fix(monitoring): Use centralised oauth2-stack

clusters/k8s01/monitoring/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - certificate.yaml
+- ../../../shared/applications/oauth2-proxy.yaml
 - oauth2.yaml
 - ingress.yaml
 - release-override.yaml

clusters/k8s01/monitoring/oauth2.yaml

-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
+apiVersion: v1
+kind: Secret
 metadata:
-    name: oauth2-proxy
-    namespace: monitoring-system
-spec:
-    interval: 30m
-    url: https://oauth2-proxy.github.io/manifests
+    name: oauth2-proxy-override-values
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:J7I3G3S2Od/wgpxwojW1cqAx4/6yFpQrA9JlK40d5qZo9jTye9fni4UFBpQKvSQ354fftVXHQx4yeZrQ/nR9pU1R0nfiqH2V7iXlNW76GkQ9Gyc1g59vkxzkcOvx/zBBOnMG3xjVysBIuVJUja6DSsvN/6LWOKqH1CKoWjvR5FZrPzzwEp1qb9wAM2SLI0+ZppbxEMI1YOkG39ZBCdBUNvC1EiUuNCUO/iwLb5oujzFRJ6ggnfY+qHMIOgd+bNfD7qnpuHc6vdgAJFo03i6OWMleFArgK+INzLABGIB9DUekNXhziCLnf1UrBJyNPboWYDRH2AiqNFn8/AKw6rnr1eaeghfAE+FWeTZ9vJmiyKbSl4n+crYRStGgtUWX1VIrARHKO3KIwX5cjDZJRCypw2RJqGTblR2e6qHDVBPRPS+SZerT9b5WPTe/qA+Y+K1/dyd37ks1BiMcHMjb7nidQi3vRX7wrOpNGDmeml07NsbZ3cCVVBsz5HNqxc2aCIQreX3ZH19UiL1PgaiIjYWyVT5fueKNGMmeqPzMkXo5/atonkHwbHnF6MfSjVa3TnkAs6qQKOMQManKxEh57IqmMWXb4fN7grV2Nuayh32qBNFUDfIGENScl++XZSItUPCSeFS6Qg0FKh6/bycdv/TaV/nVYHkFP5kaHe0XgS2X2Bvk4xscaPqM0YzaHV0pEQrDlzhgffC3j4xPSkWGrMdvmPj5ZrSyyUDndoM+f41dSzYf61/M1VkrDX5k8jjSXlMwk5QD6mYdU6ESRs2hFrWazyLki776PGULbgLuyUuqxflWk5NslT/agamZVODwsk1jce7XJo9o+DxY2UYae4++NiIwHLJU0wMUhNYSBKwiliArr6kWGNioESNn8I+FGxndMHcrB28T81wJZHFri91tebhv+YQo/k9kwqS1aOwW6yyebPkQuFW6ohdGxvxFPvUKjjlRIniJrAgYd3qOCvbDng==,iv:+freJbUFE1kP2IpAII5SpHKOzN+qJt+QZsXdw/OSKqM=,tag:Jn9XinhMsBStnPa1qh8fPw==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-09T23:36:38Z"
-    mac: ENC[AES256_GCM,data:X6uANEzYCm2qJs2SiELpae4rIgUjBk+NQK9O2AW0CfVK/RqhuzO05DpSzgfisCtWPAtNOP0q/BrCXbPFDc6LlR68oBNIkDGn8vvg2ItZ4ZnsX3yfq+k4qacb4uAcairm7vXDbCQ2POzLc5xeKPnCQLVzBwN6VPfJWgRQxE/qeKI=,iv:nUaFNW4IfQDVFN93UcstChQV0poNN+y4qAIkq+UuBbo=,tag:tFA2ftUjF/wdtz8P9f9ZKw==,type:str]
-    pgp:
-        - created_at: "2022-01-22T04:06:16Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF
-            27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W
-            BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P
-            7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw
-            KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9
-            OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9
-            LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp
-            DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo
-            b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y
-            HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj
-            XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS
-            5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo
-            M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA==
-            =c/3x
-            -----END PGP MESSAGE-----
-          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
-        - created_at: "2022-01-22T04:06:16Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ
-            yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI
-            2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN
-            46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N
-            4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK
-            GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW
-            fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU
-            WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd
-            vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl
-            tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c
-            w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU
-            aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9
-            NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9
-            PNNoVr/LwxMQ
-            =e2fo
-            -----END PGP MESSAGE-----
-          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
-    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
-    version: 3.7.3
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-    name: oauth2-proxy
-    namespace: monitoring-system
-spec:
-    releaseName: oauth2-proxy
-    chart:
-        spec:
-            chart: oauth2-proxy
-            sourceRef:
-                kind: HelmRepository
-                name: oauth2-proxy
-                namespace: monitoring-system
-            version: 6.17.1
-    interval: 5m
-    install:
-        remediation:
-            retries: 5
-    values:
-        config:
-            clientID: monitoring-k8s01
-            clientSecret: ENC[AES256_GCM,data:O9p9U9nOib+ozArhJilHlczHbl5j0Jh9kfXADP9bwrE=,iv:NcR7lQjDvzyYc7Eqmrco98tl32yCLsh6wXrU80DXGtk=,tag:iSMD+x+ffRUyCQtllTjFsg==,type:str]
-            cookieSecret: ENC[AES256_GCM,data:s9i5XebZ373eCpa075bZ/xb9Egq0v7A2BSKAgTF6YHs/bG2f3tT6IGGmJa4=,iv:1STc1smpQoHEjLBYQGaFueDn/o+FXCQ8pnTsxbEAZMc=,tag:PvDOn3IGWhEQfaQadVWsxg==,type:str]
-        extraArgs:
-            provider: keycloak-oidc
-            provider-display-name: SI-Auth
-            oidc-issuer-url: ENC[AES256_GCM,data:CUky0W47wOOJmY7EpNrb486hs5l5DjxkaOrzT1OOOWIYcW9bdw9Xgg7FcABOxwcMO4Vn/okDZQ==,iv:lpiXwA9KSjT9nSFeXaBiijJWkAm5FKfCtmU3XvnMPDU=,tag:cN17VOD6bUz1MQHbOQ5Hwg==,type:str]
-            allowed-role: monitoring-k8s01:admin
-            whitelist-domain: ENC[AES256_GCM,data:lPjezumXqntAyndo5dw8UlcN53AYvlTjH107otM=,iv:zq1ufpUpHAbSBhyZ9QOuU/1rROgtzpeBNFskOFQU6f0=,tag:qUNLlVDmPVUoEeotjumqFg==,type:str]
-            session-cookie-minimal: "true"
-            scope: openid email profile
-        replicaCount: 2
-        securityContext:
-            enabled: true
-        affinity:
-            podAntiAffinity:
-                requiredDuringSchedulingIgnoredDuringExecution:
-                    - labelSelector:
-                        matchLabels:
-                            app: oauth2-proxy
-                      topologyKey: kubernetes.io/hostname
-        ingress:
-            enabled: true
-            path: /oauth2
-            pathType: Prefix
-            hosts:
-                - ENC[AES256_GCM,data:k0YMsGdOxibO/WnTd6lWD3cp3AvMatywGUz12yv0mUC+Ot6nFRw=,iv:a1i4PSOangx0FIOfP8X2oyGwCZKnAxkADf9kYe+mJdg=,tag:vSRHDSse9BWwok+FbS/0iw==,type:str]
-                - ENC[AES256_GCM,data:qHrXuqaun8cbJzAej4NbJwgixjAg0xDQdGrnrjTO/8LzAZjT,iv:liTzoWWZwq+U8eceEQMBmZKRWFeld4yUXaQBZxUEMdw=,tag:cEkVL/jJV8iEREWYV797jw==,type:str]
-                - ENC[AES256_GCM,data:m4yzapFZV/R/zm+Bk8dHoyngfNommbHbO1EfGwUqyDX6PLo=,iv:efmgJDWYqEsNZVVOLE82SGsgFCjLQFs5HC1XFrwETG8=,tag:4x22lYMV7UySXy6BxYvRIA==,type:str]
-            tls:
-                - hosts:
-                    - ENC[AES256_GCM,data:CVPUFMkDOeaqsVw7yXac4tmOg+Qbemp7y/uy/qJbGuz3t5yWPes=,iv:AlDn5BfvIq70kmDDbCZ8a6ayyQYSiwCPTYgFYp9D2ks=,tag:P4IRT/k+iEUQhNKDEGfF8Q==,type:str]
-                    - ENC[AES256_GCM,data:bIxM8aPJRxF7p9OSK8o2+mFhaouGr7nDmHreW18Pm4YR82lK,iv:dDn9SKdV4JXQIKzLQtpTHcW9KTf+QVZ8oDVCA2zoByk=,tag:2ZlN0qkO+nANiwcjNA/LMw==,type:str]
-                    - ENC[AES256_GCM,data:vfbaD0ospbqDI1/85RbgcPn7ly+qhx8GkhZIIQtbnDu2Ozo=,iv:2cTkAt9H8GnaNwFO+Nr9l5mmY+y+kwpC1fH8F9kc64M=,tag:10nIyvU7AbNnR6wFGIEMmQ==,type:str]
-                  secretName: ingress-monitoring-tls
-        resources:
-            limits:
-                cpu: 200m
-                memory: 100Mi
-            requests:
-                cpu: 100m
-                memory: 25Mi
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-09-09T23:36:38Z"
-    mac: ENC[AES256_GCM,data:X6uANEzYCm2qJs2SiELpae4rIgUjBk+NQK9O2AW0CfVK/RqhuzO05DpSzgfisCtWPAtNOP0q/BrCXbPFDc6LlR68oBNIkDGn8vvg2ItZ4ZnsX3yfq+k4qacb4uAcairm7vXDbCQ2POzLc5xeKPnCQLVzBwN6VPfJWgRQxE/qeKI=,iv:nUaFNW4IfQDVFN93UcstChQV0poNN+y4qAIkq+UuBbo=,tag:tFA2ftUjF/wdtz8P9f9ZKw==,type:str]
-    pgp:
-        - created_at: "2022-01-22T04:06:16Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF
-            27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W
-            BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P
-            7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw
-            KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9
-            OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9
-            LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp
-            DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo
-            b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y
-            HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj
-            XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS
-            5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo
-            M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA==
-            =c/3x
-            -----END PGP MESSAGE-----
-          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
-        - created_at: "2022-01-22T04:06:16Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ
-            yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI
-            2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN
-            46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N
-            4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK
-            GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW
-            fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU
-            WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd
-            vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl
-            tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c
-            w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU
-            aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9
-            NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9
-            PNNoVr/LwxMQ
-            =e2fo
-            -----END PGP MESSAGE-----
-          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
-    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
-    version: 3.7.3
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-    name: allow-ingress-to-oauth2
-    namespace: monitoring-system
-spec:
-    podSelector:
-        matchLabels:
-            app: oauth2-proxy
-    ingress:
-        - from:
-            - namespaceSelector:
-                matchLabels:
-                    ingress.shivering-isles.com/network-access-required: "true"
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-09-09T23:36:38Z"
-    mac: ENC[AES256_GCM,data:X6uANEzYCm2qJs2SiELpae4rIgUjBk+NQK9O2AW0CfVK/RqhuzO05DpSzgfisCtWPAtNOP0q/BrCXbPFDc6LlR68oBNIkDGn8vvg2ItZ4ZnsX3yfq+k4qacb4uAcairm7vXDbCQ2POzLc5xeKPnCQLVzBwN6VPfJWgRQxE/qeKI=,iv:nUaFNW4IfQDVFN93UcstChQV0poNN+y4qAIkq+UuBbo=,tag:tFA2ftUjF/wdtz8P9f9ZKw==,type:str]
+    lastmodified: "2023-09-27T22:33:52Z"
+    mac: ENC[AES256_GCM,data:+G5Kl6LQKqADdxuZdZiSMP2lqHatZaB9Im+PoRSMsPoX/3iSm1kWmNAFBaUA6gLyZIWb56BYuRVVDXvBcgDc2P1QOBQ0eYFvi8AZPyRFysli8qITRVoxxmbGTKL5FxB/R35NI3AcZbo1EHGXLnNhkRc0zIQ06xWl+xmaWgzlf0g=,iv:w3oDnxxzFGhfmdifJZmvubv/Nho+58aryDMVX/bDnRQ=,tag:MVWnEYR6XlIaeiNcLIudPw==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-