Umbrella Helm chart for bootstrapping ArgoCD GitOps for Infrastructure and Platform.
The implementation of the Helm chart is the bare minimum. The Helm Chart is not meant to be infinitely configurable, but to provide a quick way to deploy to a Kubernetes cluster.
The infrastructure is now managed via GitOps from the repo https://github.com/teknoir/platform-applications-gitops.
Secrets are managed manually. Generate them before deploying:

```shell
./scripts/create-clouddns-secret.sh <KEY_PATH>
./scripts/create-gcr-json-key-secret.sh <KEY_PATH>
./scripts/gen-harbor-secrets.sh
./scripts/gen-keycloak-db-secret.sh
./scripts/gen-oauth2-proxy-secrets.sh
./scripts/gen-oauth2-proxy-redis-secret.sh
./scripts/deploy-argocd.sh
kubectl apply -f teknoir-cloud-app-of-apps.yaml
```

Setup in Keycloak
Client setup in master realm:
- Client ID: teknoir (or change oauth2-proxy to match)
- OpenID Connect
- Client authentication: ON (this is “confidential”)
- Standard flow: ON
- Service account roles: ON
- Valid redirect URI: https://teknoir.cloud/oauth2/callback
- Web origins: https://teknoir.cloud
Then update the secret:
- Take the client secret from Keycloak
- Update oauth2-proxy-secret (by running ./scripts/gen-oauth2-proxy-secrets.sh)
- Run ./scripts/deploy-secrets.sh to deploy the secret to the cluster
Then go to Client scopes menu:
- Add (or create) a scope: teknoir
- Type: Default
Configure a new mapper for the scope:
- Mapper type: Audience
- Included Client Audience: teknoir
- Add to access token: ON
Then add Service Account Role:
- Go to the Clients menu, open the teknoir client, select the Service Account Roles tab and click Assign Roles
- Assign "Client Roles": manage-users, query-users, view-users
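A quick way to confirm that the Audience mapper above actually took effect is to inspect the claims of an access token issued to the client, since oauth2-proxy rejects tokens whose `aud` does not contain its client ID. The check below is an added example, not part of this repo's scripts; it only decodes the claims (it does not verify the signature, which oauth2-proxy does) and tolerates Keycloak's habit of emitting `aud` as either a string or a list. The hostname in the sample token is constructed.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(token: str, client_id: str = "teknoir",
                       realm_suffix: str = "/realms/master") -> list:
    """Return a list of problems; an empty list means the claims look right for oauth2-proxy."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # Keycloak emits a bare string when there is a single audience
        aud = [aud]
    if client_id not in aud:
        problems.append(f"aud {aud!r} lacks {client_id!r}: check the Audience mapper on the scope")
    if not str(claims.get("iss", "")).endswith(realm_suffix):
        problems.append(f"iss {claims.get('iss')!r} is not the master realm")
    return problems


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample shaped like a Keycloak access token; the signature is a placeholder.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    issuer = "https://keycloak.teknoir.cloud/realms/master"  # constructed hostname
    print(check_token_claims(make_sample_token({"iss": issuer, "aud": ["teknoir", "account"]})))
    print(check_token_claims(make_sample_token({"iss": issuer, "aud": "account"})))
```

Paste a real token (e.g. from the oauth2-proxy debug output) into `check_token_claims` to see which of the two conditions fails.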
Restart the oauth2-proxy deployment to pick up the new secret and scope changes:

```shell
kubectl -n teknoir-auth rollout restart deploy/oauth2-proxy
```

You can change the entire environment domain by setting global.domain in charts/infra/values.yaml or via the CLI:

```shell
helm template infra ./charts/infra --set global.domain=my-new-domain.com
```

- charts/infra: umbrella chart combining all components.
- charts/teknoir-gateway: Istio Gateway and Cert-manager Certificate templates.
- charts/auth: Keycloak and OAuth2-proxy configuration.
- charts/harbor: Harbor configuration.
- scripts/: helper scripts for secret generation and deployment.