passmower helm kustomize

passmower/README.md

@@ -21,11 +21,10 @@ To add applications refer to the [official docs](https://github.com/passmower/pa
 
 For good examples refer to [Grafana](https://git.k-space.ee/k-space/kube/src/branch/master/grafana/application.yml)
 
-# For administrators
 
-Passmower was deployed with Helm chart:
+# Deployment
+With ArgoCD. Render it locally:
 
-```
+```sh
-echo "# Generated file, DO NOT EDIT!" > passmower/application.yaml
+kustomize build . --enable-helm
-helm template --include-crds -n passmower passmower oci://ghcr.io/passmower/charts/passmower -f passmower/values.yaml >> passmower/application.yaml
 ```

passmower/application.yaml

@@ -1,691 +0,0 @@
-# Generated file, DO NOT EDIT!
----
-# Source: passmower/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: passmower
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
----
-# Source: passmower/templates/texts.yaml
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: passmower-disable-frontend-edit
-data:
-  disable_frontend_edit.md: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)"
----
-# Source: passmower/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: oidcusers.codemowers.cloud
-spec:
-  group: codemowers.cloud
-  names:
-    plural: oidcusers
-    singular: oidcuser
-    kind: OIDCUser
-    listKind: OIDCUserList
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      schema:
-        openAPIV3Schema:
-          type: object
-          required:
-            - spec
-          properties:
-            github:
-              type: object
-              properties:
-                company:
-                  type: string
-                email:
-                  type: string
-                emails:
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      email:
-                        type: string
-                      primary:
-                        type: boolean
-                        default: false
-                groups:
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      name:
-                        type: string
-                      prefix:
-                        type: string
-                        enum:
-                          - github.com
-                id:
-                  type: integer
-                login:
-                  type: string
-                name:
-                  type: string
-            passmower:
-              type: object
-              properties:
-                company:
-                  type: string
-                email:
-                  type: string
-                groups:
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      name:
-                        type: string
-                      prefix:
-                        type: string
-                name:
-                  type: string
-            slack:
-              type: object
-              properties:
-                id:
-                  type: string
-            spec:
-              type: object
-              required:
-                - type
-              properties:
-                companyEmail:
-                  type: string
-                email:
-                  type: string
-                phones:
-                  type: array
-                  items:
-                    type: string
-                groups:
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      name:
-                        type: string
-                      prefix:
-                        type: string
-                type:
-                  type: string
-                  default: person
-                  enum:
-                    - person
-                    - org
-                    - service
-                    - banned
-                    - group
-            status:
-              type: object
-              properties:
-                conditions:
-                  type: array
-                  items:
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                    x-kubernetes-embedded-resource: true
-                emails:
-                  type: array
-                  items:
-                    type: string
-                groups:
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      name:
-                        type: string
-                      prefix:
-                        type: string
-                primaryEmail:
-                  type: string
-                profile:
-                  type: object
-                  properties:
-                    company:
-                      type: string
-                    name:
-                      type: string
-                    phones:
-                      type: array
-                      items:
-                        type: string
-                  x-kubernetes-preserve-unknown-fields: true
-                slackId:
-                  type: string
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - name: Type
-          type: string
-          jsonPath: .spec.type
-        - name: Name
-          type: string
-          jsonPath: .status.profile.name
-        - name: Display e-mail
-          type: string
-          jsonPath: .status.primaryEmail
-        - name: Phone
-          type: string
-          jsonPath: .status.profile.phones[0]
-        - name: Upstream IdP e-mail
-          type: string
-          jsonPath: .github.emails[?(@.primary==true)].email
-        - name: GH ID
-          type: string
-          jsonPath: .github.id
-        - name: Groups
-          type: string
-          jsonPath: .status.groups
-  conversion:
-    strategy: None
----
-# Source: passmower/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: oidcclients.codemowers.cloud
-spec:
-  group: codemowers.cloud
-  names:
-    plural: oidcclients
-    singular: oidcclient
-    kind: OIDCClient
-    listKind: OIDCClientList
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      schema:
-        openAPIV3Schema:
-          type: object
-          required:
-            - spec
-          properties:
-            spec:
-              type: object
-              required:
-                - redirectUris
-                - grantTypes
-                - responseTypes
-              properties:
-                allowedCORSOrigins:
-                  type: array
-                  items:
-                    type: string
-                allowedGroups:
-                  type: array
-                  items:
-                    type: string
-                availableScopes:
-                  type: array
-                  default:
-                    - openid
-                  items:
-                    type: string
-                    enum:
-                      - openid
-                      - profile
-                      - offline_access
-                      - groups
-                      - allowed_groups
-                displayName:
-                  type: string
-                grantTypes:
-                  type: array
-                  items:
-                    type: string
-                    enum:
-                      - implicit
-                      - authorization_code
-                      - refresh_token
-                idTokenSignedResponseAlg:
-                  type: string
-                  enum:
-                    - PS256
-                    - RS256
-                    - ES256
-                overrideIncomingScopes:
-                  type: boolean
-                  default: false
-                pkce:
-                  type: boolean
-                  default: true
-                redirectUris:
-                  type: array
-                  items:
-                    type: string
-                responseTypes:
-                  type: array
-                  items:
-                    type: string
-                    enum:
-                      - code id_token
-                      - code
-                      - id_token
-                      - none
-                secretMetadata:
-                  type: object
-                  properties:
-                    annotations:
-                      type: object
-                      x-kubernetes-preserve-unknown-fields: true
-                    labels:
-                      type: object
-                      x-kubernetes-preserve-unknown-fields: true
-                secretRefreshPod:
-                  type: object
-                  x-kubernetes-preserve-unknown-fields: true
-                  x-kubernetes-embedded-resource: true
-                tokenEndpointAuthMethod:
-                  type: string
-                  enum:
-                    - client_secret_basic
-                    - client_secret_jwt
-                    - client_secret_post
-                    - private_key_jwt
-                    - none
-                uri:
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  type: array
-                  items:
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                    x-kubernetes-embedded-resource: true
-                instance:
-                  type: string
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - name: Instance
-          type: string
-          description: Passmower deployment which manages this client
-          jsonPath: .status.instance
-        - name: Uris
-          type: string
-          description: Redirect URLs configured for this client
-          jsonPath: .spec.redirectUris
-        - name: Allowed groups
-          type: string
-          description: Groups allowed to this client
-          jsonPath: .spec.allowedGroups
-  conversion:
-    strategy: None
----
-# Source: passmower/templates/crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: oidcmiddlewareclients.codemowers.cloud
-spec:
-  group: codemowers.cloud
-  names:
-    plural: oidcmiddlewareclients
-    singular: oidcmiddlewareclient
-    kind: OIDCMiddlewareClient
-    listKind: OIDCMiddlewareClientList
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      schema:
-        openAPIV3Schema:
-          type: object
-          required:
-            - spec
-          properties:
-            spec:
-              type: object
-              properties:
-                allowedGroups:
-                  type: array
-                  items:
-                    type: string
-                displayName:
-                  type: string
-                headerMapping:
-                  type: object
-                  default:
-                    email: Remote-Email
-                    groups: Remote-Groups
-                    name: Remote-Name
-                    user: Remote-User
-                  properties:
-                    email:
-                      type: string
-                    groups:
-                      type: string
-                    name:
-                      type: string
-                    user:
-                      type: string
-                uri:
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  type: array
-                  items:
-                    type: object
-                    x-kubernetes-preserve-unknown-fields: true
-                    x-kubernetes-embedded-resource: true
-                instance:
-                  type: string
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - name: Instance
-          type: string
-          description: Passmower deployment which manages this client
-          jsonPath: .status.instance
-        - name: Uri
-          type: string
-          description: URL configured for this client
-          jsonPath: .spec.uri
-        - name: Allowed groups
-          type: string
-          description: Groups allowed to this client
-          jsonPath: .spec.allowedGroups
-  conversion:
-    strategy: None
----
-# Source: passmower/templates/serviceaccount.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: passmower
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
-rules:
-  - verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-    apiGroups:
-      - codemowers.cloud
-    resources:
-      - oidcusers
-      - oidcusers/status
-      - oidcclients
-      - oidcclients/status
-      - oidcmiddlewareclients
-      - oidcmiddlewareclients/status
-  - verbs:
-      - get
-      - create
-      - patch
-      - delete
-    apiGroups:
-      - ''
-    resources:
-      - secrets
-  - verbs:
-      - create
-    apiGroups:
-      - ''
-    resources:
-      - pods
-  - verbs:
-      - get
-      - create
-      - update
-      - patch
-      - delete
-    apiGroups:
-      - traefik.io
-    resources:
-      - middlewares
----
-# Source: passmower/templates/serviceaccount.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: passmower
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
-subjects:
-  - kind: ServiceAccount
-    name: passmower
-    namespace: passmower
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: passmower
----
-# Source: passmower/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: passmower
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
----
-# Source: passmower/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: passmower
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  replicas: 4
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: passmower
-      app.kubernetes.io/instance: passmower
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: passmower
-        app.kubernetes.io/instance: passmower
-    spec:
-      serviceAccountName: passmower
-      securityContext:
-        {}
-      containers:
-        - name: passmower
-          securityContext:
-            {}
-          image: "ghcr.io/passmower/passmower:1.0.1"
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 3000
-              name: http
-            - containerPort: 9090
-              name: metrics
-          env:
-            - name: ISSUER_URL
-              value: https://auth.k-space.ee/
-            - name: DEPLOYMENT_NAME
-              value: passmower
-            - name: GROUP_PREFIX
-              value: "k-space"
-            - name: ADMIN_GROUP
-              value: "k-space:onboarding"
-            - name: REQUIRED_GROUP
-              value: ""
-            - name: GITHUB_ORGANIZATION
-              value: "codemowers"
-            - name: USE_GITHUB_USERNAME
-              value: "false"
-            - name: ENROLL_USERS
-              value: "false"
-            - name: DISABLE_FRONTEND_EDIT
-              value: "true"
-            - name: NAMESPACE_SELECTOR
-              value: "*"
-            - name: PREFERRED_EMAIL_DOMAIN
-              value: "k-space.ee"
-            - name: REQUIRE_CUSTOM_USERNAME
-              value: "true"
-            - name: NORMALIZE_EMAIL_ADDRESSES
-              value: "false"
-            - name: REDIS_URI
-              valueFrom:
-                secretKeyRef:
-                  name: dragonfly-auth
-                  key: REDIS_URI
-          envFrom:
-            - secretRef:
-                name: oidc-keys
-            - secretRef:
-                name: email-credentials
-            - secretRef:
-                name: github-client
-            - secretRef:
-                name: slack-client
-          readinessProbe:
-            httpGet:
-              path: /.well-known/openid-configuration
-              port: 3000
-              httpHeaders:
-                - name: x-forwarded-for # suppress oidc-provider warning
-                  value: https://auth.k-space.ee/
-                - name: x-forwarded-proto # suppress oidc-provider warning
-                  value: https
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: 9090
-              httpHeaders:
-                - name: x-forwarded-for # suppress oidc-provider warning
-                  value: https://auth.k-space.ee/
-                - name: x-forwarded-proto # suppress oidc-provider warning
-                  value: https
-            initialDelaySeconds: 10
-            timeoutSeconds: 10
-            periodSeconds: 30
-          volumeMounts:
-            - mountPath: /app/tos
-              name: tos
-            - mountPath: /app/approval
-              name: approval
-            - mountPath: /app/disable_frontend_edit
-              name: disable-frontend-edit
-            - mountPath: /app/src/views/custom/emails
-              name: email-templates
-          resources:
-            {}
-      volumes:
-        - name: tos
-          configMap:
-            name: passmower-tos
-        - name: approval
-          configMap:
-            name: passmower-approval
-        - name: disable-frontend-edit
-          configMap:
-            name: passmower-disable-frontend-edit
-        - name: email-templates
-          configMap:
-            name: passmower-email-templates
----
-# Source: passmower/templates/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: passmower
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee
-    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
-    kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-spec:
-  tls:
-    - hosts:
-        - "*.k-space.ee"
-      secretName:
-  rules:
-    - host: "auth.k-space.ee"
-      http:
-        paths:
-          - path: "/"
-            pathType: Prefix
-            backend:
-              service:
-                name: passmower
-                port:
-                  number: 80
----
-# Source: passmower/templates/deployment.yaml
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: passmower-key-manager
-  annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
-  labels:
-    helm.sh/chart: passmower-1.0.1
-    app.kubernetes.io/name: passmower
-    app.kubernetes.io/instance: passmower
-    app.kubernetes.io/version: "1.0.1"
-    app.kubernetes.io/managed-by: Helm
-spec:
-  template:
-    spec:
-      serviceAccountName: passmower
-      containers:
-        - name: oidc-key-manager
-          image: "ghcr.io/passmower/passmower:1.0.1"
-          command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
-      restartPolicy: Never

passmower/kustomization.yaml

@@ -1,14 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-metadata:
+
-  name: passmower-extras
+namespace: &ns passmower
+
+# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- namespace: *ns # for ClusterRoleBinding, which doesn't want to adopt the Kustomization namespace
+  includeCRDs: true
+  name: &name passmower
+  releaseName: *name
+  repo: oci://ghcr.io/passmower/charts
+  valuesFile: values.yaml
+  version: 1.1.1
 
 resources:
-- application.yaml
+- ssh://git@git.k-space.ee/secretspace/kube/passmower # secrets: email-credentials, github-client, slack-client
 - application-extras.yaml
-- texts.yaml
+- dragonfly.yaml
 - kubelogin.yaml
 - proxmox.yaml
-- dragonfly.yaml
 - prusa.yaml
+- texts.yaml
 - voron.yaml