From 1fa0577ce4683c7d4a061598275e2a0dda81d4eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Wed, 14 Aug 2024 08:12:37 +0300 Subject: [PATCH] passmower: Cleanup --- passmower/.gitignore | 1 + passmower/README.md | 29 +- passmower/application-extras.yaml | 15 +- passmower/application.yaml | 659 ------------------------------ passmower/proxmox.yaml | 139 +++---- passmower/prusa.yaml | 25 +- passmower/texts.yml | 1 + passmower/values.yaml | 30 +- passmower/voron.yaml | 25 +- 9 files changed, 139 insertions(+), 785 deletions(-) create mode 100644 passmower/.gitignore delete mode 100644 passmower/application.yaml diff --git a/passmower/.gitignore b/passmower/.gitignore new file mode 100644 index 0000000..d02bd12 --- /dev/null +++ b/passmower/.gitignore @@ -0,0 +1 @@ +application.yaml diff --git a/passmower/README.md b/passmower/README.md index 7481460..56af473 100644 --- a/passmower/README.md +++ b/passmower/README.md 
@@ -1,3 +1,30 @@ +# Passmower + +Passmower provides magic login link based OIDC provider for all hackerspace services. +The link is sent via e-mail and Slack bot. +Passmower replaces previously used Samba (Active Directory) and +[Authelia](https://www.authelia.com/) combo as it provides Kubernetes native +declarative user and application management, +automatic OIDC secret provisioning within the cluster, +and more. + +For official documentation refer to +[github.com/passmower/passmower](https://github.com/passmower/passmower) + + +# For users + +To login and list the applications enrolled with Passmower visit +[auth.k-space.ee](https://auth.k-space.ee/) + +To add applications refer to the [official docs](https://github.com/passmower/passmower?tab=readme-ov-file#application-enrollment) + +For good examples refer to [Grafana](https://git.k-space.ee/k-space/kube/src/branch/master/grafana/application.yml) + +# For administrators + +Passmower was deployed with Helm chart: + ``` helm template --include-crds -n passmower passmower ../passmower/ -f passmower/values.yaml > passmower/application.yaml -``` \ No newline at end of file +``` diff --git a/passmower/application-extras.yaml b/passmower/application-extras.yaml index ceba4b4..bd0ab36 100644 --- a/passmower/application-extras.yaml +++ b/passmower/application-extras.yaml @@ -1,3 +1,4 @@ +--- apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: @@ -16,10 +17,10 @@ spec: entryPoints: - websecure routes: - - match: Host(`auth2.k-space.ee`) - kind: Rule - middlewares: - - name: auth2-redirect - services: - - kind: TraefikService - name: api@internal \ No newline at end of file + - match: Host(`auth2.k-space.ee`) + kind: Rule + middlewares: + - name: auth2-redirect + services: + - kind: TraefikService + name: api@internal diff --git a/passmower/application.yaml b/passmower/application.yaml deleted file mode 100644 index e8297a4..0000000 --- a/passmower/application.yaml +++ /dev/null 
@@ -1,659 +0,0 @@ ---- -# Source: passmower/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: passmower - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm ---- -# Source: passmower/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: oidcusers.codemowers.cloud -spec: - group: codemowers.cloud - names: - plural: oidcusers - singular: oidcuser - kind: OIDCUser - listKind: OIDCUserList - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - github: - type: object - properties: - company: - type: string - email: - type: string - emails: - type: array - items: - type: object - properties: - email: - type: string - primary: - type: boolean - default: false - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - enum: - - github.com - id: - type: integer - login: - type: string - name: - type: string - passmower: - type: object - properties: - company: - type: string - email: - type: string - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - name: - type: string - slack: - type: object - properties: - id: - type: string - spec: - type: object - required: - - type - properties: - companyEmail: - type: string - email: - type: string - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - type: - type: string - default: person - enum: - - person - - org - - service - - banned - - group - status: - type: object - properties: - conditions: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - emails: - 
type: array - items: - type: string - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - primaryEmail: - type: string - profile: - type: object - properties: - company: - type: string - name: - type: string - x-kubernetes-preserve-unknown-fields: true - slackId: - type: string - subresources: - status: {} - additionalPrinterColumns: - - name: Type - type: string - jsonPath: .spec.type - - name: Name - type: string - jsonPath: .status.profile.name - - name: Display e-mail - type: string - jsonPath: .status.primaryEmail - - name: Upstream IdP e-mail - type: string - jsonPath: .spec.github.emails[?(@.primary==true)].email - - name: GH ID - type: string - jsonPath: .spec.github.id - - name: Groups - type: string - jsonPath: .status.groups - conversion: - strategy: None ---- -# Source: passmower/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: oidcclients.codemowers.cloud -spec: - group: codemowers.cloud - names: - plural: oidcclients - singular: oidcclient - kind: OIDCClient - listKind: OIDCClientList - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - redirectUris - - grantTypes - - responseTypes - properties: - allowedCORSOrigins: - type: array - items: - type: string - allowedGroups: - type: array - items: - type: string - availableScopes: - type: array - default: - - openid - items: - type: string - enum: - - openid - - profile - - offline_access - displayName: - type: string - grantTypes: - type: array - items: - type: string - enum: - - implicit - - authorization_code - - refresh_token - idTokenSignedResponseAlg: - type: string - enum: - - PS256 - - RS256 - - ES256 - overrideIncomingScopes: - type: boolean - default: false - pkce: - type: boolean - default: true - redirectUris: - type: array - items: - 
type: string - responseTypes: - type: array - items: - type: string - enum: - - code id_token - - code - - id_token - - none - secretMetadata: - type: object - properties: - annotations: - type: object - x-kubernetes-preserve-unknown-fields: true - labels: - type: object - x-kubernetes-preserve-unknown-fields: true - secretRefreshPod: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - tokenEndpointAuthMethod: - type: string - enum: - - client_secret_basic - - client_secret_jwt - - client_secret_post - - private_key_jwt - - none - uri: - type: string - status: - type: object - properties: - conditions: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - instance: - type: string - subresources: - status: {} - additionalPrinterColumns: - - name: Instance - type: string - description: Passmower deployment which manages this client - jsonPath: .status.instance - - name: Uris - type: string - description: Redirect URLs configured for this client - jsonPath: .spec.redirectUris - - name: Allowed groups - type: string - description: Groups allowed to this client - jsonPath: .spec.allowedGroups - conversion: - strategy: None ---- -# Source: passmower/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: oidcmiddlewareclients.codemowers.cloud -spec: - group: codemowers.cloud - names: - plural: oidcmiddlewareclients - singular: oidcmiddlewareclient - kind: OIDCMiddlewareClient - listKind: OIDCMiddlewareClientList - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - properties: - allowedGroups: - type: array - items: - type: string - displayName: - type: string - headerMapping: - type: object - default: - email: Remote-Email - groups: Remote-Groups - name: Remote-Name - user: 
Remote-User - properties: - email: - type: string - groups: - type: string - name: - type: string - user: - type: string - uri: - type: string - status: - type: object - properties: - conditions: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - instance: - type: string - subresources: - status: {} - additionalPrinterColumns: - - name: Instance - type: string - description: Passmower deployment which manages this client - jsonPath: .status.instance - - name: Uri - type: string - description: URL configured for this client - jsonPath: .spec.uri - - name: Allowed groups - type: string - description: Groups allowed to this client - jsonPath: .spec.allowedGroups - conversion: - strategy: None ---- -# Source: passmower/templates/serviceaccount.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: passmower - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm -rules: - - verbs: - - get - - list - - watch - - create - - update - - patch - apiGroups: - - codemowers.cloud - resources: - - oidcusers - - oidcusers/status - - oidcclients - - oidcclients/status - - oidcmiddlewareclients - - oidcmiddlewareclients/status - - verbs: - - get - - create - - patch - - delete - apiGroups: - - '' - resources: - - secrets - - verbs: - - create - apiGroups: - - '' - resources: - - pods - - verbs: - - get - - create - - update - - patch - - delete - apiGroups: - - traefik.io - resources: - - middlewares ---- -# Source: passmower/templates/serviceaccount.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: passmower - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm 
-subjects: - - kind: ServiceAccount - name: passmower - namespace: passmower -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: passmower ---- -# Source: passmower/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: passmower - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower ---- -# Source: passmower/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: passmower - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 3 - selector: - matchLabels: - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - template: - metadata: - labels: - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - spec: - serviceAccountName: passmower - securityContext: - {} - containers: - - name: passmower - securityContext: - {} - image: "passmower/passmower:develop" - imagePullPolicy: Always - ports: - - containerPort: 3000 - name: http - - containerPort: 9090 - name: metrics - env: - - name: ISSUER_URL - value: https://auth.k-space.ee/ - - name: DEPLOYMENT_NAME - value: passmower - - name: GROUP_PREFIX - value: "k-space" - - name: ADMIN_GROUP - value: "k-space:onboarding" - - name: REQUIRED_GROUP - value: "" - - name: GITHUB_ORGANIZATION - value: "codemowers" - - name: ENROLL_USERS - value: "false" - - name: NAMESPACE_SELECTOR - value: "*" - - name: PREFERRED_EMAIL_DOMAIN - value: "k-space.ee" - - name: REQUIRE_CUSTOM_USERNAME - value: "true" - - name: NORMALIZE_EMAIL_ADDRESSES - value: "true" - 
- name: REDIS_URI - valueFrom: - secretKeyRef: - name: dragonfly-auth - key: REDIS_URI - envFrom: - - secretRef: - name: oidc-keys - - secretRef: - name: email-credentials - - secretRef: - name: github-client - - secretRef: - name: slack-client - readinessProbe: - httpGet: - path: /.well-known/openid-configuration - port: 3000 - httpHeaders: - - name: x-forwarded-for # suppress oidc-provider warning - value: https://auth.k-space.ee/ - - name: x-forwarded-proto # suppress oidc-provider warning - value: https - livenessProbe: - httpGet: - path: /health - port: 9090 - httpHeaders: - - name: x-forwarded-for # suppress oidc-provider warning - value: https://auth.k-space.ee/ - - name: x-forwarded-proto # suppress oidc-provider warning - value: https - initialDelaySeconds: 30 - periodSeconds: 3 - volumeMounts: - - mountPath: /app/tos - name: tos - - mountPath: /app/approval - name: approval - - mountPath: /app/src/views/custom/emails - name: email-templates - resources: - {} - volumes: - - name: tos - configMap: - name: passmower-tos - - name: approval - configMap: - name: passmower-approval - - name: email-templates - configMap: - name: passmower-email-templates ---- -# Source: passmower/templates/deployment.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: passmower-key-manager - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm -spec: - template: - spec: - serviceAccountName: passmower - containers: - - name: oidc-key-manager - image: "passmower/passmower:develop" - command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ] - restartPolicy: Never ---- -# Source: passmower/templates/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: passmower - labels: - helm.sh/chart: passmower-0.1.0 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - 
app.kubernetes.io/version: "0.1.0" - app.kubernetes.io/managed-by: Helm - annotations: - external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee - kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: "true" -spec: - tls: - - hosts: - - "*.k-space.ee" - secretName: - rules: - - host: "auth.k-space.ee" - http: - paths: - - path: "/" - pathType: Prefix - backend: - service: - name: passmower - port: - number: 80 ---- -# Source: passmower/templates/texts.yaml ---- diff --git a/passmower/proxmox.yaml b/passmower/proxmox.yaml index cc681da..bdfbce3 100644 --- a/passmower/proxmox.yaml +++ b/passmower/proxmox.yaml @@ -1,3 +1,4 @@ +# yamllint disable rule:line-length --- apiVersion: codemowers.cloud/v1beta1 kind: OIDCMiddlewareClient 
@@ -144,43 +145,43 @@ metadata: traefik.ingress.kubernetes.io/router.tls: "true" spec: rules: - - host: proxmox.k-space.ee - http: - paths: - - pathType: Prefix - path: / - backend: - service: - name: whoami - port: - number: 80 - - host: pve.k-space.ee - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: pve1 - port: - number: 8006 - - pathType: Prefix - path: "/" - backend: - service: - name: pve8 - port: - number: 8006 - - pathType: Prefix - path: "/" - backend: - service: - name: pve9 - port: - number: 8006 + - host: proxmox.k-space.ee + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: whoami + port: + number: 80 + - host: pve.k-space.ee + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: pve1 + port: + number: 8006 + - pathType: Prefix + path: "/" + backend: + service: + name: pve8 + port: + number: 8006 + - pathType: Prefix + path: "/" + backend: + service: + name: pve9 + port: + number: 8006 tls: - - hosts: - - "*.k-space.ee" + - hosts: + - "*.k-space.ee" --- apiVersion: traefik.io/v1alpha1 kind: Middleware @@ -200,13 +201,13 @@ spec: entryPoints: - websecure routes: - - match: Host(`proxmox.k-space.ee`) - kind: Rule - middlewares: - - name: proxmox-redirect - services: # Dirty workaround, service can't be empty - - kind: TraefikService - name: api@internal + - match: Host(`proxmox.k-space.ee`) + kind: Rule + middlewares: + - name: proxmox-redirect + services: # Dirty workaround, service can't be empty + - kind: TraefikService + name: api@internal --- apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -220,33 +221,33 @@ metadata: traefik.ingress.kubernetes.io/router.tls: "true" spec: rules: - - host: pve-internal.k-space.ee - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: pve1 - port: - number: 8006 - - pathType: Prefix - path: "/" - backend: - service: - name: pve8 - port: - number: 8006 - - pathType: Prefix - path: "/" - backend: - service: - name: pve9 - port: - number: 8006 + - host: pve-internal.k-space.ee + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: pve1 + port: + number: 8006 + - pathType: Prefix + path: "/" + backend: + service: + name: pve8 + port: + number: 8006 + - pathType: Prefix + path: "/" + backend: + service: + name: pve9 + port: + number: 8006 tls: - - hosts: - - "*.k-space.ee" + - hosts: + - "*.k-space.ee" --- apiVersion: traefik.io/v1alpha1 kind: Middleware diff --git a/passmower/prusa.yaml b/passmower/prusa.yaml index e5e33be..645fb40 100644 --- a/passmower/prusa.yaml +++ b/passmower/prusa.yaml @@ -1,3 +1,4 @@ +# yamllint disable rule:line-length --- apiVersion: codemowers.cloud/v1beta1 kind: OIDCMiddlewareClient @@ -38,16 +39,16 @@ metadata: external-dns.alpha.kubernetes.io/target: traefik.k-space.ee spec: rules: - - host: prusa.k-space.ee - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: prusa - port: - name: http + - host: prusa.k-space.ee + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: prusa + port: + name: http tls: - - hosts: - - "*.k-space.ee" + - hosts: + - "*.k-space.ee" diff --git a/passmower/texts.yml b/passmower/texts.yml index 0c769ac..ed51171 100644 --- a/passmower/texts.yml +++ b/passmower/texts.yml @@ -1,3 +1,4 @@ +# yamllint disable rule:line-length --- apiVersion: v1 kind: ConfigMap diff --git a/passmower/values.yaml b/passmower/values.yaml index fb3f832..39b54c4 100644 --- a/passmower/values.yaml +++ b/passmower/values.yaml 
@@ -1,3 +1,5 @@ +# yamllint disable rule:line-length +--- nameOverride: "" fullnameOverride: "" @@ -5,7 +7,7 @@ passmower: # Hostname on which Passmower will be deployed to. Will be used as ingress host. host: "auth.k-space.ee" # Local groups will be created with given prefix. - group_prefix: 'k-space' + group_prefix: 'k-space' # Local or remote group which members will automatically become admins. admin_group: 'k-space:onboarding' # If set, require all users to be member of the given local or remote group. @@ -17,7 +19,7 @@ passmower: # Comma-separated, wildcard enabled namespace selector to select, in which namespaces Passmower looks for client CRDs. namespace_selector: "*" # Domain which will be preferred for determining primary emails. - preferred_email_domain: 'k-space.ee' + preferred_email_domain: 'k-space.ee' # Require users to set a custom username instead of system generated one. Will be used as OIDCUser CRD name and OIDC username claim. require_custom_username: true # Normalize incoming email addresses by removing aliases (e.g. username+alias@gmail.com) etc. @@ -39,7 +41,7 @@ passmower: terms_of_service: configMapRef: name: passmower-tos - + redis: # Requires the Codemowers redis-operator to be installed: https://github.com/codemowers/operatorlib/tree/main/samples/redis-operator redisClaim: @@ -69,14 +71,9 @@ ingress: traefik.ingress.kubernetes.io/router.tls: "true" external-dns.alpha.kubernetes.io/target: traefik.k-space.ee external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" tls: - hosts: - "*.k-space.ee" - # - secretName: chart-example-tls - # hosts: - # - chart-example.local image: repository: passmower/passmower 
@@ -85,29 +82,12 @@ image: tag: "develop" podSecurityContext: {} - # fsGroup: 2000 securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 replicaCount: 3 resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi nodeSelector: {} diff --git a/passmower/voron.yaml b/passmower/voron.yaml index 1596e4b..a80f9af 100644 --- a/passmower/voron.yaml +++ b/passmower/voron.yaml @@ -1,3 +1,4 @@ +# yamllint disable rule:line-length --- apiVersion: codemowers.cloud/v1beta1 kind: OIDCMiddlewareClient @@ -38,16 +39,16 @@ metadata: external-dns.alpha.kubernetes.io/target: traefik.k-space.ee spec: rules: - - host: voron.k-space.ee - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: voron - port: - name: http + - host: voron.k-space.ee + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: voron + port: + name: http tls: - - hosts: - - "*.k-space.ee" + - hosts: + - "*.k-space.ee"
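Review bot: The hunk deletes the commented-out hardening hints but leaves `podSecurityContext: {}` and `securityContext: {}` as the effective values, so the Passmower pods run with no `runAsNonRoot`, no dropped capabilities and a writable root filesystem, and `resources: {}` leaves the OIDC provider with no limits at all. For the service that holds the token-signing keys and the mail/GitHub/Slack credentials (the deleted rendered manifest mounts them via `envFrom`), these fields should be set rather than removed as reminders; whether the image tolerates a read-only root filesystem and a non-root UID is not visible here, so confirm that against the image before enabling those two. The `tag: "develop"` context line at the top of the hunk is a related concern: a floating development tag combined with `imagePullPolicy: Always` (per the deleted manifest) means the identity provider can change on any pod restart without a reviewed commit, so pin a release tag or image digest. A starting point for values.yaml, reusing the sizes the deleted hints suggested:

```yaml
podSecurityContext:
  runAsNonRoot: true
  # runAsUser: 1000  # confirm the UID the image expects before setting

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true  # enable once confirmed the app does not write under /app at runtime

# … unchanged: replicaCount …

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    memory: 128Mi
```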