Merge remote-tracking branch 'upstream/main'

README.md

@@ -23,6 +23,30 @@ Either follow the [guide for deploying ZITADEL on Kubernetes](https://zitadel.co
 - [Referenced Secrets Example](examples/5-referenced-secrets/README.md)
 - [Machine User Setup Example](examples/6-machine-user/README.md)
 
+## Upgrade from v7
+
+The default ZITADEL version is now >= v2.55.
+[This requires Cockroach DB to be at >= v23.2](https://zitadel.com/docs/support/advisory/a10009)
+If you are using an older version of Cockroach DB, please upgrade it before upgrading ZITADEL.
+
+Note that in order to upgrade cockroach, you should not jump minor versions.
+For example:
+
+```bash
+# install Cockroach DB v23.1.14
+helm upgrade db cockroachdb/cockroachdb --version 11.2.4 --reuse-values
+# install Cockroach DB v23.2.5
+helm upgrade db cockroachdb/cockroachdb --version 12.0.5 --reuse-values
+# install Cockroach DB v24.1.1
+helm upgrade db cockroachdb/cockroachdb --version 13.0.1 --reuse-values
+# install ZITADEL v2.55.0
+helm upgrade my-zitadel zitadel/zitadel --version 8.0.0 --reuse-values
+```
+
+Please refer to the docs by Cockroach Labs. The ZITADEL tests run against the [official CockroachDB chart](https://artifacthub.io/packages/helm/cockroachdb/cockroachdb).
+
+(Credits to @panapol-p and @kleberbaum :pray:)
+
 ## Upgrade from v6
 
 - Now, you have the flexibility to define resource requests and limits separately for the machineKeyWriter,

charts/zitadel/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: zitadel
 description: A Helm chart for ZITADEL
 type: application
-appVersion: "v2.51.3"
-version: 7.15.0
+appVersion: "v2.55.0"
+version: 8.1.0
 kubeVersion: ">= 1.21.0-0"
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:

charts/zitadel/acceptance/accessibility.go

@@ -5,13 +5,14 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
-	mgmt_api "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
+	mgmt_api "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
+
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	corev1 "k8s.io/api/core/v1"
 )
@@ -87,7 +88,9 @@ func (s *ConfigurationTest) checkAccessibility(pods []corev1.Pod) {
 			}
 			_, err = conn.Healthz(ctx, &mgmt_api.HealthzRequest{})
 			// TODO: Why is the key checked on the healthz RPC?
-			if strings.Contains(err.Error(), "Errors.AuthNKey.NotFound") || strings.Contains(err.Error(), "assertion invalid") {
+			if strings.Contains(err.Error(), "Errors.AuthNKey.NotFound") ||
+				strings.Contains(err.Error(), "Errors.User.NotFound") ||
+				strings.Contains(err.Error(), "assertion invalid") {
 				err = nil
 			}
 			return err

charts/zitadel/acceptance/config.go

@@ -43,7 +43,7 @@ var (
 	Cockroach = databaseChart{
 		repoUrl: "https://charts.cockroachdb.com/",
 		name:    "cockroachdb",
-		version: "11.1.5",
+		version: "13.0.1",
 		testValues: map[string]string{
 			"statefulset.replicas": "1",
 			"conf.single-node":     "true",

charts/zitadel/templates/_helpers.tpl

@@ -67,28 +67,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/*
-Create copy command or empty string
-*/}}
-{{- define "zitadel.makecpcommand" -}}
-{{- if .value -}}
-{{ printf "cp -r %s /chowned-secrets/" .path }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Join copy commands
-*/}}
-{{- define "zitadel.joincpcommands" -}}
-{{- $cmd := "" }}
-    {{- range .commands -}}
-        {{- if . -}}
-            {{- $cmd = printf "%s && %s" ( default "yes" . ) $cmd  -}}
-        {{- end -}}
-    {{- end -}}
-{{ print $cmd }}
-{{- end -}}
-
 {{/*
 Returns true if the full path is defined and the value at the end of the path is not empty
 */}}
@@ -107,7 +85,7 @@ Returns true if the full path is defined and the value at the end of the path is
 {{- end -}}
 
 {{/*
-Returns the database config from the secreConfig or else from the configmapConfig
+Returns the database config from the secretConfig or else from the configmapConfig
 */}}
 {{- define "zitadel.dbconfig.json" -}}
     {{- if include "deepCheck" (dict "root" . "path" (splitList "." "Values.zitadel.secretConfig.Database")) -}}

charts/zitadel/templates/debug_replicaset.yaml

@@ -37,7 +37,7 @@ spec:
             {{- toYaml .Values.securityContext | nindent 14 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}-debug"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the directories /config and /.secrets for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ]
+          command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the /config directory and the secret mounts for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ]
           env:
             - name: ZITADEL_MASTERKEY
               valueFrom:
@@ -49,59 +49,43 @@ spec:
             {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
-              value: /.secrets/db-ssl-ca-crt/ca.crt
+              value: /db-ssl-ca-crt/ca.crt
             {{- end }}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
-              value: /.secrets/db-ssl-user-crt/tls.crt
+              value: /db-ssl-user-crt/tls.crt
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
-              value: /.secrets/db-ssl-user-crt/tls.key
+              value: /db-ssl-user-crt/tls.key
             {{- end}}
             {{- with .Values.env }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
-            mountPath: /.secrets
-          resources:
-            {{- toYaml .Values.initJob.resources | nindent 14 }}
-      {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }}
-      initContainers:
-        - args:
-          - "{{ include "zitadel.joincpcommands" (dict "commands" (list
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
-              (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
-              )) }} find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
-          command:
-          - sh
-          - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
-          name: chown
-          volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+            readOnly: true
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.configSecretName }}
           - name: zitadel-secret-config-yaml
             mountPath: /zitadel-secret-config-yaml
+            readOnly: true
           {{- end }}
           {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
           - name: db-ssl-ca-crt
             mountPath: /db-ssl-ca-crt
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.dbSslUserCrtSecret }}
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
+            readOnly: true
           {{- end }}
-      {{- end }}
+          resources:
+            {{- toYaml .Values.initJob.resources | nindent 14 }}
       volumes:
       - name: zitadel-config-yaml
         configMap:
@@ -110,29 +94,32 @@ spec:
       - name: zitadel-secrets-yaml
         secret:
           secretName: zitadel-secrets-yaml
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.configSecretName }}
       - name: zitadel-secret-config-yaml
         secret:
           secretName: {{ .Values.zitadel.configSecretName }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslCaCrt }}
       - name: db-ssl-ca-crt
         secret:
           secretName: db-ssl-ca-crt
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslCaCrtSecret }}
       - name: db-ssl-ca-crt
         secret:
           secretName: {{ .Values.zitadel.dbSslCaCrtSecret }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslUserCrtSecret }}
       - name: db-ssl-user-crt
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
+          defaultMode: 0440
       {{- end }}
-      - name: chowned-secrets
-        emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -145,4 +132,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- end }}
+    {{- end }}