Merge remote-tracking branch 'upstream/main'

README.md

@@ -1,20 +1,23 @@
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/zitadel)](https://artifacthub.io/packages/search?repo=zitadel)
 
-# ZITADEL
+# Zitadel
 
 ## A Better Identity and Access Management Solution
 
 Identity infrastructure, simplified for you.
 
-Learn more about ZITADEL by checking out the [source repository on GitHub](https://github.com/zitadel/zitadel)
+Learn more about Zitadel by checking out the [source repository on GitHub](https://github.com/zitadel/zitadel)
 
 ## What's in the Chart
 
-By default, this chart installs a highly available ZITADEL deployment.
+By default, this chart installs a highly available Zitadel deployment.
+
+The chart deploys a Zitadel init job, a Zitadel setup job and a Zitadel deployment.
+By default, the execution order is orchestrated using Helm hooks on installations and upgrades.
 
 ## Install the Chart
 
-Either follow the [guide for deploying ZITADEL on Kubernetes](https://zitadel.com/docs/self-hosting/deploy/kubernetes) or follow one of the example guides:
+Either follow the [guide for deploying Zitadel on Kubernetes](https://zitadel.com/docs/self-hosting/deploy/kubernetes) or follow one of the example guides:
 
 - [Insecure Postgres Example](examples/1-postgres-insecure/README.md)
 - [Secure Postgres Example](examples/2-postgres-secure/README.md)
@@ -25,9 +28,9 @@ Either follow the [guide for deploying ZITADEL on Kubernetes](https://zitadel.co
 
 ## Upgrade from v7
 
-The default ZITADEL version is now >= v2.55.
+The default Zitadel version is now >= v2.55.
 [This requires Cockroach DB to be at >= v23.2](https://zitadel.com/docs/support/advisory/a10009)
-If you are using an older version of Cockroach DB, please upgrade it before upgrading ZITADEL.
+If you are using an older version of Cockroach DB, please upgrade it before upgrading Zitadel.
 
 Note that in order to upgrade cockroach, you should not jump minor versions.
 For example:
@@ -39,11 +42,11 @@ helm upgrade db cockroachdb/cockroachdb --version 11.2.4 --reuse-values
 helm upgrade db cockroachdb/cockroachdb --version 12.0.5 --reuse-values
 # install Cockroach DB v24.1.1
 helm upgrade db cockroachdb/cockroachdb --version 13.0.1 --reuse-values
-# install ZITADEL v2.55.0
+# install Zitadel v2.55.0
 helm upgrade my-zitadel zitadel/zitadel --version 8.0.0 --reuse-values
 ```
 
-Please refer to the docs by Cockroach Labs. The ZITADEL tests run against the [official CockroachDB chart](https://artifacthub.io/packages/helm/cockroachdb/cockroachdb).
+Please refer to the docs by Cockroach Labs. The Zitadel tests run against the [official CockroachDB chart](https://artifacthub.io/packages/helm/cockroachdb/cockroachdb).
 
 (Credits to @panapol-p and @kleberbaum :pray:)
 
@@ -65,7 +68,7 @@ Please refer to the docs by Cockroach Labs. The ZITADEL tests run against the [o
 ## Upgrade from v5
 
 - CockroachDB is not in the default configuration anymore.
-  If you use CockroachDB, please check the host and ssl mode in your ZITADEL Database configuration section.
+  If you use CockroachDB, please check the host and ssl mode in your Zitadel Database configuration section.
 
 - The properties for database certificates are renamed and the defaults are removed.
   If you use one of the following properties, please check the new names and set the values accordingly:
@@ -79,9 +82,9 @@ Please refer to the docs by Cockroach Labs. The ZITADEL tests run against the [o
 
 ## Uninstalling the Chart
 
-The ZITADEL chart uses Helm hooks,
+The Zitadel chart uses Helm hooks,
 [which are not garbage collected by helm uninstall, yet](https://helm.sh/docs/topics/charts_hooks/#hook-resources-are-not-managed-with-corresponding-releases).
-Therefore, to also remove hooks installed by the ZITADEL Helm chart,
+Therefore, to also remove hooks installed by the Zitadel Helm chart,
 delete them manually:
 
 ```bash
@@ -96,7 +99,7 @@ done
 ### Debug Pod
 
 For troubleshooting, you can deploy a debug pod by setting the `zitadel.debug.enabled` property to `true`.
-You can then use this pod to inspect the ZITADEL configuration and run zitadel commands using the zitadel binary.
+You can then use this pod to inspect the Zitadel configuration and run zitadel commands using the zitadel binary.
 For more information, print the debug pods logs using something like the following command:
 
 ```bash 

charts/zitadel/Chart.yaml

@@ -2,9 +2,9 @@ apiVersion: v2
 name: zitadel
 description: A Helm chart for ZITADEL
 type: application
-appVersion: "v2.65.1"
-version: 8.5.1
-kubeVersion: ">= 1.21.0-0"
+appVersion: v2.67.2
+version: 8.11.2
+kubeVersion: '>= 1.21.0-0'
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:
   - name: zitadel

charts/zitadel/templates/debug_replicaset.yaml

@@ -32,6 +32,12 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       enableServiceLinks: false
       containers:
+      {{- if .Values.zitadel.extraContainers }}
+        {{- toYaml .Values.zitadel.extraContainers | nindent 8 }}
+      {{- end }}
+      {{- if .Values.zitadel.debug.extraContainers }}
+        {{- toYaml .Values.zitadel.debug.extraContainers | nindent 8 }}
+      {{- end }}
         - name: "{{ .Chart.Name }}-debug"
           securityContext:
             {{- toYaml .Values.securityContext | nindent 14 }}

charts/zitadel/templates/deployment.yaml

@@ -39,6 +39,12 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       enableServiceLinks: false
       containers:
+      {{- if .Values.zitadel.extraContainers }}
+        {{- toYaml .Values.zitadel.extraContainers | nindent 8 }}
+      {{- end }}
+      {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+      {{- end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 14 }}

charts/zitadel/templates/extra_manifests.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraManifests }}
+---
+{{ tpl (toYaml .) $ }}
+{{ end }}

charts/zitadel/templates/initjob.yaml

@@ -36,6 +36,12 @@ spec:
       enableServiceLinks: false
       restartPolicy: OnFailure
       containers:
+      {{- if .Values.zitadel.extraContainers }}
+        {{- toYaml .Values.zitadel.extraContainers | nindent 8 }}
+      {{- end }}
+      {{- if .Values.initJob.extraContainers }}
+        {{- toYaml .Values.initJob.extraContainers | nindent 8 }}
+      {{- end }}
         - name: "{{ .Chart.Name }}-init"
           securityContext:
             {{- toYaml .Values.securityContext | nindent 14 }}
@@ -127,9 +133,6 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.initJob.resources | nindent 14 }}
-        {{- if .Values.initJob.extraContainers }}
-        {{- toYaml .Values.initJob.extraContainers | nindent 8 }}
-        {{- end }}
       volumes:
       - name: zitadel-config-yaml
         configMap:

charts/zitadel/templates/service.yaml

@@ -10,18 +10,24 @@ metadata:
   {{- end }}
   labels:
     {{- include "zitadel.labels" . | nindent 4 }}
+    {{- with .Values.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   type: {{ .Values.service.type }}
   {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
   clusterIP: {{ .Values.service.clusterIP }}
   {{- end }}
+  {{- if and .Values.service.externalTrafficPolicy (eq .Values.service.type "LoadBalancer") }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: {{ .Values.service.port }}
       targetPort: 8080
       protocol: TCP
       name: {{ regexReplaceAll "\\W+" .Values.service.protocol "-" }}-server
       {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-      appProtocol: {{ .Values.service.protocol }}
+      appProtocol: {{ .Values.service.appProtocol }}
       {{- end }}
   selector:
     {{- include "zitadel.selectorLabels" . | nindent 4 }}

charts/zitadel/templates/setupjob.yaml

@@ -38,6 +38,12 @@ spec:
       enableServiceLinks: false
       restartPolicy: OnFailure
       containers:
+      {{- if .Values.zitadel.extraContainers }}
+        {{- toYaml .Values.zitadel.extraContainers | nindent 8 }}
+      {{- end }}
+      {{- if .Values.setupJob.extraContainers }}
+        {{- toYaml .Values.setupJob.extraContainers | nindent 8 }}
+      {{- end }}
         - name: "{{ .Chart.Name }}-setup"
           securityContext:
             {{- toYaml .Values.securityContext | nindent 14 }}
@@ -152,9 +158,6 @@ spec:
             {{- toYaml .Values.setupJob.resources | nindent 12 }}
           {{- end }}
       {{- end }}
-      {{- if .Values.setupJob.extraContainers }}
-        {{- toYaml .Values.setupJob.extraContainers | nindent 8 }}
-      {{- end }}
       volumes:
       - name: zitadel-config-yaml
         configMap:

charts/zitadel/values.yaml

@@ -73,6 +73,46 @@ zitadel:
     annotations:
       helm.sh/hook: pre-install,pre-upgrade
       helm.sh/hook-weight: "1"
+    extraContainers: []
+
+  # extraContainers allows you to add any sidecar containers you wish to use globally.
+  # Currently this is the Zitadel Deployment, Setup Job**, Init Job** and debug_replicaset**  **If Enabled
+  extraContainers: []
+    # # Example; You wish to deploy a cloud-sql-proxy sidecar to all deployments:
+    # - name: cloud-sql-proxy
+    #   image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.1
+    #   command:
+    #     - /cloud-sql-proxy
+    #   args:
+    #     - my-project:my-region:my-instance
+    #     - --port=5432
+    #     - --auto-iam-authn
+    #     - --health-check
+    #     - "--http-address=0.0.0.0"
+    #   ports:
+    #     - containerPort: 5432
+    #   startupProbe:
+    #     httpGet:
+    #       path: /startup
+    #       port: 9090
+    #     periodSeconds: 1
+    #     timeoutSeconds: 5
+    #   livenessProbe:
+    #     httpGet:
+    #       path: /liveness
+    #       port: 9090
+    #     initialDelaySeconds: 0
+    #     periodSeconds: 60
+    #     timeoutSeconds: 30
+    #     failureThreshold: 5
+    #   securityContext:
+    #     runAsNonRoot: true
+    #     readOnlyRootFilesystem: true
+    #     allowPrivilegeEscalation: false
+    #   lifecycle:
+    #     postStart:
+    #       exec:
+    #         command: ["/cloud-sql-proxy", "wait"]
 
 replicaCount: 3
 
@@ -141,9 +181,13 @@ service:
   type: ClusterIP
   # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
   clusterIP: ""
+  # If service type is "LoadBalancer", this can optionally be set to either "Cluster" or "Local"
+  externalTrafficPolicy: ""
   port: 8080
   protocol: http2
+  appProtocol: kubernetes.io/h2c
   annotations: {}
+  labels: {}
   scheme: HTTP
 
 ingress:
@@ -241,6 +285,9 @@ pdb:
   # maxUnavailable: 1
   annotations: {}
 
+# extraContainers allows you to add any sidecar containers you wish to use in the Zitadel pod.
+extraContainers: []
+
 networkPolicies:
   enabled: true
 
@@ -261,3 +308,14 @@ extraVolumeMounts: []
   #   mountPath: /etc/ssl/certs/myca.pem
   #   subPath: myca.pem
   #   readOnly: true
+
+# extraManifests allows you to add your own Kubernetes manifests
+# You can use templating logic like {{ .Release.Namespace }} and {{ .Values.replicaCount }} as long as your manifest is a valid YAML
+extraManifests: []
+  # - apiVersion: v1
+  #   kind: Secret
+  #   metadata:
+  #     name: {{ include "zitadel.fullname" . }}-my-secret
+  #   stringData:
+  #     key: value
+  #   type: Opaque