From fbebaea029e35f90c8e36d0bbf5917bb9170845a Mon Sep 17 00:00:00 2001 From: Claude Ebaneck Date: Mon, 20 Apr 2020 13:21:35 +0200 Subject: [PATCH 1/3] renderer: Fix bad naming for `__url__` in `render.py` Since we are simply justing magically escaping unquoted strings, urls etc from jinja to yaml, the naming of the variable could be made generic and explicit at thesame time Now, let us use `__escape__` instead of `__url__`` --- charts/dex.yaml | 6 +++--- charts/prometheus-operator.yaml | 8 ++++---- charts/render.py | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/dex.yaml b/charts/dex.yaml index 8e328a4ad8..7ff7ba13ef 100644 --- a/charts/dex.yaml +++ b/charts/dex.yaml @@ -47,7 +47,7 @@ certs: create: false config: - issuer: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc)' + issuer: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc)' web: tlsCert: /etc/dex/tls/https/server/tls.crt tlsKey: /etc/dex/tls/https/server/tls.key @@ -77,13 +77,13 @@ config: - grafana-ui - id: metalk8s-ui redirectURIs: - - '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback)' + - '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback)' name: 'MetalK8s UI' secret: "ybrMJpVMQxsiZw26MhJzCjA2ut" - id: grafana-ui name: 'Grafana UI' redirectURIs: - - '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth)' + - '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth)' secret: "4lqK98NcsWG5qBRHJUqYM1" enablePasswordDB: '__var__(dex.spec.localuserstore.enabled)' diff --git a/charts/prometheus-operator.yaml b/charts/prometheus-operator.yaml index adfc268fb5..6cd6bec51a 100644 --- a/charts/prometheus-operator.yaml +++ b/charts/prometheus-operator.yaml 
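Review bot: The second `charts/dex.yaml` hunk keeps the `secret:` values of the `metalk8s-ui` and `grafana-ui` static clients as literal strings next to the renamed `redirectURIs`, and the second `charts/prometheus-operator.yaml` hunk carries the matching `client_secret` for Grafana. A value committed in the chart values is identical in every cluster rendered from this file, so it gives no confidentiality to a client that is meant to be confidential. If `grafana-ui` is such a client, its secret could be supplied at deploy time through a `__var__(...)` reference, the way `enablePasswordDB: '__var__(dex.spec.localuserstore.enabled)'` is in the same hunk, with the Grafana side reading the same source.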
@@ -148,7 +148,7 @@ grafana: grafana.ini: server: - root_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana)' + root_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana)' analytics: reporting_enabled: false check_for_updates: false @@ -160,9 +160,9 @@ grafana: scopes: "openid profile email groups" client_id: "grafana-ui" client_secret: "4lqK98NcsWG5qBRHJUqYM1" - auth_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/auth)' - token_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/token)' - api_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/userinfo)' + auth_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/auth)' + token_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/token)' + api_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/userinfo)' testFramework: enabled: false diff --git a/charts/render.py b/charts/render.py index 7176e83bd5..e138e69007 100755 --- a/charts/render.py +++ b/charts/render.py @@ -141,9 +141,9 @@ def replace_magic_strings(rendered_yaml): result, ) - # Handle __url__ + # Handle __escape__ result = re.sub( - r'__url__\((?P.*)\)', + r'__escape__\((?P.*)\)', r'"{% endraw -%}\g{%- raw %}"', result, ) From f8dcb8d9c25628d83cfd0041402f9bfac4b2e1b3 Mon Sep 17 00:00:00 2001 
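Review bot: The new name `__escape__` in the `charts/render.py` hunk reads as if the argument were escaped, but the substitution shown only ends the `{% raw %}` block around the captured text and wraps it in double quotes, so a rendered value containing `"` or `\` would still break or alter the YAML scalar. The comment `# Handle __escape__` is the place to state that, for example `# Handle __escape__: emit the argument outside the raw block so Jinja renders it, inside a double-quoted YAML string; the value itself is not escaped`. The pattern's `.*` is greedy, so the comment should also record that one marker per line is assumed, since two markers on a line would be captured as one up to the last `)`. `replace_magic_strings` starts and ends outside the hunk.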
From: Claude Ebaneck Date: Mon, 20 Apr 2020 17:16:44 +0200 Subject: [PATCH 2/3] charts: update `dex` to 2.23.0 This chart was updated using: ``` $ rm -rf charts/dex/ $ helm repo update $ helm fetch -d charts --untar stable/dex ``` Note: Local changes to the charts were made in `secret.yaml` The chart was re-rendered using: ``` ./charts/render.py dex --namespace metalk8s-auth charts/dex.yaml --service-config dex metalk8s-dex-config charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls ``` --- charts/dex/Chart.yaml | 7 +-- charts/dex/README.md | 21 ++++++-- charts/dex/templates/NOTES.txt | 6 +-- charts/dex/templates/clusterrole.yaml | 2 +- charts/dex/templates/clusterrolebinding.yaml | 2 +- charts/dex/templates/deployment.yaml | 35 +++++++++++++ charts/dex/templates/role.yaml | 9 +++- charts/dex/templates/rolebinding.yaml | 2 +- charts/dex/templates/secret.yaml | 4 ++ charts/dex/templates/service.yaml | 8 +++ charts/dex/values.yaml | 55 ++++++++++++++++++-- salt/metalk8s/addons/dex/deployed/chart.sls | 32 ++++++------ 12 files changed, 149 insertions(+), 34 deletions(-) diff --git a/charts/dex/Chart.yaml b/charts/dex/Chart.yaml index 8c848bb14e..31b3ac2116 100644 --- a/charts/dex/Chart.yaml +++ b/charts/dex/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v1 -appVersion: 2.19.0 -description: CoreOS Dex +appVersion: 2.23.0 +description: OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable + Connectors home: https://github.com/dexidp/dex/ icon: https://github.com/dexidp/dex/raw/master/Documentation/logos/dex-glyph-color.png keywords: @@ -16,4 +17,4 @@ maintainers: - email: vi7alya@gmail.com name: vi7 name: dex -version: 2.4.0 +version: 2.10.0 diff --git a/charts/dex/README.md b/charts/dex/README.md index 788bcffe9b..0b156098ae 100644 --- a/charts/dex/README.md +++ b/charts/dex/README.md 
@@ -4,7 +4,7 @@ ## Introduction -Dex acts as a portal to other identity providers through "connectors." This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend. +Dex acts as a portal to other identity providers through "connectors". This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend. **Kubernetes authentication note** @@ -27,7 +27,7 @@ To install the chart with the release name `my-release`: $ helm install --name my-release stable/dex ``` -It'll install chart with the default parameters. However most probably it won't work for you as-is, thus before installing the chart you need to consult to the [values.yaml](values.yaml) notes as well as [dex documentation][dex]. +It'll install the chart with the default parameters. However most probably it won't work for you as-is, thus before installing the chart you need to consult the [values.yaml](values.yaml) notes as well as [dex documentation][dex]. ## Uninstalling the Chart 
@@ -84,16 +84,31 @@ Parameters introduced starting from v2 | `config.web.tlsKey` | Maps to the dex config `web.tlsKey` param | `/etc/dex/tls/https/server/tls.key` | | `config.expiry.signingKeys` | Maps to the dex config `expiry.signingKeys` param | `6h` | | `config.expiry.idTokens` | Maps to the dex config `expiry.idTokens` param | `24h` | +| `crd.present` | Whether dex's CRDs are already present (if not cluster role and cluster role binding will be created to enable dex to create them). Depends on `rbac.create` | `false` | | `grpc` | Enable dex grpc endpoint | `true` | | `https` | Enable TLS termination for the dex http endpoint | `false` | +| `podLabels` | Custom pod labels | `{}` | | `ports.grpc.containerPort` | grpc port listened by the dex | `5000` | | `ports.grpc.nodePort` | K8S Service node port for the dex grpc listener | `35000` | | `ports.grpc.servicePort` | K8S Service port for the dex grpc listener | `35000` | | `ports.web.containerPort` | http/https port listened by the dex | `5556` | | `ports.web.nodePort` | K8S Service node port for the dex http/https listener | `32000` | | `ports.web.servicePort` | K8S Service port for the dex http/https listener | `32000` | +| `rbac.create` | If `true`, create & use RBAC resources | `true` | +| `securityContext` | Allow setting the securityContext of the main dex deployment | `` | | `service.loadBalancerIP` | IP override for K8S LoadBalancer Service | `""` | - +| `livenessProbe.enabled` | k8s liveness probe enabled (cannot be enabled when `https = true`) | `false` | +| `livenessProbe.path` | k8s liveness probe http path | `"/healthz"` | +| `livenessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probe is initiated. 
| `1` | +| `livenessProbe.periodSeconds` | How often (in seconds) to perform the probe | `10` | +| `livenessProbe.timeoutSeconds` | Number of seconds after which the probe times out | `1` | +| `livenessProbe.failureThreshold` | Times to perform probe before restarting the container | `3` | +| `readinessProbe.enabled` | k8s readiness probe enabled (cannot be enabled when `https = true`) | `false` | +| `readinessProbe.path` | k8s readiness probe http path | `"/healthz"` | +| `readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before readiness probe is initiated. | `1` | +| `readinessProbe.periodSeconds` | How often (in seconds) to perform the probe | `10` | +| `readinessProbe.timeoutSeconds` | Number of seconds after which the probe times out | `1` | +| `readinessProbe.failureThreshold` | Times to perform probe before marking the container `Unready` | `3` | Check [values.yaml](values.yaml) notes together with [dex documentation][dex] and [config examples](https://github.com/dexidp/dex/tree/master/examples) for all the possible configuration options. diff --git a/charts/dex/templates/NOTES.txt b/charts/dex/templates/NOTES.txt index b0010d49b1..b256cd39b9 100644 --- a/charts/dex/templates/NOTES.txt +++ b/charts/dex/templates/NOTES.txt 
@@ -14,7 +14,7 @@ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "dex.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') echo https://$SERVICE_IP:{{ .Values.service.port }} {{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "dex.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit https://127.0.0.1:8080/.well-known/openid-configuration to use your application" - kubectl port-forward $POD_NAME 8080:5556 + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080/.well-known/openid-configuration to use your application" + kubectl port-forward $POD_NAME 8080:{{ .Values.ports.web.containerPort }} {{- end }} diff --git a/charts/dex/templates/clusterrole.yaml b/charts/dex/templates/clusterrole.yaml index 2dea792e57..cfef7e7bdd 100644 --- a/charts/dex/templates/clusterrole.yaml +++ b/charts/dex/templates/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create }} +{{- if and .Values.rbac.create (not .Values.crd.present) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/dex/templates/clusterrolebinding.yaml b/charts/dex/templates/clusterrolebinding.yaml index bc7370d9f5..4ded42a5af 100644 --- a/charts/dex/templates/clusterrolebinding.yaml +++ b/charts/dex/templates/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.create }} +{{- if and .Values.rbac.create (not .Values.crd.present) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/dex/templates/deployment.yaml b/charts/dex/templates/deployment.yaml index 97d4035268..2b515cc00a 100644 --- a/charts/dex/templates/deployment.yaml 
+++ b/charts/dex/templates/deployment.yaml @@ -31,12 +31,19 @@ spec: app.kubernetes.io/name: {{ include "dex.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: dex + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} {{- end }} spec: +{{- if .Values.initContainers }} + initContainers: + {{- toYaml .Values.initContainers | nindent 8 }} +{{- end }} serviceAccountName: {{ template "dex.serviceAccountName" . }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -48,6 +55,9 @@ spec: affinity: {{ toYaml . | indent 8 }} {{- end }} + {{- if .Values.securityContext }} + securityContext: {{ toYaml .Values.securityContext | nindent 8 }} + {{- end }} containers: - name: main image: "{{ .Values.image }}:{{ .Values.imageTag }}" 
@@ -67,6 +77,31 @@ spec: containerPort: {{ .Values.ports.grpc.containerPort }} protocol: TCP {{- end }} + {{- if .Values.telemetry }} + - name: telemetry + containerPort: {{ .Values.ports.telemetry.containerPort }} + protocol: TCP + {{- end }} +{{- if and (not .Values.https) .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.livenessProbe.httpPath }} + port: {{ if .Values.https }}https{{ else }}http{{ end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} +{{- end }} +{{- if and (not .Values.https) .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ .Values.readinessProbe.httpPath }} + port: {{ if .Values.https }}https{{ else }}http{{ end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} +{{- end }} env: {{ toYaml .Values.env | indent 10 }} volumeMounts: diff --git a/charts/dex/templates/role.yaml b/charts/dex/templates/role.yaml index 055a1a272a..344a532759 100644 --- a/charts/dex/templates/role.yaml +++ b/charts/dex/templates/role.yaml @@ -1,5 +1,5 @@ {{- if .Values.rbac.create }} -{{- if or .Values.certs.grpc.create .Values.certs.web.create }} +{{- if or .Values.certs.grpc.create .Values.certs.web.create .Values.crd.present }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
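Review bot: Both probe blocks in the `charts/dex/templates/deployment.yaml` hunk are rendered only when `.Values.https` is false, so the `{{ if .Values.https }}https{{ else }}http{{ end }}` port expression inside them can never select `https`, and a deployment where dex terminates TLS gets no liveness or readiness probe even though `values.yaml` sets `enabled: true`. The re-rendered `chart.sls` hunks show only version, checksum and image-tag changes, which suggests the MetalK8s values take that path. If probes are wanted under HTTPS, drop the `not .Values.https` guard and add `scheme: {{ if .Values.https }}HTTPS{{ else }}HTTP{{ end }}` under `httpGet`, recorded as a local chart change like the one the commit message mentions for `secret.yaml`. The README hunk also documents the key as `livenessProbe.path` with a default of `false`, while the template reads `.Values.livenessProbe.httpPath` and `values.yaml` enables the probe.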
@@ -8,8 +8,15 @@ metadata: name: {{ template "dex.fullname" . }} namespace: {{ .Release.Namespace }} rules: +{{- if .Values.crd.present }} +- apiGroups: ["dex.coreos.com"] # API group created by dex + resources: ["*"] + verbs: ["*"] +{{- end -}} +{{- if or .Values.certs.grpc.create .Values.certs.web.create }} - apiGroups: [""] resources: ["configmaps", "secrets"] verbs: ["create", "delete"] {{- end -}} {{- end -}} +{{- end -}} diff --git a/charts/dex/templates/rolebinding.yaml b/charts/dex/templates/rolebinding.yaml index 89e9334aae..22fe3cf0d0 100644 --- a/charts/dex/templates/rolebinding.yaml +++ b/charts/dex/templates/rolebinding.yaml @@ -1,5 +1,5 @@ {{- if .Values.rbac.create }} -{{- if or .Values.certs.grpc.create .Values.certs.web.create }} +{{- if or .Values.certs.grpc.create .Values.certs.web.create .Values.crd.present }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/dex/templates/secret.yaml b/charts/dex/templates/secret.yaml index 74e01ef80c..9f75b33e01 100644 --- a/charts/dex/templates/secret.yaml +++ b/charts/dex/templates/secret.yaml @@ -27,6 +27,10 @@ stringData: tlsKey: {{ .grpc.tlsKey }} tlsClientCA: {{ .grpc.tlsClientCA }} {{- end }} + {{- if $.Values.telemetry }} + telemetry: + http: {{ $.Values.config.web.address }}:{{ $.Values.ports.telemetry.containerPort }} + {{- end }} {{- if .connectors }} connectors: {{ toYaml .connectors | indent 4 }} diff --git a/charts/dex/templates/service.yaml b/charts/dex/templates/service.yaml index 19231f47f6..747cbb9bdd 100644 --- a/charts/dex/templates/service.yaml +++ b/charts/dex/templates/service.yaml 
@@ -26,6 +26,14 @@ spec: {{- end }} port: {{ .Values.ports.grpc.servicePort }} {{- end }} +{{- if .Values.telemetry }} + - name: telemetry + targetPort: telemetry + {{- if eq "NodePort" .Values.service.type }} + nodePort: {{ .Values.ports.telemetry.nodePort }} + {{- end }} + port: {{ .Values.ports.telemetry.servicePort }} +{{- end }} {{- if hasKey .Values.service "externalIPs" }} externalIPs: {{ toYaml .Values.service.externalIPs | indent 4 }} diff --git a/charts/dex/values.yaml b/charts/dex/values.yaml index 82406ff017..bb8694cfb2 100644 --- a/charts/dex/values.yaml +++ b/charts/dex/values.yaml @@ -4,15 +4,19 @@ # name: value image: quay.io/dexidp/dex -imageTag: "v2.19.0" +imageTag: "v2.23.0" imagePullPolicy: "IfNotPresent" inMiniKube: false nodeSelector: {} +podLabels: {} + podAnnotations: {} +initContainers: [] + tolerations: [] # - key: CriticalAddonsOnly # operator: Exists @@ -21,6 +25,18 @@ tolerations: [] # value: bar # effect: NoSchedule +securityContext: + # Rejecting containers trying to run with root privileges + # runAsNonRoot: true + # Preventing privilege escalation to root privileges + # allowPrivilegeEscalation: false + # Set the user ID used to run the container + # runAsUser: 1001 + # Set the primary group ID used to run all processes within any container of the pod + # runAsGroup: 1001 + # Set the group ID associated with the container + # fsGroup: 1001 + replicas: 1 # resources: @@ -37,6 +53,9 @@ grpc: true # https termination by dex itself https: false +# expose prometheus metrics ? +telemetry: false + ports: web: containerPort: 5556 
@@ -49,6 +68,27 @@ ports: # for service.type: NodePort nodePort: 35000 servicePort: 35000 + telemetry: + containerPort: 5558 + # for service.type: NodePort + nodePort: 37000 + servicePort: 37000 + +livenessProbe: + enabled: true + initialDelaySeconds: 1 + failureThreshold: 1 + httpPath: "/healthz" + periodSeconds: 10 + timeoutSeconds: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 1 + failureThreshold: 1 + httpPath: "/healthz" + periodSeconds: 10 + timeoutSeconds: 1 service: type: ClusterIP @@ -88,7 +128,7 @@ certs: caDays: 10000 certDays: 10000 altNames: - - dex.io + - dex.example.com altIPs: {} secret: tlsName: dex-web-server-tls @@ -100,7 +140,7 @@ certs: create: true activeDeadlineSeconds: 300 altNames: - - dex.io + - dex.example.com altIPs: {} secret: serverTlsName: dex-grpc-server-tls @@ -115,6 +155,11 @@ rbac: # Specifies whether RBAC resources should be created create: true +crd: + # Specifies whether dex's CRDs are already present (if not cluster role and cluster role binding will be created + # to enable dex to create them). Depends on rbac.create + present: false + serviceAccount: # Specifies whether a ServiceAccount should be created create: true @@ -137,7 +182,7 @@ podDisruptionBudget: {} # maxUnavailable: 1 config: - issuer: http://dex.io:8080 + issuer: http://dex.example.com:8080 storage: type: kubernetes config: @@ -156,7 +201,7 @@ config: tlsCert: /etc/dex/tls/grpc/server/tls.crt tlsKey: /etc/dex/tls/grpc/server/tls.key tlsClientCA: /etc/dex/tls/grpc/ca/tls.crt - connectors: {} + connectors: [] # - type: github # id: github # name: GitHub diff --git a/salt/metalk8s/addons/dex/deployed/chart.sls b/salt/metalk8s/addons/dex/deployed/chart.sls index 4372ea2c18..4a1c2c360c 100644 --- a/salt/metalk8s/addons/dex/deployed/chart.sls +++ b/salt/metalk8s/addons/dex/deployed/chart.sls 
@@ -13,8 +13,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -77,8 +77,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -91,8 +91,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -118,8 +118,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -140,8 +140,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth @@ -166,8 +166,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth 
@@ -186,7 +186,7 @@ spec: template: metadata: annotations: - checksum/config: ad6c30825bdc913fdb7dd6486fd137e443001efd3f183aa7ae13f013bc6f6c38 + checksum/config: d58a2489f8f7fd4df3f78cad5ea6ac51e7eda9ca076c41689ce853539ff2a15b labels: app.kubernetes.io/component: dex app.kubernetes.io/instance: dex @@ -198,7 +198,7 @@ spec: - serve - /etc/dex/cfg/config.yaml env: [] - image: {% endraw -%}{{ build_image_name("dex", False) }}{%- raw %}:v2.19.0 + image: {% endraw -%}{{ build_image_name("dex", False) }}{%- raw %}:v2.23.0 imagePullPolicy: IfNotPresent name: main ports: @@ -250,8 +250,8 @@ metadata: app.kubernetes.io/managed-by: salt app.kubernetes.io/name: dex app.kubernetes.io/part-of: metalk8s - app.kubernetes.io/version: 2.19.0 - helm.sh/chart: dex-2.4.0 + app.kubernetes.io/version: 2.23.0 + helm.sh/chart: dex-2.10.0 heritage: metalk8s name: dex namespace: metalk8s-auth From 54f7296741b013aaf2cf094ba907531df06fba8a Mon Sep 17 00:00:00 2001 From: Claude Ebaneck Date: Mon, 20 Apr 2020 18:03:16 +0200 Subject: [PATCH 3/3] buildchain: bump dex version to `2.23.0` Closes: #2429 --- buildchain/buildchain/versions.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py index ae02d0512d..986493c04f 100644 --- a/buildchain/buildchain/versions.py +++ b/buildchain/buildchain/versions.py @@ -104,8 +104,8 @@ def _version_prefix(version: str, prefix: str = 'v') -> str: ), Image( name='dex', - version='v2.19.0', - digest='sha256:132523cc3e9402a5e12c3b7d837da6f0c96d8a05f27bf6ba42458c2a0d1c01f5', + version='v2.23.0', + digest='sha256:b0bbc14a503a97587b365113a2f171a04ee7a6fd6f84c52e9384400533c9276c', ), Image( name='etcd',