Merge branch 'main' into fix/cluster-cache-list

Author: Ash-exp

CHANGELOG/release-notes-v2.0.0.md

@@ -0,0 +1,31 @@
+## v2.0.0
+
+## Enhancements
+- feat: Rollout 5.2.0 (#6889)
+- feat: Added support for tcp in virtual service and changed the apiVersion for externalSecrets (#6892)
+- feat: add helm_take_ownership and helm_redeployment_request columns to user_deployment_request table (#6888)
+- feat: Revamped Devtron UI with multiple dashboards (#6884)
+- feat: Added support to override container name (#6880)
+- feat: Increase max length for TeamRequest name field (#6876)
+- feat: Added namespace support for virtualService and destinationRule (#6868)
+- feat: feature flag for encryption (#6856)
+- feat: encryption for db credentials (#6852)
+## Bugs
+- fix: migrate proxy chart dependencies and refactor related functions (#6899)
+- fix: enhance validation and error handling in cluster update process (#6887)
+- fix: Invalid type casting error for custom charts (#6883)
+- fix: validation on team name (#6872)
+- fix: sql injection  (#6861)
+- fix: user manager fix (#6854)
+## Others
+- misc: Add support for migrating plugin metadata to parent metadata (#6902)
+- misc: update UserDeploymentRequestWithAdditionalFields struct to include tableName for PostgreSQL compatibility (#6896)
+- chore: rename SQL migration files for consistency (#6885)
+- misc: Vc empty ns fix (#6871)
+- misc: added validation on create environment (#6859)
+- misc: migration unique constraint on mpc (#6851)
+- misc: helm app details API spec (#6850)
+- misc: api Spec Added for draft (#6849)
+- misc: api Specs added for lock config (#6847)
+
+

api/restHandler/ImageScanRestHandler.go

@@ -428,99 +428,55 @@ func (impl ImageScanRestHandlerImpl) VulnerabilitySummary(w http.ResponseWriter,
 		return
 	}
 
-	// Create ImageScanRequest with filters for fetching deploy info
-	request := &securityBean.ImageScanRequest{
-		ImageScanFilter: bean.ImageScanFilter{
-			EnvironmentIds: summaryRequest.EnvironmentIds,
-			ClusterIds:     summaryRequest.ClusterIds,
-		},
-	}
-
-	deployInfoList, err := impl.imageScanService.FetchAllDeployInfo(request)
-	if err != nil {
-		impl.logger.Errorw("service err, VulnerabilitySummary", "err", err)
-		if util.IsErrNoRows(err) {
-			emptySummary := &securityBean.VulnerabilitySummary{
-				TotalVulnerabilities: 0,
-				SeverityCount: &securityBean.SeverityCount{
-					Critical: 0,
-					High:     0,
-					Medium:   0,
-					Low:      0,
-					Unknown:  0,
-				},
-				FixableVulnerabilities:    0,
-				NotFixableVulnerabilities: 0,
-			}
-			common.WriteJsonResp(w, nil, emptySummary, http.StatusOK)
-		} else {
-			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		}
-		return
-	}
-
-	filteredDeployInfoList, err := impl.imageScanService.FilterDeployInfoByScannedArtifactsDeployedInEnv(deployInfoList)
-	if err != nil {
-		impl.logger.Errorw("request err, FilterDeployInfoListForScannedArtifacts", "err", err)
-		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		return
-	}
-
-	_, rbacSpan := otel.Tracer("imageScanRestHandler").Start(ctx, "RBACProcessing")
+	// Check if user is super admin first - this determines the optimization path
+	_, rbacSpan := otel.Tracer("imageScanRestHandler").Start(ctx, "RBACCheck")
 	token := r.Header.Get("token")
-	isSuperAdmin := false
-	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
-		isSuperAdmin = true
-	}
+	isSuperAdmin := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*")
+	rbacSpan.End()
+
 	var ids []int
+
 	if isSuperAdmin {
-		ids = sliceUtil.NewSliceFromFuncExec(filteredDeployInfoList, func(item *security2.ImageScanDeployInfo) int {
-			return item.Id
-		})
+		// OPTIMIZATION: For super-admin users, skip deploy info fetching and filtering entirely
+		// The GetVulnerabilityRawData query already handles all filtering (env, cluster, app) at DB level
+		// When ids is empty, it doesn't apply RBAC filtering, which is correct for super-admins
+		ids = nil
 	} else {
+		// OPTIMIZATION: For non-super-admin users, use optimized single query
+		_, fetchSpan := otel.Tracer("imageScanRestHandler").Start(ctx, "FetchScannedDeployInfo")
+		filteredDeployInfoList, err := impl.imageScanService.FetchScannedDeployInfoWithFilters(ctx, summaryRequest.EnvironmentIds, summaryRequest.ClusterIds)
+		fetchSpan.End()
+		if err != nil {
+			impl.logger.Errorw("service err, VulnerabilitySummary", "err", err)
+			if util.IsErrNoRows(err) {
+				common.WriteJsonResp(w, nil, impl.getEmptyVulnerabilitySummary(), http.StatusOK)
+			} else {
+				common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			}
+			return
+		}
+
+		// Apply RBAC filtering
+		_, rbacProcessSpan := otel.Tracer("imageScanRestHandler").Start(ctx, "RBACProcessing")
 		ids, err = impl.getAuthorisedImageScanDeployInfoIds(token, filteredDeployInfoList)
+		rbacProcessSpan.End()
 		if err != nil {
 			impl.logger.Errorw("error in getting authorised image scan deploy info ids", "err", err)
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 			return
 		}
-	}
-	rbacSpan.End()
 
-	if len(ids) == 0 {
-		emptySummary := &securityBean.VulnerabilitySummary{
-			TotalVulnerabilities: 0,
-			SeverityCount: &securityBean.SeverityCount{
-				Critical: 0,
-				High:     0,
-				Medium:   0,
-				Low:      0,
-				Unknown:  0,
-			},
-			FixableVulnerabilities:    0,
-			NotFixableVulnerabilities: 0,
+		if len(ids) == 0 {
+			common.WriteJsonResp(w, nil, impl.getEmptyVulnerabilitySummary(), http.StatusOK)
+			return
 		}
-		common.WriteJsonResp(w, nil, emptySummary, http.StatusOK)
-		return
 	}
 
 	summary, err := impl.imageScanService.FetchVulnerabilitySummary(ctx, summaryRequest, ids)
 	if err != nil {
 		impl.logger.Errorw("service err, VulnerabilitySummary", "err", err)
 		if util.IsErrNoRows(err) {
-			emptySummary := &securityBean.VulnerabilitySummary{
-				TotalVulnerabilities: 0,
-				SeverityCount: &securityBean.SeverityCount{
-					Critical: 0,
-					High:     0,
-					Medium:   0,
-					Low:      0,
-					Unknown:  0,
-				},
-				FixableVulnerabilities:    0,
-				NotFixableVulnerabilities: 0,
-			}
-			common.WriteJsonResp(w, nil, emptySummary, http.StatusOK)
+			common.WriteJsonResp(w, nil, impl.getEmptyVulnerabilitySummary(), http.StatusOK)
 		} else {
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		}
@@ -529,6 +485,22 @@ func (impl ImageScanRestHandlerImpl) VulnerabilitySummary(w http.ResponseWriter,
 	common.WriteJsonResp(w, err, summary, http.StatusOK)
 }
 
+// getEmptyVulnerabilitySummary returns an empty vulnerability summary response
+func (impl ImageScanRestHandlerImpl) getEmptyVulnerabilitySummary() *securityBean.VulnerabilitySummary {
+	return &securityBean.VulnerabilitySummary{
+		TotalVulnerabilities: 0,
+		SeverityCount: &securityBean.SeverityCount{
+			Critical: 0,
+			High:     0,
+			Medium:   0,
+			Low:      0,
+			Unknown:  0,
+		},
+		FixableVulnerabilities:    0,
+		NotFixableVulnerabilities: 0,
+	}
+}
+
 func (impl ImageScanRestHandlerImpl) VulnerabilityListing(w http.ResponseWriter, r *http.Request) {
 	ctx, span := otel.Tracer("imageScanRestHandler").Start(r.Context(), "VulnerabilityListing")
 	defer span.End()

api/util/logger.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/devtron-labs/devtron/internal/middleware"
 	"github.com/devtron-labs/devtron/pkg/auth/user"
+	"github.com/devtron-labs/devtron/util"
 )
 
 type AuditLoggerDTO struct {
@@ -36,6 +37,7 @@ type AuditLoggerDTO struct {
 	RequestPayload  []byte        `json:"requestPayload"`
 	RequestMethod   string        `json:"requestMethod"`
 	ResponseTime    time.Duration `json:"responseTime"`
+	ClientIp        string        `json:"clientIp"`
 }
 
 type LoggingMiddlewareImpl struct {
@@ -56,13 +58,12 @@ type LoggingMiddleware interface {
 func (impl LoggingMiddlewareImpl) LoggingMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		d := middleware.NewDelegator(w, nil)
-
 		token := r.Header.Get("token")
 		userEmail, err := impl.userService.GetEmailFromToken(token)
 		if err != nil {
 			log.Printf("AUDIT_LOG: user does not exists")
 		}
-
+		clientIp := util.GetClientIP(r)
 		// Read the request body into a buffer
 		var bodyBuffer bytes.Buffer
 		_, err = io.Copy(&bodyBuffer, r.Body)
@@ -83,6 +84,7 @@ func (impl LoggingMiddlewareImpl) LoggingMiddleware(next http.Handler) http.Hand
 			QueryParams:    r.URL.Query().Encode(),
 			RequestPayload: bodyBuffer.Bytes(),
 			RequestMethod:  r.Method,
+			ClientIp:       clientIp,
 		}
 		// Call the next handler in the chain.
 		next.ServeHTTP(d, r)
@@ -95,5 +97,5 @@ func (impl LoggingMiddlewareImpl) LoggingMiddleware(next http.Handler) http.Hand
 }
 
 func LogRequest(auditLogDto *AuditLoggerDTO) {
-	log.Printf("AUDIT_LOG: requestMethod: %s, urlPath: %s, queryParams: %s, updatedBy: %s, updatedOn: %s, apiResponseCode: %d, responseTime: %s, requestPayload: %s", auditLogDto.RequestMethod, auditLogDto.UrlPath, auditLogDto.QueryParams, auditLogDto.UserEmail, auditLogDto.UpdatedOn, auditLogDto.ApiResponseCode, auditLogDto.ResponseTime, auditLogDto.RequestPayload)
+	log.Printf("AUDIT_LOG: clientIp: %s, requestMethod: %s, urlPath: %s, queryParams: %s, updatedBy: %s, updatedOn: %s, apiResponseCode: %d, responseTime: %s, requestPayload: %s", auditLogDto.ClientIp, auditLogDto.RequestMethod, auditLogDto.UrlPath, auditLogDto.QueryParams, auditLogDto.UserEmail, auditLogDto.UpdatedOn, auditLogDto.ApiResponseCode, auditLogDto.ResponseTime, auditLogDto.RequestPayload)
 }

charts/devtron/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: devtron-operator
-appVersion: 1.8.2
+appVersion: 2.0.0
 description: Chart to configure and install Devtron. Devtron is a Kubernetes Orchestration system.
 keywords:
   - Devtron
@@ -11,7 +11,7 @@ keywords:
   - argocd
   - Hyperion
 engine: gotpl
-version: 0.22.98
+version: 0.22.99
 sources:
   - https://github.com/devtron-labs/charts
 dependencies:

charts/devtron/devtron-bom.yaml

@@ -15,7 +15,7 @@ global:
     PG_DATABASE: orchestrator
 extraManifests: []
 installer:
-  release: "v1.8.2"
+  release: "v2.0.0"
   registry: ""
   image: "inception"
   tag: "473deaa4-185-21582"
@@ -41,13 +41,13 @@ components:
         FEATURE_CODE_MIRROR_ENABLE: "true"
         FEATURE_GROUPED_APP_LIST_FILTERS_ENABLE: "true"
     registry: ""
-    image: "dashboard:b00aa204-690-36533"
+    image: "dashboard:b48d0910-690-38228"
     imagePullPolicy: IfNotPresent
     healthPort: 8080
   devtron:
     registry: ""
-    image: "hyperion:261df88d-280-36531"
-    cicdImage: "devtron:261df88d-434-36530"
+    image: "hyperion:f0c18f20-280-38148"
+    cicdImage: "devtron:f0c18f20-434-38146"
     imagePullPolicy: IfNotPresent
     customOverrides: {}
     podSecurityContext:
@@ -61,7 +61,7 @@ components:
     healthPort: 8080
   ciRunner:
     registry: ""
-    image: "ci-runner:880420ac-138-36030"
+    image: "ci-runner:6b408df4-138-38163"
   argocdDexServer:
     registry: ""
     image: "dex:v2.30.2"
@@ -70,7 +70,7 @@ components:
       authenticator: "authenticator:e414faff-393-13273"
   kubelink:
     registry: ""
-    image: "kubelink:880420ac-564-36036"
+    image: "kubelink:6b408df4-564-38159"
     imagePullPolicy: IfNotPresent
     configs:
       ENABLE_HELM_RELEASE_CACHE: "true"
@@ -93,10 +93,11 @@ components:
     healthPort: 50052
   kubewatch:
     registry: ""
-    image: "kubewatch:880420ac-419-36026"
+    image: "kubewatch:6b408df4-419-38172"
     imagePullPolicy: IfNotPresent
     healthPort: 8080
     configs:
+      VELERO_INFORMER: "false"
       devtroncd_NAMESPACE: "devtron-ci"
       USE_CUSTOM_HTTP_TRANSPORT: "true"
       CI_INFORMER: "true"
@@ -117,7 +118,7 @@ components:
       image: postgres_exporter:v0.10.1
   gitsensor:
     registry: ""
-    image: "git-sensor:b82f5fdb-200-36532"
+    image: "git-sensor:6b408df4-200-38174"
     imagePullPolicy: IfNotPresent
     serviceMonitor:
       enabled: false
@@ -135,7 +136,7 @@ components:
   # Values for lens
   lens:
     registry: ""
-    image: "lens:880420ac-333-36029"
+    image: "lens:6b408df4-333-38167"
     imagePullPolicy: IfNotPresent
     configs:
       GIT_SENSOR_PROTOCOL: GRPC
@@ -170,7 +171,7 @@ components:
     entMigratorImage: "devtron-utils:geni-v1.1.4"
   chartSync:
     registry: ""
-    image: chart-sync:880420ac-836-36037
+    image: chart-sync:6b408df4-836-38155
     schedule: "0 19 * * *"
     podSecurityContext:
       fsGroup: 1001
@@ -208,7 +209,7 @@ workflowController:
   IMDSv1ExecutorImage: "argoexec:v3.0.7"
 security:
   imageScanner:
-    image: "image-scanner:f21e02cb-141-34534"
+    image: "image-scanner:6b408df4-141-38158"
     healthPort: 8080
     configs:
       TRIVY_DB_REPOSITORY: mirror.gcr.io/aquasec/trivy-db
@@ -219,7 +220,7 @@ security:
       tag: 4.3.6
 # Values for notifier integration
 notifier:
-  image: "notifier:00f17215-372-36041"
+  image: "notifier:5c4b5b3a-372-38153"
   healthPort: 3000
 minio:
   image: "minio:RELEASE.2021-02-14T04-01-33Z"
@@ -241,6 +242,15 @@ monitoring:
       imagePullPolicy: IfNotPresent
 devtronEnterprise:
   enabled: false
+  finops:
+    enabled: false
+    costSync:
+      image: "cost-sync:46ed7c67-1159-38183"
+      schedule: "0 * * * *"
+      timeZone: UTC
+    timescale:
+      image: "timescaledb-ha:pg18"
+      volumeSize: 5Gi
   casbin:
     registry: ""
     image: "casbin:f6ff5f74-064b67e5-462-30822"

charts/devtron/templates/NOTES.txt

@@ -2,7 +2,7 @@
     {{- $liveCm := lookup "v1" "ConfigMap" "devtroncd" "devtron-custom-cm" }}
     {{- $currentValue := pluck "POSTGRES_MIGRATED" $liveCm.data | first | default "" }}
     {{- if ne $currentValue "14" }}
-      {{- fail "Upgrade Failed Please ensure that you have completed the pre-requisites mentioned in https://docs.devtron.ai/upgrade/devtron-upgrade-1.5.0" }}
+      {{- fail "Upgrade Failed Please ensure that you have completed the pre-requisites mentioned in https://docs.devtron.ai/docs/devtron/v1.7/setup/upgrade/devtron-upgrade-1.5.0" }}
     {{- end }}
 {{- end }}
 

charts/devtron/templates/_helpers.tpl

@@ -115,4 +115,4 @@ securityContext:
 securityContext:
 {{ toYaml .global.containerSecurityContext | indent 2 }}
   {{- end }}
-{{- end }}
+{{- end }}