chore: dependency updates (#83)

* fix: upgrade mlflow to 3.4.0 to address high-severity security vulnerabilities

Author: chris-sanders

applications/mlflow/charts/infra/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

applications/mlflow/charts/infra/values.yaml

@@ -6,9 +6,9 @@ crdCheck:
     # -- Image registry
     registry: docker.io
     # -- Image repository
-    repository: bitnami/kubectl
+    repository: bitnamilegacy/kubectl
     # -- Image tag
-    tag: latest
+    tag: "1.33.4-debian-12-r0"
   # -- CRDs to check
   crds:
     - name: tenants.minio.min.io

applications/mlflow/charts/mlflow/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: replicated
   repository: oci://registry.replicated.com/library
-  version: 1.5.1
-digest: sha256:743ca58f2dbfd1408d98b10e27b95f55f5dff2cfc3020e14c707822a5d0f88e0
-generated: "2025-04-16T12:26:22.509901-04:00"
+  version: 1.8.0
+digest: sha256:3221c305cc2c7284ade24c125055434cd813f9107e05c36154668d2f7176055e
+generated: "2025-09-30T15:07:20.581924-05:00"

applications/mlflow/charts/mlflow/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: mlflow
 description: A Helm chart for MLflow - Open source platform for the machine learning lifecycle.
 type: application
-version: "0.4.0"
-appVersion: "2.10.0"
+version: "0.5.1"
+appVersion: "3.3.2"
 home: https://github.com/mlflow/mlflow/tree/master/charts/mlflow
 sources:
   - https://github.com/mlflow/mlflow/tree/master/charts/mlflow

applications/mlflow/charts/mlflow/templates/deployment.yaml

@@ -93,17 +93,15 @@ spec:
       {{- end }}
       {{- end }}
       initContainers:
-      {{- if .Values.mlflow.trackingServer.basicAuth.enabled }}
-      {{- if not .Values.mlflow.trackingServer.basicAuth.existingSecret }}
+      {{- if .Values.postgres.embedded.enabled }}
       - name: wait-for-postgresql
-        image: docker.io/bitnami/postgresql:15.3.0-debian-11-r0
-        imagePullPolicy: {{ .Values.mlflow.image.pullPolicy }}
+        image: "{{ .Values.postgres.backup.image.registry }}/{{ .Values.postgres.backup.image.repository }}:{{ .Values.postgres.backup.image.tag }}"
+        imagePullPolicy: {{ .Values.postgres.backup.image.pullPolicy }}
         command: ["sh", "-c", "until PGPASSWORD=$POSTGRES_PASSWORD psql -U $POSTGRES_USER -h $POSTGRES_HOST -p 5432 -d $POSTGRES_DB -c 'SELECT 1'; do sleep 1; done;"]
         envFrom:
         - secretRef:
             name: {{ printf "%s-waitfor-postgres" (include "mlflow.fullname" .)  | trunc 63 | trimAll "-" }}
       {{- end }}
-      {{- end }}
       {{- if .Values.mlflow.backendStore.databaseUpgrade }}
       - name: mlflow-database-upgrade
         image: {{ .Values.mlflow.image.registry | default "docker.io" }}/{{ .Values.mlflow.image.repository }}:{{ .Values.mlflow.image.tag | default (printf "v%s" .Chart.AppVersion) }}
@@ -129,7 +127,7 @@ spec:
             name: {{ include "mlflow.fullname" . }}
       {{- end }}
       {{- with .Values.mlflow.extraInitContainers }}
-        {{ toYaml . | nindent 8 }}
+      {{ toYaml . | nindent 6 }}
       {{- end }}
       containers:
       - name: {{ include "mlflow.fullname" . }}
@@ -235,7 +233,7 @@ spec:
           {{- end }}
       {{- end }}
       {{- with .Values.mlflow.extraVolumes }}
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- with .Values.mlflow.hostAliases }}
       hostAliases:

applications/mlflow/charts/mlflow/templates/mlflow-auth-secret.yaml

@@ -19,9 +19,9 @@ stringData:
   basic_auth.ini: |
     [mlflow]
     default_permission = {{ .defaultPermission }}
-    database_uri = {{ $dbUri }}
-    admin_username = {{ .adminUsername | quote }}
-    admin_password = {{ .adminPassword | quote }}
+    database_uri = sqlite:////tmp/basic_auth.db
+    admin_username = {{ .adminUsername }}
+    admin_password = {{ .adminPassword }}
     authorization_function = {{ .authorizationFunction }}
   {{- end }}
 {{- end }}

applications/mlflow/charts/mlflow/templates/mlflow-waitfor-secret.yaml

@@ -1,5 +1,4 @@
-{{- if .Values.mlflow.trackingServer.basicAuth.enabled }}
-{{- if not .Values.mlflow.trackingServer.basicAuth.existingSecret }}
+{{- if .Values.postgres.embedded.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -20,4 +19,3 @@ stringData:
   POSTGRES_DB: {{ .Values.postgres.embedded.initdb.database | quote }}
   {{- end }}
 {{- end }}
-{{- end }}

applications/mlflow/charts/mlflow/templates/postgres-backup-deployment.yaml

@@ -25,8 +25,8 @@ spec:
             defaultMode: 0777
       initContainers:
         - name: wait-for-postgresql
-          image: docker.io/bitnami/postgresql:15.3.0-debian-11-r0
-          imagePullPolicy: {{ .Values.mlflow.image.pullPolicy }}
+          image: "{{ .Values.postgres.backup.image.registry }}/{{ .Values.postgres.backup.image.repository }}:{{ .Values.postgres.backup.image.tag }}"
+          imagePullPolicy: {{ .Values.postgres.backup.image.pullPolicy }}
           command:
             [
               "sh",
@@ -37,8 +37,8 @@ spec:
             - secretRef:
                 name: {{ printf "%s-waitfor-postgres" (include "mlflow.fullname" .)  | trunc 63 | trimAll "-" }}
         - name: restore-db
-          image: docker.io/bitnami/postgresql:15.3.0-debian-11-r0
-          imagePullPolicy: {{ .Values.mlflow.image.pullPolicy }}
+          image: "{{ .Values.postgres.backup.image.registry }}/{{ .Values.postgres.backup.image.repository }}:{{ .Values.postgres.backup.image.tag }}"
+          imagePullPolicy: {{ .Values.postgres.backup.image.pullPolicy }}
           command: ["/bin/sh", "/scripts/db-restore.sh"]
           envFrom:
             - secretRef:
@@ -50,7 +50,7 @@ spec:
               mountPath: /scripts
       containers:
         - name: sleep
-          image: docker.io/bitnami/postgresql:15.3.0-debian-11-r0
+          image: "{{ .Values.postgres.backup.image.registry }}/{{ .Values.postgres.backup.image.repository }}:{{ .Values.postgres.backup.image.tag }}"
           command: ["sh", "-c", "sleep infinity"]
           envFrom:
               - secretRef:

applications/mlflow/charts/mlflow/values.yaml

@@ -39,9 +39,9 @@ mlflow:
     # -- Image registry
     registry: docker.io
     # -- Image repository
-    repository: bitnami/mlflow
+    repository: bitnamilegacy/mlflow
     # -- Image tag
-    tag: 2.12.2-debian-12-r1
+    tag: 3.3.2-debian-12-r0
     # -- Image pull policy
     pullPolicy: IfNotPresent
   # -- Pod Labels for the mlflow deployment
@@ -73,7 +73,7 @@ mlflow:
     # ENV_NAME_1: value
     # ENV_NAME_2: value
 
-    # Extra environment variables in mlflow container
+    # Extra environment variables in mlflow container (not in init containers)
     container: []
     # - name: extra-env-name-1
     #   value: extra-env-value-1
@@ -103,19 +103,9 @@ mlflow:
 
   # -- Extra volumes that can be mounted by containers belonging to the mlflow pod
   extraVolumes: []
-  # - name: mlflow-volume
-  #   persistentVolumeClaim:
-  #     name: mlflow-pvc
-  # - name: mlflow-configmap-volume
-  #   configMap:
-  #     name: mlflow-configmap
 
   # -- Extra volume mounts to mount into the mlflow container's file system
   extraVolumeMounts: []
-  # - name: mlflow-volume
-  #   mountPath: /opt/mlflow
-  # - name: mlflow-configmap-volume
-  #   mountPath: /etc/mlflow
 
   # -- Use hostAliases to add custom entries to /etc/hosts - mapping IP addresses to hostnames.
   # [[ref]](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)
@@ -251,7 +241,7 @@ mlflow:
     # -- Number of gunicorn worker processes to handle requests
     workers: 1
     # -- Extra arguments passed to the `mlflow server` command
-    extraArgs:
+    extraArgs: []
     # A prefix which will be prepended to the path of all static paths
     # - --static-prefix TEXT
     # Additional command line options forwarded to gunicorn processes
@@ -260,14 +250,14 @@ mlflow:
     # - --waitress-opts TEXT
     # Path to the directory where metrics will be stored
     # - --expose-prometheus /metrics
-    # If enabled, run the server with debug logging and auto-reload
-    - --dev
+    # Note: --dev flag cannot be used with --app-name in MLflow 3.x+
 
     # Basic authentication configuration,
     # for more information, please visit https://mlflow.org/docs/latest/auth/index.html#configuration
+    # NOTE: Basic auth is disabled due to compatibility issues with MLflow 3.x
     basicAuth:
       # -- Specifies whether to enable basic authentication
-      enabled: true
+      enabled: false
       # -- Name of an existing secret which contains key `basic_auth.ini`
       existingSecret: ""
       # If enables BasicAuth and no existing secret is specified, creates a secret to store authentication configurations
@@ -276,14 +266,15 @@ mlflow:
         defaultPermission: READ
         # -- Default admin username if the admin is not already created
         adminUsername: admin
-        # -- Default admin password if the admin is not already created
-        adminPassword: password
+        # -- Default admin password if the admin is not already created (min 12 chars for MLflow 3.x)
+        adminPassword: password123456
         # -- Function to authenticate requests
         authorizationFunction: mlflow.server.auth:authenticate_request_basic_auth
 
   # For more information about how to configure backend store, please visit https://mlflow.org/docs/latest/tracking/backend-stores.html
   backendStore:
     # -- Specifies whether to run `mlflow db upgrade ${MLFLOW_BACKEND_STORE_URI}` to upgrade database schema when use a database as backend store
+    # MLflow 3.x with basic auth will auto-create auth tables on first run
     databaseUpgrade: false
     # -- Name of an existing secret which contains key `MLFLOW_BACKEND_STORE_URI`
     # If an existing secret is not provided, a new secret will be created to store the backend store URI using the details from .Values.postgres when Embedded PostgreSQL is enabled
@@ -688,3 +679,16 @@ postgres:
     port: 5432
     # -- External Postgres database
     database: mlflow
+
+  # -- Postgres backup configuration
+  backup:
+    # -- Image details for the postgres backup deployment
+    image:
+      # -- Image registry
+      registry: docker.io
+      # -- Image repository
+      repository: bitnamilegacy/postgresql
+      # -- Image tag
+      tag: "17.6.0-debian-12-r4"
+      # -- Image pull policy
+      pullPolicy: IfNotPresent

applications/mlflow/release/infra-chart.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   chart:
     name: infra
-    chartVersion: 0.2.0
+    chartVersion: 0.2.1
   exclude: 'repl{{ ConfigOptionEquals `postgres_type` `external_postgres` }}'
   weight: -10
   helmUpgradeFlags:
@@ -16,7 +16,7 @@ spec:
     crdCheck:
       image:
         registry: repl{{ HasLocalRegistry | ternary LocalRegistryHost "docker.io" }}
-        repository: 'repl{{HasLocalRegistry | ternary LocalRegistryNamespace "bitnami" }}/kubectl'
+        repository: 'repl{{HasLocalRegistry | ternary LocalRegistryNamespace "bitnamilegacy" }}/kubectl'
     cloudnative-pg:
       image:
         repository: '{{repl HasLocalRegistry | ternary LocalRegistryHost "ghcr.io" }}/{{repl HasLocalRegistry | ternary LocalRegistryNamespace "cloudnative-pg" }}/cloudnative-pg'