diff --git a/charts/apps/charts/coder/Chart.yaml b/charts/apps/charts/coder/Chart.yaml
new file mode 100644
index 0000000..5b46cef
--- /dev/null
+++ b/charts/apps/charts/coder/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: openwebui
diff --git a/charts/apps/charts/coder/templates/client.yaml b/charts/apps/charts/coder/templates/client.yaml
new file mode 100644
index 0000000..f931eac
--- /dev/null
+++ b/charts/apps/charts/coder/templates/client.yaml
@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+ name: '{{ .Release.Name }}'
+spec:
+ environment: '{{ .Values.globals.environment }}'
+ redirectUris:
+ - path: /api/v2/users/oidc/callback
+ subdomain: '{{ .Values.subdomain }}'
+ matchingMode: strict
diff --git a/charts/apps/charts/coder/templates/deployment.yaml b/charts/apps/charts/coder/templates/deployment.yaml
new file mode 100644
index 0000000..910ed4e
--- /dev/null
+++ b/charts/apps/charts/coder/templates/deployment.yaml
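Review bot: `name: openwebui` in the new Chart.yaml does not match the chart directory `charts/apps/charts/coder` and reads like a copy-paste from another chart; Helm exposes this value as `.Chart.Name`, and if the parent `apps` chart lists this subchart as a dependency, the name it declares must match this field, so it should read `name: coder`. `version: 1.0.0` is safe as a plain scalar but would be worth quoting, `version: '1.0.0'`, for consistency with the quoting style used throughout the templates.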
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: '{{ .Release.Name }}'
+spec:
+ strategy:
+ type: Recreate
+ replicas: 1
+ selector:
+ matchLabels:
+ app: '{{ .Release.Name }}'
+ template:
+ metadata:
+ labels:
+ app: '{{ .Release.Name }}'
+ spec:
+ serviceAccountName: '{{ .Release.Name }}-serviceaccount'
+ containers:
+ - name: '{{ .Release.Name }}'
+ image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ ports:
+ - name: http
+ containerPort: 7080
+ protocol: TCP
+ livenessProbe:
+ tcpSocket:
+ port: http
+ readinessProbe:
+ tcpSocket:
+ port: http
+ volumeMounts:
+ - mountPath: /home/coder/.config
+ name: data
+ env:
+ - name: CODER_HTTP_ADDRESS
+ value: '0.0.0.0:7080'
+ - name: CODER_OIDC_ALLOWED_GROUPS
+ value: admin
+ - name: CODER_OIDC_GROUP_FIELD
+ value: groups
+ - name: CODER_ACCESS_URL
+ value: https://coder.olsen.cloud
+ - name: CODER_OIDC_ICON_URL
+ value: https://authentik.olsen.cloud/static/dist/assets/icons/icon.png
+ - name: CODER_DISABLE_PASSWORD_AUTH
+ value: 'true'
+ - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
+ value: 'false'
+ - name: CODER_OIDC_SIGN_IN_TEXT
+ value: 'Sign in with OIDC'
+ - name: CODER_OIDC_SCOPES
+ value: openid,profile,email,offline_access
+ - name: CODER_OIDC_ISSUER_URL
+ valueFrom:
+ secretKeyRef:
+ name: '{{ .Release.Name }}-client'
+ key: configurationIssuer
+ - name: CODER_OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: '{{ .Release.Name }}-client'
+ key: clientId
+ - name: CODER_OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: '{{ .Release.Name }}-client'
+ key: clientSecret
+
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: '{{ .Release.Name }}-data'
diff --git a/charts/apps/charts/coder/templates/http-service.yaml b/charts/apps/charts/coder/templates/http-service.yaml
new file mode 100644
index 0000000..2233b00
--- /dev/null
+++ b/charts/apps/charts/coder/templates/http-service.yaml
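Review bot: `CODER_ACCESS_URL` is hard-coded to `https://coder.olsen.cloud` while the hostname actually exposed (http-service.yaml) is derived from `.Values.subdomain` and `.Values.globals.environment`, so changing either value leaves Coder advertising a URL it is no longer served on; the OIDC callback registered in client.yaml and the address workspaces are told to reach the server on both depend on this value, so derive it from the same inputs, e.g. `value: 'https://{{ .Values.subdomain }}.<BASE_DOMAIN>'` with `<BASE_DOMAIN>` (placeholder) added to values.yaml, and the same for `CODER_OIDC_ICON_URL`. The container also has no `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem` where the image allows it) and no `resources`, which matters more than usual here because its ServiceAccount is bound cluster-wide in role.yaml/rolebinding.yaml. `CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS: 'false'` appears to be a no-op since no GitHub OAuth variables are set; the setting that governs sign-ups through this OIDC provider is `CODER_OIDC_ALLOW_SIGNUPS`, which is not set, so the only thing restricting who can log in is `CODER_OIDC_ALLOWED_GROUPS` — presumably intended, but worth a comment.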
@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+ name: '{{ .Release.Name }}'
+spec:
+ environment: '{{ .Values.globals.environment }}'
+ subdomain: '{{ .Values.subdomain }}'
+ destination:
+ host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+ port:
+ number: 80
diff --git a/charts/apps/charts/coder/templates/pvc.yaml b/charts/apps/charts/coder/templates/pvc.yaml
new file mode 100644
index 0000000..bc1d0a6
--- /dev/null
+++ b/charts/apps/charts/coder/templates/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: '{{ .Release.Name }}-data'
+spec:
+ accessModes:
+ - 'ReadWriteOnce'
+ resources:
+ requests:
+ storage: '1Gi'
+ storageClassName: '{{ .Values.globals.environment }}'
diff --git a/charts/apps/charts/coder/templates/role.yaml b/charts/apps/charts/coder/templates/role.yaml
new file mode 100644
index 0000000..5724980
--- /dev/null
+++ b/charts/apps/charts/coder/templates/role.yaml
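Review bot: `storage: '1Gi'` in pvc.yaml is the only sizing parameter in the chart and is hard-coded while the claim name and storage class are templated; expose it as `storage: '{{ .Values.persistence.size }}'` with a `1Gi` default in values.yaml so it can be grown per environment without editing the template. The deployment sets no `CODER_PG_CONNECTION_URL`, so presumably Coder's built-in database lives under the `/home/coder/.config` mount backed by this claim, in which case 1Gi is likely to fill — confirm against the intended database setup.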
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: '{{ .Release.Name }}-workspace-creator'
+rules:
+ - apiGroups: [''] # "" indicates the core API group (for Pods, PVCs, Services)
+ resources: ['pods', 'pods/exec', 'pods/log', 'persistentvolumeclaims', 'services']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+ - apiGroups: ['apps'] # For Deployments, StatefulSets
+ resources: ['deployments', 'statefulsets']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+ - apiGroups: ['networking.k8s.io'] # For Ingresses
+ resources: ['ingresses']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+ - apiGroups: ['events.k8s.io'] # For events related to workspace activity
+ resources: ['events']
+ verbs: ['create', 'patch', 'update'] # Coder might create events for workspace lifecycle
+ # Add any other resources that Coder workspace templates might create (e.g., secrets, configmaps)
+ # - apiGroups: [""]
+ # resources: ["secrets", "configmaps"]
+ # verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/charts/apps/charts/coder/templates/rolebinding.yaml b/charts/apps/charts/coder/templates/rolebinding.yaml
new file mode 100644
index 0000000..3354a26
--- /dev/null
+++ b/charts/apps/charts/coder/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: '{{ .Release.Name }}-workspace-creator-binding'
+ namespace: '{{ .Release.Namespace }}'
+subjects:
+ - kind: ServiceAccount
+ name: '{{ .Release.Name }}-serviceaccount'
+ namespace: '{{ .Release.Namespace }}'
+roleRef:
+ kind: ClusterRole
+ name: '{{ .Release.Name }}-workspace-creator'
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/apps/charts/coder/templates/service.yaml b/charts/apps/charts/coder/templates/service.yaml
new file mode 100644
index 0000000..ca4d3c5
--- /dev/null
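Review bot: The ClusterRole grants `create`/`delete`/`update` on `pods`, `pods/exec`, deployments and services with no namespace limit, and rolebinding.yaml binds it cluster-wide, so the Coder service account can manage and attach to workloads in every namespace — presumably including the other charts under `charts/apps/charts/` — rather than only where workspaces are provisioned. If workspaces live in one namespace, keep the ClusterRole but bind it with a namespaced `RoleBinding` (or make it a `Role`), and drop `pods/exec` unless a workspace template demonstrably needs it; `pods/log` and `watch` are usually enough for provisioning. The trailing commented-out `secrets`/`configmaps` rule should stay off by default, and if it is ever enabled it belongs behind `resourceNames` rather than as a blanket grant on all secrets.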
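Review bot: `metadata.namespace: '{{ .Release.Namespace }}'` on the `ClusterRoleBinding` in rolebinding.yaml has no effect: the resource is cluster-scoped, the field is ignored for cluster-scoped objects (newer API servers may warn), and its presence suggests a namespaced binding that does not exist. Either delete that metadata line, or — if the intent is to confine the grant to the release namespace — change `kind: ClusterRoleBinding` to `kind: RoleBinding`, where the namespace is meaningful and the `roleRef` to the ClusterRole still resolves.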
+++ b/charts/apps/charts/coder/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: '{{ .Release.Name }}'
+ labels:
+ app: '{{ .Release.Name }}'
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 7080
+ protocol: TCP
+ name: http
+ selector:
+ app: '{{ .Release.Name }}'
diff --git a/charts/apps/charts/coder/templates/serviceaccount.yaml b/charts/apps/charts/coder/templates/serviceaccount.yaml
new file mode 100644
index 0000000..53966e4
--- /dev/null
+++ b/charts/apps/charts/coder/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: '{{ .Release.Name }}-serviceaccount'
+ namespace: '{{ .Release.Namespace }}'
diff --git a/charts/apps/charts/coder/values.yaml b/charts/apps/charts/coder/values.yaml
new file mode 100644
index 0000000..ab0b9e6
--- /dev/null
+++ b/charts/apps/charts/coder/values.yaml
@@ -0,0 +1,7 @@
+globals:
+ environment: prod
+image:
+ repository: ghcr.io/coder/coder
+ tag: latest
+ pullPolicy: IfNotPresent
+subdomain: coder
diff --git a/charts/apps/charts/headscale/templates/service.yaml b/charts/apps/charts/headscale/templates/service.yaml
index 1e0dee4..6f98962 100644
--- a/charts/apps/charts/headscale/templates/service.yaml
+++ b/charts/apps/charts/headscale/templates/service.yaml
@@ -11,9 +11,22 @@ spec:
 targetPort: 8080
 protocol: TCP
 name: http
- - name: wireguard-udp # TODO: should this be a LB service?
- port: 41641
- targetPort: 41641
- protocol: UDP
+ selector:
+ app: '{{ .Release.Name }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: '{{ .Release.Name }}-headscale'
+ labels:
+ app: '{{ .Release.Name }}'
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 41641
+ targetPort: 41641
+ protocol: UDP
+ name: wireguard-udp
 selector:
 app: '{{ .Release.Name }}'
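Review bot: `tag: latest` together with `pullPolicy: IfNotPresent` in values.yaml means each node runs whichever `ghcr.io/coder/coder:latest` it happened to cache, so a rescheduled pod can silently land on a different build and there is no known-good version to roll back to. Pin the tag to a released version, `tag: '<PINNED_VERSION>'` (placeholder), and bump it deliberately; a digest would be stronger still but needs the image line in deployment.yaml to join with `@` instead of `:`. If `latest` is kept, `pullPolicy: Always` is the only consistent pairing. `environment: prod` is also reused verbatim as the PVC `storageClassName`, a coupling that deserves a one-line comment next to the key.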
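Review bot: The new `LoadBalancer` Service for UDP 41641 in headscale/templates/service.yaml leaves `externalTrafficPolicy` at its default (`Cluster`), so inbound datagrams are SNATed to a node address before reaching the pod and the original client source address is lost; if the listener behind 41641 relies on peer source addresses, add `externalTrafficPolicy: Local`, which also keeps the hop on the node that hosts the pod. The removed `# TODO: should this be a LB service?` is answered only implicitly by the new document — a comment above the second Service stating why this port must be externally reachable while the HTTP port stays `ClusterIP` would preserve that decision. The first Service's `spec` begins above this hunk.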