rebasing feature branch

Barkha Choithani · Barkha Choithani · commit ddc5cf84990d · 2023-01-19T10:56:10.000-08:00
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -139,6 +139,17 @@ void pullImage() {
     }
 }
 
+String getVersionDiv(mlVersion) {
+    switch (mlVersion) {
+        case '10.0':
+            return '-'
+        case '9.0':
+            return '-'
+        default:
+            return '.'
+    }
+}
+
 pipeline {
     agent {
         label {
@@ -157,13 +168,15 @@ pipeline {
         timeStamp = sh(returnStdout: true, script: "date +%Y%m%d -d '-5 hours'").trim()
         dockerRegistry = 'ml-docker-dev.marklogic.com'
         dockerRepository = "${dockerRegistry}/marklogic/marklogic-server-centos"
-        dockerVersion = "${ML_VERSION}-${timeStamp}-centos-1.0.1"
+        dockerVerDivider = getVersionDiv(params.ML_VERSION)
+        dockerVersion = "${ML_VERSION}${dockerVerDivider}${timeStamp}-centos-${dockerReleaseVer}"
     }
 
     parameters {
         string(name: 'emailList', defaultValue: emailList, description: 'List of email for build notification', trim: true)
-        choice(name: 'ML_VERSION', choices: '10.0\n11.0\n9.0', description: 'MarkLogic version. used to pick appropriate docker image')
+        choice(name: 'ML_VERSION', choices: '11.0\n12.0\n10.0\n9.0', description: 'MarkLogic version. used to pick appropriate docker image')
         booleanParam(name: 'KUBERNETES_TESTS', defaultValue: true, description: 'Run kubernetes tests')
+        string(name: 'dockerReleaseVer', defaultValue: '1.0.1', description: 'Current Docker version. (e.g. 1.0.1)', trim: true)
     }
 
     stages {
diff --git a/README.md b/README.md
@@ -35,6 +35,8 @@
   - [Notice](#notice)
 - [Uninstalling the Chart](#uninstalling-thechart)
 - [Parameters](#parameters)
+- [Known Issues and Limitations](#Known-Issues-and-Limitations)
+
 
 # Introduction
 
@@ -475,3 +477,7 @@ This table describes the list of available parameters for Helm Chart.
 | `logCollection.files.requestLogs`    | Enable this parameter to enable collection of Marklogics request logs when log collection is enabled           | `true`                               |
 | `logCollection.files.crashLogs`      | Enable this parameter to enable collection of Marklogics crash logs when log collection is enabled             | `true`                               |
 | `logCollection.files.auditLogs`      | Enable this parameter to enable collection of Marklogics audit logs when log collection is enabled             | `true`                               |
+
+# Known Issues and Limitations
+
+1. If the hostname is greater than 64 characters there may be issues with certificates. The certificates may shorten the name or use SANs for hostnames in the certificates.
diff --git a/charts/templates/NOTES.txt b/charts/templates/NOTES.txt
@@ -1,12 +1,13 @@
-{{- define "marklogic.fqdn" -}}
-{{- printf "%s-0.%s.%s.svc.cluster.local" (include "marklogic.fullname" .) (include "marklogic.headlessServiceName" .) .Release.Namespace }}
-{{- end}}
-
 Thank you for installing {{ .Chart.Name }}.
 
 Your release is named {{ .Release.Name }}.
 
 FQDN is {{ include "marklogic.fqdn" . }}
+{{- if gt (len (include "marklogic.fqdn" .)) 64 }}
+WARNING:    The hostname is greater than 64 characters
+            There may be issues with certificates
+            The certificates may shorten the name or use SANs for hostnames in the certificates
+{{- end }}
 
 Group {{ .Values.group.name }} is created on the MarkLogic cluster.
 
diff --git a/charts/templates/_helpers.tpl b/charts/templates/_helpers.tpl
@@ -75,3 +75,10 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Fully qualified domain name
+*/}}
+{{- define "marklogic.fqdn" -}}
+{{- printf "%s-0.%s.%s.svc.cluster.local" (include "marklogic.fullname" .) (include "marklogic.headlessServiceName" .) .Release.Namespace }}
+{{- end}}
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -206,6 +206,9 @@ spec:
                             sleep 10s
                         fi
                     done
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           {{- if .Values.livenessProbe.enabled }}
           livenessProbe:
             httpGet:
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -25,7 +25,7 @@ image:
 # Init container image parameters
 initContainerImage:
   repository: curlimages/curl
-  tag: 7.85.0
+  tag: 7.87.0
   pullPolicy: IfNotPresent
 
 # Configure the imagePullSecret to pull the image from private repository that requires credential
@@ -113,6 +113,13 @@ networkPolicy:
     - port: 8002
       protocol: TCP
     
+# Below are the security configurations for container, by default security will be enabled
+containerSecurityContext:
+  enabled: true
+  runAsUser: 1000
+  runAsNonRoot: true
+  allowPrivilegeEscalation: true
+
 # Below are the advanced configurations, please understand read the reference before you make changes
 
 # Configure options for liveness probe
@@ -150,7 +157,7 @@ startupProbe:
 # And export them to a logging backend specified in the outputs section below
 logCollection:
   enabled: false
-  image: fluent/fluent-bit:1.9.7
+  image: fluent/fluent-bit:2.0.6
   resources:
     requests:
       cpu: "100m"
diff --git a/test/template/sec_template_test.go b/test/template/sec_template_test.go
@@ -0,0 +1,94 @@
+package template_test
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/gruntwork-io/terratest/modules/k8s"
+	"github.com/gruntwork-io/terratest/modules/random"
+)
+
+func TestChartTemplateSecurityEnabled(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../charts")
+	releaseName := "marklogic-sec-test"
+	t.Log(helmChartPath, releaseName)
+	require.NoError(t, err)
+
+	// Set up the namespace; confirm that the template renders the expected value for the namespace.
+	namespaceName := "marklogic-" + strings.ToLower(random.UniqueId())
+	t.Logf("Namespace: %s\n", namespaceName)
+
+	// Setup the args for helm install
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"image.repository":                 "marklogicdb/marklogic-db",
+			"image.tag":                        "latest",
+			"persistence.enabled":              "false",
+			"containerSecurityContext.enabled": "true",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	// render the tempate
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/statefulset.yaml"})
+
+	var statefulset appsv1.StatefulSet
+	helm.UnmarshalK8SYaml(t, output, &statefulset)
+
+	// Verify the name and namespace matches
+	require.Equal(t, namespaceName, statefulset.Namespace)
+
+	// Verify the securityContext values are set for container
+	expectedRunAsUser := 1000
+	statefulSetContainers := statefulset.Spec.Template.Spec.Containers
+	actualRunAsUser := *(statefulSetContainers[0].SecurityContext.RunAsUser)
+	require.Equal(t, len(statefulSetContainers), 1)
+	require.Equal(t, int(actualRunAsUser), expectedRunAsUser)
+}
+
+func TestChartTemplateSecurityDisabled(t *testing.T) {
+	t.Parallel()
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../charts")
+	releaseName := "marklogic-sec-test"
+	t.Log(helmChartPath, releaseName)
+	require.NoError(t, err)
+
+	// Set up the namespace; confirm that the template renders the expected value for the namespace.
+	namespaceName := "marklogic-" + strings.ToLower(random.UniqueId())
+	t.Logf("Namespace: %s\n", namespaceName)
+
+	// Setup the args for helm install
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"image.repository":                 "marklogicdb/marklogic-db",
+			"image.tag":                        "latest",
+			"persistence.enabled":              "false",
+			"containerSecurityContext.enabled": "false",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	// render the tempate
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/statefulset.yaml"})
+
+	var statefulset appsv1.StatefulSet
+	helm.UnmarshalK8SYaml(t, output, &statefulset)
+
+	// Verify the name and namespace matches
+	require.Equal(t, namespaceName, statefulset.Namespace)
+
+	// Verify SecurityContext is not set for container
+	statefulSetContainers := statefulset.Spec.Template.Spec.Containers
+	require.Equal(t, len(statefulSetContainers), 1)
+	require.Nil(t, statefulSetContainers[0].SecurityContext)
+}
diff --git a/test/template/template_test.go b/test/template/template_test.go
@@ -90,7 +90,7 @@ func TestChartTemplateLogCollection(t *testing.T) {
 
 	// Verify the image matches
 	expectedImage1 := "marklogicdb/marklogic-db:latest"
-	expectedImage2 := "fluent/fluent-bit:1.9.7"
+	expectedImage2 := "fluent/fluent-bit:2.0.6"
 
 	statefulSetContainers := statefulset.Spec.Template.Spec.Containers
 	require.Equal(t, len(statefulSetContainers), 2)
