# Chart repositories that the `releases` stanza below pulls from
# (ingress-nginx/ingress-nginx and bitnami/postgresql); the other
# charts are referenced by relative path and need no repository.
repositories:
  - name: ingress-nginx
    url: https://kubernetes.github.io/ingress-nginx
  - name: bitnami
    url: https://charts.bitnami.com/bitnami

# Settings applied to every release in this file.
helmDefaults:
  # Helm 2 tillerless-plugin switch.
  # NOTE(review): has no effect on Helm 3 — confirm which helm binary runs this file.
  tillerless: true
  # Do not wait for hook Jobs to complete before a release is considered deployed.
  waitForJobs: false

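# Releases are rendered through helmfile's Go templating: every .Values.id,
# .Values.domain, .Values.contactEmail and .Values.certManagerNamespace below
# comes from the `environments` stanza at the end of this file.
#
# Changes from the previous revision (all shape/typing fixes, no new behaviour):
#   - tag: 13.4 quoted so YAML does not parse it as a float
#   - ingress-nginx tcp/udp rewritten from a list to the port -> service mapping
#     the chart's values take (as a list the ports were not picked up)
#   - "53" keys, proxy-body-size and same_site values quoted to keep them strings
#   - the registration hook list item written on one line
releases:
  # Overlay-network certificate authority and lighthouse settings shared by
  # the ingress-private sidecar and the ui release below.
  - name: vpn-mesh-config
    chart: ../../charts/vpn-mesh-config
    namespace: {{ .Values.id }}-ingress-private
    createNamespace: true
    values:
      - certificateAuthority:
          name: {{ .Values.id }}
          secretName: ca-{{ .Values.id }}-cert
      - lighthouse:
          internalIP: 111.0.0.1
          externalIP: 46.49.35.44
          # Kept as a string, matching ui.nebula.lighthouse.port below;
          # containerPort in ingress-private is the numeric form.
          port: "4243"

  # Private ingress-nginx: ClusterIP only, bound to the mesh address of the
  # lighthouse sidecar, with its own IngressClass so it never serves the
  # public `nginx` class.
  - name: ingress-private
    chart: ingress-nginx/ingress-nginx
    version: 4.0.3
    namespace: {{ .Values.id }}-ingress-private
    createNamespace: true
    values:
      - fullnameOverride: nginx
      - controller:
          service:
            type: ClusterIP
          ingressClassByName: true
          ingressClassResource:
            name: {{ .Values.id }}-ingress-private
            enabled: true
            default: false
            controllerValue: k8s.io/{{ .Values.id }}-ingress-private
          extraVolumes:
            - name: lighthouse-cert
              secret:
                secretName: node-lighthouse-cert
            - name: config
              configMap:
                name: lighthouse-config
          extraContainers:
            # Nebula lighthouse sidecar sharing the controller pod's network namespace.
            # NOTE(review): privileged: true grants far more than the NET_ADMIN
            # capability added below; confirm the tun device really needs it and
            # otherwise drop `privileged` and keep only the capability.
            - name: lighthouse
              # NOTE(review): mutable `latest` tag — pin a version or digest so the
              # sidecar that terminates mesh traffic is reproducible.
              image: giolekva/nebula:latest
              imagePullPolicy: IfNotPresent
              securityContext:
                privileged: true
                capabilities:
                  add:
                    - NET_ADMIN
              ports:
                - name: nebula
                  containerPort: 4243
                  protocol: UDP
              command:
                - nebula
                - --config=/etc/nebula/config/lighthouse.yaml
              volumeMounts:
                - name: lighthouse-cert
                  mountPath: /etc/nebula/lighthouse
                - name: config
                  mountPath: /etc/nebula/config
          # nginx ConfigMap entries; ConfigMap data must be strings, so the
          # body-size limit is written as "0" (nginx: unlimited) rather than 0.
          config:
            bind-address: 111.0.0.1
            proxy-body-size: "0"
        # Port -> "namespace/service:port" mappings for the chart's TCP/UDP
        # passthrough (exposes pihole DNS through this controller).
        # NOTE(review): rewritten from the earlier list form, which the chart
        # does not range over as intended; verify the rendered nginx-tcp /
        # nginx-udp ConfigMaps and the Service ports after applying.
        udp:
          "53": {{ .Values.id }}-app-pihole/pihole-dns-udp:53
        tcp:
          "53": {{ .Values.id }}-app-pihole/pihole-dns-tcp:53

  # cert-manager ClusterIssuers: ACME (Let's Encrypt) for public hosts,
  # an internal issuer for the private hosts.
  # NOTE(review): the `<id>-public-staging` issuer referenced by the public
  # ingresses below is presumably derived from `stagingServer` by this chart —
  # confirm, since nothing in this file names it explicitly.
  - name: certificate-issuer
    chart: ../../charts/certificate-issuer
    namespace: {{ .Values.certManagerNamespace }} # {{ .Values.id }}-ingress-private
    createNamespace: true
    values:
      - public:
          name: {{ .Values.id }}-public
          server: https://acme-v02.api.letsencrypt.org/directory
          stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
          contactEmail: {{ .Values.contactEmail }}
          # `nginx` is the public controller's class, defined outside this file.
          ingressClass: nginx
      - private:
          name: {{ .Values.id }}-private

  # PostgreSQL backing store; both the Kratos and Hydra DSNs below point at
  # this instance and the single `kratos` database.
  - name: core-auth-storage # TODO(giolekva): merge with core-auth
    chart: bitnami/postgresql
    version: 10.13.5
    namespace: {{ .Values.id }}-core-auth
    createNamespace: true
    values:
      - fullnameOverride: postgres
      - image:
          repository: arm64v8/postgres
          # Quoted: a bare 13.4 is parsed as a float (and 13.40 would become 13.4).
          tag: "13.4"
      - service:
          type: ClusterIP
          port: 5432
      # NOTE(review): plaintext database password committed to git, repeated in
      # the Kratos and Hydra DSNs below. Source it from the environment
      # (helmfile `requiredEnv`) or an existing Secret and reference that instead.
      - postgresqlPassword: psswd
      - postgresqlDatabase: kratos
      - persistence:
          size: 1Gi
      # NOTE(review): the database runs as root (fsGroup/runAsUser 0), overriding
      # the chart's non-root defaults — presumably because of the arm64v8/postgres
      # image; confirm, and prefer that image's own postgres uid.
      - securityContext:
          enabled: true
          fsGroup: 0
      - containerSecurityContext:
          enabled: true
          runAsUser: 0
      - volumePermissions:
          securityContext:
            runAsUser: 0

  # Ory Kratos (identity), Ory Hydra (OAuth2/OIDC) and the accounts UI.
  # Admin APIs are exposed only on the private ingress class; public endpoints
  # go through the `nginx` class with the *staging* ACME issuer.
  - name: core-auth
    chart: ../../charts/auth
    namespace: {{ .Values.id }}-core-auth
    createNamespace: true
    values:
      - kratos:
          fullnameOverride: kratos
          image:
            repository: giolekva/ory-kratos
            # NOTE(review): `latest` with pullPolicy Always — every restart may pull
            # a different identity server; pin a tag or digest.
            tag: latest
            pullPolicy: Always
          service:
            admin:
              enabled: true
              type: ClusterIP
              port: 80
              name: http
            public:
              enabled: true
              type: ClusterIP
              port: 80
              name: http
          ingress:
            admin:
              enabled: true
              className: {{ .Values.id }}-ingress-private
              hosts:
                - host: kratos.{{ .Values.id }}
                  paths:
                    - path: /
                      pathType: Prefix
              annotations:
                cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
                acme.cert-manager.io/http01-edit-in-place: "true"
              tls:
                - hosts:
                    - kratos.{{ .Values.id }}
                  secretName: cert-kratos.{{ .Values.id }}
            public:
              enabled: true
              className: nginx
              hosts:
                - host: accounts.{{ .Values.domain }}
                  paths:
                    - path: /
                      pathType: Prefix
              annotations:
                # NOTE(review): staging issuer on a public host — browsers will not
                # trust this certificate; switch to the `<id>-public` issuer for
                # real users.
                cert-manager.io/cluster-issuer: "{{ .Values.id }}-public-staging"
                acme.cert-manager.io/http01-edit-in-place: "true"
              tls:
                - hosts:
                    - accounts.{{ .Values.domain }}
                  secretName: cert-accounts.{{ .Values.domain }}
          secret:
            enabled: true
          kratos:
            autoMigrate: true
            development: false
            config:
              version: v0.7.1-alpha.1
              # NOTE(review): credentials inline (same password as core-auth-storage)
              # and sslmode=disable; these values still land in git even though the
              # chart stores them in a Secret. Inject the DSN from the environment.
              dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
              serve:
                public:
                  base_url: https://accounts.{{ .Values.domain }}
                  cors:
                    enabled: true
                    debug: false
                    allow_credentials: true
                    allowed_origins:
                      - https://{{ .Values.domain }}
                      - https://*.{{ .Values.domain }}
                admin:
                  base_url: https://kratos.{{ .Values.id }}/
              selfservice:
                default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
                whitelisted_return_urls:
                  - https://accounts-ui.{{ .Values.domain }}
                methods:
                  password:
                    enabled: true
                flows:
                  error:
                    ui_url: https://accounts-ui.{{ .Values.domain }}/error
                  settings:
                    ui_url: https://accounts-ui.{{ .Values.domain }}/settings
                    privileged_session_max_age: 15m
                  recovery:
                    enabled: false
                  verification:
                    enabled: false
                  logout:
                    after:
                      default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
                  login:
                    ui_url: https://accounts-ui.{{ .Values.domain }}/login
                    lifespan: 10m
                    after:
                      password:
                        default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
                  registration:
                    lifespan: 10m
                    ui_url: https://accounts-ui.{{ .Values.domain }}/registration
                    after:
                      password:
                        # Issue a session right after password registration.
                        hooks:
                          - hook: session
                        default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
              log:
                level: debug
                format: text
                # NOTE(review): true writes credentials and session tokens into the
                # logs (and development is false here); keep it false outside local
                # debugging.
                leak_sensitive_values: true
              cookies:
                path: /
                # Quoted to keep it a plain string for every YAML reader.
                same_site: "None"
                domain: {{ .Values.domain }}
              # NOTE(review): placeholder cookie secret committed to git — every
              # session cookie is signed with it. Generate a random value and
              # inject it rather than storing it in this file.
              secrets:
                cookie:
                  - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
                # cipher:
                #   - 32-LONG-SECRET-NOT-SECURE-AT-ALL
                # ciphers:
                #   algorithm: xchacha20-poly1305
              hashers:
                argon2:
                  parallelism: 1
                  memory: 128MB
                  iterations: 2
                  salt_length: 16
                  key_length: 16
              identity:
                default_schema_url: file:///etc/config/identity.schema.json
              courier:
                smtp:
                  # NOTE(review): SMTP username and password are embedded in this URI
                  # in plaintext; move it alongside the other injected secrets.
                  connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
          # Identity schema mounted at the default_schema_url above: a single
          # `username` trait that doubles as the password identifier.
          identitySchemas:
            "identity.schema.json": |
              {
                "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
                "$schema": "http://json-schema.org/draft-07/schema#",
                "title": "User",
                "type": "object",
                "properties": {
                  "traits": {
                    "type": "object",
                    "properties": {
                      "username": {
                        "type": "string",
                        "format": "username",
                        "title": "Username",
                        "minLength": 3,
                        "ory.sh/kratos": {
                          "credentials": {
                            "password": {
                              "identifier": true
                            }
                          }
                        }
                      }
                    },
                    "additionalProperties": false
                  }
                }
              }
      - hydra:
          fullnameOverride: hydra
          image:
            repository: giolekva/ory-hydra
            # NOTE(review): mutable `latest` tag with pullPolicy Always — pin it.
            tag: latest
            pullPolicy: Always
          service:
            admin:
              enabled: true
              type: ClusterIP
              port: 80
              name: http
            public:
              enabled: true
              type: ClusterIP
              port: 80
              name: http
          ingress:
            admin:
              enabled: true
              className: {{ .Values.id }}-ingress-private
              hosts:
                - host: hydra.{{ .Values.id }}
                  paths:
                    - path: /
                      pathType: Prefix
              annotations:
                cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
                acme.cert-manager.io/http01-edit-in-place: "true"
              tls:
                - hosts:
                    - hydra.{{ .Values.id }}
                  secretName: cert-hydra.{{ .Values.id }}
            public:
              enabled: true
              className: nginx
              hosts:
                - host: hydra.{{ .Values.domain }}
                  paths:
                    - path: /
                      pathType: Prefix
              annotations:
                # NOTE(review): staging issuer on the public OIDC issuer host; relying
                # parties will reject the certificate until this is `<id>-public`.
                cert-manager.io/cluster-issuer: "{{ .Values.id }}-public-staging"
                acme.cert-manager.io/http01-edit-in-place: "true"
              tls:
                - hosts:
                    - hydra.{{ .Values.domain }}
                  secretName: cert-hydra.{{ .Values.domain }}
          secret:
            enabled: true
          maester:
            enabled: false
          hydra:
            autoMigrate: true
            config:
              version: v1.10.6
              # NOTE(review): same inline credentials and sslmode=disable as Kratos,
              # and the same `kratos` database — both services auto-migrate into it;
              # confirm their migration tables do not collide, or give Hydra its own DB.
              dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
              serve:
                cookies:
                  same_site_mode: "None"
                public:
                  cors:
                    enabled: true
                    debug: false
                    allow_credentials: true
                    allowed_origins:
                      - https://{{ .Values.domain }}
                      - https://*.{{ .Values.domain }}
                admin:
                  # host: localhost
                  cors:
                    allowed_origins:
                      - https://hydra.{{ .Values.id }}
                  # NOTE(review): 0.0.0.0/0 lets any client claim X-Forwarded-Proto:
                  # https, so TLS termination is effectively not verified and the
                  # three narrower ranges are redundant. Restrict this to the ingress
                  # controllers' pod/mesh ranges. Same list is repeated under serve.tls.
                  tls:
                    allow_termination_from:
                      - 0.0.0.0/0
                      - 10.42.0.0/16
                      - 10.43.0.0/16
                      - 111.0.0.1/32
                tls:
                  allow_termination_from:
                    - 0.0.0.0/0
                    - 10.42.0.0/16
                    - 10.43.0.0/16
                    - 111.0.0.1/32
              urls:
                self:
                  public: https://hydra.{{ .Values.domain }}
                  issuer: https://hydra.{{ .Values.domain }}
                consent: https://accounts-ui.{{ .Values.domain }}/consent
                login: https://accounts-ui.{{ .Values.domain }}/login
                logout: https://accounts-ui.{{ .Values.domain }}/logout
              # NOTE(review): placeholder system secret committed to git; it encrypts
              # stored tokens and must be generated per deployment and injected.
              secrets:
                system:
                  - youReallyNeedToChangeThis
              oidc:
                subject_identifiers:
                  supported_types:
                    - pairwise
                    - public
                  pairwise:
                    # NOTE(review): same placeholder as the system secret. Pick a
                    # distinct random salt now — changing it later changes every
                    # pairwise subject identifier already issued.
                    salt: youReallyNeedToChangeThis
              log:
                level: trace
                leak_sensitive_values: false
      - ui:
          certificateIssuer: {{ .Values.id }}-public-staging
          ingressClassName: nginx
          domain: {{ .Values.domain }}
          internalDomain: {{ .Values.id }}
          # Mesh node for the UI, joined to the lighthouse defined in vpn-mesh-config.
          nebula:
            lighthouse:
              name: ui-lighthouse
              internalIP: 111.0.0.1
              externalIP: 46.49.35.44
              port: "4243"
            node:
              name: ui
              ipCidr: 111.0.0.2/24
              secretName: node-ui-cert
            certificateAuthority:
              name: {{ .Values.id }}
              namespace: {{ .Values.id }}-ingress-private
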
# Per-environment inputs consumed as .Values.<name> by the releases above:
#   id                   - short site identifier; prefixes every namespace and
#                          names the vpn-mesh-config certificate authority
#   domain               - public DNS zone for the accounts / hydra hosts
#   contactEmail         - contact handed to the public (ACME) certificate issuer
#   certManagerNamespace - namespace the certificate-issuer release is installed into
environments:
  shveli:
    values:
      - id: shveli
      - domain: shve.li
      - contactEmail: giolekva@gmail.com
      - certManagerNamespace: cert-manager