feat(pgadmin): add oauth2 proxy (#63)

charts/common/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+name: common
+version: 0.0.0
+type: library

charts/common/templates/_helpers.tpl

@@ -0,0 +1,38 @@
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.names.suffixedName" -}}
+{{- $base := trunc 54 (include "common.names.fullname" .root) -}}
+{{- $suffix := .suffix -}}
+{{- printf "%s-%s" $base $suffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.labels.standard" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ include "common.names.fullname" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "common.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ include "common.names.fullname" . }}
+{{- end -}}

charts/oauth2-proxy/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: oauth2-proxy
+version: 1.27.2
+dependencies:
+  - name: common
+    version: "^1.27.2"
+    repository: https://socialgouv.github.io/helm-charts

charts/oauth2-proxy/templates/deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    component: {{ include "common.names.fullname" . }}
+    application: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}
+  annotations:
+    {{ if .Values.annotations }}
+    {{ range $key, $val := .Values.annotations }}
+    "{{ $key }}": {{ $val | quote }}
+    {{ end }}
+    {{ end }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      component: {{ include "common.names.fullname" . }}
+  template:
+    metadata:
+      labels:
+        component: {{ include "common.names.fullname" . }}
+    spec:
+      containers:
+        - image: {{ .Values.image.name }}:{{ .Values.image.tag }}
+          args:
+            - --upstream
+            - {{ .Values.upstream }}
+            {{- if gt (len .Values.additionalArgs) 0 }}
+            {{- tpl (.Values.additionalArgs | toYaml) . | nindent 12 }}
+            {{- end }}
+          name: app
+          ports:
+            - containerPort: 4180
+              name: http
+          resources:
+            limits:
+              cpu: 0.5
+              memory: 256Mi
+            requests:
+              cpu: 0.2
+              memory: 128Mi
+          livenessProbe:
+            failureThreshold: 15
+            httpGet:
+              path: "/ping"
+              port: http
+            periodSeconds: 5
+            timeoutSeconds: 5
+          readinessProbe:
+            failureThreshold: 15
+            httpGet:
+              path: "/ping"
+              port: http
+            initialDelaySeconds: 1
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 1
+          startupProbe:
+            failureThreshold: 12
+            httpGet:
+              path: "/ping"
+              port: http
+            periodSeconds: 5
+            initialDelaySeconds: 30
+          env:
+            - name: "OAUTH2_PROXY_REDIRECT_URL"
+              value: https://{{ tpl (or .Values.host (print .Chart.Name "-" (or .Values.global.host ""))) . }}/oauth2/callback
+            {{- if gt (len .Values.env) 0 }}
+            {{- tpl (.Values.env | toYaml) . | nindent 12 }}
+            {{- end }}
+          envFrom:
+            {{- if gt (len .Values.envFrom) 0 }}
+            {{- tpl (.Values.envFrom | toYaml) . | nindent 12 }}
+            {{- end }}
+

charts/oauth2-proxy/templates/ingress.yaml

@@ -0,0 +1,38 @@
+{{ if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    {{ if .Values.ingress.annotations }}
+    {{ range $key, $val := (merge dict .Values.ingress.annotations) }}
+    "{{ $key }}": {{ $val | quote }}
+    {{ end }}
+    {{ end }}
+  labels:
+    component: {{ include "common.names.fullname" . }}
+    application: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}
+spec:
+  rules:
+    - host: >-
+        {{- tpl (or .Values.host (print .Chart.Name "-" (or .Values.global.host ""))) . | nindent 8 }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: {{ include "common.names.fullname" . }}
+                port:
+                  name: http
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - >-
+          {{- tpl (or .Values.host (print .Chart.Name "-" (or .Values.global.host ""))) . | nindent 12 }}
+      {{- if .Values.certSecretName }}
+      secretName: {{ .Values.certSecretName }}
+      {{- else }}
+      secretName: {{ print .Chart.Name "-crt" }}
+      {{- end }}
+{{- end }}

charts/oauth2-proxy/templates/oauth2-proxy.configmap.yml

@@ -0,0 +1,17 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  labels:
+    component: {{ include "common.names.fullname" . }}
+    application: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}
+  annotations:
+    {{ if .Values.annotations }}
+    {{ range $key, $val := .Values.annotations }}
+    "{{ $key }}": {{ $val | quote }}
+    {{ end }}
+    {{ end }}
+data:
+  {{ range $key, $value := .Values.config }}
+  {{ $key }}: {{ $value | quote }}
+  {{ end }}

charts/oauth2-proxy/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    component: {{ include "common.names.fullname" . }}
+    application: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}
+  annotations: {}
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 4180
+  selector:
+    component: {{ include "common.names.fullname" . }}
+  type: ClusterIP

charts/oauth2-proxy/values.yaml

@@ -0,0 +1,16 @@
+env: []
+envFrom: []
+
+ingress:
+  enabled: true
+  host:
+  annotations: {}
+
+upstream:
+
+additionalArgs: []
+replicas: 1
+
+image:
+  name: quay.io/oauth2-proxy/oauth2-proxy
+  tag: v7.4.0

charts/pgadmin/Chart.yaml

@@ -1,3 +1,8 @@
 apiVersion: v2
 name: pgadmin
 version: 1.27.2
+dependencies:
+  - name: oauth2-proxy
+    version: "^1.27.2"
+    repository: https://socialgouv.github.io/helm-charts
+    condition: oauth2-proxy.enabled

charts/pgadmin/values.yaml

@@ -19,5 +19,18 @@ defaultUser:
 #       port: PGPORT
 #       database: PGDATABASE
 ingress:
-  enabled: true
+  enabled: false
   annotations: {}
+
+oauth2-proxy:
+  enabled: true
+  config:
+    OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180"
+    OAUTH2_PROXY_SCOPE: "user:email"
+    OAUTH2_PROXY_PROVIDER: github
+    OAUTH2_PROXY_GITHUB_ORG: SocialGouv
+    OAUTH2_PROXY_BANNER: FCE databases private access
+    OAUTH2_PROXY_FOOTER: SocialGouv auth
+    OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+    OAUTH2_PROXY_COOKIE_SECURE: "false"
+    OAUTH2_PROXY_CUSTOM_SIGN_IN_LOGO: "https://socialgouv.github.io/support/_media/marianne.jpeg"

dev/standard-version-chart-updater.js

@@ -23,6 +23,9 @@ module.exports = {
         ) {
           dependency.version = version
         }
+        if (dependency.repository === "https://socialgouv.github.io/helm-charts" && dependency.version.startsWith("^")) {
+          dependency.version = "^" + version
+        }
       }
     }
     return yaml.dump(chart, { indent: 2 })