Compare commits
63 Commits
feature/ho
...
feature/pp
| Author | SHA1 | Date | |
|---|---|---|---|
| 1808750c81 | |||
| 82a081d6a3 | |||
| c49d03d7f7 | |||
| d47dba2ae5 | |||
| cf9eb47ecf | |||
| 3eca723f05 | |||
| f36996da11 | |||
| 6bf7db21d0 | |||
| 2641d55784 | |||
| 117297effc | |||
| fda90f9e01 | |||
| 1124377d97 | |||
| c0710b89bb | |||
| d7bda18aea | |||
| 2796e1b9d3 | |||
| d7a0c26117 | |||
| 693f2f9168 | |||
| 2509ef062c | |||
| 957757e557 | |||
| 070799da05 | |||
| 1a2817e537 | |||
| b47b0035f5 | |||
| d3fac4d43e | |||
| c37bd3ef04 | |||
| ad661ba3dd | |||
| a9625f96e6 | |||
| cb64edc927 | |||
| ac1c242fb9 | |||
| 4b29c07fd6 | |||
| 52732626e5 | |||
| 8634436dd4 | |||
| a8baa169e9 | |||
| 73ef3a6e12 | |||
| 302705d374 | |||
| f3286ef77e | |||
| 74f4f86770 | |||
| f2c56156bf | |||
| 21fb50ba00 | |||
| b90b630b06 | |||
| 66de9b8a0a | |||
| 716c552be9 | |||
| f048b47a0f | |||
| 66f40427ee | |||
| 332881cbd0 | |||
| f363afa087 | |||
| bc42347cb6 | |||
| 80d7bff4bc | |||
| 3644a3ec87 | |||
| bd478478f1 | |||
| 67b1d95509 | |||
| fff95d98a5 | |||
| 8b743efa43 | |||
| 4ca9039686 | |||
| 6a9eadbde8 | |||
| f19f7c9237 | |||
| 5a459d486e | |||
| 31fb476a78 | |||
| a088425b70 | |||
| b3b3edf82c | |||
| 308755a4b3 | |||
| db6afaf180 | |||
| 5a2f9a1b88 | |||
| 1c6f18b67c |
@@ -57,7 +57,7 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
|
||||
|
||||
### What's Inside
|
||||
|
||||
- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets
|
||||
- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
|
||||
- **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
|
||||
- **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
|
||||
- **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
|
||||
|
||||
47
apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
Normal file
47
apps/overlays/upc-dev/dbunk-demo/dbunk-demo.yaml
Normal file
@@ -0,0 +1,47 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: dbunk-demo
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "12"
|
||||
labels:
|
||||
app.kubernetes.io/name: dbunk-demo
|
||||
app.kubernetes.io/part-of: apps
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
|
||||
path: forteapp
|
||||
targetRevision: HEAD
|
||||
helm:
|
||||
valueFiles:
|
||||
- $values/dbunk-demo/values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: dbunk-demo
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
retry:
|
||||
limit: 5
|
||||
backoff:
|
||||
duration: 5s
|
||||
factor: 2
|
||||
maxDuration: 3m
|
||||
4
apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
Normal file
4
apps/overlays/upc-dev/dbunk-demo/kustomization.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- dbunk-demo.yaml
|
||||
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../../base
|
||||
- dbunk-demo
|
||||
|
||||
# No patches needed — base already has "upc-dev" paths
|
||||
# upc-dev is the default/base cluster
|
||||
|
||||
@@ -28,7 +28,6 @@ Bootstrap()
|
||||
Gitea()
|
||||
{
|
||||
echo "Installing secret..."
|
||||
kubectl apply -f "secrets/"
|
||||
kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml"
|
||||
kubectl apply -f "private/${CLUSTER}/main.key"
|
||||
}
|
||||
|
||||
@@ -725,6 +725,59 @@ TLS terminates at Traefik; ArgoCD runs in insecure mode behind the proxy.
|
||||
|
||||
## Infrastructure Components
|
||||
|
||||
### Homepage (Platform Dashboard)
|
||||
|
||||
**Chart**: `jameswynn/homepage`
|
||||
**Namespace**: `homepage`
|
||||
**URL**: `https://start.forteapps.net`
|
||||
|
||||
Platform dashboard that auto-discovers deployed apps via Kubernetes service annotations.
|
||||
|
||||
**Discovery mechanism**: Services annotated with `gethomepage.dev/enabled: "true"` appear in the dashboard. Apps not deployed = annotations absent = not shown. Fully dynamic per environment.
|
||||
|
||||
**Annotated services**:
|
||||
| Service | Namespace | Group | Widget |
|
||||
|---------|-----------|-------|--------|
|
||||
| `gitea-http` | `gitea` | DevOps | `gitea` |
|
||||
| `argocd-server` | `argocd` | DevOps | `argocd` |
|
||||
| `keycloak` | `keycloak` | Identity | none |
|
||||
| `grafana` | `monitoring` | Monitoring | `grafana` |
|
||||
| `karpor-server` | `karpor` | DevOps | none |
|
||||
|
||||
**Adding a new app**: Annotate the app's Service in its Helm values:
|
||||
```yaml
|
||||
service:
|
||||
annotations:
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "My App"
|
||||
gethomepage.dev/description: "What it does"
|
||||
gethomepage.dev/group: "GroupName"
|
||||
gethomepage.dev/icon: "icon-name" # https://github.com/walkxcode/dashboard-icons
|
||||
gethomepage.dev/href: "https://myapp.forteapps.net"
|
||||
# Optional live widget:
|
||||
gethomepage.dev/widget.type: "myapp"
|
||||
gethomepage.dev/widget.url: "https://myapp.forteapps.net"
|
||||
# gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_MYAPP_TOKEN}}"
|
||||
```
|
||||
|
||||
**Widget API credentials**: Inject via env vars into the Homepage pod:
|
||||
```yaml
|
||||
# In homepage-values.yaml per environment
|
||||
env:
|
||||
- name: HOMEPAGE_VAR_GRAFANA_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: homepage-widget-credentials
|
||||
key: grafana-token
|
||||
```
|
||||
Then reference as `gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GRAFANA_TOKEN}}"`.
|
||||
|
||||
**Values files**:
|
||||
- `infra/values/base/homepage-values.yaml` — RBAC, kubernetes mode, layout
|
||||
- `infra/values/{env}/homepage-values.yaml` — hostname per environment
|
||||
|
||||
---
|
||||
|
||||
### Traefik
|
||||
|
||||
**Chart**: `traefik/traefik`
|
||||
@@ -1010,6 +1063,52 @@ dind:
|
||||
- Gitea admin panel (`/admin/runners`) — runners show as Online
|
||||
- Create test workflow in `.gitea/workflows/test.yml` — job executes
|
||||
|
||||
### Vaultwarden
|
||||
|
||||
**Chart**: `guerzon/vaultwarden`
|
||||
**Version**: 0.36.4 (app v1.36.0-alpine)
|
||||
**Namespace**: `vaultwarden`
|
||||
|
||||
**Purpose**: Self-hosted Bitwarden-compatible password manager.
|
||||
|
||||
**Configuration**:
|
||||
```yaml
|
||||
# infra/overlays/upc-dev/vaultwarden/ + infra/values/
|
||||
domain: "https://bitwarden.forteapps.net"
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
class: "traefik"
|
||||
tls: true
|
||||
tlsSecret: vaultwarden-tls
|
||||
hostname: bitwarden.forteapps.net
|
||||
additionalAnnotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
|
||||
database:
|
||||
type: postgresql
|
||||
host: vaultwarden-postgresql # StatefulSet in overlay
|
||||
existingSecret: prod-db-creds
|
||||
|
||||
storage:
|
||||
data: 5Gi (ReadWriteOnce)
|
||||
attachments: 5Gi (ReadWriteOnce)
|
||||
```
|
||||
|
||||
**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
|
||||
|
||||
**SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
|
||||
|
||||
**Endpoints**:
|
||||
- Web UI: `https://bitwarden.forteapps.net`
|
||||
|
||||
**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
|
||||
|
||||
**Secrets**:
|
||||
- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
|
||||
- `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
|
||||
- `vaultwarden-tls` — auto-managed by cert-manager
|
||||
|
||||
### AI Code Review (ai-review)
|
||||
|
||||
**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
|
||||
@@ -1088,6 +1187,30 @@ ignore:
|
||||
- Check Gitea Actions tab for workflow run status and logs
|
||||
- Monitor Anthropic usage dashboard for token consumption
|
||||
|
||||
### Keycloak Browser Flow (IdP Auto-Redirect)
|
||||
|
||||
**File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
|
||||
|
||||
The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
|
||||
|
||||
**Flow executions**:
|
||||
|
||||
| Priority | Authenticator | Requirement | Purpose |
|
||||
|----------|--------------|-------------|---------|
|
||||
| 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
|
||||
| 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
|
||||
|
||||
**Key fields in realm JSON**:
|
||||
- `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
|
||||
- `"authenticationFlows"` — defines the custom flow with its executions
|
||||
- `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
|
||||
|
||||
**Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
|
||||
|
||||
**Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
|
||||
|
||||
---
|
||||
|
||||
### Keycloak Client Registrar
|
||||
|
||||
**Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
|
||||
|
||||
21
infra/base/homepage/homepage-extra-rbac.yaml
Normal file
21
infra/base/homepage/homepage-extra-rbac.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: homepage-services-reader
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: homepage-services-reader
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: homepage-services-reader
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: homepage
|
||||
namespace: homepage
|
||||
16
infra/base/homepage/homepage-widget-credentials-sealed.yaml
Normal file
16
infra/base/homepage/homepage-widget-credentials-sealed.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: homepage-widget-credentials
|
||||
namespace: homepage
|
||||
spec:
|
||||
encryptedData:
|
||||
HOMEPAGE_VAR_GITEA_TOKEN: AgAVN1C931EQpn+sodr3CpjlhORfJVTW8aUr+pGZQb+65Pb8QLGeVGVa7Jv60gDJUX3r+93/jMrEbCOeDL6I4qCz/V35wMCxFZLnXIdkmto0W4MKt6cK8To1/OP7EhQJOGBlSuOFsrwoy+HDtvLIqmyF0nrxhTusm9/NHrw+gCVwSTPhiAX1MCuSOSRWpbXvyNphW8j7aqUaV6ixDt424Fe4alEIShYELcS3EX/VPgsf2p2bhvBRCQOh3LEprkuxSFMuPfCBk06TPTbIN4saNVm0Ke0zW/pxkVNSiIxEnKjOmpPJtacsfWN7du+nQbx276G2qvWrf+iawJVq0Z/SLikA/NUFBL6EjSRfgE3cSOri8sbxsd0AycsFGyp98EM29wE+WOQl52M/lwl02EmCivqkICSO7Jp9pM1ScbmRMa5vcnupsGbVDxhRKLqxhAskt/BXDkRzvHN31gH3YmelES3JuqNMHV0urFxmX2oOX9Pxbtv63csc+zhy1Ui5aoex7TPnLdk7kYLSAE2MSrzT6wHvVhBC5kNnDYVrLehvJrT+eNh0MOLx2wkuJmIOxRAGUyNi5DfDnP6qnvj2aefEymLuOXAIUXH8DbeBtrjsd74HX2hhIfBlPkXvhJR3ks7i5RXjK2/YYHkgJ+nJoW80S9N7ciaRy103g74TNJZt6QzzL5Vb80qZ6yQOD4G081KmTLDmhHjJVIIv9M3nLh2s0IeBV3/Z5qHZmtjN7sSaKAn4MIr5FaH9quhx
|
||||
HOMEPAGE_VAR_GRAFANA_TOKEN: AgBloBlOlP+R/4VizE1CGpj0wyiwU14BemAnuUpld7OvOGc67dwfDPyponkQXjAZg3UU2cZ70A51WUAuVlAr+25Ktlf/FW2OBqj+1BJOCqMMyu+kv026yjX2aB8dKGzlTxgF8aji+j1mC8vP3vvmgI4Zf2HQAH7uFwLfeo8+QnV5EyhcExSS0xDne+VtOP9jNXbPRayry0DdyRVtaeKAiZacO+45oAJWszWOwmoMTg9FZQkLjER6Q0tyI6NnoNObsFCnh56chZTdzBOYtmPnwld1bP2FjoJDqn8AfRwbPTIj7t0eFP7WLUO7GQKpxVl+pFwJLb5xCOw2+HNtp1BhNCu7icuc0P88IlvwzkbN0lXJbYigVOzyjEo8f/al1DXPM4WaB/Nqmr7Mtt8KTRh2WMVTgiX5jsu25D0rGDvY9gqfBBqswkRhCLsG0v0EN32zXj1/52KYdmB7pk/+2lMwSaGMS11MOenHeU1Z95fGxm9f3EGF0E8xlFr4FowgsNwr+tJQqpM0bT/4mZnaQbGWtKPFizMtsfQFm+rHFcNCrGaOuecslmiIJs8lTm18KlrncsGfxNS64tVXk+LvydU0rwybvpg2rQjEWtAl1IQsaaiz96OAlYxxK1MGxN7KE6F8R4kfnWTZ5Fs1KMmd/DOIVBXyCbqXxk8pbekmaIeNSfv92JNZ0QNJWsBa2vgQ24WI2pb4XiR0BvtLpt3BVlZUcSK92SzUblWmYWVMwHYCJkEeEUV1PhYEmyiN+V/Kq5Qb
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: homepage-widget-credentials
|
||||
namespace: homepage
|
||||
43
infra/base/homepage/homepage.yaml
Normal file
43
infra/base/homepage/homepage.yaml
Normal file
@@ -0,0 +1,43 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: homepage
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "3"
|
||||
labels:
|
||||
app.kubernetes.io/name: homepage
|
||||
app.kubernetes.io/part-of: platform
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: https://jameswynn.github.io/helm-charts
|
||||
chart: homepage
|
||||
targetRevision: "2.1.0"
|
||||
helm:
|
||||
releaseName: homepage
|
||||
valueFiles:
|
||||
- $values/infra/values/base/homepage-values.yaml
|
||||
- $values/infra/values/upc-dev/homepage-values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: homepage
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
6
infra/base/homepage/kustomization.yaml
Normal file
6
infra/base/homepage/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- homepage.yaml
|
||||
- homepage-widget-credentials-sealed.yaml
|
||||
- homepage-extra-rbac.yaml
|
||||
@@ -43,10 +43,6 @@ spec:
|
||||
- ServerSideApply=true
|
||||
|
||||
ignoreDifferences:
|
||||
- group: batch
|
||||
kind: CronJob
|
||||
jsonPointers:
|
||||
- /spec/jobTemplate/spec/template/spec/containers/0/args
|
||||
- group: apps
|
||||
kind: StatefulSet
|
||||
jsonPointers:
|
||||
|
||||
@@ -21,3 +21,5 @@ resources:
|
||||
- grafana-dashboards
|
||||
- karpor
|
||||
- databunker
|
||||
- homepage
|
||||
- vault
|
||||
|
||||
@@ -27,7 +27,6 @@ spec:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
|
||||
4
infra/base/vault/kustomization.yaml
Normal file
4
infra/base/vault/kustomization.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- vault.yaml
|
||||
49
infra/base/vault/vault.yaml
Normal file
49
infra/base/vault/vault.yaml
Normal file
@@ -0,0 +1,49 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
labels:
|
||||
app.kubernetes.io/name: vault
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: https://helm.releases.hashicorp.com
|
||||
chart: vault
|
||||
targetRevision: "0.32.0"
|
||||
helm:
|
||||
releaseName: vault
|
||||
valueFiles:
|
||||
- $values/infra/values/base/vault-values.yaml
|
||||
- $values/infra/values/upc-dev/vault-values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: vault
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: StatefulSet
|
||||
jsonPointers:
|
||||
- /spec/volumeClaimTemplates
|
||||
@@ -13,9 +13,19 @@ resources:
|
||||
- ../../base/prometheus
|
||||
- ../../base/sealedsecrets
|
||||
- ../../base/tempo
|
||||
- ../../base/homepage
|
||||
- ../../base/traefik-application
|
||||
|
||||
patches:
|
||||
# Homepage: swap upc-dev → aks-dev
|
||||
- target:
|
||||
kind: Application
|
||||
name: homepage
|
||||
patch: |
|
||||
- op: replace
|
||||
path: /spec/sources/0/helm/valueFiles/1
|
||||
value: $values/infra/values/aks-dev/homepage-values.yaml
|
||||
|
||||
# Traefik: swap upc-dev → aks-dev
|
||||
- target:
|
||||
kind: Application
|
||||
|
||||
@@ -2,6 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../../base
|
||||
- vaultwarden-postgresql
|
||||
- vaultwarden
|
||||
- passwordpusher-postgresql
|
||||
- passwordpusher
|
||||
|
||||
# No patches needed — base already has "upc-dev" paths
|
||||
# upc-dev is the default/base cluster
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- passwordpusher-postgresql.yaml
|
||||
@@ -0,0 +1,46 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: passwordpusher
|
||||
---
|
||||
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: passwordpusher-postgresql
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
labels:
|
||||
app.kubernetes.io/name: passwordpusher-postgresql
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
source:
|
||||
repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
path: infra/overlays/upc-dev/passwordpusher-postgresql/resources
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: passwordpusher
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: StatefulSet
|
||||
jsonPointers:
|
||||
- /spec/volumeClaimTemplates
|
||||
@@ -0,0 +1,6 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- postgresql.yaml
|
||||
- passwordpusher-db-secret-sealed.yaml
|
||||
- passwordpusher-smtp-secret-sealed.yaml
|
||||
@@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: passwordpusher-db-creds
|
||||
namespace: passwordpusher
|
||||
spec:
|
||||
encryptedData:
|
||||
DATABASE_URL: AgBeCVhdJoq18FFbP/8CUFFHBu3cUHisStmqeU3stH33qRgm0sh1Agw87QaiECBlKGp9yEjDVgQEjU/h9vEqs5L13vnzTvzmzEIMy23m1nWEyX6pY06O/ISDD6AVeW73SX6ctgZ4wabv8zZhEQ/GiKTLq8indTrNglINpItUKdjpZ5IhJWNScOkykZdIN/OyJxxzKQ5fM48ZVfL8HnTNQ+sqEJQ/P4CEHVwJQaEuIKsS+P1PKNmOxzI7IB7PegkZwORMKA83r1oufiV5q+/wY2eMujt/PkZxkokj9jdI9ATGwXfOVgPR16BXrKRIKO2AwObL1ter+Y0LnNGxl9gAz8q65b4KHdM//sKSscLo9rPWKq0R0y4octiC1FlQEvsbMZnNntDLR1vBiqRUz5YaoKcEH6nlLpubCrBpIve8f5Ty3w2YUk7k4dpQzITgZqpJirmw5RAY9OIQQldB8NHjfmKkTtlHxW1Bif/yo+XqCKX4+1xh4nbWb6z2VQtUeQHm++ITZokxAV5as/EEZyEfCfqLbQbQkk5xuPpc3B6VjyGNbAIyQQz3Ktx5t2bqa/qf2YQQTVMZaBijHV6jaK3YzyWyheefZAqliF3xUY8mm2zrOAK4+JaKbRKSQzvCzpYtcwxVO5hCV0Wki4qbMXCWbLV0SmUgiJeL/SC/iXSPBmdQIw2P8Pao1gPzhtJl/rGzdw+Nx0VtYeCID8PlsvjUO3oiv3wYFVE/Xb9oYkoQnadOrnBmUNoXATvPLb6bN/cxlZ6c5bDAReY5M5k4Im9XMWDUDiH/9bIk+V8C
|
||||
pgpassword: AgBneCXX9h7cFbvVcqk9bNSgHqPGpYQmDxDHmI2CdgIPXwogVA/HxGpaR/HnByUwXbk9PBzHuNJHTWB5XtbEgd7EVvhmhNkEuW9cfBpO6RhSYWr4yQsEQ4tRIDicCMnCh3qWFxMJKPxhN4+gB+KY0HxVQXlr/TkPEnHGNILCrwJsSP9JYufYy5xcL25c949X6M2iSi1i8OFDOYC7s72VZmS2iAEIdnY01yDJ/pW5UYNi53rtAYWZ0tzRJbl55NdWeZGJdmKEQ0OvywW50So97R0ceC6QCkBzzRin4IP5dWuWbqm/D9FL4pxUfIvNuXbMd2fGbn1DjgqfeiN9QSfgLeHqMWbFAmelA/ETKGZBJJkp8MQta7PYk30yDo9cD147AnfLSjR74plGCZBFt0tn/8fGE00G70ymo1FPqWqnVMvlrnaWwdgdlKeKbamPWw0Uo6ZHcglFlHq5ke2kEhRG4yFvk8PuuUygHShGe7uQAlWcqLw4H4/WZyy/bBVTyUfmXTg0ArEKdbb7iI/izGgGMv2NtSiV9/DutkiqmrGoc+gO6fYGfUc66XJMpAlH/FUs3Ebqk0ZSIR4j8NyygwgY+1Jm3yuSQCs6+MVH5nrf1VoAYGadMiB40lfmn1FkZwrkdWm+C00/exVqT2dys+AjMfpAFfmGY2LDjSavvqJXKYyX1x/kZ6D+gndhP2FcT9qscnScGjys8JrH
|
||||
pgusername: AgBUzpTtG8uIRRCjX3xN5UEvCybo2sgMk2v6SwoaO0TDVNMwZNKEjNigWeaD0nOX/gXu14X2KPX12YfXyaag+1CmaprUAVZzQDmF3Rseaz5MzqQnJlYfYdlWM4O+x0j2KLj+hKiw30P0T3IxZyngRw+T5c8hevYA2tXU0dvdmXZhs7L5M1mO1DJcef0tH/170RQ/8klUxaj/reWibK3DNxqCU/BOkJvUMoDkmb+hGlX4i4f0cPWEIYRjjXejDtL+LO7bMxzESqmb8VDPlDiIBvCYyBNdkN/F4ngfIAWxKBiMQTvsD8O7W3qdMDy55qHW3gPZY6ugLEyw/un6MtsaYSBame6kbjjEoy0pyyjB+SGWB6xxUIZ2Lfzflu8rZBnKEi2fkxsIAE71vhnLzcXn0WYjF3Hgh/fWQ6GYqJK9M5Ieiq6WVnWvztvWKuscZmVlHtRO9HtucCyiArvZE2yLRUDwI6NAws4R6gELadfjSECp1CRaOc53MrPHvYjIE/WWq1uI+0f0spaPV09mYEl5qGgcPW7V5ADXcmxIXHqtOfhEevrckILr9U9G/FU2q3ohveUiUUxBaMOzgAJ9mO64oDfLbit2WJqaqmdKy4xiVWwzxVDmWmNKFAs3DHNK7y9QNvYmrbM6370Pw2zsxc89yl0PvqCtzj57uUDh3ohNE3ZrTUHWsHkEniKiSCVRZD5LG9dEJKMD1nE=
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: passwordpusher-db-creds
|
||||
namespace: passwordpusher
|
||||
@@ -0,0 +1,16 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: passwordpusher-smtp-creds
|
||||
namespace: passwordpusher
|
||||
spec:
|
||||
encryptedData:
|
||||
PWP__MAIL_SMTP_PASSWORD: AgBgRYGOS6O5u6WDXxfqkLsVClufJe8O0K3/NBWKEnwKFKd/yeQVnkB/sd2apIFADK6auge+G5uFv9TejWJuqkU3QHbkvmnjnMtinRkt/lh0GrrCygmvzvwTQKCXefeqWHT5yvGtN0z6mLP73yOLoJmAMnZk9/QGHuw9jfuLEDREZ3cSrdYAAIWhospSPpvau2UNN2/yanjhmH0Yux2fZVkwKtDcS6YHFtL+s4VR7wcB/cvMaCX4vSezMtyQJhgHcmFLNHnNjjVdMEQVGMtrZ7XocbWJ0ZkvKotkuOFf/XMq5AM9ZVgaJB9di39JLweqpsfGVQJftgGW/f/edDSlbiOTjDO2cM93xY9OD9T2kts5MkeX1jLD+Q+V0OXL7+nor1jAfv/CwZ5sBibnQFKYaQpCRCw4c4pYX73VjbRsEcTHXJyfUpTJdlw8Jd3yPPL1Uqb6ga5xxUO7YsgfdH4HZYWuLR/x8Pk1Ne/qpctzHZcUkRto6MKPhkK1IW83qSJPGT3wNHgYcx6uMW9f9L/ox7k00GGWZ3Pj79khv9NJ8PXO0thsTuZktjskHYBmZk044CWpSiill0318pCaIXW6mpg5adGbeZLa+LZ9GNxMWP+iOJIcFyYNZs3GmlV08OQ741S2cbumOQhxppJkcWTdpkZrZlAanLa4XZsmW+PXmsujOsMLEuto3PpJxpujYAt3s6Nv7O79FlGqrfisRipdFw==
|
||||
PWP__MAIL_SMTP_USER_NAME: AgAli4SWEtNSiuRvbhuAYdRtBPpPYQfVp1cjiPXUqX7CxBG6bOdlMFzUPnjmZ3RVDq8UaRbwF1eJisnLt1nRCh5+DzpOXNgiU8ex2uZx7mQPf/nr/5p1HwJHbMZUo6Qieqo8NIwA0fwapQPsLizI90wI2J8f4m4nk4SXb0FW0h23SpulEJV99w92TPdOd/KuovVzEFltWeCWOsaHdVufKDsKLMFc4SNrkBwYxaCkuGnM6zICiLc7+5lF7cza8JukfGXsF12U04CkqgMDOOQG4GNNIeGSOc2GGtngpmYbuKZA1vk8ZnG3K+nVyD12bW2JhvWOBpNSc+29gLbizkNGI8QLhlxet3HznjYal9aqiIR2/glZgIUsnmgwmVg+VpxnM6A/R47sljeIzyzY0dkVxDyG1fDfKiWmXIWQU/7750Ct8XgMsVIkyDGQAK2g8o97a75lSnTngGq88VvTBLCiSEgumhPrMYf4n7ot4tSM1lfGuxmYdrOKXqXNkhBF+jxe27pd4ayCzcXniibZKRqhCozZZkAoYoo+V8tnIlewrTJhzm9THgKL849Df3Va9tI7EOvqHy82FjwTL++jCpUrOe1Emp11WpUJElnn+PUWRJnW02Xz+a0vP+mJMjC1XsylDM78i31a6Tw8Rfu7W4G7yuwzgU9GDCDL6dt7nsGUSNuucZz7CVx2pePFLWJBC8DmcuuWh/UlnrNp8IY/9kC34DAbwuBTQuFhYne1xWSA
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: passwordpusher-smtp-creds
|
||||
namespace: passwordpusher
|
||||
@@ -0,0 +1,98 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: passwordpusher-postgresql
|
||||
namespace: passwordpusher
|
||||
labels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: passwordpusher
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: 5432
|
||||
targetPort: tcp-postgresql
|
||||
selector:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: passwordpusher
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: passwordpusher-postgresql
|
||||
namespace: passwordpusher
|
||||
labels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: passwordpusher
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
serviceName: passwordpusher-postgresql
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: passwordpusher
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: passwordpusher
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: postgres:16-alpine
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: 5432
|
||||
env:
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: passwordpusher-db-creds
|
||||
key: pgusername
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: passwordpusher-db-creds
|
||||
key: pgpassword
|
||||
- name: POSTGRES_DB
|
||||
value: passwordpusher
|
||||
- name: PGDATA
|
||||
value: /var/lib/postgresql/data/pgdata
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- pg_isready -U "$POSTGRES_USER" -d passwordpusher
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- pg_isready -U "$POSTGRES_USER" -d passwordpusher
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 2Gi
|
||||
4
infra/overlays/upc-dev/passwordpusher/kustomization.yaml
Normal file
4
infra/overlays/upc-dev/passwordpusher/kustomization.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- passwordpusher.yaml
|
||||
43
infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
Normal file
43
infra/overlays/upc-dev/passwordpusher/passwordpusher.yaml
Normal file
@@ -0,0 +1,43 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: passwordpusher
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
labels:
|
||||
app.kubernetes.io/name: passwordpusher
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: https://pglombardo.github.io/passwordpusher-charts
|
||||
chart: password-pusher
|
||||
targetRevision: "1.4.4"
|
||||
helm:
|
||||
releaseName: passwordpusher
|
||||
valueFiles:
|
||||
- $values/infra/values/base/passwordpusher-values.yaml
|
||||
- $values/infra/values/upc-dev/passwordpusher-values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: passwordpusher
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- vaultwarden-postgresql.yaml
|
||||
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- postgresql.yaml
|
||||
- vaultwarden-db-secret-sealed.yaml
|
||||
@@ -0,0 +1,98 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: vaultwarden-postgresql
|
||||
namespace: vaultwarden
|
||||
labels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: vaultwarden
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: 5432
|
||||
targetPort: tcp-postgresql
|
||||
selector:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: vaultwarden
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: vaultwarden-postgresql
|
||||
namespace: vaultwarden
|
||||
labels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: vaultwarden
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
serviceName: vaultwarden-postgresql
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: vaultwarden
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: postgresql
|
||||
app.kubernetes.io/instance: vaultwarden
|
||||
app.kubernetes.io/component: database
|
||||
spec:
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: postgres:16-alpine
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: 5432
|
||||
env:
|
||||
- name: POSTGRES_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: prod-db-creds
|
||||
key: pgusername
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: prod-db-creds
|
||||
key: pgpassword
|
||||
- name: POSTGRES_DB
|
||||
value: vaultwarden
|
||||
- name: PGDATA
|
||||
value: /var/lib/postgresql/data/pgdata
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/postgresql/data
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- pg_isready -U "$POSTGRES_USER" -d vaultwarden
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- pg_isready -U "$POSTGRES_USER" -d vaultwarden
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 2Gi
|
||||
@@ -0,0 +1,20 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: prod-db-creds
|
||||
namespace: vaultwarden
|
||||
spec:
|
||||
encryptedData:
|
||||
DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
|
||||
SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
|
||||
SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
|
||||
adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
|
||||
pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
|
||||
pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: prod-db-creds
|
||||
namespace: vaultwarden
|
||||
@@ -0,0 +1,46 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: vaultwarden
|
||||
---
|
||||
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: vaultwarden-postgresql
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "0"
|
||||
labels:
|
||||
app.kubernetes.io/name: vaultwarden-postgresql
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
source:
|
||||
repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: vaultwarden
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: StatefulSet
|
||||
jsonPointers:
|
||||
- /spec/volumeClaimTemplates
|
||||
@@ -0,0 +1,21 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: keycloak-client-vaultwarden
|
||||
namespace: vaultwarden
|
||||
labels:
|
||||
keycloak.forteapps.net/client-config: "true"
|
||||
stringData:
|
||||
client.json: |
|
||||
{
|
||||
"clientId": "vaultwarden",
|
||||
"name": "Vaultwarden",
|
||||
"redirectUris": ["https://vaultwarden.forteapps.net/*"],
|
||||
"webOrigins": ["https://vaultwarden.forteapps.net"],
|
||||
"protocolMappers": [],
|
||||
"secret": {
|
||||
"namespace": "vaultwarden",
|
||||
"name": "vaultwarden-oidc-credentials",
|
||||
"keys": { "clientId": "client-id", "clientSecret": "client-secret" }
|
||||
}
|
||||
}
|
||||
5
infra/overlays/upc-dev/vaultwarden/kustomization.yaml
Normal file
5
infra/overlays/upc-dev/vaultwarden/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- vaultwarden.yaml
|
||||
- keycloak-client-config.yaml
|
||||
43
infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
Normal file
43
infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml
Normal file
@@ -0,0 +1,43 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: vaultwarden
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
labels:
|
||||
app.kubernetes.io/name: vaultwarden
|
||||
app.kubernetes.io/part-of: security
|
||||
app.kubernetes.io/managed-by: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
|
||||
sources:
|
||||
- repoURL: https://guerzon.github.io/vaultwarden
|
||||
chart: vaultwarden
|
||||
targetRevision: "0.36.4"
|
||||
helm:
|
||||
releaseName: vaultwarden
|
||||
valueFiles:
|
||||
- $values/infra/values/base/vaultwarden-values.yaml
|
||||
- $values/infra/values/upc-dev/vaultwarden-values.yaml
|
||||
|
||||
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
|
||||
targetRevision: HEAD
|
||||
ref: values
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: vaultwarden
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
allowEmpty: false
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- Validate=true
|
||||
- ServerSideApply=true
|
||||
15
infra/values/aks-dev/homepage-values.yaml
Normal file
15
infra/values/aks-dev/homepage-values.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
hosts:
|
||||
- host: start.forteapps.net
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: homepage-tls
|
||||
hosts:
|
||||
- start.forteapps.net
|
||||
@@ -35,6 +35,12 @@ server:
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "ArgoCD"
|
||||
gethomepage.dev/description: "GitOps continuous delivery"
|
||||
gethomepage.dev/group: "DevOps"
|
||||
gethomepage.dev/icon: "argo-cd"
|
||||
gethomepage.dev/href: "https://argocd.forteapps.net"
|
||||
tls: true
|
||||
extraArgs:
|
||||
- --insecure
|
||||
|
||||
@@ -41,6 +41,7 @@ gitea:
|
||||
oauth2:
|
||||
ENABLED: true
|
||||
ENABLE_AUTO_REGISTRATION: true
|
||||
ACCOUNT_LINKING: auto
|
||||
USERNAME: email
|
||||
|
||||
session:
|
||||
@@ -114,6 +115,15 @@ ingress:
|
||||
className: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Gitea"
|
||||
gethomepage.dev/description: "Git hosting & CI/CD"
|
||||
gethomepage.dev/group: "DevOps"
|
||||
gethomepage.dev/icon: "gitea"
|
||||
gethomepage.dev/href: "https://git.forteapps.net"
|
||||
gethomepage.dev/widget.type: "gitea"
|
||||
gethomepage.dev/widget.url: "https://git.forteapps.net"
|
||||
gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_GITEA_TOKEN}}"
|
||||
hosts:
|
||||
- host: git.forteapps.net
|
||||
paths:
|
||||
|
||||
@@ -3,11 +3,21 @@ ingress:
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Grafana"
|
||||
gethomepage.dev/description: "Metrics & observability dashboards"
|
||||
gethomepage.dev/group: "Monitoring"
|
||||
gethomepage.dev/icon: "grafana"
|
||||
gethomepage.dev/href: "https://grafana.forteapps.net"
|
||||
tls:
|
||||
- secretName: grafana-tls
|
||||
hosts:
|
||||
- grafana.forteapps.net
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 1Gi
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
|
||||
72
infra/values/base/homepage-values.yaml
Normal file
72
infra/values/base/homepage-values.yaml
Normal file
@@ -0,0 +1,72 @@
|
||||
# Homepage Helm Values
|
||||
# Chart: jameswynn/homepage — https://gethomepage.dev
|
||||
# Discovery: K8s service annotations (gethomepage.dev/*)
|
||||
# Each deployed app annotates its own Service — apps not deployed = not visible.
|
||||
|
||||
# RBAC ClusterRole — required for cluster-wide service annotation scanning
|
||||
enableRbac: true
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: homepage
|
||||
|
||||
config:
|
||||
# Scan all namespaces for services with gethomepage.dev/enabled: "true"
|
||||
kubernetes:
|
||||
mode: cluster
|
||||
traefik: true
|
||||
|
||||
settings:
|
||||
title: "Platform"
|
||||
headerStyle: clean
|
||||
layout:
|
||||
Apps:
|
||||
style: row
|
||||
columns: 3
|
||||
Security:
|
||||
style: row
|
||||
columns: 3
|
||||
Tools:
|
||||
style: row
|
||||
header: false
|
||||
columns: 2
|
||||
DevOps:
|
||||
style: column
|
||||
rows: 2
|
||||
Monitoring:
|
||||
style: column
|
||||
rows: 1
|
||||
|
||||
# Top-of-page cluster overview widget
|
||||
widgets:
|
||||
- kubernetes:
|
||||
cluster:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
label: "Cluster"
|
||||
nodes:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
# In-cluster entries come from K8s service annotations.
|
||||
# External (out-of-cluster) services are listed here statically.
|
||||
bookmarks: []
|
||||
services: []
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
|
||||
env:
|
||||
- name: HOMEPAGE_ALLOWED_HOSTS
|
||||
value: start.forteapps.net
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: homepage-widget-credentials
|
||||
@@ -18,6 +18,12 @@ ingress:
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Keycloak"
|
||||
gethomepage.dev/description: "Identity & access management"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "keycloak"
|
||||
gethomepage.dev/href: "https://id.forteapps.net/admin/forte-test/console/"
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
@@ -52,6 +58,9 @@ keycloakConfigCli:
|
||||
enabled: true
|
||||
image:
|
||||
repository: bitnamilegacy/keycloak-config-cli
|
||||
extraEnvVars:
|
||||
- name: IMPORT_MANAGED_PROTOCOL_MAPPER
|
||||
value: "no-delete"
|
||||
configuration:
|
||||
forte-realm.json: |
|
||||
{
|
||||
@@ -95,6 +104,18 @@ keycloakConfigCli:
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "groups",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-group-membership-mapper",
|
||||
"config": {
|
||||
"claim.name": "groups",
|
||||
"full.path": "false",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
@@ -167,7 +188,54 @@ keycloakConfigCli:
|
||||
]
|
||||
}
|
||||
],
|
||||
"browserFlow": "browser-auto-idp",
|
||||
"authenticationFlows": [
|
||||
{
|
||||
"alias": "browser-auto-idp",
|
||||
"description": "Browser flow with auto-redirect to Forte Entra IdP",
|
||||
"providerId": "basic-flow",
|
||||
"topLevel": true,
|
||||
"builtIn": false,
|
||||
"authenticationExecutions": [
|
||||
{
|
||||
"authenticator": "auth-cookie",
|
||||
"authenticatorFlow": false,
|
||||
"requirement": "ALTERNATIVE",
|
||||
"priority": 10
|
||||
},
|
||||
{
|
||||
"authenticator": "identity-provider-redirector",
|
||||
"authenticatorFlow": false,
|
||||
"requirement": "ALTERNATIVE",
|
||||
"priority": 20,
|
||||
"authenticatorConfig": "forte-entra-redirector"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"authenticatorConfig": [
|
||||
{
|
||||
"alias": "forte-entra-redirector",
|
||||
"config": {
|
||||
"defaultProvider": "forte-entra"
|
||||
}
|
||||
}
|
||||
],
|
||||
"groups": [
|
||||
{
|
||||
"name": "k8s",
|
||||
"path": "/k8s",
|
||||
"clientRoles": {
|
||||
"grafana": ["Editor"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dev",
|
||||
"path": "/dev",
|
||||
"clientRoles": {
|
||||
"grafana": ["Viewer"]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "ArgoCD Admins",
|
||||
"path": "/ArgoCD Admins"
|
||||
@@ -437,10 +505,10 @@ extraDeploy:
|
||||
CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
|
||||
|
||||
# Check if credential Secret already exists in target namespace
|
||||
CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||
CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
|
||||
--cacert "$CA_CERT" \
|
||||
-H "Authorization: Bearer ${SA_TOKEN}" \
|
||||
"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
|
||||
"${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
|
||||
|
||||
# Skip if hash matches and credential Secret exists
|
||||
if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
|
||||
@@ -460,44 +528,47 @@ extraDeploy:
|
||||
publicClient: false,
|
||||
redirectUris: .redirectUris,
|
||||
webOrigins: .webOrigins,
|
||||
defaultClientScopes: .defaultClientScopes,
|
||||
protocolMappers: (.protocolMappers // [])
|
||||
}')
|
||||
} | with_entries(select(.value != null))')
|
||||
|
||||
# Check if client already exists
|
||||
EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
|
||||
| jq -r '.[0].id // empty')
|
||||
EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
|
||||
EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
|
||||
|
||||
if [ -n "$EXISTING" ]; then
|
||||
echo " Updating existing Keycloak client (uuid: ${EXISTING})"
|
||||
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||
RESPONSE=$(curl -s -w "\n%{http_code}" \
|
||||
-H "Authorization: Bearer ${TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-X PUT -d "$KC_CLIENT" \
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
|
||||
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
|
||||
RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
|
||||
if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
|
||||
echo " ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
|
||||
echo " ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
|
||||
annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
|
||||
continue
|
||||
fi
|
||||
CLIENT_UUID="$EXISTING"
|
||||
else
|
||||
echo " Creating new Keycloak client '${CLIENT_ID}'"
|
||||
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||
RESPONSE=$(curl -s -w "\n%{http_code}" \
|
||||
-H "Authorization: Bearer ${TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-X POST -d "$KC_CLIENT" \
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
|
||||
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
|
||||
RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
|
||||
if [ "$HTTP_CODE" != "201" ]; then
|
||||
echo " ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
|
||||
echo " ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
|
||||
annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
|
||||
continue
|
||||
fi
|
||||
# Fetch the newly created client's UUID
|
||||
CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
|
||||
CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
|
||||
"${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
|
||||
| jq -r '.[0].id')
|
||||
| jq -r '.[0].id' || true)
|
||||
fi
|
||||
|
||||
# Sync credentials to target namespace
|
||||
|
||||
7
infra/values/base/passwordpusher-values.yaml
Normal file
7
infra/values/base/passwordpusher-values.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
image:
|
||||
repository: docker.io/pglombardo/pwpush
|
||||
tag: "release-1.51.0"
|
||||
|
||||
# Disable the bundled postgresql subchart — we run our own StatefulSet
|
||||
postgresql:
|
||||
enabled: false
|
||||
36
infra/values/base/vault-values.yaml
Normal file
36
infra/values/base/vault-values.yaml
Normal file
@@ -0,0 +1,36 @@
|
||||
# HashiCorp Vault Helm Chart Values
|
||||
# Chart: hashicorp/vault v0.32.0
|
||||
|
||||
server:
|
||||
standalone:
|
||||
enabled: true
|
||||
|
||||
dataStorage:
|
||||
enabled: true
|
||||
size: 5Gi
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 250m
|
||||
memory: 256Mi
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: traefik
|
||||
pathType: Prefix
|
||||
activeService: true
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Vault"
|
||||
gethomepage.dev/description: "Secrets management"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "vault"
|
||||
gethomepage.dev/href: "https://vault.forteapps.net"
|
||||
|
||||
ui:
|
||||
enabled: true
|
||||
serviceType: ClusterIP
|
||||
3
infra/values/base/vaultwarden-values.yaml
Normal file
3
infra/values/base/vaultwarden-values.yaml
Normal file
@@ -0,0 +1,3 @@
|
||||
image:
|
||||
tag: "1.36.0-alpine"
|
||||
domain: "https://vaultwarden.forteapps.net"
|
||||
@@ -1,3 +1,10 @@
|
||||
ingress:
|
||||
enabled: true
|
||||
host: databunker.forteapps.net
|
||||
annotations:
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "Databunker"
|
||||
gethomepage.dev/description: "Secure Database for PII and PCI Records"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "double-take"
|
||||
gethomepage.dev/href: "https://databunker.forteapps.net"
|
||||
|
||||
65
infra/values/upc-dev/homepage-values.yaml
Normal file
65
infra/values/upc-dev/homepage-values.yaml
Normal file
@@ -0,0 +1,65 @@
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
hosts:
|
||||
- host: start.forteapps.net
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: homepage-tls
|
||||
hosts:
|
||||
- start.forteapps.net
|
||||
|
||||
config:
|
||||
settings:
|
||||
title: "Forte Platform"
|
||||
headerStyle: clean
|
||||
layout:
|
||||
Apps:
|
||||
style: row
|
||||
columns: 2
|
||||
Security:
|
||||
style: row
|
||||
columns: 3
|
||||
Tools:
|
||||
style: row
|
||||
header: false
|
||||
columns: 2
|
||||
DevOps:
|
||||
style: column
|
||||
rows: 2
|
||||
Monitoring:
|
||||
style: column
|
||||
rows: 1
|
||||
|
||||
# Top-of-page cluster overview widget
|
||||
widgets:
|
||||
- kubernetes:
|
||||
cluster:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
label: "Cluster"
|
||||
nodes:
|
||||
show: true
|
||||
cpu: true
|
||||
memory: true
|
||||
showLabel: true
|
||||
# In-cluster entries come from K8s service annotations.
|
||||
# External (out-of-cluster) services are listed here statically.
|
||||
bookmarks: []
|
||||
services:
|
||||
- Apps:
|
||||
- Forte Benken:
|
||||
href: https://benken.hackathon.forteapps.net
|
||||
description: Teknisk kompetanse fra offentlige anbud
|
||||
icon: forte
|
||||
- Forte Feedback:
|
||||
href: https://feedback.forteapps.net
|
||||
description: Fortes internal feedback app
|
||||
icon: forte
|
||||
50
infra/values/upc-dev/passwordpusher-values.yaml
Normal file
50
infra/values/upc-dev/passwordpusher-values.yaml
Normal file
@@ -0,0 +1,50 @@
|
||||
env:
|
||||
PWP__HOST_DOMAIN: pwpush.forteapps.net
|
||||
PWP__HOST_PROTOCOL: https
|
||||
PWP__ENABLE_LOGINS: "true"
|
||||
PWP__ALLOW_ANONYMOUS: "false"
|
||||
PWP__SIGNUPS_ENABLED: "false"
|
||||
PWP__MAIL_RAISE_DELIVERY_ERRORS: "false"
|
||||
PWP__MAIL_SMTP_ADDRESS: smtp.office365.com
|
||||
PWP__MAIL_SMTP_PORT: "587"
|
||||
PWP__MAIL_SMTP_AUTHENTICATION: login
|
||||
PWP__MAIL_SMTP_STARTTLS: "true"
|
||||
PWP__MAIL_SMTP_DOMAIN: fortedigital.com
|
||||
PWP__MAIL_SENDER: noreply@fortedigital.com
|
||||
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: passwordpusher-db-creds
|
||||
- secretRef:
|
||||
name: passwordpusher-smtp-creds
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
className: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "PasswordPusher"
|
||||
gethomepage.dev/description: "Share passwords securely with expiring links"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "passwordpusher"
|
||||
gethomepage.dev/href: "https://pwpush.forteapps.net"
|
||||
hosts:
|
||||
- host: pwpush.forteapps.net
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: passwordpusher-tls
|
||||
hosts:
|
||||
- pwpush.forteapps.net
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
|
||||
replicaCount: 1
|
||||
9
infra/values/upc-dev/vault-values.yaml
Normal file
9
infra/values/upc-dev/vault-values.yaml
Normal file
@@ -0,0 +1,9 @@
|
||||
server:
|
||||
ingress:
|
||||
hosts:
|
||||
- host: vault.forteapps.net
|
||||
paths: []
|
||||
tls:
|
||||
- secretName: vault-tls
|
||||
hosts:
|
||||
- vault.forteapps.net
|
||||
82
infra/values/upc-dev/vaultwarden-values.yaml
Normal file
82
infra/values/upc-dev/vaultwarden-values.yaml
Normal file
@@ -0,0 +1,82 @@
|
||||
adminToken:
|
||||
existingSecret: "prod-db-creds"
|
||||
existingSecretKey: "adminToken"
|
||||
domain: "https://vaultwarden.forteapps.net"
|
||||
signupsAllowed: false
|
||||
resourceType: StatefulSet
|
||||
database:
|
||||
type: postgresql
|
||||
host: vaultwarden-postgresql
|
||||
port: "5432"
|
||||
dbName: vaultwarden
|
||||
existingSecret: prod-db-creds
|
||||
existingSecretKey: DATABASE_URL
|
||||
existingSecretUserKey: pgusername
|
||||
existingSecretPasswordKey: pgpassword
|
||||
ingress:
|
||||
enabled: true
|
||||
class: "traefik"
|
||||
tls: true
|
||||
tlsSecret: vaultwarden-tls
|
||||
hostname: vaultwarden.forteapps.net
|
||||
additionalAnnotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
gethomepage.dev/enabled: "true"
|
||||
gethomepage.dev/name: "VaultWarden"
|
||||
gethomepage.dev/description: "Password management"
|
||||
gethomepage.dev/group: "Security"
|
||||
gethomepage.dev/icon: "vaultwarden"
|
||||
gethomepage.dev/href: "https://vaultwarden.forteapps.net"
|
||||
|
||||
replicas: 1
|
||||
# Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs
|
||||
|
||||
service:
|
||||
sessionAffinity: ClientIP
|
||||
sessionAffinityConfig:
|
||||
clientIP:
|
||||
timeoutSeconds: 10800
|
||||
|
||||
smtp:
|
||||
host: smtp.office365.com
|
||||
security: starttls
|
||||
port: 587
|
||||
authMechanism: "Login"
|
||||
from: noreply@fortedigital.com
|
||||
fromName: "Forte Bitwarden Administrator"
|
||||
debug: true
|
||||
existingSecret: prod-db-creds
|
||||
username:
|
||||
existingSecretKey: SMTP_USERNAME
|
||||
password:
|
||||
existingSecretKey: SMTP_PASSWORD
|
||||
|
||||
storage:
|
||||
data:
|
||||
name: "vaultwarden-data"
|
||||
size: "5Gi"
|
||||
class: ""
|
||||
path: "/data"
|
||||
keepPvc: true
|
||||
accessMode: "ReadWriteOnce"
|
||||
|
||||
attachments:
|
||||
name: "vaultwarden-files"
|
||||
size: "5Gi"
|
||||
class: ""
|
||||
path: /files
|
||||
keepPvc: true
|
||||
accessMode: "ReadWriteOnce"
|
||||
|
||||
sso:
|
||||
enabled: true
|
||||
existingSecret: vaultwarden-oidc-credentials
|
||||
authority: "https://id.forteapps.net/realms/forte"
|
||||
scopes: "email profile"
|
||||
onlySSO: true
|
||||
pkce: true
|
||||
signupsMatchEmail: true
|
||||
clientId:
|
||||
existingSecretKey: client-id
|
||||
clientSecret:
|
||||
existingSecretKey: client-secret
|
||||
Submodule shared-prompts updated: c5bc55b3d7...b79858d73c
Reference in New Issue
Block a user