feat(chart): allow using dex in development mode

deployment/chainloop/Chart.yaml

@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.233.0
+version: 1.233.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v1.7.0
 

deployment/chainloop/README.md

@@ -489,6 +489,27 @@ chainloop config save \
   --artifact-cas cas.acme.com:443
 ```
 
+### Use the built-in Dex Instance in development mode 
+
+In development mode, a Dex instance is deployed by default, to use it, you need configure it in the `values.yaml` file like this:
+
+> **CAUTION**: Do not use this mode in production, for that, deploy in [standard mode](#standard-default) and connect your OIDC provider.
+
+```yaml
+# Yes, dex.dex, since we are overriding the dex section in the dex subchart
+dex:
+  dex:
+    # Point to the [controlplane http ingress]/auth/callback
+    redirectURL: https://[your controlplane hostname]/auth/callback
+    # Expose the dex instance to the outside world
+    ingress:
+      enabled: true
+      tls: true
+      hostname: [your dex hostname]
+```
+
+Once done, you can access with [two predefined users](https://github.com/chainloop-dev/chainloop/blob/0b165fa27d1973be55422065bd25efee95c5db9b/deployment/chainloop/charts/dex/values.yaml#L48), but is highly recommended to change those users to your own.
+
 ## Parameters
 
 ### Global parameters
@@ -927,7 +948,7 @@ service_registration "kubernetes" {}` |
 
 ## License
 
-Copyright © 2023 The Chainloop Authors
+Copyright © 2023-2025 The Chainloop Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

deployment/chainloop/charts/dex/Chart.yaml

@@ -7,7 +7,7 @@ description: Dex is an identity service that uses OpenID Connect to drive authen
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 0.0.2
+version: 0.0.3
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v0.0.1
 
@@ -20,5 +20,5 @@ dependencies:
 
 annotations:
   images: |
-    - image: docker.io/bitnami/dex:2.40.0-debian-12-r1
+    - image: docker.io/bitnami/dex:2.43.1-debian-12-r4
       name: dex

deployment/chainloop/charts/dex/templates/_helpers.tpl

@@ -11,13 +11,6 @@ Return the proper Dex image name
 {{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }}
 {{- end -}}
 
-{{/*
-Return the proper service name for Dex
-*/}}
-{{- define "chainloop.dex" -}}
-  {{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
-{{- end -}}
-
 {{/*
 Create the name of the service account to use for Dex
 */}}
@@ -29,9 +22,41 @@ Create the name of the service account to use for Dex
 {{- end -}}
 {{- end -}}
 
+{{/*
+Chainloop Dex name
+*/}}
+{{- define "chainloop.dex.name" -}}
+{{- printf "%s-%s" (include "common.names.name" .) "dex" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
 {{/*
 Chainloop Dex release name
 */}}
 {{- define "chainloop.dex.fullname" -}}
-{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Figure out the external URL for Dex service
+*/}}
+{{- define "chainloop.dex.external_url" -}}
+{{- $service := .Values.dex.service }}
+{{- $ingress := .Values.dex.ingress }}
+
+{{- if (and $ingress $ingress.enabled $ingress.hostname) }}
+{{- printf "%s://%s/dex" (ternary "https" "http" $ingress.tls ) $ingress.hostname }}
+{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }}
+{{- printf "http://localhost:%s" $service.nodePorts.http }}
+{{- else -}}
+{{- printf "http://%s-dex:%d/dex" ( include "chainloop.dex.fullname" . ) ( int $service.ports.http ) }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "chainloop.dex.labels" -}}
+{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }}
+app.kubernetes.io/component: dex
+{{- end }}

deployment/chainloop/charts/dex/templates/deployment.yaml

@@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0
 apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
 kind: Deployment
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
@@ -26,8 +26,10 @@ spec:
       app.kubernetes.io/component: dex
   template:
     metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
       {{- if .Values.dex.podAnnotations }}
-      annotations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }}
       {{- end }}
       labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
         app.kubernetes.io/component: dex

deployment/chainloop/charts/dex/templates/ingress.yaml

@@ -0,0 +1,66 @@
+{{- /*
+Copyright Chainloop, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.dex.ingress.enabled }}
+{{- $fullName := include "chainloop.dex.fullname" . -}}
+
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.dex.labels" . | nindent 4 }}
+  {{- if or .Values.dex.ingress.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.dex.ingress.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.dex.ingress.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.dex.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.dex.ingress.ingressClassName | quote }}
+  {{- end }}
+  rules:
+    {{- if .Values.dex.ingress.hostname }}
+    - host: {{ .Values.dex.ingress.hostname }}
+      http:
+        paths:
+          {{- if .Values.dex.ingress.extraPaths }}
+          {{- toYaml .Values.dex.ingress.extraPaths | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.dex.ingress.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.dex.ingress.pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $)  | nindent 14 }}
+    {{- end }}
+    {{- range .Values.dex.ingress.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default "/" .path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+    {{- end }}
+    {{- if .Values.dex.ingress.extraRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.dex.ingress.extraRules "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if or (and .Values.dex.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.dex.ingress.annotations )) .Values.dex.ingress.selfSigned)) .Values.dex.ingress.extraTls }}
+  tls:
+    {{- if and .Values.dex.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.dex.ingress.annotations )) .Values.dex.ingress.selfSigned) }}
+    - hosts:
+        - {{ .Values.dex.ingress.hostname | quote }}
+      secretName: {{ printf "%s-tls" .Values.dex.ingress.hostname }}
+    {{- end }}
+    {{- if .Values.dex.ingress.extraTls }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.dex.ingress.extraTls "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }} 

deployment/chainloop/charts/dex/templates/metrics-svc.yaml

@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "chainloop.dex" . }}-metrics
+  name: {{ include "chainloop.dex.fullname" . }}-metrics
   namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}

deployment/chainloop/charts/dex/templates/networkpolicy.yaml

@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 kind: NetworkPolicy
 apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: dex
@@ -66,7 +66,7 @@ spec:
             matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
         - podSelector:
             matchLabels:
-              {{ include "chainloop.dex" . }}-client: "true"
+              {{ include "chainloop.dex.fullname" . }}-client: "true"
         {{- if .Values.dex.networkPolicy.ingressNSMatchLabels }}
         - namespaceSelector:
             matchLabels:

deployment/chainloop/charts/dex/templates/pdb.yaml

@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
 kind: PodDisruptionBudget
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
   labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
     app.kubernetes.io/component: dex

deployment/chainloop/charts/dex/templates/role.yaml

@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 kind: Role
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}

deployment/chainloop/charts/dex/templates/rolebinding.yaml

@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 kind: RoleBinding
 apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
@@ -21,5 +21,5 @@ subjects:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
 {{- end }}

deployment/chainloop/charts/dex/templates/secret.yaml

@@ -16,7 +16,7 @@ metadata:
 type: Opaque
 stringData:
   config.yaml: |
-    issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.containerPorts.http }}/dex
+    issuer: {{include "chainloop.dex.external_url" . }}
 
     storage:
       type: memory
@@ -31,6 +31,9 @@ stringData:
         redirectURIs:
           - "http://0.0.0.0:8000/auth/callback"
           - "http://localhost:8000/auth/callback"
+          {{- if .Values.dex.redirectURL }}
+          - {{ .Values.dex.redirectURL | quote }}
+          {{- end }}
 
     # required to enable static passwords
     enablePasswordDB: true

deployment/chainloop/charts/dex/templates/service.yaml

@@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ include "common.names.namespace" . | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}

deployment/chainloop/charts/dex/templates/servicemonitor.yaml

@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ include "chainloop.dex" . }}
+  name: {{ include "chainloop.dex.fullname" . }}
   namespace: {{ default include ( "common.names.namespace" . ) .Values.dex.metrics.serviceMonitor.namespace | quote }}
   {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
   {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}