gitops: observability stack (Loki/Promtail/Grafana), Grafana Ingress, Argo multi-source

- Add gitops/observability umbrella chart with vendored Helm deps - Grafana Ingress: Traefik, letsencrypt-prod, grafana.k8s.selair.it + root_url - Argo Application: spec.sources (onelab + onelab-obs) - OneLab: configuration secret override, compliance/LDAP values, logs.path /logs - Docs: OBSERVABILITY, BOOTSTRAP, README, instance-overrides example Made-with: Cursor
2026-03-20 11:10:06 +01:00
parent 9cb1b10d6c
commit b91c35c410
18 changed files with 360 additions and 14 deletions
--- a/gitops/charts/onelab/files/configurations.gotmpl
+++ b/gitops/charts/onelab/files/configurations.gotmpl
@@ -2,6 +2,7 @@
 onelab:
  domain: {{ .Values.onelab.domain | quote }}
  logs:
+    path: "/logs"
    level: info
  assets:
    purge: 1d
@@ -41,6 +42,15 @@ onelab:
      remember_me: true
    lab:
      creation_policy: many
+{{- if .Values.onelab.compliance.enabled }}
+    compliance:
+      require_electronic_signature: {{ .Values.onelab.compliance.requireElectronicSignature }}
+      execution_operator_restriction_policy: {{ .Values.onelab.compliance.executionOperatorRestrictionPolicy | quote }}
+      execution_admin_expert_restriction_policy: {{ .Values.onelab.compliance.executionAdminExpertRestrictionPolicy | quote }}
+      prevent_csv_import: {{ .Values.onelab.compliance.preventCsvImport }}
+      prevent_manual_metadata_edit: {{ .Values.onelab.compliance.preventManualMetadataEdit }}
+      device_restart: {{ .Values.onelab.compliance.deviceRestart }}
+{{- end }}
    signup: false
 {{- if .Values.onelab.intercom.appid }}
    intercom:
@@ -56,7 +66,39 @@ onelab:
      maxtries: 3
      timeout: 60
  ldap:
-    enabled: {{ .Values.features.ldapWorker }}
+    enabled: {{ if or .Values.onelab.ldap.enabled .Values.features.ldapWorker }}true{{ else }}false{{ end }}
+{{- if or .Values.onelab.ldap.enabled .Values.features.ldapWorker }}
+    {{- if .Values.onelab.ldap.timeout }}
+    timeout: {{ .Values.onelab.ldap.timeout | int }}
+    {{- end }}
+    {{- if .Values.onelab.ldap.encryption }}
+    encryption: {{ .Values.onelab.ldap.encryption | quote }}
+    {{- end }}
+    {{- if .Values.onelab.ldap.policy }}
+    policy: {{ .Values.onelab.ldap.policy | quote }}
+    {{- end }}
+    {{- if kindIs "bool" .Values.onelab.ldap.verifyCertificates }}
+    verify_certificates: {{ .Values.onelab.ldap.verifyCertificates }}
+    {{- end }}
+    {{- if or .Values.onelab.ldap.tlsCaPath .Values.onelab.ldap.tlsCertPath .Values.onelab.ldap.tlsKeyPath .Values.onelab.ldap.tlsCiphers .Values.onelab.ldap.tlsSslVersion }}
+    tls:
+      {{- if .Values.onelab.ldap.tlsCaPath }}
+      ca: {{ .Values.onelab.ldap.tlsCaPath | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsCertPath }}
+      cert: {{ .Values.onelab.ldap.tlsCertPath | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsKeyPath }}
+      key: {{ .Values.onelab.ldap.tlsKeyPath | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsCiphers }}
+      ciphers: {{ .Values.onelab.ldap.tlsCiphers | quote }}
+      {{- end }}
+      {{- if .Values.onelab.ldap.tlsSslVersion }}
+      ssl_version: {{ .Values.onelab.ldap.tlsSslVersion | quote }}
+      {{- end }}
+    {{- end }}
+{{- end }}
  services:
    db:
      host: db
--- a/gitops/charts/onelab/templates/_helpers.tpl
+++ b/gitops/charts/onelab/templates/_helpers.tpl
@@ -31,3 +31,7 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- $entry := dict "username" $user "password" $pass "auth" $auth -}}
 {{- dict "auths" (dict $server $entry) | toJson -}}
 {{- end }}
+
+{{- define "onelab.configurationSecretName" -}}
+{{- .Values.configuration.existingSecretName | default "onelab-configurations" }}
+{{- end }}
--- a/gitops/charts/onelab/templates/deployment-optional-workers.yaml
+++ b/gitops/charts/onelab/templates/deployment-optional-workers.yaml
@@ -1,5 +1,5 @@
 {{- $root := . }}
-{{- if .Values.features.ldapWorker }}
+{{- if or .Values.onelab.ldap.enabled .Values.features.ldapWorker }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -43,7 +43,7 @@ spec:
      volumes:
        - name: configurations
          secret:
-            secretName: onelab-configurations
+            secretName: {{ include "onelab.configurationSecretName" $root }}
        {{- if eq $root.Values.persistence.mode "hostPath" }}
        - name: logs
          hostPath:
@@ -98,7 +98,7 @@ spec:
      volumes:
        - name: configurations
          secret:
-            secretName: onelab-configurations
+            secretName: {{ include "onelab.configurationSecretName" $root }}
        {{- if eq $root.Values.persistence.mode "hostPath" }}
        - name: logs
          hostPath:
--- a/gitops/charts/onelab/templates/secret-configurations.yaml
+++ b/gitops/charts/onelab/templates/secret-configurations.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.configuration.existingSecretName }}
 {{- $cfg := fromYaml (.Files.AsConfig) }}
 apiVersion: v1
 kind: Secret
@@ -11,3 +12,4 @@ type: Opaque
 stringData:
  configurations.yml: |
 {{- tpl (index $cfg "configurations.gotmpl") . | nindent 4 }}
+{{- end }}
--- a/gitops/charts/onelab/templates/workloads.yaml
+++ b/gitops/charts/onelab/templates/workloads.yaml
@@ -76,7 +76,7 @@ spec:
        {{- if .config }}
        - name: configurations
          secret:
-            secretName: onelab-configurations
+            secretName: {{ include "onelab.configurationSecretName" $root }}
        {{- end }}
        {{- if eq $root.Values.persistence.mode "hostPath" }}
        {{- if has "logs" .mounts }}
--- a/gitops/charts/onelab/values.yaml
+++ b/gitops/charts/onelab/values.yaml
@@ -3,6 +3,11 @@
 nameOverride: ""
 fullnameOverride: ""

+# If non-empty, workloads mount this Secret instead of chart-generated onelab-configurations.
+# Secret must contain key `configurations.yml`. Chart will NOT create onelab-configurations.
+configuration:
+  existingSecretName: ""
+
 images:
  registry: hub.andrewalliance.com/releases
  tag: "1.27.0"
@@ -71,11 +76,32 @@ onelab:
    authTokenKey: "TokenAuthPlaceholder"
    monitoringToken: "TokenMonitoringPlaceholder"
    rabbitToken: "TokenRabbitPlaceholder"
+  # Mirrors app/configurations.yml params.compliance (enable without editing app/).
+  compliance:
+    enabled: false
+    requireElectronicSignature: true
+    executionOperatorRestrictionPolicy: "reviewed"
+    executionAdminExpertRestrictionPolicy: "reviewed"
+    preventCsvImport: true
+    preventManualMetadataEdit: true
+    deviceRestart: true
+  # Set enabled: true to turn on LDAP in configurations.yml and deploy ldap-worker (or use features.ldapWorker).
+  ldap:
+    enabled: false
+    timeout: ""
+    encryption: ""
+    policy: ""
+    tlsCaPath: ""
+    tlsCertPath: ""
+    tlsKeyPath: ""
+    tlsCiphers: ""
+    tlsSslVersion: ""
  intercom:
    appid: "zxvgsagz"
    secret: "QUw2jEV8utIpe9DeYjOqBjhBY9VxjXddKUCISUNu"

 features:
+  # Deprecated for LDAP: prefer onelab.ldap.enabled (either enables ldap-worker + ldap.enabled in config).
  ldapWorker: false
  mailerWorker: false