Add central forward auth

k8s/monitoring/ingresses.yaml

@@ -17,29 +17,10 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
-metadata:
-  name: prometheus-internal
-  annotations:
-    janky.solutions/auth-glue: prometheus
-spec:
-  rules:
-    - host: prometheus.monitoring.k8s
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name:  prometheus-k8s
-                port:
-                  number: 9090
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
 metadata:
   name: prometheus
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: monitoring-oauth2-proxy-prometheus-errors@kubernetescrd, monitoring-oauth2-proxy-prometheus@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
 spec:
   rules:
   - host: prometheus.k8s.home.finn.io
@@ -50,22 +31,24 @@ spec:
         backend:
           service:
             name: prometheus-k8s
-            port: 
+            port:
               number: 9090
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: oauth2-proxy-prometheus
+  name: alertmanager
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
 spec:
   rules:
-    - host: prometheus.k8s.home.finn.io
+  - host: alertmanager.k8s.home.finn.io
-      http:
+    http:
-        paths:
+      paths:
-        - pathType: Prefix
+      - pathType: Prefix
-          path: /oauth2
+        path: "/"
-          backend:
+        backend:
-            service:
+          service:
-              name: oauth2-proxy-prometheus
+            name: alertmanager-main
-              port:
+            port:
-                number: 4180
+              number: 9093

k8s/monitoring/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
   - promtail.yaml
   - ingresses.yaml
   - secrets.yaml
-  - oauth2-proxy.yaml
   - grafana-database.yaml
 secretGenerator:
   - name: additional-scrape-configs

k8s/monitoring/oauth2-proxy.yaml

@@ -1,87 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: oauth2-proxy-prometheus
-  labels:
-    app: oauth2-proxy
-    instance: prometheus
-spec:
-  selector:
-    matchLabels:
-      app: oauth2-proxy
-      instance: prometheus
-  template:
-    metadata:
-      labels:
-        app: oauth2-proxy
-        instance: prometheus
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "44180"
-    spec:
-      containers:
-      - name: oauth2-proxy
-        image: quay.io/oauth2-proxy/oauth2-proxy:latest
-        args:
-          - --http-address=0.0.0.0:4180
-          - --metrics-address=0.0.0.0:44180
-          - --real-client-ip-header=x-forwarded-for
-        envFrom:
-          - configMapRef:
-              name: oauth2-proxy
-          - secretRef:
-              name: oauth2-proxy-prometheus
-        env:
-          - name: OAUTH2_PROXY_CLIENT_ID
-            value: prometheus
-        resources:
-          limits:
-            memory: "128Mi"
-            cpu: "500m"
-        ports:
-        - containerPort: 4180
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: oauth2-proxy-prometheus
-spec:
-  selector:
-    app: oauth2-proxy
-    instance: prometheus
-  ports:
-  - name: http
-    port: 4180
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: oauth2-proxy
-data:
-  OAUTH2_PROXY_PROVIDER: keycloak-oidc
-  OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.janky.solutions/realms/janky.solutions
-  OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Janky Solutions
-  OAUTH2_PROXY_EMAIL_DOMAINS: "*"
-  OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: oauth2-proxy-prometheus
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy-prometheus.monitoring.svc.cluster.local:4180/oauth2/auth
-    trustForwardHeader: true
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: oauth2-proxy-prometheus-errors
-spec:
-  errors:
-    status:
-      - "401-403"
-    service: 
-      name: oauth2-proxy-prometheus
-      port: 4180
-    query: "/oauth2/sign_in?rd={url}"

k8s/system/kustomization.yaml

@@ -3,6 +3,8 @@ kind: Kustomization
 resources:
   - traefik-default-cert.yaml
   - traefik-dashboard.yaml
+  - traefik-forward-auth.yaml
+  - secrets.yaml
 configMapGenerator:
   - name: traefik-additional-configs
     namespace: kube-system
@@ -10,3 +12,12 @@ configMapGenerator:
       disableNameSuffixHash: true
     files:
       - traefik/external-services.yaml
+  - name: traefik-forward-auth
+    namespace: kube-system
+    literals:
+      - DEFAULT_PROVIDER=oidc
+      - PROVIDERS_OIDC_ISSUER_URL=https://auth.janky.solutions/realms/janky.solutions
+      - PROVIDERS_OIDC_CLIENT_ID=authproxy.k8s.home.finn.io
+      - COOKIE_DOMAIN=k8s.home.finn.io
+      - AUTH_HOST=authproxy.k8s.home.finn.io
+      - LOG_LEVEL=info

k8s/system/traefik-dashboard.yaml

@@ -5,8 +5,11 @@ metadata:
   namespace: kube-system
 spec:
   routes:
-  - match: Host(`traefik.kube-system.k8s`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+  - match: Host(`traefik.k8s.home.finn.io`) # && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
     kind: Rule
     services:
     - name: api@internal
       kind: TraefikService
+    middlewares:
+      - name: traefik-forward-auth
+        # namespace: kube-system

k8s/system/traefik/external-services.yaml

@@ -5,6 +5,7 @@
     (list "jellyfin" "jellyfin.janky.solutions" "http://jellyfin:8096")
     (list "dns" "dns.janky.solutions" "http://dns:9191")
     (list "dns443" "dns.janky.solutions:443" "http://dns:9191")
+    (list "legacy-monitoring" "monitoring.home.finn.io" "http://monitoring-0:3000")
 }}
 http:
   routers:

roles/k8s-node/templates/traefik-config.yaml

@@ -30,3 +30,6 @@ spec:
       - name: traefik-additional-configs
         mountPath: /file-configs
         type: configMap
+    providers:
+      kubernetesCRD:
+        allowCrossNamespace: true