Merge branch 'main' into feature-release-v3

Author: Shivam-nagar23

CHANGELOG/release-notes-v0.7.0.md

@@ -0,0 +1,88 @@
+## v0.7.0
+
+## Bugs
+- fix: extra labels propagation made env driven (#5274)
+- fix: App clone config map fix (#5268)
+- fix: latest version in default cluster and on UI (#5259)
+- fix: update CVE's severity and store multiple same CVE's in multiple packages (#5168)
+- fix: fixing force push for gitops (#5152)
+- fix: extra labels propagation based on k8s label regex matching (#5216)
+- fix: invalid runner status (#5189)
+- fix: revert changes from main (#5206)
+- fix: apps and jobs permission (#5110)
+- fix: added Copyright (#5172)
+- fix:removed unused env var (#5174)
+- fix: Handling all cases for 5xx (#5100)
+- fix: trivy scan step command fix (#5162)
+- fix: added extra args in trivy cmds (#5146)
+- fix: proxyRouter empty data err panic handling (#5147)
+- fix: handling side-effects for displaying external helm apps with same name across diff namespaces and clusters (#4951)
+- fix: fatal log removed (#5043)
+- fix: added a check for restricting managers to assign superadmin through permission groups (#5025)
+- fix: SHOW_DOCKER_BUILD_ARGS variable not working as expected (#5117)
+- fix: dependabot version upgrade (#5089)
+- fix: containers are missing from app-details page in argocd app  (#4973)
+- fix:resolved PR review comments also remove check for virtual cluster (#5095)
+- fix:handled namespace case if deleted by kubectl (#5081)
+- fix: oci chart were getting deployed through gitops (#5088)
+- fix: argocd config update fix (#5074)
+- fix: handle 5xx in fetch resource tree api and cd-trigger (#5050)
+- fix: gitops update updated (#5055)
+- fix: App create api validations (#5019)
+- fix: git material saved in transaction (#5040)
+- fix: panic while pulling images (#5036)
+- fix: terminal stuck in connecting state (#4989)
+- fix: handle for wrong format of k8s version in semvercompare func in cronjob template charts (#5016)
+- fix: Dockerfile ubuntu version (#5022)
+- fix: application status changes to HIBERNATING, when hibernation fails due to some reason (#5005)
+- fix: deleted api token can be reused if created again with same name (#4978)
+- fix: Kubelink Requests getting Failed for gRPC method GetAppDetails (#5012)
+- fix: terminate sync if in progress  (#4946)
+- fix: grpc error handling for TemplateChart req (#4980)
+- fix: removed redundant import (#5004)
+- fix: image promotion sql script (#4996)
+- fix: image-approval-migartion fix (#4994)
+- fix: ci-cd count per day in telemetry data (#4931)
+## Enhancements
+- feat: notifier behind nats (#5185)
+- feat: cd pipeline deployment history refactoring (#5200)
+- feat: wire nil test in pre ci pipeline (#4858)
+- feat: added recovery counter metrics (#5124)
+- feat: auto remediation (#5137)
+- feat: support for ca cert in trivy (#5064)
+- feat: validation for pipeline Type (#4670)
+- feat: propagate labels such as envName and projectName (#5063)
+- feat: Plugin to trigger Devtron Job (#5053)
+- feat: CD Trigger Plugin (#4810)
+- feat: Introduction to feasibility in Deployment (#4862)
+## Documentation
+- doc: Created Resource Watcher Doc (#5193)
+- doc: Modified Portforward Section to Kubectl Section (#5236)
+- doc: Added enhancements to security doc (#5203)
+- docs: update readme to include multi arch flag (#4998)
+- docs: config.md updatation for new flag (#5061)
+- doc: Fixes in Documentation for May Month (#5150)
+- doc: Created Resource Watcher Doc (#5193)
+- doc: Modified Portforward Section to Kubectl Section (#5236)
+- doc: Added enhancements to security doc (#5203)
+- docs: update readme to include multi arch flag (#4998)
+- docs: config.md updatation for new flag (#5061)
+- doc: Added kubectl port-fwd section in RB (#5139)
+- doc: Added Bitbucket Data Center in GitOps doc (#5075)
+- doc: Image promotion policy (#4762)
+- doc: Revamped Resource Browser Doc (#5035)
+- doc: Added Bulk Restart in Application Groups doc (#5080)
+- doc: Added new doc in the index (#5029)
+- doc: Changes made in the doc according to the newer version (#5024)
+- doc: Added Linked CI with Child Info + Runtime Build Parameters (#4991)
+## Others
+- chore: updated vendor (#5166)
+- chore: gitops validation in api (#5082)
+- chore: release v2 migration (#5126)
+- chore: migration update for remote connection config (#5113)
+- chore: added sql for release and release channels (#4898)
+- chore: resource scan migration (#4977)
+- chore: image promotion migration (#4992)
+- misc: uniform GitHub action (#5069)
+
+

api/auth/user/UserAuthHandler.go

@@ -237,7 +237,7 @@ func (handler UserAuthHandlerImpl) AddDefaultPolicyAndRoles(w http.ResponseWrite
 
 }
 func (handler UserAuthHandlerImpl) AuthVerification(w http.ResponseWriter, r *http.Request) {
-	verified, err := handler.userAuthService.AuthVerification(r)
+	verified, _, err := handler.userAuthService.AuthVerification(r)
 	if err != nil {
 		handler.logger.Errorw("service err, AuthVerification", "err", err)
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
@@ -253,13 +253,14 @@ func (handler UserAuthHandlerImpl) AuthVerificationV2(w http.ResponseWriter, r *
 		isSuperAdmin = true
 	}
 	response := make(map[string]interface{})
-	verified, err := handler.userAuthService.AuthVerification(r)
+	verified, emailId, err := handler.userAuthService.AuthVerification(r)
 	if err != nil {
 		handler.logger.Errorw("service err, AuthVerification", "err", err)
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		return
 	}
 	response["isSuperAdmin"] = isSuperAdmin
 	response["isVerified"] = verified
+	response["emailId"] = emailId
 	common.WriteJsonResp(w, nil, response, http.StatusOK)
 }

api/k8s/application/k8sApplicationRestHandler.go

@@ -89,9 +89,10 @@ type K8sApplicationRestHandlerImpl struct {
 	helmAppService         client.HelmAppService
 	userService            user.UserService
 	k8sCommonService       k8s.K8sCommonService
+	terminalEnvVariables   *util.TerminalEnvVariables
 }
 
-func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate) *K8sApplicationRestHandlerImpl {
+func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate, envVariables *util.EnvironmentVariables) *K8sApplicationRestHandlerImpl {
 	return &K8sApplicationRestHandlerImpl{
 		logger:                 logger,
 		k8sApplicationService:  k8sApplicationService,
@@ -104,6 +105,7 @@ func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationS
 		helmAppService:         helmAppService,
 		userService:            userService,
 		k8sCommonService:       k8sCommonService,
+		terminalEnvVariables:   envVariables.TerminalEnvVariables,
 	}
 }
 
@@ -820,6 +822,17 @@ func (handler *K8sApplicationRestHandlerImpl) requestValidationAndRBAC(w http.Re
 	}
 }
 
+func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperUsers(w http.ResponseWriter, token string) bool {
+	// if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
+	if handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser {
+		if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin {
+			common.WriteJsonResp(w, errors.New("unauthorized, only super-admins can access terminal"), nil, http.StatusForbidden)
+			return true
+		}
+	}
+	return false
+}
+
 func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("token")
 	userId, err := handler.userService.GetLoggedInUser(r)
@@ -836,6 +849,11 @@ func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.Response
 		return
 	}
 	request.ExternalArgoApplicationName = vars.Get("externalArgoApplicationName")
+	// check for super admin
+	restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+	if restricted {
+		return
+	}
 	if resourceRequestBean.AppIdentifier != nil {
 		// RBAC enforcer applying For Helm App
 		rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(resourceRequestBean.AppIdentifier.ClusterId, resourceRequestBean.AppIdentifier.Namespace, resourceRequestBean.AppIdentifier.ReleaseName)
@@ -1013,6 +1031,7 @@ func (handler *K8sApplicationRestHandlerImpl) verifyRbacForCluster(token string,
 }
 
 func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -1034,6 +1053,11 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+	// check for super admin
+	restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+	if restricted {
+		return
+	}
 	//rbac applied in below function
 	resourceRequestBean := handler.handleEphemeralRBAC(request.PodName, request.Namespace, w, r)
 	if resourceRequestBean == nil {
@@ -1057,6 +1081,7 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 }
 
 func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -1078,6 +1103,11 @@ func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.Re
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+	// check for super admin
+	restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+	if restricted {
+		return
+	}
 	//rbac applied in below function
 	resourceRequestBean := handler.handleEphemeralRBAC(request.PodName, request.Namespace, w, r)
 	if resourceRequestBean == nil {

charts/devtron/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: devtron-operator
-appVersion: 0.6.29
+appVersion: 0.7.0
 description: Chart to configure and install Devtron. Devtron is a Kubernetes Orchestration system.
 keywords:
   - Devtron
@@ -11,7 +11,7 @@ keywords:
   - argocd
   - Hyperion
 engine: gotpl
-version: 0.22.71
+version: 0.22.72
 sources:
   - https://github.com/devtron-labs/charts
 dependencies:

charts/devtron/devtron-bom.yaml

@@ -8,12 +8,13 @@ global:
     runAsUser: 1000
     runAsNonRoot: true
   containerRegistry: "quay.io/devtron"
-
+  
 installer:
-  release: "v0.6.29"
+  release: "v0.7.0"
   registry: ""
   image: "inception"
   tag: "473deaa4-185-21582"
+  
 components:
   dashboard:
     config:
@@ -30,31 +31,30 @@ components:
         SERVICE_WORKER_TIMEOUT: "1"
         API_BATCH_SIZE: "30"
     registry: ""
-    image: "dashboard:1c86e84e-325-22108"
+    image: "dashboard:87aaf7ac-690-23135"
     imagePullPolicy: IfNotPresent
-
+    
   devtron:
     registry: ""
-    image: "hyperion:e7f34f5a-280-22107"
-    cicdImage: "devtron:e7f34f5a-434-22106"
+    image: "hyperion:3aa7e420-280-23147"
+    cicdImage: "devtron:3aa7e420-434-23146"
     imagePullPolicy: IfNotPresent
     customOverrides: {}
-
+    
   ciRunner:
     registry: ""
-    image: "ci-runner:f5614d79-541-22176"
-
-
+    image: "ci-runner:6e721248-138-23081"
+    
   argocdDexServer:
     registry: ""
     image: "dex:v2.30.2"
     imagePullPolicy: IfNotPresent
     initContainer:
       authenticator: "authenticator:e414faff-393-13273"
-
+      
   kubelink:
     registry: ""
-    image: "kubelink:2610ac5a-564-22109"
+    image: "kubelink:a810dbae-564-23055"
     imagePullPolicy: IfNotPresent
     configs:
       ENABLE_HELM_RELEASE_CACHE: "true"
@@ -69,18 +69,18 @@ components:
     dbconfig:
       secretName: postgresql-postgresql
       keyName: postgresql-password
-
+      
   kubewatch:
     registry: ""
-    image: "kubewatch:50d4d32d-419-22116"
+    image: "kubewatch:f8ac0fe6-419-23054"
     imagePullPolicy: IfNotPresent
     configs:
       devtroncd_NAMESPACE: "devtron-ci"
       CI_INFORMER: "true"
       ACD_NAMESPACE: "devtroncd"
       ACD_INFORMER: "true"
       NATS_STREAM_MAX_AGE: "10800"
-
+      
   postgres:
     registry: ""
     image: "postgres:11.9.0-debian-10-r26"
@@ -90,6 +90,7 @@ components:
     metrics:
       image: postgres_exporter:v0.4.7
       armImage: postgres_exporter:v0.10.1
+      
   gitsensor:
     registry: ""
     image: "git-sensor:8545feb5-200-22005"
@@ -107,10 +108,10 @@ components:
     dbconfig:
       secretName: postgresql-postgresql
       keyName: postgresql-password
-# Values for lens
+  # Values for lens
   lens:
     registry: ""
-    image: "lens:70577aaa-333-21179"
+    image: "lens:3d3e8f08-333-23057"
     imagePullPolicy: IfNotPresent
     configs:
       GIT_SENSOR_PROTOCOL: GRPC
@@ -123,7 +124,7 @@ components:
     dbconfig:
       secretName: postgresql-postgresql
       keyName: postgresql-password
-# Change below values for nats
+  # Change below values for nats
   nats:
     registry: ""
     image: nats:2.9.3-alpine
@@ -139,6 +140,7 @@ components:
       enabled: false
     persistence:
       storage: 5Gi
+      
   migrator:
     registry: ""
     image: "migrator:v4.16.2"
@@ -151,13 +153,11 @@ components:
         DB_NAME: "casbin"
       gitsensor:
         DB_NAME: "git_sensor"
-      lens: 
+      lens:
         DB_NAME: "lens"
-
   chartSync:
     registry: ""
-    image: chart-sync:d0dcc590-373-21074
-  
+    image: chart-sync:b67ab589-150-23082
 # values for argocd integration
 argo-cd:
   global:
@@ -175,21 +175,22 @@ workflowController:
   executorImage: "argoexec:v3.4.3"
   IMDSv1Image: "workflow-controller:v3.0.7"
   IMDSv1ExecutorImage: "argoexec:v3.0.7"
+  
 security:
   imageScanner:
-    image: "image-scanner:c0416bc2-334-22111"
+    image: "image-scanner:3ab2ba46-141-23064"
   clair:
     image:
       repository: clair
       tag: 4.3.6
 # Values for notifier integration
 notifier:
   image: "notifier:924a17f6-372-22110"
+  
 minio:
   image: "minio:RELEASE.2021-02-14T04-01-33Z"
   mbImage: "minio-mc:RELEASE.2021-02-14T04-28-06Z"
   gatewayImage: "minio:RELEASE.2020-12-03T05-49-24Z"
-
 # Values for grafana integration
 monitoring:
   grafana:

charts/devtron/templates/_helpers.tpl

@@ -19,7 +19,6 @@ it randomly.
 {{- end -}}
 {{- end }}
 
-
 {{/*
 Return full image
 {{ include "common.image" ( dict "component" .Values.path.to.the.component "global" .Values.global .extraImage .extraImageTag .extraImageDigest ) }}
@@ -50,4 +49,4 @@ Return full image
         {{- printf "%s" $imageName -}}
     {{- end }}
 {{- end -}}
-{{- end -}}
+{{- end -}}