From 5bb6661a320b81d435e011684f0f6c500ef6e75b Mon Sep 17 00:00:00 2001 From: Michael Thomson Date: Fri, 24 Nov 2023 12:01:19 -0500 Subject: [PATCH] removed weave --- .../helmrepository-weave-gitops.yaml | 9 - .../kustomization-weave-gitops.yaml | 18 - .../namespaces/namespace-weave-gitops.yaml | 4 - weave-gitops/dns-endpoint-weave-gitops.yaml | 12 - weave-gitops/helmrelease-oauth2-proxy.yaml | 457 ------------------ weave-gitops/helmrelease-weave-gitops.yaml | 220 --------- .../sealedsecret-weave-gitops-oidc-auth.yaml | 24 - 7 files changed, 744 deletions(-) delete mode 100644 bootstrap/helmrepositories/helmrepository-weave-gitops.yaml delete mode 100644 bootstrap/kustomizations/kustomization-weave-gitops.yaml delete mode 100644 bootstrap/namespaces/namespace-weave-gitops.yaml delete mode 100644 weave-gitops/dns-endpoint-weave-gitops.yaml delete mode 100644 weave-gitops/helmrelease-oauth2-proxy.yaml delete mode 100644 weave-gitops/helmrelease-weave-gitops.yaml delete mode 100644 weave-gitops/sealedsecret-weave-gitops-oidc-auth.yaml diff --git a/bootstrap/helmrepositories/helmrepository-weave-gitops.yaml b/bootstrap/helmrepositories/helmrepository-weave-gitops.yaml deleted file mode 100644 index 0a8aa99..0000000 --- a/bootstrap/helmrepositories/helmrepository-weave-gitops.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: weave-gitops - namespace: flux-system -spec: - interval: 15m - type: oci - url: oci://ghcr.io/weaveworks/charts diff --git a/bootstrap/kustomizations/kustomization-weave-gitops.yaml b/bootstrap/kustomizations/kustomization-weave-gitops.yaml deleted file mode 100644 index a53b7bb..0000000 --- a/bootstrap/kustomizations/kustomization-weave-gitops.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: weave-gitops - namespace: flux-system -spec: - interval: 15m - path: ./weave-gitops - prune: true # remove any elements later removed from the above path - timeout: 2m # if not set, this defaults to interval duration, which is 1h - sourceRef: - kind: GitRepository - name: flux-system - healthChecks: - - apiVersion: helm.toolkit.fluxcd.io/v2beta1 - kind: HelmRelease - name: weave-gitops - namespace: weave-gitops diff --git a/bootstrap/namespaces/namespace-weave-gitops.yaml b/bootstrap/namespaces/namespace-weave-gitops.yaml deleted file mode 100644 index 4319604..0000000 --- a/bootstrap/namespaces/namespace-weave-gitops.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: weave-gitops diff --git a/weave-gitops/dns-endpoint-weave-gitops.yaml b/weave-gitops/dns-endpoint-weave-gitops.yaml deleted file mode 100644 index 0f48e16..0000000 --- a/weave-gitops/dns-endpoint-weave-gitops.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: externaldns.k8s.io/v1alpha1 -kind: DNSEndpoint -metadata: - name: weave-gitops.michaelthomson.dev - namespace: weave-gitops -spec: - endpoints: - - dnsName: weave-gitops.michaelthomson.dev - recordTTL: 180 - recordType: CNAME - targets: - - server.michaelthomson.dev diff --git a/weave-gitops/helmrelease-oauth2-proxy.yaml b/weave-gitops/helmrelease-oauth2-proxy.yaml deleted file mode 100644 index f824a6e..0000000 --- a/weave-gitops/helmrelease-oauth2-proxy.yaml +++ /dev/null @@ -1,457 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: oauth2-proxy - namespace: weave-gitops -spec: - chart: - spec: - chart: oauth2-proxy - version: 6.19.x # auto-update to semver bugfixes only - sourceRef: - kind: HelmRepository - name: oauth2-proxy - namespace: flux-system - interval: 15m - timeout: 5m - releaseName: oauth2-proxy - values: # paste contents of upstream values.yaml below, indented 4 spaces - ## Override the deployment namespace - ## - namespaceOverride: "" - - # Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). - # This is especially useful for `helm template` as capabilities are always empty - # due to the fact that it doesn't query an actual cluster - kubeVersion: - - # Oauth client configuration specifics - config: - # Add config annotations - annotations: {} - # OAuth client ID - clientID: "kube-apiserver" - # OAuth client secret - clientSecret: "iVdGhQUc8k4bK7rT3HAiuOjctxUW7T8bDxz4hm6aPagZkdkoCDvmnLjC5mMF6ooR0obGrezYdyt9nAjVbC0RVZsOIdSsfrSYbe0kEWGfk21FazXXApqNTIrsqBF4mSJH" - # Create a new secret with the following command - # openssl rand -base64 32 | head -c 32 | base64 - # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) - # Example: - # existingSecret: secret - cookieSecret: "2W87TuxTRkTFVkwxbz3MuJxWE3EAJeab" - # The name of the cookie that oauth2-proxy will create - # If left empty, it will default to the release name - cookieName: "" - google: {} - # adminEmail: xxxx - # useApplicationDefaultCredentials: true - # targetPrincipal: xxxx - # serviceAccountJson: xxxx - # Alternatively, use an existing secret (see google-secret.yaml for required fields) - # Example: - # existingSecret: google-secret - # groups: [] - # Example: - # - group1@example.com - # - group2@example.com - # Default configuration, to be overridden - configFile: |- - email_domains = [ "*" ] - upstreams = [ "http://weave-gitops:9001" ] - # Custom configuration file: oauth2_proxy.cfg - # configFile: |- - # pass_basic_auth = false - # pass_access_token = true - # Use an existing config map (see configmap.yaml for required fields) - # Example: - # existingConfig: config - - alphaConfig: - enabled: false - # Add config annotations - annotations: {} - # Arbitrary configuration data to append to the server section - serverConfigData: {} - # Arbitrary configuration data to append to the metrics section - metricsConfigData: {} - # Arbitrary configuration data to append - configData: {} - # Arbitrary configuration to append - # This is treated as a Go template and rendered with the root context - configFile: "" - # Use an existing config map (see secret-alpha.yaml for required fields) - existingConfig: ~ - # Use an existing secret - existingSecret: ~ - - image: - repository: "quay.io/oauth2-proxy/oauth2-proxy" - # appVersion is used by default - tag: "" - pullPolicy: "IfNotPresent" - - # Optionally specify an array of imagePullSecrets. - # Secrets must be manually created in the namespace. - # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod - # imagePullSecrets: - # - name: myRegistryKeySecretName - - # Set a custom containerPort if required. - # This will default to 4180 if this value is not set and the httpScheme set to http - # This will default to 4443 if this value is not set and the httpScheme set to https - # containerPort: 4180 - - extraArgs: - provider: oidc - provider-display-name: "Authentik" - skip-provider-button: "true" - pass-authorization-header: "true" - oidc-issuer-url: "https://authentik.michaelthomson.dev/application/o/kube-apiserver/" - extraEnv: [] - - # -- Custom labels to add into metadata - customLabels: {} - - # To authorize individual email addresses - # That is part of extraArgs but since this needs special treatment we need to do a separate section - authenticatedEmailsFile: - enabled: false - # Defines how the email addresses file will be projected, via a configmap or secret - persistence: configmap - # template is the name of the configmap what contains the email user list but has been configured without this chart. - # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. - # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the - # provided value in restrictedUserAccessKey field. - template: "" - # The configmap/secret key under which the list of email access is stored - # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility - restrictedUserAccessKey: "" - # One email per line - # example: - # restricted_access: |- - # name1@domain - # name2@domain - # If you override the config with restricted_access it will configure a user list within this chart what takes care of the - # config map resource. - restricted_access: "" - annotations: {} - # helm.sh/resource-policy: keep - - service: - type: ClusterIP - # when service.type is ClusterIP ... - # clusterIP: 192.0.2.20 - # when service.type is LoadBalancer ... - # loadBalancerIP: 198.51.100.40 - # loadBalancerSourceRanges: 203.0.113.0/24 - # when service.type is NodePort ... - # nodePort: 80 - portNumber: 80 - # Protocol set on the service - appProtocol: http - annotations: {} - # foo.io/bar: "true" - - ## Create or use ServiceAccount - serviceAccount: - ## Specifies whether a ServiceAccount should be created - enabled: true - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - name: - automountServiceAccountToken: true - annotations: {} - - ingress: - enabled: true - # className: nginx - path: / - # Only used if API capabilities (networking.k8s.io/v1) allow it - pathType: ImplementationSpecific - # Used to create an Ingress record. - hosts: - - weave-gitops.michaelthomson.dev - # Extra paths to prepend to every host configuration. This is useful when working with annotation based services. - # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) - # extraPaths: - # - path: /* - # pathType: ImplementationSpecific - # backend: - # service: - # name: ssl-redirect - # port: - # name: use-annotation - labels: {} - # annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - - secretName: letsencrypt-wildcard-cert-michaelthomson.dev - hosts: - - weave-gitops.michaelthomson.dev - - resources: {} - # limits: - # cpu: 100m - # memory: 300Mi - # requests: - # cpu: 100m - # memory: 300Mi - - extraVolumes: [] - # - name: ca-bundle-cert - # secret: - # secretName: - - extraVolumeMounts: [] - # - mountPath: /etc/ssl/certs/ - # name: ca-bundle-cert - - # Additional containers to be added to the pod. - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - - priorityClassName: "" - - # Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts. - hostAlias: - enabled: false - # ip: "10.xxx.xxx.xxx" - # hostname: "auth.example.com" - - # [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. - # Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - # topologySpreadConstraints: [] - - # Affinity for pod assignment - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - # affinity: {} - - # Tolerations for pod assignment - # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - tolerations: [] - - # Node labels for pod assignment - # Ref: https://kubernetes.io/docs/user-guide/node-selection/ - nodeSelector: {} - - # Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables - proxyVarsAsSecrets: true - - # Configure Kubernetes liveness and readiness probes. - # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - # Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks - livenessProbe: - enabled: true - initialDelaySeconds: 0 - timeoutSeconds: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 0 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - - # Configure Kubernetes security context for container - # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - securityContext: - enabled: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 2000 - runAsGroup: 2000 - seccompProfile: - type: RuntimeDefault - - deploymentAnnotations: {} - podAnnotations: {} - podLabels: {} - replicaCount: 1 - revisionHistoryLimit: 10 - - ## PodDisruptionBudget settings - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ - podDisruptionBudget: - enabled: true - minAvailable: 1 - - # Configure Kubernetes security context for pod - # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - podSecurityContext: {} - - # whether to use http or https - httpScheme: http - - initContainers: - # if the redis sub-chart is enabled, wait for it to be ready - # before starting the proxy - # creates a role binding to get, list, watch, the redis master pod - # if service account is enabled - waitForRedis: - enabled: true - image: - repository: "docker.io/bitnami/kubectl" - pullPolicy: "IfNotPresent" - # uses the kubernetes version of the cluster - # the chart is deployed on, if not set - kubectlVersion: "" - securityContext: - enabled: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - seccompProfile: - type: RuntimeDefault - timeout: 180 - - # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. - # Alternatively supply an existing secret which contains the required information. - htpasswdFile: - enabled: false - existingSecret: "" - entries: [] - # One row for each user - # example: - # entries: - # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy - - # Configure the session storage type, between cookie and redis - sessionStorage: - # Can be one of the supported session storage cookie|redis - type: cookie - redis: - # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) - existingSecret: "" - # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence - password: "" - # Key of the Kubernetes secret data containing the redis password value - passwordKey: "redis-password" - # Can be one of standalone|cluster|sentinel - clientType: "standalone" - standalone: - # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set - connectionUrl: "" - cluster: - # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) - connectionUrls: [] - sentinel: - # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` - existingSecret: "" - # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` - password: "" - # Key of the Kubernetes secret data containing the redis sentinel password value - passwordKey: "redis-sentinel-password" - # Redis sentinel master name - masterName: "" - # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) - connectionUrls: [] - - # Enables and configure the automatic deployment of the redis subchart - redis: - # provision an instance of the redis sub-chart - enabled: false - # Redis specific helm chart settings, please see: - # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters - # redisPort: 6379 - # cluster: - # enabled: false - # slaveCount: 1 - - # Enables apiVersion deprecation checks - checkDeprecation: true - - metrics: - # Enable Prometheus metrics endpoint - enabled: true - # Serve Prometheus metrics on this port - port: 44180 - # when service.type is NodePort ... - # nodePort: 44180 - # Protocol set on the service for the metrics port - service: - appProtocol: http - serviceMonitor: - # Enable Prometheus Operator ServiceMonitor - enabled: false - # Define the namespace where to deploy the ServiceMonitor resource - namespace: "" - # Prometheus Instance definition - prometheusInstance: default - # Prometheus scrape interval - interval: 60s - # Prometheus scrape timeout - scrapeTimeout: 30s - # Add custom labels to the ServiceMonitor resource - labels: {} - - ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. - scheme: "" - - ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. - ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig - tlsConfig: {} - - ## bearerTokenFile: Path to bearer token file. - bearerTokenFile: "" - - ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec - annotations: {} - - ## Metric relabel configs to apply to samples before ingestion. - ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) - metricRelabelings: [] - # - action: keep - # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' - # sourceLabels: [__name__] - - ## Relabel configs to apply to samples before ingestion. - ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) - relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - - # Extra K8s manifests to deploy - extraObjects: [] - # - apiVersion: secrets-store.csi.x-k8s.io/v1 - # kind: SecretProviderClass - # metadata: - # name: oauth2-proxy-secrets-store - # spec: - # provider: aws - # parameters: - # objects: | - # - objectName: "oauth2-proxy" - # objectType: "secretsmanager" - # jmesPath: - # - path: "client_id" - # objectAlias: "client-id" - # - path: "client_secret" - # objectAlias: "client-secret" - # - path: "cookie_secret" - # objectAlias: "cookie-secret" - # secretObjects: - # - data: - # - key: client-id - # objectName: client-id - # - key: client-secret - # objectName: client-secret - # - key: cookie-secret - # objectName: cookie-secret - # secretName: oauth2-proxy-secrets-store - # type: Opaque diff --git a/weave-gitops/helmrelease-weave-gitops.yaml b/weave-gitops/helmrelease-weave-gitops.yaml deleted file mode 100644 index 4000dd2..0000000 --- a/weave-gitops/helmrelease-weave-gitops.yaml +++ /dev/null @@ -1,220 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: weave-gitops - namespace: weave-gitops -spec: - chart: - spec: - chart: weave-gitops - version: 4.x - sourceRef: - kind: HelmRepository - name: weave-gitops - namespace: flux-system - interval: 15m - timeout: 5m - releaseName: weave-gitops - values: - # Default values for chart. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. - - # Note: paragraphs starting with `# --` will end up in our manual - - # see https://github.com/norwoodj/helm-docs - replicaCount: 1 - image: - # FIXME check the app name - repository: ghcr.io/weaveworks/wego-app - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "v0.37.0" - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - # -- What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error' - logLevel: debug - # -- Additional arguments to pass in to the gitops-server - additionalArgs: - - --insecure-no-authentication-user=kube-apiserver - # Any other environment variables: - envVars: - - name: WEAVE_GITOPS_FEATURE_TENANCY - value: "true" - - name: WEAVE_GITOPS_FEATURE_CLUSTER - value: "false" - # -- Annotations to add to the deployment - annotations: {} - # Should the 'oidc-auth' secret be created. For a detailed - # explanation of these attributes please see our documentation: - # https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-an-oidc-provider - oidcSecret: - create: false - # clientID: - # clientSecret: - # issuerURL: - # redirectURL: - # -- If non empty, additional keys can be added to the OIDC secret - additionalKeys: {} - # additionalKeys: - # claimUsername: "email" - # claimGroups: "groups" - # customScopes: "openid,offline_access,email,groups" - serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - rbac: - # -- Specifies whether the clusterRole & binding to the service account should be created - create: true - # -- If non-empty, this limits the resources that the service - # account can impersonate. This applies to both users and groups, e.g. - # `['user1@corporation.com', 'user2@corporation.com', 'operations']` - impersonationResourceNames: [] - # -- Limit the type of principal that can be impersonated - impersonationResources: ["users", "groups"] - # -- If non-empty, this limits the secrets that can be accessed by - # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']` - viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"] - # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role. - # for example, - # additionalRules: - # - apiGroups: ["infra.contrib.fluxcd.io"] - # resources: ["terraforms"] - # verbs: [ "get", "list", "patch" ] - additionalRules: [] - adminUser: - # -- Whether the local admin user should be created. - # If you use this make sure you add it to `rbac.impersonationResourceNames`. - create: false - # -- Specifies whether the clusterRole & binding to the admin user should be created. - # Will be created only if `adminUser.create` is enabled. Without this, - # the adminUser will only be able to see resources in the target namespace. - createClusterRole: true - # -- Whether we should create the secret for the local - # adminUser. Will be created only if `adminUser.create` is - # enabled. Without this, we'll still set up the roles and - # permissions, but the secret with username and password has to be - # provided separately. - createSecret: true - # -- Set username for local admin user, this should match the value in the secret `cluster-user-auth` - # which can be created with `adminUser.createSecret`. Requires `adminUser.create`. - username: gitops-test-user - # -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret` - # This needs to have been hashed using bcrypt. - # You can do this via our CLI with `gitops get bcrypt-hash`. - passwordHash: - podAnnotations: {} - podLabels: {} - # aadpodidbinding: identity - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - runAsUser: 1000 - readOnlyRootFilesystem: true - service: - create: true - type: ClusterIP - port: 9001 - # nodePort: - annotations: {} - ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: weave-gitops.michaelthomson.dev - paths: - - path: / - pathType: ImplementationSpecific - tls: - - secretName: letsencrypt-wildcard-cert-michaelthomson.dev - hosts: - - weave-gitops.michaelthomson.dev - extraVolumes: [] - extraVolumeMounts: [] - # Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret - # with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the - # secretProviderClass so this will be created by the secrets store CSI driver. - # See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html - # extraVolumeMounts: - # - name: ww-gitops-oauth-volume - # mountPath: /mnt/secrets - # readOnly: true - # extraVolumes: - # - name: ww-gitops-oauth-volume - # csi: - # driver: secrets-store.csi.k8s.io - # readOnly: true - # volumeAttributes: - # secretProviderClass: ww-gitops-oauth-provider - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - networkPolicy: - # -- Specifies whether default network policies should be created. - create: true - nodeSelector: {} - tolerations: [] - affinity: {} - serverTLS: - # -- Enable TLS termination in gitops itself. If you enable this, - # you need to create a secret, and specify the secretName. Another - # option is to create an ingress. - enable: false - # -- Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format. - # See - # https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples - secretName: "my-secret-tls" - # Example of tls secret - # - # apiVersion: v1 - # kind: Secret - # metadata: - # name: my-secret-tls - # type: kubernetes.io/tls - # data: - # # the data is abbreviated in this example - # tls.crt: | - # MIIC2DCCAcCgAwIBAgIBATANBgkqh ... - # tls.key: | - # MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ... - # - # You can also create a tls secre t from files whith this k8s command: - # kubectl create secret tls my-tls-secret \ - # --cert=path/to/cert/file \ - # --key=path/to/key/file - metrics: - # -- Start the metrics exporter - enabled: false - service: - # -- Port to start the metrics exporter on - port: 2112 - # -- Annotations to set on the service - annotations: - prometheus.io/scrape: "true" - prometheus.io/path: "/metrics" - prometheus.io/port: "{{ .Values.metrics.service.port }}" diff --git a/weave-gitops/sealedsecret-weave-gitops-oidc-auth.yaml b/weave-gitops/sealedsecret-weave-gitops-oidc-auth.yaml deleted file mode 100644 index 39ce0d0..0000000 --- a/weave-gitops/sealedsecret-weave-gitops-oidc-auth.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{ - "kind": "SealedSecret", - "apiVersion": "bitnami.com/v1alpha1", - "metadata": { - "name": "oidc-auth", - "namespace": "weave-gitops", - "creationTimestamp": null - }, - "spec": { - "template": { - "metadata": { - "name": "oidc-auth", - "namespace": "weave-gitops", - "creationTimestamp": null - } - }, - "encryptedData": { - "clientID": "AgABYkm/TxTCYVvC4IR4b0lMMWTbnPUAl1z0va8Bw+U/OXelPIQUGzElPpKXYXLjs3iWL/U6pok7DFVLBoUAx1JYtFOb+Mnqrb5u+phKIiGZKMQIXdZRJwmyE7+vldZDghRDMiLuE6KvJVtC6UIsTRu15oF/ZmIbDX20zXvO8vRnHnHKw1SUb9i/kbnvQuZX5dtn7VSJtVFtXni/p07MEFjtnXVVYQxRgHD6Nukxanqx99iEiivisd3gxpUUGp+/OTeikxxW/Z0+5UGZkR6TXRILgSRj29FjJMYeNUocb14g6Voj0IuzBauhcrg12NcGbuCIThQjiwO67RQref6lmAgm/uuu7ZWc5wPTkEtLM2qAwt+jeETVTRw5dMQd9zPIR8DIYkIb02RmYUaRW4rUf0bVhxcuZ8VUvzzvPQRJ0a7OT8VP3PIMKQe4s+rzbfeXRRPObf85rZIzZZfSwG9QaAT4OhbndhBrhg3hApldU+jqSUCF5n4Lelm7SZEmWhcZJHxiXEZwCtHIM23NUQl5xR7dATacBUzGWmduuLY0rDS/xbRacWJBoYS9lYaeN8QiUND5lhtB2ZFfJn9b/nGdPG36OvLmmULP+rwiRWrNy4TpLGPhVhTjIhhsPt+nnVRYERyo71bj3dRt7IfvrbvbgFWYBQIKjbm4VTrHoLDuQxLjUnbTciBbp1+eV7rWo3oSc4JQm4vWA37VoiaihRTcvg==", - "clientSecret": "AgB/xHp3BTJJQRDqmFhCnoaowvx8DwT2JoDqSPnjgIQWm0Y18OIGteWLh47CaeJO0nHiFrLiPJ25K6+VDILBg7xCF7BIs62poQS9HWRoHfZ1y80mltvlP6u4PeE1EJZCGrMvZYJZakdKAewMN5NG8KHXlaIM1wmk4YUjvBB/tic7G7JPDaglvxlSJku48Bu0nR+boJKoiDKrbv7pHKl0K4JFgBogEy9R5/MnaR3uP03Ak53bUNOj7GIpqJyF8YO4Dqzu/oIS8rglqFPuDmO1wIHwnQf+eLRh2fWk5yiWCIpkUyYKesfaJ1ujrF9zja5vSwamoKxqK4Gl9WpZ2K+I0o70ib0zxzTFZpHoG8/IMmv1z1R5Pgqb+u73xvhXzslyRU7wQYKT3MoZiEBPojgqucl0CmdLXi5/hmVDr5exxVOqElYrdIFzVWZfjopO3rV1FavJz7uBiDybzcguQ7V7vX/VCjB1XX5h+GypMlDdzZsuVb1Hx2A+O1ZQavru7nOpIPtGoj//Vewkl0jQpj6VOFA196LTJB2deufyTOMnucmbkg52UwL6KsFTRGRVR09ck4iDO21xIbEBl/CWVk6q4xRNNME5yNFvtVazzqoKAzT0aVUQ3d2EzHjR1VP8vyUCqAveBFKYvuUoIqrBILF8jJfSG1nJPUrv6j7xLgEbzQouA0NDoBJQjzl8KtlpbT0pNgXvrTUHAPucogbAEu7NQIZac4jg9MNM9M8lOw1KRREIpfbjTF+lA5/Ac5hc00Bl3liPLlbsSNwyrusW4tUQrzeHVXa9i52DDYZ2q0wObeHrzvJlExKrDjVPp/aXYdhZrVM2BFAzxPdKM2naT8cpPk/8EBTA0jVV0kHk+nXBZQqGiA==", - "issuerUrl": "AgAq1sklCG8nAhmrqVaqK7MyLq66eclgOL0gvhDLlm5+NM7kDx7uqUEZdoSQUF6+NhNFx6rfZN4v5/lcQQkR+OB2ZffyPcNecRFHBb8SWdycNO1FF169ok0CoIe3UFJFMhR0nZkoR5nVI4f2TCCFhlZklReB8ou7EwkFDJviYxo1gqODchGDtXyOJqoL493ooq+WsZfHM1+TfCWv5mMTyNQ/uHiiqI1MftKJCN1Vdyzj6lPYQOb/D+QKU5xH+2OmVCRZfSlVl1Nc5VBoM1YW+SftW3ZOSyakQJSj6kImuZd9LF/+mm6g/KosgCU6XkPM1au53N10RlqT2I1Pzwp4/xCKMc1vIJMN/La84zqRcTuc77QyxwVU/SA+BUrNP9nfsxjcPcfZTjniG18ynYsJ9OrfFoAuQZ4QKxlX5nsulN2Ram+1yKSnpDjE6prYscCwouk8fwVJ+poy2R6tNNGsFxN7xxjXGuykmfoUU0D9du7Gxk9DPKP2MdS53a+GrljQOKrqZ1pqa1bHAmlL6vOx2FQLdA1nlXQTJoaIj0groh38+SNWGn/eOluiGLAJzLrvjNqWk47VKRgtiarpVdo9FNbf0Npn0IdecnOOANBsZdKov28Zh27/lvADIlXL2SI8MGqHXj7Qan1VKlgPkjj4dww+HX3VVAIT0t04lvxGL3m/c1Xdz2WlulAtIjnwadwHuRfT/nnmVJhrbfgo1Zvfeu4oHH5Lsjmp3TK5iFc6GybEZcwpi2akhLfxFMJ/2VpyLhLdYxeM1kaWxJ6lz/Y9wWsTYbI=", - "redirectURL": "AgAmFOssOnd5V5+JMogdLuUepVAD7wb7DjvGAB22t2L6ubyqvbxBptho07wKwDT0tkXuzFTwVCSvz3CCIwNismrtgx8RKnsDGPvLcB1+8sB3bscgmTPsObg9KhOnUvViXbj2HUjDS8l74E+1LNIxRpRAEt2b3T1DtEWnheR1n5Oo2GMa6DFPLBJ4D4VGN0Cq9ZKv7IeLxAGCs/bMOsSIJ0hBkkUIgCaEW4IAh2u3c5yqhIzMVeMsKqLIKx+wg6qeYlm9NX3y6+Aq4Us6pw87PGLRwz1+xaCBFrT7iqaFKmBxbB2icH1F3kynqdXrAv6MiHj7k8CYUIFTSSrKI+4wFd6vLhy8PdRGe6F7pd0JoeIlQq0Mul3l7OT3SsPOXleCQe/zfJTMK1mry7Fci1M59dE27F8tMA5Bew8xzo/GGiBhE0Pw9TERumpo4j8X1MGaG/2Dz6CEggmLHOh6F5i++JnyySRNBWT+A+rj5ljZ/eZ/ixwUj+7c4W2Al8pqVu40Ta9SrOxKYLhpxKrrxiPknvzcpdQYmj2SHDAUBLAJbZGKKEaShHKR/Osl2cZ6JMojHIXT9UoEjS9yqyOaek97WtqXZfNjFtXfkEYxKVHDkWh9zeIIRWukDMjY2UkpOc6syf83WPT5w8mG8uhJP7FEPkuONNdz3rKPCVd/7OBxHPEavQAQ7cF63lmvwOlAtEHRyAkBhDrGCDacnQ9PAmLdK5RbEo3oPgUsUUOBvDMQbJIhOlYZ4ypVMhIVrqy6sCthCw==" - } - } -}