Switch to OpenID auth

REBELinBLUE · Dec 3, 2019 · 76e0b34 · 76e0b34
1 parent 5ee6143
commit 76e0b34
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 17 deletions.
diff --git a/deployments/infra/traefik/ingress.yaml b/deployments/infra/traefik/ingress.yaml
@@ -7,8 +7,9 @@ metadata:
   annotations:
     kubernetes.io/tls-acme: "true"
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    ingress.kubernetes.io/auth-type: basic
-    ingress.kubernetes.io/auth-secret: dashboards-auth
+    ingress.kubernetes.io/auth-type: forward
+    ingress.kubernetes.io/auth-url: http://traefik-forward-auth.infra.svc
+    ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
 spec:
   rules:
     - host: traefik.cluster.rebelinblue.com

diff --git a/deployments/logging/promtail/promtail.yaml b/deployments/logging/promtail/promtail.yaml
@@ -486,8 +486,9 @@ metadata:
   annotations:
     kubernetes.io/tls-acme: "true"
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    ingress.kubernetes.io/auth-type: basic
-    ingress.kubernetes.io/auth-secret: dashboards-auth
+    ingress.kubernetes.io/auth-type: forward
+    ingress.kubernetes.io/auth-url: http://traefik-forward-auth.infra.svc
+    ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
 spec:
   rules:
     - host: promtail.cluster.rebelinblue.com

diff --git a/deployments/vault/consul/consul.yaml b/deployments/vault/consul/consul.yaml
@@ -254,8 +254,9 @@ metadata:
   annotations:
     kubernetes.io/tls-acme: "true"
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    ingress.kubernetes.io/auth-type: basic
-    ingress.kubernetes.io/auth-secret: dashboards-auth
+    ingress.kubernetes.io/auth-type: forward
+    ingress.kubernetes.io/auth-url: http://traefik-forward-auth.infra.svc
+    ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
 spec:
   rules:
     - host: consul.cluster.rebelinblue.com

diff --git a/setup/.env.sample b/setup/.env.sample
@@ -1,8 +1,5 @@
 LINODE_TOKEN=""
 
-AUTH_USERNAME=""
-AUTH_PASSWORD=""
-
 VAULT_ROOT_TOKEN=""
 VAULT_ADMIN_USERNAME=""
 VAULT_ADMIN_PASSWORD=""

diff --git a/setup/bin/bootstrap-secrets.sh b/setup/bin/bootstrap-secrets.sh
@@ -5,12 +5,6 @@ source "$REPO_ROOT/setup/.env"
 
 kubectl -n infra create secret generic linode-dynamic-dns --from-literal="token=$LINODE_TOKEN"
 
-AUTHSTRING=$(htpasswd -nb $AUTH_USERNAME $AUTH_PASSWORD)
-kubectl -n logging create secret generic dashboards-auth --from-literal="auth=$AUTHSTRING"
-kubectl -n monitoring create secret generic dashboards-auth --from-literal="auth=$AUTHSTRING"
-kubectl -n apps create secret generic dashboards-auth --from-literal="auth=$AUTHSTRING"
-kubectl -n vault create secret generic dashboards-auth --from-literal="auth=$AUTHSTRING"
-
 kubectl -n vault delete secret vault-unseal-keys || true
 kubectl -n vault create secret generic vault-unseal-keys --from-literal="VAULT_UNSEAL_KEY_1=$VAULT_UNSEAL_KEY_1" \
                                                          --from-literal="VAULT_UNSEAL_KEY_2=$VAULT_UNSEAL_KEY_2" \

diff --git a/unused/deployments/monitoring/chronograf/chronograf.yaml b/unused/deployments/monitoring/chronograf/chronograf.yaml
@@ -113,8 +113,9 @@ metadata:
   annotations:
     kubernetes.io/tls-acme: "true"
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    ingress.kubernetes.io/auth-type: basic
-    ingress.kubernetes.io/auth-secret: dashboards-auth
+    ingress.kubernetes.io/auth-type: forward
+    ingress.kubernetes.io/auth-url: http://traefik-forward-auth.infra.svc
+    ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
 spec:
   rules:
     - host: chronograf.cluster.rebelinblue.com