marklogic
diff --git a/‎README.md
Lines changed: 9 additions & 12 deletions b/‎README.md
Lines changed: 9 additions & 12 deletions
diff --git a/‎charts/templates/configmap-scripts.yaml
Lines changed: 3 additions & 3 deletions b/‎charts/templates/configmap-scripts.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎charts/values.yaml
Lines changed: 1 addition & 1 deletion b/‎charts/values.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎makefile
Lines changed: 1 addition & 1 deletion b/‎makefile
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/e2e/backup_restore_test.go
Lines changed: 17 additions & 3 deletions b/‎test/e2e/backup_restore_test.go
Lines changed: 17 additions & 3 deletions
diff --git a/‎test/e2e/clustering_test.go
Lines changed: 4 additions & 8 deletions b/‎test/e2e/clustering_test.go
Lines changed: 4 additions & 8 deletions
@@ -124,7 +124,7 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 | `image.pullPolicy`                                  | Image pull policy for MarkLogic image                                                                                                                                                  | `IfNotPresent`             |
 | `initContainers.configureGroup.image`               | Image for configureGroup InitContainer                                                                                                                                                 | `curlimages/curl:8.8.0`    |
 | `initContainers.configureGroup.pullPolicy`          | Pull policy for configureGroup InitContainer                                                                                                                                           | `IfNotPresent`             |
-| `initContainers.utilContainer.image`                | Image for copyCerts and volume permission change for root to rootless upgrade InitContainer                                                                                                                                                      | `redhat/ubi9:9.3`          |
+| `initContainers.utilContainer.image`                | Image for copyCerts and volume permission change for root to rootless upgrade InitContainer                                                                                                                                                      | `redhat/ubi9:9.4`          |
 | `initContainers.utilContainer.pullPolicy`           | Pull policy for copyCerts and volume permission change for root to rootless upgrade InitContainer                                                                                                                                                | `IfNotPresent`             |
 | `imagePullSecrets`                                  | Registry secret names as an array                                                                                                                                                      | `[]`                       |
 | `hugepages.enabled`                                 | Parameter to enable Hugepage on MarkLogic                                                                                                                                              | `false`                    |
@@ -170,14 +170,14 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 | `containerSecurityContext.enabled`                  | Parameter to enable security context for MarkLogic containers                                                                                                                          | `true`                     |
 | `containerSecurityContext.runAsUser`                | User ID to run the entrypoint of the container process                                                                                                                                 | `1000`                     |
 | `containerSecurityContext.runAsNonRoot`             | Indicates that the container must run as a non-root user                                                                                                                               | `true`                     |
-| `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privileges than its parent process                                                                                                            | `true`                     |
+| `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privileges than its parent process                                                                                                            | `false`                     |
 | `livenessProbe.enabled`                             | Parameter to enable the liveness probe                                                                                                                                                 | `true`                     |
 | `livenessProbe.initialDelaySeconds`                 | Initial delay seconds for liveness probe                                                                                                                                               | `300`                      |
 | `livenessProbe.periodSeconds`                       | Period seconds for liveness probe                                                                                                                                                      | `10`                       |
 | `livenessProbe.timeoutSeconds`                      | Timeout seconds for liveness probe                                                                                                                                                     | `5`                        |
 | `livenessProbe.failureThreshold`                    | Failure threshold for liveness probe                                                                                                                                                   | `15`                       |
 | `livenessProbe.successThreshold`                    | Success threshold for liveness probe                                                                                                                                                   | `1`                        |
-| `readinessProbe.enabled`                            | Parameter to enable the readiness probe                                                                                                                                                | `false`                    |
+| `readinessProbe.enabled`                            | Parameter to enable the readiness probe                                                                                                                                                | `true`                    |
 | `readinessProbe.initialDelaySeconds`                | Initial delay seconds for readiness probe                                                                                                                                              | `10`                       |
 | `readinessProbe.periodSeconds`                      | Period seconds for readiness probe                                                                                                                                                     | `10`                       |
 | `readinessProbe.timeoutSeconds`                     | Timeout seconds for readiness probe                                                                                                                                                    | `5`                        |
@@ -234,12 +234,9 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 
 ## Known Issues and Limitations
 
-1. If the hostname is greater than 64 characters there will be issues with certificates. It is highly recommended to use hostname shorter than 64 characters or use SANs for hostnames in the certificates.
-2. The MarkLogic Docker image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
-3. The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191, glibc CVE-2019-1010022, pcre CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394, SQLite CVE-2019-5827. These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.
-4. The latest released version of fluent/fluent-bit:2.2.2 has known security vulnerabilities with respect to libcom-err2 CVE-2022-1304, libgcrypt20 CVE-2021-33560, libgnutls30 CVE-2024-0567, libldap-2.4-2 CVE-2023-2953, libzstd1 CVE-2022-4899, zlib1g CVE-2023-45853. These libraries are included in the Debian base image but, to-date, no fixes have been made available. For libpq5 CVE-2024-0985, we wait for a future upgrade of the fluent-bit image to include the fix. We will provide updates and mitigation strategies as soon as more information becomes available.
-5. The latest released version of redhat/ubi9:9.3 has known security vulnerabilities with respect to setuptools GHSA-r9hx-vwmv-q579. We wait for a future upgrade of the redhad ubi image to include the fix.
-6. The security context “allowPrivilegeEscalation” is set to TRUE by default in values.yaml file and cannot be changed to run the current MarkLogic container. Work is in progress to run MarkLogic container in "rootless" mode.
-7. Known Issues and Limitations for the MarkLogic Server Docker image can be viewed using the link: https://github.com/marklogic/marklogic-docker?tab=readme-ov-file#Known-Issues-and-Limitations
-8. The Readiness and Startup Probe are not compatible with HA deployment. At the moment these probes may fail in the case of Security database failover. As of the 1.0.2 helm chart release, the startup and readiness probes are disabled by default.
-9. Path based routing and Ingress features are only supported with MarkLogic 11.1 and higher.
+1. If the hostname is greater than 64 characters there will be issues with certificates. It is highly recommended to use hostname shorter than 64 characters or use SANs for hostnames in the certificates. If you still choose to use hostname greater than 64 characters, set "allowLongHostnames" to true.
+2. The latest released version of fluent/fluent-bit:3.1.1 has known high and critical security vulnerabilities. If you decide to enable the log collection feature, choose and deploy the fluent-bit or an alternate image with no vulnerabilities as per your requirements. 
+3. The security context “allowPrivilegeEscalation” is set to false by default in the
+values.yaml file. This should not be changed when running the MarkLogic container with default rootless image. If you choose to use an image with root privileges, set "allowPrivilegeEscalation" to true.
+4. Known Issues and Limitations for the MarkLogic Server Docker image can be viewed using the link: https://github.com/marklogic/marklogic-docker?tab=readme-ov-file#Known-Issues-and-Limitations.
+5. Path-based routing and Ingress features are only supported with MarkLogic 11.1 and higher.
@@ -588,7 +588,7 @@ data:
                 response_code=$( \
                     curl -s --anyauth \
                     --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} \
-                    -w '%{http_code}' \
+                    -w '%{http_code}' --retry 5 \
                     -X PUT \
                     -H "Content-type: application/json" \
                     $LOCAL_HTTPS_OPTION -d "${group_cfg}" \
@@ -613,11 +613,11 @@ data:
                 info "creating group for other Helm Chart"
 
                 # Create a group if group is not already exits
-                GROUP_RESP_CODE=$( curl --anyauth -m 20 -s -o /dev/null -w "%{http_code}" $HTTPS_OPTION -X GET $HTTP_PROTOCOL://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/${MARKLOGIC_GROUP} --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} )
+                GROUP_RESP_CODE=$( curl --anyauth --retry 5 -m 20 -s -o /dev/null -w "%{http_code}" $HTTPS_OPTION -X GET $HTTP_PROTOCOL://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/${MARKLOGIC_GROUP} --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} )
                 if [[ ${GROUP_RESP_CODE} -eq 200 ]]; then
                     info "Skipping creation of group $MARKLOGIC_GROUP as it already exists on the MarkLogic cluster." 
                 else 
-                    res_code=$(curl --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} $HTTPS_OPTION -m 20 -s -w '%{http_code}' -X POST -d "${group_cfg}" -H "Content-type: application/json" $HTTP_PROTOCOL://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups)
+                    res_code=$(curl --anyauth --retry 5 --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD} $HTTPS_OPTION -m 20 -s -w '%{http_code}' -X POST -d "${group_cfg}" -H "Content-type: application/json" $HTTP_PROTOCOL://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups)
                     if [[ ${res_code} -eq 201 ]]; then
                         log "Info: [initContainer] Successfully configured group $MARKLOGIC_GROUP on the MarkLogic cluster."
                     else
 
@@ -54,7 +54,7 @@ initContainers:
     image: "curlimages/curl:8.8.0"
     pullPolicy: IfNotPresent
   utilContainer:
-    image: "redhat/ubi9:9.3"
+    image: "redhat/ubi9:9.4"
     pullPolicy: IfNotPresent
 
 ## Configure the imagePullSecrets to pull the image from private repository that requires credential
 
@@ -220,7 +220,7 @@ upgrade-test: prepare
 image-scan:
 
 	@echo "=====Scan dependent Docker images in charts/values.yaml" $(if $(saveOutput), | tee -a dep-image-scan.txt,)
-	@for depImage in $(shell grep -E "^.*\bimage:\s+(.*)" charts/values.yaml | sed 's/image: //g' | sed 's/"//g'); do\
+	@for depImage in $(shell grep -E "^\s*\bimage:\s+(.*)" charts/values.yaml | sed 's/image: //g' | sed 's/"//g'); do\
 		echo " - $${depImage}" $(if $(saveOutput), | tee -a dep-image-scan.txt,) ; \
 		docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest $${depImage} | grep 'High\|Critical' $(if $(saveOutput), | tee -a dep-image-scan.txt,);\
 		echo $(if $(saveOutput), | tee -a dep-image-scan.txt,) ;\
 
@@ -100,21 +100,35 @@ func RunRequests(t *testing.T, client *req.Client, dbReq string, hostsEndpoint s
 	var retryFn = (func(resp *req.Response, err error) bool {
 		if err != nil {
 			t.Fatalf(err.Error())
+			return true
+		}
+		if resp == nil || resp.Body == nil {
+			t.Fatalf("error in getting response body")
+			return true
 		}
 		body, err = io.ReadAll(resp.Body)
 		if err != nil {
-			t.Fatalf(err.Error())
+			t.Fatalf("error reading response body, %s", err.Error())
+			return true
 		}
 		result = (string(body))
-		return true
+		return false
 	})
 
 	if operation == "backup-status" {
 		retryFn = (func(resp *req.Response, err error) bool {
 			if err != nil {
 				t.Fatalf(err.Error())
 			}
-			body, _ := io.ReadAll(resp.Body)
+			if resp == nil || resp.Body == nil {
+				t.Fatalf("error in getting response body")
+				return true
+			}
+			body, err := io.ReadAll(resp.Body)
+			if body == nil || err != nil {
+				t.Fatalf("error reading response body")
+				return true
+			}
 			status = (gjson.Get(string(body), `status`)).Str
 			if status != "completed" {
 				fmt.Println("Waiting for backup to be completed")
 
@@ -131,20 +131,16 @@ func TestClusterJoin(t *testing.T) {
 		SetRetryCount(5).
 		SetRetryFixedInterval(10 * time.Second).
 		AddRetryCondition(func(resp *req.Response, err error) bool {
-			if resp == nil || err != nil {
+			if err != nil {
 				t.Logf("error in AddRetryCondition: %s", err.Error())
 				return true
 			}
-			if resp.Response == nil {
-				t.Log("Could not get the Response Object, Retrying...")
-				return true
-			}
-			if resp.Body == nil {
-				t.Log("Could not get the body for the response, Retrying...")
+			if resp == nil || resp.Body == nil {
+				t.Log("Could not get the Response Body, Retrying...")
 				return true
 			}
 			body, err := io.ReadAll(resp.Body)
-			if body == nil || err != nil {
+			if err != nil {
 				t.Logf("error in read response body: %s", err.Error())
 				return true
 			}