scality · bert-e · Apr 9, 2025 · Apr 8, 2025 · Apr 8, 2025 · Apr 8, 2025
@@ -11,6 +11,12 @@
 - Bump etcd version to [3.5.16](https://github.com/etcd-io/etcd/releases/tag/v3.5.16)
   (PR[#4497](https://github.com/scality/metalk8s/pull/4497))
 
+- Bump dex chart version to
+  [0.23.0](https://github.com/dexidp/helm-charts/releases/tag/dex-0.23.0)
+  Dex itself has been bumped accordingly to
+  [v2.42.0](https://github.com/dexidp/dex/releases/tag/v2.42.0)
+  (PR[#4558](https://github.com/scality/metalk8s/pull/4558))
+
 ## Release 129.0.1 (in development)
 
 ### Enhancements

@@ -135,8 +135,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
     ),
     Image(
         name="dex",
-        version="v2.41.1",
-        digest="sha256:bc7cfce7c17f52864e2bb2a4dc1d2f86a41e3019f6d42e81d92a301fad0c8a1d",
+        version="v2.42.0",
+        digest="sha256:1b4a6eee8550240b0faedad04d984ca939513650e1d9bd423502c67355e3822f",
     ),
     Image(
         name="etcd",

@@ -1,12 +1,12 @@
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: "Dex 2.41.1 release"
+    - kind: added
+      description: "Use tpl for dynamic image values and add digest support"
   artifacthub.io/images: |
     - name: dex
-      image: ghcr.io/dexidp/dex:v2.41.1
+      image: ghcr.io/dexidp/dex:v2.42.0
 apiVersion: v2
-appVersion: 2.41.1
+appVersion: 2.42.0
 description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable
   connectors.
 home: https://dexidp.io/
@@ -20,10 +20,10 @@ kubeVersion: '>=1.14.0-0'
 maintainers:
 - email: mark.sagikazar@gmail.com
   name: sagikazarmark
-  url: https://sagikazarmark.hu
+  url: https://sagikazarmark.com
 name: dex
 sources:
 - https://github.com/dexidp/dex
 - https://github.com/dexidp/helm-charts/tree/master/charts/dex
 type: application
-version: 0.19.1
+version: 0.23.0
@@ -1,6 +1,6 @@
 # dex
 
-![version: 0.19.1](https://img.shields.io/badge/version-0.19.1-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.41.1](https://img.shields.io/badge/app%20version-2.41.1-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex)
+![version: 0.23.0](https://img.shields.io/badge/version-0.23.0-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.42.0](https://img.shields.io/badge/app%20version-2.42.0-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex)
 
 OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
 
@@ -115,7 +115,9 @@ ingress:
 | image.repository | string | `"ghcr.io/dexidp/dex"` | Name of the image repository to pull the container image from. |
 | image.pullPolicy | string | `"IfNotPresent"` | [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. |
 | image.tag | string | `""` | Image tag override for the default value (chart appVersion). |
+| image.digest | string | `""` | When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). |
 | imagePullSecrets | list | `[]` | Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). |
+| namespaceOverride | string | `""` | A namespace in place of the release namespace for all resources. |
 | nameOverride | string | `""` | A name in place of the chart name for `app:` labels. |
 | fullnameOverride | string | `""` | A name to substitute for the full names of resources. |
 | hostAliases | list | `[]` | A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) |
@@ -148,6 +150,7 @@ ingress:
 | service.annotations | object | `{}` | Annotations to be added to the service. |
 | service.type | string | `"ClusterIP"` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). |
 | service.clusterIP | string | `""` | Internal cluster service IP (when applicable) |
+| service.loadBalancerIP | string | `""` | Load balancer service IP (when applicable) |
 | service.ports.http.port | int | `5556` | HTTP service port |
 | service.ports.http.nodePort | int | `nil` | HTTP node port (when applicable) |
 | service.ports.https.port | int | `5554` | HTTPS service port |

@@ -6,17 +6,21 @@
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dex.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export NODE_PORT=$(kubectl get --namespace {{ include "dex.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dex.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ include "dex.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dex.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+           You can watch the status of by running 'kubectl get --namespace {{ include "dex.namespace" . }} svc -w {{ include "dex.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ include "dex.namespace" . }} {{ include "dex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- if .Values.service.loadBalancerIP }}
+
+WARNING: The.spec.loadBalancerIP field for a Service was deprecated in Kubernetes v1.24.
+{{- end }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  export POD_NAME=$(kubectl get pods --namespace {{ include "dex.namespace" . }} -l "app.kubernetes.io/name={{ include "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "dex.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+  kubectl --namespace {{ include "dex.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
@@ -5,6 +5,31 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+
+This gets around an problem within helm discussed here
+https://github.com/helm/helm/issues/5358
+*/}}
+{{- define "dex.namespace" -}}
+{{ .Values.namespaceOverride | default (.Release.Namespace | trunc 63 | trimSuffix "-") }}
+{{- end -}}
+
+{{/*
+    Override the namespace for the serviceMonitor
+
+    Fallback to the namespaceOverride if serviceMonitor.namespace is not set
+*/}}
+{{- define "dex.serviceMonitor.namespace" -}}
+{{- if .Values.serviceMonitor.namespace }}
+{{- .Values.serviceMonitor.namespace -}}
+{{- else }}
+{{- template "dex.namespace" . -}}
+{{- end }}
+{{- end -}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
     {{ with .Values.deploymentLabels }}
@@ -56,7 +57,11 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+          {{- if .Values.image.digest }}
+          image: "{{ tpl .Values.image.repository . }}@{{ tpl .Values.image.digest . }}"
+          {{- else }}
+          image: "{{ tpl .Values.image.repository . }}:{{ tpl .Values.image.tag . | default (printf "v%s" .Chart.AppVersion) }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - dex

@@ -7,6 +7,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
 spec:

@@ -19,6 +19,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

@@ -7,6 +7,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ include "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
 spec:

@@ -7,6 +7,7 @@ apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
 {{ include "dex.labels" . | indent 4 }}
 spec:

@@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
 rules:
@@ -14,15 +15,16 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
 roleRef:
   kind: Role
   apiGroup: rbac.authorization.k8s.io
-  name: {{ include "dex.fullname" . }}  
+  name: {{ include "dex.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "dex.namespace" . }}
   name: {{ include "dex.serviceAccountName" . }}
 {{- if .Values.rbac.createClusterScoped }}
 ---
@@ -49,7 +51,7 @@ roleRef:
   name: {{ include "dex.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "dex.namespace" . }}
   name: {{ include "dex.serviceAccountName" . }}
 {{- end }}
 {{- end }}
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "dex.configSecretName" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
 type: Opaque

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "dex.fullname" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
   {{- with .Values.service.annotations }}
@@ -13,6 +14,11 @@ spec:
   {{- with .Values.service.clusterIP }}
   clusterIP: {{ . }}
   {{- end }}
+  {{- if eq .Values.service.type "LoadBalancer" }}
+  {{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ . }}
+  {{- end }}
+  {{- end }}
   ports:
     - name: http
       port: {{ .Values.service.ports.http.port }}

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "dex.serviceAccountName" . }}
+  namespace: {{ include "dex.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

@@ -7,9 +7,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   name: {{ include "dex.fullname" . }}
-  {{- with .Values.serviceMonitor.namespace }}
-  namespace: {{ . }}
-  {{- end }}
+  namespace: {{ include "dex.serviceMonitor.namespace" . }}
   labels:
     {{- include "dex.labels" . | nindent 4 }}
     {{- with .Values.serviceMonitor.labels }}
@@ -50,5 +48,5 @@ spec:
       {{- include "dex.selectorLabels" . | nindent 6 }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "dex.namespace" . }}
 {{- end }}
@@ -19,9 +19,15 @@ image:
   # -- Image tag override for the default value (chart appVersion).
   tag: ""
 
+  # -- When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
+  digest: ""
+
 # -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries).
 imagePullSecrets: []
 
+# -- A namespace in place of the release namespace for all resources.
+namespaceOverride: ""
+
 # -- A name in place of the chart name for `app:` labels.
 nameOverride: ""
 
@@ -162,6 +168,9 @@ service:
   # -- Internal cluster service IP (when applicable)
   clusterIP: ""
 
+  # -- Load balancer service IP (when applicable)
+  loadBalancerIP: ""
+
   ports:
     http:
       # -- HTTP service port