jfrog / charts

JFrog official Helm Charts
https://jfrog.com/integration/helm-repository/
Apache License 2.0
259 stars 448 forks source link

artifactory-oss does not deploy on Openshift due to securityContext issues #1910

Closed rafaeltuelho closed 3 months ago

rafaeltuelho commented 3 months ago

Is this a request for help?: no

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

Version of Helm and Kubernetes: Openshift 4.14.15 (Kubernetes v1.27.11+ec42b99) Helm v3.15.0

Which chart: artifactory-oss

Which product license (Enterprise/Pro/oss): oss

JFrog support reference (if already raised with support team): n/a

What happened: artifactory STS fail to create initContainers due to seccomp not defined

What you expected to happen: properly deployed

How to reproduce it (as minimally and precisely as possible):

helm repo add jfrog https://charts.jfrog.io/
helm install -name artifactory jfrog/artifactory-oss --namespace artifactory --create-namespace -f values.yaml

Anything else we need to know: my values.yaml

# Default values for artifactory-oss.
# This is a YAML-formatted file.

# Beware when changing values here. You should know what you are doing!
# Access the values with {{ .Values.key.subkey }}

# This chart is based on the main artifactory chart with some customizations.
# See all supported configuration keys in https://github.com/jfrog/charts/tree/master/stable/artifactory

containerSecurityContext:
  enabled: false
## All values are under the 'artifactory' sub chart.
artifactory:
  podSecurityContext:
    enabled: false
  ## Artifactory
  ## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
  artifactory:
    ## Default tag is from the artifactory sub-chart in the requirements.yaml
    image:
      registry: releases-docker.jfrog.io
      repository: jfrog/artifactory-oss
      # tag:
    ## Uncomment the following resources definitions or pass them from command line
    ## to control the cpu and memory resources allocated by the Kubernetes cluster
    resources: {}
    #  requests:
    #    memory: "1Gi"
    #    cpu: "500m"
    #  limits:
    #    memory: "4Gi"
    #    cpu: "1"
    ## The following Java options are passed to the java process running Artifactory.
    ## You should set them according to the resources set above.
    ## IMPORTANT: Make sure resources.limits.memory is at least 1G more than Xmx.
    javaOpts: {}
    # xms: "1g"
    # xmx: "3g"
    # other: ""
  installer:
    platform: art-oss-helm
  installerInfo: '{"productId":"Helm_artifactory-oss/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}'
  ## Nginx
  ## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
  nginx:
    enabled: false
    podSecurityContext:
      enabled: false
    containerSecurityContext:
      enabled: false
    tlsSecretName: ""
    service:
      type: LoadBalancer
  ## Ingress
  ## See full list of supported Ingress options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
  ingress:
    enabled: false
    tls:
  ## PostgreSQL
  ## See list of supported postgresql options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
  ## Configuration values for the PostgreSQL dependency sub-chart
  ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
  postgresql:
    enabled: true
  ## This key is required for upgrades to protect old PostgreSQL chart's breaking changes.
  databaseUpgradeReady: "yes"
  ## If NOT using the PostgreSQL in this chart (artifactory.postgresql.enabled=false),
  ## specify custom database details here or leave empty and Artifactory will use embedded derby.
  ## See full list of database options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
  # database:
  jfconnect:
    enabled: false
  federation:
    enabled: false
## Enable the PostgreSQL sub chart
postgresql:
  enabled: true
  securityContext:
    enabled: false
  containerSecurityContext:
    enabled: false
router:
  image:
    tag: 7.118.0
initContainers:
  image:
    tag: 9.4.949.1716471857
shahiinn commented 3 months ago

@rafaeltuelho : Can you refer to this documentation and make sure all the required parameters are added correctly. On a quick look, the below configuration is missing.

artifactory:
  setSecurityContext: false
rafaeltuelho commented 3 months ago

@shahiinn if you look at the CHANGELOG this key artifactory.setSecurityContext was renamed to artifactory.podSecurityContext. As you can see in my values.yaml, I'm setting it, but it has no effect on the deployment.

artifactory:
  podSecurityContext:
    enabled: false
shahiinn commented 3 months ago

@rafaeltuelho : You are right. Sorry for the wrong guidance. I guess you need to add the configuration within the parent artifactory block. something like :

artifactory:
  artifactory:
    podSecurityContext:
      enabled: false
rafaeltuelho commented 3 months ago

I don't thnk so. Looking at the original chart values this key is under artifactory at the global level https://github.com/jfrog/charts/blob/128fea59fc39a754853e75365a9bf84782438cde/stable/artifactory/values.yaml

shahiinn commented 3 months ago

@rafaeltuelho : The original chart you have mentioned here is being used as a dependent chart for the oss chart hence the whole changes that need to be performed for the dependent chart need to be mentioned within a block of it. (ref)

for example : if in the original chart, we are providing a config like below

containerSecurityContext:
  enabled: false
artifactory:
  podSecurityContext: 
    enabled: false
postgresql:
  securityContext:
    enabled: false
  containerSecurityContext:
    enabled: false
nginx:
  podSecurityContext:
    enabled: false
  containerSecurityContext:
    enabled: false   

If the same changes need to be done to a dependent chart, the equivalent block should be like

artifactory:
  containerSecurityContext:
    enabled: false
  artifactory:
    podSecurityContext: 
      enabled: false
  postgresql:
    securityContext:
      enabled: false
    containerSecurityContext:
      enabled: false
  nginx:
    podSecurityContext:
      enabled: false
    containerSecurityContext:
      enabled: false
rafaeltuelho commented 3 months ago

Good catch, @shahiinn! I will give it a try and update the results here.

rafaeltuelho commented 3 months ago

It worked here @shahiinn ! Thanks for looking at this. At the end was the dammed YAML indentation :-)

rafaeltuelho commented 3 months ago

With that I believe this one can be closed!