hackerspace kustomize

+ move static env to dockerfile + doorboy-direct refactor
2025-08-08 03:07:21 +03:00
parent c29de936af
commit 9ef252c8ec
7 changed files with 125 additions and 129 deletions
--- a/hackerspace/README.md
+++ b/hackerspace/README.md
@@ -1,8 +1,20 @@
-## inventory.k-space.ee
+## hackerspace / inventory
 Reads-writes to mongo.
 <!-- Referenced/linked by https://wiki.k-space.ee/en/hosting/doors -->
 A component of inventory is 'doorboy' (https://wiki.k-space.ee/en/hosting/doors)
-## k6.ee
+## [doorboy-proxy](https://github.com/k-space/doorboy-proxy)
 - Dispatches open events (from mongodb) to door controllers.
 - Handles Slack open events (to mongodb).
 - Forwards logs from door controllers to mongodb.
 - Broadcasts mongodb logs to Slack.
 See also:
 - inventory-app door components
 - https://wiki.k-space.ee/en/hosting/doors
 ## [inventory-app](https://github.com/k-space/inventory-app) (inventory.k-space.ee)
 - Inventory
 - Manages door keycards.
 - Forwards door opens from website to mongodb (what are picked up by doorboy-proxy).
 ## [goredirect](https://github.com/k-space/goredirect) (k6.ee)
 Reads from mongo, HTTP redirect to //inventory.k-space.ee/m/inventory/{uuid}/view
--- a/hackerspace/doorboy.yaml
+++ b/hackerspace/doorboy.yaml
@@ -26,6 +26,7 @@ spec:
                      - doorboy-proxy
                topologyKey: topology.kubernetes.io/zone
              weight: 100
      serviceAccountName: inventory-svcacc
      containers:
        - name: doorboy-proxy
          image: harbor.k-space.ee/k-space/doorboy-proxy:latest
@@ -33,21 +34,14 @@ spec:
            - secretRef:
                name: inventory-mongodb
            - secretRef:
-                name: doorboy-api
+                name: doorboy-godoor
            - secretRef:
                name: doorboy-slack
          env:
-            - name: FLOOR_ACCESS_GROUP
+            - name: OIDC_USERS_NAMESPACE
-              value: 'k-space:floor'
+              value: passmower
-            - name: WORKSHOP_ACCESS_GROUP
+            - name: SLACK_CHANNEL_ID
-              value: 'k-space:workshop'
+              value: CDL9H8Q9W
            - name: CARD_URI
              value: 'https://inventory.k-space.ee/cards'
            - name: SWIPE_URI
              value: 'https://inventory.k-space.ee/m/doorboy/swipe'
            - name: INVENTORY_API_KEY
              valueFrom:
                secretKeyRef:
                  name: inventory-api-key
                  key: INVENTORY_API_KEY
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
--- a/hackerspace/inventory-extras.yaml
+++ b/hackerspace/inventory-extras.yaml
@@ -1,37 +1,24 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: members-inventory-redirect
 spec:
  redirectRegex:
    regex: ^https://members.k-space.ee/(.*)
    replacement: https://inventory.k-space.ee/${1}
    permanent: false
 ---
 # Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
 apiVersion: codemowers.cloud/v1beta1
-kind: OIDCMiddlewareClient
+kind: OIDCClient
 metadata:
-  name: doorboy
+  name: inventory-app
 spec:
-  displayName: Doorboy
+  uri: 'https://inventory.k-space.ee'
-  uri: 'https://inventory.k-space.ee/m/doorboy'
+  redirectUris:
---
+    - 'https://inventory.k-space.ee/login-callback'
-apiVersion: traefik.io/v1alpha1
+  grantTypes:
-kind: IngressRoute
+    - 'authorization_code'
-metadata:
+    - 'refresh_token'
-  name: members-inventory
+  responseTypes:
-spec:
+    - 'code'
-  entryPoints:
+  availableScopes:
-    - websecure
+    - 'openid'
-  routes:
+    - 'profile'
-  - match: Host(`members.k-space.ee`)
+    - 'groups'
-    kind: Rule
+    - 'offline_access'
-    middlewares:
+  tokenEndpointAuthMethod: 'client_secret_basic'
-      - name: members-inventory-redirect
+  pkce: false
    services:
      - kind: TraefikService
        name: api@internal
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: MinioBucketClaim
--- a/hackerspace/inventory-redirects.yaml
+++ b/hackerspace/inventory-redirects.yaml
@@ -0,0 +1,35 @@
 ---
 # Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCMiddlewareClient
 metadata:
  name: doorboy
 spec:
  displayName: Doorboy
  uri: 'https://inventory.k-space.ee/m/doorboy'
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: members-inventory-redirect
 spec:
  redirectRegex:
    regex: ^https://members.k-space.ee/(.*)
    replacement: https://inventory.k-space.ee/${1}
    permanent: false
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: members-inventory
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`members.k-space.ee`)
    kind: Rule
    middlewares:
      - name: members-inventory-redirect
    services:
      - kind: TraefikService
        name: api@internal
--- a/hackerspace/inventory.yaml
+++ b/hackerspace/inventory.yaml
@@ -20,36 +20,12 @@ spec:
      - image: harbor.k-space.ee/k-space/inventory-app:latest
        imagePullPolicy: Always
        env:
        - name: ENVIRONMENT_TYPE
          value: PROD
        - name: PYTHONUNBUFFERED
          value: "1"
        - name: INVENTORY_ASSETS_BASE_URL
          value: https://external.minio-clusters.k-space.ee/hackerspace-701d9303-0f27-4829-a2be-b1084021ad91/
        - name: MACADDRESS_OUTLINK_BASEURL
          value: https://grafana.k-space.ee/d/ddwyidbtbc16oa/ip-usage?orgId=1&from=now-2y&to=now&timezone=browser&var-Filters=mac%7C%3D%7C
        - name: OIDC_USERS_NAMESPACE
          value: passmower
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: SECRET_KEY
              name: inventory-secrets
        - name: INVENTORY_API_KEY
          valueFrom:
            secretKeyRef:
              key: INVENTORY_API_KEY
              name: inventory-api-key
        - name: SLACK_DOORLOG_CALLBACK
          valueFrom:
            secretKeyRef:
              key: SLACK_DOORLOG_CALLBACK
              name: slack-secrets
        - name: SLACK_VERIFICATION_TOKEN
          valueFrom:
            secretKeyRef:
              key: SLACK_VERIFICATION_TOKEN
              name: slack-secrets
        envFrom:
        - secretRef:
            name: miniobucket-inventory-external-owner-secrets
@@ -122,59 +98,3 @@ spec:
  tls:
  - hosts:
    - "*.k-space.ee"
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
  name: inventory-app
 spec:
  uri: 'https://inventory.k-space.ee'
  redirectUris:
    - 'https://inventory.k-space.ee/login-callback'
  grantTypes:
    - 'authorization_code'
    - 'refresh_token'
  responseTypes:
    - 'code'
  availableScopes:
    - 'openid'
    - 'profile'
    - 'groups'
    - 'offline_access'
  tokenEndpointAuthMethod: 'client_secret_basic'
  pkce: false
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: inventory-role
  namespace: hackerspace
 rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - codemowers.cloud
    resources:
      - oidcusers
      - oidcusers/status
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: inventory-roles
  namespace: hackerspace
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: inventory-role
 subjects:
  - kind: ServiceAccount
    name: inventory-svcacc
    namespace: hackerspace
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: inventory-svcacc
--- a/hackerspace/kustomization.yaml
+++ b/hackerspace/kustomization.yaml
@@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: hackerspace
 resources:
 - ssh://git@git.k-space.ee/secretspace/kube/hackerspace # secrets: inventory-mongodb, inventory-s3, doorboy-godoor, doorboy-slack
 - ./doorboy.yaml
 - ./svcacc.yaml
 - ./inventory.yaml
 - ./inventory-extras.yaml
 - ./inventory-redirects.yaml
 - ./goredirect.yaml
--- a/hackerspace/svcacc.yaml
+++ b/hackerspace/svcacc.yaml
@@ -0,0 +1,35 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: inventory-role
  namespace: hackerspace
 rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - codemowers.cloud
    resources:
      - oidcusers
      - oidcusers/status
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: inventory-roles
  namespace: hackerspace
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: inventory-role
 subjects:
  - kind: ServiceAccount
    name: inventory-svcacc
    namespace: hackerspace
 ---
 # used by inventory and doorboy
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: inventory-svcacc