diff --git a/CHANGELOG.md b/CHANGELOG.md index ff12819f58..620d6d562c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,12 @@ - Bump etcd version to [3.5.16](https://github.com/etcd-io/etcd/releases/tag/v3.5.16) (PR[#4497](https://github.com/scality/metalk8s/pull/4497)) +- Bump dex chart version to + [0.23.0](https://github.com/dexidp/helm-charts/releases/tag/dex-0.23.0) + Dex itself has been bumped accordingly to + [v2.42.0](https://github.com/dexidp/dex/releases/tag/v2.42.0) + (PR[#4558](https://github.com/scality/metalk8s/pull/4558)) + ## Release 129.0.1 (in development) ### Enhancements diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py index 26b97b8fe9..38145dbc7d 100644 --- a/buildchain/buildchain/versions.py +++ b/buildchain/buildchain/versions.py @@ -135,8 +135,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str: ), Image( name="dex", - version="v2.41.1", - digest="sha256:bc7cfce7c17f52864e2bb2a4dc1d2f86a41e3019f6d42e81d92a301fad0c8a1d", + version="v2.42.0", + digest="sha256:1b4a6eee8550240b0faedad04d984ca939513650e1d9bd423502c67355e3822f", ), Image( name="etcd", diff --git a/charts/dex/Chart.yaml b/charts/dex/Chart.yaml index b08fdb37ce..e3b8871554 100644 --- a/charts/dex/Chart.yaml +++ b/charts/dex/Chart.yaml @@ -1,12 +1,12 @@ annotations: artifacthub.io/changes: | - - kind: changed - description: "Dex 2.41.1 release" + - kind: added + description: "Use tpl for dynamic image values and add digest support" artifacthub.io/images: | - name: dex - image: ghcr.io/dexidp/dex:v2.41.1 + image: ghcr.io/dexidp/dex:v2.42.0 apiVersion: v2 -appVersion: 2.41.1 +appVersion: 2.42.0 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. home: https://dexidp.io/ 
@@ -20,10 +20,10 @@ kubeVersion: '>=1.14.0-0' maintainers: - email: mark.sagikazar@gmail.com name: sagikazarmark - url: https://sagikazarmark.hu + url: https://sagikazarmark.com name: dex sources: - https://github.com/dexidp/dex - https://github.com/dexidp/helm-charts/tree/master/charts/dex type: application -version: 0.19.1 +version: 0.23.0 diff --git a/charts/dex/README.md b/charts/dex/README.md index c66e257d13..4b93865b90 100644 --- a/charts/dex/README.md +++ b/charts/dex/README.md @@ -1,6 +1,6 @@ # dex -![version: 0.19.1](https://img.shields.io/badge/version-0.19.1-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.41.1](https://img.shields.io/badge/app%20version-2.41.1-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex) +![version: 0.23.0](https://img.shields.io/badge/version-0.23.0-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.42.0](https://img.shields.io/badge/app%20version-2.42.0-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex) OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. 
@@ -115,7 +115,9 @@ ingress:
 | image.repository | string | `"ghcr.io/dexidp/dex"` | Name of the image repository to pull the container image from. |
 | image.pullPolicy | string | `"IfNotPresent"` | [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. |
 | image.tag | string | `""` | Image tag override for the default value (chart appVersion). |
+| image.digest | string | `""` | When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). |
 | imagePullSecrets | list | `[]` | Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). |
+| namespaceOverride | string | `""` | A namespace in place of the release namespace for all resources. |
 | nameOverride | string | `""` | A name in place of the chart name for `app:` labels. |
 | fullnameOverride | string | `""` | A name to substitute for the full names of resources. |
 | hostAliases | list | `[]` | A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) |
@@ -148,6 +150,7 @@ ingress:
 | service.annotations | object | `{}` | Annotations to be added to the service. |
 | service.type | string | `"ClusterIP"` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). |
 | service.clusterIP | string | `""` | Internal cluster service IP (when applicable) |
+| service.loadBalancerIP | string | `""` | Load balancer service IP (when applicable) |
 | service.ports.http.port | int | `5556` | HTTP service port |
 | service.ports.http.nodePort | int | `nil` | HTTP node port (when applicable) |
 | service.ports.https.port | int | `5554` | HTTPS service port |
diff --git a/charts/dex/templates/NOTES.txt b/charts/dex/templates/NOTES.txt
index f324e00262..a3cdc5dddb 100644
--- a/charts/dex/templates/NOTES.txt
+++ b/charts/dex/templates/NOTES.txt
@@ -6,17 +6,21 @@ {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dex.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "dex.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dex.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "dex.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dex.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + You can watch the status of by running 'kubectl get --namespace {{ include "dex.namespace" . }} svc -w {{ include "dex.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "dex.namespace" . }} {{ include "dex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- if .Values.service.loadBalancerIP }} + +WARNING: The.spec.loadBalancerIP field for a Service was deprecated in Kubernetes v1.24. +{{- end }} {{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dex.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + export POD_NAME=$(kubectl get pods --namespace {{ include "dex.namespace" . }} -l "app.kubernetes.io/name={{ include "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "dex.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT + kubectl --namespace {{ include "dex.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT {{- end }} diff --git a/charts/dex/templates/_helpers.tpl b/charts/dex/templates/_helpers.tpl index 5ca8115f88..cf0950b8b2 100644 --- a/charts/dex/templates/_helpers.tpl +++ b/charts/dex/templates/_helpers.tpl 
@@ -5,6 +5,31 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used + +This gets around an problem within helm discussed here +https://github.com/helm/helm/issues/5358 +*/}} +{{- define "dex.namespace" -}} +{{ .Values.namespaceOverride | default (.Release.Namespace | trunc 63 | trimSuffix "-") }} +{{- end -}} + +{{/* + Override the namespace for the serviceMonitor + + Fallback to the namespaceOverride if serviceMonitor.namespace is not set +*/}} +{{- define "dex.serviceMonitor.namespace" -}} +{{- if .Values.serviceMonitor.namespace }} +{{- .Values.serviceMonitor.namespace -}} +{{- else }} +{{- template "dex.namespace" . -}} +{{- end }} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/charts/dex/templates/deployment.yaml b/charts/dex/templates/deployment.yaml index 247dd39f07..607cafddb8 100644 --- a/charts/dex/templates/deployment.yaml +++ b/charts/dex/templates/deployment.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} {{ with .Values.deploymentLabels }} 
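Review bot: In the new `dex.namespace` helper the `trunc 63 | trimSuffix "-"` pipeline is applied only to the `.Release.Namespace` fallback, so a `namespaceOverride` value is emitted exactly as given, unlike `dex.name` just above it, which normalises after `default`. Because this helper now sets the namespace of the config Secret, the Role, the ServiceAccount and the binding subjects in `rbac.yaml` further down this diff, an override places credentials and RBAC grants outside the namespace the Helm release is recorded in, and the helper comment should say so. I would write the body as `{{ default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" }}` and correct "an problem" to "a problem" in the comment.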
@@ -56,7 +57,11 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + {{- if .Values.image.digest }} + image: "{{ tpl .Values.image.repository . }}@{{ tpl .Values.image.digest . }}" + {{- else }} + image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . | default (printf "v%s" .Chart.AppVersion) }}" + {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: - dex diff --git a/charts/dex/templates/hpa.yaml b/charts/dex/templates/hpa.yaml index 166faea9fd..fb4296d885 100644 --- a/charts/dex/templates/hpa.yaml +++ b/charts/dex/templates/hpa.yaml @@ -7,6 +7,7 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: name: {{ include "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} spec: diff --git a/charts/dex/templates/ingress.yaml b/charts/dex/templates/ingress.yaml index 812e3fd8c9..a583045c81 100644 --- a/charts/dex/templates/ingress.yaml +++ b/charts/dex/templates/ingress.yaml @@ -19,6 +19,7 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: name: {{ $fullName }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} diff --git a/charts/dex/templates/networkpolicy.yaml b/charts/dex/templates/networkpolicy.yaml index acd51b9d89..521cd49895 100644 --- a/charts/dex/templates/networkpolicy.yaml +++ b/charts/dex/templates/networkpolicy.yaml @@ -7,6 +7,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ include "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} spec: diff --git a/charts/dex/templates/poddisruptionbudget.yaml b/charts/dex/templates/poddisruptionbudget.yaml index 6ec1032ad7..a0912093c6 100644 
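Review bot: The new digest branch tests the raw `.Values.image.digest` but renders `tpl .Values.image.digest .`, so a value that templates to an empty string yields `repository@` with nothing after it, and nothing checks that the value has the `sha256:` form. Evaluating it once avoids the mismatch: `{{- $digest := tpl .Values.image.digest . }}`, then `{{- if $digest }}` and `image: "{{ tpl .Values.image.repository . }}@{{ $digest }}"`. Passing repository, tag and digest through `tpl` also means these values are now evaluated as templates, so a values file supplied by anyone other than the chart operator deserves the same review as a template. The rendered `chart.sls` later in this diff still references the image by the tag `v2.42.0`, so the digest recorded in `versions.py` is presumably enforced elsewhere in the build rather than in the pod spec; worth confirming. The container spec continues outside the hunk.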
--- a/charts/dex/templates/poddisruptionbudget.yaml +++ b/charts/dex/templates/poddisruptionbudget.yaml @@ -7,6 +7,7 @@ apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: {{ template "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{ include "dex.labels" . | indent 4 }} spec: diff --git a/charts/dex/templates/rbac.yaml b/charts/dex/templates/rbac.yaml index 333f2f1000..8f92361a15 100644 --- a/charts/dex/templates/rbac.yaml +++ b/charts/dex/templates/rbac.yaml @@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} rules: @@ -14,15 +15,16 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} roleRef: kind: Role apiGroup: rbac.authorization.k8s.io - name: {{ include "dex.fullname" . }} + name: {{ include "dex.fullname" . }} subjects: - kind: ServiceAccount - namespace: {{ .Release.Namespace }} + namespace: {{ include "dex.namespace" . }} name: {{ include "dex.serviceAccountName" . }} {{- if .Values.rbac.createClusterScoped }} --- @@ -49,7 +51,7 @@ roleRef: name: {{ include "dex.fullname" . }} subjects: - kind: ServiceAccount - namespace: {{ .Release.Namespace }} + namespace: {{ include "dex.namespace" . }} name: {{ include "dex.serviceAccountName" . }} {{- end }} {{- end }} diff --git a/charts/dex/templates/secret.yaml b/charts/dex/templates/secret.yaml index 27d39546ed..47d3d2b741 100644 --- a/charts/dex/templates/secret.yaml +++ b/charts/dex/templates/secret.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "dex.configSecretName" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} type: Opaque 
diff --git a/charts/dex/templates/service.yaml b/charts/dex/templates/service.yaml index 8114e8d59e..2a0122ffc2 100644 --- a/charts/dex/templates/service.yaml +++ b/charts/dex/templates/service.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "dex.fullname" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} {{- with .Values.service.annotations }} @@ -13,6 +14,11 @@ spec: {{- with .Values.service.clusterIP }} clusterIP: {{ . }} {{- end }} + {{- if eq .Values.service.type "LoadBalancer" }} + {{- with .Values.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- end }} ports: - name: http port: {{ .Values.service.ports.http.port }} diff --git a/charts/dex/templates/serviceaccount.yaml b/charts/dex/templates/serviceaccount.yaml index 30c3ddd90e..5c6f88f8a1 100644 --- a/charts/dex/templates/serviceaccount.yaml +++ b/charts/dex/templates/serviceaccount.yaml @@ -3,6 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "dex.serviceAccountName" . }} + namespace: {{ include "dex.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/charts/dex/templates/servicemonitor.yaml b/charts/dex/templates/servicemonitor.yaml index ce96e5be1d..aa21985368 100644 --- a/charts/dex/templates/servicemonitor.yaml +++ b/charts/dex/templates/servicemonitor.yaml @@ -7,9 +7,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "dex.fullname" . }} - {{- with .Values.serviceMonitor.namespace }} - namespace: {{ . }} - {{- end }} + namespace: {{ include "dex.serviceMonitor.namespace" . }} labels: {{- include "dex.labels" . | nindent 4 }} {{- with .Values.serviceMonitor.labels }} @@ -50,5 +48,5 @@ spec: {{- include "dex.selectorLabels" . | nindent 6 }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "dex.namespace" . }} {{- end }} 
diff --git a/charts/dex/values.yaml b/charts/dex/values.yaml index 7452791e07..2515f6cabc 100644 --- a/charts/dex/values.yaml +++ b/charts/dex/values.yaml @@ -19,9 +19,15 @@ image: # -- Image tag override for the default value (chart appVersion). tag: "" + # -- When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). + digest: "" + # -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). imagePullSecrets: [] +# -- A namespace in place of the release namespace for all resources. +namespaceOverride: "" + # -- A name in place of the chart name for `app:` labels. nameOverride: "" @@ -162,6 +168,9 @@ service: # -- Internal cluster service IP (when applicable) clusterIP: "" + # -- Load balancer service IP (when applicable) + loadBalancerIP: "" + ports: http: # -- HTTP service port diff --git a/salt/metalk8s/addons/dex/deployed/chart.sls b/salt/metalk8s/addons/dex/deployed/chart.sls index 9ef6d3d1c9..c9722d3014 100644 --- a/salt/metalk8s/addons/dex/deployed/chart.sls +++ b/salt/metalk8s/addons/dex/deployed/chart.sls @@ -15,8 +15,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -29,8 +29,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth 
@@ -51,8 +51,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex-cluster namespace: metalk8s-auth @@ -73,8 +73,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -94,8 +94,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -116,8 +116,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -152,8 +152,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -194,7 +194,7 @@ spec: env: - name: KUBERNETES_POD_NAMESPACE value: metalk8s-auth - image: {% endraw -%}{{ build_image_name("dex", False) }}{%- raw %}:v2.41.1 + image: {% endraw -%}{{ build_image_name("dex", False) }}{%- raw %}:v2.42.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: 
@@ -264,8 +264,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.41.1 - helm.sh/chart: dex-0.19.1 + app.kubernetes.io/version: 2.42.0 + helm.sh/chart: dex-0.23.0 heritage: metalk8s name: dex namespace: metalk8s-auth