diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5c97abf0b3e9ce7d5de395d15f2fe7f7f9093c30..ade880c3eac7faec7a89b13d61ef402cd5a63b6e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -48,39 +48,6 @@ deploy_cert_manager:
-f values/cert_manager.yaml
- kubectl -n $KUBE_NAMESPACE apply -f resources/letsencrypt-issuers.yaml
-deploy_dashboard:
- stage: deploy
- rules:
- - if: $CI_COMMIT_REF_NAME == "main"
- changes:
- - values/dashboard.yaml
- - values/oauth2_proxy.yaml
- - .gitlab-ci.yml
- tags:
- - teckids-trusted
- environment:
- name: production/teckids/dashboard
- before_script:
- - helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
- - helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
- - helm repo update
- script:
- - export KUBE_NAMESPACE=kubernetes-dashboard
- - echo $KUBECONFIG | base64 -d > /tmp/kubeconfig
- - export KUBECONFIG=/tmp/kubeconfig
- - helm upgrade --install -n $KUBE_NAMESPACE teckids-dashboard kubernetes-dashboard/kubernetes-dashboard
- --set podAnnotations.'app\.gitlab\.com'/env=$CI_ENVIRONMENT_SLUG
- --set podAnnotations.'app\.gitlab\.com'/app=$CI_PROJECT_PATH_SLUG
- --set ingress.annotations.'nginx\.ingress\.kubernetes\.io'/auth-url="http://teckids-oauth-oauth2-proxy.$KUBE_NAMESPACE.svc.cluster.local/oauth2/auth"
- -f values/dashboard.yaml
- - helm upgrade --install -n $KUBE_NAMESPACE teckids-oauth oauth2-proxy/oauth2-proxy
- --set podAnnotations.'app\.gitlab\.com'/env=$CI_ENVIRONMENT_SLUG
- --set podAnnotations.'app\.gitlab\.com'/app=$CI_PROJECT_PATH_SLUG
- --set config.clientID=$OAUTH2ID
- --set config.clientSecret=$OAUTH2SECRET
- --set config.cookieSecret=$OAUTH2COOKIE
- -f values/oauth2_proxy.yaml
-
deploy_general_resources:
stage: deploy
rules:
diff --git a/values/dashboard.yaml b/values/dashboard.yaml
deleted file mode 100644
index 6976838e03b665f2c21faba1aa0e06882fc5dee8..0000000000000000000000000000000000000000
--- a/values/dashboard.yaml
+++ /dev/null
@@ -1,288 +0,0 @@
-# Copyright 2020 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Default values for kubernetes-dashboard
-# This is a YAML-formatted file.
-# Declare name/value pairs to be passed into your templates.
-# name: value
-
-image:
- ## Repository for container
- repository: kubernetesui/dashboard
- tag: v2.7.0
- pullPolicy: IfNotPresent
- pullSecrets: []
-
-## Number of replicas
-replicaCount: 2
-
-## Here annotations can be added to the kubernetes dashboard deployment
-annotations: {}
-## Here labels can be added to the kubernetes dashboard deployment
-labels: {}
-
-## Additional container arguments
-##
-# extraArgs:
-# - --enable-skip-login
-# - --enable-insecure-login
-# - --system-banner="Welcome to Kubernetes"
-
-## Additional container environment variables
-##
-extraEnv: []
-# - name: SOME_VAR
-# value: 'some value'
-
-## Additional volumes to be added to kubernetes dashboard pods
-##
-extraVolumes: []
-# - name: dashboard-kubeconfig
-# secret:
-# defaultMode: 420
-# secretName: dashboard-kubeconfig
-
-## Additional volumeMounts to be added to kubernetes dashboard container
-##
-extraVolumeMounts: []
-# - mountPath: /kubeconfig
-# name: dashboard-kubeconfig
-# readOnly: true
-
-## Annotations to be added to kubernetes dashboard pods
-# podAnnotations:
-
-# SecurityContext to be added to kubernetes dashboard pods
-securityContext:
- seccompProfile:
- type: RuntimeDefault
-
-# Labels to be added to kubernetes dashboard pods
-podLabels: {}
-
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
-# - key: "key"
-# operator: "Equal|Exists"
-# value: "value"
-# effect: "NoSchedule|PreferNoSchedule|NoExecute"
-
-## Affinity for pod assignment
-## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-affinity: {}
-
-## Name of Priority Class of pods
-# priorityClassName: ""
-
-## Pod resource requests & limits
-resources:
- requests:
- cpu: 100m
- memory: 200Mi
- limits:
- cpu: 2
- memory: 200Mi
-
-## Serve application over HTTP without TLS
-##
-## Note: If set to true, you may want to add --enable-insecure-login to extraArgs
-protocolHttp: false
-
-service:
- type: ClusterIP
- # Dashboard service port
- externalPort: 443
-
- ## LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
- ## set allowed inbound rules on the security group assigned to the master load balancer
-# loadBalancerSourceRanges:
-# - "188.246.4.204/32"
-# - "46.41.20.17/28"
-# - "213.239.195.102/32"
-# - "91.204.44.72/32"
-# - "91.204.44.73/32"
-# - "62.154.226.94/32"
-# - "46.243.120.67/32"
-# - "46.243.121.252/32"
-# - "46.243.120.69/32"
-# - "46.243.121.250/32"
-# - "46.243.120.67/32"
-# - "81.16.18.29/32"
-# - "87.162.124.119/32"
-# - "2a02:a00:e00f:ffff::7:1717"
-# - "2a01:4f8:222:1451:d01f:ea75:bad:f00d"
-# - "2a03:4000:20:205::/64"
-# - "2a03:4000:20:210::/64"
-# - "2003:5b:203b:200::/64"
-# - "2003:5b:203b:101::/64"
-# - "2003:5b:203b:100::/64"
-# - "2003:5b:203b:ca00::/56"
-# - "2a03:4000:20:243::1/64"
-
- ## A user-specified IP address for load balancer to use as External IP (if supported)
- # loadBalancerIP:
-
- ## Additional Kubernetes Dashboard Service annotations
- annotations: {}
-
- ## Here labels can be added to the Kubernetes Dashboard service
- labels: {}
-
- ## Enable or disable the kubernetes.io/cluster-service label. Should be disabled for GKE clusters >=1.15.
- ## Otherwise, the addon manager will presume ownership of the service and try to delete it.
- clusterServiceLabel:
- enabled: true
- key: "kubernetes.io/cluster-service"
-
-ingress:
- ## If true, Kubernetes Dashboard Ingress will be created.
- ##
- enabled: true
- className: "nginx"
-
- annotations:
- kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-email, x-auth-request-user
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS
- nginx.ingress.kubernetes.io/configuration-snippet: |
- auth_request_set $token $upstream_http_authorization;
- proxy_set_header Authorization $token;
- nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
- cert-manager.io/cluster-issuer: "letsencrypt-prod"
-
- paths:
- - /
- hosts:
- - dashboard.kube.teckids.org
- tls:
- - hosts:
- - dashboard.kube.teckids.org
- secretName: dashboard-tls
-
-settings:
- ## Cluster name that appears in the browser window title if it is set
- clusterName: "Teckids-Prod"
- ## Max number of items that can be displayed on each list page
- itemsPerPage: 10
- ## Number of seconds between every auto-refresh of logs
- logsAutoRefreshTimeInterval: 5
- ## Number of seconds between every auto-refresh of every resource. Set 0 to disable
- resourceAutoRefreshTimeInterval: 5
- ## Hide all access denied warnings in the notification panel
- disableAccessDeniedNotifications: false
-
-## Pinned CRDs that will be displayed in dashboard's menu
-pinnedCRDs:
- []
- # - kind: customresourcedefinition
- ## Fully qualified name of a CRD
- # name: prometheuses.monitoring.coreos.com
- ## Display name
- # displayName: Prometheus
- ## Is this CRD namespaced?
- # namespaced: true
-
-## Metrics Scraper
-## Container to scrape, store, and retrieve a window of time from the Metrics Server.
-## refs: https://github.com/kubernetes-sigs/dashboard-metrics-scraper
-metricsScraper:
- ## Wether to enable dashboard-metrics-scraper
- enabled: true
- image:
- repository: kubernetesui/metrics-scraper
- tag: v1.0.8
- resources: {}
- ## SecurityContext for the kubernetes dashboard metrics scraper container
- containerSecurityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
-
-metrics-server:
- enabled: true
- ## Example for additional args
- args:
- - --kubelet-insecure-tls
-
-rbac:
- # Specifies whether namespaced RBAC resources (Role, Rolebinding) should be created
- create: true
-
- # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) to access metrics should be created
- # Independent from rbac.create parameter.
- clusterRoleMetrics: true
-
- # Start in ReadOnly mode.
- # Specifies whether cluster-wide RBAC resources (ClusterRole, ClusterRolebinding) with read only permissions to all resources listed inside the cluster should be created
- # Only dashboard-related Secrets and ConfigMaps will still be available for writing.
- #
- # The basic idea of the clusterReadOnlyRole
- # is not to hide all the secrets and sensitive data but more
- # to avoid accidental changes in the cluster outside the standard CI/CD.
- #
- # It is NOT RECOMMENDED to use this version in production.
- # Instead you should review the role and remove all potentially sensitive parts such as
- # access to persistentvolumes, pods/log etc.
- #
- # Independent from rbac.create parameter.
- clusterReadOnlyRole: false
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name:
-
-livenessProbe:
- # Number of seconds to wait before sending first probe
- initialDelaySeconds: 30
- # Number of seconds to wait for probe response
- timeoutSeconds: 30
-
-## podDisruptionBudget
-## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
-podDisruptionBudget:
- enabled: true
- ## Minimum available instances; ignored if there is no PodDisruptionBudget
- minAvailable: 1
- ## Maximum unavailable instances; ignored if there is no PodDisruptionBudget
- # maxUnavailable:
-
-## PodSecurityContext for pod level securityContext
-# securityContext:
-# runAsUser: 1001
-# runAsGroup: 2001
-
-## SecurityContext for the kubernetes dashboard container
-containerSecurityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
-
-networkPolicy:
- # Whether to create a network policy that allows/restricts access to the service
- enabled: false
-
-## podSecurityPolicy for fine-grained authorization of pod creation and updates
-podSecurityPolicy:
- # Specifies whether a pod security policy should be created
- enabled: false
diff --git a/values/oauth2_proxy.yaml b/values/oauth2_proxy.yaml
deleted file mode 100644
index 2663d4d8a38c4399930a109c83df98ebb3f4e5ef..0000000000000000000000000000000000000000
--- a/values/oauth2_proxy.yaml
+++ /dev/null
@@ -1,255 +0,0 @@
-# Oauth client configuration specifics
-config:
- # OAuth client ID
- clientID: "" # Set by ci
- # OAuth client secret
- clientSecret: "" # Set by variable
- # Create a new secret with the following command
- # openssl rand -base64 32 | head -c 32 | base64
- # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
- # Example:
- # existingSecret: secret
- cookieSecret: "" # Set by ci variable
- # The name of the cookie that oauth2-proxy will create
- # If left empty, it will default to the release name
- cookieName: ""
- configFile: |-
- email_domains = [ "*" ]
- upstreams = [ "file:///dev/null" ]
- # Custom configuration file: oauth2_proxy.cfg
- # configFile: |-
- # pass_basic_auth = false
- # pass_access_token = true
- # Use an existing config map (see configmap.yaml for required fields)
- # Example:
- # existingConfig: config
-
-image:
- repository: "quay.io/oauth2-proxy/oauth2-proxy"
- tag: "v7.3.0"
- pullPolicy: "IfNotPresent"
-
-extraArgs:
- provider: oidc
- redirect-url: $(REDIRECT_URL)
- oidc-issuer-url: $(OIDC_ISSUER_URL)
- set-authorization-header: true
- email-domain: '*'
- cookie-expire: 6h
- scope: openid profile email
- pass-access-token: true
- skip-jwt-bearer-tokens: true
-
-extraEnv:
- - name: REDIRECT_URL
- value: "https://dashboard.kube.teckids.org/oauth2/callback"
- - name: OIDC_ISSUER_URL
- value: "https://ticdesk.teckids.org/oauth"
-
-# To authorize individual email addresses
-# That is part of extraArgs but since this needs special treatment we need to do a separate section
-authenticatedEmailsFile:
- enabled: false
- # Defines how the email addresses file will be projected, via a configmap or secret
- persistence: configmap
- # template is the name of the configmap what contains the email user list but has been configured without this chart.
- # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
- # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the
- # provided value in restrictedUserAccessKey field.
- template: ""
- # The configmap/secret key under which the list of email access is stored
- # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
- restrictedUserAccessKey: ""
- # One email per line
- # example:
- # restricted_access: |-
- # name1@domain
- # name2@domain
- # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
- # config map resource.
- restricted_access: ""
- annotations: {}
- # helm.sh/resource-policy: keep
-
-service:
- type: ClusterIP
- # when service.type is ClusterIP ...
- # clusterIP: 192.0.2.20
- # when service.type is LoadBalancer ...
- # loadBalancerIP: 198.51.100.40
- # loadBalancerSourceRanges: 203.0.113.0/24
- portNumber: 80
- annotations: {}
- # foo.io/bar: "true"
-
-## Create or use ServiceAccount
-serviceAccount:
- ## Specifies whether a ServiceAccount should be created
- enabled: true
- ## The name of the ServiceAccount to use.
- ## If not set and create is true, a name is generated using the fullname template
- name:
- annotations: {}
-
-ingress:
- enabled: true
- className: nginx
- path: /oauth2
- # Only used if API capabilities (networking.k8s.io/v1) allow it
- pathType: ImplementationSpecific
- # Used to create an Ingress record.
- hosts:
- - dashboard.kube.teckids.org
- tls:
- - hosts:
- - dashboard.kube.teckids.org
- secretName: dashboard-tls
-
- # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
- # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
- # extraPaths:
- # - path: /*
- # pathType: ImplementationSpecific
- # backend:
- # service:
- # name: ssl-redirect
- # port:
- # name: use-annotation
- # annotations:
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- # tls:
- # Secrets must be manually created in the namespace.
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # limits:
- # cpu: 100m
- # memory: 300Mi
- # requests:
- # cpu: 100m
- # memory: 300Mi
-
-extraVolumes: []
- # - name: ca-bundle-cert
- # secret:
- # secretName: <secret-name>
-
-extraVolumeMounts: []
- # - mountPath: /etc/ssl/certs/
- # name: ca-bundle-cert
-
-priorityClassName: ""
-
-# Affinity for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# affinity: {}
-
-# Tolerations for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-# Node labels for pod assignment
-# Ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-
-# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
-proxyVarsAsSecrets: true
-
-# Configure Kubernetes liveness and readiness probes.
-# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
-# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
-livenessProbe:
- enabled: true
- initialDelaySeconds: 0
- timeoutSeconds: 1
-
-readinessProbe:
- enabled: true
- initialDelaySeconds: 0
- timeoutSeconds: 1
- periodSeconds: 10
- successThreshold: 1
-
-# Configure Kubernetes security context for container
-# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-securityContext:
- enabled: false
- runAsNonRoot: true
-
-podAnnotations: {}
-podLabels: {}
-replicaCount: 2
-
-## PodDisruptionBudget settings
-## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
-podDisruptionBudget:
- enabled: true
- minAvailable: 1
-
-# Configure Kubernetes security context for pod
-# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-podSecurityContext: {}
-
-# whether to use http or https
-httpScheme: http
-
-# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
-# Alternatively supply an existing secret which contains the required information.
-htpasswdFile:
- enabled: false
- existingSecret: ""
- entries: {}
- # One row for each user
- # example:
- # entries:
- # - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
-
-# Configure the session storage type, between cookie and redis
-sessionStorage:
- # Can be one of the supported session storage cookie/redis
- type: cookie
- redis:
- # Secret name that holds the redis-password and redis-sentinel-password values
- existingSecret: ""
- password: ""
- # Can be one of sentinel/cluster/standalone
- clientType: "standalone"
- standalone:
- # If empty and sessionStorage type is redis, will automatically be generated.
- connectionUrl: ""
- cluster:
- # connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
- connectionUrls: []
- sentinel:
- password: ""
- masterName: ""
- # connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
- connectionUrls: []
-
-# Enables and configure the automatic deployment of the redis subchart
-redis:
- # provision an instance of the redis sub-chart
- enabled: false
- # Redis specific helm chart settings, please see:
- # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
- # redisPort: 6379
- # cluster:
- # enabled: false
- # slaveCount: 1
-
-# Enables apiVersion deprecation checks
-checkDeprecation: true
-
-metrics:
- # Enable Prometheus metrics endpoint
- enabled: true
- # Serve Prometheus metrics on this port
- port: 44180
- servicemonitor:
- enabled: true
- prometheusInstance: kube-prometheus-stack-prometheus
- interval: 60s
- scrapeTimeout: 30s