From c6fa04589386155ee2f5e3c16cd39b873e0c7345 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Fri, 13 Jun 2025 23:24:02 +0200 Subject: [PATCH 1/8] it works Signed-off-by: Miguel Martinez --- .../charts/dex/templates/_helpers.tpl | 2 +- deployment/chainloop/templates/_helpers.tpl | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/deployment/chainloop/charts/dex/templates/_helpers.tpl b/deployment/chainloop/charts/dex/templates/_helpers.tpl index 39731644e..b6ce58e0f 100644 --- a/deployment/chainloop/charts/dex/templates/_helpers.tpl +++ b/deployment/chainloop/charts/dex/templates/_helpers.tpl @@ -34,4 +34,4 @@ Chainloop Dex release name */}} {{- define "chainloop.dex.fullname" -}} {{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index cc096d9aa..e25dab6b6 100644 --- a/deployment/chainloop/templates/_helpers.tpl +++ b/deployment/chainloop/templates/_helpers.tpl @@ -187,7 +187,7 @@ OIDC settings, will fallback to development settings if needed {{- define "controlplane.oidc_settings" -}} {{- if .Values.development }} {{- with .Values.controlplane.auth }} - domain: "{{ coalesce .oidc.url "http://chainloop-dex:5556/dex" }}" + domain: "{{ coalesce .oidc.url (include "chainloop.dex.external_url" $ ) }}" client_id: "{{ coalesce .oidc.clientID "chainloop-dev" }}" client_secret: "{{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" }}" {{- if .oidc.loginURLOverride }} 
@@ -451,4 +451,20 @@ Return the Nats connection string {{- $host := required "nats server hostname not set" .Values.controlplane.nats.host }} {{- $port := required "nats server port not set" .Values.controlplane.nats.port }} {{- printf "nats://%s:%d" $host ($port | int) }} +{{- end -}} + +{{/* +Figure out the external URL for Dex service +*/}} +{{- define "chainloop.dex.external_url" -}} +{{- $service := .Values.dex.dex.service }} +{{- $ingress := .Values.dex.dex.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} +{{- printf "http://localhost:%s" $service.nodePorts.http }} +{{- else -}} +{{- printf "http://%s:%d/dex" ( include "chainloop.dex.fullname" $ ) ( int $service.ports.http ) }} +{{- end -}} {{- end -}} \ No newline at end of file From 6f29ebd55330dd956ca5132ec12fca81359494ab Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Sat, 14 Jun 2025 11:38:57 +0200 Subject: [PATCH 2/8] it works Signed-off-by: Miguel Martinez --- .../charts/dex/templates/_helpers.tpl | 16 ++++++++++++++++ deployment/chainloop/templates/_helpers.tpl | 18 ++---------------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/deployment/chainloop/charts/dex/templates/_helpers.tpl b/deployment/chainloop/charts/dex/templates/_helpers.tpl index b6ce58e0f..b9a6fdc34 100644 --- a/deployment/chainloop/charts/dex/templates/_helpers.tpl +++ b/deployment/chainloop/charts/dex/templates/_helpers.tpl 
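Review bot: In the NodePort branch of the new `chainloop.dex.external_url` helper, `printf "http://localhost:%s" $service.nodePorts.http` formats the port with `%s`, so an integer value (the natural way to write a port in values.yaml) renders as Go's `%!s(int=…)` rather than the number, and the resulting URL is then handed to the controlplane as its OIDC `domain`. The `else` branch already casts with `( int $service.ports.http )` and `%d`; the same treatment keeps both branches consistent: `{{- printf "http://localhost:%d" (int $service.nodePorts.http) }}`. The `(not (empty …))` guard means this branch only runs when a port was set, so the cast never sees an empty string. The identical line is carried into the subchart copy of the helper in patch 2 and survives the rewrite in patch 3, so the fix belongs in the final version too.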
@@ -35,3 +35,19 @@ Chainloop Dex release name {{- define "chainloop.dex.fullname" -}} {{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +Figure out the external URL for Dex service +*/}} +{{- define "chainloop.dex.external_url" -}} +{{- $service := .Values.dex.service }} +{{- $ingress := .Values.dex.ingress }} + +{{- if (and $ingress $ingress.enabled $ingress.hostname) }} +{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} +{{- printf "http://localhost:%s" $service.nodePorts.http }} +{{- else -}} +{{- printf "http://%s:%d/dex" ( include "chainloop.dex.fullname" $ ) ( int $service.ports.http ) }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index e25dab6b6..e1fee827a 100644 --- a/deployment/chainloop/templates/_helpers.tpl +++ b/deployment/chainloop/templates/_helpers.tpl @@ -187,7 +187,8 @@ OIDC settings, will fallback to development settings if needed {{- define "controlplane.oidc_settings" -}} {{- if .Values.development }} {{- with .Values.controlplane.auth }} - domain: "{{ coalesce .oidc.url (include "chainloop.dex.external_url" $ ) }}" + {{- $dexContext := dict "Values" $.Values.dex "Chart" $.Chart "Release" $.Release "Capabilities" $.Capabilities "Template" $.Template }} + domain: "{{ coalesce .oidc.url (include "chainloop.dex.external_url" $dexContext ) }}" client_id: "{{ coalesce .oidc.clientID "chainloop-dev" }}" client_secret: "{{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" }}" {{- if .oidc.loginURLOverride }} 
@@ -453,18 +454,3 @@ Return the Nats connection string {{- printf "nats://%s:%d" $host ($port | int) }} {{- end -}} -{{/* -Figure out the external URL for Dex service -*/}} -{{- define "chainloop.dex.external_url" -}} -{{- $service := .Values.dex.dex.service }} -{{- $ingress := .Values.dex.dex.ingress }} - -{{- if (and $ingress $ingress.enabled $ingress.hostname) }} -{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} -{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} -{{- printf "http://localhost:%s" $service.nodePorts.http }} -{{- else -}} -{{- printf "http://%s:%d/dex" ( include "chainloop.dex.fullname" $ ) ( int $service.ports.http ) }} -{{- end -}} -{{- end -}} \ No newline at end of file From 8ed990d89093c6d23c3f756b44d45b26c89020e7 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Sat, 14 Jun 2025 12:36:45 +0200 Subject: [PATCH 3/8] fix issuer Signed-off-by: Miguel Martinez --- .../charts/dex/templates/_helpers.tpl | 31 ++++-- .../charts/dex/templates/deployment.yaml | 2 +- .../charts/dex/templates/ingress.yaml | 66 +++++++++++ .../charts/dex/templates/metrics-svc.yaml | 2 +- .../charts/dex/templates/networkpolicy.yaml | 4 +- .../chainloop/charts/dex/templates/pdb.yaml | 2 +- .../chainloop/charts/dex/templates/role.yaml | 2 +- .../charts/dex/templates/rolebinding.yaml | 4 +- .../charts/dex/templates/secret.yaml | 2 +- .../charts/dex/templates/service.yaml | 2 +- .../charts/dex/templates/servicemonitor.yaml | 2 +- deployment/chainloop/charts/dex/values.yaml | 103 +++++++++++++++++- 12 files changed, 199 insertions(+), 23 deletions(-) create mode 100644 deployment/chainloop/charts/dex/templates/ingress.yaml diff --git a/deployment/chainloop/charts/dex/templates/_helpers.tpl b/deployment/chainloop/charts/dex/templates/_helpers.tpl index b9a6fdc34..7a231f980 100644 --- a/deployment/chainloop/charts/dex/templates/_helpers.tpl 
+++ b/deployment/chainloop/charts/dex/templates/_helpers.tpl @@ -11,13 +11,6 @@ Return the proper Dex image name {{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }} {{- end -}} -{{/* -Return the proper service name for Dex -*/}} -{{- define "chainloop.dex" -}} - {{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} -{{- end -}} - {{/* Create the name of the service account to use for Dex */}} @@ -29,11 +22,19 @@ Create the name of the service account to use for Dex {{- end -}} {{- end -}} +{{/* +Chainloop Dex name +*/}} +{{- define "chainloop.dex.name" -}} +{{- printf "%s-%s" (include "common.names.name" .) "dex" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* Chainloop Dex release name */}} {{- define "chainloop.dex.fullname" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}} +{{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* 
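Review bot: `chainloop.dex.name` is added here but nothing in this series includes it, so as of patch 3 it is a dead helper; either give it a consumer or drop it. The removed `chainloop.dex` helper and the reworked `chainloop.dex.fullname` now both reduce to `common.names.fullname`, which is why the `chainloop.dex` → `chainloop.dex.fullname` renames in the other templates leave the rendered names unchanged, while callers that still want the `-dex` suffix must now append it themselves (as the external URL helper does in the next hunk). A one-line comment on the define would stop the suffix from being re-added later: `{{/* Release fullname of the Dex subchart; no "-dex" suffix, callers append it where a service hostname is needed */}}`. The extra blank line between the two defines is a leftover worth removing.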
@@ -44,10 +45,18 @@ Figure out the external URL for Dex service {{- $ingress := .Values.dex.ingress }} {{- if (and $ingress $ingress.enabled $ingress.hostname) }} -{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} +{{- printf "%s://%s/dex" (ternary "https" "http" $ingress.tls ) $ingress.hostname }} {{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }} {{- printf "http://localhost:%s" $service.nodePorts.http }} {{- else -}} -{{- printf "http://%s:%d/dex" ( include "chainloop.dex.fullname" $ ) ( int $service.ports.http ) }} +{{- printf "http://%s-dex:%d/dex" ( include "chainloop.dex.fullname" . ) ( int $service.ports.http ) }} +{{- end -}} {{- end -}} -{{- end -}} \ No newline at end of file + +{{/* +Common labels +*/}} +{{- define "chainloop.dex.labels" -}} +{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }} +app.kubernetes.io/component: dex +{{- end }} \ No newline at end of file diff --git a/deployment/chainloop/charts/dex/templates/deployment.yaml b/deployment/chainloop/charts/dex/templates/deployment.yaml index bd30e165b..261013aa8 100644 --- a/deployment/chainloop/charts/dex/templates/deployment.yaml +++ b/deployment/chainloop/charts/dex/templates/deployment.yaml @@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0 apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} 
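Review bot: The NodePort branch returns `http://localhost:<port>`, and since patch 3 also makes secret.yaml render the Dex `issuer` from this helper, that `localhost` URL becomes both the issuer and, via patch 2, the controlplane's OIDC `domain`; a controlplane pod inside the cluster cannot reach Dex at `localhost`, so this branch only works if the development setup runs the controlplane on the host, which the header comment should state. It is also the only branch that does not end in `/dex`, so the issuer path differs by exposure mode; if that is intentional, say so in the comment above the define, e.g. `NodePort: Dex is reached from the host on the node port, issuer rooted at / rather than /dex`. The `chainloop.dex.labels` helper added below closes with `{{- end }}` while every other define in the file uses `{{- end -}}`; aligning it avoids a stray trailing newline when it is included.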
diff --git a/deployment/chainloop/charts/dex/templates/ingress.yaml b/deployment/chainloop/charts/dex/templates/ingress.yaml
new file mode 100644
index 000000000..50760fdda
--- /dev/null
+++ b/deployment/chainloop/charts/dex/templates/ingress.yaml
@@ -0,0 +1,66 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.dex.ingress.enabled }}
+{{- $fullName := include "chainloop.dex.fullname" . -}}
+
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "chainloop.dex.labels" . | nindent 4 }}
+ {{- if or .Values.dex.ingress.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- if .Values.dex.ingress.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.dex.ingress.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if and .Values.dex.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.dex.ingress.ingressClassName | quote }}
+ {{- end }}
+ rules:
+ {{- if .Values.dex.ingress.hostname }}
+ - host: {{ .Values.dex.ingress.hostname }}
+ http:
+ paths:
+ {{- if .Values.dex.ingress.extraPaths }}
+ {{- toYaml .Values.dex.ingress.extraPaths | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.dex.ingress.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+ pathType: {{ .Values.dex.ingress.pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- range .Values.dex.ingress.extraHosts }}
+ - host: {{ .name | quote }}
+ http:
+ paths:
+ - path: {{ default "/" .path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+ pathType: {{ default "ImplementationSpecific" .pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.dex.ingress.extraRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dex.ingress.extraRules "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if or (and .Values.dex.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.dex.ingress.annotations )) .Values.dex.ingress.selfSigned)) .Values.dex.ingress.extraTls }}
+ tls:
+ {{- if and .Values.dex.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.dex.ingress.annotations )) .Values.dex.ingress.selfSigned) }}
+ - hosts:
+ - {{ .Values.dex.ingress.hostname | quote }}
+ secretName: {{ printf "%s-tls" .Values.dex.ingress.hostname }}
+ {{- end }}
+ {{- if .Values.dex.ingress.extraTls }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.dex.ingress.extraTls "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/deployment/chainloop/charts/dex/templates/metrics-svc.yaml b/deployment/chainloop/charts/dex/templates/metrics-svc.yaml
index 1bc1c7997..579a9fcc9 100644
--- a/deployment/chainloop/charts/dex/templates/metrics-svc.yaml
+++ b/deployment/chainloop/charts/dex/templates/metrics-svc.yaml
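Review bot: The `tls:` block points the Ingress at `secretName: {{ printf "%s-tls" .Values.dex.ingress.hostname }}` whenever `dex.ingress.tls` is on and either a cert-manager annotation or `selfSigned` is set, but this commit creates only ingress.yaml (one `create mode` line in the diffstat) and nothing in the series generates a self-signed certificate or turns `dex.ingress.secrets` into Secret objects, even though the new values.yaml comments promise both (`Rely on Helm to create self-signed certificates by setting dex.ingress.selfSigned=true`, `Use the dex.ingress.secrets parameter to create this TLS secret`). With `selfSigned: true` and no cert-manager annotation the Ingress will reference a Secret that does not exist and TLS will silently fall back to whatever the controller's default certificate is. Either add the companion tls-secrets template that Bitnami-style charts pair with this ingress, or remove the `selfSigned`/`secrets` options and their documentation until one exists; if such a template already lives in the subchart outside this diff, a one-line comment above `tls:` naming it would settle the question. Since Dex ships with static passwords enabled here, exposing it through this Ingress with `tls: false` (the values default) should at least be called out in the `dex.ingress.tls` comment.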
@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 apiVersion: v1 kind: Service metadata: - name: {{ include "chainloop.dex" . }}-metrics + name: {{ include "chainloop.dex.fullname" . }}-metrics namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} diff --git a/deployment/chainloop/charts/dex/templates/networkpolicy.yaml b/deployment/chainloop/charts/dex/templates/networkpolicy.yaml index 7945a2063..725ed38b8 100644 --- a/deployment/chainloop/charts/dex/templates/networkpolicy.yaml +++ b/deployment/chainloop/charts/dex/templates/networkpolicy.yaml @@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 kind: NetworkPolicy apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: dex @@ -66,7 +66,7 @@ spec: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} - podSelector: matchLabels: - {{ include "chainloop.dex" . }}-client: "true" + {{ include "chainloop.dex.fullname" . }}-client: "true" {{- if .Values.dex.networkPolicy.ingressNSMatchLabels }} - namespaceSelector: matchLabels: diff --git a/deployment/chainloop/charts/dex/templates/pdb.yaml b/deployment/chainloop/charts/dex/templates/pdb.yaml index 34e68f414..2397649b0 100644 --- a/deployment/chainloop/charts/dex/templates/pdb.yaml +++ b/deployment/chainloop/charts/dex/templates/pdb.yaml 
@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: dex diff --git a/deployment/chainloop/charts/dex/templates/role.yaml b/deployment/chainloop/charts/dex/templates/role.yaml index 8094d91e9..d2a787800 100644 --- a/deployment/chainloop/charts/dex/templates/role.yaml +++ b/deployment/chainloop/charts/dex/templates/role.yaml @@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 kind: Role apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} diff --git a/deployment/chainloop/charts/dex/templates/rolebinding.yaml b/deployment/chainloop/charts/dex/templates/rolebinding.yaml index a19a705a3..6bd4b2f6f 100644 --- a/deployment/chainloop/charts/dex/templates/rolebinding.yaml +++ b/deployment/chainloop/charts/dex/templates/rolebinding.yaml 
@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 kind: RoleBinding apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} @@ -21,5 +21,5 @@ subjects: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} {{- end }} diff --git a/deployment/chainloop/charts/dex/templates/secret.yaml b/deployment/chainloop/charts/dex/templates/secret.yaml index fdec124be..0f07adc15 100644 --- a/deployment/chainloop/charts/dex/templates/secret.yaml +++ b/deployment/chainloop/charts/dex/templates/secret.yaml @@ -16,7 +16,7 @@ metadata: type: Opaque stringData: config.yaml: | - issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.containerPorts.http }}/dex + issuer: {{include "chainloop.dex.external_url" . }} storage: type: memory diff --git a/deployment/chainloop/charts/dex/templates/service.yaml b/deployment/chainloop/charts/dex/templates/service.yaml index 271070a7d..79e510ce6 100644 --- a/deployment/chainloop/charts/dex/templates/service.yaml +++ b/deployment/chainloop/charts/dex/templates/service.yaml 
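Review bot: `issuer` is now rendered by `chainloop.dex.external_url` under the subchart's own context, while the controlplane side (patch 2) renders the same helper under a hand-built dict whose `Values` is `$.Values.dex` but whose `Chart` and `Release` are the parent's; the cluster-local branch builds its hostname from `chainloop.dex.fullname`, which after patch 3 is `common.names.fullname` and so depends on `.Chart.Name`, `.Values.nameOverride` and `.Values.fullnameOverride` of whichever context it receives. Unless those resolve identically under both contexts, the controlplane `domain` and the Dex `issuer` diverge (one of them plausibly carrying an extra `-dex`), and OIDC discovery fails because the issuer in the discovery document must match the configured one exactly. Rendering the URL once and passing it to both sides would remove the risk; short of that, a comment on this line is warranted: `# must render byte-for-byte equal to the controlplane's domain in controlplane.oidc_settings (hostname suffix, port and /dex path)`. The `{{include` is also missing the space the rest of the file uses after `{{`. The `config.yaml: |` block this line sits in starts above the hunk.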
@@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0 apiVersion: v1 kind: Service metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} diff --git a/deployment/chainloop/charts/dex/templates/servicemonitor.yaml b/deployment/chainloop/charts/dex/templates/servicemonitor.yaml index 8195c3fc8..20fceff23 100644 --- a/deployment/chainloop/charts/dex/templates/servicemonitor.yaml +++ b/deployment/chainloop/charts/dex/templates/servicemonitor.yaml @@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ include "chainloop.dex" . }} + name: {{ include "chainloop.dex.fullname" . }} namespace: {{ default include ( "common.names.namespace" . ) .Values.dex.metrics.serviceMonitor.namespace | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} diff --git a/deployment/chainloop/charts/dex/values.yaml b/deployment/chainloop/charts/dex/values.yaml index 5cce40583..d8327f1b4 100644 --- a/deployment/chainloop/charts/dex/values.yaml +++ b/deployment/chainloop/charts/dex/values.yaml 
@@ -571,4 +571,105 @@ dex: pdb: create: true minAvailable: "" - maxUnavailable: "" \ No newline at end of file + maxUnavailable: "" + + ## @section Ingress configuration + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ingress: + ## @param dex.ingress.enabled Enable ingress record generation for Dex + ## + enabled: false + ## @param dex.ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param dex.ingress.hostname Default host for the ingress record + ## + hostname: dex.dev.local + ## @param dex.ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param dex.ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param dex.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param dex.ingress.tls Enable TLS configuration for the host defined at `dex.ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.dex.ingress.hostname }}` + ## You can: + ## - Use the `dex.ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `dex.ingress.selfSigned=true` + ## + tls: false + ## @param dex.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param dex.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: dex.dev.local + ## path: / + ## + extraHosts: [] + ## @param dex.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param dex.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - dex.dev.local + ## secretName: dex.dev.local-tls + ## + extraTls: [] + ## @param dex.ingress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using 
cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: dex.dev.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param dex.ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: example.local + ## http: + ## path: / + ## backend: + ## service: + ## name: example-svc + ## port: + ## name: http + ## + extraRules: [] \ No newline at end of file From 17c95e0e3f52d7e5e24acc2f35492e765d465f6a Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Sat, 14 Jun 2025 18:58:44 +0200 Subject: [PATCH 4/8] chore: fix dex Signed-off-by: Miguel Martinez --- deployment/chainloop/charts/dex/templates/deployment.yaml | 4 +++- deployment/chainloop/charts/dex/templates/secret.yaml | 3 +++ deployment/chainloop/charts/dex/values.yaml | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/deployment/chainloop/charts/dex/templates/deployment.yaml b/deployment/chainloop/charts/dex/templates/deployment.yaml index 261013aa8..e11534b0e 100644 --- a/deployment/chainloop/charts/dex/templates/deployment.yaml +++ b/deployment/chainloop/charts/dex/templates/deployment.yaml 
@@ -26,8 +26,10 @@ spec: app.kubernetes.io/component: dex template: metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.dex.podAnnotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }} {{- end }} labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} app.kubernetes.io/component: dex diff --git a/deployment/chainloop/charts/dex/templates/secret.yaml b/deployment/chainloop/charts/dex/templates/secret.yaml index 0f07adc15..80aa3e772 100644 --- a/deployment/chainloop/charts/dex/templates/secret.yaml +++ b/deployment/chainloop/charts/dex/templates/secret.yaml @@ -31,6 +31,9 @@ stringData: redirectURIs: - "http://0.0.0.0:8000/auth/callback" - "http://localhost:8000/auth/callback" + {{- if .Values.dex.redirectURL }} + - {{ .Values.dex.redirectURL | quote }} + {{- end }} # required to enable static passwords enablePasswordDB: true diff --git a/deployment/chainloop/charts/dex/values.yaml b/deployment/chainloop/charts/dex/values.yaml index d8327f1b4..c5e8a1f20 100644 --- a/deployment/chainloop/charts/dex/values.yaml +++ b/deployment/chainloop/charts/dex/values.yaml @@ -39,6 +39,8 @@ rbac: ## Dex configuration running in development mode --set development=true ## dex: + ## @param dex.redirectURL Additional redirect URL for Dex + redirectURL: "" ## Bitnami Dex image ## ref: https://hub.docker.com/r/bitnami/argo-cd/tags/ ## @skip dex.staticUsers[0].email From 036ae2791a05a1f2d26f263529265a98ecbab300 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Sun, 15 Jun 2025 22:23:15 +0200 Subject: [PATCH 5/8] chore: add dex Signed-off-by: Miguel Martinez --- deployment/chainloop/README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) 
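Review bot: `dex.redirectURL` is documented only as `Additional redirect URL for Dex`, which does not tell the operator what value is expected or that Dex matches `redirectURIs` against the incoming `redirect_uri` exactly (the README added in patch 5 is the only place the `/auth/callback` form appears); the values comment should carry it, e.g. `## @param dex.redirectURL Extra allowed redirect URI, normally the controlplane callback https://<controlplane-host>/auth/callback (exact match)`. The `checksum/config` annotation in deployment.yaml is the right way to roll the pods when the rendered secret changes; a one-line comment above it, `# restart Dex when the rendered config (issuer, clients, static users) changes`, would explain why it hashes the whole secret.yaml template rather than a single value. Note that the annotation now always renders an `annotations:` map even when `podAnnotations` is empty, which is harmless but differs from the previous conditional shape.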
diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index 639f12c3e..742b3f30f 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -489,6 +489,27 @@ chainloop config save \ --artifact-cas cas.acme.com:443 ``` +### Use the built-in Dex Instance in development mode + +In development mode, a Dex instance is deployed by default, to use it, you need configure it in the `values.yaml` file like this: + +> **CAUTION**: Do not use this mode in production, for that, deploy in [standard mode](#standard-default) and connect your OIDC provider. + +```yaml +# Yes, dex.dex, since we are overriding the dex section in the dex subchart +dex: + dex: + # Point to the [controlplane http ingress]/auth/callback + redirectURL: https://[your controlplane hostname]/auth/callback + # Expose the dex instance to the outside world + ingress: + enabled: true + tls: true + hostname: [your dex hostname] +``` + +Once done, you can access with [two predefined users](https://github.com/chainloop-dev/chainloop/blob/0b165fa27d1973be55422065bd25efee95c5db9b/deployment/chainloop/charts/dex/values.yaml#L48), but is highly recommended to change those users to your own. + ## Parameters ### Global parameters @@ -927,7 +948,7 @@ service_registration "kubernetes" {}` | ## License -Copyright © 2023 The Chainloop Authors +Copyright © 2023-2025 The Chainloop Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 564f39e75dd8f4141205fb8504e0f119f13d4caa Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Sun, 15 Jun 2025 22:27:10 +0200 Subject: [PATCH 6/8] upgrade chart Signed-off-by: Miguel Martinez --- deployment/chainloop/Chart.yaml | 2 +- deployment/chainloop/charts/dex/Chart.yaml | 4 ++-- deployment/chainloop/charts/dex/values.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index a7e4bfc5a..70366fbbc 100644 --- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.232.0 +version: 1.232.2 # Do not update appVersion, this is handled automatically by the release process appVersion: v1.6.1 diff --git a/deployment/chainloop/charts/dex/Chart.yaml b/deployment/chainloop/charts/dex/Chart.yaml index b04c10e9e..3f93428d9 100644 --- a/deployment/chainloop/charts/dex/Chart.yaml +++ b/deployment/chainloop/charts/dex/Chart.yaml @@ -7,7 +7,7 @@ description: Dex is an identity service that uses OpenID Connect to drive authen type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 0.0.2 +version: 0.0.3 # Do not update appVersion, this is handled automatically by the release process appVersion: v0.0.1 @@ -20,5 +20,5 @@ dependencies: annotations: images: | - - image: docker.io/bitnami/dex:2.40.0-debian-12-r1 + - image: docker.io/bitnami/dex:2.43.1-debian-12-r4 name: dex \ No newline at end of file diff --git a/deployment/chainloop/charts/dex/values.yaml b/deployment/chainloop/charts/dex/values.yaml index c5e8a1f20..6275665a1 100644 --- a/deployment/chainloop/charts/dex/values.yaml +++ b/deployment/chainloop/charts/dex/values.yaml @@ -64,7 +64,7 @@ dex: image: registry: docker.io repository: bitnami/dex - tag: 2.40.0-debian-12-r1 + tag: 2.43.1-debian-12-r4 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images From 9d344ac46f12799ef02a71f72ba1dceb8d523a1d Mon Sep 17 00:00:00 2001 
From: Miguel Martinez Date: Sun, 15 Jun 2025 22:29:08 +0200 Subject: [PATCH 7/8] upgrade chart Signed-off-by: Miguel Martinez --- deployment/chainloop/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index 70366fbbc..1ddfbdc9e 100644 --- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.232.2 +version: 1.232.1 # Do not update appVersion, this is handled automatically by the release process appVersion: v1.6.1 From 09196e28a4366c2e9520e741a2c089a948251420 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 16 Jun 2025 10:36:53 +0200 Subject: [PATCH 8/8] Update Chart.yaml Signed-off-by: Miguel Martinez Trivino --- deployment/chainloop/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml index 1ddfbdc9e..0a84e2fd5 100644 --- a/deployment/chainloop/Chart.yaml +++ b/deployment/chainloop/Chart.yaml @@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a type: application # Bump the patch (not minor, not major) version on each change in the Chart Source code -version: 1.232.1 +version: 1.233.1 # Do not update appVersion, this is handled automatically by the release process appVersion: v1.6.1