apps/board: add openproject

2025-05-19 10:16:10 +02:00 · 2025-05-19 10:16:10 +02:00 · 48cc3785b8
commit 48cc3785b8
parent 56bdd6520b
14 changed files with 279 additions and 1 deletions
--- a/apps/board-kustomization.yaml
+++ b/apps/board-kustomization.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-board
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/board
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
--- a/apps/board/kustomization.yaml
+++ b/apps/board/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openproject-kustomization.yaml
+  - openproject-secrets-kustomization.yaml
--- a/apps/board/openproject-kustomization.yaml
+++ b/apps/board/openproject-kustomization.yaml
@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: openproject
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/board/openproject
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: openproject-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-openproject-kustomization-variables
+      - kind: Secret
+        name: stackspin-openproject-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-openproject-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables
--- a/apps/board/openproject-secrets-kustomization.yaml
+++ b/apps/board/openproject-secrets-kustomization.yaml
@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: openproject-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/board/openproject-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
--- a/apps/board/openproject-secrets/openproject-kustomization-variables.yaml
+++ b/apps/board/openproject-secrets/openproject-kustomization-variables.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-openproject-kustomization-variables
+  namespace: flux-system
+data:
+  openproject_domain: board.${domain}
--- a/apps/board/openproject-secrets/openproject-oauth-secret.yaml
+++ b/apps/board/openproject-secrets/openproject-oauth-secret.yaml
@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-openproject-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: openproject
+  fields:
+  - fieldName: client_secret
+    length: "32"
--- a/apps/board/openproject-secrets/openproject-variables.yaml
+++ b/apps/board/openproject-secrets/openproject-variables.yaml
@ -0,0 +1,11 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-openproject-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldName: admin_password
+  - fieldName: postgresql_password
+  - fieldName: postgresql_postgres_password
--- a/apps/board/openproject/openproject-oauth-client.yaml
+++ b/apps/board/openproject/openproject-oauth-client.yaml
@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: openproject-oauth-client
+  # Has to live in the same namespace as the stackspin-openproject-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-openproject-oauth-variables
+  #redirectUris:
+  #  - https://${openproject_domain}/oauth/openid/
+  #tokenEndpointAuthMethod: client_secret_post
--- a/apps/board/openproject/openproject-postgres-pvc.yaml
+++ b/apps/board/openproject/openproject-postgres-pvc.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openproject-postgres
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "openproject"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path
--- a/apps/board/openproject/openproject-pvc.yaml
+++ b/apps/board/openproject/openproject-pvc.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openproject-data
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "openproject"
+spec:
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path
--- a/apps/board/openproject/openproject-release.yaml
+++ b/apps/board/openproject/openproject-release.yaml
@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: openproject
+  namespace: stackspout
+spec:
+  releaseName: openproject
+  chart:
+    spec:
+      chart: openproject
+      version: 9.10.1
+      sourceRef:
+        kind: HelmRepository
+        name: openproject
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-openproject-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-openproject-override
+      optional: true
+    - kind: Secret
+      name: stackspin-openproject-override
+      optional: true
--- a/apps/board/openproject/openproject-values-configmap.yaml
+++ b/apps/board/openproject/openproject-values-configmap.yaml
@ -0,0 +1,86 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-openproject-values
+  namespace: stackspout
+data:
+  values.yaml: |
+    # TODO verify structure matches chart
+    commonLabels:
+      stackspin.net/backupSet: "openproject"
+    podLabels:
+      stackspin.net/backupSet: "openproject"
+    # TODO Configure PVC for data & database including backup labels
+    podAnnotations:
+      backup.velero.io/backup-volumes: "data"
+    persistence:
+      enabled: true
+      accessModes:
+        - "ReadWriteMany"
+      existingClaim: "openproject-data"
+
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/tls-acme: "true"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          more_set_headers "Content-Security-Policy: frame-ancestors 'self' files.";
+      host: "${openproject_domain}"
+      path: /
+      pathType: Prefix
+      tls:
+        enabled: true
+        secretName: openproject-tls
+
+    postgresql:
+      bundled: true
+      commonLabels:
+        stackspin.net/backupSet: "openproject"
+      global:
+        postgresql:
+          auth:
+            database: openproject
+            username: openproject
+            password: "${postgresql_password}"
+            postgresPassword: "${postgresql_admin_password}"
+      primary:
+        persistence:
+          existingClaim: openproject-postgres
+        podAnnotations:
+          backup.velero.io/backup-volumes: "data"
+
+    openproject:
+      admin_user:
+        password: "${admin_password}"
+        password_reset: "false"
+        name: "${org_name} Admin"
+        mail: "${admin_email}"
+
+      ## Define OpenID Connect providers
+      #oidc:
+      #  enabled: false
+      #  provider: "Keycloak"
+      #  displayName: "Keycloak"
+      #  host: ""
+      #  identifier: ""
+      #  secret: ""
+      #  authorizationEndpoint: ""
+      #  tokenEndpoint: ""
+      #  userinfoEndpoint: ""
+      #  endSessionEndpoint: ""
+      #  scope: "[openid]"
+
+    # TODO Adjust openproject Mailing config
+    #    mailer:
+    #      enabled: "${outgoing_mail_enabled}"
+    #      host: "${outgoing_mail_smtp_host}"
+    #      port: "${outgoing_mail_smtp_port}"
+    #      username: "${outgoing_mail_smtp_user}"
+    #      password: "${outgoing_mail_smtp_password}"
+    #      fromemail: "${outgoing_mail_from_address}"
+    # TODO Adjust openproject OpenID Connect Single Sign-On Configuration
+    #    - name: Stackspin
+    #      key: "${client_id}"
+    #      secret: "${client_secret}"
+    #      issuer: "https://${hydra_domain}"
+    #      autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -8,6 +8,7 @@ resources:
  - flow-kustomization.yaml
  - meet-kustomization.yaml
  - status-kustomization.yaml
-  - design-kustomization.yaml
+  - board-kustomization.yaml
+  #- design-kustomization.yaml #
  #- sprint-kustomization.yaml #charts outdated
  #- video-kustomization.yaml #missing storage
--- a/infrastructure/sources/openproject.yaml
+++ b/infrastructure/sources/openproject.yaml
@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: openproject
+  namespace: flux-system
+spec:
+  interval: 60m
+  url: https://charts.openproject.org