Improve oauth2

ruzickap · ruzickap · commit cc98a7d074fb · 2022-09-04T07:47:49.000+02:00
diff --git a/.github/workflows/clusters-aws-reusable-workflow.yml b/.github/workflows/clusters-aws-reusable-workflow.yml
@@ -184,11 +184,13 @@ jobs:
 
           export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
           if aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" ; then
-            kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
-            kubectl delete certificate -n cert-manager --all || true
-            kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns || true
-            kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller || true
-            kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret || true
+            (
+              kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
+              kubectl delete certificate -n cert-manager --all
+              kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns
+              kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller
+              kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret
+            ) || true
             rm "${KUBECONFIG}"
           fi
 
diff --git a/clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml b/clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml
@@ -18,6 +18,7 @@ data:
     GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:tYvGtANnxyj0Ek+rYx3062uMzKy7wYbgD1PB2zq5cqEPGdJBHvIPIsfvDdeAf849,iv:pr2tMxzcMVX33SMey7C5GX22OCfOfCofKoobpLFedlI=,tag:v7QurU2gfDOP2ctVDmxK+w==,type:str]
     KEYCLOAK_ADMIN_USERNAME: ENC[AES256_GCM,data:E2aV6AcQxNg=,iv:mtqtHWEFh+Z8fsSY9bHHSyJwjBmSyviaUN94JhkoR7M=,tag:n5qNcaT2eva0CH2PEGtcxg==,type:str]
     KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:lw7IwY0fANGD/2iYeGZmACkbM3TMsDaXjUYpasceTKIGLYGaamKPdw==,iv:YATGDhh5K9LiWQ2Dg81dIEoDUspknKJapYafuNhOQgo=,tag:86GbwBQF6Z7O51X7vDrhfA==,type:str]
+    KUBERNETES_DASHBOARD_TOKEN: ENC[AES256_GCM,data:/BHmNYpEaX8=,iv:GWZwhILYDnNgqetdAd1LZnEU1nKd8/mZMhdmgvtnHpw=,tag:EV3QwKM9q2JU0kT+Tm7P9Q==,type:str]
 sops:
     kms:
         - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
@@ -28,8 +29,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-08-27T04:28:54Z"
-    mac: ENC[AES256_GCM,data:V7oS8u9p0MzzwdMovoQhzcZh+uMt8Wy/86CQmPFD8R69gWUqjvZUVvTVR/GlEUO6rvfrwDjGTsMItVe+KRFQPPTiwlLXODaFfg+9/ctrjVLsVMPEwgd0SLdNOdFjhUR08CWqz48EB37RFy7tknEhYwwZmejy50mZ42+C9E3IMXQ=,iv:IbzeBWqiv3gy/ikXclPnZzLKVx410yh3Ue50ZNsn7CU=,tag:haQTvMSOD1hl0kFedRSL+Q==,type:str]
+    lastmodified: "2022-09-02T14:42:01Z"
+    mac: ENC[AES256_GCM,data:BCIOeAxK5+2n4jzjwpWbwf2LpBhVhf+PelDFmrmCFdEQQWaY8PiuKl5h3swa1eluym0jAeyDqIDSg/cpYSzdYEPl8WADzj7EaSuu9EbKwIwB4dNfMA6V1nrVf6XuW0BmvwzJY+MwlthINVoeQVq492ti6eEjhz2InOxFJYsckw4=,iv:EszJ1bmQ3PEt06I7wuWwhu7x9e/EUu6UoNtDFi5OA8E=,tag:Vslksfg42bqfjYPBpXMHGQ==,type:str]
     pgp:
         - created_at: "2022-07-07T06:23:23Z"
           enc: |-
diff --git a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml
@@ -9,10 +9,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: kubernetes-dashboard-admin
-    namespace: kube-system
+    namespace: kubernetes-dashboard
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kubernetes-dashboard-admin
-  namespace: kube-system
+  namespace: kubernetes-dashboard
+secrets:
+  - name: kubernetes-dashboard-admin-token-secret
diff --git a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml
@@ -12,6 +12,9 @@ ingress:
     forecastle.stakater.com/appName: Kubernetes Dashboard
     nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
     nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      proxy_pass_header Authorization;
   className: nginx
   hosts:
     - kubernetes-dashboard.${CLUSTER_FQDN}
diff --git a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-token-secret.yaml b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-token-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubernetes-dashboard-admin-token
+  namespace: kubernetes-dashboard
+  annotations:
+    kubernetes.io/service-account.name: kubernetes-dashboard-admin
+type: kubernetes.io/service-account-token
diff --git a/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml b/clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - kubernetes-dashboard-clusterrolebinding.yaml
+  - kubernetes-dashboard-token-secret.yaml
 
 generatorOptions:
   disableNameSuffixHash: true
diff --git a/clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml b/clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml
@@ -12,6 +12,8 @@ ingress:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       auth_request_set $email  $upstream_http_x_auth_request_email;
       proxy_set_header X-Email $email;
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      proxy_pass_header Authorization;
   className: nginx
   hosts:
     - host: podinfo.${CLUSTER_FQDN}
diff --git a/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml b/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml
@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops
diff --git a/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml b/clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: main
+    branch: improve-oauth2
   secretRef:
     name: flux-system
   url: ssh://git@github.com/ruzickap/k8s-tf-eks-gitops.git
diff --git a/clusters/aws-dev-mgmt/mgmt02.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml b/clusters/aws-dev-mgmt/mgmt02.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml
@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops
diff --git a/flux/cluster-apps/flux-receiver/flux-receiver-kustomization/flux-receiver-github-webhook-token-secret.yaml b/flux/cluster-apps/flux-receiver/flux-receiver-kustomization/flux-receiver-github-webhook-token-secret.yaml
@@ -4,4 +4,4 @@ metadata:
   name: github-webhook-token
   namespace: flux-system
 data:
-  token: ${GITHUB_WEBHOOK_TOKEN_BASE64}
+  token: ${FLUX_GITHUB_WEBHOOK_TOKEN_BASE64}
diff --git a/terraform/aws-mgmt/data.tf b/terraform/aws-mgmt/data.tf
@@ -38,7 +38,7 @@ data "http" "argo-cd_core-install" {
 }
 
 data "kubectl_file_documents" "argo-cd_core-install" {
-  content = data.http.argo-cd_core-install.body
+  content = data.http.argo-cd_core-install.response_body
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/terraform/aws-mgmt/eks.tf b/terraform/aws-mgmt/eks.tf
@@ -530,17 +530,17 @@ resource "kubernetes_secret" "flux_cluster_apps_terraform_secret" {
   }
 
   data = {
-    AWS_ACCOUNT_ID              = data.aws_caller_identity.current.account_id
-    AWS_DEFAULT_REGION          = var.aws_default_region
-    AWS_PARTITION               = data.aws_partition.current.id
-    CLUSTER_FQDN                = var.cluster_fqdn
-    CLUSTER_NAME                = local.cluster_name
-    ROOT_DOMAIN                 = local.root_domain
-    CLUSTER_PATH                = var.cluster_path
-    EMAIL                       = var.email
-    ENVIRONMENT                 = var.environment
-    GITHUB_WEBHOOK_TOKEN_BASE64 = base64encode(random_id.github_webhook_flux_secret.hex)
-    LETSENCRYPT_ENVIRONMENT     = var.letsencrypt_environment
+    AWS_ACCOUNT_ID                   = data.aws_caller_identity.current.account_id
+    AWS_DEFAULT_REGION               = var.aws_default_region
+    AWS_PARTITION                    = data.aws_partition.current.id
+    CLUSTER_FQDN                     = var.cluster_fqdn
+    CLUSTER_NAME                     = local.cluster_name
+    ROOT_DOMAIN                      = local.root_domain
+    CLUSTER_PATH                     = var.cluster_path
+    EMAIL                            = var.email
+    ENVIRONMENT                      = var.environment
+    FLUX_GITHUB_WEBHOOK_TOKEN_BASE64 = base64encode(random_id.github_webhook_flux_secret.hex)
+    LETSENCRYPT_ENVIRONMENT          = var.letsencrypt_environment
     # Environment=dev,Team=test
     TAGS_INLINE = local.tags_inline
   }
