diff --git a/.gitignore b/.gitignore index 723ef36..ebc921f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -.idea \ No newline at end of file +docker-secret.yaml +.idea diff --git a/charts/backstage/Chart.lock b/charts/backstage/Chart.lock new file mode 100644 index 0000000..21c40a7 --- /dev/null +++ b/charts/backstage/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 11.8.0 +digest: sha256:03c2e3c38a6a2a192cc2c0d67dfa88c927cb26152cb00e4d8048c7ffc10ebf4c +generated: "2022-08-22T11:35:36.300794-03:00" diff --git a/charts/backstage/Chart.yaml b/charts/backstage/Chart.yaml new file mode 100644 index 0000000..ee99532 --- /dev/null +++ b/charts/backstage/Chart.yaml @@ -0,0 +1,26 @@ +apiVersion: v2 +name: backstage +description: A Helm chart for Backstage +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +version: 0.1.3 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. +appVersion: v0.1.1-alpha.23 + +sources: + - https://github.com/backstage/backstage + - https://github.com/spotify/lighthouse-audit-service + +dependencies: + - name: postgresql + condition: postgresql.enabled + version: 11.8.0 + repository: https://charts.bitnami.com/bitnami + +maintainers: + - name: GustavoBelfort + - name: pokt-foundation diff --git a/charts/backstage/README.md b/charts/backstage/README.md new file mode 100644 index 0000000..40bb266 --- /dev/null +++ b/charts/backstage/README.md 
@@ -0,0 +1,282 @@ +# Backstage demo helm charts + +This folder contains Helm charts that can easily create a Kubernetes deployment of a demo Backstage app. + +### Pre-requisites + +These charts depend on the `nginx-ingress` controller being present in the cluster. If it's not already installed you +can run: + +```shell +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm install nginx-ingress ingress-nginx/ingress-nginx +``` + +### Installing the charts + +After choosing a DNS name where backstage will be hosted create a yaml file for your custom configuration. + +```yaml +appConfig: + app: + baseUrl: https://backstage.mydomain.com + title: Backstage + backend: + baseUrl: https://backstage.mydomain.com + cors: + origin: https://backstage.mydomain.com + lighthouse: + baseUrl: https://backstage.mydomain.com/lighthouse-api + techdocs: + storageUrl: https://backstage.mydomain.com/api/techdocs/static/docs + requestUrl: https://backstage.mydomain.com/api/techdocs +``` + +Then use it to run: + +```shell +git clone https://github.com/backstage/backstage.git +cd contrib/chart/backstage +helm dependency update +helm install -f backstage-mydomain.yaml backstage . +``` + +This command will deploy the following pieces: + +- Backstage frontend +- Backstage backend with scaffolder and auth plugins +- (optional) a PostgreSQL instance +- lighthouse plugin +- ingress + +After a few minutes Backstage should be up and running in your cluster under the DNS specified earlier. + +Make sure to create the appropriate DNS entry in your infrastructure. To find the public IP address run: + +```shell +$ kubectl get ingress +NAME HOSTS ADDRESS PORTS AGE +backstage-ingress * 123.1.2.3 80 17m +``` + +> **NOTE**: this is not a production ready deployment. + +## Customization + +### Issue certificates + +These charts can install or reuse a `clusterIssuer` to generate certificates for the backstage `ingress`. To do that: + +1. 
[Install][install-cert-manager] or make sure [cert-manager][cert-manager] is installed in the cluster. +2. Enable the issuer in the charts. This will first check if there is a `letsencrypt` issuer already deployed in your + cluster and deploy one if it doesn't exist. + +To enable it you need to provide a valid email address in the chart's values: + +```yaml +issuer: + email: me@example.com + clusterIssuer: 'letsencrypt-prod' +``` + +By default, the charts use `letsencrypt-staging` so in the above example we instruct helm to use the production issuer +instead. + +[cert-manager]: https://cert-manager.io/docs/ +[install-cert-manager]: https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm + +### Custom PostgreSQL instance + +Configuring a connection to an existing PostgreSQL instance is possible through the chart's values. + +First create a yaml file with the configuration you want to override, for example `backstage-prod.yaml`: + +```yaml +postgresql: + enabled: false + +appConfig: + app: + baseUrl: https://backstage-demo.mydomain.com + title: Backstage + backend: + baseUrl: https://backstage-demo.mydomain.com + cors: + origin: https://backstage-demo.mydomain.com + database: + client: pg + connection: + database: backstage_plugin_catalog + host: + user: + password: + lighthouse: + baseUrl: https://backstage-demo.mydomain.com/lighthouse-api + +lighthouse: + database: + client: pg + connection: + host: + user: + password: + database: lighthouse_audit_service +``` + +For the CA, create a `configMap` named `--postgres-ca` with a file called `ca.crt`: + +```shell +kubectl create configmap my-company-backstage-postgres-ca --from-file=ca.crt" +``` + +or disable CA mount + +```yaml +backend: + postgresCertMountEnabled: false + +lighthouse: + postgresCertMountEnabled: false +``` + +> Where the release name contains the chart name "backstage" then only the release name will be used. 
+ +Now install the helm chart: + +```shell +cd contrib/chart/backstage +helm install -f backstage-prod.yaml my-backstage . +``` + +### Use your own docker images + +The docker images used for the deployment can be configured through the charts values: + +```yaml +frontend: + image: + repository: + tag: + +backend: + image: + repository: + tag: + +lighthouse: + image: + repository: + tag: +``` + +### Use a private docker repo + +Create a docker-registry secret + +```shell +kubectl create secret docker-registry # args +``` + +> For private images on docker hub --docker-server can be set to docker.io + +Reference the secret in your chart values + +```yaml +dockerRegistrySecretName: +``` + +### Different namespace + +To install the charts a specific namespace use `--namespace `: + +```shell +helm install -f my_values.yaml --namespace demos backstage . +``` + +### Disable loading of demo data + +To deploy backstage with the pre-loaded demo data disable `backend.demoData`: + +```shell +helm install -f my_values.yaml --set backend.demoData=false backstage . +``` + +### Other options + +For more customization options take a look at the [values.yaml](/contrib/chart/backstage/values.yaml) file. + +## Troubleshooting + +Some resources created by these charts are meant to survive after upgrades and even after uninstalls. When +troubleshooting these charts it can be useful to delete these resources between re-installs. + +Secrets: + +``` +-postgresql-certs -- contains the certificates used by the deployed PostgreSQL +``` + +Persistent volumes: + +``` +data--postgresql-0 -- this is the data volume used by PostgreSQL to store data and configuration +``` + +> **NOTE**: this volume also stores the configuration for PostgreSQL which includes things like the password for the +> `postgres` user. This means that uninstalling and re-installing the charts with `postgres.enabled` set to `true` and +> auto generated passwords will fail. 
The solution is to delete this volume with +> `kubectl delete pvc data--postgresql-0` + +ConfigMaps: + +``` +-postgres-ca -- contains the generated CA certificate for PostgreSQL when `postgres` is enabled +``` + +#### Unable to verify signature + +``` +Backend failed to start up Error: unable to verify the first certificate + at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34) + at TLSSocket.emit (events.js:315:20) + at TLSSocket._finishInit (_tls_wrap.js:936:8) + at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) { + code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' +``` + +This error happens in the backend when it tries to connect to the configured PostgreSQL database and the specified CA is not correct. The solution is to make sure that the contents of the `configMap` that holds the certificate match the CA for the PostgreSQL instance. A workaround is to set `appConfig.backend.database.connection.ssl.rejectUnauthorized` to `false` in the chart's values. + +#### Multi-Platform Kubernetes Services + +If you are running a multi-platform Kubernetes service with Windows and Linux nodes then you will need to apply a `nodeSelector` to the Helm chart to ensure that pods are scheduled onto the correct platform nodes. + +Add the following to your Helm values file: + +```yaml +global: + nodeSelector: + kubernetes.io/os: linux + +# If using Postgres Chart also add +postgresql: + master: + nodeSelector: + kubernetes.io/os: linux + slave: + nodeSelector: + kubernetes.io/os: linux +``` + + + +## Uninstalling Backstage + +To uninstall Backstage simply run: + +```shell +RELEASE_NAME= # use `helm list` to find out the name +helm uninstall ${RELEASE_NAME} +kubectl delete pvc data-${RELEASE_NAME}-postgresql-0 +kubectl delete secret ${RELEASE_NAME}-postgresql-certs +kubectl delete configMap ${RELEASE_NAME}-postgres-ca +``` 
diff --git a/charts/backstage/charts/postgresql-11.8.0.tgz b/charts/backstage/charts/postgresql-11.8.0.tgz new file mode 100644 index 0000000..ebce9dc Binary files /dev/null and b/charts/backstage/charts/postgresql-11.8.0.tgz differ diff --git a/charts/backstage/files/app-config.values.yaml.tpl b/charts/backstage/files/app-config.values.yaml.tpl new file mode 100644 index 0000000..aee9682 --- /dev/null +++ b/charts/backstage/files/app-config.values.yaml.tpl @@ -0,0 +1,23 @@ +backend: + listen: + port: {{ .Values.appConfig.backend.listen.port | default 7007 }} + database: + client: {{ .Values.appConfig.backend.database.client | quote }} + connection: + host: {{ include "backend.postgresql.host" . | quote }} + port: {{ include "backend.postgresql.port" . | quote }} + user: {{ include "backend.postgresql.user" . | quote }} + database: {{ .Values.appConfig.backend.database.connection.database | quote }} + csp: + connect-src: ["'self'", 'http:', 'https:'] + img-src: ["'self'", 'http:', 'https:'] + +catalog: + locations: [] + +techdocs: + builder: 'local' # Alternatives - 'external' + generator: + runIn: 'docker' # Alternatives - 'local' + publisher: + type: 'local' # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives. diff --git a/charts/backstage/files/create-backend-dbs.sql b/charts/backstage/files/create-backend-dbs.sql new file mode 100644 index 0000000..043ff7d --- /dev/null +++ b/charts/backstage/files/create-backend-dbs.sql 
@@ -0,0 +1,13 @@ +{{ $backendDb := .Values.appConfig.backend.database.connection.database }} +{{ $lighthouseDb := .Values.lighthouse.database.connection.database }} +{{ $user := .Values.global.postgresql.postgresqlUsername }} + +grant all privileges on database {{ $backendDb }} to {{ $user }}; + +create database backstage_plugin_auth; +grant all privileges on database backstage_plugin_auth to {{ $user }}; + +{{ if not (eq $backendDb $lighthouseDb) }} +create database {{ $lighthouseDb }}; +grant all privileges on database {{ $lighthouseDb }} to {{ $user }}; +{{ end }} diff --git a/charts/backstage/templates/_helpers.tpl b/charts/backstage/templates/_helpers.tpl new file mode 100644 index 0000000..4049128 --- /dev/null +++ b/charts/backstage/templates/_helpers.tpl 
@@ -0,0 +1,270 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "backstage.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "backstage.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "backstage.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common App labels +*/}} +{{- define "backstage.app.labels" -}} +app.kubernetes.io/name: {{ include "backstage.name" . }}-app +helm.sh/chart: {{ include "backstage.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Common Backend labels +*/}} +{{- define "backstage.backend.labels" -}} +app.kubernetes.io/name: {{ include "backstage.name" . }}-backend +helm.sh/chart: {{ include "backstage.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Name for postgresql dependency +See https://github.com/helm/helm/issues/3920#issuecomment-686913512 +*/}} +{{- define "backstage.postgresql.fullname" -}} +{{ printf "%s-%s" .Release.Name .Values.postgresql.nameOverride }} +{{- end -}} + +{{/* +Create the name of the service account to use for the applications +*/}} +{{- define "backstage.serviceAccountName" -}} + {{ default "backstage" .Values.serviceAccount.name }} +{{- end -}} + +{{/* +Path to the CA certificate file in the backend +*/}} +{{- define "backstage.backend.postgresCaFilename" -}} +{{ include "backstage.backend.postgresCaDir" . }}/{{- required "The name for the CA certificate file for postgresql is required" .Values.global.postgresql.caFilename }} +{{- end -}} +{{/* + +{{/* +Directory path to the CA certificate file in the backend +*/}} +{{- define "backstage.backend.postgresCaDir" -}} +{{- if .Values.appConfig.backend.database.connection.ssl.ca -}} + {{ .Values.appConfig.backend.database.connection.ssl.ca }} +{{- else -}} +/etc/postgresql +{{- end -}} +{{- end -}} +{{/* + +Path to the CA certificate file in lighthouse +*/}} +{{- define "backstage.lighthouse.postgresCaFilename" -}} +{{ include "backstage.lighthouse.postgresCaDir" . 
}}/{{- required "The name for the CA certificate file for postgresql is required" .Values.global.postgresql.caFilename }} +{{- end -}} + +{{/* +Directory path to the CA certificate file in lighthouse +*/}} +{{- define "backstage.lighthouse.postgresCaDir" -}} +{{- if .Values.lighthouse.database.pathToDatabaseCa -}} + {{ .Values.lighthouse.database.pathToDatabaseCa }} +{{- else -}} +/etc/postgresql +{{- end -}} +{{- end -}} +{{/* + +{{/* +Generate ca for postgresql +*/}} +{{- define "backstage.postgresql.generateCA" -}} +{{- $ca := .ca | default (genCA (include "backstage.postgresql.fullname" .) 365) -}} +{{- $_ := set . "ca" $ca -}} +{{- $ca.Cert -}} +{{- end -}} + +{{/* +Generate certificates for postgresql +*/}} +{{- define "generateCerts" -}} +{{- $postgresName := (include "backstage.postgresql.fullname" .) }} +{{- $altNames := list $postgresName ( printf "%s.%s" $postgresName .Release.Namespace ) ( printf "%s.%s.svc" ( $postgresName ) .Release.Namespace ) -}} +{{- $ca := .ca | default (genCA (include "backstage.postgresql.fullname" .) 365) -}} +{{- $_ := set . "ca" $ca -}} +{{- $cert := genSignedCert ( $postgresName ) nil $altNames 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Generate a password for the postgres user used for the connections from the backend and lighthouse +*/}} +{{- define "postgresql.generateUserPassword" -}} +{{- $pgPassword := .pgPassword | default ( randAlphaNum 12 ) -}} +{{- $_ := set . "pgPassword" $pgPassword -}} +{{ $pgPassword}} +{{- end -}} + +{{/* +Name of the backend service +*/}} +{{- define "backend.serviceName" -}} +{{ include "backstage.fullname" . }}-backend +{{- end -}} + +{{/* +Name of the frontend service +*/}} +{{- define "frontend.serviceName" -}} +{{ include "backstage.fullname" . }}-frontend +{{- end -}} + +{{/* +Name of the lighthouse backend service +*/}} +{{- define "lighthouse.serviceName" -}} +{{ include "backstage.fullname" . 
}}-lighthouse +{{- end -}} + +{{/* +Name of the postgresql service +*/}} +{{- define "postgresql.serviceName" -}} +{{- include "backstage.postgresql.fullname" . }} +{{- end -}} + +{{/* +Postgres host for lighthouse +*/}} +{{- define "lighthouse.postgresql.host" -}} +{{- if .Values.postgresql.enabled }} +{{- include "postgresql.serviceName" . }} +{{- else -}} +{{- required "A valid .Values.lighthouse.database.connection.host is required when postgresql is not enabled" .Values.lighthouse.database.connection.host -}} +{{- end -}} +{{- end -}} + +{{/* +Postgres host for the backend +*/}} +{{- define "backend.postgresql.host" -}} +{{- if .Values.postgresql.enabled }} +{{- include "postgresql.serviceName" . }} +{{- else -}} +{{- required "A valid .Values.appConfig.backend.database.connection.host is required when postgresql is not enabled" .Values.appConfig.backend.database.connection.host -}} +{{- end -}} +{{- end -}} + +{{/* +Postgres port for the backend +*/}} +{{- define "backend.postgresql.port" -}} +{{- if .Values.postgresql.enabled }} +{{- .Values.postgresql.service.port }} +{{- else if .Values.appConfig.backend.database.connection.port -}} +{{- .Values.appConfig.backend.database.connection.port }} +{{- else -}} +5432 +{{- end -}} +{{- end -}} + +{{/* +Postgres port for lighthouse +*/}} +{{- define "lighthouse.postgresql.port" -}} +{{- if .Values.postgresql.enabled }} +{{- .Values.postgresql.service.port }} +{{- else if .Values.lighthouse.database.connection.port -}} +{{- .Values.lighthouse.database.connection.port }} +{{- else -}} +5432 +{{- end -}} +{{- end -}} + +{{/* +Postgres user for backend +*/}} +{{- define "backend.postgresql.user" -}} +{{- if .Values.postgresql.enabled }} +{{- .Values.global.postgresql.postgresqlUsername }} +{{- else -}} +{{- required "A valid .Values.appConfig.backend.database.connection.user is required when postgresql is not enabled" .Values.appConfig.backend.database.connection.user -}} +{{- end -}} +{{- end -}} + +{{/* +Postgres 
user for lighthouse +*/}} +{{- define "lighthouse.postgresql.user" -}} +{{- if .Values.postgresql.enabled }} +{{- .Values.global.postgresql.postgresqlUsername }} +{{- else -}} +{{- required "A valid .Values.lighthouse.database.connection.user is required when postgresql is not enabled" .Values.lighthouse.database.connection.user -}} +{{- end -}} +{{- end -}} + +{{/* +Postgres password secret for backend +*/}} +{{- define "backend.postgresql.passwordSecret" -}} +{{- if .Values.postgresql.enabled }} +{{- template "backstage.postgresql.fullname" . }} +{{- else -}} +{{ $secretName := (printf "%s-backend-postgres" (include "backstage.fullname" . )) }} +{{- required "A valid .Values.appConfig.backend.database.connection.password is required when postgresql is not enabled" $secretName -}} +{{- end -}} +{{- end -}} + +{{/* +Postgres password for lighthouse +*/}} +{{- define "lighthouse.postgresql.passwordSecret" -}} +{{- if .Values.postgresql.enabled }} +{{- template "backstage.postgresql.fullname" . }} +{{- else -}} +{{ $secretName := (printf "%s-lighthouse-postgres" (include "backstage.fullname" . )) }} +{{- required "A valid .Values.lighthouse.database.connection.password is required when postgresql is not enabled" $secretName -}} +{{- end -}} +{{- end -}} + +{{/* +app-config file name +*/}} +{{- define "backstage.appConfigFilename" -}} +{{- "app-config.values.yaml" -}} +{{- end -}} diff --git a/charts/backstage/templates/backend-deployment.yaml b/charts/backstage/templates/backend-deployment.yaml new file mode 100644 index 0000000..52ed369 --- /dev/null +++ b/charts/backstage/templates/backend-deployment.yaml 
@@ -0,0 +1,94 @@ +{{- if .Values.backend.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backstage.fullname" . }}-backend + +spec: + replicas: {{ .Values.backend.replicaCount }} + + selector: + matchLabels: + app: backstage + component: backend + + template: + metadata: + annotations: + ad.datadoghq.com/backstage.logs: '[{"source":"backstage","service":"backend"}]' + labels: + app: backstage + component: backend + + spec: + {{- if .Values.dockerRegistrySecretName }} + imagePullSecrets: + - name: {{ .Values.dockerRegistrySecretName }} + {{- end}} + containers: + - name: {{ .Chart.Name }}-backend + command: ["node"] + args: + - "packages/backend" + - "--config" + - "/secret/app-config.yaml" + - "--config" + - {{ printf "/configmap/%s" (include "backstage.appConfigFilename" .) | quote }} + image: {{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }} + imagePullPolicy: {{ .Values.backend.image.pullPolicy }} + ports: + - containerPort: {{ .Values.backend.containerPort }} + resources: + {{- toYaml .Values.backend.resources | nindent 12 }} + env: + - name: NODE_ENV + value: {{ .Values.backend.nodeEnv | default "development" }} + - name: APP_CONFIG_backend_database_connection_password + valueFrom: + secretKeyRef: + name: {{ include "backend.postgresql.passwordSecret" .}} + key: postgres-password + volumeMounts: + {{- if .Values.backend.postgresCertMountEnabled }} + - name: postgres-ca + mountPath: {{ include "backstage.backend.postgresCaDir" . }} + {{- end }} + - name: app-config + mountPath: /secret/ + - name: app-config-values + mountPath: /configmap/ + volumes: + {{- if .Values.backend.postgresCertMountEnabled }} + - name: postgres-ca + configMap: + name: {{ include "backstage.fullname" . }}-postgres-ca + {{- end }} + - name: app-config + secret: + secretName: {{ .Values.externalSecrets.targetName }} + - name: app-config-values + configMap: + name: {{ include "backstage.fullname" . 
}}-app-config + {{- if .Values.global.nodeSelector }} + nodeSelector: {{- toYaml .Values.global.nodeSelector | nindent 8 }} + {{- end }} + +{{- if .Values.backend.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "backend.serviceName" . }} + +spec: + ports: + - port: 80 + targetPort: {{ .Values.backend.containerPort }} + + selector: + app: backstage + component: backend + + type: {{ .Values.backend.serviceType }} +{{- end }} +{{- end }} diff --git a/charts/backstage/templates/backend-secret.yaml b/charts/backstage/templates/backend-secret.yaml new file mode 100644 index 0000000..6fa88fb --- /dev/null +++ b/charts/backstage/templates/backend-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.backend.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "backstage.fullname" . }}-backend +type: Opaque +stringData: + AUTH_GITHUB_CLIENT_SECRET: {{ .Values.auth.github.clientSecret }} + SENTRY_TOKEN: {{ .Values.auth.sentryToken }} + GITHUB_TOKEN: {{ .Values.auth.githubToken }} + PAGERDUTY_TOKEN: {{ .Values.auth.pagerdutyToken }} +{{- end }} diff --git a/charts/backstage/templates/backstage-app-config.yaml b/charts/backstage/templates/backstage-app-config.yaml new file mode 100644 index 0000000..e22e23a --- /dev/null +++ b/charts/backstage/templates/backstage-app-config.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "backstage.fullname" . }}-app-config +data: +{{ include "backstage.appConfigFilename" . | indent 2 }}: | +{{ tpl (.Files.Get "files/app-config.values.yaml.tpl") . | indent 4 }} diff --git a/charts/backstage/templates/backstage-auth-config.yaml b/charts/backstage/templates/backstage-auth-config.yaml new file mode 100644 index 0000000..0eeff63 --- /dev/null +++ b/charts/backstage/templates/backstage-auth-config.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "backstage.fullname" . }}-auth +data: + AUTH_GITHUB_CLIENT_ID: {{ .Values.auth.github.clientId }} \ No newline at end of file diff --git a/charts/backstage/templates/external-secrets.yaml b/charts/backstage/templates/external-secrets.yaml new file mode 100644 index 0000000..cbd9f5c --- /dev/null +++ b/charts/backstage/templates/external-secrets.yaml @@ -0,0 +1,39 @@ +{{- if .Values.externalSecrets.enabled -}} +--- +kind: SecretStore +apiVersion: external-secrets.io/v1beta1 +metadata: + name: {{ include "backstage.fullname" . }} +spec: + controller: {{ .Values.externalSecrets.controller }} + provider: + vault: + auth: + kubernetes: + mountPath: {{ .Values.externalSecrets.authMountPath }} + role: {{ .Values.externalSecrets.role }} + serviceAccountRef: + name: {{ include "backstage.serviceAccountName" . }} + namespace: {{ .Values.externalSecrets.namespace }} + path: {{ .Values.externalSecrets.secretStoretPath }} + server: {{ .Values.externalSecrets.vaultServer }} + version: {{ .Values.externalSecrets.version }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: {{ include "backstage.fullname" . }} +spec: + refreshInterval: "20s" + secretStoreRef: + name: {{ include "backstage.fullname" . }} + kind: SecretStore + target: + name: {{ .Values.externalSecrets.targetName }} + deletionPolicy: {{ .Values.externalSecrets.deletionPolicy }} + data: + - secretKey: {{ .Values.externalSecrets.secretKey }} + remoteRef: + key: {{ .Values.externalSecrets.secretName }} + property: {{ .Values.externalSecrets.secretKey }} +{{- end }} diff --git a/charts/backstage/templates/frontend-deployment.yaml b/charts/backstage/templates/frontend-deployment.yaml new file mode 100644 index 0000000..dba4e2c --- /dev/null +++ b/charts/backstage/templates/frontend-deployment.yaml 
@@ -0,0 +1,66 @@ +{{- if .Values.frontend.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backstage.fullname" . }}-frontend + +spec: + replicas: {{ .Values.frontend.replicaCount }} + + selector: + matchLabels: + app: backstage + component: frontend + + template: + metadata: + annotations: + ad.datadoghq.com/backstage.logs: '[{"source":"backstage","service":"frontend"}]' + labels: + app: backstage + component: frontend + + spec: + {{- if .Values.dockerRegistrySecretName }} + imagePullSecrets: + - name: {{ .Values.dockerRegistrySecretName }} + {{- end}} + containers: + - name: {{ .Chart.Name }}-frontend + image: {{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag }} + imagePullPolicy: {{ .Values.frontend.image.pullPolicy }} + ports: + - containerPort: {{ .Values.frontend.containerPort }} + resources: + {{- toYaml .Values.frontend.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "backstage.fullname" . }}-app-env + volumeMounts: + - name: app-config + mountPath: {{ printf "/usr/share/nginx/html/static/%s" (include "backstage.appConfigFilename" .) }} + subPath: {{ include "backstage.appConfigFilename" . }} + volumes: + - name: app-config + configMap: + name: {{ include "backstage.fullname" . }}-app-config + {{- if .Values.global.nodeSelector }} + nodeSelector: {{- toYaml .Values.global.nodeSelector | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "frontend.serviceName" . }} + +spec: + ports: + - port: 80 + targetPort: {{ .Values.frontend.containerPort }} + + selector: + app: backstage + component: frontend + + type: {{ .Values.frontend.serviceType }} +{{- end }} diff --git a/charts/backstage/templates/ingress.yaml b/charts/backstage/templates/ingress.yaml new file mode 100644 index 0000000..2bb1296 --- /dev/null +++ b/charts/backstage/templates/ingress.yaml 
@@ -0,0 +1,150 @@ +{{- $frontendUrl := urlParse .Values.appConfig.app.baseUrl}} +{{- $backendUrl := urlParse .Values.appConfig.backend.baseUrl}} +{{- $lighthouseUrl := urlParse .Values.appConfig.lighthouse.baseUrl}} + +{{/* Determine the api type for the ingress */}} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "backstage.fullname" . }}-ingress + annotations: + {{- if .Values.issuer.email }} + cert-manager.io/cluster-issuer: {{ .Values.issuer.clusterIssuer }} + {{- end }} + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($scheme = https) { + add_header Strict-Transport-Security "max-age=0;"; + } + {{- toYaml .Values.ingress.annotations | nindent 4 }} +spec: + tls: + - secretName: {{ include "backstage.fullname" . }}-tls + hosts: + - {{ $frontendUrl.host }} + - {{ $backendUrl.host }} + - {{ $lighthouseUrl.host }} + rules: + - host: {{ $frontendUrl.host }} + http: + paths: + - path: / + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + {{- end }} + backend: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + service: + name: {{ include "backend.serviceName" . }} + port: + number: 80 + {{- else -}} + serviceName: {{ include "backend.serviceName" . }} + servicePort: 80 + {{- end }} + {{/* Route the backend inside the same hostname as the frontend when they are the same */}} + {{- if eq $frontendUrl.host $backendUrl.host}} + - path: /api/ + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + {{- end }} + backend: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + service: + name: {{ include "backend.serviceName" . }} + port: + number: 80 + {{- else -}} + serviceName: {{ include "backend.serviceName" . 
}} + servicePort: 80 + {{- end }} + {{/* Route the backend through a different host */}} + {{- else -}} + - host: {{ $backendUrl.host }} + http: + paths: + - path: {{ $backendUrl.path | default "/" }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + {{- end }} + backend: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + service: + name: {{ include "backend.serviceName" . }} + port: + number: 80 + {{- else -}} + serviceName: {{ include "backend.serviceName" . }} + servicePort: 80 + {{- end }} + {{- end }} + +{{/* Route lighthouse through a different host */}} +{{- if not ( eq $frontendUrl.host $lighthouseUrl.host ) }} + - host: {{ $lighthouseUrl.host }} + http: + paths: + - path: {{ $lighthouseUrl.path | default "/" }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + {{- end }} + backend: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + service: + name: {{ include "lighthouse.serviceName" . }} + port: + number: 80 + {{- else -}} + serviceName: {{ include "lighthouse.serviceName" . }} + servicePort: 80 + {{- end }} +{{- else }} +{{/* Route lighthouse by path with re-write rules when it is hosted under the same hostname */}} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "backstage.fullname" . }}-ingress-lighthouse + annotations: + {{- if .Values.issuer.email }} + cert-manager.io/cluster-issuer: {{ .Values.issuer.clusterIssuer }} + {{- end }} + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($scheme = https) { + add_header Strict-Transport-Security "max-age=0;"; + } + {{- toYaml .Values.ingress.annotations | nindent 4 }} +spec: + tls: + - secretName: {{ include "backstage.fullname" . 
}}-tls + hosts: + - {{ $lighthouseUrl.host }} + rules: + - host: {{ $frontendUrl.host }} + http: + paths: + - path: {{$lighthouseUrl.path}}(/|$)(.*) + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + {{- end }} + backend: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + service: + name: {{ include "lighthouse.serviceName" . }} + port: + number: 80 + {{- else -}} + serviceName: {{ include "lighthouse.serviceName" . }} + servicePort: 80 + {{- end }} +{{- end }} diff --git a/charts/backstage/templates/issuer.yaml b/charts/backstage/templates/issuer.yaml new file mode 100644 index 0000000..d129c8c --- /dev/null +++ b/charts/backstage/templates/issuer.yaml @@ -0,0 +1,19 @@ +{{- if (and (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") .Values.issuer.email ) -}} +{{/* Only install issuer if it doesn't already exist in the cluster */}} +{{- if not ( lookup "cert-manager.io/v1alpha2" "ClusterIssuer" "" .Values.issuer.clusterIssuer ) }} +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: {{ .Values.issuer.clusterIssuer }} +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: {{ required "expected a valid .Values.issuer.email to enable ClusterIssuer" .Values.issuer.email }} + privateKeySecretRef: + name: {{ required "expected .Values.issuer.cluster-issuer to not be empty (letsencrypt-prod | letsencrypt-staging)" .Values.issuer.clusterIssuer }} + solvers: + - http01: + ingress: + class: nginx +{{- end -}} +{{- end -}} diff --git a/charts/backstage/templates/lighthouse-config.yaml b/charts/backstage/templates/lighthouse-config.yaml new file mode 100644 index 0000000..7b8cad4 --- /dev/null +++ b/charts/backstage/templates/lighthouse-config.yaml 
@@ -0,0 +1,12 @@ +{{- if .Values.lighthouse.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "backstage.fullname" . -}}-lighthouse +data: + PGDATABASE: {{ .Values.lighthouse.database.connection.database | quote }} + PGUSER: {{ include "lighthouse.postgresql.user" . | quote }} + PGPORT: {{ include "lighthouse.postgresql.port" . | quote }} + PGHOST: {{ include "lighthouse.postgresql.host" . | quote }} + PGPATH_TO_CA: {{ include "backstage.lighthouse.postgresCaFilename" . | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/backstage/templates/lighthouse-deployment.yaml b/charts/backstage/templates/lighthouse-deployment.yaml new file mode 100644 index 0000000..c51801d --- /dev/null +++ b/charts/backstage/templates/lighthouse-deployment.yaml 
@@ -0,0 +1,86 @@ +{{- if .Values.lighthouse.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backstage.fullname" . }}-lighthouse + +spec: + replicas: {{ .Values.lighthouse.replicaCount }} + + selector: + matchLabels: + app: backstage + component: lighthouse-audit-service + + template: + metadata: + annotations: + ad.datadoghq.com/backstage.logs: '[{"source":"backstage","service":"lighthouse"}]' + labels: + app: backstage + component: lighthouse-audit-service + + spec: + {{- if .Values.dockerRegistrySecretName }} + imagePullSecrets: + - name: {{ .Values.dockerRegistrySecretName }} + {{- end}} + containers: + - name: lighthouse-audit-service + image: {{ .Values.lighthouse.image.repository }}:{{ .Values.lighthouse.image.tag }} + imagePullPolicy: {{ .Values.lighthouse.image.pullPolicy }} + ports: + - containerPort: {{ .Values.lighthouse.containerPort }} + resources: + {{- toYaml .Values.lighthouse.resources | nindent 12 }} + + envFrom: + - configMapRef: + name: {{ include "backstage.fullname" . -}}-lighthouse + - configMapRef: + name: {{ include "backstage.fullname" . }}-app-env + + env: + - name: LAS_PORT + value: {{ .Values.lighthouse.containerPort | quote }} + - name: LAS_CORS + value: "true" + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "lighthouse.postgresql.passwordSecret" . }} + key: postgres-password + + {{- if .Values.lighthouse.postgresCertMountEnabled }} + volumeMounts: + - name: postgres-ca + mountPath: {{ include "backstage.lighthouse.postgresCaDir" . }} + {{- end }} + + {{- if .Values.lighthouse.postgresCertMountEnabled }} + volumes: + - name: postgres-ca + configMap: + name: {{ include "backstage.fullname" . }}-postgres-ca + {{- end }} + + {{- if .Values.global.nodeSelector }} + nodeSelector: {{- toYaml .Values.global.nodeSelector | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "lighthouse.serviceName" . 
}} + +spec: + ports: + - port: 80 + targetPort: {{ .Values.lighthouse.containerPort }} + + selector: + app: backstage + component: lighthouse-audit-service + + type: {{ .Values.lighthouse.serviceType }} +{{- end }} diff --git a/charts/backstage/templates/postgresql-ca-config.yaml b/charts/backstage/templates/postgresql-ca-config.yaml new file mode 100644 index 0000000..2631989 --- /dev/null +++ b/charts/backstage/templates/postgresql-ca-config.yaml @@ -0,0 +1,21 @@ +{{- if .Values.postgresql.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "backstage.fullname" . }}-postgres-ca + labels: + app: {{ include "backstage.postgresql.fullname" . }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + {{ .Values.global.postgresql.caFilename }}: | +{{ include "backstage.postgresql.generateCA" . | indent 4}} +{{- else }} +{{- $caConfig := printf "%s-postgres-ca" (include "backstage.fullname" .) }} +{{- if not ( lookup "v1" "ConfigMap" .Release.Namespace $caConfig ) }} +{{- fail (printf "\n\nPlease create the '%s' configmap with the CA certificate for your existing postgresql: kubectl create configmap %s --from-file=ca.crt" $caConfig $caConfig) }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/backstage/templates/postgresql-certs-secret.yaml b/charts/backstage/templates/postgresql-certs-secret.yaml new file mode 100644 index 0000000..c6845ca --- /dev/null +++ b/charts/backstage/templates/postgresql-certs-secret.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.postgresql.enabled }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ required ".Values.postgresql.tls.certificatesSecret is required" .Values.postgresql.tls.certificatesSecret }} + labels: + app: {{ include "backstage.postgresql.fullname" . }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ include "generateCerts" . | indent 2 }} +{{- end }} diff --git a/charts/backstage/templates/postgresql-initdb-secret.yaml b/charts/backstage/templates/postgresql-initdb-secret.yaml new file mode 100644 index 0000000..d1c446f --- /dev/null +++ b/charts/backstage/templates/postgresql-initdb-secret.yaml @@ -0,0 +1,14 @@ +{{- if .Values.postgresql.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ required ".Values.postgresql.initdbScriptsSecret is required" .Values.postgresql.initdbScriptsSecret }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +type: Opaque +data: + create-backend-dbs.sql: | + {{ tpl (.Files.Get "files/create-backend-dbs.sql") . | b64enc }} +{{- end }} + diff --git a/charts/backstage/templates/postgresql-password-backend-secret.yaml b/charts/backstage/templates/postgresql-password-backend-secret.yaml new file mode 100644 index 0000000..ae47500 --- /dev/null +++ b/charts/backstage/templates/postgresql-password-backend-secret.yaml @@ -0,0 +1,15 @@ +{{- if not .Values.postgresql.enabled }} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "backend.postgresql.passwordSecret" . }} + labels: + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + postgres-password: {{ .Values.appConfig.backend.database.connection.password | b64enc }} +{{- end }} 
diff --git a/charts/backstage/templates/postgresql-password-lighthouse-secret.yaml b/charts/backstage/templates/postgresql-password-lighthouse-secret.yaml new file mode 100644 index 0000000..a801dcf --- /dev/null +++ b/charts/backstage/templates/postgresql-password-lighthouse-secret.yaml @@ -0,0 +1,17 @@ +{{- if .Values.lighthouse.enabled }} +{{- if not .Values.postgresql.enabled }} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "lighthouse.postgresql.passwordSecret" . }} + labels: + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": "pre-install,pre-upgrade" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + postgres-password: {{ .Values.lighthouse.database.connection.password | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/backstage/templates/serviceaccount.yaml b/charts/backstage/templates/serviceaccount.yaml new file mode 100644 index 0000000..d0a6f2a --- /dev/null +++ b/charts/backstage/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backstage.serviceAccountName" . }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "backstage.backend.labels" . | nindent 4 }} +{{- end }} diff --git a/charts/backstage/values.yaml b/charts/backstage/values.yaml new file mode 100644 index 0000000..81f40f2 --- /dev/null +++ b/charts/backstage/values.yaml 
@@ -0,0 +1,239 @@ +# Default values for backstage. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +frontend: + enabled: false + replicaCount: 1 + image: + repository: martinaif/backstage-k8s-demo-frontend + tag: test1 + pullPolicy: IfNotPresent + containerPort: 80 + serviceType: ClusterIP + resources: + requests: + memory: 128Mi + limits: + memory: 256Mi + +backend: + enabled: false + nodeEnv: development + demoData: true + replicaCount: 1 + image: + repository: martinaif/backstage-k8s-demo-backend + tag: 20210423T1550 + pullPolicy: IfNotPresent + containerPort: 7007 + postgresql: + passwordSecret: postgresql-password + serviceType: ClusterIP + postgresCertMountEnabled: false + resources: + requests: + memory: 512Mi + limits: + memory: 1024Mi + +lighthouse: + enabled: false + replicaCount: 1 + image: + repository: roadiehq/lighthouse-audit-service + tag: latest + pullPolicy: IfNotPresent + containerPort: 3003 + serviceType: ClusterIP + postgresCertMountEnabled: true + resources: + requests: + memory: 128Mi + limits: + memory: 256Mi + database: + connection: + port: + host: + user: + password: + database: lighthouse_audit_service + pathToDatabaseCa: + +nameOverride: '' +fullnameOverride: '' + +serviceAccount: + create: true + name: backstage + +externalSecrets: + enabled: false + targetName: backstage + secretKey: backstage/app-config.yaml + controller: "" + deletionPolicy: Delete + authMountPath: k8s-tooling-us-east-1 + role: backstage + namespace: admin/engineering/ + secretStoretPath: devops/ + vaultServer: https://hcp-vault-cluster-a-public-vault-72230702.bb94b393.z1.hashicorp.cloud:8200 + version: v1 + refreshInterval: "0" + +ingress: + annotations: + kubernetes.io/ingress.class: nginx + +issuer: + email: + clusterIssuer: 'letsencrypt-staging' + +global: + postgresql: + postgresqlUsername: postgres + caFilename: ca.crt + nodeSelector: {} + +postgresql: + enabled: true + nameOverride: postgresql + service: + port: 5432 
+ tls: + enabled: false + certificatesSecret: backstage-postgresql-certs + certFilename: tls.crt + certKeyFilename: tls.key + volumePermissions: + enabled: true + initdbScriptsSecret: backstage-postgresql-initdb + +appConfig: + app: + baseUrl: https://backstage.tooling.pokt.network + title: Backstage + googleAnalyticsTrackingId: + backend: + baseUrl: https://backstage.tooling.pokt.network + listen: + port: 7007 + cors: + origin: https://backstage.tooling.pokt.network + database: + client: pg + connection: + database: backstage_plugin_catalog + host: + user: + port: + password: + ssl: + rejectUnauthorized: false + ca: + sentry: + organization: example-org-name + techdocs: + storageUrl: https://backstage.tooling.pokt.network/api/techdocs/static/docs + requestUrl: https://backstage.tooling.pokt.network/api/techdocs + lighthouse: + baseUrl: https://backstage.tooling.pokt.network/lighthouse-api + rollbar: + organization: example-org-name + + # Auth config has recently moved into the app config file in upstream Backstage. However, + # most of this config simply mandates that items like the client id and client secret should + # be picked up from the environment variables named below. Those environment variables are + # set in this helm controlled environment by the 'auth' configuration below this section. + # Thus, the only key in this config which directly controls an app config is the + # auth.providers.github.development.appOrigin property. 
+ auth: + providers: + google: + development: + appOrigin: 'http://localhost:3000/' + secure: false + clientId: ${AUTH_GOOGLE_CLIENT_ID} + clientSecret: ${AUTH_GOOGLE_CLIENT_SECRET} + github: + development: + appOrigin: 'http://localhost:3000/' + secure: false + clientId: ${AUTH_GITHUB_CLIENT_ID} + clientSecret: ${AUTH_GITHUB_CLIENT_SECRET} + enterpriseInstanceUrl: ${AUTH_GITHUB_ENTERPRISE_INSTANCE_URL} + gitlab: + development: + appOrigin: 'http://localhost:3000/' + secure: false + clientId: ${AUTH_GITLAB_CLIENT_ID} + clientSecret: ${AUTH_GITLAB_CLIENT_SECRET} + audience: ${GITLAB_BASE_URL} + okta: + development: + appOrigin: 'http://localhost:3000/' + secure: false + clientId: ${AUTH_OKTA_CLIENT_ID} + clientSecret: ${AUTH_OKTA_CLIENT_SECRET} + audience: ${AUTH_OKTA_AUDIENCE} + oauth2: + development: + appOrigin: 'http://localhost:3000/' + secure: false + clientId: ${AUTH_OAUTH2_CLIENT_ID} + clientSecret: ${AUTH_OAUTH2_CLIENT_SECRET} + authorizationURL: ${AUTH_OAUTH2_AUTH_URL} + tokenURL: ${AUTH_OAUTH2_TOKEN_URL} + auth0: + development: + clientId: ${AUTH_AUTH0_CLIENT_ID} + clientSecret: ${AUTH_AUTH0_CLIENT_SECRET} + domain: ${AUTH_AUTH0_DOMAIN} + microsoft: + development: + clientId: ${AUTH_MICROSOFT_CLIENT_ID} + clientSecret: ${AUTH_MICROSOFT_CLIENT_SECRET} + tenantId: ${AUTH_MICROSOFT_TENANT_ID} + +auth: + google: + clientId: a + clientSecret: a + github: + clientId: c + clientSecret: c + gitlab: + clientId: b + clientSecret: b + baseUrl: b + okta: + clientId: b + clientSecret: b + audience: b + oauth2: + clientId: b + clientSecret: b + authUrl: b + tokenUrl: b + auth0: + clientId: b + clientSecret: b + domain: b + microsoft: + clientId: f + clientSecret: f + tenantId: f + azure: + api: + token: h + sentryToken: e + rollbarAccountToken: f + # This is a 'Personal Access Token' + circleciAuthToken: r + # Used by the scaffolder to create GitHub repos. Must have 'repo' scope. 
+ githubToken: g + gitlabToken: g + newRelicRestApiKey: r + travisciAuthToken: fake-travis-ci-auth-token + pagerdutyToken: h diff --git a/ct.yaml b/ct.yaml index d806756..865c239 100644 --- a/ct.yaml +++ b/ct.yaml @@ -2,6 +2,7 @@ remote: origin target-branch: master chart-dirs: - charts -# chart-repos: -# - external-secrets=https://charts.external-secrets.io +chart-repos: +# - pokt=https://pokt-foundation.gitlab.io/charts + - bitnami=https://charts.bitnami.com/bitnami helm-extra-args: --timeout 600s
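Review bot: In `charts/backstage/templates/ingress.yaml`, the path-routed lighthouse Ingress weakens the TLS posture of the shared hostname: `nginx.ingress.kubernetes.io/ssl-redirect: "false"` keeps the lighthouse API reachable over plain HTTP, and the configuration-snippet sends `add_header Strict-Transport-Security "max-age=0;"` on HTTPS responses, which tells browsers to forget any HSTS policy the frontend host has set. Suggest dropping both annotations (or using a positive max-age) unless HTTP access is a documented requirement; note also that `configuration-snippet` only works when the controller allows snippet annotations, which recent ingress-nginx releases disable by default. Separately, the regex path `- path: {{$lighthouseUrl.path}}(/|$)(.*)` is declared with `pathType: Prefix`; ingress-nginx documents capture-group rewrites with `pathType: ImplementationSpecific`, so please use that for the regex entry.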
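Review bot: In `charts/backstage/templates/issuer.yaml`, the `required` message on `privateKeySecretRef.name` refers to `.Values.issuer.cluster-issuer`, but the value actually read is `.Values.issuer.clusterIssuer`, so a failing render points operators at a key that does not exist; fix the message text. Two further items in the same hunk: the ACME server is hardcoded to `https://acme-v02.api.letsencrypt.org/directory` (production) while the default issuer name in values.yaml is `letsencrypt-staging`, so a staging-named issuer will consume production rate limits; make the server a value or derive it from the name. And the file keys off `cert-manager.io/v1alpha2`, which cert-manager removed from its CRDs in v1.6, so on current installs the whole template silently renders nothing; the `lookup` guard is likewise empty under `helm template` and `--dry-run`, which is worth a comment.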
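Review bot: In `charts/backstage/templates/lighthouse-config.yaml`, `PGPATH_TO_CA` is set unconditionally, but the matching volume in lighthouse-deployment.yaml is only mounted when `.Values.lighthouse.postgresCertMountEnabled` is true, so with the mount disabled the service is handed a CA path that does not exist in the container. Either gate the key on the same condition or make the mount unconditional. The file also lacks a trailing newline (`\ No newline at end of file`).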
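Review bot: In `charts/backstage/templates/lighthouse-deployment.yaml`, the Pod spec sets no `serviceAccountName`, so the ServiceAccount created in serviceaccount.yaml is never used by this workload and the pod runs under the namespace default account with its token automounted; add `serviceAccountName: {{ include "backstage.serviceAccountName" . }}`. The container also has no `securityContext`, no liveness or readiness probes, and only memory resources, and the Datadog annotation `ad.datadoghq.com/backstage.logs` is hardcoded rather than driven from values. Please also confirm that the `secretKeyRef` key `postgres-password` matches what the bundled postgresql 11.8.0 chart writes for the user actually configured; in that chart version the superuser and application-user passwords live under different keys.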
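Review bot: In `charts/backstage/templates/postgresql-ca-config.yaml`, the CA certificate comes from `include "backstage.postgresql.generateCA"` while the server certificate in postgresql-certs-secret.yaml comes from a separate `include "generateCerts"`; unless the helper caches the generated CA, each include call mints an independent CA and the certificate placed in the Secret will not verify against the certificate placed in this ConfigMap. Please point at the helper that guarantees the pairing, or generate both in one template. Also, because this is a `pre-install` hook with `before-hook-creation`, the ConfigMap is created once, is not owned by the release (so `helm uninstall` leaves it behind), and is never regenerated on `helm upgrade`; document that lifecycle or drop the hook annotations.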
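Review bot: In `charts/backstage/templates/postgresql-certs-secret.yaml`, the Secret is conditioned only on `.Values.postgresql.enabled`, yet `postgresql.tls.enabled` defaults to `false` in values.yaml, so a server private key and certificate are generated and stored even when TLS is switched off; gate the template on `(and .Values.postgresql.enabled .Values.postgresql.tls.enabled)`. As with the CA ConfigMap, the `pre-install` hook means the key material is minted once, outside the release, and is neither rotated on upgrade nor removed on uninstall, which should be stated in the README.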
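Review bot: In `charts/backstage/templates/postgresql-initdb-secret.yaml`, the base64 value is emitted inside a `|` block scalar (`create-backend-dbs.sql: |` followed by `{{ tpl (.Files.Get "files/create-backend-dbs.sql") . | b64enc }}`); Kubernetes tolerates the trailing newline, but the plain form `create-backend-dbs.sql: {{ tpl (.Files.Get "files/create-backend-dbs.sql") . | b64enc | quote }}` is clearer and avoids indentation surprises. Since the SQL is passed through `tpl`, please make sure any value interpolated into it (database or role names) is quoted in the SQL file; the file itself is not part of this diff. There is also a stray blank line after the closing `{{- end }}`.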
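Review bot: In `charts/backstage/templates/postgresql-password-backend-secret.yaml`, `postgres-password: {{ .Values.appConfig.backend.database.connection.password | b64enc }}` silently produces an empty Secret when the password is unset (the default in values.yaml is blank), and the failure only surfaces when the backend cannot connect; wrap the value in `required "appConfig.backend.database.connection.password is required when postgresql.enabled is false"`. The same applies to `lighthouse.database.connection.password` in postgresql-password-lighthouse-secret.yaml, where the two nested `if` blocks could also be a single `and`.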
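Review bot: In `charts/backstage/templates/serviceaccount.yaml`, consider setting `automountServiceAccountToken: false` on the ServiceAccount; nothing in this change shows the workloads calling the Kubernetes API, and the lighthouse Deployment in this diff does not reference the account at all, so today the account is created but unused.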
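Review bot: In `charts/backstage/values.yaml`, `appConfig.backend.database.connection.ssl.rejectUnauthorized: false` disables verification of the PostgreSQL server certificate, which undoes the CA ConfigMap and mount this change adds; set it to `true` and point `ca` at the mounted file. Other defaults in the same hunk need attention: `lighthouse.image.tag: latest` with `pullPolicy: IfNotPresent` pins nothing and never refreshes on nodes that already have the image; the `auth.*` placeholders (`clientId: a`, `clientSecret: a`, `tenantId: f`) are rendered into real Secrets, so prefer empty values guarded by `required`; `externalSecrets.vaultServer` and the `appConfig.*.baseUrl` entries carry one organisation's HCP Vault and `backstage.tooling.pokt.network` endpoints rather than neutral placeholders; `secretStoretPath` is misspelled; and `global.postgresql.postgresqlUsername` looks like the postgresql 10.x key, whereas the chart depends on postgresql 11.8.0, which reads the username from `global.postgresql.auth.username`, so please verify the value is actually consumed. The `auth.providers.*.development` blocks also ship `secure: false` and `appOrigin: 'http://localhost:3000/'`; that is fine for a demo, but a comment that these must change before any non-local deployment would help.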
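Review bot: In `ct.yaml`, the commented line `# - pokt=https://pokt-foundation.gitlab.io/charts` under `chart-repos:` is dead configuration; either remove it or add a comment saying when it should be enabled, so the lint config does not accumulate stale entries.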