Merge branch 'release/0.6.1'

passbolt · Nov 20, 2023 · 24efd2c · 24efd2c
2 parents 6f0ed72 + b62f007
commit 24efd2c
Show file tree

Hide file tree

Showing 25 changed files with 665 additions and 61 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,25 +3,49 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.4.4...HEAD)
+## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.6.1...HEAD)
+
+## [0.6.1] - 2023-11-20
+### Fixed
+
+- Removed debug line from deployment.yaml that leaks pgpassword to stdout
+## [0.6.0] - 2023-11-17
+
+### Fixed
+
+- [#33](https://github.com/passbolt/charts-passbolt/issues/33) Helm charts generating incorrect jwt key and pem
+
+## [0.5.0] - 2023-11-15
+
+### Fixed
+
+- [#56](https://github.com/passbolt/charts-passbolt/issues/56) Cronjob "cron-proc-email" and few other resources doesn't take imageRegistry global parameter
+
+### Added
+
+- [#55](https://github.com/passbolt/charts-passbolt/issues/55) Deploying with postgres db
 
 ## [0.4.4] - 2023-10-09
 
 ### Fixed
+
 - [#52](https://github.com/passbolt/charts-passbolt/issues/52) pullPolicy incorrect rendering
 
 ## [0.4.3] - 2023-10-06
 
 ### Added
+
 - New values tls.existingSecret and tls.autogenerate to control injecting ssl certificates in passbolt containers and ingress
 
 ### Fixed
+
 - [#51](https://github.com/passbolt/charts-passbolt/issues/51) ability to use external tls secret
 - [#49](https://github.com/passbolt/charts-passbolt/issues/49) ability to use custom registries and custom pullSecrets
 
 ## [0.4.2] - 2023-08-31
 
 ### Added
+
 - Bump passbolt version 4.1.2-1-ce
 
 ## [0.4.1] - 2023-06-11
@@ -76,7 +100,6 @@ This release includes breaking changes .Values.redisProxyResources now is .Value
 
 - Added tests for disabled redis proxy
 
-
 ## [0.3.0] - 2023-05-03
 
 ### Fixed

diff --git a/Chart.lock b/Chart.lock
@@ -8,5 +8,8 @@ dependencies:
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
   version: 11.5.7
-digest: sha256:2b667ef711638e19c9541150634312e835a86608ba730c139408d98f85be6cc7
-generated: "2023-08-10T18:47:01.974503483+02:00"
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 13.2.3
+digest: sha256:541a5a0685f8f792ef99c2de7c29b73ae543563f4ff4f795797d65bfc88c3222
+generated: "2023-11-09T16:43:25.437028891+01:00"
diff --git a/Chart.yaml b/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.4
+version: 0.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.3.0-1-ce
+appVersion: 4.4.0-1-ce
 dependencies:
   - name: passbolt-library
     version: 0.2.7
@@ -33,3 +33,7 @@ dependencies:
     version: 11.5.7
     repository: "https://charts.bitnami.com/bitnami"
     condition: mariadbDependencyEnabled
+  - name: postgresql
+    version: 13.2.3
+    repository: "https://charts.bitnami.com/bitnami"
+    condition: postgresqlDependencyEnabled
diff --git a/README.md b/README.md
@@ -4,21 +4,28 @@
     <img src="./.assets/helm_passbolt.png" alt="passbolt sails kubernetes" width="500"/>
 </h3>
 
-![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.3.0-1-ce](https://img.shields.io/badge/AppVersion-4.3.0--1--ce-informational?style=flat-square)
+![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.0-1-ce](https://img.shields.io/badge/AppVersion-4.4.0--1--ce-informational?style=flat-square)
 
 Passbolt is an open source, security first password manager with strong focus on
 collaboration.
 
 ## TL;DR
 
-The following command is not recommended for production deployments as it will
+The following commands are not recommended for production deployments as they will
 use default passwords for internal databases:
 
 ```bash
 helm repo add my-repo https://download.passbolt.com/charts/passbolt
 helm install my-release my-repo/passbolt
 ```
 
+In case you prefer to use postgresql intead of mariadb, a sample config is provided in the examples directory:
+
+```
+helm repo add my-repo https://download.passbolt.com/charts/passbolt
+helm install my-release my-repo/passbolt -f examples/postgresql.yaml
+```
+
 Production workloads should change the fields with values 'CHANGEME' on values.yaml
 and deploy the chart as follows:
 
@@ -105,16 +112,12 @@ chart and deletes the release.
 | app.cache.redis.sentinelProxy.image.repository | string | `"haproxy"` | Configure redis sentinel image repository |
 | app.cache.redis.sentinelProxy.image.tag | string | `"latest"` | Configure redis sentinel image tag |
 | app.cache.redis.sentinelProxy.resources | object | `{}` | Configure redis sentinel container resources |
+| app.database.kind | string | `"mariadb"` |  |
 | app.extraPodLabels | object | `{}` |  |
 | app.image.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy |
 | app.image.registry | string | `""` | Configure pasbolt deployment image repsitory |
 | app.image.repository | string | `"passbolt/passbolt"` |  |
-| app.image.tag | string | `"4.3.0-1-ce"` | Overrides the image tag whose default is the chart appVersion. |
-| app.initImage.client | string | `"mariadb"` | Configure pasbolt deployment init container image client for database |
-| app.initImage.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy |
-| app.initImage.registry | string | `""` |  |
-| app.initImage.repository | string | `"mariadb"` | Configure pasbolt deployment image repsitory |
-| app.initImage.tag | string | `"latest"` | Overrides the image tag whose default is the chart appVersion. |
+| app.image.tag | string | `"4.4.0-1-ce"` | Overrides the image tag whose default is the chart appVersion. |
 | app.resources | object | `{}` |  |
 | autoscaling.enabled | bool | `false` | Enable autoscaling on passbolt deployment |
 | autoscaling.maxReplicas | int | `100` | Configure autoscaling maximum replicas |
@@ -135,9 +138,11 @@ chart and deletes the release.
 | ingress.hosts | list | `[]` | Configure passbolt ingress hosts |
 | ingress.tls | list | `[]` | Configure passbolt ingress tls |
 | jobCreateGpgKeys.extraPodLabels | object | `{}` |  |
+| jobCreateJwtKeys.extraPodLabels | object | `{}` |  |
+| jwtCreateKeysForced | bool | `false` | Forces overwrite JWT keys |
 | jwtPath | string | `"/etc/passbolt/jwt"` | Configure passbolt jwt directory |
-| jwtServerPrivate | string | `nil` | JWT server private key in base64 |
-| jwtServerPublic | string | `nil` | JWT server public key in base64 |
+| jwtServerPrivate | string | `""` | JWT server private key in base64 |
+| jwtServerPublic | string | `""` | JWT server public key in base64 |
 | livenessProbe | object | `{"initialDelaySeconds":20,"periodSeconds":10}` | Configure passbolt container livenessProbe |
 | mariadb.architecture | string | `"replication"` | Configure mariadb architecture |
 | mariadb.auth.database | string | `"passbolt"` | Configure mariadb auth database |
@@ -200,6 +205,7 @@ chart and deletes the release.
 | passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_USERNAME | string | `"CHANGEME"` | Configure passbolt default email service username |
 | podAnnotations | object | `{}` | Map of annotation for passbolt server pod |
 | podSecurityContext | object | `{}` | Security Context configuration for passbolt server pod |
+| postgresqlDependencyEnabled | bool | `false` | Install mariadb as a depending chart |
 | rbacEnabled | bool | `true` | Enable role based access control |
 | readinessProbe | object | `{"initialDelaySeconds":5,"periodSeconds":10}` | Configure passbolt container RadinessProbe |
 | redis.auth.enabled | bool | `true` | Enable redis authentication |

diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -11,14 +11,21 @@ collaboration.
 
 ## TL;DR
 
-The following command is not recommended for production deployments as it will
+The following commands are not recommended for production deployments as they will
 use default passwords for internal databases:
 
 ```bash
 helm repo add my-repo https://download.passbolt.com/charts/passbolt
 helm install my-release my-repo/passbolt
 ```
 
+In case you prefer to use postgresql intead of mariadb, a sample config is provided in the examples directory:
+
+```
+helm repo add my-repo https://download.passbolt.com/charts/passbolt
+helm install my-release my-repo/passbolt -f examples/postgresql.yaml
+```
+
 Production workloads should change the fields with values 'CHANGEME' on values.yaml
 and deploy the chart as follows:
 

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,5 +1,3 @@
-This is a small hotfix release that fixes issues reported
-by the community regarding the imagePullPolicy on the
-deployment resource.
+Announcing the immediate availability of passbolt's official helm chart 0.6.1.
 
-For more information please check our [changelog](https://github.com/passbolt/charts-passbolt/blob/0.4.4/CHANGELOG.md)
+This release removes a leak of the pgpass to the stdout when installing psql.
diff --git a/examples/postgresql.yaml b/examples/postgresql.yaml
@@ -0,0 +1,14 @@
+postgresqlDependencyEnabled: true
+mariadbDependencyEnabled: false
+
+postgresql:
+  auth:
+    # -- Configure postgresql auth username
+    username: CHANGEME
+    # -- Configure postgresql auth password
+    password: CHANGEME
+    # -- Configure postgresql auth database
+    database: passbolt
+app:
+  database:
+    kind: postgresql
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
@@ -20,4 +20,4 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
-{{- include "passbolt.validateGpgKey" . }}
+{{- include "passbolt.validateValues" . }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -65,32 +65,55 @@ Create the name of the service account to use
 Render the value of the database service
 */}}
 {{- define "passbolt.databaseServiceName" -}}
+{{- if and ( eq .Values.mariadbDependencyEnabled true ) (or ( eq .Values.app.database.kind "mariadb") ( eq .Values.app.database.kind "mysql") ) }}
 {{- if eq .Values.mariadb.architecture "replication" }}
 {{- default ( printf "%s-%s-primary" .Release.Name "mariadb" ) .Values.passboltEnv.plain.DATASOURCES_DEFAULT_HOST | quote }}
 {{- else }}
 {{- default ( printf "%s-%s" .Release.Name "mariadb" ) .Values.passboltEnv.plain.DATASOURCES_DEFAULT_HOST | quote }}
 {{- end -}}
+{{- else if and ( eq .Values.postgresqlDependencyEnabled true ) ( eq .Values.app.database.kind "postgresql" ) }}
+{{- default ( printf "%s-postgresql" .Release.Name ) .Values.passboltEnv.plain.DATASOURCES_DEFAULT_HOST | quote }}
+{{- else if ( hasKey .Values.passboltEnv.plain "DATASOURCES_DEFAULT_HOST" )  -}}
+{{- printf "%s" .Values.passboltEnv.plain.DATASOURCES_DEFAULT_HOST }}
+{{- else }}
+{{- fail "DATASOURCES_DEFAULT_HOST can't be empty when mariadbDependencyEnabled and postgresqlDependencyEnabled are disabled"}}
+{{- end }}
 {{- end }}
 
 {{/*
-Show error message if the user didn't set the gpg key after upgrade
+Show error message if the user didn't set the needed values during upgrade
 */}}
-{{- define "passbolt.validateGpgKey" -}}
+{{- define "passbolt.validateValues" -}}
+{{- $arguments := "" }}
+{{- $message := "" -}}
+{{- $header := "" -}}
 {{ if and $.Release.IsUpgrade (or ( not $.Values.gpgServerKeyPublic ) ( not $.Values.gpgServerKeyPrivate )) }}
 {{- $secretName := printf "%s-%s-%s" (include "passbolt-library.fullname" . ) "sec" "gpg" -}}
 {{- $dpName := printf "%s-%s-%s" (include "passbolt-library.fullname" . ) "depl" "srv" -}}
 {{- $containerName := printf "%s-%s-%s" (include "passbolt-library.fullname" . ) "depl" "srv" -}}
-{{- $message := "" -}}
-{{- $message := printf "  GPG key values should not be empty after during upgrade process. Please update your values file or add the following arguments to the helm upgrade commmand:" -}}
-{{- $message := printf "%s\n%s" $message (printf "  export PRIVATE_KEY=$(kubectl get secret %s --namespace %s -o jsonpath=\"{.data.%s}\")" $secretName $.Release.Namespace "serverkey_private\\.asc") -}}
-{{- $message := printf "%s\n%s" $message (printf "  export PUBLIC_KEY=$(kubectl get secret %s --namespace %s -o jsonpath=\"{.data.%s}\")" $secretName $.Release.Namespace "serverkey\\.asc") -}}
-{{- $message := printf "%s\n%s" $message (printf "  export FINGERPRINT=$(kubectl exec deploy/%s -c %s -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/\"/, \"\"); print $2}')" $dpName $containerName) -}}
-{{- $message := printf "%s\n%s" $message (printf "  And add '--set %s=$%s --set %s=$%s --set %s=$%s' to the upgrade command." "gpgServerKeyPrivate" "PRIVATE_KEY" "gpgServerKeyPublic" "PUBLIC_KEY" "passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" "FINGERPRINT" ) -}}
+{{- $header = printf "GPG" -}}
+{{- $message = printf "%s\n%s" $message (printf "  export PRIVATE_KEY=$(kubectl get secret %s --namespace %s -o jsonpath=\"{.data.%s}\")" $secretName $.Release.Namespace "serverkey_private\\.asc") -}}
+{{- $message = printf "%s\n%s" $message (printf "  export PUBLIC_KEY=$(kubectl get secret %s --namespace %s -o jsonpath=\"{.data.%s}\")" $secretName $.Release.Namespace "serverkey\\.asc") -}}
+{{- $message = printf "%s\n%s" $message (printf "  export FINGERPRINT=$(kubectl exec deploy/%s -c %s -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/\"/, \"\"); print $2}')" $dpName $containerName) -}}
+{{- $arguments = printf "%s %s" $arguments (printf "--set %s=$%s --set %s=$%s --set %s=$%s" "gpgServerKeyPrivate" "PRIVATE_KEY" "gpgServerKeyPublic" "PUBLIC_KEY" "passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" "FINGERPRINT" ) -}}
+{{- end }}
+{{ if and $.Release.IsUpgrade .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtCreateKeysForced ) (or ( not $.Values.jwtServerPublic ) ( not $.Values.jwtServerPrivate )) }}
+{{- if eq $header "" }}
+{{- $header = printf "JWT" -}}
+{{- else }}
+{{- $header = printf "%s and JWT" $header -}}
+{{- end -}}
+{{- $secretName := printf "%s-%s-%s" (include "passbolt-library.fullname" . ) "sec" "jwt" -}}
+{{- $message = printf "%s\n%s" $message (printf "  export JWT_PRIVATE_KEY=$(kubectl get secret %s --namespace %s -o jsonpath=\"{.data.%s}\")" $secretName $.Release.Namespace "jwt\\.key") -}}
+{{- $message = printf "%s\n%s" $message (printf "  export JWT_PUBLIC_KEY=$(kubectl get secret %s --namespace %s -o jsonpath=\"{.data.%s}\")" $secretName $.Release.Namespace "jwt\\.pem") -}}
+{{- $arguments = printf "%s %s" $arguments (printf "--set %s=$%s --set %s=$%s" "jwtServerPrivate" "JWT_PRIVATE_KEY" "jwtServerPublic" "JWT_PUBLIC_KEY" ) -}}
+{{- end }}
 {{if $message }}
+{{- $header = printf "  %s key values should not be empty after during upgrade process. Please update your values file or add the following arguments to the helm upgrade commmand:" $header -}}
+{{- $message = printf "%s%s\n%s" $header $message (printf "  And add '%s' to the upgrade command." $arguments ) -}}
 {{ printf "\nDATA VALIDATION ERROR:\n%s" $message | fail }}
 {{- end }}
 {{- end }}
-{{- end }}
 
 {{- define "passbolt.tls.secretName" -}}
 {{- if .globalTLS.existingSecret -}}
@@ -116,18 +139,49 @@ Show error message if the user didn't set the gpg key after upgrade
 {{- $repositoryName := .imageRoot.repository -}}
 {{- $separator := ":" -}}
 {{- $termination := .imageRoot.tag | toString -}}
-{{- if .global }}
-  {{- if .global.imageRegistry }}
+{{- if .global -}}
+  {{- if .global.imageRegistry -}}
     {{- $registryName = .global.imageRegistry -}}
   {{- end -}}
 {{- end -}}
-{{- if $registryName }}
+{{- if $registryName -}}
     {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
 {{- else -}}
     {{- printf "%s%s%s"  $repositoryName $separator $termination -}}
 {{- end -}}
 {{- end -}}
 
+{{- define "passbolt.initImage" -}}
+{{- $registryName := "" -}}
+{{- $repositoryName := "" -}}
+{{- $image := "" -}}
+{{- $imagePullPolicy := "" -}}
+{{- if .Values.app.initImage }}
+  {{- $image = (include "passbolt.image" (dict "imageRoot" .Values.app.initImage "global" .Values.global)) }}
+  {{- $imagePullPolicy = (default "IfNotPresent" .Values.app.initImage.pullPolicy) }}
+{{- else -}}
+  {{- if .Values.global -}}
+    {{- if .Values.global.imageRegistry -}}
+      {{- $registryName = .Values.global.imageRegistry -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if or (eq .Values.app.database.kind "mariadb" ) ( eq .Values.app.database.kind "mysql" ) }}
+    {{- $repositoryName = "mariadb" -}}
+  {{- else if eq .Values.app.database.kind "postgresql" }}
+    {{- $repositoryName = "postgres" -}}
+  {{- end }}
+  {{- if not (eq $registryName "") }}
+    {{- $image = printf "%s/%s" $registryName $repositoryName }}
+    {{- $imagePullPolicy = default "IfNotPresent" .Values.global.imagePullPolicy }}
+  {{- else }}
+    {{- $image = printf "%s" $repositoryName }}
+    {{- $imagePullPolicy = default "IfNotPresent" .Values.global.imagePullPolicy }}
+  {{- end -}}
+{{- end -}}
+image: {{ printf "%s" $image }}
+imagePullPolicy: {{ printf "%s" $imagePullPolicy }}
+{{- end -}}
+
 {{- define "passbolt.pullSecrets" -}}
   {{- $pullSecrets := list }}
 
@@ -150,3 +204,13 @@ imagePullSecrets:
     {{- end }}
   {{- end }}
 {{- end -}}
+
+{{- define "passbolt.databaseClient" -}}
+{{- $client := "mariadb" -}}
+{{- if .Values.app.initImage -}}
+  {{- $client = (default $client .Values.app.initImage.client ) }}
+{{- else if eq .Values.app.database.kind "postgresql" -}}
+  {{- $client = "pg_isready" -}}
+{{- end -}}
+{{- printf "%s" $client }}
+{{- end -}}
diff --git a/templates/configmap-env.yaml b/templates/configmap-env.yaml
@@ -16,3 +16,7 @@ metadata:
     {{- include "passbolt-library.typelabels" (dict "action" $action "type" $type) | nindent 4 }}
 data:
 {{ include "passbolt-library.configmap-envvar.tpl" .Values.passboltEnv.plain | nindent 2 }}
+{{- if eq .Values.app.database.kind "postgresql" }}
+    DATASOURCES_DEFAULT_DRIVER: 'Cake\Database\Driver\Postgres'
+    DATASOURCES_DEFAULT_ENCODING: "utf8"
+{{- end -}}
diff --git a/templates/cronjob-proc-email.yaml b/templates/cronjob-proc-email.yaml
@@ -31,7 +31,8 @@ spec:
             fsGroup: 33
           containers:
             - name: {{ $fullName }}
-          {{ include "passbolt-library.container-repositories.tpl" (dict "Values" . "Image" .Values.app.image) | nindent 14 }}
+              image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.image "global" .Values.global) }}
+              imagePullPolicy: {{ .Values.app.image.pullPolicy }}
               command:
                 - "/bin/bash"
               args:
@@ -63,7 +64,8 @@ spec:
                   readOnly: true
             {{- if .Values.app.cache.redis.sentinelProxy.enabled }}
             - name: {{ $fullName }}-redisproxy
-              {{ include "passbolt-library.container-repositories.tpl" (dict "Values" . "Image" .Values.app.cache.redis.sentinelProxy.image) | nindent 14 }}
+              image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.cache.redis.sentinelProxy.image "global" .Values.global) }}
+              imagePullPolicy: {{ .Values.app.cache.redis.sentinelProxy.pullPolicy }}
               command:
                 - "/bin/bash"
               args: