feat: bump dex chart to support webhooks (#1458)

* feat: bump dex chart to support webhooks * Update stable/dex/values.yaml Co-authored-by: Martin Hrabovcin <[email protected]> * Update stable/dex/values.yaml Co-authored-by: Martin Hrabovcin <[email protected]> * feat: bump dex chart to support webhooks --------- Co-authored-by: Martin Hrabovcin <[email protected]>
mesosphere · Oct 20, 2023 · 52ce25c · 52ce25c
1 parent 284998b
commit 52ce25c
Show file tree

Hide file tree

Showing 8 changed files with 165 additions and 5 deletions.
diff --git a/stable/dex/Chart.yaml b/stable/dex/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: dex
-version: 2.12.4
-appVersion: 2.35.3
+version: 2.13.0
+appVersion: 2.37.0
 description: Dex
 keywords:
 - dex

diff --git a/stable/dex/charts/dex-controller-v0.11.0.tgz b/stable/dex/charts/dex-controller-v0.11.0.tgz
diff --git a/stable/dex/charts/dex-controller-v0.9.1.tgz b/stable/dex/charts/dex-controller-v0.9.1.tgz
diff --git a/stable/dex/templates/client-certificate.yaml b/stable/dex/templates/client-certificate.yaml
@@ -0,0 +1,40 @@
+---
+{{- if  (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+{{- else }}
+apiVersion: certmanager.k8s.io/v1alpha1
+{{- end }}
+kind: Certificate
+metadata:
+  name: {{ template "dex.fullname" . }}-client-tls
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    # We have to add the following annotation so that the upgrade does
+    # not fail with "already exists" error. See more details in:
+    # https://github.com/helm/helm/issues/5482
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  secretName: {{ template "dex.fullname" . }}-client-tls
+  issuerRef:
+    name: {{ .Release.Name }}-dex-controller-ca-issuer
+    kind: Issuer
+  # The use of the common name field has been deprecated since 2000 and is
+  duration: 87600h
+{{- if  (.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+  subject:
+    organizations:
+      - D2iQ
+{{- else }}
+  organization:
+    - D2iQ
+{{- end }}
+  dnsNames:
+    # names are the <name of the service>.<namespace>.svc.<domain> and
+    # shortened variations. However, there is no way to determine the domain,
+    # so we only include up to svc.
+    - {{ template "dex.fullname" . }}
+    - {{ template "dex.fullname" . }}.{{ .Release.Namespace }}
+    - {{ template "dex.fullname" . }}.{{ .Release.Namespace }}.svc
+  usages:
+    - client auth
diff --git a/stable/dex/templates/deployment.yaml b/stable/dex/templates/deployment.yaml
@@ -117,6 +117,8 @@ spec:
         - mountPath: /etc/dex/tls/grpc/ca
           name: grpc-tls-ca
 {{- end }}
+        - mountPath: /etc/dex/tls/client
+          name: multi-tenancy-tls
 {{- if ne (len .Values.extraVolumeMounts) 0 }}
 {{ toYaml .Values.extraVolumeMounts | indent 8 }}
 {{- end }}
@@ -144,6 +146,10 @@ spec:
           defaultMode: 420
           secretName: {{ $grpcCaSecretName| quote }}
 {{- end }}
+      - name: multi-tenancy-tls
+        secret:
+          defaultMode: 420
+          secretName: {{ template "dex.fullname" . }}-client-tls
 {{- if ne (len .Values.extraVolumes) 0 }}
 {{ toYaml .Values.extraVolumes | indent 6 }}
 {{- end }}
diff --git a/stable/dex/templates/job-pre-upgrade-webhook.yaml b/stable/dex/templates/job-pre-upgrade-webhook.yaml
@@ -0,0 +1,79 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pre-upgrade-job
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
+      serviceAccountName: {{ .Release.Name }}-dex-pre-upgrade-hook
+      containers:
+        - name: create-secret
+          image: "{{ .Values.kubectlImage }}"
+          command: [ "/bin/sh" ]
+          args:
+            - -c
+            - |
+              kubectl get secret {{ template "dex.fullname" . }}-client-tls -n {{ .Release.namespace }} || \
+              kubectl apply -f - <<EOF
+              apiVersion: v1
+              kind: Secret
+              metadata:
+                labels:
+                  app: {{ template "dex.fullname" . }}
+                  controller.cert-manager.io/fao: "true"
+                name: {{ template "dex.fullname" . }}-client-tls
+                namespace: {{ .Release.namespace }}
+              data: {}
+              EOF
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dex-pre-upgrade-hook
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dex-pre-upgrade-hook
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: dex-pre-upgrade-hook
+subjects:
+    - kind: ServiceAccount
+      name: {{ .Release.Name }}-dex-pre-upgrade-hook
+      namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-dex-pre-upgrade-hook
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
diff --git a/stable/dex/templates/secret.yaml b/stable/dex/templates/secret.yaml
@@ -49,4 +49,8 @@ stringData:
     {{- if .frontend }}
     frontend: {{ toYaml .frontend | nindent 6 }}
     {{- end }}
-    {{- end }}
+    connectorFiltersHooks:
+{{ toYaml .connectorFiltersHooks | indent 6 }}
+    tokenClaimsHooks:
+{{ toYaml .tokenClaimsHooks | indent 6 }}
+    {{- end }}
diff --git a/stable/dex/values.yaml b/stable/dex/values.yaml
@@ -4,7 +4,7 @@
 # name: value
 
 image: docker.io/mesosphere/dex
-imageTag: "v2.35.1-d2iq.1"
+imageTag: "v2.37.0-d2iq.1"
 imagePullPolicy: "IfNotPresent"
 
 inMiniKube: false
@@ -192,7 +192,38 @@ config:
     tlsCert: /etc/dex/tls/grpc/server/tls.crt
     tlsKey: /etc/dex/tls/grpc/server/tls.key
     tlsClientCA: /etc/dex/tls/grpc/ca/tls.crt
-
+#  connectorFiltersHooks:
+#    filterHooks:
+#    - name: "dex-controller"
+#      type: "external"
+#      requestContext:
+#        params:
+#          - "state"
+#          - "tenant-id"
+#      config:
+#        url: "https://fulmicotone-dex-controller-webhook-service:18443/connectors"
+#        tlsRootCAFile: "/etc/dex/tls/client/ca.crt"
+#        clientAuthentication:
+#          clientKeyFile: "/etc/dex/tls/client/tls.key"
+#          clientCertificateFile: "/etc/dex/tls/client/tls.crt"
+#          clientCAFile: "/etc/dex/tls/client/ca.crt"
+#  tokenClaimsHooks:
+#    mutatingHooks:
+#    - name: "dex-controller"
+#      type: "external"
+#      claims:
+#        - "groups"
+#        - "email"
+#        - "username"
+#        - "preferred_username"
+#      config:
+#        url: "https://fulmicotone-dex-controller-webhook-service:18443/claims"
+#        tlsRootCAFile: "/etc/dex/tls/client/ca.crt"
+#        clientAuthentication:
+#          clientKeyFile: "/etc/dex/tls/client/tls.key"
+#          clientCertificateFile: "/etc/dex/tls/client/tls.crt"
+#          clientCAFile: "/etc/dex/tls/client/ca.crt"
+#
   lazyInitConnectors: false
   connectors: []
 #  - type: github