Helm Charts Release Notes

Updated charts to allow control of the medium of the default tmp directory that several services use. Previously, the settings for the tmp directory were hard-coded and could not be customized. A new helm value, tmpDirMedium, has been added that allows changing the medium of the volume. In order to disable the explicit medium setting and instead use the Kubernetes default, set tmpDirMedium to null.

Updated ZooKeeper, Solr, and Kafka to use storageClassName instead of storageClass in the statefulset volumeClaimTemplates section. For ZooKeeper, also distinguishing between dataDir and dataLog for both storageClassName and volumeMode.

Update the Zookeeper, Kafka, and Solr helm charts to redefine the podAnnotation helm values block. This addresses a bug that was preventing the custom annotations from being applied correctly. The block now has a specific enabled value that must be toggled to true to enable any custom annotations. The custom annotations have also been moved to the new value label nested under podAnnotations. If you are using custom annotations defined under podAnnotations and apply this upgrade, you will need to adopt this new format for the annotations to work.

Update the Zookeeper, Kafka, and Solr helm charts to allow the storage class name and volume mode to be changed using the following helm values. The storageClassName is commented out by default to ensure safety and backwards compatibility.

Update the Prometheus JMX Exporter images on the Zookeeper and Kafka helm charts to allow setting explicit JVM memory settings instead of using the UseCGroupMemoryLimitForHeap option. UseCGroupMemoryLimitForHeap will be used as long as the Xmx and Xms settings are not explicitly set. The options should only be set if there is an explicit need to set them. They can be configured with:

Update the 'flex-balanced-browse' chart to no longer hard-code the maximum file and request sizes used by Spring. These can now be changed using the following helm values:

Add ability to disable certain fields in the flex-balanced-common-env helm chart. If a key is supplied with no value, the key will be skipped. For example, the JAVA_OPTS can be supplied with no value to remove it from the configmap.

The podAnnotations value for the kafka, solr, and zookeeper helm charts has been implemented. Additional annotations for the pods can now be set using podAnnotations. No additional annotations are added by default.

Add helm values to all charts that override the pod termination grace period and lifecycle hook settings. The termination grace period can be controlled with terminationGracePeriodSeconds and defaults to 30 seconds for all pods except solr, which defaults to 180 seconds. Pod lifecycles hooks can be setup using the lifecycle value. By default, no lifecycle hooks are configured.

Added the ability to include hostAliases to the spec block for all services and flex packages. This can be done by adding an hostAliases section to your override file and adding the required key/value pairs.

Added the ability to include extra volumes and volumeMounts to the auth deployment. As with other services, this can be done by adding extraVolumes and extraVolumeMounts sections to your override file and adding the required key/value pairs.

Added the ability to include extra envFrom to the pod spec.containers block for all services and flex packages. This can be done by adding an extraEnvFrom section to your override file and adding the required key/value pairs.

Added option to allow skipping the creation of a PVC in the flex-balanced-browse package.

This is to support release train 1.8.5-GA. The Search Service now does a Tenant look up to get required locale information. This Chart update adds in the necessary Search Client / Tenant Provider references into the base charts.

flex-balanced-supporting / flex-min-core

flex-granular-search

Added the ability to include extra annotations to the pod spec.template.metadata.annotations block. This can be done by adding an extraAnnotations section to your override file and adding the required key/value pairs.

Added support for Broadleaf’s Fulfillment Microservice. More details can be found here (https://developer.broadleafcommerce.com/services/fulfillment-services)

Bumped the Admin Gateway version from 1.4.7-GA to 1.4.10-GA

Bumped the Commerce Gateway version from 1.4.7-GA to 1.4.10-GA

Updated charts with deprecated Kubernetes API definitions (to support K8 cluster versions of 1.25+). This included the following resources: solr: poddisruptionbudget, zookeeper: poddisruptionbudget, psp-default: podsecuritypolicy, psp-permissive: podsecuritypolicy. These resources previously defined the apiVersion: policy/v1beta1 and has now been updated to be apiVersion: policy/v1

Added an elasticAPM block to admingateway, commercegateway, and auth. For these services, it adds a volume, volume mount, and initContainer to load and run the Elastic APM Java agent. It also provided environment variables to do some needed configuration of the agent. The new helm values and their defaults are below. Note that imageVersion is only used by Java services and serviceName defaults to the appropriate service name.

Whitelisted the 4WL (4 letter word) commands for Zookeeper. Both Solr monitoring of the Zookeeper status as well as Kubernetes health probes make use of these commands. The key change was adding a new Java "-D" runtime argument to the helm values.yaml to enabled this feature:

Added the ability to enable and define standard health probes. As with other probes, any valid probe definition can be added within a spec: block. When enabled, defaults will be used unless specifically overridden. The following is the default probe definition. Note that the spec: block should NOT define the probe type (eg. startupProbe):

Added an elasticAPM block to all flex-* charts, commerceweb, and adminweb. For the Java services, it adds a volume, volume mount, and initContainer to load and run the Elastic APM Java agent. It also provided environment variables to do some needed configuration of the agent. For Node services, it only adds the environment variables and depends on the service image having the APM agent within it and set to run on application start. The new helm values and their defaults are below. Note that imageVersion is only used by Java services and serviceName defaults to the appropriate service name.

Refactored startupProbe, readinessProbe, and livenessProbe to allow for complete definition of the specification of the probe. Any valid probe definition can be added within a spec: block.

Added startupProbe, readinessProbe, and livenessProbe blocks to the primary application Chart for:

Set the "fsGroup": 1000 property in the zookeeper chart as the default image defaults to a user and group 1000 (#81)

Fix the BROADLEAF_AUTH_SECURITY_PKCE_ENABLED ENV variable in the auth chart as it was incorrectly gated by the .Values.seedDataLoad.enabled property (#87)

Move the deploymentStrategy value from the pod specification block to the deployment specification block. Add deploymentStrategy to admingateway, adminweb, auth, commercegateway, and commerceweb (#88)

Removed the previously required BROADLEAF_TENANT_LIQUIBASE_CHANGELOG ENV property in the flex-balanced-supporting, flex-granular-tenant, and flex-min-core charts. Going forward this should be specified in your extraEnvs if applicable for your implementation (#62)

Fix the flex-granular-content chart to apply default chart configurability options: i.e. podSecurityContext and jaegerAgentSidecar etc…​

Ability to override default Chart name by specifying appContainerName - applies to most charts (#66)

Enable PKCE by default on the adminweb chart. This introduces the following ENV properties: VITE_ENABLE_DEV_SETTINGS and VITE_ENABLE_PKCE (#73)

Enable PKCE by default on the auth chart. This introduces the following ENV property: BROADLEAF_AUTH_SECURITY_PKCE_ENABLED which defaults to true. (#73)

Ability to optionally enable/disable the SPRING_DATASOURCE_URL and SPRING_DATASOURCE_USERNAME ENV properties in the auth chart using the property datasource.enabled

Add support for SSL database connections using the property: db.sslCertificates.enabled and db.sslCertificates.secretName which mounts the following default path: /etc/db-ssl-certs. This applies to all charts with DB connectivity (e.g. auth and all flex-* charts). (#58)

Make the following ENV properties optional: BROADLEAF_COMPOSITE_DATASOURCE_URL, BROADLEAF_COMPOSITE_DATASOURCE_USERNAME, and BROADLEAF_COMPOSITE_DATASOURCE_PASSWORD - this applies to all flex-* charts using the property: compositedatasource.enabled which is defaulted to true

Optionally enable a debug port using the debug.enabled and debug.port properties. Debug is set to false by default and is applicable to the flex-* charts.

The introduction of the following ENV properties: BROADLEAF_CARTOPERATION_CREDITACCOUNTPROVIDER_URL, BROADLEAF_STORE_CREDIT_CREDITACCOUNTPROVIDER_URL, BROADLEAF_CARTOPERATION_CUSTOMERPROVIDER_URL, and SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_STORECREDITCLIENT_TOKENURI in the flex-balanced-cart chart (CreditAccountServices#9)

The introduction of the following ENV properties: BROADLEAF_CARTOPERATION_CREDITACCOUNTPROVIDER_URL and BROADLEAF_CARTOPERATION_CUSTOMERPROVIDER_URL in the flex-granular-cartops chart (CreditAccountServices#9)

The introduction of the following ENV properties: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_STORECREDITCLIENT_TOKENURI and BROADLEAF_STORE_CREDIT_CREDITACCOUNTPROVIDER_URL in the flex-granular-paymenttransaction chart (CreditAccountServices#9)

The introduction of the following ENV properties: BROADLEAF_CARTOPERATION_CREDITACCOUNTPROVIDER_URL, BROADLEAF_STORE_CREDIT_CREDITACCOUNTPROVIDER_URL, BROADLEAF_CARTOPERATION_CUSTOMERPROVIDER_URL and SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_STORECREDITCLIENT_TOKENURI to the flex-min-core chart (CreditAccountServices#9)

Introduce the flex-granular-creditaccount chart (CreditAccountServices#9)

Adding the default BROADLEAF_GATEWAY_PROXYURLS_CREDITACCOUNT value to flex-balanced-routes-env, flex-granular-routes-env, and flex-min-routes-env charts (CreditAccountServices#9)

Adding an optional block where users can specify a "strategy" for the deployment using the deploymentStrategy property. Applies to all flex-* charts. (MPM#3509)

Enhanced the Zookeeper cart to enable 4WL commands and added standard health probes. See Version 1.8.4 Release Notes for details for this feature.

Refactored startupProbe, readinessProbe, and livenessProbe to allow for complete definition of the specification of the probe. Any valid probe definition can be added within a spec: block. See Version 1.8.3 Release Notes for details for this feature.

Added startupProbe, readinessProbe, and livenessProbe blocks to the primary application Chart - See Version 1.8.2 Release Notes for details for this feature.

Added an elasticAPM block to all flex-* charts, commerceweb, and adminweb. For the Java services, it adds a volume, volume mount, and initContainer to load and run the Elastic APM Java agent. It also provided environment variables to do some needed configuration of the agent. For Node services, it only adds the environment variables and depends on the service image having the APM agent within it and set to run on application start. The new helm values and their defaults are below. Note that imageVersion is only used by Java services and serviceName defaults to the appropriate service name.

Update MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE to include the health actuator endpoint. This impacts the flex-balanced-common-env, flex-granular-common-env, and flex-min-common-env Config Map charts. (MPM#3544)

Remove BROADLEAFDEMO_ACTUATOR_ANONYMOUS from being explicitly defined in the base Config Map charts - impacts flex-balanced-common-env, flex-granular-common-env, and flex-min-common-env. Going forward, you can specify your implementation-specific property override in your umbrella chart or specifically in your application. (#85)

Ability to override resources definitions (e.g. cpu and memory requests and limits) on several supporting service charts: job-zk-upconfig, kafka, openapi-ui, solr, zookeeper, job-solr-create-collections (#54)

Ability to override resources definitions (e.g. cpu and memory requests and limits) for kafka - checkZK (initContainer) and zookeeper - jmx (init container)

Updated the default confluentinc/cp-zookeeper image tag from 5.5.0 to 7.2.1

Updated the default confluentinc/cp-kafka image tag from 7.0.0 to 7.2.1

Move the BROADLEAF_ADMINUSER_AUTHPROPERTIES_AUTHURI ENV property out of the .Values.seedDataLoad.enabled check - impacts flex-balanced-supporting and flex-granular-adminuser charts (#43)

Update the BROADLEAF_CARTOPERATION_CATALOGPROVIDER_URL ENV property default value to be BROADLEAF_GATEWAY_PROXYURLS_CATALOGBROWSE - impacts flex-min-core, flex-granular-cartops, and flex-balanced-cart charts (#50)

On the existing (prior-version) deployment, temporarily eliminate the securityContext setup on Kafka and Zookeeper. This is necessary to allow chown commands to work.

Apply the updates to the blc-supporting-stack chart by running a Helm upgrade

Now, you should be able to change ownership/permissions of files in each of the affected volumes. The containers will still be running as root at this point.

Use kubectl or an equivalent tool to get a shell terminal open on each of the zookeeper-* pods and run chown -R 1000:0 /var/lib/zookeeper/data && chown -R 1000:0 /var/lib/zookeeper/log

(only if Kafka is currently on a version prior to 7.0.0 and is currently running as root, which is unlikely) Use kubectl or an equivalent tool to get a shell terminal open on each of the kafkacluster-* pods and run chown -R 1000:0 /opt/kafka/data

Now that you have updated the file permissions, you can start the process of moving to the new versions of Zookeeper and Kafka charts.

Run a Helm upgrade on the blc-supporting-stack chart to force all pods to be recreated with the new versions and have the security context settings re-applied. Start up should succeed with this change.

You can now shell into the Zookeeper pods again and examine the /var/lib/zookeeper contents to confirm the mounted volume ownership and permissions are correct:

[appuser@zookeeper-0 zookeeper]$ ls -lah
total 16K
drwxr-x--- 4 appuser root    4.0K Jul 15 00:50 .
drwxr-xr-x 1 root    root    4.0K Jul 15 00:50 ..
drwxrwsr-x 4 root    appuser 4.0K Jan 11 17:29 data
drwxrwsr-x 4 root    appuser 4.0K Jan 11 17:29 log
[appuser@zookeeper-0 zookeeper]$ cd data/
[appuser@zookeeper-0 data]$ ls -lah
total 32K
drwxrwsr-x 4 root    appuser 4.0K Jan 11 17:29 .
drwxr-x--- 4 appuser root    4.0K Jul 15 00:50 ..
drwxrws--- 2 root    appuser  16K Jan 11 17:29 lost+found
-rw-r--r-- 1 appuser appuser    1 Jan 11 17:29 myid
drwxr-sr-x 2 appuser appuser 4.0K Jan 11 17:29 version-2

Ensure to re-enable your Pod Security Policy configuration as well if you disabled it in a previous step.

Add ContentServices to support the 1.7.2 RT (MPM#2679)

Update default docker image tag for adminweb (MPM#2819)

Remove default user security contexts in the admingateway and commercegateway charts to match the defaults in the flex-package charts

Remove the cors spring active profile as a default for the commercegateway (#40)

Update the default tag for admingateway and commercegateway

Allow overriding of default busybox and curl image for the check-zk and check-solr initContainer (#23)

Allow Security Context Overrides. If you would like to override the default podSecurityContext or the containerSecurityContext, you can define the respective overrides: podSecurityContextCustom, and containerSecurityContextCustom (#27)

Ability to override image, imageTag, and imagePullSecrets for solr-exporter (#32)

Ability to specify additional annotations for the blc-assets-pvc resource (#32)

Ability to override imagePullSecretes for kafka and zookeeper (#36)

Ability to override backOffLimit for job-zk-upconfig and job-solr-create-collections (#36)

Ability to specify podAnnotations for the flex-balanced-processing and flex-balanced-supporting charts (#38)