move monitoring to Maester-based oauth credentials

626264b1 · Maarten de Waard · fc460571 · 626264b1 · 626264b1 · 626264b1
Verified Commit 626264b1 authored 3 years ago by Maarten de Waard
--- a/flux2/apps/monitoring/eventrouter-values-configmap.yaml
+++ b/flux2/apps/monitoring/eventrouter-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stackspin-eventrouter-values
+  namespace: stackspin
 data:
  values.yaml: |
    sink: stdout

--- a/flux2/apps/monitoring/kube-prometheus-stack-oauth-client.yaml
+++ b/flux2/apps/monitoring/kube-prometheus-stack-oauth-client.yaml
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: kube-prometheus-stack-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-kube-prometheus-stack-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://grafana.${domain}/login/generic_oauth
+  # hydraAdmin: {}
+  tokenEndpointAuthMethod: client_secret_post
--- a/flux2/apps/monitoring/kube-prometheus-stack-values-configmap.yaml
+++ b/flux2/apps/monitoring/kube-prometheus-stack-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stackspin-kube-prometheus-stack-values
+  namespace: stackspin
 data:
  values.yaml: |
    # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml

--- a/flux2/apps/monitoring/kustomization.yaml
+++ b/flux2/apps/monitoring/kustomization.yaml
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin
 resources:
  - eventrouter-release.yaml
  - eventrouter-values-configmap.yaml
+  - kube-prometheus-stack-oauth-client.yaml
  - kube-prometheus-stack-release.yaml
  - kube-prometheus-stack-values-configmap.yaml
  - loki-configmap.yaml

--- a/flux2/apps/monitoring/loki-values-configmap.yaml
+++ b/flux2/apps/monitoring/loki-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stackspin-loki-values
+  namespace: stackspin
 data:
  values.yaml: |
    # https://github.com/grafana/helm-charts/blob/main/charts/loki/values.yaml

--- a/flux2/apps/monitoring/promtail-values-configmap.yaml
+++ b/flux2/apps/monitoring/promtail-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: stackspin-promtail-values
+  namespace: stackspin
 data:
  values.yaml: |
    initContainer:

--- a/flux2/apps/monitoring/pvc.yaml
+++ b/flux2/apps/monitoring/pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: grafana
+  namespace: stackspin
 spec:
  accessModes:
    - ReadWriteOnce

--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -109,20 +109,6 @@ data:
        - "authorization_code"
        - "refresh_token"
        - "client_credentials"
-    - clientName: grafana
-      clientSecret: "${grafana_oauth_client_secret}"
-      redirectUri: "https://grafana.${domain}/login/generic_oauth"
-      scopes: "openid profile email stackspin_roles"
-      clientUri: "https://grafana.${domain}"
-      clientLogoUri: "https://grafana.${domain}/public/img/grafana_icon.svg"
-      tokenEndpointAuthMethod: "client_secret_post"
-      responseTypes:
-        - "code"
-        - "id_token"
-      grantTypes:
-        - "authorization_code"
-        - "refresh_token"
-        - "client_credentials"
    # https://github.com/wekan/wekan/wiki/Keycloak
    - clientName: wekan
      clientSecret: "${wekan_oauth_client_secret}"

--- a/install/generate_secrets.py
+++ b/install/generate_secrets.py
@@ -25,6 +25,14 @@ from kubernetes import client, config
 from kubernetes.client.exceptions import ApiException
 from kubernetes.utils import create_from_yaml

+# This script gets called with an app name as argument. Most of them need an
+# oauth client in Hydra, but some don't. This list contains the ones that
+# don't.
+APPS_WITHOUT_OAUTH = [
+    "single-sign-on",
+    "prometheus",
+    "alertmanager",
+]

 def main():
    """Run everything"""
@@ -37,9 +45,11 @@ def main():
        sys.exit(1)
    app_name = sys.argv[1]

-    # Create app variables secret and oauth variables secret
-    for secret in [app_name, f"{app_name}-oauth"]:
-        create_variables_secret(f"stackspin-{secret}-variables.yaml.jinja", env)
+    # Create app variables secret
+    create_variables_secret(app_name, f"stackspin-{app_name}-variables.yaml.jinja", env)
+    # Create a secret that contains the oauth variables for Hydra Maester
+    if app_name not in APPS_WITHOUT_OAUTH:
+        create_variables_secret(app_name, "stackspin-oauth-variables.yaml.jinja", env)
    create_basic_auth_secret(app_name, env)


@@ -49,7 +59,7 @@ def get_templates_dir():
    return os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates')


-def create_variables_secret(variables_filename, env):
+def create_variables_secret(app_name, variables_filename, env):
    """Checks if a variables secret for app_name already exists, generates it if necessary"""
    variables_filepath = \
        os.path.join(get_templates_dir(), variables_filename)
@@ -58,7 +68,11 @@ def create_variables_secret(variables_filename, env):
        with open(variables_filepath) as template_file:
            lines = template_file.read()
            secret_name, secret_namespace = get_secret_metadata(lines)
-            new_secret_dict = yaml.safe_load(env.from_string(lines).render())
+            new_secret_dict = yaml.safe_load(
+                env.from_string(
+                    lines,
+                    globals={"app": app_name}
+                ).render())
            current_secret_data = get_kubernetes_secret_data(secret_name,
                    secret_namespace)
            if current_secret_data is None:

--- a/install/install-stackspin.sh
+++ b/install/install-stackspin.sh
@@ -37,10 +37,9 @@ echo "Tracking branch $branch for https://open.greenhost.net/stackspin/stackspin
 kubectl get namespace stackspin 2>/dev/null || kubectl create namespace stackspin
 kubectl get namespace stackspin-apps 2>/dev/null || kubectl create namespace stackspin-apps

-# Generate oauth and SSO secrets
+# Generate dashboard and SSO secrets
 python "$(dirname "$0")/generate_secrets.py" dashboard
 python "$(dirname "$0")/generate_secrets.py" single-sign-on
-python "$(dirname "$0")/generate_secrets.py" oauth

 # Generate secrets for monitoring
 python "$(dirname "$0")/generate_secrets.py" kube-prometheus-stack

--- a/install/templates/stackspin-oauth-variables.yaml.jinja
+++ b/install/templates/stackspin-oauth-variables.yaml.jinja
@@ -2,12 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: stackspin-oauth-variables
+  name: stackspin-{{ app }}-oauth-variables
 data:
-  grafana_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
-  nextcloud_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
-  userpanel_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
-  wekan_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
-  wordpress_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
-  zulip_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
-  dashboard_oauth_client_secret: "{{ 32 | generate_password | b64encode }}"
+  client_id: "{{ app | b64encode }}"
+  client_secret: "{{ 32 | generate_password | b64encode }}"
--- a/install/templates/stackspin-wordpress-oauth-variables.yaml.jinja
+++ b/install/templates/stackspin-wordpress-oauth-variables.yaml.jinja
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: stackspin-wordpress-oauth-variables
-data:
-  client_id: "{{ 'wordpress' | b64encode }}"
-  client_secret: "{{ 32 | generate_password | b64encode }}"