From 774bfa3eb69875db148bec7f6bc5be8c4af8d29f Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 28 Sep 2023 00:34:27 +0200
Subject: [PATCH] fix(monitoring): Use centralised oauth2-stack

---
clusters/k8s01/monitoring/kustomization.yaml | 1 +
clusters/k8s01/monitoring/oauth2.yaml | 199 +------------------
2 files changed, 8 insertions(+), 192 deletions(-)

diff --git a/clusters/k8s01/monitoring/kustomization.yaml b/clusters/k8s01/monitoring/kustomization.yaml
index 9511484f2..011aa5ca8 100644
--- a/clusters/k8s01/monitoring/kustomization.yaml
+++ b/clusters/k8s01/monitoring/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - certificate.yaml
+- ../../../shared/applications/oauth2-proxy.yaml
 - oauth2.yaml
 - ingress.yaml
 - release-override.yaml
diff --git a/clusters/k8s01/monitoring/oauth2.yaml b/clusters/k8s01/monitoring/oauth2.yaml
index 65eafd443..63ca43ff2 100644
--- a/clusters/k8s01/monitoring/oauth2.yaml
+++ b/clusters/k8s01/monitoring/oauth2.yaml
@@ -1,202 +1,17 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: HelmRepository +apiVersion: v1 +kind: Secret metadata: - name: oauth2-proxy - namespace: monitoring-system -spec: - interval: 30m - url: https://oauth2-proxy.github.io/manifests + name: oauth2-proxy-override-values +stringData: + values-overrides.yaml: ENC[AES256_GCM,data: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,iv:+freJbUFE1kP2IpAII5SpHKOzN+qJt+QZsXdw/OSKqM=,tag:Jn9XinhMsBStnPa1qh8fPw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-09-09T23:36:38Z" - mac: ENC[AES256_GCM,data:X6uANEzYCm2qJs2SiELpae4rIgUjBk+NQK9O2AW0CfVK/RqhuzO05DpSzgfisCtWPAtNOP0q/BrCXbPFDc6LlR68oBNIkDGn8vvg2ItZ4ZnsX3yfq+k4qacb4uAcairm7vXDbCQ2POzLc5xeKPnCQLVzBwN6VPfJWgRQxE/qeKI=,iv:nUaFNW4IfQDVFN93UcstChQV0poNN+y4qAIkq+UuBbo=,tag:tFA2ftUjF/wdtz8P9f9ZKw==,type:str] - pgp: - - created_at: "2022-01-22T04:06:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF - 27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W - BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P - 7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw - KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9 - OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9 - LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp - DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo - b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y - HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj - XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS - 5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo - M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA== - =c/3x - -----END PGP MESSAGE----- - fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 - - created_at: "2022-01-22T04:06:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ - yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI - 2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN - 46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N - 4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK - GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW - fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU - WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd - vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl - tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c - w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU - aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9 - NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9 - PNNoVr/LwxMQ - =e2fo - -----END PGP MESSAGE----- - fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 - encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ - version: 3.7.3 ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: oauth2-proxy - namespace: monitoring-system -spec: - releaseName: oauth2-proxy - chart: - spec: - chart: oauth2-proxy - sourceRef: - kind: HelmRepository - name: oauth2-proxy - namespace: monitoring-system - version: 6.17.1 - interval: 5m - install: - remediation: - retries: 5 - values: - config: - clientID: monitoring-k8s01 - clientSecret: ENC[AES256_GCM,data:O9p9U9nOib+ozArhJilHlczHbl5j0Jh9kfXADP9bwrE=,iv:NcR7lQjDvzyYc7Eqmrco98tl32yCLsh6wXrU80DXGtk=,tag:iSMD+x+ffRUyCQtllTjFsg==,type:str] - cookieSecret: ENC[AES256_GCM,data:s9i5XebZ373eCpa075bZ/xb9Egq0v7A2BSKAgTF6YHs/bG2f3tT6IGGmJa4=,iv:1STc1smpQoHEjLBYQGaFueDn/o+FXCQ8pnTsxbEAZMc=,tag:PvDOn3IGWhEQfaQadVWsxg==,type:str] - extraArgs: - provider: keycloak-oidc - provider-display-name: SI-Auth - oidc-issuer-url: 
ENC[AES256_GCM,data:CUky0W47wOOJmY7EpNrb486hs5l5DjxkaOrzT1OOOWIYcW9bdw9Xgg7FcABOxwcMO4Vn/okDZQ==,iv:lpiXwA9KSjT9nSFeXaBiijJWkAm5FKfCtmU3XvnMPDU=,tag:cN17VOD6bUz1MQHbOQ5Hwg==,type:str] - allowed-role: monitoring-k8s01:admin - whitelist-domain: ENC[AES256_GCM,data:lPjezumXqntAyndo5dw8UlcN53AYvlTjH107otM=,iv:zq1ufpUpHAbSBhyZ9QOuU/1rROgtzpeBNFskOFQU6f0=,tag:qUNLlVDmPVUoEeotjumqFg==,type:str] - session-cookie-minimal: "true" - scope: openid email profile - replicaCount: 2 - securityContext: - enabled: true - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: oauth2-proxy - topologyKey: kubernetes.io/hostname - ingress: - enabled: true - path: /oauth2 - pathType: Prefix - hosts: - - ENC[AES256_GCM,data:k0YMsGdOxibO/WnTd6lWD3cp3AvMatywGUz12yv0mUC+Ot6nFRw=,iv:a1i4PSOangx0FIOfP8X2oyGwCZKnAxkADf9kYe+mJdg=,tag:vSRHDSse9BWwok+FbS/0iw==,type:str] - - ENC[AES256_GCM,data:qHrXuqaun8cbJzAej4NbJwgixjAg0xDQdGrnrjTO/8LzAZjT,iv:liTzoWWZwq+U8eceEQMBmZKRWFeld4yUXaQBZxUEMdw=,tag:cEkVL/jJV8iEREWYV797jw==,type:str] - - ENC[AES256_GCM,data:m4yzapFZV/R/zm+Bk8dHoyngfNommbHbO1EfGwUqyDX6PLo=,iv:efmgJDWYqEsNZVVOLE82SGsgFCjLQFs5HC1XFrwETG8=,tag:4x22lYMV7UySXy6BxYvRIA==,type:str] - tls: - - hosts: - - ENC[AES256_GCM,data:CVPUFMkDOeaqsVw7yXac4tmOg+Qbemp7y/uy/qJbGuz3t5yWPes=,iv:AlDn5BfvIq70kmDDbCZ8a6ayyQYSiwCPTYgFYp9D2ks=,tag:P4IRT/k+iEUQhNKDEGfF8Q==,type:str] - - ENC[AES256_GCM,data:bIxM8aPJRxF7p9OSK8o2+mFhaouGr7nDmHreW18Pm4YR82lK,iv:dDn9SKdV4JXQIKzLQtpTHcW9KTf+QVZ8oDVCA2zoByk=,tag:2ZlN0qkO+nANiwcjNA/LMw==,type:str] - - ENC[AES256_GCM,data:vfbaD0ospbqDI1/85RbgcPn7ly+qhx8GkhZIIQtbnDu2Ozo=,iv:2cTkAt9H8GnaNwFO+Nr9l5mmY+y+kwpC1fH8F9kc64M=,tag:10nIyvU7AbNnR6wFGIEMmQ==,type:str] - secretName: ingress-monitoring-tls - resources: - limits: - cpu: 200m - memory: 100Mi - requests: - cpu: 100m - memory: 25Mi -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-09T23:36:38Z" - mac: 
ENC[AES256_GCM,data:X6uANEzYCm2qJs2SiELpae4rIgUjBk+NQK9O2AW0CfVK/RqhuzO05DpSzgfisCtWPAtNOP0q/BrCXbPFDc6LlR68oBNIkDGn8vvg2ItZ4ZnsX3yfq+k4qacb4uAcairm7vXDbCQ2POzLc5xeKPnCQLVzBwN6VPfJWgRQxE/qeKI=,iv:nUaFNW4IfQDVFN93UcstChQV0poNN+y4qAIkq+UuBbo=,tag:tFA2ftUjF/wdtz8P9f9ZKw==,type:str] - pgp: - - created_at: "2022-01-22T04:06:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF - 27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W - BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P - 7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw - KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9 - OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9 - LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp - DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo - b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y - HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj - XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS - 5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo - M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA== - =c/3x - -----END PGP MESSAGE----- - fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 - - created_at: "2022-01-22T04:06:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ - yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI - 2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN - 46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N - 4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK - GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW - fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU - WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd - vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl - 
tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c - w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU - aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9 - NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9 - PNNoVr/LwxMQ - =e2fo - -----END PGP MESSAGE----- - fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 - encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ - version: 3.7.3 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ingress-to-oauth2 - namespace: monitoring-system -spec: - podSelector: - matchLabels: - app: oauth2-proxy - ingress: - - from: - - namespaceSelector: - matchLabels: - ingress.shivering-isles.com/network-access-required: "true" -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-09T23:36:38Z" - mac: ENC[AES256_GCM,data:X6uANEzYCm2qJs2SiELpae4rIgUjBk+NQK9O2AW0CfVK/RqhuzO05DpSzgfisCtWPAtNOP0q/BrCXbPFDc6LlR68oBNIkDGn8vvg2ItZ4ZnsX3yfq+k4qacb4uAcairm7vXDbCQ2POzLc5xeKPnCQLVzBwN6VPfJWgRQxE/qeKI=,iv:nUaFNW4IfQDVFN93UcstChQV0poNN+y4qAIkq+UuBbo=,tag:tFA2ftUjF/wdtz8P9f9ZKw==,type:str] + lastmodified: "2023-09-27T22:33:52Z" + mac: ENC[AES256_GCM,data:+G5Kl6LQKqADdxuZdZiSMP2lqHatZaB9Im+PoRSMsPoX/3iSm1kWmNAFBaUA6gLyZIWb56BYuRVVDXvBcgDc2P1QOBQ0eYFvi8AZPyRFysli8qITRVoxxmbGTKL5FxB/R35NI3AcZbo1EHGXLnNhkRc0zIQ06xWl+xmaWgzlf0g=,iv:w3oDnxxzFGhfmdifJZmvubv/Nho+58aryDMVX/bDnRQ=,tag:MVWnEYR6XlIaeiNcLIudPw==,type:str] pgp: - created_at: "2022-01-22T04:06:16Z" enc: |- -- GitLab
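Review bot: The `allowed-role: monitoring-k8s01:admin` restriction, the `scope` and the `whitelist-domain` that were reviewable as plaintext `extraArgs` in the removed HelmRelease now sit inside the single encrypted `values-overrides.yaml` value of the new `oauth2-proxy-override-values` Secret, so the authorization settings of this instance can no longer be checked in a diff. Consider keeping the non-secret values (provider, allowed-role, scope, replicaCount, affinity, resources) in a plaintext values ConfigMap or a second `valuesFrom` entry and limiting the SOPS-encrypted Secret to `clientSecret`, `cookieSecret` and the host names, which is what the old `encrypted_regex` already singled out. The removed `allow-ingress-to-oauth2` NetworkPolicy, which admitted traffic to pods labelled `app: oauth2-proxy` only from namespaces carrying `ingress.shivering-isles.com/network-access-required: "true"`, has no visible replacement in this patch; verify that `../../../shared/applications/oauth2-proxy.yaml`, added in the kustomization hunk, ships an equivalent policy, since without one the proxy pods accept connections from any namespace. The new Secret also omits `metadata.namespace` where the old resources carried `namespace: monitoring-system`; that is only safe if the kustomization sets a `namespace:` field, which the first hunk does not show.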