diff --git a/argocd/applications/passmower.yaml b/argocd/applications/passmower.yaml
index 1e66763..cf4e5da 100644
--- a/argocd/applications/passmower.yaml
+++ b/argocd/applications/passmower.yaml
@@ -4,28 +4,6 @@ kind: Application
 metadata:
   name: passmower
   namespace: argocd
-spec:
-  project: k-space.ee
-  source:
-    repoURL: ghcr.io/passmower/charts
-    chart: passmower
-    targetRevision: 1.0.1
-    valueFiles:
-      - ../../passmower/values.yaml
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: passmower
-  # syncPolicy:
-  #   automated:
-  #     prune: true
-  #   syncOptions:
-  #     - CreateNamespace=true
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passmower-extras
-  namespace: argocd
 spec:
   project: k-space.ee
   source:
diff --git a/passmower/.gitignore b/passmower/.gitignore
deleted file mode 100644
index d02bd12..0000000
--- a/passmower/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-application.yaml
diff --git a/passmower/README.md b/passmower/README.md
index 7a31056..32c3f5f 100644
--- a/passmower/README.md
+++ b/passmower/README.md
@@ -26,5 +26,6 @@ For good examples refer to [Grafana](https://git.k-space.ee/k-space/kube/src/bra
 Passmower was deployed with Helm chart:
 ```
-helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml > passmower/application.yaml
+echo "# Generated file, DO NOT EDIT!" > passmower/application.yaml
+helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml >> passmower/application.yaml
 ```
diff --git a/passmower/application.yaml b/passmower/application.yaml
new file mode 100644
index 0000000..f2ca864
--- /dev/null
+++ b/passmower/application.yaml
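Review bot: After this hunk the Application named `passmower` carries the spec that previously belonged to `passmower-extras`, and its remaining `source:` lines continue outside the hunk, so confirm that `source.path` now points at the `passmower/` kustomization (the one that lists the rendered `application.yaml`) rather than at a chart. The objects Argo CD previously created from the chart source keep the same names in the rendered manifest, so adoption should be in place, but the `app.kubernetes.io/managed-by: Helm` labels are now purely cosmetic; a header comment such as `# Chart output is committed as passmower/application.yaml; regenerate per passmower/README.md` would save the next reader from looking for a Helm source. Removing the `passmower-extras` Application also removes its ownership of what it had synced; whether those resources are pruned or orphaned depends on finalizer and sync settings not visible here.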
@@ -0,0 +1,692 @@
+# Generated file, DO NOT EDIT!
+---
+# Source: passmower/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: passmower/templates/texts.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passmower-disable-frontend-edit
+data:
+  disable_frontend_edit.md: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)"
+---
+# Source: passmower/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: oidcusers.codemowers.cloud
+spec:
+  group: codemowers.cloud
+  names:
+    plural: oidcusers
+    singular: oidcuser
+    kind: OIDCUser
+    listKind: OIDCUserList
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            github:
+              type: object
+              properties:
+                company:
+                  type: string
+                email:
+                  type: string
+                emails:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      email:
+                        type: string
+                      primary:
+                        type: boolean
+                        default: false
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                        enum:
+                          - github.com
+                id:
+                  type: integer
+                login:
+                  type: string
+                name:
+                  type: string
+            passmower:
+              type: object
+              properties:
+                company:
+                  type: string
+                email:
+                  type: string
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                name:
+                  type: string
+            slack:
+              type: object
+              properties:
+                id:
+                  type: string
+            spec:
+              type: object
+              required:
+                - type
+              properties:
+                companyEmail:
+                  type: string
+                email:
+                  type: string
+                phones:
+                  type: array
+                  items:
+                    type: string
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                type:
+                  type: string
+                  default: person
+                  enum:
+                    - person
+                    - org
+                    - service
+                    - banned
+                    - group
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                    x-kubernetes-embedded-resource: true
+                emails:
+                  type: array
+                  items:
+                    type: string
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                primaryEmail:
+                  type: string
+                profile:
+                  type: object
+                  properties:
+                    company:
+                      type: string
+                    name:
+                      type: string
+                    phones:
+                      type: array
+                      items:
+                        type: string
+                  x-kubernetes-preserve-unknown-fields: true
+                slackId:
+                  type: string
+      subresources:
+        status: {}
+      additionalPrinterColumns:
+        - name: Type
+          type: string
+          jsonPath: .spec.type
+        - name: Name
+          type: string
+          jsonPath: .status.profile.name
+        - name: Display e-mail
+          type: string
+          jsonPath: .status.primaryEmail
+        - name: Phone
+          type: string
+          jsonPath: .status.profile.phones[0]
+        - name: Upstream IdP e-mail
+          type: string
+          jsonPath: .github.emails[?(@.primary==true)].email
+        - name: GH ID
+          type: string
+          jsonPath: .github.id
+        - name: Groups
+          type: string
+          jsonPath: .status.groups
+  conversion:
+    strategy: None
+---
+# Source: passmower/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: oidcclients.codemowers.cloud
+spec:
+  group: codemowers.cloud
+  names:
+    plural: oidcclients
+    singular: oidcclient
+    kind: OIDCClient
+    listKind: OIDCClientList
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - redirectUris
+                - grantTypes
+                - responseTypes
+              properties:
+                allowedCORSOrigins:
+                  type: array
+                  items:
+                    type: string
+                allowedGroups:
+                  type: array
+                  items:
+                    type: string
+                availableScopes:
+                  type: array
+                  default:
+                    - openid
+                  items:
+                    type: string
+                    enum:
+                      - openid
+                      - profile
+                      - offline_access
+                      - groups
+                      - allowed_groups
+                displayName:
+                  type: string
+                grantTypes:
+                  type: array
+                  items:
+                    type: string
+                    enum:
+                      - implicit
+                      - authorization_code
+                      - refresh_token
+                idTokenSignedResponseAlg:
+                  type: string
+                  enum:
+                    - PS256
+                    - RS256
+                    - ES256
+                overrideIncomingScopes:
+                  type: boolean
+                  default: false
+                pkce:
+                  type: boolean
+                  default: true
+                redirectUris:
+                  type: array
+                  items:
+                    type: string
+                responseTypes:
+                  type: array
+                  items:
+                    type: string
+                    enum:
+                      - code id_token
+                      - code
+                      - id_token
+                      - none
+                secretMetadata:
+                  type: object
+                  properties:
+                    annotations:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    labels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                secretRefreshPod:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                  x-kubernetes-embedded-resource: true
+                tokenEndpointAuthMethod:
+                  type: string
+                  enum:
+                    - client_secret_basic
+                    - client_secret_jwt
+                    - client_secret_post
+                    - private_key_jwt
+                    - none
+                uri:
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                    x-kubernetes-embedded-resource: true
+                instance:
+                  type: string
+      subresources:
+        status: {}
+      additionalPrinterColumns:
+        - name: Instance
+          type: string
+          description: Passmower deployment which manages this client
+          jsonPath: .status.instance
+        - name: Uris
+          type: string
+          description: Redirect URLs configured for this client
+          jsonPath: .spec.redirectUris
+        - name: Allowed groups
+          type: string
+          description: Groups allowed to this client
+          jsonPath: .spec.allowedGroups
+  conversion:
+    strategy: None
+---
+# Source: passmower/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: oidcmiddlewareclients.codemowers.cloud
+spec:
+  group: codemowers.cloud
+  names:
+    plural: oidcmiddlewareclients
+    singular: oidcmiddlewareclient
+    kind: OIDCMiddlewareClient
+    listKind: OIDCMiddlewareClientList
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              properties:
+                allowedGroups:
+                  type: array
+                  items:
+                    type: string
+                displayName:
+                  type: string
+                headerMapping:
+                  type: object
+                  default:
+                    email: Remote-Email
+                    groups: Remote-Groups
+                    name: Remote-Name
+                    user: Remote-User
+                  properties:
+                    email:
+                      type: string
+                    groups:
+                      type: string
+                    name:
+                      type: string
+                    user:
+                      type: string
+                uri:
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                    x-kubernetes-embedded-resource: true
+                instance:
+                  type: string
+      subresources:
+        status: {}
+      additionalPrinterColumns:
+        - name: Instance
+          type: string
+          description: Passmower deployment which manages this client
+          jsonPath: .status.instance
+        - name: Uri
+          type: string
+          description: URL configured for this client
+          jsonPath: .spec.uri
+        - name: Allowed groups
+          type: string
+          description: Groups allowed to this client
+          jsonPath: .spec.allowedGroups
+  conversion:
+    strategy: None
+---
+# Source: passmower/templates/serviceaccount.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+    apiGroups:
+      - codemowers.cloud
+    resources:
+      - oidcusers
+      - oidcusers/status
+      - oidcclients
+      - oidcclients/status
+      - oidcmiddlewareclients
+      - oidcmiddlewareclients/status
+  - verbs:
+      - get
+      - create
+      - patch
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - secrets
+  - verbs:
+      - create
+    apiGroups:
+      - ''
+    resources:
+      - pods
+  - verbs:
+      - get
+      - create
+      - update
+      - patch
+      - delete
+    apiGroups:
+      - traefik.io
+    resources:
+      - middlewares
+---
+# Source: passmower/templates/serviceaccount.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+subjects:
+  - kind: ServiceAccount
+    name: passmower
+    namespace: passmower
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: passmower
+---
+# Source: passmower/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+---
+# Source: passmower/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: passmower
+      app.kubernetes.io/instance: passmower
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: passmower
+        app.kubernetes.io/instance: passmower
+    spec:
+      serviceAccountName: passmower
+      securityContext:
+        {}
+      containers:
+        - name: passmower
+          securityContext:
+            {}
+          image: "ghcr.io/passmower/passmower:1.0.1"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 3000
+              name: http
+            - containerPort: 9090
+              name: metrics
+          env:
+            - name: ISSUER_URL
+              value: https://auth.k-space.ee/
+            - name: DEPLOYMENT_NAME
+              value: passmower
+            - name: GROUP_PREFIX
+              value: "k-space"
+            - name: ADMIN_GROUP
+              value: "k-space:onboarding"
+            - name: REQUIRED_GROUP
+              value: ""
+            - name: GITHUB_ORGANIZATION
+              value: "codemowers"
+            - name: USE_GITHUB_USERNAME
+              value: "false"
+            - name: ENROLL_USERS
+              value: "false"
+            - name: DISABLE_FRONTEND_EDIT
+              value: "true"
+            - name: NAMESPACE_SELECTOR
+              value: "*"
+            - name: PREFERRED_EMAIL_DOMAIN
+              value: "k-space.ee"
+            - name: REQUIRE_CUSTOM_USERNAME
+              value: "true"
+            - name: NORMALIZE_EMAIL_ADDRESSES
+              value: "true"
+            - name: REDIS_URI
+              valueFrom:
+                secretKeyRef:
+                  name: dragonfly-auth
+                  key: REDIS_URI
+          envFrom:
+            - secretRef:
+                name: oidc-keys
+            - secretRef:
+                name: email-credentials
+            - secretRef:
+                name: github-client
+            - secretRef:
+                name: slack-client
+          readinessProbe:
+            httpGet:
+              path: /.well-known/openid-configuration
+              port: 3000
+              httpHeaders:
+                - name: x-forwarded-for # suppress oidc-provider warning
+                  value: https://auth.k-space.ee/
+                - name: x-forwarded-proto # suppress oidc-provider warning
+                  value: https
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9090
+              httpHeaders:
+                - name: x-forwarded-for # suppress oidc-provider warning
+                  value: https://auth.k-space.ee/
+                - name: x-forwarded-proto # suppress oidc-provider warning
+                  value: https
+            initialDelaySeconds: 10
+            timeoutSeconds: 10
+            periodSeconds: 30
+          volumeMounts:
+            - mountPath: /app/tos
+              name: tos
+            - mountPath: /app/approval
+              name: approval
+            - mountPath: /app/disable_frontend_edit
+              name: disable-frontend-edit
+            - mountPath: /app/src/views/custom/emails
+              name: email-templates
+          resources:
+            {}
+      volumes:
+        - name: tos
+          configMap:
+            name: passmower-tos
+        - name: approval
+          configMap:
+            name: passmower-approval
+        - name: disable-frontend-edit
+          configMap:
+            name: passmower-disable-frontend-edit
+        - name: email-templates
+          configMap:
+            name: passmower-email-templates
+---
+# Source: passmower/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+    - hosts:
+        - "*.k-space.ee"
+      secretName:
+  rules:
+    - host: "auth.k-space.ee"
+      http:
+        paths:
+          - path: "/"
+            pathType: Prefix
+            backend:
+              service:
+                name: passmower
+                port:
+                  number: 80
+---
+# Source: passmower/templates/deployment.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: passmower-key-manager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  template:
+    spec:
+      serviceAccountName: passmower
+      containers:
+        - name: oidc-key-manager
+          image: "ghcr.io/passmower/passmower:1.0.1"
+          command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
+      restartPolicy: Never
diff --git a/passmower/kustomization.yaml b/passmower/kustomization.yaml
index 11f11ca..1e24557 100644
--- a/passmower/kustomization.yaml
+++ b/passmower/kustomization.yaml
@@ -4,6 +4,7 @@ metadata:
   name: passmower-extras
 resources:
+- application.yaml
 - application-extras.yaml
 - texts.yaml
 - kubelogin.yaml
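Review bot: Listing `application.yaml` in the `passmower-extras` kustomization pulls in the chart's `passmower-key-manager` Job together with its `helm.sh/hook: pre-install` and `helm.sh/hook-delete-policy: hook-succeeded,hook-failed` annotations, which kustomize itself does not interpret; Argo CD is documented to map these Helm hook annotations onto its own sync hooks, but that should be confirmed for this setup, because a hook-deleted Job is recreated and `key-manager initialize` re-runs on every sync rather than once at install. The same file commits the `passmower` ClusterRole bound cluster-wide by the ClusterRoleBinding, granting `get/create/patch/delete` on `secrets` and `create` on `pods` in every namespace (consistent with `NAMESPACE_SELECTOR: "*"` in the Deployment); now that this manifest is reviewed in the repo instead of inside the chart, a comment above the new resource line such as `# helm-rendered (see README); grants cluster-wide secrets access via ClusterRole passmower` makes that scope visible to whoever next edits the kustomization. The Ingress entry's bare `secretName:` parses as null, so either set it or drop the key to make the reliance on the default Traefik certificate explicit.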