forked from linode/apl-core
core.yaml
# NOTE: This file is merged with other values in ./helmfile.d/snippets/env.gotmpl
# keep list of all apps for frontend
# Catalogue of platform apps. Every entry is an empty mapping, so this block
# only lists app names; it sets no per-app options.
apps:
  alertmanager: {}
  drone: {}
  gitea: {}
  # disabled entry, kept as found (spelling presumably meant "gitlab")
  # gilab: {}
  grafana: {}
  harbor: {}
  hello: {}
  httpbin: {}
  keycloak: {}
  kiali: {}
  kubeapps: {}
  loki: {}
  prometheus: {}
  sitespeed: {}
  jaeger: {}
  vault: {}
  weave-scope: {}
# Namespaces known to the platform, each with optional opt-out switches.
# Nesting is restored from a flattened listing. The flags are consumed by
# templates that are not part of this file, so what each one turns off should
# be checked there.
#
# NOTE(review): `disablePolicyChecks: true` is set on six namespaces: default,
# drone-pipelines, knative-serving, kubeapps, kube-system and
# operator-lifecycle-manager. Presumably workloads there are exempt from
# admission policy. Confirm each exemption is still needed, in particular
# `default` and `drone-pipelines`, which may run workloads that are not
# platform components.
# NOTE(review): namespaces with `disableIstioInjection: true` presumably get no
# sidecar. Any mesh-level protection the platform relies on (mTLS, `authz`
# workload rules) would then not cover them. Confirm.
k8s:
  namespaces:
    - name: cert-manager
      disableIstioInjection: true
    - name: default
      disableIstioInjection: true
      disablePolicyChecks: true
    - name: drone-pipelines
      disableIstioInjection: true
      disablePolicyChecks: true
    - name: external-dns
      disableIstioInjection: true
    - name: harbor
    - name: gitea
    - name: istio-system
      disableIstioInjection: true
    - name: ingress
    - name: jaeger
    - name: jaeger-operator
      disableIstioInjection: true
    - name: keycloak
    - name: kiali
    - name: kiali-operator
      disableIstioInjection: true
    # policy checks off, sidecar injection left on
    - name: knative-serving
      disablePolicyChecks: true
    - name: kubeapps
      disableIstioInjection: true
      disablePolicyChecks: true
    - name: kube-system
      disableIstioInjection: true
      disablePolicyChecks: true
    - name: maintenance
      disableIstioInjection: true
    - name: monitoring
    - name: operator-lifecycle-manager
      disableIstioInjection: true
      disablePolicyChecks: true
    - name: otomi
    - name: overprovisioner
      disableIstioInjection: true
    - name: shared
    - name: team-admin
    - name: vault
# Routes for the platform's own services. Nesting is restored from a flattened
# listing. Every entry below is `type: public`.
#
# NOTE(review): four routes carry no `auth: true`: keycloak, harbor-core on
# /service/ /v1/ /v2/, gitea, and drone on /hook /api/user /api/repo.
# Presumably these rely on the backend's own authentication (identity provider
# login, registry tokens, git credentials, webhook callers). This file does not
# show what `auth` enforces, so confirm each omission is deliberate and that the
# backend rejects anonymous requests on those paths.
services:
  # no `auth` key: presumably the identity provider itself, which must be
  # reachable before login (confirm)
  - name: keycloak
    namespace: keycloak
    svc: keycloak-http
    ownHost: true
    type: public
  - name: httpbin
    namespace: shared
    svc: httpbin
    ownHost: true
    isShared: true
    type: public
    auth: true
  # harbor is split into three routes on the same host: portal, authenticated
  # core paths, and core paths without `auth`
  - name: harbor
    svc: harbor-portal
    namespace: harbor
    ownHost: true
    isShared: true
    type: public
    auth: true
  - name: harbor
    svc: harbor-core
    namespace: harbor
    ownHost: true
    paths: [/api/, /c/, /chartrepo/]
    forwardPath: true
    hide: true
    isShared: true
    type: public
    auth: true
  # NOTE(review): no `auth` and no `isShared` on this route. /v2/ looks like
  # the registry API path, which would depend on harbor's own token checks.
  # Confirm.
  - name: harbor
    svc: harbor-core
    namespace: harbor
    ownHost: true
    paths: [/service/, /v1/, /v2/]
    forwardPath: true
    hide: true
    type: public
  # NOTE(review): no `auth` key, so access control is presumably left to gitea
  # (confirm)
  - name: gitea
    namespace: gitea
    svc: gitea-http
    ownHost: true
    isShared: true
    port: 3000
    forwardPath: true
    type: public
  - name: kiali
    svc: kiali
    forwardPath: true
    port: 20001
    namespace: kiali
    type: public
    auth: true
  - name: notary
    svc: harbor-notary-server
    port: 4443
    namespace: harbor
    ownHost: true
    hide: true
    isShared: true
    type: public
    auth: true
  # otomi is exposed as two routes: the API under /api/ (hidden) and the console
  - name: otomi
    namespace: otomi
    ownHost: true
    isShared: true
    svc: otomi-api
    hide: true
    paths: [/api/]
    type: public
    auth: true
  - name: otomi
    namespace: otomi
    ownHost: true
    isShared: true
    svc: otomi-console
    type: public
    auth: true
  # this service is only specified to generate an icon on the dashboard that
  # opens grafana's loki view
  - name: loki
    svc: po-grafana
    host: grafana
    namespace: monitoring
    path: 'explore?orgId=1&left=%5B"now-1h","now","Loki",%7B%7D,%7B"mode":"Logs"%7D,%7B"ui":%5Btrue,true,true,"none"%5D%7D%5D'
    type: public
    auth: true
  # - name: weave-scope
  #   svc: weave-scope
  #   namespace: monitoring
  #   type: public
  #   auth: true
  - name: grafana
    svc: po-grafana
    namespace: monitoring
    # specifying authz will strip the bearer token by default, unless forwardOriginalToken=true
    # this mechanism allows us to not bother services that need the same "Bearer" header for their own oidc
    # it also adds an in-cluster enforcement that only payloads containing the right authn may access it
    authz:
      workload:
        app.kubernetes.io/instance: prometheus-operator
        app.kubernetes.io/name: po-grafana
    type: public
    auth: true
  - name: prometheus
    svc: po-prometheus
    port: 9090
    namespace: monitoring
    type: public
    auth: true
  - name: alertmanager
    svc: po-alertmanager
    port: 9093
    logo:
      name: prometheus
    namespace: monitoring
    type: public
    auth: true
  # drone is exposed twice on the same host: the UI with `auth` and `authz`,
  # and a hidden route for selected paths without either
  - name: drone
    svc: drone
    namespace: team-admin
    ownHost: true
    authz:
      workload:
        app: drone
        component: server
    type: public
    auth: true
  # NOTE(review): no `auth` on /hook, /api/user and /api/repo. Presumably these
  # are called by machines (webhooks, API tokens). Confirm drone validates
  # those requests itself.
  - name: drone
    svc: drone
    namespace: team-admin
    ownHost: true
    hide: true
    type: public
    paths: [/hook, /api/user, /api/repo]
    forwardPath: true
  - name: jaeger
    svc: jaeger-operator-jaeger-query
    port: 16686
    forwardPath: true
    namespace: jaeger
    type: public
    auth: true
  # NOTE(review): `vault-0` looks like a per-pod service name rather than a
  # load-balanced one (confirm)
  - name: vault
    namespace: vault
    svc: vault-0
    port: 8200
    ownHost: true
    logo:
      name: vault
    isShared: true
    path: ui/vault/auth?with=oidc
    type: public
    auth: true
  - name: kubeapps
    svc: kubeapps
    namespace: kubeapps
    ownHost: true
    logo:
      name: kubernetes
    type: public
    isShared: true
    auth: true
# Service entries under `teamConfig`, presumably instantiated once per team
# (confirm against the templates). Nesting is restored from a flattened listing.
# All eight entries are `type: public` with `auth: true`.
#
# `#NS#` and `__TEAM` look like placeholders filled in per team. `#NS#` is never
# preceded by whitespace here, so YAML keeps it inside the value instead of
# starting a comment. Quoting those values would make that explicit.
teamConfig:
  services:
    - name: harbor
      svc: harbor-portal
      namespace: harbor
      isShared: true
      host: harbor
      type: public
      auth: true
    - name: httpbin
      namespace: shared
      svc: httpbin
      isShared: true
      host: httpbin
      type: public
      auth: true
    # NOTE(review): the path only deep-links into teams/#NS#/. Isolation between
    # teams has to come from Vault policy, not from this link. Confirm such a
    # policy exists.
    - name: vault
      namespace: vault
      svc: vault-0
      port: 8200
      host: vault
      logo:
        name: vault
      isShared: true
      path: ui/vault/secrets/secret/list/teams/#NS#/
      type: public
      auth: true
    - name: kubeapps
      namespace: kubeapps
      svc: kubeapps
      isShared: true
      host: kubeapps
      logo:
        name: kubernetes
      type: public
      auth: true
    # this service is only specified to generate an icon on the dashboard that
    # opens grafana's loki view
    # NOTE(review): the namespace filter is part of the link's query only. It
    # does not by itself stop a user from editing the query, so log access has
    # to be limited on the grafana/loki side. Confirm.
    - name: loki
      svc: po-grafana
      host: grafana
      path: explore?orgId=1&left=%5B%22now-1h%22,%22now%22,%22Loki%22,%7B%22expr%22:%22%7Bnamespace%3D%5C%22#NS#%5C%22%7D%22%7D,%7B%22mode%22:%22Logs%22%7D,%7B%22ui%22:%5Btrue,true,true,%22none%22%5D%7D%5D
      type: public
      auth: true
    # the three entries below set `hasPrefix: true` and no `namespace`
    - name: grafana
      svc: po-grafana
      hasPrefix: true
      authz:
        workload:
          app.kubernetes.io/instance: prometheus-__TEAM
          app.kubernetes.io/name: __TEAM-po-grafana
      type: public
      auth: true
    - name: prometheus
      svc: po-prometheus
      hasPrefix: true
      port: 9090
      type: public
      auth: true
    - name: alertmanager
      svc: po-alertmanager
      hasPrefix: true
      port: 9093
      logo:
        name: prometheus
      type: public
      auth: true