ecamp · BacLuc · Dec 3, 2024 · Nov 2, 2024
diff --git a/.github/workflows/deploy-ops-dashboard.yml b/.github/workflows/deploy-ops-dashboard.yml
@@ -0,0 +1,64 @@
+name: Deploy ops-dashboard
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Choose environment'
+        type: environment
+        required: true
+
+jobs:
+  deploy-ops-dashboard:
+    name: "Deploy ops-dashboard"
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.environment }}
+    steps:
+      - name: Validate environment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            if (!"${{ github.event.inputs.environment }}".startsWith("ops-dashboard")) {
+                throw new Error("Environment must start with 'ops-dashboard'");
+            }
+
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Dump secrets to .env
+        run: |
+          echo '${{ toJSON(secrets) }}' | jq -r 'keys[] as $k | select(.[$k] |contains("\n") | not) | "\($k)=\"\(.[$k])\""' >> .env
+        working-directory: .ops/ops-dashboard
+
+      - name: Dump variables to .env
+        run: |  
+          echo '${{ toJSON(vars) }}' | jq -r 'keys[] as $k | select(.[$k] |contains("\n") | not) | "\($k)=\"\(.[$k])\""' >> .env
+        working-directory: .ops/ops-dashboard
+
+      - name: Show .env for debugging
+        run: echo "$(cat .env | sort)"
+        working-directory: .ops/ops-dashboard
+
+      - name: Setup helm
+        run: |
+          mkdir ~/.kube && echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config && chmod go-r ~/.kube/config
+
+      - name: Add helm repositories
+        run: |
+          helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
+          helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+          helm repo update
+
+      - name: Diff deployment
+        run: |
+          ./deploy.sh diff || true
+        working-directory: .ops/ops-dashboard
+
+      - name: Show values.out.yaml
+        run: cat values.out.yaml
+        working-directory: .ops/ops-dashboard
+
+      - name: Deploy
+        run: |
+          ./deploy.sh deploy
+        working-directory: .ops/ops-dashboard
diff --git a/.ops/ops-dashboard/.env-example b/.ops/ops-dashboard/.env-example
@@ -0,0 +1,13 @@
+COOKIE_SECRET=
+
+GRAFANA_PROXY_HOST=
+GRAFANA_PROXY_OAUTH_CLIENT_ID=
+GRAFANA_PROXY_OAUTH_CLIENT_SECRET=
+
+KUBERNETES_DASHBOARD_PROXY_HOST=
+KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID=
+KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET=
+
+LOGGING_PROXY_HOST=
+LOGGING_PROXY_OAUTH_CLIENT_ID=
+LOGGING_PROXY_OAUTH_CLIENT_SECRET=
diff --git a/.ops/ops-dashboard/.gitignore b/.ops/ops-dashboard/.gitignore
@@ -1,2 +1,3 @@
+/.env
 /charts
-/values.access.yaml
+/values.out.yaml
diff --git a/.ops/ops-dashboard/README.md b/.ops/ops-dashboard/README.md
@@ -22,23 +22,26 @@ helm repo update
 
 ## Deployment
 
-First, make sure you don't overwrite the configuration currently applied:
+First, check what is currently applied:
 
 ```shell
 helm -n ops-dashboard get values ops-dashboard
 ```
 
-Fill in the values for values.access.yaml according to demo.values.access.yaml
+Fill in the values for .env according to .env.example
 
 ```shell
-cp demo.values.access.yaml values.access.yaml 
+cp .env-example .env
 ```
 
-To diff the deployment
+you may diff the current deployment with the one you want to do now
+
+```shell
+./deploy.sh diff
+````
+
+Deploy
+
 ```shell
-helm template \
-    --namespace ops-dashboard --no-hooks --skip-tests \
-    ops-dashboard . \
-    --values values.yaml \
-    --values values.access.yaml | kubectl diff --namespace ops-dashboard -f - | batcat -l diff -
+./deploy.sh deploy
 ```
diff --git a/.ops/ops-dashboard/demo.values.access.yaml b/.ops/ops-dashboard/demo.values.access.yaml
diff --git a/.ops/ops-dashboard/deploy.sh b/.ops/ops-dashboard/deploy.sh
@@ -1,9 +1,26 @@
-#!/bin/bash
+#!/bin/sh
 
-set -e
+set -ea
 
 SCRIPT_DIR=$(realpath "$(dirname "$0")")
 cd $SCRIPT_DIR
 
-# to debug: --dry-run --debug
-helm dep build && helm upgrade --install ops-dashboard --namespace=ops-dashboard --create-namespace $SCRIPT_DIR --values $SCRIPT_DIR/values.yaml --values $SCRIPT_DIR/values.access.yaml
+. $SCRIPT_DIR/.env
+
+envsubst < $SCRIPT_DIR/values.yaml > $SCRIPT_DIR/values.out.yaml
+
+helm dep build
+
+if [ $1 = "deploy" ]; then
+  # to debug: --dry-run --debug
+  helm upgrade --install ops-dashboard --namespace=ops-dashboard --create-namespace $SCRIPT_DIR --values $SCRIPT_DIR/values.out.yaml
+  exit 0
+fi
+
+if [ $1 = "diff" ]; then
+  helm template \
+      --namespace ops-dashboard --no-hooks --skip-tests ops-dashboard  \
+      $SCRIPT_DIR \
+      --values $SCRIPT_DIR/values.out.yaml | kubectl diff --namespace ops-dashboard -f -
+  exit 0
+fi
diff --git a/.ops/ops-dashboard/values.yaml b/.ops/ops-dashboard/values.yaml
@@ -2,24 +2,57 @@ grafana-proxy:
   ingress:
     enabled: true
     className: nginx
-  extraArgs: 
+    hosts:
+      - ${GRAFANA_PROXY_HOST}
+  extraArgs:
+    whitelist-domain: ${GRAFANA_HOST}
     provider: github
     github-org: ecamp
     upstream: http://kube-prometheus-stack-grafana.kube-prometheus-stack.svc.cluster.local:80
-kubernetes-dashboard-proxy: 
+  config:
+    # OAuth client ID
+    clientID: ${GRAFANA_PROXY_OAUTH_CLIENT_ID}
+    # OAuth client secret
+    clientSecret: ${GRAFANA_PROXY_OAUTH_CLIENT_SECRET}
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: ${COOKIE_SECRET}
+kubernetes-dashboard-proxy:
   ingress:
     enabled: true
     className: nginx
+    hosts:
+      - ${KUBERNETES_DASHBOARD_PROXY_HOST}
   extraArgs:
+    whitelist-domain: ${KUBERNETES_DASHBOARD_PROXY_HOST}
     provider: github
     github-org: ecamp
     upstream: https://ops-dashboard-kong-proxy.ops-dashboard.svc.cluster.local
     ssl-upstream-insecure-skip-verify: true
+  config:
+    # OAuth client ID
+    clientID: ${KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID}
+    # OAuth client secret
+    clientSecret: ${KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET}
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: ${COOKIE_SECRET}
 logging-proxy:
   ingress:
     enabled: true
     className: nginx
+    hosts:
+      - ${LOGGING_PROXY_HOST}
   extraArgs:
+    whitelist-domain: ${LOGGING_PROXY_HOST}
     provider: github
     github-org: ecamp
     upstream: http://kibana.ecamp3-logging.svc.cluster.local:5601
+  config:
+    # OAuth client ID
+    clientID: ${LOGGING_PROXY_OAUTH_CLIENT_ID}
+    # OAuth client secret
+    clientSecret: ${LOGGING_PROXY_OAUTH_CLIENT_SECRET}
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: ${COOKIE_SECRET}