feat(base-cluster/capactior): add flux capacitor dashboard

teutonet · Sep 23, 2024 · 89bf87c · 89bf87c
1 parent bb1942d
commit 89bf87c
Show file tree

Hide file tree

Showing 6 changed files with 240 additions and 0 deletions.
diff --git a/charts/base-cluster/templates/flux/capacitor.yaml b/charts/base-cluster/templates/flux/capacitor.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.flux.capacitor.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: capacitor
+  namespace: flux-system
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: capacitor
+spec:
+  chart:
+    spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "onechart" "chart" "onechart" "context" $) | nindent 6 }}
+  interval: 1h
+  driftDetection:
+    mode: enabled
+  values:
+    image:
+      repository: ghcr.io/gimlet-io/capacitor
+      tag: v0.4.2
+    containerPort: 9000
+    probe:
+      enabled: true
+      path: /
+    resources:
+      ignoreLimits: true
+    serviceAccount: capacitor
+{{- end }}
diff --git a/charts/base-cluster/templates/flux/oauth-proxy-secret.yaml b/charts/base-cluster/templates/flux/oauth-proxy-secret.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.global.authentication.config .Values.flux.capacitor.enabled }}
+{{- $name := include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $name }}
+  namespace: flux-system
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: oauth-proxy
+    app.kubernetes.io/part-of: capacitor
+type: Opaque
+data:
+  # This might change on every `template` call, this can be ignored
+  cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookie-secret" "length" 32 "strong" true "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mustMergeOverwrite (deepCopy .Release)))) }}
+  client-id: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
+  client-secret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/base-cluster/templates/flux/oauth-proxy.yaml b/charts/base-cluster/templates/flux/oauth-proxy.yaml
@@ -0,0 +1,114 @@
+{{- if and .Values.global.authentication.config .Values.flux.capacitor.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: capacitor-oauth-proxy
+  namespace: flux-system
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: oauth-proxy
+    app.kubernetes.io/part-of: capacitor
+spec:
+  chart:
+    spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "bitnami" "chart" "oauth2-proxy" "context" $) | nindent 6 }}
+  interval: 1h
+  driftDetection:
+    mode: enabled
+  values:
+    redis:
+      enabled: false
+  {{- if $.Values.global.imageRegistry }}
+    global:
+      imageRegistry: {{ $.Values.global.imageRegistry }}
+  {{- end }}
+    ingress:
+      enabled: true
+      hostname: {{ .Values.flux.capacitor.ingress.host }}
+      tls: true
+      {{- if $.Values.dns.provider }}
+      selfSigned: true # `certManager: true` leads to overwritten wildcard certificates
+      {{- else }}
+      certManager: true
+      {{- end }}
+      existingSecretName: {{ include "base-cluster.certificate" (dict "name" "capacitor" "customDomain" .Values.flux.capacitor.ingress.customDomain "context" $) | quote }}
+    replicaCount: 2
+    pdb:
+      create: true
+      minAvailable: 1
+      maxUnavailable: ""
+    podSecurityContext:
+      enabled: true
+    containerSecurityContext:
+      enabled: true
+    resources: {{- include "common.resources" $.Values.global.authentication.oauthProxy | nindent 6 }}
+    configuration:
+      existingSecret: {{ include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) }}
+      content: |-
+        provider = "oidc"
+        reverse_proxy = true
+        oidc_issuer_url = {{ printf "https://%s%s" $.Values.global.authentication.config.issuerHost $.Values.global.authentication.config.issuerPath | quote }}
+        skip_provider_button = true
+        {{- if $.Values.global.authentication.oauthProxy.emailDomains }}
+        email_domains = [ "{{ $.Values.global.authentication.oauthProxy.emailDomains | join "\", \"" }}" ]
+        {{- else }}
+        email_domains = "*"
+        {{- end }}
+        upstreams = [ {{ printf "http://%s:%d" "capacitor" 9000 | quote }} ]
+    podAnnotations:
+      # This might change on every `template` call, this can be ignored
+      checksum/secret: {{ include "common.utils.checksumTemplate" (dict "path" "/flux/oauth-proxy-secret.yaml" "context" $) }}
+{{- if eq (include "common.networkPolicy.type" $) "cilium" }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: capacitor-oauth-proxy-policy
+  namespace: flux-system
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: oauth
+    app.kubernetes.io/part-of: capacitor
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: "capacitor-oauth-proxy"
+  ingress:
+    - fromEndpoints:
+        - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.ingressLabels "context" $) | nindent 12 }}
+      toPorts:
+        - ports:
+            - port: "9000"
+              protocol: TCP
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: '*'
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+    - toFQDNs:
+        - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+    - toEndpoints:
+        - matchLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.global.networkPolicy.dnsLabels "context" $) | nindent 12 }}
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchName: {{ $.Values.global.authentication.config.issuerHost | quote }}
+{{- end }}
+---
+{{- end }}
diff --git a/charts/base-cluster/templates/flux/rbac-capacitor.yaml b/charts/base-cluster/templates/flux/rbac-capacitor.yaml
@@ -0,0 +1,60 @@
+{{- if .Values.flux.capacitor.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: capacitor
+  namespace: flux-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: capacitor
+rules:
+  - apiGroups:
+      - networking.k8s.io
+      - apps
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - ingresses
+      - deployments
+      - services
+      - secrets
+      - events
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - source.toolkit.fluxcd.io
+      - kustomize.toolkit.fluxcd.io
+      - helm.toolkit.fluxcd.io
+    resources:
+      - gitrepositories
+      - ocirepositories
+      - buckets
+      - helmrepositories
+      - helmcharts
+      - kustomizations
+      - helmreleases
+    verbs:
+      - get
+      - watch
+      - list
+      - patch # to allow force reconciling by adding an annotation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: capacitor
+subjects:
+  - kind: ServiceAccount
+    name: capacitor
+    namespace: flux-system
+roleRef:
+  kind: ClusterRole
+  name: capacitor
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json
@@ -1284,6 +1284,18 @@
             ],
             "additionalProperties": false
           }
+        },
+        "capacitor": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "ingress": {
+              "$ref": "#/$defs/toolIngress"
+            }
+          },
+          "additionalItems": false
         }
       },
       "additionalProperties": false

diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
@@ -126,6 +126,11 @@ global:
       charts:
         descheduler: 0.30.x
       condition: "{{ .Values.descheduler.enabled }}"
+    onechart:
+      url: https://chart.onechart.dev
+      charts:
+        onechart: 0.70.x
+      condition: "{{ .Values.flux.capacitor.enabled }}"
     jetstack:
       url: https://charts.jetstack.io
       charts:
@@ -415,6 +420,12 @@ externalDNS:
 
 flux:
   gitRepositories: {}
+  capacitor:
+    enabled: false
+    ingress:
+      enabled: false
+      host: capacitor
+      customDomain: ""
 
 ingress:
   enabled: true