Improve oauth2

Author: ruzickap

.github/workflows/clusters-aws-reusable-workflow.yml

@@ -184,11 +184,13 @@ jobs:
 
           export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
           if aws eks update-kubeconfig --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" ; then
-            kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
-            kubectl delete certificate -n cert-manager --all || true
-            kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns || true
-            kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller || true
-            kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret || true
+            (
+              kubectl patch kustomization -n flux-system external-dns ingress-nginx cert-manager-certificate --type='json' -p='[{"op": "add", "path": "/spec/suspend", "value":true}]'
+              kubectl delete certificate -n cert-manager --all
+              kubectl delete deployments -n external-dns -l app.kubernetes.io/name=external-dns
+              kubectl delete service -n ingress-nginx -l app.kubernetes.io/component=controller
+              kubectl delete secrets.secretsmanager.aws.crossplane.io -n crossplane-system secretsmanager-kuard-secret
+            ) || true
             rm "${KUBECONFIG}"
           fi
 

clusters/aws-dev-mgmt/flux/cluster-apps-secrets/cluster-apps-secrets.yaml

@@ -18,6 +18,7 @@ data:
     GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:tYvGtANnxyj0Ek+rYx3062uMzKy7wYbgD1PB2zq5cqEPGdJBHvIPIsfvDdeAf849,iv:pr2tMxzcMVX33SMey7C5GX22OCfOfCofKoobpLFedlI=,tag:v7QurU2gfDOP2ctVDmxK+w==,type:str]
     KEYCLOAK_ADMIN_USERNAME: ENC[AES256_GCM,data:E2aV6AcQxNg=,iv:mtqtHWEFh+Z8fsSY9bHHSyJwjBmSyviaUN94JhkoR7M=,tag:n5qNcaT2eva0CH2PEGtcxg==,type:str]
     KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:lw7IwY0fANGD/2iYeGZmACkbM3TMsDaXjUYpasceTKIGLYGaamKPdw==,iv:YATGDhh5K9LiWQ2Dg81dIEoDUspknKJapYafuNhOQgo=,tag:86GbwBQF6Z7O51X7vDrhfA==,type:str]
+    KUBERNETES_DASHBOARD_TOKEN: ENC[AES256_GCM,data:HLoPXDudYnTNknccyC9tVo0MeUjOf6CU9yHETgwKjL7Qo1cgiHhBTm122UJztWRYxxmzWtCNfLmVNnph699/EdUzWS+pTFll43eRNE+EAdLv75lAC4L5v5k3tmcVBzHAWy5ikzcZInAFhMVHqlvcf4I7wp+Yuw5tneUf/yECHrDcIzTa24a5sqALekpaPiqPPsq4E+LLEPPrzAGT7bEmIOjx7DUlqPyDhjw/Hx3NKhQ1ww72PZxMqVEsFk4aI/cELem8K7Pi3ciOmyoplbEgwMN2c3E+18y9WTmEE6FAvyWrrp1uWE/C5dzo5F/N3vH3zpOV4BOUlXUN6BwdekeroMwyEa2NsBcMxQLu2e3tc4wMHpOaFxPoQdvPc9lIhJB9+x+/11bs5REJ2WcZLP8xteHCaqL60PXzoMJHQB4WAXKsOy99HOdERb6424Xw1+QZL2LVJXRPblbqpCW75WNxi1IrToADMX0DgTjLLowJSVurKBWNw0cDRoEpVVOdSgvUAn0ZpGLEliorEoW2kUz8iL9UHvnoSNQDCPqKOpsyBZP6/Aopy0NLiWQLP0wxg+g03VqsMuGjEw8M/ilaIpEoSX5sDkfGTV6WnubiQMDRd2sEEM10Vhe5BJXqZry3OrrPmJkHp3jGegXh90RKdBZwfYU8v8NmcqI+7/Z4XDrwJjzenXYgPdWsEeu5CNQUw0LUHa14JdAMqwhH3gOIE/pEfLHnbtzi6MMyTKdadfWOrNtFaPe15i2mA8BWFyhLIi814MzkPxpK0FmkosgL3gR9kbRMNj8wuNAhEzRGbDfpQdqddnIKzaEl9O56UeV+CUYv2esyiFth2GjkQ1vqYyxn/20cH2ufzTf26vRpHn6lv2NR8GOdMwqrs2NoskxTfOkUL6ShJJe3Qw4BLAKMY4fuB14MdAw8PH6um++vBGjzsO8oHuJauIkY5SXICAoUgmZrhWYlBGuHn6XACAUeoELbWkBhuLglYPPDKnqDNQGNtLEwNU02di2fSlVfEa+4gcyOK0Gmyp79nA+aAdDbm36cKg7v34v9WGr3s0JkapnyRImhW7G31I4wV6UCXVyVSMCPTQMcxhkchHbJLad6pL/D7vI8y+iiqDDCOSHmXl1PExclaYwTnRgtAwsM7y6Bf79ZWL7+ZuHKeWJCsUqUSk+ZSziPsxp9mW1foM+hUoxhhmo6g86SlQIEV+w+cZsF9AuSqY96eR0fCX6dPyFdI/NidMJ13IuylYzaygriHoHoy651xfJU3+aKvpoKLuhnd+Ry/1LJfD8Su9rv9loegojtCk++x2UT0x8iliL08kjx6f3/2/o+EtqXlCFaJzfVzpq1WqJTULOLoyK5kNC+74wXcvDx7V1scA5DdjEm3iXi6MK3Qw22fn81//igEzzfcX9hEU8/7/4VvU75MLkuDxlAx6aj8t4doeK0OQYMSTtAQQc0rrkQ45sy8y12pS0CwsTu7bYzfcQbeUI5z4SQVsVXG11c2uzcjdlvvegCV2dgm1jHd19i6sYw5tON/nG49RkWTgbJQ6tHnvcWBOo2uBxUZI2YWTCAlzDr5qkuxdYGIIxPTjL931MPnrzRiyuFS4OsS2UAteRoGvN0hyMct8iEo5Yjk/mbD2AcO8owHJLNA4tjkksx+yvrMVlMI74TgwdZAV0X8UNiG+MoD+9/htSj2aGFOI1w1XxcwARHCavAb3v3u/o7sAQ13IOud6EtR2d65d0tJJhqG2aNuddypgWiLrtS7DibecR+uw3zoj4rlANCI7KCeojGOoMs5HRcNXHB5AlUWGfvdVY=,iv:ktFS/EfTaO8cnIR8I1XUcDy8k9oN48nYCmyIM3zO15M=,tag:Xqta8yz/DmPkZDLNNMN0yw==,type:str]
 sops:
     kms:
         - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
@@ -28,8 +29,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-08-27T04:28:54Z"
-    mac: ENC[AES256_GCM,data:V7oS8u9p0MzzwdMovoQhzcZh+uMt8Wy/86CQmPFD8R69gWUqjvZUVvTVR/GlEUO6rvfrwDjGTsMItVe+KRFQPPTiwlLXODaFfg+9/ctrjVLsVMPEwgd0SLdNOdFjhUR08CWqz48EB37RFy7tknEhYwwZmejy50mZ42+C9E3IMXQ=,iv:IbzeBWqiv3gy/ikXclPnZzLKVx410yh3Ue50ZNsn7CU=,tag:haQTvMSOD1hl0kFedRSL+Q==,type:str]
+    lastmodified: "2022-09-04T06:46:32Z"
+    mac: ENC[AES256_GCM,data:27imx/98CYjJuufW7FqbRYcI2506m66FmM7AT2tYYw3wEO1IE02SrupbsDrrmFP3ivR2ZwQyBx/BnMdhw1Q9+EcT3xLQ5nAfx/ERoRp5PwUOJQnAnhwEO5ogROVkoJi+lwZMyphvOFz4VkljM4Dnod0Ub3FA3zkkmpOn4BhHz1Y=,iv:YsIxpSoBsg5Ky4iKZcpNiXPa6v+P8MLkqjL24ceuIu0=,tag:KTWVKeMV7y3F7SYKnVNH4g==,type:str]
     pgp:
         - created_at: "2022-07-07T06:23:23Z"
           enc: |-

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-clusterrolebinding.yaml

@@ -9,10 +9,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: kubernetes-dashboard-admin
-    namespace: kube-system
+    namespace: kubernetes-dashboard
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kubernetes-dashboard-admin
-  namespace: kube-system
+  namespace: kubernetes-dashboard
+#secrets:
+#  - name: kubernetes-dashboard-admin-token-secret

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-group-helmrelease-values.yaml

@@ -12,6 +12,9 @@ ingress:
     forecastle.stakater.com/appName: Kubernetes Dashboard
     nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
     nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      proxy_pass_header Authorization;
   className: nginx
   hosts:
     - kubernetes-dashboard.${CLUSTER_FQDN}

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kubernetes-dashboard-token-secret.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: kubernetes-dashboard-admin-token-secret
+    namespace: kubernetes-dashboard
+    annotations:
+        kubernetes.io/service-account.name: kubernetes-dashboard-admin
+type: kubernetes.io/service-account-token
+sops:
+    kms:
+        - arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
+          created_at: "2022-09-04T06:08:06Z"
+          enc: AQICAHi6LQQvIhnSAvomoXCu+jcBZlWiugdvqoPaQnWm1x1PbwFzpYbFF4rujpnseb4gl+tOAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMLXz3BI/czI81fsMCAgEQgDsDjRrBzAqDWAP+M/Fkj4OLQBsgihd7u9SlpEKW1rGchKIA8C0APZLeSmPzjDrq3qGZI6m89aDW+Omm8A==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-09-04T06:31:41Z"
+    mac: ENC[AES256_GCM,data:V+CLvIn9JqEfj2M7nuftR36eYCiEW9tEp3oemybPeJKkgV3g0m88Ez/I1UsXH4Sz4OJGp5Y/20XrlZyu2fz3/YvG3E+oLC4W7ZnoiMbbDYdylN0db6/VHEkWl5LPsolJzQ/nVkh+qrUczFwCtoCnnCEpq2sL9ckkgf+k5Rwd7Qs=,iv:d6YieHqNXSLhC6uoPBUAIyTdZTd8IZO/MCMC+TlJDiQ=,tag:Go0UOsgsV+J80j0DNRhN6g==,type:str]
+    pgp:
+        - created_at: "2022-09-04T06:08:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFOA4duewNlKmHnEAgAhBR6NxShh+eJD8/lsPtkMJhiAeV5j8wrYZbZ1lh+HV38
+            thhUYi6Uz0fj5nfp2b/tbt9B+sETr6g50rMvFFzsbLtW+QzPZfN3sqD0eVRov/rg
+            LTmm35MtwzSpdiVlgogxSTe45YS89p7UxEH8q4yohvxC4sX3mYcMlJbfCbPZH5Mf
+            LWFJmHD/OkPU5VQvkBkYF8jnSD56AVKtM9fCgoVyIYeUXjD+exQFwyL1CXmdUKLp
+            ZSLTQgnZZITlR/pxrayws2qDYX7zQ5hFwIV9IE6916trYJSkNMnhRzRTwQ+MRCo1
+            1enAqCiTaej+um4NbY9I58fXccqSMjzH+PnUGEjEigf/do21ylKtUpwvjsUywfkN
+            cGU2oUrgeSUbWs+Nm+VedEJKPahpBdxT/4vFfe3FyKChwKZJtYkuBdKwV3J6Gsbh
+            TbM4nV+dKG6IK4Slhp5X8vY72yrGHcwtn8eQXIv1m9elDO1Un5PI7s6uTaOsWb/S
+            8Bel5sxIvRjE5ovS6jbwgQE/K0oA4/oUsINQ8riGaQPMW65yi9qjFIF/8npUJJyq
+            V3FsgG+zfbyPgHnZjuUFQ4mOKORZibuvgYgG1FT+ZYRVpybrj8wVUQnjgJ3GWWkb
+            fPH797NnPqmKfU7i5aKKmUglLoN6EM43bSIoxCa4CpjjbwWfG6pX4XVSUhWfgPWU
+            3dJRAf/+3i/LSq+D3LSw8nKhC6sj5Km72/RZpZ6/xtlK44mkAA4LrRlTnq7D2I4u
+            QoM4DcPtGz5l5YHIF3pakUpj0jvO5/N4l8vB8w0N92JF4yUA
+            =4RDm
+            -----END PGP MESSAGE-----
+          fp: 431A7F3379B5B00519077B732BD87EC4BA898363
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

clusters/aws-dev-mgmt/flux/cluster-apps/kubernetes-dashboard/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - kubernetes-dashboard-token-secret.yaml
   - kubernetes-dashboard-clusterrolebinding.yaml
 
 generatorOptions:

clusters/aws-dev-mgmt/flux/cluster-apps/podinfo/podinfo-group-helmrelease-values.yaml

@@ -12,6 +12,8 @@ ingress:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       auth_request_set $email  $upstream_http_x_auth_request_email;
       proxy_set_header X-Email $email;
+      proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
+      # proxy_pass_header Authorization;
   className: nginx
   hosts:
     - host: podinfo.${CLUSTER_FQDN}

clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml

@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops

clusters/aws-dev-mgmt/mgmt01.k8s.use1.dev.proj.aws.mylabs.dev/flux/flux-system/gotk-sync.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: main
+    branch: improve-oauth2
   secretRef:
     name: flux-system
   url: ssh://[email protected]/ruzickap/k8s-tf-eks-gitops.git

clusters/aws-dev-mgmt/mgmt02.k8s.use1.dev.proj.aws.mylabs.dev/flux/cluster-apps-kustomization.yaml

@@ -25,3 +25,5 @@ spec:
         name: cluster-apps-secrets
       - kind: Secret
         name: cluster-apps-group-secrets
+  decryption:
+    provider: sops