Verified Commit 242031c6 authored by Sheogorath's avatar Sheogorath :european_castle:

fix(longhorn): Fix oauth2-proxy scope

Currently, the fix for various DoS attacks turned out to be a DoS attack
of its own, since it removed the default scopes from the keycloak provider.
parent 2020685b
...@@ -12,8 +12,8 @@ sops: ...@@ -12,8 +12,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-09-10T15:57:21Z" lastmodified: "2023-09-09T23:03:59Z"
mac: ENC[AES256_GCM,data:WUhf2e5p9MA3ChIJFwfAHt8H0XFtD3z9Zk0KBsXI5baKOeQQIi4//4w/Wvw6KCDqJcLEA/mX7pl0BWr79WZCGJpZDvjdFWpT222fUdgiWv3tZXy5gKrhj16i3nGsVuJPpr+gRSMzvtuxW3OuhH4Ux/aN056PwCdqQcGRbvEmkkU=,iv:CTK0DnBvVpDoJunqxk2lRx+xfsmcKDzJN2KVIGw75wk=,tag:w+7kUL0lyGqQbZOHmJAHIA==,type:str] mac: ENC[AES256_GCM,data:eMaMKg/uAx3EyGMaXb5h67f+BYqzTn/G6Dk/cpwQxnzU/lTFNU+3sO8hs2YmoZa6J6eUR9zTUn2JFOxc4tA5u+Tymf0G1CLB+L6FGunbUu2cnwKocHe7rDBI08Ej1QhonkTvETUR45ljNhAaxP6JHyv32bRabGoj6uj7DVIhA9E=,iv:oha2BVKDPrug9B00mzoSLB+Jfq4TPomXbrnl43L10gA=,tag:9+bk+puCmmFgVusjqAoukQ==,type:str]
pgp: pgp:
- created_at: "2022-01-22T04:06:16Z" - created_at: "2022-01-22T04:06:16Z"
enc: |- enc: |-
...@@ -57,7 +57,7 @@ sops: ...@@ -57,7 +57,7 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version: 3.7.1 version: 3.7.3
--- ---
apiVersion: helm.toolkit.fluxcd.io/v2beta1 apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease kind: HelmRelease
...@@ -90,6 +90,7 @@ spec: ...@@ -90,6 +90,7 @@ spec:
oidc-issuer-url: ENC[AES256_GCM,data:lcMt0EiZJPca/5iwNp4Ged6qchqzkuKAXOiyJNR99jfJPRwBjMp3JJJmvfhdU+dU1/VFqMgk3w==,iv:0avQixtcn6Mr87AcloKhIVAIcp08eQk9Ud80CjMRfB4=,tag:uGVgCeeqOoD7ZxhDHvfQmQ==,type:str] oidc-issuer-url: ENC[AES256_GCM,data:lcMt0EiZJPca/5iwNp4Ged6qchqzkuKAXOiyJNR99jfJPRwBjMp3JJJmvfhdU+dU1/VFqMgk3w==,iv:0avQixtcn6Mr87AcloKhIVAIcp08eQk9Ud80CjMRfB4=,tag:uGVgCeeqOoD7ZxhDHvfQmQ==,type:str]
allowed-role: longhorn-k8s01:admin allowed-role: longhorn-k8s01:admin
whitelist-domain: ENC[AES256_GCM,data:tER85lGPEwqvByG9pvXJ8vGJTbkreDZaRmI=,iv:bUFq8MLCBUYzr2fM4xLODnhcVTFHaXPau/LB65tmkzA=,tag:NXCEUy086V8PXfiUSzaLQA==,type:str] whitelist-domain: ENC[AES256_GCM,data:tER85lGPEwqvByG9pvXJ8vGJTbkreDZaRmI=,iv:bUFq8MLCBUYzr2fM4xLODnhcVTFHaXPau/LB65tmkzA=,tag:NXCEUy086V8PXfiUSzaLQA==,type:str]
scope: openid email profile
replicaCount: 2 replicaCount: 2
securityContext: securityContext:
enabled: true enabled: true
...@@ -123,8 +124,8 @@ sops: ...@@ -123,8 +124,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-09-10T15:57:21Z" lastmodified: "2023-09-09T23:03:59Z"
mac: ENC[AES256_GCM,data:WUhf2e5p9MA3ChIJFwfAHt8H0XFtD3z9Zk0KBsXI5baKOeQQIi4//4w/Wvw6KCDqJcLEA/mX7pl0BWr79WZCGJpZDvjdFWpT222fUdgiWv3tZXy5gKrhj16i3nGsVuJPpr+gRSMzvtuxW3OuhH4Ux/aN056PwCdqQcGRbvEmkkU=,iv:CTK0DnBvVpDoJunqxk2lRx+xfsmcKDzJN2KVIGw75wk=,tag:w+7kUL0lyGqQbZOHmJAHIA==,type:str] mac: ENC[AES256_GCM,data:eMaMKg/uAx3EyGMaXb5h67f+BYqzTn/G6Dk/cpwQxnzU/lTFNU+3sO8hs2YmoZa6J6eUR9zTUn2JFOxc4tA5u+Tymf0G1CLB+L6FGunbUu2cnwKocHe7rDBI08Ej1QhonkTvETUR45ljNhAaxP6JHyv32bRabGoj6uj7DVIhA9E=,iv:oha2BVKDPrug9B00mzoSLB+Jfq4TPomXbrnl43L10gA=,tag:9+bk+puCmmFgVusjqAoukQ==,type:str]
pgp: pgp:
- created_at: "2022-01-22T04:06:16Z" - created_at: "2022-01-22T04:06:16Z"
enc: |- enc: |-
...@@ -168,7 +169,7 @@ sops: ...@@ -168,7 +169,7 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version: 3.7.1 version: 3.7.3
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
...@@ -190,8 +191,8 @@ sops: ...@@ -190,8 +191,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-09-10T15:57:21Z" lastmodified: "2023-09-09T23:03:59Z"
mac: ENC[AES256_GCM,data:WUhf2e5p9MA3ChIJFwfAHt8H0XFtD3z9Zk0KBsXI5baKOeQQIi4//4w/Wvw6KCDqJcLEA/mX7pl0BWr79WZCGJpZDvjdFWpT222fUdgiWv3tZXy5gKrhj16i3nGsVuJPpr+gRSMzvtuxW3OuhH4Ux/aN056PwCdqQcGRbvEmkkU=,iv:CTK0DnBvVpDoJunqxk2lRx+xfsmcKDzJN2KVIGw75wk=,tag:w+7kUL0lyGqQbZOHmJAHIA==,type:str] mac: ENC[AES256_GCM,data:eMaMKg/uAx3EyGMaXb5h67f+BYqzTn/G6Dk/cpwQxnzU/lTFNU+3sO8hs2YmoZa6J6eUR9zTUn2JFOxc4tA5u+Tymf0G1CLB+L6FGunbUu2cnwKocHe7rDBI08Ej1QhonkTvETUR45ljNhAaxP6JHyv32bRabGoj6uj7DVIhA9E=,iv:oha2BVKDPrug9B00mzoSLB+Jfq4TPomXbrnl43L10gA=,tag:9+bk+puCmmFgVusjqAoukQ==,type:str]
pgp: pgp:
- created_at: "2022-01-22T04:06:16Z" - created_at: "2022-01-22T04:06:16Z"
enc: |- enc: |-
...@@ -235,4 +236,4 @@ sops: ...@@ -235,4 +236,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version: 3.7.1 version: 3.7.3
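Review bot: The new `scope: openid email profile` line in the HelmRelease hunk (-90,6 +90,7) has no comment saying why it is pinned, and the commit message shows that losing these scopes locks every user out. A comment above it such as `# explicit on purpose: without it the keycloak provider's default scopes are dropped and login fails` would keep a later cleanup from removing it. It is also worth confirming that the claim checked by `allowed-role: longhorn-k8s01:admin` is still issued when only these three scopes are requested; that presumably depends on the Keycloak client's scope configuration, which is not visible here. The mapping that holds these keys starts outside the hunk.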