Updated OpenUnison, dashboard, kubevirt manager, and prometheus (#81)

* add port 443 to the loca talos cluster

* fix the way port is exposed

* for #78 ingress-nginx deploys.  if its in code spaces, it deploys on 10443.

* for #78 update kube dashboard for version 7.x keeping dashboard capability separated from openunison so that ic an be used without it.

* Added gum for input, collecting github info, deploying openunison.  need get service names and localhost ingresss working.

* for #78 adding port forwarders for openunison, dashboard, api server

* for #79 added better automation for the openunison config.  also fixed the dashboard integration

* for #79 add localhost ingress chart

* for #79 moved helm chart, removed dashboard release name from the certificate secret

* for #79 added OpenUnison docs for GitHub

* began configuring kubevirt ui

* for #80 deploy kubevrit

* for #79  intial implementation working.  need to do some refactoring and docs

* for #78 #79 refactored to line up with the refactor

* for #79 moved result group into the helm chart

.devcontainer/devcontainer.json

@@ -27,7 +27,10 @@
         2222,
         6000,
         7681,
-        8080
+        8080,
+        10443,
+        11443,
+        12443
     ],
     "customizations": {
         "vscode": {

Taskfile.yaml

@@ -15,7 +15,7 @@ vars:
   talos_patch: "{{.talos_dir}}/patch/cluster.yaml"
   talos_config_file: "{{.talos_dir}}/manifest/talosconfig"
   cluster_name: "talos-kargo-docker"
-  exposed_ports: "30590:30590/tcp"
+  exposed_ports: "30590:30590/tcp,10443:10443/tcp"
   memory: "8192"
   arch:
     sh: |
@@ -138,6 +138,67 @@ tasks:
       - source .envrc && pulumi config set --path multus.enabled false
       - source .envrc && pulumi config set --path vm.enabled false
 
+  install-gum:
+    desc: Installs the gum utility for collecting user input
+    cmds:
+    - test -e /usr/bin/gum || wget -P /tmp https://github.com/charmbracelet/gum/releases/download/v0.14.5/gum_0.14.5_amd64.deb
+    - test -e /usr/bin/gum || sudo dpkg -i /tmp/gum_0.14.5_amd64.deb
+
+  install-pen:
+    desc: Installs the pen utility for setting up port forwarding
+    cmds:
+    - |-
+        if [[ -z "${GITHUB_USER}" ]]; then
+          echo "Not running in GitHub CodeSpace"
+        else
+          echo "Running in GitHub CodeSpace"
+          test -e /usr/bin/pen || sudo apt-get update
+          test -e /usr/bin/pen || sudo apt-get install -y pen
+        fi
+
+  configure-openunison:
+    desc: "Configure OpenUnison."
+
+    cmds:
+      - task: install-gum
+      - task: install-pen
+      - pen 11443 127.0.0.1:10443
+      - pen 12443 127.0.0.1:10443
+      - source .envrc && pulumi stack select --create {{.pulumi_stack_identifier}} || true
+      - source .envrc && pulumi config set --path openunison.enabled true
+      - source .envrc && pulumi config set --path kubernetes_dashboard.enabled true
+      - source .envrc && pulumi config set --path openunison.github.client_id $(gum input --placeholder='GitHub OAuth2 Client Id' --header='GitHub OAuth2 Client Id')
+      - source .envrc && pulumi config set --secret --path openunison.github.client_secret $(gum input --placeholder='GitHub OAuth2 Client Secret' --header='GitHub OAuth2 Client Secret')
+      - source .envrc && pulumi config set --path openunison.github.teams $(gum input --placeholder='GitHub OAuth2 Teams' --header='GitHub OAuth2 Teams')
+      - |-
+          if [[ -z "${GITHUB_USER}" ]]; then
+
+          else
+            echo "Set your GitHub OAuth2 Application's 'Authorization callback URL' to https://$CODESPACE_NAME-10443.app.github.dev/auth/github"
+          fi
+
+  enable-kubevirt-manager:
+    desc: Enables the KubeVirt Manager Web UI
+    cmds:
+    - task: install-gum
+    - task: install-pen
+    - pen 13443 127.0.0.1:10443
+    - source .envrc && pulumi stack select --create {{.pulumi_stack_identifier}} || true
+    - source .envrc && pulumi config set --path kubevirt_manager.enabled true
+
+  enable-prometheus:
+    desc: Enables Prometheus
+    cmds:
+    - task: install-gum
+    - task: install-pen
+    - pen 14443 127.0.0.1:10443
+    - pen 15443 127.0.0.1:10443
+    - pen 16443 127.0.0.1:10443
+    - source .envrc && pulumi stack select --create {{.pulumi_stack_identifier}} || true
+    - source .envrc && pulumi config set --path prometheus.enabled true
+
+
+
   iac-deploy:
     desc: "Deploy Pulumi infrastructure."
     cmds:

docs/OPENUNISON.md

@@ -2,31 +2,65 @@
 
 # Dependencies
 
-1. Ingress NGINX (not included for now)
+1. Ingress NGINX
 
-For MVP Ingress NGINX is required - https://kubernetes.github.io/ingress-nginx/deploy/
+OpenUnison requires the NGINX Ingress controller for MVP.  While several controllers are supported, we wanted to keep it simple for now.  If you're running Kargo in GitHub CodeSpaces, NGINX will be configured to support port forwarding so you can access OpenUnison, and your cluster, from anywhere on the internet.  If running Kargo on bare metal, You'll need to configure Cilium's `LoadBalancer` to support NGINX.
 
-If you don't have a load balancer setup you'll want to deploy as a `DaemonSet` and update the `Deployment` or `DaemonSet` to listen on `hostPort`. First, patch the `ingress-nginx` `Namespace` to allow privileged pods:
+2. DNS suffix (Bare Metal Only)
 
-```sh
-kubectl patch namespace ingress-nginx -p '{"metadata":{"labels":{"pod-security.kubernetes.io/enforce":"privileged"}}}'
+OpenUnison requires a minimum of three host names. More if deploying additional platform management apps. For this reason, you'll need to create a DNS wildcard for a domain suffix to point to your load balancer. For instance, in the below examples a wildcard of \*.kargo.tremolo.dev was setup with an A record for my lab hosts. For a full explination, see - https://openunison.github.io/deployauth/#host-names-and-networking
+
+3. GitHub Deployment
+
+Before deploying OpenUnison, you'll need to create an organization on GitHub. This is 100% free. Once you have created an organization, you can setup an OAuth App. See https://openunison.github.io/deployauth/#github for instructions.
+
+For deployments to GitHub CodeSpaces, enter a fake URL for the redirect for now.  When you setup SSO in the code space, you'll be given a URL to use.
+
+For bare metal, your redirect URL will be `https://k8sou.DNS Suffix/auth/github`. You should also create a Team that you'll use authorizing access to your lab. Keep your `client_id` and `client_secret`.
+
+
+# Setup
+
+## GitHub CodeSpace
+
+Once you've run `task deploy`, the next step is to run:
+
+```bash
+task configure-openunison
 ```
+You'll be asked for:
+
+1. GitHub OAuth2 Application Client ID
+2. GitHub OAuth2 Application Client Secret
+3. The name of a GitHub team in the form of org/team.  For Instance, `TremoloSecurity/github-demos`
+
+When the configuration is done, you'll be presented with a redirect URL.  Configure your OAuth2 application with this URL as the redirect.
 
-Next, patch the `DaimonSet` / `Deployment` to listen on 80 and 443:
+Next, run the deployment again:
 
 ```sh
-kubectl patch deployments ingress-nginx-controller -n ingress-nginx -p '{"spec":{"template":{"spec":{"containers":[{"name":"controller","ports":[{"containerPort":80,"hostPort":80,"protocol":"TCP"},{"containerPort":443,"hostPort":443,"protocol":"TCP"}]}]}}}}'
+task deploy
 ```
 
-2. DNS suffix
+With the deployment completed, you need to configure three ports to enable HTTPS and public access:
 
-OpenUnison requires a minimum of three host names. More if deploying aditional platform management apps. For this reason, you'll need to create a DNS wildcard for a domain suffix to point to your nodes/load balancer. For instance, in the below examples a wildcard of \*.kargo.tremolo.dev was setup with an A record for my lab hosts. For a full explination, see - https://openunison.github.io/deployauth/#host-names-and-networking
+* 10443
+* 11443
+* 12443
 
-3. GitHub Deployment
+For each port, navigate to the ***PORTS*** tab in you VSCode window:
 
-Before deploying OpenUnison, you'll need to create an orgnaization on GitHub. This is 100% free. Once you have created an organization, you can setup an OAuth App. See https://openunison.github.io/deployauth/#github for instructions. Your redirect URL will be `https://k8sou.DNS Suffix/auth/github`. You should also create a Team that you'll use authorizing access to your lab. Keep your `client_id` and `client_secret`.
+![Ports Tab](images/ports.png "Ports Tab")
 
-# Setup
+Right click on the port, choose ***Change Port Protocol*** and choose ***HTTPS***
+
+![HTTPS](images/https.png "HTTPS")
+
+Finally, mark the port as public by again right clicking on the port, choose ***Port Visibility*** and select ***Public***.
+
+Repeat this step for all three of the ports 10443,11442, and 12443.
+
+## Bare Metal
 
 Enable Cert-Manager
 
@@ -72,4 +106,20 @@ If you want to allow more users to access your cluster, add them to the team you
 
 # Using OpenUnison
 
+## GitHub CodeSpace
+
+To access your cluster running a CodeSpace, get hte URL for the 10443 port.  If everything is configured correctly, you'll be prompted to continue by GitHub and then to trust your GitHub Application.  After that, you'll be logged in to OpenUnison with access to your cluster.
+
+### Limitations
+
+When running in CodeSpaces, any action that requires SPDY will not work, this includes:
+
+* kubectl exec
+* kubectl cp
+* kubectl port-forward
+
+You can use the terminal for any `Pod` in the Kubernetes Dashboard though.
+
+## Bare Metal
+
 See our manual - https://openunison.github.io/documentation/login-portal/

pulumi/__main__.py

@@ -19,6 +19,8 @@
 from src.ceph.deploy import deploy_rook_operator
 from src.vm.ubuntu import deploy_ubuntu_vm
 from src.vm.talos import deploy_talos_cluster
+from src.ingress_nginx.deploy import deploy_ingress_nginx
+from src.kv_manager.deploy import deploy_ui_for_kubevirt
 
 ##################################################################################
 # Load the Pulumi Config
@@ -83,6 +85,9 @@ def get_module_config(module_name):
 
 depends = []
 
+# defining a separate depends list for openunison to avoid circular dependencies
+openunison_depends = []
+
 def safe_append(depends, resource):
     if resource:
         depends.append(resource)
@@ -174,7 +179,7 @@ def run_kubevirt():
         versions["kubevirt"] = {"enabled": kubevirt_enabled, "version": kubevirt[0]}
         kubevirt_operator = kubevirt[1]
 
-        safe_append(depends, kubevirt_operator)
+        safe_append(openunison_depends, kubevirt_operator)
 
         return kubevirt, kubevirt_operator
     return None, None
@@ -324,10 +329,10 @@ def run_prometheus():
             openunison_enabled
         )
 
-        versions["prometheus"] = {"enabled": prometheus_enabled, "version": prometheus[0]}
+        versions["prometheus"] = {"enabled": prometheus_enabled, "version": prometheus[0],"release":prometheus[1]}
         prometheus_release = prometheus[1]
 
-        safe_append(depends, prometheus_release)
+        safe_append(openunison_depends, prometheus_release)
 
         return prometheus, prometheus_release
     return None, None
@@ -348,19 +353,42 @@ def run_kubernetes_dashboard():
             depends,
             ns_name,
             kubernetes_dashboard_version,
-            k8s_provider
+            k8s_provider,
+            openunison_enabled
         )
 
-        versions["kubernetes_dashboard"] = {"enabled": kubernetes_dashboard_enabled, "version": kubernetes_dashboard[0]}
+        versions["kubernetes_dashboard"] = {"enabled": kubernetes_dashboard_enabled, "version": kubernetes_dashboard[0], "release":kubernetes_dashboard[1]}
         kubernetes_dashboard_release = kubernetes_dashboard[1]
 
-        safe_append(depends, kubernetes_dashboard_release)
+        safe_append(openunison_depends, kubernetes_dashboard_release)
 
         return kubernetes_dashboard, kubernetes_dashboard_release
     return None, None
 
 kubernetes_dashboard, kubernetes_dashboard_release = run_kubernetes_dashboard()
 
+##################################################################################
+# Deploy Kubevirt Manager
+def run_kubevirt_manager():
+    kubevirt_manager_enabled = config_kubevirt_manager.get("enabled") or False
+    if kubevirt_manager_enabled:
+        kubevirt_manager = deploy_ui_for_kubevirt(
+            "kargo",
+            k8s_provider,
+        )
+
+        versions["kubevirt_manager"] = {"enabled": kubevirt_manager_enabled, "version": kubevirt_manager[0]}
+        kubevirt_manager_release = kubevirt_manager[1]
+
+        safe_append(openunison_depends, kubevirt_manager_release)
+
+        return kubevirt_manager, kubevirt_manager_release
+
+
+    return None, None
+
+kubevirt_manager, kubevirt_manager_release = run_kubevirt_manager()
+
 ##################################################################################
 def run_openunison():
     if openunison_enabled:
@@ -369,34 +397,39 @@ def run_openunison():
         domain_suffix = config_openunison.get('dns_suffix') or "kargo.arpa"
         cluster_issuer = config_openunison.get('cluster_issuer') or "cluster-selfsigned-issuer-ca"
 
-        config_openunison_github = config_openunison.get_object('github') or {}
+        config_openunison_github = config_openunison.get('github') or {}
         openunison_github_teams = config_openunison_github.get('teams')
         openunison_github_client_id = config_openunison_github.get('client_id')
         openunison_github_client_secret = config_openunison_github.get('client_secret')
 
         enabled = {}
 
-        if kubevirt_enabled:
-            enabled["kubevirt"] = {"enabled": kubevirt_enabled}
+        custom_depends = []
+
+
+        # Assume ingress-nginx for OpenUnison
+        nginx_release, nginx_version = deploy_ingress_nginx(None,"ingress-nginx",k8s_provider)
+        versions["nginx"] = {"enabled": openunison_enabled, "version": nginx_version}
+
 
-        if prometheus_enabled:
-            enabled["prometheus"] = {"enabled": prometheus_enabled}
+        safe_append(custom_depends,nginx_release)
+
+        custom_depends.extend(depends)
+        custom_depends.extend(openunison_depends)
 
-        pulumi.export("enabled", enabled)
 
         openunison = deploy_openunison(
-            depends,
+            custom_depends,
             ns_name,
             openunison_version,
             k8s_provider,
             domain_suffix,
             cluster_issuer,
             cert_manager_selfsigned_cert,
-            kubernetes_dashboard_release,
             openunison_github_client_id,
             openunison_github_client_secret,
             openunison_github_teams,
-            enabled,
+            versions
         )
 
         versions["openunison"] = {"enabled": openunison_enabled, "version": openunison[0]}
@@ -405,6 +438,7 @@ def run_openunison():
         safe_append(depends, openunison_release)
 
         return openunison, openunison_release
+
     return None, None
 
 openunison, openunison_release = run_openunison()
@@ -426,23 +460,7 @@ def run_rook_ceph():
 
 rook_operator = run_rook_ceph()
 
-##################################################################################
-# Deploy Kubevirt Manager
-def run_kubevirt_manager():
-    kubevirt_manager_enabled = config.get_bool('kubevirt_manager.enabled') or False
-    if kubevirt_manager_enabled:
-        kubevirt_manager = deploy_ui_for_kubevirt(
-            "kargo",
-            k8s_provider,
-            kubernetes_distribution,
-            "kargo",
-            "kubevirt_manager"
-        )
-        pulumi.export('kubevirt_manager', kubevirt_manager)
-        return kubevirt_manager
-    return None
 
-kubevirt_manager = run_kubevirt_manager()
 
 ##################################################################################
 # Deploy Ubuntu VM

pulumi/src/helm/openunison-kargo/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/