feat: render only relevant values for team-ns helm chart (#1872)

Co-authored-by: Cas Lubbers <[email protected]>

Author: j-zimnowoda

chart/chart-index/charts

@@ -12,7 +12,6 @@
 {{- $ := . }}
 {{- $v := .dot.Values }}
 {{- $istioSvc := print "istio-ingressgateway-" .type }}
-{{- $cm := index $v.apps "cert-manager" }}
 {{- range $ingress := $v.ingress.classes }}
   {{- $routes := dict }}
   {{- $names := list }}
@@ -73,8 +72,8 @@ metadata:
     {{- end}}
     {{- if and $.hasAuth (eq $ingress.className $v.ingress.platformClass.className )}}
     nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.istio-system.svc.cluster.local/oauth2/auth"
-    nginx.ingress.kubernetes.io/auth-signin: "https://auth.{{ $v.cluster.domainSuffix }}/oauth2/start?rd=/oauth2/redirect/$http_host$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-url: "{{ $v.sso.authUrl }}"
+    nginx.ingress.kubernetes.io/auth-signin: "{{ $v.sso.signInUrl }}"
     {{- end }}
     {{- if and (hasKey $ingress "entrypoint") (ne $ingress.entrypoint "")}}
     external-dns.alpha.kubernetes.io/target: {{ $ingress.entrypoint }} 
@@ -129,7 +128,7 @@ spec:
       secretName: copy-team-{{ $v.teamId }}-{{ index $secrets $domain }}
             {{- end }}
           {{- else }}
-      secretName: {{ $v._derived.tlsSecretName }}
+      secretName: {{ $v.tlsSecretName }}
           {{- end }}
         {{- end }}
       {{- end }}

charts/team-ns/templates/_ingress.tpl

@@ -9,7 +9,7 @@ metadata:
 spec:
   project: team-{{ $v.teamId }}
   source:
-    repoURL: https://gitea.{{ $v.cluster.domainSuffix }}/otomi/team-{{ $v.teamId }}-argocd.git
+    repoURL: {{ $v.gitOps.teamRepoUrl }}
     targetRevision: HEAD
     path: ./
   destination:

charts/team-ns/templates/argocd/argocd-application.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   generators:
   - git:
-      repoURL: https://gitea.{{ $v.cluster.domainSuffix }}/otomi/values.git
+      repoURL: "{{ $v.gitOps.workloadValuesRepoUrl }}"
       revision: HEAD
       files:
       - path: "env/teams/workloads/{{ $v.teamId }}/{{ .name }}.yaml"

charts/team-ns/templates/argocd/argocd-applicationset.yaml

@@ -13,7 +13,7 @@ spec:
   description: ArgoCD project for team {{ $v.teamId }}
   # Allow manifests to deploy from any Git repos
   sourceRepos:
-  - https://gitea.{{ $v.cluster.domainSuffix }}/otomi/team-{{ $v.teamId }}-argocd.git
+  - {{ $v.gitOps.teamRepoUrl }}
   {{- range $v.workloads }}
   - {{ .url }}
   {{- end }}
@@ -50,7 +50,7 @@ spec:
   # - group: 'apps'
   #   kind: StatefulSet
   roles:
-{{- if $v.otomi.isMultitenant }}
+{{- if $v.isMultitenant }}
   # we create a scoped platform-admin role since we are only allowed access to team-* projects as platform-admin in multitenant setup
   - name: platform-admin
     description: Team member privileges to team-{{ $v.teamId }}
@@ -65,12 +65,12 @@ spec:
 {{- if not (eq $v.teamId "admin") }}
   - name: team-member
     description: Team member privileges to team-{{ $v.teamId }}
-{{- if or (has "argocd" $v.selfService.apps) $v.otomi.isMultitenant }}
+{{- if or (has "argocd" $v.selfService.apps) $v.isMultitenant }}
     policies:
   {{- if has "argocd" $v.selfService.apps }}
     - p, proj:team-{{ $v.teamId }}:team-member, *, *, team-{{ $v.teamId }}/*, allow
   {{- else }}
-    {{- if $v.otomi.isMultitenant }}
+    {{- if $v.isMultitenant }}
     - p, proj:team-{{ $v.teamId }}:team-member, *, get, team-{{ $v.teamId }}/*, allow
     {{- else }}
     # we already have read-only rights globally when not in multitenancy

charts/team-ns/templates/argocd/argocd-project.yaml

@@ -1,17 +1,13 @@
-{{- $v := .Values }}
-{{- $a := $v.apps.argocd }}
-{{- $g := $v.apps.gitea }}
-{{- if $a.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: team-{{ $v.teamId }}-gitea-repo-creds
+  name: team-{{ .Values.teamId }}-gitea-repo-creds
   namespace: argocd
   labels:
     argocd.argoproj.io/secret-type: repo-creds
 stringData:
   type: git
-  url: https://gitea.{{ $v.cluster.domainSuffix }}
-  password: {{ $g.adminPassword }}
-  username: {{ $g.adminUsername }}
-{{- end }}    
+  url: {{ .Values.gitOps.globalUrl }}
+  password: {{ .Values.gitOps.adminPassword }}
+  username: {{ .Values.gitOps.adminUsername }}
+ 

charts/team-ns/templates/argocd/argocd-repo-secret.yaml

@@ -1,15 +1,10 @@
-{{- $v := .Values }}
-{{- $a := $v.apps.argocd }}
-{{- $g := $v.apps.gitea }}
-{{- if and $a.enabled $g.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: team-{{ $v.teamId }}-gitea-repo
+  name: team-{{ .Values.teamId }}-gitea-repo
   namespace: argocd
   labels:
     argocd.argoproj.io/secret-type: repo
 stringData:
   type: git
-  url: https://gitea.{{ $v.cluster.domainSuffix }}/otomi/team-{{ $v.teamId }}-argocd.git
-{{- end }}    
+  url: {{ .Values.gitOps.teamRepoUrl }}

charts/team-ns/templates/argocd/argocd-repo.yaml

@@ -61,7 +61,7 @@ spec:
       workspace: docker-credentials
     params:
     - name: APP_IMAGE
-      value: harbor.{{ $v.cluster.domainSuffix }}/team-{{ $v.teamId }}/{{ .name }}:{{ .tag }}
+      value: {{ $v.harborDomain }}/team-{{ $v.teamId }}/{{ .name }}:{{ .tag }}
     {{- with .mode.buildpacks.path }}
     - name: SOURCE_SUBPATH
       value: {{ . }}

charts/team-ns/templates/builds/buildpack.yaml

@@ -67,7 +67,7 @@ spec:
     - name: CONTEXT
       value: {{ $context }}
     - name: IMAGE
-      value: harbor.{{ $v.cluster.domainSuffix }}/team-{{ $v.teamId }}/{{ .name }}:{{ .tag }}
+      value: {{ $v.harborDomain }}/team-{{ $v.teamId }}/{{ .name }}:{{ .tag }}
     {{- with (dig "mode" "docker" "envVars" nil . ) }}
     - name: EXTRA_ARGS
       value: 

charts/team-ns/templates/builds/docker.yaml

@@ -1,6 +1,5 @@
 {{- $ns := .Release.Namespace }}
 {{- $v := .Values }}
-{{- $k := $v.apps.keycloak | default dict }}
 # split list of services into separate ingress types:
 # - core apps that need path forwarding (apps.*/appName stuff)
 # - public/private?

charts/team-ns/templates/ingress.yaml

@@ -9,8 +9,8 @@ spec:
   gateways:
   - {{ $.Release.Namespace }}/team-admin-public-tlsterm
   hosts:
-  - {{ $v._derived.giteaDomain }}
-  - {{ $v._derived.keycloakDomain }}
+  - {{ $v.giteaDomain }}
+  - {{ $v.keycloakDomain }}
   http:
   - match:
     - uri:

charts/team-ns/templates/ingress/exceptions.yaml

@@ -1,8 +1,6 @@
 {{- $v := .Values }}
 {{- if eq $v.teamId "admin" }}
 {{- if $v.apps.harbor.enabled }}
-{{- $domain := printf "harbor.%s" $v.cluster.domainSuffix }}
-{{- $cm := index $v.apps "cert-manager" }}
 {{- $ingress :=  $v.ingress.platformClass }}
 {{- $name :=  printf "nginx-team-%s-platform-public-open-forward-harbor" $v.teamId }}
 ---
@@ -33,7 +31,7 @@ metadata:
 spec:
   ingressClassName: platform
   rules:
-    - host: {{ $domain }}
+    - host: {{ $v.harborDomain }}
       http:
         paths:
         - backend:
@@ -66,7 +64,7 @@ spec:
           pathType: Prefix
   tls:
     - hosts:
-        - {{ $domain }}
-      secretName: {{ $v._derived.tlsSecretName }}
+        - {{ $v.harborDomain }}
+      secretName: {{ $v.tlsSecretName }}
 {{- end }}
 {{- end }}

charts/team-ns/templates/ingress/harbor-public.yaml

@@ -10,5 +10,5 @@ spec:
     matchLabels:
       otomi: tty
   jwtRules:
-  - issuer: "https://keycloak.{{ $v.cluster.domainSuffix }}/realms/otomi"
-    jwksUri: "https://keycloak.{{ $v.cluster.domainSuffix }}/realms/otomi/protocol/openid-connect/certs"
+  - issuer: "{{ $v.sso.issuer }}"
+    jwksUri: "{{ $v.sso.jwksUri }}"

charts/team-ns/templates/isitio-tty-authn.yaml

@@ -1,6 +1,4 @@
 {{- $v := .Values }}
-{{- $k := $v.apps.keycloak | default dict }}
-{{- $kkMaster := printf "https://keycloak.%s/realms/otomi" $v.cluster.domainSuffix }}
 {{- $ := . }}
 {{- range $s := $v.services }}
   {{- $isKnativeService := dig "ksvc" "predeployed" false $s }}
@@ -59,8 +57,8 @@ spec:
         - uri:
             prefix: /logout-otomi
       redirect:
-        authority: auth.{{ $v.cluster.domainSuffix }}
-        uri: /oauth2/sign_out?rd={{ $kkMaster }}/protocol/openid-connect/logout?redirect_uri=https://{{ printf "console.%s" $v.cluster.domainSuffix }}
+        authority: {{ $v.authDomain }}
+        uri: {{ $v.sso.logoutUri }}
     -
         {{- with $s.paths | default (list "/") }}
       match:
@@ -207,8 +205,8 @@ spec:
         - uri:
             prefix: /logout-otomi
       redirect:
-        authority: auth.{{ $v.cluster.domainSuffix }}
-        uri: /oauth2/sign_out?rd={{ $kkMaster }}/protocol/openid-connect/logout?redirect_uri=https://{{ printf "otomi.%s" $v.cluster.domainSuffix }}
+        authority: "{{ $v.authDomain }}"
+        uri: "{{ $v.sso.logoutUri }}"
     -
         {{- with $s.paths | default (list "/") }}
       match:
@@ -310,13 +308,13 @@ spec:
   selector:
     matchLabels: {{ $workload | nindent 6 }}
   jwtRules:
-    - issuer: {{ $kkMaster }}
-      jwksUri: {{ $kkMaster }}/protocol/openid-connect/certs
+    - issuer: {{ $v.sso.masterRealm }}
+      jwksUri: {{ $v.sso.jwksUri }}
       audiences:
-        - {{ $k.idp.clientID }}
+        - {{ $v.sso.clientId }}
       forwardOriginalToken: {{ $s.authz.forwardOriginalToken | default false }}
 ---    
-      {{- $principal := printf "https://keycloak.%s/realms/otomi/*" $v.cluster.domainSuffix }}
+      {{- $principal := printf "%s/*" $v.masterRealm }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:

charts/team-ns/templates/istio-virtualservices.yaml

@@ -11,7 +11,7 @@ metadata:
   labels: {{- include "team-ns.chart-labels" $ | nindent 4 }}
 spec:
   hosts:
-    - {{ trimPrefix "https://" .Values.apps.keycloak.address }}
+    - {{ $v.keycloakDomain }}
   ports:
     - number: 443
       name: https

charts/team-ns/templates/netpols/default-istio-service-entries.yaml

@@ -58,7 +58,7 @@ spec:
                 all:
                 - key: "{{`{{ element }}`}}"
                   operator: NotEquals
-                  value: "harbor.{{ $v.cluster.domainSuffix }}/*"
+                  value: "{{ $v.harborDomain }}/*"
                 {{- if $p.customValues }}
                 - key: "{{`{{ element }}`}}"
                   operator: AnyNotIn

charts/team-ns/templates/policies/best-practice/allowed-image-repos.yaml

@@ -4,7 +4,7 @@
 ---
 apiVersion: v1
 imagePullSecrets:
-{{- with $v.otomi.globalPullSecret }}
+{{- with $v.globalPullSecret }}
 - name: otomi-pullsecret-global
 {{- end }}
 {{- if $h.enabled }}
@@ -113,11 +113,11 @@ kind: Secret
 metadata:
   name: gitea-credentials
   annotations:
-    tekton.dev/git-0: https://gitea.{{ $v.cluster.domainSuffix }}
+    tekton.dev/git-0: "{{ $v.gitOps.globalUrl }}"
 type: kubernetes.io/basic-auth
 stringData:
-  username: otomi-admin
-  password: {{ $v.otomi.adminPassword }}
+  username: {{ $v.gitOps.adminUsername }}
+  password: {{ $v.gitOps.adminPassword }}
 ---
 apiVersion: v1
 kind: ServiceAccount

charts/team-ns/templates/rbac.yaml

@@ -1,6 +1,5 @@
 {{- $v := .Values }}
-{{- $i := $v.apps.istio }}
-{{- if $i.tracing.enabled }}
+{{- if $v.tracingEnabled}}
 apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:

charts/team-ns/templates/telemetry/telemetry.yaml

@@ -42,24 +42,10 @@ releases:
       team: admin
       pipeline: otomi-task-teams
     values:
+      - ../values/team-ns/team-ns.gotmpl
       - name: admin
         teamId: admin
-        _derived: {{- toYaml $v._derived | nindent 10 }}
-        teamIds: {{- toYaml (keys $v.teamConfig) | nindent 10 }}
-        teamApps: {{- $tca.apps | toYaml | nindent 10 }}
-        apps: {{- $a | toYaml | nindent 10 }}
-        oidc: {{- $v.oidc | toYaml | nindent 10 }}
-        cluster: {{- $v.cluster | toYaml | nindent 10 }}
         otomi: {{- $v.otomi | toYaml | nindent 10 }}
-        domain: {{ $v | get "cluster.domainSuffix" nil }}
         services: {{- $services | toYaml | nindent 10 }}
+        networkPolicy: null
         resourceQuota: null
-        ingress: {{- $v.ingress | toYaml | nindent 10 }}
-        jobs: {{- $tca | get "jobs" list | toYaml | nindent 10 }}
-        secrets: {{- $tca | get "secrets" list | toYaml | nindent 10 }}
-        workloads: {{- $tca | get "workloads" list | toYaml | nindent 10 }}
-        backups: {{- $tca | get "backups" list | toYaml | nindent 10 }}
-        builds: {{- $tca | get "builds" list | toYaml | nindent 10 }}
-        policies: {{- $tca | get "policies" list | toYaml | nindent 10 }}
-        sealedsecrets: {{- $tca | get "sealedsecrets" list | toYaml | nindent 10 }}
-        dns: {{- $v.dns | toYaml | nindent 10 }}

helmfile.d/helmfile-15.ingress-core.yaml

@@ -13,15 +13,6 @@ bases:
 {{- $v := .Values }}
 {{- $a := $v.apps }}
 {{- $tc := $v.teamConfig }}
-{{- $coreTeamServices := list }}
-{{- range $s := $v.teamApps }}
-  {{- if and ($a | get $s.name | get "enabled" true) (hasKey $s "ingress") $v.otomi.isMultitenant }}
-    {{- range $ing := $s.ingress }}
-      {{- $svc := merge $ing (dict "isCore" true "name" $s.name "ownHost" ($s | get "ownHost" false)) }}
-      {{- $coreTeamServices = append $coreTeamServices $svc }}
-    {{- end }}
-  {{- end }}
-{{- end }}
 {{- $slackTpl := tpl (readFile "../helmfile.d/snippets/alertmanager/slack.gotmpl") $v | toString }}
 {{- $opsgenieTpl := tpl (readFile "../helmfile.d/snippets/alertmanager/opsgenie.gotmpl") $v | toString }}
 releases:
@@ -243,23 +234,5 @@ releases:
       team: {{ $teamId }}
       pipeline: otomi-task-teams
     values:
-      - cluster: {{- $v.cluster | toYaml | nindent 10 }}
-        apps: {{- $a | toYaml | nindent 10 }}
-        otomi: {{- $v.otomi | toYaml | nindent 10 }}
-        oidc: {{- $v | get "oidc" dict | toYaml | nindent 10 }}
-        domain: {{ $domain }}
-        ingress: {{- $v.ingress | toYaml | nindent 10 }}
-        dns: {{- $v.dns | toYaml | nindent 10 }}
-        _derived:
-          tlsSecretName: {{ $v._derived.tlsSecretName }}
-      - {{- omit $team "apps" | toYaml | nindent 8 }}
-        teamId: {{ $teamId }}
-        teamApps: {{- toYaml $teamApps | nindent 10 }}
-        teamIds: {{- toYaml (keys $v.teamConfig) | nindent 10 }}
-      - services: {{- concat $coreTeamServices $teamServices | toYaml | nindent 10 }}
-  {{- if (gt (len $teamServices) 0) }}
-      - name: blackbox
-        svc: prometheus-blackbox-exporter
-        port: 9115
-  {{- end }}
+      - ../values/team-ns/team-ns.gotmpl
 {{- end }}

helmfile.d/helmfile-60.teams.yaml

@@ -154,8 +154,11 @@ environments:
           oidcBaseUrlBackchannel: {{ $oidcBaseUrlBackchannel}}
           oidcWellKnownUrl: {{ $oidcWellKnownUrl }}
           oidcWellKnownUrlBackchannel: {{ $oidcWellKnownBackchannel}}
+          authDomain: {{ printf "auth.%s" $domainSuffix }}
+          consoleDomain: {{ printf "console.%s" $domainSuffix }}
           giteaDomain: {{ printf "gitea.%s" $domainSuffix }}
           keycloakDomain: {{ printf "keycloak.%s" $domainSuffix }}
+          harborDomain: {{ printf "harbor.%s" $domainSuffix }}
           tlsSecretName: {{ $tlsSecretName }}
         apps:
           argocd: