From 8392c4749948330341c93519450a36f11c953427 Mon Sep 17 00:00:00 2001 From: Maurice Faber Date: Sat, 28 Nov 2020 11:42:57 +0100 Subject: [PATCH] feat: added email+home receiver, moved cloud settings to own props --- .cspell.json | 2 - .demo/env/clouds/azure/overrides.azure.yaml | 3 - .../clouds/azure/secrets.overrides.azure.yaml | 5 - .demo/env/clusters.yaml | 1 - .demo/env/secrets.settings.yaml | 38 ++-- .demo/env/secrets.teams.yaml | 1 - .demo/env/settings.yaml | 54 +++--- .demo/env/teams.yaml | 5 + .values/.vscode/settings.json | 1 - .vscode/settings.json | 4 +- Dockerfile | 22 ++- bin/common.sh | 7 +- bin/otomi | 31 ++- bin/validate-templates.sh | 5 +- bin/validate-values.sh | 6 +- charts/keycloak/values.yaml | 2 +- charts/team-ns/templates/_helpers.tpl | 4 - helmfile.d/helmfile-60.teams.yaml | 28 +-- helmfile.d/snippets/azure-monitor.gotmpl | 19 ++ helmfile.d/snippets/env.gotmpl | 1 + values-schema.yaml | 176 ++++++++++-------- values/cloud/cloud-raw.gotmpl | 3 +- values/cloud/pv-azure.gotmpl | 4 +- .../cluster-autoscaler.gotmpl | 2 +- values/external-dns/external-dns.gotmpl | 11 +- values/jobs/keycloak.gotmpl | 1 + values/keycloak/keycloak.gotmpl | 15 ++ values/oauth2-proxy/oauth2-proxy-raw.gotmpl | 3 + values/oauth2-proxy/oauth2-proxy.gotmpl | 4 +- .../prometheus-operator.gotmpl | 24 +-- .../promitor-agent-scraper.gotmpl | 2 +- values/raw/istio-raw.gotmpl | 2 +- 32 files changed, 244 insertions(+), 242 deletions(-) create mode 100644 helmfile.d/snippets/azure-monitor.gotmpl diff --git a/.cspell.json b/.cspell.json index 9020b6c50d..8eeaa647eb 100644 --- a/.cspell.json +++ b/.cspell.json @@ -26,8 +26,6 @@ "mkilled", "nindent", "nslookup", - "oo", - "oo mkilled", "RAGRS", "jwks", "RAGZRS", diff --git a/.demo/env/clouds/azure/overrides.azure.yaml b/.demo/env/clouds/azure/overrides.azure.yaml index 45b26b4e69..e3efd97e9f 100644 --- a/.demo/env/clouds/azure/overrides.azure.yaml +++ b/.demo/env/clouds/azure/overrides.azure.yaml 
@@ -4,8 +4,5 @@ charts: - aks.otomi.cloud azure: region: westeurope -clouds: - azure: - diskType: Standard_LRS otomi: hasCloudLB: true diff --git a/.demo/env/clouds/azure/secrets.overrides.azure.yaml b/.demo/env/clouds/azure/secrets.overrides.azure.yaml index 46b9cbea13..f3548f98ab 100644 --- a/.demo/env/clouds/azure/secrets.overrides.azure.yaml +++ b/.demo/env/clouds/azure/secrets.overrides.azure.yaml @@ -1,8 +1,3 @@ -clouds: - azure: - resourceGroup: somesecretvalue - tenantId: somesecretvalue - subscriptionId: somesecretvalue charts: cert-manager: azureClientSecret: somesecretvalue diff --git a/.demo/env/clusters.yaml b/.demo/env/clusters.yaml index 433dd2045b..212dfc2f73 100644 --- a/.demo/env/clusters.yaml +++ b/.demo/env/clusters.yaml @@ -10,7 +10,6 @@ clouds: otomiVersion: 'master' region: eu-central-1 google: - projectId: otomi-cloud domain: gke.otomi.cloud clusters: demo: diff --git a/.demo/env/secrets.settings.yaml b/.demo/env/secrets.settings.yaml index d0b6fff5b3..5a9cbe74dd 100644 --- a/.demo/env/secrets.settings.yaml +++ b/.demo/env/secrets.settings.yaml 
@@ -1,28 +1,30 @@ oidc: clientSecret: somesecretvalue - idp: - clientSecret: somesecretvalue otomi: pullSecret: c29tZXNlY3JldHZhbHVlCg== - -clouds: - google: - cloudDnsKey: | - { - "type": "service_account", - "project_id": "project_id-cloud", - "private_key_id": "private_key_id", - "private_key": "-----BEGIN PRIVATE KEY-----\n private_key ----END PRIVATE KEY-----\n", - "client_email": "client_email", - "client_id": "client_id", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://oauth2.googleapis.com/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dnsmanager%40otomi-cloud.iam.gserviceaccount.com" - } +azure: + monitor: + clientId: somesecretvalue + clientSecret: somesecretvalue +google: + cloudDnsKey: | + { + "type": "service_account", + "project_id": "project_id-cloud", + "private_key_id": "private_key_id", + "private_key": "-----BEGIN PRIVATE KEY-----\n private_key ----END PRIVATE KEY-----\n", + "client_email": "client_email", + "client_id": "client_id", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dnsmanager%40otomi-cloud.iam.gserviceaccount.com" + } home: slack: url: https://hooks.slack.com/services/id alerts: slack: url: https://hooks.slack.com/services/id + email: + to: admins@yourdoma.in diff --git a/.demo/env/secrets.teams.yaml b/.demo/env/secrets.teams.yaml index 55a76be8d6..e2f752a95d 100644 --- a/.demo/env/secrets.teams.yaml +++ b/.demo/env/secrets.teams.yaml @@ -1,7 +1,6 @@ teamConfig: teams: demo: - azure: {} oidc: groupMapping: somesecretvalue password: somesecretvalue diff --git a/.demo/env/settings.yaml b/.demo/env/settings.yaml index b6eec6c8af..e25c334188 100644 
--- a/.demo/env/settings.yaml +++ b/.demo/env/settings.yaml @@ -1,28 +1,38 @@ -otomi: - mode: ce - isManaged: true - isMultitenant: true - isHomeMonitored: true - teamPrefix: team- - hasCloudLB: false +alerts: + drone: slack + email: + from: admins@your.cloud + smarthost: some.smtp.host + receivers: + - slack + - email +azure: + diskType: Standard_LRS + resourceGroup: somevalue + subscriptionId: somevalue + tenantId: somevalue customer: name: demo -oidc: - clientID: someClientID - clientSecret: someClientSecret - issuer: https://login.microsoftonline.com/57a3f6ea-7e70-4260-acb4-e06ce452f695 - tenantID: 57a3f6ea-7e70-4260-acb4-e06ce452f695 - adminGroupID: someAdminGroupID - teamAdminGroupID: someTeamAdminGroupID - scope: openid email profile +google: + projectId: otomi-cloud home: - receivers: [slack] + receivers: + - slack slack: channel: mon-otomi channelCrit: mon-otomi-crit -alerts: - drone: slack - receivers: [slack, email] - email: - from: admins@your.cloud - smarthost: some.smtp.host +oidc: + adminGroupID: someAdminGroupID + clientID: someClientID + clientSecret: someClientSecret + issuer: 'https://login.microsoftonline.com/57a3f6ea-7e70-4260-acb4-e06ce452f695' + scope: openid email profile + teamAdminGroupID: someTeamAdminGroupID + tenantID: 57a3f6ea-7e70-4260-acb4-e06ce452f695 +otomi: + hasCloudLB: false + isHomeMonitored: true + isManaged: true + isMultitenant: true + mode: ce + teamPrefix: team- diff --git a/.demo/env/teams.yaml b/.demo/env/teams.yaml index 20b0921c44..4fc7c62677 100644 --- a/.demo/env/teams.yaml +++ b/.demo/env/teams.yaml @@ -2,3 +2,8 @@ teamConfig: teams: demo: id: demo + clusters: + - aws/demo + - azure/demo + - google/demo + - onprem/demo diff --git a/.values/.vscode/settings.json b/.values/.vscode/settings.json index 3f6263d3e1..4a495f722a 100644 --- a/.values/.vscode/settings.json +++ b/.values/.vscode/settings.json 
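Review bot: The `azure.resourceGroup`, `subscriptionId` and `tenantId` values added to `.demo/env/settings.yaml` in this hunk were previously kept in `secrets.overrides.azure.yaml` (removed in an earlier hunk of this patch), so the commit also reclassifies them from encrypted to plaintext configuration. They are identifiers rather than credentials, so that is defensible, but it is not stated anywhere, and the credential-bearing `azure.monitor.clientId`/`clientSecret` stay in `secrets.settings.yaml`. A one-line comment above the block, `# non-secret Azure identifiers; the monitor credentials live under azure.monitor in secrets.settings.yaml`, would make the split explicit for whoever copies the demo layout.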
@@ -18,7 +18,6 @@ "sops.defaults.gcpCredentialsPath": "gcp-key.json", "sops.enabled": true, "yaml.schemas": { - "http://json-schema.org/draft/2019-09/schema#": ".vscode/values-schema.yaml", ".vscode/values-schema.yaml": "env/*.yaml" } } diff --git a/.vscode/settings.json b/.vscode/settings.json index 19bfe4e502..bf8486cc6c 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -24,8 +24,8 @@ "CONTRIBUTING": "markdown" }, "yaml.schemas": { - "http://json-schema.org/draft/2019-09/schema#": "./values-schema.yaml", - "http://json-schema.org/draft/2019-09/schema#": ".vscode/values-schema.yaml", + // "http://json-schema.org/draft/2019-09/schema#": "./values-schema.yaml", + // "http://json-schema.org/draft/2019-09/schema#": ".vscode/values-schema.yaml", ".values/values-schema.yaml": ".demo/env/*.yaml" }, "shellformat.flag": "-i 2 -ci" diff --git a/Dockerfile b/Dockerfile index b2d8ec6c65..0f704f1a8e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,30 +1,34 @@ -FROM node:14-slim as ci +FROM node:14-slim as npm ARG SKIP_TESTS='false' -ENV EXIT_FAST='true' +ENV CI=true ENV APP_HOME=/home/app/stack RUN mkdir -p $APP_HOME WORKDIR $APP_HOME -COPY package*.json ./ COPY . . COPY ./.cspell.json . -RUN cp -r .demo/ env/ -RUN [ "$SKIP_TESTS" = 'false' ] && \ - npm install && \ - npm run spellcheck && \ - bin/validate-values.sh && \ - bin/validate-templates.sh || true +RUN if [ "$SKIP_TESTS" = 'false' ]; then \ + npm install cspell && npm run spellcheck; fi #----------------------------- FROM otomi/tools:1.4.8 as prod +ARG SKIP_TESTS='false' +ENV CI=true + ENV APP_HOME=/home/app/stack RUN mkdir -p $APP_HOME WORKDIR $APP_HOME COPY . . +RUN if [ "$SKIP_TESTS" = 'false' ]; then \ + cp -r .demo/ env/ && \ + bin/validate-values.sh && \ + bin/validate-templates.sh && \ + rm -rf env/*; fi + CMD ["bin/otomi"] \ No newline at end of file diff --git a/bin/common.sh b/bin/common.sh index 19524a15d5..8a4da3754c 100644 --- a/bin/common.sh +++ b/bin/common.sh 
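Review bot: `ENV CI=true` in the `prod` stage is a persistent image variable, so every container started from this image runs `bin/otomi` with `CI` set; elsewhere in this patch that flag makes `drun` skip the kube-context check (`check_kube_context=0`) and makes the validate scripts `set -e`, which is build-time behaviour leaking into runtime. If the variable is only needed for the validation step, scope it to that `RUN` line, e.g. `RUN if [ "$SKIP_TESTS" = 'false' ]; then cp -r .demo/ env/ && CI=true bin/validate-values.sh && CI=true bin/validate-templates.sh && rm -rf env/*; fi`, and drop the stage-level `ENV CI=true` (the `npm` stage is never copied from, so its `ENV` does not reach the final image). Note also that the unconditional `COPY . .` still places the `.demo` secrets files in the image layer regardless of `SKIP_TESTS`; the later `rm -rf env/*` only removes the copy under `env/`, so this is only acceptable while those files hold placeholder values.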
@@ -50,10 +50,9 @@ for_each_cluster() { executable=$1 [[ -z "$executable" ]] && echo "ERROR: the positional argument is not set" local clustersPath="$ENV_DIR/env/clusters.yaml" - clouds=($(yq r -j $clustersPath clouds | jq -r '.|keys[]')) - - for cloud in "${clouds[@]}"; do - clusters=($(yq r -j $clustersPath clouds.${cloud}.clusters | jq -r '. | keys[]')) + clouds=$(yq r -j $clustersPath clouds | jq -rc '.|keys[]') + for cloud in $clouds; do + clusters=($(yq r -j $clustersPath clouds.${cloud}.clusters | jq -rc '. | keys[]')) for cluster in "${clusters[@]}"; do CLOUD=$cloud CLUSTER=$cluster $executable done diff --git a/bin/otomi b/bin/otomi index 60584e6336..7964e8d512 100755 --- a/bin/otomi +++ b/bin/otomi @@ -14,7 +14,8 @@ set -e command=$1 -[ "$ENV_DIR" = "" ] && env_unset=1 +env_unset='false' +[ "$ENV_DIR" = "" ] && env_unset='true' ENV_DIR=${ENV_DIR:-$PWD} [ "$ENV_DIR" = "/home/app/stack" ] && ENV_DIR=$ENV_DIR/env @@ -32,10 +33,8 @@ function verbose_env() { echo "command=$command" } -# VERBOSE - export this varibale to run this script in verbose mode -VERBOSE=${VERBOSE:-'true'} -# EXIT_FAST - export this varaibale to exit the script on error -EXIT_FAST=${EXIT_FAST:-'true'} +# VERBOSE - set this variable to run this script in verbose mode +VERBOSE=${VERBOSE:-''} # check_kube_context - a flag to indicate to use kube context and to refresh kube access token before running command in docker check_kube_context=1 
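Review bot: `clouds` and `clusters`, assigned on the new lines of `for_each_cluster`, are not declared `local` (unlike `clustersPath` just above), so each call overwrites any same-named variable in the caller's scope. Declaring them with `local clouds` / `local clusters` keeps the loop self-contained and costs two tokens. The `[[ -z "$executable" ]] && echo "ERROR: the positional argument is not set"` guard in the context above only prints and then continues into the loop with an empty command; appending `&& return 1` there is a one-token fix, though that line predates this commit.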
@@ -55,10 +54,10 @@ readme_url='https://github.com/redkubes/otomi-core' function set_env_and_stack_dir() { local cwd=$(basename "$PWD") - [ "$VERBOSE" = "1" ] && echo "CWD: $cwd" + [ "$VERBOSE" != "" ] && echo "CWD: $cwd" if [ "$cwd" = "otomi-core" ]; then - [ "$env_unset" = "1" ] && echo "Error: The ENV_DIR environment variable is not set" >&2 && exit 1 - [ "$VERBOSE" = "1" ] && echo "Mounting otomi-core dir" + [ "$env_unset" = 'true' ] && echo "Error: The ENV_DIR environment variable is not set" >&2 && exit 1 + [ "$VERBOSE" != "" ] && echo "Mounting otomi-core dir" stack_dir=$PWD mount_stack_dir=1 fi @@ -95,7 +94,7 @@ function show_usage() { Env flags: VERBOSE=1; Run otomi CLI in verbose mode - EXIT_FAST=1 Exit the script after first error + CI=true Exit the script after first error " } @@ -121,9 +120,7 @@ function evaluate_k8s_context() { function validate_k8s_context() { local context=$(kubectl config current-context) if [[ "$K8S_CONTEXT" != "$context" ]]; then - echo "Warning: Your current kubernetes context does not match target context: $K8S_CONTEXT" - echo "" - read -p "Would you like to switch kube context to target first? Yn" oki + read -p "Warning: Your current kubernetes context does not match target context: $K8S_CONTEXT. Would you like to switch kube context to target first? Yn" oki if [ "${oki:-y}" = "y" ]; then kubectl config use $K8S_CONTEXT drun bin/bootstrap.sh 1 @@ -189,8 +186,8 @@ function drun() { local stack_volume='' local socket_volume='' + [ "$VERBOSE" != "" ] && echo "Running in CI: $CI" if [ "$CI" != "" ]; then - [ "$VERBOSE" = "1" ] && echo "Running in CI: $CI" check_kube_context=0 else socket_volume="-v /var/run/docker.sock:/var/run/docker.sock" 
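Review bot: The verbosity checks in this hunk are switched to `[ "$VERBOSE" != "" ]`, but the `drun` hunk further down still tests `[ "$VERBOSE" = "1" ]` before `echo "Running dockerized version of command: $command"`, and `show_usage` still documents `VERBOSE=1`, so a value such as `VERBOSE=true` now enables some messages but not that one. Using the same test everywhere, `[ "$VERBOSE" != "" ]`, matches the new default `VERBOSE=${VERBOSE:-''}` introduced in the previous hunk. The same applies to the usage text: `VERBOSE=<any value>; Run otomi CLI in verbose mode` would describe the new behaviour accurately.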
@@ -214,7 +211,7 @@ function drun() { # use docker run if has_docker AND either: # - not in docker # - in docker AND force docker - if [[ ("$CI" = "") && $has_docker -eq 1 && ("$IN_DOCKER" != "1" || $dind -eq 1) ]]; then + if [[ $has_docker -eq 1 && ("$IN_DOCKER" != "1" || $dind -eq 1) ]]; then [ "$VERBOSE" = "1" ] && echo "Running dockerized version of command: $command" docker run $docker_terminal_params --rm \ $stack_volume $socket_volume -v /tmp:/tmp \ @@ -234,7 +231,7 @@ function drun() { -e GCLOUD_SERVICE_KEY="$GCLOUD_SERVICE_KEY" \ -e CLUSTER="$CLUSTER" \ -e K8S_CONTEXT="$K8S_CONTEXT" \ - -e EXIT_FAST="$EXIT_FAST" \ + -e CI="$CI" \ -w $stack_dir \ $cmd_image \ $command @@ -269,7 +266,7 @@ function execute() { ;; bash) check_kube_context=0 - docker_terminal_params='-it' + docker_terminal_params='-t' drun bash ;; bootstrap) @@ -286,7 +283,7 @@ function execute() { check_sops_file check_kube_context=0 evaluate_secrets - if [ "$@" != "" ]; then + if [[ "$@" != "" ]]; then for f in $@; do echo "Decrypting $f" drun helm secrets dec ./env/$f >/dev/null diff --git a/bin/validate-templates.sh b/bin/validate-templates.sh index 9d87d2cdeb..fd595d813f 100755 --- a/bin/validate-templates.sh +++ b/bin/validate-templates.sh @@ -1,8 +1,7 @@ #!/usr/bin/env bash +[ "$CI" != "" ] && set -e set -uo pipefail -EXIT_FAST=${EXIT_FAST:-'true'} -[ $EXIT_FAST = 'true' ] && set -e schemaOutputPath="/tmp/otomi/kubernetes-json-schema/master" outputPath="/tmp/otomi/generated-crd-schemas" @@ -62,7 +61,7 @@ process_crd() { jq -S -c --raw-output -f "$extractCrdSchemaJQFile" >>"$schemasBundleFile" } || { echo "ERROR Processing: $document" - [ $EXIT_FAST = 'true' ] && exit 1 + [ "$CI" != "" ] && exit 1 } } diff --git a/bin/validate-values.sh b/bin/validate-values.sh index fe100af065..a9c5c09424 100755 --- a/bin/validate-values.sh +++ b/bin/validate-values.sh 
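Review bot: `docker_terminal_params='-t'` for the `bash` subcommand drops `-i`, so `docker run` allocates a TTY but no longer attaches stdin; unless input is connected some other way, the interactive shell cannot receive keystrokes. If the motivation was the "input device is not a TTY" failure in CI, that error comes from `-t` without a terminal rather than from `-i`, so keeping `-it` (or choosing `-i` when no TTY is present) looks like the safer fix — please confirm what was observed. Separately, `if [[ "$@" != "" ]]` relies on how `"$@"` expands inside `[[ ]]`; `if [[ $# -gt 0 ]]; then` states the intent directly, and `for f in "$@"; do` avoids word-splitting the file names. Removing `("$CI" = "")` from the `docker run` condition means CI runs are now containerised as well, with `-e CI="$CI"` forwarded; that appears intended but deserves a line in the commit message.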
@@ -1,8 +1,7 @@ #!/usr/bin/env bash +[ "$CI" != "" ] && set -e set -uo pipefail -EXIT_FAST=${EXIT_FAST:-'true'} -[ $EXIT_FAST = 'true' ] && set -e . bin/common.sh @@ -18,9 +17,8 @@ trap cleanup EXIT ERR validate_values() { local values_path="$tmp_path/$CLOUD-$CLUSTER.yaml" - hf_values >$values_path - ajv validate -s './values-schema.yaml' -d $values_path --all-errors --extend-refs=fail >/dev/null + ajv test -s './values-schema.yaml' -d $values_path --all-errors --extend-refs=fail --valid } for_each_cluster validate_values diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml index 742ae6e64e..56747bb533 100755 --- a/charts/keycloak/values.yaml +++ b/charts/keycloak/values.yaml @@ -25,7 +25,7 @@ keycloak: image: repository: docker.io/jboss/keycloak # Overrides the image tag whose default is the chart version. - tag: "" + tag: "10.0.2" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/team-ns/templates/_helpers.tpl b/charts/team-ns/templates/_helpers.tpl index c0b19c20bd..faa9e29835 100644 --- a/charts/team-ns/templates/_helpers.tpl +++ b/charts/team-ns/templates/_helpers.tpl @@ -118,10 +118,6 @@ metadata: rewrite ^/$ https://otomi.{{ .cluster.domain }}/ permanent; rewrite ^(/tracing)$ $1/ permanent; {{- end }} - {{- if .hasAuth }} - # TODO: remove once we have groups support via oidc - proxy_set_header Auth-Group "{{ .teamId }}"; - {{- end }} {{- end }} labels: {{- include "chart-labels" .dot | nindent 4 }} name: {{ $.provider }}-team-{{ .teamId }}-{{ .name }} diff --git a/helmfile.d/helmfile-60.teams.yaml b/helmfile.d/helmfile-60.teams.yaml index a2ac9ba94d..d28a18f2c8 100644 --- a/helmfile.d/helmfile-60.teams.yaml +++ b/helmfile.d/helmfile-60.teams.yaml 
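Review bot: The new `validate_values` runs `ajv test -s './values-schema.yaml' -d $values_path ... --valid`, but the line that produced that file, `hf_values >$values_path`, is removed in the same hunk and nothing else in the hunk writes `$values_path`, so unless the rendered values are generated elsewhere (outside this view) ajv is now handed a path that does not exist. If the generation moved, either keep `hf_values >$values_path` before the ajv call or point `-d` at wherever the rendered values now land. Also note that with the new `[ "$CI" != "" ] && set -e`, a failing `ajv test --valid` only aborts the run when `CI` is set; outside CI the loop continues past invalid values, which may be intended but should be stated in the script header.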
@@ -145,31 +145,8 @@ releases: access: proxy url: http://graphite.monitoring:80 {{- end }} - {{- if and (eq $v.cluster.provider "azure") }} - {{- $monitor := ($team | get "azure.monitor" ($v.clouds.azure | get "monitor" nil)) }} - {{- with $monitor }} - {{- $a := $v.clouds.azure }} - - name: Azure Monitor - type: grafana-azure-monitor-datasource - access: proxy - jsonData: - cloudName: azuremonitor - subscriptionId: {{ $a.subscriptionId }} - tenantId: {{ $a.tenantId }} - clientId: {{ .clientId }} - logAnalyticsTenantId: {{ . | get "logAnalyticsTenantId" $a.tenantId }} - logAnalyticsClientId: {{ . | get "logAnalyticsClientId" .clientId }} - logAnalyticsDefaultWorkspace: {{ .logAnalyticsWorkspace }} - appInsightsAppId: {{ . | get "appInsightsAppId" .clientId }} - azureLogAnalyticsSameAs: true - keepCookies: [] - secureJsonData: - clientSecret: {{ .clientSecret }} - logAnalyticsClientSecret: {{ . | get "logAnalyticsClientSecret" .clientSecret }} - appInsightsAppSecret : {{ . | get "appInsightsAppSecret" .clientSecret }} - version: 4 - editable: false - {{- end }} + {{- if and (eq $v.cluster.provider "azure") ($team | get "azure.monitor" ($v | get "azure.monitor" nil)) }} + - {{- tpl (readFile "../helmfile.d/snippets/azure-monitor.gotmpl") (dict "monitor" ($team | get "azureMonitor" dict) "azure" $v.azure) | toString | nindent 14 }} {{- end }} {{ if has "msteams" ($team | get "receivers" list) }} - name: prometheus-msteams-{{ $teamId }} @@ -210,6 +187,7 @@ releases: - azure{{ end }} {{- if $team | get "stack.sitespeed" false }} - sitespeed{{ end }} + {{- end }} {{- end }} {{- end }} diff --git a/helmfile.d/snippets/azure-monitor.gotmpl b/helmfile.d/snippets/azure-monitor.gotmpl new file mode 100644 index 0000000000..2222c99f04 --- /dev/null +++ b/helmfile.d/snippets/azure-monitor.gotmpl 
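Review bot: The new condition reads the team setting as `$team | get "azure.monitor"` while the value passed to the snippet is `$team | get "azureMonitor" dict`, and the schema hunk in this patch renames the team property from `azure` to `azureMonitor`, so a team that configures only `azureMonitor` (with no cluster-level `azure.monitor`) never gets the datasource, and a team still using the old `azure.monitor` key enables it but has its values ignored. Using one key in both places, `{{- if and (eq $v.cluster.provider "azure") ($team | get "azureMonitor" ($v | get "azure.monitor" nil)) }}`, keeps the guard and the data consistent. The extra `{{- end }}` added in the second hunk closes a block whose opening lies outside the hunk, so the nesting could not be checked from here.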
@@ -0,0 +1,19 @@ +name: Azure Monitor +type: grafana-azure-monitor-datasource +access: proxy +jsonData: + cloudName: azuremonitor + subscriptionId: {{ .azure.subscriptionId }} + tenantId: {{ .azure.tenantId }} + clientId: {{ .monitor | get "clientId" (.azure | get "monitor.clientId") }} + logAnalyticsTenantId: {{ .monitor | get "logAnalyticsTenantId" (.azure | get "monitor.logAnalyticsTenantId" .azure.tenantId) }} + logAnalyticsClientId: {{ .monitor | get "logAnalyticsClientId" (.azure | get "monitor.logAnalyticsClientId" (.azure | get "monitor.clientId")) }} + logAnalyticsDefaultWorkspace: {{ .monitor | get "logAnalyticsWorkspace" (.azure | get "monitor.logAnalyticsWorkspace" nil) }} + appInsightsAppId: {{ .monitor | get "appInsightsAppId" (.monitor | get "clientId" (.azure | get "monitor.appInsightsAppId" (.azure | get "monitor.clientId"))) }} + keepCookies: [] +secureJsonData: + clientSecret: {{ .monitor | get "clientSecret" (.azure | get "monitor.clientSecret") }} + logAnalyticsClientSecret: {{ .monitor | get "logAnalyticsClientSecret" (.azure | get "monitor.logAnalyticsSecret" (.azure | get "monitor.clientSecret")) }} + appInsightsApiKey : {{ .monitor | get "appInsightsApiKey" (.azure | get "monitor.appInsightsApiKey" (.azure | get "monitor.clientSecret")) }} +version: 4 +editable: false \ No newline at end of file diff --git a/helmfile.d/snippets/env.gotmpl b/helmfile.d/snippets/env.gotmpl index 0a91e4c68f..78023fecc6 100644 --- a/helmfile.d/snippets/env.gotmpl +++ b/helmfile.d/snippets/env.gotmpl @@ -17,6 +17,7 @@ - ../env/env/clouds/{{ .cluster.provider }}/{{ .cluster.name }}/overrides.{{ .cluster.provider }}-{{ .cluster.name }}.yaml {{- range $team := $teams }} - ../env/env/clouds/{{ $v.cluster.provider }}/{{ $v.cluster.name }}/services.{{ $team }}.yaml + - ../env/env/clouds/{{ $v.cluster.provider }}/{{ $v.cluster.name }}/jobs.{{ $team }}.yaml {{- end }} - ../core.yaml - sops: {{ $sops | toYaml | nindent 8 }} 
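Review bot: `logAnalyticsClientSecret` in the new snippet falls back to `.azure | get "monitor.logAnalyticsSecret" ...`, but the `azureMonitor` definition added to `values-schema.yaml` in this patch names that property `logAnalyticsClientSecret`, so a cluster-level `azure.monitor.logAnalyticsClientSecret` is silently ignored in favour of the generic `clientSecret`; the fallback should read `(.azure | get "monitor.logAnalyticsClientSecret" (.azure | get "monitor.clientSecret"))`. The `appInsightsAppId` chain consults `.monitor.clientId` before `.azure.monitor.appInsightsAppId`, so a cluster-wide app id can never take precedence over a team `clientId` — confirm that ordering is intended. `logAnalyticsDefaultWorkspace` defaults to `nil`, which a Go template can render as `<no value>` rather than as an empty string; if the workspace is optional, default to `""`. Because the fallback chains are hard to read, a header comment stating the precedence (team value, then cluster `azure.monitor`, then the generic client id/secret) would help the next maintainer.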
diff --git a/values-schema.yaml b/values-schema.yaml index 27bc4fad6a..bbbd829083 100644 --- a/values-schema.yaml +++ b/values-schema.yaml @@ -12,10 +12,12 @@ definitions: type: string pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ droneGit: - clientID: - type: string - clientSecretValue: - type: string + type: object + properties: + clientID: + type: string + clientSecretValue: + type: string registry: type: string pattern: ^[a-z0-9]+(?:[._-][a-z0-9]+)*$ @@ -246,10 +248,36 @@ definitions: type: string required: [smarthost, to] required: [receivers] + azureMonitor: + type: object + properties: + clientId: + type: string + description: An Azure client id + clientSecret: + type: string + description: An Azure client secret + appInsightsAppId: + type: string + description: An Azure AppInsights client id (defaults to clientId) + appInsightsApiKey: + type: string + description: An Azure AppInsights client secret (defaults to clientSecret) + logAnalyticsTenantId: + type: string + description: An Azure tenant id (defaults to tenantId) + logAnalyticsClientId: + type: string + description: An Azure client secret (defaults to clientSecret) + logAnalyticsClientSecret: + type: string + description: An Azure client secret (defaults to clientSecret) + logAnalyticsWorkspace: + type: string + description: An Azure monitor log analytics workspace cloud: description: A common cloud configuration type: object - additionalProperties: false properties: domain: '$ref': '#/definitions/domain' 
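Review bot: The description for `logAnalyticsClientId` in the new `azureMonitor` definition reads `An Azure client secret (defaults to clientSecret)`, copied from the secret entry below it; the snippet in this patch defaults it to the client id, so `description: An Azure client id (defaults to clientId)` is the accurate text. Removing `additionalProperties: false` from `cloud` means keys left behind under `clouds.azure` / `clouds.google` after this migration (for example a stale `diskType`, which now belongs at top-level `azure`) are accepted rather than rejected, so validation can no longer catch the very move this commit makes; if no extra keys are expected there, restore the line. The `droneGit` change to a proper `type: object` with `properties` is a correct fix of a previously inert definition.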
@@ -259,56 +287,6 @@ definitions: '$ref': '#/definitions/cluster' additionalProperties: false required: [domain, clusters] - cloudAzure: - description: An azure cloud specific configuration - type: object - additionalProperties: false - properties: - diskType: - type: string - enum: - [ - Standard_LRS, - Standard_GRS, - Standard_RAGRS, - Standard_ZRS, - Premium_LRS, - Premium_ZRS, - Standard_GZRS, - Standard_RAGZRS, - ] - description: An azure disk type (SKU Type) - monitor: - type: object - properties: - clientId: - type: string - description: An azure client id - clientSecret: - type: string - description: An azure client secret - resourceGroup: - type: string - description: An azure resource group - subscriptionId: - type: string - description: An azure subscription ID - tenantId: - type: string - description: An azure tenant ID - required: [diskType, resourceGroup, subscriptionId, tenantId] - cloudGoogle: - description: A google cloud specific configuration - type: object - additionalProperties: false - properties: - cloudDnsKey: - type: integer - description: A service account key for managing a DNS zone - projectId: - type: string - description: A Google Cloud project ID for accessing DNS zone - required: [cloudDnsKey, projectId] cluster: type: object additionalProperties: false @@ -360,12 +338,8 @@ definitions: properties: alerts: '$ref': '#/definitions/alerts' - azure: - '$ref': '#/definitions/cloudAzure' - additionalProperties: - useAdmin: - type: boolean - default: true + azureMonitor: + '$ref': '#/definitions/azureMonitor' id: '$ref': '#/definitions/idName' description: Must be the same as the name. 
@@ -540,6 +514,45 @@ definitions: required: [id, name] required: [id] properties: + azure: + description: Azure specific configuration + type: object + properties: + diskType: + type: string + enum: + - Standard_LRS + - Standard_GRS + - Standard_RAGRS + - Standard_ZRS + - Premium_LRS + - Premium_ZRS + - Standard_GZRS + - Standard_RAGZRS + description: An Azure disk type (SKU Type) + monitor: + '$ref': '#/definitions/azureMonitor' + resourceGroup: + type: string + description: An Azure resource group + subscriptionId: + type: string + description: An Azure subscription ID + tenantId: + type: string + description: An Azure tenant ID + required: [diskType, resourceGroup, subscriptionId, tenantId] + google: + description: Google specific configuration + type: object + properties: + cloudDnsKey: + type: string + description: A service account key for managing a DNS zone + projectId: + type: string + description: A Google Cloud project ID for accessing DNS zone + required: [cloudDnsKey, projectId] home: '$ref': '#/definitions/alerts' alerts: @@ -691,21 +704,24 @@ properties: additionalProperties: false properties: github: - '$ref': '#/definitions/droneGit' - additionalProperties: - server: - type: string - default: https://github.com + allOf: + - '$ref': '#/definitions/droneGit' + - properties: + server: + type: string + default: https://github.com gitlab: - '$ref': '#/definitions/droneGit' - additionalProperties: - server: - type: string + allOf: + - '$ref': '#/definitions/droneGit' + - properties: + server: + type: string gitea: - '$ref': '#/definitions/droneGit' - additionalProperties: - server: - type: string + allOf: + - '$ref': '#/definitions/droneGit' + - properties: + server: + type: string gogs: properties: server: 
@@ -1137,13 +1153,9 @@ properties: aws: '$ref': '#/definitions/cloud' azure: - allOff: - - '$ref': '#/definitions/cloud' - - '$ref': '#/definitions/cloudAzure' + '$ref': '#/definitions/cloud' google: - allOff: - - '$ref': '#/definitions/cloud' - - '$ref': '#/definitions/cloudGoogle' + '$ref': '#/definitions/cloud' onprem: '$ref': '#/definitions/cloud' customer: @@ -1162,9 +1174,9 @@ properties: clientSecret: type: string issuer: - type: string + '$ref': '#/definitions/url' jwksUri: - type: string + '$ref': '#/definitions/url' authUrl: '$ref': '#/definitions/url' tokenUrl: diff --git a/values/cloud/cloud-raw.gotmpl b/values/cloud/cloud-raw.gotmpl index e7558a59ae..448242ddd8 100644 --- a/values/cloud/cloud-raw.gotmpl +++ b/values/cloud/cloud-raw.gotmpl @@ -1,4 +1,3 @@ {{- $v := .Environment.Values }} -{{- $azureDiskType := (index $v | get "clouds.azure.diskType" "") }} resources: -{{ tpl (readFile (printf "pv-%s.gotmpl" $v.cluster.provider)) (dict "type" $azureDiskType) }} \ No newline at end of file +{{ tpl (readFile (printf "pv-%s.gotmpl" $v.cluster.provider)) ($v | get $v.cluster.provider dict) }} \ No newline at end of file diff --git a/values/cloud/pv-azure.gotmpl b/values/cloud/pv-azure.gotmpl index 8f8d6615ce..33d6cbd900 100644 --- a/values/cloud/pv-azure.gotmpl +++ b/values/cloud/pv-azure.gotmpl @@ -4,7 +4,7 @@ name: std parameters: kind: Managed - storageaccounttype: {{ .type }} + storageaccounttype: {{ .diskType }} provisioner: kubernetes.io/azure-disk allowVolumeExpansion: true reclaimPolicy: Delete @@ -15,7 +15,7 @@ name: fast parameters: kind: Managed - storageaccounttype: {{ .type }} + storageaccounttype: {{ .diskType }} provisioner: kubernetes.io/azure-disk allowVolumeExpansion: true reclaimPolicy: Delete diff --git a/values/cluster-autoscaler/cluster-autoscaler.gotmpl b/values/cluster-autoscaler/cluster-autoscaler.gotmpl index dc3d972130..8b9335e715 100644 --- a/values/cluster-autoscaler/cluster-autoscaler.gotmpl 
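Review bot: `cloud-raw.gotmpl` now hands the whole provider map, `$v | get $v.cluster.provider dict`, to the `pv-*.gotmpl` template, which for Azure includes `resourceGroup`, `subscriptionId`, `tenantId` and the `monitor` block with its client secret, while `pv-azure.gotmpl` only reads `.diskType`. Nothing is rendered unless referenced, so this is not a leak today, but passing only what the template needs, e.g. `(dict "diskType" ($v | get (printf "%s.diskType" $v.cluster.provider) ""))`, keeps credentials out of a storage-class template's scope by construction; confirm the other `pv-*.gotmpl` files need nothing else before narrowing it. The switch of `issuer`/`jwksUri` to `'$ref': '#/definitions/url'` in the schema hunk above is a welcome tightening.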
+++ b/values/cluster-autoscaler/cluster-autoscaler.gotmpl @@ -12,7 +12,7 @@ autoDiscovery: cloudProvider: {{ $v.cluster.provider }} {{- if eq $v.cluster.provider "azure" }} -{{- $a := $v.clouds.azure }} +{{- $a := $v.azure }} azureClientID: {{ $a.clientId }} azureClientSecret: {{ $a.clientSecret }} azureResourceGroup: {{ $a.resourceGroup }} diff --git a/values/external-dns/external-dns.gotmpl b/values/external-dns/external-dns.gotmpl index f4e26a3de9..85a1dc8034 100644 --- a/values/external-dns/external-dns.gotmpl +++ b/values/external-dns/external-dns.gotmpl @@ -1,9 +1,6 @@ {{- $v := .Environment.Values }} {{- $dns := $v.charts | get "external-dns" dict }} {{- $dnsProvider := $v.cluster | get "dnsProvider" $v.cluster.provider }} -{{- $google := $v | get "clouds.google" dict }} -{{- $aws := $v | get "clouds.aws" dict }} -{{- $azure := $v | get "clouds.azure" dict }} sources: - ingress - istio-gateway @@ -11,16 +8,16 @@ sources: provider: {{ $dnsProvider }} {{- if eq $dnsProvider "google" }} google: - project: {{ $google.projectId }} + project: {{ $v.google.projectId }} serviceAccountKey: | - {{- $google.cloudDnsKey | nindent 4 }} + {{- $v.google.cloudDnsKey | nindent 4 }} {{- else if and (eq $dnsProvider "aws") (hasKey $dns "aws") }} aws: {{- $dns.aws | toYaml | nindent 2 }} {{- else if eq $dnsProvider "azure" }} azure: {{- $dns.azure | toYaml | nindent 2 }} - tenantId: {{ $azure.tenantId }} - subscriptionId: {{ $azure.subscriptionId }} + tenantId: {{ $v.azure.tenantId }} + subscriptionId: {{ $v.azure.subscriptionId }} {{- end }} domainFilters: {{ $dns | get "domainFilters" | toYaml | nindent 2 }} zoneIdFilters: {{ $dns | get "zoneIdFilters" list | toYaml | nindent 2 }} diff --git a/values/jobs/keycloak.gotmpl b/values/jobs/keycloak.gotmpl index 34ea5fcd6d..58a736ad95 100644 --- a/values/jobs/keycloak.gotmpl +++ b/values/jobs/keycloak.gotmpl 
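Review bot: `cluster-autoscaler.gotmpl` now reads `$a.clientId` and `$a.clientSecret` from `$a := $v.azure`, but the top-level `azure` schema added in this patch declares only `diskType`, `monitor`, `resourceGroup`, `subscriptionId` and `tenantId`, and the demo `settings.yaml`/`secrets.settings.yaml` put the client credentials under `azure.monitor`, so a configuration that passes validation can still render empty `azureClientID`/`azureClientSecret` values. Either add `clientId`/`clientSecret` to the `azure` schema properties (with a `description` saying the autoscaler uses a principal separate from Azure Monitor, if that is the design) or read the same credential the monitor snippet uses. The `external-dns` hunk similarly drops the previous `get ... dict` defaults in favour of direct `$v.google.projectId` / `$v.azure.tenantId` access, so a missing provider block is likely to fail the render instead of emitting empty values; that fail-fast behaviour seems preferable, but the schema does not make `google`/`azure` required when `dnsProvider` selects them.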
@@ -13,6 +13,7 @@ {{- $k := $c | get "keycloak" dict }} {{- $skipVerify := eq ($cm | get "stage") "staging" }} tasks: + keycloak: type: job description: Configure OIDC as a primary auhentication method and populate teams to harbor projects diff --git a/values/keycloak/keycloak.gotmpl b/values/keycloak/keycloak.gotmpl index 564c1e59c7..1eee6b6056 100644 --- a/values/keycloak/keycloak.gotmpl +++ b/values/keycloak/keycloak.gotmpl @@ -11,14 +11,29 @@ init: memory: "32Mi" keycloak: + # image: + # repository: docker.io/jboss/keycloak + # tag: "11.0.3" username: {{ $k | get "admin.username" "admin" }} password: {{ $k | get "admin.password" "bladibla" }} basepath: "" + cli: + custom: | + # redirect socket binding to https port + /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true) + /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=socket-binding, value=http) + /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https) + /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) + # hostname SPI modification + /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl,value="https://keycloak.{{ $v.cluster.domain }}/") + /subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl,value=true) + persistence: dbVendor: {{ $dbVendor }} dbHost: {{ $k | getOrNil "persistence.dbHost" }} deployPostgres: {{ $k | get "persistence.deployPostgres" (eq $dbVendor "postgres") }} priorityClassName: "otomi-critical" + proxyAddressForwarding: true resources: {{- if (hasKey $k "resources.keycloak") }} {{- $k.resources.keycloak | toYaml | nindent 4 }} diff --git a/values/oauth2-proxy/oauth2-proxy-raw.gotmpl b/values/oauth2-proxy/oauth2-proxy-raw.gotmpl index c1d196ca89..b07dee7c22 100644 
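Review bot: The new `cli.custom` block sets `proxy-address-forwarding=true` on the HTTP listener (and `proxyAddressForwarding: true` below), which makes Keycloak trust the `X-Forwarded-*` headers it receives; that is correct behind the ingress but only safe while the listener is not reachable by other routes, so a comment such as `# trusts X-Forwarded-* headers: the listener must only be reachable through the ingress/proxy` next to the setting records the assumption the deployment relies on. The hostname SPI lines hard-code `frontendUrl` to `https://keycloak.{{ $v.cluster.domain }}/` and force backend URLs to it, which also deserves a short why-comment since it overrides whatever the realm configures. The commented-out `# tag: "11.0.3"` sits next to the chart's newly pinned `tag: "10.0.2"` in `charts/keycloak/values.yaml`; either remove the dangling reference or note which version the CLI commands were tested against.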
--- a/values/oauth2-proxy/oauth2-proxy-raw.gotmpl +++ b/values/oauth2-proxy/oauth2-proxy-raw.gotmpl @@ -18,6 +18,9 @@ resources: {{- end }} kubernetes.io/ingress.class: nginx ingress.kubernetes.io/ssl-redirect: {{ if $v.otomi.hasCloudLB }}"false"{{ else }}"true"{{ end }} + {{- if $hasKeycloak }} + nginx.ingress.kubernetes.io/auth-response-headers: Authorization + {{- end }} nginx.ingress.kubernetes.io/configuration-snippet: | # rewrite auth redirects to original hosts rewrite ^/oauth2/redirect/(.*) https://$1 redirect; diff --git a/values/oauth2-proxy/oauth2-proxy.gotmpl b/values/oauth2-proxy/oauth2-proxy.gotmpl index 97a453d4e4..1ce289ca87 100644 --- a/values/oauth2-proxy/oauth2-proxy.gotmpl +++ b/values/oauth2-proxy/oauth2-proxy.gotmpl @@ -63,8 +63,8 @@ extraArgs: cookie-secure: true # cookie-httponly: true reverse-proxy: true - cookie-refresh: 0h60m0s - pass-authorization-header: {{ $hasKeycloak }} + cookie-refresh: 0h1m0s # set to the same as keycloak realm's accessCodeLifespan + pass-authorization-header: true # pass-basic-auth: true skip-auth-regex: /healthz,/metrics,/api/datasources,/api/dashboards,/api/topology,/api/authenticate,/hook silence-ping-logging: true diff --git a/values/prometheus-operator/prometheus-operator.gotmpl b/values/prometheus-operator/prometheus-operator.gotmpl index f2da282214..21803db35f 100644 --- a/values/prometheus-operator/prometheus-operator.gotmpl +++ b/values/prometheus-operator/prometheus-operator.gotmpl 
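Review bot: `pass-authorization-header: true` is now unconditional in `oauth2-proxy.gotmpl`, while the matching `nginx.ingress.kubernetes.io/auth-response-headers: Authorization` annotation in `oauth2-proxy-raw.gotmpl` is still guarded by `{{- if $hasKeycloak }}`, so in a non-keycloak setup oauth2-proxy attaches the IdP's ID token to auth responses although the ingress never forwards it; keeping the previous `pass-authorization-header: {{ $hasKeycloak }}` (or gating both the same way) avoids exposing bearer tokens to upstreams that do not use them. The `cookie-refresh: 0h1m0s` comment says it mirrors the realm's `accessCodeLifespan`; in Keycloak that setting governs the authorization-code lifetime, whereas the value a proxy refresh interval is normally aligned with is the access token lifetime (`accessTokenLifespan`) — please confirm which realm setting is meant and name it in the comment. A one-line comment above the new annotation, `# forwards the user's bearer token to keycloak-integrated upstreams`, would document why every protected app now receives `Authorization`.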
@@ -134,28 +134,8 @@ grafana: {{- else }} url: http://loki:3100 {{- end }} - {{- with $v | getOrNil "clouds.azure.monitor" }} - {{- $a := $v.clouds.azure }} - - name: Azure Monitor - type: grafana-azure-monitor-datasource - access: proxy - jsonData: - cloudName: azuremonitor - subscriptionId: {{ $a.subscriptionId }} - tenantId: {{ $a.tenantId }} - clientId: {{ .clientId }} - logAnalyticsTenantId: {{ . | get "logAnalyticsTenantId" $a.tenantId }} - logAnalyticsClientId: {{ . | get "logAnalyticsClientId" .clientId }} - logAnalyticsDefaultWorkspace: {{ .logAnalyticsWorkspace }} - appInsightsAppId: {{ . | get "appInsightsAppId" .clientId }} - azureLogAnalyticsSameAs: true - keepCookies: [] - secureJsonData: - clientSecret: {{ .clientSecret }} - logAnalyticsClientSecret: {{ . | get "logAnalyticsClientSecret" .clientSecret }} - appInsightsAppSecret : {{ . | get "appInsightsAppSecret" .clientSecret }} - version: 4 - editable: false + {{- with $v | get "azure.monitor" nil }} + - {{- tpl (readFile "../../helmfile.d/snippets/azure-monitor.gotmpl") (dict "monitor" dict "azure" $v.azure) | toString | nindent 6 }} {{- end }} {{- if $c.sitespeed.enabled }} - name: Graphite diff --git a/values/promitor-agent-scraper/promitor-agent-scraper.gotmpl b/values/promitor-agent-scraper/promitor-agent-scraper.gotmpl index 65dec392a1..52c81e8f82 100644 --- a/values/promitor-agent-scraper/promitor-agent-scraper.gotmpl +++ b/values/promitor-agent-scraper/promitor-agent-scraper.gotmpl @@ -1,5 +1,5 @@ {{- $v := .Environment.Values }} -{{- $a := $v.clouds.azure }} +{{- $a := $v.azure }} azureMetadata: tenantId: {{ $a.tenantId }} subscriptionId: {{ $a.subscriptionId }} diff --git a/values/raw/istio-raw.gotmpl b/values/raw/istio-raw.gotmpl index 08f43747dd..f6bd202816 100644 --- a/values/raw/istio-raw.gotmpl +++ b/values/raw/istio-raw.gotmpl 
@@ -32,7 +32,7 @@ resources: if status == "403" then local oauth_host = "https://auth.{{ $v.cluster.domain }}/oauth2/start?rd=/oauth2/redirect/" local redirect_url = "https://auth.{{ $v.cluster.domain }}/oauth2/sign_in" - response_handle:logWarn("Caught 403 Unauthorized! Redirecting to: "..redirect_url) + response_handle:logWarn("Caught 403 Forbidden! Redirecting to: "..redirect_url) response_handle:headers():replace(":status", 302) response_handle:headers():replace("location", redirect_url) end