This repository was archived by the owner on Jun 12, 2024. It is now read-only.
Expand Up @@ -18,6 +18,7 @@ data:
GOOGLE_CLIENT_SECRET: ENC[AES256_GCM,data:tYvGtANnxyj0Ek+rYx3062uMzKy7wYbgD1PB2zq5cqEPGdJBHvIPIsfvDdeAf849,iv:pr2tMxzcMVX33SMey7C5GX22OCfOfCofKoobpLFedlI=,tag:v7QurU2gfDOP2ctVDmxK+w==,type:str]
KEYCLOAK_ADMIN_USERNAME: ENC[AES256_GCM,data:E2aV6AcQxNg=,iv:mtqtHWEFh+Z8fsSY9bHHSyJwjBmSyviaUN94JhkoR7M=,tag:n5qNcaT2eva0CH2PEGtcxg==,type:str]
KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:lw7IwY0fANGD/2iYeGZmACkbM3TMsDaXjUYpasceTKIGLYGaamKPdw==,iv:YATGDhh5K9LiWQ2Dg81dIEoDUspknKJapYafuNhOQgo=,tag:86GbwBQF6Z7O51X7vDrhfA==,type:str]
KUBERNETES_DASHBOARD_TOKEN: ENC[AES256_GCM,data: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,iv:LHoeiXAFWLKSwq5ivgWv01canLo418G7EDFIl5CpNy0=,tag:iIXIG2Jq1Wb2PnDvRGxhDw==,type:str]
sops:
kms:
- arn: arn:aws:kms:eu-central-1:729560437327:alias/sops
Expand All @@ -28,8 +29,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-08-27T04:28:54Z"
mac: ENC[AES256_GCM,data:V7oS8u9p0MzzwdMovoQhzcZh+uMt8Wy/86CQmPFD8R69gWUqjvZUVvTVR/GlEUO6rvfrwDjGTsMItVe+KRFQPPTiwlLXODaFfg+9/ctrjVLsVMPEwgd0SLdNOdFjhUR08CWqz48EB37RFy7tknEhYwwZmejy50mZ42+C9E3IMXQ=,iv:IbzeBWqiv3gy/ikXclPnZzLKVx410yh3Ue50ZNsn7CU=,tag:haQTvMSOD1hl0kFedRSL+Q==,type:str]
lastmodified: "2022-09-11T06:27:31Z"
mac: ENC[AES256_GCM,data:rVMechYFEBQ+liKsE8UjBX75EySF7mKaoVqT3wFROpOFTZ2Ef7A0vw798a70dR/6/bPCxqMo95vP+QoBL64CMXWjl4xi/zf4ex8rKdI34tj8k/MMfzy/sOHmbiAoHh6m7wT5leieszsqpyGnK4Rq/mgh+/BTZvEhhLB0A+1L/R8=,iv:2KJNy0SDABIf7CAJmc2PK3E9+PdI8VlhZ+R9QkTWlKo=,tag:6EWhTF8yF11NQYsdhATe9Q==,type:str]
pgp:
- created_at: "2022-07-07T06:23:23Z"
enc: |-
@@ -1,18 +1,74 @@
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
# name: kubernetes-dashboard-admin
# labels:
# app: kubernetes-dashboard
# roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: ClusterRole
# name: cluster-admin
# subjects:
# - kind: ServiceAccount
# name: kubernetes-dashboard-admin
# namespace: kubernetes-dashboard
# ---
# apiVersion: v1
# kind: ServiceAccount
# metadata:
# name: kubernetes-dashboard-admin
# namespace: kubernetes-dashboard
# secrets:
# - name: kubernetes-dashboard-admin-token-secret
#
#
#
# ---
#
#
#
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: Role
metadata:
name: kubernetes-dashboard-admin
name: kubernetes-dashboard-podinfo-read-only
namespace: podinfo
rules:
- apiGroups:
- ""
- extensions
- apps
resources:
- deployments
- namespaces
- pods
- replicasets
- services
verbs:
- describe
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-podinfo-read-only
namespace: podinfo
labels:
app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
kind: Role
name: kubernetes-dashboard-podinfo-read-only
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard-admin
namespace: kube-system
name: kubernetes-dashboard-podinfo-read-only
namespace: podinfo
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-dashboard-admin
namespace: kube-system
name: kubernetes-dashboard-podinfo-read-only
namespace: podinfo
# secrets:
# - name: kubernetes-dashboard-podinfo-read-only-token-secret
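Review bot: In the `verbs` list of the new `kubernetes-dashboard-podinfo-read-only` Role, `describe` is not a Kubernetes API verb (`kubectl describe` is served by `get` and `list`), so the entry grants nothing and makes the Role read as broader than it is; the list should be `get`, `list`, `watch`. `namespaces` is a cluster-scoped resource, so a namespaced Role cannot grant `list` or `watch` on it, and the dashboard's namespace selector will probably stay empty for this account. The commented-out `cluster-admin` ClusterRoleBinding kept at the top of the file is better deleted than left where uncommenting re-enables it; git history already preserves it.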
@@ -1,25 +1,28 @@
# https://github.com/kubernetes/dashboard/blob/master/aio/deploy/helm-chart/kubernetes-dashboard/values.yaml
extraArgs:
- --enable-skip-login
- --enable-insecure-login
- --disable-settings-authorizer
# - --disable-settings-authorizer
protocolHttp: true
ingress:
enabled: true
annotations:
forecastle.stakater.com/expose: "true"
forecastle.stakater.com/icon: "https://kubernetes.io/images/kubernetes-horizontal-color.png"
forecastle.stakater.com/appName: Kubernetes Dashboard
nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
# forecastle.stakater.com/expose: "true"
# forecastle.stakater.com/icon: "https://kubernetes.io/images/kubernetes-horizontal-color.png"
# forecastle.stakater.com/appName: Kubernetes Dashboard
# nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
# nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=$scheme://$host$request_uri
nginx.ingress.kubernetes.io/auth-snippet: |
auth_request_set $token $upstream_http_authorization;
proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
proxy_pass_header Authorization;
className: nginx
hosts:
- kubernetes-dashboard.${CLUSTER_FQDN}
tls:
- hosts:
- kubernetes-dashboard.${CLUSTER_FQDN}
settings:
clusterName: ${CLUSTER_FQDN}
itemsPerPage: 50
metricsScraper:
enabled: true
# settings:
# clusterName: ${CLUSTER_FQDN}
# itemsPerPage: 50
# metricsScraper:
# enabled: true
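Review bot: The `nginx.ingress.kubernetes.io/auth-url` and `auth-signin` annotations appear commented out on the new side while `--enable-skip-login`, `--enable-insecure-login` and `protocolHttp: true` remain, so as rendered here nothing authenticates a request to `kubernetes-dashboard.${CLUSTER_FQDN}` before it reaches the dashboard. ingress-nginx documents `auth-snippet` as ignored unless `auth-url` is set, and as far as I know it is rendered into the auth subrequest location rather than the upstream one, so the `proxy_set_header Authorization` line would not reach the dashboard from there. Even where the header is delivered, a fixed bearer token injected at the ingress gives every visitor the same Kubernetes identity, so API audit logs cannot tell users apart and the oauth2-proxy gate is the only access control left. I would restore the two oauth2-proxy annotations and drop `--enable-skip-login` before this is deployed.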
@@ -0,0 +1,23 @@
# apiVersion: v1
# kind: Secret
# metadata:
# name: kubernetes-dashboard-admin-token-secret
# namespace: kubernetes-dashboard
# annotations:
# kubernetes.io/service-account.name: kubernetes-dashboard-admin
# type: kubernetes.io/service-account-token
#
#
#
---
#
#
#
# apiVersion: v1
# kind: Secret
# metadata:
# name: kubernetes-dashboard-podinfo-read-only-token-secret
# namespace: podinfo
# annotations:
# kubernetes.io/service-account.name: kubernetes-dashboard-podinfo-read-only
# type: kubernetes.io/service-account-token
Expand Up @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- kubernetes-dashboard-clusterrolebinding.yaml
- kubernetes-dashboard-token-secret.yaml

generatorOptions:
disableNameSuffixHash: true
12 changes: 6 additions & 6 deletions clusters/aws-dev-mgmt/flux/cluster-apps/kustomization.yaml
Expand Up @@ -11,11 +11,11 @@ resources:
- ../../../../flux/sources/ingress-nginx
- ../../../../flux/sources/jetstack
- ../../../../flux/sources/kyverno
- ../../../../flux/sources/kubernetes-dashboard
# - ../../../../flux/sources/kubernetes-dashboard
- ../../../../flux/sources/metrics-server
- ../../../../flux/sources/oauth2-proxy
- ../../../../flux/sources/runix
- ../../../../flux/sources/podinfo
# - ../../../../flux/sources/podinfo
- ../../../../flux/sources/prometheus-community
- ../../../../flux/sources/policy-reporter
- ../../../../flux/sources/rancher
Expand All @@ -35,15 +35,15 @@ resources:
- ../../../../flux/cluster-apps/ingress-nginx
# - ../../../../flux/cluster-apps/keycloak
- ../../../../flux/cluster-apps/kube-prometheus-stack
- ../../../../flux/cluster-apps/kubernetes-dashboard
# - ../../../../flux/cluster-apps/kubernetes-dashboard
- ../../../../flux/cluster-apps/kyverno
- ../../../../flux/cluster-apps/kyverno-policies
- ../../../../flux/cluster-apps/mailhog
- ../../../../flux/cluster-apps/metrics-server
- ../../../../flux/cluster-apps/oauth2-proxy
# - ../../../../flux/cluster-apps/oauth2-proxy-keycloak
- ../../../../flux/cluster-apps/pgadmin4
- ../../../../flux/cluster-apps/podinfo
# - ../../../../flux/cluster-apps/podinfo
- ../../../../flux/cluster-apps/policy-reporter
- ../../../../flux/cluster-apps/rancher
- ../../../../flux/cluster-apps/secrets-store-csi-driver
Expand All @@ -60,14 +60,14 @@ resources:
- ingress-nginx
# - keycloak
- kube-prometheus-stack
- kubernetes-dashboard
# - kubernetes-dashboard
- kyverno
- metrics-server
- mailhog
- oauth2-proxy
# - oauth2-proxy-keycloak
- policy-reporter
- podinfo
# - podinfo
- pgadmin4
- rancher
- secrets-store-csi-driver
Expand Up @@ -12,6 +12,8 @@ ingress:
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-Email $email;
proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";
# proxy_pass_header Authorization;
className: nginx
hosts:
- host: podinfo.${CLUSTER_FQDN}
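Review bot: The added `proxy_set_header Authorization "Bearer ${KUBERNETES_DASHBOARD_TOKEN}";` in podinfo's `configuration-snippet` hands the dashboard service-account token to the podinfo backend on every request. podinfo has nothing to do with the dashboard, and any backend that logs or reflects request headers would disclose the token to whoever can reach it. This looks like a debugging leftover: drop the line together with the commented `# proxy_pass_header Authorization;` before merge, and rotate the token if this configuration was ever reconciled into a cluster.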
Expand Up @@ -6,7 +6,7 @@ metadata:
spec:
interval: 1m0s
ref:
branch: main
branch: improve-oauth2
secretRef:
name: flux-system
url: ssh://[email protected]/ruzickap/k8s-tf-eks-gitops.git
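Review bot: `branch: improve-oauth2` points this GitRepository at a feature branch, so with `interval: 1m0s` whatever is pushed there is reconciled into the cluster without passing through review on `main`. If the change is merged as it stands, the cluster keeps tracking the feature branch afterwards; restore `branch: main` before merge. The manifest continues outside the visible lines, so any other `ref` settings were not checked.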