Compare commits
3 Commits
66de9b8a0a
...
feature/ho
| Author | SHA1 | Date | |
|---|---|---|---|
| 516498651b | |||
| 230c160870 | |||
| d1588975dc |
@@ -1,47 +0,0 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: dbunk-demo
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "12"
|
||||
labels:
|
||||
app.kubernetes.io/name: dbunk-demo
|
||||
app.kubernetes.io/part-of: apps
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
|
||||
path: forteapp
|
||||
targetRevision: HEAD
|
||||
helm:
|
||||
valueFiles:
|
||||
- $values/dbunk-demo/values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: dbunk-demo
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
retry:
|
||||
limit: 5
|
||||
backoff:
|
||||
duration: 5s
|
||||
factor: 2
|
||||
maxDuration: 3m
|
||||
@@ -1,4 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- dbunk-demo.yaml
|
||||
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../../base
|
||||
- dbunk-demo
|
||||
|
||||
# No patches needed — base already has "upc-dev" paths
|
||||
# upc-dev is the default/base cluster
|
||||
|
||||
@@ -28,6 +28,7 @@ Bootstrap()
|
||||
Gitea()
|
||||
{
|
||||
echo "Installing secret..."
|
||||
kubectl apply -f "secrets/"
|
||||
kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
|
||||
kubectl apply -f "private/${CLUSTER}/main.key"
|
||||
}
|
||||
|
||||
@@ -1141,30 +1141,6 @@ ignore:
|
||||
- Check Gitea Actions tab for workflow run status and logs
|
||||
- Monitor Anthropic usage dashboard for token consumption
|
||||
|
||||
### Keycloak Browser Flow (IdP Auto-Redirect)
|
||||
|
||||
**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
|
||||
|
||||
The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
|
||||
|
||||
**Flow executions**:
|
||||
|
||||
| Priority | Authenticator | Requirement | Purpose |
|
||||
|----------|--------------|-------------|---------|
|
||||
| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
|
||||
| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
|
||||
|
||||
**Key fields in realm JSON**:
|
||||
- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
|
||||
- `"authenticationFlows"` — defines the custom flow with its executions
|
||||
- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
|
||||
|
||||
**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
|
||||
|
||||
**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
|
||||
|
||||
---
|
||||
|
||||
### Keycloak Client Registrar
|
||||
|
||||
**Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: homepage-services-reader
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: homepage-services-reader
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: homepage-services-reader
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: homepage
|
||||
namespace: homepage
|
||||
@@ -1,16 +0,0 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: homepage-widget-credentials
|
||||
namespace: homepage
|
||||
spec:
|
||||
encryptedData:
|
||||
HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
|
||||
HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: homepage-widget-credentials
|
||||
namespace: homepage
|
||||
@@ -2,5 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- homepage.yaml
|
||||
- homepage-widget-credentials-sealed.yaml
|
||||
- homepage-extra-rbac.yaml
|
||||
|
||||
@@ -22,4 +22,3 @@ resources:
|
||||
- karpor
|
||||
- databunker
|
||||
- homepage
|
||||
- vault
|
||||
|
||||
@@ -27,6 +27,7 @@ spec:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- vault.yaml
|
||||
@@ -1,49 +0,0 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: https://helm.releases.hashicorp.com
|
||||
chart: vault
|
||||
targetRevision: "0.32.0"
|
||||
helm:
|
||||
releaseName: vault
|
||||
valueFiles:
|
||||
- $values/infra/values/base/vault-values.yaml
|
||||
- $values/infra/values/upc-dev/vault-values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: vault
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: StatefulSet
|
||||
jsonPointers:
|
||||
- /spec/volumeClaimTemplates
|
||||
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../../base
|
||||
- vaultwarden
|
||||
|
||||
# No patches needed — base already has "upc-dev" paths
|
||||
# upc-dev is the default/base cluster
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- vaultwarden.yaml
|
||||
- vaultwarden-db-secret-sealed.yaml
|
||||
@@ -1,18 +0,0 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: prod-db-creds
|
||||
namespace: vaultwarden
|
||||
spec:
|
||||
encryptedData:
|
||||
SMTP_PASSWORD: AgARC3vcVD2SC8GUry5SYylyiS39eKQUFAjqT4dpXQsoJX7QSLfd7Ta68BURg8Q5e2zWdzIl+nrUyBy/4TMXeHjSUhcfsH0RY2logMuTn96kV/V7YKm1Zw394hrJ3uroB7iFkf/TwiXuwFS1QvppxlpXNWVClHs+r0aW3vD2s7ViFxFqcPYGfNKlGvW2aLU6XER/TUXCffoSmHgl0wut5UaZEo+321AAaqcmk90Te/Pv4oU0SfFGn/+14zDR3VT4s6u8rgYQcSB23p2f3X3+8tCLgSLclyzSXAVfclMBYCuCtOzFjgXOQLoYfW3WW48KqsFKsoZsI/dop8L/y2P78xGJ5gYNiVcH6vEMfOr6wOTISyXqQIi3a/KZcNSY4ZZ7kH13aqru3Fpb4XAGjcmEEfWfOQ9IcPBj6Yh9pNOhxlQHPqXR9zrwx//iXdH2bsbEJ2vNHQhU9uc4t3dO1VnLO/icvMr3CFEuaB4mFDThVrPGOEi5s1YKPTHb1j8B92WSy6aNmNro0977cbbJs/linNox3rNa20kzQPfU2pdlC31vIcpMCM7vtUnx16QHyjUNe/whFqIbSG3mE19jbjIvGo0d7jhBWZYQin+m1MRv/Tv8VjzYe6FciIFX33pNTWkwkvFq+s8eQcyruWCe5hLlF361FklqXcSh1tMyqcfOScNRPxUPlWumkGPDmonULJPkmAs7eJmxKlvinrAPs8eiP7c/1SPW6FdMmxT7sq/27TII
|
||||
SMTP_USERNAME: AgC1Zsv5l5Wbrq7VZC2U55+0/LQvZEbsmlxq2O5Z+Xp/admdqptEBGlLKEdIn7CmyBzvmrmWasmN4NJPJHoeLWn7SgsoULTu1UQ3W9kgcrXUJ52dwOrYLMJUxJuh+OD9HEJejfOMksc2rSM69I4NUc+NXaDSZOo+gzldWzBN7nCa778NcnMgJxVcT4gqjTIRB9EOrCo4f3ldFJzVJW7qNnxurN0UZQ51y+nj+4z2R+LvfOJ1BT5YQC+nmx80HVBMdQWK5WO4QdxCtenXfiFDNcGK3MK/Exd+kubOWse85CMt2dR0GWuIfIOp+t4XQXfb1pxhTibh/fGae9dD0RpSX1c8hobkpXaDJIYeb7ZQF5J6Zf68fgCn0YircY1hB4yF7uX5CQL1yv76M4tM9yuOn5FTJaIG6byWn/RsHZ7KPIUSd1mOce9ZqfTkKzvC/wfX45UMhPEsdXF9o67mAtOpdmBGrmeDD+7GwPwKXz3JgDovlGtzvLvMZ27+x1dpC8LrcAjcKXXGKczbs3L2Pc+tymd9dis36RvlFLEgQG32ffQu5vQXqGcoSEnlZ0l39qoU9EItkA5kp0isGiJI46hJtAdTTNr0roymvrfDyLXpAvXTQYaVMC7/8KVb2r3kIPKtnsDuU2A57ceiqtdWQgUarPn4F0O3SaCnprmTm2thgCgQOkW7BGlN3CCsVboZUIOlFr7CwTswB9ZI6tzOj2WsUOhriTfIuXv3kyrFCspo
|
||||
pgpassword: AgB7F1Nvm2sjBOneDFux2mc/qni32jaq+KccTWkS7UZWWgA37owrE/XvDSOXZ0ZkrpBfhvCnsrh7/mbVnZYNWCd/GgxI2txnkp9MxW5JLpJiaZZmzznI229BgG9I08vg6ciuUS+bvRw9XJFD7SAmgeA3NaDKAHRNIhu3CFEKQJANity+pKHY1zK6gX6ubmllFtjEJg2pijM3EeSNuXdAFXZlsYIJMqFzlvQrb4MV7qeqsvW2qMeJBElMnas60l3JgeUYtsIwh6720m6FFKGXYQLm4cKbByC0M1C0/Nfwnd9j+xgIgyXharQFmgyp1qQBM+MAHxnHoHCE3V9cJqy1nCy33M16YYsZGOuAkHB9ks9I7NxGAKKjAIm5DccW7zbYINzTQKAUYIF/VhVosHv0thAHjfuH7fGzSmo9BHrLTQE3tO5RF40X2GgKFxP/R5lA+dCtR2QBNot0DaL2TEJoPc0czSYPY5y92FDOQ1j9jvcet18tkJN+bzCKwiG+BxtD0eH+tv1EAZTwvyl43xlU3E3RwWgSmOWcusMrn92fhsHwNFs9mMeeM8qeAVq4xUkatbKoijHm6q03tMgp2T6iT3EoVNLzWz+754mLQxt6serkBS8U7Mkxwpfitf64ANLaQyMF8t9Rao0c8Q/ZkIl9TEczbCPX3DvlnsoSPKDMWGB9gTzKbvvH0+Gcxxs+LZFigE7SQ20kYMlQpD8uo15ufWpMSGmFJxvto55fYgA0+wJmqe18ERy1QjxCqQYG7A==
|
||||
pgusername: AgAvYmIjfz5UbstZli9gpc77rc+oAft7NYIHFrSClyV0Ugt6UU+icMMlLbU92roy7J9XUHuWoXoK5vh0y/XeF95ce1VJC0/zvMK2OXmpfERbyNvyCpwzCFtzYJ4LO7yOi8PAPstzuziqnvLt+GLCwk1enU+IWHI7G2A/qIeWEww5+Y5a4WevVrchp0Wh87PdJ88IT5EiF7qBT2ipbcSoB+Gon962nbw8+pnFedmRcUQcdOf0tQBBZOl5TUVJ6mn4WIY8u6/yOwACMlUXQ553rxXYwGKyTRjI0KbTWwpgeCJiqokyrw/RcShD6qJvZGePdq6rNmmkELOHCPo9z/WvXQIDHbuPldvcglyHuN2w4tsBcGukbmjitwS6wxYD0vp3er3FI9+0tRnD9zlkLiUpcaLi9Rrm7NPS/JP1dbGcHz7fJNXgbMZRGRx3DjV73Qnz6YHvOHT4g6BI2+9JytriRKSOJk/FlDCINgrO+6zMrbxKzBTW3+FK1cc41sJ9zClbV603wsMgtkmB1sZL4xcLmq5wOuk19uO9TsK0Xnf+ajuFUkQm42DVxtTZ9HObLnP8eygn1WiMDv3ks6W7HIpJTpc2YJVU/Pg/kTeQgBKS0JRTkzpJFPHV2UrkLTr0U6ToPYOb2SWBnPI+Lp3cTOeUsbKOylBzx4uUJGoZUL5pAorjd5tDHJhMyMm589m5J3mGMXuhXO1cWg80
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: prod-db-creds
|
||||
namespace: vaultwarden
|
||||
@@ -1,49 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: vaultwarden
|
||||
---
|
||||
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: vaultwarden
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
labels:
|
||||
app.kubernetes.io/name: vaultwarden
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: https://guerzon.github.io/vaultwarden
|
||||
chart: vaultwarden
|
||||
targetRevision: "0.36.4"
|
||||
helm:
|
||||
releaseName: vaultwarden
|
||||
valueFiles:
|
||||
- $values/infra/values/base/vaultwarden-values.yaml
|
||||
- $values/infra/values/upc-dev/vaultwarden-values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: vaultwarden
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
@@ -39,8 +39,11 @@ server:
|
||||
gethomepage.dev/name: "ArgoCD"
|
||||
gethomepage.dev/description: "GitOps continuous delivery"
|
||||
gethomepage.dev/group: "DevOps"
|
||||
gethomepage.dev/icon: "argo-cd"
|
||||
gethomepage.dev/icon: "argocd"
|
||||
gethomepage.dev/href: "https://argocd.forteapps.net"
|
||||
gethomepage.dev/widget.type: "argocd"
|
||||
gethomepage.dev/widget.url: "https://argocd.forteapps.net"
|
||||
# gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_ARGOCD_TOKEN}}"
|
||||
tls: true
|
||||
extraArgs:
|
||||
- --insecure
|
||||
|
||||
@@ -41,7 +41,6 @@ gitea:
|
||||
oauth2:
|
||||
ENABLED: true
|
||||
ENABLE_AUTO_REGISTRATION: true
|
||||
ACCOUNT_LINKING: auto
|
||||
USERNAME: email
|
||||
|
||||
session:
|
||||
@@ -123,7 +122,7 @@ ingress:
|
||||
gethomepage.dev/href: "https://git.forteapps.net"
|
||||
gethomepage.dev/widget.type: "gitea"
|
||||
gethomepage.dev/widget.url: "https://git.forteapps.net"
|
||||
gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
|
||||
# gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
|
||||
hosts:
|
||||
- host: git.forteapps.net
|
||||
paths:
|
||||
|
||||
@@ -9,15 +9,15 @@ ingress:
|
||||
gethomepage.dev/group: "Monitoring"
|
||||
gethomepage.dev/icon: "grafana"
|
||||
gethomepage.dev/href: "https://grafana.forteapps.net"
|
||||
gethomepage.dev/widget.type: "grafana"
|
||||
gethomepage.dev/widget.url: "https://grafana.forteapps.net"
|
||||
# gethomepage.dev/widget.username: "{{HOMEPAGE_VAR_GRAFANA_USER}}"
|
||||
# gethomepage.dev/widget.password: "{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}"
|
||||
tls:
|
||||
- secretName: grafana-tls
|
||||
hosts:
|
||||
- grafana.forteapps.net
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 1Gi
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
|
||||
@@ -14,28 +14,20 @@ config:
|
||||
# Scan all namespaces for services with gethomepage.dev/enabled: "true"
|
||||
kubernetes:
|
||||
mode: cluster
|
||||
traefik: true
|
||||
|
||||
settings:
|
||||
title: "Platform"
|
||||
title: "Forte Platform"
|
||||
headerStyle: clean
|
||||
layout:
|
||||
Apps:
|
||||
DevOps:
|
||||
style: row
|
||||
columns: 3
|
||||
Security:
|
||||
columns: 4
|
||||
Identity:
|
||||
style: row
|
||||
columns: 3
|
||||
Tools:
|
||||
columns: 4
|
||||
Monitoring:
|
||||
style: row
|
||||
header: false
|
||||
columns: 2
|
||||
DevOps:
|
||||
style: column
|
||||
rows: 2
|
||||
Monitoring:
|
||||
style: column
|
||||
rows: 1
|
||||
columns: 4
|
||||
|
||||
# Top-of-page cluster overview widget
|
||||
widgets:
|
||||
@@ -47,14 +39,14 @@ config:
|
||||
showLabel: true
|
||||
label: "Cluster"
|
||||
nodes:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
# In-cluster entries come from K8s service annotations.
|
||||
# External (out-of-cluster) services are listed here statically.
|
||||
show: false
|
||||
# Both empty — all entries come from K8s service annotations
|
||||
bookmarks: []
|
||||
services: []
|
||||
# Widget API credentials (optional — add via SealedSecret + envFrom below)
|
||||
# Homepage reads HOMEPAGE_VAR_* env vars and substitutes them in widget annotations.
|
||||
# Example: gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"
|
||||
# To enable: create a sealed secret and add envFrom to load it.
|
||||
|
||||
resources:
|
||||
requests:
|
||||
@@ -63,10 +55,3 @@ resources:
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
|
||||
env:
|
||||
- name: HOMEPAGE_ALLOWED_HOSTS
|
||||
value: start.forteapps.net
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: homepage-widget-credentials
|
||||
|
||||
@@ -21,9 +21,9 @@ ingress:
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Keycloak"
|
||||
gethomepage.dev/description: "Identity & access management"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/group: "Identity"
|
||||
gethomepage.dev/icon: "keycloak"
|
||||
gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/"
|
||||
gethomepage.dev/href: "https://id.forteapps.net"
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
@@ -58,9 +58,6 @@ keycloakConfigCli:
|
||||
enabled: true
|
||||
image:
|
||||
repository: bitnamilegacy/keycloak-config-cli
|
||||
extraEnvVars:
|
||||
- name: IMPORT_MANAGED_PROTOCOL_MAPPER
|
||||
value: "no-delete"
|
||||
configuration:
|
||||
forte-realm.json: |
|
||||
{
|
||||
@@ -104,18 +101,6 @@ keycloakConfigCli:
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "groups",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-group-membership-mapper",
|
||||
"config": {
|
||||
"claim.name": "groups",
|
||||
"full.path": "false",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
@@ -188,54 +173,7 @@ keycloakConfigCli:
|
||||
]
|
||||
}
|
||||
],
|
||||
"browserFlow": "browser-auto-idp",
|
||||
"authenticationFlows": [
|
||||
{
|
||||
"alias": "browser-auto-idp",
|
||||
"description": "Browser flow with auto-redirect to Forte Entra IdP",
|
||||
"providerId": "basic-flow",
|
||||
"topLevel": true,
|
||||
"builtIn": false,
|
||||
"authenticationExecutions": [
|
||||
{
|
||||
"authenticator": "auth-cookie",
|
||||
"authenticatorFlow": false,
|
||||
"requirement": "ALTERNATIVE",
|
||||
"priority": 10
|
||||
},
|
||||
{
|
||||
"authenticator": "identity-provider-redirector",
|
||||
"authenticatorFlow": false,
|
||||
"requirement": "ALTERNATIVE",
|
||||
"priority": 20,
|
||||
"authenticatorConfig": "forte-entra-redirector"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"authenticatorConfig": [
|
||||
{
|
||||
"alias": "forte-entra-redirector",
|
||||
"config": {
|
||||
"defaultProvider": "forte-entra"
|
||||
}
|
||||
}
|
||||
],
|
||||
"groups": [
|
||||
{
|
||||
"name": "k8s",
|
||||
"path": "/k8s",
|
||||
"clientRoles": {
|
||||
"grafana": ["Editor"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dev",
|
||||
"path": "/dev",
|
||||
"clientRoles": {
|
||||
"grafana": ["Viewer"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "ArgoCD Admins",
|
||||
"path": "/ArgoCD Admins"
|
||||
|
||||
@@ -1,36 +0,0 @@
|
||||
# HashiCorp Vault Helm Chart Values
|
||||
# Chart: hashicorp/vault v0.32.0
|
||||
|
||||
server:
|
||||
standalone:
|
||||
enabled: true
|
||||
|
||||
dataStorage:
|
||||
enabled: true
|
||||
size: 5Gi
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 250m
|
||||
memory: 256Mi
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: traefik
|
||||
pathType: Prefix
|
||||
activeService: true
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Vault"
|
||||
gethomepage.dev/description: "Secrets management"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "vault"
|
||||
gethomepage.dev/href: "https://vault.forteapps.net"
|
||||
|
||||
ui:
|
||||
enabled: true
|
||||
serviceType: ClusterIP
|
||||
@@ -1,3 +0,0 @@
|
||||
image:
|
||||
tag: "1.36.0-alpine"
|
||||
domain: "https://vaultwarden.forteapps.net"
|
||||
@@ -1,10 +1,3 @@
|
||||
ingress:
|
||||
enabled: true
|
||||
host: databunker.forteapps.net
|
||||
annotations:
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Databunker"
|
||||
gethomepage.dev/description: "Secure Database for PII and PCI Records"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "double-take"
|
||||
gethomepage.dev/href: "https://databunker.forteapps.net"
|
||||
|
||||
@@ -13,53 +13,3 @@ ingress:
|
||||
- secretName: homepage-tls
|
||||
hosts:
|
||||
- start.forteapps.net
|
||||
|
||||
config:
|
||||
settings:
|
||||
title: "Forte Platform"
|
||||
headerStyle: clean
|
||||
layout:
|
||||
Apps:
|
||||
style: row
|
||||
columns: 2
|
||||
Security:
|
||||
style: row
|
||||
columns: 3
|
||||
Tools:
|
||||
style: row
|
||||
header: false
|
||||
columns: 2
|
||||
DevOps:
|
||||
style: column
|
||||
rows: 2
|
||||
Monitoring:
|
||||
style: column
|
||||
rows: 1
|
||||
|
||||
# Top-of-page cluster overview widget
|
||||
widgets:
|
||||
- kubernetes:
|
||||
cluster:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
label: "Cluster"
|
||||
nodes:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
# In-cluster entries come from K8s service annotations.
|
||||
# External (out-of-cluster) services are listed here statically.
|
||||
bookmarks: []
|
||||
services:
|
||||
- Apps:
|
||||
- Forte Benken:
|
||||
href: https://benken.hackathon.forteapps.net
|
||||
description: Teknisk kompetanse fra offentlige anbud
|
||||
icon: forte
|
||||
- Forte Feedback:
|
||||
href: https://feedback.forteapps.net
|
||||
description: Fortes internal feedback app
|
||||
icon: forte
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
server:
|
||||
ingress:
|
||||
hosts:
|
||||
- host: vault.forteapps.net
|
||||
paths: []
|
||||
tls:
|
||||
- secretName: vault-tls
|
||||
hosts:
|
||||
- vault.forteapps.net
|
||||
@@ -1,45 +0,0 @@
|
||||
database:
|
||||
type: postgresql
|
||||
existingSecret: prod-db-creds
|
||||
existingSecretUserKey: pgusername
|
||||
existingSecretPasswordKey: pgpassword
|
||||
ingress:
|
||||
enabled: true
|
||||
class: "traefik"
|
||||
tlsSecret: vw-forteapps-net-crt
|
||||
hostname: bitwarden.forteapps.net
|
||||
|
||||
replicas: 1
|
||||
|
||||
service:
|
||||
sessionAffinity: ClientIP
|
||||
sessionAffinityConfig:
|
||||
clientIP:
|
||||
timeoutSeconds: 10800
|
||||
|
||||
smtp:
|
||||
host: smtp.office365.com
|
||||
from: no-reply@forteapps.net
|
||||
fromName: "Forte Bitwarden Administrator"
|
||||
existingSecret: prod-db-creds
|
||||
username:
|
||||
existingSecretKey: SMTP_USERNAME
|
||||
password:
|
||||
existingSecretKey: SMTP_PASSWORD
|
||||
|
||||
storage:
|
||||
data:
|
||||
name: "vaultwarden-data"
|
||||
size: "5Gi"
|
||||
class: ""
|
||||
path: "/data"
|
||||
keepPvc: true
|
||||
accessMode: "ReadWriteOnce"
|
||||
|
||||
attachments:
|
||||
name: "vaultwarden-files"
|
||||
size: "5Gi"
|
||||
class: ""
|
||||
path: /files
|
||||
keepPvc: true
|
||||
accessMode: "ReadWriteOnce"
|
||||
Reference in New Issue
Block a user