Merge branch 'tryretool:main' into remove_unused_domain

guissalustiano · web-flow · commit 1ade41a92516 · 2025-01-24T13:32:16.000-03:00
diff --git a/.github/kubeconform.sh b/.github/kubeconform.sh
@@ -21,8 +21,12 @@ for CHART_DIR in ${CHART_DIRS}; do
   echo "Running kubeconform for folder: '$CHART_DIR'"
   helm dep up "${CHART_DIR}"
   for VALUES_FILE in $(find "${CHART_DIR}/ci" -name '*values.yaml'); do
-    echo "== Checking values file: ${VALUES_FILE}"
     helm template --kube-version "${KUBERNETES_VERSION#v}" --values "${VALUES_FILE}" "${CHART_DIR}" \
       | ./kubeconform --strict --summary --kubernetes-version "${KUBERNETES_VERSION#v}"
+    for OPTION_FILE in $(find "${CHART_DIR}/ci" -name '*option.yaml'); do
+      echo "== Checking values file: ${VALUES_FILE} and option file: ${OPTION_FILE}"
+      helm template --kube-version "${KUBERNETES_VERSION#v}" --values "${VALUES_FILE}" --values "${OPTION_FILE}" "${CHART_DIR}" \
+        | ./kubeconform --strict --summary --kubernetes-version "${KUBERNETES_VERSION#v}"
+    done
   done
 done
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -27,7 +27,7 @@ jobs:
           version: v3.6.3
       - uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.12
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.3.1
       - name: Run chart-testing (list-changed)
@@ -64,7 +64,7 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.12
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.3.1
       - name: Run chart-testing (lint)
diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.2.8
+version: 6.3.2
 maintainers:
   - name: Retool Engineering
     email: engineering+helm@retool.com
diff --git a/charts/retool/ci/kubeconform/telemetry-enabled-full-values.yaml b/charts/retool/ci/kubeconform/telemetry-enabled-full-values.yaml
@@ -50,6 +50,13 @@ replicaCount: 1
 
 persistentVolumeClaim:
   size: '3Gi'
+
+securityContext:
+  enabled: true
+  runAsUser: 1000
+  fsGroup: 2000
+  extraContainerLevelSecurityContext:
+    allowPrivilegeEscalation: false
 # ================================================
 
 # === New telemetry stuff ===
diff --git a/charts/retool/ci/test-edge-release-option.yaml b/charts/retool/ci/test-edge-release-option.yaml
@@ -0,0 +1,5 @@
+image:
+  tag: "100.100.0-edge"
+dbconnector:
+  java:
+    enabled: true
diff --git a/charts/retool/ci/test-extra-security-context-option.yaml b/charts/retool/ci/test-extra-security-context-option.yaml
@@ -0,0 +1,9 @@
+# default security context
+securityContext:
+  enabled: true
+  runAsUser: 10
+  fsGroup: 20
+  extraSecurityContext:
+    runAsNonRoot: true
+  extraContainerLevelSecurityContext:
+    allowPrivilegeEscalation: false
diff --git a/charts/retool/ci/test-invalid-semver-option.yaml b/charts/retool/ci/test-invalid-semver-option.yaml
@@ -0,0 +1,2 @@
+image:
+  tag: "i.am.not-a.real-version"
diff --git a/charts/retool/ci/test-stable-release-option.yaml b/charts/retool/ci/test-stable-release-option.yaml
@@ -0,0 +1,2 @@
+image:
+  tag: "3.0.0-stable"
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
@@ -50,7 +50,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels for main backend. Note changes here will require deployment
 recreation and incur downtime. The "app.kubernetes.io/instance" label should
-also be included in all deployments, so telemetry knows how to find logs. 
+also be included in all deployments, so telemetry knows how to find logs.
 */}}
 {{- define "retool.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "retool.name" . }}
@@ -200,6 +200,8 @@ Usage: (include "retool.workflows.enabled" .)
 */}}
 {{- define "retool.workflows.enabled" -}}
 {{- $output := "" -}}
+{{- $valid_retool_version_regexp := "([0-9]+\\.[0-9]+(\\.[0-9]+)?(-[a-zA-Z0-9]+)?)" }}
+{{- $retool_version_with_workflows := ( and ( regexMatch $valid_retool_version_regexp $.Values.image.tag ) ( semverCompare ">= 3.6.11-0" ( regexFind $valid_retool_version_regexp $.Values.image.tag ) ) ) }}
 {{- if or
     (eq (toString .Values.workflows.enabled) "true")
     (eq (toString .Values.workflows.enabled) "false")
@@ -213,7 +215,7 @@ Usage: (include "retool.workflows.enabled" .)
   {{- $output = "" -}}
 {{- else if eq .Values.image.tag "latest" -}}
   {{- $output = "1" -}}
-{{- else if semverCompare ">= 3.6.11-0" .Values.image.tag -}}
+{{- else if $retool_version_with_workflows -}}
   {{- $output = "1" -}}
 {{- else -}}
   {{- $output = "" -}}
@@ -227,6 +229,8 @@ Usage: (include "retool.codeExecutor.enabled" .)
 */}}
 {{- define "retool.codeExecutor.enabled" -}}
 {{- $output := "" -}}
+{{- $valid_retool_version_regexp := "([0-9]+\\.[0-9]+(\\.[0-9]+)?(-[a-zA-Z0-9]+)?)" }}
+{{- $retool_version_with_ce := ( and ( regexMatch $valid_retool_version_regexp (include "retool.codeExecutor.image.tag" .) ) ( semverCompare ">= 3.20.15-0" ( regexFind $valid_retool_version_regexp (include "retool.codeExecutor.image.tag" .) ) ) ) }}
 {{- if or
     (eq (toString .Values.codeExecutor.enabled) "true")
     (eq (toString .Values.codeExecutor.enabled) "false")
@@ -240,7 +244,7 @@ Usage: (include "retool.codeExecutor.enabled" .)
   {{- $output = "" -}}
 {{- else if (or (contains "stable" (include "retool.codeExecutor.image.tag" .)) (contains "edge" (include "retool.codeExecutor.image.tag" .))) -}}
   {{- $output = "1" -}}
-{{- else if semverCompare ">= 3.20.15-0" (include "retool.codeExecutor.image.tag" .) -}}
+{{- else if $retool_version_with_ce -}}
   {{- $output = "1" -}}
 {{- else -}}
   {{- $output = "" -}}
@@ -319,11 +323,13 @@ Usage: (template "retool.codeExecutor.image.tag" .)
 {{- if .Values.codeExecutor.image.tag -}}
   {{- .Values.codeExecutor.image.tag -}}
 {{- else if .Values.image.tag  -}}
+  {{- $valid_retool_version_regexp := "([0-9]+\\.[0-9]+(\\.[0-9]+)?(-[a-zA-Z0-9]+)?)" }}
+  {{- $retool_version_with_ce := ( and ( regexMatch $valid_retool_version_regexp $.Values.image.tag ) ( semverCompare ">= 3.20.15-0" ( regexFind $valid_retool_version_regexp $.Values.image.tag ) ) ) }}
   {{- if and (eq .Values.image.tag "latest") (eq (toString .Values.codeExecutor.enabled) "true") -}}
     {{- fail "If using image.tag=latest (not recommended, select an explicit tag instead) and enabling codeExecutor, explicitly set codeExecutor.image.tag" }}
   {{- else if (eq .Values.image.tag "latest") -}}
     {{- "" -}}
-  {{- else if semverCompare ">= 3.20.15-0" .Values.image.tag -}}
+  {{- else if $retool_version_with_ce -}}
     {{- .Values.image.tag -}}
   {{- else -}}
     {{- "1.1.0" -}}
@@ -332,3 +338,16 @@ Usage: (template "retool.codeExecutor.image.tag" .)
   {{- fail "Please set a value for .Values.image.tag" }}
 {{- end -}}
 {{- end -}}
+
+{{- define "retool_version_with_java_dbconnector_opt_out" -}}
+{{- $output := "" -}}
+{{- $valid_retool_version_regexp := "([0-9]+\\.[0-9]+(\\.[0-9]+)?(-[a-zA-Z0-9]+)?)" }}
+{{- if not ( regexMatch $valid_retool_version_regexp .Values.image.tag ) -}}
+  {{- $output = "1" -}}
+{{- else if semverCompare ">= 3.93.0-0" ( regexFind $valid_retool_version_regexp .Values.image.tag ) -}}
+  {{- $output = "1" -}}
+{{- else -}}
+  {{- $output = "" -}}
+{{- end -}}
+{{- $output -}}
+{{- end -}}
diff --git a/charts/retool/templates/deployment_backend.yaml b/charts/retool/templates/deployment_backend.yaml
@@ -5,6 +5,9 @@ metadata:
   labels:
     {{- include "retool.labels" . | nindent 4 }}
     {{- include "retool.selectorLabels" . | nindent 4 }}
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels | indent 4 }}
+{{- end }}
 {{- if .Values.deployment.annotations }}
   annotations:
 {{ toYaml .Values.deployment.annotations | indent 4 }}
@@ -74,23 +77,27 @@ spec:
             value: {{ template "retool.deploymentTemplateVersion" . }}
           - name: NODE_ENV
             value: production
-          {{- if include "retool.jobRunner.enabled" . }}
-          {{ if $.Values.dbconnector.java.enabled }}
-          - name: SERVICE_TYPE
-            value: MAIN_BACKEND,DB_CONNECTOR,DB_SSH_CONNECTOR,JAVA_DBCONNECTOR
-          {{ else }}
-          - name: SERVICE_TYPE
-            value: MAIN_BACKEND,DB_CONNECTOR,DB_SSH_CONNECTOR
-          {{ end }}
-          {{- else }}
-          {{ if $.Values.dbconnector.java.enabled }}
-          - name: SERVICE_TYPE
-            value: MAIN_BACKEND,DB_CONNECTOR,DB_SSH_CONNECTOR,JAVA_DBCONNECTOR,JOBS_RUNNER
-          {{ else }}
+          {{- $serviceType := list "MAIN_BACKEND" "DB_CONNECTOR" "DB_SSH_CONNECTOR" }}
+          {{- /*
+            JAVA_DBCONNECTOR in the service type only applies before the version of Retool that changes it to opt-out (3.93.0-edge),
+            and only if the Java dbconnector is enabled in values.yaml.
+          */}}
+          {{- if and ( not ( include "retool_version_with_java_dbconnector_opt_out" . ) ) ( $.Values.dbconnector.java.enabled ) }}
+            {{- $serviceType = append $serviceType "JAVA_DBCONNECTOR" }}
+          {{- end }}
+          {{- /*
+            It may seem counterintuitive to add the JOBS_RUNNER service type only without a jobs runner.
+            The reason for this is that the backend needs to act as a jobs runner, if the jobs runner is not enabled.
+          */}}
+          {{- if not ( include "retool.jobRunner.enabled" . ) }}
+            {{- $serviceType = append $serviceType "JOBS_RUNNER" }}
+          {{- end }}
           - name: SERVICE_TYPE
-            value: MAIN_BACKEND,DB_CONNECTOR,DB_SSH_CONNECTOR,JOBS_RUNNER
+            value: {{ join "," $serviceType }}
+          {{ if and ( include "retool_version_with_java_dbconnector_opt_out" . ) ( not $.Values.dbconnector.java.enabled ) }}
+          - name: DISABLE_JAVA_DBCONNECTOR
+            value: "true"
           {{ end }}
-          {{- end }}
           - name: CLIENT_ID
             value: {{ default "" .Values.config.auth.google.clientId }}
           - name: COOKIE_INSECURE
@@ -263,6 +270,12 @@ spec:
           successThreshold: {{ .Values.readinessProbe.successThreshold }}
           periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
 {{- end }}
+{{- if .Values.preStopHook.enabled }}
+        lifecycle:
+          preStop:
+            exec:
+              command: ["sleep", "30"]
+{{- end }}
 {{- if .Values.startupProbe.enabled }}
         startupProbe:
           httpGet:
@@ -295,6 +308,10 @@ spec:
         - name: {{ .name }}
           mountPath: {{ .mountPath }}
           subPath: {{ .subPath }}
+{{- end }}
+{{- if .Values.securityContext.extraContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.securityContext.extraContainerSecurityContext | indent 10 }}
 {{- end }}
     {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
@@ -314,6 +331,9 @@ spec:
       securityContext:
         runAsUser: {{ .Values.securityContext.runAsUser }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
+{{- if .Values.securityContext.extraSecurityContext }}
+{{ toYaml .Values.securityContext.extraSecurityContext | indent 8 }}
+{{- end }}
 {{- end }}
       volumes:
 {{- range .Values.extraConfigMapMounts }}
diff --git a/charts/retool/templates/deployment_code_executor.yaml b/charts/retool/templates/deployment_code_executor.yaml
@@ -145,3 +145,19 @@ spec:
     targetPort: 3004
     name: http-server
 {{- end }}
+---
+{{- if .Values.podDisruptionBudget }}
+{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
+apiVersion: policy/v1
+{{- else -}}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "retool.codeExecutor.name" . }}
+spec:
+  {{ toYaml .Values.podDisruptionBudget }}
+  selector:
+    matchLabels:
+  {{- include "retool.codeExecutor.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/retool/templates/deployment_jobs.yaml b/charts/retool/templates/deployment_jobs.yaml
@@ -8,6 +8,9 @@ metadata:
     app.kubernetes.io/name: {{ include "retool.name" . }}-jobs-runner
     app.kubernetes.io/instance: {{ .Release.Name }}
     telemetry.retool.com/service-name: jobs-runner
+{{- if .Values.deployment.labels }}
+{{ toYaml .Values.deployment.labels | indent 4 }}
+{{- end }}
 {{- if .Values.deployment.annotations }}
   annotations:
 {{ toYaml .Values.deployment.annotations | indent 4 }}
@@ -163,9 +166,9 @@ spec:
         envFrom:
         - secretRef:
             name: {{ .Values.externalSecrets.name }}
-        {{- range .Values.externalSecrets.secrets }}	
-        - secretRef:	
-            name: {{ .name }}	
+        {{- range .Values.externalSecrets.secrets }}
+        - secretRef:
+            name: {{ .name }}
         {{- end }}
         {{- end }}
         {{- if .Values.externalSecrets.externalSecretsOperator.enabled  }}
@@ -176,7 +179,11 @@ spec:
         {{- end }}
         {{- end }}
         resources:
+{{- if .Values.jobRunner.resources }}
+{{ toYaml .Values.jobRunner.resources | indent 10 }}
+{{- else }}
 {{ toYaml .Values.resources | indent 10 }}
+{{- end }}
         {{- if regexMatch "^([0-9]+)\\.([0-9]+)\\.([0-9]+)" .Values.image.tag }}
         {{- if semverCompare ">=2.110.0-0" .Values.image.tag }}
         livenessProbe:
@@ -215,6 +222,10 @@ spec:
         - name: {{ .name }}
           mountPath: {{ .mountPath }}
           subPath: {{ .subPath }}
+{{- end }}
+{{- if .Values.securityContext.extraContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.securityContext.extraContainerSecurityContext | indent 10 }}
 {{- end }}
     {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
@@ -234,6 +245,9 @@ spec:
       securityContext:
         runAsUser: {{ .Values.securityContext.runAsUser }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
+{{- if .Values.securityContext.extraSecurityContext }}
+{{ toYaml .Values.securityContext.extraSecurityContext | indent 8 }}
+{{- end }}
 {{- end }}
       volumes:
 {{- range .Values.extraConfigMapMounts }}
diff --git a/charts/retool/templates/deployment_multiplayer_ws.yaml b/charts/retool/templates/deployment_multiplayer_ws.yaml
@@ -160,6 +160,10 @@ spec:
 {{- if .Values.extraVolumeMounts }}
 {{ toYaml .Values.extraVolumeMounts | indent 8 }}
 {{- end }}
+{{- if .Values.securityContext.extraContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.securityContext.extraContainerSecurityContext | indent 10 }}
+{{- end }}
 {{- with .Values.extraContainers }}
 {{ tpl . $ | indent 6 }}
 {{- end }}
@@ -186,6 +190,9 @@ spec:
       securityContext:
         runAsUser: {{ .Values.securityContext.runAsUser }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
+{{- if .Values.securityContext.extraSecurityContext }}
+{{ toYaml .Values.securityContext.extraSecurityContext | indent 8 }}
+{{- end }}
 {{- end }}
       volumes:
 {{- range .Values.extraConfigMapMounts }}
diff --git a/charts/retool/templates/deployment_workflows.yaml b/charts/retool/templates/deployment_workflows.yaml
@@ -66,12 +66,19 @@ spec:
             value: {{ template "retool.deploymentTemplateVersion" . }}
           - name: NODE_ENV
             value: production
-          {{ if $.Values.dbconnector.java.enabled }}
-          - name: SERVICE_TYPE
-            value: WORKFLOW_BACKEND,DB_CONNECTOR,DB_SSH_CONNECTOR,JAVA_DBCONNECTOR
-          {{ else }}
+          {{- $serviceType := list "WORKFLOW_BACKEND" "DB_CONNECTOR" "DB_SSH_CONNECTOR" }}
+          {{- /*
+            JAVA_DBCONNECTOR in the service type only applies before the version of Retool that changes it to opt-out (3.93.0-edge),
+            and only if the Java dbconnector is enabled in values.yaml.
+          */}}
+          {{- if and ( not ( include "retool_version_with_java_dbconnector_opt_out" . ) ) ( $.Values.dbconnector.java.enabled ) }}
+            {{- $serviceType = append $serviceType "JAVA_DBCONNECTOR" }}
+          {{- end }}
           - name: SERVICE_TYPE
-            value: WORKFLOW_BACKEND,DB_CONNECTOR,DB_SSH_CONNECTOR
+            value: {{ join "," $serviceType }}
+          {{ if and ( include "retool_version_with_java_dbconnector_opt_out" . ) ( not $.Values.dbconnector.java.enabled ) }}
+          - name: DISABLE_JAVA_DBCONNECTOR
+            value: "true"
           {{ end }}
           - name: DBCONNECTOR_POSTGRES_POOL_MAX_SIZE
             value: "100"
@@ -245,7 +252,11 @@ spec:
           periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
 {{- end }}
         resources:
+{{- if .Values.workflows.backend.resources }}
+{{ toYaml .Values.workflows.backend.resources | indent 10 }}
+{{- else }}
 {{ toYaml .Values.resources | indent 10 }}
+{{- end }}
         volumeMounts:
         {{- range $configFile := (keys .Values.files) }}
         - name: {{ template "retool.name" $ }}
@@ -255,6 +266,10 @@ spec:
 {{- if .Values.extraVolumeMounts }}
 {{ toYaml .Values.extraVolumeMounts | indent 8 }}
 {{- end }}
+{{- if .Values.securityContext.extraContainerSecurityContext }}
+        securityContext:
+{{ toYaml .Values.securityContext.extraContainerSecurityContext | indent 10 }}
+{{- end }}
 {{- with .Values.extraContainers }}
 {{ tpl . $ | indent 6 }}
 {{- end }}
@@ -281,6 +296,9 @@ spec:
       securityContext:
         runAsUser: {{ .Values.securityContext.runAsUser }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
+{{- if .Values.securityContext.extraSecurityContext }}
+{{ toYaml .Values.securityContext.extraSecurityContext | indent 8 }}
+{{- end }}
 {{- end }}
       volumes:
 {{- range .Values.extraConfigMapMounts }}
diff --git a/charts/retool/templates/deployment_workflows_worker.yaml b/charts/retool/templates/deployment_workflows_worker.yaml
diff --git a/charts/retool/templates/externalsecret.yaml b/charts/retool/templates/externalsecret.yaml
diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
diff --git a/values.yaml b/values.yaml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+image:`
	`2`	`+ tag: "i.am.not-a.real-version"`