Improve oauth2

Author: ruzickap

.github/workflows/clusters-aws-reusable-workflow.yml

@@ -184,11 +184,13 @@ jobs:
 
           export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
           if aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" ; then
-            kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
-            kubectl delete certificate -n cert-manager --all || true
-            kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns || true
-            kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller || true
-            kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret || true
+            (
+              kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
+              kubectl delete certificate -n cert-manager --all
+              kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns
+              kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller
+              kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret
+            ) || true
             rm "${KUBECONFIG}"
           fi
 

clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml

@@ -18,6 +18,7 @@ data:
     GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:tYvGtANnxyj0Ek+rYx3062uMzKy7wYbgD1PB2zq5cqEPGdJBHvIPIsfvDdeAf849,iv:pr2tMxzcMVX33SMey7C5GX22OCfOfCofKoobpLFedlI=,tag:v7QurU2gfDOP2ctVDmxK+w==,type:str]
     KEYCLOAK_ADMIN_USERNAME: ENC[AES256_GCM,data:E2aV6AcQxNg=,iv:mtqtHWEFh+Z8fsSY9bHHSyJwjBmSyviaUN94JhkoR7M=,tag:n5qNcaT2eva0CH2PEGtcxg==,type:str]
     KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:lw7IwY0fANGD/2iYeGZmACkbM3TMsDaXjUYpasceTKIGLYGaamKPdw==,iv:YATGDhh5K9LiWQ2Dg81dIEoDUspknKJapYafuNhOQgo=,tag:86GbwBQF6Z7O51X7vDrhfA==,type:str]
+    KUBERNETES_DASHBOARD_TOKEN: ENC[AES256_GCM,data:pBYMPi70DuJRUyVey7BACH5kuNgu0/brcOOhjQHD7VVuZPM5Hv7LgwnEvqUSKjJ0EqAYvx9fSBBGdE6tUb6TjEfG/vVGwJ4C4BqFaQgtUD1JSjmFxAJld3yZdRUiCNkAPPG7WgEK52A9j3kAOrDw0pYvGF1Bw3x27yuBZ/BZQvE9DNLEdQ7RAhq53QDVWw6Cj4TE85tq9doDf80p6kKTgaEZJXM9jrBrvF8QBqPsDuCrhtwDcvrNZVWHhLVjr99PCp+WdijxKS8VRiKaGi5OAUMbOcSRF9j1QP0x41fVlwALg7z2eAhI71CkircJyWqigcjyExuTFO5TbJg1qrgEaWIo6dHidaaeCIlRe7MGpPLdfhGO/8pOqcACWxoHoElx88PTtEeFUmS96jCHnLCrajfWJiMS3RUFOfTHBycEdvs/MOU9/+xY3FewpXvjpb+dzWvhC8gDty0kS9Abbpts1hSfLoFAfHx0T/nuClJXbhUeB0t1wFVFEWEaGO2MysFivoEWml13IKuMTmarODUpA7xqWnPBaqOhQKZM6KKakxZNTtpKE8Cw+jdgI/E/UqFsj39UbZDlnv9gx8xqMutUPxOcFcuQkWXAXaF3SGROee4BWmP9HU3ylZlL8MQMN2noLRbBD/90CV/zrgOIQx5EW5esAVgCK5eCxdxsUDme3GSdPVD0ticdrli+u+iVWHOV4HmSRFhpBV4bmFPrxHvPsOuoFMHbqRKJfKgW3wMAxmsmaACqXsdxqvifGWi+NJ0m1FKNK2Df4ALXaZY3PupEKlNapSmZt2uPwV8/jqx2PIviqrxEop08hniCdwiVd9WUpJqe+w9se2BZ9D/FlmRZQBChZa7XGN/S0nuJPIKd9ePVAOKcQzuGc9UIyYV6XCXvvjdyALWdhZUWebN8yuVNsP73FAy9KfvVCYAaIFXQmcyVmle30hwq+ixCCaAS+ZOo1lYWHXNm0s4K4dR9MncJ7u+Wze8x8pz4U70xlAGL2riC/rRnJRWiU7wEuj5pkoGeViF7ZfZei6KOZdIwIKhxpleQqa3TNb1X46JwVybC+poynu2vpBfir3x2y9hvVYOn4YjTJmrt/pGCJeDJ7IBKU2QB1EaOOd3ujcGyeYvbJjs5K4c2dL+0AU9i0hINVc5OV4Y/81XXEqve4HmiJ/KVp13xfAzwsLPA2wxTuPWdOc+AevAyzjjtragnsjaa/P62GyKgEaEz/7KlIdgV5HwcIkWr9uYzi7/XBetWuJ78g08V6bu7XHInhI1o9WRFHoEDc4cjJd8X57BZBiWKfDb3QcwVCbUEctAxtQUzD6lpo3fGSnIOQQQ2JGrqULz8uIbw3ow6UfXu/w/X7Ls3T5OFps/tjDX3LijENnGay9CFRMSd8e6bcAiFy9w1RPVg3lw4naJdqt4TjKQbqr6D0ljhQcmjhpJHM6iK3c5cuLBUWCGpq1ySh+Q9hOYTWgNP1eiaGDWJtljh8ngL230RREQOBlkWixno37e8pW5v5EhbRsWrcQUWGgs6W06nueGNRMSSL/28e+wGZCcNX5rZe429xj70ItcRFbfieC+tboA4DSFmstTkxQBNxFm2xRPl28aFIzB5jGb/1J8jrohXFZkxO+aaVMPjn3V/rus4fMQHzWbBuH8iQI0Wz+NdLt9T7wGf34G+ZNF8YRZzv0xv+GwV5SY5CGYtEhmL+SpowgZR1B9WQOGaNHCX8VfRw5kh1PJtz1Floj6eteW3NzKGAwMMdzk18kbluToyyq6YkAY1peurIASanFqWkN2wnLaehouegmTmI3A1mQ0=,iv:oywd2t9+QHVsIqLYLhoEkGm/EXbdlbDONiGsj8/dWm4=,tag:AL6BeNT+lKEjibDqnsvzzw==,type:str]
 sops:
     kms:
         - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
@@ -28,8 +29,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-08-27T04:28:54Z"
-    mac: ENC[AES256_GCM,data:V7oS8u9p0MzzwdMovoQhzcZh+uMt8Wy/86CQmPFD8R69gWUqjvZUVvTVR/GlEUO6rvfrwDjGTsMItVe+KRFQPPTiwlLXODaFfg+9/ctrjVLsVMPEwgd0SLdNOdFjhUR08CWqz48EB37RFy7tknEhYwwZmejy50mZ42+C9E3IMXQ=,iv:IbzeBWqiv3gy/ikXclPnZzLKVx410yh3Ue50ZNsn7CU=,tag:haQTvMSOD1hl0kFedRSL+Q==,type:str]
+    lastmodified: "2022-09-04T06:03:04Z"
+    mac: ENC[AES256_GCM,data:D3CtMxs+DylO9+x803HoHIbwCIx3ySeCXGIGaJqu13Z9DTd9JK//kXWAGbfkaypLfbLiyXX0/Jg5JlSBSMlPC6ntLLPuTQ1LX1xjTfEWTMdsEFiEOwWZhtvLpuXDMEeuGHUyxEbOQ2y2sAufzVnEjF6KI3q/iJpTT4BTJL3tf4A=,iv:W2SKNNEFFLdvHmKYqKoP5oBF27xW/B2frtGQ40T+58g=,tag:u2aHIOz1heS+oigzkyMsSQ==,type:str]
     pgp:
         - created_at: "2022-07-07T06:23:23Z"
           enc: |-

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml

@@ -9,10 +9,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: kubernetes-dashboard-admin
-    namespace: kube-system
+    namespace: kubernetes-dashboard
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kubernetes-dashboard-admin
-  namespace: kube-system
+  namespace: kubernetes-dashboard
+#secrets:
+#  - name: kubernetes-dashboard-admin-token-secret

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml

@@ -12,6 +12,9 @@ ingress:
     forecastle.stakater.com/appName: Kubernetes Dashboard
     nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
     nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      proxy_pass_header Authorization;
   className: nginx
   hosts:
     - kubernetes-dashboard.${CLUSTER_FQDN}

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-token-secret.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: kubernetes-dashboard-admin-token-secret
+    namespace: kubernetes-dashboard
+    annotations:
+        kubernetes.io/service-account.name: kubernetes-dashboard-admin
+type: kubernetes.io/service-account-token
+sops:
+    kms:
+        - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
+          created_at: "2022-09-04T06:08:06Z"
+          enc: AQICAHi6LQQvIhnSAvomoXCu+jcBZlWiugdvqoPaQnWm1x1PbwFzpYbFF4rujpnseb4gl+tOAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMLXz3BI/czI81fsMCAgEQgDsDjRrBzAqDWAP+M/Fkj4OLQBsgihd7u9SlpEKW1rGchKIA8C0APZLeSmPzjDrq3qGZI6m89aDW+Omm8A==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-09-04T06:31:41Z"
+    mac: ENC[AES256_GCM,data:V+CLvIn9JqEfj2M7nuftR36eYCiEW9tEp3oemybPeJKkgV3g0m88Ez/I1UsXH4Sz4OJGp5Y/20XrlZyu2fz3/YvG3E+oLC4W7ZnoiMbbDYdylN0db6/VHEkWl5LPsolJzQ/nVkh+qrUczFwCtoCnnCEpq2sL9ckkgf+k5Rwd7Qs=,iv:d6YieHqNXSLhC6uoPBUAIyTdZTd8IZO/MCMC+TlJDiQ=,tag:Go0UOsgsV+J80j0DNRhN6g==,type:str]
+    pgp:
+        - created_at: "2022-09-04T06:08:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFOA4duewNlKmHnEAgAhBR6NxShh+eJD8/lsPtkMJhiAeV5j8wrYZbZ1lh+HV38
+            thhUYi6Uz0fj5nfp2b/tbt9B+sETr6g50rMvFFzsbLtW+QzPZfN3sqD0eVRov/rg
+            LTmm35MtwzSpdiVlgogxSTe45YS89p7UxEH8q4yohvxC4sX3mYcMlJbfCbPZH5Mf
+            LWFJmHD/OkPU5VQvkBkYF8jnSD56AVKtM9fCgoVyIYeUXjD+exQFwyL1CXmdUKLp
+            ZSLTQgnZZITlR/pxrayws2qDYX7zQ5hFwIV9IE6916trYJSkNMnhRzRTwQ+MRCo1
+            1enAqCiTaej+um4NbY9I58fXccqSMjzH+PnUGEjEigf/do21ylKtUpwvjsUywfkN
+            cGU2oUrgeSUbWs+Nm+VedEJKPahpBdxT/4vFfe3FyKChwKZJtYkuBdKwV3J6Gsbh
+            TbM4nV+dKG6IK4Slhp5X8vY72yrGHcwtn8eQXIv1m9elDO1Un5PI7s6uTaOsWb/S
+            8Bel5sxIvRjE5ovS6jbwgQE/K0oA4/oUsINQ8riGaQPMW65yi9qjFIF/8npUJJyq
+            V3FsgG+zfbyPgHnZjuUFQ4mOKORZibuvgYgG1FT+ZYRVpybrj8wVUQnjgJ3GWWkb
+            fPH797NnPqmKfU7i5aKKmUglLoN6EM43bSIoxCa4CpjjbwWfG6pX4XVSUhWfgPWU
+            3dJRAf/+3i/LSq+D3LSw8nKhC6sj5Km72/RZpZ6/xtlK44mkAA4LrRlTnq7D2I4u
+            QoM4DcPtGz5l5YHIF3pakUpj0jvO5/N4l8vB8w0N92JF4yUA
+            =4RDm
+            -----END PGP MESSAGE-----
+          fp: 431A7F3379B5B00519077B732BD87EC4BA898363
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - kubernetes-dashboard-token-secret.yaml
   - kubernetes-dashboard-clusterrolebinding.yaml
 
 generatorOptions:

clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml

@@ -12,6 +12,8 @@ ingress:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       auth_request_set $email  $upstream_http_x_auth_request_email;
       proxy_set_header X-Email $email;
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      # proxy_pass_header Authorization;
   className: nginx
   hosts:
     - host: podinfo.${CLUSTER_FQDN}

clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml

@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops

clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: main
+    branch: improve-oauth2
   secretRef:
     name: flux-system
   url: ssh://[email protected]/ruzickap/k8s-tf-eks-gitops.git

clusters/aws-dev-mgmt/mgmt02.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml

@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops