Merge branch 'improvement/2429-bump-dex-version-to-2.23.0' into q/2.5

buildchain/buildchain/versions.py

@@ -104,8 +104,8 @@ def _version_prefix(version: str, prefix: str = 'v') -> str:
     ),
     Image(
         name='dex',
-        version='v2.19.0',
-        digest='sha256:132523cc3e9402a5e12c3b7d837da6f0c96d8a05f27bf6ba42458c2a0d1c01f5',
+        version='v2.23.0',
+        digest='sha256:b0bbc14a503a97587b365113a2f171a04ee7a6fd6f84c52e9384400533c9276c',
     ),
     Image(
         name='etcd',

charts/dex.yaml

@@ -47,7 +47,7 @@ certs:
     create: false
 
 config:
-  issuer: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc)'
+  issuer: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc)'
   web:
     tlsCert: /etc/dex/tls/https/server/tls.crt
     tlsKey: /etc/dex/tls/https/server/tls.key
@@ -77,13 +77,13 @@ config:
     - grafana-ui
   - id: metalk8s-ui
     redirectURIs:
-    - '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback)'
+    - '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback)'
     name: 'MetalK8s UI'
     secret: "ybrMJpVMQxsiZw26MhJzCjA2ut"
   - id: grafana-ui
     name: 'Grafana UI'
     redirectURIs:
-    - '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth)'
+    - '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth)'
     secret: "4lqK98NcsWG5qBRHJUqYM1"
 
   enablePasswordDB: '__var__(dex.spec.localuserstore.enabled)'

charts/dex/Chart.yaml

@@ -1,6 +1,7 @@
 apiVersion: v1
-appVersion: 2.19.0
-description: CoreOS Dex
+appVersion: 2.23.0
+description: OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable
+  Connectors
 home: https://github.com/dexidp/dex/
 icon: https://github.com/dexidp/dex/raw/master/Documentation/logos/dex-glyph-color.png
 keywords:
@@ -16,4 +17,4 @@ maintainers:
 - email: [email protected]
   name: vi7
 name: dex
-version: 2.4.0
+version: 2.10.0

charts/dex/README.md

@@ -4,7 +4,7 @@
 
 ## Introduction
 
-Dex acts as a portal to other identity providers through "connectors." This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.
+Dex acts as a portal to other identity providers through "connectors". This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.
 
 **Kubernetes authentication note**
 
@@ -27,7 +27,7 @@ To install the chart with the release name `my-release`:
 $ helm install --name my-release stable/dex
 ```
 
-It'll install chart with the default parameters. However most probably it won't work for you as-is, thus before installing the chart you need to consult to the [values.yaml](values.yaml) notes as well as [dex documentation][dex].
+It'll install the chart with the default parameters. However most probably it won't work for you as-is, thus before installing the chart you need to consult the [values.yaml](values.yaml) notes as well as [dex documentation][dex].
 
 ## Uninstalling the Chart
 
@@ -84,16 +84,31 @@ Parameters introduced starting from v2
 | `config.web.tlsKey` | Maps to the dex config `web.tlsKey` param | `/etc/dex/tls/https/server/tls.key` |
 | `config.expiry.signingKeys` | Maps to the dex config `expiry.signingKeys` param | `6h` |
 | `config.expiry.idTokens` | Maps to the dex config `expiry.idTokens` param | `24h` |
+| `crd.present` | Whether dex's CRDs are already present (if not cluster role and cluster role binding will be created to enable dex to create them). Depends on `rbac.create` | `false` |
 | `grpc` | Enable dex grpc endpoint | `true` |
 | `https` | Enable TLS termination for the dex http endpoint | `false` |
+| `podLabels` | Custom pod labels | `{}` |
 | `ports.grpc.containerPort` | grpc port listened by the dex | `5000` |
 | `ports.grpc.nodePort` | K8S Service node port for the dex grpc listener | `35000` |
 | `ports.grpc.servicePort` | K8S Service port for the dex grpc listener | `35000` |
 | `ports.web.containerPort` | http/https port listened by the dex | `5556` |
 | `ports.web.nodePort` | K8S Service node port for the dex http/https listener | `32000` |
 | `ports.web.servicePort` | K8S Service port for the dex http/https listener | `32000` |
+| `rbac.create` | If `true`, create & use RBAC resources | `true` |
+| `securityContext` | Allow setting the securityContext of the main dex deployment | `` |
 | `service.loadBalancerIP` | IP override for K8S LoadBalancer Service | `""` |
-
+| `livenessProbe.enabled` | k8s liveness probe enabled (cannot be enabled when `https = true`) | `false` |
+| `livenessProbe.path` |  k8s liveness probe http path | `"/healthz"`  |
+| `livenessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probe is initiated.  |  `1` |
+| `livenessProbe.periodSeconds` | How often (in seconds) to perform the probe | `10`  |
+| `livenessProbe.timeoutSeconds` | Number of seconds after which the probe times out | `1`  |
+| `livenessProbe.failureThreshold` | Times to perform probe before restarting the container | `3`  |
+| `readinessProbe.enabled` | k8s readiness probe enabled (cannot be enabled when `https = true`) | `false`  |
+| `readinessProbe.path` |  k8s readiness probe http path | `"/healthz"`  |
+| `readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before readiness probe is initiated.  |  `1` |
+| `readinessProbe.periodSeconds` | How often (in seconds) to perform the probe  |  `10` |
+| `readinessProbe.timeoutSeconds` | Number of seconds after which the probe times out | `1`  |
+| `readinessProbe.failureThreshold` | Times to perform probe before marking the container `Unready` |  `3` |
 
 
 Check [values.yaml](values.yaml) notes together with [dex documentation][dex] and [config examples](https://github.com/dexidp/dex/tree/master/examples) for all the possible configuration options.

charts/dex/templates/NOTES.txt

@@ -14,7 +14,7 @@
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "dex.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
   echo https://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "dex.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit https://127.0.0.1:8080/.well-known/openid-configuration to use your application"
-  kubectl port-forward $POD_NAME 8080:5556
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080/.well-known/openid-configuration to use your application"
+  kubectl port-forward $POD_NAME 8080:{{ .Values.ports.web.containerPort }}
 {{- end }}

charts/dex/templates/clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create (not .Values.crd.present) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/dex/templates/clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create (not .Values.crd.present) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/dex/templates/deployment.yaml

@@ -31,12 +31,19 @@ spec:
         app.kubernetes.io/name: {{ include "dex.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/component: dex
+        {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+        {{- end }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
         {{- end }}
     spec:
+{{- if .Values.initContainers }}
+      initContainers:
+        {{- toYaml .Values.initContainers | nindent 8 }}
+{{- end }}
       serviceAccountName: {{ template "dex.serviceAccountName" . }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
@@ -48,6 +55,9 @@ spec:
       affinity:
 {{ toYaml . | indent 8 }}
     {{- end }}
+      {{- if .Values.securityContext }}
+      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
       containers:
       - name: main
         image: "{{ .Values.image }}:{{ .Values.imageTag }}"
@@ -67,6 +77,31 @@ spec:
           containerPort: {{ .Values.ports.grpc.containerPort }}
           protocol: TCP
         {{- end }}
+        {{- if .Values.telemetry }}
+        - name: telemetry
+          containerPort: {{ .Values.ports.telemetry.containerPort }}
+          protocol: TCP
+        {{- end  }}
+{{- if and (not .Values.https) .Values.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: {{ .Values.livenessProbe.httpPath }}
+            port: {{ if .Values.https }}https{{ else }}http{{ end }}
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+{{- end }}
+{{- if and (not .Values.https) .Values.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: {{ .Values.readinessProbe.httpPath }}
+            port: {{ if .Values.https }}https{{ else }}http{{ end }}
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+{{- end }}
         env:
 {{ toYaml .Values.env | indent 10 }}
         volumeMounts:

charts/dex/templates/role.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.rbac.create }}
-{{- if or .Values.certs.grpc.create .Values.certs.web.create }}
+{{- if or .Values.certs.grpc.create .Values.certs.web.create .Values.crd.present }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -8,8 +8,15 @@ metadata:
   name: {{ template "dex.fullname" . }}
   namespace: {{ .Release.Namespace }}
 rules:
+{{- if .Values.crd.present }}
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+  resources: ["*"]
+  verbs: ["*"]
+{{- end -}}
+{{- if or .Values.certs.grpc.create .Values.certs.web.create }}
 - apiGroups: [""]
   resources: ["configmaps", "secrets"]
   verbs: ["create", "delete"]
 {{- end -}}
 {{- end -}}
+{{- end -}}

charts/dex/templates/rolebinding.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.rbac.create }}
-{{- if or .Values.certs.grpc.create .Values.certs.web.create }}
+{{- if or .Values.certs.grpc.create .Values.certs.web.create .Values.crd.present }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

charts/dex/templates/secret.yaml

@@ -27,6 +27,10 @@ stringData:
       tlsKey: {{ .grpc.tlsKey }}
       tlsClientCA: {{ .grpc.tlsClientCA }}
     {{- end }}
+    {{- if $.Values.telemetry }}
+    telemetry:
+      http: {{ $.Values.config.web.address }}:{{ $.Values.ports.telemetry.containerPort }}
+    {{- end }}
     {{- if .connectors }}
     connectors:
 {{ toYaml .connectors | indent 4 }}

charts/dex/templates/service.yaml

@@ -26,6 +26,14 @@ spec:
   {{- end }}
     port: {{ .Values.ports.grpc.servicePort }}
 {{- end }}
+{{- if .Values.telemetry }}
+  - name: telemetry
+    targetPort: telemetry
+  {{- if eq "NodePort" .Values.service.type }}
+    nodePort: {{ .Values.ports.telemetry.nodePort }}
+  {{- end }}
+    port: {{ .Values.ports.telemetry.servicePort }}
+{{- end }}
 {{- if hasKey .Values.service "externalIPs" }}
   externalIPs:
 {{ toYaml .Values.service.externalIPs | indent 4 }}

charts/dex/values.yaml

@@ -4,15 +4,19 @@
 # name: value
 
 image: quay.io/dexidp/dex
-imageTag: "v2.19.0"
+imageTag: "v2.23.0"
 imagePullPolicy: "IfNotPresent"
 
 inMiniKube: false
 
 nodeSelector: {}
 
+podLabels: {}
+
 podAnnotations: {}
 
+initContainers: []
+
 tolerations: []
   # - key: CriticalAddonsOnly
   #   operator: Exists
@@ -21,6 +25,18 @@ tolerations: []
   #   value: bar
   #   effect: NoSchedule
 
+securityContext:
+  # Rejecting containers trying to run with root privileges
+  # runAsNonRoot: true
+  # Preventing privilege escalation to root privileges
+  # allowPrivilegeEscalation: false
+  # Set the user ID used to run the container
+  # runAsUser: 1001
+  # Set the primary group ID used to run all processes within any container of the pod
+  # runAsGroup: 1001
+  # Set the group ID associated with the container
+  # fsGroup: 1001
+
 replicas: 1
 
 # resources:
@@ -37,6 +53,9 @@ grpc: true
 # https termination by dex itself
 https: false
 
+# expose prometheus metrics ?
+telemetry: false
+
 ports:
   web:
     containerPort: 5556
@@ -49,6 +68,27 @@ ports:
     # for service.type: NodePort
     nodePort: 35000
     servicePort: 35000
+  telemetry:
+    containerPort: 5558
+    # for service.type: NodePort
+    nodePort: 37000
+    servicePort: 37000
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 1
+  failureThreshold: 1
+  httpPath: "/healthz"
+  periodSeconds: 10
+  timeoutSeconds: 1
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 1
+  failureThreshold: 1
+  httpPath: "/healthz"
+  periodSeconds: 10
+  timeoutSeconds: 1
 
 service:
   type: ClusterIP
@@ -88,7 +128,7 @@ certs:
     caDays: 10000
     certDays: 10000
     altNames:
-      - dex.io
+      - dex.example.com
     altIPs: {}
     secret:
       tlsName: dex-web-server-tls
@@ -100,7 +140,7 @@ certs:
     create: true
     activeDeadlineSeconds: 300
     altNames:
-      - dex.io
+      - dex.example.com
     altIPs: {}
     secret:
       serverTlsName: dex-grpc-server-tls
@@ -115,6 +155,11 @@ rbac:
   # Specifies whether RBAC resources should be created
   create: true
 
+crd:
+  # Specifies whether dex's CRDs are already present (if not cluster role and cluster role binding will be created
+  # to enable dex to create them). Depends on rbac.create
+  present: false
+
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
   create: true
@@ -137,7 +182,7 @@ podDisruptionBudget: {}
   # maxUnavailable: 1
 
 config:
-  issuer: http://dex.io:8080
+  issuer: http://dex.example.com:8080
   storage:
     type: kubernetes
     config:
@@ -156,7 +201,7 @@ config:
     tlsCert: /etc/dex/tls/grpc/server/tls.crt
     tlsKey: /etc/dex/tls/grpc/server/tls.key
     tlsClientCA: /etc/dex/tls/grpc/ca/tls.crt
-  connectors: {}
+  connectors: []
 #  - type: github
 #    id: github
 #    name: GitHub

charts/prometheus-operator.yaml

@@ -148,7 +148,7 @@ grafana:
 
   grafana.ini:
     server:
-      root_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana)'
+      root_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana)'
     analytics:
       reporting_enabled: false
       check_for_updates: false
@@ -160,9 +160,9 @@ grafana:
       scopes: "openid profile email groups"
       client_id: "grafana-ui"
       client_secret: "4lqK98NcsWG5qBRHJUqYM1"
-      auth_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/auth)'
-      token_url:  '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/token)'
-      api_url: '__url__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/userinfo)'
+      auth_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/auth)'
+      token_url:  '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/token)'
+      api_url: '__escape__(https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc/userinfo)'
 
   testFramework:
     enabled: false