Merge branch 'jp-10.20.0' into Fix_for_ClusterIP_type_service

stable/artifactory-cpp-ce/CHANGELOG.md

@@ -1,7 +1,7 @@
 # JFrog Artifactory CE for C++ Chart Changelog
 All changes to this chart will be documented in this file
 
-## [107.84.17] - Feb 20, 2024
+## [107.90.15] - Feb 20, 2024
 * Updated `artifactory.installerInfo` content
 
 ## [107.80.0] - Feb 1, 2024

stable/artifactory-cpp-ce/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: 7.84.17
+appVersion: 7.90.15
 dependencies:
 - name: artifactory
   repository: file://charts/artifactory
-  version: 107.84.17
+  version: 107.90.15
 description: JFrog Artifactory CE for C++
 home: https://www.jfrog.com/artifactory/
 icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-cpp-ce/logo/conan.png
@@ -21,4 +21,4 @@ name: artifactory-cpp-ce
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 107.84.17
+version: 107.90.15

stable/artifactory-cpp-ce/values.yaml

@@ -69,7 +69,7 @@ postgresql:
   enabled: true
 router:
   image:
-    tag: 7.105.1
+    tag: 7.118.3
 initContainers:
   image:
-    tag: 9.4.949
+    tag: 9.4.949.1716471857

stable/artifactory-ha/CHANGELOG.md

@@ -1,7 +1,39 @@
 # JFrog Artifactory-ha Chart Changelog
-All changes to this chart will be documented in this file
+All changes to this chart will be documented in this file.
 
-## [107.84.17] - June 27, 2024
+## [107.90.15] - July 18, 2024
+* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892)
+* Added new `nginx.hosts` to use Nginx server_name directive instead of `ingress.hosts`
+* Added a deprecation notice of ingress.hosts when `ngnix.enabled` is true
+* Added new evidence service
+* Corrected database connection values based on sizing 
+* **IMPORTANT**
+* Separate access from artifactory tomcat to run on its own dedicated tomcat
+  * With this change access will be running in its own dedicated container
+  * This will give the ability to control resources and java options specific to access
+    Can be done by passing the following,
+    `access.javaOpts.other`
+    `access.resources`
+    `access.extraEnvironmentVariables`
+* Updating the example link for downloading the DB driver
+* Added Binary Provider recommendations
+* Add support for EnvironmentVaraiables on Filebeat Sidecar
+
+## [107.89.0] - May 30, 2024
+* Fix the indentation of the commented-out sections in the values.yaml file
+
+## [107.88.0] - May 29, 2024
+* **IMPORTANT**
+* Refactored `nginx.artifactoryConf` and `nginx.mainConf` configuration (moved to files/nginx-artifactory-conf.yaml  and files/nginx-main-conf.yaml instead of keys in values.yaml)
+
+## [107.87.0] - May 29, 2024
+* Renamed `.Values.artifactory.openMetrics` to `.Values.artifactory.metrics`
+* Align all liveness and readiness probes (Removed hard-coded values)
+
+## [107.85.0] - May 29, 2024
+* Changed `migration.enabled` to false by default. For 6.x to 7.x migration, this flag needs to be set to `true`
+
+## [107.84.0] - May 29, 2024
 * Added image section for `initContainers` instead of `initContainerImage`
 * Renamed `router.image.imagePullPolicy` to `router.image.pullPolicy`
 * Removed loggers.image section
@@ -14,7 +46,7 @@ All changes to this chart will be documented in this file
 * Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy`
 * Renamed `artifactory.seLinuxOptions` to `artifactory.podSecurityContext.seLinuxOptions`
 * Added flag `allowNonPostgresql` defaults to false
-* Update postgresql tag version to `15.6.0-debian-11-r16`
+* Update postgresql tag version to `15.6.0-debian-12-r5`
 * Added a check if `initContainerImage` exists
 * Fixed a wrong imagePullPolicy configuration
 * Fixed an issue to generate unified secret to support artifactory fullname [GH-1882](https://github.com/jfrog/charts/issues/1882)
@@ -23,7 +55,6 @@ All changes to this chart will be documented in this file
 * Fixed resource constraints for "setup" initContainer of nginx deployment [GH-962] (https://github.com/jfrog/charts/issues/962)
 * Added .Values.artifactory.unifiedSecretsPrependReleaseName` for unified secret to prepend release name
 * Fixed maxCacheSize and cacheProviderDir mix up under azure-blob-storage-v2-direct template in binarystore.xml
-* Fixed #adding colon in image registry which breaks deployment [GH-1892](https://github.com/jfrog/charts/pull/1892)
 
 ## [107.83.0] - Mar 12, 2024
 * Added image section for `metadata` and `observability`

stable/artifactory-ha/Chart.yaml

@@ -1,7 +1,7 @@
 annotations:
-  artifactoryServiceVersion: 7.84.20
+  artifactoryServiceVersion: 7.90.21
 apiVersion: v2
-appVersion: 7.84.17
+appVersion: 7.90.15
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -23,4 +23,4 @@ name: artifactory-ha
 sources:
 - https://github.com/jfrog/charts
 type: application
-version: 107.84.17
+version: 107.90.15

stable/artifactory-ha/ci/test-values.yaml

@@ -1,6 +1,6 @@
 databaseUpgradeReady: true
 artifactory:
-  openMetrics:
+  metrics:
     enabled: true
   podSecurityContext:
     fsGroupChangePolicy: "OnRootMismatch"

stable/artifactory-ha/files/nginx-artifactory-conf.yaml

@@ -0,0 +1,98 @@
+{{- if .Values.nginx.https.enabled }}
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_certificate  {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt;
+ssl_certificate_key  {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key;
+ssl_session_cache shared:SSL:1m;
+ssl_prefer_server_ciphers   on;
+{{- end }}
+## server configuration
+server {
+{{- if .Values.nginx.internalPortHttps }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.internalPortHttps }} ssl;
+{{- else -}}
+listen {{ .Values.nginx.internalPortHttps }} ssl;
+{{- end }}
+{{- else -}}
+{{- if .Values.nginx.https.enabled }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.https.internalPort }} ssl;
+{{- else -}}
+listen {{ .Values.nginx.https.internalPort }} ssl;
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.nginx.internalPortHttp }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.internalPortHttp }};
+{{- else -}}
+listen {{ .Values.nginx.internalPortHttp }};
+{{- end }}
+{{- else -}}
+{{- if .Values.nginx.http.enabled }}
+{{- if .Values.nginx.singleStackIPv6Cluster }}
+listen [::]:{{ .Values.nginx.http.internalPort }};
+{{- else -}}
+listen {{ .Values.nginx.http.internalPort }};
+{{- end }}
+{{- end }}
+{{- end }}
+server_name ~(?<repo>.+)\.{{ include "artifactory-ha.fullname" . }} {{ include "artifactory-ha.fullname" . }}
+{{ tpl (include "artifactory.nginx.hosts" .) . }};
+
+if ($http_x_forwarded_proto = '') {
+  set $http_x_forwarded_proto  $scheme;
+}
+set $host_port {{ .Values.nginx.https.externalPort }};
+if ( $scheme = "http" ) {
+  set $host_port {{ .Values.nginx.http.externalPort }};
+}
+## Application specific logs
+## access_log /var/log/nginx/artifactory-access.log timing;
+## error_log /var/log/nginx/artifactory-error.log;
+rewrite ^/artifactory/?$ / redirect;
+if ( $repo != "" ) {
+  rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;
+}
+chunked_transfer_encoding on;
+client_max_body_size 0;
+
+location / {
+  proxy_read_timeout  900;
+  proxy_pass_header   Server;
+  proxy_cookie_path   ~*^/.* /;
+  proxy_pass          {{ include "artifactory-ha.scheme" . }}://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalPort }}/;
+  {{- if .Values.nginx.service.ssloffload}}
+  proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host;
+  {{- else }}
+  proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port;
+  proxy_set_header    X-Forwarded-Port  $server_port;
+  {{- end }}
+  proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
+  proxy_set_header    Host              $http_host;
+  proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
+  {{- if .Values.nginx.disableProxyBuffering}}
+  proxy_http_version 1.1;
+  proxy_request_buffering off;
+  proxy_buffering off;
+  {{- end }}
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  location /artifactory/ {
+    if ( $request_uri ~ ^/artifactory/(.*)$ ) {
+      proxy_pass       http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1;
+    }
+    proxy_pass         http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/;
+  }
+  location /pipelines/ {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $http_host;
+    {{- if .Values.router.tlsEnabled }}
+    proxy_pass  https://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }};
+    {{- else }}
+    proxy_pass  http://{{ include "artifactory-ha.fullname" . }}:{{ .Values.router.internalPort }};
+    {{- end }}
+  }
+}
+}

stable/artifactory-ha/files/nginx-main-conf.yaml

@@ -0,0 +1,83 @@
+# Main Nginx configuration file
+worker_processes  4;
+
+{{- if .Values.nginx.logs.stderr }}
+error_log  stderr {{ .Values.nginx.logs.level }};
+{{- else -}}
+error_log  {{ .Values.nginx.persistence.mountPath }}/logs/error.log {{ .Values.nginx.logs.level }};
+{{- end }}
+pid        /var/run/nginx.pid;
+
+{{- if .Values.artifactory.ssh.enabled }}
+## SSH Server Configuration
+stream {
+  server {
+    {{- if .Values.nginx.singleStackIPv6Cluster }}
+    listen [::]:{{ .Values.nginx.ssh.internalPort }};
+    {{- else -}}
+    listen {{ .Values.nginx.ssh.internalPort }};
+    {{- end }}
+    proxy_pass {{ include "artifactory-ha.fullname" . }}:{{ .Values.artifactory.ssh.externalPort }};
+  }
+}
+{{- end }}
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  variables_hash_max_size 1024;
+  variables_hash_bucket_size 64;
+  server_names_hash_max_size 4096;
+  server_names_hash_bucket_size 128;
+  types_hash_max_size 2048;
+  types_hash_bucket_size 64;
+  proxy_read_timeout 2400s;
+  client_header_timeout 2400s;
+  client_body_timeout 2400s;
+  proxy_connect_timeout 75s;
+  proxy_send_timeout 2400s;
+  proxy_buffer_size 128k;
+  proxy_buffers 40 128k;
+  proxy_busy_buffers_size 128k;
+  proxy_temp_file_write_size 250m;
+  proxy_http_version 1.1;
+  client_body_buffer_size 128k;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+  '$status $body_bytes_sent "$http_referer" '
+  '"$http_user_agent" "$http_x_forwarded_for"';
+
+  log_format timing 'ip = $remote_addr '
+  'user = \"$remote_user\" '
+  'local_time = \"$time_local\" '
+  'host = $host '
+  'request = \"$request\" '
+  'status = $status '
+  'bytes = $body_bytes_sent '
+  'upstream = \"$upstream_addr\" '
+  'upstream_time = $upstream_response_time '
+  'request_time = $request_time '
+  'referer = \"$http_referer\" '
+  'UA = \"$http_user_agent\"';
+
+  {{- if .Values.nginx.logs.stdout }}
+  access_log /dev/stdout timing;
+  {{- else -}}
+  access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;
+  {{- end }}
+
+  sendfile        on;
+  #tcp_nopush     on;
+
+  keepalive_timeout  65;
+
+  #gzip  on;
+
+  include /etc/nginx/conf.d/*.conf;
+
+}

stable/artifactory-ha/files/system.yaml

@@ -6,13 +6,7 @@ shared:
   jfrogColdStorage:
     coldInstanceEnabled: true
 {{- end }}
-{{- if  .Values.artifactory.openMetrics.enabled }}
-  metrics:
-    enabled: true
-  {{- if .Values.artifactory.openMetrics.filebeat.enabled }}
-    filebeat: {{ toYaml .Values.artifactory.openMetrics.filebeat | nindent 6 }}
-  {{- end }}
-{{- end }}
+{{ tpl (include "artifactory.metrics" .) . }}
   logging:
     consoleLog:
       enabled: {{ .Values.artifactory.consoleLog }}
@@ -86,8 +80,21 @@ frontend:
   session:
     timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }}
 access:
+  runOnArtifactoryTomcat: {{ .Values.access.runOnArtifactoryTomcat | default false }}
   database:
     maxOpenConnections: {{ .Values.access.database.maxOpenConnections }}
+  {{- if not (.Values.access.runOnArtifactoryTomcat | default false) }}
+  extraJavaOpts: >
+  {{- if .Values.splitServicesToContainers }}
+    -XX:InitialRAMPercentage=20
+    -XX:MaxRAMPercentage=70
+  {{- end }}
+  {{- with .Values.access.javaOpts }}
+  {{- if .other }}
+    {{ .other }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
   tomcat:
     connector:
       maxThreads: {{ .Values.access.tomcat.connector.maxThreads }}
@@ -146,4 +153,11 @@ federation:
 {{- if .Values.event.webhooks }}
 event:
   webhooks: {{ toYaml .Values.event.webhooks | nindent 6 }}
+{{- end }}
+{{- if .Values.evidence.enabled }}
+evidence:
+  enabled: true
+{{- else }}
+evidence:
+  enabled: false
 {{- end }}

stable/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml

@@ -30,6 +30,10 @@ access:
   tomcat:
     connector:
       maxThreads: 200
+  javaOpts:
+    other: >
+      -XX:InitialRAMPercentage=20
+      -XX:MaxRAMPercentage=60
 
   database:
     maxOpenConnections: 200

stable/artifactory-ha/sizing/artifactory-2xlarge.yaml

@@ -65,6 +65,15 @@ event:
       # cpu: "1"
       memory: 500Mi
 
+access:
+  resources:
+    requests:
+      cpu: 1
+      memory: 2Gi
+    limits:
+      # cpu: 2
+      memory: 4Gi
+
 observability:
   resources:
     requests:
@@ -96,7 +105,7 @@ nginx:
 
 postgresql:
   postgresqlExtendedConf:
-    maxConnections: "2500"
+    maxConnections: "5000"
   primary:
     affinity:
       # Require PostgreSQL pod to run on a different node than Artifactory pods