Add openshft-console

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
This commit is contained in:
Andrei Kvapil
2024-12-16 15:35:55 +01:00
parent e44bece114
commit fe70003c5e
27 changed files with 1177 additions and 0 deletions


@@ -233,6 +233,12 @@ releases:
dependsOn: []
{{- end }}
- name: console
releaseName: console
chart: cozy-console
namespace: cozy-console
dependsOn: [cilium,kubeovn]
- name: kamaji
releaseName: kamaji
chart: cozy-kamaji
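Review bot: The added `dependsOn: [cilium,kubeovn]` entry writes its flow sequence without a space after the comma; YAML accepts it, but yamllint's default `commas` rule flags it and the sibling hunk in the second file (its `dependsOn: [cilium,kubeovn]` line) has the same form. Suggested spelling for both: `dependsOn: [cilium, kubeovn]`. The hunk header announces six added lines while only five are visible here, so the console release entry presumably continues outside what is shown; the enclosing `releases:` list starts and ends outside the hunk.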


@@ -163,6 +163,12 @@ releases:
dependsOn: []
{{- end }}
- name: console
releaseName: console
chart: cozy-console
namespace: cozy-console
dependsOn: [cilium,kubeovn]
{{- if $oidcEnabled }}
- name: keycloak
releaseName: keycloak


@@ -0,0 +1,3 @@
apiVersion: v2
name: cozy-console
version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process


@@ -0,0 +1,5 @@
export NAME=console
export NAMESPACE=cozy-$(NAME)
include ../../../scripts/common-envs.mk
include ../../../scripts/package.mk


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,7 @@
apiVersion: v2
appVersion: 4.20.0
description: OpenShift Cluster Console UI
icon: https://avatars0.githubusercontent.com/u/792337?s=200&v=4
name: openshift-console
type: application
version: 0.3.6


@@ -0,0 +1,75 @@
# OpenShift Console (Bridge)
[Bridge](https://github.com/openshift/console) is the OpenShift console.
## TL;DR
```console
$ helm repo add av1o https://av1o.gitlab.io/charts
$ helm install bridge av1o/openshift-console
```
## Introduction
This chart bootstraps a deployment of the OpenShift Console on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
The OpenShift Console is designed for running on OpenShift, however it works perfectly fine in native Kubernetes. Since the Console is unable to use the default OpenShift OAuth2, this chart is expecting a Dex deployment which is configured to generate OIDC tokens for the Kubernetes API server.
This behaviour can be configured with the `extraEnv` map.
## Prerequisites
- Kubernetes 1.12+
- Helm 3
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install my-release av1o/openshift-console
```
The command deploys the console on the Kubernetes cluster in the default configuration.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
## Parameters
The following table lists the configurable parameters of the OpenShift Console chart and their default values.
| Parameter | Description | Default |
|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|
| `replicaCount` | Number of pods to run | 1 |
| `image.registry` | Docker image registry | `quay.io` |
| `image.repository` | Docker image name | `openshift/origin-console` |
| `image.pullPolicy` | Docker image pull policy | `IfNotPresent` |
| `image.tag` | Docker image tag | `${CHART_VERSION}` |
| `imagePullSecrets` | Specify Image pull secrets | `[]` |
| `podAnnotations` | Map of annotations to add to the pods | See `values.yaml` |
| `podSecurityContext` | Map of security context to add to the pod | See `values.yaml` |
| `securityContext` | Map of security context to add to the container | See `values.yaml` |
| `service.type` | Service type | `ClusterIP` |
| `extraEnv` | Map of environment variables to include in the container | `{}` |
| `console.dex.host` | HTTP(S) address of the Dex instance | `https://dex.example.org` |
| `console.baseUrl` | HTTP(S) address of the Console | `https://console.example.org` |
| `console.impersonateOpenShift` | Install CRDs to trick the Console into showing some OpenShift-exclusive actions which work on Kubernetes. Note: requires `cluster-admin` | `false` |
| `console.oidc.enabled` | Enable OIDC authentication | `true` |
| `console.oidc.issuerUrl` | Issuer of the OIDC server | `https://dex.example.org` |
| `console.oidc.clientId` | OIDC client ID | `kubernetes` |
| `console.oidc.clientSecret` | OIDC client secret | `hunter2` |
| `rbac.enabled` | Install RBAC to trick the Console into behaving closer to how OpenShift does. Required `cluster-admin` and `console.impersonateOpenShift=true` | `false` |
| `ingress.className` | IngressClass resource to use. | |
| `sidecars` | Arbitrary sidecars to include as-is | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
### Version `0.2.X`
Version `0.2.0` and above require the `networking.k8s.io/v1` API for Ingress which is available in Kubernetes 1.19 and above.


@@ -0,0 +1,4 @@
hostAliases:
- ip: "127.0.0.1"
hostnames:
- "kubernetes.default.svc"


@@ -0,0 +1,7 @@
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234


@@ -0,0 +1,21 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "openshift-console.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "openshift-console.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "openshift-console.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "openshift-console.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}


@@ -0,0 +1,75 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openshift-console.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openshift-console.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openshift-console.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openshift-console.labels" -}}
helm.sh/chart: {{ include "openshift-console.chart" . }}
{{ include "openshift-console.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openshift-console.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openshift-console.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openshift-console.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openshift-console.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}


@@ -0,0 +1,21 @@
{{- if .Values.console.impersonateOpenShift }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: apps.apps.openshift.io
spec:
group: apps.openshift.io
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties: {}
scope: Namespaced
names:
plural: apps
singular: app
kind: OpenShift
{{- end }}


@@ -0,0 +1,134 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- include "openshift-console.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openshift-console.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- include "openshift-console.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
serviceAccountName: {{ include "openshift-console.serviceAccountName" . }}
{{- if .Values.podSecurityContext.enabled }}
securityContext:
{{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.volumes }}
{{- range .Values.volumes }}
- name: {{ .name }}
{{ toYaml .config | indent 10 }}
{{- end }}
{{- end }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.args }}
args:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.command }}
command:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
{{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: BRIDGE_KUBECTL_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: secret
name: {{ include "openshift-console.fullname" . }}
- name: BRIDGE_DOCUMENTATION_BASE_URL
value: https://kubernetes.io/docs/
- name: BRIDGE_DEX_API_HOST
value: {{ .Values.console.dex.host }}
- name: BRIDGE_BASE_ADDRESS
value: {{ .Values.console.baseUrl }}
{{- if .Values.console.oidc.enabled }}
- name: BRIDGE_USER_AUTH
value: oidc
- name: BRIDGE_K8S_AUTH
value: oidc
- name: BRIDGE_USER_AUTH_OIDC_ISSUER_URL
value: {{ .Values.console.oidc.issuerUrl }}
- name: BRIDGE_USER_AUTH_OIDC_CLIENT_ID
value: {{ .Values.console.oidc.clientId }}
- name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
value: {{ .Values.console.oidc.clientSecret }}
{{- end }}
{{- range $key, $value := .Values.extraEnv }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
volumeMounts:
{{- if .Values.volumes }}
{{- range .Values.volumes }}
- mountPath: {{ .mountPath }}
name: {{ .name }}
{{- if .subPath }}
subPath: {{ .subPath }}
{{- end }}
{{- end }}
{{- end }}
livenessProbe:
httpGet:
path: /health
port: http
readinessProbe:
httpGet:
path: /health
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
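Review bot: `BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET` is rendered as a plain `value: {{ .Values.console.oidc.clientSecret }}` in the container env, so the OIDC client secret is stored in clear text in the Deployment and Pod objects and is readable by anyone who can `get` those, whereas `BRIDGE_KUBECTL_CLIENT_SECRET` a few entries above already reads its value from the chart's Secret through `secretKeyRef`. The OIDC secret should take the same path: add a key for it to the Secret template and reference it as shown below. Separately, the `value:` lines for `dex.host`, `baseUrl`, `issuerUrl`, `clientId` and the client secret are not passed through `| quote` while the `extraEnv` loop is, so a value containing ` #` or `: `, or one that parses as a number or boolean, renders invalid or non-string YAML; `value: {{ .Values.console.dex.host | quote }}` and friends would close that.
```yaml
        # … unchanged: BRIDGE_KUBECTL_CLIENT_SECRET, documentation, dex and base-address entries …
        {{- if .Values.console.oidc.enabled }}
        - name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ include "openshift-console.fullname" . }}
              key: oidc-client-secret  # proposed key name; add it to templates/secret.yaml
        {{- end }}
        # … unchanged: extraEnv loop, ports, volumeMounts, probes …
```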


@@ -0,0 +1,28 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "openshift-console.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
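Review bot: The HPA template uses `apiVersion: autoscaling/v2beta1` with the `targetAverageUtilization` field, an API version that Kubernetes stopped serving in 1.26, so enabling `autoscaling.enabled` on a current cluster makes the release fail to apply. The stable `autoscaling/v2` API expresses the same metric as `target: {type: Utilization, averageUtilization: …}`; both the CPU and the memory entries need the same rewrite.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    # … memory entry: same shape with name: memory and targetMemoryUtilizationPercentage …
```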


@@ -0,0 +1,41 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "openshift-console.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- omit . "kubernetes.io/ingress.class" | toYaml | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.className | default (get .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
pathType: ImplementationSpecific
backend:
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,31 @@
{{- if and .Values.console.impersonateOpenShift .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "openshift-console.fullname" . }}-dashboards
namespace: openshift-config-managed
rules:
- verbs:
- get
- list
- watch
apiGroups:
- ""
resources:
- configmaps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "openshift-console.fullname" . }}-dashboards
# unfortunately this is hardcoded (https://github.com/openshift/console/blob/master/cmd/bridge/main.go#L576)
namespace: openshift-config-managed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "openshift-console.fullname" . }}-dashboards
subjects:
- kind: ServiceAccount
name: {{ include "openshift-console.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,15 @@
{{ if .Values.consolesecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- include "openshift-console.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
data:
secret: {{ .Values.consolesecret | b64enc | quote }}
{{- end }}
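Review bot: The whole Secret is wrapped in `{{ if .Values.consolesecret }}`, but the Deployment template in this commit references it unconditionally (`BRIDGE_KUBECTL_CLIENT_SECRET` via `secretKeyRef` with key `secret`), so an install with `consolesecret` empty renders a pod that never starts because its env source is missing. Either render the Secret always and make the value mandatory, `secret: {{ required "consolesecret must be set" .Values.consolesecret | b64enc | quote }}`, or mark the reference `optional: true` in the Deployment; the former fails loudly at render time, which is preferable for a credential. As a style point, the opening tag is `{{ if` rather than the `{{- if` used by every other template here, which emits a leading blank line in the rendered manifest.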


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openshift-console.fullname" . }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "openshift-console.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openshift-console.serviceAccountName" . }}
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "openshift-console.fullname" . }}-test-connection"
labels:
{{- include "openshift-console.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "openshift-console.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never


@@ -0,0 +1,130 @@
# Default values for openshift-console.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
registry: quay.io
repository: openshift/origin-console
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: 4.20.0
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
annotations: {}
labels: {}
podLabels: {}
podAnnotations: {}
podSecurityContext:
enabled: true
runAsUser: 1001
securityContext:
enabled: true
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1001
service:
type: ClusterIP
port: 9000
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
extraEnv:
BRIDGE_K8S_AUTH_BEARER_TOKEN: 'CENSORED'
BRIDGE_GRAFANA_PUBLIC_URL: https://grafana.something.com
BRIDGE_KUBECTL_CLIENT_ID: console
BRIDGE_K8S_MODE: off-cluster
BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER: https://alertmanager.something.com
BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS: "true"
BRIDGE_K8S_MODE_OFF_CLUSTER_THANOS: https://prometheus.something.com
BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT: https://kube-oidc-proxy:443
volumes: []
# - name: my-volume
# mountPath: /foo/bar
# config:
# emptyDir: {}
console:
dex:
host: https://dex.something.com
baseUrl: https://console.something.com
impersonateOpenShift: false
oidc:
enabled: true
issuerUrl: https://dex.something.com
clientId: console
clientSecret: 'xxxxxx'
rbac:
enabled: false
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
sidecars: []
serviceAccount:
create: false
automountServiceAccountToken: true
annotations: {}
name: ""
hostAliases: []
# - ip: "127.0.0.1"
# hostnames:
# - "kubernetes.default.svc"
consolesecret: 'XXXXXXXXX'
#cookie-encryption-key-file: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#cookie-authentication-key-file: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
args:
- --public-dir=/opt/bridge/static
- -v
- "7"
command:
- /opt/bridge/bin/bridge
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 200m
memory: 256Mi
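Review bot: Placeholder credentials are shipped as live defaults — `consolesecret: 'XXXXXXXXX'`, `console.oidc.clientSecret: 'xxxxxx'` and `extraEnv.BRIDGE_K8S_AUTH_BEARER_TOKEN: 'CENSORED'` — so an install that forgets to override them gets a console whose kubectl client secret is literally `XXXXXXXXX`, with nothing failing. Defaults for credentials should be empty (`consolesecret: ""`) and the templates should reject the empty value with `required`, so a missing override is a render error rather than a weak secret. `BRIDGE_K8S_MODE_OFF_CLUSTER_SKIP_VERIFY_TLS: "true"` likewise turns TLS verification off out of the box; the safe default is `"false"` with a comment explaining when to flip it. Finally, `pullPolicy: Always` here disagrees with the README's parameter table, which documents `IfNotPresent`; one of the two should change.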


@@ -0,0 +1,168 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.openshift.io: https://github.com/openshift/api/pull/598
api.openshift.io/merged-by-featuregates: "true"
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
name: helmchartrepositories.helm.openshift.io
spec:
group: helm.openshift.io
names:
kind: HelmChartRepository
listKind: HelmChartRepositoryList
plural: helmchartrepositories
singular: helmchartrepository
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: |-
HelmChartRepository holds cluster-wide configuration for proxied Helm chart repository
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: spec holds user settable values for configuration
properties:
connectionConfig:
description: Required configuration for connecting to the chart repo
properties:
ca:
description: |-
ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
It is used as a trust anchor to validate the TLS certificate presented by the remote server.
The key "ca-bundle.crt" is used to locate the data.
If empty, the default system roots are used.
The namespace for this config map is openshift-config.
properties:
name:
description: name is the metadata.name of the referenced config
map
type: string
required:
- name
type: object
tlsClientConfig:
description: |-
tlsClientConfig is an optional reference to a secret by name that contains the
PEM-encoded TLS client certificate and private key to present when connecting to the server.
The key "tls.crt" is used to locate the client certificate.
The key "tls.key" is used to locate the private key.
The namespace for this secret is openshift-config.
properties:
name:
description: name is the metadata.name of the referenced secret
type: string
required:
- name
type: object
url:
description: Chart repository URL
maxLength: 2048
pattern: ^https?:\/\/
type: string
type: object
description:
description: Optional human readable repository description, it can
be used by UI for displaying purposes
maxLength: 2048
minLength: 1
type: string
disabled:
description: If set to true, disable the repo usage in the cluster/namespace
type: boolean
name:
description: Optional associated human readable repository name, it
can be used by UI for displaying purposes
maxLength: 100
minLength: 1
type: string
type: object
status:
description: Observed status of the repository within the cluster..
properties:
conditions:
description: conditions is a list of conditions and their statuses
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,182 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.openshift.io: https://github.com/openshift/api/pull/1084
api.openshift.io/merged-by-featuregates: "true"
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
name: projecthelmchartrepositories.helm.openshift.io
spec:
group: helm.openshift.io
names:
kind: ProjectHelmChartRepository
listKind: ProjectHelmChartRepositoryList
plural: projecthelmchartrepositories
singular: projecthelmchartrepository
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: |-
ProjectHelmChartRepository holds namespace-wide configuration for proxied Helm chart repository
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: spec holds user settable values for configuration
properties:
connectionConfig:
description: Required configuration for connecting to the chart repo
properties:
basicAuthConfig:
description: |-
basicAuthConfig is an optional reference to a secret by name that contains
the basic authentication credentials to present when connecting to the server.
The key "username" is used locate the username.
The key "password" is used to locate the password.
The namespace for this secret must be same as the namespace where the project helm chart repository is getting instantiated.
properties:
name:
description: name is the metadata.name of the referenced secret
type: string
required:
- name
type: object
ca:
description: |-
ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
It is used as a trust anchor to validate the TLS certificate presented by the remote server.
The key "ca-bundle.crt" is used to locate the data.
If empty, the default system roots are used.
The namespace for this configmap must be same as the namespace where the project helm chart repository is getting instantiated.
properties:
name:
description: name is the metadata.name of the referenced config
map
type: string
required:
- name
type: object
tlsClientConfig:
description: |-
tlsClientConfig is an optional reference to a secret by name that contains the
PEM-encoded TLS client certificate and private key to present when connecting to the server.
The key "tls.crt" is used to locate the client certificate.
The key "tls.key" is used to locate the private key.
The namespace for this secret must be same as the namespace where the project helm chart repository is getting instantiated.
properties:
name:
description: name is the metadata.name of the referenced secret
type: string
required:
- name
type: object
url:
description: Chart repository URL
maxLength: 2048
pattern: ^https?:\/\/
type: string
type: object
description:
description: Optional human readable repository description, it can
be used by UI for displaying purposes
maxLength: 2048
minLength: 1
type: string
disabled:
description: If set to true, disable the repo usage in the namespace
type: boolean
name:
description: Optional associated human readable repository name, it
can be used by UI for displaying purposes
maxLength: 100
minLength: 1
type: string
type: object
status:
description: Observed status of the repository within the namespace..
properties:
conditions:
description: conditions is a list of conditions and their statuses
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}


@@ -0,0 +1,8 @@
apiVersion: helm.openshift.io/v1beta1
kind: HelmChartRepository
metadata:
name: cozystack
spec:
name: cozystack
connectionConfig:
url: http://cozystack.cozy-system.svc/repos/apps


@@ -0,0 +1,88 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubevirt-plugin
spec:
replicas: 1
selector:
matchLabels:
app: kubevirt-plugin
template:
metadata:
labels:
app: kubevirt-plugin
spec:
containers:
- name: kubevirt-plugin
image: quay.io/kubevirt-ui/kubevirt-plugin:v4.17.0
ports:
- containerPort: 9443
protocol: TCP
imagePullPolicy: Always
volumeMounts:
#- name: plugin-serving-cert
# readOnly: true
# mountPath: /var/serving-cert
- name: nginx-conf
readOnly: true
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
volumes:
#- name: plugin-serving-cert
# secret:
# secretName: plugin-serving-cert
# defaultMode: 420
- name: nginx-conf
configMap:
name: nginx-conf
defaultMode: 420
restartPolicy: Always
dnsPolicy: ClusterFirst
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
data:
nginx.conf: |
error_log /dev/stdout info;
events {}
http {
access_log /dev/stdout;
include /etc/nginx/mime.types;
default_type application/octet-stream;
keepalive_timeout 65;
server {
listen 9443;
root /usr/share/nginx/html;
}
#server {
# listen 9443 ssl;
# ssl_certificate /var/serving-cert/tls.crt;
# ssl_certificate_key /var/serving-cert/tls.key;
# root /usr/share/nginx/html;
#}
}
---
apiVersion: v1
kind: Service
metadata:
#annotations:
# service.alpha.openshift.io/serving-cert-secret-name: plugin-serving-cert
name: kubevirt-plugin
spec:
ports:
- name: 9443-tcp
protocol: TCP
port: 9443
targetPort: 9443
selector:
app: kubevirt-plugin
type: ClusterIP
sessionAffinity: None
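Review bot: The `kubevirt-plugin` container has neither a `securityContext` nor `resources`, while the console Deployment added in the same commit drops all capabilities, runs as non-root with a read-only root filesystem and sets limits; the two workloads in one package should be hardened to the same baseline. nginx here listens on 9443, an unprivileged port, so running non-root should be feasible, though whether the image's default user is non-root cannot be confirmed from this page and needs checking before `runAsNonRoot: true` is committed. The TLS server block in `nginx.conf` and the serving-cert volume are commented out, so the plugin is served over plain HTTP inside the cluster; if that is intentional, a one-line comment at the top of the ConfigMap saying so (and that the console proxies it) would save the next reader from re-deriving it.
```yaml
      containers:
      - name: kubevirt-plugin
        # … unchanged: image, ports, imagePullPolicy, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true  # confirm nginx's writable paths (cache, pid) are on a volume first
          runAsNonRoot: true            # confirm the image user before enabling
          capabilities:
            drop:
              - ALL
        resources:
          limits:
            cpu: 200m      # constructed starting point; tune from observed usage
            memory: 128Mi
          requests:
            cpu: 50m
            memory: 64Mi
```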


@@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: openshift-console
stringData:
cookie_auth_key: rpb7aos4rd0m32x9omcrcqacnia0xty2
cookie_enc_key: gg1ejofgupoc19wyuywr2yflm75aeiwg
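Review bot: `cookie_auth_key` and `cookie_enc_key` are static literals committed in the chart, so every cluster installed from this repository shares the same session-cookie signing and encryption keys, and anyone with read access to the repository holds them; the values on this page should be treated as already disclosed and replaced. The values file in this commit points `BRIDGE_COOKIE_AUTHENTICATION_KEY_FILE` and `BRIDGE_COOKIE_ENCRYPTION_KEY_FILE` at this Secret, so the fix is to generate the keys per install rather than to drop the Secret: Helm's `randAlphaNum` guarded by `lookup` keeps them stable across upgrades (rotating them logs every user out), or they can come from an external secret store. The length below matches the committed values; whether bridge requires a particular length is not stated on the page and should be checked against the console's documentation.
```yaml
{{- $existing := lookup "v1" "Secret" .Release.Namespace "openshift-console" }}
apiVersion: v1
kind: Secret
metadata:
  name: openshift-console
stringData:
  cookie_auth_key: {{ if $existing }}{{ index $existing.data "cookie_auth_key" | b64dec | quote }}{{ else }}{{ randAlphaNum 32 | quote }}{{ end }}
  cookie_enc_key: {{ if $existing }}{{ index $existing.data "cookie_enc_key" | b64dec | quote }}{{ else }}{{ randAlphaNum 32 | quote }}{{ end }}
```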


@@ -0,0 +1,50 @@
openshift-console:
fullnameOverride: console
console:
baseUrl: https://console.infra.aenix.org
oidc:
enabled: true
issuerUrl: https://keycloak.infra.aenix.org/realms/cozy
clientId: console-test
clientSecret: Sgq1yrmmEwPKy9YxGmg37b1EgsLu3P9g
extraEnv:
BRIDGE_K8S_AUTH_BEARER_TOKEN: null
BRIDGE_GRAFANA_PUBLIC_URL: https://grafana.infra.aenix.org
BRIDGE_KUBECTL_CLIENT_ID: console
BRIDGE_K8S_MODE: in-cluster
BRIDGE_COOKIE_AUTHENTICATION_KEY_FILE: /etc/openshift-console-secrets/cookie_auth_key
BRIDGE_COOKIE_ENCRYPTION_KEY_FILE: /etc/openshift-console-secrets/cookie_enc_key
BRIDGE_PLUGINS: kubevirt-plugin=http://kubevirt-plugin.cozy-console.svc:9443/
BRIDGE_ALERMANAGER_PUBLIC_URL: http://vmalertmanager-alertmanager.tenant-root.svc:9093
BRIDGE_THANOS_PUBLIC_URL: http://vmselect-shortterm.tenant-root.svc:8481/select/0/prometheus
BRIDGE_SKIP_VERIFY_TLS: true
volumes:
- name: cookie-secrets
mountPath: /etc/openshift-console-secrets
config:
secret:
secretName: openshift-console
- name: tmp
mountPath: /tmp
config:
emptyDir: {}
ingress:
enabled: true
annotations:
acme.cert-manager.io/http01-ingress-class: tenant-root
cert-manager.io/cluster-issuer: letsencrypt-prod
className: 'tenant-root'
hosts:
- host: console.infra.aenix.org
paths: ["/"]
tls:
- secretName: console-tls
hosts:
- console.infra.aenix.org
resources:
limits:
cpu: 500m
memory: 2048Mi
requests:
cpu: 200m
memory: 512Mi
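Review bot: `console.oidc.clientSecret` is a real-looking Keycloak client secret for the `console-test` client committed in plaintext, so it now lives in git history regardless of what happens to this file and should be rotated in Keycloak; the values file should keep an empty placeholder and the credential should reach the pod from a Secret via `secretKeyRef` (the chart's Deployment template currently inlines it as a plain env `value:`, which is the other half of this problem). `BRIDGE_SKIP_VERIFY_TLS: true` disables certificate verification for the console's backend connections; the alertmanager and thanos URLs it is given are plain `http://` service addresses, so the flag looks unnecessary here — if it is needed for some other endpoint, a comment should name which one. The `*.infra.aenix.org` hostnames and the `tenant-root` ingress class are environment-specific, yet the releases files in this commit enable the `console` chart unconditionally, so presumably every cluster built from this repo would render these values; that inference needs confirming, and if it holds the hosts belong in per-cluster overrides. Lastly, `clientId: console-test` versus `BRIDGE_KUBECTL_CLIENT_ID: console` use two different client IDs; if that is deliberate, a comment explaining the split would help.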