Merge "gerrit: use pcloud oauth provider instead of auth-proxy" into main
diff --git a/charts/gerrit/templates/gerrit.configmap.yaml b/charts/gerrit/templates/gerrit.configmap.yaml
index 83c188c..cd1a6a9 100644
--- a/charts/gerrit/templates/gerrit.configmap.yaml
+++ b/charts/gerrit/templates/gerrit.configmap.yaml
@@ -1,5 +1,6 @@
{{- $root := . -}}
+{{- if not .Values.gerrit.etc.existingConfigMapName }}
apiVersion: v1
kind: ConfigMap
metadata:
@@ -28,6 +29,7 @@
enabled = false
{{- end }}
---
+{{- end }}
apiVersion: v1
kind: ConfigMap
metadata:
diff --git a/charts/gerrit/templates/gerrit.stateful-set.yaml b/charts/gerrit/templates/gerrit.stateful-set.yaml
index 2669325..2fc33c9 100644
--- a/charts/gerrit/templates/gerrit.stateful-set.yaml
+++ b/charts/gerrit/templates/gerrit.stateful-set.yaml
@@ -257,7 +257,7 @@
{{- end }}
- name: gerrit-config
configMap:
- name: {{ .Release.Name }}-gerrit-configmap
+ name: {{ if .Values.gerrit.etc.existingConfigMapName }}{{ .Values.gerrit.etc.existingConfigMapName }}{{ else }} {{ .Release.Name }}-gerrit-configmap{{ end }}
- name: gerrit-secure-config
secret:
secretName: {{ .Release.Name }}-gerrit-secure-config
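Review bot: The new `name:` line has a stray space after `{{ else }}`, so the fallback renders as `name:  <release>-gerrit-configmap` with a double space; YAML strips it from a plain scalar, but the branch structure is harder to read than it needs to be. The same result in one expression is `name: {{ .Values.gerrit.etc.existingConfigMapName | default (printf "%s-gerrit-configmap" .Release.Name) }}`. If the StatefulSet pod template carries a checksum annotation over the chart's own ConfigMap (not visible in this hunk), an externally supplied ConfigMap bypasses it and edits to that ConfigMap will not trigger a rollout, which is worth a comment next to this line. The enclosing `volumes:` list starts and ends outside the hunk.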
diff --git a/charts/gerrit/values.yaml b/charts/gerrit/values.yaml
index ef27520..c23f55c 100644
--- a/charts/gerrit/values.yaml
+++ b/charts/gerrit/values.yaml
@@ -256,6 +256,8 @@
priorityClassName:
etc:
+ # If provided config section below will be ignored.
+ existingConfigMapName: ""
# Some values are expected to have a specific value for the deployment installed
# by this chart to work. These are marked with `# FIXED`.
# Do not change them!
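Review bot: The comment on the new `existingConfigMapName` key is ambiguous about which "config section" is skipped and does not say where the ConfigMap must live. I would replace it with `# Name of an existing ConfigMap in the release namespace that provides the Gerrit config files. When set, the chart does not render its own ConfigMap and the \`config\` section below is ignored.` ConfigMap volumes can only reference the pod's own namespace, so stating that here saves a failed pod start later.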
diff --git a/charts/resource-renderer/.helmignore b/charts/resource-renderer/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/resource-renderer/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/resource-renderer/Chart.yaml b/charts/resource-renderer/Chart.yaml
new file mode 100644
index 0000000..1360ef4
--- /dev/null
+++ b/charts/resource-renderer/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: resource-renderer
+description: A Helm chart to configure resource-renderer
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
diff --git a/charts/resource-renderer/templates/install.yaml b/charts/resource-renderer/templates/install.yaml
new file mode 100644
index 0000000..9c7495d
--- /dev/null
+++ b/charts/resource-renderer/templates/install.yaml
@@ -0,0 +1,8 @@
+apiVersion: dodo.cloud.dodo.cloud/v1
+kind: ResourceRenderer
+metadata:
+ name: {{ .Values.name }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: {{ .Values.secretName }}
+ resourceTemplate: {{ toYaml .Values.resourceTemplate | indent 2 }}
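Review bot: `secretName` is emitted unquoted and without `required`, while the chart default in values.yaml (L107) is the placeholder `foo`, so an install with default values silently produces a ResourceRenderer that points at a Secret that does not exist. I would make the value mandatory and quoted, `secretName: {{ required "secretName must name the Secret whose keys the template consumes" .Values.secretName | quote }}`, and ship an empty default, `secretName: ""`, in values.yaml; `metadata.name` deserves `| quote` for the same reason. The `resourceTemplate: {{ toYaml ... | indent 2 }}` form only works because the whole scalar rides on the key line; the conventional, more robust embedding of a multi-line string is `resourceTemplate: |-` followed on the next line by `{{- .Values.resourceTemplate | nindent 4 }}`.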
diff --git a/charts/resource-renderer/values.yaml b/charts/resource-renderer/values.yaml
new file mode 100644
index 0000000..6fbb1af
--- /dev/null
+++ b/charts/resource-renderer/values.yaml
@@ -0,0 +1,3 @@
+name: render-configmap
+secretName: foo
+resourceTemplate: ""
diff --git a/core/installer/app_test.go b/core/installer/app_test.go
index 1d7552a..d3e4d3c 100644
--- a/core/installer/app_test.go
+++ b/core/installer/app_test.go
@@ -164,7 +164,6 @@
"public": "foo",
"private": "bar",
},
- "sshPort": 22,
},
}
rendered, err := a.Render(d)
diff --git a/core/installer/values-tmpl/gerrit-values.yaml b/core/installer/values-tmpl/gerrit-values.yaml
deleted file mode 100644
index c78c5d2..0000000
--- a/core/installer/values-tmpl/gerrit-values.yaml
+++ /dev/null
@@ -1,335 +0,0 @@
-images:
- busybox:
- registry: docker.io
- tag: latest
- # Registry used for container images created by this project
- registry:
- # The registry name must NOT contain a trailing slash
- name:
- ImagePullSecret:
- # Leave blank, if no ImagePullSecret is needed.
- name: image-pull-secret
- # If set to false, the gerrit chart expects either a ImagePullSecret
- # with the name configured above to be present on the cluster or that no
- # credentials are needed.
- create: false
- username:
- password:
- version: latest
- imagePullPolicy: Always
- # Additional ImagePullSecrets that already exist and should be used by the
- # pods of this chart. E.g. to pull busybox from dockerhub.
- additionalImagePullSecrets: []
-
-# Additional labels that should be applied to all resources
-additionalLabels: {}
-
-storageClasses:
- # Storage class used for storing logs and other pod-specific persisted data
- default:
- # If create is set to false, an existing StorageClass with the given
- # name is expected to exist in the cluster. Setting create to true will
- # create a storage class with the parameters given below.
- name: longhorn
- create: false
- provisioner: kubernetes.io/aws-ebs
- reclaimPolicy: Delete
- # Use the parameters key to set all parameters needed for the provisioner
- parameters:
- type: gp2
- fsType: ext4
- mountOptions: []
- allowVolumeExpansion: false
- # Storage class used for storing git repositories. Has to provide RWM access.
- shared:
- # If create is set to false, an existing StorageClass with RWM access
- # mode and the given name has to be provided.
- name: longhorn
- create: false
- provisioner: nfs
- reclaimPolicy: Delete
- # Use the parameters key to set all parameters needed for the provisioner
- parameters:
- mountOptions: vers=4.1
- mountOptions: []
- allowVolumeExpansion: false
-
-
-nfsWorkaround:
- enabled: false
- chownOnStartup: false
- idDomain: localdomain.com
-
-
-networkPolicies:
- enabled: false
- dnsPorts:
- - 53
- - 8053
-
-
-gitRepositoryStorage:
- externalPVC:
- use: false
- name: git-repositories-pvc
- size: 5Gi
-
-logStorage:
- enabled: false
- externalPVC:
- use: false
- name: gerrit-logs-pvc
- size: 5Gi
- cleanup:
- enabled: false
- additionalPodLabels: {}
- schedule: "0 0 * * *"
- retentionDays: 14
- resources:
- requests:
- cpu: 100m
- memory: 256Mi
- limits:
- cpu: 100m
- memory: 256Mi
-
-caCert:
-
-ingress:
- enabled: false
- host:
- # The maximum body size to allow for requests. Use "0" to allow unlimited
- # reuqest body sizes.
- maxBodySize: 50m
- additionalAnnotations:
- kubernetes.io/ingress.class: nginx
- # nginx.ingress.kubernetes.io/server-alias: example.com
- # nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx
- tls:
- enabled: false
- secret:
- create: true
- # `name` will only be used, if `create` is set to false to bind an
- # existing secret. Otherwise the name will be automatically generated to
- # avoid conflicts between multiple chart installations.
- name:
- # `cert`and `key` will only be used, if the secret will be created by
- # this chart.
- cert: |-
- -----BEGIN CERTIFICATE-----
-
- -----END CERTIFICATE-----
- key: |-
- -----BEGIN RSA PRIVATE KEY-----
-
- -----END RSA PRIVATE KEY-----
-
-
-gitGC:
- image: k8sgerrit/git-gc
-
- tolerations: []
- nodeSelector: {}
- affinity: {}
- additionalPodLabels: {}
-
- schedule: 0 6,18 * * *
-
- resources:
- requests:
- cpu: 100m
- memory: 256Mi
- limits:
- cpu: 100m
- memory: 256Mi
-
- logging:
- persistence:
- enabled: true
- size: 1Gi
-
-
-gerrit:
- images:
- gerritInit: k8sgerrit/gerrit-init
- gerrit: k8sgerrit/gerrit
-
- tolerations: []
- topologySpreadConstraints: {}
- nodeSelector: {}
- affinity: {}
- additionalAnnotations: {}
- additionalPodLabels: {}
-
- replicas: 1
- updatePartition: 0
-
- # The memory limit has to be higher than the configures heap-size for Java!
- resources:
- requests:
- cpu: 1
- memory: 5Gi
- limits:
- cpu: 1
- memory: 6Gi
-
- persistence:
- enabled: true
- size: 10Gi
-
- livenessProbe:
- initialDelaySeconds: 30
- periodSeconds: 5
-
- readinessProbe:
- initialDelaySeconds: 5
- periodSeconds: 1
-
- startupProbe:
- initialDelaySeconds: 10
- periodSeconds: 30
-
- gracefulStopTimeout: 90
-
- # The general NetworkPolicy rules implemented by this chart may be too restrictive
- # for some setups, e.g. when trying to replicate to a Gerrit replica. Here
- # custom rules may be added to whitelist some additional connections.
- networkPolicy:
- ingress: []
- egress: []
- # An example for an egress rule to allow replication to a Gerrit replica
- # installed with the gerrit-replica setup in the same cluster and namespace
- # by using the service as the replication destination
- # (e.g. http://gerrit-replica-git-backend-service:80/git/${name}.git):
- #
- # - to:
- # - podSelector:
- # matchLabels:
- # app: git-backend
-
- service:
- additionalAnnotations: {}
- loadBalancerSourceRanges: []
- type: LoadBalancer
- externalTrafficPolicy: Cluster
- http:
- port: 80
- ssh:
- enabled: true
- port: 29418
-
- # `gerrit.keystore` expects a base64-encoded Java-keystore
- # Since Java keystores are binary files, adding the unencoded content and
- # automatic encoding using helm does not work here.
- keystore:
-
- index:
- # Either `lucene` or `elasticsearch`
- type: lucene
-
- pluginManagement:
- plugins:
- - name: gitiles
- # A plugin packaged in the gerrit.war-file
- # - name: download-commands
-
- # A plugin packaged in the gerrit.war-file that will also be installed as a
- # lib
- # - name: replication
- # installAsLibrary: true
-
- # A plugin that will be downloaded on startup
- # - name: delete-project
- # url: https://example.com/gerrit-plugins/delete-project.jar
- # sha1:
- # installAsLibrary: false
-
- # Only downloaded plugins will be cached. This will be ignored, if no plugins
- # are downloaded.
- libs: []
- cache:
- enabled: false
- size: 1Gi
-
- priorityClassName:
-
- etc:
- # Some values are expected to have a specific value for the deployment installed
- # by this chart to work. These are marked with `# FIXED`.
- # Do not change them!
- config:
- gerrit.config: |-
- [gerrit]
- basePath = git # FIXED
- serverId = gerrit-1
- # The canonical web URL has to be set to the Ingress host, if an Ingress
- # is used. If a LoadBalancer-service is used, this should be set to the
- # LoadBalancer's external IP. This can only be done manually after installing
- # the chart, when you know the external IP the LoadBalancer got from the
- # cluster.
- canonicalWebUrl = http://192.168.100.215/
- disableReverseDnsLookup = true
- [index]
- type = LUCENE
- [auth]
- type = DEVELOPMENT_BECOME_ANY_ACCOUNT
- gitBasicAuthPolicy = HTTP
- [httpd]
- # If using an ingress use proxy-http or proxy-https
- listenUrl = proxy-http://*:8080/
- requestLog = true
- gracefulStopTimeout = 1m
- [sshd]
- listenAddress = off
- [transfer]
- timeout = 120 s
- [user]
- name = Gerrit Code Review
- email = gerrit@example.com
- anonymousCoward = Unnamed User
- [cache]
- directory = cache
- [container]
- user = gerrit # FIXED
- javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
- javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
- javaOptions = -Xms200m
- # Has to be lower than 'gerrit.resources.limits.memory'. Also
- # consider memories used by other applications in the container.
- javaOptions = -Xmx4g
-
- replication.config: |-
- [gerrit]
- autoReload = false
- replicateOnStartup = true
- defaultForceUpdate = true
-
- # [remote "replica"]
- # url = http://gerrit-replica.example.com/git/${name}.git
- # replicationDelay = 0
- # timeout = 30
-
- secret:
- secure.config: |-
- # Password for the keystore added as value for 'gerritReplica.keystore'
- # Only needed, if SSL is enabled.
- #[httpd]
- # sslKeyPassword = gerrit
-
- # Credentials for replication targets
- # [remote "replica"]
- # username = git
- # password = secret
-
- # ssh_host_ecdsa_key: |-
- # -----BEGIN EC PRIVATE KEY-----
-
- # -----END EC PRIVATE KEY-----
-
- # ssh_host_ecdsa_key.pub: ecdsa-sha2-nistp256...
-
- additionalConfigMaps:
- # - name:
- # subDir:
- # data:
- # file.txt: test
diff --git a/core/installer/values-tmpl/gerrit.cue b/core/installer/values-tmpl/gerrit.cue
index 70fda48..221a286 100644
--- a/core/installer/values-tmpl/gerrit.cue
+++ b/core/installer/values-tmpl/gerrit.cue
@@ -2,7 +2,6 @@
network: #Network
subdomain: string
key: #SSHKey
- sshPort: int
}
_domain: "\(input.subdomain).\(input.network.domain)"
@@ -16,7 +15,7 @@
_ingressWithAuthProxy: _IngressWithAuthProxy & {
inp: {
auth: {
- enabled: true
+ enabled: false
}
network: input.network
subdomain: input.subdomain
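Review bot: `_ingressWithAuthProxy` is now instantiated with `auth.enabled: false`, so the identifier no longer describes what is built and will mislead the next reader of the `helm:` block that is derived from it. A comment at the definition, `// Auth proxy disabled: Gerrit authenticates users itself via the OAUTH provider plugin; the ingress fronts Gerrit directly`, would record the intent, or the local name could be renamed to match. With the proxy gone, anonymous access to the UI and Git endpoints is governed solely by Gerrit's own access controls, which is presumably intended but worth stating.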
@@ -73,6 +72,22 @@
namespace: global.id
}
}
+ oauth2Client: {
+ chart: "charts/oauth2-client"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
+ resourceRenderer: {
+ chart: "charts/resource-renderer"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
}
volumes: {
@@ -94,18 +109,97 @@
_longhorn: "longhorn"
_httpPort: 80
-_sshPort: 22
-portForward: [#PortForward & {
- allocator: input.network.allocatePortAddr
- sourcePort: input.sshPort
- // TODO(gio): namespace part must be populated by app manager. Otherwise
- // third-party app developer might point to a service from different namespace.
- targetService: "\(release.namespace)/gerrit-gerrit-service"
- targetPort: _sshPort
-}]
+_oauth2ClientCredentials: "gerrit-oauth2-credentials"
+_gerritConfigMapName: "gerrit-config"
helm: _ingressWithAuthProxy.out.helm & {
+ "oauth2-client": {
+ chart: charts.oauth2Client
+ values: {
+ name: "gerrit-oauth2-client"
+ secretName: _oauth2ClientCredentials
+ grantTypes: ["authorization_code"]
+ scope: "openid profile email"
+ hydraAdmin: "http://hydra-admin.\(global.id)-core-auth.svc.cluster.local"
+ redirectUris: ["https://\(_domain)/oauth"]
+ }
+ }
+ "config-renderer": {
+ chart: charts.resourceRenderer
+ values: {
+ name: "config-renderer"
+ secretName: _oauth2ClientCredentials
+ resourceTemplate: """
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: \(_gerritConfigMapName)
+ namespace: \(release.namespace)
+data:
+ replication.config: |
+ [gerrit]
+ autoReload = false
+ replicateOnStartup = true
+ defaultForceUpdate = true
+ gerrit.config: |
+ [gerrit]
+ basePath = git # FIXED
+ serverId = gerrit-1
+ # The canonical web URL has to be set to the Ingress host, if an Ingress
+ # is used. If a LoadBalancer-service is used, this should be set to the
+ # LoadBalancer's external IP. This can only be done manually after installing
+ # the chart, when you know the external IP the LoadBalancer got from the
+ # cluster.
+ canonicalWebUrl = https://\(_domain)
+ disableReverseDnsLookup = true
+ [index]
+ type = LUCENE
+ [auth]
+ type = OAUTH
+ gitBasicAuthPolicy = HTTP
+ userNameToLowerCase = true
+ userNameCaseInsensitive = true
+ [plugin "gerrit-oauth-provider-pcloud-oauth"]
+ root-url = https://hydra.\(global.domain)
+ client-id = "{{ .client_id }}"
+ client-secret = "{{ .client_secret }}"
+ link-to-existing-openid-accounts = true
+ [download]
+ command = branch
+ command = checkout
+ command = cherry_pick
+ command = pull
+ command = format_patch
+ command = reset
+ scheme = http
+ scheme = anon_http
+ [httpd]
+ # If using an ingress use proxy-http or proxy-https
+ listenUrl = proxy-http://*:8080/
+ requestLog = true
+ gracefulStopTimeout = 1m
+ [sshd]
+ listenAddress = off
+ [transfer]
+ timeout = 120 s
+ [user]
+ name = Gerrit Code Review
+ email = gerrit@\(global.domain)
+ anonymousCoward = Unnamed User
+ [cache]
+ directory = cache
+ [container]
+ user = gerrit # FIXED
+ javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
+ javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
+ javaOptions = -Xms200m
+ # Has to be lower than 'gerrit.resources.limits.memory'. Also
+ # consider memories used by other applications in the container.
+ javaOptions = -Xmx4g
+"""
+ }
+ }
gerrit: {
chart: charts.gerrit
values: {
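Review bot: The `resourceTemplate` renders `client-secret = "{{ .client_secret }}"` into `gerrit.config` inside a ConfigMap, so the OAuth client secret ends up in a non-secret object readable by anything with ConfigMap read access in the namespace. Gerrit overlays `etc/secure.config` on `gerrit.config` with the same section syntax, which is where plugin credentials conventionally live; the chart already builds a `-gerrit-secure-config` Secret from `etc.secret`, but it has no `existingSecretName` counterpart to `existingConfigMapName`, so moving the secret there needs a small chart extension. Until then, a comment on the template, `// NOTE: client_secret is rendered into a ConfigMap, not a Secret — see secure.config`, makes the exposure explicit. The `helm:` block continues outside the hunk.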
@@ -172,8 +266,7 @@
}
http: port: _httpPort
ssh: {
- enabled: true
- port: _sshPort
+ enabled: false
}
}
pluginManagement: {
@@ -181,75 +274,20 @@
name: "gitiles"
}, {
name: "download-commands"
+ }, {
+ name: "oauth"
+ url: "https://drive.google.com/uc?export=download&id=1rSUpZCAVvHZTmRgUl4enrsAM73gndjeP"
+ sha1: "cbdc5228a18b051a6e048a8e783e556394cc5db1"
}]
libs: []
cache: enabled: false
}
etc: {
secret: {
- // TODO(gio): auto generate
ssh_host_ecdsa_key: input.key.private
"ssh_host_ecdsa_key.pub": input.key.public
}
- config: {
- "replication.config": """
-[gerrit]
- autoReload = false
- replicateOnStartup = true
- defaultForceUpdate = true"""
- "gerrit.config": """
-[gerrit]
- basePath = git # FIXED
- serverId = gerrit-1
- # The canonical web URL has to be set to the Ingress host, if an Ingress
- # is used. If a LoadBalancer-service is used, this should be set to the
- # LoadBalancer's external IP. This can only be done manually after installing
- # the chart, when you know the external IP the LoadBalancer got from the
- # cluster.
- canonicalWebUrl = https://\(_domain)
- disableReverseDnsLookup = true
-[index]
- type = LUCENE
-[auth]
- type = HTTP
- httpHeader = X-User
- emailFormat = '{0}@\(global.domain)'
- logoutUrl = https://accounts-ui.\(global.domain)/logout
- gitBasicAuthPolicy = HTTP
- userNameToLowerCase = true
- userNameCaseInsensitive = true
-[download]
- command = pull
- command = cherry_pick
- command = checkout
- command = format_patch
- scheme = ssh
- scheme = http
-[httpd]
- # If using an ingress use proxy-http or proxy-https
- listenUrl = proxy-http://*:8080/
- requestLog = true
- gracefulStopTimeout = 1m
-[sshd]
- listenAddress = 0.0.0.0:29418
- advertisedAddress = \(_domain):\(input.sshPort)
-[transfer]
- timeout = 120 s
-[user]
- name = Gerrit Code Review
- email = gerrit@\(global.domain)
- anonymousCoward = Unnamed User
-[cache]
- directory = cache
-[container]
- user = gerrit # FIXED
- javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
- javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
- javaOptions = -Xms200m
- # Has to be lower than 'gerrit.resources.limits.memory'. Also
- # consider memories used by other applications in the container.
- javaOptions = -Xmx4g"""
- }
+ existingConfigMapName: _gerritConfigMapName
}
}
}
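Review bot: The `oauth` plugin is downloaded at startup from a Google Drive share link; the pinned `sha1` protects against a swapped file, but the hosting gives no version, no provenance and no availability guarantee, and a changed file simply breaks every fresh install. I would host the jar in a project-controlled artifact location with a versioned path and note its build source next to the entry, e.g. `// built from <PLUGIN_SOURCE_REPO placeholder> at <PLUGIN_COMMIT placeholder>`. Separately, `existingConfigMapName: _gerritConfigMapName` makes the Gerrit pods mount a ConfigMap produced by the `config-renderer` release; a configMap volume without `optional: true` blocks pod start until that object exists, so the ordering between the two releases is presumably relied upon and deserves a comment. The enclosing `gerrit:` values block starts outside the hunk.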
diff --git a/core/resource-renderer/Makefile b/core/resource-renderer/Makefile
index 5b9dda4..ae6b7d3 100644
--- a/core/resource-renderer/Makefile
+++ b/core/resource-renderer/Makefile
@@ -1,6 +1,6 @@
# Image URL to use all building/pushing image targets
-IMG ?= giolekva/resource-renderer-controller:latest
+IMG ?= giolekva/resource-renderer-controller
# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
ENVTEST_K8S_VERSION = 1.24.2
@@ -88,16 +88,16 @@
.PHONY: docker-build
docker-build: test clean build_arm64 build_amd64 ## Build docker image with the manager.
- podman build --platform linux/arm64 --tag ${IMG}-arm64 .
- podman build --platform linux/amd64 --tag ${IMG}-amd64 .
+ docker build --platform linux/arm64 --tag ${IMG}:arm64 .
+ docker build --platform linux/amd64 --tag ${IMG}:amd64 .
.PHONY: docker-push
docker-push: ## Push docker image with the manager.
- podman push ${IMG}-arm64
- podman push ${IMG}-amd64
- podman manifest create ${IMG} ${IMG}-arm64 ${IMG}-amd64
- podman manifest push ${IMG} docker://docker.io/${IMG}
- podman manifest rm ${IMG}
+ docker push ${IMG}:arm64
+ docker push ${IMG}:amd64
+ docker manifest create ${IMG}:latest ${IMG}:arm64 ${IMG}:amd64
+ docker manifest push ${IMG}:latest
+ docker manifest rm ${IMG}:latest
##@ Deployment
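Review bot: The manifest is now created and pushed only as `${IMG}:latest`, a mutable tag, so deployments cannot pin a specific build and a later push silently replaces what is running; the first hunk (L706) removes the only tag that was in `IMG`. I would add an immutable tag alongside, e.g. `VERSION ?= $(shell git rev-parse --short HEAD)` and a second `docker manifest create ${IMG}:${VERSION} ${IMG}:arm64 ${IMG}:amd64` / `docker manifest push ${IMG}:${VERSION}` pair. The per-arch tags `:arm64` and `:amd64` are likewise overwritten on every build.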