Merge branch 'main' into 963-update-k3s-and-k8s-2

0958f12b · Maarten de Waard · c3d2920e · 9c9dd960 · 0958f12b · 0958f12b
Verified Commit 0958f12b authored 3 years ago by Maarten de Waard
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ ADD https://github.com/fluxcd/flux2/releases/download/v0.22.0/flux_0.22.0_linux_
 COPY ./requirements.txt /requirements.txt
 RUN \
  # Install kubectl from alpine edge until alpine 3.16 is released
-  apk --no-cache add kubectl=~1.22.4-r0 \
+  apk --no-cache add kubectl=~1.23.1-r0 \
    --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing && \
  apk --no-cache add \
    bash=~5.1.8-r0 \

--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -10,7 +10,7 @@ babel==2.9.1
    # via sphinx
 certifi==2021.10.8
    # via requests
-charset-normalizer==2.0.9
+charset-normalizer==2.0.10
    # via requests
 commonmark==0.9.1
    # via recommonmark
@@ -29,17 +29,15 @@ markupsafe==2.0.1
    # via jinja2
 packaging==21.3
    # via sphinx
-pygments==2.10.0
+pygments==2.11.2
-    # via
+    # via sphinx
-    #   -r requirements.in
-    #   sphinx
 pyparsing==3.0.6
    # via packaging
 pytz==2021.3
    # via babel
 recommonmark==0.7.1
    # via -r requirements.in
-requests==2.26.0
+requests==2.27.1
    # via sphinx
 snowballstemmer==2.2.0
    # via sphinx
@@ -65,7 +63,7 @@ sphinxcontrib-qthelp==1.0.3
    # via sphinx
 sphinxcontrib-serializinghtml==1.1.5
    # via sphinx
-urllib3==1.26.7
+urllib3==1.26.8
    # via requests
 # The following packages are considered to be unsafe in a requirements file:

--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -145,3 +145,15 @@ WordPress
 ~~~~~~~~~
 `WordPress <https://wordpress.com>`__ is a website content management system.
+Known issues
+''''''''''''
+If you want admin privileges inside WordPress, you need to set this in the
+Dashboard. Then, you need to log into WordPress again.
+If this is your first time logging into WordPress, you have to log out and in
+again for your admin privileges to be applied.
+For more information and technical details, refer to `the issue in our issue
+tracker <https://open.greenhost.net/stackspin/wordpress-helm/-/issues/97>`__.
--- a/flux2/apps/monitoring/kube-prometheus-stack-release.yaml
+++ b/flux2/apps/monitoring/kube-prometheus-stack-release.yaml
@@ -11,7 +11,7 @@ spec:
      # https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack
      # renovate: registryUrl=https://prometheus-community.github.io/helm-charts
      chart: kube-prometheus-stack
-      version: 25.0.0
+      version: 25.1.0
      sourceRef:
        kind: HelmRepository
        name: prometheus-community

--- a/flux2/apps/monitoring/kustomization.yaml
+++ b/flux2/apps/monitoring/kustomization.yaml
@@ -9,6 +9,10 @@ resources:
  - kube-prometheus-stack-values-configmap.yaml
  - loki-configmap.yaml
  - loki-release.yaml
+  - loki-restart-cronjob.yaml
+  - loki-restart-role.yaml
+  - loki-restart-rolebinding.yaml
+  - loki-restart-serviceaccount.yaml
  - loki-values-configmap.yaml
  - promtail-release.yaml
  - promtail-values-configmap.yaml

--- a/flux2/apps/monitoring/loki-restart-cronjob.yaml
+++ b/flux2/apps/monitoring/loki-restart-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: loki-restart
+  namespace: stackspin
+spec:
+  concurrencyPolicy: Forbid
+  schedule: '0 4 * * *'
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      activeDeadlineSeconds: 600
+      template:
+        spec:
+          serviceAccountName: loki-restart
+          restartPolicy: Never
+          containers:
+            - name: kubectl
+              # https://hub.docker.com/r/bitnami/kubectl
+              image: bitnami/kubectl:1.21.8
+              command:
+                - 'kubectl'
+                - 'rollout'
+                - 'restart'
+                - 'statefulset/loki'
--- a/flux2/apps/monitoring/loki-restart-role.yaml
+++ b/flux2/apps/monitoring/loki-restart-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: loki-restart
+  namespace: stackspin
+rules:
+  - apiGroups: ["apps", "extensions"]
+    resources: ["statefulsets"]
+    resourceNames: ["loki"]
+    verbs: ["get", "patch"]
--- a/flux2/apps/monitoring/loki-restart-rolebinding.yaml
+++ b/flux2/apps/monitoring/loki-restart-rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: loki-restart
+  namespace: stackspin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: loki-restart
+subjects:
+  - kind: ServiceAccount
+    name: loki-restart
+    namespace: stackspin
--- a/flux2/apps/monitoring/loki-restart-serviceaccount.yaml
+++ b/flux2/apps/monitoring/loki-restart-serviceaccount.yaml
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: loki-restart
+  namespace: stackspin
--- a/flux2/apps/monitoring/loki-values-configmap.yaml
+++ b/flux2/apps/monitoring/loki-values-configmap.yaml
@@ -7,11 +7,6 @@ metadata:
 data:
  values.yaml: |
    # https://github.com/grafana/helm-charts/blob/main/charts/loki/values.yaml
-    image:
-      repository: grafana/loki
-      # Downgrade loki because of mem leak
-      # (https://open.greenhost.net/stackspin/stackspin/-/issues/1077)
-      tag: 2.4.0
    resources:
      limits:
        cpu: 800m

--- a/flux2/apps/monitoring/promtail-release.yaml
+++ b/flux2/apps/monitoring/promtail-release.yaml
@@ -11,7 +11,7 @@ spec:
      # https://artifacthub.io/packages/helm/grafana/promtail
      # renovate: registryUrl=https://grafana.github.io/helm-charts
      chart: promtail
-      version: 3.9.1
+      version: 3.9.2
      sourceRef:
        kind: HelmRepository
        name: grafana

--- a/flux2/apps/velero/release.yaml
+++ b/flux2/apps/velero/release.yaml
@@ -10,7 +10,7 @@ spec:
    spec:
      # renovate: registryUrl=https://vmware-tanzu.github.io/helm-charts
      chart: velero
-      version: 2.27.1
+      version: 2.27.3
      sourceRef:
        kind: HelmRepository
        name: vmware-tanzu

--- a/flux2/apps/wordpress/wordpress-values-configmap.yaml
+++ b/flux2/apps/wordpress/wordpress-values-configmap.yaml
@@ -13,6 +13,7 @@ data:
        adm:
          usid: admin
          pssw: "${wordpress_admin_password}"
+          email: "${admin_email}"
      site:
        # NOTE: Make sure you use underscore and that the localisation is in full caps
        locale: en_US
@@ -31,6 +32,10 @@ data:
      endpoint_userinfo: https://sso.${domain}/userinfo
      endpoint_token: https://sso.${domain}/oauth2/token
      endpoint_end_session: ""
+      # If a WordPress account already exists with the same identity as a
+      # newly-authenticated user over OpenID Connect, login as that user
+      # instead of generating an error.
+      link_existing_users: "1"
      # After our SSO supports it, we should set this as the logout URL
      # https://open.greenhost.net/stackspin/single-sign-on/issues/28
      # endpoint_end_session: https://sso.${domain}/oauth2/sessions/logout

--- a/flux2/cluster/base/single-sign-on.yaml
+++ b/flux2/cluster/base/single-sign-on.yaml
@@ -22,6 +22,10 @@ spec:
      - kind: Secret
        name: stackspin-cluster-variables
  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: single-sign-on-database
+      namespace: stackspin
    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
      kind: HelmRelease
      name: single-sign-on

--- a/flux2/core/base/metallb/release.yaml
+++ b/flux2/core/base/metallb/release.yaml
@@ -11,7 +11,7 @@ spec:
      # https://artifacthub.io/packages/helm/bitnami/metallb
      # renovate: registryUrl=https://charts.bitnami.com/bitnami
      chart: metallb
-      version: 2.5.16
+      version: 2.6.0
      sourceRef:
        kind: HelmRepository
        name: bitnami

--- a/flux2/core/base/single-sign-on/kustomization.yaml
+++ b/flux2/core/base/single-sign-on/kustomization.yaml
@@ -4,5 +4,7 @@ kind: Kustomization
 namespace: stackspin
 resources:
  - pvc-database.yaml
-  - release.yaml
+  - single-sign-on-release.yaml
  - single-sign-on-values-configmap.yaml
+  - single-sign-on-database-release.yaml
+  - single-sign-on-database-values-configmap.yaml
--- a/flux2/core/base/single-sign-on/single-sign-on-database-release.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-database-release.yaml
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: single-sign-on-database
+spec:
+  releaseName: single-sign-on-database
+  chart:
+    spec:
+      # renovate: registryUrl=https://charts.bitnami.com/bitnami
+      chart: postgresql
+      version: 10.15.1
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h0m0s
+  install:
+    timeout: 10m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-single-sign-on-database-values
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-single-sign-on-database-override
+      optional: true
+    - kind: Secret
+      name: stackspin-single-sign-on-database-override
+      optional: true
--- a/flux2/core/base/single-sign-on/single-sign-on-database-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-database-values-configmap.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-single-sign-on-database-values
+data:
+  values.yaml: |
+    persistence:
+      enabled: true
+      existingClaim: single-sign-on-database
+    initdbScripts:
+      setup.sql: |
+        CREATE USER hydra WITH PASSWORD '${hydra_postgresql_password}';
+        CREATE USER kratos WITH PASSWORD '${kratos_postgresql_password}';
+        CREATE USER stackspin WITH PASSWORD '${dashboard_postgresql_password}';
+        CREATE DATABASE kratos WITH OWNER kratos;
+        CREATE DATABASE hydra WITH OWNER hydra;
+        CREATE DATABASE stackspin WITH OWNER stackspin;
--- a/flux2/core/base/single-sign-on/release.yaml
+++ b/flux2/core/base/single-sign-on/release.yaml
@@ -6,12 +6,12 @@ metadata:
 spec:
  releaseName: single-sign-on
  dependsOn:
-    - name: nginx
+    - name: single-sign-on-database
  chart:
    spec:
      # renovate: registryUrl=https://open.greenhost.net/api/v4/projects/8/packages/helm/stable
      chart: single-sign-on
-      version: 0.5.1
+      version: 0.7.0
      sourceRef:
        kind: HelmRepository
        name: single-sign-on

--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -11,19 +11,8 @@ data:
      user: ${admin_email}
      password: ${userbackend_admin_password}
      db:
-        password: ${userbackend_postgres_password}
+        hostname: single-sign-on-database-postgresql
+        password: ${dashboard_postgresql_password}
-    postgresql:
-      persistence:
-        existingClaim: single-sign-on-database
-      initdbScripts:
-        setup.sql: |
-          CREATE USER hydra WITH PASSWORD '${hydra_postgresql_password}';
-          CREATE USER kratos WITH PASSWORD '${kratos_postgresql_password}';
-          CREATE USER stackspin WITH PASSWORD '${dashboard_postgresql_password}';
-          CREATE DATABASE kratos WITH OWNER kratos;
-          CREATE DATABASE hydra WITH OWNER hydra;
-          CREATE DATABASE stackspin WITH OWNER stackspin;
    hydra-maester:
      # Watches the flux-system namespace because that is where the app
@@ -44,7 +33,7 @@ data:
          secrets:
            system:
              - "${hydra_system_secret}"
-          dsn: "postgres://hydra:${hydra_postgresql_password}@single-sign-on-postgresql:5432/hydra"
+          dsn: "postgres://hydra:${hydra_postgresql_password}@single-sign-on-database-postgresql:5432/hydra"
      ingress:
        public:
          enabled: true
@@ -66,7 +55,7 @@ data:
    kratos:
      kratos:
        config:
-          dsn: "postgres://kratos:${kratos_postgresql_password}@single-sign-on-postgresql:5432/kratos"
+          dsn: "postgres://kratos:${kratos_postgresql_password}@single-sign-on-database-postgresql:5432/kratos"
          serve:
            public:
              base_url: https://sso.${domain}/api/