Commit aea52ec

Improve oauth2
1 parent cf1a8c1 commit aea52ec

13 files changed

+86
-23
lines changed


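--- a/.github/workflows/clusters-aws-reusable-workflow.yml
+++ b/.github/workflows/clusters-aws-reusable-workflow.yml
@@ -184,11 +184,13 @@ jobs:
 
 export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
 if aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" ; then
-kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
-kubectl delete certificate -n cert-manager --all || true
-kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns || true
-kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller || true
-kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret || true
+(
+kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
+kubectl delete certificate -n cert-manager --all
+kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns
+kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller
+kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret
+) || true
 rm "${KUBECONFIG}"
 fi
 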
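Review bot: Moving `kubectl patch` into the `( … ) || true` group makes a failed suspend of the external-dns, ingress-nginx and cert-manager-certificate Kustomizations silent, whereas before it aborted the step; under bash `-e` the subshell's remaining commands keep running after the patch fails, so the Service and Deployment deletions proceed while Flux is still reconciling and can reapply them, which is exactly the case that leaves load balancers and DNS records behind at teardown. The `run:` block this hunk belongs to starts outside the hunk, so I cannot see whether a later step checks for leftovers. Keep the patch outside the group and make its failure visible, e.g. `kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]' || echo "::warning::Flux kustomizations not suspended, cleanup may be undone by reconciliation"`, and apply `|| true` to the delete group only.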

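--- a/clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml
+++ b/clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml
@@ -18,6 +18,7 @@ data:
 GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:tYvGtANnxyj0Ek+rYx3062uMzKy7wYbgD1PB2zq5cqEPGdJBHvIPIsfvDdeAf849,iv:pr2tMxzcMVX33SMey7C5GX22OCfOfCofKoobpLFedlI=,tag:v7QurU2gfDOP2ctVDmxK+w==,type:str]
 KEYCLOAK_ADMIN_USERNAME: ENC[AES256_GCM,data:E2aV6AcQxNg=,iv:mtqtHWEFh+Z8fsSY9bHHSyJwjBmSyviaUN94JhkoR7M=,tag:n5qNcaT2eva0CH2PEGtcxg==,type:str]
 KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:lw7IwY0fANGD/2iYeGZmACkbM3TMsDaXjUYpasceTKIGLYGaamKPdw==,iv:YATGDhh5K9LiWQ2Dg81dIEoDUspknKJapYafuNhOQgo=,tag:86GbwBQF6Z7O51X7vDrhfA==,type:str]
+KUBERNETES_DASHBOARD_TOKEN: ENC[AES256_GCM,data:/BHmNYpEaX8=,iv:GWZwhILYDnNgqetdAd1LZnEU1nKd8/mZMhdmgvtnHpw=,tag:EV3QwKM9q2JU0kT+Tm7P9Q==,type:str]
 sops:
 kms:
 - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
@@ -28,8 +29,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
-lastmodified: "2022-08-27T04:28:54Z"
-mac: ENC[AES256_GCM,data:V7oS8u9p0MzzwdMovoQhzcZh+uMt8Wy/86CQmPFD8R69gWUqjvZUVvTVR/GlEUO6rvfrwDjGTsMItVe+KRFQPPTiwlLXODaFfg+9/ctrjVLsVMPEwgd0SLdNOdFjhUR08CWqz48EB37RFy7tknEhYwwZmejy50mZ42+C9E3IMXQ=,iv:IbzeBWqiv3gy/ikXclPnZzLKVx410yh3Ue50ZNsn7CU=,tag:haQTvMSOD1hl0kFedRSL+Q==,type:str]
+lastmodified: "2022-09-02T14:42:01Z"
+mac: ENC[AES256_GCM,data:BCIOeAxK5+2n4jzjwpWbwf2LpBhVhf+PelDFmrmCFdEQQWaY8PiuKl5h3swa1eluym0jAeyDqIDSg/cpYSzdYEPl8WADzj7EaSuu9EbKwIwB4dNfMA6V1nrVf6XuW0BmvwzJY+MwlthINVoeQVq492ti6eEjhz2InOxFJYsckw4=,iv:EszJ1bmQ3PEt06I7wuWwhu7x9e/EUu6UoNtDFi5OA8E=,tag:Vslksfg42bqfjYPBpXMHGQ==,type:str]
 pgp:
 - created_at: "2022-07-07T06:23:23Z"
 enc: |-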
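Review bot: `KUBERNETES_DASHBOARD_TOKEN` is added to the Secret that Flux appears to use for variable substitution, and its only consumers in this commit are the ingress-nginx snippet annotations in the kubernetes-dashboard and podinfo values files; after substitution the decrypted token sits in plaintext in those Ingress objects' annotations and in the controller's rendered nginx.conf, so the sops protection ends at the repository boundary. Any principal with read access to Ingresses in those namespaces, or to the ingress-nginx pod, can then read a token for the `kubernetes-dashboard-admin` service account (the ClusterRoleBinding's `roleRef` is outside the visible hunks, so I cannot confirm how broad its rights are). Since sops keeps YAML comments in clear, a comment next to the key would help, e.g. `# Substituted by Flux into Ingress annotations; the value is visible in the Ingress objects and in nginx.conf, not only in this Secret`, together with a check of who can read Ingresses in the kubernetes-dashboard and podinfo namespaces.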

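--- a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml
+++ b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml
@@ -9,10 +9,13 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: kubernetes-dashboard-admin
-namespace: kube-system
+namespace: kubernetes-dashboard
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: kubernetes-dashboard-admin
-namespace: kube-system
+namespace: kubernetes-dashboard
+secrets:
+- name: kubernetes-dashboard-admin-token-secret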
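Review bot: The `secrets:` entry on the ServiceAccount names `kubernetes-dashboard-admin-token-secret`, but the Secret added in this commit has `metadata.name: kubernetes-dashboard-admin-token` (its file is `kubernetes-dashboard-token-secret.yaml` per the kustomization hunk), so the reference is dangling. The token controller links the Secret through its `kubernetes.io/service-account.name` annotation regardless of this list, so nothing breaks outright, but the mismatch misleads anyone auditing which Secrets hold a token for this account; change the line to `- name: kubernetes-dashboard-admin-token` or drop the `secrets:` block. The `roleRef` this binding grants is outside the hunk.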

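--- a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml
+++ b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml
@@ -12,6 +12,9 @@ ingress:
 forecastle.stakater.com/appName: Kubernetes Dashboard
 nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
 nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
+nginx.ingress.kubernetes.io/auth-snippet: |
+proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+proxy_pass_header Authorization;
 className: nginx
 hosts:
 - kubernetes-dashboard.${CLUSTER_FQDN}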
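Review bot: `nginx.ingress.kubernetes.io/auth-snippet` is injected into the internal `auth_request` location that ingress-nginx generates for the `auth-url` call, not into the location that proxies to the dashboard, so as far as I can tell from the ingress-nginx annotation docs the Authorization header built here is sent to oauth2-proxy's `/oauth2/auth` rather than to the dashboard; the podinfo values in the same commit use `configuration-snippet`, which does reach the upstream, so the two files disagree. If the intent is dashboard auto-login with the service-account token, `nginx.ingress.kubernetes.io/configuration-snippet: |` with the same `proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";` line is the matching annotation — please confirm against the rendered nginx.conf. `proxy_pass_header` only controls response headers passed back to the client and has no effect on a request header, so `proxy_pass_header Authorization;` can be dropped. Either way the substituted token ends up in clear in the Ingress annotation and in nginx.conf, which deserves a comment above the annotation saying so.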
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
apiVersion: v1
2+
kind: Secret
3+
metadata:
4+
name: kubernetes-dashboard-admin-token
5+
namespace: kubernetes-dashboard
6+
annotations:
7+
kubernetes.io/service-account.name: kubernetes-dashboard-admin
8+
data:
9+
ca.crt: ENC[AES256_GCM,data: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,iv:rcm808lPUK9FdC+8yyfYRv7EmBPJaZHoWyrMil/VfWc=,tag:Dw26Rfu9ab3aavzCS3+igQ==,type:str]
10+
namespace: ENC[AES256_GCM,data:xFCVQEa1vnU129bL4BGhP6mNUyDGWVaKagIzZw==,iv:eTpmeH5s/M8bh1lWnbFFRd7kGt3sj0iw1lOgpjCU+0E=,tag:eVzoPsV22QZzD43Lv6FSIw==,type:str]
11+
token: ENC[AES256_GCM,data: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,iv:BhVtp7ETOjZ1HsOMLEmGKs2QMc6MR2KPdbAEIOOTPss=,tag:L/Wb6gfgri11fabioqPj2Q==,type:str]
12+
type: kubernetes.io/service-account-token
13+
sops:
14+
kms:
15+
- arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
16+
created_at: "2022-09-02T10:33:43Z"
17+
enc: AQICAHi6LQQvIhnSAvomoXCu+jcBZlWiugdvqoPaQnWm1x1PbwET13eF16igAYA47X9hYGsZAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMpU80vKyZfR0qrqVHAgEQgDt1iyQmpr0+lfE6TPKNIJRva2/uaHi9N+hNppPKetsII3X/htXKG2NWDe7B6fIxjInlt25XYOVyqGR4PQ==
18+
aws_profile: ""
19+
gcp_kms: []
20+
azure_kv: []
21+
hc_vault: []
22+
age: []
23+
lastmodified: "2022-09-02T14:50:18Z"
24+
mac: ENC[AES256_GCM,data:pBFzeQdYleNKl/ULBBjEk7P+6twFv1igC3BGLSF/eLOmIlPw+Xn5GxPynT8fsIooEQ/66cirluV+SV8QYZq2A5lhInrkQl3jfsuDiNxXKX4tQJ4vMNQJMVATOkqFxeroNcWjFfTRos4JmEOVQX9xwT0qJx6dRAMHsLZi967B+OQ=,iv:AFZmzk/BIg/D8WV0o327nRpWF2atqOZVWG5kPl0Igzk=,tag:PXpQZKMTNp+dbCqUk2KPuw==,type:str]
25+
pgp:
26+
- created_at: "2022-09-02T10:33:43Z"
27+
enc: |-
28+
-----BEGIN PGP MESSAGE-----
29+
30+
wcFOA4duewNlKmHnEAgAjg1eW+6OkzlmsCXQ/LKl2qqFdegj9A9NEvkvRsrfOZyj
31+
/35ezxQrjB4QSZJNM/fdCEDClNYUjD1gUzkIQRJN6CdjeBkQUgNdJseZ9dRJBwHN
32+
XAF4JWCRCGfuy3DfkGTN1olhkCwXABnUEd5bjAfHPZv/a5cGglKYd/dqwzHSamET
33+
uaEVkI8wIMGmJjRzfTbsEXaI1UYOxbl8N2u1crqCmtDcbEd67ptv/ZNpXXp45+p5
34+
LdNQCY0mqtmBDUZaaQUr184yf08NRHIc9/D3z08IuCfAuslHqmlQZQDzpXVcKgNh
35+
HhA5ijPWIbDDyotDKhE9M6XMKQ0xS0n/kGaPB1cblAf+IMEtKiHHRzP8oJhmfOna
36+
g4saeDnuDRbll1r9cVt0NDJKT/ssw5fz/yJjcB2OQMmxFJIOdOuvIQf8ZfIXrYLo
37+
z6l6HHJhCQjjcoY49U8rskZZbdXx5h40jqSQSvHnV5u99O0Rk1+JG67SD72EaPhF
38+
JY2HP6SJ1/zXd/k/P4wRjSIpuLJBgL0pKShlJwu7inj2I9Pba8KXuXt1Z6E3xkHN
39+
t1Y+0PJT9zP3SRN+vFBa1XGHgZtV8HjnIPtdGP6aw3JEOqvQa0n5nne3avvIKDl5
40+
+1+16Aubi7yhrPmPbVMgwT5lcW/z1McJbqqCNKA+cIhWY6/BrHVCZZxysIpHtMVC
41+
iNJRAUa6l58gSXele7Gwm97TLJKyMTxb6ZWd3XFMtG6OELlxx5JOHwynF7iouqgr
42+
WbBcvR2LZPgdcN0aZGa9tUQwaw/A7KVfEbKVegBhfU3n6wni
43+
=X6kE
44+
-----END PGP MESSAGE-----
45+
fp: 431A7F3379B5B00519077B732BD87EC4BA898363
46+
encrypted_regex: ^(data|stringData)$
47+
version: 3.7.3
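Review bot: This file commits a `kubernetes.io/service-account-token` Secret with a pre-populated `token`, which is a non-expiring credential for `kubernetes-dashboard-admin`; once decrypted it can only be invalidated by deleting the Secret, and rotating it means re-encrypting both this file and `KUBERNETES_DASHBOARD_TOKEN` in cluster-apps-secrets.yaml. The `kubernetes.io/service-account.name` annotation already makes the token controller fill `token`, `ca.crt` and `namespace` in-cluster, so the `data` block is only needed because the same value is substituted elsewhere, and `ca.crt` and `namespace` are not secret and need no encryption. A comment above `data:` stating that the token is long-lived, where else it is stored, and how to rotate it would help the next maintainer. This section has no file header on the page; from the kustomization hunk it is presumably `kubernetes-dashboard-token-secret.yaml`.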

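--- a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml
+++ b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - kubernetes-dashboard-clusterrolebinding.yaml
+- kubernetes-dashboard-token-secret.yaml
 
 generatorOptions:
 disableNameSuffixHash: true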

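--- a/clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml
+++ b/clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml
@@ -12,6 +12,8 @@ ingress:
 nginx.ingress.kubernetes.io/configuration-snippet: |
 auth_request_set $email $upstream_http_x_auth_request_email;
 proxy_set_header X-Email $email;
+proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+proxy_pass_header Authorization;
 className: nginx
 hosts:
 - host: podinfo.${CLUSTER_FQDN}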
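Review bot: The new `proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";` in the podinfo configuration-snippet forwards the dashboard admin service-account token to podinfo, which has no use for it; podinfo echoes the request headers it receives on endpoints such as `/headers`, so any user who passes oauth2-proxy can read the token in the response, and it will also appear in podinfo's request logs. Unless podinfo is meant to call the API server with it, remove both added lines from this file. `proxy_pass_header Authorization;` is a no-op for request headers in any case.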

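--- a/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml
+++ b/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml
@@ -25,3 +25,5 @@ spec:
 name: cluster-apps-secrets
 - kind: Secret
 name: cluster-apps-group-secrets
+decryption:
+provider: sops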
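Review bot: `decryption: provider: sops` is added without a `secretRef`, so kustomize-controller has no in-cluster key material and can only decrypt the new sops files if it reaches the AWS KMS key through the pod's IAM identity; the sops metadata in this commit lists both a KMS ARN (`arn:aws:kms:eu-central-1:729560437327:alias/sops`) and a PGP fingerprint, so which path is intended is not visible here. If IAM-based KMS access is the design, a comment such as `# no secretRef: decryption relies on kustomize-controller's IAM role for the sops KMS key` would make it explicit; otherwise add `secretRef:` with `name: <sops-key-secret>` (placeholder). The identical hunk in the mgmt02 cluster-apps-kustomization.yaml has the same gap. The rendered page drops indentation, so I cannot confirm that `decryption` nests under `spec`.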

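--- a/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml
+++ b/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 interval: 1m0s
 ref:
-branch: main
+branch: improve-oauth2
 secretRef:
 name: flux-system
 url: ssh://[email protected]/ruzickap/k8s-tf-eks-gitops.git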
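Review bot: `branch: improve-oauth2` points mgmt01's GitRepository at the feature branch; if this is merged as-is the cluster keeps tracking a branch that disappears after merge and reconciliation stalls, while mgmt02's gotk-sync.yaml is unchanged and stays on `main`. This looks like a test-time change: restore `branch: main` before merging, or if pinning is intended document it with `# temporary: tracking the feature branch for testing, revert to main before merge`.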

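--- a/clusters/aws-dev-mgmt/mgmt02.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml
+++ b/clusters/aws-dev-mgmt/mgmt02.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml
@@ -25,3 +25,5 @@ spec:
 name: cluster-apps-secrets
 - kind: Secret
 name: cluster-apps-group-secrets
+decryption:
+provider: sops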
