zitadel-7.15.0 Merge remote-tracking branch 'upstream/main'

charts/zitadel/Chart.yaml

@@ -2,9 +2,9 @@ apiVersion: v2
 name: zitadel
 description: A Helm chart for ZITADEL
 type: application
-appVersion: 'v2.46.0'
-version: 7.11.1
-kubeVersion: '>= 1.21.0-0'
+appVersion: "v2.51.3"
+version: 7.15.0
+kubeVersion: ">= 1.21.0-0"
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:
   - name: zitadel

charts/zitadel/acceptance/service_tunnel.go

@@ -16,12 +16,11 @@ func (c CloseFunc) Close() {
 // ServiceTunnel must be closed using the returned close function
 func ServiceTunnel(cfg *ConfigurationTest) func() {
 	serviceTunnel := k8s.NewTunnel(cfg.KubeOptions, k8s.ResourceTypeService, cfg.zitadelRelease, int(cfg.Port), 8080)
-	awaitServicePortToBeFree(cfg)
-	serviceTunnel.ForwardPort(cfg.T())
+	awaitServicePortForward(cfg, serviceTunnel)
 	return serviceTunnel.Close
 }
 
-func awaitServicePortToBeFree(cfg *ConfigurationTest) {
+func awaitServicePortForward(cfg *ConfigurationTest, tunnel *k8s.Tunnel) {
 	t := cfg.T()
 	addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("127.0.0.1:%d", cfg.Port))
 	if err != nil {
@@ -32,7 +31,9 @@ func awaitServicePortToBeFree(cfg *ConfigurationTest) {
 		if err != nil {
 			return err
 		}
-		defer l.Close()
-		return nil
+		if err := l.Close(); err != nil {
+			panic(err)
+		}
+		return tunnel.ForwardPortE(cfg.T())
 	})
 }

charts/zitadel/acceptance/teardown.go

@@ -1,8 +1,6 @@
 package acceptance
 
-import (
-	"github.com/gruntwork-io/terratest/modules/k8s"
-)
+import "github.com/gruntwork-io/terratest/modules/k8s"
 
 func (s *ConfigurationTest) TearDownTest() {
 	if !s.T().Failed() {

charts/zitadel/templates/deployment.yaml

@@ -79,6 +79,12 @@ spec:
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
               value: /.secrets/db-ssl-user-crt/tls.key
             {{- end }}
+            {{- if .Values.zitadel.serverSslCrtSecret }}
+            - name: ZITADEL_TLS_CERTPATH
+              value: /.secrets/server-ssl-crt/tls.crt
+            - name: ZITADEL_TLS_KEYPATH
+              value: /.secrets/server-ssl-crt/tls.key
+            {{- end }}
             {{- if .Values.zitadel.selfSignedCert.enabled }}
             - name: ZITADEL_TLS_CERTPATH
               value: /etc/tls/tls.crt
@@ -154,6 +160,9 @@ spec:
           - name: tls
             mountPath: /etc/tls
           {{- end }}
+          {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 14 }}
       initContainers:
@@ -163,6 +172,7 @@ spec:
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
               (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
+              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.serverSslCrtSecret "path" "/server-ssl-crt/" ))
               )) }} find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
@@ -189,6 +199,10 @@ spec:
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
           {{- end }}
+          {{- if .Values.zitadel.serverSslCrtSecret }}
+          - name: server-ssl-crt
+            mountPath: /server-ssl-crt
+          {{- end }}
         {{- if .Values.zitadel.selfSignedCert.enabled }}
         - name: generate-self-signed-cert
           image: alpine/openssl
@@ -243,12 +257,20 @@ spec:
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
       {{- end }}
+      {{- if .Values.zitadel.serverSslCrtSecret }}
+      - name: server-ssl-crt
+        secret:
+          secretName: {{ .Values.zitadel.serverSslCrtSecret }}
+      {{- end }}
       - name: chowned-secrets
         emptyDir: {}
       {{- if .Values.zitadel.selfSignedCert.enabled }}
       - name: tls
         emptyDir: {}
       {{- end }}
+      {{- with .Values.extraVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/zitadel/templates/initjob.yaml

@@ -94,6 +94,9 @@ spec:
             mountPath: /config
           - name: chowned-secrets
             mountPath: /.secrets
+          {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.initJob.resources | nindent 14 }}
         {{- if .Values.initJob.extraContainers }}
@@ -175,6 +178,9 @@ spec:
       {{- end }}
       - name: chowned-secrets
         emptyDir: {}
+      {{- with .Values.extraVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/zitadel/templates/service.yaml

@@ -19,7 +19,7 @@ spec:
     - port: {{ .Values.service.port }}
       targetPort: 8080
       protocol: TCP
-      name: {{ .Values.service.protocol }}-server
+      name: {{ regexReplaceAll "\\W+" .Values.service.protocol "-" }}-server
       {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
       appProtocol: {{ .Values.service.protocol }}
       {{- end }}

charts/zitadel/templates/servicemonitor.yaml

@@ -13,7 +13,7 @@ metadata:
     {{- end }}
 spec:
   endpoints:
-  - port: {{ .Values.service.protocol }}-server
+  - port: {{ regexReplaceAll "\\W+" .Values.service.protocol "-" }}-server
     {{- if .Values.metrics.serviceMonitor.scrapeInterval }}
     interval: {{ .Values.metrics.serviceMonitor.scrapeInterval }}
     {{- end }}

charts/zitadel/templates/setupjob.yaml

@@ -101,6 +101,9 @@ spec:
           - name: machinekey
             mountPath: "/machinekey"
           {{- end}}
+          {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.setupJob.resources | nindent 12 }}
         {{- if include "deepCheck" (dict "root" .Values "path" (splitList "." "zitadel.configmapConfig.FirstInstance.Org.Machine")) }}
@@ -197,6 +200,9 @@ spec:
       {{- end }}
       - name: chowned-secrets
         emptyDir: {}
+      {{- with .Values.extraVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/zitadel/values.yaml

@@ -53,6 +53,9 @@ zitadel:
   # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
   dbSslUserCrtSecret: ""
 
+  # The Secret containing the certificate at key tls.crt and tls.key for listening on HTTPS
+  serverSslCrtSecret: ""
+
   # Generate a self-signed certificate using an init container
   # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
   # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
@@ -241,4 +244,15 @@ autoscaling:
   minReplicas: 3
   maxReplicas: 11
   targetCPU: 80
-  targetMemory: 80
+  targetMemory: 80
+extraVolumes: []
+  # - name: ca-certs
+  #   secret:
+  #     defaultMode: 420
+  #     secretName: ca-certs
+
+extraVolumeMounts: []
+  # - name: ca-certs
+  #   mountPath: /etc/ssl/certs/myca.pem
+  #   subPath: myca.pem
+  #   readOnly: true

go.mod

@@ -1,63 +1,63 @@
 module github.com/zitadel/zitadel-charts
 
-go 1.21
-
-toolchain go1.21.4
+go 1.22.3
 
 require (
-	github.com/gruntwork-io/terratest v0.46.13
+	github.com/gruntwork-io/terratest v0.46.15
 	github.com/jinzhu/copier v0.4.0
 	github.com/stretchr/testify v1.9.0
 	github.com/zitadel/oidc v1.13.5
-	github.com/zitadel/zitadel-go/v2 v2.1.11
+	github.com/zitadel/zitadel-go/v2 v2.2.4
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.29.3
-	k8s.io/apimachinery v0.29.3
-	k8s.io/client-go v0.29.3
+	k8s.io/api v0.30.1
+	k8s.io/apimachinery v0.30.1
+	k8s.io/client-go v0.30.1
 )
 
 require (
-	github.com/BurntSushi/toml v1.3.2 // indirect
-	github.com/aws/aws-sdk-go v1.44.122 // indirect
-	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/aws/aws-sdk-go v1.53.10 // indirect
+	github.com/boombuler/barcode v1.0.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-sql-driver/mysql v1.4.1 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-sql-driver/mysql v1.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/gonvenience/bunt v1.3.5 // indirect
-	github.com/gonvenience/neat v1.3.12 // indirect
+	github.com/gonvenience/neat v1.3.13 // indirect
 	github.com/gonvenience/term v1.0.2 // indirect
 	github.com/gonvenience/text v1.0.7 // indirect
-	github.com/gonvenience/wrap v1.1.2 // indirect
+	github.com/gonvenience/wrap v1.2.0 // indirect
 	github.com/gonvenience/ytbx v1.4.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/schema v1.2.0 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
-	github.com/gruntwork-io/go-commons v0.8.0 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/hashicorp/go-multierror v1.1.0 // indirect
-	github.com/homeport/dyff v1.6.0 // indirect
-	github.com/imdario/mergo v0.3.11 // indirect
+	github.com/gorilla/schema v1.3.0 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/gruntwork-io/go-commons v0.17.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/homeport/dyff v1.7.1 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-zglob v0.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/hashstructure v1.1.0 // indirect
@@ -69,32 +69,32 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/otp v1.4.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
-	github.com/urfave/cli v1.22.2 // indirect
+	github.com/urfave/cli/v2 v2.27.2 // indirect
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240125205218-1f4bbc51befe // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe // indirect
-	google.golang.org/grpc v1.62.1 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect
+	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )