Deploy/step1

charts/loki-stack/Chart.lock

 dependencies:
 - name: loki
   repository: https://grafana.github.io/helm-charts
-  version: 2.8.3
+  version: 2.8.4
 - name: promtail
   repository: https://grafana.github.io/helm-charts
   version: 2.2.0
-digest: sha256:a8eb9406745de861630e6991921a99581d3db7d910a95342c275388221b8fc17
-generated: "2021-12-17T21:11:55.486796+01:00"
+digest: sha256:8068457c894a1e43cb062a61e9771b098166d2037a794aaaf0f609e2da06de98
+generated: "2021-12-30T01:13:12.81986+01:00"

charts/oauth2-proxy/Chart.lock

-dependencies:
-- name: oauth2-proxy
-  repository: https://charts.bitnami.com/bitnami
-  version: 1.1.2
-digest: sha256:2c96b2e37e712be0c2c964fb667f61e0a33f2a15664a377c2b2e0f89b1540edd
-generated: "2021-12-08T10:17:01.676532+01:00"

charts/oauth2-proxy/Chart.yaml

-apiVersion: v2
-name: addon-oauth2-proxy
-version: 1.1.2
-dependencies:
-  - name: oauth2-proxy
-    version: 1.1.2
-    repository: https://charts.bitnami.com/bitnami

charts/oauth2-proxy/values.secret.yaml

-oauth2-proxy:
-    configuration:
-        clientID: ENC[AES256_GCM,data:V/GKBY42x5RJrQTovKqq,iv:85HW57KWaD7/i1oguIwjTQGgVdA1wdPKmHGbFzJcsBA=,tag:Cdk3wwar/VNdIXFCeqvp9Q==,type:str]
-        clientSecret: ENC[AES256_GCM,data:bQIPtxQA0q35dvPWE+aEyA6Yv6bij2BRArgEVptOVkeCZyhzM9dsF7OxoPVJCn3grRurIfugsMHsqYWN/1NBTM/XjEvgXkLyxZKfOO+B/J9jBF861PnY49m1cQX1VZ8WeUOQKOxKjrYCizwSQ+8IQ/qWFbqPZt9Mo4iwYVSYC57bK59My9fBKIAmWKc2Mk8vu2kafV3inaa//vlJlEyWjtTHfwOp9q3kMqGOrQ==,iv:D2kUEXYYnqzt2wR1OKj19UcFiUy6HwGDzVYH7F7PA2w=,tag:8PENfL/9u+utPQ0gwNqDWg==,type:str]
-        cookieSecret: ENC[AES256_GCM,data:/zLEYmNbWsMxn+MubU9eDOiYQFx3pkfl6PLy+DGbH0BZd3AUcNWqV5qhblI=,iv:4xeh5UiLjyd6n+6hdPsLep9tGS5WT7zGhdP4RThd1VQ=,tag:eHn5TPcM+PbrGSKC4CSbqw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1r9chn8pl3d4msxktw457x3xz2l8p04pwuyd7pkgldkmkakras5ks7tfsyq
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZUWJVVUNXOWdlWUwvZlV6
-            NFBESVNBL0FLL3VRaFAxQStaMkw4amFSN1M0CjNvazJIR2tvL0dTanlqcmpBYVB3
-            SjNmQm5BWWxPRFRvYnBOWVAyWTkyR2cKLS0tIDNYdkZEK2N3dHA1YnM2OEVjcU1x
-            Y1kremZ2M1FMT1hObHNLN0xsRFpBOXcKZEIFbWqcqY4LUQfw53OKclt70M2g1EPX
-            wuzdnIEIitqURqbyzUwRTXSNPdVPmv9ZL0LNj60ps0/VzVyQ7QJJpg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1a7y6qdywcn0krtqmrqn9qc5hhg2lz2qd0ag2u0cwr3r3jmcce5jqwxajps
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhNENETkV2OW1vMEVNWk9x
-            TlBscjZPSzdEbEU4VjRiT3pNQ1dKc0o0KzBjCkNtNDZuZ21xNUFTcUlhSUZCNVlr
-            VnBCL20vMGxTMnUvVkZQcXprZ1AzUG8KLS0tIFdOdHJjWlljQlIrL2I3bGR6QVdm
-            L2FrUFp1anN0aVI5dVlxZHFqT0MzWUkKiq9Fhfo0ySt/XUKIM0B6o7gZSzaJrzNz
-            5INTJUDGdUtG4+aAZ/dAHwk4MXb92KpzuitOhb5lHI+wGigDmWQWWg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1wvtkhug4q7fcs7wz03kpn77ruqkkwp2xqq30npv4287wtf3w8ukq370vre
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZ1k4V2lyTmMvZWdvMFUx
-            b2I5Z2lSUGl4djF5ejdDZ2VZQ3cxVmdKeFRVCksyMEpMMGpEeFdKcEg5Rm05TktM
-            WEZSSi9nV0szeThRR3BTWjhqbHZuakUKLS0tIHdNaUl6L0J6eUFSU2pMOW5XVUg3
-            cTV3TTUwTFB1U09pUGpXQlpWMFBxLzQKeSABUEYRzq6ehPzznSCy/P70+MsWla8T
-            hM/QFLx4IvNZEE0o7az9+MoteU12SdxaeB3CBQpccVq4hNDfhJ5eKg==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yw9ea3vtvf5cy8v0z7v8s59xel5fckcer5pp7n2nkjrm9xpf4alq8e89g5
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MDRzbFdiN3oyTzNUZ0hG
-            QjN3bmNPSklxOEFGRDlGdjFEU0lFbGVHN1RNCnVMOGxJSFBPOHR5dG00NnUwRVR3
-            cWlSTGZuYm0yVXU3bnlMbHZybEpJN0EKLS0tIFAyNVhRT3JvcGZYNm44UlBqUlpR
-            Q0NEVmt4RVNuTzBHWnBlQXJWeDQxY2cKdmF0NFPLcsJ3RmZcHA7OxI50zOWgtNvu
-            sIMFpIO6WSvuVZV7pR9DDqCU2ogWgURhGkFacdfCqt9oKQLT+hIVyA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2021-12-23T23:30:26Z"
-    mac: ENC[AES256_GCM,data:9Tu6wyTbBMkYso8bRqCM/4FB9ExtkysusHM/MJf0P0YQHXPk5PtzrL2clqRVyPlEQITLFuRHQgRejO0HlSQb0JXV2PfAGllIK/r6TqHcRS5X19nU0P6xaCcOH/i8FGtL5H3mZSx7OTLkFsWCaP9+Cvo/Y/tPtJQOemVcGysWJCg=,iv:MDg4Bx/VCd3iu1YCXlKXIjRGjF7+e3VboI0j1FtKQhw=,tag:IkKrIp0WPkvFKLrcBttlKQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.7.1

charts/oauth2-proxy/values.yaml

-oauth2-proxy:
-  configuration:
-    existingSecret:
-  ingress:
-    enabled: true
-    tls: true
-    hostname: auth.exneuland.rc3.world
-    annotations:
-      "cert-manager.io/cluster-issuer": "letsencrypt-prod"
-  extraArgs:
-    - --provider=oidc
-    - --provider-display-name="CCCV SSO"
-    - --oidc-issuer-url=https://sso.cccv.de
-    - --alpha-config=/bitnami/oauth2-proxy/conf/alfa-config.yaml
-    - --cookie-domain=exneuland.rc3.world
-    - --whitelist-domain=.exneuland.rc3.world
-  redis:
-    auth:
-      enabled: false

kubeval.sh

 #!/usr/bin/env bash
 
 # Kubeval every application in the overlays
-for stage in ./overlays/*/ ;
+for stage in ./kustomize/overlays/*/ ;
 do
     for app in $stage*/ ;
     do
         echo "[kubeval] Testing $app"
 
-        if [ -f $app/secret-generator.yaml ] ;
-        then
-            echo "[kubeval|debug] make secret-generator.yaml empty"
-            echo "" > ${app}secret-generator.yaml
-        fi
+        kustomize build --enable-alpha-plugins --enable-helm ${app} | kubeval --ignore-missing-schemas --strict --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/
 
-        kustomize build --enable-alpha-plugins --enable-helm ${app} | kubeval --ignore-missing-schemas --strict
+        echo ""
     done
 done
+
+# Kubeval every helm chart
+for chart in ./charts/*/ ;
+do
+    echo "[kubeval] Testing $chart"
+    cd $chart
+    helm dependency update  > /dev/null 2>&1
+    helm dependency build > /dev/null 2>&1 
+    helm template . --values values.yaml 2>/dev/null | kubeval --ignore-missing-schemas --strict --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/
+    cd -
+
+    echo ""
+done
\ No newline at end of file

kustomize/bases/exneuland/ingress.yaml

@@ -18,14 +18,14 @@ spec:
     - host: exneuland.rc3.world
       http:
         paths:
-      - backend:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
               service:
                 name: exneuland
                 port:
                   number: 80
-        path: /
-        pathType: ImplementationSpecific
   tls:
-  - hosts:
+    - secretName: exneuland-tls
+      hosts:
         - exneuland.rc3.world
-    secretName: exneuland-tls

kustomize/bases/exneuland/rbac.yaml

@@ -6,6 +6,7 @@ rules:
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list", "watch"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

kustomize/bases/exneuland/service.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     app: exneuland
 spec:
+  type: ClusterIP
   selector:
     app: exneuland
   ports:
@@ -12,4 +13,3 @@ spec:
       protocol: TCP
       port: 80
       targetPort: 4000
-  type: ClusterIP

kustomize/bases/oauth2-proxy/helm-values.yaml

-ingress:
-  enabled: true
-  tls: true
-  hostname: auth.exneuland.rc3.world
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    kubernetes.io/ingress.class: "nginx"
-extraArgs:
-#  - --provider=oidc
-#  - --provider-display-name="CCCV SSO"
-#  - --oidc-issuer-url=https://sso.cccv.de
-  - --alpha-config=/bitnami/oauth2-proxy/conf/alpha-config.yaml
-#  - --cookie-domain=exneuland.rc3.world
-#  - --whitelist-domain=.exneuland.rc3.world
-redis:
-  auth:
-    enabled: false

kustomize/bases/oauth2-proxy/kustomization.yaml

-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: oauth2-proxy
-helmChartInflationGenerator:
-  - chartName: oauth2-proxy
-    chartRepoUrl: https://charts.bitnami.com/bitnami
-    chartVersion: 1.1.2
-    releaseName: oauth2-proxy
-    values: helm-values.yaml

kustomize/overlays/dev/exneuland/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
 bases:
   - ../../../bases/exneuland/
+
+generators:
+  - secret-generator.yaml
+
 patches:
   - target:
       kind: Ingress
@@ -26,6 +31,3 @@ patches:
 
 patchesStrategicMerge:
   - deployment.yaml
-
-generators:
-  - generator.yaml

kustomize/overlays/prod/exneuland/deployment.yaml

@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
   name: exneuland
 spec:
-  replicas: 50
+  replicas: 10
   template:
     spec:
       containers:

kustomize/overlays/prod/exneuland/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
 bases:
   - ../../../bases/exneuland/
+
+generators:
+  - secret-generator.yaml
+
 patches:
   - target:
       kind: Ingress
@@ -26,6 +31,9 @@ patches:
 
 patchesStrategicMerge:
   - deployment.yaml
-
-generators:
-  - generator.yaml
+  - |-
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: exneuland
+    $patch: delete

kustomize/overlays/prod/oauth2-proxy/alpha-config.yaml

-#providers:
-#  - oidcConfig:
-#    issuerURL: https://sso.cccv.de
-#    skipDiscovery: true
-
-
-providers:
-  - clientid: bazquux
-    clientsecret: xyzzyplugh
-    clientsecretfile: ""
-    oidcconfig:
-      issuerurl: https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/
-      insecureallowunverifiedemail: false
-      insecureskipissuerverification: false
-      insecureskipnonce: true
-      skipdiscovery: true
-      jwksurl: ""
-      emailclaim: email
-      groupsclaim: groups
-      useridclaim: email
-    id: providerID
-    type: oidc
-    name: ""
-    loginurl: ""
-    redeemurl: ""
-    profileurl: ""
-    validateurl: ""
\ No newline at end of file

kustomize/overlays/prod/oauth2-proxy/config.cfg

-email_domains = [ "*" ]
-upstreams = [ "file:///dev/null" ]
\ No newline at end of file