fix(dex): Kill it

helmfile.d/dex.yaml.gotmpl

@@ -1,44 +0,0 @@
-# yaml-language-server: $schema=https://www.schemastore.org/helmfile.json
-
-bases:
-- ../envs/environments.yaml.gotmpl
-
-repositories:
-- name: dex
-  url: https://charts.dexidp.io
-
-commonLabels:
-  tier: system
-
-releases:
-- name: dex
-  namespace: dex
-  chart: dex/dex
-  version: 0.19.0
-  condition: dex.enabled
-  values:
-  - ../values/dex/values/values.yaml
-  postRenderer: ../bin/kustomizer
-  postRendererArgs:
-  - ../values/dex/kustomize/{{ .Environment.Name }}
-  missingFileHandler: Info
-- name: manifests
-  namespace: dex
-  chart: manifests
-  condition: dex.enabled
-  missingFileHandler: Info
-  values:
-  - ../values/env.yaml
-  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/dex/env.yaml.gotmpl
-  - ../values/dex/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
-  hooks:
-  - events: [ prepare, cleanup ]
-    showlogs: true
-    command: ../bin/helmify
-    args:
-    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
-    - '{{`{{ .Release.Chart }}`}}'
-    - '{{`{{ .Environment.Name }}`}}'
-    - ../values/dex/manifests
-    - manifests

values/dex/env-hel1.yaml.gotmpl

@@ -1,2 +0,0 @@
-dex:
-  enabled: false

values/dex/env-oceanbox.yaml.gotmpl

@@ -1,2 +0,0 @@
-dex:
-  enabled: true

values/dex/env.yaml.gotmpl

@@ -1,3 +0,0 @@
-dex:
-  enabled: false
-  autosync: false

values/dex/manifests/db.yaml

@@ -1,57 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: dex-db
-  namespace: dex
-spec:
-  # TODO: scale to 2 instances for HA
-  instances: 1
-  imageName: ghcr.io/cloudnative-pg/postgresql:17
-  storage:
-    resizeInUseVolumes: true
-    size: 10Gi
----
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
-  name: tos-store
-  namespace: dex
-spec:
-  retentionPolicy: "7d"
-  configuration:
-    destinationPath: s3://cnpg/dex-db
-    endpointURL: http://10.255.241.30:30080
-    s3Credentials:
-      accessKeyId:
-        name: cnpg-s3
-        key: access_key
-      secretAccessKey:
-        name: cnpg-s3
-        key: access_secret
-    wal:
-      compression: snappy
----
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
-  name: dex-db
-  namespace: dex
-spec:
-  schedule: "0 0 1 * * *"
-  backupOwnerReference: self
-  cluster:
-    name: dex-db
-  method: plugin
-  pluginConfiguration:
-    name: barman-cloud.cloudnative-pg.io
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: dex-db-monitor
-spec:
-  selector:
-    matchLabels:
-      cnpg.io/cluster: dex-db
-  podMetricsEndpoints:
-  - port: metrics

values/dex/manifests/dex.yaml

@@ -1,40 +0,0 @@
-{{- if .Values.clusterConfig.argo.enabled }}
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dex
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: dex
-    server: https://kubernetes.default.svc
-  project: sys
-  sources:
-  - repoURL: {{ .Values.clusterConfig.manifests }}
-    targetRevision: HEAD
-    path: helmfile.d
-    plugin:
-      name: helmfile-cmp
-      env:
-      - name: CLUSTER_NAME
-        value: {{ .Values.clusterConfig.cluster }}
-      - name: HELMFILE_ENVIRONMENT
-        value: default
-      - name: HELMFILE_FILE_PATH
-        value: dex.yaml.gotmpl
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        component: sys
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    {{- if .Values.dex.autosync }}
-    automated:
-      prune: true
-    {{- end }}
-{{- end }}

values/dex/values/values.yaml

@@ -1,185 +0,0 @@
-replicaCount: 1
-
-config:
-  issuer: https://auth.adm.oceanbox.io
-  storage:
-    type: postgres
-    config:
-      host: dex-db-rw
-      port: 5432
-      database: app
-      user: $DEX_DB_USER
-      password: $DEX_DB_PASSWORD
-      ssl:
-        mode: disable
-  web:
-    http: 0.0.0.0:5556
-    # allowedOrigins: ['*']
-  frontend:
-    # theme: light
-    theme: coreos
-    issuer: "Oceanbox"
-    issuerUrl: "https://oceanbox.io"
-  #   logoURL: theme/logo.png
-  #   dir: ""
-  telemetry:
-    http: 0.0.0.0:5558
-  oauth2:
-    skipApprovalScreen: true
-  expiry:
-    idTokens: "12h"
-    authRequests: "30m"
-    refreshTokens:
-      validIfNotUsedFor: "168h"
-      absoluteLifetime: "720h"
-
-  connectors:
-    - type: microsoft
-      id: microsoft
-      name: Microsoft
-      config:
-        clientID: "43667ac0-37e1-422f-99fc-50a699bb255c"
-        clientSecret: $MICROSOFT_CLIENT_SECRET
-        redirectURI: https://auth.adm.oceanbox.io/callback
-
-  staticClients:
-    # - id: dex
-    #   name: Dex
-    #   secret: $CLIENT_SECRET_DEX
-    #   redirectURIs:
-    #   - https://idp.beta.oceanbox.io/dex/callback
-    #   - https://idp.dev.oceanbox.io/dex/callback
-    #   - https://idp.oceanbox.io/dex/callback
-    #   - https://idp.srv.oceanbox.io/dex/callback
-    # - id: atlantis
-    # name: Atlantis
-    # secret: $CLIENT_SECRET_ATLANTIS
-    # redirectURIs:
-    # - https://maps.beta.oceanbox.io/signin-oidc
-    # - https://codex.adm.oceanbox.io/signin-oidc
-    # - https://maps.oceanbox.io/signin-oidc
-    # - https://oceanbox.app/signin-oidc
-    # - https://atlantis.srv.oceanbox.io/signin-oidc
-
-    - id: atlantis_dev
-      name: Atlantis (dev)
-      secret: $CLIENT_SECRET_ATLANTIS_DEV
-      redirectURIs:
-        - https://maps.dev.oceanbox.io/signin-oidc
-        - https://atlantis.local.oceanbox.io:8080/signin-oidc
-        - https://codex.local.oceanbox.io:8080/signin-oidc
-        - https://simkir-maps.dev.oceanbox.io/signin-oidc
-        - https://jonas-atlantis.dev.oceanbox.io/signin-oidc
-        - https://atlantis.beta.oceanbox.io/signin-oidc
-        - https://stig-atlantis.dev.oceanbox.io/signin-oidc
-        - https://codex.local.oceanbox.io:10380/signin-oidc
-        - https://ole-atlantis.dev.oceanbox.io/signin-oidc
-        - https://bast-atlantis.dev.oceanbox.io/signin-oidc
-        - https://mrtz-atlantis.dev.oceanbox.io/signin-oidc
-        - https://codex.dev.tos.obx/signin-oidc
-        - https://simkir-codex.dev.oceanbox.io/signin-oidc
-        - https://simkir-atlantis.dev.oceanbox.io/signin-oidc
-        - https://codex.dev.oceanbox.io/signin-oidc
-
-    # - id: sorcerer
-    # name: Sorcerer
-    # secret: $CLIENT_SECRET_SORCERER
-    # redirectURIs:
-    # - https://sorcerer.vtn.oceanbox.io/signin-oidc
-    # - https://sorcerer.beta.ekman.oceanbox.io/signin-oidc
-    # - https://sorcerer.ekman.oceanbox.io/signin-oidc
-    # - https://sorcerer.data.oceanbox.io/signin-oidc
-
-    - id: sorcerer_dev
-      name: Sorcerer (dev)
-      secret: $CLIENT_SECRET_SORCERER_DEV
-      redirectURIs:
-        - https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc
-        - https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc
-        - https://stig-sorcerer.dev.vtn.obx/signin-oidc
-        - https://simkir-sorcerer.dev.vtn.obx/signin-oidc
-        - https://ole-sorcerer.ekman.oceanbox.io/signin-oidc
-        - https://sorcerer.vtn.oceanbox.io/signin-oidc
-        - https://mrtz-sorcerer.dev.vtn.obx/signin-oidc
-        - https://sorcerer.ekman.oceanbox.io/signin-oidc
-        - https://bast-sorcerer.ekman.oceanbox.io/signin-oidc
-        - https://sorcerer.data.oceanbox.io/signin-oidc
-        - https://ole-sorcerer.dev.vtn.obx/signin-oidc
-        - https://stig-sorcerer.ekman.oceanbox.io/signin-oidc
-
-envVars:
-  - name: DEX_DB_USER
-    valueFrom:
-      secretKeyRef:
-        name: dex-db-app
-        key: username
-  - name: DEX_DB_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: dex-db-app
-        key: password
-  - name: MICROSOFT_CLIENT_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: dex-microsoft
-        key: clientSecret
-  # - name: CLIENT_SECRET_DEX
-  #   valueFrom:
-  #     secretKeyRef:
-  #       name: dex-clients
-  #       key: dex
-  # - name: CLIENT_SECRET_ATLANTIS
-  #   valueFrom:
-  #     secretKeyRef:
-  #       name: dex-clients
-  #       key: atlantis
-  - name: CLIENT_SECRET_ATLANTIS_DEV
-    valueFrom:
-      secretKeyRef:
-        name: dex-clients
-        key: atlantis_dev
-  # - name: CLIENT_SECRET_SORCERER
-  #   valueFrom:
-  #     secretKeyRef:
-  #       name: dex-clients
-  #       key: sorcerer
-  - name: CLIENT_SECRET_SORCERER_DEV
-    valueFrom:
-      secretKeyRef:
-        name: dex-clients
-        key: sorcerer_dev
-
-ingress:
-  enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    # CORS: allow browser-based OIDC flows (e.g. token introspection, JWKS fetch)
-    # nginx-ingress treats non-"*" cors-allow-origin values as a regex pattern used in:
-    #   if ($http_origin ~* "PATTERN") { add_header 'Access-Control-Allow-Origin' $http_origin; }
-    # This is required because browsers reject Access-Control-Allow-Origin: * with credentialed requests.
-    # TODO: migrate to Gateway API HTTPRoute with ResponseHeaderModifier + cors policy filter when cilium gateway supports it cluster-wide
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-origin: "https://.*\\.oceanbox\\.io"
-    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
-    nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
-  hosts:
-    - host: auth.adm.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - secretName: auth.adm.oceanbox.io-tls
-      hosts:
-        - auth.adm.oceanbox.io
-
-resources:
-  limits:
-    cpu: 500m
-    memory: 512Mi
-  requests:
-    cpu: 100m
-    memory: 128Mi