diff --git a/passmower/README.md b/passmower/README.md index 32c3f5f..69bb6d5 100644 --- a/passmower/README.md +++ b/passmower/README.md @@ -21,11 +21,10 @@ To add applications refer to the [official docs](https://github.com/passmower/pa For good examples refer to [Grafana](https://git.k-space.ee/k-space/kube/src/branch/master/grafana/application.yml) -# For administrators -Passmower was deployed with Helm chart: +# Deployment +With ArgoCD. Render it locally: -``` -echo "# Generated file, DO NOT EDIT!" > passmower/application.yaml -helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml >> passmower/application.yaml +```sh +kustomize build . --enable-helm ``` diff --git a/passmower/application.yaml b/passmower/application.yaml deleted file mode 100644 index 7b73c95..0000000 --- a/passmower/application.yaml +++ /dev/null 
@@ -1,691 +0,0 @@ -# Generated file, DO NOT EDIT! ---- -# Source: passmower/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: passmower - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm ---- -# Source: passmower/templates/texts.yaml ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: passmower-disable-frontend-edit -data: - disable_frontend_edit.md: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)" ---- -# Source: passmower/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: oidcusers.codemowers.cloud -spec: - group: codemowers.cloud - names: - plural: oidcusers - singular: oidcuser - kind: OIDCUser - listKind: OIDCUserList - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - github: - type: object - properties: - company: - type: string - email: - type: string - emails: - type: array - items: - type: object - properties: - email: - type: string - primary: - type: boolean - default: false - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - enum: - - github.com - id: - type: integer - login: - type: string - name: - type: string - passmower: - type: object - properties: - company: - type: string - email: - type: string - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - name: - type: string - slack: - type: object - properties: - id: - type: string - spec: - type: object - required: - - type - properties: - companyEmail: - type: string - 
email: - type: string - phones: - type: array - items: - type: string - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - type: - type: string - default: person - enum: - - person - - org - - service - - banned - - group - status: - type: object - properties: - conditions: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - emails: - type: array - items: - type: string - groups: - type: array - items: - type: object - properties: - name: - type: string - prefix: - type: string - primaryEmail: - type: string - profile: - type: object - properties: - company: - type: string - name: - type: string - phones: - type: array - items: - type: string - x-kubernetes-preserve-unknown-fields: true - slackId: - type: string - subresources: - status: {} - additionalPrinterColumns: - - name: Type - type: string - jsonPath: .spec.type - - name: Name - type: string - jsonPath: .status.profile.name - - name: Display e-mail - type: string - jsonPath: .status.primaryEmail - - name: Phone - type: string - jsonPath: .status.profile.phones[0] - - name: Upstream IdP e-mail - type: string - jsonPath: .github.emails[?(@.primary==true)].email - - name: GH ID - type: string - jsonPath: .github.id - - name: Groups - type: string - jsonPath: .status.groups - conversion: - strategy: None ---- -# Source: passmower/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: oidcclients.codemowers.cloud -spec: - group: codemowers.cloud - names: - plural: oidcclients - singular: oidcclient - kind: OIDCClient - listKind: OIDCClientList - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - redirectUris - - grantTypes - - responseTypes - properties: - allowedCORSOrigins: - type: 
array - items: - type: string - allowedGroups: - type: array - items: - type: string - availableScopes: - type: array - default: - - openid - items: - type: string - enum: - - openid - - profile - - offline_access - - groups - - allowed_groups - displayName: - type: string - grantTypes: - type: array - items: - type: string - enum: - - implicit - - authorization_code - - refresh_token - idTokenSignedResponseAlg: - type: string - enum: - - PS256 - - RS256 - - ES256 - overrideIncomingScopes: - type: boolean - default: false - pkce: - type: boolean - default: true - redirectUris: - type: array - items: - type: string - responseTypes: - type: array - items: - type: string - enum: - - code id_token - - code - - id_token - - none - secretMetadata: - type: object - properties: - annotations: - type: object - x-kubernetes-preserve-unknown-fields: true - labels: - type: object - x-kubernetes-preserve-unknown-fields: true - secretRefreshPod: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - tokenEndpointAuthMethod: - type: string - enum: - - client_secret_basic - - client_secret_jwt - - client_secret_post - - private_key_jwt - - none - uri: - type: string - status: - type: object - properties: - conditions: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - instance: - type: string - subresources: - status: {} - additionalPrinterColumns: - - name: Instance - type: string - description: Passmower deployment which manages this client - jsonPath: .status.instance - - name: Uris - type: string - description: Redirect URLs configured for this client - jsonPath: .spec.redirectUris - - name: Allowed groups - type: string - description: Groups allowed to this client - jsonPath: .spec.allowedGroups - conversion: - strategy: None ---- -# Source: passmower/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: 
oidcmiddlewareclients.codemowers.cloud -spec: - group: codemowers.cloud - names: - plural: oidcmiddlewareclients - singular: oidcmiddlewareclient - kind: OIDCMiddlewareClient - listKind: OIDCMiddlewareClientList - scope: Namespaced - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - properties: - allowedGroups: - type: array - items: - type: string - displayName: - type: string - headerMapping: - type: object - default: - email: Remote-Email - groups: Remote-Groups - name: Remote-Name - user: Remote-User - properties: - email: - type: string - groups: - type: string - name: - type: string - user: - type: string - uri: - type: string - status: - type: object - properties: - conditions: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-embedded-resource: true - instance: - type: string - subresources: - status: {} - additionalPrinterColumns: - - name: Instance - type: string - description: Passmower deployment which manages this client - jsonPath: .status.instance - - name: Uri - type: string - description: URL configured for this client - jsonPath: .spec.uri - - name: Allowed groups - type: string - description: Groups allowed to this client - jsonPath: .spec.allowedGroups - conversion: - strategy: None ---- -# Source: passmower/templates/serviceaccount.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: passmower - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm -rules: - - verbs: - - get - - list - - watch - - create - - update - - patch - apiGroups: - - codemowers.cloud - resources: - - oidcusers - - oidcusers/status - - oidcclients - - oidcclients/status - - oidcmiddlewareclients - - oidcmiddlewareclients/status - - verbs: - - get 
- - create - - patch - - delete - apiGroups: - - '' - resources: - - secrets - - verbs: - - create - apiGroups: - - '' - resources: - - pods - - verbs: - - get - - create - - update - - patch - - delete - apiGroups: - - traefik.io - resources: - - middlewares ---- -# Source: passmower/templates/serviceaccount.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: passmower - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: passmower - namespace: passmower -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: passmower ---- -# Source: passmower/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: passmower - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower ---- -# Source: passmower/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: passmower - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 4 - selector: - matchLabels: - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - template: - metadata: - labels: - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - spec: - serviceAccountName: passmower - securityContext: - {} - containers: - - name: passmower - securityContext: - {} - image: "ghcr.io/passmower/passmower:1.0.1" - imagePullPolicy: IfNotPresent 
- ports: - - containerPort: 3000 - name: http - - containerPort: 9090 - name: metrics - env: - - name: ISSUER_URL - value: https://auth.k-space.ee/ - - name: DEPLOYMENT_NAME - value: passmower - - name: GROUP_PREFIX - value: "k-space" - - name: ADMIN_GROUP - value: "k-space:onboarding" - - name: REQUIRED_GROUP - value: "" - - name: GITHUB_ORGANIZATION - value: "codemowers" - - name: USE_GITHUB_USERNAME - value: "false" - - name: ENROLL_USERS - value: "false" - - name: DISABLE_FRONTEND_EDIT - value: "true" - - name: NAMESPACE_SELECTOR - value: "*" - - name: PREFERRED_EMAIL_DOMAIN - value: "k-space.ee" - - name: REQUIRE_CUSTOM_USERNAME - value: "true" - - name: NORMALIZE_EMAIL_ADDRESSES - value: "false" - - name: REDIS_URI - valueFrom: - secretKeyRef: - name: dragonfly-auth - key: REDIS_URI - envFrom: - - secretRef: - name: oidc-keys - - secretRef: - name: email-credentials - - secretRef: - name: github-client - - secretRef: - name: slack-client - readinessProbe: - httpGet: - path: /.well-known/openid-configuration - port: 3000 - httpHeaders: - - name: x-forwarded-for # suppress oidc-provider warning - value: https://auth.k-space.ee/ - - name: x-forwarded-proto # suppress oidc-provider warning - value: https - livenessProbe: - httpGet: - path: /health - port: 9090 - httpHeaders: - - name: x-forwarded-for # suppress oidc-provider warning - value: https://auth.k-space.ee/ - - name: x-forwarded-proto # suppress oidc-provider warning - value: https - initialDelaySeconds: 10 - timeoutSeconds: 10 - periodSeconds: 30 - volumeMounts: - - mountPath: /app/tos - name: tos - - mountPath: /app/approval - name: approval - - mountPath: /app/disable_frontend_edit - name: disable-frontend-edit - - mountPath: /app/src/views/custom/emails - name: email-templates - resources: - {} - volumes: - - name: tos - configMap: - name: passmower-tos - - name: approval - configMap: - name: passmower-approval - - name: disable-frontend-edit - configMap: - name: passmower-disable-frontend-edit - - 
name: email-templates - configMap: - name: passmower-email-templates ---- -# Source: passmower/templates/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: passmower - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm - annotations: - external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee - kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: websecure -spec: - tls: - - hosts: - - "*.k-space.ee" - secretName: - rules: - - host: "auth.k-space.ee" - http: - paths: - - path: "/" - pathType: Prefix - backend: - service: - name: passmower - port: - number: 80 ---- -# Source: passmower/templates/deployment.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: passmower-key-manager - annotations: - "helm.sh/hook": pre-install - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed - labels: - helm.sh/chart: passmower-1.0.1 - app.kubernetes.io/name: passmower - app.kubernetes.io/instance: passmower - app.kubernetes.io/version: "1.0.1" - app.kubernetes.io/managed-by: Helm -spec: - template: - spec: - serviceAccountName: passmower - containers: - - name: oidc-key-manager - image: "ghcr.io/passmower/passmower:1.0.1" - command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ] - restartPolicy: Never diff --git a/passmower/kustomization.yaml b/passmower/kustomization.yaml index 1e24557..7817ac6 100644 --- a/passmower/kustomization.yaml +++ b/passmower/kustomization.yaml 
@@ -1,14 +1,24 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -metadata: - name: passmower-extras + +namespace: &ns passmower + +# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_ +helmCharts: +- namespace: *ns # for ClusterRoleBinding, which doesn't want to adopt the Kustomization namespace + includeCRDs: true + name: &name passmower + releaseName: *name + repo: oci://ghcr.io/passmower/charts + valuesFile: values.yaml + version: 1.1.1 resources: -- application.yaml +- ssh://git@git.k-space.ee/secretspace/kube/passmower # secrets: email-credentials, github-client, slack-client - application-extras.yaml -- texts.yaml +- dragonfly.yaml - kubelogin.yaml - proxmox.yaml -- dragonfly.yaml - prusa.yaml +- texts.yaml - voron.yaml
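Review bot: The remote resource `ssh://git@git.k-space.ee/secretspace/kube/passmower` has no `?ref=` query, so kustomize fetches whatever that repository's default branch points to at render time, and anything pushed there becomes the IdP's live credentials without a reviewable change in this repo; pin it, e.g. `- ssh://git@git.k-space.ee/secretspace/kube/passmower?ref=<commit-sha>  # secrets: email-credentials, github-client, slack-client`. The same applies to `version: 1.1.1` under `helmCharts`: the chart is pulled from `oci://ghcr.io/passmower/charts` by a mutable tag with no digest or signature verification, whereas the deleted `application.yaml` was a committed render that could be diffed, so consider recording the chart digest (or verifying the OCI artifact's signature out of band) and checking the rendered output of the 1.0.1 to 1.1.1 bump before sync. Note that the deleted render's ClusterRole granted cluster-wide get/create/patch/delete on `secrets` and create on `pods`; that RBAC is no longer visible in this repo, so the reviewer should confirm what the new chart version renders. Since the secretspace repository presumably holds plain Secret manifests (the deleted Deployment consumed `email-credentials`, `github-client` and `slack-client` via `secretRef`), the ArgoCD repo-server now needs an SSH key for it and the rendered Secret data will show in the application's manifest and diff views, so verify the ArgoCD project RBAC restricts who can read this application.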