diff --git a/argocd/app-of-apps/values.tmpl.yaml b/argocd/app-of-apps/values.tmpl.yaml
index 0497c31bfd..6ed708edbc 100644
--- a/argocd/app-of-apps/values.tmpl.yaml
+++ b/argocd/app-of-apps/values.tmpl.yaml
@@ -54,6 +54,14 @@ argo-cd:
 metrics:
 enabled: true
 server:
+ config:
+ url: https://argocd.apps.${cluster_name}.${base_domain}
+ oidc.config: |
+ name: OIDC
+ issuer: ${oidc_issuer_url}
+ clientID: ${client_id}
+ clientSecret: ${client_secret}
+ requestedScopes: ["openid", "profile", "email"]
 ingress:
 enabled: true
 annotations:
@@ -70,6 +78,12 @@ argo-cd:
 - argocd.apps.${cluster_name}.${base_domain}
 metrics:
 enabled: true
+ rbacConfig:
+ policy.default: role:readonly
+ policy.csv: |
+ g, pipeline, role:readonly
+ g, argocd-admin, role:admin
+ scopes: '[groups, cognito:groups]'
 cert-manager: {}
@@ -115,6 +129,27 @@ keycloak:
 kube-prometheus-stack:
 alertmanager:
+ alertmanagerSpec:
+ containers:
+ - args:
+ - --http-address=0.0.0.0:9095
+ - --upstream=http://localhost:9093
+ - --provider=oidc
+ - --oidc-issuer-url=${oidc_issuer_url}
+ - --client-id=${client_id}
+ - --client-secret=${client_secret}
+ - --cookie-secure=false
+ - --cookie-secret=${cookie_secret}
+ - --email-domain=*
+ - --redirect-url=https://alertmanager.apps.${cluster_name}.${base_domain}/oauth2/callback
+ %{ for arg in oauth2_proxy_extra_args }
+ - ${arg}
+ %{ endfor }
+ image: quay.io/pusher/oauth2_proxy:v6.1.1
+ name: alertmanager-proxy
+ ports:
+ - containerPort: 9095
+ name: web
 ingress:
 enabled: true
 annotations:
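Review bot: `clientSecret: ${client_secret}` inside `oidc.config` renders the OIDC client secret into the argocd-cm ConfigMap, which is readable by anyone with ConfigMap read access in the Argo CD namespace rather than only Secret readers. Argo CD treats a value starting with `$` in `oidc.config` as a reference to a key in argocd-secret, so the line can become `clientSecret: $oidc.clientSecret` with the real value stored under that key in argocd-secret; whether this chart version exposes a hook for extra argocd-secret keys is not visible here and would need checking. The `name: OIDC` label is also what users see on the login button, so `name: ${oidc_display_name}` or a per-module value would read better than the generic word, but that is cosmetic.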
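Review bot: `--cookie-secure=false` on the alertmanager-proxy container strips the Secure attribute from the oauth2_proxy session cookie even though `--redirect-url` and the ingress host are HTTPS, so a browser will also send that cookie on any plaintext request to the host; unless the local modules really serve plain HTTP, this should be `--cookie-secure=true` here, with any module-specific relaxation passed in through `oauth2_proxy_extra_args`. The prometheus-proxy container in the later hunk of this file has the same setting. `--client-secret=${client_secret}` and `--cookie-secret=${cookie_secret}` are also placed in the pod spec as plain arguments, visible to anyone who can read pods; oauth2_proxy reads the equivalent `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` environment variables, which can be sourced from a Secret with `valueFrom.secretKeyRef`. `--email-domain=*` admits every identity the issuer authenticates, which is looser than the group-based RBAC the Argo CD hunk above sets up — worth a comment on that line if intentional.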
@@ -129,8 +164,41 @@ kube-prometheus-stack:
 hosts:
 - alertmanager.apps.${base_domain}
 - alertmanager.apps.${cluster_name}.${base_domain}
+ service:
+ targetPort: 9095
 grafana:
+ grafana.ini:
+ auth.generic_oauth:
+ enabled: true
+ allow_sign_up: true
+ client_id: ${client_id}
+ client_secret: ${client_secret}
+ scopes: "openid profile email"
+ auth_url: ${oauth2_oauth_url}
+ token_url: ${oauth2_token_url}
+ api_url: ${oauth2_api_url}
+ %{ for k, v in grafana_generic_oauth_extra_args }
+ ${k}: ${v}
+ %{ endfor }
+ server:
+ domain: grafana.apps.${cluster_name}.${base_domain}
+ root_url: "https://%(domain)s"
+ sidecar:
+ datasources:
+ defaultDatasourceEnabled: false
+ additionalDataSources:
+ - name: Prometheus
+ type: prometheus
+ # TODO: fix this 9091 with oauthPassThru
+ #url: http://kube-prometheus-stack-prometheus:9091/
+ url: http://kube-prometheus-stack-prometheus:9090/
+ access: proxy
+ isDefault: true
+ jsonData:
+ tlsAuth: false
+ tlsAuthWithCACert: false
+ oauthPassThru: true
 ingress:
 enabled: true
 annotations:
@@ -161,6 +229,35 @@ kube-prometheus-stack:
 hosts:
 - prometheus.apps.${base_domain}
 - prometheus.apps.${cluster_name}.${base_domain}
+ prometheusSpec:
+ portName: proxy
+ containers:
+ - args:
+ - --http-address=0.0.0.0:9091
+ - --upstream=http://localhost:9090
+ - --provider=oidc
+ - --oidc-issuer-url=${oidc_issuer_url}
+ - --client-id=${client_id}
+ - --client-secret=${client_secret}
+ - --cookie-secure=false
+ - --cookie-secret=${cookie_secret}
+ - --email-domain=*
+ - --redirect-url=https://prometheus.apps.${cluster_name}.${base_domain}/oauth2/callback
+ %{ for arg in oauth2_proxy_extra_args }
+ - ${arg}
+ %{ endfor }
+ image: quay.io/pusher/oauth2_proxy:v6.1.1
+ name: prometheus-proxy
+ ports:
+ - containerPort: 9091
+ name: proxy
+ service:
+ port: 9091
+ targetPort: 9091
+ additionalPorts:
+ - name: web
+ port: 9090
+ targetPort: 9090
 loki-stack: {}
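Review bot: `allow_sign_up: true` under `auth.generic_oauth`, with no `allowed_domains` and no `role_attribute_path`, auto-creates a Grafana account for every user the issuer authenticates, so dashboard access is bounded only by who can log in to the IdP; either restrict it (`allowed_domains`, or a `role_attribute_path` derived from the groups claim) or add a comment stating that any IdP user is meant to be a Grafana viewer. `client_secret: ${client_secret}` in `grafana.ini` is rendered into the configuration object the chart generates from this key, which is presumably a ConfigMap rather than a Secret; Grafana expands `$__env{VAR}` in its ini, so the secret could be supplied through an environment variable backed by a Secret instead. The `${k}: ${v}` loop inserts extra ini keys verbatim, so a caller who passes a value containing a newline or a leading `#` can change the shape of this mapping — acceptable for a Terraform-internal map, but worth a comment above the loop.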
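Review bot: the Service now publishes both the proxied port 9091 and, through `additionalPorts`, the raw Prometheus port 9090 as `web`; the ingress appears to follow `service.port` and the Grafana datasource explicitly targets 9090, so any pod in the cluster can still query Prometheus without passing the oauth2_proxy, and the OIDC gate only covers ingress traffic. That is the usual in-cluster model, but it should be stated next to the port, e.g. `# 9090 is unauthenticated and only meant for in-cluster callers (Grafana datasource); external access goes through the proxied 9091`, and a NetworkPolicy is the place to limit in-cluster callers if that matters. The `prometheus:` mapping these keys belong to starts before this hunk.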
diff --git a/modules/eks-aws/main.tf b/modules/eks-aws/main.tf
index e5914d8f55..60fc8ffc35 100644
--- a/modules/eks-aws/main.tf
+++ b/modules/eks-aws/main.tf
@@ -149,8 +149,13 @@ resource "helm_release" "app_of_apps" {
 cluster_name = var.cluster_name
 base_domain = var.base_domain
 cluster_issuer = "letsencrypt-prod"
+ oidc_issuer_url = format("https://cognito-idp.%s.amazonaws.com/%s", data.aws_region.current.name, var.cognito_user_pool_id)
+ oauth2_oauth_url = format("https://%s.auth.%s.amazoncognito.com/oauth2/authorize", var.cognito_user_pool_domain, data.aws_region.current.name)
+ oauth2_token_url = format("https://%s.auth.%s.amazoncognito.com/oauth2/token", var.cognito_user_pool_domain, data.aws_region.current.name)
+ oauth2_api_url = format("https://%s.auth.%s.amazoncognito.com/oauth2/userInfo", var.cognito_user_pool_domain, data.aws_region.current.name)
 client_id = aws_cognito_user_pool_client.client.id
 client_secret = aws_cognito_user_pool_client.client.client_secret
+ cookie_secret = random_password.oauth2_cookie_secret.result
 admin_password = ""
 minio_access_key = ""
 minio_secret_key = ""
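Review bot: one Cognito app client (`aws_cognito_user_pool_client.client`) is now shared by Argo CD, Grafana and the two oauth2_proxy sidecars, so its `callback_urls` must list every redirect URI the shared template generates — the `/oauth2/callback` paths on the alertmanager and prometheus hosts and Grafana's `/login/generic_oauth` — or Cognito answers with a redirect mismatch; the client resource is outside this hunk, so this could not be checked here. A short comment on `oidc_issuer_url` naming that dependency, e.g. `# redirect URIs for argocd/grafana/alertmanager/prometheus must be registered on the app client`, would save the next reader a trip. The `helm_release` resource this block belongs to starts before the hunk.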
@@ -158,23 +163,17 @@ resource "helm_release" "app_of_apps" {
 enable_keycloak = false
 enable_olm = false
 enable_minio = false
+
+ oauth2_proxy_extra_args = []
+ grafana_generic_oauth_extra_args = {}
 }
 ),
 templatefile("${path.module}/values.tmpl.yaml",
 {
- cluster_name = var.cluster_name
- base_domain = var.base_domain
 aws_default_region = data.aws_region.current.name
 cert_manager_assumable_role_arn = module.iam_assumable_role_cert_manager.this_iam_role_arn,
 loki_assumable_role_arn = module.iam_assumable_role_loki.this_iam_role_arn,
 loki_bucket_name = aws_s3_bucket.loki.id,
- oidc_issuer_url = format("https://cognito-idp.%s.amazonaws.com/%s", data.aws_region.current.name, var.cognito_user_pool_id)
- oauth2_oauth_url = format("https://%s.auth.%s.amazoncognito.com/oauth2/authorize", var.cognito_user_pool_domain, data.aws_region.current.name)
- oauth2_token_url = format("https://%s.auth.%s.amazoncognito.com/oauth2/token", var.cognito_user_pool_domain, data.aws_region.current.name)
- oauth2_api_url = format("https://%s.auth.%s.amazoncognito.com/oauth2/userInfo", var.cognito_user_pool_domain, data.aws_region.current.name)
- client_id = aws_cognito_user_pool_client.client.id
- client_secret = aws_cognito_user_pool_client.client.client_secret
- cookie_secret = random_password.oauth2_cookie_secret.result
 efs_filesystem_id = var.enable_efs ? module.efs.0.this_efs_mount_target_file_system_id : ""
 efs_dns_name = var.enable_efs ? module.efs.0.this_efs_mount_target_full_dns_name : ""
 }
diff --git a/modules/eks-aws/values.tmpl.yaml b/modules/eks-aws/values.tmpl.yaml
index abec232757..4524b1e153 100644
--- a/modules/eks-aws/values.tmpl.yaml
+++ b/modules/eks-aws/values.tmpl.yaml
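Review bot: removing `cluster_name` and `base_domain` from the second `templatefile` call means any surviving `${cluster_name}` or `${base_domain}` reference in modules/eks-aws/values.tmpl.yaml fails at plan time with an unknown-variable error; the deleted kube-prometheus-stack and argo-cd blocks were the only visible consumers, so this is probably clean, but the remainder of that template is not in view and deserves a grep before merge. The empty `oauth2_proxy_extra_args = []` and `grafana_generic_oauth_extra_args = {}` are the cloud baseline that the local modules relax; a one-line comment such as `# no insecure overrides in the cloud module; see k3s-docker/k3os-libvirt` would make that contrast explicit. The `helm_release` resource continues outside this hunk.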
@@ -3,19 +3,6 @@ argo-cd:
 server:
 config:
 admin.enabled: "false"
- url: https://argocd.apps.${cluster_name}.${base_domain}
- oidc.config: |
- name: Cognito
- issuer: ${oidc_issuer_url}
- clientID: ${client_id}
- clientSecret: ${client_secret}
- requestedScopes: ["openid", "profile", "email"]
- rbacConfig:
- policy.default: role:readonly
- policy.csv: |
- g, pipeline, role:readonly
- g, argocd-admin, role:admin
- scopes: '[cognito:groups]'
 cert-manager:
 serviceAccount:
@@ -36,88 +23,6 @@ efs-provisioner:
 awsRegion: ${aws_default_region}
 dnsName: ${efs_dns_name}
-kube-prometheus-stack:
- alertmanager:
- service:
- targetPort: 9095
- alertmanagerSpec:
- containers:
- - args:
- - --http-address=0.0.0.0:9095
- - --upstream=http://localhost:9093
- - --provider=oidc
- - --oidc-issuer-url=${oidc_issuer_url}
- - --client-id=${client_id}
- - --client-secret=${client_secret}
- - --cookie-secure=false
- - --cookie-secret=${cookie_secret}
- - --email-domain=*
- - --redirect-url=https://alertmanager.apps.${cluster_name}.${base_domain}/oauth2/callback
- image: quay.io/pusher/oauth2_proxy:v6.1.1
- name: alertmanager-proxy
- ports:
- - containerPort: 9095
- name: web
-
- prometheus:
- service:
- port: 9091
- targetPort: 9091
- additionalPorts:
- - name: web
- port: 9090
- targetPort: 9090
- prometheusSpec:
- portName: proxy
- containers:
- - args:
- - --http-address=0.0.0.0:9091
- - --upstream=http://localhost:9090
- - --provider=oidc
- - --oidc-issuer-url=${oidc_issuer_url}
- - --client-id=${client_id}
- - --client-secret=${client_secret}
- - --cookie-secure=false
- - --cookie-secret=${cookie_secret}
- - --email-domain=*
- - --redirect-url=https://prometheus.apps.${cluster_name}.${base_domain}/oauth2/callback
- image: quay.io/pusher/oauth2_proxy:v6.1.1
- name: prometheus-proxy
- ports:
- - containerPort: 9091
- name: proxy
-
- grafana:
- grafana.ini:
- auth.generic_oauth:
- name: Cognito
- enabled: true
- allow_sign_up: true
- client_id: ${client_id}
- client_secret: ${client_secret}
- scopes: "openid profile email"
- auth_url: ${oauth2_oauth_url}
- token_url: ${oauth2_token_url}
- api_url: ${oauth2_api_url}
- server:
- domain: grafana.apps.${cluster_name}.${base_domain}
- root_url: "https://%(domain)s"
- sidecar:
- datasources:
- defaultDatasourceEnabled: false
- additionalDataSources:
- - name: Prometheus
- type: prometheus
- # TODO: fix this 9091 with oauthPassThru
- #url: http://kube-prometheus-stack-prometheus:9091/
- url: http://kube-prometheus-stack-prometheus:9090/
- access: proxy
- isDefault: true
- jsonData:
- tlsAuth: false
- tlsAuthWithCACert: false
- oauthPassThru: true
-
 loki-stack:
 loki:
 config:
diff --git a/modules/k3os-libvirt/main.tf b/modules/k3os-libvirt/main.tf
index e5235e9d95..6f3f9a3855 100644
--- a/modules/k3os-libvirt/main.tf
+++ b/modules/k3os-libvirt/main.tf
@@ -62,8 +62,13 @@ resource "helm_release" "app_of_apps" {
 cluster_name = var.cluster_name
 base_domain = local.base_domain
 cluster_issuer = "selfsigned-issuer"
+ oidc_issuer_url = format("https://keycloak.apps.%s/auth/realms/kubernetes", local.base_domain)
+ oauth2_oauth_url = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/auth", local.base_domain)
+ oauth2_token_url = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/token", local.base_domain)
+ oauth2_api_url = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/userinfo", local.base_domain)
 client_id = "applications"
 client_secret = random_password.clientsecret.result
+ cookie_secret = random_password.oauth2_cookie_secret.result
 admin_password = random_password.admin_password.result
 minio_access_key = var.enable_minio ? random_password.minio_accesskey.0.result : ""
 minio_secret_key = var.enable_minio ? random_password.minio_secretkey.0.result : ""
@@ -71,6 +76,15 @@ resource "helm_release" "app_of_apps" {
 enable_keycloak = true
 enable_olm = true
 enable_minio = var.enable_minio
+
+ oauth2_proxy_extra_args = [
+ "--insecure-oidc-skip-issuer-verification=true",
+ "--ssl-insecure-skip-verify=true",
+ ]
+
+ grafana_generic_oauth_extra_args = {
+ tls_skip_verify_insecure = true
+ }
 }
 ),
 templatefile("${path.module}/values.tmpl.yaml",
@@ -95,7 +109,7 @@ resource "random_password" "admin_password" {
 special = false
 }
-resource "random_password" "cookie_secret" {
+resource "random_password" "oauth2_cookie_secret" {
 length = 16
 special = false
 }
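Review bot: `cookie_secret = random_password.oauth2_cookie_secret.result` points at a resource that the last hunk of this file renames from `random_password.cookie_secret`; Terraform sees a rename as destroy-and-create, so the first apply generates a new cookie secret and invalidates every existing oauth2_proxy session, and if anything else still consumed the old address it would fail to plan. A `moved { from = random_password.cookie_secret  to = random_password.oauth2_cookie_secret }` block (Terraform 1.1+) or a one-off `terraform state mv` keeps the state continuous; which of the two applies depends on the project's pinned Terraform version, which is not visible here. modules/k3s-docker/main.tf carries the identical rename. The `helm_release` resource starts before this hunk.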
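Review bot: `--insecure-oidc-skip-issuer-verification=true` and `--ssl-insecure-skip-verify=true` turn off TLS verification toward Keycloak and the discovery-issuer match check for both proxies in this module, and `tls_skip_verify_insecure = true` does the same for Grafana; that fits the `selfsigned-issuer` setup, but these three strings are exactly what would let a spoofed issuer satisfy the proxies, so they need a comment in place, e.g. `# local-only: the cluster issuer is self-signed, so the proxies cannot validate the chain; never copy into eks-aws`. The same list and map are duplicated verbatim in modules/k3s-docker/main.tf; a shared local or module variable would keep the two from drifting. The `helm_release` resource this block sits in starts before the hunk.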
diff --git a/modules/k3s-docker/main.tf b/modules/k3s-docker/main.tf
index 00030ce781..818f10377e 100644
--- a/modules/k3s-docker/main.tf
+++ b/modules/k3s-docker/main.tf
@@ -59,8 +59,13 @@ resource "helm_release" "app_of_apps" {
 cluster_name = var.cluster_name
 base_domain = local.base_domain
 cluster_issuer = "selfsigned-issuer"
+ oidc_issuer_url = format("https://keycloak.apps.%s/auth/realms/kubernetes", local.base_domain)
+ oauth2_oauth_url = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/auth", local.base_domain)
+ oauth2_token_url = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/token", local.base_domain)
+ oauth2_api_url = format("https://keycloak.apps.%s/auth/realms/kubernetes/protocol/openid-connect/userinfo", local.base_domain)
 client_id = "applications"
 client_secret = random_password.clientsecret.result
+ cookie_secret = random_password.oauth2_cookie_secret.result
 admin_password = random_password.admin_password.result
 minio_access_key = var.enable_minio ? random_password.minio_accesskey.0.result : ""
 minio_secret_key = var.enable_minio ? random_password.minio_secretkey.0.result : ""
@@ -68,6 +73,15 @@ resource "helm_release" "app_of_apps" {
 enable_keycloak = true
 enable_olm = true
 enable_minio = var.enable_minio
+
+ oauth2_proxy_extra_args = [
+ "--insecure-oidc-skip-issuer-verification=true",
+ "--ssl-insecure-skip-verify=true",
+ ]
+
+ grafana_generic_oauth_extra_args = {
+ tls_skip_verify_insecure = true
+ }
 }
 ),
 templatefile("${path.module}/values.tmpl.yaml",
@@ -92,7 +106,7 @@ resource "random_password" "admin_password" {
 special = false
 }
-resource "random_password" "cookie_secret" {
+resource "random_password" "oauth2_cookie_secret" {
 length = 16
 special = false
 }