From 2e77813162667f9da297305acbd739aff0a8d4f6 Mon Sep 17 00:00:00 2001 From: Erki Aas Date: Sat, 27 Jul 2024 03:15:41 +0300 Subject: [PATCH] migrate to new passmower --- argocd/application-extras.yml | 4 +- argocd/values.yaml | 2 +- camtiler/ingress.yml | 4 +- freescout/application.yml | 80 ++- kubernetes-dashboard/application.yml | 18 +- logmower/application.yml | 4 +- longhorn-system/application-extras.yml | 4 +- monitoring/prometheus.yaml | 8 +- mysql-clusters/phpmyadmin.yaml | 4 +- nextcloud/application.yaml | 16 +- passmower/README.md | 3 + passmower/application.yaml | 669 +++++++++++++++++++++++ passmower/dragonfly.yaml | 34 ++ {oidc-gateway => passmower}/proxmox.yaml | 18 +- {oidc-gateway => passmower}/prusa.yaml | 6 +- passmower/texts.yml | 180 ++++++ passmower/users.yaml | 92 ++++ passmower/values.yaml | 115 ++++ {oidc-gateway => passmower}/voron.yaml | 6 +- postgres-clusters/pgweb.yaml | 4 +- traefik/application-extras.yml | 4 +- traefik/values.yml | 5 +- wildduck/webmail.yaml | 4 +- woodpecker/woodpecker-server.yml | 14 - 24 files changed, 1230 insertions(+), 68 deletions(-) create mode 100644 passmower/README.md create mode 100644 passmower/application.yaml create mode 100644 passmower/dragonfly.yaml rename {oidc-gateway => passmower}/proxmox.yaml (90%) rename {oidc-gateway => passmower}/prusa.yaml (86%) create mode 100644 passmower/texts.yml create mode 100644 passmower/users.yaml create mode 100644 passmower/values.yaml rename {oidc-gateway => passmower}/voron.yaml (86%) diff --git a/argocd/application-extras.yml b/argocd/application-extras.yml index 409f50a..aa25138 100644 --- a/argocd/application-extras.yml +++ b/argocd/application-extras.yml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient metadata: name: argocd namespace: argocd diff --git a/argocd/values.yaml b/argocd/values.yaml index c5a2ed3..9b632e3 100644 --- a/argocd/values.yaml +++ b/argocd/values.yaml 
@@ -84,7 +84,7 @@ configs: oidc.config: | name: OpenID Connect - issuer: https://auth2.k-space.ee/ + issuer: https://auth.k-space.ee/ clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET diff --git a/camtiler/ingress.yml b/camtiler/ingress.yml index 6575150..1ccf059 100644 --- a/camtiler/ingress.yml +++ b/camtiler/ingress.yml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: sso spec: diff --git a/freescout/application.yml b/freescout/application.yml index c2caf69..9735959 100644 --- a/freescout/application.yml +++ b/freescout/application.yml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: freescout spec: @@ -14,8 +14,8 @@ spec: name: Remote-Name user: Remote-User --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient metadata: name: freescout spec: 
@@ -34,11 +34,77 @@ spec: - openid - profile pkce: false + secretRefreshPod: + apiVersion: v1 + kind: Pod + spec: + volumes: + - name: tmp + emptyDir: {} + initContainers: + - name: jq + image: >- + alpine/k8s:1.24.16@sha256:06f8942d87fa17b40795bb9a8eff029a9be3fc3c9bcc13d62071de4cc3324153 + command: + - /bin/bash + - '-c' + - >- + rm -fv /tmp/update.sql; jq + '{"name":"oauth.client_id","value":$ENV.OIDC_CLIENT_ID} | "UPDATE + options SET value=\(.value|tostring|@sh) WHERE + name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq + '{"name":"oauth.client_secret","value":$ENV.OIDC_CLIENT_SECRET} | + "UPDATE options SET value=\(.value|tostring|@sh) WHERE + name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq + '{"name":"oauth.auth_url","value":$ENV.OIDC_IDP_AUTH_URI} | + "UPDATE options SET value=\(.value + "?scope=openid+profile" + |tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r + >> /tmp/update.sql; jq + '{"name":"oauth.token_url","value":$ENV.OIDC_IDP_TOKEN_URI} | + "UPDATE options SET value=\(.value|tostring|@sh) WHERE + name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; jq + '{"name":"oauth.user_url","value":$ENV.OIDC_IDP_USERINFO_URI} + | "UPDATE options SET value=\(.value|tostring|@sh) WHERE + name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql; + cat /tmp/update.sql + envFrom: + - secretRef: + name: oidc-client-freescout-owner-secrets + resources: {} + volumeMounts: + - name: tmp + mountPath: /tmp + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + imagePullPolicy: IfNotPresent + containers: + - name: mysql + image: mysql + command: + - /bin/bash + - '-c' + - >- + mysql -u kspace_freescout kspace_freescout -h 172.20.36.1 + -p${MYSQL_PWD} < /tmp/update.sql + env: + - name: MYSQL_PWD + valueFrom: + secretKeyRef: + name: freescout-secrets + key: DB_PASS + resources: {} + volumeMounts: + - name: tmp + mountPath: /tmp + terminationMessagePath: /dev/termination-log + 
terminationMessagePolicy: File + imagePullPolicy: IfNotPresent + restartPolicy: OnFailure --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: oidc-gateway + name: freescout annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure @@ -92,7 +158,7 @@ spec: spec: containers: - name: freescout - image: harbor.k-space.ee/k-space/freescout@sha256:de1a6c8bd1f285f6f6c61aa48921a884fe7a1496655b31c9536805397c01ee58 + image: harbor.k-space.ee/k-space/freescout ports: - containerPort: 8080 env: @@ -153,7 +219,7 @@ spec: spec: containers: - name: freescout-cron - image: harbor.k-space.ee/k-space/freescout@sha256:de1a6c8bd1f285f6f6c61aa48921a884fe7a1496655b31c9536805397c01ee58 + image: harbor.k-space.ee/k-space/freescout imagePullPolicy: Always command: - php diff --git a/kubernetes-dashboard/application.yml b/kubernetes-dashboard/application.yml index 8021881..4510529 100644 --- a/kubernetes-dashboard/application.yml +++ b/kubernetes-dashboard/application.yml @@ -272,7 +272,7 @@ metadata: external-dns.alpha.kubernetes.io/target: traefik.k-space.ee kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: kubernetes-dashboard-sso@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" spec: rules: @@ -289,3 +289,19 @@ spec: tls: - hosts: - "*.k-space.ee" +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient +metadata: + name: sso +spec: + displayName: Kubernetes dashboard + uri: 'https://dashboard.k-space.ee' + allowedGroups: + - k-space:kubernetes:developers + - k-space:kubernetes:admins + headerMapping: + email: Remote-Email + groups: Remote-Groups + name: Remote-Name + user: Remote-Username diff --git a/logmower/application.yml b/logmower/application.yml index f386932..86469be 100644 --- a/logmower/application.yml 
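Review bot: The init container's closing `cat /tmp/update.sql` prints the rendered UPDATE statements — including the `oauth.client_secret` value taken from `OIDC_CLIENT_SECRET` — into the container log, so anyone with `pods/log` access in the freescout namespace can read the live OIDC client secret. Replace it with a check that does not echo the contents, e.g. `wc -l /tmp/update.sql`. In the mysql container `-p${MYSQL_PWD}` is redundant (the mysql client already reads `MYSQL_PWD` from the environment) and it puts the database password into the process argv, so the invocation can simply be `mysql -u kspace_freescout kspace_freescout -h 172.20.36.1 < /tmp/update.sql`. Note also that jq's `@sh` produces shell quoting (`'\''` for an embedded quote), not SQL quoting, so these statements stay correct only as long as the controller-generated values never contain a single quote, and `image: mysql` with no tag or digest pulls a mutable `latest`.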
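Review bot: The freescout and freescout-cron containers drop the `@sha256:de1a6c8b…` digest and now reference `harbor.k-space.ee/k-space/freescout` with no tag at all, i.e. a mutable `latest`, and the cron container additionally re-pulls on every restart (`imagePullPolicy: Always`). That turns an immutable, reviewable reference into "whatever was last pushed to Harbor" and lets the two containers silently diverge between restarts. If the goal is to pick up a newer build, re-pin to that build's digest, e.g. `image: harbor.k-space.ee/k-space/freescout@sha256:<new digest>`, so the upgrade is visible in git history.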
+++ b/logmower/application.yml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: frontend spec: diff --git a/longhorn-system/application-extras.yml b/longhorn-system/application-extras.yml index d675e92..d7f79e0 100644 --- a/longhorn-system/application-extras.yml +++ b/longhorn-system/application-extras.yml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: ui spec: diff --git a/monitoring/prometheus.yaml b/monitoring/prometheus.yaml index 5eb3fd4..a4d6cbf 100644 --- a/monitoring/prometheus.yaml +++ b/monitoring/prometheus.yaml @@ -455,8 +455,8 @@ spec: matchLabels: app.kubernetes.io/name: kubelet --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: prometheus spec: @@ -470,8 +470,8 @@ spec: name: Remote-Name user: Remote-Username --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: alertmanager spec: diff --git a/mysql-clusters/phpmyadmin.yaml b/mysql-clusters/phpmyadmin.yaml index 15178f3..6db7069 100644 --- a/mysql-clusters/phpmyadmin.yaml +++ b/mysql-clusters/phpmyadmin.yaml @@ -54,8 +54,8 @@ spec: configMap: name: phpmyadmin --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: phpmyadmin spec: diff --git a/nextcloud/application.yaml b/nextcloud/application.yaml index d07aeb7..2d8a220 100644 --- a/nextcloud/application.yaml +++ b/nextcloud/application.yaml 
@@ -17,8 +17,8 @@ spec: class: ephemeral capacity: 100Mi --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient metadata: name: nextcloud spec: @@ -86,16 +86,16 @@ spec: secretKeyRef: name: oidc-client-nextcloud-owner-secrets key: OIDC_CLIENT_SECRET - - name: OIDC_GATEWAY_AUTH_URI + - name: OIDC_IDP_AUTH_URI valueFrom: secretKeyRef: name: oidc-client-nextcloud-owner-secrets - key: OIDC_GATEWAY_AUTH_URI - - name: OIDC_GATEWAY_URI + key: OIDC_IDP_AUTH_URI + - name: OIDC_IDP_URI valueFrom: secretKeyRef: name: oidc-client-nextcloud-owner-secrets - key: OIDC_GATEWAY_URI + key: OIDC_IDP_URI - name: UPLOAD_LIMIT value: 10G - name: MYSQL_USER @@ -265,11 +265,11 @@ data: $CONFIG = array ( 'allow_user_to_change_display_name' => false, 'lost_password_link' => 'disabled', - 'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'), + 'oidc_login_provider_url' => getenv('OIDC_IDP_URI'), 'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'), 'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'), 'oidc_login_auto_redirect' => true, - 'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'), + 'oidc_login_logout_url' => getenv('OIDC_IDP_URI'), 'oidc_login_end_session_redirect' => false, 'oidc_login_default_quota' => '250000000000', 'oidc_login_button_text' => 'Log in with OpenID', diff --git a/passmower/README.md b/passmower/README.md new file mode 100644 index 0000000..7481460 --- /dev/null +++ b/passmower/README.md @@ -0,0 +1,3 @@ +``` +helm template --include-crds -n passmower passmower ../passmower/ -f passmower/values.yaml > passmower/application.yaml +``` \ No newline at end of file diff --git a/passmower/application.yaml b/passmower/application.yaml new file mode 100644 index 0000000..ea06630 --- /dev/null +++ b/passmower/application.yaml 
@@ -0,0 +1,669 @@ +--- +# Source: passmower/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: passmower + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm +--- +# Source: passmower/templates/texts.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: passmower-email-templates +data: + link.subject: "Passmower login link" + link.txt: "Open the following link to log in: <%= url %>" + link.ejs: "" + tos.subject: "Terms of Service agreement confirmation" + tos.txt: "" + tos.ejs: "" +--- +# Source: passmower/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: oidcusers.codemowers.cloud +spec: + group: codemowers.cloud + names: + plural: oidcusers + singular: oidcuser + kind: OIDCUser + listKind: OIDCUserList + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + github: + type: object + properties: + company: + type: string + email: + type: string + emails: + type: array + items: + type: object + properties: + email: + type: string + primary: + type: boolean + default: false + groups: + type: array + items: + type: object + properties: + name: + type: string + prefix: + type: string + enum: + - github.com + id: + type: integer + login: + type: string + name: + type: string + passmower: + type: object + properties: + company: + type: string + email: + type: string + groups: + type: array + items: + type: object + properties: + name: + type: string + prefix: + type: string + name: + type: string + slack: + type: object + properties: + id: + type: string + spec: + type: object + required: + - type + properties: + companyEmail: + type: string + email: + type: string + groups: + type: array + items: + type: object + properties: + 
name: + type: string + prefix: + type: string + type: + type: string + default: person + enum: + - person + - org + - service + - banned + - group + status: + type: object + properties: + conditions: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-embedded-resource: true + emails: + type: array + items: + type: string + groups: + type: array + items: + type: object + properties: + name: + type: string + prefix: + type: string + primaryEmail: + type: string + profile: + type: object + properties: + company: + type: string + name: + type: string + x-kubernetes-preserve-unknown-fields: true + slackId: + type: string + subresources: + status: {} + additionalPrinterColumns: + - name: Type + type: string + jsonPath: .spec.type + - name: Name + type: string + jsonPath: .status.profile.name + - name: Display e-mail + type: string + jsonPath: .status.primaryEmail + - name: Upstream IdP e-mail + type: string + jsonPath: .spec.github.emails[?(@.primary==true)].email + - name: GH ID + type: string + jsonPath: .spec.github.id + - name: Groups + type: string + jsonPath: .status.groups + conversion: + strategy: None +--- +# Source: passmower/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: oidcclients.codemowers.cloud +spec: + group: codemowers.cloud + names: + plural: oidcclients + singular: oidcclient + kind: OIDCClient + listKind: OIDCClientList + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - redirectUris + - grantTypes + - responseTypes + properties: + allowedCORSOrigins: + type: array + items: + type: string + allowedGroups: + type: array + items: + type: string + availableScopes: + type: array + default: + - openid + items: + type: string + enum: + - openid + - profile + - offline_access + displayName: + type: string + 
grantTypes: + type: array + items: + type: string + enum: + - implicit + - authorization_code + - refresh_token + idTokenSignedResponseAlg: + type: string + enum: + - PS256 + - RS256 + - ES256 + overrideIncomingScopes: + type: boolean + default: false + pkce: + type: boolean + default: true + redirectUris: + type: array + items: + type: string + responseTypes: + type: array + items: + type: string + enum: + - code id_token + - code + - id_token + - none + secretMetadata: + type: object + properties: + annotations: + type: object + x-kubernetes-preserve-unknown-fields: true + labels: + type: object + x-kubernetes-preserve-unknown-fields: true + secretRefreshPod: + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-embedded-resource: true + tokenEndpointAuthMethod: + type: string + enum: + - client_secret_basic + - client_secret_jwt + - client_secret_post + - private_key_jwt + - none + uri: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-embedded-resource: true + instance: + type: string + subresources: + status: {} + additionalPrinterColumns: + - name: Instance + type: string + description: Passmower deployment which manages this client + jsonPath: .status.instance + - name: Uris + type: string + description: Redirect URLs configured for this client + jsonPath: .spec.redirectUris + - name: Allowed groups + type: string + description: Groups allowed to this client + jsonPath: .spec.allowedGroups + conversion: + strategy: None +--- +# Source: passmower/templates/crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: oidcmiddlewareclients.codemowers.cloud +spec: + group: codemowers.cloud + names: + plural: oidcmiddlewareclients + singular: oidcmiddlewareclient + kind: OIDCMiddlewareClient + listKind: OIDCMiddlewareClientList + scope: Namespaced + versions: + - name: v1beta1 + served: true 
+ storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + allowedGroups: + type: array + items: + type: string + displayName: + type: string + headerMapping: + type: object + default: + email: Remote-Email + groups: Remote-Groups + name: Remote-Name + user: Remote-User + properties: + email: + type: string + groups: + type: string + name: + type: string + user: + type: string + uri: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-embedded-resource: true + instance: + type: string + subresources: + status: {} + additionalPrinterColumns: + - name: Instance + type: string + description: Passmower deployment which manages this client + jsonPath: .status.instance + - name: Uri + type: string + description: URL configured for this client + jsonPath: .spec.uri + - name: Allowed groups + type: string + description: Groups allowed to this client + jsonPath: .spec.allowedGroups + conversion: + strategy: None +--- +# Source: passmower/templates/serviceaccount.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: passmower + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm +rules: + - verbs: + - get + - list + - watch + - create + - update + - patch + apiGroups: + - codemowers.cloud + resources: + - oidcusers + - oidcusers/status + - oidcclients + - oidcclients/status + - oidcmiddlewareclients + - oidcmiddlewareclients/status + - verbs: + - get + - create + - patch + - delete + apiGroups: + - '' + resources: + - secrets + - verbs: + - create + apiGroups: + - '' + resources: + - pods + - verbs: + - get + - create + - update + - patch + - delete + apiGroups: + - traefik.io + resources: + - middlewares +--- +# Source: 
passmower/templates/serviceaccount.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: passmower + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: passmower + namespace: passmower +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: passmower +--- +# Source: passmower/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: passmower + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower +--- +# Source: passmower/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: passmower + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + template: + metadata: + labels: + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + spec: + serviceAccountName: passmower + securityContext: + {} + containers: + - name: passmower + securityContext: + {} + image: "passmower/passmower:develop" + imagePullPolicy: Always + ports: + - containerPort: 3000 + name: http + - containerPort: 9090 + name: metrics + env: + - name: ISSUER_URL + value: https://auth.k-space.ee/ + - name: DEPLOYMENT_NAME + value: passmower + - name: GROUP_PREFIX + value: "k-space" + - name: ADMIN_GROUP + value: "k-space:onboarding" 
+ - name: REQUIRED_GROUP + value: "github.com:foo:bar" + - name: GITHUB_ORGANIZATION + value: "codemowers" + - name: ENROLL_USERS + value: "false" + - name: NAMESPACE_SELECTOR + value: "*" + - name: PREFERRED_EMAIL_DOMAIN + value: "k-space.ee" + - name: REQUIRE_CUSTOM_USERNAME + value: "true" + - name: NORMALIZE_EMAIL_ADDRESSES + value: "true" + - name: REDIS_URI + valueFrom: + secretKeyRef: + name: dragonfly-auth + key: REDIS_URI + envFrom: + - secretRef: + name: oidc-keys + - secretRef: + name: email-credentials + - secretRef: + name: github-client + - secretRef: + name: slack-client + readinessProbe: + httpGet: + path: /.well-known/openid-configuration + port: 3000 + httpHeaders: + - name: x-forwarded-for # suppress oidc-provider warning + value: https://auth.k-space.ee/ + - name: x-forwarded-proto # suppress oidc-provider warning + value: https + livenessProbe: + httpGet: + path: /.well-known/openid-configuration + port: 3000 + httpHeaders: + - name: x-forwarded-for # suppress oidc-provider warning + value: https://auth.k-space.ee/ + - name: x-forwarded-proto # suppress oidc-provider warning + value: https + initialDelaySeconds: 5 + periodSeconds: 1 + volumeMounts: + - mountPath: /app/tos + name: tos + - mountPath: /app/approval + name: approval + - mountPath: /app/src/views/custom/emails + name: email-templates + resources: + {} + volumes: + - name: tos + configMap: + name: passmower-tos + - name: approval + configMap: + name: passmower-approval + - name: email-templates + configMap: + name: passmower-email-templates +--- +# Source: passmower/templates/deployment.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: passmower-key-manager + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm +spec: + template: + spec: + serviceAccountName: passmower + containers: + - name: oidc-key-manager + image: 
"passmower/passmower:develop" + command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ] + restartPolicy: Never +--- +# Source: passmower/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: passmower + labels: + helm.sh/chart: passmower-0.1.0 + app.kubernetes.io/name: passmower + app.kubernetes.io/instance: passmower + app.kubernetes.io/version: "0.1.0" + app.kubernetes.io/managed-by: Helm + annotations: + external-dns.alpha.kubernetes.io/target: traefik.k-space.ee + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" +spec: + tls: + - hosts: + - "*.k-space.ee" + secretName: + rules: + - host: "auth.k-space.ee" + http: + paths: + - path: "/" + pathType: Prefix + backend: + service: + name: passmower + port: + number: 80 diff --git a/passmower/dragonfly.yaml b/passmower/dragonfly.yaml new file mode 100644 index 0000000..607b93e --- /dev/null +++ b/passmower/dragonfly.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: codemowers.cloud/v1beta1 +kind: SecretClaim +metadata: + name: dragonfly-auth + namespace: passmower +spec: + size: 32 + mapping: + - key: password + value: "%(plaintext)s" + - key: REDIS_URI + value: "redis://:%(plaintext)s@redis" +--- +apiVersion: dragonflydb.io/v1alpha1 +kind: Dragonfly +metadata: + name: redis + namespace: passmower +status: + phase: ready +spec: + authentication: + passwordFromSecret: + key: password + name: dragonfly-auth + replicas: 3 + resources: + limits: + cpu: 600m + memory: 750Mi + requests: + cpu: 500m + memory: 500Mi diff --git a/oidc-gateway/proxmox.yaml b/passmower/proxmox.yaml similarity index 90% rename from oidc-gateway/proxmox.yaml rename to passmower/proxmox.yaml index d11554d..29ed867 100644 --- a/oidc-gateway/proxmox.yaml +++ b/passmower/proxmox.yaml 
@@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: proxmox spec: @@ -10,8 +10,8 @@ spec: - k-space:floor - k-space:friends --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCClient metadata: name: proxmox spec: @@ -95,7 +95,7 @@ kind: Service metadata: name: pve1 annotations: - traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd + traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd spec: type: ExternalName externalName: pve1.proxmox.infra.k-space.ee @@ -109,7 +109,7 @@ kind: Service metadata: name: pve8 annotations: - traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd + traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd spec: type: ExternalName externalName: pve8.proxmox.infra.k-space.ee @@ -123,7 +123,7 @@ kind: Service metadata: name: pve9 annotations: - traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd + traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd spec: type: ExternalName externalName: pve9.proxmox.infra.k-space.ee @@ -140,7 +140,7 @@ metadata: kubernetes.io/ingress.class: traefik external-dns.alpha.kubernetes.io/target: traefik.k-space.ee traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-proxmox@kubernetescrd,oidc-gateway-proxmox-redirect@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd,passmower-proxmox-redirect@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" spec: rules: 
@@ -200,7 +200,7 @@ metadata: kubernetes.io/ingress.class: traefik external-dns.alpha.kubernetes.io/target: traefik.k-space.ee traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-codemowers-cloud-ip-whitelist@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: passmower-codemowers-cloud-ip-whitelist@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" spec: rules: diff --git a/oidc-gateway/prusa.yaml b/passmower/prusa.yaml similarity index 86% rename from oidc-gateway/prusa.yaml rename to passmower/prusa.yaml index 5a650ab..e5e33be 100644 --- a/oidc-gateway/prusa.yaml +++ b/passmower/prusa.yaml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: prusa spec: @@ -33,7 +33,7 @@ metadata: annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-prusa@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: passmower-prusa@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" external-dns.alpha.kubernetes.io/target: traefik.k-space.ee spec: diff --git a/passmower/texts.yml b/passmower/texts.yml new file mode 100644 index 0000000..5ee65fc --- /dev/null +++ b/passmower/texts.yml 
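Review bot: The router annotation is rewritten to `passmower-codemowers-cloud-ip-whitelist@kubernetescrd`, i.e. a Traefik `Middleware` named `codemowers-cloud-ip-whitelist` in the `passmower` namespace, but nothing in this commit moves or creates that Middleware — only proxmox.yaml, prusa.yaml and voron.yaml are renamed out of `oidc-gateway/`. If the whitelist still lives in the `oidc-gateway` namespace, Traefik will refuse the router for an unresolvable middleware and this Proxmox ingress stops serving: fail-closed, but silent. Please confirm where the IP whitelist is defined, or keep the reference pointing at its actual namespace until it is moved.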
@@ -0,0 +1,180 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: passmower-tos +data: + tos.md: | + Rules + + Also known as code of conduct, guidelines, member vows, values etc. Please keep em' on one wiki page. Canonical URL shall be [k-space.ee/rules](http://k-space.ee/rules) which will redirect to right wiki page. + + These rules were approved 30. October 2020. Current version contains minor corrections. For future amendments of the rules please put your ideas and thoughts into [pad.k-space.ee/p/rules](https://pad.k-space.ee/p/rules), they will be taken into account during next General Assembly. + + Upon becoming a member I solemny swear that + + 1. **Who's who** + - I acknowledge the management of the hackerspace is governed by K-SPACE MTÜ (non-profit organization), it's [charter](/pohikiri_80397632_716212.pdf) and [Non-profit Associations Act](https://www.riigiteataja.ee/en/eli/528052020003/consolide) + - I acknowledge there are different membership forms listed under [membership#packages](/about/membership#packages) which can be largely broken down to affiliates (Regulars, Associates, Residents) who are at the hackerspace to make use of some services and members who are more involved in making the hackerspace happen. + - I acknowledge that in order to participate in the K-SPACE MTÜ management processes I need to obtain the [Member Tier](/about/membership#member-tier) status, note that this is different from the 'Member package' which was renamed to 'Associate tier' in October of 2020 in order to clarify what member of an non-profit association means. + - Among the ['Member Tier'](https://members.k-space.ee/?filter=resident-member&filter=associate-member) people the board is elected which represents K-SPACE MTÜ in legal matters such as getting bills paid, signing rental contracts and so forth. Currently board members include Erki Naumanis only. Bearing the responsibility also means that board has the final word in many cases. 
+ - I acknowledge K-SPACE MTÜ is renting rooms from SA Tallinna Teaduspark Tehnopol. The rental agreement imposes numerous conditions and constraints due to safety reasons. Eg corridors must be kept accessible and free of flammable materials. + + 1. **Stay positive.** + - I will set up a recurring payment (püsikorraldus) or pay up front in bulk. + - I will not go in debt. + - I acknowledge failing to pay membership fees for 2 months results in door access cancellation. + - I will mark my payments clearly and consistenly with my full name, so the payments can be automatically procesed. + + 1. **Clarity not obscurity.** + - I will mark my equipment, server, locker, desk with my full name, phone number and e-mail. + - I acknowledge that my unlabelled stuff will be unplugged. + - Before asking questions I will familiarize myself [how to ask questions](https://www.khanacademy.org/computing/computer-programming/programming/becoming-a-community-coder/a/ask-for-program-help) and provide enough details. + + 1. **Communication is vital** + - I will proactively communicate need to cancel or pause my subscription, e.g. in case of being unable to pay. + - Upon leaving I will vacate the locker and return any keys given to me. + - I acknowledge Slack is primary communications platform for K-SPACE MTÜ. This is mainly due to wanting to have a way to communicate even if all the selfhosted infra is down. I will request access to the channel from any of the onboarders. I will not complain about being left out of the loop about changes etc if I am not on the #members channel. + + 1. **Access controls** + + - I acknowledge primary method of accessing the floor is by using some of my own NFC cards (eg green Ühiskaart) or keyfobs. + - I will get my token registered in the door system of the day. To be on the safe side I will register multiple cards and/or keyfobs. 
+ - I acknowledge Slack bot for opening the doors supplements the primary one, eg I can get in if I have forgot my card at home. + - I acknowledge that when it comes to security of doorcards it's nonexistant. I will not make copies of my card or distribute it's unique identifier sequence. + + 1. **Treat as your own -- with care** + - I will do my best to take care of the equipment and the space. + - I acknowledge that I must turn off the lights and leave windows in microventilation mode when I am the last one to leave. + - In case of equiment breakage I will notify info@k-space.ee immediately for resolution options. Any K-SPACE MTÜ owned equiment replacements must be purchased by K-SPACE MTÜ, see below under 'Regarding the toys' why. + - Upon losing (physical metal) key I will compensate 10EUR to K-SPACE MTÜ for it + + 1. **Contributions are welcome** + - I acknowledge that my immaterial contributions (e.g. building something for the hackerspace or helping others) doesn't compensate my membership fees. The only discount option is the 'Student discount'. Flexing with your contributions on your CV is OK. + - Before bringing any items for donation I will consult with a board member. K-SPACE is not my free (e-)junk disposal station. + - Donations don't compensate for my membership fees. K-SPACE MTÜ still needs to pay rent and electricity bills. + + 1. **Underpromise, overdeliver** + - I acknowledge there are many fun activities I want to be part of. + - I acknowledge I have obligations elsewhere as well (eg school, work, family). + - I will do my best to fulfill what I have promised to other members. + - I will rather say no in first place than say yes and fail to fulfill the promise. + - I will let the relying party know as soon as possible if I am not able to handle something I promised to do. + + 1. **Regarding the toys** + - I acknowledge I can bring my own equipment to hackerspace for common use. I acknowledge many others already do that. 
Lasercutter, CNC cutter, and many power tools are not owned by K-SPACE MTÜ. I take extra care of other members' equipment and before making use of them request training from the machine owner. + - I agree not to utilise any tool or piece of equipment unless I am competent in its use (and have completed induction/training where necessary) or are under the direct supervision of a competent user. + - I agree that the space is a potentially dangerous environment and that I may be exposed to various risks as a result of work undertaken by me or others. Notwithstanding all reasonable attempts by K-Space to ensure the safety of me and others, I agree to the full extent permitted by law to assume complete responsibility for my own actions and their consequences. + - If I think some new equipment would be useful for the space to be purchased by K-SPACE MTÜ I will make a suggestion to K-SPACE MTÜ board via board@k-space.ee. + - If I want to build something for the hackerspace I will consult with a board member for the compensation of materials. + - I acknowledge that my membership fees contribute towards refreshing equipment in common use, that is soldering irons, switches in server room etc. + - Purchases related to the hackerspace must be made by K-SPACE MTÜ. + - This is the clearest option from accounting perspective. + - It's also important that so any warranty, receipts and other documents would be correctly assigned to K-SPACE MTÜ and usable should you give up your membership at some point. + - Preferred option is to ask for proforma invoice for K-SPACE MTÜ, Akadeemia tee 21/1 and send it to info@k-space.ee - the payment will be executed by a board member. + - In case of Internet shops ask for the credit card from a board member. + + + 1. 
**No borrowing or lending equipment** + + - I acknowledge that equipment provided by K-SPACE MTÜ or it's members is for on-prem use only + - I will not take any of the equipment with me + - Only exception to this is workshops happening outside (eg visiting Robotex, Lapikud, IT College etc) + - I will notify info@k-space.ee about what I am going to take with me and why + - I will return equipment immediately after the event + - I acknowledge that this rule is due to numerous occasions people forgetting to return borrowed stuff + + 1. **Sharing is caring** + - I acknowledge that flexidesks also known as hot desks (8 desks in the middle of big room with projector) are to be cleaned by the end of the day. + - Sometimes exprompt events are scheduled in the room - I will not leave my stuff on flexidesks over night. If I come in often I can leave my screen and keyboard on one of the desks near the window. + - I acknowledge that for more persistent setup I should really switch to resident tier + + 1. **Being Mindful** + - While being active in the hackerspace I will make sure that my activites are not disturbing others, my activites are not causing exess financial drain on the K-SPACE MTÜ. + - Wearing earphones is generally sign of working on something and not wanting to be interrupted. + - I will act frugal. For example running additional servers without paying or running Bitcoin miner on the expense of K-SPACE MTÜ is NOT okay. + - Causing interruptions in the server room operation during working hours is NOT okay. Designated timeslot for disruptive changes is Thursday 19:00 until Friday 6:00. I recognize that occasionally hardware fails and non-disruptive changes might turn into disruptive outside that timeslot. + - I will not smoke inside the hackerspace rooms. I will exit the building for a cigarette. + + 1. **Striving for improvement*** + - I acknowledge that hackerspace is a vague term ranging from anarchocommunist potsmoking to fullblown commercial operation. 
+ - I will do my best to educate myself about hackerspace and makerspace scene in general and I will not indulge in flamewars. + + 1. **Lock and stock** + - I acknowledge one locker is available for me for no charge with supporter and member tiers. + - I acknowledge that if would switch to resident tier I would be not eligible for a free locker as I would already have whole desk for my stuff + - I acknowledge additional lockers are available for 10EUR per month. + + 1. **Run the jewels** + - I will not make use of a blade server without legit reason, eg running hypervisor host. For single web application obtain VM from our Proxmox cluster. + - I will shut down machine not in use and I will make sure it stays shut. It's recurring issue that servers that have been shut down are discovered powered on again, eg in BIOS make sure it says 'last state' not 'always on' or even better disconnect power. + + 1. **Community FTW!** + - I acknowledge that people who take time to deal with me are not paid, they do it voluntarily off their free time for sh\*ts and giggles. + - They still pay membership fees. + - I will treat them and their time with respect. + - I will not become a burden for them. + - I acknowledge rules above are not exhaustive. + - I will do my best to act in good faith and not try to work around the rules. + - I accept that there will always be certain amount chaos at the hackerspace. + + **Disclaimer**: Lauri (K-SPACE founder) believes that: + * a) we can have a hackerspace that is not utter chaos + * b) that is financially in order + * c) offers friendly/flexible pricing for students + * d) keeps doors open for companies and startups + * e) allows reasonable buffer for experimentation. 
+ Lauri's favourite example hackerspaces include [AFRA](https://wiki.hackerspaces.org/AFRA) and [Raumfahrtagentur](https://wiki.hackerspaces.org/Raumfahrtagentur) +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: passmower-approval +data: + approval.txt: | + Dear User, + + Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee + + Also see https://www.k-space.ee/ + + Best regards, K-Space MTÜ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: passmower-email-templates +data: + tos.txt: | + Hi, <%= name %>! + + You agreed with the Terms of Service at <%= timestamp %> + + Content SHA256 hash: <%= hash %> + + Best regards, + K-Space MTÜ + tos.ejs: | +
+

Hi, <%= name %>!

+

You agreed with the following Terms of Service at <%= timestamp %>

+

Content SHA256 hash: <%= hash %>

+
+ <%- content -%> +
+

Best regards,
K-Space MTÜ

+
+ tos.subject: | + Terms of Service agreement confirmation + link.txt: | + Open the following link to log in: <%= url %> + + Best regards, + K-Space MTÜ + link.ejs: | +
+

Open the following link to log in: <%= url %>

+

Best regards,
K-Space MTÜ

+
+ link.subject: | + auth2.k-space.ee login link diff --git a/passmower/users.yaml b/passmower/users.yaml new file mode 100644 index 0000000..2046434 --- /dev/null +++ b/passmower/users.yaml @@ -0,0 +1,92 @@ +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCUser +metadata: + name: eaas +spec: + type: person + email: erkiaas@gmail.com + companyEmail: eaas@k-space.ee + groups: + - name: floor + prefix: k-space + - name: proxmox:admins + prefix: k-space + - name: kubernetes:admins + prefix: k-space + - name: onboarding + prefix: k-space + - name: youtube + prefix: k-space + - name: gitlab + prefix: k-space + - name: legalmember + prefix: k-space + - name: matomo + prefix: k-space +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCUser +metadata: + name: lauri +spec: + type: person + email: lauri.vosandi@gmail.com + companyEmail: lauri@k-space.ee + groups: + - name: board + prefix: k-space + - name: info + prefix: k-space + - name: workshop + prefix: k-space + - name: floor + prefix: k-space + - name: kubernetes:admins + prefix: k-space + - name: proxmox:admins + prefix: k-space + - name: youtube + prefix: k-space + - name: facebook + prefix: k-space + - name: instagram + prefix: k-space + - name: gitlab + prefix: k-space + - name: legalmember + prefix: k-space + - name: onboarding + prefix: k-space +--- +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCUser +metadata: + name: rasmus +spec: + type: person + email: github@c7.ee + companyEmail: rasmus@k-space.ee + groups: + - name: info + prefix: k-space + - name: onboarding + prefix: k-space + - name: workshop + prefix: k-space + - name: floor + prefix: k-space + - name: proxmox:admins + prefix: k-space + - name: kubernetes:developers + prefix: k-space + - name: kubernetes:admins + prefix: k-space + - name: instagram + prefix: k-space + - name: facebook + prefix: k-space + - name: youtube + prefix: k-space + - name: gitlab + prefix: k-space \ No newline at end of file 
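Review bot: `link.subject` still reads `auth2.k-space.ee login link` while this same commit sets `passmower.host: "auth.k-space.ee"` in passmower/values.yaml, so the login e-mails will name a host that the new deployment does not use; change it to `+    auth.k-space.ee login link`. `tos.txt` and `tos.ejs` report a `Content SHA256 hash` of the accepted terms, so the spelling errors in `tos.md` (`solemny`, `consistenly`, `procesed`, `equiment`, `nonexistant`) are worth fixing before the first acceptances, since any later edit presumably changes the hash users agreed to. `tos.ejs` emits `<%- content -%>` unescaped, which is fine while `content` is only ever this operator-controlled ConfigMap text; a comment above the template, `# content is the operator-controlled tos.md text, hence the unescaped <%- -%>`, would keep a future change from routing user-supplied text through the same slot.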
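Review bot: All three OIDCUser objects carry `- name: onboarding`, which passmower/values.yaml in this commit sets as `admin_group: 'k-space:onboarding'`, so each of these accounts becomes a Passmower administrator through a group whose name does not say so; a comment on that entry, `# k-space:onboarding is passmower.admin_group (values.yaml): grants IdP admin`, would make the privilege visible where it is granted. The same accounts also hold `kubernetes:admins` and `proxmox:admins`, so this file is effectively the cluster's root list and deserves a header comment saying that changes to it need a second reviewer. The file also ends without a trailing newline (`\ No newline at end of file`).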
diff --git a/passmower/values.yaml b/passmower/values.yaml
new file mode 100644
index 0000000..7942166
--- /dev/null
+++ b/passmower/values.yaml
@@ -0,0 +1,115 @@ +nameOverride: "" +fullnameOverride: "" + +passmower: + # Hostname on which Passmower will be deployed to. Will be used as ingress host. + host: "auth.k-space.ee" + # Local groups will be created with given prefix. + group_prefix: 'k-space' + # Local or remote group which members will automatically become admins. + admin_group: 'k-space:onboarding' + # If set, require all users to be member of the given local or remote group. + # required_group: "" + # GitHub organization to pull groups from. Set to keep users other organizations private from Passmower. + github_organization: "codemowers" + # Allow enrolling new users automatically. Actual access will be based on required_group parameter. Disable to only manually provision users. + enroll_users: false + # Comma-separated, wildcard enabled namespace selector to select, in which namespaces Passmower looks for client CRDs. + namespace_selector: "*" + # Domain which will be preferred for determining primary emails. + preferred_email_domain: 'k-space.ee' + # Require users to set a custom username instead of system generated one. Will be used as OIDCUser CRD name and OIDC username claim. + require_custom_username: true + # Normalize incoming email addresses by removing aliases (e.g. username+alias@gmail.com) etc. + normalize_email_addresses: true + # Email credentials secret name. Secret must contain EMAIL_HOST, EMAIL_PASSWORD, EMAIL_PORT, EMAIL_SSL and EMAIL_USERNAME + email_credentials_secretRef: "email-credentials" + # GitHub OAuth client secret name. Secret must contain GH_CLIENT_ID and GH_CLIENT_SECRET + github_client_secretRef: "github-client" + # Slack API client secret name. 
Secret must contain SLACK_TOKEN + slack_client_secretRef: "slack-client" + # Different texts displayed and sent to the user + texts: + approval: + configMapRef: + name: passmower-approval + emails: + configMapRef: + name: passmower-email-templates + terms_of_service: + configMapRef: + name: passmower-tos + +redis: + # Requires the Codemowers redis-operator to be installed: https://github.com/codemowers/operatorlib/tree/main/samples/redis-operator + redisClaim: + enabled: false + spec: + capacity: 100Mi + class: ephemeral + # Deploys a simple, non persistent Redis deployment. + internal: + enabled: false + # Use your own implementation - just provide a secret with a valid Redis URL. + external: + enabled: true + secretKeyRef: + name: "dragonfly-auth" + key: "REDIS_URI" + +service: + type: ClusterIP + port: 80 + +ingress: + className: "" + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns.alpha.kubernetes.io/target: traefik.k-space.ee + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + - hosts: + - "*.k-space.ee" + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +image: + repository: passmower/passmower + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. + tag: "develop" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +replicaCount: 1 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/oidc-gateway/voron.yaml b/passmower/voron.yaml similarity index 86% rename from oidc-gateway/voron.yaml rename to passmower/voron.yaml index 1b8c9c1..1596e4b 100644 --- a/oidc-gateway/voron.yaml +++ b/passmower/voron.yaml @@ -1,6 +1,6 @@ --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: voron spec: @@ -33,7 +33,7 @@ metadata: annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-voron@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: passmower-voron@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" external-dns.alpha.kubernetes.io/target: traefik.k-space.ee spec: diff --git a/postgres-clusters/pgweb.yaml b/postgres-clusters/pgweb.yaml index 99f7fdd..91ebaca 100644 --- a/postgres-clusters/pgweb.yaml +++ b/postgres-clusters/pgweb.yaml @@ -35,8 +35,8 @@ spec: port: 8081 targetPort: 8081 --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: pgweb spec: diff --git a/traefik/application-extras.yml b/traefik/application-extras.yml index c303447..8f06b87 100644 --- a/traefik/application-extras.yml +++ b/traefik/application-extras.yml @@ -13,8 +13,8 @@ spec: port: 9100 targetPort: 9100 --- -apiVersion: codemowers.io/v1alpha1 -kind: OIDCGWMiddlewareClient +apiVersion: codemowers.cloud/v1beta1 +kind: OIDCMiddlewareClient metadata: name: dashboard spec: diff --git a/traefik/values.yml b/traefik/values.yml index 4a884aa..8168bcc 100644 --- a/traefik/values.yml +++ b/traefik/values.yml 
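Review bot: `image.tag: "develop"` together with `pullPolicy: Always` deploys the identity provider from a moving tag, so every pod restart may pull a different, unreviewed build and a rollback is not reproducible; pin an immutable tag or digest here, e.g. `tag: "<PINNED_RELEASE_TAG>"`. The hardening under `securityContext` is entirely commented out and `podSecurityContext: {}` is empty, so the container runs with the image defaults; enabling at least `runAsNonRoot: true` and `capabilities.drop: [ALL]` is a worthwhile follow-up if the image supports it. `namespace_selector: "*"` makes Passmower honour OIDCClient and OIDCMiddlewareClient CRDs from every namespace, which appears intended for this cluster, but a comment stating that anyone who can create CRDs in any namespace can thereby register a client would document the trust boundary.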
@@ -45,8 +45,9 @@ ingressRoute:
 domain: traefik.k-space.ee
 matchRule: Host(`traefik.k-space.ee`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
 entryPoints: ["websecure"]
- #middlewares:
- # - name: "sso"
+ middlewares:
+ - name: "dashboard"
+ - name: "dashboard-redirect"
 tlsOptions:
 default:
diff --git a/wildduck/webmail.yaml b/wildduck/webmail.yaml
index 9c6339f..dc544db 100644
--- a/wildduck/webmail.yaml
+++ b/wildduck/webmail.yaml
@@ -7,8 +7,8 @@ spec:
 class: ephemeral
 capacity: 100Mi
 ---
-apiVersion: codemowers.io/v1alpha1
-kind: OIDCGWMiddlewareClient
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCMiddlewareClient
 metadata:
 name: webmail
 spec:
diff --git a/woodpecker/woodpecker-server.yml b/woodpecker/woodpecker-server.yml
index d67441c..56667cf 100644
--- a/woodpecker/woodpecker-server.yml
+++ b/woodpecker/woodpecker-server.yml
@@ -1,18 +1,4 @@
 ---
-apiVersion: codemowers.io/v1alpha1
-kind: OIDCGWClient
-metadata:
- name: woodpecker
-spec:
- displayName: Woodpecker CI
- uri: https://woodpecker.k-space.ee/
- redirectUris: []
- allowedGroups:
- - k-space:floor
- grantTypes: []
- responseTypes: []
- availableScopes: []
----
 apiVersion: v1
 kind: Service
 metadata:
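Review bot: The new `middlewares` entries are unqualified names, so Traefik resolves `dashboard` and `dashboard-redirect` in the IngressRoute's own namespace, and nothing in the hunk says where they come from; they appear to be the middlewares generated from the `dashboard` OIDCMiddlewareClient that traefik/application-extras.yml switches to `codemowers.cloud/v1beta1` in this commit, so a comment such as `# generated by the OIDCMiddlewareClient "dashboard" in application-extras.yml` would make that dependency explicit. Because the old `sso` reference was commented out, this hunk also seems to move the Traefik dashboard from no middleware at all to SSO-protected, which is a behaviour change worth stating in the commit message rather than leaving implicit under "migrate to new passmower". The surrounding `ingressRoute` mapping starts before and continues after the hunk.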