feat: Add pre-upgrade hook to delete jobs

stable/dex/templates/pre-upgrade-delete-jobs.yaml

@@ -0,0 +1,74 @@
+# For upgrades to 2.12.3+.
+# Delete the Jobs created by the dex chart prior to upgrading. Priority class was added
+# to Job specs, which is an immutable field and requires the Job to be
+# deleted and recreated. After this release, we can remove this pre-upgrade hook because
+# TTL will be set on the Job to automatically clean it up after it runs.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "watch", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "dex.fullname" . }}-pre-upgrade
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "dex.fullname" . }}-delete-jobs
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "4"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ template "dex.fullname" . }}-delete-jobs
+    spec:
+      serviceAccountName: {{ template "dex.fullname" . }}-pre-upgrade
+      restartPolicy: OnFailure
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
+      containers:
+        - name: kubectl
+          image: "{{ .Values.kubectlImage }}"
+          command:
+            - sh
+            - -c
+            - kubectl delete jobs.batch -l 'app.kubernetes.io/component in (job-grpc-certs, job-web-certs),app.kubernetes.io/name=dex' --cascade=orphan -n {{ .Release.Namespace }}

stable/dex/values.yaml

@@ -24,6 +24,9 @@ priorityClassName: ""
 # it is required to set ttl for jobs to avoid immutable errors during upgrades if certain spec fields change
 ttlSecondsAfterFinished: 100
 
+# kubectl image to use for jobs
+kubectlImage: "bitnami/kubectl:1.26.4"
+
 tolerations: []
   # - key: CriticalAddonsOnly
   #   operator: Exists