migrate to new passmower

This commit is contained in:
Erki Aas 2024-07-27 03:15:41 +03:00
parent ca623c11fd
commit 2e77813162
24 changed files with 1230 additions and 68 deletions


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: argocd
namespace: argocd


@ -84,7 +84,7 @@ configs:
oidc.config: |
name: OpenID Connect
issuer: https://auth2.k-space.ee/
issuer: https://auth.k-space.ee/
clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: sso
spec:


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: freescout
spec:
@ -14,8 +14,8 @@ spec:
name: Remote-Name
user: Remote-User
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: freescout
spec:
@ -34,11 +34,77 @@ spec:
- openid
- profile
pkce: false
secretRefreshPod:
apiVersion: v1
kind: Pod
spec:
volumes:
- name: tmp
emptyDir: {}
initContainers:
- name: jq
image: >-
alpine/k8s:1.24.16@sha256:06f8942d87fa17b40795bb9a8eff029a9be3fc3c9bcc13d62071de4cc3324153
command:
- /bin/bash
- '-c'
- >-
rm -fv /tmp/update.sql; jq
'{"name":"oauth.client_id","value":$ENV.OIDC_CLIENT_ID} | "UPDATE
options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq
'{"name":"oauth.client_secret","value":$ENV.OIDC_CLIENT_SECRET} |
"UPDATE options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq
'{"name":"oauth.auth_url","value":$ENV.OIDC_IDP_AUTH_URI} |
"UPDATE options SET value=\(.value + "?scope=openid+profile"
|tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r
>> /tmp/update.sql; jq
'{"name":"oauth.token_url","value":$ENV.OIDC_IDP_TOKEN_URI} |
"UPDATE options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq
'{"name":"oauth.user_url","value":$ENV.OIDC_IDP_USERINFO_URI}
| "UPDATE options SET value=\(.value|tostring|@sh) WHERE
name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
cat /tmp/update.sql
envFrom:
- secretRef:
name: oidc-client-freescout-owner-secrets
resources: {}
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
containers:
- name: mysql
image: mysql
command:
- /bin/bash
- '-c'
- >-
mysql -u kspace_freescout kspace_freescout -h 172.20.36.1
-p${MYSQL_PWD} < /tmp/update.sql
env:
- name: MYSQL_PWD
valueFrom:
secretKeyRef:
name: freescout-secrets
key: DB_PASS
resources: {}
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: IfNotPresent
restartPolicy: OnFailure
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: oidc-gateway
name: freescout
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
@ -92,7 +158,7 @@ spec:
spec:
containers:
- name: freescout
image: harbor.k-space.ee/k-space/freescout@sha256:de1a6c8bd1f285f6f6c61aa48921a884fe7a1496655b31c9536805397c01ee58
image: harbor.k-space.ee/k-space/freescout
ports:
- containerPort: 8080
env:
@ -153,7 +219,7 @@ spec:
spec:
containers:
- name: freescout-cron
image: harbor.k-space.ee/k-space/freescout@sha256:de1a6c8bd1f285f6f6c61aa48921a884fe7a1496655b31c9536805397c01ee58
image: harbor.k-space.ee/k-space/freescout
imagePullPolicy: Always
command:
- php
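Review bot: The init container in the new `secretRefreshPod` ends its command with `cat /tmp/update.sql`, which prints the rendered SQL — including the `oauth.client_secret` value taken from OIDC_CLIENT_SECRET — to stdout, so the client secret ends up in pod logs and any log pipeline that collects them; drop that trailing `cat`. The mysql container passes the password as `-p${MYSQL_PWD}`, which places it on the mysql process's command line even though the mysql client already reads the MYSQL_PWD environment variable, so `mysql -u kspace_freescout kspace_freescout -h 172.20.36.1 < /tmp/update.sql` is sufficient. `image: mysql` is untagged while the jq init container is pinned by digest, and the last two hunks of this file strip the `@sha256:` digest from the freescout image, so both the refresh pod and the application now float on mutable tags. The OIDCClient spec that holds this pod starts outside the hunk.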


@ -272,7 +272,7 @@ metadata:
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
traefik.ingress.kubernetes.io/router.middlewares: kubernetes-dashboard-sso@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
@ -289,3 +289,19 @@ spec:
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: sso
spec:
displayName: Kubernetes dashboard
uri: 'https://dashboard.k-space.ee'
allowedGroups:
- k-space:kubernetes:developers
- k-space:kubernetes:admins
headerMapping:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-Username
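Review bot: The Ingress annotation now references `kubernetes-dashboard-sso@kubernetescrd`, i.e. a Traefik Middleware named `sso` in the `kubernetes-dashboard` namespace, while the proxmox and prusa files in this commit reference the generated middlewares under the `passmower-` prefix (`passmower-prusa@kubernetescrd`); unless passmower creates the Middleware in the OIDCMiddlewareClient's own namespace for one and in its own namespace for the other, one of the two conventions is wrong. The new OIDCMiddlewareClient at the end of this section also has no `namespace:` in its metadata, so where its Middleware lands depends on how the file is applied; adding `namespace: kubernetes-dashboard` under `metadata:` makes the coupling explicit. As far as I recall Traefik disables a router whose middleware cannot be resolved rather than serving it unprotected, but that failure is only visible in Traefik's logs. The Ingress metadata in the first hunk starts outside the hunk.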


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: frontend
spec:


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: ui
spec:


@ -455,8 +455,8 @@ spec:
matchLabels:
app.kubernetes.io/name: kubelet
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: prometheus
spec:
@ -470,8 +470,8 @@ spec:
name: Remote-Name
user: Remote-Username
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: alertmanager
spec:


@ -54,8 +54,8 @@ spec:
configMap:
name: phpmyadmin
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: phpmyadmin
spec:


@ -17,8 +17,8 @@ spec:
class: ephemeral
capacity: 100Mi
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: nextcloud
spec:
@ -86,16 +86,16 @@ spec:
secretKeyRef:
name: oidc-client-nextcloud-owner-secrets
key: OIDC_CLIENT_SECRET
- name: OIDC_GATEWAY_AUTH_URI
- name: OIDC_IDP_AUTH_URI
valueFrom:
secretKeyRef:
name: oidc-client-nextcloud-owner-secrets
key: OIDC_GATEWAY_AUTH_URI
- name: OIDC_GATEWAY_URI
key: OIDC_IDP_AUTH_URI
- name: OIDC_IDP_URI
valueFrom:
secretKeyRef:
name: oidc-client-nextcloud-owner-secrets
key: OIDC_GATEWAY_URI
key: OIDC_IDP_URI
- name: UPLOAD_LIMIT
value: 10G
- name: MYSQL_USER
@ -265,11 +265,11 @@ data:
$CONFIG = array (
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'),
'oidc_login_provider_url' => getenv('OIDC_IDP_URI'),
'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
'oidc_login_auto_redirect' => true,
'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'),
'oidc_login_logout_url' => getenv('OIDC_IDP_URI'),
'oidc_login_end_session_redirect' => false,
'oidc_login_default_quota' => '250000000000',
'oidc_login_button_text' => 'Log in with OpenID',

3
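--- /dev/null
+++ b/passmower/README.md
@@ -0,0 +1,3 @@
+```
+helm template --include-crds -n passmower passmower ../passmower/ -f passmower/values.yaml > passmower/application.yaml
+```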

669
passmower/application.yaml Normal file

@ -0,0 +1,669 @@
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
---
# Source: passmower/templates/texts.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-email-templates
data:
link.subject: "Passmower login link"
link.txt: "Open the following link to log in: <%= url %>"
link.ejs: ""
tos.subject: "Terms of Service agreement confirmation"
tos.txt: ""
tos.ejs: ""
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcusers.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcusers
singular: oidcuser
kind: OIDCUser
listKind: OIDCUserList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
github:
type: object
properties:
company:
type: string
email:
type: string
emails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
enum:
- github.com
id:
type: integer
login:
type: string
name:
type: string
passmower:
type: object
properties:
company:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
name:
type: string
slack:
type: object
properties:
id:
type: string
spec:
type: object
required:
- type
properties:
companyEmail:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
type:
type: string
default: person
enum:
- person
- org
- service
- banned
- group
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
primaryEmail:
type: string
profile:
type: object
properties:
company:
type: string
name:
type: string
x-kubernetes-preserve-unknown-fields: true
slackId:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Type
type: string
jsonPath: .spec.type
- name: Name
type: string
jsonPath: .status.profile.name
- name: Display e-mail
type: string
jsonPath: .status.primaryEmail
- name: Upstream IdP e-mail
type: string
jsonPath: .spec.github.emails[?(@.primary==true)].email
- name: GH ID
type: string
jsonPath: .spec.github.id
- name: Groups
type: string
jsonPath: .status.groups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcclients
singular: oidcclient
kind: OIDCClient
listKind: OIDCClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- redirectUris
- grantTypes
- responseTypes
properties:
allowedCORSOrigins:
type: array
items:
type: string
allowedGroups:
type: array
items:
type: string
availableScopes:
type: array
default:
- openid
items:
type: string
enum:
- openid
- profile
- offline_access
displayName:
type: string
grantTypes:
type: array
items:
type: string
enum:
- implicit
- authorization_code
- refresh_token
idTokenSignedResponseAlg:
type: string
enum:
- PS256
- RS256
- ES256
overrideIncomingScopes:
type: boolean
default: false
pkce:
type: boolean
default: true
redirectUris:
type: array
items:
type: string
responseTypes:
type: array
items:
type: string
enum:
- code id_token
- code
- id_token
- none
secretMetadata:
type: object
properties:
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
secretRefreshPod:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
tokenEndpointAuthMethod:
type: string
enum:
- client_secret_basic
- client_secret_jwt
- client_secret_post
- private_key_jwt
- none
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uris
type: string
description: Redirect URLs configured for this client
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcmiddlewareclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcmiddlewareclients
singular: oidcmiddlewareclient
kind: OIDCMiddlewareClient
listKind: OIDCMiddlewareClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
properties:
allowedGroups:
type: array
items:
type: string
displayName:
type: string
headerMapping:
type: object
default:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-User
properties:
email:
type: string
groups:
type: string
name:
type: string
user:
type: string
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uri
type: string
description: URL configured for this client
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
rules:
- verbs:
- get
- list
- watch
- create
- update
- patch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
- oidcclients
- oidcclients/status
- oidcmiddlewareclients
- oidcmiddlewareclients/status
- verbs:
- get
- create
- patch
- delete
apiGroups:
- ''
resources:
- secrets
- verbs:
- create
apiGroups:
- ''
resources:
- pods
- verbs:
- get
- create
- update
- patch
- delete
apiGroups:
- traefik.io
resources:
- middlewares
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: passmower
namespace: passmower
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: passmower
---
# Source: passmower/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
---
# Source: passmower/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
template:
metadata:
labels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
spec:
serviceAccountName: passmower
securityContext:
{}
containers:
- name: passmower
securityContext:
{}
image: "passmower/passmower:develop"
imagePullPolicy: Always
ports:
- containerPort: 3000
name: http
- containerPort: 9090
name: metrics
env:
- name: ISSUER_URL
value: https://auth.k-space.ee/
- name: DEPLOYMENT_NAME
value: passmower
- name: GROUP_PREFIX
value: "k-space"
- name: ADMIN_GROUP
value: "k-space:onboarding"
- name: REQUIRED_GROUP
value: "github.com:foo:bar"
- name: GITHUB_ORGANIZATION
value: "codemowers"
- name: ENROLL_USERS
value: "false"
- name: NAMESPACE_SELECTOR
value: "*"
- name: PREFERRED_EMAIL_DOMAIN
value: "k-space.ee"
- name: REQUIRE_CUSTOM_USERNAME
value: "true"
- name: NORMALIZE_EMAIL_ADDRESSES
value: "true"
- name: REDIS_URI
valueFrom:
secretKeyRef:
name: dragonfly-auth
key: REDIS_URI
envFrom:
- secretRef:
name: oidc-keys
- secretRef:
name: email-credentials
- secretRef:
name: github-client
- secretRef:
name: slack-client
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
livenessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
initialDelaySeconds: 5
periodSeconds: 1
volumeMounts:
- mountPath: /app/tos
name: tos
- mountPath: /app/approval
name: approval
- mountPath: /app/src/views/custom/emails
name: email-templates
resources:
{}
volumes:
- name: tos
configMap:
name: passmower-tos
- name: approval
configMap:
name: passmower-approval
- name: email-templates
configMap:
name: passmower-email-templates
---
# Source: passmower/templates/deployment.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: passmower-key-manager
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
template:
spec:
serviceAccountName: passmower
containers:
- name: oidc-key-manager
image: "passmower/passmower:develop"
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
restartPolicy: Never
---
# Source: passmower/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
annotations:
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- hosts:
- "*.k-space.ee"
secretName:
rules:
- host: "auth.k-space.ee"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: passmower
port:
number: 80
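Review bot: Both the Deployment and the key-manager Job run `image: "passmower/passmower:develop"` with `imagePullPolicy: Always`, so the identity provider that signs tokens for every client in the cluster is redeployed from whatever the mutable `develop` tag resolves to at pull time; pin a release tag plus an `@sha256:` digest, as the freescout jq init container in this same commit does. `REQUIRED_GROUP` is rendered as `"github.com:foo:bar"` and `GITHUB_ORGANIZATION` as `"codemowers"`, which look like chart defaults rather than k-space values — if REQUIRED_GROUP is enforced no user can satisfy it — so confirm against passmower/values.yaml, which is cut off in this view. The `passmower-email-templates` ConfigMap is declared here with empty `tos.txt`/`tos.ejs`/`link.ejs` and declared again with full templates in passmower/texts.yml, so which version is live depends on apply order; keep a single definition. The ClusterRole grants get/create/patch/delete on `secrets` in every namespace, presumably required for client-secret management under `NAMESPACE_SELECTOR: "*"`, but since that amounts to cluster-wide secret read it deserves a comment such as `# cluster-wide secret access: passmower writes OIDC client secrets into every selected namespace`.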

34
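--- /dev/null
+++ b/passmower/dragonfly.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+name: dragonfly-auth
+namespace: passmower
+spec:
+size: 32
+mapping:
+- key: password
+value: "%(plaintext)s"
+- key: REDIS_URI
+value: "redis://:%(plaintext)s@redis"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+name: redis
+namespace: passmower
+status:
+phase: ready
+spec:
+authentication:
+passwordFromSecret:
+key: password
+name: dragonfly-auth
+replicas: 3
+resources:
+limits:
+cpu: 600m
+memory: 750Mi
+requests:
+cpu: 500m
+memory: 500Mi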
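Review bot: The Dragonfly manifest carries a `status:` block (`phase: ready`) between `metadata:` and `spec:`; status is owned by the controller and is ignored or rejected on apply, so these two lines are dead configuration that misstate the desired state — remove them. The SecretClaim interpolates the generated password unescaped into `redis://:%(plaintext)s@redis`, which is only safe if the generator never emits characters that need URL-encoding; presumably `size: 32` yields a plain alphanumeric value, but that is worth confirming against the SecretClaim controller.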


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: proxmox
spec:
@ -10,8 +10,8 @@ spec:
- k-space:floor
- k-space:friends
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: proxmox
spec:
@ -95,7 +95,7 @@ kind: Service
metadata:
name: pve1
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve1.proxmox.infra.k-space.ee
@ -109,7 +109,7 @@ kind: Service
metadata:
name: pve8
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve8.proxmox.infra.k-space.ee
@ -123,7 +123,7 @@ kind: Service
metadata:
name: pve9
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve9.proxmox.infra.k-space.ee
@ -140,7 +140,7 @@ metadata:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-proxmox@kubernetescrd,oidc-gateway-proxmox-redirect@kubernetescrd
traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd,passmower-proxmox-redirect@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
@ -200,7 +200,7 @@ metadata:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-codemowers-cloud-ip-whitelist@kubernetescrd
traefik.ingress.kubernetes.io/router.middlewares: passmower-codemowers-cloud-ip-whitelist@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
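Review bot: The annotations in the last four hunks now reference `passmower-proxmox-servers-transport`, `passmower-proxmox-redirect` and `passmower-codemowers-cloud-ip-whitelist`, i.e. objects in the `passmower` namespace, but nothing in this commit creates a ServersTransport, redirect Middleware or IP-whitelist Middleware there; if those were hand-made in the old `oidc-gateway` namespace they must be recreated or the routers that depend on them will not come up. The same rename applies to the `passmower-prusa@kubernetescrd` annotation in the prusa file. The Ingress and Service definitions in these hunks start outside the hunks.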


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: prusa
spec:
@ -33,7 +33,7 @@ metadata:
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-prusa@kubernetescrd
traefik.ingress.kubernetes.io/router.middlewares: passmower-prusa@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:

180
passmower/texts.yml Normal file

@ -0,0 +1,180 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-tos
data:
tos.md: |
Rules
Also known as code of conduct, guidelines, member vows, values etc. Please keep em' on one wiki page. Canonical URL shall be [k-space.ee/rules](http://k-space.ee/rules) which will redirect to right wiki page.
These rules were approved 30. October 2020. Current version contains minor corrections. For future amendments of the rules please put your ideas and thoughts into [pad.k-space.ee/p/rules](https://pad.k-space.ee/p/rules), they will be taken into account during next General Assembly.
Upon becoming a member I solemny swear that
1. **Who's who**
- I acknowledge the management of the hackerspace is governed by K-SPACE MTÜ (non-profit organization), it's [charter](/pohikiri_80397632_716212.pdf) and [Non-profit Associations Act](https://www.riigiteataja.ee/en/eli/528052020003/consolide)
- I acknowledge there are different membership forms listed under [membership#packages](/about/membership#packages) which can be largely broken down to affiliates (Regulars, Associates, Residents) who are at the hackerspace to make use of some services and members who are more involved in making the hackerspace happen.
- I acknowledge that in order to participate in the K-SPACE MTÜ management processes I need to obtain the [Member Tier](/about/membership#member-tier) status, note that this is different from the 'Member package' which was renamed to 'Associate tier' in October of 2020 in order to clarify what member of an non-profit association means.
- Among the ['Member Tier'](https://members.k-space.ee/?filter=resident-member&filter=associate-member) people the board is elected which represents K-SPACE MTÜ in legal matters such as getting bills paid, signing rental contracts and so forth. Currently board members include Erki Naumanis only. Bearing the responsibility also means that board has the final word in many cases.
- I acknowledge K-SPACE MTÜ is renting rooms from SA Tallinna Teaduspark Tehnopol. The rental agreement imposes numerous conditions and constraints due to safety reasons. Eg corridors must be kept accessible and free of flammable materials.
1. **Stay positive.**
- I will set up a recurring payment (püsikorraldus) or pay up front in bulk.
- I will not go in debt.
- I acknowledge failing to pay membership fees for 2 months results in door access cancellation.
- I will mark my payments clearly and consistenly with my full name, so the payments can be automatically procesed.
1. **Clarity not obscurity.**
- I will mark my equipment, server, locker, desk with my full name, phone number and e-mail.
- I acknowledge that my unlabelled stuff will be unplugged.
- Before asking questions I will familiarize myself [how to ask questions](https://www.khanacademy.org/computing/computer-programming/programming/becoming-a-community-coder/a/ask-for-program-help) and provide enough details.
1. **Communication is vital**
- I will proactively communicate need to cancel or pause my subscription, e.g. in case of being unable to pay.
- Upon leaving I will vacate the locker and return any keys given to me.
- I acknowledge Slack is primary communications platform for K-SPACE MTÜ. This is mainly due to wanting to have a way to communicate even if all the selfhosted infra is down. I will request access to the channel from any of the onboarders. I will not complain about being left out of the loop about changes etc if I am not on the #members channel.
1. **Access controls**
- I acknowledge primary method of accessing the floor is by using some of my own NFC cards (eg green Ühiskaart) or keyfobs.
- I will get my token registered in the door system of the day. To be on the safe side I will register multiple cards and/or keyfobs.
- I acknowledge Slack bot for opening the doors supplements the primary one, eg I can get in if I have forgot my card at home.
- I acknowledge that when it comes to security of doorcards it's nonexistant. I will not make copies of my card or distribute it's unique identifier sequence.
1. **Treat as your own -- with care**
- I will do my best to take care of the equipment and the space.
- I acknowledge that I must turn off the lights and leave windows in microventilation mode when I am the last one to leave.
- In case of equiment breakage I will notify info@k-space.ee immediately for resolution options. Any K-SPACE MTÜ owned equiment replacements must be purchased by K-SPACE MTÜ, see below under 'Regarding the toys' why.
- Upon losing (physical metal) key I will compensate 10EUR to K-SPACE MTÜ for it
1. **Contributions are welcome**
- I acknowledge that my immaterial contributions (e.g. building something for the hackerspace or helping others) doesn't compensate my membership fees. The only discount option is the 'Student discount'. Flexing with your contributions on your CV is OK.
- Before bringing any items for donation I will consult with a board member. K-SPACE is not my free (e-)junk disposal station.
- Donations don't compensate for my membership fees. K-SPACE MTÜ still needs to pay rent and electricity bills.
1. **Underpromise, overdeliver**
- I acknowledge there are many fun activities I want to be part of.
- I acknowledge I have obligations elsewhere as well (eg school, work, family).
- I will do my best to fulfill what I have promised to other members.
- I will rather say no in first place than say yes and fail to fulfill the promise.
- I will let the relying party know as soon as possible if I am not able to handle something I promised to do.
1. **Regarding the toys**
- I acknowledge I can bring my own equipment to hackerspace for common use. I acknowledge many others already do that. Lasercutter, CNC cutter, and many power tools are not owned by K-SPACE MTÜ. I take extra care of other members' equipment and before making use of them request training from the machine owner.
- I agree not to utilise any tool or piece of equipment unless I am competent in its use (and have completed induction/training where necessary) or are under the direct supervision of a competent user.
- I agree that the space is a potentially dangerous environment and that I may be exposed to various risks as a result of work undertaken by me or others. Notwithstanding all reasonable attempts by K-Space to ensure the safety of me and others, I agree to the full extent permitted by law to assume complete responsibility for my own actions and their consequences.
- If I think some new equipment would be useful for the space to be purchased by K-SPACE MTÜ I will make a suggestion to K-SPACE MTÜ board via board@k-space.ee.
- If I want to build something for the hackerspace I will consult with a board member for the compensation of materials.
- I acknowledge that my membership fees contribute towards refreshing equipment in common use, that is soldering irons, switches in server room etc.
- Purchases related to the hackerspace must be made by K-SPACE MTÜ.
- This is the clearest option from accounting perspective.
- It's also important that so any warranty, receipts and other documents would be correctly assigned to K-SPACE MTÜ and usable should you give up your membership at some point.
- Preferred option is to ask for proforma invoice for K-SPACE MTÜ, Akadeemia tee 21/1 and send it to info@k-space.ee - the payment will be executed by a board member.
- In case of Internet shops ask for the credit card from a board member.
1. **No borrowing or lending equipment**
- I acknowledge that equipment provided by K-SPACE MTÜ or it's members is for on-prem use only
- I will not take any of the equipment with me
- Only exception to this is workshops happening outside (eg visiting Robotex, Lapikud, IT College etc)
- I will notify info@k-space.ee about what I am going to take with me and why
- I will return equipment immediately after the event
- I acknowledge that this rule is due to numerous occasions people forgetting to return borrowed stuff
1. **Sharing is caring**
- I acknowledge that flexidesks also known as hot desks (8 desks in the middle of big room with projector) are to be cleaned by the end of the day.
- Sometimes exprompt events are scheduled in the room - I will not leave my stuff on flexidesks over night. If I come in often I can leave my screen and keyboard on one of the desks near the window.
- I acknowledge that for more persistent setup I should really switch to resident tier
1. **Being Mindful**
- While being active in the hackerspace I will make sure that my activites are not disturbing others, my activites are not causing exess financial drain on the K-SPACE MTÜ.
- Wearing earphones is generally sign of working on something and not wanting to be interrupted.
- I will act frugal. For example running additional servers without paying or running Bitcoin miner on the expense of K-SPACE MTÜ is NOT okay.
- Causing interruptions in the server room operation during working hours is NOT okay. Designated timeslot for disruptive changes is Thursday 19:00 until Friday 6:00. I recognize that occasionally hardware fails and non-disruptive changes might turn into disruptive outside that timeslot.
- I will not smoke inside the hackerspace rooms. I will exit the building for a cigarette.
1. **Striving for improvement***
- I acknowledge that hackerspace is a vague term ranging from anarchocommunist potsmoking to <a href="https://www.fablab.berlin/">fullblown commercial operation</a>.
- I will do my best to educate myself about <a href="https://github.com/0x20/hackerspace-blueprint/releases/latest/download/hackerspace-blueprint.pdf">hackerspace and makerspace</a> scene in general and I will not indulge in flamewars.
1. **Lock and stock**
- I acknowledge one locker is available for me for no charge with supporter and member tiers.
- I acknowledge that if would switch to resident tier I would be not eligible for a free locker as I would already have whole desk for my stuff
- I acknowledge additional lockers are available for 10EUR per month.
1. **Run the jewels**
- I will not make use of a blade server without legit reason, eg running hypervisor host. For single web application obtain VM from our Proxmox cluster.
- I will shut down machine not in use and I will make sure it stays shut. It's recurring issue that servers that have been shut down are discovered powered on again, eg in BIOS make sure it says 'last state' not 'always on' or even better disconnect power.
1. **Community FTW!**
- I acknowledge that people who take time to deal with me are not paid, they do it voluntarily off their free time for sh\*ts and giggles.
- They still pay membership fees.
- I will treat them and their time with respect.
- I will not become a burden for them.
- I acknowledge rules above are not exhaustive.
- I will do my best to act in good faith and not try to work around the rules.
- I accept that there will always be certain amount chaos at the hackerspace.
**Disclaimer**: Lauri (K-SPACE founder) believes that:
* a) we can have a hackerspace that is not utter chaos
* b) that is financially in order
* c) offers friendly/flexible pricing for students
* d) keeps doors open for companies and startups
* e) allows reasonable buffer for experimentation.
Lauri's favourite example hackerspaces include [AFRA](https://wiki.hackerspaces.org/AFRA) and [Raumfahrtagentur](https://wiki.hackerspaces.org/Raumfahrtagentur)
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-approval
data:
approval.txt: |
Dear User,
Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee
Also see https://www.k-space.ee/
Best regards, K-Space MTÜ
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-email-templates
data:
tos.txt: |
Hi, <%= name %>!
You agreed with the Terms of Service at <%= timestamp %>
Content SHA256 hash: <%= hash %>
Best regards,
K-Space MTÜ
tos.ejs: |
<div>
<p>Hi, <%= name %>!</p>
<p>You agreed with the following Terms of Service at <%= timestamp %></p>
<p>Content SHA256 hash: <%= hash %></p>
<blockquote>
<%- content -%>
</blockquote>
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
tos.subject: |
Terms of Service agreement confirmation
link.txt: |
Open the following link to log in: <%= url %>
Best regards,
K-Space MTÜ
link.ejs: |
<div>
<p>Open the following link to log in: <%= url %></p>
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
link.subject: |
auth2.k-space.ee login link
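Review bot: `link.subject` still reads `auth2.k-space.ee login link` while the Deployment's `ISSUER_URL` and the Ingress host in passmower/application.yaml are `auth.k-space.ee`, so login e-mails will name a host other than the one the link points to; change it to `auth.k-space.ee login link` or drop the hostname from the subject. `tos.subject` and `link.subject` use `|`, which keeps a trailing newline in a value used as a mail subject line; `|-` is the better form for a one-line value.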

92
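--- /dev/null
+++ b/passmower/users.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCUser
+metadata:
+  name: eaas
+spec:
+  type: person
+  email: erkiaas@gmail.com
+  companyEmail: eaas@k-space.ee
+  groups:
+    - name: floor
+      prefix: k-space
+    - name: proxmox:admins
+      prefix: k-space
+    - name: kubernetes:admins
+      prefix: k-space
+    - name: onboarding
+      prefix: k-space
+    - name: youtube
+      prefix: k-space
+    - name: gitlab
+      prefix: k-space
+    - name: legalmember
+      prefix: k-space
+    - name: matomo
+      prefix: k-space
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCUser
+metadata:
+  name: lauri
+spec:
+  type: person
+  email: lauri.vosandi@gmail.com
+  companyEmail: lauri@k-space.ee
+  groups:
+    - name: board
+      prefix: k-space
+    - name: info
+      prefix: k-space
+    - name: workshop
+      prefix: k-space
+    - name: floor
+      prefix: k-space
+    - name: kubernetes:admins
+      prefix: k-space
+    - name: proxmox:admins
+      prefix: k-space
+    - name: youtube
+      prefix: k-space
+    - name: facebook
+      prefix: k-space
+    - name: instagram
+      prefix: k-space
+    - name: gitlab
+      prefix: k-space
+    - name: legalmember
+      prefix: k-space
+    - name: onboarding
+      prefix: k-space
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCUser
+metadata:
+  name: rasmus
+spec:
+  type: person
+  email: github@c7.ee
+  companyEmail: rasmus@k-space.ee
+  groups:
+    - name: info
+      prefix: k-space
+    - name: onboarding
+      prefix: k-space
+    - name: workshop
+      prefix: k-space
+    - name: floor
+      prefix: k-space
+    - name: proxmox:admins
+      prefix: k-space
+    - name: kubernetes:developers
+      prefix: k-space
+    - name: kubernetes:admins
+      prefix: k-space
+    - name: instagram
+      prefix: k-space
+    - name: facebook
+      prefix: k-space
+    - name: youtube
+      prefix: k-space
+    - name: gitlab
+      prefix: k-space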
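Review bot: The three OIDCUser objects carry no comment saying what this file is, and it matters: with `enroll_users: false` in this commit's values.yaml these Git-managed entries appear to be the only accounts the new Passmower instance starts with, so the file is effectively the bootstrap access list for the cluster's SSO. All three users are members of `onboarding` under the `k-space` prefix, which values.yaml names as `admin_group: 'k-space:onboarding'`, so each of them presumably becomes a Passmower admin — easy to miss when the list reads like ordinary group membership. Personal mailboxes (gmail.com, c7.ee) are committed as the login `email`, which is fine for a public infra repo only if that is a deliberate choice. A one-line header before the first `---`, `# Git-managed bootstrap users for Passmower; membership in k-space:onboarding grants admin (see passmower/values.yaml admin_group)`, would record both facts.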

115
passmower/values.yaml Normal file

@ -0,0 +1,115 @@
nameOverride: ""
fullnameOverride: ""
passmower:
# Hostname on which Passmower will be deployed to. Will be used as ingress host.
host: "auth.k-space.ee"
# Local groups will be created with given prefix.
group_prefix: 'k-space'
# Local or remote group which members will automatically become admins.
admin_group: 'k-space:onboarding'
# If set, require all users to be member of the given local or remote group.
# required_group: ""
# GitHub organization to pull groups from. Set to keep users other organizations private from Passmower.
github_organization: "codemowers"
# Allow enrolling new users automatically. Actual access will be based on required_group parameter. Disable to only manually provision users.
enroll_users: false
# Comma-separated, wildcard enabled namespace selector to select, in which namespaces Passmower looks for client CRDs.
namespace_selector: "*"
# Domain which will be preferred for determining primary emails.
preferred_email_domain: 'k-space.ee'
# Require users to set a custom username instead of system generated one. Will be used as OIDCUser CRD name and OIDC username claim.
require_custom_username: true
# Normalize incoming email addresses by removing aliases (e.g. username+alias@gmail.com) etc.
normalize_email_addresses: true
# Email credentials secret name. Secret must contain EMAIL_HOST, EMAIL_PASSWORD, EMAIL_PORT, EMAIL_SSL and EMAIL_USERNAME
email_credentials_secretRef: "email-credentials"
# GitHub OAuth client secret name. Secret must contain GH_CLIENT_ID and GH_CLIENT_SECRET
github_client_secretRef: "github-client"
# Slack API client secret name. Secret must contain SLACK_TOKEN
slack_client_secretRef: "slack-client"
# Different texts displayed and sent to the user
texts:
approval:
configMapRef:
name: passmower-approval
emails:
configMapRef:
name: passmower-email-templates
terms_of_service:
configMapRef:
name: passmower-tos
redis:
# Requires the Codemowers redis-operator to be installed: https://github.com/codemowers/operatorlib/tree/main/samples/redis-operator
redisClaim:
enabled: false
spec:
capacity: 100Mi
class: ephemeral
# Deploys a simple, non persistent Redis deployment.
internal:
enabled: false
# Use your own implementation - just provide a secret with a valid Redis URL.
external:
enabled: true
secretKeyRef:
name: "dragonfly-auth"
key: "REDIS_URI"
service:
type: ClusterIP
port: 80
ingress:
className: ""
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
- hosts:
- "*.k-space.ee"
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
image:
repository: passmower/passmower
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "develop"
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
replicaCount: 1
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
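Review bot: `tag: "develop"` together with `pullPolicy: Always` under `image:` makes the identity provider re-pull whatever the mutable `develop` tag currently points at on every pod start, so the deployment is neither reproducible nor reviewed before it goes live; pin it, e.g. `tag: "<pinned-release-tag>"`, and treat version bumps as ordinary commits. `securityContext: {}` leaves the hardening the chart already sketches in comments (`runAsNonRoot`, dropping `ALL` capabilities, `readOnlyRootFilesystem`) switched off for the identity provider; enabling that commented block is the cheapest defence-in-depth here, provided the image runs as non-root. `github_organization: "codemowers"` sits next to `group_prefix: 'k-space'` and reads like the chart default left in place — confirm it is the organization k-space actually wants groups pulled from, since the comment above it says this value decides which organization is visible to Passmower. Quoting is mixed (`"auth.k-space.ee"` vs `'k-space'`); one style throughout would make future diffs cleaner.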


@ -1,6 +1,6 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: voron
spec:
@ -33,7 +33,7 @@ metadata:
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-voron@kubernetescrd
traefik.ingress.kubernetes.io/router.middlewares: passmower-voron@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:


@ -35,8 +35,8 @@ spec:
port: 8081
targetPort: 8081
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: pgweb
spec:


@ -13,8 +13,8 @@ spec:
port: 9100
targetPort: 9100
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: dashboard
spec:


@ -45,8 +45,9 @@ ingressRoute:
domain: traefik.k-space.ee
matchRule: Host(`traefik.k-space.ee`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
entryPoints: ["websecure"]
#middlewares:
# - name: "sso"
middlewares:
- name: "dashboard"
- name: "dashboard-redirect"
tlsOptions:
default:
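Review bot: The new `middlewares` list references `dashboard` and `dashboard-redirect` by name only, and nothing in this hunk says where they come from; `dashboard` is presumably the Traefik Middleware generated from the `OIDCMiddlewareClient` named `dashboard` elsewhere in this commit, while `dashboard-redirect` does not appear in the diff at all, so confirm both objects exist in this chart's namespace before the router is reconciled. As far as I recall Traefik marks a router whose middleware cannot be resolved as errored instead of serving it unprotected, so a missing object would show up as a dark dashboard plus a log line rather than an open `/api` — verify that rather than rely on it. A comment above `middlewares:` such as `# SSO for /api and /dashboard: both Middlewares must exist in this namespace (dashboard = Passmower OIDCMiddlewareClient; dashboard-redirect = <where it is defined>)` would record the dependency. The enclosing `ingressRoute` mapping starts before this hunk.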


@ -7,8 +7,8 @@ spec:
class: ephemeral
capacity: 100Mi
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: webmail
spec:


@ -1,18 +1,4 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
name: woodpecker
spec:
displayName: Woodpecker CI
uri: https://woodpecker.k-space.ee/
redirectUris: []
allowedGroups:
- k-space:floor
grantTypes: []
responseTypes: []
availableScopes: []
---
apiVersion: v1
kind: Service
metadata: