k-space/kube
10
1
Fork 3
Code Issues 31 Pull Requests Activity
2e77813162
kube/passmower/application.yaml

670 lines
18 KiB
YAML
Raw Blame History

---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
---
# Source: passmower/templates/texts.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-email-templates
data:
link.subject: "Passmower login link"
link.txt: "Open the following link to log in: <%= url %>"
link.ejs: ""
tos.subject: "Terms of Service agreement confirmation"
tos.txt: ""
tos.ejs: ""
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcusers.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcusers
singular: oidcuser
kind: OIDCUser
listKind: OIDCUserList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
github:
type: object
properties:
company:
type: string
email:
type: string
emails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
enum:
- github.com
id:
type: integer
login:
type: string
name:
type: string
passmower:
type: object
properties:
company:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
name:
type: string
slack:
type: object
properties:
id:
type: string
spec:
type: object
required:
- type
properties:
companyEmail:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
type:
type: string
default: person
enum:
- person
- org
- service
- banned
- group
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
primaryEmail:
type: string
profile:
type: object
properties:
company:
type: string
name:
type: string
x-kubernetes-preserve-unknown-fields: true
slackId:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Type
type: string
jsonPath: .spec.type
- name: Name
type: string
jsonPath: .status.profile.name
- name: Display e-mail
type: string
jsonPath: .status.primaryEmail
- name: Upstream IdP e-mail
type: string
jsonPath: .spec.github.emails[?(@.primary==true)].email
- name: GH ID
type: string
jsonPath: .spec.github.id
- name: Groups
type: string
jsonPath: .status.groups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcclients
singular: oidcclient
kind: OIDCClient
listKind: OIDCClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- redirectUris
- grantTypes
- responseTypes
properties:
allowedCORSOrigins:
type: array
items:
type: string
allowedGroups:
type: array
items:
type: string
availableScopes:
type: array
default:
- openid
items:
type: string
enum:
- openid
- profile
- offline_access
displayName:
type: string
grantTypes:
type: array
items:
type: string
enum:
- implicit
- authorization_code
- refresh_token
idTokenSignedResponseAlg:
type: string
enum:
- PS256
- RS256
- ES256
overrideIncomingScopes:
type: boolean
default: false
pkce:
type: boolean
default: true
redirectUris:
type: array
items:
type: string
responseTypes:
type: array
items:
type: string
enum:
- code id_token
- code
- id_token
- none
secretMetadata:
type: object
properties:
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
secretRefreshPod:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
tokenEndpointAuthMethod:
type: string
enum:
- client_secret_basic
- client_secret_jwt
- client_secret_post
- private_key_jwt
- none
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uris
type: string
description: Redirect URLs configured for this client
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcmiddlewareclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcmiddlewareclients
singular: oidcmiddlewareclient
kind: OIDCMiddlewareClient
listKind: OIDCMiddlewareClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
properties:
allowedGroups:
type: array
items:
type: string
displayName:
type: string
headerMapping:
type: object
default:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-User
properties:
email:
type: string
groups:
type: string
name:
type: string
user:
type: string
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uri
type: string
description: URL configured for this client
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
rules:
- verbs:
- get
- list
- watch
- create
- update
- patch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
- oidcclients
- oidcclients/status
- oidcmiddlewareclients
- oidcmiddlewareclients/status
- verbs:
- get
- create
- patch
- delete
apiGroups:
- ''
resources:
- secrets
- verbs:
- create
apiGroups:
- ''
resources:
- pods
- verbs:
- get
- create
- update
- patch
- delete
apiGroups:
- traefik.io
resources:
- middlewares
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: passmower
namespace: passmower
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: passmower
---
# Source: passmower/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
---
# Source: passmower/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
template:
metadata:
labels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
spec:
serviceAccountName: passmower
securityContext:
{}
containers:
- name: passmower
securityContext:
{}
image: "passmower/passmower:develop"
imagePullPolicy: Always
ports:
- containerPort: 3000
name: http
- containerPort: 9090
name: metrics
env:
- name: ISSUER_URL
value: https://auth.k-space.ee/
- name: DEPLOYMENT_NAME
value: passmower
- name: GROUP_PREFIX
value: "k-space"
- name: ADMIN_GROUP
value: "k-space:onboarding"
- name: REQUIRED_GROUP
value: "github.com:foo:bar"
- name: GITHUB_ORGANIZATION
value: "codemowers"
- name: ENROLL_USERS
value: "false"
- name: NAMESPACE_SELECTOR
value: "*"
- name: PREFERRED_EMAIL_DOMAIN
value: "k-space.ee"
- name: REQUIRE_CUSTOM_USERNAME
value: "true"
- name: NORMALIZE_EMAIL_ADDRESSES
value: "true"
- name: REDIS_URI
valueFrom:
secretKeyRef:
name: dragonfly-auth
key: REDIS_URI
envFrom:
- secretRef:
name: oidc-keys
- secretRef:
name: email-credentials
- secretRef:
name: github-client
- secretRef:
name: slack-client
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
livenessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
initialDelaySeconds: 5
periodSeconds: 1
volumeMounts:
- mountPath: /app/tos
name: tos
- mountPath: /app/approval
name: approval
- mountPath: /app/src/views/custom/emails
name: email-templates
resources:
{}
volumes:
- name: tos
configMap:
name: passmower-tos
- name: approval
configMap:
name: passmower-approval
- name: email-templates
configMap:
name: passmower-email-templates
---
# Source: passmower/templates/deployment.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: passmower-key-manager
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
template:
spec:
serviceAccountName: passmower
containers:
- name: oidc-key-manager
image: "passmower/passmower:develop"
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
restartPolicy: Never
---
# Source: passmower/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
annotations:
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- hosts:
- "*.k-space.ee"
secretName:
rules:
- host: "auth.k-space.ee"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: passmower
port:
number: 80
Reference in New Issue View Git Blame Copy Permalink