argo: passmower helm + extras didn't work out

Kustomize should be able to auto-generate Helm as well.

argocd/applications/passmower.yaml

@@ -4,28 +4,6 @@ kind: Application
 metadata:
   name: passmower
   namespace: argocd
-spec:
-  project: k-space.ee
-  source:
-    repoURL: ghcr.io/passmower/charts
-    chart: passmower
-    targetRevision: 1.0.1
-    valueFiles:
-    - ../../passmower/values.yaml
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: passmower
-  # syncPolicy:
-  #   automated:
-  #    prune: true
-  #   syncOptions:
-  #   - CreateNamespace=true
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: passmower-extras
-  namespace: argocd
 spec:
   project: k-space.ee
   source:

passmower/.gitignore

@@ -1 +0,0 @@
-application.yaml

passmower/README.md

@@ -26,5 +26,6 @@ For good examples refer to [Grafana](https://git.k-space.ee/k-space/kube/src/bra
 Passmower was deployed with Helm chart:
 
 ```
-helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml > passmower/application.yaml
+echo "# Generated file, DO NOT EDIT!" > passmower/application.yaml
+helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml >> passmower/application.yaml
 ```

passmower/application.yaml

@@ -0,0 +1,692 @@
+# Generated file, DO NOT EDIT!
+---
+# Source: passmower/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: passmower/templates/texts.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: passmower-disable-frontend-edit
+data:
+  disable_frontend_edit.md: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)"
+---
+# Source: passmower/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: oidcusers.codemowers.cloud
+spec:
+  group: codemowers.cloud
+  names:
+    plural: oidcusers
+    singular: oidcuser
+    kind: OIDCUser
+    listKind: OIDCUserList
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            github:
+              type: object
+              properties:
+                company:
+                  type: string
+                email:
+                  type: string
+                emails:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      email:
+                        type: string
+                      primary:
+                        type: boolean
+                        default: false
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                        enum:
+                          - github.com
+                id:
+                  type: integer
+                login:
+                  type: string
+                name:
+                  type: string
+            passmower:
+              type: object
+              properties:
+                company:
+                  type: string
+                email:
+                  type: string
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                name:
+                  type: string
+            slack:
+              type: object
+              properties:
+                id:
+                  type: string
+            spec:
+              type: object
+              required:
+                - type
+              properties:
+                companyEmail:
+                  type: string
+                email:
+                  type: string
+                phones:
+                  type: array
+                  items:
+                    type: string
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                type:
+                  type: string
+                  default: person
+                  enum:
+                    - person
+                    - org
+                    - service
+                    - banned
+                    - group
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                    x-kubernetes-embedded-resource: true
+                emails:
+                  type: array
+                  items:
+                    type: string
+                groups:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      prefix:
+                        type: string
+                primaryEmail:
+                  type: string
+                profile:
+                  type: object
+                  properties:
+                    company:
+                      type: string
+                    name:
+                      type: string
+                    phones:
+                      type: array
+                      items:
+                        type: string
+                  x-kubernetes-preserve-unknown-fields: true
+                slackId:
+                  type: string
+      subresources:
+        status: {}
+      additionalPrinterColumns:
+        - name: Type
+          type: string
+          jsonPath: .spec.type
+        - name: Name
+          type: string
+          jsonPath: .status.profile.name
+        - name: Display e-mail
+          type: string
+          jsonPath: .status.primaryEmail
+        - name: Phone
+          type: string
+          jsonPath: .status.profile.phones[0]
+        - name: Upstream IdP e-mail
+          type: string
+          jsonPath: .github.emails[?(@.primary==true)].email
+        - name: GH ID
+          type: string
+          jsonPath: .github.id
+        - name: Groups
+          type: string
+          jsonPath: .status.groups
+  conversion:
+    strategy: None
+---
+# Source: passmower/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: oidcclients.codemowers.cloud
+spec:
+  group: codemowers.cloud
+  names:
+    plural: oidcclients
+    singular: oidcclient
+    kind: OIDCClient
+    listKind: OIDCClientList
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - redirectUris
+                - grantTypes
+                - responseTypes
+              properties:
+                allowedCORSOrigins:
+                  type: array
+                  items:
+                    type: string
+                allowedGroups:
+                  type: array
+                  items:
+                    type: string
+                availableScopes:
+                  type: array
+                  default:
+                    - openid
+                  items:
+                    type: string
+                    enum:
+                      - openid
+                      - profile
+                      - offline_access
+                      - groups
+                      - allowed_groups
+                displayName:
+                  type: string
+                grantTypes:
+                  type: array
+                  items:
+                    type: string
+                    enum:
+                      - implicit
+                      - authorization_code
+                      - refresh_token
+                idTokenSignedResponseAlg:
+                  type: string
+                  enum:
+                    - PS256
+                    - RS256
+                    - ES256
+                overrideIncomingScopes:
+                  type: boolean
+                  default: false
+                pkce:
+                  type: boolean
+                  default: true
+                redirectUris:
+                  type: array
+                  items:
+                    type: string
+                responseTypes:
+                  type: array
+                  items:
+                    type: string
+                    enum:
+                      - code id_token
+                      - code
+                      - id_token
+                      - none
+                secretMetadata:
+                  type: object
+                  properties:
+                    annotations:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    labels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                secretRefreshPod:
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                  x-kubernetes-embedded-resource: true
+                tokenEndpointAuthMethod:
+                  type: string
+                  enum:
+                    - client_secret_basic
+                    - client_secret_jwt
+                    - client_secret_post
+                    - private_key_jwt
+                    - none
+                uri:
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                    x-kubernetes-embedded-resource: true
+                instance:
+                  type: string
+      subresources:
+        status: {}
+      additionalPrinterColumns:
+        - name: Instance
+          type: string
+          description: Passmower deployment which manages this client
+          jsonPath: .status.instance
+        - name: Uris
+          type: string
+          description: Redirect URLs configured for this client
+          jsonPath: .spec.redirectUris
+        - name: Allowed groups
+          type: string
+          description: Groups allowed to this client
+          jsonPath: .spec.allowedGroups
+  conversion:
+    strategy: None
+---
+# Source: passmower/templates/crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: oidcmiddlewareclients.codemowers.cloud
+spec:
+  group: codemowers.cloud
+  names:
+    plural: oidcmiddlewareclients
+    singular: oidcmiddlewareclient
+    kind: OIDCMiddlewareClient
+    listKind: OIDCMiddlewareClientList
+  scope: Namespaced
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              properties:
+                allowedGroups:
+                  type: array
+                  items:
+                    type: string
+                displayName:
+                  type: string
+                headerMapping:
+                  type: object
+                  default:
+                    email: Remote-Email
+                    groups: Remote-Groups
+                    name: Remote-Name
+                    user: Remote-User
+                  properties:
+                    email:
+                      type: string
+                    groups:
+                      type: string
+                    name:
+                      type: string
+                    user:
+                      type: string
+                uri:
+                  type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
+                    x-kubernetes-embedded-resource: true
+                instance:
+                  type: string
+      subresources:
+        status: {}
+      additionalPrinterColumns:
+        - name: Instance
+          type: string
+          description: Passmower deployment which manages this client
+          jsonPath: .status.instance
+        - name: Uri
+          type: string
+          description: URL configured for this client
+          jsonPath: .spec.uri
+        - name: Allowed groups
+          type: string
+          description: Groups allowed to this client
+          jsonPath: .spec.allowedGroups
+  conversion:
+    strategy: None
+---
+# Source: passmower/templates/serviceaccount.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+    apiGroups:
+      - codemowers.cloud
+    resources:
+      - oidcusers
+      - oidcusers/status
+      - oidcclients
+      - oidcclients/status
+      - oidcmiddlewareclients
+      - oidcmiddlewareclients/status
+  - verbs:
+      - get
+      - create
+      - patch
+      - delete
+    apiGroups:
+      - ''
+    resources:
+      - secrets
+  - verbs:
+      - create
+    apiGroups:
+      - ''
+    resources:
+      - pods
+  - verbs:
+      - get
+      - create
+      - update
+      - patch
+      - delete
+    apiGroups:
+      - traefik.io
+    resources:
+      - middlewares
+---
+# Source: passmower/templates/serviceaccount.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+subjects:
+  - kind: ServiceAccount
+    name: passmower
+    namespace: passmower
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: passmower
+---
+# Source: passmower/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+---
+# Source: passmower/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: passmower
+      app.kubernetes.io/instance: passmower
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: passmower
+        app.kubernetes.io/instance: passmower
+    spec:
+      serviceAccountName: passmower
+      securityContext:
+        {}
+      containers:
+        - name: passmower
+          securityContext:
+            {}
+          image: "ghcr.io/passmower/passmower:1.0.1"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 3000
+              name: http
+            - containerPort: 9090
+              name: metrics
+          env:
+            - name: ISSUER_URL
+              value: https://auth.k-space.ee/
+            - name: DEPLOYMENT_NAME
+              value: passmower
+            - name: GROUP_PREFIX
+              value: "k-space"
+            - name: ADMIN_GROUP
+              value: "k-space:onboarding"
+            - name: REQUIRED_GROUP
+              value: ""
+            - name: GITHUB_ORGANIZATION
+              value: "codemowers"
+            - name: USE_GITHUB_USERNAME
+              value: "false"
+            - name: ENROLL_USERS
+              value: "false"
+            - name: DISABLE_FRONTEND_EDIT
+              value: "true"
+            - name: NAMESPACE_SELECTOR
+              value: "*"
+            - name: PREFERRED_EMAIL_DOMAIN
+              value: "k-space.ee"
+            - name: REQUIRE_CUSTOM_USERNAME
+              value: "true"
+            - name: NORMALIZE_EMAIL_ADDRESSES
+              value: "true"
+            - name: REDIS_URI
+              valueFrom:
+                secretKeyRef:
+                  name: dragonfly-auth
+                  key: REDIS_URI
+          envFrom:
+            - secretRef:
+                name: oidc-keys
+            - secretRef:
+                name: email-credentials
+            - secretRef:
+                name: github-client
+            - secretRef:
+                name: slack-client
+          readinessProbe:
+            httpGet:
+              path: /.well-known/openid-configuration
+              port: 3000
+              httpHeaders:
+                - name: x-forwarded-for # suppress oidc-provider warning
+                  value: https://auth.k-space.ee/
+                - name: x-forwarded-proto # suppress oidc-provider warning
+                  value: https
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 9090
+              httpHeaders:
+                - name: x-forwarded-for # suppress oidc-provider warning
+                  value: https://auth.k-space.ee/
+                - name: x-forwarded-proto # suppress oidc-provider warning
+                  value: https
+            initialDelaySeconds: 10
+            timeoutSeconds: 10
+            periodSeconds: 30
+          volumeMounts:
+            - mountPath: /app/tos
+              name: tos
+            - mountPath: /app/approval
+              name: approval
+            - mountPath: /app/disable_frontend_edit
+              name: disable-frontend-edit
+            - mountPath: /app/src/views/custom/emails
+              name: email-templates
+          resources:
+            {}
+      volumes:
+        - name: tos
+          configMap:
+            name: passmower-tos
+        - name: approval
+          configMap:
+            name: passmower-approval
+        - name: disable-frontend-edit
+          configMap:
+            name: passmower-disable-frontend-edit
+        - name: email-templates
+          configMap:
+            name: passmower-email-templates
+---
+# Source: passmower/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: passmower
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+    - hosts:
+        - "*.k-space.ee"
+      secretName: 
+  rules:
+    - host: "auth.k-space.ee"
+      http:
+        paths:
+          - path: "/"
+            pathType: Prefix
+            backend:
+              service:
+                name: passmower
+                port:
+                  number: 80
+---
+# Source: passmower/templates/deployment.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: passmower-key-manager
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+  labels:
+    helm.sh/chart: passmower-1.0.1
+    app.kubernetes.io/name: passmower
+    app.kubernetes.io/instance: passmower
+    app.kubernetes.io/version: "1.0.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  template:
+    spec:
+      serviceAccountName: passmower
+      containers:
+        - name: oidc-key-manager
+          image: "ghcr.io/passmower/passmower:1.0.1"
+          command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
+      restartPolicy: Never

passmower/kustomization.yaml

@@ -4,6 +4,7 @@ metadata:
   name: passmower-extras
 
 resources:
+- application.yaml
 - application-extras.yaml
 - texts.yaml
 - kubelogin.yaml