
migrate to new passmower

This commit is contained in:
2024-07-27 03:15:41 +03:00
parent ca623c11fd
commit 2e77813162
24 changed files with 1230 additions and 68 deletions

3
passmower/README.md Normal file

@@ -0,0 +1,3 @@
```
helm template --include-crds -n passmower passmower ../passmower/ -f passmower/values.yaml > passmower/application.yaml
```

669
passmower/application.yaml Normal file

@@ -0,0 +1,669 @@
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
---
# Source: passmower/templates/texts.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-email-templates
data:
link.subject: "Passmower login link"
link.txt: "Open the following link to log in: <%= url %>"
link.ejs: ""
tos.subject: "Terms of Service agreement confirmation"
tos.txt: ""
tos.ejs: ""
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcusers.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcusers
singular: oidcuser
kind: OIDCUser
listKind: OIDCUserList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
github:
type: object
properties:
company:
type: string
email:
type: string
emails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
enum:
- github.com
id:
type: integer
login:
type: string
name:
type: string
passmower:
type: object
properties:
company:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
name:
type: string
slack:
type: object
properties:
id:
type: string
spec:
type: object
required:
- type
properties:
companyEmail:
type: string
email:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
type:
type: string
default: person
enum:
- person
- org
- service
- banned
- group
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
name:
type: string
prefix:
type: string
primaryEmail:
type: string
profile:
type: object
properties:
company:
type: string
name:
type: string
x-kubernetes-preserve-unknown-fields: true
slackId:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Type
type: string
jsonPath: .spec.type
- name: Name
type: string
jsonPath: .status.profile.name
- name: Display e-mail
type: string
jsonPath: .status.primaryEmail
- name: Upstream IdP e-mail
type: string
jsonPath: .spec.github.emails[?(@.primary==true)].email
- name: GH ID
type: string
jsonPath: .spec.github.id
- name: Groups
type: string
jsonPath: .status.groups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcclients
singular: oidcclient
kind: OIDCClient
listKind: OIDCClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
required:
- redirectUris
- grantTypes
- responseTypes
properties:
allowedCORSOrigins:
type: array
items:
type: string
allowedGroups:
type: array
items:
type: string
availableScopes:
type: array
default:
- openid
items:
type: string
enum:
- openid
- profile
- offline_access
displayName:
type: string
grantTypes:
type: array
items:
type: string
enum:
- implicit
- authorization_code
- refresh_token
idTokenSignedResponseAlg:
type: string
enum:
- PS256
- RS256
- ES256
overrideIncomingScopes:
type: boolean
default: false
pkce:
type: boolean
default: true
redirectUris:
type: array
items:
type: string
responseTypes:
type: array
items:
type: string
enum:
- code id_token
- code
- id_token
- none
secretMetadata:
type: object
properties:
annotations:
type: object
x-kubernetes-preserve-unknown-fields: true
labels:
type: object
x-kubernetes-preserve-unknown-fields: true
secretRefreshPod:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
tokenEndpointAuthMethod:
type: string
enum:
- client_secret_basic
- client_secret_jwt
- client_secret_post
- private_key_jwt
- none
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uris
type: string
description: Redirect URLs configured for this client
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcmiddlewareclients.codemowers.cloud
spec:
group: codemowers.cloud
names:
plural: oidcmiddlewareclients
singular: oidcmiddlewareclient
kind: OIDCMiddlewareClient
listKind: OIDCMiddlewareClientList
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
properties:
allowedGroups:
type: array
items:
type: string
displayName:
type: string
headerMapping:
type: object
default:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-User
properties:
email:
type: string
groups:
type: string
name:
type: string
user:
type: string
uri:
type: string
status:
type: object
properties:
conditions:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
x-kubernetes-embedded-resource: true
instance:
type: string
subresources:
status: {}
additionalPrinterColumns:
- name: Instance
type: string
description: Passmower deployment which manages this client
jsonPath: .status.instance
- name: Uri
type: string
description: URL configured for this client
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: Groups allowed to this client
jsonPath: .spec.allowedGroups
conversion:
strategy: None
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
rules:
- verbs:
- get
- list
- watch
- create
- update
- patch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
- oidcclients
- oidcclients/status
- oidcmiddlewareclients
- oidcmiddlewareclients/status
- verbs:
- get
- create
- patch
- delete
apiGroups:
- ''
resources:
- secrets
- verbs:
- create
apiGroups:
- ''
resources:
- pods
- verbs:
- get
- create
- update
- patch
- delete
apiGroups:
- traefik.io
resources:
- middlewares
---
# Source: passmower/templates/serviceaccount.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
subjects:
- kind: ServiceAccount
name: passmower
namespace: passmower
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: passmower
---
# Source: passmower/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
---
# Source: passmower/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
template:
metadata:
labels:
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
spec:
serviceAccountName: passmower
securityContext:
{}
containers:
- name: passmower
securityContext:
{}
image: "passmower/passmower:develop"
imagePullPolicy: Always
ports:
- containerPort: 3000
name: http
- containerPort: 9090
name: metrics
env:
- name: ISSUER_URL
value: https://auth.k-space.ee/
- name: DEPLOYMENT_NAME
value: passmower
- name: GROUP_PREFIX
value: "k-space"
- name: ADMIN_GROUP
value: "k-space:onboarding"
- name: REQUIRED_GROUP
value: "github.com:foo:bar"
- name: GITHUB_ORGANIZATION
value: "codemowers"
- name: ENROLL_USERS
value: "false"
- name: NAMESPACE_SELECTOR
value: "*"
- name: PREFERRED_EMAIL_DOMAIN
value: "k-space.ee"
- name: REQUIRE_CUSTOM_USERNAME
value: "true"
- name: NORMALIZE_EMAIL_ADDRESSES
value: "true"
- name: REDIS_URI
valueFrom:
secretKeyRef:
name: dragonfly-auth
key: REDIS_URI
envFrom:
- secretRef:
name: oidc-keys
- secretRef:
name: email-credentials
- secretRef:
name: github-client
- secretRef:
name: slack-client
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
livenessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: https://auth.k-space.ee/
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
initialDelaySeconds: 5
periodSeconds: 1
volumeMounts:
- mountPath: /app/tos
name: tos
- mountPath: /app/approval
name: approval
- mountPath: /app/src/views/custom/emails
name: email-templates
resources:
{}
volumes:
- name: tos
configMap:
name: passmower-tos
- name: approval
configMap:
name: passmower-approval
- name: email-templates
configMap:
name: passmower-email-templates
---
# Source: passmower/templates/deployment.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: passmower-key-manager
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
spec:
template:
spec:
serviceAccountName: passmower
containers:
- name: oidc-key-manager
image: "passmower/passmower:develop"
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
restartPolicy: Never
---
# Source: passmower/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: passmower
labels:
helm.sh/chart: passmower-0.1.0
app.kubernetes.io/name: passmower
app.kubernetes.io/instance: passmower
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
annotations:
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- hosts:
- "*.k-space.ee"
secretName:
rules:
- host: "auth.k-space.ee"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: passmower
port:
number: 80
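Review bot: The Deployment's `REQUIRED_GROUP` env carries `value: "github.com:foo:bar"`, which reads as a placeholder, while values.yaml in this commit leaves `required_group` commented out; the rendered manifest therefore appears to ship a sample value rather than the intended login gate, so either set a real group in values.yaml or drop the variable, then re-render with the command from the README. The Ingress `tls` entry has an empty `secretName:`, which parses as null — name the wildcard certificate secret or remove the key so Traefik's default certificate store is used deliberately. Both probes send `x-forwarded-for: https://auth.k-space.ee/`, a URL in a header that carries a client address; it only exists to silence a warning, but `x-forwarded-host: auth.k-space.ee` would be the accurate header to set. This file is `helm template` output, so the fixes belong in the chart or values.yaml, not here.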

34
passmower/dragonfly.yaml Normal file

@@ -0,0 +1,34 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
name: dragonfly-auth
namespace: passmower
spec:
size: 32
mapping:
- key: password
value: "%(plaintext)s"
- key: REDIS_URI
value: "redis://:%(plaintext)s@redis"
---
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
name: redis
namespace: passmower
status:
phase: ready
spec:
authentication:
passwordFromSecret:
key: password
name: dragonfly-auth
replicas: 3
resources:
limits:
cpu: 600m
memory: 750Mi
requests:
cpu: 500m
memory: 500Mi
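Review bot: The `Dragonfly` object includes a `status: phase: ready` block in a committed manifest; `status` is owned by the operator and is either ignored on apply or overwritten on the next reconcile, so the block should be removed from the file. The SecretClaim mapping interpolates the generated password unescaped into `redis://:%(plaintext)s@redis`; if the generator can emit characters that are reserved in URL userinfo (`@`, `/`, `:`, `#`), the resulting URI is malformed — confirm the generator's alphabet or note the assumption in a comment such as `# value is used verbatim in a URI; generator must emit URL-safe characters only`. Neither point changes how application.yaml consumes `REDIS_URI` from `dragonfly-auth`.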

242
passmower/proxmox.yaml Normal file

@@ -0,0 +1,242 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: proxmox
spec:
displayName: Proxmox Virtual Environment (middleware)
uri: https://pve.k-space.ee/
allowedGroups:
- k-space:floor
- k-space:friends
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: proxmox
spec:
displayName: Proxmox Virtual Environment
uri: https://pve.k-space.ee/
redirectUris:
- https://pve.k-space.ee/
- https://pve.k-space.ee
allowedGroups:
- k-space:floor
- k-space:friends
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: proxmox-servers-transport
spec:
rootCAsSecrets:
- pve
---
apiVersion: v1
kind: Secret
metadata:
name: pve
data:
# This is not actually secret, this is CA certificate of the key
# used to sign Proxmox HTTPS endpoint keypairs.
# This makes sure Traefik is talking to the real Proxmox machines,
# and not arbitrary machines that have hijacked the Proxmox machine IP-s.
# To inspect current value:
# kubectl get secret -n traefik pve -o=json | jq '.data ."pve.pem"' -r | base64 -d | openssl x509 -text -inform PEM -noout
pve.pem: |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---
apiVersion: v1
kind: Service
metadata:
name: pve1
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve1.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: pve8
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve8.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: pve9
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: passmower-proxmox-servers-transport@kubernetescrd
spec:
type: ExternalName
externalName: pve9.proxmox.infra.k-space.ee
ports:
- name: https
port: 8006
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pve
annotations:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd,passmower-proxmox-redirect@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: proxmox.k-space.ee
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: whoami
port:
number: 80
- host: pve.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: pve1
port:
number: 8006
- pathType: Prefix
path: "/"
backend:
service:
name: pve8
port:
number: 8006
- pathType: Prefix
path: "/"
backend:
service:
name: pve9
port:
number: 8006
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: proxmox-redirect
spec:
redirectRegex:
regex: ^https://proxmox.k-space.ee/(.*)$
replacement: https://pve.k-space.ee/$1
permanent: false
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pve-internal
annotations:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: passmower-codemowers-cloud-ip-whitelist@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: pve-internal.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: pve1
port:
number: 8006
- pathType: Prefix
path: "/"
backend:
service:
name: pve8
port:
number: 8006
- pathType: Prefix
path: "/"
backend:
service:
name: pve9
port:
number: 8006
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: codemowers-cloud-ip-whitelist
spec:
ipWhiteList:
sourceRange:
- 172.20.5.0/24
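Review bot: The inspection command in the `pve` Secret comment, `kubectl get secret -n traefik pve ...`, names the traefik namespace, but the middleware and ServersTransport references in this file are prefixed `passmower-` (e.g. `passmower-proxmox-servers-transport@kubernetescrd`), which suggests the Secret lives in the passmower namespace; update the comment to the namespace this file is actually applied to. The `pve-internal` Ingress is gated only by `ipWhiteList` with `172.20.5.0/24`, and that check is only as strong as Traefik's trusted-proxy configuration for forwarded headers, which is not visible here — confirm it before relying on the allow-list as the sole control. `ipWhiteList` is also the Traefik v2 name; v3 renamed the middleware to `ipAllowList`, so check the installed version. The three `path: "/"` entries under `pve.k-space.ee` yield identical rules for pve1/pve8/pve9; how Traefik merges or orders them is not evident from the manifest and deserves a comment (presumably the intent is load-balancing across the three nodes).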

53
passmower/prusa.yaml Normal file

@@ -0,0 +1,53 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: prusa
spec:
displayName: Prusa 3D printer
uri: 'https://prusa.k-space.ee'
allowedGroups:
- k-space:floor
headerMapping:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-Username
---
apiVersion: v1
kind: Service
metadata:
name: prusa
spec:
type: ExternalName
externalName: 100.101.3.2
ports:
- name: http
port: 80
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prusa
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: passmower-prusa@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: prusa.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: prusa
port:
name: http
tls:
- hosts:
- "*.k-space.ee"
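Review bot: The `prusa` Service sets `externalName: 100.101.3.2`, an IP literal; ExternalName Services are intended for DNS names and the Kubernetes documentation discourages IP addresses there because resolution behaviour depends on the cluster DNS, so prefer a Service with an explicit EndpointSlice, or a DNS name. The backend is reached over plain `http` on port 80 and presumably trusts the `Remote-*` identity headers produced by the `passmower-prusa` middleware, which makes the middleware's handling of client-supplied `Remote-*` headers the security boundary — worth a one-line comment next to `headerMapping`, e.g. `# backend trusts these headers; they must only ever be set by the passmower middleware`. `uri: 'https://prusa.k-space.ee'` is quoted and lacks a trailing slash, while proxmox.yaml writes `uri: https://pve.k-space.ee/`; pick one form across the client definitions.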

180
passmower/texts.yml Normal file

@@ -0,0 +1,180 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-tos
data:
tos.md: |
Rules
Also known as code of conduct, guidelines, member vows, values etc. Please keep em' on one wiki page. Canonical URL shall be [k-space.ee/rules](http://k-space.ee/rules) which will redirect to right wiki page.
These rules were approved 30. October 2020. Current version contains minor corrections. For future amendments of the rules please put your ideas and thoughts into [pad.k-space.ee/p/rules](https://pad.k-space.ee/p/rules), they will be taken into account during next General Assembly.
Upon becoming a member I solemny swear that
1. **Who's who**
- I acknowledge the management of the hackerspace is governed by K-SPACE MTÜ (non-profit organization), it's [charter](/pohikiri_80397632_716212.pdf) and [Non-profit Associations Act](https://www.riigiteataja.ee/en/eli/528052020003/consolide)
- I acknowledge there are different membership forms listed under [membership#packages](/about/membership#packages) which can be largely broken down to affiliates (Regulars, Associates, Residents) who are at the hackerspace to make use of some services and members who are more involved in making the hackerspace happen.
- I acknowledge that in order to participate in the K-SPACE MTÜ management processes I need to obtain the [Member Tier](/about/membership#member-tier) status, note that this is different from the 'Member package' which was renamed to 'Associate tier' in October of 2020 in order to clarify what member of an non-profit association means.
- Among the ['Member Tier'](https://members.k-space.ee/?filter=resident-member&filter=associate-member) people the board is elected which represents K-SPACE MTÜ in legal matters such as getting bills paid, signing rental contracts and so forth. Currently board members include Erki Naumanis only. Bearing the responsibility also means that board has the final word in many cases.
- I acknowledge K-SPACE MTÜ is renting rooms from SA Tallinna Teaduspark Tehnopol. The rental agreement imposes numerous conditions and constraints due to safety reasons. Eg corridors must be kept accessible and free of flammable materials.
1. **Stay positive.**
- I will set up a recurring payment (püsikorraldus) or pay up front in bulk.
- I will not go in debt.
- I acknowledge failing to pay membership fees for 2 months results in door access cancellation.
- I will mark my payments clearly and consistenly with my full name, so the payments can be automatically procesed.
1. **Clarity not obscurity.**
- I will mark my equipment, server, locker, desk with my full name, phone number and e-mail.
- I acknowledge that my unlabelled stuff will be unplugged.
- Before asking questions I will familiarize myself [how to ask questions](https://www.khanacademy.org/computing/computer-programming/programming/becoming-a-community-coder/a/ask-for-program-help) and provide enough details.
1. **Communication is vital**
- I will proactively communicate need to cancel or pause my subscription, e.g. in case of being unable to pay.
- Upon leaving I will vacate the locker and return any keys given to me.
- I acknowledge Slack is primary communications platform for K-SPACE MTÜ. This is mainly due to wanting to have a way to communicate even if all the selfhosted infra is down. I will request access to the channel from any of the onboarders. I will not complain about being left out of the loop about changes etc if I am not on the #members channel.
1. **Access controls**
- I acknowledge primary method of accessing the floor is by using some of my own NFC cards (eg green Ühiskaart) or keyfobs.
- I will get my token registered in the door system of the day. To be on the safe side I will register multiple cards and/or keyfobs.
- I acknowledge Slack bot for opening the doors supplements the primary one, eg I can get in if I have forgot my card at home.
- I acknowledge that when it comes to security of doorcards it's nonexistant. I will not make copies of my card or distribute it's unique identifier sequence.
1. **Treat as your own -- with care**
- I will do my best to take care of the equipment and the space.
- I acknowledge that I must turn off the lights and leave windows in microventilation mode when I am the last one to leave.
- In case of equiment breakage I will notify info@k-space.ee immediately for resolution options. Any K-SPACE MTÜ owned equiment replacements must be purchased by K-SPACE MTÜ, see below under 'Regarding the toys' why.
- Upon losing (physical metal) key I will compensate 10EUR to K-SPACE MTÜ for it
1. **Contributions are welcome**
- I acknowledge that my immaterial contributions (e.g. building something for the hackerspace or helping others) doesn't compensate my membership fees. The only discount option is the 'Student discount'. Flexing with your contributions on your CV is OK.
- Before bringing any items for donation I will consult with a board member. K-SPACE is not my free (e-)junk disposal station.
- Donations don't compensate for my membership fees. K-SPACE MTÜ still needs to pay rent and electricity bills.
1. **Underpromise, overdeliver**
- I acknowledge there are many fun activities I want to be part of.
- I acknowledge I have obligations elsewhere as well (eg school, work, family).
- I will do my best to fulfill what I have promised to other members.
- I will rather say no in first place than say yes and fail to fulfill the promise.
- I will let the relying party know as soon as possible if I am not able to handle something I promised to do.
1. **Regarding the toys**
- I acknowledge I can bring my own equipment to hackerspace for common use. I acknowledge many others already do that. Lasercutter, CNC cutter, and many power tools are not owned by K-SPACE MTÜ. I take extra care of other members' equipment and before making use of them request training from the machine owner.
- I agree not to utilise any tool or piece of equipment unless I am competent in its use (and have completed induction/training where necessary) or are under the direct supervision of a competent user.
- I agree that the space is a potentially dangerous environment and that I may be exposed to various risks as a result of work undertaken by me or others. Notwithstanding all reasonable attempts by K-Space to ensure the safety of me and others, I agree to the full extent permitted by law to assume complete responsibility for my own actions and their consequences.
- If I think some new equipment would be useful for the space to be purchased by K-SPACE MTÜ I will make a suggestion to K-SPACE MTÜ board via board@k-space.ee.
- If I want to build something for the hackerspace I will consult with a board member for the compensation of materials.
- I acknowledge that my membership fees contribute towards refreshing equipment in common use, that is soldering irons, switches in server room etc.
- Purchases related to the hackerspace must be made by K-SPACE MTÜ.
- This is the clearest option from accounting perspective.
- It's also important that so any warranty, receipts and other documents would be correctly assigned to K-SPACE MTÜ and usable should you give up your membership at some point.
- Preferred option is to ask for proforma invoice for K-SPACE MTÜ, Akadeemia tee 21/1 and send it to info@k-space.ee - the payment will be executed by a board member.
- In case of Internet shops ask for the credit card from a board member.
1. **No borrowing or lending equipment**
- I acknowledge that equipment provided by K-SPACE MTÜ or it's members is for on-prem use only
- I will not take any of the equipment with me
- Only exception to this is workshops happening outside (eg visiting Robotex, Lapikud, IT College etc)
- I will notify info@k-space.ee about what I am going to take with me and why
- I will return equipment immediately after the event
- I acknowledge that this rule is due to numerous occasions people forgetting to return borrowed stuff
1. **Sharing is caring**
- I acknowledge that flexidesks also known as hot desks (8 desks in the middle of big room with projector) are to be cleaned by the end of the day.
- Sometimes exprompt events are scheduled in the room - I will not leave my stuff on flexidesks over night. If I come in often I can leave my screen and keyboard on one of the desks near the window.
- I acknowledge that for more persistent setup I should really switch to resident tier
1. **Being Mindful**
- While being active in the hackerspace I will make sure that my activites are not disturbing others, my activites are not causing exess financial drain on the K-SPACE MTÜ.
- Wearing earphones is generally sign of working on something and not wanting to be interrupted.
- I will act frugal. For example running additional servers without paying or running Bitcoin miner on the expense of K-SPACE MTÜ is NOT okay.
- Causing interruptions in the server room operation during working hours is NOT okay. Designated timeslot for disruptive changes is Thursday 19:00 until Friday 6:00. I recognize that occasionally hardware fails and non-disruptive changes might turn into disruptive outside that timeslot.
- I will not smoke inside the hackerspace rooms. I will exit the building for a cigarette.
1. **Striving for improvement***
- I acknowledge that hackerspace is a vague term ranging from anarchocommunist potsmoking to <a href="https://www.fablab.berlin/">fullblown commercial operation</a>.
- I will do my best to educate myself about <a href="https://github.com/0x20/hackerspace-blueprint/releases/latest/download/hackerspace-blueprint.pdf">hackerspace and makerspace</a> scene in general and I will not indulge in flamewars.
1. **Lock and stock**
- I acknowledge one locker is available for me for no charge with supporter and member tiers.
- I acknowledge that if would switch to resident tier I would be not eligible for a free locker as I would already have whole desk for my stuff
- I acknowledge additional lockers are available for 10EUR per month.
1. **Run the jewels**
- I will not make use of a blade server without legit reason, eg running hypervisor host. For single web application obtain VM from our Proxmox cluster.
- I will shut down machine not in use and I will make sure it stays shut. It's recurring issue that servers that have been shut down are discovered powered on again, eg in BIOS make sure it says 'last state' not 'always on' or even better disconnect power.
1. **Community FTW!**
- I acknowledge that people who take time to deal with me are not paid, they do it voluntarily off their free time for sh\*ts and giggles.
- They still pay membership fees.
- I will treat them and their time with respect.
- I will not become a burden for them.
- I acknowledge rules above are not exhaustive.
- I will do my best to act in good faith and not try to work around the rules.
- I accept that there will always be certain amount chaos at the hackerspace.
**Disclaimer**: Lauri (K-SPACE founder) believes that:
* a) we can have a hackerspace that is not utter chaos
* b) that is financially in order
* c) offers friendly/flexible pricing for students
* d) keeps doors open for companies and startups
* e) allows reasonable buffer for experimentation.
Lauri's favourite example hackerspaces include [AFRA](https://wiki.hackerspaces.org/AFRA) and [Raumfahrtagentur](https://wiki.hackerspaces.org/Raumfahrtagentur)
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-approval
data:
approval.txt: |
Dear User,
Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee
Also see https://www.k-space.ee/
Best regards, K-Space MTÜ
---
apiVersion: v1
kind: ConfigMap
metadata:
name: passmower-email-templates
data:
tos.txt: |
Hi, <%= name %>!
You agreed with the Terms of Service at <%= timestamp %>
Content SHA256 hash: <%= hash %>
Best regards,
K-Space MTÜ
tos.ejs: |
<div>
<p>Hi, <%= name %>!</p>
<p>You agreed with the following Terms of Service at <%= timestamp %></p>
<p>Content SHA256 hash: <%= hash %></p>
<blockquote>
<%- content -%>
</blockquote>
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
tos.subject: |
Terms of Service agreement confirmation
link.txt: |
Open the following link to log in: <%= url %>
Best regards,
K-Space MTÜ
link.ejs: |
<div>
<p>Open the following link to log in: <%= url %></p>
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
link.subject: |
auth2.k-space.ee login link
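Review bot: This file defines ConfigMap `passmower-email-templates` with full templates, but application.yaml in the same commit also defines `passmower-email-templates` with mostly empty values (`tos.txt: ""`, `link.subject: "Passmower login link"`); whichever is applied last wins, so one of the two definitions should go (the chart's `texts.yaml` template appears to be the one to suppress via values.yaml). The subject `auth2.k-space.ee login link` disagrees with the Deployment's `ISSUER_URL` of `https://auth.k-space.ee/`; confirm which hostname users are meant to see. The file is named `texts.yml` while every sibling in the commit uses `.yaml`.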

92
passmower/users.yaml Normal file

@@ -0,0 +1,92 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCUser
metadata:
name: eaas
spec:
type: person
email: erkiaas@gmail.com
companyEmail: eaas@k-space.ee
groups:
- name: floor
prefix: k-space
- name: proxmox:admins
prefix: k-space
- name: kubernetes:admins
prefix: k-space
- name: onboarding
prefix: k-space
- name: youtube
prefix: k-space
- name: gitlab
prefix: k-space
- name: legalmember
prefix: k-space
- name: matomo
prefix: k-space
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCUser
metadata:
name: lauri
spec:
type: person
email: lauri.vosandi@gmail.com
companyEmail: lauri@k-space.ee
groups:
- name: board
prefix: k-space
- name: info
prefix: k-space
- name: workshop
prefix: k-space
- name: floor
prefix: k-space
- name: kubernetes:admins
prefix: k-space
- name: proxmox:admins
prefix: k-space
- name: youtube
prefix: k-space
- name: facebook
prefix: k-space
- name: instagram
prefix: k-space
- name: gitlab
prefix: k-space
- name: legalmember
prefix: k-space
- name: onboarding
prefix: k-space
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCUser
metadata:
name: rasmus
spec:
type: person
email: github@c7.ee
companyEmail: rasmus@k-space.ee
groups:
- name: info
prefix: k-space
- name: onboarding
prefix: k-space
- name: workshop
prefix: k-space
- name: floor
prefix: k-space
- name: proxmox:admins
prefix: k-space
- name: kubernetes:developers
prefix: k-space
- name: kubernetes:admins
prefix: k-space
- name: instagram
prefix: k-space
- name: facebook
prefix: k-space
- name: youtube
prefix: k-space
- name: gitlab
prefix: k-space
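Review bot: The three OIDCUser objects put personal addresses in `spec.email` next to `companyEmail`; this repository is a fork of a published one, so if it is public that is personal data committed to VCS, and the OIDCUser CRD in application.yaml lists only `type` as required under `spec`, so `spec.email` could be left out and the address taken from what the upstream IdP populates in `status` (the CRD has `status.emails` and `status.primaryEmail`) — worth confirming with the Passmower docs before removing. Membership of admin-level groups (`kubernetes:admins`, `proxmox:admins`, `onboarding`) is defined in plain git here, which is good for auditability but means any merge to this file is a privilege grant; a header comment such as `# Changes to groups below grant cluster/Proxmox admin rights; review accordingly` would make that explicit.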

115
passmower/values.yaml Normal file

@@ -0,0 +1,115 @@
nameOverride: ""
fullnameOverride: ""
passmower:
# Hostname on which Passmower will be deployed to. Will be used as ingress host.
host: "auth.k-space.ee"
# Local groups will be created with given prefix.
group_prefix: 'k-space'
# Local or remote group which members will automatically become admins.
admin_group: 'k-space:onboarding'
# If set, require all users to be member of the given local or remote group.
# required_group: ""
# GitHub organization to pull groups from. Set to keep users other organizations private from Passmower.
github_organization: "codemowers"
# Allow enrolling new users automatically. Actual access will be based on required_group parameter. Disable to only manually provision users.
enroll_users: false
# Comma-separated, wildcard enabled namespace selector to select, in which namespaces Passmower looks for client CRDs.
namespace_selector: "*"
# Domain which will be preferred for determining primary emails.
preferred_email_domain: 'k-space.ee'
# Require users to set a custom username instead of system generated one. Will be used as OIDCUser CRD name and OIDC username claim.
require_custom_username: true
# Normalize incoming email addresses by removing aliases (e.g. username+alias@gmail.com) etc.
normalize_email_addresses: true
# Email credentials secret name. Secret must contain EMAIL_HOST, EMAIL_PASSWORD, EMAIL_PORT, EMAIL_SSL and EMAIL_USERNAME
email_credentials_secretRef: "email-credentials"
# GitHub OAuth client secret name. Secret must contain GH_CLIENT_ID and GH_CLIENT_SECRET
github_client_secretRef: "github-client"
# Slack API client secret name. Secret must contain SLACK_TOKEN
slack_client_secretRef: "slack-client"
# Different texts displayed and sent to the user
texts:
approval:
configMapRef:
name: passmower-approval
emails:
configMapRef:
name: passmower-email-templates
terms_of_service:
configMapRef:
name: passmower-tos
redis:
# Requires the Codemowers redis-operator to be installed: https://github.com/codemowers/operatorlib/tree/main/samples/redis-operator
redisClaim:
enabled: false
spec:
capacity: 100Mi
class: ephemeral
# Deploys a simple, non persistent Redis deployment.
internal:
enabled: false
# Use your own implementation - just provide a secret with a valid Redis URL.
external:
enabled: true
secretKeyRef:
name: "dragonfly-auth"
key: "REDIS_URI"
service:
type: ClusterIP
port: 80
ingress:
className: ""
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
- hosts:
- "*.k-space.ee"
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
image:
repository: passmower/passmower
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "develop"
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
replicaCount: 1
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

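Review bot: `tag: "develop"` together with `pullPolicy: Always` deploys the identity provider from a moving branch tag, so any pod restart can pull different, unreviewed code and the manifest no longer says what is actually running. Pin a release tag, or a digest if the chart's image template permits it (`tag: "<release-tag>"` — placeholder), and bump it deliberately on upgrade. `securityContext: {}` and `podSecurityContext: {}` leave every hardening entry commented out for a service that handles sessions, OAuth secrets and admin grants; `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` are already sketched in the comments and should be enabled unless the image is known to need otherwise. `namespace_selector: "*"` makes Passmower honour client CRDs from every namespace, which means create rights on those CRDs anywhere in the cluster are enough to register an OIDC client against this provider; either narrow the selector or record that trade-off in a comment next to the key.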
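--- a/passmower/voron.yaml
+++ b/passmower/voron.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCMiddlewareClient
+metadata:
+name: voron
+spec:
+displayName: Voron 3D printer
+uri: 'https://voron.k-space.ee'
+allowedGroups:
+- k-space:floor
+headerMapping:
+email: Remote-Email
+groups: Remote-Groups
+name: Remote-Name
+user: Remote-Username
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: voron
+spec:
+type: ExternalName
+externalName: 100.101.3.1
+ports:
+- name: http
+port: 80
+protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: voron
+annotations:
+kubernetes.io/ingress.class: traefik
+traefik.ingress.kubernetes.io/router.entrypoints: websecure
+traefik.ingress.kubernetes.io/router.middlewares: passmower-voron@kubernetescrd
+traefik.ingress.kubernetes.io/router.tls: "true"
+external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+rules:
+- host: voron.k-space.ee
+http:
+paths:
+- pathType: Prefix
+path: "/"
+backend:
+service:
+name: voron
+port:
+name: http
+tls:
+- hosts:
+- "*.k-space.ee"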
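Review bot: The `headerMapping` on the OIDCMiddlewareClient only protects the printer if the upstream at `100.101.3.1` accepts `Remote-Username`/`Remote-Groups` exclusively from Traefik; the address is reachable by anything that routes to it, so confirm the printer side restricts those identity headers to the ingress source, otherwise authentication is enforced at the ingress only and not at the device. A comment on the Service, `# fixed-IP upstream; Remote-* identity headers are trusted from traefik only — verify on the printer side`, would record that assumption. `externalName: 100.101.3.1` is an IP literal where an ExternalName Service expects a DNS name: Traefik can use it directly as the upstream host when `allowExternalNameServices` is enabled on its Kubernetes provider, but cluster DNS answers with a CNAME that does not resolve, so any other in-cluster consumer of this Service will fail; a headless Service with an explicit EndpointSlice is the portable form if that matters here.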