
Commit 1bdaa2f

barkhachoithanivitalykorolevpengzhoumlsumanthravipatisumanthravipati
authored
MLE-13136: Merging release/1.1.1 to master (#205)
* MLE-11843 fix HC tests (#189) * update pod name for the tests * update pod name for the tests in makefile * increment docker version to the latest release * MLE-12244: fixes for failing upgrade tests on jenkins (#190) * MLE-12574: Warning message changes commit while using ML rootless image (#197) Co-authored-by: sumanthravipati <[email protected]> * MLE-4146: Liveness and Readiness Probe Changes Commit (#198) * add dependent image scanning (#199) * MLE-12746: bug fix for helm upgrade not working for TLS configuration * Updating chart version in chart.yaml (#204) * add TLS enable check --------- Co-authored-by: Vitaly <[email protected]> Co-authored-by: Peng Zhou <[email protected]> Co-authored-by: sumanthravipati <[email protected]> Co-authored-by: sumanthravipati <[email protected]> Co-authored-by: Peng Zhou <[email protected]> Co-authored-by: Romain Winieski <[email protected]>
1 parent 67cfd7c commit 1bdaa2f


10 files changed

+193
-98
lines changed


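--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -6,6 +6,7 @@
 import groovy.json.JsonSlurperClassic
 
 
+
 gitCredID = 'marklogic-builder-github'
 JIRA_ID = ''
 JIRA_ID_PATTERN = /(?i)(MLE)-\d{3,6}/
@@ -104,7 +105,7 @@ void resultNotification(message) {
 emailList = params.emailList
 }
 jira_link = "https://project.marklogic.com/jira/browse/${JIRA_ID}"
-email_body = "<b>Jenkins pipeline for</b> ${env.JOB_NAME} <br><b>Build Number: </b>${env.BUILD_NUMBER} <b><br><br>Lint Output: <br></b><pre><code>${LINT_OUTPUT}</code></pre><br><br><b>Build URL: </b><br>${env.BUILD_URL}"
+email_body = "<b>Jenkins pipeline for</b> ${env.JOB_NAME} <br><b>Build Number: </b>${env.BUILD_NUMBER} <br><br><b>Lint Output: </b><br><pre><code>${LINT_OUTPUT}</code></pre><br><br><b>Scan Output: </b><br><pre><code>${SCAN_OUTPUT}</code></pre><br><br><b>Build URL: </b><br>${env.BUILD_URL}"
 jira_email_body = "${email_body} <br><br><b>Jira URL: </b><br>${jira_link}"
 
 if (JIRA_ID) {
@@ -128,6 +129,18 @@ void lint() {
 '''
 }
 
+void imageScan() {
+sh "make image-scan saveOutput=true"
+
+SCAN_OUTPUT = sh(returnStdout: true, script:'cat dep-image-scan.txt')
+hasCriticalOrHigh = SCAN_OUTPUT.contains("High") || SCAN_OUTPUT.contains("Critical")
+if (hasCriticalOrHigh) {
+mail charset: 'UTF-8', mimeType: 'text/html', to: "${emailSecList}", body: "<br>Jenkins pipeline for ${env.JOB_NAME} <br>Build Number: ${env.BUILD_NUMBER} <br>Vulnerabilities: <pre><code>${SCAN_OUTPUT}</code></pre>", subject: "Critical or High Security Vulnerabilities Found: ${env.JOB_NAME} #${env.BUILD_NUMBER}"
+}
+
+sh '''rm -f dep-image-scan.txt'''
+}
+
 void publishTestResults() {
 junit allowEmptyResults:true, testResults: '**/test/test_results/*.xml'
 archiveArtifacts artifacts: '**/test/test_results/*.xml', allowEmptyArchive: true
@@ -156,7 +169,7 @@ pipeline {
 skipStagesAfterUnstable()
 }
 triggers {
-parameterizedCron( env.BRANCH_NAME == 'develop' ? '''00 04 * * *''' : '')
+parameterizedCron( env.BRANCH_NAME == 'develop' ? '''00 04 * * * % IMAGE_SCAN=true''' : '')
 }
 environment {
 //timeStamp = sh(returnStdout: true, script: "date +%Y%m%d -d '-5 hours'").trim()
@@ -174,9 +187,10 @@ pipeline {
 choice(name: 'ML_VERSION', choices: '11.2\n12.0\n10.0', description: 'MarkLogic version. used to pick appropriate docker image')
 booleanParam(name: 'KUBERNETES_TESTS', defaultValue: true, description: 'Run kubernetes tests')
 booleanParam(name: 'HC_TESTS', defaultValue: false, description: 'Run Hub Central E2E UI tests (takes about 3 hours)')
-string(name: 'dockerReleaseVer', defaultValue: '1.1.1', description: 'Current Docker version. (e.g. 1.0.1)', trim: true)
+booleanParam(name: 'IMAGE_SCAN', defaultValue: false, description: 'Find and scan dependent Docker images for security vulnerabilities')
+string(name: 'dockerReleaseVer', defaultValue: '1.1.2', description: 'Current Docker version. (e.g. 1.0.1)', trim: true)
 choice(name: 'PREV_ML_VERSION', choices: '10.0\n9.0\n11.2', description: 'Previous MarkLogic version for MarkLogic upgrade tests')
-string(name: 'prevDockerReleaseVer', defaultValue: '1.1.1', description: 'Previous Docker version for MarkLogic upgrade tests. (e.g. 1.0.1)', trim: true)
+string(name: 'prevDockerReleaseVer', defaultValue: '1.1.2', description: 'Previous Docker version for MarkLogic upgrade tests. (e.g. 1.0.1)', trim: true)
 choice(name: 'K8_VERSION', choices: 'v1.25.8\nv1.26.3\nv1.24.12\nv1.23.17', description: 'Test Kubernetes version. (e.g. v1.25.8)')
 }
 
@@ -193,6 +207,15 @@ pipeline {
 }
 }
 
+stage('Image-Scan') {
+when {
+expression { return params.IMAGE_SCAN }
+}
+steps {
+imageScan()
+}
+}
+
 stage('Kubernetes-Run-Tests') {
 when {
 expression { return params.KUBERNETES_TESTS }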
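Review bot: resultNotification now interpolates `${SCAN_OUTPUT}` into email_body unconditionally, while the variable is only assigned inside imageScan(), which the new Image-Scan stage runs only when params.IMAGE_SCAN is true; unless the line added at 9 (rendered empty on this page) initialises it, a build with the scan switched off would fail in resultNotification on an unbound variable, so declaring `SCAN_OUTPUT = ''` next to `JIRA_ID = ''` is worth doing either way. In imageScan, `hasCriticalOrHigh` is a bare substring test on the scanner's text, so any package name or description containing "High"/"Critical" trips it and a differently-cased severity label does not; matching the severity field of the scanner's output (or parsing its structured output) would make the gate reliable. When it does trip, the stage only sends mail and leaves the build green; adding `currentBuild.result = 'UNSTABLE'` inside the `if (hasCriticalOrHigh)` block makes the finding visible in Jenkins rather than only in a mailbox. `emailSecList` is not defined in any hunk shown here, and both `mail` bodies embed SCAN_OUTPUT into a text/html message without escaping `<`, `>` and `&`, so scanner output containing markup would be rendered rather than displayed.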

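--- a/README.md
+++ b/README.md
@@ -164,22 +164,16 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 | `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privileges than its parent process | `true` |
 | `livenessProbe.enabled` | Parameter to enable the liveness probe | `true` |
 | `livenessProbe.initialDelaySeconds` | Initial delay seconds for liveness probe | `300` |
-| `livenessProbe.periodSeconds` | Period seconds for liveness probe | `20` |
+| `livenessProbe.periodSeconds` | Period seconds for liveness probe | `10` |
 | `livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | `5` |
 | `livenessProbe.failureThreshold` | Failure threshold for liveness probe | `15` |
 | `livenessProbe.successThreshold` | Success threshold for liveness probe | `1` |
-| `readinessProbe.enabled` | Use this parameter to enable the readiness probe. See [Known-Issues-and-Limitations](#known-issues-and-limitations)section | `false` |
+| `readinessProbe.enabled` | Parameter to enable the readiness probe | `false` |
 | `readinessProbe.initialDelaySeconds` | Initial delay seconds for readiness probe | `10` |
-| `readinessProbe.periodSeconds` | Period seconds for readiness probe | `60` |
+| `readinessProbe.periodSeconds` | Period seconds for readiness probe | `10` |
 | `readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | `5` |
 | `readinessProbe.failureThreshold` | Failure threshold for readiness probe | `3` |
 | `readinessProbe.successThreshold` | Success threshold for readiness probe | `1` |
-| `startupProbe.enabled` | Parameter to enable startup probe. See [Known-Issues-and-Limitations](#known-issues-and-limitations) section | `false` |
-| `startupProbe.initialDelaySeconds` | Initial delay seconds for startup probe | `10` |
-| `startupProbe.periodSeconds` | Period seconds for startup probe | `20` |
-| `startupProbe.timeoutSeconds` | Timeout seconds for startup probe | `1` |
-| `startupProbe.failureThreshold` | Failure threshold for startup probe | `30` |
-| `startupProbe.successThreshold` | Success threshold for startup probe | `1` |
 | `logCollection.enabled` | Parameter to enable cluster wide log collection of Marklogic server logs | `false` |
 | `logCollection.image` | Image repository and tag for fluent-bit container | `fluent/fluent-bit:2.2.2` |
 | `logCollection.resources.requests.cpu` | The requested cpu resource for the fluent-bit container | `100m` |
@@ -221,4 +215,3 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 4. The latest released version of fluent/fluent-bit:2.2.2 has known security vulnerabilities with respect to libcom-err2 CVE-2022-1304, libgcrypt20 CVE-2021-33560, libgnutls30 CVE-2024-0567, libldap-2.4-2 CVE-2023-2953, libzstd1 CVE-2022-4899, zlib1g CVE-2023-45853. These libraries are included in the Debian base image but, to-date, no fixes have been made available. For libpq5 CVE-2024-0985, we wait for a future upgrade of the fluent-bit image to include the fix. We will provide updates and mitigation strategies as soon as more information becomes available.
 5. The latest released version of redhat/ubi9:9.3 has known security vulnerabilities with respect to setuptools GHSA-r9hx-vwmv-q579, we wait for a future upgrade of the redhad ubi image to include the fix.
 6. The security context “allowPrivilegeEscalation” is set to TRUE by default in values.yaml file and cannot be changed to run the current MarkLogic container. Work is in progress to run MarkLogic container in "rootless" mode.
-7. The Readiness and Startup Probe are not compatible with HA deployment. At the moment these probes may fail in the case of Security database failover. As of the 1.0.2 helm chart release, the startup and readiness probes are disabled by default.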

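--- a/charts/Chart.yaml
+++ b/charts/Chart.yaml
@@ -17,4 +17,4 @@ keywords:
 sources:
 - https://github.com/marklogic/marklogic-kubernetes
 - https://www.marklogic.com/
-version: 1.1.0
+version: 1.1.1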

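--- a/charts/templates/NOTES.txt
+++ b/charts/templates/NOTES.txt
@@ -6,8 +6,9 @@ Your release is named {{ .Release.Name }}.
 {{- if .Values.containerSecurityContext.allowPrivilegeEscalation }}
 WARNING
 ***********************************************************************************************************
-Setting "containerSecurityContext.allowPrivilegeEscalation" is set to true.
-This is not recommended and is not a secure configuration while using rootless MarkLogic images.
+The rootless MarkLogic container image is in use but containerSecurityContext.allowPrivilegeEscalation is set to true.
+Privilege escalation is not required to run the rootless MarkLogic container image. It is recommended to set
+containerSecurityContext.allowPrivilegeEscalation to false to secure this configuration.
 ***********************************************************************************************************
 {{- end }}
 {{- end }}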
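Review bot: The new warning text at lines 9–11 tells operators to set containerSecurityContext.allowPrivilegeEscalation to false for the rootless image, while the README's known-issue 6 in this same commit still states without qualification that the setting "cannot be changed to run the current MarkLogic container"; the README sentence should be scoped to the root-based image so the two do not contradict each other. The outer `{{- if` that encloses this block begins before the hunk, so whether a rootless-image condition actually guards this message is not visible here; if it does not, the first sentence's claim that "the rootless MarkLogic container image is in use" would print for root-based images too.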
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
apiVersion: v1
2+
kind: ConfigMap
3+
metadata:
4+
name: {{ .Release.Name }}-scripts
5+
data:
6+
liveness-probe.sh: |
7+
#!/bin/bash
8+
9+
log () {
10+
local TIMESTAMP=$(date +"%Y-%m-%d %T.%3N")
11+
# Check to make sure pod doesn't terminate if PID value is empty for any reason
12+
if [ -n "$pid" ]; then
13+
echo "${TIMESTAMP} $@" > /proc/$pid/fd/1
14+
fi
15+
}
16+
17+
pid=$(pgrep start.marklogic)
18+
19+
# Check if ML service is running. Exit with 1 if it is other than running
20+
ml_status=$(/etc/init.d/MarkLogic status)
21+
22+
if [[ "$ml_status" =~ "running" ]]; then
23+
http_code=$(curl -o /tmp/probe_response.txt -s -w "%{http_code}" "http://${HOSTNAME}:8001/admin/v1/timestamp")
24+
curl_code=$?
25+
http_resp=$(cat /tmp/probe_response.txt)
26+
27+
if [[ $curl_code -ne 0 && $http_code -ne 401 ]]; then
28+
log "Info: [Liveness Probe] Error with MarkLogic"
29+
log "Info: [Liveness Probe] Curl response code: "$curl_code
30+
log "Info: [Liveness Probe] Http response code: "$http_code
31+
log "Info: [Liveness Probe] Http response message: "$http_resp
32+
fi
33+
rm -f /tmp/probe_response.txt
34+
exit 0
35+
else
36+
exit 1
37+
fi
38+
39+
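Review bot: The liveness test `if [[ "$ml_status" =~ "running" ]]` is an unanchored substring match, so a status line such as "… is not running" would also satisfy it and the probe would exit 0 with the service down; testing the init script's exit status instead (`if /etc/init.d/MarkLogic status >/dev/null 2>&1; then`, assuming it returns non-zero when stopped — verify against the script) or anchoring the pattern would make the check meaningful. The HTTP check that follows only logs: that branch exits 0 whether or not curl reached port 8001, and the `&&` in `[[ $curl_code -ne 0 && $http_code -ne 401 ]]` means a connection that succeeds but returns a 5xx is not logged either; if a 401 from an unauthenticated request is the expected healthy answer, `[[ $curl_code -ne 0 || $http_code -ne 401 ]]` expresses that, and whether the probe should then `exit 1` depends on TLS deployments the script does not handle (it always uses http://), which the commit message says this release touches. `pid=$(pgrep start.marklogic)` can return several PIDs, which would break the `/proc/$pid/fd/1` redirect in log; `pgrep -o` pins one. The fixed `/tmp/probe_response.txt` could be a `mktemp` file, and `echo "${TIMESTAMP} $@"` should quote the arguments as `"$@"`.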
