add headlamp

2025-03-03 15:17:56 -06:00
parent 05d8e2bd79
commit 61f85974ae
7 changed files with 219 additions and 0 deletions
--- a/clusters/cl01tl/management/headlamp/Chart.yaml
+++ b/clusters/cl01tl/management/headlamp/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+name: headlamp
+version: 1.0.0
+description: Headlamp
+keywords:
+  - headlamp
+  - dashboard
+  - kubernetes
+home: https://wiki.alexlebens.dev/doc/headlamp-Zp3NTU0KE8
+sources:
+  - https://github.com/headlamp-k8s/headlamp
+  - https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: headlamp
+    version: 0.29.1
+    repository: https://headlamp-k8s.github.io/headlamp/
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes-dashboard.png
+appVersion: 0.27.0
--- a/clusters/cl01tl/management/headlamp/templates/cluster-role-binding.yaml
+++ b/clusters/cl01tl/management/headlamp/templates/cluster-role-binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admin-oidc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: User
+    name: alexanderlebens@gmail.com
+    apiGroup: rbac.authorization.k8s.io
--- a/clusters/cl01tl/management/headlamp/templates/external-secret.yaml
+++ b/clusters/cl01tl/management/headlamp/templates/external-secret.yaml
@@ -0,0 +1,103 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: headlamp-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: headlamp-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: secret
+    - secretKey: OIDC_ISSUER_URL
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: issuer
+    - secretKey: OIDC_SCOPES
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: scopes
+
+# ---
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+#   name: headlamp-backup-secret
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: headlamp-backup-secret
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/version: {{ .Chart.AppVersion }}
+#     app.kubernetes.io/component: backup
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: vault
+#   target:
+#     template:
+#       mergePolicy: Merge
+#       engineVersion: v2
+#       data:
+#         RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/headlamp/headlamp"
+#   data:
+#     - secretKey: BUCKET_ENDPOINT
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: S3_BUCKET_ENDPOINT
+#     - secretKey: RESTIC_PASSWORD
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: RESTIC_PASSWORD
+#     - secretKey: AWS_DEFAULT_REGION
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: AWS_DEFAULT_REGION
+#     - secretKey: AWS_ACCESS_KEY_ID
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: access_key
+#     - secretKey: AWS_SECRET_ACCESS_KEY
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: secret_key
--- a/clusters/cl01tl/management/headlamp/templates/http-route.yaml
+++ b/clusters/cl01tl/management/headlamp/templates/http-route.yaml
@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-route-headlamp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: https-route-headlamp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - headlamp.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: headlamp
+          port: 80
+          weight: 100
--- a/clusters/cl01tl/management/headlamp/templates/namespace.yaml
+++ b/clusters/cl01tl/management/headlamp/templates/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: headlamp
+  labels:
+    https-gateway-access: "true"
--- a/clusters/cl01tl/management/headlamp/templates/replication-source.yaml
+++ b/clusters/cl01tl/management/headlamp/templates/replication-source.yaml
@@ -0,0 +1,27 @@
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+#   name: headlamp-backup-source
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: headlamp-backup-source
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/version: {{ .Chart.AppVersion }}
+#     app.kubernetes.io/component: backup
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   sourcePVC: headlamp
+#   trigger:
+#     schedule: 0 0 */3 * *
+#   restic:
+#     pruneIntervalDays: 14
+#     repository: headlamp-backup-secret
+#     retain:
+#       hourly: 1
+#       daily: 1
+#       weekly: 1
+#       monthly: 2
+#       yearly: 4
+#     copyMethod: Snapshot
+#     storageClassName: ceph-block
+#     volumeSnapshotClassName: ceph-blockpool-snapshot
--- a/clusters/cl01tl/management/headlamp/values.yaml
+++ b/clusters/cl01tl/management/headlamp/values.yaml
@@ -0,0 +1,14 @@
+headlamp:
+  config:
+    oidc:
+      secret:
+        create: false
+      externalSecret:
+        enabled: true
+        name: headlamp-oidc-secret
+  ingress:
+    enabled: false
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi