From 89bf87ca3aa2b6ffdd35b1d6b3ba42cb557c2bcc Mon Sep 17 00:00:00 2001
From: st
Date: Mon, 23 Sep 2024 15:41:02 +0200
Subject: [PATCH] feat(base-cluster/capactior): add flux capacitor dashboard
---
 .../templates/flux/capacitor.yaml | 26 ++++
 .../templates/flux/oauth-proxy-secret.yaml | 17 +++
 .../templates/flux/oauth-proxy.yaml | 114 ++++++++++++++++++
 .../templates/flux/rbac-capacitor.yaml | 60 +++++++++
 charts/base-cluster/values.schema.json | 12 ++
 charts/base-cluster/values.yaml | 11 ++
 6 files changed, 240 insertions(+)
 create mode 100644 charts/base-cluster/templates/flux/capacitor.yaml
 create mode 100644 charts/base-cluster/templates/flux/oauth-proxy-secret.yaml
 create mode 100644 charts/base-cluster/templates/flux/oauth-proxy.yaml
 create mode 100644 charts/base-cluster/templates/flux/rbac-capacitor.yaml
diff --git a/charts/base-cluster/templates/flux/capacitor.yaml b/charts/base-cluster/templates/flux/capacitor.yaml
new file mode 100644
index 000000000..14adffd46
--- /dev/null
+++ b/charts/base-cluster/templates/flux/capacitor.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.flux.capacitor.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: capacitor
+ namespace: flux-system
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: capacitor
+spec:
+ chart:
+ spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "onechart" "chart" "onechart" "context" $) | nindent 6 }}
+ interval: 1h
+ driftDetection:
+ mode: enabled
+ values:
+ image:
+ repository: ghcr.io/gimlet-io/capacitor
+ tag: v0.4.2
+ containerPort: 9000
+ probe:
+ enabled: true
+ path: /
+ resources:
+ ignoreLimits: true
+ serviceAccount: capacitor
+{{- end }}
diff --git a/charts/base-cluster/templates/flux/oauth-proxy-secret.yaml b/charts/base-cluster/templates/flux/oauth-proxy-secret.yaml
new file mode 100644
index 000000000..9d3ddeefb
--- /dev/null
+++ b/charts/base-cluster/templates/flux/oauth-proxy-secret.yaml
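Review bot: Nothing in this template restricts who can reach the capacitor pod on port 9000, so any workload in the cluster can talk to the dashboard directly and bypass the oauth proxy; since the pod runs as the `capacitor` ServiceAccount, which the rbac-capacitor.yaml hunk gives cluster-wide read on Secrets and patch on Flux objects, that is an unauthenticated path to those permissions. The CiliumNetworkPolicy added in oauth-proxy.yaml selects only the proxy pod, and when `global.authentication.config` is unset the proxy is not rendered at all, so capacitor then runs with no authentication layer in front of it. I would add a policy selecting the capacitor pods that admits ingress on 9000 only from the `capacitor-oauth-proxy` endpoints (ingress only, so egress to the API server stays open), and either fail the render or document the consequence when authentication is not configured. A comment on the `tag: v0.4.2` line noting that the image is pinned by mutable tag rather than digest would also be worthwhile given the privileges this pod holds.
```yaml
{{- if eq (include "common.networkPolicy.type" $) "cilium" }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: capacitor-policy
  namespace: flux-system
  labels: {{- include "common.labels.standard" $ | nindent 4 }}
    app.kubernetes.io/component: capacitor
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/instance: capacitor  # confirm the label onechart puts on its pods
  ingress:
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/instance: capacitor-oauth-proxy
      toPorts:
        - ports:
            - port: "9000"
              protocol: TCP
{{- end }}
```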
@@ -0,0 +1,17 @@
+{{- if and .Values.global.authentication.config .Values.flux.capacitor.enabled }}
+{{- $name := include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name }}
+ namespace: flux-system
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: oauth-proxy
+ app.kubernetes.io/part-of: capacitor
+type: Opaque
+data:
+ # This might change on every `template` call, this can be ignored
+ cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookie-secret" "length" 32 "strong" true "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mustMergeOverwrite (deepCopy .Release)))) }}
+ client-id: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
+ client-secret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/base-cluster/templates/flux/oauth-proxy.yaml b/charts/base-cluster/templates/flux/oauth-proxy.yaml
new file mode 100644
index 000000000..4cf407550
--- /dev/null
+++ b/charts/base-cluster/templates/flux/oauth-proxy.yaml
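Review bot: The `Release` override on the `cookie-secret` line sets `"Namespace" "monitoring"` while the Secret itself is created in `flux-system`; as far as I can tell `common.secrets.passwords.manage` looks up the existing secret in that release namespace, so the lookup either misses (a fresh cookie secret is generated on every upgrade and all proxy sessions are invalidated) or finds the monitoring oauth-proxy's secret of the same name and silently shares its cookie secret between the two proxies. If sharing is intended it deserves a comment saying so; if not, `"Namespace" "flux-system"` (or leaving `.Release.Namespace` untouched) is the fix. A short comment above `cookie-secret:` explaining why `IsUpgrade`/`IsInstall` are forced would also help the next reader, since the existing comment only covers the checksum churn.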
@@ -0,0 +1,114 @@
+{{- if and .Values.global.authentication.config .Values.flux.capacitor.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: capacitor-oauth-proxy
+ namespace: flux-system
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: oauth-proxy
+ app.kubernetes.io/part-of: capacitor
+spec:
+ chart:
+ spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "bitnami" "chart" "oauth2-proxy" "context" $) | nindent 6 }}
+ interval: 1h
+ driftDetection:
+ mode: enabled
+ values:
+ redis:
+ enabled: false
+ {{- if $.Values.global.imageRegistry }}
+ global:
+ imageRegistry: {{ $.Values.global.imageRegistry }}
+ {{- end }}
+ ingress:
+ enabled: true
+ hostname: {{ .Values.flux.capacitor.ingress.host }}
+ tls: true
+ {{- if $.Values.dns.provider }}
+ selfSigned: true # `certManager: true` leads to overwritten wildcard certificates
+ {{- else }}
+ certManager: true
+ {{- end }}
+ existingSecretName: {{ include "base-cluster.certificate" (dict "name" "capacitor" "customDomain" .Values.flux.capacitor.ingress.customDomain "context" $) | quote }}
+ replicaCount: 2
+ pdb:
+ create: true
+ minAvailable: 1
+ maxUnavailable: ""
+ podSecurityContext:
+ enabled: true
+ containerSecurityContext:
+ enabled: true
+ resources: {{- include "common.resources" $.Values.global.authentication.oauthProxy | nindent 6 }}
+ configuration:
+ existingSecret: {{ include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) }}
+ content: |-
+ provider = "oidc"
+ reverse_proxy = true
+ oidc_issuer_url = {{ printf "https://%s%s" $.Values.global.authentication.config.issuerHost $.Values.global.authentication.config.issuerPath | quote }}
+ skip_provider_button = true
+ {{- if $.Values.global.authentication.oauthProxy.emailDomains }}
+ email_domains = [ "{{ $.Values.global.authentication.oauthProxy.emailDomains | join "\", \"" }}" ]
+ {{- else }}
+ email_domains = "*"
+ {{- end }}
+ upstreams = [
{{ printf "http://%s:%d" "capacitor" 9000 | quote }} ]
+ podAnnotations:
+ # This might change on every `template` call, this can be ignored
+ checksum/secret: {{ include "common.utils.checksumTemplate" (dict "path" "/flux/oauth-proxy-secret.yaml" "context" $) }}
+{{- if eq (include "common.networkPolicy.type" $) "cilium" }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: capacitor-oauth-proxy-policy
+ namespace: flux-system
+ labels: {{- include "common.labels.standard" $ | nindent 4 }}
+ app.kubernetes.io/component: oauth
+ app.kubernetes.io/part-of: capacitor
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: "capacitor-oauth-proxy"
+ ingress:
+ - fromEndpoints:
+ - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.ingressLabels "context" $) | nindent 12 }}
+ toPorts:
+ - ports:
+ - port: "9000"
+ protocol: TCP
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: '*'
+ - toEntities:
+ - kube-apiserver
+ toPorts:
+ - ports:
+ - port: "6443"
+ - toFQDNs:
+ - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+ - toEndpoints:
+ - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.dnsLabels "context" $) | nindent 12 }}
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+{{- end }}
+---
+{{- end }}
diff --git a/charts/base-cluster/templates/flux/rbac-capacitor.yaml b/charts/base-cluster/templates/flux/rbac-capacitor.yaml
new file mode 100644
index 000000000..7139c666c
--- /dev/null
+++ b/charts/base-cluster/templates/flux/rbac-capacitor.yaml
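Review bot: The CiliumNetworkPolicy's `egress` section has no rule toward the capacitor pods, yet `upstreams` points the proxy at `http://capacitor:9000`; once an endpoint is selected by a policy that carries egress rules, Cilium denies every egress flow not listed, so as written the proxy should be unable to reach its upstream (the policy only renders when the network policy type is cilium, so this may not show up in every environment). The ingress rule on the proxy also admits port "9000", which is the upstream's port rather than the proxy's own listening port — the bitnami oauth2-proxy chart listens on 4180 unless `containerPort` is overridden, which this HelmRelease does not do — so both look copied from a sibling template and should be verified against the chart. I would add an egress entry to the capacitor endpoints on 9000/TCP and set the ingress port to the proxy's actual port. Minor: the policy's `app.kubernetes.io/component: oauth` label differs from the `oauth-proxy` value used on the HelmRelease and the Secret.
```yaml
  egress:
    - toEndpoints:
        - matchLabels:
            app.kubernetes.io/instance: capacitor  # confirm the label onechart puts on the capacitor pods
      toPorts:
        - ports:
            - port: "9000"
              protocol: TCP
    # … unchanged: kube-dns, kube-apiserver, issuer FQDN and dnsLabels entries …
```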
@@ -0,0 +1,60 @@
+{{- if .Values.flux.capacitor.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: capacitor
+ namespace: flux-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: capacitor
+rules:
+ - apiGroups:
+ - networking.k8s.io
+ - apps
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - ingresses
+ - deployments
+ - services
+ - secrets
+ - events
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - source.toolkit.fluxcd.io
+ - kustomize.toolkit.fluxcd.io
+ - helm.toolkit.fluxcd.io
+ resources:
+ - gitrepositories
+ - ocirepositories
+ - buckets
+ - helmrepositories
+ - helmcharts
+ - kustomizations
+ - helmreleases
+ verbs:
+ - get
+ - watch
+ - list
+ - patch # to allow force reconciling by adding an annotation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: capacitor
+subjects:
+ - kind: ServiceAccount
+ name: capacitor
+ namespace: flux-system
+roleRef:
+ kind: ClusterRole
+ name: capacitor
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json
index 6b1ca67a1..b372bedab 100644
--- a/charts/base-cluster/values.schema.json
+++ b/charts/base-cluster/values.schema.json
@@ -1284,6 +1284,18 @@
 ],
 "additionalProperties": false
 }
+ },
+ "capacitor": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "ingress": {
+ "$ref": "#/$defs/toolIngress"
+ }
+ },
+ "additionalItems": false
 }
 }
 "additionalProperties": false
diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
index 073adafe5..db7631384 100644
--- a/charts/base-cluster/values.yaml
+++ b/charts/base-cluster/values.yaml
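Review bot: The ClusterRole grants `get`/`list`/`watch` on `secrets` in every namespace and `patch` on every Flux Kustomization and HelmRelease; because Flux applies whatever those objects' spec points at, patch on them is close to cluster-admin, and the trailing comment `# to allow force reconciling by adding an annotation` understates that, since RBAC cannot limit a patch verb to annotations. This binding sits behind a dashboard whose only authentication is the optional oauth proxy, so the scope deserves an explicit comment, and ideally a check of whether capacitor needs Secrets at all or could be bound per watched namespace with a Role instead. I would at least replace the inline comment with `# patch covers the whole object, not just annotations: a capacitor user can change what Flux deploys`.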
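Review bot: `"additionalItems": false` on the new `capacitor` object has no effect, because `additionalItems` applies to arrays; the sibling objects in this schema use `"additionalProperties": false`, so an unknown or misspelled key under `flux.capacitor` will pass validation silently. Change the line to `"additionalProperties": false`.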
@@ -126,6 +126,11 @@ global:
 charts:
 descheduler: 0.30.x
 condition: "{{ .Values.descheduler.enabled }}"
+ onechart:
+ url: https://chart.onechart.dev
+ charts:
+ onechart: 0.70.x
+ condition: "{{ .Values.flux.capacitor.enabled }}"
 jetstack:
 url: https://charts.jetstack.io
 charts:
@@ -415,6 +420,12 @@ externalDNS:
 flux:
 gitRepositories: {}
+ capacitor:
+ enabled: false
+ ingress:
+ enabled: false
+ host: capacitor
+ customDomain: ""
 ingress:
 enabled: true