chore(release): promote release to master#41961
Merged
Merged
Conversation
#41935) ## Description > [!TIP] > **TL;DR:** Follow-up to #41926. The dependency-build step it added ran inside the unittest container, where the non-root container user can't write to the bind-mounted workdir on Linux CI (`mkdir charts: permission denied`). This runs `helm dependency build` natively on the runner via `azure/setup-helm`, matching the pattern already used in `helm-release.yml` / `helm-docs.yml`. #41926 added a `helm dependency update` step so the Helm unit tests have their subcharts available (the `.tgz` files under `deploy/helm/charts/` are gitignored). That step ran helm **inside** the `helmunittest/helm-unittest` container: ```yaml docker run --rm -v $(pwd):/apps --entrypoint helm helmunittest/helm-unittest dependency update . ``` On the Linux CI runner the container runs as a non-root user that cannot write into the bind-mounted workdir (owned by the runner user), so it failed: ``` Error: mkdir charts: permission denied ``` It passed locally only because Docker Desktop on macOS ignores bind-mount ownership. **Fix:** install helm on the runner with `azure/setup-helm@v4` (pinned `v4.1.4`) and run `helm dependency build` natively — the same approach already used in `helm-release.yml` and `helm-docs.yml`. The `charts/` dir is then created as the runner user, and the existing unittest container reads it without issue. ```yaml - name: Setup Helm uses: azure/setup-helm@v4 with: version: v4.1.4 - name: Build chart dependencies run: helm dependency build ``` ## Verification Ran the new sequence locally against the chart: - `helm dependency build` (native) → all 5 subcharts resolved (redis, mongodb, postgresql, prometheus, mongodb-kubernetes) - `helm-unittest .` (docker) → 13 suites, 67 tests, 7 snapshots — all passing Fixes `N/A` — CI infrastructure fix; follow-up to #41926. ## Automation /ok-to-test tags="@tag.Sanity" ### 🔍 Cypress test results <!-- This is an auto-generated comment: Cypress test results --> > [!TIP] > 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉 > Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/28547318249> > Commit: 2b49886 > <a href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=28547318249&attempt=1" target="_blank">Cypress dashboard</a>. > Tags: `@tag.Sanity` > Spec: > <hr>Wed, 01 Jul 2026 21:31:26 UTC <!-- end of auto-generated comment: Cypress test results --> ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [x] No 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Updated the Helm unit test workflow to install a pinned Helm binary before running tests. * Simplified chart dependency preparation in CI to use a runner-native build, improving consistency. * **Tests** * Helm unit tests now run using the pinned Helm version and updated dependency build flow for more reliable chart validation. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
## Description Adds authenticated Redis support to the Helm chart. A pre-install/pre-upgrade hook Job generates the Redis password Secret (referenced by `redis.auth.existingSecret`) when it does not already exist, keeping the password stable across upgrades and ArgoCD re-syncs. The password is injected into the Appsmith deployment by Secret reference, so cleartext never lands in the ConfigMap. **What changed** - New helpers `appsmith.redisMasterHost`, `appsmith.redisSecretName`, and `appsmith.redisPasswordInitImage`. - Deployment assembles an authenticated `APPSMITH_REDIS_URL` from the Secret (password var precedes the URL that references it via `$(VAR)`); skipped when the user supplies their own `applicationConfig.APPSMITH_REDIS_URL`. - Redis init-container `ping` now passes `REDISCLI_AUTH` when auth is enabled. - ConfigMap-derived Redis URL and init-container host are gated on `redis.auth.enabled` and routed through the shared host helper. - New `redisAuth.passwordInit` image config (defaults to `alpine/kubectl`) plus a pre-install/pre-upgrade hook (`templates/hooks/redis.yaml`) that bootstraps the password Secret. - `values.yaml` now enables `redis.auth` by default with `existingSecret: appsmith-redis-secret` / `existingSecretPasswordKey: redis-password`. - `values.schema.json` entries and snapshot/test coverage (`tests/redis_auth_test.yaml`, updated default snapshot). **Reviewer notes** - The Redis host helper assumes the release name does not contain "redis" (otherwise the Bitnami subchart collapses its fullname and the host would not match). - `redisAuth` is intentionally kept separate from `redis` so it is never forwarded to the Bitnami subchart. - `passwordInit.image.tag` defaults to a floating `latest` because upstream `alpine/kubectl` periodically retires older patch tags; pin it for byte-level reproducibility. ## Automation /ok-to-test tags="@tag.Sanity" ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [x] No <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Redis authentication enabled by default. * Automatic Redis password initialization and secure Secret creation. * **Improvements** * Deployment now reliably wires Redis credentials and connection URL. * Init/job logic uses computed Redis host and preserves existing passwords across upgrades. * **Tests** * Added Helm chart tests covering Redis auth behaviors and deployment wiring. * **Documentation** * Updated Helm README and values schema for Redis auth configuration. * **Chores** * Helm chart version bumped to 3.8.2. <!-- end of auto-generated comment: release notes by coderabbit.ai --> <!-- This is an auto-generated comment: Cypress test results --> > [!IMPORTANT] > 🟣 🟣 🟣 Your tests are running. > Tests running at: <https://github.com/appsmithorg/appsmith/actions/runs/28814168686> > Commit: 5b16282 > Workflow: `PR Automation test suite` > Tags: `@tag.Sanity` > Spec: `` > <hr>Mon, 06 Jul 2026 18:31:09 UTC <!-- end of auto-generated comment: Cypress test results --> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: subratadeypappu <subrata@appsmith.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Wyatt Walter <wyatt@appsmith.com> Co-authored-by: Wyatt Walter <wyattwalter@gmail.com>
## Description > [!TIP] > **TL;DR** — On a private registry that only mirrors MongoDB's `-ubi8` tags, there was no single value of `mongodbCommunity.version` that worked, because the chart feeds it to two consumers with contradictory suffix expectations. This makes the init-container image helper's `-ubi8` append idempotent so one value drives both. Helm-chart-only change; default behavior is byte-identical. The chart derives **two** image references from the single `mongodbCommunity.version` value, and on a **private registry** (a mirror that only carries `-ubi8` tags) the two consumers demand contradictory formats: 1. **MongoDBCommunity CR `spec.version`** (`deploy/helm/templates/mongodb-community.yaml`) — consumed **verbatim** by the MongoDB Community Operator. The operator only auto-appends `-ubi8` for MongoDB's *official* registry URLs; for a private mirror it uses the value as-is, so the CR must carry `8.0.20-ubi8` or `mongod` can't pull. 2. **Init-container wait image** via the `appsmith.mongoInitContainerImage` helper (`deploy/helm/templates/_helpers.tpl`) — **always** appended `-ubi8`, so a `8.0.20-ubi8` value produced `...:8.0.20-ubi8-ubi8`, which fails. **Net:** with a single bare value there was no correct setting on a private registry. The only workaround was to set `version: "8.0.20-ubi8"` **and** separately override `initContainer.mongodb.image` to the full path — two knobs kept in sync on every version bump. ### What changed Make the helper strip a trailing `-ubi8` before re-appending it, so the append is idempotent — both `8.0.20` and `8.0.20-ubi8` render `...:8.0.20-ubi8`. The suffix is now defined once (`$suffix`) and used for both the trim and the append, so they can't drift if it ever changes. Private-registry users can now drive both consumers from `version` alone; the `initContainer.mongodb.image` override is no longer needed. | `version` value | Registry | CR `spec.version` | Init image | Result | |---|---|---|---|---| | `8.0.20` | official (default) | `8.0.20` (operator appends `-ubi8`) | `…:8.0.20-ubi8` | ✅ unchanged | | `8.0.20-ubi8` | private mirror | `8.0.20-ubi8` (verbatim) | `…:8.0.20-ubi8` (trimmed, not `-ubi8-ubi8`) | ✅ fixed, single knob | The operator-side behavior (auto-append only for official URLs) is a MongoDB limitation outside Appsmith's control; this fixes only the chart-helper side. The default path is byte-identical (`8.0.20` still renders `…:8.0.20-ubi8`), so existing snapshots are unaffected. **Files:** `deploy/helm/templates/_helpers.tpl` (idempotent trim + doc), `deploy/helm/values.yaml` (private-registry guidance), `deploy/helm/tests/mongodb_operator_test.yaml` (2 new unittest cases). **Testing:** `helm unittest deploy/helm` → 69 passed, 7 snapshots, 0 failed. Verified renders: `8.0.20` → `…:8.0.20-ubi8`; `8.0.20-ubi8` → init `…:8.0.20-ubi8` (no double suffix) and CR `spec.version: "8.0.20-ubi8"`. Fixes #41937 ## Automation /ok-to-test tags="" ### 🔍 Cypress test results <!-- This is an auto-generated comment: Cypress test results --> > [!WARNING] > Tests have not run on the HEAD 8fa87fc yet > <hr>Mon, 06 Jul 2026 18:38:07 UTC <!-- end of auto-generated comment: Cypress test results --> ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [x] No 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Fixed MongoDB image tag handling so version strings that already include the `-ubi8` suffix are no longer duplicated. * Improved compatibility with private registries and mirrored image tags. * **Documentation** * Added guidance on how to set MongoDB version values for registry setups that use `-ubi8` tags. * **Tests** * Added coverage for MongoDB version rendering and container image tag behavior when `-ubi8` is already present. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Wyatt Walter <wyattwalter@gmail.com>
## Description `SmtpPluginTest` uses the `maildev/maildev` Testcontainers image without a tag, which resolves to `:latest`. Maildev recently published a new RC and tagged it `latest`, and it's broken in our test setup: the container's internal exec-based readiness check fails (`/bin/sh: /bin/bash: not found`, exit 137), and the test connects to the mapped SMTP port before the listener is actually ready, causing intermittent connection failures. This pins both `GenericContainer` instances in `SmtpPluginTest` to `maildev/maildev:2.2.1`, the last known-good tag (see [tags on Docker Hub](https://hub.docker.com/r/maildev/maildev/tags)), to stop tracking `latest` and avoid future silent breaks from upstream RCs. ### Context Observed as a repeated CI failure on an EE release-promotion PR (`server-unit-tests` shard 5), reproduced on both the initial run and a retry. ## Test plan - [ ] `server-unit-tests` (specifically `SmtpPluginTest`) passes reliably in CI <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Tests** * Updated SMTP test containers to use a pinned MailDev image version for more consistent test execution. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. 🗂️ Base branches to auto review (2)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…HSA-qhfj-g87x-m39w) (#41921) ## Summary Closes [GHSA-qhfj-g87x-m39w](https://github.com/appsmithorg/appsmith/security/advisories/GHSA-qhfj-g87x-m39w). The Redis datasource plugin opened a Jedis connection to a user-controlled host/port with no IP-class filtering, so a user with datasource-create permission could point a Redis datasource at the internal Appsmith Redis. The existing HTTP-side filter doesn't cover Redis — Jedis uses the JVM's default resolver and bypasses the Reactor Netty hook. This PR also closes a DNS-rebinding TOCTOU on the same path and enforces TLS certificate hostname verification for `rediss://` datasources (items 4 and 5 below). ## Changes 1. **Block Redis datasources from reaching the internal Appsmith Redis.** `RedisPlugin.datasourceCreate` now consults a shared `RestrictedHostFilter`. Blocks literal hostname / IP matches against `APPSMITH_REDIS_URL` and `APPSMITH_REDIS_GIT_URL`, plus loopback / link-local / cloud-metadata literals. Enforcement is connection-time only — `PluginExecutor.validateDatasource` is documented format-only, so host-policy belongs on the connection path. UX: Save succeeds, "Test Datasource" rejects with `Host not allowed.`. 2. **Make SSRF protections always-on; rename `IN_DOCKER` to `APPSMITH_DISABLE_SSRF_FILTER`.** The previous filter gated the loopback / link-local block on `IN_DOCKER=1`, which Appsmith's official Docker image always sets — so users on documented deployment paths were already getting this protection. This change closes the gap for unofficial distributions (self-built images, bare-metal, etc.) and replaces a poorly-named variable with one that actually describes what it does. The most likely place to hit this is a development machine running the server directly against `http://localhost:*` — set `APPSMITH_DISABLE_SSRF_FILTER=true` to allow it. 3. **Extract `RestrictedHostFilter` from `WebClientUtils`.** Pure refactor — the host-filter logic had already grown several non-HTTP call sites and the class name had outgrown its scope. 4. **Close the DNS-rebinding TOCTOU on the Redis path (upgrade Jedis 3.3.0 → 5.2.0 + pin the resolved IP).** The create-time pre-check in (1) and Jedis's own connection-time lookup resolved the hostname independently, so a hostile resolver could return an allowed IP to the check and the internal Redis IP to the driver. Jedis 5.2.0 (up from 3.3.0, which predated the API) allows injecting a `JedisSocketFactory`; the new `RestrictedHostJedisSocketFactory` resolves once at connect time, validates every resolved address, and connects directly to the pinned IP — so the driver never re-resolves and the window is closed. The create-time check stays as fast Save/Test UX and now logs the block at WARN, tagged with the requesting user/org/trace (a useful reconnaissance signal). Jedis is plugin-isolated (PF4J + shaded); the server's own Redis runs on Lettuce and is untouched. 5. **Enforce TLS certificate hostname verification for `rediss://` datasources.** Jedis 5.2.0 validates the certificate trust chain but does not verify that the cert's SAN/CN matches the host (it only does so by default in 7.5.0+), so a man-in-the-middle presenting any CA-trusted-but-mismatched cert on the pinned IP would have been accepted. The socket factory now sets the endpoint identification algorithm to `HTTPS`, verifying against the configured hostname (we connect to the pinned IP but hand the original hostname to the TLS layer for SNI and verification). This was a pre-existing gap, not introduced here; closing it now is low-risk because Redis TLS support is recent (#41587, ~2026-03) and barely adopted, and chain validation was already on — so only CA-trusted-but-mismatched certs and IP-addressed `rediss://` (certs rarely carry IP SANs) are newly rejected. 6. **Housekeeping: drop dead `IN_DOCKER` references from Dockerfile / deploy scripts / CI workflow.** No consumer left after the rename in (2). /ok-to-test tags="@tag.All" ## Test plan - [x] CI green across all commits (Jedis 5.2.0 upgrade, socket factory, TLS verification, logging). - [x] Deploy preview: Redis datasource at \`localhost\` / in-cluster Redis service DNS — Save accepted, Test rejected with \`Host not allowed.\`. Legitimate external Redis works. - [x] Connect-time SSRF rejection (the rebinding gate) covered by `RedisPluginTest` (`socketFactory_blockedHost_failsAtConnectTime`). A live end-to-end rebinding flip needs a changing resolver and was not exercised on the DP (rbndr.us is unreachable from AWS). - [x] Confirm the one existing `rediss://` user (Appsmith internal) connects via a hostname matching its cert, now that hostname verification is enforced. - [x] Dev environment: confirm \`APPSMITH_DISABLE_SSRF_FILTER=true\` unblocks \`http://localhost:*\` datasources during local development. 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- This is an auto-generated comment: Cypress test results --> > [!TIP] > 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉 > Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/28840292682> > Commit: c795905 > <a href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=28840292682&attempt=2" target="_blank">Cypress dashboard</a>. > Tags: `@tag.All` > Spec: > <hr>Tue, 07 Jul 2026 13:31:52 UTC <!-- end of auto-generated comment: Cypress test results --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Added centralized SSRF/restricted host filtering with denylisting and normalization. * Enabled consistent enforcement across outbound web requests, Elasticsearch DNS resolution, SMTP test-email, and Redis datasource connections. * Mitigated Redis DNS rebinding by validating once and pinning the resolved address. * **Bug Fixes** * Blocked hosts now fail with a consistent “Host not allowed” error across execution paths. * **Tests** * Added dedicated host/IP blocking test suite. * Updated integration tests to explicitly control SSRF filtering enablement and state restoration during runs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Open
1 task
sebastianiv21
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Promotes the
releasebranch intomaster.Commits included
Automation
/ok-to-test tags="@tag.All"
Communication
Should the DevRel and Marketing teams be notified?
Tip
🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/28883809142
Commit: 48ac053
Cypress dashboard.
Tags:
@tag.AllSpec:
Tue, 07 Jul 2026 18:26:26 UTC