#!/bin/sh -e
if test $# -lt 1; then
echo "You should be in the root apps folder."
echo "Usage: $0 <app> [subdomain] [repo] [namespace]"
exit 1
fi
app=$1
subdomain=${2:-$app}
repo=${3:-$app}
namespace=${4:-stackspout}
cat <<EOF >>"$subdomain-kustomization.yaml"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: add-${subdomain}
namespace: flux-system
spec:
interval: 10m
prune: true
path: ./apps/${subdomain}
sourceRef:
kind: GitRepository
name: ${namespace}
EOF
if test "$(basename "$PWD")" != "${subdomain}"
then mkdir -p "${subdomain}"
cd "${subdomain}"
fi
# Values
cat <<EOF >>"$app-kustomization.yaml"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: ${app}
namespace: flux-system
spec:
interval: 5m
retryInterval: 2m
timeout: 10m
wait: true
prune: true
path: ./apps/${subdomain}/${app}
sourceRef:
kind: GitRepository
name: ${namespace}
dependsOn:
- name: flux
- name: local-path-provisioner
- name: ${app}-secrets
- name: nginx
- name: single-sign-on
postBuild:
substituteFrom:
- kind: Secret
name: stackspin-cluster-variables
- kind: ConfigMap
name: stackspin-${app}-kustomization-variables
- kind: Secret
name: stackspin-${app}-variables
# OIDC
- kind: Secret
name: stackspin-${app}-oauth-variables
- kind: ConfigMap
name: stackspin-single-sign-on-kustomization-variables
EOF
if mkdir "$app"
then
cat <<EOF >"$app/$app-oauth-client.yaml"
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: $app-oauth-client
# Has to live in the same namespace as the stackspin-$app-oauth-variables secret
namespace: flux-system
spec:
# TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
grantTypes:
- authorization_code
- refresh_token
- client_credentials
- implicit
responseTypes:
- id_token
- code
scope: "openid profile email stackspin_roles"
secretName: stackspin-$app-oauth-variables
#redirectUris:
# - https://\${${app}_domain}/oauth/openid/
#tokenEndpointAuthMethod: client_secret_post
EOF
cat <<EOF >"$app/$app-release.yaml"
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: $app
namespace: $namespace
spec:
releaseName: $app
chart:
spec:
chart: $app
version: 1.0 # TODO
sourceRef:
kind: HelmRepository
name: $repo
namespace: flux-system
interval: 5m
valuesFrom:
- kind: ConfigMap
name: stackspin-$app-values
optional: false
# Allow overriding values by ConfigMap or Secret
- kind: ConfigMap
name: stackspin-$app-override
optional: true
- kind: Secret
name: stackspin-$app-override
optional: true
EOF
cat <<EOF >"$app/$app-values-configmap.yaml"
apiVersion: v1
kind: ConfigMap
metadata:
name: stackspin-$app-values
namespace: $namespace
data:
values.yaml: |
# TODO verify structure matches chart
commonLabels:
stackspin.net/backupSet: "${app}"
podLabels:
stackspin.net/backupSet: "${app}"
# TODO Configure PVC for data & database including backup labels
podAnnotations:
backup.velero.io/backup-volumes: "data"
persistence:
enabled: true
existingClaim: "${app}-data"
ingress:
enabled: true
# Elaborate (TrueCharts) style
annotations:
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Content-Security-Policy: frame-ancestors 'self' files.${domain}";
hosts:
- host: "\${${app}_domain}"
paths:
- path: /
pathType: Prefix
tls:
- secretName: $app-tls
hosts:
- "\${${app}_domain}"
# Bitnami style
hostname: "\${${app}_domain}"
tls: true
certManager: true
# TODO Adjust $app Mailing config
# mailer:
# enabled: "\${outgoing_mail_enabled}"
# host: "\${outgoing_mail_smtp_host}"
# port: "\${outgoing_mail_smtp_port}"
# username: "\${outgoing_mail_smtp_user}"
# password: "\${outgoing_mail_smtp_password}"
# fromemail: "\${outgoing_mail_from_address}"
# TODO Adjust $app OpenID Connect Single Sign-On Configuration
# - name: Stackspin
# key: "\${client_id}"
# secret: "\${client_secret}"
# issuer: "https://\${hydra_domain}"
# autoDiscoverUrl: 'https://\${hydra_domain}/.well-known/openid-configuration'
EOF
cat <<EOF >"$app/$app-pvc.yaml"
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: $app-data
namespace: $namespace
labels:
stackspin.net/backupSet: "$app"
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
storageClassName: local-path
EOF
fi
# Secrets
cat <<EOF >>"$app-secrets-kustomization.yaml"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: ${app}-secrets
namespace: flux-system
spec:
interval: 5m
timeout: 4m
wait: true
prune: true
path: ./apps/${subdomain}/${app}-secrets
sourceRef:
kind: GitRepository
name: ${namespace}
dependsOn:
- name: flux
- name: secrets-controller
postBuild:
substituteFrom:
- kind: Secret
name: stackspin-cluster-variables
EOF
if mkdir "$app-secrets"
then
cat <<EOF >"$app-secrets/$app-kustomization-variables.yaml"
apiVersion: v1
kind: ConfigMap
metadata:
name: stackspin-$app-kustomization-variables
namespace: flux-system
data:
${app}_domain: ${subdomain}.\${domain}
EOF
cat <<EOF >>"$app-secrets/$app-variables.yaml"
---
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
name: stackspin-$app-variables
namespace: flux-system
spec:
fields:
- fieldName: password
EOF
cat <<EOF >"$app-secrets/$app-oauth-secret.yaml"
---
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
name: stackspin-$app-oauth-variables
namespace: flux-system
spec:
data:
client_id: $app
fields:
- fieldName: client_secret
length: "32"
EOF
fi
../generate-kustomizations.sh .
echo "TODO: Obtain chart version, check configmap, adjust secrets" >&2
exec $SHELL