cloudlane-one / k8s-cloud

🌐💻☁️ Production-ready, provider-independent & easily manageable k8s cloud setup for self-hosting
MIT License

Automate chart-config via standardized sub-charts #121

Open lorenzo-w opened 7 months ago

lorenzo-w commented 7 months ago

Each of the top-level options below is to be its own sub-chart defining a standardized interface (via JSON schema + options for KubeApps UI), default options, completing info from standard cluster secrets and saving them to a namespace-local secret, providing setup hooks where needed (s3, sso), and completing default resources via Kyverno policies (ingress, storage, topology). Options may also be accessed and used by parent-charts (e.g. ingress hosts or PVC sizes).

topology:
  colocation: "off | best-effort | strict"
  defaults:
    zone: ""
    backbone: false

storage:
  sizes: {}
    # example-pvc: 20GiB
  defaults:
    encrypted: false
    daily_backup: true
    pre_upgrade_snapshot: true
    daily_snapshot: true

ingress:
  # fetch cluster apex domain from secret
  subdomains: {}
    # example-ingress: "example-subdomain"
  auth_proxy:
    subdomain: "oauth"
    restrict_groups: []
      # - "cluster-admins"
  defaults:
    auto_tls: true
    auto_dns: true
    auth_proxy: false

sso:
  auto_redirect: true
  keycloak:
    host: "keycloak.sso-system.svc.cluster.local"
    port: ""
    admin-secret:
      name: idp-admin
      namespace: sso-system
      key: password
  oidc: {}
  saml: {}

smtp: {} # set connection params or retrieve them from a referenced secret

s3: {} # set connection params or retrieve them from a referenced secret

org: {} # set config params or retrieve them from a referenced configmap
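
The issue proposes that each sub-chart expose its options through a JSON schema. As an added illustration (not part of the issue or the project's code), this is what a Helm `values.schema.json` for the `ingress` sub-chart could look like; the types are inferred from the defaults listed above, and the single-DNS-label pattern and the use of `additionalProperties: false` are assumptions.

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$comment": "Added example, not the project's schema. Types inferred from the defaults in the issue; the DNS-label pattern is an assumption.",
  "title": "ingress sub-chart values",
  "type": "object",
  "definitions": {
    "dnsLabel": {
      "type": "string",
      "pattern": "^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$"
    }
  },
  "properties": {
    "subdomains": {
      "type": "object",
      "additionalProperties": { "$ref": "#/definitions/dnsLabel" }
    },
    "auth_proxy": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "subdomain": { "$ref": "#/definitions/dnsLabel" },
        "restrict_groups": {
          "type": "array",
          "items": { "type": "string", "minLength": 1 },
          "uniqueItems": true
        }
      }
    },
    "defaults": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "auto_tls": { "type": "boolean" },
        "auto_dns": { "type": "boolean" },
        "auth_proxy": { "type": "boolean" }
      }
    }
  }
}
```

With `additionalProperties: false` on the nested objects, a misspelled key such as `auth_prxy` under `defaults` fails Helm's schema validation instead of being silently ignored and leaving an ingress without the auth proxy. The root object stays open so that Helm's `global` values still pass.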

lorenzo-w commented 1 month ago

Kyverno policies: