From 242031c6b0c89ec928ec9e7ede9ae8be687e95e4 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 10 Sep 2023 01:04:19 +0200
Subject: [PATCH] fix(longhorn): Fix oauth2-proxy scope

Currently, the fix for various DoS attacks turned out to be a DoS attack of its
own, since it removed the default scopes from the keycloak provider.
---
 clusters/k8s01/longhorn/oauth2.yaml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/clusters/k8s01/longhorn/oauth2.yaml b/clusters/k8s01/longhorn/oauth2.yaml
index 30be31c28..dc56c75f5 100644
--- a/clusters/k8s01/longhorn/oauth2.yaml
+++ b/clusters/k8s01/longhorn/oauth2.yaml
@@ -12,8 +12,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-09-10T15:57:21Z"
-    mac: ENC[AES256_GCM,data:WUhf2e5p9MA3ChIJFwfAHt8H0XFtD3z9Zk0KBsXI5baKOeQQIi4//4w/Wvw6KCDqJcLEA/mX7pl0BWr79WZCGJpZDvjdFWpT222fUdgiWv3tZXy5gKrhj16i3nGsVuJPpr+gRSMzvtuxW3OuhH4Ux/aN056PwCdqQcGRbvEmkkU=,iv:CTK0DnBvVpDoJunqxk2lRx+xfsmcKDzJN2KVIGw75wk=,tag:w+7kUL0lyGqQbZOHmJAHIA==,type:str]
+    lastmodified: "2023-09-09T23:03:59Z"
+    mac: ENC[AES256_GCM,data:eMaMKg/uAx3EyGMaXb5h67f+BYqzTn/G6Dk/cpwQxnzU/lTFNU+3sO8hs2YmoZa6J6eUR9zTUn2JFOxc4tA5u+Tymf0G1CLB+L6FGunbUu2cnwKocHe7rDBI08Ej1QhonkTvETUR45ljNhAaxP6JHyv32bRabGoj6uj7DVIhA9E=,iv:oha2BVKDPrug9B00mzoSLB+Jfq4TPomXbrnl43L10gA=,tag:9+bk+puCmmFgVusjqAoukQ==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-
@@ -57,7 +57,7 @@ sops:
             -----END PGP MESSAGE-----
           fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
     encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
-    version: 3.7.1
+    version: 3.7.3
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
@@ -90,6 +90,7 @@ spec:
             oidc-issuer-url: ENC[AES256_GCM,data:lcMt0EiZJPca/5iwNp4Ged6qchqzkuKAXOiyJNR99jfJPRwBjMp3JJJmvfhdU+dU1/VFqMgk3w==,iv:0avQixtcn6Mr87AcloKhIVAIcp08eQk9Ud80CjMRfB4=,tag:uGVgCeeqOoD7ZxhDHvfQmQ==,type:str]
             allowed-role: longhorn-k8s01:admin
             whitelist-domain: ENC[AES256_GCM,data:tER85lGPEwqvByG9pvXJ8vGJTbkreDZaRmI=,iv:bUFq8MLCBUYzr2fM4xLODnhcVTFHaXPau/LB65tmkzA=,tag:NXCEUy086V8PXfiUSzaLQA==,type:str]
+            scope: openid email profile
         replicaCount: 2
         securityContext:
             enabled: true
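Review bot: The added `scope: openid email profile` line has no comment saying why the scopes are pinned, and the commit message indicates that losing the provider's default scopes is what locked users out, so a later cleanup could repeat the outage. I would put a comment directly above it, for example `# explicit scopes: provider defaults are not applied here; login breaks without them`. Because `allowed-role: longhorn-k8s01:admin` two lines up is the authorization gate for the Longhorn UI, it is worth confirming that the role claim is still issued when only these three scopes are requested; if the realm treats roles as an optional client scope, it presumably has to be listed here too. The enclosing config mapping starts and ends outside the hunk, so other scope-related settings cannot be checked from here.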
@@ -123,8 +124,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-09-10T15:57:21Z"
-    mac: ENC[AES256_GCM,data:WUhf2e5p9MA3ChIJFwfAHt8H0XFtD3z9Zk0KBsXI5baKOeQQIi4//4w/Wvw6KCDqJcLEA/mX7pl0BWr79WZCGJpZDvjdFWpT222fUdgiWv3tZXy5gKrhj16i3nGsVuJPpr+gRSMzvtuxW3OuhH4Ux/aN056PwCdqQcGRbvEmkkU=,iv:CTK0DnBvVpDoJunqxk2lRx+xfsmcKDzJN2KVIGw75wk=,tag:w+7kUL0lyGqQbZOHmJAHIA==,type:str]
+    lastmodified: "2023-09-09T23:03:59Z"
+    mac: ENC[AES256_GCM,data:eMaMKg/uAx3EyGMaXb5h67f+BYqzTn/G6Dk/cpwQxnzU/lTFNU+3sO8hs2YmoZa6J6eUR9zTUn2JFOxc4tA5u+Tymf0G1CLB+L6FGunbUu2cnwKocHe7rDBI08Ej1QhonkTvETUR45ljNhAaxP6JHyv32bRabGoj6uj7DVIhA9E=,iv:oha2BVKDPrug9B00mzoSLB+Jfq4TPomXbrnl43L10gA=,tag:9+bk+puCmmFgVusjqAoukQ==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-
@@ -168,7 +169,7 @@ sops:
             -----END PGP MESSAGE-----
           fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
     encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
-    version: 3.7.1
+    version: 3.7.3
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -190,8 +191,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-09-10T15:57:21Z"
-    mac: ENC[AES256_GCM,data:WUhf2e5p9MA3ChIJFwfAHt8H0XFtD3z9Zk0KBsXI5baKOeQQIi4//4w/Wvw6KCDqJcLEA/mX7pl0BWr79WZCGJpZDvjdFWpT222fUdgiWv3tZXy5gKrhj16i3nGsVuJPpr+gRSMzvtuxW3OuhH4Ux/aN056PwCdqQcGRbvEmkkU=,iv:CTK0DnBvVpDoJunqxk2lRx+xfsmcKDzJN2KVIGw75wk=,tag:w+7kUL0lyGqQbZOHmJAHIA==,type:str]
+    lastmodified: "2023-09-09T23:03:59Z"
+    mac: ENC[AES256_GCM,data:eMaMKg/uAx3EyGMaXb5h67f+BYqzTn/G6Dk/cpwQxnzU/lTFNU+3sO8hs2YmoZa6J6eUR9zTUn2JFOxc4tA5u+Tymf0G1CLB+L6FGunbUu2cnwKocHe7rDBI08Ej1QhonkTvETUR45ljNhAaxP6JHyv32bRabGoj6uj7DVIhA9E=,iv:oha2BVKDPrug9B00mzoSLB+Jfq4TPomXbrnl43L10gA=,tag:9+bk+puCmmFgVusjqAoukQ==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-
@@ -235,4 +236,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
     encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
-    version: 3.7.1
+    version: 3.7.3
-- 
GitLab