Merge branch 'master' into ob

Author: wiktorchomikaccenture

.github/workflows/docs.yaml

@@ -10,8 +10,8 @@ jobs:
   deploy-docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - run: pip install mkdocs-material

.gitlab-ci.yml

@@ -8,8 +8,8 @@ stages:
   - initialization
   - test.template
   - test.smoke
-  - test.integration
   - test.examples
+  - test.integration
   - publish
   - push
   - release
@@ -116,8 +116,7 @@ r.release:
   script:
     - ci_scripts/release_charts.sh
   rules:
-    - if: $RELEASE == "true"
-    - if: '$CI_COMMIT_TAG !~ "/^$/"'
+    - if: $RELEASE == "true" && '$CI_COMMIT_TAG !~ "/^$/"'
 
 ################################################
 #   ______ _____ _   _          _
@@ -133,3 +132,9 @@ clean-k8s:
   script:
     - ci_scripts/cleanup_kubernetes.sh
   when: always
+
+delete-old-k8s:
+  stage: final
+  script:
+    - ci_scripts/cleanup_old_kubernetes.sh
+  when: always

DISCLAIMER

@@ -1,5 +1,5 @@
 /***************************************************************************
- * Copyright (C) 2022 Ping Identity Corporation
+ * Copyright (C) 2023 Ping Identity Corporation
  * All rights reserved.
  *
  *      Ping Identity Corporation

LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2022 Ping Identity Corp.
+   Copyright 2023 Ping Identity Corp.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

charts/ping-devops/Chart.yaml

@@ -4,11 +4,11 @@
 apiVersion: v2
 name: ping-devops
 ########################################################################
-# 0.9.9 - Refer to http://helm.pingidentity.com/release-notes/currentRelease
+# 0.9.11 - Refer to http://helm.pingidentity.com/release-notes/currentRelease
 ########################################################################
-version: 0.9.9
-description: Ping Identity helm charts - 1/03/2023
+version: 0.9.11
+description: Ping Identity helm charts - 3/03/2023
 type: application
 home: https://helm.pingidentity.com/
 icon: https://helm.pingidentity.com/img/logos/ping.png
-appVersion: "2212"
+appVersion: "2302"

charts/ping-devops/templates/NOTES.txt

@@ -26,11 +26,13 @@
     {{- $tag := ternary (toString .image.tag) "" .enabled }}
     {{- $workload := "" }}
     {{- if .workload }}
-      {{- $workload := ternary (ternary "dep" "sts" (eq .workload.type "Deployment")) "" .enabled }}
+      {{- $workload = ternary (ternary "dep" "sts" (eq .workload.type "Deployment")) "" .enabled }}
     {{- end }}
     {{- $numReplica := "" }}
     {{- if .container }}
-        {{- $numReplica := ternary (toString .container.replicaCount) "" .enabled }}
+        {{- if .container.replicaCount }}
+            {{- $numReplica = ternary (toString .container.replicaCount) "" .enabled }}
+        {{- end }}
     {{- end }}
     {{- $slash := ternary "/" "" .enabled }}
     {{- $cpur := "" }}
@@ -39,15 +41,15 @@
     {{- $meml := "" }}
     {{- if .container }}
         {{- if .container.resources }}
-            {{- $cpur := ternary (toString .container.resources.requests.cpu) "" .enabled }}
-            {{- $cpul := ternary (toString .container.resources.limits.cpu) "" .enabled }}
-            {{- $memr := ternary (toString .container.resources.requests.memory) "" .enabled }}
-            {{- $meml := ternary (toString .container.resources.limits.memory) "" .enabled }}
+            {{- $cpur = ternary (toString .container.resources.requests.cpu) "" .enabled }}
+            {{- $cpul = ternary (toString .container.resources.limits.cpu) "" .enabled }}
+            {{- $memr = ternary (toString .container.resources.requests.memory) "" .enabled }}
+            {{- $meml = ternary (toString .container.resources.limits.memory) "" .enabled }}
         {{- end }}
     {{- end }}
     {{- $ingEnabled := "" }}
     {{- if .ingress }}
-        {{- $ingEnabled := .enabled | ternary (ternary " √ " "" .ingress.enabled) "" }}
+        {{- $ingEnabled = .enabled | ternary (ternary " √ " "" .ingress.enabled) "" }}
     {{- end }}
 #  {{ printf $format $prodEnabled $prodName $tag $workload $numReplica $cpur $slash $cpul $memr $slash $meml $ingEnabled  }}
 {{- if .enabled }}

charts/ping-devops/templates/pingdirectory/service-load-balancer.yaml

@@ -0,0 +1,51 @@
+{{- $top := . -}}
+{{- $prodName := "pingdirectory" -}}
+{{- $mergedValues := merge (index $top.Values "pingdirectory") $top.Values.global -}}
+{{- $params := list $top $mergedValues -}}
+
+{{- if $mergedValues.services.loadBalancerServicePerPod -}}
+  {{- range $i := until (int $mergedValues.container.replicaCount) }}
+---
+{{ $podName := (print (include "pinglib.fullname" $params) "-" $i) -}}
+    {{- $hostname := (print (include "pinglib.fullname" $params) "-" $i $mergedValues.services.loadBalancerExternalDNSHostnameSuffix) -}}
+    {{- include "pingdirectory.service-load-balancer" (list $top $mergedValues $podName $hostname $podName)  -}}
+  {{- end -}}
+{{- end -}}
+
+
+{{- define "pingdirectory.service-load-balancer" -}}
+{{- $top := index . 0 -}}
+{{- $v := index . 1 -}}
+{{- $serviceName := index . 2 -}}
+{{- $hostname := index . 3 -}}
+{{- $podName := index . 4 -}}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- include "pinglib.metadata.labels" . | nindent 2  -}}
+  {{- if $v.annotations -}}
+    {{- include "pinglib.metadata.annotations" . | nindent 2 -}}
+  {{- else }}
+  annotations:
+  {{- end }}
+    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+    external-dns.alpha.kubernetes.io/hostname: {{ $hostname }}
+  name: {{ $serviceName }}
+spec:
+  type: LoadBalancer
+  selector:
+    statefulset.kubernetes.io/pod-name: {{ $podName }}
+  {{/* publishNotReadyAddresses must be true for pods to communicate via load balancers */}}
+  publishNotReadyAddresses: true
+  sessionAffinity: None
+  ports:
+  {{- range $serviceName, $val := $v.services }}
+  {{- if kindIs "map" $val }}
+  {{- if $val.loadBalancerService }}
+    - name: {{ $serviceName }}
+      port: {{ required "containerPort is required for services with loadBalancerService:true" $val.containerPort }}
+      protocol: {{ default "TCP" $val.protocol }}
+  {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end -}}

charts/ping-devops/templates/pingdirectoryproxy/env-vars.yaml

@@ -2,5 +2,9 @@
 
 
 {{- define "pingdirectoryproxy.env-vars" -}}
+{{- $top := index . 0 -}}
 data:
+  K8S_STATEFUL_SET_NAME: {{ include "pinglib.fullname" . }}
+  K8S_STATEFUL_SET_SERVICE_NAME: {{ include "pinglib.fullclusterservicename" . }}
+  LDAPS_PORT: {{ $top.Values.pingdirectoryproxy.services.ldaps.containerPort | quote }}
 {{- end -}}

charts/ping-devops/templates/pinglib/_hpa.tpl

@@ -1,7 +1,11 @@
 {{- define "pinglib.hpa.tpl" -}}
 {{- $top := index . 0 -}}
 {{- $v := index . 1 -}}
+{{- if semverCompare ">1.22" $top.Capabilities.KubeVersion.Version }}
+apiVersion: autoscaling/v2
+{{- else }}
 apiVersion: autoscaling/v2beta2
+{{- end }}
 kind: HorizontalPodAutoscaler
 metadata:
   {{ include "pinglib.metadata.labels" . | nindent 2  }}

charts/ping-devops/templates/pinglib/_service.tpl

@@ -13,6 +13,9 @@ metadata:
 {{- end }}
   name: {{ include "pinglib.fullname" . }}
 spec:
+  {{- if $v.services.useLoadBalancerForDataService }}
+  type: LoadBalancer
+  {{- end }}
   ports:
   {{- range $serviceName, $val := $v.services }}
   {{- if kindIs "map" $val }}

charts/ping-devops/values.yaml

@@ -179,7 +179,7 @@ global:
   # By default the images uses will be indicated by these
   # variables.  An example might look like:
   #
-  #   pingidentity/pingdataconsole:2212 (December, 2022)
+  #   pingidentity/pingdataconsole:2302 (February, 2023)
   #
   # @param    global.image.repository Default image registry
   # @desc     is not the fully-qualified name of the image
@@ -195,7 +195,7 @@ global:
   # @desc     Example: image.name: pingfederate
   #
   # @param    global.image.tag Default image tag
-  # @default  2212
+  # @default  2302
   #
   # @param    global.image.pullPolicy Default image pull policy
   # @default  IfNotPresent
@@ -204,7 +204,7 @@ global:
     repository: pingidentity
     repositoryFqn:
     name:
-    tag: "2212"
+    tag: "2302"
     pullPolicy: IfNotPresent
 
   ############################################################
@@ -297,6 +297,8 @@ global:
         runAsNonRoot: true
         runAsUser: 9031
         runAsGroup: 0
+        seccompProfile:
+          type: RuntimeDefault
     pingaccess:
       resources:
         limits:
@@ -310,6 +312,8 @@ global:
         runAsNonRoot: true
         runAsUser: 9031
         runAsGroup: 0
+        seccompProfile:
+          type: RuntimeDefault
 
   ############################################################
   # Services
@@ -320,11 +324,16 @@ global:
   #
   # @param    global.services.clusterExternalDNSHostname
   # @desc     Value for the external-dns.alpha.kubernetes.io/hostname annotation
+  # @desc     for the cluster service.
   # @default
   #
   # @param    global.services.clusterServiceName If set, then this name will
   # @desc     be used as the cluster service name (i.e clusterService == true).
   #
+  # @param    global.services.useLoadBalancerForDataService If true, the data service
+  # @desc     will be created with type: LoadBalancer.
+  # @default  false
+  #
   # @param    global.services.serviceName.dataService If true, a ClusterIP service is
   # @desc     created reachable within the cluster. A single IP is provided and the
   # @desc     service will round-robin across the backend containers
@@ -359,6 +368,7 @@ global:
   #    clusterService: true
   #  clusterExternalDNSHostname:
   #  clusterServiceName:
+  #  useLoadBalancerForDataService: false
 
 
   ############################################################
@@ -514,10 +524,9 @@ global:
       fsGroup: 0
       runAsUser: 9031
       runAsGroup: 0
-      # allowPrivilegeEscalation: false
-      # capabilities:
-      #   drop:
-      #   - ALL
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
 
   #############################################################
   # Horizontal Pod Autoscaling
@@ -605,7 +614,11 @@ global:
     #
     # See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
     ############################################################
-    securityContext: null
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
     # @param global.container.replicaCount Number of replicas for workload
     # @default 1
     replicaCount: 1
@@ -776,7 +789,7 @@ sidecars: {}
 # sidecars:
 #   logger:
 #     name: log-container
-#     image: pingidentity/pingtoolkit:2212
+#     image: pingidentity/pingtoolkit:2302
 #     volumeMounts:
 #       - mountPath: /tmp/logs/
 #         name: logger
@@ -793,7 +806,7 @@ initContainers: {}
 # initContainers:
 #   init-example:
 #     name: 01-init
-#     image: pingidentity/pingtoolkit:2212
+#     image: pingidentity/pingtoolkit:2302
 #     command: ['sh', '-c', 'echo "InitContainer 1"']
 
 #############################################################
@@ -840,6 +853,10 @@ ldap-sdk-tools:
   name: ldap-sdk-tools
   image:
     name: ldap-sdk-tools
+    repository: pingidentity
+    repositoryFqn:
+    tag: "2302"
+    pullPolicy: IfNotPresent
 
   container:
     command: "tail -f /dev/null"
@@ -1082,6 +1099,21 @@ pingdirectory:
   envs:
     MAKELDIF_USERS: "20000"
 
+  # @param    pingdirectory.services.serviceName.loadBalancerService If true, the
+  # @desc     per-Pod LoadBalancer services enabled with
+  # @desc     pingdirectory.services.loadBalancerServicePerPod will include this port.
+  # @default  false
+  #
+  # @param    pingdirectory.services.loadBalancerServicePerPod
+  # @desc     Set to true to create a separate LoadBalancer service for each individual
+  # @desc     Pod in the PingDirectory StatefulSet.
+  # @default  false
+  #
+  # @param    pingdirectory.services.loadBalancerExternalDNSHostnameSuffix
+  # @desc     Value used for the external-dns.alpha.kubernetes.io/hostname annotation
+  # @desc     for the LoadBalancer services. This value will be used as a suffix for
+  # @desc     the hostname for each individual pod when
+  # @desc     pingdirectory.services.loadBalancerServicePerPod is set to true.
   services:
     ldap:
       servicePort: 389
@@ -1092,12 +1124,18 @@ pingdirectory:
       containerPort: 1636
       dataService: true
       clusterService: true
+      loadBalancerService: true
     https:
       servicePort: 443
       containerPort: 1443
       ingressPort: 443
       dataService: true
+    replication:
+      containerPort: 8989
+      loadBalancerService: true
     clusterServiceName: pingdirectory-cluster
+    loadBalancerServicePerPod: false
+    #loadBalancerExternalDNSHostnameSuffix: .example.com
 
   ingress:
     hosts:
@@ -1614,6 +1652,10 @@ pd-replication-timing:
   name: pd-replication-timing
   image:
     name: pingtoolkit
+    repository: pingidentity
+    repositoryFqn:
+    tag: "2302"
+    pullPolicy: IfNotPresent
 
   envs:
     SERVER_PROFILE_URL: https://github.com/pingidentity/pingidentity-server-profiles.git
@@ -1632,6 +1674,10 @@ pingtoolkit:
   name: pingtoolkit
   image:
     name: pingtoolkit
+    repository: pingidentity
+    repositoryFqn:
+    tag: "2302"
+    pullPolicy: IfNotPresent
 
 #############################################################
 # testFramework
@@ -1733,5 +1779,9 @@ testFramework:
   #########################################################
   pod:
     securityContext:
+      fsGroup: 0
       runAsUser: 9031
       runAsGroup: 0
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault