Merge branch '1040-deploy-dashboard-chart-with-flux' into 'main'

Resolve "Deploy dashboard chart with flux" Closes #1044 and #1040 See merge request stackspin/stackspin!623

Merge branch '1040-deploy-dashboard-chart-with-flux' into 'main'
Resolve "Deploy dashboard chart with flux" Closes #1044 and #1040 See merge request stackspin/stackspin!623
068e39a9 · Varac · ae8c9c97 · f2f4826f · 068e39a9 · 068e39a9
Commit 068e39a9 authored 3 years ago by Varac
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -128,30 +128,6 @@ include:
  extends:
    - .general_rules

-.rocketchat_rules:
-  rules:
-    - changes:
-        - flux2/apps/$RESOURCE/*.yaml
-        - flux2/cluster/optional/$RESOURCE/*.yaml
-        - install/install-app.sh
-        - test/taiko/*
-    - if: '$TRIGGER_JOBS =~ /enable-rocketchat/'
-    - if: '$CI_COMMIT_MESSAGE =~ /TRIGGER_JOBS=.*enable-rocketchat/'
-    # Because we're replacing Rocket.Chat with Zulip, and to spare resources, we
-    # do not test it in the all `main` CI pipelines anymore.
-    # - if: '$CI_COMMIT_BRANCH == "main"'
-
-.single_sign_on_rules:
-  rules:
-    - changes:
-        - flux2/core/base/$RESOURCE/*.yaml
-        - flux2/infrastructure/sources/single-sign-on.yaml
-        - install/install-stackspin.sh
-        - test/taiko/*
-    - if: '$TRIGGER_JOBS =~ /enable-single-sign-on/'
-    - if: '$CI_COMMIT_MESSAGE =~ /TRIGGER_JOBS=.*enable-single-sign-on/'
-    - if: '$CI_COMMIT_BRANCH == "main"'
-
 .wekan_rules:
  rules:
    - changes:
@@ -354,6 +330,7 @@ setup-stackspin:
    - cp install/kustomization.yaml ${CLUSTER_DIR}
    - kubectl create namespace flux-system
    - kubectl apply -k ${CLUSTER_DIR}
+    # Install flux and general, non-app specific secrets
    - bash ./install/install-stackspin.sh
  extends:
    - .ssh_setup
@@ -429,13 +406,6 @@ enable-nextcloud:
    - .enable_app_template
    - .nextcloud_rules

-enable-rocketchat:
-  variables:
-    RESOURCE: "rocketchat"
-  extends:
-    - .enable_app_template
-    - .rocketchat_rules
-
 enable-wekan:
  variables:
    RESOURCE: "wekan"
@@ -487,16 +457,6 @@ nextcloud-kustomization-ready:
    - .app-kustomization-ready
    - .nextcloud_rules

-rocketchat-kustomization-ready:
-  needs:
-    - job: setup-stackspin
-    - job: enable-rocketchat
-  variables:
-    RESOURCE: "rocketchat"
-  extends:
-    - .app-kustomization-ready
-    - .rocketchat_rules
-
 wekan-kustomization-ready:
  needs:
    - job: setup-stackspin
@@ -562,25 +522,23 @@ kube-prometheus-stack-cert:
    - .apps-cert
    - .kube_prometheus_stack_rules

-rocketchat-cert:
+single-sign-on-cert:
  variables:
-    RESOURCE: "rocketchat"
+    RESOURCE: "single-sign-on"
  needs:
-    - job: enable-rocketchat
+    - job: core-kustomizations-ready
    - job: setup-stackspin
  extends:
    - .apps-cert
-    - .rocketchat_rules

-single-sign-on-cert:
+dashboard-cert:
  variables:
-    RESOURCE: "single-sign-on"
+    RESOURCE: "dashboard"
  needs:
    - job: core-kustomizations-ready
    - job: setup-stackspin
  extends:
    - .apps-cert
-    - .single_sign_on_rules

 wekan-cert:
  variables:
@@ -700,17 +658,6 @@ nextcloud-taiko:
    - .taiko
    - .nextcloud_rules

-rocketchat-taiko:
-  variables:
-    RESOURCE: "rocketchat"
-  needs:
-    - job: rocketchat-cert
-    - job: setup-stackspin
-    - job: rocketchat-kustomization-ready
-  extends:
-    - .taiko
-    - .rocketchat_rules
-
 wekan-taiko:
  variables:
    RESOURCE: "wekan"

--- a/.gitlab/issue_templates/new_app.md
+++ b/.gitlab/issue_templates/new_app.md
@@ -5,15 +5,16 @@

 * [ ] Create new source if needed in `flux2/infrastructure/sources/APP.yaml`
 * [ ] Include `APP.yaml` in `flux2/infrastructure/sources/kustomization.yaml`
+* [ ] In case of a core app, add healthChecks to `core` `Kustomization`
+      (`flux2/cluster/base/core.yaml`)
 * [ ] Add app secret: `install/templates/stackspin-APP-variables.yaml.jinja`
-* Add `Kustomizations`:
-   * [ ] `flux2/cluster/optional/APP/APP.yaml`
-   * [ ] `flux2/apps/APP/kustomization.yaml`
-   * [ ] If needed, add PVCs in `flux2/apps/APP/pvc.yaml`
-   * [ ] Add `HelmRelease` in `flux2/apps/APP/release.yaml`
-     * Mem resource requests/limits: See https://open.greenhost.net/stackspin/stackspin/-/issues/1027
-      * [ ] mem request: the median weekly memory usage of an app
-      * [ ] mem limit: 150% of the weekly max memory usage
+ * [ ] Flux kustomization: `flux2/cluster/optional/APP/APP.yaml`
+ * [ ] K8s kustomization: `flux2/apps/APP/kustomization.yaml`
+ * [ ] If needed, add PVCs in `flux2/apps/APP/pvc.yaml`
+ * [ ] Add `HelmRelease` in `flux2/apps/APP/release.yaml`
+   * Mem resource requests/limits: See https://open.greenhost.net/stackspin/stackspin/-/issues/1027
+    * [ ] mem request: the median weekly memory usage of an app
+    * [ ] mem limit: 150% of the weekly max memory usage

 ### Single sign-on

@@ -72,3 +73,9 @@ Add the following elements to `.gitlab-ci.yml`:
  * [ ] `docs/installation_instructions.rst`
  * [ ] `docs/testing_instructions.rst`
  * [ ] `docs/usage.rst`
+
+## Follow-up issues
+
+Create follow-up issue with:
+
+* [ ] Fine-tune CPU and mem limits (https://open.greenhost.net/stackspin/stackspin/-/issues/1027)
--- a/flux2/cluster/base/core.yaml
+++ b/flux2/cluster/base/core.yaml
@@ -16,6 +16,8 @@ spec:
  validation: client
  postBuild:
    substituteFrom:
+      - kind: Secret
+        name: stackspin-dashboard-variables
      - kind: Secret
        name: stackspin-single-sign-on-variables
      - kind: Secret
@@ -35,6 +37,10 @@ spec:
      kind: HelmRelease
      name: single-sign-on
      namespace: stackspin
+    - apiVersion: helm.toolkit.fluxcd.io/v1beta1
+      kind: HelmRelease
+      name: dashboard
+      namespace: stackspin
    - apiVersion: apps/v1
      kind: Deployment
      name: single-sign-on-userbackend
@@ -47,3 +53,7 @@ spec:
      kind: Deployment
      name: single-sign-on-login
      namespace: stackspin
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: dashboard
+      namespace: stackspin
--- a/flux2/core/base/dashboard/dashboard-release.yaml
+++ b/flux2/core/base/dashboard/dashboard-release.yaml
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: dashboard
+spec:
+  releaseName: dashboard
+  dependsOn:
+    - name: nginx
+    - name: single-sign-on
+  chart:
+    spec:
+      chart: ./deployment/helmchart/
+      # NOTE: Change the GitRepository yaml file if you want a different version
+      sourceRef:
+        kind: GitRepository
+        name: dashboard
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+    timeout: 10m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-dashboard-values
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-dashboard-override
+      optional: true
+    - kind: Secret
+      name: stackspin-dashboard-override
+      optional: true
--- a/flux2/core/base/dashboard/dashboard-values-configmap.yaml
+++ b/flux2/core/base/dashboard/dashboard-values-configmap.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-dashboard-values
+data:
+  values.yaml: |
+    fullnameOverride: dashboard
+    dashboard:
+      host: dashboard.${domain}
+      resources:
+        limits:
+          cpu: 20m
+          memory: 32Mi
+        requests:
+          cpu: 10m
+          memory: 16Mi
+    backend:
+      secretKey: ${backend_secret_key}
+      password: ${backend_password}
+      smtp:
+        enabled: ${outgoing_mail_enabled}
+        user: "${outgoing_mail_smtp_user}"
+        password: "${outgoing_mail_smtp_password}"
+        host: "${outgoing_mail_smtp_host}"
+        port: "${outgoing_mail_smtp_port}"
+      kratosUrl: single-sign-on-kratos-admin
+      resources:
+        limits:
+          cpu: 200m
+          memory: 512Mi
+        requests:
+          cpu: 100m
+          memory: 256Mi
+    ingress:
+      certManager: true
+      enabled: true
+      hostname: dashboard.${domain}
+      tls:
+      - hosts:
+        - dashboard.${domain}
+        secretName: stackspin-dashboard
--- a/flux2/core/base/dashboard/kustomization.yaml
+++ b/flux2/core/base/dashboard/kustomization.yaml
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: stackspin
+resources:
+  - ./dashboard-release.yaml
+  - ./dashboard-values-configmap.yaml
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -28,6 +28,8 @@ data:
          description: "Wekan Kanban board."
        - name: &ZULIP zulip
          description: "Communicate and collaborate using team chat and switch to video or audio calls with screen sharing for more efficient teamwork."
+        - name: &DASHBOARD dashboard
+          description: "Stackspin dashboard."
      username: "${userbackend_admin_username}"
      password: "${userbackend_admin_password}"
      email: "${admin_email}"
@@ -180,6 +182,12 @@ data:
      scopes: "openid profile email"
      clientUri: "https://zulip.${domain}"
      clientLogoUri: "https://zulip.${domain}/static/images/zulip-logo.svg"
+    - clientName: *DASHBOARD
+      clientSecret: "${dashboard_oauth_client_secret}"
+      redirectUri: "https://dashboard.${domain}/_oauth/oidc"
+      scopes: "openid profile email"
+      clientUri: "https://dashboard.${domain}"
+      clientLogoUri: "https://dashboard.${domain}/assets/logo.svg"
      tokenEndpointAuthMethod: "client_secret_post"
      responseTypes:
        - "code"

--- a/flux2/infrastructure/sources/dashboard.yaml
+++ b/flux2/infrastructure/sources/dashboard.yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: dashboard
+  namespace: stackspin
+spec:
+  interval: 1h
+  url: https://open.greenhost.net/stackspin/dashboard
+  ref:
+    tag: chart-0.1.1
--- a/flux2/infrastructure/sources/kustomization.yaml
+++ b/flux2/infrastructure/sources/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: flux-system
 resources:
  - bitnami.yaml
+  - dashboard.yaml
  - grafana.yaml
  - ingress-nginx.yaml
  - jetstack.yaml

--- a/install/install-stackspin.sh
+++ b/install/install-stackspin.sh
@@ -32,6 +32,7 @@ kubectl get namespace stackspin 2>/dev/null || kubectl create namespace stackspi
 kubectl get namespace stackspin-apps 2>/dev/null || kubectl create namespace stackspin-apps

 # Generate oauth and SSO secrets
+python "$(dirname "$0")/generate_secrets.py" dashboard
 python "$(dirname "$0")/generate_secrets.py" single-sign-on
 python "$(dirname "$0")/generate_secrets.py" oauth


--- a/install/templates/stackspin-dashboard-variables.yaml.jinja
+++ b/install/templates/stackspin-dashboard-variables.yaml.jinja
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stackspin-dashboard-variables
+data:
+  backend_secret_key: "{{ 32 | generate_password | b64encode }}"
+  backend_password: "{{ 32 | generate_password | b64encode }}"
--- a/install/templates/stackspin-oauth-variables.yaml.jinja
+++ b/install/templates/stackspin-oauth-variables.yaml.jinja
@@ -11,3 +11,4 @@ data:
  wekan_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
  wordpress_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
  zulip_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
+  dashboard_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
--- a/test/pytest/test_certs.py
+++ b/test/pytest/test_certs.py
@@ -95,10 +95,10 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements


    app_subdomains = {
+        'dashboard': 'dashboard',
        'grafana': 'grafana',
        'nextcloud': 'files',
        'onlyoffice': 'office',
-        # prometheus is only exposed if opted-in in the settings
        'prometheus': 'prometheus',
        'rocketchat': 'chat',
        'single-sign-on': 'sso',

--- a/test/taiko/apps.js
+++ b/test/taiko/apps.js
@@ -180,9 +180,8 @@ const assert = require('assert');

    // Dashboard
    if (taikoTests.includes('dashboard') || taikoTests === 'all') {
-      const dashboardUrl = 'https://admin.' + domain
-
-      console.log('• Dashboard')
+      const dashboardUrl = 'https://dashboard.' + domain
+      console.log('• Dashboard at ' + dashboardUrl)
      await goto(dashboardUrl)
    }