diff --git a/platform/dex/templates/secret.yaml b/platform/dex/templates/secret.yaml new file mode 100644 index 00000000..411adffb --- /dev/null +++ b/platform/dex/templates/secret.yaml @@ -0,0 +1,26 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: dex-secrets + namespace: {{ .Release.Namespace }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + target: + name: dex-secrets + data: + # Connectors + - secretKey: GITEA_CLIENT_ID + remoteRef: + key: /gitea/dex + property: client_id + - secretKey: GITEA_CLIENT_SECRET + remoteRef: + key: /gitea/dex + property: client_secret + # Clients + - secretKey: GRAFANA_SSO_CLIENT_SECRET + remoteRef: + key: /dex/grafana + property: client_secret diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index f074957c..45783c9b 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -7,7 +7,6 @@ dex: inCluster: true oauth2: skipApprovalScreen: true - # alwaysShowLoginScreen: true connectors: - type: gitea id: gitea @@ -23,21 +22,9 @@ dex: redirectURIs: - 'https://grafana.khuedoan.com/login/generic_oauth' secretEnv: GRAFANA_SSO_CLIENT_SECRET - # enablePasswordDB: true - # staticPasswords: - # - email: "admin@localhost" - # userID: 28e21718-2f8d-18ba-92a2-5f73d3ad2b4c - # username: admin - # hash: $2y$10$ft3vlZMQraUhRNFM4RvfeeYdErEBBrGirjN/nR4SujAJE3rHmdb7a - # TODO remove test values - # envFrom: - envVars: - - name: GITEA_CLIENT_ID - value: 38e22718-4f7d-48ab-92a2-6f73d3ad2b4c - - name: GITEA_CLIENT_SECRET - value: klZ0sU1EXA5il68lwCOW9kAjCoFFMVINdSuvG951B3Pr - - name: GRAFANA_SSO_CLIENT_SECRET - value: klZ0sU1EXA5il68lwCOW9kAjCoFFMVINdSuvG951B3Pr + envFrom: + - secretRef: + name: dex-secrets ingress: enabled: true className: nginx diff --git a/platform/vault/files/generate-secrets/config.yaml b/platform/vault/files/generate-secrets/config.yaml index 0049b8a0..d4f68fe8 100644 --- a/platform/vault/files/generate-secrets/config.yaml 
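Review bot: The `GITEA_CLIENT_ID`/`GITEA_CLIENT_SECRET` entries read `/gitea/dex` from Vault, but the generate-secrets change in this same commit leaves `gitea/dex` as a TODO, so nothing in the repo writes those keys and the `dex-secrets` ExternalSecret will sit in a failed sync until they are created by hand. Since `platform/dex/values.yaml` now consumes the target Secret through a non-optional `secretRef`, Dex will not start until that happens, which is the right fail-closed behaviour but should be stated next to `# Connectors`, e.g. `# /gitea/dex is created manually for now (see generate-secrets TODO); sync fails until it exists`. No `refreshInterval` is set, so ESO's default applies (presumably 1h), and a value injected via `envFrom` only reaches Dex on pod restart, so a rotation of either secret needs the Dex deployment bounced after the next sync. Whether the leading `/` in `key: /gitea/dex` is accepted depends on how the `vault` ClusterSecretStore's mount path is configured; the store is not in this diff, so the rendered path is worth checking once against the synced Secret.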
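Review bot: The values removed here (`GITEA_CLIENT_SECRET` and `GRAFANA_SSO_CLIENT_SECRET`, both the same `klZ0sU1E…` string) were committed in plaintext and remain in git history; the Grafana side is covered because `dex/grafana/client_secret` is freshly generated by the Vault config change, but the Gitea OAuth2 application secret stays valid on the Gitea side until that application is regenerated, and this commit's `gitea/dex` Vault entry is only a TODO. Regenerate the Gitea OAuth2 application and write the new `client_id`/`client_secret` to Vault before applying, rather than copying the historical value across. The switch to `envFrom: - secretRef: name: dex-secrets` is the right shape; because the secretRef is not `optional`, Dex refuses to start until the ExternalSecret has synced, which is the desired fail-closed behaviour and deserves a one-line comment such as `# populated by the dex-secrets ExternalSecret; pod will not start until it syncs`. The enclosing `dex:` mapping continues past this hunk (the `ingress:` stanza follows).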
+++ b/platform/vault/files/generate-secrets/config.yaml @@ -1,21 +1,32 @@ +# Gitea - path: gitea/admin data: - key: password length: 32 special: true -- path: gitea/renovate +# TODO create tokens and put to Vault automatically +# - gitea/renovate: +# - id +# - token +# - gitea/dex: +# - client_id +# - client_secret + +# Dex +- path: dex/grafana data: - - key: id - length: 20 - special: false - - key: token - length: 40 + - key: client_secret + length: 32 special: false + +# Trow - path: trow/admin data: - key: password length: 32 special: true + +# Matrix - path: matrix/bot/alert data: - key: password diff --git a/system/monitoring-system/templates/secret.yaml b/system/monitoring-system/templates/secret.yaml new file mode 100644 index 00000000..f16163c6 --- /dev/null +++ b/system/monitoring-system/templates/secret.yaml @@ -0,0 +1,16 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: grafana-secrets + namespace: {{ .Release.Namespace }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + target: + name: grafana-secrets + data: + - secretKey: GRAFANA_SSO_CLIENT_SECRET + remoteRef: + key: /dex/grafana + property: client_secret diff --git a/system/monitoring-system/values.yaml b/system/monitoring-system/values.yaml index ad82ddca..b0aed36a 100644 --- a/system/monitoring-system/values.yaml +++ b/system/monitoring-system/values.yaml @@ -18,18 +18,16 @@ kube-prometheus-stack: - name: Loki type: loki url: http://loki.loki:3100 + envFromSecret: grafana-secrets grafana.ini: server: root_url: https://grafana.khuedoan.com - # TODO disable basic auth - # auth.basic: - # disable_login_form: true auth.generic_oauth: enabled: true allow_sign_up: true name: Dex client_id: grafana-sso - client_secret: klZ0sU1EXA5il68lwCOW9kAjCoFFMVINdSuvG951B3Pr + client_secret: $__env{GRAFANA_SSO_CLIENT_SECRET} scopes: openid profile email groups auth_url: https://dex.khuedoan.com/auth token_url: https://dex.khuedoan.com/token
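Review bot: Replacing the `gitea/renovate` generator with a TODO comment leaves consumers without a producer: the new `platform/dex` ExternalSecret reads `gitea/dex` (`client_id`, `client_secret`), and unless renovate was retired elsewhere its `id`/`token` are now also expected to be hand-placed. The comment should say how these are created in the meantime, e.g. `# Until automated: create the OAuth2 application in Gitea and write client_id/client_secret to gitea/dex by hand; the dex ExternalSecret needs both before Dex starts.` The new `dex/grafana` `client_secret` at `length: 32`, `special: false` is adequate for an OAuth client secret (roughly 190 bits from an alphanumeric alphabet, assuming the generator draws uniformly), and avoiding special characters also sidesteps INI quoting issues when Grafana expands it via `$__env{…}`.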
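Review bot: This ExternalSecret and the one in `platform/dex/templates/secret.yaml` both read `/dex/grafana` `client_secret`, which keeps the two halves of the OAuth client in step, but each syncs independently on ESO's default `refreshInterval` (not set here) and both Dex and Grafana only read the value at pod start. After a rotation of `dex/grafana` the two sides can disagree for up to one refresh interval plus whichever pod restarts later, so if rotation is planned set an explicit `refreshInterval` on both ExternalSecrets and restart both deployments together (a reloader-style annotation would automate that). A comment above the entry such as `# shared with platform/dex/templates/secret.yaml; keep the remoteRef identical` would make the coupling visible.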
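Review bot: Dropping the `# TODO disable basic auth` reminder does not disable it: with `auth.generic_oauth` enabled and `allow_sign_up: true`, Grafana still serves the username/password login form and basic-auth API path, so the built-in admin account (password set elsewhere, presumably the chart's `adminPassword`) remains a second way in beside Dex. If SSO-only is the intent, add under `grafana.ini` the stanzas `auth:` / `  disable_login_form: true` and `auth.basic:` / `  enabled: false`, keeping a break-glass admin password in Vault rather than the form. With no `role_attribute_path`, every user who signs up through Dex lands in the default org role (Viewer unless changed), which is fine if intended but worth a comment. `client_secret: $__env{GRAFANA_SSO_CLIENT_SECRET}` is the right way to keep the secret out of the rendered ConfigMap; the `auth.generic_oauth` mapping may continue past this hunk.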