build: Rebase pinniped to bitnami helm chart

2023-08-22 12:02:13 +02:00
parent b17501ee1d
commit 1a1440f751
15 changed files with 216 additions and 80 deletions
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -33,6 +33,10 @@ platform:
  helm_repositories:
    - name: argo
      url: https://argoproj.github.io/argo-helm
+    - name: bitnami
+      url: https://charts.bitnami.com/bitnami
+    - name: dexidp
+      url: https://charts.dexidp.io
    - name: gitea-charts
      url: https://dl.gitea.io/charts/
    - name: harbor
@ -93,6 +97,38 @@ components:
      node_template:
        url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova

+  dex:
+    helm:
+      version: 0.15.3  # (= Dex 2.37.0)
+      chart: dexidp/dex
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        config:
+          issuer: https://idps.{{ vapp['metacluster.fqdn'] }}
+          storage:
+            type: kubernetes
+            config:
+              inCluster: true
+          staticClients:
+          - id: pinniped-supervisor
+            secret: pinniped-supervisor-secret
+            name: Pinniped Supervisor client
+            redirectURIs:
+            - https://auth.{{ vapp['metacluster.fqdn'] }}/callback
+          enablePasswordDB: true
+          staticPasswords:
+          - email: admin@{{ vapp['metacluster.fqdn'] }}
+            hash: {{ vapp['metacluster.password'] | password_hash('bcrypt') }}
+            username: admin
+            userID: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}
+        ingress:
+          enabled: true
+          hosts:
+            - host: idps.{{ vapp['metacluster.fqdn'] }}
+              paths:
+                - path: /
+                  pathType: Prefix
+
  gitea:
    helm:
      version: v7.0.2 # (= Gitea v1.18.3)
@ -198,8 +234,17 @@ components:
          defaultClassReplicaCount: 1

  pinniped:
-    # Must match the version referenced at `dependencies.static_binaries[.filename==pinniped].url`
-    version: v0.25.0
+    helm:
+      version: 1.2.11  # (= Pinniped v0.25.0)
+      chart: bitnami/pinniped
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        concierge:
+          enabled: false
+        supervisor:
+          service:
+            public:
+              type: ClusterIP

  step-certificates:
    helm:
--- a/ansible/vars/workloadcluster.yml
+++ b/ansible/vars/workloadcluster.yml
@ -1,6 +1,8 @@
 downstream:

  helm_repositories:
+    - name: bitnami
+      url: https://charts.bitnami.com/bitnami
    - name: longhorn
      url: https://charts.longhorn.io
    - name: sealed-secrets
@ -18,6 +20,15 @@ downstream:
          createDefaultDiskLabeledNodes: true
          defaultDataPath: /mnt/blockstorage

+  pinniped:
+    helm:
+      version: 1.2.11  # (= Pinniped v0.25.0)
+      chart: bitnami/pinniped
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        supervisor:
+          enabled: false
+
    sealed-secrets:
      version: 2.8.1  # (= Sealed Secrets v0.20.2)
      chart: sealed-secrets/sealed-secrets