From 626264b1ead7113cf90b99102d8e793057edf59f Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Mon, 20 Dec 2021 16:20:41 +0100
Subject: [PATCH] move monitoring to Maester-based oauth credentials
---
 .../eventrouter-values-configmap.yaml | 1 +
 .../kube-prometheus-stack-oauth-client.yaml | 22 +++++++++++++++++
 ...ube-prometheus-stack-values-configmap.yaml | 1 +
 flux2/apps/monitoring/kustomization.yaml | 2 +-
 .../monitoring/loki-values-configmap.yaml | 1 +
 .../monitoring/promtail-values-configmap.yaml | 1 +
 flux2/apps/monitoring/pvc.yaml | 1 +
 .../single-sign-on-values-configmap.yaml | 14 ----------
 install/generate_secrets.py | 24 +++++++++++++++----
 install/install-stackspin.sh | 3 +--
 .../stackspin-oauth-variables.yaml.jinja | 11 +++------
 ...kspin-wordpress-oauth-variables.yaml.jinja | 8 -------
 12 files changed, 51 insertions(+), 38 deletions(-)
 create mode 100644 flux2/apps/monitoring/kube-prometheus-stack-oauth-client.yaml
 delete mode 100644 install/templates/stackspin-wordpress-oauth-variables.yaml.jinja
diff --git a/flux2/apps/monitoring/eventrouter-values-configmap.yaml b/flux2/apps/monitoring/eventrouter-values-configmap.yaml
index 65b6d6710..fa7d5eb71 100644
--- a/flux2/apps/monitoring/eventrouter-values-configmap.yaml
+++ b/flux2/apps/monitoring/eventrouter-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-eventrouter-values
+ namespace: stackspin
 data:
 values.yaml: |
 sink: stdout
diff --git a/flux2/apps/monitoring/kube-prometheus-stack-oauth-client.yaml b/flux2/apps/monitoring/kube-prometheus-stack-oauth-client.yaml
new file mode 100644
index 000000000..82106d0d4
--- /dev/null
+++ b/flux2/apps/monitoring/kube-prometheus-stack-oauth-client.yaml
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: kube-prometheus-stack-oauth-client
+ # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+ # secret
+ namespace: flux-system
+spec:
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles"
+ secretName: stackspin-kube-prometheus-stack-oauth-variables
+ # these are optional
+ redirectUris:
+ - https://grafana.${domain}/login/generic_oauth
+ # hydraAdmin: {}
+ tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/monitoring/kube-prometheus-stack-values-configmap.yaml b/flux2/apps/monitoring/kube-prometheus-stack-values-configmap.yaml
index 479ad58d5..11bb919a2 100644
--- a/flux2/apps/monitoring/kube-prometheus-stack-values-configmap.yaml
+++ b/flux2/apps/monitoring/kube-prometheus-stack-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-kube-prometheus-stack-values
+ namespace: stackspin
 data:
 values.yaml: |
 # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml
diff --git a/flux2/apps/monitoring/kustomization.yaml b/flux2/apps/monitoring/kustomization.yaml
index 1b30e22f8..d3c8daccb 100644
--- a/flux2/apps/monitoring/kustomization.yaml
+++ b/flux2/apps/monitoring/kustomization.yaml
@@ -1,10 +1,10 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin
 resources:
 - eventrouter-release.yaml
 - eventrouter-values-configmap.yaml
+ - kube-prometheus-stack-oauth-client.yaml
 - kube-prometheus-stack-release.yaml
 - kube-prometheus-stack-values-configmap.yaml
 - loki-configmap.yaml
diff --git a/flux2/apps/monitoring/loki-values-configmap.yaml b/flux2/apps/monitoring/loki-values-configmap.yaml
index 86ec319cb..ca408a8ea 100644
--- a/flux2/apps/monitoring/loki-values-configmap.yaml
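Review bot: The comment above `namespace: flux-system` names the wrong secret: it refers to `stackspin-wordpress-oauth-variables`, while this client's `secretName` is `stackspin-kube-prometheus-stack-oauth-variables`, so it should read `# Has to live in the same namespace as the stackspin-kube-prometheus-stack-oauth-variables` / `# secret`. The `# these are optional` line above `redirectUris` is also misleading for a client that requests `authorization_code` — the exact `https://grafana.${domain}/login/generic_oauth` entry is what Hydra matches the callback against, so I would move that comment down to cover `# hydraAdmin: {}` only. Separately, the diffstat shows no change to the kube-prometheus-stack HelmRelease or the Grafana values, so it is not visible here how Grafana's generic_oauth config obtains `client_secret` from the new secret; if those values still substitute the now-removed `${grafana_oauth_client_secret}`, Grafana login would break even though the Hydra client itself is registered correctly.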
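Review bot: Removing `namespace: stackspin` means every resource in this list must now set `metadata.namespace` itself, and the diff only adds it to the four values ConfigMaps and `pvc.yaml`; `eventrouter-release.yaml`, `kube-prometheus-stack-release.yaml`, `loki-configmap.yaml` and whatever follows below this hunk are not in the diffstat, so unless they already carry a namespace they would be applied wherever the Flux Kustomization defaults to. Presumably the field had to go because kustomize's `namespace` transformer would otherwise override the `flux-system` namespace on the new OAuth2Client, which is a sound reason — but each remaining resource should be checked before merge. A one-line comment here such as `# no default namespace: the OAuth2Client must live in flux-system, so every resource sets its own` would keep the next maintainer from re-adding it.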
+++ b/flux2/apps/monitoring/loki-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-loki-values
+ namespace: stackspin
 data:
 values.yaml: |
 # https://github.com/grafana/helm-charts/blob/main/charts/loki/values.yaml
diff --git a/flux2/apps/monitoring/promtail-values-configmap.yaml b/flux2/apps/monitoring/promtail-values-configmap.yaml
index 83472dccb..d32575cf5 100644
--- a/flux2/apps/monitoring/promtail-values-configmap.yaml
+++ b/flux2/apps/monitoring/promtail-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: stackspin-promtail-values
+ namespace: stackspin
 data:
 values.yaml: |
 initContainer:
diff --git a/flux2/apps/monitoring/pvc.yaml b/flux2/apps/monitoring/pvc.yaml
index c8c46cda1..4b96bcc6b 100644
--- a/flux2/apps/monitoring/pvc.yaml
+++ b/flux2/apps/monitoring/pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: grafana
+ namespace: stackspin
 spec:
 accessModes:
 - ReadWriteOnce
diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
index bb8415068..da3623061 100644
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -109,20 +109,6 @@ data:
 - "authorization_code"
 - "refresh_token"
 - "client_credentials"
- - clientName: grafana
- clientSecret: "${grafana_oauth_client_secret}"
- redirectUri: "https://grafana.${domain}/login/generic_oauth"
- scopes: "openid profile email stackspin_roles"
- clientUri: "https://grafana.${domain}"
- clientLogoUri: "https://grafana.${domain}/public/img/grafana_icon.svg"
- tokenEndpointAuthMethod: "client_secret_post"
- responseTypes:
- - "code"
- - "id_token"
- grantTypes:
- - "authorization_code"
- - "refresh_token"
- - "client_credentials"
 # https://github.com/wekan/wekan/wiki/Keycloak
 - clientName: wekan
 clientSecret: "${wekan_oauth_client_secret}"
diff --git a/install/generate_secrets.py b/install/generate_secrets.py
index 04a1896f2..3640fd75d 100644
--- a/install/generate_secrets.py
+++ b/install/generate_secrets.py
@@ -25,6 +25,14 @@ from kubernetes import client, config
 from kubernetes.client.exceptions import ApiException
 from kubernetes.utils import create_from_yaml
+# This script gets called with an app name as argument. Most of them need an
+# oauth client in Hydra, but some don't. This list contains the ones that
+# don't.
+APPS_WITHOUT_OAUTH = [
+ "single-sign-on",
+ "prometheus",
+ "alertmanager",
+]
 def main():
 """Run everything"""
@@ -37,9 +45,11 @@ def main():
 sys.exit(1)
 app_name = sys.argv[1]
- # Create app variables secret and oauth variables secret
- for secret in [app_name, f"{app_name}-oauth"]:
- create_variables_secret(f"stackspin-{secret}-variables.yaml.jinja", env)
+ # Create app variables secret
+ create_variables_secret(app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)
+ # Create a secret that contains the oauth variables for Hydra Maester
+ if app_name not in APPS_WITHOUT_OAUTH:
+ create_variables_secret(app_name, "stackspin-oauth-variables.yaml.jinja", env)
 create_basic_auth_secret(app_name, env)
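Review bot: `APPS_WITHOUT_OAUTH` is only ever used for membership tests in `main()`, so a tuple or `frozenset` expresses that better than a mutable list, and the new `create_variables_secret(app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)` call is wider than the rest of the file — wrapping its arguments like the guarded call below keeps the two calls parallel. The comment on the constant could also record what these apps still receive, since `create_basic_auth_secret(app_name, env)` runs for every app regardless: `# don't. They still get their per-app variables secret and basic-auth secret.` Note that for every other app the shared OAuth template is rendered with `app` taken straight from `sys.argv[1]`, which becomes both the Secret name and the base64 `client_id`; that is fine for the fixed names the installer passes, but the value is not validated here, so presumably only the failing `open()` of the per-app template in `create_variables_secret` stops a mistyped app name from producing a stray client secret.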
@@ -49,7 +59,7 @@ def get_templates_dir():
 return os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates')
-def create_variables_secret(variables_filename, env):
+def create_variables_secret(app_name, variables_filename, env):
 """Checks if a variables secret for app_name already exists, generates it if necessary"""
 variables_filepath = \
 os.path.join(get_templates_dir(), variables_filename)
@@ -58,7 +68,11 @@ def create_variables_secret(variables_filename, env):
 with open(variables_filepath) as template_file:
 lines = template_file.read()
 secret_name, secret_namespace = get_secret_metadata(lines)
- new_secret_dict = yaml.safe_load(env.from_string(lines).render())
+ new_secret_dict = yaml.safe_load(
+ env.from_string(
+ lines,
+ globals={"app": app_name}
+ ).render())
 current_secret_data = get_kubernetes_secret_data(secret_name, secret_namespace)
 if current_secret_data is None:
diff --git a/install/install-stackspin.sh b/install/install-stackspin.sh
index d913734f3..dacde3034 100755
--- a/install/install-stackspin.sh
+++ b/install/install-stackspin.sh
@@ -37,10 +37,9 @@ echo "Tracking branch $branch for https://open.greenhost.net/stackspin/stackspin
 kubectl get namespace stackspin 2>/dev/null || kubectl create namespace stackspin
 kubectl get namespace stackspin-apps 2>/dev/null || kubectl create namespace stackspin-apps
-# Generate oauth and SSO secrets
+# Generate dashboard and SSO secrets
 python "$(dirname "$0")/generate_secrets.py" dashboard
 python "$(dirname "$0")/generate_secrets.py" single-sign-on
-python "$(dirname "$0")/generate_secrets.py" oauth
 # Generate secrets for monitoring
 python "$(dirname "$0")/generate_secrets.py" kube-prometheus-stack
diff --git a/install/templates/stackspin-oauth-variables.yaml.jinja b/install/templates/stackspin-oauth-variables.yaml.jinja
index 66445dd80..32a0ab078 100644
--- a/install/templates/stackspin-oauth-variables.yaml.jinja
+++ b/install/templates/stackspin-oauth-variables.yaml.jinja
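Review bot: The docstring of `create_variables_secret` was not updated for the new leading `app_name` parameter, nor for the `app` template global that the second hunk injects via `env.from_string(lines, globals={"app": app_name})`; because the change is positional, any caller of the old two-argument form outside this diff would now pass a filename as `app_name` without an error. Suggest replacing the one-line docstring with a short Google-style one: a summary (render the Jinja template `variables_filename` from the templates dir and create the resulting Secret if it is absent), an `Args:` section listing `app_name` (exposed to the template as `app`, used in the Secret name and `client_id`), `variables_filename` and `env`, and a sentence stating that an existing Secret is left untouched — the `if current_secret_data is None:` branch — which is what keeps a generated `client_secret` stable across installer re-runs. The function body continues past the end of this hunk.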
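Review bot: Dropping the `oauth` invocation stops generating the cluster-wide `stackspin-oauth-variables` Secret on new installs, but nothing in this diff removes or rotates it on existing clusters, where it still holds the previous client secrets for every app; at the same time the single-sign-on values still reference `${wekan_oauth_client_secret}` and siblings, so it is unclear from here whether that legacy Secret is still needed as their substitution source or is now dead material. Worth stating either way next to the changed comment, e.g. `# NOTE: stackspin-oauth-variables is no longer generated; apps not yet on Maester clients still read their client secret from it`, or, if it is unused, a cleanup step that deletes the legacy Secret alongside the namespace handling above.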
@@ -2,12 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: stackspin-oauth-variables
+ name: stackspin-{{ app }}-oauth-variables
 data:
- grafana_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
- nextcloud_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
- userpanel_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
- wekan_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
- wordpress_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
- zulip_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
- dashboard_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
+ client_id: "{{ app | b64encode }}"
+ client_secret: "{{ 32 | generate_password | b64encode }}"
diff --git a/install/templates/stackspin-wordpress-oauth-variables.yaml.jinja b/install/templates/stackspin-wordpress-oauth-variables.yaml.jinja
deleted file mode 100644
index 4fbb548e3..000000000
--- a/install/templates/stackspin-wordpress-oauth-variables.yaml.jinja
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: stackspin-wordpress-oauth-variables
-data:
- client_id: "{{ 'wordpress' | b64encode }}"
- client_secret: "{{ 32 | generate_password | b64encode }}"
-- 
GitLab
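Review bot: Removing `nextcloud_`, `userpanel_`, `wekan_`, `zulip_` and `dashboard_oauth_client_secret` from this template, together with the dropped `oauth` run in `install-stackspin.sh`, means a fresh install no longer produces those values at all, while the single-sign-on values configmap (earlier hunk) still references `clientSecret: "${wekan_oauth_client_secret}"` in its retained context; unless the remaining apps get their own OAuth2Client in a follow-up, those Hydra clients would be created with an empty or unsubstituted secret. A second point: `metadata` here carries only `name`, yet the OAuth2Client in `kube-prometheus-stack-oauth-client.yaml` requires the secret to be in `flux-system`, so the namespace must be supplied by `get_secret_metadata()` in generate_secrets.py, which is outside this diff; adding `namespace: flux-system` under `metadata` (or a Jinja comment saying where the default comes from) would make that contract visible in the template itself. The `client_id: "{{ app | b64encode }}"` line matches what the deleted wordpress template hard-coded, so that generalisation looks right.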