feat: Add priority to dex jobs (#1439)

* feat: Add priorityclass and ttl to dex jobs

* feat: Add pre-upgrade hook to delete jobs

* fix: Add trailing line

* fix: Remove ttl, select dex 2.11.1 jobs to delete

stable/dex/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: dex
-version: 2.12.2
+version: 2.12.3
 appVersion: 2.35.2
 description: Dex
 keywords:

stable/dex/templates/job-grpc-certs.yaml

@@ -28,6 +28,9 @@ spec:
 {{ toYaml .Values.certs.grpc.pod.annotations | trim | indent 8 }}
 {{- end }}
     spec:
+{{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+{{- end }}
       {{- if .Values.certs.securityContext.enabled }}
       securityContext:
         runAsUser: {{ .Values.certs.securityContext.runAsUser }}

stable/dex/templates/pre-upgrade-delete-jobs.yaml

@@ -0,0 +1,77 @@
+{{- if or .Values.certs.grpc.create .Values.certs.web.create }}
+# For upgrades from 2.11.1 to 2.12.3 (AKA DKP 2.5 to DKP 2.6)
+# To avoid unnecessarily rerunning the Jobs during upgrade within 2.6, select using the helm chart
+# version label to only delete the Jobs if they are on dex 2.11.1 (version shipped in DKP 2.5).
+# Delete the Jobs created by the dex chart prior to upgrading. Priority class was added
+# to Job specs, which is an immutable field and requires the Job to be
+# deleted and recreated. After this release, we can remove the pre-upgrade hook.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "watch", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "dex.fullname" . }}-pre-upgrade
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "dex.fullname" . }}-pre-upgrade
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "dex.fullname" . }}-delete-jobs
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "4"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ template "dex.fullname" . }}-delete-jobs
+    spec:
+      serviceAccountName: {{ template "dex.fullname" . }}-pre-upgrade
+      restartPolicy: OnFailure
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
+      containers:
+        - name: kubectl
+          image: "{{ .Values.kubectlImage }}"
+          command:
+            - sh
+            - -c
+            - kubectl delete jobs.batch -l 'app.kubernetes.io/component in (job-grpc-certs, job-web-certs),app.kubernetes.io/name=dex,helm.sh/chart=dex-2.11.1' --cascade=orphan -n {{ .Release.Namespace }}
+{{- end }}

stable/dex/values.yaml

@@ -21,6 +21,9 @@ initContainers: []
 
 priorityClassName: ""
 
+# kubectl image to use for jobs
+kubectlImage: "bitnami/kubectl:1.26.4"
+
 tolerations: []
   # - key: CriticalAddonsOnly
   #   operator: Exists