10 }} {{- end }} env: - name: CAPABILITY_NAME @@ -150,7 +158,7 @@ spec: - name: RECIPE_TARGET_LOCATION value: "/private/tsc/config/capabilities/platform" - name: RECIPE_RELEASE_VERSION - value: "1.3.0" + value: "1.4.0" - name: SPACE_SEPARATED_UNSUPPORTED_RECIPE_VERSIONS value: "" - name: OVERWRITE_RECIPE @@ -183,4 +191,3 @@ spec: {{- if (include "tp-cp-tibcohub-recipes.container-registry.secret" .) }} - name: {{ include "tp-cp-tibcohub-recipes.container-registry.secret" . }} {{- end}} - \ No newline at end of file diff --git a/charts/tp-cp-tibcohub-recipes/values.yaml b/charts/tp-cp-tibcohub-recipes/values.yaml index b62b609f..ac281d03 100644 --- a/charts/tp-cp-tibcohub-recipes/values.yaml +++ b/charts/tp-cp-tibcohub-recipes/values.yaml @@ -8,10 +8,10 @@ capabilities: # set to true for latest version of recipe isLatest: "true" # Timestamp of capability release - releaseDate: "2024/08/30" + releaseDate: "2025/01/20" # Either a link to document or the document itself specifying _what was fixed in this release. releaseNotes: "#cshid=new_features" - # helm chart and image version for bwprovisioner, default helm chart version is latest + # helm chart and image version for devhubprovisioner, default helm chart version is latest tibco-developer-hub: version: "" 
@@ -40,6 +40,30 @@ securityContext: # It specifies that privilege escalation is not allowed for security reasons. # Additionally, it drops all capabilities, which is a common security practice to minimize potential risks. allowPrivilegeEscalation: false + readOnlyRootFilesystem: true capabilities: drop: - ALL + - CAP_NET_RAW + +scripts: + resources: + requests: + cpu: 150m + memory: 150Mi + limits: + cpu: 300m + memory: 300Mi + +probes: + startupProbe: {} + # enable startup probe only if security policy is blocking you from deployment, otherwise its not recommended to use it + # exec: + # command: + # - touch + # - /tmp/healthy + # initialDelaySeconds: 5 + # periodSeconds: 5 + # failureThreshold: 5 + # successThreshold: 1 + # timeoutSeconds: 5