From 14fa2447ec34f1f96080f0064717f9adca82bf0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?=
Date: Sat, 14 Mar 2026 17:55:43 +0100
Subject: [PATCH] fix(dex): Kill it
---
 helmfile.d/dex.yaml.gotmpl | 44 -------
 values/dex/env-hel1.yaml.gotmpl | 2 -
 values/dex/env-oceanbox.yaml.gotmpl | 2 -
 values/dex/env.yaml.gotmpl | 3 -
 values/dex/manifests/db.yaml | 57 --------
 values/dex/manifests/dex.yaml | 40 ------
 values/dex/values/values.yaml | 185 ----------------------------
 7 files changed, 333 deletions(-)
 delete mode 100644 helmfile.d/dex.yaml.gotmpl
 delete mode 100644 values/dex/env-hel1.yaml.gotmpl
 delete mode 100644 values/dex/env-oceanbox.yaml.gotmpl
 delete mode 100644 values/dex/env.yaml.gotmpl
 delete mode 100644 values/dex/manifests/db.yaml
 delete mode 100644 values/dex/manifests/dex.yaml
 delete mode 100644 values/dex/values/values.yaml
diff --git a/helmfile.d/dex.yaml.gotmpl b/helmfile.d/dex.yaml.gotmpl
deleted file mode 100644
index cd9559d4..00000000
--- a/helmfile.d/dex.yaml.gotmpl
+++ /dev/null
@@ -1,44 +0,0 @@
-# yaml-language-server: $schema=https://www.schemastore.org/helmfile.json
-
-bases:
-- ../envs/environments.yaml.gotmpl
-
-repositories:
-- name: dex
- url: https://charts.dexidp.io
-
-commonLabels:
- tier: system
-
-releases:
-- name: dex
- namespace: dex
- chart: dex/dex
- version: 0.19.0
- condition: dex.enabled
- values:
- - ../values/dex/values/values.yaml
- postRenderer: ../bin/kustomizer
- postRendererArgs:
- - ../values/dex/kustomize/{{ .Environment.Name }}
- missingFileHandler: Info
-- name: manifests
- namespace: dex
- chart: manifests
- condition: dex.enabled
- missingFileHandler: Info
- values:
- - ../values/env.yaml
- - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- - ../values/dex/env.yaml.gotmpl
- - ../values/dex/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
- hooks:
- - events: [ prepare, cleanup ]
- showlogs: true
- command: ../bin/helmify
- args:
- - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- - '{{`{{ .Release.Chart }}`}}'
- - '{{`{{ .Environment.Name }}`}}'
- - ../values/dex/manifests
- - manifests
diff --git a/values/dex/env-hel1.yaml.gotmpl b/values/dex/env-hel1.yaml.gotmpl
deleted file mode 100644
index beb39531..00000000
--- a/values/dex/env-hel1.yaml.gotmpl
+++ /dev/null
@@ -1,2 +0,0 @@
-dex:
- enabled: false
diff --git a/values/dex/env-oceanbox.yaml.gotmpl b/values/dex/env-oceanbox.yaml.gotmpl
deleted file mode 100644
index 822821bb..00000000
--- a/values/dex/env-oceanbox.yaml.gotmpl
+++ /dev/null
@@ -1,2 +0,0 @@
-dex:
- enabled: true
diff --git a/values/dex/env.yaml.gotmpl b/values/dex/env.yaml.gotmpl
deleted file mode 100644
index 3ffe792d..00000000
--- a/values/dex/env.yaml.gotmpl
+++ /dev/null
@@ -1,3 +0,0 @@
-dex:
- enabled: false
- autosync: false
diff --git a/values/dex/manifests/db.yaml b/values/dex/manifests/db.yaml
deleted file mode 100644
index b21a8f78..00000000
--- a/values/dex/manifests/db.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
- name: dex-db
- namespace: dex
-spec:
- # TODO: scale to 2 instances for HA
- instances: 1
- imageName: ghcr.io/cloudnative-pg/postgresql:17
- storage:
- resizeInUseVolumes: true
- size: 10Gi
----
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
- name: tos-store
- namespace: dex
-spec:
- retentionPolicy: "7d"
- configuration:
- destinationPath: s3://cnpg/dex-db
- endpointURL: http://10.255.241.30:30080
- s3Credentials:
- accessKeyId:
- name: cnpg-s3
- key: access_key
- secretAccessKey:
- name: cnpg-s3
- key: access_secret
- wal:
- compression: snappy
----
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: dex-db
- namespace: dex
-spec:
- schedule: "0 0 1 * * *"
- backupOwnerReference: self
- cluster:
- name: dex-db
- method: plugin
- pluginConfiguration:
- name: barman-cloud.cloudnative-pg.io
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: dex-db-monitor
-spec:
- selector:
- matchLabels:
- cnpg.io/cluster: dex-db
- podMetricsEndpoints:
- - port: metrics
diff --git a/values/dex/manifests/dex.yaml b/values/dex/manifests/dex.yaml
deleted file mode 100644
index e5491560..00000000
--- a/values/dex/manifests/dex.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if .Values.clusterConfig.argo.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: dex
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- destination:
- namespace: dex
- server: https://kubernetes.default.svc
- project: sys
- sources:
- - repoURL: {{ .Values.clusterConfig.manifests }}
- targetRevision: HEAD
- path: helmfile.d
- plugin:
- name: helmfile-cmp
- env:
- - name: CLUSTER_NAME
- value: {{ .Values.clusterConfig.cluster }}
- - name: HELMFILE_ENVIRONMENT
- value: default
- - name: HELMFILE_FILE_PATH
- value: dex.yaml.gotmpl
- syncPolicy:
- managedNamespaceMetadata:
- labels:
- component: sys
- syncOptions:
- - CreateNamespace=true
- - ApplyOutOfSyncOnly=true
- {{- if .Values.dex.autosync }}
- automated:
- prune: true
- {{- end }}
-{{- end }}
diff --git a/values/dex/values/values.yaml b/values/dex/values/values.yaml
deleted file mode 100644
index 54f1c98a..00000000
--- a/values/dex/values/values.yaml
+++ /dev/null
@@ -1,185 +0,0 @@
-replicaCount: 1
-
-config:
- issuer: https://auth.adm.oceanbox.io
- storage:
- type: postgres
- config:
- host: dex-db-rw
- port: 5432
- database: app
- user: $DEX_DB_USER
- password: $DEX_DB_PASSWORD
- ssl:
- mode: disable
- web:
- http: 0.0.0.0:5556
- # allowedOrigins: ['*']
- frontend:
- # theme: light
- theme: coreos
- issuer: "Oceanbox"
- issuerUrl: "https://oceanbox.io"
- # logoURL: theme/logo.png
- # dir: ""
- telemetry:
- http: 0.0.0.0:5558
- oauth2:
- skipApprovalScreen: true
- expiry:
- idTokens: "12h"
- authRequests: "30m"
- refreshTokens:
- validIfNotUsedFor: "168h"
- absoluteLifetime: "720h"
-
- connectors:
- - type: microsoft
- id: microsoft
- name: Microsoft
- config:
- clientID: "43667ac0-37e1-422f-99fc-50a699bb255c"
- clientSecret: $MICROSOFT_CLIENT_SECRET
- redirectURI: https://auth.adm.oceanbox.io/callback
-
- staticClients:
- # - id: dex
- # name: Dex
- # secret: $CLIENT_SECRET_DEX
- # redirectURIs:
- # - https://idp.beta.oceanbox.io/dex/callback
- # - https://idp.dev.oceanbox.io/dex/callback
- # - https://idp.oceanbox.io/dex/callback
- # - https://idp.srv.oceanbox.io/dex/callback
- # - id: atlantis
- # name: Atlantis
- # secret: $CLIENT_SECRET_ATLANTIS
- # redirectURIs:
- # - https://maps.beta.oceanbox.io/signin-oidc
- # - https://codex.adm.oceanbox.io/signin-oidc
- # - https://maps.oceanbox.io/signin-oidc
- # - https://oceanbox.app/signin-oidc
- # - https://atlantis.srv.oceanbox.io/signin-oidc
-
- - id: atlantis_dev
- name: Atlantis (dev)
- secret: $CLIENT_SECRET_ATLANTIS_DEV
- redirectURIs:
- - https://maps.dev.oceanbox.io/signin-oidc
- - https://atlantis.local.oceanbox.io:8080/signin-oidc
- - https://codex.local.oceanbox.io:8080/signin-oidc
- - https://simkir-maps.dev.oceanbox.io/signin-oidc
- - https://jonas-atlantis.dev.oceanbox.io/signin-oidc
- - https://atlantis.beta.oceanbox.io/signin-oidc
- - https://stig-atlantis.dev.oceanbox.io/signin-oidc
- - https://codex.local.oceanbox.io:10380/signin-oidc
- - https://ole-atlantis.dev.oceanbox.io/signin-oidc
- - https://bast-atlantis.dev.oceanbox.io/signin-oidc
- - https://mrtz-atlantis.dev.oceanbox.io/signin-oidc
- - https://codex.dev.tos.obx/signin-oidc
- - https://simkir-codex.dev.oceanbox.io/signin-oidc
- - https://simkir-atlantis.dev.oceanbox.io/signin-oidc
- - https://codex.dev.oceanbox.io/signin-oidc
-
- # - id: sorcerer
- # name: Sorcerer
- # secret: $CLIENT_SECRET_SORCERER
- # redirectURIs:
- # - https://sorcerer.vtn.oceanbox.io/signin-oidc
- # - https://sorcerer.beta.ekman.oceanbox.io/signin-oidc
- # - https://sorcerer.ekman.oceanbox.io/signin-oidc
- # - https://sorcerer.data.oceanbox.io/signin-oidc
-
- - id: sorcerer_dev
- name: Sorcerer (dev)
- secret: $CLIENT_SECRET_SORCERER_DEV
- redirectURIs:
- - https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc
- - https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc
- - https://stig-sorcerer.dev.vtn.obx/signin-oidc
- - https://simkir-sorcerer.dev.vtn.obx/signin-oidc
- - https://ole-sorcerer.ekman.oceanbox.io/signin-oidc
- - https://sorcerer.vtn.oceanbox.io/signin-oidc
- - https://mrtz-sorcerer.dev.vtn.obx/signin-oidc
- - https://sorcerer.ekman.oceanbox.io/signin-oidc
- - https://bast-sorcerer.ekman.oceanbox.io/signin-oidc
- - https://sorcerer.data.oceanbox.io/signin-oidc
- - https://ole-sorcerer.dev.vtn.obx/signin-oidc
- - https://stig-sorcerer.ekman.oceanbox.io/signin-oidc
-
-envVars:
- - name: DEX_DB_USER
- valueFrom:
- secretKeyRef:
- name: dex-db-app
- key: username
- - name: DEX_DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: dex-db-app
- key: password
- - name: MICROSOFT_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: dex-microsoft
- key: clientSecret
- # - name: CLIENT_SECRET_DEX
- # valueFrom:
- # secretKeyRef:
- # name: dex-clients
- # key: dex
- # - name: CLIENT_SECRET_ATLANTIS
- # valueFrom:
- # secretKeyRef:
- # name: dex-clients
- # key: atlantis
- - name: CLIENT_SECRET_ATLANTIS_DEV
- valueFrom:
- secretKeyRef:
- name: dex-clients
- key: atlantis_dev
- # - name: CLIENT_SECRET_SORCERER
- # valueFrom:
- # secretKeyRef:
- # name: dex-clients
- # key: sorcerer
- - name: CLIENT_SECRET_SORCERER_DEV
- valueFrom:
- secretKeyRef:
- name: dex-clients
- key: sorcerer_dev
-
-ingress:
- enabled: true
- className: nginx
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/backend-protocol: HTTP
- # CORS: allow browser-based OIDC flows (e.g. token introspection, JWKS fetch)
- # nginx-ingress treats non-"*" cors-allow-origin values as a regex pattern used in:
- # if ($http_origin ~* "PATTERN") { add_header 'Access-Control-Allow-Origin' $http_origin; }
- # This is required because browsers reject Access-Control-Allow-Origin: * with credentialed requests.
- # TODO: migrate to Gateway API HTTPRoute with ResponseHeaderModifier + cors policy filter when cilium gateway supports it cluster-wide
- nginx.ingress.kubernetes.io/enable-cors: "true"
- nginx.ingress.kubernetes.io/cors-allow-origin: "https://.*\\.oceanbox\\.io"
- nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
- nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
- nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
- hosts:
- - host: auth.adm.oceanbox.io
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls:
- - secretName: auth.adm.oceanbox.io-tls
- hosts:
- - auth.adm.oceanbox.io
-
-resources:
- limits:
- cpu: 500m
- memory: 512Mi
- requests:
- cpu: 100m
- memory: 128Mi