replace tls client cert auth with oauth and add localai stub [ci skip]

2023-10-22 14:07:14 +00:00 · 2023-10-22 14:07:14 +00:00 · 4efa47172c
commit 4efa47172c
parent 2554ecf0ec
8 changed files with 171 additions and 22 deletions
--- a/modules/kubernetes/monitoring/grafana_chart_values.yaml
+++ b/modules/kubernetes/monitoring/grafana_chart_values.yaml
@ -1,5 +1,5 @@
 deploymentStrategy:
-    type: Recreate
+  type: Recreate
 persistence:
  # storageClassName: rook-cephfs
  enabled: true
@ -8,9 +8,11 @@ ingress:
  enabled: "true"
  annotations:
    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
-    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+    # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
  tls:
    - secretName: "tls-secret"
      hosts:
@ -35,7 +37,7 @@ dashboardProviders:
    # editable: "true"
    options:
      path: "/var/lib/grafana/dashboards/default"
-grafana.ini: 
+grafana.ini:
  auth.anonymous:
    enabled: true
    org_role: Viewer
@ -53,7 +55,7 @@ grafana.ini:
    plugins: "/var/lib/grafana/plugins"
    provisioning: "/etc/grafana/provisioning"
  security:
-    allow_embedding: true  # Allow to be iframed
+    allow_embedding: true # Allow to be iframed
 dashboards:
  default:
    node_exporter:
--- a/modules/kubernetes/monitoring/prometheus_chart_values.tpl
+++ b/modules/kubernetes/monitoring/prometheus_chart_values.tpl
@ -13,9 +13,11 @@ alertmanager:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      # Enable client certificate authentication
-      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+      # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
      # Create the secret containing the trusted ca certificates
-      nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+      nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
    tls:
      - secretName: "tls-secret"
        hosts:
@ -70,9 +72,11 @@ server:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      # Enable client certificate authentication
-      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+      # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
      # Create the secret containing the trusted ca certificates
-      nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+      nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
    tls:
      - secretName: "tls-secret"
        hosts: