fix(dex): remove hard coded values

platform/dex/templates/secret.yaml

@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: dex-secrets
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    name: dex-secrets
+  data:
+    # Connectors
+    - secretKey: GITEA_CLIENT_ID
+      remoteRef:
+        key: /gitea/dex
+        property: client_id
+    - secretKey: GITEA_CLIENT_SECRET
+      remoteRef:
+        key: /gitea/dex
+        property: client_secret
+    # Clients
+    - secretKey: GRAFANA_SSO_CLIENT_SECRET
+      remoteRef:
+        key: /dex/grafana
+        property: client_secret

platform/dex/values.yaml

@@ -7,7 +7,6 @@ dex:
         inCluster: true
     oauth2:
       skipApprovalScreen: true
-      # alwaysShowLoginScreen: true
     connectors:
       - type: gitea
         id: gitea
@@ -23,21 +22,9 @@ dex:
         redirectURIs:
           - 'https://grafana.khuedoan.com/login/generic_oauth'
         secretEnv: GRAFANA_SSO_CLIENT_SECRET
-    # enablePasswordDB: true
-    # staticPasswords:
-    #   - email: "admin@localhost"
-    #     userID: 28e21718-2f8d-18ba-92a2-5f73d3ad2b4c
-    #     username: admin
-    #     hash: $2y$10$ft3vlZMQraUhRNFM4RvfeeYdErEBBrGirjN/nR4SujAJE3rHmdb7a
-  # TODO remove test values
-  # envFrom:
-  envVars:
-    - name: GITEA_CLIENT_ID
-      value: 38e22718-4f7d-48ab-92a2-6f73d3ad2b4c
-    - name: GITEA_CLIENT_SECRET
-      value: klZ0sU1EXA5il68lwCOW9kAjCoFFMVINdSuvG951B3Pr
-    - name: GRAFANA_SSO_CLIENT_SECRET
-      value: klZ0sU1EXA5il68lwCOW9kAjCoFFMVINdSuvG951B3Pr
+  envFrom:
+    - secretRef:
+        name: dex-secrets
   ingress:
     enabled: true
     className: nginx

platform/vault/files/generate-secrets/config.yaml

@@ -1,21 +1,32 @@
+# Gitea
 - path: gitea/admin
   data:
     - key: password
       length: 32
       special: true
-- path: gitea/renovate
+# TODO create tokens and put to Vault automatically
+# - gitea/renovate:
+#   - id
+#   - token
+# - gitea/dex:
+#   - client_id
+#   - client_secret
+
+# Dex
+- path: dex/grafana
   data:
-    - key: id
-      length: 20
-      special: false
-    - key: token
-      length: 40
+    - key: client_secret
+      length: 32
       special: false
+
+# Trow
 - path: trow/admin
   data:
     - key: password
       length: 32
       special: true
+
+# Matrix
 - path: matrix/bot/alert
   data:
     - key: password

system/monitoring-system/templates/secret.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-secrets
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    name: grafana-secrets
+  data:
+    - secretKey: GRAFANA_SSO_CLIENT_SECRET
+      remoteRef:
+        key: /dex/grafana
+        property: client_secret

system/monitoring-system/values.yaml

@@ -18,18 +18,16 @@ kube-prometheus-stack:
       - name: Loki
         type: loki
         url: http://loki.loki:3100
+    envFromSecret: grafana-secrets
     grafana.ini:
       server:
         root_url: https://grafana.khuedoan.com
-      # TODO disable basic auth
-      # auth.basic:
-      #   disable_login_form: true
       auth.generic_oauth:
         enabled: true
         allow_sign_up: true
         name: Dex
         client_id: grafana-sso
-        client_secret: klZ0sU1EXA5il68lwCOW9kAjCoFFMVINdSuvG951B3Pr
+        client_secret: $__env{GRAFANA_SSO_CLIENT_SECRET}
         scopes: openid profile email groups
         auth_url: https://dex.khuedoan.com/auth
         token_url: https://dex.khuedoan.com/token