diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 93d3f7c6..6b4a102e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:
 - name: Add Helm repositories
 run: |
- helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add dandydev https://dandydeveloper.github.io/charts
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.7.0
diff --git a/ct.yaml b/ct.yaml
index 13c85f6c..00f71973 100644
--- a/ct.yaml
+++ b/ct.yaml
@@ -5,4 +5,4 @@ chart-dirs:
 target-branch: main
 # helm-extra-args: --timeout 600s
 chart-repos:
- - bitnami=https://charts.bitnami.com/bitnami
+ - dandydev=https://dandydeveloper.github.io/charts
diff --git a/helm/oauth2-proxy/Chart.lock b/helm/oauth2-proxy/Chart.lock
index 71caeec8..1ac55e23 100644
--- a/helm/oauth2-proxy/Chart.lock
+++ b/helm/oauth2-proxy/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
-- name: redis
- repository: https://charts.bitnami.com/bitnami
- version: 22.0.1
-digest: sha256:7e8f393290629839ef212fb63e9ab4c5170ccba3da30c06c464a554987fcbb45
-generated: "2025-08-11T14:45:37.460990457Z"
+- name: redis-ha
+ repository: https://dandydeveloper.github.io/charts
+ version: 4.33.8
+digest: sha256:99abe093ebc97b930cad234e3bce566bb55e11ed0b2324e195d9783aaf5d1ace
+generated: "2025-08-13T08:08:37.645426006+02:00"
diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index 03a76823..1cdc7a9b 100644
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 7.18.0
+version: 8.0.0
 apiVersion: v2
 appVersion: 7.11.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -13,9 +13,9 @@ keywords:
 - github
 - redis
 dependencies:
- - name: redis
- version: 22.0.1
- repository: https://charts.bitnami.com/bitnami
+ - name: redis-ha
+ version: 4.33.8
+ repository: https://dandydeveloper.github.io/charts
 alias: redis
 condition: redis.enabled
 sources:
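Review bot: Keeping `alias: redis` while swapping the dependency means every value a user already has under `redis:` — the Bitnami-style `architecture`, `auth.enabled` and `global.redis.password` keys — is now handed to a subchart that does not read them, so an unchanged values file upgrades to 8.0.0 without any error and, if redis-ha only enables `requirepass` through its own `auth`/`redisPassword` keys, may come up with an unauthenticated Redis. A template-time guard would turn that silent degradation into a visible failure, e.g. in `_helpers.tpl` (outside this hunk): `{{- if and .Values.redis.enabled (hasKey .Values.redis "architecture") }}{{ fail "redis.* still uses the removed Bitnami subchart schema; see the 8.0.0 upgrade notes in README.md" }}{{- end }}`. The exact `version` plus the digest in Chart.lock is the right shape for a dependency pulled from a personal GitHub Pages repository; make sure the release workflow resolves it through the lock file rather than re-fetching the newest match.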
@@ -31,10 +31,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/changes: |
- - kind: added
- description: Added support for PodDisruptionBudget unhealthyPodEvictionPolicy
+ - kind: changed
+ description: Replace Redis chart by bitnami with dandydeveloper/redis-ha chart
 links:
 - name: Github PR
- url: https://github.com/oauth2-proxy/manifests/pull/336
- - name: Kubernetes documentation
- url: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy
+ url: https://github.com/oauth2-proxy/manifests/pull/335
diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md
index 548dd03a..7532b79b 100644
--- a/helm/oauth2-proxy/README.md
+++ b/helm/oauth2-proxy/README.md
@@ -94,6 +94,13 @@ Version 7.0.0 introduces a new implementation to support multiple hostAliases.
 You probably need to adjust your hostAliases config. See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information.
+### To 8.0.0 - Bitnami 💀
+
+Version 8.0.0 removes the dependency on the Bitnami Redis subchart and replaces it with the `dandydeveloper/redis-ha` chart. Therefore this version introduces a breaking change to the redis subchart deployment configuration. Please refer to the official [redis-ha repository](https://github.com/DandyDeveloper/charts/tree/master/charts/redis-ha) for details. Furthermore, you can reference the redis CI test value files we use [here](https://github.com/oauth2-proxy/manifests/tree/main/helm/oauth2-proxy/ci).
+
+Furthermore, you can read up on why this change was necessary in [Breaking changes in Bitnami Catalog #323](https://github.com/oauth2-proxy/manifests/issues/323)
+
+
 ## Configuration
 The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
diff --git a/helm/oauth2-proxy/ci/redis-sentinel-array-values.yaml b/helm/oauth2-proxy/ci/redis-sentinel-array-values.yaml
index 4e56feb6..4a34107c 100644
--- a/helm/oauth2-proxy/ci/redis-sentinel-array-values.yaml
+++ b/helm/oauth2-proxy/ci/redis-sentinel-array-values.yaml
@@ -6,19 +6,29 @@ sessionStorage:
 password: "foo"
 masterName: "mymaster"
 connectionUrls:
- - "redis://oauth2-proxy-redis:26379"
- - "redis://oauth2-proxy-redis:26379"
+ - "redis://oauth2-proxy-redis-announce-0:26379"
+ - "redis://oauth2-proxy-redis-announce-1:26379"
+
+# provision an instance of the redis-ha sub-chart
 redis:
- # provision an instance of the redis sub-chart
 enabled: true
 fullnameOverride: oauth2-proxy-redis
- architecture: replication
- sentinel:
- enabled: true
- masterSet: mymaster
- global:
- redis:
- password: "foo"
+
+ redisPassword: "foo"
+
+ redis:
+ masterGroupName: mymaster
+
+ replicas: 2
+ hardAntiAffinity: false
+
+ persistentVolume:
+ enabled: false
+ haproxy:
+ enabled: false
+ exporter:
+ enabled: false
+
 initContainers:
 waitForRedis:
 enabled: true
diff --git a/helm/oauth2-proxy/ci/redis-sentinel-comma-values.yaml b/helm/oauth2-proxy/ci/redis-sentinel-comma-values.yaml
index 0f371b90..a30a976d 100644
--- a/helm/oauth2-proxy/ci/redis-sentinel-comma-values.yaml
+++ b/helm/oauth2-proxy/ci/redis-sentinel-comma-values.yaml
@@ -5,18 +5,28 @@ sessionStorage:
 sentinel:
 password: "foo"
 masterName: "mymaster"
- connectionUrls: "redis://oauth2-proxy-redis:26379,redis://oauth2-proxy-redis:26379"
+ connectionUrls: "redis://oauth2-proxy-redis-announce-0:26379,redis://oauth2-proxy-redis-announce-1:26379"
+
+# provision an instance of the redis-ha sub-chart
 redis:
- # provision an instance of the redis sub-chart
 enabled: true
 fullnameOverride: oauth2-proxy-redis
- architecture: replication
- sentinel:
- enabled: true
- masterSet: mymaster
- global:
- redis:
- password: "foo"
+
+ redisPassword: "foo"
+
+ redis:
+ masterGroupName: mymaster
+
+ replicas: 2
+ hardAntiAffinity: false
+
+ persistentVolume:
+ enabled: false
+ haproxy:
+ enabled: false
+ exporter:
+ enabled: false
+
 initContainers:
 waitForRedis:
 enabled: true
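Review bot: `redisPassword: "foo"` is set here (and in redis-sentinel-comma-values.yaml and redis-standalone-values.yaml) without the subchart's `auth` flag, while the new condition in templates/deployment.yaml switches on `.Values.redis.auth`, which suggests the author expects redis-ha to gate authentication on that boolean. If that is how redis-ha behaves, these CI runs start Redis without `requirepass` while oauth2-proxy is configured with a password through `sessionStorage.redis.sentinel.password`, so the test either passes without exercising authentication or only because readiness never touches Redis. Adding `auth: true` beside each `redisPassword: "foo"`, and to the "Recommended" snippet added to values.yaml, would make the CI setup match what the chart documents.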
diff --git a/helm/oauth2-proxy/ci/redis-standalone-values.yaml b/helm/oauth2-proxy/ci/redis-standalone-values.yaml
index e58c32cf..880d587d 100644
--- a/helm/oauth2-proxy/ci/redis-standalone-values.yaml
+++ b/helm/oauth2-proxy/ci/redis-standalone-values.yaml
@@ -3,13 +3,64 @@ sessionStorage:
 redis:
 clientType: "standalone"
 password: "foo"
+
+# provision an instance of the redis-ha sub-chart
 redis:
- # provision an instance of the redis sub-chart
 enabled: true
- architecture: standalone
- global:
- redis:
- password: "foo"
+ fullnameOverride: oauth2-proxy-redis
+
+ redisPassword: "foo"
+
+ replicas: 1
+
+ # Remove sentinel overhead, speed up startup and redis itself
+ sentinel:
+ livenessProbe:
+ enabled: false
+ readinessProbe:
+ enabled: false
+ startupProbe:
+ enabled: false
+ quorum: 1
+
+ hardAntiAffinity: false
+
+ redis:
+ config:
+ min-replicas-to-write: 0
+ save: ""
+ appendonly: "no"
+
+ terminationGracePeriodSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 2
+ readinessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 2
+ startupProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 2
+ timeoutSeconds: 3
+ failureThreshold: 10
+ splitBrainDetection:
+ interval: 0
+ persistentVolume:
+ enabled: false
+ emptyDir: {}
+ haproxy:
+ enabled: false
+ exporter:
+ enabled: false
+ sysctlImage:
+ enabled: false
+ hostPath:
+ chown: false
+
 initContainers:
 waitForRedis:
 enabled: true
diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl
index 6a9bbb32..3eb1c0e3 100644
--- a/helm/oauth2-proxy/templates/_helpers.tpl
+++ b/helm/oauth2-proxy/templates/_helpers.tpl
@@ -94,7 +94,7 @@ Redis subcharts fullname
 */}}
 {{- define "oauth2-proxy.redis.fullname" -}}
 {{- if .Values.redis.enabled -}}
-{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}}
+{{- include "redis-ha.fullname" (dict "Chart" (dict "Name" "redis-ha") "Release" .Release "Values" .Values.redis) -}}
 {{- else -}}
 {{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }}
 {{- end -}}
@@ -107,7 +107,7 @@ Compute the redis url if not set explicitly.
 {{- if .Values.sessionStorage.redis.standalone.connectionUrl -}}
 {{ .Values.sessionStorage.redis.standalone.connectionUrl }}
 {{- else if .Values.redis.enabled -}}
-{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) .Values.redis.master.service.ports.redis -}}
+{{- printf "redis://%s:%.0f" (include "oauth2-proxy.redis.fullname" .) .Values.redis.redis.port -}}
 {{- else -}}
 {{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }}
 {{- end -}}
diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml
index a483d27b..7982524a 100644
--- a/helm/oauth2-proxy/templates/deployment.yaml
+++ b/helm/oauth2-proxy/templates/deployment.yaml
@@ -199,7 +199,7 @@ spec:
 {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
 - name: OAUTH2_PROXY_SESSION_STORE_TYPE
 value: "redis"
- {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}}
+ {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth))}}
 - name: OAUTH2_PROXY_REDIS_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index d3306a47..87f54152 100644
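Review bot: The standalone URL built in the second hunk, `redis://<fullname>:<port>`, addresses the subchart's base service, and nothing in this hunk ensures that service reaches only the master: the standalone CI values make it work by pinning `replicas: 1` and disabling haproxy, whereas the sentinel CI values switched to per-pod `-announce-N` hosts, which suggests the base service spans all pods. A user who raises `replicas` without enabling haproxy would then have session writes land on read-only replicas intermittently. Either state the `replicas: 1` requirement in the `redis` comment block of values.yaml, or build the host from the haproxy service when `.Values.redis.haproxy.enabled` is true. The second hunk's `define` line sits outside the hunk.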
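Review bot: The parentheses around `.Values.redis.auth` in the deployment.yaml hunk are a leftover from the old `(.Values.redis.auth).enabled` lookup and now wrap a bare field; `(and .Values.redis.enabled .Values.redis.auth)` reads as intended. Separately, `and` treats any non-empty map as true, so a values file still carrying the Bitnami-style `redis.auth.enabled: true` map satisfies this branch and wires `OAUTH2_PROXY_REDIS_PASSWORD` from a secret even though the new subchart has not been told to enable authentication; the upgrade notes should say that `redis.auth` is now a plain boolean. The `env` list continues outside the hunk.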
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -31,7 +31,8 @@ config:
 # The name of the cookie that oauth2-proxy will create
 # If left empty, it will default to the release name
 cookieName: ""
- google: {}
+ google:
+ {}
 # adminEmail: xxxx
 # useApplicationDefaultCredentials: true
 # targetPrincipal: xxxx
@@ -83,7 +84,8 @@ image:
 # Optionally specify an array of imagePullSecrets.
 # Secrets must be manually created in the namespace.
 # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
-imagePullSecrets: []
+imagePullSecrets:
+ []
 # - name: myRegistryKeySecretName
 # Set a custom containerPort if required.
@@ -183,7 +185,7 @@ ingress:
 pathType: ImplementationSpecific
 # Used to create an Ingress record.
 # hosts:
- # - chart-example.local
+ # - chart-example.local
 # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
 # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
 # extraPaths:
@@ -199,12 +201,13 @@ ingress:
 # kubernetes.io/ingress.class: nginx
 # kubernetes.io/tls-acme: "true"
 # tls:
- # Secrets must be manually created in the namespace.
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
+ # Secrets must be manually created in the namespace.
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
-resources: {}
+resources:
+ {}
 # limits:
 # cpu: 100m
 # memory: 300Mi
@@ -212,22 +215,26 @@ resources: {}
 # cpu: 100m
 # memory: 300Mi
-extraVolumes: []
+extraVolumes:
+ []
 # - name: ca-bundle-cert
 # secret:
 # secretName:
-extraVolumeMounts: []
+extraVolumeMounts:
+ []
 # - mountPath: /etc/ssl/certs/
 # name: ca-bundle-cert
 # Additional containers to be added to the pod.
-extraContainers: []
+extraContainers:
+ []
 # - name: my-sidecar
 # image: nginx:latest
 # Additional Init containers to be added to the pod.
-extraInitContainers: []
+extraInitContainers:
+ []
 # - name: wait-for-idp
 # image: my-idp-wait:latest
 # command:
@@ -288,7 +295,7 @@ securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 2000
@@ -327,7 +334,8 @@ autoscaling:
 annotations: {}
 # Configure HPA behavior policies for scaling if needed
 # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior
- behavior: {}
+ behavior:
+ {}
 # scaleDown:
 # stabilizationWindowSeconds: 300
 # policies:
@@ -380,7 +388,8 @@ initContainers:
 seccompProfile:
 type: RuntimeDefault
 timeout: 180
- resources: {}
+ resources:
+ {}
 # limits:
 # cpu: 100m
 # memory: 300Mi
@@ -435,19 +444,25 @@ sessionStorage:
 # - "redis://127.0.0.1:8000"
 # - "redis://127.0.0.1:8001"
-# Enables and configure the automatic deployment of the redis subchart
+# Enables and configure the automatic deployment of the redis-ha subchart
 redis:
- # provision an instance of the redis sub-chart
+ # provision an instance of the redis-ha sub-chart
 enabled: false
 # Redis specific helm chart settings, please see:
- # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
- # global:
- # redis:
- # password: yourpassword
+ # https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#general-parameters
+ #
+ # Recommended:
+ #
+ # redisPassword: xxxxx
+ # replicas: 1
+ # persistentVolume:
+ # enabled: false
+ #
 # If you install Redis using this sub chart, make sure that the password of the sub chart matches the password
 # you set in sessionStorage.redis.password (see above).
- # redisPort: 6379
- # architecture: standalone
+ #
+ # If you want to use redis in sentinel mode see:
+ # https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#redis-sentinel-parameters
 # Enables apiVersion deprecation checks
 checkDeprecation: true
@@ -515,7 +530,8 @@ metrics:
 # action: replace
 # Extra K8s manifests to deploy
-extraObjects: []
+extraObjects:
+ []
 # - apiVersion: secrets-store.csi.x-k8s.io/v1
 # kind: SecretProviderClass
 # metadata:
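Review bot: The new sentinel paragraph links to the redis-ha parameter docs but says nothing about what `sessionStorage.redis.sentinel.connectionUrls` must contain once the subchart is used, and that is the part users cannot get from the subchart docs: the chart's own CI values were changed to per-pod hosts of the form `redis://<fullnameOverride>-announce-<i>:26379`, replacing the single `<fullname>:26379` host that worked with the Bitnami chart, so a `connectionUrls` value carried over from 7.x may no longer reach a sentinel endpoint. Add the form to this comment block, e.g. `# sentinel endpoints are the per-pod announce services, e.g. redis://<fullnameOverride>-announce-0:26379`, next to the "If you want to use redis in sentinel mode" line. The `connectionUrls` example lines above this hunk are unchanged.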