Merge pull request #241 from marklogic/release/1.1.2

pengzhouml · web-flow · commit c2bb1423fcf9 · 2024-05-29T14:20:41.000-07:00
Release Kubernetes Helm Chart 1.1.2
diff --git a/README.md b/README.md
@@ -107,11 +107,13 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 | `updateStrategy.type`                               | Update strategy for MarkLogic pods                                                                                                                                                     | `OnDelete`                 |
 | `terminationGracePeriod`                            | Seconds the MarkLogic Pod terminate gracefully                                                                                                                                         | `120`                      |
 | `clusterDomain`                                     | Domain for the Kubernetes cluster                                                                                                                                                      | `cluster.local`            |
+| `allowLongHostnames`                                | Allow deployment with hostname over 64 characters                                                    | `false` |
+| `useLegacyHostnames`                                | Use the lagecy hostnames that is used before 1.1.0 version.                                          | `false` |
 | `group.name`                                        | Group name for joining MarkLogic cluster                                                                                                                                               | `Default`                  |
 | `group.enableXdqpSsl`                               | SSL encryption for XDQP                                                                                                                                                                | `true`                     |
 | `bootstrapHostName`                                 | Host name of MarkLogic bootstrap host (to join a cluster)                                                                                                                              | `""`                       |
 | `image.repository`                                  | Repository for MarkLogic image                                                                                                                                                         | `marklogicdb/marklogic-db` |
-| `image.tag`                                         | Image tag for MarkLogic image                                                                                                                                                          | `11.1.0-centos-1.1.2`      |
+| `image.tag`                                         | Image tag for MarkLogic image                                                                                                                                                          | `11.2.0-centos-1.1.2`      |
 | `image.pullPolicy`                                  | Image pull policy for MarkLogic image                                                                                                                                                  | `IfNotPresent`             |
 | `initContainers.configureGroup.image`               | Image for configureGroup InitContainer                                                                                                                                                 | `curlimages/curl:8.6.0`    |
 | `initContainers.configureGroup.pullPolicy`          | Pull policy for configureGroup InitContainer                                                                                                                                           | `IfNotPresent`             |
@@ -213,5 +215,6 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 2. The MarkLogic Docker image must be run in privileged mode. At the moment if the image isn't run as privileged many calls that use sudo during the startup script will fail due to lack of required permissions as the image will not be able to create a user with the required permissions.
 3. The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191, glibc CVE-2019-1010022, pcre CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394, SQLite CVE-2019-5827. These libraries are included in the CentOS base image but, to-date, no fixes have been made available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself, hence there is no impact or mitigation required.
 4. The latest released version of fluent/fluent-bit:2.2.2 has known security vulnerabilities with respect to libcom-err2 CVE-2022-1304, libgcrypt20 CVE-2021-33560, libgnutls30 CVE-2024-0567, libldap-2.4-2 CVE-2023-2953, libzstd1 CVE-2022-4899, zlib1g CVE-2023-45853. These libraries are included in the Debian base image but, to-date, no fixes have been made available. For libpq5 CVE-2024-0985, we wait for a future upgrade of the fluent-bit image to include the fix. We will provide updates and mitigation strategies as soon as more information becomes available.
-5. The latest released version of redhat/ubi9:9.3 has known security vulnerabilities with respect to setuptools GHSA-r9hx-vwmv-q579, we wait for a future upgrade of the redhad ubi image to include the fix.
+5. The latest released version of redhat/ubi9:9.3 has known security vulnerabilities with respect to setuptools GHSA-r9hx-vwmv-q579. We wait for a future upgrade of the redhad ubi image to include the fix.
 6. The security context “allowPrivilegeEscalation” is set to TRUE by default in values.yaml file and cannot be changed to run the current MarkLogic container. Work is in progress to run MarkLogic container in "rootless" mode.
+7. Known Issues and Limitations for the MarkLogic Server Docker image can be viewed using the link: https://github.com/marklogic/marklogic-docker?tab=readme-ov-file#Known-Issues-and-Limitations
diff --git a/charts/Chart.yaml b/charts/Chart.yaml
@@ -8,7 +8,7 @@ dependencies:
     version: "1.18.0"
 name: marklogic
 description: MarkLogic Server is a multi-model database that has both NoSQL and trusted enterprise data management capabilities.
-appVersion: "11.1.0"
+appVersion: "11.2.0"
 type: application
 keywords:
   - marklogic
@@ -17,4 +17,4 @@ keywords:
 sources:
   - https://github.com/marklogic/marklogic-kubernetes
   - https://www.marklogic.com/
-version: 1.1.1
+version: 1.1.2
diff --git a/charts/templates/NOTES.txt b/charts/templates/NOTES.txt
@@ -16,8 +16,7 @@ WARNING
 FQDN is {{ include "marklogic.fqdn" . }}
 {{- if gt (len (include "marklogic.fqdn" .)) 64 }}
 WARNING:    The hostname is greater than 64 characters
-            There may be issues with certificates
-            The certificates may shorten the name or use SANs for hostnames in the certificates
+            There may be issues with certificates in MarkLogic App Server
 {{- end }}
 
 Group {{ .Values.group.name }} is created on the MarkLogic cluster.
diff --git a/charts/templates/_helpers.tpl b/charts/templates/_helpers.tpl
@@ -5,16 +5,84 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/* 
+newFullname is the name used after 1.1.x release, in an effort to make the release name shorter.
+*/}}
+{{- define "marklogic.newFullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+
+{{/* 
+oldFullname is the name used before 1.1.x release
+*/}}
+{{- define "marklogic.oldFullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "marklogic.shouldUseNewName" -}}
+{{- if .Release.IsInstall -}}
+{{- true }}
+{{- else }}
+{{- if eq .Values.useLegacyHostnames true -}}
+{{- false }}
+{{- else }}
+{{- true }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "marklogic.checkUpgradeError" -}}
+{{- if and .Release.IsUpgrade (ne .Values.useLegacyHostnames true) -}}
+{{- $stsName := trim (include "marklogic.oldFullname" .) -}}
+{{- if .Values.fullnameOverride  -}}
+{{- $stsName := trim .Values.fullnameOverride -}}
+{{- end }}
+{{- $sts := lookup "apps/v1" "StatefulSet" .Release.Namespace $stsName }}
+{{- if $sts }}
+{{- $labels := $sts.metadata.labels }}
+{{- $chartVersionFull := get $labels "helm.sh/chart" }}
+{{- if $chartVersionFull }}
+{{- $chartVersionWithDot := trimPrefix "marklogic-" $chartVersionFull }}
+{{- $chartVersionString := $chartVersionWithDot | replace "." "" }}
+{{- $chartVersionDigit := int $chartVersionString }}
+{{- if lt $chartVersionDigit 110 -}}
+{{- $errorMessage := printf "A new algorithm for generating hostnames was introduced in version 1.1.0. When upgrading from version %s to version %s, the \"useLegacyHostnames\" setting must be set to true to prevent the StatefulSet from being recreated. Please add the following to the values file and attempt the upgrade again: \n\nuseLegacyHostnames: true\n" $chartVersionWithDot .Chart.Version }}
+{{- fail $errorMessage }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+{{- end }}
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-The release name will be used as full name
+To surrport the upgrade from 1.0.x to 1.1.x, we keep the old name when doing upgrade from 1.0.x.
+For the new install, we use the new name, which is the release name.
 */}}
 {{- define "marklogic.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- if eq (include "marklogic.shouldUseNewName" .) "true" -}}
+{{- include "marklogic.newFullname" . }}
 {{- else }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- include "marklogic.oldFullname" . }}
 {{- end }}
 {{- end }}
 
@@ -29,7 +97,27 @@ Create chart name and version as used by the chart label.
 Create headless service name for statefulset
 */}}
 {{- define "marklogic.headlessServiceName" -}}
-{{- include "marklogic.fullname" . }}
+{{- if eq (include "marklogic.shouldUseNewName" .) "true" -}}
+{{- include "marklogic.newFullname" . }}
+{{- else }}
+{{- printf "%s-headless" (include "marklogic.oldFullname" .) }}
+{{- end }}
+{{- end }}
+{{/*
+{{- end}}
+
+
+{{/*
+Create cluster service name for statefulset
+*/}}
+{{- define "marklogic.clusterServiceName" -}}
+{{- if eq (include "marklogic.shouldUseNewName" .) "true" -}}
+{{- include "marklogic.newFullname" . }}-cluster
+{{- else }}
+{{- include "marklogic.oldFullname" . }}
+{{- end }}
+{{- end }}
+{{/*
 {{- end}}
 
 
@@ -102,8 +190,8 @@ Validate values file
 */}}
 {{- define "marklogic.checkInputError" -}}
 {{- $fqdn := include "marklogic.fqdn" . }}
-{{- if gt (len $fqdn) 64}}
-{{- $errorMessage := printf "%s%s%s" "The FQDN: " $fqdn " is longer than 64. Please use a shorter release name and try again."  }}
+{{- if and (gt (len $fqdn) 64) (not .Values.allowLongHostnames) }}
+{{- $errorMessage := printf "%s%s%s" "The FQDN: " $fqdn " is longer than 64. Please use a shorter release name and try again. MarkLogic App Server does not support turning on SSL with FQDN over 64 characters. If you still want to install with an FQDN longer than 64 characters, you can override this restriction by setting allowLongHostnames: true in your Helm values file." }}
 {{- fail $errorMessage }}
 {{- end }}
 {{- end }}
diff --git a/charts/templates/configmap-haproxy.yaml b/charts/templates/configmap-haproxy.yaml
@@ -1,6 +1,7 @@
 {{- if .Values.haproxy.enabled }}
 {{- $replicas := int .Values.replicaCount }}
 {{- $releaseName := include "marklogic.fullname" . }}
+{{- $headlessServiceName := include "marklogic.headlessServiceName" . }}
 {{- $namespace := .Release.Namespace }}
 {{- $clusterDomain := .Values.clusterDomain }}
 {{- $haproxyTlsEnabled := .Values.haproxy.tls.enabled }}
@@ -75,12 +76,12 @@ data:
     {{ $portType := upper (printf "%s" $v.type) }}
 
     {{- if eq $portType "TCP"  -}}
-      listen odbc
+      listen marklogic-TCP-{{$portNumber}}
         bind :{{ $portNumber }}
         mode tcp
         balance leastconn
         {{- range $i := until $replicas }}
-        server {{ printf "ml-%s-%s-%v" $releaseName $portNumber $i }} {{ $releaseName }}-{{ $i }}.{{ $releaseName }}.{{ $namespace }}.svc.{{ $clusterDomain }}:{{ $portNumber }} check resolvers dns init-addr none
+        server {{ printf "ml-%s-%s-%v" $releaseName $portNumber $i }} {{ $releaseName }}-{{ $i }}.{{ $headlessServiceName }}.{{ $namespace }}.svc.{{ $clusterDomain }}:{{ $portNumber }} check resolvers dns init-addr none
         {{- end }}
     {{- else if eq $portType "HTTP" }}
 
@@ -107,9 +108,9 @@ data:
       default-server check
       {{- range $i := until $replicas }}
       {{- if $appServerTlsEnabled }}
-      server {{ printf "ml-%s-%s-%v" $releaseName $portNumber $i }} {{ $releaseName }}-{{ $i }}.{{ $releaseName }}.{{ $namespace }}.svc.{{ $clusterDomain }}:{{ $portNumber }} resolvers dns init-addr none cookie {{ $releaseName }}-{{ $portNumber }}-{{ $i }} ssl verify none
+      server {{ printf "ml-%s-%s-%v" $releaseName $portNumber $i }} {{ $releaseName }}-{{ $i }}.{{ $headlessServiceName }}.{{ $namespace }}.svc.{{ $clusterDomain }}:{{ $portNumber }} resolvers dns init-addr none cookie {{ $releaseName }}-{{ $portNumber }}-{{ $i }} ssl verify none
       {{- else }}
-      server {{ printf "ml-%s-%s-%v" $releaseName $portNumber $i }} {{ $releaseName }}-{{ $i }}.{{ $releaseName }}.{{ $namespace }}.svc.{{ $clusterDomain }}:{{ $portNumber }} resolvers dns init-addr none cookie {{ $releaseName }}-{{ $portNumber }}-{{ $i }}
+      server {{ printf "ml-%s-%s-%v" $releaseName $portNumber $i }} {{ $releaseName }}-{{ $i }}.{{ $headlessServiceName }}.{{ $namespace }}.svc.{{ $clusterDomain }}:{{ $portNumber }} resolvers dns init-addr none cookie {{ $releaseName }}-{{ $portNumber }}-{{ $i }}
       {{- end }}
       {{- end }}
     {{- end }}
diff --git a/charts/templates/configmap-scripts.yaml b/charts/templates/configmap-scripts.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Release.Name }}-scripts
+  name: {{ include "marklogic.fullname" . }}-scripts
 data:
   liveness-probe.sh: |
     #!/bin/bash
diff --git a/charts/templates/service.yaml b/charts/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "marklogic.fullname" . }}-cluster
+  name: {{ include "marklogic.clusterServiceName" . }}
   namespace: {{ .Values.namespace}}
   labels:
     {{- include "marklogic.labels" . | nindent 4 }}
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -1,3 +1,4 @@
+{{- include "marklogic.checkUpgradeError" . -}}
 {{- include "marklogic.checkInputError" . }}
 apiVersion: apps/v1
 kind: StatefulSet
@@ -315,8 +316,12 @@ spec:
                     # Begin Group Configuration
                     if [[ $POD_NAME == *-0 ]] && [[ $MARKLOGIC_CLUSTER_TYPE == "bootstrap" ]]; then
                       [ -f /var/opt/MarkLogic/group_cfg ] && current_group_cfg=$(cat /var/opt/MarkLogic/group_cfg)
-                      if [ "${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}:${MARKLOGIC_JOIN_TLS_ENABLED}" = "${current_group_cfg}" ]; then
-                        log "Info: [poststart] Group config has not changed, complete group configuration"
+                      colon_count=$(echo "$current_group_cfg" | awk -F':' '{print NF-1}')
+                      if [ "$colon_count" -eq 2 ]; then
+                        current_group_cfg="${current_group_cfg%:*}"
+                      fi
+                      if [ "${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}" = "${current_group_cfg}" ]; then
+                          log "Info: [poststart] Group config has not changed, skip group configuration"
                       else 
                         log "Info: [poststart] Begin group configuration."
                         while [ ! -f /var/opt/MarkLogic/ready ]; do
@@ -339,9 +344,9 @@ spec:
                             restart_check ${TIMESTAMP}
                           fi
                           if [[ $MARKLOGIC_IMAGE_TYPE == "rootless" ]]; then
-                            sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}:${MARKLOGIC_JOIN_TLS_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
+                            sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
                           else
-                            sudo sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}:${MARKLOGIC_JOIN_TLS_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
+                            sudo sh -c 'echo -n '"${MARKLOGIC_GROUP}:${XDQP_SSL_ENABLED}"' > /var/opt/MarkLogic/group_cfg'
                           fi
                           log "Info: [poststart] ${GROUP_CFG} saved"
                         else
@@ -359,7 +364,7 @@ spec:
                       https_error_message="You have attempted to access an HTTPS server using HTTP."
                       resp=$(curl -s http://localhost:8001)
                       if [[ "$resp" == *"$https_error_message"* ]]; then
-                          log "Info: [poststart] MarkLogic server has already configured HTTPS"
+                        log "Info: [poststart] MarkLogic server has already configured HTTPS"
                         exit 0
                       else 
                         log "Info: [poststart] MARKLOGIC_JOIN_TLS_ENABLED is set to true, configuring SSL"
@@ -659,7 +664,7 @@ spec:
             secretName: {{ include "marklogic.authSecretNameToMount" . }}
         - name: scripts
           configMap:
-            name: {{ .Release.Name }}-scripts
+            name: {{ include "marklogic.fullname" . }}-scripts
             defaultMode: 0755
         {{- if .Values.logCollection.enabled }}
         - name: {{ include "marklogic.fullname" . }}-fb-config-map
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -15,6 +15,17 @@ terminationGracePeriod: 120
 ## Kubernetes cluster domain name
 clusterDomain: cluster.local
 
+## Allow deployment with hostname over 64 characters
+## This is not remmended as it may cause issues when turning on TLS on MarkLogic Server
+## Because MarkLogic Server only supports using CN as hostname in the certificate
+## There is a limit of 64 characters for CN in the certificate
+allowLongHostnames: false
+
+## This flag facilitates upgrading from version 1.0.x of the chart while retaining the use of legacy hostnames. 
+## When upgrading from version 1.0.x to any version above 1.1.0, this flag must be set to true.
+## It should remain true for all future upgrades. For new installations, this flag should be set to false.
+useLegacyHostnames: false
+
 ## Group related settings
 group:
   ## the group name of the current Marklogic Helm Deployment
@@ -28,7 +39,7 @@ bootstrapHostName: ""
 ## Marklogic image parameters
 image:
   repository: marklogicdb/marklogic-db
-  tag: 11.1.0-centos-1.1.2
+  tag: 11.2.0-centos-1.1.2
   pullPolicy: IfNotPresent
 
 ## Init container image parameters
diff --git a/makefile b/makefile
@@ -70,7 +70,7 @@ prepare:
 .PHONY: lint
 lint:
 	@echo "> Linting helm charts....."
-	helm lint --with-subcharts charts/ $(if $(saveOutput),> helm-lint-output.txt,)
+	helm lint --set allowLongHostnames=true --with-subcharts charts/ $(if $(saveOutput),> helm-lint-output.txt,)
 
 	@echo "> Linting all tests....."
 	golangci-lint run --timeout=5m $(if $(saveOutput),> test-lint-output.txt,)
diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go
diff --git a/test/template/template_test.go b/test/template/template_test.go
diff --git a/test/test_data/values/tls_dnode_values.yaml b/test/test_data/values/tls_dnode_values.yaml
diff --git a/test/test_data/values/tls_enode_values.yaml b/test/test_data/values/tls_enode_values.yaml
diff --git a/test/test_data/values/tls_twonode_values.yaml b/test/test_data/values/tls_twonode_values.yaml
