Improve oauth2

Author: ruzickap

.github/workflows/clusters-aws-reusable-workflow.yml

@@ -184,11 +184,13 @@ jobs:
 
           export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
           if aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" ; then
-            kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
-            kubectl delete certificate -n cert-manager --all || true
-            kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns || true
-            kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller || true
-            kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret || true
+            (
+              kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
+              kubectl delete certificate -n cert-manager --all
+              kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns
+              kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller
+              kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret
+            ) || true
             rm "${KUBECONFIG}"
           fi
 

clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml

@@ -18,6 +18,7 @@ data:
     GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:tYvGtANnxyj0Ek+rYx3062uMzKy7wYbgD1PB2zq5cqEPGdJBHvIPIsfvDdeAf849,iv:pr2tMxzcMVX33SMey7C5GX22OCfOfCofKoobpLFedlI=,tag:v7QurU2gfDOP2ctVDmxK+w==,type:str]
     KEYCLOAK_ADMIN_USERNAME: ENC[AES256_GCM,data:E2aV6AcQxNg=,iv:mtqtHWEFh+Z8fsSY9bHHSyJwjBmSyviaUN94JhkoR7M=,tag:n5qNcaT2eva0CH2PEGtcxg==,type:str]
     KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:lw7IwY0fANGD/2iYeGZmACkbM3TMsDaXjUYpasceTKIGLYGaamKPdw==,iv:YATGDhh5K9LiWQ2Dg81dIEoDUspknKJapYafuNhOQgo=,tag:86GbwBQF6Z7O51X7vDrhfA==,type:str]
+    KUBERNETES_DASHBOARD_TOKEN: ENC[AES256_GCM,data:sP1D32qThcvFGQiGnKA9INRcZPNhLcYC1n/RbksHMZvdRlSmWDSR8oFAszRtun1RMBAQtgYQLUvWkzEIARHD2BLv7/EdZ/GzlIYr4MY9iwILEfstA0PEHHM5KKHRmA9yrPmhjR9QaEm3X83oDEM2O+RQnpi46PmXLj9W/jy7kuUmlZm3pbTj/B6rrisSAJ81FOV3aGR1ZNbCaspJr4fW4uLPllVK2yKgvxYE0omspnA75KDmAgV8d34V4a0IoLw9vw77b7hQkBmYfo6blf1ITOt8136o5cu7zINkyaGsNTxfeEgr+icrDd8vEDQavbcXR4/qGD+xLi72zOUUQr/PZFpVGosi9CeLPPUuV24AmggHcwyg1CmtNptCgjwmm8w1Ng9ATIZd9ort9fxP9eUphO/N4o+K/y6c02TSmwOYIQe7vEh2/9ITBc9sy/ckfGVZRDmNG41ub4xrAkX1O+DHF8yfCScnzUxZdVHdvdrIHyJQPlcJJQv5KtsST5iV5Guu+hIsbZbPp50/wgaSuLID0krwPuaabuQj1UUizKdI3Qrw0GtU9w3REtucqcU665hUy2rx6gRA15NRBHPrVyTVxt1ijPdxociJODVIh10skdrvRfq2nVw3RFUiJzBfgwPhdMmgczBdP1AcWVaxxOxSNFEccNtiv0pegFfJiwo5dFeR0StI/y6Xcp+eT25UG2UGey1JJcDdnHuZLW/jAE3JVIUwjGEZTY9sOFBkoPol4F17yjExdacc9Io7xMPgB6XdOmmjFVSy74PVBfTy4QVIdNDbf1pL6WICEeAntkYiSk7lnRcMk8Z0tSzjeM6aozk5yjdG2q6dMQW6o8Tu2wwaTr5PEoy7Nx9gdjoWxO5/GrPvhoYyGc6vqyi4QeZHQFGwxtIQi6rsYa+xDrKSU4tom/vXuRI2MeWHqDd7NI6z1RCMxq66GHJbbdZMMoaizP+E9fZtQjoq4wa+4+dz62ScjwdDC2vJHpeC5z7KpzWIa2iuw0R6GLgI6s9NhQaaPUklyjZq6ykrO8xDzN1bZeYiAGYcPAls8d8ksSWYeDMzlVbbd0f+/X4vRq9m+ES1BLBxTEShgda/QhW4It8FUbzbxK8gQFKtjrt9zYMuGJaiWtxt1qxVYWissHr56T0meXhaoD/6x7WMVbsohVbxZStzuV68/v5s7CBiLNAhqixX3YcmSgQvUW0SGW7JUPAOAECAoL5YUrhirWJMroYBjoploFhURIjWghaP4rnMpe2GXdRlAtgcr4RnvmzahItEmBU/ma6IWwx52eO0d6TLdLE/Nm54sEcI2x+2BRPmBLtnOtd6aVvMy1LvMFBj1mwLT9yCeVbeEa65SPJlfonrUZG5ZYO6ul0s+MV3+aECL1GyVt6of4iiOTbR8NzAa7RrJ4obolVLTw+XA8BnmPKt11O3ZsCG7th+LdUyh9wSWdPrmVRekIxltDxeoBA5ZLPurP8prFZZOBJEfN0NG/7PU3LlGYBXTJqXPQcfPguRpRRMN2nzrpuSiUxmTzZdpwOJKv4QbmkzNTvNzZ+qAkN3KKq3syA1myBnAjVb1dsdjsWkr3m2bVG6w9Pn3rNLsXkwAy7uSz/lf803y/kUoaRZA16PbO8OUKiDsUZSoDdhPUwWfAYjOVjC5Bi0+/s4mYBXA4bpQEdAf8FY1d8FIkcLuQV3yc6l6tKfYBCJjR7tcnbwMLlUeStKwYNCYsw2Zzigft2SBh5uMHuA8aL5T5vH/7/lsgCVTXF9gN+EAWdezHxfBLbQ+jMEcLgzPd91YdjUIVPUSyHEoHYsjPzHYLBMODvFQL+lbPbh0dWR,iv:LHoeiXAFWLKSwq5ivgWv01canLo418G7EDFIl5CpNy0=,tag:iIXIG2Jq1Wb2PnDvRGxhDw==,type:str]
 sops:
     kms:
         - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
@@ -28,8 +29,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-08-27T04:28:54Z"
-    mac: ENC[AES256_GCM,data:V7oS8u9p0MzzwdMovoQhzcZh+uMt8Wy/86CQmPFD8R69gWUqjvZUVvTVR/GlEUO6rvfrwDjGTsMItVe+KRFQPPTiwlLXODaFfg+9/ctrjVLsVMPEwgd0SLdNOdFjhUR08CWqz48EB37RFy7tknEhYwwZmejy50mZ42+C9E3IMXQ=,iv:IbzeBWqiv3gy/ikXclPnZzLKVx410yh3Ue50ZNsn7CU=,tag:haQTvMSOD1hl0kFedRSL+Q==,type:str]
+    lastmodified: "2022-09-11T06:27:31Z"
+    mac: ENC[AES256_GCM,data:rVMechYFEBQ+liKsE8UjBX75EySF7mKaoVqT3wFROpOFTZ2Ef7A0vw798a70dR/6/bPCxqMo95vP+QoBL64CMXWjl4xi/zf4ex8rKdI34tj8k/MMfzy/sOHmbiAoHh6m7wT5leieszsqpyGnK4Rq/mgh+/BTZvEhhLB0A+1L/R8=,iv:2KJNy0SDABIf7CAJmc2PK3E9+PdI8VlhZ+R9QkTWlKo=,tag:6EWhTF8yF11NQYsdhATe9Q==,type:str]
     pgp:
         - created_at: "2022-07-07T06:23:23Z"
           enc: |-

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml

@@ -1,18 +1,74 @@
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRoleBinding
+# metadata:
+#   name: kubernetes-dashboard-admin
+#   labels:
+#     app: kubernetes-dashboard
+# roleRef:
+#   apiGroup: rbac.authorization.k8s.io
+#   kind: ClusterRole
+#   name: cluster-admin
+# subjects:
+#   - kind: ServiceAccount
+#     name: kubernetes-dashboard-admin
+#     namespace: kubernetes-dashboard
+# ---
+# apiVersion: v1
+# kind: ServiceAccount
+# metadata:
+#   name: kubernetes-dashboard-admin
+#   namespace: kubernetes-dashboard
+# secrets:
+#   - name: kubernetes-dashboard-admin-token-secret
+#
+#
+#
+# ---
+#
+#
+#
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: Role
 metadata:
-  name: kubernetes-dashboard-admin
+  name: kubernetes-dashboard-podinfo-read-only
+  namespace: podinfo
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - apps
+    resources:
+      - deployments
+      - namespaces
+      - pods
+      - replicasets
+      - services
+    verbs:
+      - describe
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubernetes-dashboard-podinfo-read-only
+  namespace: podinfo
+  labels:
+    app: kubernetes-dashboard
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
+  kind: Role
+  name: kubernetes-dashboard-podinfo-read-only
 subjects:
   - kind: ServiceAccount
-    name: kubernetes-dashboard-admin
-    namespace: kube-system
+    name: kubernetes-dashboard-podinfo-read-only
+    namespace: podinfo
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kubernetes-dashboard-admin
-  namespace: kube-system
+  name: kubernetes-dashboard-podinfo-read-only
+  namespace: podinfo
+# secrets:
+#   - name: kubernetes-dashboard-podinfo-read-only-token-secret

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml

@@ -1,25 +1,28 @@
 # https://github.com/kubernetes/dashboard/blob/master/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
 extraArgs:
-  - --enable-skip-login
   - --enable-insecure-login
-  - --disable-settings-authorizer
+#  - --disable-settings-authorizer
 protocolHttp: true
 ingress:
   enabled: true
   annotations:
-    forecastle.stakater.com/expose: "true"
-    forecastle.stakater.com/icon: "https://kubernetes.io/images/kubernetes-horizontal-color.png"
-    forecastle.stakater.com/appName: Kubernetes Dashboard
-    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
-    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
+    # forecastle.stakater.com/expose: "true"
+    # forecastle.stakater.com/icon: "https://kubernetes.io/images/kubernetes-horizontal-color.png"
+    # forecastle.stakater.com/appName: Kubernetes Dashboard
+    # nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
+    # nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      auth_request_set $token $upstream_http_authorization;
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      proxy_pass_header Authorization;
   className: nginx
   hosts:
     - kubernetes-dashboard.${CLUSTER_FQDN}
   tls:
     - hosts:
         - kubernetes-dashboard.${CLUSTER_FQDN}
-settings:
-  clusterName: ${CLUSTER_FQDN}
-  itemsPerPage: 50
-metricsScraper:
-  enabled: true
+# settings:
+#   clusterName: ${CLUSTER_FQDN}
+#   itemsPerPage: 50
+# metricsScraper:
+#   enabled: true

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-token-secret.yaml

@@ -0,0 +1,23 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: kubernetes-dashboard-admin-token-secret
+#   namespace: kubernetes-dashboard
+#   annotations:
+#     kubernetes.io/service-account.name: kubernetes-dashboard-admin
+# type: kubernetes.io/service-account-token
+#
+#
+#
+---
+#
+#
+#
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: kubernetes-dashboard-podinfo-read-only-token-secret
+#   namespace: podinfo
+#   annotations:
+#     kubernetes.io/service-account.name: kubernetes-dashboard-podinfo-read-only
+# type: kubernetes.io/service-account-token

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - kubernetes-dashboard-clusterrolebinding.yaml
+  - kubernetes-dashboard-token-secret.yaml
 
 generatorOptions:
   disableNameSuffixHash: true

clusters/aws-dev-mgmt/flux/cluster-apps/kustomization.yaml

@@ -11,11 +11,11 @@ resources:
   - ../../../../flux/sources/ingress-nginx
   - ../../../../flux/sources/jetstack
   - ../../../../flux/sources/kyverno
-  - ../../../../flux/sources/kubernetes-dashboard
+#  - ../../../../flux/sources/kubernetes-dashboard
   - ../../../../flux/sources/metrics-server
   - ../../../../flux/sources/oauth2-proxy
   - ../../../../flux/sources/runix
-  - ../../../../flux/sources/podinfo
+#  - ../../../../flux/sources/podinfo
   - ../../../../flux/sources/prometheus-community
   - ../../../../flux/sources/policy-reporter
   - ../../../../flux/sources/rancher
@@ -35,15 +35,15 @@ resources:
   - ../../../../flux/cluster-apps/ingress-nginx
   - ../../../../flux/cluster-apps/keycloak
   - ../../../../flux/cluster-apps/kube-prometheus-stack
-  - ../../../../flux/cluster-apps/kubernetes-dashboard
+#  - ../../../../flux/cluster-apps/kubernetes-dashboard
   - ../../../../flux/cluster-apps/kyverno
   - ../../../../flux/cluster-apps/kyverno-policies
   - ../../../../flux/cluster-apps/mailhog
   - ../../../../flux/cluster-apps/metrics-server
   - ../../../../flux/cluster-apps/oauth2-proxy
   - ../../../../flux/cluster-apps/oauth2-proxy-keycloak
   - ../../../../flux/cluster-apps/pgadmin4
-  - ../../../../flux/cluster-apps/podinfo
+#  - ../../../../flux/cluster-apps/podinfo
   - ../../../../flux/cluster-apps/policy-reporter
   - ../../../../flux/cluster-apps/rancher
   - ../../../../flux/cluster-apps/secrets-store-csi-driver
@@ -60,14 +60,14 @@ resources:
   - ingress-nginx
   - keycloak
   - kube-prometheus-stack
-  - kubernetes-dashboard
+#  - kubernetes-dashboard
   - kyverno
   - metrics-server
   - mailhog
   - oauth2-proxy
   - oauth2-proxy-keycloak
   - policy-reporter
-  - podinfo
+#  - podinfo
   - pgadmin4
   - rancher
   - secrets-store-csi-driver

clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml

@@ -12,6 +12,8 @@ ingress:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       auth_request_set $email  $upstream_http_x_auth_request_email;
       proxy_set_header X-Email $email;
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      # proxy_pass_header Authorization;
   className: nginx
   hosts:
     - host: podinfo.${CLUSTER_FQDN}

clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml

@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops

clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: main
+    branch: improve-oauth2
   secretRef:
     name: flux-system
   url: ssh://[email protected]/ruzickap/k8s-tf-eks-gitops.git