Configure Applications to use Keycloak

camptocamp · Nov 26, 2020 · 98deebf · 98deebf
1 parent de6e522
commit 98deebf
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 106 deletions.
diff --git a/argocd/app-of-apps/values.tmpl.yaml b/argocd/app-of-apps/values.tmpl.yaml
@@ -54,6 +54,14 @@ argo-cd:
     metrics:
       enabled: true
   server:
+    config:
+      url: https://argocd.apps.${cluster_name}.${base_domain}
+      oidc.config: |
+        name: OIDC
+        issuer: ${oidc_issuer_url}
+        clientID: ${client_id}
+        clientSecret: ${client_secret}
+        requestedScopes: ["openid", "profile", "email"]
     ingress:
       enabled: true
       annotations:
@@ -70,6 +78,12 @@ argo-cd:
             - argocd.apps.${cluster_name}.${base_domain}
     metrics:
       enabled: true
+    rbacConfig:
+      policy.default: role:readonly
+      policy.csv: |
+        g, pipeline, role:readonly
+        g, argocd-admin, role:admin
+      scopes: '[groups, cognito:groups]'
 
 cert-manager: {}
 
@@ -115,6 +129,27 @@ keycloak:
 
 kube-prometheus-stack:
   alertmanager:
+    alertmanagerSpec:
+      containers:
+        - args:
+            - --http-address=0.0.0.0:9095
+            - --upstream=http://localhost:9093
+            - --provider=oidc
+            - --oidc-issuer-url=${oidc_issuer_url}
+            - --client-id=${client_id}
+            - --client-secret=${client_secret}
+            - --cookie-secure=false
+            - --cookie-secret=${cookie_secret}
+            - --email-domain=*
+            - --redirect-url=https://alertmanager.apps.${cluster_name}.${base_domain}/oauth2/callback
+            %{ for arg in oauth2_proxy_extra_args }
+            - ${arg}
+            %{ endfor }
+          image: quay.io/pusher/oauth2_proxy:v6.1.1
+          name: alertmanager-proxy
+          ports:
+            - containerPort: 9095
+              name: web
     ingress:
       enabled: true
       annotations:
@@ -129,8 +164,41 @@ kube-prometheus-stack:
           hosts:
             - alertmanager.apps.${base_domain}
             - alertmanager.apps.${cluster_name}.${base_domain}
+    service:
+      targetPort: 9095
 
   grafana:
+    grafana.ini:
+      auth.generic_oauth:
+        enabled: true
+        allow_sign_up: true
+        client_id: ${client_id}
+        client_secret: ${client_secret}
+        scopes: "openid profile email"
+        auth_url: ${oauth2_oauth_url}
+        token_url: ${oauth2_token_url}
+        api_url: ${oauth2_api_url}
+        %{ for k, v in grafana_generic_oauth_extra_args }
+        ${k}: ${v}
+        %{ endfor }
+      server:
+        domain: grafana.apps.${cluster_name}.${base_domain}
+        root_url: "https://%(domain)s"
+    sidecar:
+      datasources:
+        defaultDatasourceEnabled: false
+    additionalDataSources:
+      - name: Prometheus
+        type: prometheus
+        # TODO: fix this 9091 with oauthPassThru
+        #url: http://kube-prometheus-stack-prometheus:9091/
+        url: http://kube-prometheus-stack-prometheus:9090/
+        access: proxy
+        isDefault: true
+        jsonData:
+          tlsAuth: false
+          tlsAuthWithCACert: false
+          oauthPassThru: true
     ingress:
       enabled: true
       annotations:
@@ -161,6 +229,35 @@ kube-prometheus-stack:
           hosts:
             - prometheus.apps.${base_domain}
             - prometheus.apps.${cluster_name}.${base_domain}
+    prometheusSpec:
+      portName: proxy
+      containers:
+        - args:
+            - --http-address=0.0.0.0:9091
+            - --upstream=http://localhost:9090
+            - --provider=oidc
+            - --oidc-issuer-url=${oidc_issuer_url}
+            - --client-id=${client_id}
+            - --client-secret=${client_secret}
+            - --cookie-secure=false
+            - --cookie-secret=${cookie_secret}
+            - --email-domain=*
+            - --redirect-url=https://prometheus.apps.${cluster_name}.${base_domain}/oauth2/callback
+            %{ for arg in oauth2_proxy_extra_args }
+            - ${arg}
+            %{ endfor }
+          image: quay.io/pusher/oauth2_proxy:v6.1.1
+          name: prometheus-proxy
+          ports:
+            - containerPort: 9091
+              name: proxy
+    service:
+      port: 9091
+      targetPort: 9091
+      additionalPorts:
+        - name: web
+          port: 9090
+          targetPort: 9090
 
 loki-stack: {}
 

diff --git a/modules/eks-aws/main.tf b/modules/eks-aws/main.tf
@@ -149,32 +149,31 @@ resource "helm_release" "app_of_apps" {
         cluster_name                    = var.cluster_name
         base_domain                     = var.base_domain
         cluster_issuer                  = "letsencrypt-prod"
+        oidc_issuer_url                 = format("https://cognito-idp.%s.amazonaws.com/%s", data.aws_region.current.name, var.cognito_user_pool_id)
+        oauth2_oauth_url                = format("https://%s.auth.%s.amazoncognito.com/oauth2/authorize", var.cognito_user_pool_domain, data.aws_region.current.name)
+        oauth2_token_url                = format("https://%s.auth.%s.amazoncognito.com/oauth2/token", var.cognito_user_pool_domain, data.aws_region.current.name)
+        oauth2_api_url                  = format("https://%s.auth.%s.amazoncognito.com/oauth2/userInfo", var.cognito_user_pool_domain, data.aws_region.current.name)
         client_id                       = aws_cognito_user_pool_client.client.id
         client_secret                   = aws_cognito_user_pool_client.client.client_secret
+        cookie_secret                   = random_password.oauth2_cookie_secret.result
         admin_password                  = ""
         minio_access_key                = ""
         minio_secret_key                = ""
         enable_efs                      = var.enable_efs
         enable_keycloak                 = false
         enable_olm                      = false
         enable_minio                    = false
+
+        oauth2_proxy_extra_args          = []
+        grafana_generic_oauth_extra_args = {}
       }
     ),
     templatefile("${path.module}/values.tmpl.yaml",
       {
-        cluster_name                    = var.cluster_name
-        base_domain                     = var.base_domain
         aws_default_region              = data.aws_region.current.name
         cert_manager_assumable_role_arn = module.iam_assumable_role_cert_manager.this_iam_role_arn,
         loki_assumable_role_arn         = module.iam_assumable_role_loki.this_iam_role_arn,
         loki_bucket_name                = aws_s3_bucket.loki.id,
-        oidc_issuer_url                 = format("https://cognito-idp.%s.amazonaws.com/%s", data.aws_region.current.name, var.cognito_user_pool_id)
-        oauth2_oauth_url                = format("https://%s.auth.%s.amazoncognito.com/oauth2/authorize", var.cognito_user_pool_domain, data.aws_region.current.name)
-        oauth2_token_url                = format("https://%s.auth.%s.amazoncognito.com/oauth2/token", var.cognito_user_pool_domain, data.aws_region.current.name)
-        oauth2_api_url                  = format("https://%s.auth.%s.amazoncognito.com/oauth2/userInfo", var.cognito_user_pool_domain, data.aws_region.current.name)
-        client_id                       = aws_cognito_user_pool_client.client.id
-        client_secret                   = aws_cognito_user_pool_client.client.client_secret
-        cookie_secret                   = random_password.oauth2_cookie_secret.result
         efs_filesystem_id               = var.enable_efs ? module.efs.0.this_efs_mount_target_file_system_id : ""
         efs_dns_name                    = var.enable_efs ? module.efs.0.this_efs_mount_target_full_dns_name : ""
       }

diff --git a/modules/eks-aws/values.tmpl.yaml b/modules/eks-aws/values.tmpl.yaml
@@ -3,19 +3,6 @@ argo-cd:
   server:
     config:
       admin.enabled: "false"
-      url: https://argocd.apps.${cluster_name}.${base_domain}
-      oidc.config: |
-        name: Cognito
-        issuer: ${oidc_issuer_url}
-        clientID: ${client_id}
-        clientSecret: ${client_secret}
-        requestedScopes: ["openid", "profile", "email"]
-    rbacConfig:
-      policy.default: role:readonly
-      policy.csv: |
-        g, pipeline, role:readonly
-        g, argocd-admin, role:admin
-      scopes: '[cognito:groups]'
 
 cert-manager:
   serviceAccount:
@@ -36,88 +23,6 @@ efs-provisioner:
     awsRegion: ${aws_default_region}
     dnsName: ${efs_dns_name}
 
-kube-prometheus-stack:
-  alertmanager:
-    service:
-      targetPort: 9095
-    alertmanagerSpec:
-      containers:
-        - args:
-            - --http-address=0.0.0.0:9095
-            - --upstream=http://localhost:9093
-            - --provider=oidc
-            - --oidc-issuer-url=${oidc_issuer_url}
-            - --client-id=${client_id}
-            - --client-secret=${client_secret}
-            - --cookie-secure=false
-            - --cookie-secret=${cookie_secret}
-            - --email-domain=*
-            - --redirect-url=https://alertmanager.apps.${cluster_name}.${base_domain}/oauth2/callback
-          image: quay.io/pusher/oauth2_proxy:v6.1.1
-          name: alertmanager-proxy
-          ports:
-            - containerPort: 9095
-              name: web
-
-  prometheus:
-    service:
-      port: 9091
-      targetPort: 9091
-      additionalPorts:
-        - name: web
-          port: 9090
-          targetPort: 9090
-    prometheusSpec:
-      portName: proxy
-      containers:
-        - args:
-            - --http-address=0.0.0.0:9091
-            - --upstream=http://localhost:9090
-            - --provider=oidc
-            - --oidc-issuer-url=${oidc_issuer_url}
-            - --client-id=${client_id}
-            - --client-secret=${client_secret}
-            - --cookie-secure=false
-            - --cookie-secret=${cookie_secret}
-            - --email-domain=*
-            - --redirect-url=https://prometheus.apps.${cluster_name}.${base_domain}/oauth2/callback
-          image: quay.io/pusher/oauth2_proxy:v6.1.1
-          name: prometheus-proxy
-          ports:
-            - containerPort: 9091
-              name: proxy
-
-  grafana:
-    grafana.ini:
-      auth.generic_oauth:
-        name: Cognito
-        enabled: true
-        allow_sign_up: true
-        client_id: ${client_id}
-        client_secret: ${client_secret}
-        scopes: "openid profile email"
-        auth_url: ${oauth2_oauth_url}
-        token_url: ${oauth2_token_url}
-        api_url: ${oauth2_api_url}
-      server:
-        domain: grafana.apps.${cluster_name}.${base_domain}
-        root_url: "https://%(domain)s"
-    sidecar:
-      datasources:
-        defaultDatasourceEnabled: false
-    additionalDataSources:
-      - name: Prometheus
-        type: prometheus
-        # TODO: fix this 9091 with oauthPassThru
-        #url: http://kube-prometheus-stack-prometheus:9091/
-        url: http://kube-prometheus-stack-prometheus:9090/
-        access: proxy
-        isDefault: true
-        jsonData:
-          tlsAuth: false
-          tlsAuthWithCACert: false
-          oauthPassThru: true
-
 loki-stack:
   loki:
     config:

diff --git a/modules/k3os-libvirt/main.tf b/modules/k3os-libvirt/main.tf
@@ -62,15 +62,29 @@ resource "helm_release" "app_of_apps" {
         cluster_name                    = var.cluster_name
         base_domain                     = local.base_domain
         cluster_issuer                  = "selfsigned-issuer"
+        oidc_issuer_url                 = format("https://keycloak.apps.%s/auth/realms/kubernetes", local.base_domain)
+        oauth2_oauth_url                = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/auth", local.base_domain)
+        oauth2_token_url                = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/token", local.base_domain)
+        oauth2_api_url                  = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/userinfo", local.base_domain)
         client_id                       = "applications"
         client_secret                   = random_password.clientsecret.result
+        cookie_secret                   = random_password.oauth2_cookie_secret.result
         admin_password                  = random_password.admin_password.result
         minio_access_key                = var.enable_minio ? random_password.minio_accesskey.0.result : ""
         minio_secret_key                = var.enable_minio ? random_password.minio_secretkey.0.result : ""
         enable_efs                      = false
         enable_keycloak                 = true
         enable_olm                      = true
         enable_minio                    = var.enable_minio
+
+        oauth2_proxy_extra_args = [
+          "--insecure-oidc-skip-issuer-verification=true",
+          "--ssl-insecure-skip-verify=true",
+        ]
+
+        grafana_generic_oauth_extra_args = {
+          tls_skip_verify_insecure = true
+        }
       }
     ),
     templatefile("${path.module}/values.tmpl.yaml",
@@ -95,7 +109,7 @@ resource "random_password" "admin_password" {
   special = false
 }
 
-resource "random_password" "cookie_secret" {
+resource "random_password" "oauth2_cookie_secret" {
   length  = 16
   special = false
 }

diff --git a/modules/k3s-docker/main.tf b/modules/k3s-docker/main.tf
@@ -59,15 +59,29 @@ resource "helm_release" "app_of_apps" {
         cluster_name                    = var.cluster_name
         base_domain                     = local.base_domain
         cluster_issuer                  = "selfsigned-issuer"
+        oidc_issuer_url                 = format("https://keycloak.apps.%s/auth/realms/kubernetes", local.base_domain)
+        oauth2_oauth_url                = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/auth", local.base_domain)
+        oauth2_token_url                = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/token", local.base_domain)
+        oauth2_api_url                  = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/userinfo", local.base_domain)
         client_id                       = "applications"
         client_secret                   = random_password.clientsecret.result
+        cookie_secret                   = random_password.oauth2_cookie_secret.result
         admin_password                  = random_password.admin_password.result
         minio_access_key                = var.enable_minio ? random_password.minio_accesskey.0.result : ""
         minio_secret_key                = var.enable_minio ? random_password.minio_secretkey.0.result : ""
         enable_efs                      = false
         enable_keycloak                 = true
         enable_olm                      = true
         enable_minio                    = var.enable_minio
+
+        oauth2_proxy_extra_args = [
+          "--insecure-oidc-skip-issuer-verification=true",
+          "--ssl-insecure-skip-verify=true",
+        ]
+
+        grafana_generic_oauth_extra_args = {
+          tls_skip_verify_insecure = true
+        }
       }
     ),
     templatefile("${path.module}/values.tmpl.yaml",
@@ -92,7 +106,7 @@ resource "random_password" "admin_password" {
   special = false
 }
 
-resource "random_password" "cookie_secret" {
+resource "random_password" "oauth2_cookie_secret" {
   length  = 16
   special = false
 }