From 24e3dbfa7f3dbf97cc641d09651c04b1f25beefa Mon Sep 17 00:00:00 2001
From: Finn
Date: Mon, 12 Aug 2024 15:35:11 -0700
Subject: [PATCH] Add central forward auth

---
 k8s/monitoring/ingresses.yaml | 47 ++++-------
 k8s/monitoring/kustomization.yaml | 1 -
 k8s/monitoring/oauth2-proxy.yaml | 87 --------------------
 k8s/system/kustomization.yaml | 11 +++
 k8s/system/traefik-dashboard.yaml | 5 +-
 k8s/system/traefik/external-services.yaml | 1 +
 roles/k8s-node/templates/traefik-config.yaml | 3 +
 7 files changed, 34 insertions(+), 121 deletions(-)
 delete mode 100644 k8s/monitoring/oauth2-proxy.yaml

diff --git a/k8s/monitoring/ingresses.yaml b/k8s/monitoring/ingresses.yaml
index 90d8b0d..29f1dd6 100644
--- a/k8s/monitoring/ingresses.yaml
+++ b/k8s/monitoring/ingresses.yaml
@@ -17,29 +17,10 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
-metadata:
-  name: prometheus-internal
-  annotations:
-    janky.solutions/auth-glue: prometheus
-spec:
-  rules:
-  - host: prometheus.monitoring.k8s
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: prometheus-k8s
-            port:
-              number: 9090
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
 metadata:
   name: prometheus
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: monitoring-oauth2-proxy-prometheus-errors@kubernetescrd, monitoring-oauth2-proxy-prometheus@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
 spec:
   rules:
   - host: prometheus.k8s.home.finn.io
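Review bot: The new `kube-system-traefik-forward-auth@kubernetescrd` annotation on the `prometheus` Ingress (and on the alertmanager Ingress in the next hunk) references a Middleware in another namespace, which Traefik only honours once the `allowCrossNamespace: true` added to roles/k8s-node/templates/traefik-config.yaml in this same commit is live; the kustomize apply and the Ansible role are separate rollouts, so until then Traefik should refuse to build the router and Prometheus becomes unreachable rather than unauthenticated. That ordering is worth a sentence in the commit message. Deleting the `prometheus-internal` Ingress also drops the `janky.solutions/auth-glue: prometheus` annotation; whatever consumed that annotation is not visible here, so confirm nothing still depends on it. The prometheus Ingress definition continues outside the hunk.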
@@ -50,22 +31,24 @@ spec:
         backend:
           service:
             name: prometheus-k8s
-            port: 
+            port:
               number: 9090
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: oauth2-proxy-prometheus
+  name: alertmanager
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
 spec:
   rules:
-  - host: prometheus.k8s.home.finn.io
-    http:
-      paths:
-      - pathType: Prefix
-        path: /oauth2
-        backend:
-          service:
-            name: oauth2-proxy-prometheus
-            port:
-              number: 4180
+  - host: alertmanager.k8s.home.finn.io
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: alertmanager-main
+            port:
+              number: 9093
diff --git a/k8s/monitoring/kustomization.yaml b/k8s/monitoring/kustomization.yaml
index 97e0be3..18cf9f8 100644
--- a/k8s/monitoring/kustomization.yaml
+++ b/k8s/monitoring/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
 - promtail.yaml
 - ingresses.yaml
 - secrets.yaml
-- oauth2-proxy.yaml
 - grafana-database.yaml
 secretGenerator:
 - name: additional-scrape-configs
diff --git a/k8s/monitoring/oauth2-proxy.yaml b/k8s/monitoring/oauth2-proxy.yaml
deleted file mode 100644
index ff29b89..0000000
--- a/k8s/monitoring/oauth2-proxy.yaml
+++ /dev/null
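Review bot: `path: "/"` in the new alertmanager Ingress is quoted while the prometheus Ingress removed earlier in this file wrote it as `path: /`; both parse to the same string, so keep one form for the file, `path: /`, to match the existing style. The `port:` trailing-whitespace fix on the prometheus Ingress a few lines above is an unrelated cleanup bundled into this hunk and could be mentioned in the commit message. The alertmanager Ingress carries the same forward-auth middleware as prometheus, which is the right default for a service whose API accepts writes (silences), so no change is needed there.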
@@ -1,87 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: oauth2-proxy-prometheus
-  labels:
-    app: oauth2-proxy
-    instance: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: oauth2-proxy
-      instance: prometheus
-  template:
-    metadata:
-      labels:
-        app: oauth2-proxy
-        instance: prometheus
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "44180"
-    spec:
-      containers:
-      - name: oauth2-proxy
-        image: quay.io/oauth2-proxy/oauth2-proxy:latest
-        args:
-        - --http-address=0.0.0.0:4180
-        - --metrics-address=0.0.0.0:44180
-        - --real-client-ip-header=x-forwarded-for
-        envFrom:
-        - configMapRef:
-            name: oauth2-proxy
-        - secretRef:
-            name: oauth2-proxy-prometheus
-        env:
-        - name: OAUTH2_PROXY_CLIENT_ID
-          value: prometheus
-        resources:
-          limits:
-            memory: "128Mi"
-            cpu: "500m"
-        ports:
-        - containerPort: 4180
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: oauth2-proxy-prometheus
-spec:
-  selector:
-    app: oauth2-proxy
-    instance: prometheus
-  ports:
-  - name: http
-    port: 4180
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: oauth2-proxy
-data:
-  OAUTH2_PROXY_PROVIDER: keycloak-oidc
-  OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.janky.solutions/realms/janky.solutions
-  OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Janky Solutions
-  OAUTH2_PROXY_EMAIL_DOMAINS: "*"
-  OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: oauth2-proxy-prometheus
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy-prometheus.monitoring.svc.cluster.local:4180/oauth2/auth
-    trustForwardHeader: true
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: oauth2-proxy-prometheus-errors
-spec:
-  errors:
-    status:
-    - "401-403"
-    service:
-      name: oauth2-proxy-prometheus
-      port: 4180
-    query: "/oauth2/sign_in?rd={url}"
diff --git a/k8s/system/kustomization.yaml b/k8s/system/kustomization.yaml
index 6291fd6..4e3666b 100644
--- a/k8s/system/kustomization.yaml
+++ b/k8s/system/kustomization.yaml
@@ -3,6 +3,8 @@ kind: Kustomization
 resources:
 - traefik-default-cert.yaml
 - traefik-dashboard.yaml
+- traefik-forward-auth.yaml
+- secrets.yaml
 configMapGenerator:
 - name: traefik-additional-configs
   namespace: kube-system
@@ -10,3 +12,12 @@ configMapGenerator:
   disableNameSuffixHash: true
   files:
   - traefik/external-services.yaml
+- name: traefik-forward-auth
+  namespace: kube-system
+  literals:
+  - DEFAULT_PROVIDER=oidc
+  - PROVIDERS_OIDC_ISSUER_URL=https://auth.janky.solutions/realms/janky.solutions
+  - PROVIDERS_OIDC_CLIENT_ID=authproxy.k8s.home.finn.io
+  - COOKIE_DOMAIN=k8s.home.finn.io
+  - AUTH_HOST=authproxy.k8s.home.finn.io
+  - LOG_LEVEL=info
diff --git a/k8s/system/traefik-dashboard.yaml b/k8s/system/traefik-dashboard.yaml
index 5324f66..218e8dd 100644
--- a/k8s/system/traefik-dashboard.yaml
+++ b/k8s/system/traefik-dashboard.yaml
@@ -5,8 +5,11 @@ metadata:
   namespace: kube-system
 spec:
   routes:
-  - match: Host(`traefik.kube-system.k8s`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+  - match: Host(`traefik.k8s.home.finn.io`) # && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
     kind: Rule
     services:
     - name: api@internal
       kind: TraefikService
+    middlewares:
+    - name: traefik-forward-auth
+      # namespace: kube-system
diff --git a/k8s/system/traefik/external-services.yaml b/k8s/system/traefik/external-services.yaml
index 3a3024c..98c608b 100644
--- a/k8s/system/traefik/external-services.yaml
+++ b/k8s/system/traefik/external-services.yaml
@@ -5,6 +5,7 @@
   (list "jellyfin" "jellyfin.janky.solutions" "http://jellyfin:8096")
   (list "dns" "dns.janky.solutions" "http://dns:9191")
   (list "dns443" "dns.janky.solutions:443" "http://dns:9191")
+  (list "legacy-monitoring" "monitoring.home.finn.io" "http://monitoring-0:3000")
 }}
 http:
   routers:
diff --git a/roles/k8s-node/templates/traefik-config.yaml b/roles/k8s-node/templates/traefik-config.yaml
index fd2498f..5295257 100644
--- a/roles/k8s-node/templates/traefik-config.yaml
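Review bot: `traefik-forward-auth.yaml` and `secrets.yaml` are added to `resources:` but neither file is part of this patch (the diffstat lists seven files and includes neither), so `kustomize build k8s/system` fails until they land; if they arrive in a separate commit, say so in the message so the two are applied together. If `secrets.yaml` holds the OIDC client secret and the forward-auth cookie-signing secret as plaintext Secret manifests, it belongs in an encrypted or generated form rather than a committed file, which is what the existing `secretGenerator` pattern in k8s/monitoring/kustomization.yaml already suggests.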
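Review bot: The `traefik-forward-auth` generator configures the provider but nothing in these literals restricts which authenticated identities are accepted, so any account that `https://auth.janky.solutions/realms/janky.solutions` will sign in gets every route carrying the middleware, unless the realm or client limits that on the IdP side. If that is intended (the removed oauth2-proxy ConfigMap was equally open with `OAUTH2_PROXY_EMAIL_DOMAINS: "*"`), a comment above the literals saying so would help; otherwise the tool's allow-list setting should be added here. Unlike `traefik-additional-configs`, this generator does not set `disableNameSuffixHash: true`, so the ConfigMap name gets a hash suffix; that only works if the Deployment that consumes it lives in this same kustomization so the reference is rewritten. `COOKIE_DOMAIN=k8s.home.finn.io` also means the session cookie is sent on every request to every host under that domain, so each backend reachable there sees it unless something strips the header; worth a comment stating that trade-off is accepted.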
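Review bot: The new `match` line keeps the old path restriction as a trailing YAML comment (`# && (PathPrefix(...) ...)`) and the middleware entry keeps `# namespace: kube-system`; commented-out configuration reads as an unfinished decision, so either restore `&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))` on the match or delete the comment, and drop `# namespace` since the IngressRoute is already in kube-system and same-namespace lookup is the default. With the path restriction gone, `traefik.k8s.home.finn.io` now hands every path to `api@internal`, which exposes the full router and service configuration, so this route is exactly as protected as the `traefik-forward-auth` middleware; as far as I know Traefik refuses to build a router whose Middleware cannot be resolved, so a typo here fails closed, but that is worth verifying once the Middleware manifest lands.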
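Review bot: The new `legacy-monitoring` entry routes `monitoring.home.finn.io` to `http://monitoring-0:3000`, but nothing in this hunk attaches the forward-auth middleware the rest of the commit introduces, and the host sits outside `COOKIE_DOMAIN=k8s.home.finn.io`, so the new session cookie would not apply there anyway. The router template that consumes this list sits below the `}}` and outside the hunk, so confirm whether it adds middlewares or whether the legacy service relies on its own login. A one-line comment above the entry naming what authenticates this backend, e.g. `{{/* legacy-monitoring: auth handled by the backend itself, not by forward-auth */}}`, would save the next reader the same question.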
+++ b/roles/k8s-node/templates/traefik-config.yaml
@@ -30,3 +30,6 @@ spec:
       - name: traefik-additional-configs
         mountPath: /file-configs
         type: configMap
+  providers:
+    kubernetesCRD:
+      allowCrossNamespace: true
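Review bot: `allowCrossNamespace: true` is a cluster-wide setting that lets an Ingress or IngressRoute in any namespace reference Middlewares, TraefikServices and Services in other namespaces, so every identity that can create Ingress objects anywhere in the cluster can now route through kube-system resources; Traefik defaults it to false for that reason. If the only need is the shared forward-auth middleware, declaring it in the file provider that this same block already mounts at `/file-configs` (`traefik-additional-configs`) and referencing it as `traefik-forward-auth@file` from the monitoring Ingress annotations should work without relaxing the namespace boundary; the kube-system IngressRoute can keep using the kubernetescrd Middleware since it is in the same namespace. If the flag stays, a comment above `providers:` naming the consumers it exists for, e.g. `# needed so monitoring Ingresses can reference kube-system/traefik-forward-auth`, would document the trade-off. The values block that `providers:` joins starts outside the hunk.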