diff --git a/README.md b/README.md
index c13c2ea3..26b5ffff 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,30 @@ Either follow the [guide for deploying ZITADEL on Kubernetes](https://zitadel.co
 - [Referenced Secrets Example](examples/5-referenced-secrets/README.md)
 - [Machine User Setup Example](examples/6-machine-user/README.md)
 
+## Upgrade from v7
+
+The default ZITADEL version is now >= v2.55.
+[This requires Cockroach DB to be at >= v23.2](https://zitadel.com/docs/support/advisory/a10009)
+If you are using an older version of Cockroach DB, please upgrade it before upgrading ZITADEL.
+
+Note that in order to upgrade cockroach, you should not jump minor versions.
+For example:
+
+```bash
+# install Cockroach DB v23.1.14
+helm upgrade db cockroachdb/cockroachdb --version 11.2.4 --reuse-values
+# install Cockroach DB v23.2.5
+helm upgrade db cockroachdb/cockroachdb --version 12.0.5 --reuse-values
+# install Cockroach DB v24.1.1
+helm upgrade db cockroachdb/cockroachdb --version 13.0.1 --reuse-values
+# install ZITADEL v2.55.0
+helm upgrade my-zitadel zitadel/zitadel --version 8.0.0 --reuse-values
+```
+
+Please refer to the docs by Cockroach Labs. The ZITADEL tests run against the [official CockroachDB chart](https://artifacthub.io/packages/helm/cockroachdb/cockroachdb).
+
+(Credits to @panapol-p and @kleberbaum :pray:)
+
 ## Upgrade from v6
 
 - Now, you have the flexibility to define resource requests and limits separately for the machineKeyWriter,
diff --git a/charts/zitadel/Chart.yaml b/charts/zitadel/Chart.yaml
index 99306791..de544604 100644
--- a/charts/zitadel/Chart.yaml
+++ b/charts/zitadel/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: zitadel
 description: A Helm chart for ZITADEL
 type: application
-appVersion: "v2.51.3"
-version: 7.15.0
+appVersion: "v2.55.0"
+version: 8.1.0
 kubeVersion: ">= 1.21.0-0"
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:
diff --git a/charts/zitadel/acceptance/accessibility.go b/charts/zitadel/acceptance/accessibility.go
index f864f3a6..d489d9de 100644
--- a/charts/zitadel/acceptance/accessibility.go
+++ b/charts/zitadel/acceptance/accessibility.go
@@ -5,13 +5,14 @@ import (
 "crypto/x509"
 "errors"
 "fmt"
- mgmt_api "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
 "net/http"
 "strconv"
 "strings"
 "sync"
 "time"
 
+ mgmt_api "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
+
 "github.com/gruntwork-io/terratest/modules/k8s"
 corev1 "k8s.io/api/core/v1"
 )
@@ -87,7 +88,9 @@ func (s *ConfigurationTest) checkAccessibility(pods []corev1.Pod) {
 }
 _, err = conn.Healthz(ctx, &mgmt_api.HealthzRequest{})
 // TODO: Why is the key checked on the healthz RPC?
- if strings.Contains(err.Error(), "Errors.AuthNKey.NotFound") || strings.Contains(err.Error(), "assertion invalid") {
+ if strings.Contains(err.Error(), "Errors.AuthNKey.NotFound") ||
+ strings.Contains(err.Error(), "Errors.User.NotFound") ||
+ strings.Contains(err.Error(), "assertion invalid") {
 err = nil
 }
 return err
diff --git a/charts/zitadel/acceptance/config.go b/charts/zitadel/acceptance/config.go
index 7dea6dc8..909b8e07 100644
--- a/charts/zitadel/acceptance/config.go
+++ b/charts/zitadel/acceptance/config.go
@@ -43,7 +43,7 @@ var (
 Cockroach = databaseChart{
 repoUrl: "https://charts.cockroachdb.com/",
 name: "cockroachdb",
- version: "11.1.5",
+ version: "13.0.1",
 testValues: map[string]string{
 "statefulset.replicas": "1",
 "conf.single-node": "true",
diff --git a/charts/zitadel/templates/_helpers.tpl b/charts/zitadel/templates/_helpers.tpl
index 1fd7c0e5..5d047f05 100644
--- a/charts/zitadel/templates/_helpers.tpl
+++ b/charts/zitadel/templates/_helpers.tpl
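Review bot: The extended condition still calls `err.Error()` without a nil check, so if Healthz ever returns nil the test panics on a nil interface instead of reporting success; guard the whole expression with `if err != nil && (strings.Contains(err.Error(), "Errors.AuthNKey.NotFound") || strings.Contains(err.Error(), "Errors.User.NotFound") || strings.Contains(err.Error(), "assertion invalid")) {`. Adding "Errors.User.NotFound" to the swallowed set also widens what the acceptance check accepts as healthy: an instance whose machine user was never created now passes, so each tolerated error deserves a short comment stating why it is expected here, in place of the open TODO. checkAccessibility begins outside the hunk.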
@@ -67,28 +67,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/*
-Create copy command or empty string
-*/}}
-{{- define "zitadel.makecpcommand" -}}
-{{- if .value -}}
-{{ printf "cp -r %s /chowned-secrets/" .path }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Join copy commands
-*/}}
-{{- define "zitadel.joincpcommands" -}}
-{{- $cmd := "" }}
- {{- range .commands -}}
- {{- if . -}}
- {{- $cmd = printf "%s && %s" ( default "yes" . ) $cmd -}}
- {{- end -}}
- {{- end -}}
-{{ print $cmd }}
-{{- end -}}
-
 {{/*
 Returns true if the full path is defined and the value at the end of the path is not empty
 */}}
@@ -107,7 +85,7 @@ Returns true if the full path is defined and the value at the end of the path is
 {{- end -}}
 
 {{/*
-Returns the database config from the secreConfig or else from the configmapConfig
+Returns the database config from the secretConfig or else from the configmapConfig
 */}}
 {{- define "zitadel.dbconfig.json" -}}
 {{- if include "deepCheck" (dict "root" . "path" (splitList "." "Values.zitadel.secretConfig.Database")) -}}
diff --git a/charts/zitadel/templates/debug_replicaset.yaml b/charts/zitadel/templates/debug_replicaset.yaml
index fc23194d..881786f3 100644
--- a/charts/zitadel/templates/debug_replicaset.yaml
+++ b/charts/zitadel/templates/debug_replicaset.yaml
@@ -37,7 +37,7 @@ spec: {{- toYaml .Values.securityContext | nindent 14 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}-debug" imagePullPolicy: {{ .Values.image.pullPolicy }} - command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the directories /config and /.secrets for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ] + command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the /config directory and the secret mounts for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ] env: - name: ZITADEL_MASTERKEY valueFrom: 
@@ -49,13 +49,13 @@ spec: {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT - value: /.secrets/db-ssl-ca-crt/ca.crt + value: /db-ssl-ca-crt/ca.crt {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT - value: /.secrets/db-ssl-user-crt/tls.crt + value: /db-ssl-user-crt/tls.crt - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY - value: /.secrets/db-ssl-user-crt/tls.key + value: /db-ssl-user-crt/tls.key {{- end}} {{- with .Values.env }} {{- toYaml . | nindent 12 }} 
@@ -63,45 +63,29 @@ spec: volumeMounts: - name: zitadel-config-yaml mountPath: /config - - name: chowned-secrets - mountPath: /.secrets - resources: - {{- toYaml .Values.initJob.resources | nindent 14 }} - {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }} - initContainers: - - args: - - "{{ include "zitadel.joincpcommands" (dict "commands" (list - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" )) - )) }} find /chowned-secrets/ -type f -exec chmod 400 -- {} + " - command: - - sh - - -c - image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}" - imagePullPolicy: {{ .Values.chownImage.pullPolicy }} - name: chown - volumeMounts: - - name: chowned-secrets - mountPath: /chowned-secrets + readOnly: true {{- if .Values.zitadel.secretConfig }} - name: zitadel-secrets-yaml mountPath: /zitadel-secrets-yaml + readOnly: true {{- end }} {{- if .Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml mountPath: /zitadel-secret-config-yaml + readOnly: true {{- end }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: db-ssl-ca-crt mountPath: /db-ssl-ca-crt + readOnly: true {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt mountPath: /db-ssl-user-crt + readOnly: true {{- end }} - {{- end }} + resources: + {{- toYaml .Values.initJob.resources | nindent 14 }} volumes: - name: zitadel-config-yaml configMap: 
@@ -110,29 +94,32 @@ spec: - name: zitadel-secrets-yaml secret: secretName: zitadel-secrets-yaml + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml secret: secretName: {{ .Values.zitadel.configSecretName }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrt }} - name: db-ssl-ca-crt secret: secretName: db-ssl-ca-crt + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrtSecret }} - name: db-ssl-ca-crt secret: secretName: {{ .Values.zitadel.dbSslCaCrtSecret }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt secret: secretName: {{ .Values.zitadel.dbSslUserCrtSecret }} + defaultMode: 0440 {{- end }} - - name: chowned-secrets - emptyDir: {} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -145,4 +132,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/charts/zitadel/templates/deployment.yaml b/charts/zitadel/templates/deployment.yaml index be00ea69..3ece57f2 100644 --- a/charts/zitadel/templates/deployment.yaml +++ b/charts/zitadel/templates/deployment.yaml @@ -50,11 +50,11 @@ spec: - /config/zitadel-config-yaml {{- if .Values.zitadel.secretConfig }} - --config - - /.secrets/zitadel-secrets-yaml/zitadel-secrets-yaml + - /zitadel-secrets-yaml/zitadel-secrets-yaml {{- end }} {{- if and .Values.zitadel.configSecretName .Values.zitadel.configSecretKey }} - --config - - /.secrets/zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} + - /zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} {{- end }} - --masterkeyFromEnv env: 
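Review bot: `defaultMode: 0440` on the secret volumes only works together with the `podSecurityContext.fsGroup: 1000` added in values.yaml: secret files are owned by root, so without an fsGroup a process running as UID 1000 cannot read a 0440 file and the pod fails to start. Deployments that override `podSecurityContext` (arbitrary-UID platforms, for example) lose that implicitly, so a comment on the volume such as `# 0440 relies on podSecurityContext.fsGroup so the non-root process can read the file` and a line in the README upgrade section would make the coupling visible. The same applies to the matching volume hunks in deployment.yaml, initjob.yaml and setupjob.yaml. Also, initjob.yaml and setupjob.yaml add `defaultMode: 0440` to the `zitadel-config-yaml` configMap volume, while this file and deployment.yaml appear to leave that volume untouched (it sits just before this hunk); the two should agree.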
@@ -71,19 +71,19 @@ spec: {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT - value: /.secrets/db-ssl-ca-crt/ca.crt + value: /db-ssl-ca-crt/ca.crt {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT - value: /.secrets/db-ssl-user-crt/tls.crt + value: /db-ssl-user-crt/tls.crt - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY - value: /.secrets/db-ssl-user-crt/tls.key + value: /db-ssl-user-crt/tls.key {{- end }} {{- if .Values.zitadel.serverSslCrtSecret }} - name: ZITADEL_TLS_CERTPATH - value: /.secrets/server-ssl-crt/tls.crt + value: /server-ssl-crt/tls.crt - name: ZITADEL_TLS_KEYPATH - value: /.secrets/server-ssl-crt/tls.key + value: /server-ssl-crt/tls.key {{- end }} {{- if .Values.zitadel.selfSignedCert.enabled }} - name: ZITADEL_TLS_CERTPATH 
@@ -154,56 +154,43 @@ spec: volumeMounts: - name: zitadel-config-yaml mountPath: /config - - name: chowned-secrets - mountPath: /.secrets - {{- if .Values.zitadel.selfSignedCert.enabled }} - - name: tls - mountPath: /etc/tls - {{- end }} - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.resources | nindent 14 }} - initContainers: - - args: - - "{{ include "zitadel.joincpcommands" (dict "commands" (list - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.serverSslCrtSecret "path" "/server-ssl-crt/" )) - )) }} find /chowned-secrets/ -type f -exec chmod 400 -- {} + " - command: - - sh - - -c - image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}" - imagePullPolicy: {{ .Values.chownImage.pullPolicy }} - name: chown - volumeMounts: - - name: chowned-secrets - mountPath: /chowned-secrets + readOnly: true {{- if .Values.zitadel.secretConfig }} - name: zitadel-secrets-yaml mountPath: /zitadel-secrets-yaml + readOnly: true {{- end }} {{- if .Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml mountPath: /zitadel-secret-config-yaml + readOnly: true {{- end }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: db-ssl-ca-crt mountPath: /db-ssl-ca-crt + readOnly: true {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt mountPath: /db-ssl-user-crt + readOnly: true {{- end }} {{- if .Values.zitadel.serverSslCrtSecret }} - 
name: server-ssl-crt mountPath: /server-ssl-crt + readOnly: true + {{- end }} + {{- if .Values.zitadel.selfSignedCert.enabled }} + - name: tls + mountPath: /etc/tls {{- end }} - {{- if .Values.zitadel.selfSignedCert.enabled }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 14 }} + {{- if .Values.zitadel.selfSignedCert.enabled }} + initContainers: - name: generate-self-signed-cert image: alpine/openssl env: @@ -223,11 +210,8 @@ spec: - "-c" - "openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout /etc/tls/tls.key -out /etc/tls/tls.crt -days 3560 -subj \"/CN=ZITADEL Chart Demo\" -addext \"subjectAltName = DNS:localhost,DNS:${POD_IP},DNS:${POD_NAME}{{- if .Values.zitadel.configmapConfig.ExternalDomain -}},DNS:{{- .Values.zitadel.configmapConfig.ExternalDomain -}}{{- end -}}{{- if .Values.zitadel.selfSignedCert.additionalDnsName -}},DNS:{{- .Values.zitadel.selfSignedCert.additionalDnsName -}}{{- end -}}\"" securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - privileged: false - runAsUser: 1000 - {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} volumes: - name: zitadel-config-yaml configMap: 
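Review bot: The generate-self-signed-cert init container now takes its `securityContext` from `.Values.securityContext` instead of the fixed `readOnlyRootFilesystem`/`runAsNonRoot`/`privileged: false`/`runAsUser: 1000` block, so a user who overrides `securityContext` (the previous chart default was `{}`) silently removes those restrictions from a container that runs an unpinned `alpine/openssl` image. If one value is meant to govern every container, say so in values.yaml next to `securityContext`, e.g. `# also applied to the self-signed-cert init container`, so operators know what an override relaxes. The `image: alpine/openssl` line is unchanged context, but pinning it to a tag or digest would fit the hardening this change introduces. The container spec continues past the end of this hunk.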
@@ -236,34 +220,38 @@ spec: - name: zitadel-secrets-yaml secret: secretName: zitadel-secrets-yaml + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml secret: secretName: {{ .Values.zitadel.configSecretName }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrt }} - name: db-ssl-ca-crt secret: secretName: db-ssl-ca-crt + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrtSecret }} - name: db-ssl-ca-crt secret: secretName: {{ .Values.zitadel.dbSslCaCrtSecret }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt secret: secretName: {{ .Values.zitadel.dbSslUserCrtSecret }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.serverSslCrtSecret }} - name: server-ssl-crt secret: secretName: {{ .Values.zitadel.serverSslCrtSecret }} + defaultMode: 0440 {{- end }} - - name: chowned-secrets - emptyDir: {} {{- if .Values.zitadel.selfSignedCert.enabled }} - name: tls emptyDir: {} diff --git a/charts/zitadel/templates/initjob.yaml b/charts/zitadel/templates/initjob.yaml index b9a7e9e1..a8f92a47 100644 --- a/charts/zitadel/templates/initjob.yaml +++ b/charts/zitadel/templates/initjob.yaml @@ -41,7 +41,6 @@ spec: {{- toYaml .Values.securityContext | nindent 14 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - init {{- with .Values.initJob.command }} @@ -55,11 +54,11 @@ spec: - /config/zitadel-config-yaml {{- if .Values.zitadel.secretConfig }} - --config - - /.secrets/zitadel-secrets-yaml/zitadel-secrets-yaml + - /zitadel-secrets-yaml/zitadel-secrets-yaml {{- end }} {{- if and .Values.zitadel.configSecretName .Values.zitadel.configSecretKey }} - --config - - /.secrets/zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} + - /zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} {{- end }} env: - name: POD_IP 
@@ -70,21 +69,21 @@ spec: {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT - value: /.secrets/db-ssl-ca-crt/ca.crt + value: /db-ssl-ca-crt/ca.crt - name: ZITADEL_DATABASE_{{ $dbEnv }}_ADMIN_SSL_ROOTCERT - value: /.secrets/db-ssl-ca-crt/ca.crt + value: /db-ssl-ca-crt/ca.crt {{- end}} {{- if .Values.zitadel.dbSslAdminCrtSecret }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_ADMIN_SSL_CERT - value: /.secrets/db-ssl-admin-crt/tls.crt + value: /db-ssl-admin-crt/tls.crt - name: ZITADEL_DATABASE_{{ $dbEnv }}_ADMIN_SSL_KEY - value: /.secrets/db-ssl-admin-crt/tls.key + value: /db-ssl-admin-crt/tls.key {{- end}} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT - value: /.secrets/db-ssl-user-crt/tls.crt + value: /db-ssl-user-crt/tls.crt - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY - value: /.secrets/db-ssl-user-crt/tls.key + value: /db-ssl-user-crt/tls.key {{- end}} {{- with .Values.env }} {{- toYaml . | nindent 12 }} 
@@ -92,92 +91,81 @@ spec: volumeMounts: - name: zitadel-config-yaml mountPath: /config - - name: chowned-secrets - mountPath: /.secrets - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.initJob.resources | nindent 14 }} - {{- if .Values.initJob.extraContainers }} - {{- toYaml .Values.initJob.extraContainers | nindent 8 }} - {{- end }} - {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslAdminCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }} - initContainers: - - args: - - "{{ include "zitadel.joincpcommands" (dict "commands" (list - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslAdminCrtSecret "path" "/db-ssl-admin-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" )) - )) }} find /chowned-secrets/ -type f -exec chmod 400 -- {} + " - command: - - sh - - -c - image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}" - imagePullPolicy: {{ .Values.chownImage.pullPolicy }} - name: chown - volumeMounts: - - name: chowned-secrets - mountPath: /chowned-secrets + readOnly: true {{- if .Values.zitadel.secretConfig }} - name: zitadel-secrets-yaml mountPath: /zitadel-secrets-yaml + readOnly: true {{- end }} {{- if .Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml mountPath: /zitadel-secret-config-yaml + readOnly: true {{- end }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: 
db-ssl-ca-crt mountPath: /db-ssl-ca-crt + readOnly: true {{- end }} {{- if .Values.zitadel.dbSslAdminCrtSecret }} - name: db-ssl-admin-crt mountPath: /db-ssl-admin-crt + readOnly: true {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt mountPath: /db-ssl-user-crt + readOnly: true {{- end }} - {{- end}} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.initJob.resources | nindent 14 }} + {{- if .Values.initJob.extraContainers }} + {{- toYaml .Values.initJob.extraContainers | nindent 8 }} + {{- end }} volumes: - name: zitadel-config-yaml configMap: name: zitadel-config-yaml + defaultMode: 0440 {{- if .Values.zitadel.secretConfig }} - name: zitadel-secrets-yaml secret: secretName: zitadel-secrets-yaml + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml secret: secretName: {{ .Values.zitadel.configSecretName }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrt }} - name: db-ssl-ca-crt secret: secretName: db-ssl-ca-crt + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrtSecret }} - name: db-ssl-ca-crt secret: secretName: {{ .Values.zitadel.dbSslCaCrtSecret }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslAdminCrtSecret }} - name: db-ssl-admin-crt secret: secretName: {{ .Values.zitadel.dbSslAdminCrtSecret }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt secret: secretName: {{ .Values.zitadel.dbSslUserCrtSecret }} + defaultMode: 0440 {{- end }} - - name: chowned-secrets - emptyDir: {} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} diff --git a/charts/zitadel/templates/setupjob.yaml b/charts/zitadel/templates/setupjob.yaml index 74ebc09c..270f6700 100644 --- a/charts/zitadel/templates/setupjob.yaml +++ b/charts/zitadel/templates/setupjob.yaml 
@@ -52,15 +52,15 @@ spec: - /config/zitadel-config-yaml {{- if .Values.zitadel.secretConfig }} - --config - - /.secrets/zitadel-secrets-yaml/zitadel-secrets-yaml + - /zitadel-secrets-yaml/zitadel-secrets-yaml - --steps - - /.secrets/zitadel-secrets-yaml/zitadel-secrets-yaml + - /zitadel-secrets-yaml/zitadel-secrets-yaml {{- end }} {{- if and .Values.zitadel.configSecretName .Values.zitadel.configSecretKey }} - --config - - /.secrets/zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} + - /zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} - --steps - - /.secrets/zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} + - /zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }} {{- end }} {{- if .Values.setupJob.additionalArgs }} {{- toYaml .Values.setupJob.additionalArgs | nindent 12 }} @@ -81,13 +81,13 @@ spec: {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }} {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT - value: /.secrets/db-ssl-ca-crt/ca.crt + value: /db-ssl-ca-crt/ca.crt {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT - value: /.secrets/db-ssl-user-crt/tls.crt + value: /db-ssl-user-crt/tls.crt - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY - value: /.secrets/db-ssl-user-crt/tls.key + value: /db-ssl-user-crt/tls.key {{- end}} {{- with .Values.env }} {{- toYaml . | nindent 12 }} 
@@ -95,8 +95,27 @@ spec: volumeMounts: - name: zitadel-config-yaml mountPath: /config - - name: chowned-secrets - mountPath: /.secrets + readOnly: true + {{- if .Values.zitadel.secretConfig }} + - name: zitadel-secrets-yaml + mountPath: /zitadel-secrets-yaml + readOnly: true + {{- end }} + {{- if .Values.zitadel.configSecretName }} + - name: zitadel-secret-config-yaml + mountPath: /zitadel-secret-config-yaml + readOnly: true + {{- end }} + {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} + - name: db-ssl-ca-crt + mountPath: /db-ssl-ca-crt + readOnly: true + {{- end }} + {{- if .Values.zitadel.dbSslUserCrtSecret }} + - name: db-ssl-user-crt + mountPath: /db-ssl-user-crt + readOnly: true + {{- end }} {{- if include "deepCheck" (dict "root" .Values "path" (splitList "." "zitadel.configmapConfig.FirstInstance.Org.Machine")) }} - name: machinekey mountPath: "/machinekey" @@ -120,6 +139,7 @@ spec: volumeMounts: - name: machinekey mountPath: "/machinekey" + readOnly: true resources: {{- if .Values.setupJob.machinekeyWriter.resources }} {{- toYaml .Values.setupJob.machinekeyWriter.resources | nindent 12 }} 
@@ -130,76 +150,45 @@ spec: {{- if .Values.setupJob.extraContainers }} {{- toYaml .Values.setupJob.extraContainers | nindent 8 }} {{- end }} - {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }} - initContainers: - - args: - - "{{ include "zitadel.joincpcommands" (dict "commands" (list - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" )) - (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" )) - (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" )) - )) }} find /chowned-secrets/ -type f -exec chmod 400 -- {} + " - command: - - sh - - -c - image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}" - imagePullPolicy: {{ .Values.chownImage.pullPolicy }} - name: chown - volumeMounts: - - name: chowned-secrets - mountPath: /chowned-secrets - {{- if .Values.zitadel.secretConfig }} - - name: zitadel-secrets-yaml - mountPath: /zitadel-secrets-yaml - {{- end }} - {{- if .Values.zitadel.configSecretName }} - - name: zitadel-secret-config-yaml - mountPath: /zitadel-secret-config-yaml - {{- end }} - {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }} - - name: db-ssl-ca-crt - mountPath: /db-ssl-ca-crt - {{- end }} - {{- if .Values.zitadel.dbSslUserCrtSecret }} - - name: db-ssl-user-crt - mountPath: /db-ssl-user-crt - {{- end }} - {{- end }} volumes: - name: zitadel-config-yaml configMap: name: zitadel-config-yaml + defaultMode: 0440 {{- if .Values.zitadel.secretConfig }} - name: zitadel-secrets-yaml secret: secretName: zitadel-secrets-yaml + defaultMode: 0440 {{- end }} {{- if 
.Values.zitadel.configSecretName }} - name: zitadel-secret-config-yaml secret: secretName: {{ .Values.zitadel.configSecretName }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrt }} - name: db-ssl-ca-crt secret: secretName: db-ssl-ca-crt + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslCaCrtSecret }} - name: db-ssl-ca-crt secret: secretName: {{ .Values.zitadel.dbSslCaCrtSecret }} + defaultMode: 0440 {{- end }} {{- if .Values.zitadel.dbSslUserCrtSecret }} - name: db-ssl-user-crt secret: secretName: {{ .Values.zitadel.dbSslUserCrtSecret }} + defaultMode: 0440 {{- end }} {{- if include "deepCheck" (dict "root" .Values "path" (splitList "." "zitadel.configmapConfig.FirstInstance.Org.Machine")) }} - name: machinekey emptyDir: { } {{- end }} - - name: chowned-secrets - emptyDir: {} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 6 }} {{- end }} diff --git a/charts/zitadel/values.yaml b/charts/zitadel/values.yaml index 3f48a5a1..00c14749 100644 --- a/charts/zitadel/values.yaml +++ b/charts/zitadel/values.yaml @@ -82,11 +82,6 @@ image: # Overrides the image tag whose default is the chart appVersion. tag: "" -chownImage: - repository: alpine - pullPolicy: IfNotPresent - tag: "3.19" - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -120,8 +115,13 @@ podAdditionalLabels: {} podSecurityContext: runAsNonRoot: true runAsUser: 1000 + fsGroup: 1000 -securityContext: {} +securityContext: + runAsNonRoot: true + runAsUser: 1000 + readOnlyRootFilesystem: true + privileged: false # Additional environment variables env: diff --git a/examples/2-postgres-secure/certs-job.yaml b/examples/2-postgres-secure/certs-job.yaml index 1eeb1aca..e94e43bf 100644 --- a/examples/2-postgres-secure/certs-job.yaml +++ b/examples/2-postgres-secure/certs-job.yaml 
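Review bot: The new `securityContext` default stops short of the restricted Pod Security Standard: it sets `runAsNonRoot`, `runAsUser`, `readOnlyRootFilesystem` and `privileged: false` but not `allowPrivilegeEscalation: false`, `capabilities: { drop: ["ALL"] }` or a `seccompProfile` of `RuntimeDefault`, which that profile requires and which clusters enforcing it through Pod Security Admission will reject. Since the chart now ships a hardened default rather than `{}`, adding those fields keeps the default deployable under `restricted` without per-site overrides. Neither `podSecurityContext` nor `securityContext` carries an explanatory comment; `# fsGroup lets the non-root process read the 0440 secret mounts` on the new `fsGroup` line records why it exists.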
@@ -33,16 +33,11 @@ spec: spec: restartPolicy: OnFailure serviceAccountName: certs-creator - containers: + initContainers: - command: - - /usr/local/bin/bash - - -ecx + - /bin/ash + - -c - | - apk add openssl curl - - export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount - export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt - function createKey() { USER=$1 openssl genrsa -out ${USER}.key 2048 @@ -96,18 +91,11 @@ spec: function createCertSecret { USER=$1 - echo "CACERT value: ${CACERT}" - echo "TOKEN value: ${TOKEN}" - echo "APISERVER value: ${APISERVER}" - echo "NAMESPACE value: ${NAMESPACE}" - curl \ - --cacert ${CACERT} \ - --header "Authorization: Bearer ${TOKEN}" \ - --header "Content-Type: application/json" \ - -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \ - --data "$(echo -n $(secretJson ${USER}) | tr -d '\n')" + secretJson ${USER} >> ${USER}-cert.json } + cd /secret + # Create a CA key and cert for signing other certs createKey ca openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA" 
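Review bot: The create-certs command moves from `/usr/local/bin/bash -ecx` to `/bin/ash -c`, so the script no longer stops on the first failing command: a failed `openssl genrsa` or `req` step now continues into `createCertSecret` with incomplete or missing certificate files. `- -ec` (or `set -e` at the top of the script) restores that behaviour. In `createCertSecret`, `secretJson ${USER} >> ${USER}-cert.json` appends; because the `/secret` emptyDir survives a container restart under `restartPolicy: OnFailure`, a retried run concatenates two JSON documents into one file, so `>` is the safer redirection. The shell script continues in the next hunk.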
@@ -121,6 +109,40 @@ spec: createSigningRequest zitadel signCertificate zitadel.csr zitadel.crt ca.crt ca.key createCertSecret zitadel - image: bash:5.2.15 + image: alpine/openssl imagePullPolicy: IfNotPresent name: create-certs + volumeMounts: + - mountPath: /secret + name: secret + containers: + - image: alpine/curl + name: apply-certs + imagePullPolicy: IfNotPresent + command: + - /bin/ash + - -c + - | + export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt + + function uploadSecret { + USER=$1 + curl \ + --cacert ${CACERT} \ + --header "Authorization: Bearer ${TOKEN}" \ + --header "Content-Type: application/json" \ + -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \ + --data "$(tr -d '\n' < /secret/${USER}-cert.json)" \ + > /dev/null || echo "error uploading ${USER} secret: $?" + } + + uploadSecret postgres + uploadSecret zitadel + volumeMounts: + - mountPath: /secret + name: secret + volumes: + - name: secret + emptyDir: + medium: Memory diff --git a/go.mod b/go.mod index 9df7cded..5680e1c0 100644 --- a/go.mod +++ b/go.mod @@ -3,15 +3,15 @@ module github.com/zitadel/zitadel-charts go 1.22.3 require ( - github.com/gruntwork-io/terratest v0.46.15 + github.com/gruntwork-io/terratest v0.47.0 github.com/jinzhu/copier v0.4.0 github.com/stretchr/testify v1.9.0 github.com/zitadel/oidc v1.13.5 - github.com/zitadel/zitadel-go/v2 v2.2.4 + github.com/zitadel/zitadel-go/v2 v2.2.6 gopkg.in/yaml.v3 v3.0.1 - k8s.io/api v0.30.1 - k8s.io/apimachinery v0.30.1 - k8s.io/client-go v0.30.1 + k8s.io/api v0.30.3 + k8s.io/apimachinery v0.30.3 + k8s.io/client-go v0.30.3 ) require ( 
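Review bot: `curl` in `uploadSecret` runs without `--fail`, so an API-server rejection (403 from RBAC, 409 when the secret already exists, 422 on a malformed body) exits 0, the `|| echo` branch never fires, and the Job completes successfully with no secret created. `--fail-with-body` makes those responses hit the error branch, and that branch should end in `exit 1` so the Job is retried rather than reported as done. The new `alpine/openssl` and `alpine/curl` images replace the pinned `bash:5.2.15` with floating tags; pinning a tag or digest keeps the example reproducible. The in-memory `emptyDir` for the generated keys is a good choice and worth a one-line comment saying why, e.g. `# Memory-backed so private keys never touch node disk`.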
@@ -41,7 +41,7 @@ require (
 github.com/google/gnostic-models v0.6.8 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
-github.com/gorilla/schema v1.3.0 // indirect
+github.com/gorilla/schema v1.4.1 // indirect
 github.com/gorilla/securecookie v1.1.2 // indirect
 github.com/gorilla/websocket v1.5.1 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
@@ -75,19 +75,19 @@ require (
 github.com/urfave/cli/v2 v2.27.2 // indirect
 github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-golang.org/x/crypto v0.23.0 // indirect
+golang.org/x/crypto v0.24.0 // indirect
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-golang.org/x/net v0.25.0 // indirect
-golang.org/x/oauth2 v0.20.0 // indirect
+golang.org/x/net v0.26.0 // indirect
+golang.org/x/oauth2 v0.21.0 // indirect
 golang.org/x/sync v0.7.0 // indirect
-golang.org/x/sys v0.20.0 // indirect
-golang.org/x/term v0.20.0 // indirect
-golang.org/x/text v0.15.0 // indirect
+golang.org/x/sys v0.21.0 // indirect
+golang.org/x/term v0.21.0 // indirect
+golang.org/x/text v0.16.0 // indirect
 golang.org/x/time v0.5.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect
-google.golang.org/grpc v1.64.0 // indirect
-google.golang.org/protobuf v1.34.1 // indirect
+google.golang.org/grpc v1.64.1 // indirect
+google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 07015f60..25415bb3 100644
--- a/go.sum
+++ b/go.sum
@@ -67,8 +67,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/schema v1.3.0 h1:rbciOzXAx3IB8stEFnfTwO3sYa6EWlQk79XdyustPDA= -github.com/gorilla/schema v1.3.0/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM= +github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E= +github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM= github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= @@ -78,8 +78,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.15 h1:qfqjTFveymaqe7aAWn3LjlK0SwVGpRfoOut5ggNyfQ8= -github.com/gruntwork-io/terratest v0.46.15/go.mod h1:9bd22zAojjBBiYdsp+AR1iyl2iB6bRUVm2Yf1AFhfrA= +github.com/gruntwork-io/terratest v0.47.0 h1:xIy1pT7NbGVlMLDZEHl3+3iSnvffh8tN2pL6idn448c= +github.com/gruntwork-io/terratest v0.47.0/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -174,13 +174,13 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/zitadel/oidc v1.13.5 h1:7jhh68NGZitLqwLiVU9Dtwa4IraJPFF1vS+4UupO93U= github.com/zitadel/oidc v1.13.5/go.mod h1:rHs1DhU3Sv3tnI6bQRVlFa3u0lCwtR7S21WHY+yXgPA= -github.com/zitadel/zitadel-go/v2 v2.2.4 h1:Mkr19Hznm7G+Taozn9R18KUjN4ULkp99qEfxKqQxp40= -github.com/zitadel/zitadel-go/v2 v2.2.4/go.mod h1:eCUMwxKXoDz46a3wzBeT7/fiCJS89bv0bHDuWQt2ddY= +github.com/zitadel/zitadel-go/v2 v2.2.6 h1:FWpdqJ9IG30piD5BMDFIRpKNf27+jXqF7lL+Fi1mWLk= +github.com/zitadel/zitadel-go/v2 v2.2.6/go.mod h1:DBU+VTO+4fGj0XvCZlPe69A8kNAkA+73azusAMyWhM0= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -189,10 +189,10 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= -golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= -golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= -golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -202,22 +202,22 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= -golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools 
v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= -golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -226,10 +226,10 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e h1: google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e/go.mod h1:LweJcLbyVij6rCex8YunD8DYR5VDonap/jYl3ZRxcIU= google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e h1:Elxv5MwEkCI9f5SkoL6afed6NTdxaGoAo39eANBwHL8= google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= -google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= -google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= -google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= -google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA= +google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 
@@ -246,12 +246,12 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= -k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM= -k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U= -k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q= -k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a h1:zD1uj3Jf+mD4zmA7W+goE5TxDkI7OGJjBNBzq5fJtLA=