add kubeaps integration (#486)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

- **New Features**
- Introduced a new variable `$host` for improved configuration
management.
- Added a `valuesFrom` section to the `dashboard` release, allowing
external value sourcing.
- Enhanced Keycloak integration with new client scopes, roles, and
configurations for Kubeapps.
- Added support for custom pod specifications and environment variables
in Redis configurations.
- Introduced a new Kubernetes configuration file for managing access to
resources via Role and Secret.
- Updated image versions across various components to ensure
compatibility and leverage new features.

- **Bug Fixes**
- Implemented error handling to ensure required configurations are
present.
- Improved handling of request headers for the `/logos` endpoint in
Nginx configuration.
- Adjusted security context configurations to enhance deployment
security.

- **Documentation**
- Updated configuration files to reflect new dependencies and structures
for better clarity.
- Enhanced README documentation with upgrade instructions and security
defaults.
- Expanded notes on handling persistent volumes and data migration
during upgrades.

These enhancements improve the overall functionality and reliability of
the platform.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: klinch0

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.6.0
+version: 1.6.1

packages/apps/tenant/templates/kubeconfig.yaml

@@ -0,0 +1,59 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
+{{- $host := index $cozyConfig.data "root-host" }}
+{{- $apiServerAdress := index $cozyConfig.data "api-server-adress" }}
+{{- $k8sClientSecret := lookup "v1" "Secret" "cozy-keycloak" "k8s-client" }}
+{{- $k8sClient := index $k8sClientSecret.data "client-secret-key" | b64dec }}
+{{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "tenant.name" . }}-dashboard-resources
+  namespace: {{ .Release.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - kubeconfig-{{ include "tenant.name" . }}
+  verbs: ["get", "list", "watch"]
+
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeconfig-{{ include "tenant.name" . }}
+  namespace: tenant-root
+stringData:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        server: https://{{ $apiServerAdress }}:6443
+        certificate-authority-data: {{ $k8sCa }}
+      name: cluster
+    contexts:
+    - context:
+        cluster: cluster
+        namespace: {{ include "tenant.name" . }}
+        user: keycloak
+      name: {{ include "tenant.name" . }}
+    current-context: default
+    users:
+    - name: keycloak
+      user:
+        exec:
+          apiVersion: client.authentication.k8s.io/v1beta1
+          args:
+          - oidc-login
+          - get-token
+          - --oidc-issuer-url=https://keycloak.{{ $host }}/realms/cozy
+          - --oidc-client-id=kubernetes
+          - --oidc-client-secret={{ $k8sClient }}
+          - --skip-open-browser
+          - --grant-type=password
+          command: kubectl

packages/apps/tenant/templates/tenant.yaml

@@ -43,6 +43,9 @@ subjects:
 - kind: ServiceAccount
   name: tenant-root
   namespace: tenant-root
+- kind: Group
+  name: tenant-root-super-admin
+  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
@@ -51,12 +54,18 @@ subjects:
 - kind: ServiceAccount
   name: {{ join "-" (slice $parts 0 (add $i 1)) }}
   namespace: {{ join "-" (slice $parts 0 (add $i 1)) }}
+- kind: Group
+  name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 - kind: ServiceAccount
   name: {{ include "tenant.name" . }}
   namespace: {{ include "tenant.name" . }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}
@@ -84,6 +93,9 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "tenant.name" . }}
   namespace: {{ include "tenant.name" . }}
+- kind: Group
+  name: {{ include "tenant.name" . }}-super-admin
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}
@@ -95,16 +107,47 @@ metadata:
   name: {{ include "tenant.name" . }}-view
   namespace: {{ include "tenant.name" . }}
 rules:
-  - apiGroups: ["apps.cozystack.io"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources: ["helmreleases"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["pods", "pods/log"]
-    verbs: ["get", "list", "watch"]
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+    verbs:
+      - get
+  - apiGroups:
+      - apps.cozystack.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - helm.toolkit.fluxcd.io
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+
 ---
+
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -125,21 +168,46 @@ metadata:
   name: {{ include "tenant.name" . }}-use
   namespace: {{ include "tenant.name" . }}
 rules:
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
   - apiGroups: ["apps.cozystack.io"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources: ["helmreleases"]
-    verbs: ["get", "list", "watch"]
+    resources:
+    - helmreleases
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups: [""]
-    resources: ["pods", "pods/log"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["kubevirt.io"]
-    resources: ["virtualmachines"]
-    verbs: ["get", "list"]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+    - ingresses
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups: ["subresources.kubevirt.io"]
-    resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
-    verbs: ["get", "list"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -161,70 +229,135 @@ metadata:
   name: {{ include "tenant.name" . }}-admin
   namespace: {{ include "tenant.name" . }}
 rules:
-  - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources: ["helmreleases"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [rbac.authorization.k8s.io]
+    resources:
+    - roles
+    verbs:
+    - get
   - apiGroups: [""]
-    resources: ["pods/log", "pods"]
-    verbs: ["get", "list", "watch", "delete"]
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+    - delete
+  - apiGroups: ["helm.toolkit.fluxcd.io"]
+    resources:
+    - helmreleases
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups: ["kubevirt.io"]
-    resources: ["virtualmachines"]
-    verbs: ["get", "list"]
+    resources:
+    - virtualmachines
+    verbs:
+    - get
+    - list
   - apiGroups: ["subresources.kubevirt.io"]
-    resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
-    verbs: ["get", "list"]
+    resources:
+    - virtualmachineinstances/console
+    - virtualmachineinstances/vnc
+    verbs:
+    - get
+    - list
   - apiGroups: ["apps.cozystack.io"]
-    resources: ["buckets", "clickhouses", "ferretdb", "foos", "httpcaches", "kafkas", "kuberneteses", "mysqls", "natses", "postgreses", "rabbitmqs", "redises", "seaweedfses", "tcpbalancers", "virtualmachines", "vmdisks", "vminstances"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+    resources:
+    - buckets
+    - clickhouses
+    - ferretdb
+    - foos
+    - httpcaches
+    - kafkas
+    - kuberneteses
+    - mysqls
+    - natses
+    - postgreses
+    - rabbitmqs
+    - redises
+    - seaweedfses
+    - tcpbalancers
+    - virtualmachines
+    - vmdisks
+    - vminstances
+    verbs:
+    - get
+    - list
+    - watch
+    - create
+    - update
+    - patch
+    - delete
+
 
 ---
-kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: {{ include "tenant.name" . }}-admin
-  namespace: {{ include "tenant.name" . }}
+  namespace: cozy-public
+rules:
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources: ["helmrepositories"]
+    verbs:
+    - get
+    - list
+  - apiGroups:
+    - source.toolkit.fluxcd.io
+    resources:
+    - helmcharts
+    verbs:
+    - get
+    - list
+  - apiGroups: ["source.toolkit.fluxcd.io"]
+    resources:
+    - helmcharts
+    verbs: ["*"]
+    resourceNames:
+    - bucket
+    - clickhouse
+    - ferretdb
+    - foo
+    - httpcache
+    - kafka
+    - kubernetes
+    - mysql
+    - nats
+    - postgres
+    - rabbitmq
+    - redis
+    - seaweedfs
+    - tcpbalancer
+    - virtualmachine
+    - vmdisk
+    - vminstance
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "tenant.name" . }}-admin
+  namespace: cozy-public
 subjects:
-  - kind: Group
-    name: {{ include "tenant.name" . }}-admin
-    apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: {{ include "tenant.name" . }}-admin
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-admin
   apiGroup: rbac.authorization.k8s.io
 ---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "tenant.name" . }}-super-admin
-  namespace: {{ include "tenant.name" . }}
-rules:
-  - apiGroups: ["helm.toolkit.fluxcd.io"]
-    resources: ["helmreleases"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["pods/log", "pods"]
-    verbs: ["get", "list", "watch", "delete"]
-  - apiGroups: ["kubevirt.io"]
-    resources: ["virtualmachines"]
-    verbs: ["get", "list"]
-  - apiGroups: ["subresources.kubevirt.io"]
-    resources: ["virtualmachineinstances/console", "virtualmachineinstances/vnc"]
-    verbs: ["get", "list"]
-  - apiGroups: ["apps.cozystack.io"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
----
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ include "tenant.name" . }}-super-admin
+  name: {{ include "tenant.name" . }}-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
   - kind: Group
-    name: {{ include "tenant.name" . }}-super-admin
+    name: {{ include "tenant.name" . }}-admin
     apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: {{ include "tenant.name" . }}-super-admin
+  name: {{ include "tenant.name" . }}-admin
   apiGroup: rbac.authorization.k8s.io