protect alertmanager with oauth2 - closes #157

Signed-off-by: Marcin Fabrykowski <git@fabrykowski.pl>
Showing with 110 additions and 0 deletions
+110 -0
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: oauth2-alertmanager
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
- kopf.zalando.org/KopfFinalizerMarker
spec:
project: exphost
source:
repoURL: 'https://charts.bitnami.com/bitnami'
chart: oauth2-proxy
targetRevision: 1.2.0
helm:
values: |
ingress:
enabled: true
hostname: "alertmanager.{{ .Values.domain}}"
path: /oauth2
pathType: Prefix
tls: true
annotations:
cert-manager.io/cluster-issuer: acme-issuer
configuration:
existingSecret: oauth2-alertmanager-oauth2-proxy
content: |
provider = "oidc"
oidc_issuer_url = "https://auth.{{ .Values.domain }}/dex"
allowed_groups = ["k8s-admins"]
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
redis:
auth:
existingSecret: oauth2-alertmanager-redis
destination:
server: 'https://kubernetes.default.svc'
namespace: prometheus-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: exphost.pl/v1
kind: Password
metadata:
name: oauth2-cookie
namespace: prometheus-system
spec:
name: oauth2-cookie
types:
- base64
---
apiVersion: exphost.pl/v1
kind: Password
metadata:
name: oauth2-redis
namespace: prometheus-system
spec:
name: oauth2-redis
---
apiVersion: exphost.pl/v1
kind: Template
metadata:
name: alertmanager-oauth2-secrets
namespace: prometheus-system
annotations:
argocd.argoproj.io/sync-wave: "2"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
templates:
cookie-secret: '{{ "{{" }} cookie {{ "}}" }}'
client-id: alertmanager-oauth2
client-secret: COhRsMzr1t0RK2juK4yp4gJwA6wNtfAR2eTiqqoR7qk=
destination_name: oauth2-alertmanager-oauth2-proxy
destination_type: Secret
values:
- name: cookie
source_name: password-oauth2-cookie-from-prometheus-system
source_type: Secret
source_key: password
---
apiVersion: exphost.pl/v1
kind: Template
metadata:
name: alertmanager-oauth2-redis-password
namespace: prometheus-system
annotations:
argocd.argoproj.io/sync-wave: "2"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
templates:
redis-password: '{{ "{{" }} password {{ "}}" }}'
destination_name: oauth2-alertmanager-redis
destination_type: Secret
values:
- name: password
source_name: password-oauth2-redis-from-prometheus-system
source_type: Secret
source_key: password
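Review bot: The OAuth2 client secret at `client-secret: COhRsMzr1t0RK2juK4yp4gJwA6wNtfAR2eTiqqoR7qk=` is committed in plaintext and repeated verbatim in the dex staticClients hunk below (`secret: COhRsMzr1t0RK2juK4yp4gJwA6wNtfAR2eTiqqoR7qk=`), so anyone with read access to the repository holds a working credential for this client, and a value that has been committed should be treated as disclosed and rotated. The commit already uses a pattern that avoids this: the cookie and redis secrets are generated by `Password` resources and injected through `Template.spec.values`, so the client secret could be a third `Password` consumed by this Template and, if the dex deployment can read it from a Secret, by the dex configuration as well, leaving no literal in git. Separately, `oauth2-cookie` declares only `types: [base64]` with no length, while oauth2-proxy only accepts a cookie secret of 16, 24 or 32 bytes; confirm the Password controller's default length satisfies that or set it explicitly. Minor: `hostname: "alertmanager.{{ .Values.domain}}"` drops the space before `}}` that every other template expression in the file has, harmless to Go templates but worth keeping consistent.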
......@@ -53,6 +53,8 @@ spec:
tls: true
annotations:
cert-manager.io/cluster-issuer: acme-issuer
nginx.ingress.kubernetes.io/auth-url: "https://alertmanager.{{ .Values.domain }}/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://alertmanager.{{ .Values.domain }}/oauth2/start?rd=$escaped_request_uri"
configNamespaceSelector: {}
configSelector:
matchLabels:
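Review bot: The two added `nginx.ingress.kubernetes.io/auth-*` annotations only take effect when this Ingress is served by ingress-nginx, and the hunk shows neither `ingressClassName` nor a class annotation, so whether Alertmanager is actually gated depends on the `ingress` stanza that starts before line 53; confirm the class there, because any other controller ignores these annotations and the UI stays unauthenticated. Both URLs point at the public hostname, so every auth subrequest leaves the cluster and re-enters through the ingress; pointing `auth-url` at the proxy's in-cluster Service (for example `http://<oauth2-proxy-service>.prometheus-system.svc.cluster.local/oauth2/auth`, with the service name taken from the chart) keeps the check local and independent of external DNS and certificate state, while `auth-signin` must stay the public URL because the browser follows it.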
......@@ -64,6 +64,11 @@ config:
- 'https://longhorn.{{ .Values.domain }}/oauth2/callback'
name: 'Longhorn oauth2'
secret: c4Pw7HREAvBewTFZ9qiTNpNDHEQGv8KL
- id: alertmanager-oauth2
redirectURIs:
- 'https://alertmanager.{{ .Values.domain }}/oauth2/callback'
name: 'alertmanager oauth2'
secret: COhRsMzr1t0RK2juK4yp4gJwA6wNtfAR2eTiqqoR7qk=
alertmanager:
globalMail: ~
# to: mail@example.com