diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..71b4334 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,77 @@ +name: main + +on: + push: + branches: + - master + - '**' + +env: + GIT_SHA: ${{ github.sha }} + GIT_REF: ${{ github.ref }} + CONTAINER_NAME: code-server-oauth2 + CHART_NAME: code-server-oauth2 + CHART_GIT_BRANCH: master + CHART_REPOSITORY: szymonrychu/charts + BOT_TOKEN: ${{ secrets.BOT_TOKEN }} + BOT_EMAIL: "szymon.rychu@gmail.com" + BOT_USERNAME: "szymonrychu" + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Parse versions in commit and setup debs + run: | + export LATEST_REPO_TAG=$(git tag -l --sort=-v:refname "[0-9]*" | head -n1) + if [ -z "${LATEST_REPO_TAG}" ]; then + export LATEST_REPO_TAG="0.0.1" + fi + export SHORT_SHA=$(echo ${GIT_SHA:0:7}) + + export APP_VERSION=${LATEST_REPO_TAG}-${SHORT_SHA} + export CHART_VERSION=${LATEST_REPO_TAG}-$(git show -s --format=%ct HEAD)-${SHORT_SHA} + + echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV + echo "CHART_VERSION=${CHART_VERSION}" >> $GITHUB_ENV + echo "SHORT_SHA=${SHORT_SHA}" >> $GITHUB_ENV + echo "LATEST_REPO_TAG=${LATEST_REPO_TAG}" >> $GITHUB_ENV + + sudo wget https://github.com/mikefarah/yq/releases/download/3.4.0/yq_linux_amd64 -O /usr/bin/yq + sudo chmod +x /usr/bin/yq + + curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash + + - name: Update metadata files + run: | + set -e + cd chart + yq w -i ${CHART_NAME}/Chart.yaml version ${CHART_VERSION} + + - name: Package and push helm chart + run: | + set -e + + cd chart + + CHART_PWD=$(pwd) + + helm dep update ${CHART_NAME} + helm package -u ${CHART_NAME} + + git clone https://x-access-token:${BOT_TOKEN}@github.com/${CHART_REPOSITORY}.git /tmp/repo + cd /tmp/repo + git checkout ${CHART_GIT_BRANCH} + + mv ${CHART_PWD}/${CHART_NAME}-${CHART_VERSION}.tgz ./ + helm repo index . + + git config --global user.email "${BOT_EMAIL}" + git config --global user.name "${BOT_USERNAME}" + git add -A + git commit -m "Add ${CHART_NAME} ${CHART_VERSION}" + git push origin ${CHART_GIT_BRANCH} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..29751c6 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,78 @@ +name: release + +on: + push: + tags: + - '[0-9]+.[0-9]+.[0-9]+' + +env: + GIT_SHA: ${{ github.sha }} + GIT_REF: ${{ github.ref }} + CONTAINER_NAME: code-server-oauth2 + CHART_NAME: code-server-oauth2 + CHART_GIT_BRANCH: master + CHART_REPOSITORY: szymonrychu/charts + BOT_TOKEN: ${{ secrets.BOT_TOKEN }} + BOT_EMAIL: "szymon.rychu@gmail.com" + BOT_USERNAME: "szymonrychu" + +jobs: + release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Parse versions in commit and setup debs + run: | + export LATEST_REPO_TAG=$(git tag -l --sort=-v:refname "[0-9]*" | head -n1) + + export SHORT_SHA=$(echo ${GIT_SHA:0:7}) + + echo "APP_VERSION=${LATEST_REPO_TAG}" >> $GITHUB_ENV + echo "CHART_VERSION=${LATEST_REPO_TAG}" >> $GITHUB_ENV + echo "SHORT_SHA=${SHORT_SHA}" >> $GITHUB_ENV + echo "LATEST_REPO_TAG=${LATEST_REPO_TAG}" >> $GITHUB_ENV + + echo $SHORT_SHA + echo $LATEST_REPO_TAG + + sudo wget https://github.com/mikefarah/yq/releases/download/3.4.0/yq_linux_amd64 -O /usr/bin/yq + sudo chmod +x /usr/bin/yq + + curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash + + - name: Update metadata files + run: | + set -e + cd chart + yq w -i ${CHART_NAME}/Chart.yaml version ${CHART_VERSION} + + - name: Package and push helm chart + run: | + set -e + + cd chart + + CHART_PWD=$(pwd) + + helm dep update ${CHART_NAME} + helm package -u ${CHART_NAME} + + git clone https://x-access-token:${BOT_TOKEN}@github.com/${CHART_REPOSITORY}.git /tmp/repo + cd /tmp/repo + git checkout ${CHART_GIT_BRANCH} + + mv ${CHART_PWD}/${CHART_NAME}-${CHART_VERSION}.tgz ./ + helm repo index . + + git config --global user.email "${BOT_EMAIL}" + git config --global user.name "${BOT_USERNAME}" + git add -A + git commit -m "Release ${CHART_NAME} ${CHART_VERSION}" + git push origin ${CHART_GIT_BRANCH} + + - name: Create GH Release + uses: notlmn/release-with-changelog@v3 + with: + token: ${{ secrets.BOT_TOKEN }} + template: '{commits}' \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..38dab82 --- /dev/null +++ b/.gitignore @@ -0,0 +1,27 @@ + +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib +bin +testbin/* + +# Test binary, build with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Kubernetes Generated files - skip generated files, except for vendored files + +!vendor/**/zz_generated.* + +# editor and IDE paraphernalia +.idea +*.swp +*.swo +*~ + +.vscode \ No newline at end of file diff --git a/chart/code-server-oauth2/.helmignore b/chart/code-server-oauth2/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/chart/code-server-oauth2/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/chart/code-server-oauth2/Chart.yaml b/chart/code-server-oauth2/Chart.yaml new file mode 100644 index 0000000..12bde13 --- /dev/null +++ b/chart/code-server-oauth2/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: code-server-oauth2 +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.0.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "0.0.1" diff --git a/chart/code-server-oauth2/templates/NOTES.txt b/chart/code-server-oauth2/templates/NOTES.txt new file mode 100644 index 0000000..a2f62f6 --- /dev/null +++ b/chart/code-server-oauth2/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "code-server-oauth2.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "code-server-oauth2.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "code-server-oauth2.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "code-server-oauth2.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/chart/code-server-oauth2/templates/_helpers.tpl b/chart/code-server-oauth2/templates/_helpers.tpl new file mode 100644 index 0000000..9ad3fe0 --- /dev/null +++ b/chart/code-server-oauth2/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "code-server-oauth2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "code-server-oauth2.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "code-server-oauth2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "code-server-oauth2.labels" -}} +helm.sh/chart: {{ include "code-server-oauth2.chart" . }} +{{ include "code-server-oauth2.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "code-server-oauth2.selectorLabels" -}} +app.kubernetes.io/name: {{ include "code-server-oauth2.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "code-server-oauth2.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "code-server-oauth2.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/chart/code-server-oauth2/templates/configmap.yaml b/chart/code-server-oauth2/templates/configmap.yaml new file mode 100644 index 0000000..5b50383 --- /dev/null +++ b/chart/code-server-oauth2/templates/configmap.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "code-server-oauth2.fullname" . }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} +data: + code-domain: {{ .Values.config.codeServer.domain }} + keycloak-redirect-url: {{ .Values.config.oauth2Proxy.keycloakRedirectmUrl }} + keycloak-realm-url: {{ .Values.config.oauth2Proxy.keycloakRealmUrl }} + cookie-name: {{ .Values.config.oauth2Proxy.cookieName }} + cookie-domain: {{ .Values.config.oauth2Proxy.cookieDomain }} \ No newline at end of file diff --git a/chart/code-server-oauth2/templates/deployment.yaml b/chart/code-server-oauth2/templates/deployment.yaml new file mode 100644 index 0000000..9b3c26a --- /dev/null +++ b/chart/code-server-oauth2/templates/deployment.yaml @@ -0,0 +1,210 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "code-server-oauth2.fullname" . }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "code-server-oauth2.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "code-server-oauth2.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "code-server-oauth2.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: {{ .Values.codeServer.containerName }}-init + securityContext: + {{- toYaml .Values.codeServer.securityContext | nindent 12 }} + image: "{{ .Values.codeServer.image.repository }}:{{ .Values.codeServer.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.codeServer.image.pullPolicy }} + command: + - bash + args: + - -cex + - | + cd /secrets + gpg --import ./private.rsa + if [[ ! -e /home/code-new/.gnupg ]]; then + cp -R /config/.gnupg /home/code-new/.gnupg + fi + if [[ ! -e /home/code-new/.kube/config ]]; then + mkdir -p /home/code-new/.kube + cp ./kubeconfig /home/code-new/.kube/config + chmod 0600 /home/code-new/.kube/config + fi + if [[ ! -e /home/code-new/.ssh/id_rsa ]]; then + mkdir -p /home/code-new/.ssh + cp ./id_rsa /home/code-new/.ssh/id_rsa + chmod 0600 /home/code-new/.ssh/id_rsa + fi + if [[ ! -e /home/code-new/.ssh/id_rsa.pub ]]; then + mkdir -p /home/code-new/.ssh + cp ./id_rsa /home/code-new/.ssh/id_rsa.pub + fi + if [[ ! -e /home/code-new/.ssh/known_hosts ]]; then + mkdir -p /home/code-new/.ssh + cp ./id_rsa /home/code-new/.ssh/known_hosts + fi + if [[ ! -e /home/code-new/.profile ]] && [[ -e /config/.profile ]]; then + cp /config/.profile /home/code-new/.profile + fi + if [[ ! -e /home/code-new/.bashrc ]] && [[ -e /config/.bashrc ]]; then + cp /config/.bashrc /home/code-new/.bashrc + fi + if [[ ! -e /home/code-new/.bash_history ]] && [[ -e /home/code-new/.bash_history ]]; then + cp /config/.bash_history /home/code-new/.bash_history + fi + if [[ ! -e /home/code-new/.bash_profile ]] && [[ -e /config/.bash_profile ]]; then + cp /config/.bash_profile /home/code-new/.bash_profile + fi + sudo chown -R 1000:1000 /home/code-new + volumeMounts: + - name: code-secrets + mountPath: "/secrets" + readOnly: true + - mountPath: /home/code-new + name: shared-data + containers: + - name: {{ .Values.codeServer.containerName }} + securityContext: + {{- toYaml .Values.codeServer.securityContext | nindent 12 }} + image: "{{ .Values.codeServer.image.repository }}:{{ .Values.codeServer.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.codeServer.image.pullPolicy }} + env: + - name: PROXY_DOMAIN + valueFrom: + configMapKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: code-domain + - name: DEFAULT_WORKSPACE + value: /home/code/Documents + - name: PUID + value: "1000" + - name: PGID + value: "1000" + volumeMounts: + - mountPath: /home/code + name: shared-data + - mountPath: /config + name: config + ports: + - name: http + containerPort: 8443 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 12 }} + - name: {{ .Values.oauth2Proxy.containerName }} + securityContext: + {{- toYaml .Values.oauth2Proxy.securityContext | nindent 12 }} + image: "{{ .Values.oauth2Proxy.image.repository }}:{{ .Values.oauth2Proxy.image.tag }}" + imagePullPolicy: {{ .Values.oauth2Proxy.image.pullPolicy }} + env: + - name: OAUTH2_PROXY_PROVIDER + value: keycloak-oidc + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: keycloak-client-id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: keycloak-client-secret + - name: OAUTH2_PROXY_REDIRECT_URL + valueFrom: + configMapKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: keycloak-redirect-url + - name: OAUTH2_PROXY_OIDC_ISSUER_URL + valueFrom: + configMapKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: keycloak-realm-url + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: 0.0.0.0:4180 + - name: OAUTH2_PROXY_REVERSE_PROXY + value: "true" + - name: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER + value: "true" + - name: OAUTH2_PROXY_PASS_ACCESS_TOKEN + value: "true" + - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON + value: "true" + - name: OAUTH2_PROXY_UPSTREAMS + value: http://localhost:8443 + - name: OAUTH2_PROXY_COOKIE_NAME + valueFrom: + configMapKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: cookie-name + - name: OAUTH2_PROXY_COOKIE_DOMAIN + valueFrom: + configMapKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: cookie-domain + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ include "code-server-oauth2.fullname" . }} + key: cookie-secret + ports: + - name: http-oidc + containerPort: 4180 + protocol: TCP + livenessProbe: + tcpSocket: + port: http-oidc + readinessProbe: + tcpSocket: + port: http-oidc + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config + persistentVolumeClaim: + claimName: code-config-local-pvc + - name: shared-data + persistentVolumeClaim: + claimName: code-local-pvc + - name: code-secrets + secret: + secretName: {{ include "code-server-oauth2.fullname" . }}-code-secrets diff --git a/chart/code-server-oauth2/templates/hpa.yaml b/chart/code-server-oauth2/templates/hpa.yaml new file mode 100644 index 0000000..2a3886d --- /dev/null +++ b/chart/code-server-oauth2/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "code-server-oauth2.fullname" . }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "code-server-oauth2.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/chart/code-server-oauth2/templates/ingress.yaml b/chart/code-server-oauth2/templates/ingress.yaml new file mode 100644 index 0000000..24a89a8 --- /dev/null +++ b/chart/code-server-oauth2/templates/ingress.yaml @@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "code-server-oauth2.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/code-server-oauth2/templates/secret.yaml b/chart/code-server-oauth2/templates/secret.yaml new file mode 100644 index 0000000..bbfb75c --- /dev/null +++ b/chart/code-server-oauth2/templates/secret.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "code-server-oauth2.fullname" . }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} +type: Opaque +data: + keycloak-client-id: {{ .Values.config.oauth2Proxy.keycloakClientId | b64enc | quote }} + keycloak-client-secret: {{ .Values.config.oauth2Proxy.keycloakClientSecret | b64enc | quote }} + cookie-secret: {{ .Values.config.oauth2Proxy.cookieSecret | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "code-server-oauth2.fullname" . }}-code-secrets + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} +type: Opaque +data: + kubeconfig: {{ .Values.secrets.kubeconfig | b64enc | quote }} + id_rsa: {{ .Values.secrets.privateKey | b64enc | quote }} + id_rsa.pub: {{ .Values.secrets.publicKey | b64enc | quote }} + known_hosts: {{ .Values.secrets.knownHosts | b64enc | quote }} + private.rsa: {{ .Values.secrets.gpgEncryptionKey | b64enc | quote }} diff --git a/chart/code-server-oauth2/templates/service.yaml b/chart/code-server-oauth2/templates/service.yaml new file mode 100644 index 0000000..90d1c2b --- /dev/null +++ b/chart/code-server-oauth2/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "code-server-oauth2.fullname" . }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http-oidc + protocol: TCP + name: http + selector: + {{- include "code-server-oauth2.selectorLabels" . | nindent 4 }} diff --git a/chart/code-server-oauth2/templates/serviceaccount.yaml b/chart/code-server-oauth2/templates/serviceaccount.yaml new file mode 100644 index 0000000..a4492a7 --- /dev/null +++ b/chart/code-server-oauth2/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: false +metadata: + name: {{ include "code-server-oauth2.serviceAccountName" . }} + labels: + {{- include "code-server-oauth2.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/chart/code-server-oauth2/values.yaml b/chart/code-server-oauth2/values.yaml new file mode 100644 index 0000000..b870213 --- /dev/null +++ b/chart/code-server-oauth2/values.yaml @@ -0,0 +1,150 @@ +# Default values for code-server-oauth2. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +config: + codeServer: + domain: code.example.com + + oauth2Proxy: + keycloakClientId: client-id + keycloakClientSecret: client-super-secret + keycloakRedirectmUrl: https://code.example.com/oauth2/callback + keycloakRealmUrl: https://keycloak.example.com/auth/realms/SomeRealm + cookieName: oauth2-authorization-cookie + cookieDomain: example.com + cookieSecret: super-secret-cookie-secret + + +codeServer: + containerName: code-server + image: + repository: szymonrychu/kubernetes-code-server + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +oauth2Proxy: + containerName: oidc-proxy + image: + repository: quay.io/oauth2-proxy/oauth2-proxy + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: v7.3.0 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +secrets: + kubeconfig: | + --- + empty + privateKey: | + someprivatekey + publicKey: | + someprivatekey + knownHosts: | + |1|eHUy+DdABsrCSjWFrPHMB6u/aQg=|j1ubaHgHk7cCmhh2m4C9LHSlmVQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + |1|5BTVwAXj+vC6I6aDQ43nP27WKAg=|2E8pPM72MPTPTIcEIBdl1+vZzVw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + |1|PStxtwUxBOjdhk/VfSWaBbSyAvY=|vGUqFWFcpL6DfJH98NvWOOz+3mI= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + |1|kcm+w/r4hUIpANo2kt73krZRMg8=|1SboFAEvMi0z0cmY7B+NFlVnQlE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMSgqxFsxZv8pZwxx/NPdl7A2exC+V1uInBWvQhkcGch+0KEP9tsu32UnIQnk1+3oQqufo6PzZEtxWfYRMs2GU= + |1|1L+f7SudyNp0JUzd6qxPeJgKK3c=|vcu2S1jJp+QK/0cvFXWjMa46FMc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMSgqxFsxZv8pZwxx/NPdl7A2exC+V1uInBWvQhkcGch+0KEP9tsu32UnIQnk1+3oQqufo6PzZEtxWfYRMs2GU= + |1|TU4IYB00K1s7b+SDvElOk8Gjlvc=|EMWcRuR5MQ+Dhv6BHFkGcieHOso= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE1TvABrKxeuwCHvj5Z60W96RHuDQy/9IxAU4rPl52kkJVf8N6HT8coqwjIwIXlD93XVHdRrySkibHPu0etB8/E= + |1|kZfJKZH2y51Q+3Nz2oY8nEyPjHo=|0TzDqsFEbjI72oc9dEEmZaY8VZ8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE1TvABrKxeuwCHvj5Z60W96RHuDQy/9IxAU4rPl52kkJVf8N6HT8coqwjIwIXlD93XVHdRrySkibHPu0etB8/E= + |1|/fQqEb2/XE/lu0JFOM0i/y6wQco=|j8HFDqyleoXwASyCUwqm5aKWW2w= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoLfwohyJai8WQpc0G4GoU5kuk65gh0dLGJiiur4XPBV0W71u+xzD3QHuV5kG0R2d1xp9AoQhK01b6RHO0MtmA= + |1|66KMNPk0RLY6vcf3yMRBDt2YrQo=|lYFJahwh2vjfE9PrWEJdj3y/mHw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNr2UdEpYTtWhxtEGe/DA9X/RT9S6BJ92tIg+vh6Wlsb3AfqYcEZkz55aLv6oTfBLt2wW7arhobzc2FnbNIBUXM= + |1|TvNrVYFIso7uiWP0X+L/nRtS5WU=|KDtxXZ1Z/zP3fA9+4IqI+bcjAOc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMSgqxFsxZv8pZwxx/NPdl7A2exC+V1uInBWvQhkcGch+0KEP9tsu32UnIQnk1+3oQqufo6PzZEtxWfYRMs2GU= + |1|Vr1oUg8mUO+TkDh+z8ltWu2O8og=|pL9VFzXpIfXsVcfZIRCEAalE+Jc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNr2UdEpYTtWhxtEGe/DA9X/RT9S6BJ92tIg+vh6Wlsb3AfqYcEZkz55aLv6oTfBLt2wW7arhobzc2FnbNIBUXM= + gpgEncryptionKey: | + someprivatekey + +service: + type: ClusterIP + port: 80 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {}