protect alertmanager with oauth2 - closes #157

Signed-off-by: Marcin Fabrykowski <git@fabrykowski.pl>

chart/templates/prometheus/alertmanager_oauth2.yml

+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: oauth2-alertmanager
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+    - kopf.zalando.org/KopfFinalizerMarker
+spec:
+  project: exphost
+  source:
+    repoURL: 'https://charts.bitnami.com/bitnami'
+    chart: oauth2-proxy
+    targetRevision: 1.2.0
+    helm:
+      values: |
+        ingress:
+          enabled: true
+          hostname: "alertmanager.{{ .Values.domain}}"
+          path: /oauth2
+          pathType: Prefix
+          tls: true
+          annotations:
+            cert-manager.io/cluster-issuer: acme-issuer
+        configuration:
+          existingSecret: oauth2-alertmanager-oauth2-proxy
+          content: |
+            provider = "oidc"
+            oidc_issuer_url = "https://auth.{{ .Values.domain }}/dex"
+            allowed_groups = ["k8s-admins"]
+            email_domains = [ "*" ]
+            upstreams = [ "file:///dev/null" ]
+        redis:
+          auth:
+            existingSecret: oauth2-alertmanager-redis
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: prometheus-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

chart/templates/prometheus/oauth2_keys.yml

+---
+apiVersion: exphost.pl/v1
+kind: Password
+metadata:
+  name: oauth2-cookie
+  namespace: prometheus-system
+spec:
+  name: oauth2-cookie
+  types:
+  - base64
+---
+apiVersion: exphost.pl/v1
+kind: Password
+metadata:
+  name: oauth2-redis
+  namespace: prometheus-system
+spec:
+  name: oauth2-redis

chart/templates/prometheus/oauth2_secrets_template.yml

+---
+apiVersion: exphost.pl/v1
+kind: Template
+metadata:
+  name: alertmanager-oauth2-secrets
+  namespace: prometheus-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  templates:
+    cookie-secret: '{{ "{{" }} cookie {{ "}}" }}'
+    client-id: alertmanager-oauth2
+    client-secret: COhRsMzr1t0RK2juK4yp4gJwA6wNtfAR2eTiqqoR7qk=
+  destination_name: oauth2-alertmanager-oauth2-proxy
+  destination_type: Secret
+  values:
+    - name: cookie
+      source_name: password-oauth2-cookie-from-prometheus-system
+      source_type: Secret
+      source_key: password
+---
+apiVersion: exphost.pl/v1
+kind: Template
+metadata:
+  name: alertmanager-oauth2-redis-password
+  namespace: prometheus-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  templates:
+    redis-password: '{{ "{{" }} password {{ "}}" }}'
+  destination_name: oauth2-alertmanager-redis
+  destination_type: Secret
+  values:
+    - name: password
+      source_name: password-oauth2-redis-from-prometheus-system
+      source_type: Secret
+      source_key: password

chart/templates/prometheus.yml → chart/templates/prometheus/prometheus.yml

@@ -53,6 +53,8 @@ spec:
             tls: true
             annotations:
               cert-manager.io/cluster-issuer: acme-issuer
+              nginx.ingress.kubernetes.io/auth-url: "https://alertmanager.{{ .Values.domain }}/oauth2/auth"
+              nginx.ingress.kubernetes.io/auth-signin: "https://alertmanager.{{ .Values.domain }}/oauth2/start?rd=$escaped_request_uri"
           configNamespaceSelector: {}
           configSelector:
             matchLabels:

chart/values.yaml

@@ -64,6 +64,11 @@ config:
         - 'https://longhorn.{{ .Values.domain }}/oauth2/callback'
         name: 'Longhorn oauth2'
         secret: c4Pw7HREAvBewTFZ9qiTNpNDHEQGv8KL
+      - id: alertmanager-oauth2
+        redirectURIs:
+        - 'https://alertmanager.{{ .Values.domain }}/oauth2/callback'
+        name: 'alertmanager oauth2'
+        secret: COhRsMzr1t0RK2juK4yp4gJwA6wNtfAR2eTiqqoR7qk=
   alertmanager:
     globalMail: ~
 #      to: mail@example.com