Merge branch 'main' into main

Author: kleberbaum

.github/workflows/lint.yml

@@ -0,0 +1,52 @@
+name: 'Lint Charts'
+
+on:
+  pull_request:
+    paths:
+      - 'charts/zitadel/templates/**'
+      - 'charts/zitadel/values.yaml'
+      - 'charts/zitadel/Chart.yaml'
+
+jobs:
+
+  lint:
+
+    runs-on: 'ubuntu-20.04'
+
+    steps:
+      - id: 'checkout'
+        name: Check The Repo Out
+        uses: 'actions/checkout@v3'
+        with:
+          fetch-depth: 0
+
+      - id: 'set-up-helm'
+        name: Install Helm (The Chart Testing CLI Depends On It)
+        uses: 'azure/setup-helm@v3.5'
+        with:
+          version: latest
+
+      - id: 'set-up-python'
+        name: Install Python (The Chart Testing CLI Depends On It)
+        uses: 'actions/setup-python@v3.1.4'
+        with:
+          python-version: 3.11.4
+
+      - id: 'set-up-chart-testing'
+        name: Install Chart Testing CLI
+        uses: 'helm/chart-testing-action@v2.6.1'
+        with:
+          version: 'v3.8.0'
+
+      - id: 'list-changed'
+        name: Check If The Chart Has Changes (not only comments, for example)
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - id: 'lint'
+        name: Lint The Chart
+        run: 'ct lint --target-branch ${{ github.event.repository.default_branch }}'
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/test.yml

@@ -1,6 +1,12 @@
 name: 'Test Charts'
 
-on: 'pull_request'
+on:
+  pull_request:
+    paths:
+      - 'charts/zitadel/**'
+      - 'examples/**/*.yaml'
+      - 'go.mod'
+      - 'go.sum'
 
 jobs:
   test:
@@ -50,56 +56,13 @@ jobs:
       with:
         fetch-depth: 0
 
-    - id: 'set-up-helm'
-      name: Install Helm (The Chart Testing CLI Depends On It)
-      uses: 'azure/setup-helm@v3.5'
-      with:
-        version: '${{ matrix.helm-version }}'
-        token: ${{ secrets.GITHUB_TOKEN }}
-
-    - id: 'set-up-python'
-      name: Install Python (The Chart Testing CLI Depends On It)
-      uses: 'actions/setup-python@v3.1.4'
-      with:
-        python-version: 3.11.4
-
-    - id: 'set-up-chart-testing'
-      name: Install Chart Testing CLI
-      uses: 'helm/chart-testing-action@v2.6.1'
-      with:
-        version: 'v3.8.0'
-
-    - id: 'list-changed'
-      name: Check If The Chart Has Changes
-      run: |
-        changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
-        if [[ -n "$changed" ]]; then
-          echo "changed=true" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Get Changed Test Relevant Files
-      id: 'list-changed-test'
-      uses: tj-actions/changed-files@v42
-      with:
-        files: |
-          go.mod
-          go.sum
-          charts/zitadel/acceptance/**
-
     - id: 'add-cockroachdb-repo'
       name: Add The CockroachDB Helm Repo
       run: 'helm repo add cockroachdb https://charts.cockroachdb.com/'
-      if: steps.list-changed.outputs.changed == 'true' || steps.list-changed-test.outputs.any_changed == 'true'
-
-    - id: 'lint'
-      name: Lint The Chart
-      run: 'ct lint --target-branch ${{ github.event.repository.default_branch }}'
-      if: steps.list-changed.outputs.changed == 'true' || steps.list-changed-test.outputs.any_changed == 'true'
 
     - id: 'create-kind'
       name: Create Kubernetes Cluster with KinD
       uses: 'helm/kind-action@v1.8.0'
-      if: steps.list-changed.outputs.changed == 'true' || steps.list-changed-test.outputs.any_changed == 'true'
       with:
         node_image: 'kindest/node:${{ matrix.k8s.kindest-image-tag }}'
         version: 'v0.20.0'
@@ -112,7 +75,6 @@ jobs:
     - id: 'test'
       name: Run Go Tests
       run: 'go test -p 1 ./...'
-      if: steps.list-changed.outputs.changed == 'true' || steps.list-changed-test.outputs.any_changed == 'true'
 
     - id: 'zitadel-test-namespaces'
       name: Grep Created Namespaces

charts/zitadel/acceptance/service_tunnel.go

@@ -16,12 +16,11 @@ func (c CloseFunc) Close() {
 // ServiceTunnel must be closed using the returned close function
 func ServiceTunnel(cfg *ConfigurationTest) func() {
 	serviceTunnel := k8s.NewTunnel(cfg.KubeOptions, k8s.ResourceTypeService, cfg.zitadelRelease, int(cfg.Port), 8080)
-	awaitServicePortToBeFree(cfg)
-	serviceTunnel.ForwardPort(cfg.T())
+	awaitServicePortForward(cfg, serviceTunnel)
 	return serviceTunnel.Close
 }
 
-func awaitServicePortToBeFree(cfg *ConfigurationTest) {
+func awaitServicePortForward(cfg *ConfigurationTest, tunnel *k8s.Tunnel) {
 	t := cfg.T()
 	addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("127.0.0.1:%d", cfg.Port))
 	if err != nil {
@@ -32,7 +31,9 @@ func awaitServicePortToBeFree(cfg *ConfigurationTest) {
 		if err != nil {
 			return err
 		}
-		defer l.Close()
-		return nil
+		if err := l.Close(); err != nil {
+			panic(err)
+		}
+		return tunnel.ForwardPortE(cfg.T())
 	})
 }

charts/zitadel/acceptance/teardown.go

@@ -1,8 +1,6 @@
 package acceptance
 
-import (
-	"github.com/gruntwork-io/terratest/modules/k8s"
-)
+import "github.com/gruntwork-io/terratest/modules/k8s"
 
 func (s *ConfigurationTest) TearDownTest() {
 	if !s.T().Failed() {

charts/zitadel/templates/deployment.yaml

@@ -79,6 +79,12 @@ spec:
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
               value: /.secrets/db-ssl-user-crt/tls.key
             {{- end }}
+            {{- if .Values.zitadel.serverSslCrtSecret }}
+            - name: ZITADEL_TLS_CERTPATH
+              value: /.secrets/server-ssl-crt/tls.crt
+            - name: ZITADEL_TLS_KEYPATH
+              value: /.secrets/server-ssl-crt/tls.key
+            {{- end }}
             {{- if .Values.zitadel.selfSignedCert.enabled }}
             - name: ZITADEL_TLS_CERTPATH
               value: /etc/tls/tls.crt
@@ -163,6 +169,7 @@ spec:
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
               (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
+              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.serverSslCrtSecret "path" "/server-ssl-crt/" ))
               )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
@@ -189,6 +196,10 @@ spec:
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
           {{- end }}
+          {{- if .Values.zitadel.serverSslCrtSecret }}
+          - name: server-ssl-crt
+            mountPath: /server-ssl-crt
+          {{- end }}
           securityContext:
             runAsNonRoot: false
             runAsUser: 0
@@ -246,6 +257,11 @@ spec:
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
       {{- end }}
+      {{- if .Values.zitadel.serverSslCrtSecret }}
+      - name: server-ssl-crt
+        secret:
+          secretName: {{ .Values.zitadel.serverSslCrtSecret }}
+      {{- end }}
       - name: chowned-secrets
         emptyDir: {}
       {{- if .Values.zitadel.selfSignedCert.enabled }}

charts/zitadel/values.yaml

@@ -53,6 +53,9 @@ zitadel:
   # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
   dbSslUserCrtSecret: ""
 
+  # The Secret containing the certificate at key tls.crt and tls.key for listening on HTTPS
+  serverSslCrtSecret: ""
+
   # Generate a self-signed certificate using an init container
   # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
   # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt

go.mod

@@ -1,19 +1,19 @@
 module github.com/zitadel/zitadel-charts
 
-go 1.21
+go 1.22.0
 
-toolchain go1.21.4
+toolchain go1.22.2
 
 require (
-	github.com/gruntwork-io/terratest v0.46.13
+	github.com/gruntwork-io/terratest v0.46.14
 	github.com/jinzhu/copier v0.4.0
 	github.com/stretchr/testify v1.9.0
 	github.com/zitadel/oidc v1.13.5
-	github.com/zitadel/zitadel-go/v2 v2.1.11
+	github.com/zitadel/zitadel-go/v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.29.3
-	k8s.io/apimachinery v0.29.3
-	k8s.io/client-go v0.29.3
+	k8s.io/api v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/client-go v0.30.0
 )
 
 require (
@@ -26,7 +26,7 @@ require (
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -44,6 +44,7 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/schema v1.2.0 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/gruntwork-io/go-commons v0.8.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
@@ -76,23 +77,23 @@ require (
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
 	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/oauth2 v0.19.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect
-	google.golang.org/grpc v1.62.1 // indirect
+	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/grpc v1.63.2 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect