diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index d8dbb32aa4..d02be30fb2 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -75,7 +75,7 @@ dependencies: version: 11.10.13 repository: https://charts.bitnami.com/bitnami - name: oauth2-proxy - version: 7.12.18 + version: 7.15.1 repository: https://oauth2-proxy.github.io/manifests - name: opentelemetry-operator alias: otel-operator diff --git a/charts/oauth2-proxy/Chart.lock b/charts/oauth2-proxy/Chart.lock index c4f231969d..b862b7e0fe 100644 --- a/charts/oauth2-proxy/Chart.lock +++ b/charts/oauth2-proxy/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: redis repository: https://charts.bitnami.com/bitnami - version: 21.2.3 -digest: sha256:43cdc9bb861291fef9537f0d7186fc8db6eba1a42df5d23ddb9a39ac7917702e -generated: "2025-06-11T07:39:11.941597009Z" + version: 21.2.13 +digest: sha256:30d0d639dffab461d6ba8e398dca14de7c3f798a07111c851dc2b60d685bc24e +generated: "2025-07-31T07:39:57.497794176Z" diff --git a/charts/oauth2-proxy/Chart.yaml b/charts/oauth2-proxy/Chart.yaml index 4b14e7c09d..b2a6190c91 100644 --- a/charts/oauth2-proxy/Chart.yaml +++ b/charts/oauth2-proxy/Chart.yaml @@ -4,15 +4,15 @@ annotations: description: Updated the Redis chart to the latest version links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/pull/316 + url: https://github.com/oauth2-proxy/manifests/pull/327 apiVersion: v2 -appVersion: 7.9.0 +appVersion: 7.10.0 dependencies: - alias: redis condition: redis.enabled name: redis repository: https://charts.bitnami.com/bitnami - version: 21.2.3 + version: 21.2.13 description: A reverse proxy that provides authentication with Google, Github or other providers home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -36,4 +36,4 @@ name: oauth2-proxy sources: - https://github.com/oauth2-proxy/oauth2-proxy - https://github.com/oauth2-proxy/manifests -version: 7.12.18 +version: 7.15.1 
diff --git a/charts/oauth2-proxy/README.md b/charts/oauth2-proxy/README.md index 15b753972e..e64e1ad4f8 100644 --- a/charts/oauth2-proxy/README.md +++ b/charts/oauth2-proxy/README.md @@ -178,7 +178,8 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `podAnnotations` | annotations to add to each pod | `{}` | | `podLabels` | additional labels to add to each pod | `{}` | | `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | -| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | +| `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null | +| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 | | `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | | `priorityClassName` | priorityClassName | `nil` | | `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | 
@@ -199,6 +200,10 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | | `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | | `service.targetPort` | (optional) a numeric port number (e.g., 80) or a port name defined in the pod's container(s) (e.g., http) | `""` | +| `service.ipDualStack.enabled` | enable IPv4/IPv6 dual-stack for the service | `false` | +| `service.ipDualStack.ipFamilies` | ip families for the service if IPv4/IPv6 dual-stack is enabled | `["IPv6", "IPv4"]` | +| `service.ipDualStack.ipFamilyPolicy` | ip family policy for the service if IPv4/IPv6 dual-stack is enabled | `"PreferDualStack"` | +| `service.trafficDistribution` | traffic distribution policy for the service. See [Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution) | `""` | | `serviceAccount.enabled` | create a service account | `true` | | `serviceAccount.name` | the service account name | `` | | `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | diff --git a/charts/oauth2-proxy/charts/redis/Chart.yaml b/charts/oauth2-proxy/charts/redis/Chart.yaml index bc6f461f44..48e0cdc306 100644 --- a/charts/oauth2-proxy/charts/redis/Chart.yaml +++ b/charts/oauth2-proxy/charts/redis/Chart.yaml 
@@ -2,19 +2,19 @@ annotations: category: Database images: | - name: kubectl - image: docker.io/bitnami/kubectl:1.33.1-debian-12-r5 + image: docker.io/bitnami/kubectl:1.33.3-debian-12-r0 - name: os-shell - image: docker.io/bitnami/os-shell:12-debian-12-r46 + image: docker.io/bitnami/os-shell:12-debian-12-r48 - name: redis - image: docker.io/bitnami/redis:8.0.2-debian-12-r3 + image: docker.io/bitnami/redis:8.0.3-debian-12-r1 - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.74.0-debian-12-r0 + image: docker.io/bitnami/redis-exporter:1.74.0-debian-12-r2 - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:8.0.2-debian-12-r2 + image: docker.io/bitnami/redis-sentinel:8.0.3-debian-12-r1 licenses: Apache-2.0 tanzuCategory: service apiVersion: v2 -appVersion: 8.0.2 +appVersion: 8.0.3 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -36,4 +36,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 21.2.3 +version: 21.2.13 diff --git a/charts/oauth2-proxy/charts/redis/README.md b/charts/oauth2-proxy/charts/redis/README.md index e33dd3511b..6e5807729c 100644 --- a/charts/oauth2-proxy/charts/redis/README.md +++ b/charts/oauth2-proxy/charts/redis/README.md 
@@ -18,6 +18,17 @@ helm install my-release oci://registry-1.docker.io/bitnamicharts/redis Looking to use Redis® in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. +## ⚠️ Important Notice: Upcoming changes to the Bitnami Catalog + +Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new [Bitnami Secure Images initiative](https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications). As part of this transition: + +- Granting community users access for the first time to security-optimized versions of popular container images. +- Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes +- Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates. +- For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support. + +These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the [Bitnami Secure Images announcement](https://github.com/bitnami/containers/issues/83267). 
+ ## Introduction This chart bootstraps a [Redis®](https://github.com/bitnami/containers/tree/main/bitnami/redis) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -93,6 +104,17 @@ Bitnami will release a new chart updating its containers if a new version of the To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. +### Load custom modules in Redis® + +You can use the `commonConfiguration` parameter to specify the modules to load. For example, to load the RediSearch, RedisBloom, RedisJSON and RedisTimeSeries modules supported from Redis® 8+, you can set the following: + +```yaml +commonConfiguration: | + loadmodule /opt/bitnami/redis/lib/redis/modules/redisbloom.so + loadmodule /opt/bitnami/redis/lib/redis/modules/redisearch.so + loadmodule /opt/bitnami/redis/lib/redis/modules/rejson.so + loadmodule /opt/bitnami/redis/lib/redis/modules/redistimeseries.so + ### Bootstrapping with an External Cluster This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: diff --git a/charts/oauth2-proxy/charts/redis/templates/NOTES.txt b/charts/oauth2-proxy/charts/redis/templates/NOTES.txt index 7da2dedb1d..521849f821 100644 --- a/charts/oauth2-proxy/charts/redis/templates/NOTES.txt +++ b/charts/oauth2-proxy/charts/redis/templates/NOTES.txt 
@@ -2,7 +2,7 @@ CHART NAME: {{ .Chart.Name }} CHART VERSION: {{ .Chart.Version }} APP VERSION: {{ .Chart.AppVersion }} -Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. +NOTICE: Starting August 28th, 2025, only a limited subset of images/charts will remain available for free. Backup will be available for some time at the 'Bitnami Legacy' repository. More info at https://github.com/bitnami/containers/issues/83267 ** Please be patient while the chart is being deployed ** diff --git a/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml b/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml index 2fad466101..deb791a9a9 100644 --- a/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml +++ b/charts/oauth2-proxy/charts/redis/templates/scripts-configmap.yaml @@ -534,9 +534,9 @@ data: run_sentinel_command() { if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + redis-cli -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" else - redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@" + redis-cli -p "$REDIS_SENTINEL_PORT" sentinel "$@" fi } sentinel_failover_finished() { 
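Review bot: The new NOTICE tells the operator that versioned `docker.io/bitnami/*` tags move to `docker.io/bitnamilegacy` and stop receiving updates, yet this same chart pins exactly such tags with an empty `digest` (`bitnami/redis:8.0.3-debian-12-r1`, `bitnami/redis-sentinel`, `bitnami/kubectl`, `bitnami/os-shell` in the values.yaml hunks further down), so after the migration a fresh install either fails to pull or keeps running images that will never be patched, without telling anyone. The NOTES text should say what to do about it for this chart: override `image.registry`/`image.repository` (and the sentinel, metrics, kubectl, volumePermissions and sysctl images) to a registry you control or mirror, and pin `image.digest` so a re-tag on the public registry cannot silently change what runs. The date and scope of the migration are taken from the README hunk in this same change and are not verified independently.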
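Review bot: Dropping `-h "$REDIS_SERVICE"` makes both redis-cli calls in run_sentinel_command default to 127.0.0.1, i.e. the sentinel in this pod rather than whichever pod the ClusterIP service happened to route to, which is the right peer to ask about this pod's own role, but nothing in the script says so; add `# no -h: query the local sentinel on loopback, not the load-balanced service` above the `if`. For the TLS branch the sentinel certificate previously only had to match the service FQDN; if hostname verification is in effect for `redis-cli --tls` (I cannot confirm that from here), the certificate now also needs to cover localhost/127.0.0.1, and if sentinel is bound to the pod IP only, loopback connections will be refused, so this deserves a sentence in the chart's TLS documentation.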
@@ -545,8 +545,6 @@ data: [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" - {{ if .Values.auth.sentinel -}} # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" @@ -583,10 +581,45 @@ data: } is_master() { REDIS_ROLE=$(run_redis_command role | head -1) + echo "REDIS_ROLE: $REDIS_ROLE" [[ "$REDIS_ROLE" == "master" ]] } + {{- if .Values.sentinel.externalAccess.enabled }} + {{- if .Values.sentinel.externalAccess.service.loadBalancerIP }} + + SERVICE_NAMES="{{ + $fullname := include "common.names.fullname" . -}} + {{- range $i, $e := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ printf "%s-svc-%d" $fullname $i }} + {{- end }}" + SERVICE_IPS="{{- range $i, $ip := .Values.sentinel.externalAccess.service.loadBalancerIP -}} + {{- if $i }} {{ end }}{{ $ip }} + {{- end }}" + + + # Helper function to get IP by service name + get_service_ip() { + search_name="$1" + set -- $SERVICE_NAMES + for i in $(seq 1 $#); do + eval name=\${$i} + if [ "$name" = "$search_name" ]; then + set -- $SERVICE_IPS + eval echo \${$i} + return 0 + fi + done + return 1 + } + + SVC_NAME=$(hostname | sed 's/node/svc/g') + EXTERNAL_SERVICE="$SVC_NAME.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + {{- else }} HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- end }} + get_full_hostname() { hostname="$1" 
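Review bot: With `sentinel.externalAccess.enabled` false (the default) this hunk no longer defines `HEADLESS_SERVICE` at all: the formerly unconditional assignment now sits in the `else` of the inner `if .Values.sentinel.externalAccess.service.loadBalancerIP`, which is itself nested inside `if .Values.sentinel.externalAccess.enabled`, so get_full_hostname (whose body continues past the end of the hunk) presumably expands an empty `${HEADLESS_SERVICE}` and the master-host comparison in sentinel_failover_finished can never match. Collapse the two conditions so the fallback always runs: `{{- if and .Values.sentinel.externalAccess.enabled .Values.sentinel.externalAccess.service.loadBalancerIP }}` … `{{- else }}` `HEADLESS_SERVICE=…` `{{- end }}`, with a single `{{- end }}` instead of two. Separately, `SVC_NAME=$(hostname | sed 's/node/svc/g')` rewrites every occurrence of "node" in the pod name, so a release name containing "node" yields a name that `get_service_ip` (which builds `<fullname>-svc-<i>`) cannot find; `SVC_NAME="${HOSTNAME%-node-*}-svc-${HOSTNAME##*-node-}"` only rewrites the StatefulSet suffix, assuming pods are named `<fullname>-node-<ordinal>` as the sed implies. Since the script already relies on bash (`[[ ]]`, arrays), the `eval`/`set --` lookup in get_service_ip could be a plain indexed-array loop, and the added `echo "REDIS_ROLE: $REDIS_ROLE"` reads as leftover tracing.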
@@ -617,19 +650,30 @@ data: run_sentinel_command() { if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" + {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" else - {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@" + {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -p "$REDIS_SENTINEL_PORT" sentinel "$@" fi } + sentinel_failover_finished() { REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) + echo "REDIS_SENTINEL_INFO: $REDIS_SENTINEL_INFO" REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" + echo "REDIS_MASTER_HOST: $REDIS_MASTER_HOST" + {{- if .Values.sentinel.externalAccess.enabled }} + # Get the current service name and its IP + CURRENT_SERVICE_NAME="$SVC_NAME" + echo "CURRENT_SERVICE_NAME: $CURRENT_SERVICE_NAME" + CURRENT_SERVICE_IP=$(get_service_ip "$CURRENT_SERVICE_NAME") + echo "CURRENT_SERVICE_IP: $CURRENT_SERVICE_IP" + [[ "$REDIS_MASTER_HOST" != "$CURRENT_SERVICE_IP" ]] + {{- else }} + echo "REDIS_MASTER_HOST: $(get_full_hostname $HOSTNAME)" [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] + {{- end }} } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . 
}}.svc.{{ .Values.clusterDomain }}" - # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" @@ -867,4 +911,4 @@ data: exit fi done -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml b/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml index f54f3f9307..34f20250e4 100644 --- a/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml +++ b/charts/oauth2-proxy/charts/redis/templates/svc-external.yaml @@ -19,7 +19,9 @@ metadata: labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} pod: {{ $targetPod }} {{- if or - (ne $root.Values.sentinel.externalAccess.service.loadBalancerIPAnnotaion "") }} + (ne $root.Values.sentinel.externalAccess.service.loadBalancerIPAnnotaion "") + $root.Values.sentinel.externalAccess.service.annotations + $root.Values.sentinel.commonAnnotations }} {{- $loadBalancerIPAnnotaion := "" }} {{- if ne $root.Values.sentinel.externalAccess.service.loadBalancerIPAnnotaion ""}} {{- $loadBalancerIPAnnotaion = printf diff --git a/charts/oauth2-proxy/charts/redis/values.yaml b/charts/oauth2-proxy/charts/redis/values.yaml index 552421296c..48ffce4dd1 100644 --- a/charts/oauth2-proxy/charts/redis/values.yaml +++ b/charts/oauth2-proxy/charts/redis/values.yaml @@ -114,7 +114,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 8.0.2-debian-12-r3 + tag: 8.0.3-debian-12-r1 digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images 
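Review bot: In sentinel_failover_finished, `CURRENT_SERVICE_IP=$(get_service_ip "$CURRENT_SERVICE_NAME")` discards get_service_ip's non-zero return, so when the lookup fails (name absent from the loadBalancerIP-derived list) the variable is empty and `[[ "$REDIS_MASTER_HOST" != "" ]]` is true, reporting the failover as finished while this pod may still be the master. Fail closed instead: `CURRENT_SERVICE_IP=$(get_service_ip "$CURRENT_SERVICE_NAME") || { echo "no external IP known for $CURRENT_SERVICE_NAME"; return 1; }`, since a non-zero status is this function's "not finished" answer and presumably keeps the caller waiting. get_service_ip and SVC_NAME are defined earlier in the script, outside this hunk, and the caller of sentinel_failover_finished is outside it too. The added `echo "REDIS_SENTINEL_INFO: $REDIS_SENTINEL_INFO"` prints only the first array element (`${REDIS_SENTINEL_INFO[*]}` would show host and port), and these unconditional echoes should be removed or put behind a debug flag before release rather than left in the pre-stop path.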
@@ -1186,7 +1186,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 8.0.2-debian-12-r2 + tag: 8.0.3-debian-12-r1 digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images @@ -1785,7 +1785,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.74.0-debian-12-r0 + tag: 1.74.0-debian-12-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -2163,7 +2163,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 12-debian-12-r46 + tag: 12-debian-12-r48 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -2227,7 +2227,7 @@ kubectl: image: registry: docker.io repository: bitnami/kubectl - tag: 1.33.1-debian-12-r5 + tag: 1.33.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images @@ -2296,7 +2296,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 12-debian-12-r46 + tag: 12-debian-12-r48 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/oauth2-proxy/templates/poddisruptionbudget.yaml b/charts/oauth2-proxy/templates/poddisruptionbudget.yaml index 1fc8ecc005..c9521c5a46 100644 --- a/charts/oauth2-proxy/templates/poddisruptionbudget.yaml +++ b/charts/oauth2-proxy/templates/poddisruptionbudget.yaml @@ -11,5 +11,10 @@ spec: selector: matchLabels: {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} - minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} {{- end }} 
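Review bot: `{{- with ... }}` treats `0` as empty, so `maxUnavailable: 0` (no voluntary evictions allowed) and `minAvailable: 0` are silently dropped from the rendered PodDisruptionBudget, and nothing stops both keys being set at once even though the values comment says one must be null; Kubernetes then rejects the object at apply time, long after templating. Render each field whenever it is non-null and fail fast if both are given, using `kindIs "invalid"` and `fail`, as sketched below. The `{{- if ... }}` that gates creation of the PDB begins before this hunk and its closing `{{- end }}` is left as is.
```yaml
      {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
  {{- $pdb := .Values.podDisruptionBudget }}
  {{- if and (not (kindIs "invalid" $pdb.maxUnavailable)) (not (kindIs "invalid" $pdb.minAvailable)) }}
  {{- fail "podDisruptionBudget: set only one of maxUnavailable and minAvailable; the other must be null" }}
  {{- end }}
  {{- if not (kindIs "invalid" $pdb.maxUnavailable) }}
  maxUnavailable: {{ $pdb.maxUnavailable }}
  {{- end }}
  {{- if not (kindIs "invalid" $pdb.minAvailable) }}
  minAvailable: {{ $pdb.minAvailable }}
  {{- end }}
  # … unchanged: closing {{- end }} of the enabled guard …
```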
diff --git a/charts/oauth2-proxy/templates/service.yaml b/charts/oauth2-proxy/templates/service.yaml index ab63c0daa2..04d105caee 100644 --- a/charts/oauth2-proxy/templates/service.yaml +++ b/charts/oauth2-proxy/templates/service.yaml @@ -59,3 +59,10 @@ spec: {{- end }} selector: {{- include "oauth2-proxy.selectorLabels" . | indent 4 }} +{{- if .Values.service.ipDualStack.enabled }} + ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }} + ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.trafficDistribution }} + trafficDistribution: {{ .Values.service.trafficDistribution }} +{{- end }} diff --git a/charts/oauth2-proxy/values.yaml b/charts/oauth2-proxy/values.yaml index 3a2d4c8507..47e4d1bf7f 100644 --- a/charts/oauth2-proxy/values.yaml +++ b/charts/oauth2-proxy/values.yaml @@ -155,6 +155,15 @@ service: internalTrafficPolicy: "" # configure service target port targetPort: "" + # Configures the service to use IPv4/IPv6 dual-stack. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + # Configure traffic distribution for the service + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" ## Create or use ServiceAccount serviceAccount: @@ -297,8 +306,10 @@ enableServiceLinks: true ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## One of maxUnavailable and minAvailable must be set to null. podDisruptionBudget: enabled: true + maxUnavailable: null minAvailable: 1 ## Horizontal Pod Autoscaling
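Review bot: `ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }}` and `trafficDistribution: {{ .Values.service.trafficDistribution }}` are emitted as bare scalars, so an empty or YAML-special value renders as null or is re-typed instead of reaching the API server as the string the operator wrote; write `ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy | quote }}` and `trafficDistribution: {{ .Values.service.trafficDistribution | quote }}`. The default `ipFamilies: ["IPv6", "IPv4"]` makes IPv6 the primary family (per the Kubernetes dual-stack docs linked from the values comment, the first entry determines the family of the primary ClusterIP), which is a surprising default for the many IPv4-primary clusters and will be rejected where IPv6 is not configured; the values comment should spell this out, e.g. `# Order matters: the first family becomes the Service's primary ClusterIP family and must be one the cluster supports.`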