feat: split access groups for admins, devs and analytics
@@ -43,7 +43,7 @@ configs:
|
|||||||
connectors:
|
connectors:
|
||||||
{{- with .Values.clusterConfig.oidc }}
|
{{- with .Values.clusterConfig.oidc }}
|
||||||
{{- range . }}
|
{{- range . }}
|
||||||
{{- if eq .provider "azuread" }}
|
{{- if eq .group "devel" }}
|
||||||
- type: oidc
|
- type: oidc
|
||||||
id: {{ .name }}
|
id: {{ .name }}
|
||||||
name: {{ .name }}
|
name: {{ .name }}
|
||||||
|
|||||||
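Review bot: The new condition `{{- if eq .group "devel" }}` drops the provider check, so a `devel` entry whose `provider` is not `azuread` would still be rendered as this oidc connector even though the connector body (which continues past the hunk) presumably fills azuread-specific fields. Keeping both checks, `{{- if and (eq .group "devel") (eq .provider "azuread") }}`, preserves the previous guarantee. Only the `devel` group now gets a dex connector at all, which is worth stating next to the condition, e.g. `{{/* dex only exposes the devel access group; other groups are not rendered here */}}`. The enclosing `with`/`range` blocks close outside the hunk.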
+6
-13
@@ -8,22 +8,15 @@ clusterConfig:
|
|||||||
initca: "/var/lib/kubernetes/secrets"
|
initca: "/var/lib/kubernetes/secrets"
|
||||||
apiserver: "ekman-manage"
|
apiserver: "ekman-manage"
|
||||||
apiserverip: "10.255.241.99"
|
apiserverip: "10.255.241.99"
|
||||||
etcd_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99" ]
|
etcd_nodes: ["10.255.241.80, 10.255.241.90, 10.255.241.99"]
|
||||||
k8s_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128" ]
|
k8s_nodes:
|
||||||
|
[
|
||||||
|
"10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128",
|
||||||
|
]
|
||||||
cluster: "ekman"
|
cluster: "ekman"
|
||||||
ingress_nodes: ["ekman , ekman-manage" ]
|
ingress_nodes: ["ekman , ekman-manage"]
|
||||||
ingress_replica_count: 2
|
ingress_replica_count: 2
|
||||||
fileserver: "10.255.241.100"
|
fileserver: "10.255.241.100"
|
||||||
acme:
|
|
||||||
email: "acme@oceanbox.io"
|
|
||||||
dns01: "namecheap-apikey"
|
|
||||||
oidc:
|
|
||||||
- name: oceanbox
|
|
||||||
provider: azuread
|
|
||||||
tenant: "3f737008-e9a0-4485-9d27-40329d288089"
|
|
||||||
secret_ref:
|
|
||||||
name: oceanbox-oidc
|
|
||||||
group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
|
|
||||||
nodes:
|
nodes:
|
||||||
- name: ekman-manage
|
- name: ekman-manage
|
||||||
taints: []
|
taints: []
|
||||||
|
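Review bot: Deleting this cluster's `oidc:` list (the `oceanbox`/`azuread` entry with its `tenant` and `group_id`) means the cluster now inherits whatever the chart's default `oidc` list holds; the same deletion is made in the `@@ -6,22 +6,15 @@` and `@@ -8,28 +8,21 @@` hunks, and the chart default added in the `@@ -26,19 +23,31 @@` hunk defines the `devel` entry with `group_id: ""`, so each of these clusters picks up that unrestricted-looking entry unless it is overridden elsewhere. It would be safer to keep an explicit per-cluster `oidc:` with the real group object IDs, or at least document the inheritance with a comment such as `# oidc: inherited from the chart default values` next to `fileserver`. Separately, the reformatted `etcd_nodes`/`k8s_nodes` values remain one comma-joined string inside a one-element flow list (`["10.255.241.80, 10.255.241.90, 10.255.241.99"]`), and `["ekman , ekman-manage"]` keeps a stray space; if the templates expect a YAML list of hosts these yield a single element, so both are worth checking against the consuming templates.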
|||||||
@@ -6,22 +6,15 @@ clusterConfig:
|
|||||||
initca: ""
|
initca: ""
|
||||||
apiserver: ""
|
apiserver: ""
|
||||||
apiserverip: ""
|
apiserverip: ""
|
||||||
etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
|
etcd_nodes: ["10.255.241.201, 10.255.241.202, 10.255.241.203"]
|
||||||
k8s_nodes: [ "" ]
|
k8s_nodes: [""]
|
||||||
cluster: "oceanbox"
|
cluster: "oceanbox"
|
||||||
ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
|
ingress_nodes:
|
||||||
|
[
|
||||||
|
"oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3",
|
||||||
|
]
|
||||||
ingress_replica_count: 3
|
ingress_replica_count: 3
|
||||||
fileserver: "10.255.241.210"
|
fileserver: "10.255.241.210"
|
||||||
acme:
|
|
||||||
email: "acme@oceanbox.io"
|
|
||||||
dns01: "namecheap-apikey"
|
|
||||||
oidc:
|
|
||||||
- name: oceanbox
|
|
||||||
provider: azuread
|
|
||||||
tenant: "3f737008-e9a0-4485-9d27-40329d288089"
|
|
||||||
secret_ref:
|
|
||||||
name: oceanbox-oidc
|
|
||||||
group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
|
|
||||||
s3:
|
s3:
|
||||||
hosts: []
|
hosts: []
|
||||||
patterns: []
|
patterns: []
|
||||||
|
|||||||
+7
-14
@@ -8,28 +8,21 @@ clusterConfig:
|
|||||||
initca: "/var/lib/kubernetes/secrets"
|
initca: "/var/lib/kubernetes/secrets"
|
||||||
apiserver: "rossby-manage"
|
apiserver: "rossby-manage"
|
||||||
apiserverip: "172.16.239.221"
|
apiserverip: "172.16.239.221"
|
||||||
etcd_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210" ]
|
etcd_nodes: ["172.16.239.221, 172.16.239.222, 172.16.239.210"]
|
||||||
k8s_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130" ]
|
k8s_nodes:
|
||||||
|
[
|
||||||
|
"172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130",
|
||||||
|
]
|
||||||
cluster: "rossby"
|
cluster: "rossby"
|
||||||
ingress_nodes: ["rossby, rossby-manage" ]
|
ingress_nodes: ["rossby, rossby-manage"]
|
||||||
ingress_replica_count: 2
|
ingress_replica_count: 2
|
||||||
ingress_clusterissuer: ca-issuer
|
ingress_clusterissuer: ca-issuer
|
||||||
ingress_whitelist:
|
ingress_whitelist:
|
||||||
- 0.0.0.0/0
|
- 0.0.0.0/0
|
||||||
ingress_hostnetwork: true
|
ingress_hostnetwork: true
|
||||||
ingress_hostport: false
|
ingress_hostport: false
|
||||||
ingress_nodeport: false
|
ingress_nodeport: false
|
||||||
fileserver: "172.16.239.222"
|
fileserver: "172.16.239.222"
|
||||||
acme:
|
|
||||||
email: "acme@oceanbox.io"
|
|
||||||
dns01: "namecheap-apikey"
|
|
||||||
oidc:
|
|
||||||
- name: oceanbox
|
|
||||||
provider: azuread
|
|
||||||
tenant: "3f737008-e9a0-4485-9d27-40329d288089"
|
|
||||||
secret_ref:
|
|
||||||
name: oceanbox-oidc
|
|
||||||
group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
|
|
||||||
nodes:
|
nodes:
|
||||||
- name: rossby-manage
|
- name: rossby-manage
|
||||||
taints: []
|
taints: []
|
||||||
|
|||||||
+25
-16
@@ -11,9 +11,6 @@ clusterConfig:
|
|||||||
ingress_nodes: []
|
ingress_nodes: []
|
||||||
ingress_replica_count: 3
|
ingress_replica_count: 3
|
||||||
fileserver: ""
|
fileserver: ""
|
||||||
acme:
|
|
||||||
email: "acme@oceanbox.io"
|
|
||||||
dns01: ""
|
|
||||||
nodenames: []
|
nodenames: []
|
||||||
nodes: []
|
nodes: []
|
||||||
ingress_clusterissuer: "letsencrypt-production"
|
ingress_clusterissuer: "letsencrypt-production"
|
||||||
@@ -26,19 +23,31 @@ clusterConfig:
|
|||||||
ingress_hostnetwork: false
|
ingress_hostnetwork: false
|
||||||
ingress_hostport: false
|
ingress_hostport: false
|
||||||
ingress_nodeport: true
|
ingress_nodeport: true
|
||||||
oidc: []
|
acme:
|
||||||
#- name: azure
|
email: "acme@oceanbox.io"
|
||||||
# provider: azuread
|
dns01: "namecheap-apikey"
|
||||||
# tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
|
oidc:
|
||||||
# secret_ref:
|
- group: admin
|
||||||
# name: azure-oidc
|
name: oceanbox
|
||||||
# group_id: "<group_id>"
|
provider: azuread
|
||||||
#- name: github
|
tenant: "3f737008-e9a0-4485-9d27-40329d288089"
|
||||||
# provider: github
|
secret_ref:
|
||||||
# secret_ref:
|
name: oceanbox-oidc
|
||||||
# name: github-oidc
|
group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
|
||||||
# allowed_organizations: <org>
|
- group: devel
|
||||||
# allowed_teams: <team-id>
|
name: oceanbox
|
||||||
|
provider: azuread
|
||||||
|
tenant: "3f737008-e9a0-4485-9d27-40329d288089"
|
||||||
|
secret_ref:
|
||||||
|
name: oceanbox-oidc
|
||||||
|
group_id: ""
|
||||||
|
- group: analytics
|
||||||
|
name: oceanbox
|
||||||
|
provider: azuread
|
||||||
|
tenant: "3f737008-e9a0-4485-9d27-40329d288089"
|
||||||
|
secret_ref:
|
||||||
|
name: oceanbox-oidc
|
||||||
|
group_id: "52bb4c7e-549c-4aed-bd95-9dcedf716f9f"
|
||||||
s3:
|
s3:
|
||||||
hosts: []
|
hosts: []
|
||||||
patterns: []
|
patterns: []
|
||||||
|
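Review bot: The new `devel` entry sets `group_id: ""` while the dex connector template now selects exactly this group, so if the connector passes `.group_id` through as its allowed-groups restriction (that part of the template is outside this diff) an empty value is likely to disable group filtering and let any user in the tenant sign in as devel. Either fill in the real group object ID or make the template refuse to render an empty one, e.g. with Helm's `required` function where the connector consumes `.group_id`. All three entries share `name: oceanbox`, and dex uses `.name` as the connector `id`, so if a second group is ever selected for dex the connector ids would collide; a short comment above the list, `# one entry per access group; the group key selects which template consumes the entry`, would make the intended contract explicit.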
|||||||
@@ -122,7 +122,7 @@ grafana:
|
|||||||
users:
|
users:
|
||||||
auto_assign_org_role: "Admin"
|
auto_assign_org_role: "Admin"
|
||||||
{{- range .Values.clusterConfig.oidc }}
|
{{- range .Values.clusterConfig.oidc }}
|
||||||
{{- if eq .provider "azuread" }}
|
{{- if eq .group "analytics" }}
|
||||||
auth.{{ .provider }}:
|
auth.{{ .provider }}:
|
||||||
enabled: true
|
enabled: true
|
||||||
name: {{ .name }}
|
name: {{ .name }}
|
||||||
|
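Review bot: Enabling `auth.azuread` for the `analytics` group while the context line `auto_assign_org_role: "Admin"` is kept means, as far as the visible config shows, every member of that group is created as an org Admin on first login. If analytics users only need to read dashboards, lower that default (`auto_assign_org_role: "Viewer"`) or assign roles explicitly, and record the decision next to the condition, e.g. `{{/* analytics group signs in to grafana; org role comes from auto_assign_org_role */}}`. The provider check was also dropped, so an `analytics` entry with a non-azuread provider would render a differently named `auth.<provider>` block; `{{- if and (eq .group "analytics") (eq .provider "azuread") }}` keeps the previous restriction if that was intended. The `range` block closes outside the hunk.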
|||||||