diff --git a/Dockerfile b/Dockerfile index 621733b18d29b64ee18dab61375e63e9ff93c947..51a10593c8cf6aaf6c298d440216982e74fbaa9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ ADD https://github.com/fluxcd/flux2/releases/download/v0.22.0/flux_0.22.0_linux_ COPY ./requirements.txt /requirements.txt RUN \ # Install kubectl from alpine edge until alpine 3.16 is released - apk --no-cache add kubectl=~1.22.4-r0 \ + apk --no-cache add kubectl=~1.23.1-r0 \ --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing && \ apk --no-cache add \ bash=~5.1.8-r0 \ diff --git a/docs/requirements.txt b/docs/requirements.txt index 23e421fb63a763c50d138b5bc2b16cc044729ebe..6d82e36a4e81bf18128f34932ef75a250af022d5 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -10,7 +10,7 @@ babel==2.9.1 # via sphinx certifi==2021.10.8 # via requests -charset-normalizer==2.0.9 +charset-normalizer==2.0.10 # via requests commonmark==0.9.1 # via recommonmark @@ -29,17 +29,15 @@ markupsafe==2.0.1 # via jinja2 packaging==21.3 # via sphinx -pygments==2.10.0 - # via - # -r requirements.in - # sphinx +pygments==2.11.2 + # via sphinx pyparsing==3.0.6 # via packaging pytz==2021.3 # via babel recommonmark==0.7.1 # via -r requirements.in -requests==2.26.0 +requests==2.27.1 # via sphinx snowballstemmer==2.2.0 # via sphinx @@ -65,7 +63,7 @@ sphinxcontrib-qthelp==1.0.3 # via sphinx sphinxcontrib-serializinghtml==1.1.5 # via sphinx -urllib3==1.26.7 +urllib3==1.26.8 # via requests # The following packages are considered to be unsafe in a requirements file: diff --git a/docs/usage.rst b/docs/usage.rst index d7ea1299e7f7a1b03872b917062dd4f63625b707..2c72761e7651a1e6d9909fda655c464a358bb7ab 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -145,3 +145,15 @@ WordPress ~~~~~~~~~ `WordPress <https://wordpress.com>`__ is a website content management system. + +Known issues +'''''''''''' + +If you want admin privileges inside WordPress, you need to set this in the +Dashboard. Then, you need to log into WordPress again. + +If this is your first time logging into WordPress, you have to log out and in +again for your admin privileges to be applied. + +For more information and technical details, refer to `the issue in our issue +tracker <https://open.greenhost.net/stackspin/wordpress-helm/-/issues/97>`__. diff --git a/flux2/apps/monitoring/kube-prometheus-stack-release.yaml b/flux2/apps/monitoring/kube-prometheus-stack-release.yaml index 21bc15c05f2ac8902cbac62cc3cf39b0700e9cf2..5cb39f76c1ec8f442ec9af7b3e8b1ca30db8ef12 100644 --- a/flux2/apps/monitoring/kube-prometheus-stack-release.yaml +++ b/flux2/apps/monitoring/kube-prometheus-stack-release.yaml @@ -11,7 +11,7 @@ spec: # https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack # renovate: registryUrl=https://prometheus-community.github.io/helm-charts chart: kube-prometheus-stack - version: 25.0.0 + version: 25.1.0 sourceRef: kind: HelmRepository name: prometheus-community diff --git a/flux2/apps/monitoring/kustomization.yaml b/flux2/apps/monitoring/kustomization.yaml index d3c8daccb628557825f849a4f4852a5407673dfb..3d0a9c08622f7457b54a2be86e33715df9c39949 100644 --- a/flux2/apps/monitoring/kustomization.yaml +++ b/flux2/apps/monitoring/kustomization.yaml @@ -9,6 +9,10 @@ resources: - kube-prometheus-stack-values-configmap.yaml - loki-configmap.yaml - loki-release.yaml + - loki-restart-cronjob.yaml + - loki-restart-role.yaml + - loki-restart-rolebinding.yaml + - loki-restart-serviceaccount.yaml - loki-values-configmap.yaml - promtail-release.yaml - promtail-values-configmap.yaml 
diff --git a/flux2/apps/monitoring/loki-restart-cronjob.yaml b/flux2/apps/monitoring/loki-restart-cronjob.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6302df656a0c8f347323e52e5fdff62f03150d72
--- /dev/null
+++ b/flux2/apps/monitoring/loki-restart-cronjob.yaml
@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: loki-restart
+ namespace: stackspin
+spec:
+ concurrencyPolicy: Forbid
+ schedule: '0 4 * * *'
+ jobTemplate:
+ spec:
+ backoffLimit: 2
+ activeDeadlineSeconds: 600
+ template:
+ spec:
+ serviceAccountName: loki-restart
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ # https://hub.docker.com/r/bitnami/kubectl
+ image: bitnami/kubectl:1.21.8
+ command:
+ - 'kubectl'
+ - 'rollout'
+ - 'restart'
+ - 'statefulset/loki'
diff --git a/flux2/apps/monitoring/loki-restart-role.yaml b/flux2/apps/monitoring/loki-restart-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4299a61c52dfafe63c8faff0f72eae8d783af2d3
--- /dev/null
+++ b/flux2/apps/monitoring/loki-restart-role.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: loki-restart
+ namespace: stackspin
+rules:
+ - apiGroups: ["apps", "extensions"]
+ resources: ["statefulsets"]
+ resourceNames: ["loki"]
+ verbs: ["get", "patch"]
diff --git a/flux2/apps/monitoring/loki-restart-rolebinding.yaml b/flux2/apps/monitoring/loki-restart-rolebinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6c35b703a96f149494bf5b453849b0d3d4d7acfe
--- /dev/null
+++ b/flux2/apps/monitoring/loki-restart-rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: loki-restart
+ namespace: stackspin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: loki-restart
+subjects:
+ - kind: ServiceAccount
+ name: loki-restart
+ namespace: stackspin
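Review bot: The CronJob gives no reason for restarting the loki StatefulSet every night, and the only explanation on this page is the memory-leak comment that the same commit deletes from loki-values-configmap.yaml, so a reader of this file alone cannot tell whether the job is a permanent fixture or a workaround to remove later. Above `schedule:` add a comment such as `# Nightly restart works around the Loki memory leak that forced the 2.4.0 pin (https://open.greenhost.net/stackspin/stackspin/-/issues/1077); drop once a fixed Loki release is pinned.` The `image: bitnami/kubectl:1.21.8` tag is mutable, so a job that holds patch rights on the workload runs whatever the registry currently serves under that tag; adding the digest, `image: bitnami/kubectl:1.21.8@sha256:<digest-placeholder>`, keeps the executed code fixed while the tag stays readable. The 1.21 client is also two minors behind the 1.23.1 kubectl the Dockerfile now installs, which presumably tracks the cluster version; kubectl's supported version skew is one minor, so this tag looks worth bumping as well.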
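Review bot: The Role's `apiGroups: ["apps", "extensions"]` grants more than the job uses: StatefulSets have only ever been served from the `apps` group, so the `extensions` entry is dead weight that reads as if it were required. Tighten it to `apiGroups: ["apps"]`. The rest of the rule is well scoped — `resourceNames: ["loki"]` with `get` and `patch` is exactly what `kubectl rollout restart statefulset/loki` needs and nothing more.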
diff --git a/flux2/apps/monitoring/loki-restart-serviceaccount.yaml b/flux2/apps/monitoring/loki-restart-serviceaccount.yaml new file mode 100644 index 0000000000000000000000000000000000000000..71245bba952a467be372a1ab6b91d429b547016a --- /dev/null +++ b/flux2/apps/monitoring/loki-restart-serviceaccount.yaml @@ -0,0 +1,5 @@ +kind: ServiceAccount +apiVersion: v1 +metadata: + name: loki-restart + namespace: stackspin diff --git a/flux2/apps/monitoring/loki-values-configmap.yaml b/flux2/apps/monitoring/loki-values-configmap.yaml index ca408a8ea2b0d927944d8457a13f35cfc33bf19b..c8ba88c9ebb94a1ad659ca0b05bd0770d557c598 100644 --- a/flux2/apps/monitoring/loki-values-configmap.yaml +++ b/flux2/apps/monitoring/loki-values-configmap.yaml @@ -7,11 +7,6 @@ metadata: data: values.yaml: | # https://github.com/grafana/helm-charts/blob/main/charts/loki/values.yaml - image: - repository: grafana/loki - # Downgrade loki because of mem leak - # (https://open.greenhost.net/stackspin/stackspin/-/issues/1077) - tag: 2.4.0 resources: limits: cpu: 800m diff --git a/flux2/apps/monitoring/promtail-release.yaml b/flux2/apps/monitoring/promtail-release.yaml index e5f95e775c4813211c71989c3d6c9103c1760734..ad87de7b204930c81b9219539fb68b7eabd15f83 100644 --- a/flux2/apps/monitoring/promtail-release.yaml +++ b/flux2/apps/monitoring/promtail-release.yaml @@ -11,7 +11,7 @@ spec: # https://artifacthub.io/packages/helm/grafana/promtail # renovate: registryUrl=https://grafana.github.io/helm-charts chart: promtail - version: 3.9.1 + version: 3.9.2 sourceRef: kind: HelmRepository name: grafana diff --git a/flux2/apps/velero/release.yaml b/flux2/apps/velero/release.yaml index 35323922224a334d35d26860eb290ea5e1ed087e..c8e02e0b902d5069c2ecba80767d6fd0cb728b4f 100644 --- a/flux2/apps/velero/release.yaml +++ b/flux2/apps/velero/release.yaml 
@@ -10,7 +10,7 @@ spec: spec: # renovate: registryUrl=https://vmware-tanzu.github.io/helm-charts chart: velero - version: 2.27.1 + version: 2.27.3 sourceRef: kind: HelmRepository name: vmware-tanzu diff --git a/flux2/apps/wordpress/wordpress-values-configmap.yaml b/flux2/apps/wordpress/wordpress-values-configmap.yaml index db2261fd8e698e8bf00b4a3c0dff32e6b5d61ed0..e2b92b8149df68b08806c0a6af933cae19b8f544 100644 --- a/flux2/apps/wordpress/wordpress-values-configmap.yaml +++ b/flux2/apps/wordpress/wordpress-values-configmap.yaml @@ -13,6 +13,7 @@ data: adm: usid: admin pssw: "${wordpress_admin_password}" + email: "${admin_email}" site: # NOTE: Make sure you use underscore and that the localisation is in full caps locale: en_US @@ -31,6 +32,10 @@ data: endpoint_userinfo: https://sso.${domain}/userinfo endpoint_token: https://sso.${domain}/oauth2/token endpoint_end_session: "" + # If a WordPress account already exists with the same identity as a + # newly-authenticated user over OpenID Connect, login as that user + # instead of generating an error. + link_existing_users: "1" # After our SSO supports it, we should set this as the logout URL # https://open.greenhost.net/stackspin/single-sign-on/issues/28 # endpoint_end_session: https://sso.${domain}/oauth2/sessions/logout diff --git a/flux2/cluster/base/single-sign-on.yaml b/flux2/cluster/base/single-sign-on.yaml index 711a56d589c93ed9621ef9c63618dff3c8077436..2663c71dd27bb1b83865ef5fa003950db23fab2f 100644 --- a/flux2/cluster/base/single-sign-on.yaml +++ b/flux2/cluster/base/single-sign-on.yaml @@ -22,6 +22,10 @@ spec: - kind: Secret name: stackspin-cluster-variables healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2beta1 + kind: HelmRelease + name: single-sign-on-database + namespace: stackspin - apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease name: single-sign-on 
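Review bot: The comment above `link_existing_users: "1"` says what the option does but not which identity attribute is matched or why that match can be trusted, and that is the security-relevant part: an SSO login is now silently merged with any pre-existing WordPress account sharing that attribute (presumably the e-mail or username asserted by the SSO), so account integrity rests on the SSO being the only source of those attributes and never issuing a second identity that carries an existing user's value. Extend the comment with `# Safe only because every login comes from our own SSO, which is the sole source of user identities and e-mails; revisit before enabling a second IdP or self-registration.` The new `email: "${admin_email}"` under `adm:` is presumably the attribute the admin account is linked on, so it is worth naming that dependency in the same comment.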
diff --git a/flux2/core/base/metallb/release.yaml b/flux2/core/base/metallb/release.yaml index 02ab0403a130af9b15f508c088fb1d176cdadb9d..e2efbf5eb3b38a8c89e29291815887ce268b706b 100644 --- a/flux2/core/base/metallb/release.yaml +++ b/flux2/core/base/metallb/release.yaml @@ -11,7 +11,7 @@ spec: # https://artifacthub.io/packages/helm/bitnami/metallb # renovate: registryUrl=https://charts.bitnami.com/bitnami chart: metallb - version: 2.5.16 + version: 2.6.0 sourceRef: kind: HelmRepository name: bitnami diff --git a/flux2/core/base/single-sign-on/kustomization.yaml b/flux2/core/base/single-sign-on/kustomization.yaml index 0103cabedd67afd76a28bf0a0d4621dd5425300b..64929c1103bb721a6c39c4e4b6315e4c6cc41e4a 100644 --- a/flux2/core/base/single-sign-on/kustomization.yaml +++ b/flux2/core/base/single-sign-on/kustomization.yaml @@ -4,5 +4,7 @@ kind: Kustomization namespace: stackspin resources: - pvc-database.yaml - - release.yaml + - single-sign-on-release.yaml - single-sign-on-values-configmap.yaml + - single-sign-on-database-release.yaml + - single-sign-on-database-values-configmap.yaml diff --git a/flux2/core/base/single-sign-on/single-sign-on-database-release.yaml b/flux2/core/base/single-sign-on/single-sign-on-database-release.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f6b27cb9e01192398e6179cf8df48ef1ede301a1 --- /dev/null +++ b/flux2/core/base/single-sign-on/single-sign-on-database-release.yaml 
@@ -0,0 +1,29 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: single-sign-on-database
+spec:
+ releaseName: single-sign-on-database
+ chart:
+ spec:
+ # renovate: registryUrl=https://charts.bitnami.com/bitnami
+ chart: postgresql
+ version: 10.15.1
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami
+ namespace: flux-system
+ interval: 1h0m0s
+ install:
+ timeout: 10m
+ valuesFrom:
+ - kind: ConfigMap
+ name: stackspin-single-sign-on-database-values
+ # Allow overriding values by ConfigMap or Secret
+ - kind: ConfigMap
+ name: stackspin-single-sign-on-database-override
+ optional: true
+ - kind: Secret
+ name: stackspin-single-sign-on-database-override
+ optional: true
diff --git a/flux2/core/base/single-sign-on/single-sign-on-database-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-database-values-configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8e0ff3551998b3b4e104ab00edb0383ad3f5f5bc
--- /dev/null
+++ b/flux2/core/base/single-sign-on/single-sign-on-database-values-configmap.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: stackspin-single-sign-on-database-values
+data:
+ values.yaml: |
+ persistence:
+ enabled: true
+ existingClaim: single-sign-on-database
+ initdbScripts:
+ setup.sql: |
+ CREATE USER hydra WITH PASSWORD '${hydra_postgresql_password}';
+ CREATE USER kratos WITH PASSWORD '${kratos_postgresql_password}';
+ CREATE USER stackspin WITH PASSWORD '${dashboard_postgresql_password}';
+ CREATE DATABASE kratos WITH OWNER kratos;
+ CREATE DATABASE hydra WITH OWNER hydra;
+ CREATE DATABASE stackspin WITH OWNER stackspin;
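Review bot: `setup.sql` embeds three database passwords in plain text inside a ConfigMap (`stackspin-single-sign-on-database-values`) once Flux substitutes the `${...}` variables, and the chart copies `initdbScripts` into a further ConfigMap for the database pod, so anyone with read access to ConfigMaps in the namespace can read the credentials; ConfigMaps also fall outside the encryption-at-rest and audit rules usually reserved for Secrets. The previous inline `postgresql.initdbScripts` block in single-sign-on-values-configmap.yaml had the same shape, so this commit relocates rather than introduces the issue, but the new release already wires `valuesFrom` to a `stackspin-single-sign-on-database-override` Secret, which gives a natural home: move the `initdbScripts` values into a Secret-backed entry, or use the chart's `initdbScriptsSecret`, which exists for exactly this. These scripts also run only on an empty data directory, so with `existingClaim: single-sign-on-database` already populated by the earlier release they are presumably never executed on existing clusters; a one-line comment above `initdbScripts:` saying so would stop someone from editing them expecting a password rotation.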
diff --git a/flux2/core/base/single-sign-on/release.yaml b/flux2/core/base/single-sign-on/single-sign-on-release.yaml similarity index 93% rename from flux2/core/base/single-sign-on/release.yaml rename to flux2/core/base/single-sign-on/single-sign-on-release.yaml index 37e4834a20affad2bb2cf831af0a9b4a552a86f9..ee1065928db46880c8a294b26b3bf1cab1809240 100644 --- a/flux2/core/base/single-sign-on/release.yaml +++ b/flux2/core/base/single-sign-on/single-sign-on-release.yaml @@ -6,12 +6,12 @@ metadata: spec: releaseName: single-sign-on dependsOn: - - name: nginx + - name: single-sign-on-database chart: spec: # renovate: registryUrl=https://open.greenhost.net/api/v4/projects/8/packages/helm/stable chart: single-sign-on - version: 0.5.1 + version: 0.7.0 sourceRef: kind: HelmRepository name: single-sign-on diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml index 2556b1ffc1c7ae6d36271a3c50cb541a09f79f0b..5adcd3f3d0c8093c32057afc035486bf17326c29 100644 --- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml +++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml @@ -11,19 +11,8 @@ data: user: ${admin_email} password: ${userbackend_admin_password} db: - password: ${userbackend_postgres_password} - - postgresql: - persistence: - existingClaim: single-sign-on-database - initdbScripts: - setup.sql: | - CREATE USER hydra WITH PASSWORD '${hydra_postgresql_password}'; - CREATE USER kratos WITH PASSWORD '${kratos_postgresql_password}'; - CREATE USER stackspin WITH PASSWORD '${dashboard_postgresql_password}'; - CREATE DATABASE kratos WITH OWNER kratos; - CREATE DATABASE hydra WITH OWNER hydra; - CREATE DATABASE stackspin WITH OWNER stackspin; + hostname: single-sign-on-database-postgresql + password: ${dashboard_postgresql_password} hydra-maester: # Watches the flux-system namespace because that is where the app 
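Review bot: `dependsOn` now lists only `single-sign-on-database`; the previous `nginx` entry was replaced rather than kept, although the release still defines public ingresses (`ingress.public.enabled: true` further down in its values). If the nginx dependency existed to ensure the ingress controller is present before this release is reconciled, the list should be extended instead: `dependsOn:` / `- name: nginx` / `- name: single-sign-on-database`. If it was dropped deliberately, a short comment above `dependsOn:` stating that the ingress no longer needs that ordering would keep the next reader from re-adding it.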
@@ -44,7 +33,7 @@ data: secrets: system: - "${hydra_system_secret}" - dsn: "postgres://hydra:${hydra_postgresql_password}@single-sign-on-postgresql:5432/hydra" + dsn: "postgres://hydra:${hydra_postgresql_password}@single-sign-on-database-postgresql:5432/hydra" ingress: public: enabled: true @@ -66,7 +55,7 @@ data: kratos: kratos: config: - dsn: "postgres://kratos:${kratos_postgresql_password}@single-sign-on-postgresql:5432/kratos" + dsn: "postgres://kratos:${kratos_postgresql_password}@single-sign-on-database-postgresql:5432/kratos" serve: public: base_url: https://sso.${domain}/api/ diff --git a/install/templates/stackspin-single-sign-on-variables.yaml.jinja b/install/templates/stackspin-single-sign-on-variables.yaml.jinja index 56ccc93f9bc7c944bc362d67afa7c01d83cb28f5..e11fbae5df1d5141d39404c0558ad599cb2e2152 100644 --- a/install/templates/stackspin-single-sign-on-variables.yaml.jinja +++ b/install/templates/stackspin-single-sign-on-variables.yaml.jinja @@ -10,4 +10,3 @@ data: kratos_postgresql_password: "{{ 32 | generate_password | b64encode }}" kratos_session_secret: "{{ 32 | generate_password | b64encode }}" userbackend_admin_password: "{{ 32 | generate_password | b64encode }}" - userbackend_postgres_password: "{{ 32 | generate_password | b64encode }}" diff --git a/requirements.txt b/requirements.txt index fe57c8e280fa63baac77356b87bf4558089f8306..cff8ccbcd53eef3989c9092fb76b89150534f7e4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ # via -r requirements.in ansible==2.9.27 # via -r requirements.in -attrs==21.2.0 +attrs==21.4.0 # via pytest bcrypt==3.2.0 # via paramiko @@ -23,7 +23,7 @@ cffi==1.15.0 # bcrypt # cryptography # pynacl -charset-normalizer==2.0.9 +charset-normalizer==2.0.10 # via requests cryptography==36.0.1 # via 
@@ -56,13 +56,13 @@ orderedmultidict==1.0.1 # via htpasswd packaging==21.3 # via pytest -paramiko==2.8.1 +paramiko==2.9.2 # via -r requirements.in passlib==1.7.4 # via -r requirements.in pluggy==1.0.0 # via pytest -psutil==5.8.0 +psutil==5.9.0 # via -r requirements.in py==1.11.0 # via pytest @@ -74,11 +74,11 @@ pyasn1-modules==0.2.8 # via google-auth pycparser==2.21 # via cffi -pynacl==1.4.0 +pynacl==1.5.0 # via paramiko pyopenssl==21.0.0 # via -r requirements.in -pyparsing==2.4.7 +pyparsing==3.0.6 # via packaging pytest==6.2.5 # via @@ -96,7 +96,7 @@ pyyaml==6.0 # via # ansible # kubernetes -requests==2.26.0 +requests==2.27.1 # via # greenhost-cloud # kubernetes @@ -111,7 +111,6 @@ six==1.16.0 # google-auth # kubernetes # orderedmultidict - # pynacl # pyopenssl # python-dateutil tabulate==0.8.9 @@ -120,13 +119,13 @@ tld==0.12.6 # via -r requirements.in toml==0.10.2 # via pytest -urllib3==1.26.7 +urllib3==1.26.8 # via # kubernetes # requests websocket-client==1.2.3 # via kubernetes -wheel==0.37.0 +wheel==0.37.1 # via -r requirements.in # The following packages are considered to be unsafe in a requirements file: diff --git a/stackspin/cluster.py b/stackspin/cluster.py index c98858ac3bd05b86ff5e0a326b43133cd2809b1f..fd9f8fdd539a8354c469126569c97906211e038f 100644 --- a/stackspin/cluster.py +++ b/stackspin/cluster.py @@ -210,7 +210,7 @@ KUBECONFIG={cluster_dir}/kube_config_cluster.yml 'onlyoffice_rabbitmq_password'], 'stackspin-single-sign-on-variables': [ 'userbackend_admin_password', - 'userbackend_postgres_password', + 'dashboard_postgresql_password', 'hydra_system_secret'], 'stackspin-wordpress-variables': [ 'wordpress_admin_password',