feat: allow changing prometheus oauth2 proxy args (#852)

camptocamp · Apr 4, 2022 · 67c5d55 · 67c5d55
1 parent 8c815ca
commit 67c5d55
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 68 deletions.
diff --git a/modules/aks/azure/main.tf b/modules/aks/azure/main.tf
@@ -24,6 +24,15 @@ locals {
     { for i in distinct(var.azureidentities[*].namespace) : i => null },
     var.app_node_selectors
   )
+  oidc = var.oidc != null ? var.oidc : {
+    issuer_url              = format("https://login.microsoftonline.com/%s/v2.0", data.azurerm_client_config.current.tenant_id)
+    oauth_url               = format("https://login.microsoftonline.com/%s/oauth2/authorize", data.azurerm_client_config.current.tenant_id)
+    token_url               = format("https://login.microsoftonline.com/%s/oauth2/token", data.azurerm_client_config.current.tenant_id)
+    api_url                 = format("https://graph.microsoft.com/oidc/userinfo")
+    client_id               = azuread_application.oauth2_apps.0.application_id
+    client_secret           = azuread_application_password.oauth2_apps.0.value
+    oauth2_proxy_extra_args = []
+  }
 }
 
 provider "helm" {
@@ -124,15 +133,7 @@ module "argocd" {
   argocd_server_secretkey = var.argocd_server_secretkey
   wait_for_app_of_apps    = var.wait_for_app_of_apps
 
-  oidc = var.oidc != null ? var.oidc : {
-    issuer_url              = format("https://login.microsoftonline.com/%s/v2.0", data.azurerm_client_config.current.tenant_id)
-    oauth_url               = format("https://login.microsoftonline.com/%s/oauth2/authorize", data.azurerm_client_config.current.tenant_id)
-    token_url               = format("https://login.microsoftonline.com/%s/oauth2/token", data.azurerm_client_config.current.tenant_id)
-    api_url                 = format("https://graph.microsoft.com/oidc/userinfo")
-    client_id               = azuread_application.oauth2_apps.0.application_id
-    client_secret           = azuread_application_password.oauth2_apps.0.value
-    oauth2_proxy_extra_args = []
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
 
   grafana = {
     admin_password = local.grafana_admin_password

diff --git a/modules/cce/opentelekomcloud/main.tf b/modules/cce/opentelekomcloud/main.tf
@@ -7,6 +7,19 @@ locals {
   kubernetes_cluster_ca_certificate = base64decode(local.context.clusters.0.cluster.certificate-authority-data)
   kubeconfig                        = module.cluster.kubeconfig
   keycloak_user_map                 = { for username, infos in var.keycloak_users : username => merge(infos, tomap({ password = random_password.keycloak_passwords[username].result })) }
+
+  oidc = var.oidc != null ? var.oidc : {
+    issuer_url    = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack", var.cluster_name, local.base_domain)
+    oauth_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/auth", var.cluster_name, local.base_domain)
+    token_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/token", var.cluster_name, local.base_domain)
+    api_url       = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", var.cluster_name, local.base_domain)
+    client_id     = "devops-stack-applications"
+    client_secret = random_password.clientsecret.result
+    oauth2_proxy_extra_args = [
+      "--insecure-oidc-skip-issuer-verification=true",
+      "--ssl-insecure-skip-verify=true",
+    ]
+  }
 }
 
 provider "helm" {
@@ -49,18 +62,7 @@ module "argocd" {
   cluster_issuer          = "ca-issuer"
   wait_for_app_of_apps    = var.wait_for_app_of_apps
 
-  oidc = var.oidc != null ? var.oidc : {
-    issuer_url    = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack", var.cluster_name, local.base_domain)
-    oauth_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/auth", var.cluster_name, local.base_domain)
-    token_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/token", var.cluster_name, local.base_domain)
-    api_url       = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", var.cluster_name, local.base_domain)
-    client_id     = "devops-stack-applications"
-    client_secret = random_password.clientsecret.result
-    oauth2_proxy_extra_args = [
-      "--insecure-oidc-skip-issuer-verification=true",
-      "--ssl-insecure-skip-verify=true",
-    ]
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
 
   keycloak = {
     enable   = var.oidc == null ? true : false

diff --git a/modules/eks/aws/main.tf b/modules/eks/aws/main.tf
@@ -4,6 +4,16 @@ locals {
   kubernetes_cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
   kubernetes_token                  = data.aws_eks_cluster_auth.cluster.token
   kubeconfig                        = module.cluster.kubeconfig
+
+  oidc = var.oidc != null ? var.oidc : {
+    issuer_url              = format("https://cognito-idp.%s.amazonaws.com/%s", data.aws_region.current.name, var.cognito_user_pool_id)
+    oauth_url               = format("https://%s.auth.%s.amazoncognito.com/oauth2/authorize", var.cognito_user_pool_domain, data.aws_region.current.name)
+    token_url               = format("https://%s.auth.%s.amazoncognito.com/oauth2/token", var.cognito_user_pool_domain, data.aws_region.current.name)
+    api_url                 = format("https://%s.auth.%s.amazoncognito.com/oauth2/userInfo", var.cognito_user_pool_domain, data.aws_region.current.name)
+    client_id               = aws_cognito_user_pool_client.client.0.id
+    client_secret           = aws_cognito_user_pool_client.client.0.client_secret
+    oauth2_proxy_extra_args = []
+  }
 }
 
 data "aws_vpc" "this" {
@@ -110,15 +120,8 @@ module "argocd" {
   cluster_issuer          = "letsencrypt-prod"
   wait_for_app_of_apps    = var.wait_for_app_of_apps
 
-  oidc = var.oidc != null ? var.oidc : {
-    issuer_url              = format("https://cognito-idp.%s.amazonaws.com/%s", data.aws_region.current.name, var.cognito_user_pool_id)
-    oauth_url               = format("https://%s.auth.%s.amazoncognito.com/oauth2/authorize", var.cognito_user_pool_domain, data.aws_region.current.name)
-    token_url               = format("https://%s.auth.%s.amazoncognito.com/oauth2/token", var.cognito_user_pool_domain, data.aws_region.current.name)
-    api_url                 = format("https://%s.auth.%s.amazoncognito.com/oauth2/userInfo", var.cognito_user_pool_domain, data.aws_region.current.name)
-    client_id               = aws_cognito_user_pool_client.client.0.id
-    client_secret           = aws_cognito_user_pool_client.client.0.client_secret
-    oauth2_proxy_extra_args = []
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
+
   loki = {
     bucket_name = aws_s3_bucket.loki.id,
   }

diff --git a/modules/k3s/main.tf b/modules/k3s/main.tf
@@ -11,6 +11,19 @@ locals {
     secret_key = var.enable_minio ? random_password.minio_secretkey.0.result : ""
   }
   keycloak_user_map = { for username, infos in var.keycloak_users : username => merge(infos, tomap({ password = random_password.keycloak_passwords[username].result })) }
+
+  oidc = var.oidc != null ? var.oidc : {
+    issuer_url    = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack", var.cluster_name, local.base_domain)
+    oauth_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/auth", var.cluster_name, local.base_domain)
+    token_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/token", var.cluster_name, local.base_domain)
+    api_url       = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", var.cluster_name, local.base_domain)
+    client_id     = "devops-stack-applications"
+    client_secret = random_password.clientsecret.result
+    oauth2_proxy_extra_args = [
+      "--insecure-oidc-skip-issuer-verification=true",
+      "--ssl-insecure-skip-verify=true",
+    ]
+  }
 }
 
 provider "helm" {
@@ -44,18 +57,7 @@ module "argocd" {
   cluster_issuer          = "ca-issuer"
   wait_for_app_of_apps    = var.wait_for_app_of_apps
 
-  oidc = var.oidc != null ? var.oidc : {
-    issuer_url    = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack", var.cluster_name, local.base_domain)
-    oauth_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/auth", var.cluster_name, local.base_domain)
-    token_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/token", var.cluster_name, local.base_domain)
-    api_url       = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", var.cluster_name, local.base_domain)
-    client_id     = "devops-stack-applications"
-    client_secret = random_password.clientsecret.result
-    oauth2_proxy_extra_args = [
-      "--insecure-oidc-skip-issuer-verification=true",
-      "--ssl-insecure-skip-verify=true",
-    ]
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
 
   minio = {
     enable     = var.enable_minio

diff --git a/modules/kind/kind/main.tf b/modules/kind/kind/main.tf
@@ -11,6 +11,19 @@ locals {
     access_key = var.enable_minio ? random_password.minio_accesskey.0.result : ""
     secret_key = var.enable_minio ? random_password.minio_secretkey.0.result : ""
   }
+
+  oidc = var.oidc != null ? var.oidc : {
+    issuer_url    = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack", var.cluster_name, local.base_domain)
+    oauth_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/auth", var.cluster_name, local.base_domain)
+    token_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/token", var.cluster_name, local.base_domain)
+    api_url       = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", var.cluster_name, local.base_domain)
+    client_id     = "devops-stack-applications"
+    client_secret = random_password.clientsecret.result
+    oauth2_proxy_extra_args = [
+      "--insecure-oidc-skip-issuer-verification=true",
+      "--ssl-insecure-skip-verify=true",
+    ]
+  }
 }
 
 data "docker_network" "kind" {
@@ -74,18 +87,7 @@ module "argocd" {
   cluster_issuer          = "ca-issuer"
   wait_for_app_of_apps    = var.wait_for_app_of_apps
 
-  oidc = var.oidc != null ? var.oidc : {
-    issuer_url    = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack", var.cluster_name, local.base_domain)
-    oauth_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/auth", var.cluster_name, local.base_domain)
-    token_url     = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/token", var.cluster_name, local.base_domain)
-    api_url       = format("https://keycloak.apps.%s.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", var.cluster_name, local.base_domain)
-    client_id     = "devops-stack-applications"
-    client_secret = random_password.clientsecret.result
-    oauth2_proxy_extra_args = [
-      "--insecure-oidc-skip-issuer-verification=true",
-      "--ssl-insecure-skip-verify=true",
-    ]
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
 
   minio = {
     enable     = var.enable_minio

diff --git a/modules/openshift4/aws/main.tf b/modules/openshift4/aws/main.tf
@@ -10,6 +10,10 @@ locals {
   kubeconfig = module.cluster.kubeconfig
 
   grafana_admin_password = var.grafana_admin_password == null ? random_password.grafana_admin_password.0.result : var.grafana_admin_password
+
+  oidc = {
+    client_secret = random_password.clientsecret.result
+  }
 }
 
 module "cluster" {
@@ -53,9 +57,7 @@ module "argocd" {
   cluster_issuer         = "letsencrypt-prod"
   wait_for_app_of_apps   = var.wait_for_app_of_apps
 
-  oidc = {
-    client_secret = random_password.clientsecret.result
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
 
   loki = {
     enable = false

diff --git a/modules/sks/exoscale/main.tf b/modules/sks/exoscale/main.tf
@@ -22,6 +22,17 @@ locals {
   nodepools         = coalesce(var.nodepools, local.default_nodepools)
   cluster_issuer    = (length(local.nodepools) > 1) ? "letsencrypt-prod" : "ca-issuer"
   keycloak_user_map = { for username, infos in var.keycloak_users : username => merge(infos, tomap({ password = random_password.keycloak_passwords[username].result })) }
+
+  oidc = var.oidc != null ? var.oidc : {
+    issuer_url    = format("https://keycloak.apps.%s/auth/realms/devops-stack", local.base_domain)
+    oauth_url     = format("https://keycloak.apps.%s/auth/realms/devops-stack/protocol/openid-connect/auth", local.base_domain)
+    token_url     = format("https://keycloak.apps.%s/auth/realms/devops-stack/protocol/openid-connect/token", local.base_domain)
+    api_url       = format("https://keycloak.apps.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", local.base_domain)
+    client_id     = "devops-stack-applications"
+    client_secret = random_password.clientsecret.result
+
+    oauth2_proxy_extra_args = []
+  }
 }
 
 provider "helm" {
@@ -148,16 +159,7 @@ module "argocd" {
   cluster_issuer          = local.cluster_issuer
   wait_for_app_of_apps    = var.wait_for_app_of_apps
 
-  oidc = var.oidc != null ? var.oidc : {
-    issuer_url    = format("https://keycloak.apps.%s/auth/realms/devops-stack", local.base_domain)
-    oauth_url     = format("https://keycloak.apps.%s/auth/realms/devops-stack/protocol/openid-connect/auth", local.base_domain)
-    token_url     = format("https://keycloak.apps.%s/auth/realms/devops-stack/protocol/openid-connect/token", local.base_domain)
-    api_url       = format("https://keycloak.apps.%s/auth/realms/devops-stack/protocol/openid-connect/userinfo", local.base_domain)
-    client_id     = "devops-stack-applications"
-    client_secret = random_password.clientsecret.result
-
-    oauth2_proxy_extra_args = []
-  }
+  oidc = merge(local.oidc, var.prometheus_oauth2_proxy_args)
 
   grafana = {
     admin_password = local.grafana_admin_password

diff --git a/modules/values.tmpl.yaml b/modules/values.tmpl.yaml
@@ -382,7 +382,10 @@ kube-prometheus-stack:
             %{ for arg in oidc.oauth2_proxy_extra_args }
             - ${arg}
             %{ endfor }
-          image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
+            %{ for arg in oidc.prometheus_oauth2_proxy_extra_args }
+            - ${arg}
+            %{ endfor }
+          image: ${oidc.prometheus_oauth2_proxy_image}
           name: prometheus-proxy
           ports:
             - containerPort: 9091

diff --git a/modules/variables.tf b/modules/variables.tf
@@ -53,6 +53,17 @@ variable "oidc" {
   default = null
 }
 
+variable "prometheus_oauth2_proxy_args" {
+  type = object({
+    prometheus_oauth2_proxy_extra_args = list(string)
+    prometheus_oauth2_proxy_image = string
+  })
+  default = {
+    prometheus_oauth2_proxy_extra_args = []
+    prometheus_oauth2_proxy_image = "quay.io/oauth2-proxy/oauth2-proxy:v7.1.3"
+  }
+}
+
 variable "argocd_server_secretkey" {
   description = "ArgoCD Server Secert Key to avoid regenerate token on redeploy."
   type        = string