Merge branch 'main' into include-app-roles

1fbae687 · Maarten de Waard · 14b35281 · 46bf9c0c · 1fbae687 · 1fbae687
Verified Commit 1fbae687 authored 3 years ago by Maarten de Waard
--- a/docs/helmchart.md
+++ b/docs/helmchart.md
@@ -184,4 +184,27 @@ $ helm delete single-sign-on

 > **WARNING**: Executing the `delete` command will delete all data that is related to the applications. Don't run this command in a production environment if you are not absolutely sure that you have a restorable backup of your data.

+## Known issues
+
+Short after the installation, the Hydra and Kratos pod will error a few times
+before they run correctly and enter the "Ready" state. This is because the Hydra
+helm chart is not built for running your PostgresQL server in
+the same Kubernetes cluster as the helm chart. The problem is that the Hydra
+"automigration" usually runs as a pre-install step of the helm chart. We cannot
+do that because in this chart the Hydra database is actually installed after
+pre-install hooks have finished running. Ory doesn't want to solve this issue,
+because they're fundamentally against running databases on Kubernetes.
+
+As a result, we've had to include [jobs that run the
+[Hydra](https://open.greenhost.net/stackspin/single-sign-on/-/blob/main/helmchart/single-sign-on/templates/job-migration-hydra.yaml)
+and [Kratos
+migration](https://open.greenhost.net/stackspin/single-sign-on/-/blob/main/helmchart/single-sign-on/templates/job-migration-kratos.yaml)
+inside our single sign-on helm chart. However, we can't modify the Hydra and
+Kratos pods without forking the whole helm charts. As a result the Hydra and
+Kratos container will fail to come up before those jobs have finished.
+
+Once the jobs have finished, they should work well, though. The migration jobs
+are run on upgrades as well, but might cause less issues there because they take
+less time.
+
 [^1]: If you want to test a version that is not on the `main` branch yet, use `https://open.greenhost.net/api/v4/projects/8/packages/helm/unstable`
--- a/helmchart/single-sign-on/CHANGELOG.md
+++ b/helmchart/single-sign-on/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this helm chart will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.6.1] - 2021-12-22
+
+- Include dependencies in Chart.yaml
+- Use default hydra image
+
 ## [0.6.0] - 2021-12-21

 - Switch to using Hydra Maester instead of cronjobs for creating OAuth2 clients

--- a/helmchart/single-sign-on/Chart.yaml
+++ b/helmchart/single-sign-on/Chart.yaml
-apiVersion: v1
+apiVersion: v2
 description: A Helm chart for Stackspin's Single sign-on components
 name: single-sign-on
-version: 0.6.1
+version: 0.7.0
 icon: https://stackspin.net/assets/images/logo.svg
+dependencies:
+  # https://k8s.ory.sh/helm/hydra.html
+  - name: hydra
+    version: 0.21.0
+    repository: "https://k8s.ory.sh/helm/charts"
+    tags:
+      - single-sign-on
+  # https://github.com/bitnami/charts/tree/master/bitnami/postgresql
+  # https://artifacthub.io/packages/helm/bitnami/postgresql
+  - name: postgresql
+    version: 10.12.4
+    repository: "https://charts.bitnami.com/bitnami"
+    tags:
+      - single-sign-on
+  # https://k8s.ory.sh/helm/kratos.html
+  - name: kratos
+    version: 0.21.0
+    repository: "https://k8s.ory.sh/helm/charts"
+    tags:
+      - single-sign-on
--- a/helmchart/single-sign-on/requirements.yaml
+++ b/helmchart/single-sign-on/requirements.yaml
-# https://k8s.ory.sh/helm/hydra.html
-dependencies:
-  - name: hydra
-    version: 0.21.0
-    repository: "https://k8s.ory.sh/helm/charts"
-    tags:
-      - single-sign-on
-
-
-# https://github.com/bitnami/charts/tree/master/bitnami/postgresql
-# https://artifacthub.io/packages/helm/bitnami/postgresql
-  - name: postgresql
-    version: 10.12.4
-    repository: "https://charts.bitnami.com/bitnami"
-    tags:
-      - single-sign-on
-
-
-# https://k8s.ory.sh/helm/kratos.html
-  - name: kratos
-    version: 0.21.0
-    repository: "https://k8s.ory.sh/helm/charts"
-    tags:
-      - single-sign-on
-
-
--- a/helmchart/single-sign-on/values.yaml
+++ b/helmchart/single-sign-on/values.yaml
@@ -96,7 +96,7 @@ kratos:

    config:
      identity:
-        # This points to the filename in above identitySchemas section. 
+        # This points to the filename in above identitySchemas section.
        default_schema_url: file:///etc/config/identity.default.schema.json

      dsn: postgres://kratos:kratos@single-sign-on-postgresql:5432/kratos
@@ -140,15 +140,12 @@ kratos:
      log:
        level: info

-      courier: 
-        smtp: 
+      courier:
+        smtp:
          connection_uri: smtps://username:password@smtp.example.net:456/
          from_address: no-reply@example.net

 hydra:
-  # Fix for this issue: https://github.com/ory/k8s/issues/367
-  image:
-    tag: v1.10.5-sqlite
  hydra:
    # hydra.hydra.dangerousForceHttp allows access to the hydra admin API over http. The
    # hydra admin API is only accessible by services within the same namespace unless you