From c4b9591f10e2ca7500a3413c6d2f543a9bf38e82 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 15 Feb 2025 23:10:40 -0800 Subject: [PATCH 01/15] feat: inital configs for staff dashboard oauth --- infra/app/templates/ingress.yaml | 38 ++++++++++++++++++- .../templates/github-oauth-sealed-secret.yaml | 16 ++++++++ infra/base/values.yaml | 20 ++++++++++ infra/init.sh | 6 +++ 4 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 infra/base/templates/github-oauth-sealed-secret.yaml diff --git a/infra/app/templates/ingress.yaml b/infra/app/templates/ingress.yaml index 3ee6b0520..b3e322ba7 100644 --- a/infra/app/templates/ingress.yaml +++ b/infra/app/templates/ingress.yaml 
@@ -1,11 +1,45 @@ +# staff.berkeleytime.com ingress with oauth2 proxy apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ .Release.Name }}-ingress + name: {{ .Release.Name }}-staff-ingress labels: {{- include "bt-app.labels" . | nindent 4 }} annotations: - cert-manager.io/issuer: {{ .Values.issuer }} + kubernetes.io/ingress.class: "nginx" + cert-manager.io/issuer: {{ .Values.issuerName }} + nginx.ingress.kubernetes.io/auth-url: "https://staff.berkeleytime.com/oauth2/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://staff.berkeleytime.com/oauth2/start?rd=$escaped_request_uri" + nginx.ingress.kubernetes.io/auth-response-headers: "Authorization" +spec: + ingressClassName: nginx + tls: + - hosts: + - staff.berkeleytime.com + secretName: staff-bt-tls + rules: + - host: staff.berkeleytime.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ include "bt-app.frontendName" . }}-svc + port: + number: {{ .Values.port }} + +--- +# berkeleytime.com ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Name }}-main-ingress + labels: + {{- include "bt-app.labels" . | nindent 4 }} + annotations: + kubernetes.io/ingress.class: "nginx" + cert-manager.io/issuer: {{ .Values.issuerName }} spec: ingressClassName: nginx tls: diff --git a/infra/base/templates/github-oauth-sealed-secret.yaml b/infra/base/templates/github-oauth-sealed-secret.yaml new file mode 100644 index 000000000..60ac2ecf7 --- /dev/null +++ b/infra/base/templates/github-oauth-sealed-secret.yaml 
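Review bot: The `auth-url` and `auth-signin` annotations on the staff Ingress point at `/oauth2/auth` and `/oauth2/start` on the staff host, but the only rule in this hunk sends `path: /` (Prefix) to the frontend service, so nothing visible here routes `/oauth2` to the oauth2-proxy Service. Unless the proxy chart creates its own Ingress for that prefix (not shown in this patch), the auth subrequest would be handled by this same protected rule instead of reaching the proxy. I would add a separate Ingress for `/oauth2` on the staff host, without the auth annotations, that targets the proxy Service. Before relying on the gate, confirm that an unauthenticated request to the staff host is redirected to sign-in and does not receive the frontend. The main Ingress section continues past `tls:` outside this hunk.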
@@ -0,0 +1,16 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: github-oauth-secret + namespace: bt +spec: + encryptedData: + client-id: 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 + client-secret: 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 + cookie-secret: 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 + template: + metadata: + creationTimestamp: null + name: github-oauth-secret + namespace: bt \ No newline at end of file diff --git a/infra/base/values.yaml b/infra/base/values.yaml index 625369b55..5af2f47bc 100644 --- a/infra/base/values.yaml +++ b/infra/base/values.yaml @@ -4,3 +4,23 @@ acme: server: https://acme-v02.api.letsencrypt.org/directory cfApiTokenSecretName: cloudflare-api-token-stanfurdtime-secret ipAddressRange: 169.229.226.51-169.229.226.51 + +oauth2-proxy: + config: + existingSecret: github-oauth-secret + clientID: + key: client-id + clientSecret: + key: client-secret + cookieSecret: + key: cookie-secret + provider: "github" + githubOrg: "asuc-octo" + githubTeam: "asuc-octo/berkeleytime" + emailDomains: ["*"] + upstreamTimeout: "30s" + cookie: + name: "_oauth2_proxy" + secure: true + httpOnly: true + expire: "4h" diff --git a/infra/init.sh b/infra/init.sh index 67dd9aee4..78ad2449f 100755 --- a/infra/init.sh +++ b/infra/init.sh @@ -8,6 +8,7 @@ helm repo add bitnami-labs https://bitnami-labs.github.io/sealed-secrets/ helm repo add cert-manager https://charts.jetstack.io helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add metallb https://metallb.github.io/metallb +helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests # =================== # BASE INFRASTRUCTURE 
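Review bot: With `emailDomains: ["*"]` in the `infra/base/values.yaml` hunk, the only thing limiting who can sign in is the `githubOrg`/`githubTeam` pair, and nothing in this patch shows that the oauth2-proxy chart reads `provider`, `githubOrg`, `githubTeam`, `emailDomains` or `cookie` as keys under `config`. If the chart ignores them, the proxy starts with its defaults and the org/team restriction is silently absent, so any account the provider accepts would pass. I would set them through the mechanism the chart documents for proxy options (its `extraArgs` or config file, mapping to oauth2-proxy's `--provider`, `--github-org` and `--github-team`) and check the rendered Deployment for them. Also confirm the chart accepts `clientID`, `clientSecret` and `cookieSecret` as maps with a `key:` field when `existingSecret` is set.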
@@ -23,6 +24,11 @@ helm push ./bt-base-1.0.0.tgz oci://registry-1.docker.io/octoberkeleytime helm install bt-base oci://registry-1.docker.io/octoberkeleytime/bt-base --namespace=bt \ --version=1.0.0 +# Install OAuth2 Proxy with values from base chart +helm install bt-oauth2-proxy oauth2-proxy/oauth2-proxy \ + --namespace=bt \ + --values ./infra/base/values.yaml + # ========== # BUILD CHARTS AND PUSH TO REGISTRY # ========== From 4db1151d1d9933cfe9b028eb5790787ec8b97f32 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sun, 16 Feb 2025 00:36:37 -0800 Subject: [PATCH 02/15] fix: modularities --- infra/app/templates/ingress.yaml | 10 +++++----- infra/base/Chart.yaml | 5 +++++ .../base/templates/github-oauth-sealed-secret.yaml | 13 ++++++------- infra/base/values.yaml | 2 +- infra/init.sh | 1 - 5 files changed, 17 insertions(+), 14 deletions(-) diff --git a/infra/app/templates/ingress.yaml b/infra/app/templates/ingress.yaml index b3e322ba7..18bdab6b0 100644 --- a/infra/app/templates/ingress.yaml +++ b/infra/app/templates/ingress.yaml @@ -15,13 +15,13 @@ spec: ingressClassName: nginx tls: - hosts: - - staff.berkeleytime.com - secretName: staff-bt-tls + - staff.{{ .Values.host }} + secretName: bt-staff-tls rules: - - host: staff.berkeleytime.com + - host: staff.{{ .Values.host }} http: paths: - - path: / + - path: {{ .Values.frontend.path }} pathType: Prefix backend: service: @@ -34,7 +34,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ .Release.Name }}-main-ingress + name: {{ .Release.Name }}-ingress labels: {{- include "bt-app.labels" . | nindent 4 }} annotations: diff --git a/infra/base/Chart.yaml b/infra/base/Chart.yaml index 96188278b..f6e401791 100644 --- a/infra/base/Chart.yaml +++ b/infra/base/Chart.yaml 
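Review bot: The new `helm install bt-oauth2-proxy oauth2-proxy/oauth2-proxy` has no `--version`, unlike the `bt-base` install just above it, so each run of init.sh pulls whatever chart version the repository currently serves. Pin it with a `--version <chart-version>` argument like the other installs. Separately, `./infra/base/values.yaml` nests the proxy settings under a top-level `oauth2-proxy:` key, which is the sub-chart layout. Installed directly, the chart would most likely look for `config:` at the top level, so `existingSecret` and the access settings would not be applied. Either pass a values file shaped for a direct install or consume the chart only as a dependency of `bt-base`.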
@@ -22,3 +22,8 @@ version: 0.1.0 # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "2.0.0-alpha" + +dependencies: + - name: "oauth2-proxy" + version: "7.11.0" + repository: "https://oauth2-proxy.github.io/manifests" diff --git a/infra/base/templates/github-oauth-sealed-secret.yaml b/infra/base/templates/github-oauth-sealed-secret.yaml index 60ac2ecf7..55c392da4 100644 --- a/infra/base/templates/github-oauth-sealed-secret.yaml +++ b/infra/base/templates/github-oauth-sealed-secret.yaml 
@@ -2,15 +2,14 @@ apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null - name: github-oauth-secret - namespace: bt + name: {{ .Values.oauth2-proxy.config.existingSecret }} spec: encryptedData: - client-id: 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 - client-secret: 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 - cookie-secret: AgB9ndkh9jwb9DNB3Uuz5U3bPImEKk24ld/QYFmw9NBkgB+N2p0oENs/Jc/OWJ6mEM3AObp9CzU3HtEV2NcVrPiw7S1RU1w+llHp6xAZVNS9TTDdN2kIK5IAp+7mF462FYQ1ujrx/wsieJscFsBwT1zOxcnG+4EXaKiqTRZr1klGfZ8qurGIrSYYiPbVeX6B2uc3/im/csDoELr8xY+bTJ1fAUmKsT+oiwTurkzo/PcHczl3luNn4kSMH/UIWi65gMHGAAAFQpykL5ZxOvaaNehVz+oFHb62e0Mi7a0O5Pi9jbKooAw10wjU800BUVq9BxT21zEMy/BzTpRrFFDrTXjkB9qzi3KutAPCxwiQ+AXFnxCeumJtZ+c876YsivGg1UC38DKchiNnHzpAeTfINVRwkUlFWSYkdXsJL1vPnyF5tJgI7KbydTfMzNnJU72+xlv0wMhfHWBAj/NMAOKnUk1hNb4Tak+HhXaUTYYgCnFU5+Ch8lQQE6lB9yEW8Q0OT6krULrCoP/bo4rcT1IdcA5CZWhMuAsQlI5rOkqxN/8TVZL1lujxsEPUg0XJ5d1k6LMewhR5B+kaVrRSYOLDxZVZsB8jyocpuBwUWnqFrHm9S8d1o6crZG2DFgQCSX4tfXwKImbCsNixDsAiedGL6+K5eL38cGtgf9pNt6PmHIbDQEwpORk8cWLAJgsj7OknB+mKGQ6tRdYWJuIHY4InGyPFVhUEPBfsTpVdW6u0CIj66T4GCSN54RHCX7QmdAIzKqwllApNW4uY/wwd8DGYw1e5 + client-id: AgBhDLHp/kE6BWH+e8hC+YffEHgquzGtXzOtlRIuGjk00nHrWOblfyIJAMUpt67sSOgglTmER83MBp3o8KZinV8sHWigPcmnbnUA7jSaNnbSAG8a9HudVOEBH4WrMdsEIHuQvoN0Bj0OE4X3xc3tB7eWGW+LgISuT6NBiZu+aCTDOHR5oKkLS1rfkkFVooNXVxKq/lDugAVayIJtk918syrTGskfcovnVXYQvY88HGK8qmmeZJSORqq0l5Usc+P2ExC7kfn6UusZQzVrv7X+tWVas9i0IcsfMLboVu/Xk7edeSCDORwWIdBeisTRumQFGiqaNZuBKBA9PQR0JVtMz/a386WCxmOpI8tulEPOJF8D0IqKuIaGDxf142cWAd+N4pGoFzZ8za8lPLAqZvMUyXX67MgyprKjbFJ8rq76ZoPTkRAsW/bLUzJ86nznc7yXL4/eF8cC/cgY6x7HYA80Tb9MTCLcxusEQNHJOtf0fjOQTB7dgqSbIOUaJjf+vOmqDoDlwUAcZJZlARn9NhihwMNcfvE+wt73nJePO67iiTgj4Rt9FJusHWN/TzHGg+FtA6IOscefBGwN05aH9bhoE7jnI7HwhsX9ENnsnK9UdBSjLLCADFaogVyN9PevOiCEgehDhbcYlg2USP2T75GXhEFJxxWxIM7o0Jw+p8zKB/T+wVQ6/slbfpFBPwdL+GHnjFCl1qTUJu65W7wBF1m5Psg42kdhpg== + client-secret: 
AgBMW2CPrJWMUO2aH8CzqkQqaMrXnFsokjYAhHf3ieMvnSLoGjt1vxpekHjGIxHN/VKRLJP5vfk4u7zPFJUPBgPa4+aMdqCqrWo3Zmxi1wRMz5F3N0HwCCi+FT7K1nUev0X3dQNTCNoZbdB+ggJFwaC0CmfqXFNFob62mYcvR4l5EFwH9Ol0oqF5u6jAuB5hZ0KozA1seeEmIxuvNZeq5PC/AEYDtQNLam01uF/GWFi4yza7xULt3WfzPFRdGaUS2G6S1/yYOSs7V0qxxjMCzkUQorm4RgppbMLIE1sBkA6ZfSQ+vTFD4AFm3DnQ36KM1qQxqtD62NKDrjHMtmOMO3/LHkkm/KmcoY2HpVEvV60pm6nXRaGWR0Z/XLJFrdXg4ovhxNw3irsaXRkmCjBEy82GBfJ5irwGcx3Q4uZu8pKYTNUp+Ks7MTa4Y+p6IS6xYahff4czbwcJpJaGD8KoBOh88QVP69lsSnfLHbrhVs6J3dmh8rdPoCr7C7pOUNS3yPc50WAy4K3uV3r2CyAnOhB0riEwmzGEEu3/eicYzUshMzofWhJc5DiybAoQDrynUm5rhbk3IakK6bIjGFN5fBYXw4Zs8ldH5RB5Wj9ePtLtOCnT8KOvUZzXc533iMoQidHex8Q29nZCckrRXkUc1kgOFSE57RyCnbG08z+vQZleBH0RdsCPACcWGEAPUxcKnTW4QD0EOAL/PNAIVLdSwQjAy3ThrfINFALzkug87ZxNyhXY3l1gNLu9 + cookie-secret: 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 template: metadata: creationTimestamp: null - name: github-oauth-secret - namespace: bt \ No newline at end of file + name: {{ .Values.oauth2-proxy.config.existingSecret }} + namespace: bt diff --git a/infra/base/values.yaml b/infra/base/values.yaml index 5af2f47bc..9d2aa302f 100644 --- a/infra/base/values.yaml +++ b/infra/base/values.yaml @@ -7,7 +7,7 @@ ipAddressRange: 169.229.226.51-169.229.226.51 oauth2-proxy: config: - existingSecret: github-oauth-secret + existingSecret: bt-github-oauth-secret clientID: key: client-id clientSecret: diff --git a/infra/init.sh b/infra/init.sh index 78ad2449f..3b589effb 100755 --- a/infra/init.sh +++ b/infra/init.sh 
@@ -17,7 +17,6 @@ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests helm install bt-sealed-secrets bitnami-labs/sealed-secrets --version 2.17.0 --namespace=bt --create-namespace helm install bt-metallb metallb/metallb --version 0.14.9 --namespace=bt helm install bt-cert-manager cert-manager/cert-manager --set crds.enabled=true --version 1.16.2 --namespace=bt -helm install bt-ingress-nginx ingress-nginx/ingress-nginx --version 4.12.0 --namespace=bt helm package ./infra/base --version 1.0.0 --dependency-update helm push ./bt-base-1.0.0.tgz oci://registry-1.docker.io/octoberkeleytime From 8c0dedb329dc0cc7c7dd7894df1e8872da6113f4 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sun, 16 Feb 2025 00:39:07 -0800 Subject: [PATCH 03/15] chore: same tls since staff dashboard is subdomain --- infra/app/templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/app/templates/ingress.yaml b/infra/app/templates/ingress.yaml index 18bdab6b0..2906d0a68 100644 --- a/infra/app/templates/ingress.yaml +++ b/infra/app/templates/ingress.yaml @@ -16,7 +16,7 @@ spec: tls: - hosts: - staff.{{ .Values.host }} - secretName: bt-staff-tls + secretName: bt-tls rules: - host: staff.{{ .Values.host }} http: From 16d1a64bf46701b0b4a4d4c9655c9578078e33d5 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Thu, 20 Feb 2025 22:49:13 -0800 Subject: [PATCH 04/15] fix: restore annotation for berkeleytime ingress --- infra/app/templates/ingress.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/infra/app/templates/ingress.yaml b/infra/app/templates/ingress.yaml index 2906d0a68..d15cd5ae6 100644 --- a/infra/app/templates/ingress.yaml +++ b/infra/app/templates/ingress.yaml @@ -38,8 +38,7 @@ metadata: labels: {{- include "bt-app.labels" . | nindent 4 }} annotations: - kubernetes.io/ingress.class: "nginx" - cert-manager.io/issuer: {{ .Values.issuerName }} + cert-manager.io/issuer: {{ .Values.issuer }} spec: ingressClassName: nginx tls: 
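Review bot: In the `infra/app/templates/ingress.yaml` hunk of patch 03, `secretName: bt-tls` on the staff Ingress only works if the certificate stored in that secret lists `staff.{{ .Values.host }}` as a name. Being a subdomain does not make it covered by a certificate issued for the apex host. Both Ingresses carry a cert-manager issuer annotation and now name the same secret with different `tls.hosts`, so they may also compete for one Certificate; I cannot confirm this because the main Ingress's host list is outside the hunk. Either keep a dedicated secret for the staff host or add the staff name to the main Ingress's `tls.hosts` so a single certificate covers both. A comment above `secretName` stating which Ingress owns the certificate would help.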
From 4cf3b40bc1d3d969ade94499376ded5a0e16fed9 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Thu, 20 Feb 2025 22:51:08 -0800 Subject: [PATCH 05/15] fix: rm dependency --- infra/base/Chart.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/infra/base/Chart.yaml b/infra/base/Chart.yaml index f6e401791..96188278b 100644 --- a/infra/base/Chart.yaml +++ b/infra/base/Chart.yaml @@ -22,8 +22,3 @@ version: 0.1.0 # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "2.0.0-alpha" - -dependencies: - - name: "oauth2-proxy" - version: "7.11.0" - repository: "https://oauth2-proxy.github.io/manifests" From 00e83121f2b8c6437442f829bfeae9d9428d08bf Mon Sep 17 00:00:00 2001 From: adit-bala Date: Fri, 21 Feb 2025 23:11:41 -0800 Subject: [PATCH 06/15] fix: add back dependency --- infra/base/Chart.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/infra/base/Chart.yaml b/infra/base/Chart.yaml index 96188278b..ed95479dc 100644 --- a/infra/base/Chart.yaml +++ b/infra/base/Chart.yaml @@ -22,3 +22,7 @@ version: 0.1.0 # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "2.0.0-alpha" +dependencies: + - name: "oauth2-proxy" + version: "7.11.0" + repository: "https://oauth2-proxy.github.io/manifests" From 320ddfc705f7cfa2c2756d6b01bddb5e7aff02c0 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 22 Feb 2025 20:16:28 -0800 Subject: [PATCH 07/15] chore: update app chart version --- infra/app/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/app/Chart.yaml b/infra/app/Chart.yaml index 2c2941e8b..70cbb5edd 100644 --- a/infra/app/Chart.yaml +++ b/infra/app/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From 04058903c09b9ad52293db60c2b58f09880d84cb Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 22 Feb 2025 20:19:37 -0800 Subject: [PATCH 08/15] chore: update version for base chart --- infra/base/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/base/Chart.yaml b/infra/base/Chart.yaml index ed95479dc..5a1def98f 100644 --- a/infra/base/Chart.yaml +++ b/infra/base/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From 8205720e48e0d36aa521faa0bf92ca2f3fe68474 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 22 Feb 2025 21:43:45 -0800 Subject: [PATCH 09/15] chore: fix helm keys --- infra/base/templates/github-oauth-sealed-secret.yaml | 9 ++------- infra/base/values.yaml | 11 ++++------- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/infra/base/templates/github-oauth-sealed-secret.yaml b/infra/base/templates/github-oauth-sealed-secret.yaml index 55c392da4..b44390530 100644 --- a/infra/base/templates/github-oauth-sealed-secret.yaml +++ b/infra/base/templates/github-oauth-sealed-secret.yaml 
@@ -2,14 +2,9 @@ apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null - name: {{ .Values.oauth2-proxy.config.existingSecret }} + name: "{{ .Values.oauth2-proxy.config.existingSecret }}" spec: encryptedData: client-id: 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 client-secret: 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 - cookie-secret: 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 - template: - metadata: - creationTimestamp: null - name: {{ .Values.oauth2-proxy.config.existingSecret }} - namespace: bt + cookie-secret: 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 \ No newline at end of file diff --git a/infra/base/values.yaml b/infra/base/values.yaml index 9d2aa302f..52d28ed18 100644 --- a/infra/base/values.yaml +++ b/infra/base/values.yaml @@ -8,12 +8,9 @@ ipAddressRange: 169.229.226.51-169.229.226.51 oauth2-proxy: config: existingSecret: bt-github-oauth-secret - clientID: - key: client-id - clientSecret: - key: client-secret - cookieSecret: - key: cookie-secret + clientID: client-id + clientSecret: client-secret + cookieSecret: cookie-secret provider: "github" githubOrg: "asuc-octo" githubTeam: "asuc-octo/berkeleytime" @@ -23,4 +20,4 @@ oauth2-proxy: name: "_oauth2_proxy" secure: true httpOnly: true - expire: "4h" + expire: "4h" \ No newline at end of file From 1500dade0e8597202671d0f09cbcd168c2b395ee Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 22 Feb 2025 21:46:30 -0800 Subject: [PATCH 10/15] fix: helm dash hack --- infra/base/templates/github-oauth-sealed-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/base/templates/github-oauth-sealed-secret.yaml b/infra/base/templates/github-oauth-sealed-secret.yaml index b44390530..e11edd727 100644 --- a/infra/base/templates/github-oauth-sealed-secret.yaml +++ b/infra/base/templates/github-oauth-sealed-secret.yaml 
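Review bot: In the `infra/base/values.yaml` hunk, `clientID: client-id`, `clientSecret: client-secret` and `cookieSecret: cookie-secret` are now literal credential values rather than references to keys in the secret. They are harmless only while the chart ignores them because `existingSecret` is set. If that setting is ever dropped or mistyped, the proxy would come up with a publicly known cookie-signing secret. I would delete the three lines and leave only `existingSecret: bt-github-oauth-secret`, with a comment such as `# client-id, client-secret and cookie-secret are read from this Secret`. The sealed-secret hunk in the same commit removes `spec.template`, so the unsealed Secret's name now comes only from `metadata.name`; check that it still matches `existingSecret`.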
@@ -2,7 +2,7 @@ apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null - name: "{{ .Values.oauth2-proxy.config.existingSecret }}" + name: '{{ index .Values "oauth2-proxy" "config" "existingSecret" }}' spec: encryptedData: client-id: 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 From 601a0b1de9f839a9b3cb4f6d3967548054f784db Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 22 Feb 2025 21:48:07 -0800 Subject: [PATCH 11/15] fix: revert version --- infra/base/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/base/Chart.yaml b/infra/base/Chart.yaml index 5a1def98f..ed95479dc 100644 --- a/infra/base/Chart.yaml +++ b/infra/base/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.0 +version: 0.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From 9570727ae127ac6059bb315900c19d1821bbb776 Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sat, 22 Feb 2025 21:58:07 -0800 Subject: [PATCH 12/15] chore: fix `host` name --- infra/app/templates/ingress.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/app/templates/ingress.yaml b/infra/app/templates/ingress.yaml index d15cd5ae6..3acd45dea 100644 --- a/infra/app/templates/ingress.yaml +++ b/infra/app/templates/ingress.yaml 
@@ -8,8 +8,8 @@ metadata: annotations: kubernetes.io/ingress.class: "nginx" cert-manager.io/issuer: {{ .Values.issuerName }} - nginx.ingress.kubernetes.io/auth-url: "https://staff.berkeleytime.com/oauth2/auth" - nginx.ingress.kubernetes.io/auth-signin: "https://staff.berkeleytime.com/oauth2/start?rd=$escaped_request_uri" + nginx.ingress.kubernetes.io/auth-url: "https://staff.{{ .Values.host }}/oauth2/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://staff.{{ .Values.host }}/oauth2/start?rd=$escaped_request_uri" nginx.ingress.kubernetes.io/auth-response-headers: "Authorization" spec: ingressClassName: nginx From 9af5378ac21e6cab9c9e21df3bf1e584ff193d0a Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sun, 23 Feb 2025 15:22:57 -0800 Subject: [PATCH 13/15] chore: fix githubteam --- infra/base/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/base/values.yaml b/infra/base/values.yaml index 52d28ed18..0adb4d7ef 100644 --- a/infra/base/values.yaml +++ b/infra/base/values.yaml @@ -13,7 +13,7 @@ oauth2-proxy: cookieSecret: cookie-secret provider: "github" githubOrg: "asuc-octo" - githubTeam: "asuc-octo/berkeleytime" + githubTeam: "Berkeleytime" emailDomains: ["*"] upstreamTimeout: "30s" cookie: From a067878f1a3639151b7704ac41582f5f83c27bbc Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sun, 23 Feb 2025 15:32:31 -0800 Subject: [PATCH 14/15] feat: `/helm-diff` command --- docs/src/core/infrastructure/runbooks.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/src/core/infrastructure/runbooks.md b/docs/src/core/infrastructure/runbooks.md index a709a90cf..368ad3e44 100644 --- a/docs/src/core/infrastructure/runbooks.md +++ b/docs/src/core/infrastructure/runbooks.md 
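Review bot: The staff Ingress still reads `cert-manager.io/issuer: {{ .Values.issuerName }}` (context line in this hunk), while patch 04 put the main Ingress back on `{{ .Values.issuer }}`. If the app values define only `issuer`, this annotation renders empty, no certificate is requested for the staff host, and the host falls back to whatever certificate the controller serves by default. I would use `{{ .Values.issuer }}` here as well. The new `auth-url` and `auth-signin` values also render as `https://staff./oauth2/...` when `host` is unset, so wrapping the value in Helm's `required` would make that fail at template time. The `metadata` block begins above this hunk.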
@@ -21,6 +21,24 @@ k create job --from cronjob/bt-prod-datapuller-courses bt-prod-datapuller-courses-manual-01 ``` +## Previewing Infrastructural Changes with `/helm-diff` before deployment + +The `/helm-diff` command can be used in pull request comments to preview Helm changes before they are deployed. This is particularly useful when: + +1. Making changes to Helm chart values in `infra/app` or `infra/base` +2. Upgrading Helm chart versions or dependencies +3. Modifying Kubernetes resource configurations + +To use it: +1. Comment `/helm-diff` on any pull request +2. The workflow will generate a diff showing: + - Changes to both app and base charts + - Resource modifications (deployments, services, etc.) + - Configuration updates + +The diff output is formatted as collapsible sections for each resource, with a raw diff available at the bottom for detailed inspection. + + ## Uninstall ALL development helm releases ```sh From 6f7c6910b93989a12aa968945f79ac58be98373f Mon Sep 17 00:00:00 2001 From: adit-bala Date: Sun, 23 Feb 2025 15:32:47 -0800 Subject: [PATCH 15/15] Revert "feat: `/helm-diff` command" This reverts commit a067878f1a3639151b7704ac41582f5f83c27bbc. --- docs/src/core/infrastructure/runbooks.md | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/docs/src/core/infrastructure/runbooks.md b/docs/src/core/infrastructure/runbooks.md index 368ad3e44..a709a90cf 100644 --- a/docs/src/core/infrastructure/runbooks.md +++ b/docs/src/core/infrastructure/runbooks.md 
@@ -21,24 +21,6 @@ k create job --from cronjob/bt-prod-datapuller-courses bt-prod-datapuller-courses-manual-01 ``` -## Previewing Infrastructural Changes with `/helm-diff` before deployment - -The `/helm-diff` command can be used in pull request comments to preview Helm changes before they are deployed. This is particularly useful when: - -1. Making changes to Helm chart values in `infra/app` or `infra/base` -2. Upgrading Helm chart versions or dependencies -3. Modifying Kubernetes resource configurations - -To use it: -1. Comment `/helm-diff` on any pull request -2. The workflow will generate a diff showing: - - Changes to both app and base charts - - Resource modifications (deployments, services, etc.) - - Configuration updates - -The diff output is formatted as collapsible sections for each resource, with a raw diff available at the bottom for detailed inspection. - - ## Uninstall ALL development helm releases ```sh