diff --git a/apps/board-kustomization.yaml b/apps/board-kustomization.yaml
new file mode 100644
index 0000000..4b95524
--- /dev/null
+++ b/apps/board-kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: add-board
+ namespace: flux-system
+spec:
+ interval: 10m
+ prune: true
+ path: ./apps/board
+ sourceRef:
+ kind: GitRepository
+ name: stackspout
diff --git a/apps/board/kustomization.yaml b/apps/board/kustomization.yaml
new file mode 100644
index 0000000..7c9cfd7
--- /dev/null
+++ b/apps/board/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - openproject-kustomization.yaml
+ - openproject-secrets-kustomization.yaml
diff --git a/apps/board/openproject-kustomization.yaml b/apps/board/openproject-kustomization.yaml
new file mode 100644
index 0000000..0ba25f9
--- /dev/null
+++ b/apps/board/openproject-kustomization.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: openproject
+ namespace: flux-system
+spec:
+ interval: 5m
+ retryInterval: 2m
+ timeout: 10m
+ wait: true
+ prune: true
+ path: ./apps/board/openproject
+ sourceRef:
+ kind: GitRepository
+ name: stackspout
+ dependsOn:
+ - name: flux
+ - name: local-path-provisioner
+ - name: openproject-secrets
+ - name: nginx
+ - name: single-sign-on
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: stackspin-cluster-variables
+ - kind: ConfigMap
+ name: stackspin-openproject-kustomization-variables
+ - kind: Secret
+ name: stackspin-openproject-variables
+ # OIDC
+ - kind: Secret
+ name: stackspin-openproject-oauth-variables
+ - kind: ConfigMap
+ name: stackspin-single-sign-on-kustomization-variables
diff --git a/apps/board/openproject-secrets-kustomization.yaml b/apps/board/openproject-secrets-kustomization.yaml
new file mode 100644
index 0000000..55014a1
--- /dev/null
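Review bot: `substituteFrom` feeds the `stackspin-openproject-variables` and `stackspin-openproject-oauth-variables` Secrets into post-build substitution, but the only consumer of those placeholders in this commit is the plain ConfigMap `stackspin-openproject-values` (openproject-values-configmap.yaml), so the generated admin and database passwords end up stored in a ConfigMap in `stackspout`, readable by anyone with ConfigMap read access there. The HelmRelease hunk already lists a `kind: Secret` entry under `valuesFrom`, so the `password`, `postgresPassword` and `admin_user.password` keys could be moved into a Secret-backed values source and the ConfigMap kept for non-sensitive settings. If this mirrors how the other Stackspout apps are wired, a comment above `substituteFrom` saying so would save the next reviewer the question.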
+++ b/apps/board/openproject-secrets-kustomization.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: openproject-secrets
+ namespace: flux-system
+spec:
+ interval: 5m
+ timeout: 4m
+ wait: true
+ prune: true
+ path: ./apps/board/openproject-secrets
+ sourceRef:
+ kind: GitRepository
+ name: stackspout
+ dependsOn:
+ - name: flux
+ - name: secrets-controller
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: stackspin-cluster-variables
diff --git a/apps/board/openproject-secrets/openproject-kustomization-variables.yaml b/apps/board/openproject-secrets/openproject-kustomization-variables.yaml
new file mode 100644
index 0000000..0137ebe
--- /dev/null
+++ b/apps/board/openproject-secrets/openproject-kustomization-variables.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: stackspin-openproject-kustomization-variables
+ namespace: flux-system
+data:
+ openproject_domain: board.${domain}
diff --git a/apps/board/openproject-secrets/openproject-oauth-secret.yaml b/apps/board/openproject-secrets/openproject-oauth-secret.yaml
new file mode 100644
index 0000000..4e5fffa
--- /dev/null
+++ b/apps/board/openproject-secrets/openproject-oauth-secret.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+ name: stackspin-openproject-oauth-variables
+ namespace: flux-system
+spec:
+ data:
+ client_id: openproject
+ fields:
+ - fieldName: client_secret
+ length: "32"
diff --git a/apps/board/openproject-secrets/openproject-variables.yaml b/apps/board/openproject-secrets/openproject-variables.yaml
new file mode 100644
index 0000000..2480409
--- /dev/null
+++ b/apps/board/openproject-secrets/openproject-variables.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+ name: stackspin-openproject-variables
+ namespace: flux-system
+spec:
+ fields:
+ - fieldName: admin_password
+ - fieldName: postgresql_password
+ - fieldName: postgresql_postgres_password
diff --git a/apps/board/openproject/openproject-oauth-client.yaml b/apps/board/openproject/openproject-oauth-client.yaml
new file mode 100644
index 0000000..34b632c
--- /dev/null
+++ b/apps/board/openproject/openproject-oauth-client.yaml
@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: openproject-oauth-client
+ # Has to live in the same namespace as the stackspin-openproject-oauth-variables secret
+ namespace: flux-system
+spec:
+ # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ - implicit
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles"
+ secretName: stackspin-openproject-oauth-variables
+ #redirectUris:
+ # - https://${openproject_domain}/oauth/openid/
+ #tokenEndpointAuthMethod: client_secret_post
diff --git a/apps/board/openproject/openproject-postgres-pvc.yaml b/apps/board/openproject/openproject-postgres-pvc.yaml
new file mode 100644
index 0000000..18941c8
--- /dev/null
+++ b/apps/board/openproject/openproject-postgres-pvc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: openproject-postgres
+ namespace: stackspout
+ labels:
+ stackspin.net/backupSet: "openproject"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 2Gi
+ storageClassName: local-path
diff --git a/apps/board/openproject/openproject-pvc.yaml b/apps/board/openproject/openproject-pvc.yaml
new file mode 100644
index 0000000..47a6beb
--- /dev/null
+++ b/apps/board/openproject/openproject-pvc.yaml
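Review bot: The field generated here is `postgresql_postgres_password`, but the values ConfigMap hunk (openproject-values-configmap.yaml) references `${postgresql_admin_password}` for `global.postgresql.auth.postgresPassword`, so that placeholder has no source and the generated superuser password is never used; depending on the controller's substitution mode the value is left as a literal or becomes empty. Rename one side so they agree, e.g. `- fieldName: postgresql_admin_password` here. None of the three fields sets `length`, unlike the `client_secret` field in openproject-oauth-secret.yaml, so the password length falls back to the generator's default — presumably fine, but worth pinning explicitly with `length: "32"` so the policy is visible in the repo.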
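Review bot: `grantTypes` enables `implicit` and `client_credentials` and `responseTypes` includes `id_token`, which together permit the implicit flow (tokens returned in the URL fragment) for a client that, judging by the commented `redirectUris` callback, is meant to use the authorization-code flow; the "copied from wekan" TODO suggests this was carried over rather than chosen. Reducing to `grantTypes: [authorization_code, refresh_token]` and `responseTypes: [code]` covers what that callback needs. With `redirectUris` and `tokenEndpointAuthMethod` commented out, the client has no registered redirect URI, so authorization requests cannot complete until that block is enabled; when it is, keep it to the exact callback path rather than a broader prefix.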
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: openproject-data
+ namespace: stackspout
+ labels:
+ stackspin.net/backupSet: "openproject"
+spec:
+ accessModes:
+ - ReadWriteMany
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 2Gi
+ storageClassName: local-path
diff --git a/apps/board/openproject/openproject-release.yaml b/apps/board/openproject/openproject-release.yaml
new file mode 100644
index 0000000..e628be0
--- /dev/null
+++ b/apps/board/openproject/openproject-release.yaml
@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: openproject
+ namespace: stackspout
+spec:
+ releaseName: openproject
+ chart:
+ spec:
+ chart: openproject
+ version: 9.10.1
+ sourceRef:
+ kind: HelmRepository
+ name: openproject
+ namespace: flux-system
+ interval: 5m
+ valuesFrom:
+ - kind: ConfigMap
+ name: stackspin-openproject-values
+ optional: false
+ # Allow overriding values by ConfigMap or Secret
+ - kind: ConfigMap
+ name: stackspin-openproject-override
+ optional: true
+ - kind: Secret
+ name: stackspin-openproject-override
+ optional: true
diff --git a/apps/board/openproject/openproject-values-configmap.yaml b/apps/board/openproject/openproject-values-configmap.yaml
new file mode 100644
index 0000000..b1b6b7d
--- /dev/null
+++ b/apps/board/openproject/openproject-values-configmap.yaml
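Review bot: `openproject-data` requests `ReadWriteMany` on `storageClassName: local-path`, while the sibling `openproject-postgres` claim uses `ReadWriteOnce` on the same class; a local-path volume is a directory on one node, so whether an RWX request is honoured depends on the provisioner version in use — confirm on the target cluster or change the mode to `- ReadWriteOnce`. The values ConfigMap repeats `accessModes: ["ReadWriteMany"]` under `persistence`, so both places need to be kept in step with whatever is chosen here. A one-line comment on `accessModes` stating why RWX is required would make the intent reviewable.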
@@ -0,0 +1,86 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: stackspin-openproject-values
+ namespace: stackspout
+data:
+ values.yaml: |
+ # TODO verify structure matches chart
+ commonLabels:
+ stackspin.net/backupSet: "openproject"
+ podLabels:
+ stackspin.net/backupSet: "openproject"
+ # TODO Configure PVC for data & database including backup labels
+ podAnnotations:
+ backup.velero.io/backup-volumes: "data"
+ persistence:
+ enabled: true
+ accessModes:
+ - "ReadWriteMany"
+ existingClaim: "openproject-data"
+
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "Content-Security-Policy: frame-ancestors 'self' files.";
+ host: "${openproject_domain}"
+ path: /
+ pathType: Prefix
+ tls:
+ enabled: true
+ secretName: openproject-tls
+
+ postgresql:
+ bundled: true
+ commonLabels:
+ stackspin.net/backupSet: "openproject"
+ global:
+ postgresql:
+ auth:
+ database: openproject
+ username: openproject
+ password: "${postgresql_password}"
+ postgresPassword: "${postgresql_admin_password}"
+ primary:
+ persistence:
+ existingClaim: openproject-postgres
+ podAnnotations:
+ backup.velero.io/backup-volumes: "data"
+
+ openproject:
+ admin_user:
+ password: "${admin_password}"
+ password_reset: "false"
+ name: "${org_name} Admin"
+ mail: "${admin_email}"
+
+ ## Define OpenID Connect providers
+ #oidc:
+ # enabled: false
+ # provider: "Keycloak"
+ # displayName: "Keycloak"
+ # host: ""
+ # identifier: ""
+ # secret: ""
+ # authorizationEndpoint: ""
+ # tokenEndpoint: ""
+ # userinfoEndpoint: ""
+ # endSessionEndpoint: ""
+ # scope: "[openid]"
+
+ # TODO Adjust openproject Mailing config
+ # mailer:
+ # enabled: "${outgoing_mail_enabled}"
+ # host: "${outgoing_mail_smtp_host}"
+ # port: "${outgoing_mail_smtp_port}"
+ # username: "${outgoing_mail_smtp_user}"
+ # password: "${outgoing_mail_smtp_password}"
+ # fromemail: "${outgoing_mail_from_address}"
+ # TODO Adjust openproject OpenID Connect Single Sign-On Configuration
+ # - name: Stackspin
+ # key: "${client_id}"
+ # secret: "${client_secret}"
+ # issuer: "https://${hydra_domain}"
+ # autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index 9d4d9f7..37a183d 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - flow-kustomization.yaml
 - meet-kustomization.yaml
 - status-kustomization.yaml
- - design-kustomization.yaml
+ - board-kustomization.yaml
+ #- design-kustomization.yaml #
 #- sprint-kustomization.yaml #charts outdated
 #- video-kustomization.yaml #missing storage
diff --git a/infrastructure/sources/openproject.yaml b/infrastructure/sources/openproject.yaml
new file mode 100644
index 0000000..9851931
--- /dev/null
+++ b/infrastructure/sources/openproject.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: openproject
+ namespace: flux-system
+spec:
+ interval: 60m
+ url: https://charts.openproject.org
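Review bot: The `Content-Security-Policy` value in the `nginx.ingress.kubernetes.io/configuration-snippet` ends in `frame-ancestors 'self' files.`, which looks truncated — presumably `files.${domain}` was intended, since `${domain}` is already supplied through `stackspin-cluster-variables` and used for `openproject_domain`. As written the second source is not a valid host expression, so browsers drop it and the effective policy silently becomes `frame-ancestors 'self'`, which is stricter than intended rather than weaker but still not what the line says. If that reading is right, the line should become `more_set_headers "Content-Security-Policy: frame-ancestors 'self' files.${domain}";`, and a short comment above it naming which app is expected to embed OpenProject would stop the next reader from guessing.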
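Review bot: Dropping `design-kustomization.yaml` from `resources` means the Flux Kustomization that reconciles `apps/` will, if it has `prune` enabled, delete the `design` Kustomization object and, through that object's own `prune` setting, the workloads and claims it manages; nothing in this commit records that the design app is being retired, so either confirm that is intended or keep the entry until it has been decommissioned deliberately. The trailing `#` on `#- design-kustomization.yaml #` reads as an unfinished reason — the neighbouring lines carry one (`#charts outdated`, `#missing storage`), so stating why the entry was disabled in the same place keeps the pattern.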