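# Generated file, DO NOT EDIT!
# Rendered output of the passmower Helm chart (chart passmower-1.0.1, image 1.0.1).
# Anything flagged in the review comments below has to be fixed in the chart
# template named in the corresponding "# Source:" line, not in this file.
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: passmower
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
---
# Source: passmower/templates/texts.yaml
# The template emitted a second "---" directly after this comment, which rendered
# as an empty (null) document. Harmless for kubectl/Helm, but it trips strict
# YAML tooling, so the stray separator is dropped here; fix the template too.
apiVersion: v1
kind: ConfigMap
metadata:
  name: passmower-disable-frontend-edit
data:
  disable_frontend_edit.md: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)"
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: oidcusers.codemowers.cloud
spec:
  group: codemowers.cloud
  names:
    plural: oidcusers
    singular: oidcuser
    kind: OIDCUser
    listKind: OIDCUserList
  scope: Namespaced
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            # Upstream identity as reported by GitHub.
            github:
              type: object
              properties:
                company:
                  type: string
                email:
                  type: string
                emails:
                  type: array
                  items:
                    type: object
                    properties:
                      email:
                        type: string
                      primary:
                        type: boolean
                        default: false
                groups:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      prefix:
                        type: string
                        enum:
                          - github.com
                id:
                  type: integer
                login:
                  type: string
                name:
                  type: string
            # Profile data entered in Passmower itself.
            passmower:
              type: object
              properties:
                company:
                  type: string
                email:
                  type: string
                groups:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      prefix:
                        type: string
                name:
                  type: string
            slack:
              type: object
              properties:
                id:
                  type: string
            spec:
              type: object
              required:
                - type
              properties:
                companyEmail:
                  type: string
                email:
                  type: string
                phones:
                  type: array
                  items:
                    type: string
                groups:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      prefix:
                        type: string
                type:
                  type: string
                  default: person
                  enum:
                    - person
                    - org
                    - service
                    - banned
                    - group
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                    x-kubernetes-embedded-resource: true
                emails:
                  type: array
                  items:
                    type: string
                groups:
                  type: array
                  items:
                    type: object
                    properties:
                      name:
                        type: string
                      prefix:
                        type: string
                primaryEmail:
                  type: string
                profile:
                  type: object
                  properties:
                    company:
                      type: string
                    name:
                      type: string
                    phones:
                      type: array
                      items:
                        type: string
                  # NOTE(review): placement recovered from a collapsed render;
                  # the original most plausibly attaches this to `profile` —
                  # confirm against templates/crds.yaml.
                  x-kubernetes-preserve-unknown-fields: true
                slackId:
                  type: string
      subresources:
        status: {}
      additionalPrinterColumns:
        - name: Type
          type: string
          jsonPath: .spec.type
        - name: Name
          type: string
          jsonPath: .status.profile.name
        - name: Display e-mail
          type: string
          jsonPath: .status.primaryEmail
        - name: Phone
          type: string
          jsonPath: .status.profile.phones[0]
        - name: Upstream IdP e-mail
          type: string
          jsonPath: .github.emails[?(@.primary==true)].email
        - name: GH ID
          type: string
          jsonPath: .github.id
        - name: Groups
          type: string
          jsonPath: .status.groups
  conversion:
    strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: oidcclients.codemowers.cloud
spec:
  group: codemowers.cloud
  names:
    plural: oidcclients
    singular: oidcclient
    kind: OIDCClient
    listKind: OIDCClientList
  scope: Namespaced
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - redirectUris
                - grantTypes
                - responseTypes
              properties:
                allowedCORSOrigins:
                  type: array
                  items:
                    type: string
                allowedGroups:
                  type: array
                  items:
                    type: string
                availableScopes:
                  type: array
                  default:
                    - openid
                  items:
                    type: string
                    enum:
                      - openid
                      - profile
                      - offline_access
                      - groups
                      - allowed_groups
                displayName:
                  type: string
                grantTypes:
                  type: array
                  items:
                    type: string
                    enum:
                      - implicit
                      - authorization_code
                      - refresh_token
                idTokenSignedResponseAlg:
                  type: string
                  enum:
                    - PS256
                    - RS256
                    - ES256
                overrideIncomingScopes:
                  type: boolean
                  default: false
                # PKCE is on by default; a client has to opt out explicitly.
                pkce:
                  type: boolean
                  default: true
                redirectUris:
                  type: array
                  items:
                    type: string
                responseTypes:
                  type: array
                  items:
                    type: string
                    enum:
                      - code id_token
                      - code
                      - id_token
                      - none
                secretMetadata:
                  type: object
                  properties:
                    annotations:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    labels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                # Free-form embedded Pod spec; this is what the ClusterRole's
                # cluster-wide `pods/create` permission below is used for.
                secretRefreshPod:
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                  x-kubernetes-embedded-resource: true
                tokenEndpointAuthMethod:
                  type: string
                  enum:
                    - client_secret_basic
                    - client_secret_jwt
                    - client_secret_post
                    - private_key_jwt
                    - none
                uri:
                  type: string
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                    x-kubernetes-embedded-resource: true
                instance:
                  type: string
      subresources:
        status: {}
      additionalPrinterColumns:
        - name: Instance
          type: string
          description: Passmower deployment which manages this client
          jsonPath: .status.instance
        - name: Uris
          type: string
          description: Redirect URLs configured for this client
          jsonPath: .spec.redirectUris
        - name: Allowed groups
          type: string
          description: Groups allowed to this client
          jsonPath: .spec.allowedGroups
  conversion:
    strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: oidcmiddlewareclients.codemowers.cloud
spec:
  group: codemowers.cloud
  names:
    plural: oidcmiddlewareclients
    singular: oidcmiddlewareclient
    kind: OIDCMiddlewareClient
    listKind: OIDCMiddlewareClientList
  scope: Namespaced
  versions:
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              properties:
                allowedGroups:
                  type: array
                  items:
                    type: string
                displayName:
                  type: string
                # Header names the forward-auth middleware sets for the
                # upstream application.
                headerMapping:
                  type: object
                  default:
                    email: Remote-Email
                    groups: Remote-Groups
                    name: Remote-Name
                    user: Remote-User
                  properties:
                    email:
                      type: string
                    groups:
                      type: string
                    name:
                      type: string
                    user:
                      type: string
                uri:
                  type: string
            status:
              type: object
              properties:
                conditions:
                  type: array
                  items:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                    x-kubernetes-embedded-resource: true
                instance:
                  type: string
      subresources:
        status: {}
      additionalPrinterColumns:
        - name: Instance
          type: string
          description: Passmower deployment which manages this client
          jsonPath: .status.instance
        - name: Uri
          type: string
          description: URL configured for this client
          jsonPath: .spec.uri
        - name: Allowed groups
          type: string
          description: Groups allowed to this client
          jsonPath: .spec.allowedGroups
  conversion:
    strategy: None
---
# Source: passmower/templates/serviceaccount.yaml
# Blast radius of the `passmower` ServiceAccount. All rules are cluster-wide
# (ClusterRole + ClusterRoleBinding), which matches NAMESPACE_SELECTOR="*" in
# the Deployment. If the selector is ever narrowed, mirror that here with
# namespaced Roles — in particular the secrets and pods rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: passmower
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
rules:
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
    apiGroups:
      - codemowers.cloud
    resources:
      - oidcusers
      - oidcusers/status
      - oidcclients
      - oidcclients/status
      - oidcmiddlewareclients
      - oidcmiddlewareclients/status
  # get/create/patch/delete on every Secret in every namespace: this is the
  # single most sensitive grant in the chart; anything that compromises the
  # passmower pod can read any cluster secret.
  - verbs:
      - get
      - create
      - patch
      - delete
    apiGroups:
      - ''
    resources:
      - secrets
  # Pod creation without get/list/delete: used for OIDCClient.spec.secretRefreshPod.
  - verbs:
      - create
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - get
      - create
      - update
      - patch
      - delete
    apiGroups:
      - traefik.io
    resources:
      - middlewares
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: passmower
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
subjects:
  - kind: ServiceAccount
    name: passmower
    namespace: passmower
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: passmower
---
# Source: passmower/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: passmower
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    # Only the http port (3000) is exposed; the metrics port (9090) is not.
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
---
# Source: passmower/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: passmower
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: passmower
      app.kubernetes.io/instance: passmower
  template:
    metadata:
      labels:
        app.kubernetes.io/name: passmower
        app.kubernetes.io/instance: passmower
    spec:
      serviceAccountName: passmower
      # NOTE(review): both security contexts are empty, so the pod runs with
      # whatever user the image defaults to and a writable root filesystem.
      # Given the ClusterRole above, consider setting runAsNonRoot,
      # allowPrivilegeEscalation: false and readOnlyRootFilesystem in the chart
      # values once the image's runtime user is confirmed. Left as-is here.
      securityContext: {}
      containers:
        - name: passmower
          securityContext: {}
          image: "ghcr.io/passmower/passmower:1.0.1"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: http
            - containerPort: 9090
              name: metrics
          env:
            - name: ISSUER_URL
              value: https://auth.k-space.ee/
            - name: DEPLOYMENT_NAME
              value: passmower
            - name: GROUP_PREFIX
              value: "k-space"
            - name: ADMIN_GROUP
              value: "k-space:onboarding"
            # Empty: no group membership is required to log in at all.
            - name: REQUIRED_GROUP
              value: ""
            - name: GITHUB_ORGANIZATION
              value: "codemowers"
            - name: USE_GITHUB_USERNAME
              value: "false"
            - name: ENROLL_USERS
              value: "false"
            - name: DISABLE_FRONTEND_EDIT
              value: "true"
            # Watches OIDCClient/OIDCMiddlewareClient objects in all namespaces.
            - name: NAMESPACE_SELECTOR
              value: "*"
            - name: PREFERRED_EMAIL_DOMAIN
              value: "k-space.ee"
            - name: REQUIRE_CUSTOM_USERNAME
              value: "true"
            - name: NORMALIZE_EMAIL_ADDRESSES
              value: "true"
            - name: REDIS_URI
              valueFrom:
                secretKeyRef:
                  name: dragonfly-auth
                  key: REDIS_URI
          # Signing keys and IdP credentials come from pre-existing Secrets;
          # none of them are rendered by this chart.
          envFrom:
            - secretRef:
                name: oidc-keys
            - secretRef:
                name: email-credentials
            - secretRef:
                name: github-client
            - secretRef:
                name: slack-client
          readinessProbe:
            httpGet:
              path: /.well-known/openid-configuration
              port: 3000
              httpHeaders:
                - name: x-forwarded-for  # suppress oidc-provider warning
                  value: https://auth.k-space.ee/
                - name: x-forwarded-proto  # suppress oidc-provider warning
                  value: https
          livenessProbe:
            httpGet:
              path: /health
              port: 9090
              httpHeaders:
                - name: x-forwarded-for  # suppress oidc-provider warning
                  value: https://auth.k-space.ee/
                - name: x-forwarded-proto  # suppress oidc-provider warning
                  value: https
            initialDelaySeconds: 10
            timeoutSeconds: 10
            periodSeconds: 30
          volumeMounts:
            - mountPath: /app/tos
              name: tos
            - mountPath: /app/approval
              name: approval
            - mountPath: /app/disable_frontend_edit
              name: disable-frontend-edit
            - mountPath: /app/src/views/custom/emails
              name: email-templates
          # No requests/limits: three replicas with unbounded CPU/memory.
          resources: {}
      # NOTE(review): only passmower-disable-frontend-edit is rendered in this
      # file. passmower-tos, passmower-approval and passmower-email-templates
      # must exist in the namespace before the pods can start (no `optional: true`
      # on the configMap volumes) — presumably provided elsewhere; verify.
      volumes:
        - name: tos
          configMap:
            name: passmower-tos
        - name: approval
          configMap:
            name: passmower-approval
        - name: disable-frontend-edit
          configMap:
            name: passmower-disable-frontend-edit
        - name: email-templates
          configMap:
            name: passmower-email-templates
---
# Source: passmower/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: passmower
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
  annotations:
    external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - "*.k-space.ee"
      # The template rendered a bare `secretName:` here, i.e. YAML null. The
      # field is optional, so it is omitted instead; TLS then relies on the
      # ingress controller's default certificate. Guard the template with
      # `with`/`if` so an unset value does not emit an empty key.
  rules:
    - host: "auth.k-space.ee"
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: passmower
                port:
                  number: 80
---
# Source: passmower/templates/deployment.yaml
# One-shot pre-install hook that initialises the OIDC signing keys in-cluster.
# NOTE(review): it runs under the `passmower` ServiceAccount, which is an
# ordinary chart resource rather than a hook; on a fresh install the SA may not
# exist yet when a pre-install hook is scheduled — confirm the install order.
apiVersion: batch/v1
kind: Job
metadata:
  name: passmower-key-manager
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
  labels:
    helm.sh/chart: passmower-1.0.1
    app.kubernetes.io/name: passmower
    app.kubernetes.io/instance: passmower
    app.kubernetes.io/version: "1.0.1"
    app.kubernetes.io/managed-by: Helm
spec:
  template:
    spec:
      serviceAccountName: passmower
      containers:
        - name: oidc-key-manager
          image: "ghcr.io/passmower/passmower:1.0.1"
          command:
            - '/app/node_modules/.bin/key-manager'
            - 'initialize'
            - '-c'
            - 'cluster'
      restartPolicy: Never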