feat(helm): create packaged cluster addons

Makefile

@@ -68,3 +68,21 @@ odance:
 	helm repo add bitnami https://charts.bitnami.com/bitnami
 	helm repo update bitnami
 	helm --kube-context moos -n odance-prd upgrade --install --atomic odance bitnami/wordpress -f deploy/helm/odance.values.yaml
+
+.PHONY: cluster-addons
+cluster-addons: ingress dashboard
+
+.PHONY: ingress
+ingress:
+	kubectl create ns ingress --dry-run=client -o yaml | kubectl apply -f -
+	helm upgrade ingress charts/ingress --namespace ingress --install --atomic
+
+.PHONY: dashboard
+dashboard:
+	kubectl create ns dashboard --dry-run=client -o yaml | kubectl apply -f -
+	helm upgrade dashboard charts/dashboard --namespace dashboard --install --atomic --values secret-dashboard.yaml
+
+.PHONY: registry
+registry:
+	kubectl create ns registry --dry-run=client -o yaml | kubectl apply -f -
+	helm upgrade registry charts/registry --namespace registry --install --atomic --values secret-registry.yaml

charts/dashboard/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: kubernetes-dashboard
+  repository: https://kubernetes.github.io/dashboard/
+  version: 7.0.0-alpha1
+- name: oauth2-proxy
+  repository: https://oauth2-proxy.github.io/manifests
+  version: 6.17.1
+digest: sha256:e8ffbd60a0ac7f6a29db62e99393ea8b63da4827248b0730097893458b8ed0be
+generated: "2023-10-07T00:45:58.787399949+02:00"

charts/dashboard/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: dashboard
+description: |
+  This helm chart installs the Kubernetes dashboard
+  and configures forward authentication.
+version: 0.1.0
+dependencies:
+  - name: kubernetes-dashboard
+    version: 7.0.0-alpha1
+    repository: https://kubernetes.github.io/dashboard/
+    condition: kubernetes-dashboard.enabled
+  - name: oauth2-proxy
+    version: 6.17.1
+    repository: https://oauth2-proxy.github.io/manifests
+    condition: oauth2-proxy.enabled

charts/dashboard/templates/rolebindings.yaml

@@ -0,0 +1,28 @@
+{{ if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+{{ range $binding := .Values.bindings -}}
+kind: {{ $binding.kind }}Binding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $.Release.Name }}-{{ $binding.role }}s
+  {{- if $binding.namespace }}
+  namespace: {{ $binding.namespace }}
+  {{- end }}
+  annotations:
+    meta.helm.sh/release-name: {{ $.Release.Name }}
+    meta.helm.sh/release-namespace: {{ $.Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ $binding.kind }}
+  name: {{ $binding.role }}
+subjects:
+  {{- range $user := $binding.users }}
+  - kind: User
+    name: {{ $user }}
+  {{- end }}
+  {{- range $group := $binding.groups }}
+  - kind: Group
+    name: {{ $group }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}

charts/dashboard/values.yaml

@@ -0,0 +1,85 @@
+# Configure role bindings to allow users to access the dashboard.
+bindings: []
+# - # Must be either `ClusterRole` or `Role``.
+#   kind: ClusterRole
+#   role: cluster-admin
+#   users:
+#     - [email protected]
+# - # Must be either `ClusterRole` or `Role``.
+#   kind: ClusterRole
+#   role: cluster-admin
+#   groups:
+#     - platform-engineers
+
+kubernetes-dashboard:
+  enabled: true
+  nginx:
+    enabled: false
+  cert-manager:
+    enabled: false
+  metrics-server:
+    enabled: false
+  app:
+    ingress:
+      enabled: false
+
+oauth2-proxy:
+  enabled: true
+  ingress:
+    enabled: true
+    className: traefik
+    hosts:
+      - dashboard.november.nicklasfrahm.dev
+    path: /
+    pathType: Prefix
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-production
+    tls:
+      - secretName: dev-nicklasfrahm-november-dashboard-tls
+        hosts:
+          - dashboard.november.nicklasfrahm.dev
+  extraArgs: {}
+
+  config:
+    clientID: "CHANGE_ME"
+    clientSecret: "CHANGE_ME"
+    cookieSecret: "CHANGE_ME"
+    configFile: |-
+      # General proxy settings.
+      reverse_proxy = true
+      real_client_ip_header = "X-Forwarded-For"
+      pass_authorization_header = true
+
+      # Display settings.
+      custom_sign_in_logo = "https://upload.wikimedia.org/wikipedia/commons/thumb/6/67/Kubernetes_logo.svg/798px-Kubernetes_logo.svg.png"
+
+      # Cookie settings.
+      cookie_domains = [ ".november.nicklasfrahm.dev" ]
+      cookie_samesite = "lax"
+      cookie_expire	= "3h"
+      cookie_csrf_per_request = true
+      cookie_name = "__secure_oauth2_proxy"
+      cookie_secure = true
+      cookie_refresh = "1h"
+
+      # OIDC settings.
+      insecure_oidc_skip_issuer_verification = false
+      insecure_oidc_skip_nonce = false
+      oidc_issuer_url = "https://accounts.google.com"
+      code_challenge_method = "S256"
+
+      # Authorization settings.
+      email_domains = [ "*" ]
+
+      # Logging settings.
+      silence_ping_logging = true
+      logging_local_time = false
+
+      # Backend configuration.
+      upstreams = [
+        "http://{{ .Release.Name }}-kubernetes-dashboard-web.{{ .Release.Namespace }}.svc:8000/",
+        "http://{{ .Release.Name }}-kubernetes-dashboard-api.{{ .Release.Namespace }}.svc:9000/api/",
+      ]
+      api_routes = [
+        "^/api/",
+      ]

charts/ingress/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: traefik
+  repository: https://traefik.github.io/charts
+  version: 24.0.0
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.13.1
+digest: sha256:1ae6bd4fecdf5e9a83697966fe42bedcdd724d21560eecf0258ebc98f585eda9
+generated: "2023-10-06T23:56:30.445174616+02:00"

charts/ingress/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: ingress
+description: This helm chart implements an ingress controller for a Kubernetes cluster.
+version: 0.1.0
+dependencies:
+  - name: traefik
+    version: 24.0.0
+    repository: https://traefik.github.io/charts
+    condition: traefik.enabled
+  - name: cert-manager
+    version: 1.13.1
+    repository: https://charts.jetstack.io
+    condition: cert-manager.enabled

charts/ingress/templates/clusterissuer-letsencrypt.yaml

@@ -0,0 +1,16 @@
+{{ if .Capabilities.APIVersions.Has "cert-manager.io/v1" -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    preferredChain: ISRG Root X1
+    privateKeySecretRef:
+      name: letsencrypt-production-clusterissuer-key
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
+{{- end }}

charts/ingress/values.yaml

@@ -0,0 +1,49 @@
+traefik:
+  enabled: true
+
+  ingressClass:
+    enabled: yes
+    isDefaultClass: yes
+    name: traefik
+
+  service:
+    enabled: yes
+    type: LoadBalancer
+    single: false
+
+  resources:
+    requests:
+      cpu: 250m
+      memory: 256Mi
+    limits:
+      cpu: 250m
+      memory: 256Mi
+
+  ports:
+    traefik:
+      port: 9000
+      expose: no
+      exposedPort: 9000
+      protocol: TCP
+    web:
+      port: 8080
+      expose: yes
+      exposedPort: 80
+      protocol: TCP
+      redirectTo: websecure
+    websecure:
+      port: 8443
+      expose: yes
+      exposedPort: 443
+      protocol: TCP
+      tls:
+        enabled: yes
+
+  providers:
+    kubernetesIngress:
+      publishedService:
+        enabled: true
+
+cert-manager:
+  enabled: true
+  installCRDs: true

charts/registry/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: harbor
+  repository: https://helm.goharbor.io
+  version: 1.13.0
+digest: sha256:1354e483e0170920311d7332cf8e06a5c7b870ff93ac66b81b9f2f34d636e119
+generated: "2023-10-09T23:05:16.939333813+02:00"

charts/registry/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: registry
+description: This helm chart implements a container registry.
+version: 0.1.0
+dependencies:
+  - name: harbor
+    version: 1.13.0
+    repository: https://helm.goharbor.io
+    condition: harbor.enabled

charts/registry/values.yaml

@@ -0,0 +1,16 @@
+harbor:
+  enabled: true
+  expose:
+    tls:
+      certSource: secret
+      secret:
+        secretName: dev-nicklasfrahm-november-registry-tls
+    ingress:
+      hosts:
+        core: registry.november.nicklasfrahm.dev
+      className: traefik
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-production
+  externalURL: https://registry.november.nicklasfrahm.dev
+  harborAdminPassword: "CHANGE_ME"
+  secretKey: "CHANGE_ME"

deploy/k3se/november.yaml

@@ -21,6 +21,10 @@ cluster:
       - 10.255.0.0/16
     cluster-dns:
       - 10.255.0.10
+    kube-apiserver-arg:
+    - oidc-username-claim=email
+    - oidc-issuer-url=https://accounts.google.com
+    - oidc-client-id=454914783251-5vktqqa8kcdfkpceh0ll0ede864cu845.apps.googleusercontent.com
 
 # A list of all nodes in the cluster and their connection information.
 nodes: