feat: deploy dexidp (#14)

* feat: deploy dexidp * fix: Add helmrepository to kustomization.yaml
immich-app · Jan 24, 2024 · a686bed · a686bed
1 parent 3cc66be
commit a686bed
Show file tree

Hide file tree

Showing 8 changed files with 156 additions and 0 deletions.
diff --git a/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml b/kubernetes/apps/authentication/dexidp/app/helmrelease.yaml
@@ -0,0 +1,99 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: dex
+  namespace: authentication
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: dex
+      version: 0.15.3
+      sourceRef:
+        kind: HelmRepository
+        name: dex
+        namespace: flux-system
+      interval: 5m
+  values:
+    image:
+      repository: ghcr.io/dexidp/dex
+      tag: v2.37.0
+    env:
+      KUBERNETES_POD_NAMESPACE: authentication
+    envFrom:
+      - secretRef:
+          name: github-oauth-client
+    ingress:
+      enabled: true
+      className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-production
+      hosts:
+        - host: &host auth.immich.cloud
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+          secretName: dex-tls
+
+    config:
+      issuer: &issuer https://auth.immich.cloud
+
+      storage:
+        type: kubernetes
+        config:
+          inCluster: true
+
+      web:
+        http: 0.0.0.0:5556
+
+      frontend:
+        issuer: immich
+        issuerUrl: *issuer
+        logoUrl: https://github.com/immich-app/immich/raw/main/design/immich-logo-no-outline.png
+
+      expiry:
+        signingKeys: "6h"
+        idTokens: "24h"
+
+      logger:
+        level: debug
+        format: text
+
+      oauth2:
+        responseTypes: ["code", "token", "id_token"]
+        skipApprovalScreen: true
+        alwaysShowLoginScreen: false
+
+      enablePasswordDB: false
+
+      connectors:
+        # GitHub configure 'OAuth Apps' -> 'New OAuth App', add callback URL
+        # https://github.com/settings/developers
+        - type: github
+          id: github
+          name: GitHub
+          config:
+            clientID: $GITHUB_CLIENT_ID
+            clientSecret: $GITHUB_CLIENT_SECRET
+            redirectURI: https://auth.immich.cloud/callback
+            orgs:
+              - name: immich-app
+
+      staticClients: []
+        # - id: grafana
+        #   name: grafana
+        #   secret: ${DEX_GRAFANA_AUTHENTICATOR_CLIENT_SECRET}
+        #   redirectURIs:
+        #     - "https://grafana.${SECRET_DOMAIN}/login/generic_oauth"
+
+    resources:
+      requests:
+        cpu: 10m
+        memory: 100Mi
+      limits:
+        memory: 100Mi
diff --git a/kubernetes/apps/authentication/dexidp/app/kustomization.yaml b/kubernetes/apps/authentication/dexidp/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/authentication/dexidp/ks.yaml b/kubernetes/apps/authentication/dexidp/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://github.com/fluxcd-community/flux2-schemas/raw/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app dexidp
+  namespace: flux-system
+spec:
+  targetNamespace: authentication
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cluster-apps-onepassword
+  path: ./kubernetes/apps/authentication/dexidp/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: immich-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/kubernetes/apps/authentication/kustomization.yaml b/kubernetes/apps/authentication/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./secrets.yaml
+  - ./dexidp/ks.yaml
diff --git a/kubernetes/apps/authentication/namespace.yaml b/kubernetes/apps/authentication/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentication
diff --git a/kubernetes/apps/authentication/secrets.yaml b/kubernetes/apps/authentication/secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: github-oauth-client
+  namespace: authentication
+spec:
+  itemPath: "vaults/Kubernetes/items/github-oauth-client"
diff --git a/kubernetes/flux/repositories/helm/dex.yaml b/kubernetes/flux/repositories/helm/dex.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: dex
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://charts.dexidp.io
+  timeout: 3m
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
   - ./democratic-csi.yaml
   - ./actions-runner-controller.yaml
   - ./bjw-s.yaml
+  - ./dex.yaml