Merge pull request #8161 from BacLuc/rewrite-deploy-ops-dashboard

Rewrite deploy ops dashboard

Author: BacLuc

.github/workflows/deploy-ops-dashboard.yml

@@ -4,10 +4,17 @@ on:
   workflow_dispatch:
     inputs:
       environment:
-        description: 'Choose environment'
+        description: "Choose environment"
         type: environment
         required: true
-        default: "ops-dashboard-dev"
+      action:
+        description: "Choose action"
+        type: choice
+        required: true
+        default: diff
+        options:
+          - diff
+          - deploy
 
 jobs:
   deploy-ops-dashboard:
@@ -26,40 +33,43 @@ jobs:
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
-      - name: Dump secrets to .env
+      - name: Dump secrets to /tmp/secrets.yaml
         run: |
-          echo '${{ toJSON(secrets) }}' | jq -r 'keys[] as $k | select(.[$k] |contains("\n") | not) | "\($k)=\"\(.[$k])\""' >> .env
-        working-directory: .ops/ops-dashboard
+          cat << 'EOF' | tee -a /tmp/secrets.yaml
+          ${{ toJSON(secrets) }}
+          EOF
+          jq '.' /tmp/secrets.yaml
 
-      - name: Dump variables to .env
-        run: |  
-          echo '${{ toJSON(vars) }}' | jq -r 'keys[] as $k | select(.[$k] |contains("\n") | not) | "\($k)=\"\(.[$k])\""' >> .env
-        working-directory: .ops/ops-dashboard
+      - name: Dump variables to /tmp/env.yaml
+        run: |
+          cat << 'EOF' | tee -a /tmp/env.yaml
+          ${{ toJSON(vars) }}
+          EOF
+          jq '.' /tmp/env.yaml
 
-      - name: Show .env for debugging
-        run: echo "$(cat .env | sort)"
+      - name: Merge secrets and variables
+        run: |
+          jq -s '.[0] + .[1]' /tmp/secrets.yaml /tmp/env.yaml > env.yaml
+          jq '.' env.yaml
         working-directory: .ops/ops-dashboard
 
       - name: Setup helm
         run: |
           mkdir ~/.kube && echo '${{ secrets.KUBECONFIG }}' > ~/.kube/config && chmod go-r ~/.kube/config
 
-      - name: Add helm repositories
-        run: |
-          helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
-          helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
-          helm repo update
+      - uses: ./.github/actions/setup-helmfile
 
       - name: Diff deployment
         run: |
           ./deploy.sh diff || true
         working-directory: .ops/ops-dashboard
-        
-      - name: Show values.out.yaml
-        run: cat values.out.yaml
+
+      - name: Show values.yaml
+        run: cat values.yaml
         working-directory: .ops/ops-dashboard
 
       - name: Deploy
+        if: ${{ github.event.inputs.action == 'deploy' }}
         run: |
           ./deploy.sh deploy
         working-directory: .ops/ops-dashboard

.ops/ops-dashboard/.gitignore

@@ -1,3 +1,5 @@
 /.env
 /charts
+/env.yaml
+/values.yaml
 /values.out.yaml

.ops/ops-dashboard/Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: oauth2-proxy
   repository: https://oauth2-proxy.github.io/manifests
-  version: 8.2.0
+  version: 7.18.0
 - name: kubernetes-dashboard
   repository: https://kubernetes.github.io/dashboard/
   version: 7.13.0
 - name: oauth2-proxy
   repository: https://oauth2-proxy.github.io/manifests
-  version: 8.2.0
+  version: 7.18.0
 - name: oauth2-proxy
   repository: https://oauth2-proxy.github.io/manifests
-  version: 8.2.0
-digest: sha256:142da8fd57bc6a24ca609e3ad8a4dfb1cca54f5fda7972dea16ad14477d3dcec
-generated: "2025-08-24T16:31:56.7842085Z"
+  version: 7.18.0
+digest: sha256:d119e0b8ffb14fc7aee209549ea98ee92c80eefe64a20f4b48a5a7b193efc9c6
+generated: "2025-08-14T11:03:55.532011762Z"

.ops/ops-dashboard/Chart.yaml

@@ -26,16 +26,16 @@ appVersion: 0.1.0
 dependencies:
   - name: oauth2-proxy
     alias: grafana-proxy
-    version: 8.2.0
+    version: 7.18.0
     repository: https://oauth2-proxy.github.io/manifests
   - name: kubernetes-dashboard
     version: 7.13.0
     repository: https://kubernetes.github.io/dashboard/
   - name: oauth2-proxy
     alias: kubernetes-dashboard-proxy
-    version: 8.2.0
+    version: 7.18.0
     repository: https://oauth2-proxy.github.io/manifests
   - name: oauth2-proxy
     alias: logging-proxy
-    version: 8.2.0
+    version: 7.18.0
     repository: https://oauth2-proxy.github.io/manifests

.ops/ops-dashboard/README.md

@@ -6,19 +6,12 @@ to see our applications like graphana, kibana, kubernetes-dashboard...
 
 ## Prerequisites
 
-You need the oauth2-proxy helm chart:
+First you need to have the following dependencies:
 
-```shell
-helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
-helm repo update
-```
-
-You also need the kubernetes-dashboard helm chart:
-
-```shell
-helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
-helm repo update
-```
+- jq
+- kubectl (with a kubeconfig for the cluster you want to deploy to)
+- helm
+- helmfile
 
 ## Deployment
 

.ops/ops-dashboard/deploy.sh

@@ -5,22 +5,25 @@ set -ea
 SCRIPT_DIR=$(realpath "$(dirname "$0")")
 cd $SCRIPT_DIR
 
-. $SCRIPT_DIR/.env
+action=${1:-diff}
 
-envsubst < $SCRIPT_DIR/values.yaml > $SCRIPT_DIR/values.out.yaml
+helmfile deps
+helmfile write-values --environment default --output-file-template values.yaml
 
-helm dep build
-
-if [ $1 = "deploy" ]; then
+if [ "$action" = "deploy" ]; then
   # to debug: --dry-run --debug
-  helm upgrade --install ops-dashboard --namespace=ops-dashboard --create-namespace $SCRIPT_DIR --values $SCRIPT_DIR/values.out.yaml
+  helm upgrade --install ops-dashboard \
+    --namespace=ops-dashboard \
+    --create-namespace \
+    "$SCRIPT_DIR" \
+    --values "$SCRIPT_DIR/values.yaml"
   exit 0
 fi
 
-if [ $1 = "diff" ]; then
+if [ "$action" = "diff" ]; then
   helm template \
-      --namespace ops-dashboard --no-hooks --skip-tests ops-dashboard  \
-      $SCRIPT_DIR \
-      --values $SCRIPT_DIR/values.out.yaml | kubectl diff --namespace ops-dashboard -f -
+    --namespace ops-dashboard --no-hooks --skip-tests ops-dashboard \
+    "$SCRIPT_DIR" \
+    --values "$SCRIPT_DIR/values.yaml" | kubectl diff --namespace ops-dashboard -f -
   exit 0
 fi

.ops/ops-dashboard/env.example.yaml

@@ -0,0 +1,12 @@
+{
+  "COOKIE_SECRET": ,
+  "GRAFANA_PROXY_HOST": ,
+  "GRAFANA_PROXY_OAUTH_CLIENT_ID": ,
+  "GRAFANA_PROXY_OAUTH_CLIENT_SECRET": ,
+  "KUBERNETES_DASHBOARD_PROXY_HOST": ,
+  "KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID": ,
+  "KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET": ,
+  "LOGGING_PROXY_HOST": ,
+  "LOGGING_PROXY_OAUTH_CLIENT_ID": ,
+  "LOGGING_PROXY_OAUTH_CLIENT_SECRET":
+}

.ops/ops-dashboard/helmfile.yaml

@@ -0,0 +1,16 @@
+environments:
+  default:
+    values:
+      - ./env.yaml
+---
+repositories:
+  - name: oauth2-proxy
+    url: https://oauth2-proxy.github.io/manifests
+  - name:  kubernetes-dashboard
+    url: https://kubernetes.github.io/dashboard/
+
+releases:
+  - name: ""
+    chart: .
+    values:
+      - ./values.yaml.gotmpl

.ops/ops-dashboard/values.yaml

@@ -0,0 +1,58 @@
+grafana-proxy:
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - {{ .Environment.Values | getOrNil "GRAFANA_PROXY_HOST" | required "GRAFANA_PROXY_HOST is required" | quote }}
+  extraArgs:
+    whitelist-domain: {{ .Environment.Values | getOrNil "GRAFANA_PROXY_HOST" | required "GRAFANA_PROXY_HOST is required" | quote }}
+    provider: github
+    github-org: ecamp
+    upstream: http://kube-prometheus-stack-grafana.kube-prometheus-stack.svc.cluster.local:80
+  config:
+    # OAuth client ID
+    clientID: {{ .Environment.Values | getOrNil "GRAFANA_PROXY_OAUTH_CLIENT_ID" | required "GRAFANA_PROXY_OAUTH_CLIENT_ID is required" | quote }}
+    # OAuth client secret
+    clientSecret: {{ .Environment.Values | getOrNil "GRAFANA_PROXY_OAUTH_CLIENT_SECRET" | required "GRAFANA_PROXY_OAUTH_CLIENT_SECRET is required" | quote }}
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: {{ .Environment.Values | getOrNil "COOKIE_SECRET" | required "COOKIE_SECRET is required" | quote }}
+kubernetes-dashboard-proxy:
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - {{ .Environment.Values | getOrNil "KUBERNETES_DASHBOARD_PROXY_HOST" | required "KUBERNETES_DASHBOARD_PROXY_HOST is required" | quote }}
+  extraArgs:
+    whitelist-domain: {{ .Environment.Values | getOrNil "KUBERNETES_DASHBOARD_PROXY_HOST" | required "KUBERNETES_DASHBOARD_PROXY_HOST is required" | quote }}
+    provider: github
+    github-org: ecamp
+    upstream: https://ops-dashboard-kong-proxy.ops-dashboard.svc.cluster.local
+    ssl-upstream-insecure-skip-verify: true
+  config:
+    # OAuth client ID
+    clientID: {{ .Environment.Values | getOrNil "KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID" | required "KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_ID is required" | quote }}
+    # OAuth client secret
+    clientSecret: {{ .Environment.Values | getOrNil "KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET" | required "KUBERNETES_DASHBOARD_PROXY_OAUTH_CLIENT_SECRET is required" | quote }}
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: {{ .Environment.Values | getOrNil "COOKIE_SECRET" | required "COOKIE_SECRET is required" | quote }}
+logging-proxy:
+  ingress:
+    enabled: true
+    className: nginx
+    hosts:
+      - {{ .Environment.Values | getOrNil "LOGGING_PROXY_HOST" | required "LOGGING_PROXY_HOST is required" | quote }}
+  extraArgs:
+    whitelist-domain: {{ .Environment.Values | getOrNil "LOGGING_PROXY_HOST" | required "LOGGING_PROXY_HOST is required" | quote }}
+    provider: github
+    github-org: ecamp
+    upstream: http://kibana.ecamp3-logging.svc.cluster.local:5601
+  config:
+    # OAuth client ID
+    clientID: {{ .Environment.Values | getOrNil "LOGGING_PROXY_OAUTH_CLIENT_ID" | required "LOGGING_PROXY_OAUTH_CLIENT_ID is required" | quote }}
+    # OAuth client secret
+    clientSecret: {{ .Environment.Values | getOrNil "LOGGING_PROXY_OAUTH_CLIENT_SECRET" | required "LOGGING_PROXY_OAUTH_CLIENT_SECRET is required" | quote }}
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: {{ .Environment.Values | getOrNil "COOKIE_SECRET" | required "COOKIE_SECRET is required" | quote }}