fix(uptime-kuma): Add SSO for uptime-kuma

5b53b23a · Sheogorath · b12dc664 · 5b53b23a · 5b53b23a
Verified Commit 5b53b23a authored 2 years ago by Sheogorath
--- a/apps/k8s01/uptime-kuma/kustomization.yaml
+++ b/apps/k8s01/uptime-kuma/kustomization.yaml
@@ -6,4 +6,5 @@ resources:
  - certificate.yaml
  - uptime-kuma-values.yaml
  - slo.yaml
+  - oauth2.yaml
  - ../../../shared/resourcequotas/default.yaml
--- a/apps/k8s01/uptime-kuma/oauth2.yaml
+++ b/apps/k8s01/uptime-kuma/oauth2.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+    name: oauth2-proxy
+    namespace: uptime-kuma
+spec:
+    interval: 30m
+    url: https://oauth2-proxy.github.io/manifests
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-21T02:52:17Z"
+    mac: ENC[AES256_GCM,data:Qqx1RvLQEj3NRsFSVQm4CI+5eSoPWUDDuInhiHq6nXD0qsNcfYVKHTB8JgaIJ4OgEKtpd3iObYAS4z+mY34rFVhr9BlPZ/vRGbTnwYE4CCb8SJqTFetglM3rhNFn4u+AW2qLXN2cTl8Zqs1WU8by+IzdN9/qoCwgIJgdrruxtLU=,iv:Nw4V6zLa5g8xRMbufmhB2d5U+ZPUH7n5cDBAyUZDZOw=,tag:BOzhOzTK4VnQ4GKG1yWQBA==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF
+            27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W
+            BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P
+            7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw
+            KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9
+            OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9
+            LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp
+            DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo
+            b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y
+            HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj
+            XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS
+            5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo
+            M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA==
+            =c/3x
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ
+            yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI
+            2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN
+            46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N
+            4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK
+            GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW
+            fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU
+            WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd
+            vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl
+            tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c
+            w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU
+            aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9
+            NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9
+            PNNoVr/LwxMQ
+            =e2fo
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+    name: oauth2-proxy
+    namespace: uptime-kuma
+spec:
+    serviceAccountName: flux-reconciler
+    releaseName: oauth2-proxy
+    chart:
+        spec:
+            chart: oauth2-proxy
+            sourceRef:
+                kind: HelmRepository
+                name: oauth2-proxy
+                namespace: uptime-kuma
+            version: 6.9.0
+    interval: 5m
+    install:
+        remediation:
+            retries: 5
+    values:
+        config:
+            clientID: uptime-kuma
+            clientSecret: ENC[AES256_GCM,data:dJQuJkMhtRJoBhrSOyhPYFKdC6lKyiBrYjQBu23+MrI=,iv:BsVDdiFHPgk82Akj6B3b4Yp/4Uj0IRFesySBtFQKD/U=,tag:9xWTZod6xUcSUq6d7pEI0Q==,type:str]
+            cookieSecret: ENC[AES256_GCM,data:s9i5XebZ373eCpa075bZ/xb9Egq0v7A2BSKAgTF6YHs/bG2f3tT6IGGmJa4=,iv:1STc1smpQoHEjLBYQGaFueDn/o+FXCQ8pnTsxbEAZMc=,tag:PvDOn3IGWhEQfaQadVWsxg==,type:str]
+        extraArgs:
+            provider: keycloak-oidc
+            provider-display-name: SI-Auth
+            oidc-issuer-url: ENC[AES256_GCM,data:CUky0W47wOOJmY7EpNrb486hs5l5DjxkaOrzT1OOOWIYcW9bdw9Xgg7FcABOxwcMO4Vn/okDZQ==,iv:lpiXwA9KSjT9nSFeXaBiijJWkAm5FKfCtmU3XvnMPDU=,tag:cN17VOD6bUz1MQHbOQ5Hwg==,type:str]
+            allowed-role: uptime-kuma:admin
+            silence-ping-logging: true
+            skip-auth-route: GET=^/$ OR GET=^/status OR GET=^/assets/ OR GET=^/assets OR GET=^/icon.svg OR GET=^/api/.* OR GET=^/upload/.* OR OR GET=^/metrics"
+        replicaCount: 2
+        securityContext:
+            enabled: true
+        affinity:
+            podAntiAffinity:
+                requiredDuringSchedulingIgnoredDuringExecution:
+                    - labelSelector:
+                        matchLabels:
+                            app: oauth2-proxy
+                      topologyKey: kubernetes.io/hostname
+        ingress:
+            enabled: true
+            path: /oauth2
+            pathType: Prefix
+            hosts:
+                - ENC[AES256_GCM,data:VxqY7uNNS0UOWgZgdQ8=,iv:WiGaTkrnESES0fKeg3KnSN8WqrqrWPsnEvuzIdwDdAg=,tag:eF5NXSAxTAQoDKzad5qxAw==,type:str]
+                - ENC[AES256_GCM,data:P/0bnr9jZ6np1LvwAsPP33P3K9O1KlA=,iv:0RKFWWivN2+l3f5ooTLKPRjQYLxKcFJOGQ/yFu45gDM=,tag:TawmgLdMogBX1SCKHKodIw==,type:str]
+            tls:
+                - hosts:
+                    - ENC[AES256_GCM,data:R/QKuvJQgZOPVT2rQqM=,iv:+W9fceFmO7zABoRSyhFT7Q7ioBQ0aWg0e29lu+DroVQ=,tag:gXlTVsg42fIfxkmmDAtmlg==,type:str]
+                  secretName: ingress-221b-tls
+                - hosts:
+                    - ENC[AES256_GCM,data:D/vFlWr6utcREaeet8KaHr1dFLnoYxE=,iv:SYaxWKnilX/qjKA914xV38i2zcVcBO2hffjX34FSK4c=,tag:Z7yZeOAp08kgxehS5X9sTg==,type:str]
+                  secretName: ingress-darmstadt-tls
+        resources:
+            limits:
+                cpu: 200m
+                memory: 100Mi
+            requests:
+                cpu: 100m
+                memory: 25Mi
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-21T02:52:17Z"
+    mac: ENC[AES256_GCM,data:Qqx1RvLQEj3NRsFSVQm4CI+5eSoPWUDDuInhiHq6nXD0qsNcfYVKHTB8JgaIJ4OgEKtpd3iObYAS4z+mY34rFVhr9BlPZ/vRGbTnwYE4CCb8SJqTFetglM3rhNFn4u+AW2qLXN2cTl8Zqs1WU8by+IzdN9/qoCwgIJgdrruxtLU=,iv:Nw4V6zLa5g8xRMbufmhB2d5U+ZPUH7n5cDBAyUZDZOw=,tag:BOzhOzTK4VnQ4GKG1yWQBA==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF
+            27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W
+            BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P
+            7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw
+            KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9
+            OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9
+            LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp
+            DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo
+            b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y
+            HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj
+            XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS
+            5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo
+            M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA==
+            =c/3x
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ
+            yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI
+            2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN
+            46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N
+            4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK
+            GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW
+            fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU
+            WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd
+            vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl
+            tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c
+            w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU
+            aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9
+            NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9
+            PNNoVr/LwxMQ
+            =e2fo
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-ingress-to-oauth2
+    namespace: uptime-kuma
+spec:
+    podSelector:
+        matchLabels:
+            app: oauth2-proxy
+    ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                    ingress.shivering-isles.com/network-access-required: "true"
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-02-21T02:52:17Z"
+    mac: ENC[AES256_GCM,data:Qqx1RvLQEj3NRsFSVQm4CI+5eSoPWUDDuInhiHq6nXD0qsNcfYVKHTB8JgaIJ4OgEKtpd3iObYAS4z+mY34rFVhr9BlPZ/vRGbTnwYE4CCb8SJqTFetglM3rhNFn4u+AW2qLXN2cTl8Zqs1WU8by+IzdN9/qoCwgIJgdrruxtLU=,iv:Nw4V6zLa5g8xRMbufmhB2d5U+ZPUH7n5cDBAyUZDZOw=,tag:BOzhOzTK4VnQ4GKG1yWQBA==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF
+            27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W
+            BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P
+            7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw
+            KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9
+            OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9
+            LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp
+            DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo
+            b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y
+            HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj
+            XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS
+            5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo
+            M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA==
+            =c/3x
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ
+            yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI
+            2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN
+            46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N
+            4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK
+            GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW
+            fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU
+            WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd
+            vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl
+            tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c
+            w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU
+            aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9
+            NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9
+            PNNoVr/LwxMQ
+            =e2fo
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3