feat: admin services (#753)

Allows admins to create services and jobs, in the namespace of their choice, to accomodate exposure of own platform tooling.

.cspell.json

@@ -98,6 +98,7 @@
     "kubectl",
     "kubernetes",
     "millicores",
+    "minikube",
     "modsecurity",
     "msteams",
     "mtls",

.values/env/teams/apps.admin.yaml

+teamConfig:
+    admin:
+        apps: []

.values/env/teams/external-secrets.admin.yaml

+teamConfig:
+    admin:
+        secrets: []

.values/env/teams/jobs.admin.yaml

+teamConfig:
+    admin:
+        jobs: []

.values/env/teams/services.admin.yaml

+teamConfig:
+    admin:
+        services: []

chart/otomi/values-localhost.yaml

 # These values are intended for use to demo Otomi on a server/laptop.
 # Minimal recommended specs: 32GB+ RAM, 12+ (v)CPU
 cluster:
-  provider: custom
-  domainSuffix: 127.0.0.1.nip.io
+  provider: local
+  # set the below nip.io ip to your metal LB ip when using minikube:
+  domainSuffix: 192.168.64.16.nip.io
   # k8sContext: minikube # if using minikube

chart/otomi/values.yaml

@@ -2,7 +2,9 @@ cluster:
   # domainSuffix: '' # Needs to be set when hasExternalDNS is set to true
   k8sVersion: '1.21'
   name: 'dev'
-  provider: 'aws' # provider can be one of aws|azure|google|custom
+  # Provider can be one of aws|azure|google|custom|local
+  # (choose 'local' for laptop install (minikube, kind), and 'custom' for onprem clusters.)
+  provider: 'local'
   # owner: '' # will be set to 'otomi' if left empty
 otomi: {}
   # adminPassword: '' # Will be automatically generated if not filled-in

charts/team-ns/templates/external-secrets.yaml

 {{- $v := .Values }}
 {{- $ := . }}
 {{- range $s := $v.secrets }}
+{{- $ns := index $s "namespace" | default $.Release.Namespace }}
 {{- $pathPrefix:=printf "/secret/data/teams/team-%s" $v.teamId }}
 {{- $vaultPath:=printf "%s/%s" $pathPrefix $s.name | quote }}
 apiVersion: kubernetes-client.io/v1
 kind: ExternalSecret
 metadata:
   name: {{ $s.name }}
+  namespace: {{ $ns }}
   labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
     {{- with $s.labels }}
     {{- . | toYaml | nindent 4 }}

charts/team-ns/templates/knative-services.yaml

@@ -2,6 +2,7 @@
 {{- $ := . }}
 {{- $secrets := (include "itemsByName" ($v.secrets | default list) | fromYaml) }}
 {{- range $s := $v.services }}
+{{- $ns := index $s "namespace" | default $.Release.Namespace }}
 {{- $type := $s.type | default "public" }}
 {{- if hasKey $s "ksvc" }}
 {{- $k := $s.ksvc }}
@@ -11,6 +12,7 @@ apiVersion: serving.knative.dev/v1
 kind: Service
 metadata:
   name: {{ $s.name }}
+  namespace: {{ $ns }}  
   labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
     {{- with $k.labels }}
     {{- . | toYaml | nindent 4 }}

helmfile.d/helmfile-15.ingress-core.yaml

@@ -37,5 +37,5 @@ releases:
         cluster: {{- $v.cluster | toYaml | nindent 10 }}
         otomi: {{- $v.otomi | toYaml | nindent 10 }}
         domain: {{ $v.cluster | get "domainSuffix" nil }}
-        services: {{- $coreAdminServices | toYaml | nindent 10 }}
-        resourceQuota: null
+        services: {{- concat $coreAdminServices ($v.teamConfig | get "admin.services" list) | toYaml | nindent 10 }}
+        resourceQuota: null
\ No newline at end of file

helmfile.d/helmfile-60.teams.yaml

@@ -25,7 +25,7 @@ bases:
 {{- $opsgenieTpl := tpl (readFile "../helmfile.d/snippets/alertmanager/opsgenie.gotmpl") $v | toString }}
 
 releases:
-{{- range $teamId, $team := omit $tc "admin" }}
+{{- range $teamId, $team := omit $tc "admin" }} 
   {{- $teamServices := ($team | get "services" list) }}
   {{- $domain := printf "team-%s.%s" $teamId $v.cluster.domainSuffix }}
   {{- $appsDomain := printf "apps.%s" $domain }}

helmfile.d/snippets/domains.gotmpl

@@ -15,10 +15,9 @@
 {{- end }}
 {{- end }}
 {{- $domains := dict }}
-{{- $_ := set $tc "admin" dict }}
 {{- range $teamId, $team := $tc }}
   {{- $baseDomain := printf "%s%s" (eq $teamId "admin" | ternary "" (printf "team-%s." $teamId)) $v.cluster.domainSuffix }}
-  {{- $services := (eq $teamId "admin" | ternary $coreAdminServices (concat $coreTeamServices ($team | get "services" list))) }}
+  {{- $services := (eq $teamId "admin" | ternary (concat $coreAdminServices ($team | get "services" list)) (concat $coreTeamServices ($team | get "services" list))) }}
   {{- range $s := $services }}
     {{- $domain := printf "apps.%s" $baseDomain }}
     {{- if hasKey $s "domain" }}

helmfile.d/snippets/env.gotmpl

@@ -29,7 +29,6 @@ environments:
 {{- range $app := $apps }}{{ if ne $app "" }}
       - {{ $app }}
 {{- end }}{{ end }}
-      - {{ $ENV_DIR }}/env/teams/apps.admin.yaml
 {{- range $team := $teams }}
   {{- range $type := list "apps" "services" "external-secrets" "jobs" }}
     {{- if eq (exec "bash" (list "-c" (printf "( test -f $ENV_DIR/env/teams/%s.%s.yaml && echo 'true' ) || echo 'false'" $type $team)) | trim) "true" }}

values-schema.yaml

@@ -619,6 +619,7 @@ definitions:
     type: integer
   provider:
     type: string
+    description: Enter the cloud provider of this cluster. Choose 'local' for laptop install (minikube, kind), and 'custom' for onprem clusters.
     enum:
       - aws
       - azure

values/keycloak/keycloak.gotmpl

 {{- $v := .Values }}
 {{- $k := $v.apps.keycloak }}
 {{- $dbVendor := ($k | get "persistence.dbVendor" "postgres") }}
-
+{{- $pinnedConsoleVersion := "v0.5.4" }}
 image:
   tag: 15.1.1
 contextPath: ""
@@ -51,7 +51,7 @@ startupScripts:
     cp -Rv /themes/* /opt/jboss/keycloak/themes/
 extraInitContainers: |
   - name: keycloak-otomi-branding
-    image: otomi/console:v{{ $v.versions.console }}
+    image: otomi/console:v{{ $pinnedConsoleVersion }}
     imagePullPolicy: IfNotPresent
     securityContext:
       runAsUser: 1000

values/kubeapps/kubeapps.gotmpl

@@ -22,7 +22,8 @@ authProxy:
   # provider: oidc
   # clientID: {{ $kk.idp.clientID }}
   # clientSecret: {{ $kk.idp.clientSecret }}
- 
+featureFlags:
+  operators: true 
 dashboard:
   replicaCount: {{ $k.autoscaling.dashboard.minReplicas }}
 frontend:
@@ -34,15 +35,16 @@ apprepository:
   containerSecurityContext:
     enabled: true
     runAsUser: 1001
-{{- if or (gt (len $initialRepos) 0) $v.apps.harbor.enabled }}
   initialRepos:
-  {{- range $repo := $initialRepos }}
+    - name: bitnami
+      url: https://charts.bitnami.com/bitnami  
+{{- range $repo := $initialRepos }}
     - {{- toYaml $repo | nindent 6 }}
       containerSecurityContext:
         enabled: true
         runAsUser: 1001
-  {{- end }}
-  {{- if $v.apps.harbor.enabled }}
+{{- end }}
+{{- if $v.apps.harbor.enabled }}
     - name: harbor
       type: helm
       description: Local cluster chart repository
@@ -55,10 +57,9 @@ apprepository:
       #   password: {{ $h.registry.credentials.password }}
         # TODO: remove next line when CA is truly supported: https://github.com/kubeapps/kubeapps/issues/515
       tlsInsecureSkipVerify: {{ $v._derived.untrustedCA }}
-    {{- if $v._derived.untrustedCA }}
+  {{- if $v._derived.untrustedCA }}
       caCert: |
         {{- /*$v._derived.caCert | nindent 8 */}}
-    {{- end }}
   {{- end }}
 {{- end }}
 metrics:

versions.yaml

-api: 0.5.2
-console: 0.5.4
+api: master
+console: master
 tasks: 0.2.25