k-space/kube
12
1
Fork 3
Code Issues 62 Pull Requests 1 Wiki Activity

argo: passmower helm + extras didn't work out

Browse Source 
Kustomize should be able to auto-generate Helm as well.
This commit is contained in:
rasmus
2025-01-02 01:02:23 +02:00
parent 21beb2332c
commit b71a872c09
5 changed files with 695 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
argocd/applications/passmower.yaml
View File

@@ -4,28 +4,6 @@ kind: Application
metadata: metadata:
name: passmower name: passmower
namespace: argocd namespace: argocd
spec:
project: k-space.ee
source:
repoURL: ghcr.io/passmower/charts
chart: passmower
targetRevision: 1.0.1
valueFiles:
- ../../passmower/values.yaml
destination:
server: 'https://kubernetes.default.svc'
namespace: passmower
# syncPolicy:
# automated:
# prune: true
# syncOptions:
# - CreateNamespace=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: passmower-extras
namespace: argocd
spec: spec:
project: k-space.ee project: k-space.ee
source: source:

1
passmower/.gitignore vendored
View File

@@ -1 +0,0 @@
application.yaml

3
passmower/README.md
View File

@@ -26,5 +26,6 @@ For good examples refer to [Grafana](https://git.k-space.ee/k-space/kube/src/bra
Passmower was deployed with Helm chart: Passmower was deployed with Helm chart:
``` ```
helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml > passmower/application.yaml echo "# Generated file, DO NOT EDIT!" > passmower/application.yaml
helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml >> passmower/application.yaml
``` ```

692
passmower/application.yaml Normal file
View File

@@ -0,0 +1,692 @@
# Generated file, DO NOT EDIT!
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: passmower
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
---
# Source: passmower/templates/texts.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-disable-frontend-edit
data:
disable_frontend_edit.md: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)"
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcusers.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcusers
singular: oidcuser
kind: OIDCUser
listKind: OIDCUserList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
github:
type: object
properties:
company:
type: string
email:
type: string
emails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
enum:
- github.com
id:
type: integer
login:
type: string
name:
type: string
passmower:
type: object
properties:
company:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
name:
type: string
slack:
type: object
properties:
id:
type: string
spec:
type: object
required:
- type
properties:
companyEmail:
type: string
email:
type: string
phones:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
type:
type: string
default: person
enum:
- person
- org
- service
- banned
- group
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
primaryEmail:
type: string
profile:
type: object
properties:
company:
type: string
name:
type: string
phones:
type: array
items:
type: string
x-kubernetes-preserve-unknown-fields: true
slackId:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Type
type: string
jsonPath: .spec.type
- name: Name
type: string
jsonPath: .status.profile.name
- name: Display e-mail
type: string
jsonPath: .status.primaryEmail
- name: Phone
type: string
jsonPath: .status.profile.phones[0]
- name: Upstream IdP e-mail
type: string
jsonPath: .github.emails[?(@.primary==true)].email
- name: GH ID
type: string
jsonPath: .github.id
- name: Groups
type: string
jsonPath: .status.groups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcclients
singular: oidcclient
kind: OIDCClient
listKind: OIDCClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- redirectUris
- grantTypes
- responseTypes
properties:
allowedCORSOrigins:
type: array
items:
type: string
allowedGroups:
type: array
items:
type: string
availableScopes:
type: array
default:
- openid
items:
type: string
enum:
- openid
- profile
- offline_access
- groups
- allowed_groups
displayName:
type: string
grantTypes:
type: array
items:
type: string
enum:
- implicit
- authorization_code
- refresh_token
idTokenSignedResponseAlg:
type: string
enum:
- PS256
- RS256
- ES256
overrideIncomingScopes:
type: boolean
default: false
pkce:
type: boolean
default: true
redirectUris:
type: array
items:
type: string
responseTypes:
type: array
items:
type: string
enum:
- code id_token
- code
- id_token
- none
secretMetadata:
type: object
properties:
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
secretRefreshPod:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
tokenEndpointAuthMethod:
type: string
enum:
- client_secret_basic
- client_secret_jwt
- client_secret_post
- private_key_jwt
- none
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uris
type: string
description: Redirect URLs configured for this client
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcmiddlewareclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcmiddlewareclients
singular: oidcmiddlewareclient
kind: OIDCMiddlewareClient
listKind: OIDCMiddlewareClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
properties:
allowedGroups:
type: array
items:
type: string
displayName:
type: string
headerMapping:
type: object
default:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-User
properties:
email:
type: string
groups:
type: string
name:
type: string
user:
type: string
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uri
type: string
description: URL configured for this client
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: passmower
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
rules:
- verbs:
- get
- list
- watch
- create
- update
- patch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
- oidcclients
- oidcclients/status
- oidcmiddlewareclients
- oidcmiddlewareclients/status
- verbs:
- get
- create
- patch
- delete
apiGroups:
- ''
resources:
- secrets
- verbs:
- create
apiGroups:
- ''
resources:
- pods
- verbs:
- get
- create
- update
- patch
- delete
apiGroups:
- traefik.io
resources:
- middlewares
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: passmower
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: passmower
namespace: passmower
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: passmower
---
# Source: passmower/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: passmower
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
---
# Source: passmower/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: passmower
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 3
selector:
matchLabels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
template:
metadata:
labels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
spec:
serviceAccountName: passmower
securityContext:
{}
containers:
- name: passmower
securityContext:
{}
image: "ghcr.io/passmower/passmower:1.0.1"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3000
name: http
- containerPort: 9090
name: metrics
env:
- name: ISSUER_URL
value: https://auth.k-space.ee/
- name: DEPLOYMENT_NAME
value: passmower
- name: GROUP_PREFIX
value: "k-space"
- name: ADMIN_GROUP
value: "k-space:onboarding"
- name: REQUIRED_GROUP
value: ""
- name: GITHUB_ORGANIZATION
value: "codemowers"
- name: USE_GITHUB_USERNAME
value: "false"
- name: ENROLL_USERS
value: "false"
- name: DISABLE_FRONTEND_EDIT
value: "true"
- name: NAMESPACE_SELECTOR
value: "*"
- name: PREFERRED_EMAIL_DOMAIN
value: "k-space.ee"
- name: REQUIRE_CUSTOM_USERNAME
value: "true"
- name: NORMALIZE_EMAIL_ADDRESSES
value: "true"
- name: REDIS_URI
valueFrom:
secretKeyRef:
name: dragonfly-auth
key: REDIS_URI
envFrom:
- secretRef:
name: oidc-keys
- secretRef:
name: email-credentials
- secretRef:
name: github-client
- secretRef:
name: slack-client
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
livenessProbe:
httpGet:
path: /health
port: 9090
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
initialDelaySeconds: 10
timeoutSeconds: 10
periodSeconds: 30
volumeMounts:
- mountPath: /app/tos
name: tos
- mountPath: /app/approval
name: approval
- mountPath: /app/disable_frontend_edit
name: disable-frontend-edit
- mountPath: /app/src/views/custom/emails
name: email-templates
resources:
{}
volumes:
- name: tos
configMap:
name: passmower-tos
- name: approval
configMap:
name: passmower-approval
- name: disable-frontend-edit
configMap:
name: passmower-disable-frontend-edit
- name: email-templates
configMap:
name: passmower-email-templates
---
# Source: passmower/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: passmower
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
annotations:
external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- hosts:
- "*.k-space.ee"
secretName:
rules:
- host: "auth.k-space.ee"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: passmower
port:
number: 80
---
# Source: passmower/templates/deployment.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: passmower-key-manager
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
labels:
helm.sh/chart: passmower-1.0.1
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "1.0.1"
app.kubernetes.io/managed-by: Helm
spec:
template:
spec:
serviceAccountName: passmower
containers:
- name: oidc-key-manager
image: "ghcr.io/passmower/passmower:1.0.1"
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
restartPolicy: Never

1
passmower/kustomization.yaml
View File

@@ -4,6 +4,7 @@ metadata:
name: passmower-extras name: passmower-extras
resources: resources:
- application.yaml
- application-extras.yaml - application-extras.yaml
- texts.yaml - texts.yaml
- kubelogin.yaml - kubelogin.yaml