From 2c7de2fb4c89e2e3783da2f99cf25b4fa3691a1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?c=C4=83t=C4=83lin?=
Date: Wed, 13 Mar 2024 15:20:32 +0100
Subject: [PATCH] feat: add argo workflows
---
k8s/argo-apps/argo-workflows.yaml | 48 +++++++++++++++++++
.../argo-workflows/admin-service-account.yaml | 18 +++++++
.../argo-workflows/sealedsecrets.yaml | 16 +++++++
k8s/services/argo/project-management.yaml | 3 ++
tofu/adguard/main.tf | 15 ++++++
tofu/authentik/.terraform.lock.hcl | 24 ++++++++++
tofu/authentik/main.tf | 32 +++++++++++++
tofu/authentik/sample.env | 4 ++
tofu/authentik/vars.tf | 9 ++++
tofu/modules/authentik/main.tf | 45 +++++++++++++++++
tofu/modules/authentik/vars.tf | 40 ++++++++++++++++
11 files changed, 254 insertions(+)
create mode 100644 k8s/argo-apps/argo-workflows.yaml
create mode 100644 k8s/services/argo-workflows/admin-service-account.yaml
create mode 100644 k8s/services/argo-workflows/sealedsecrets.yaml
create mode 100644 tofu/authentik/.terraform.lock.hcl
create mode 100644 tofu/authentik/main.tf
create mode 100644 tofu/authentik/sample.env
create mode 100644 tofu/authentik/vars.tf
create mode 100644 tofu/modules/authentik/main.tf
create mode 100644 tofu/modules/authentik/vars.tf
diff --git a/k8s/argo-apps/argo-workflows.yaml b/k8s/argo-apps/argo-workflows.yaml
new file mode 100644
index 0000000..3682b0a
--- /dev/null
+++ b/k8s/argo-apps/argo-workflows.yaml
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argo-workflows
+ namespace: argocd
+spec:
+ destination:
+ name: ''
+ namespace: 'argo-workflows'
+ server: "https://kubernetes.default.svc"
+ project: management
+ syncPolicy:
+ automated: { }
+ sources:
+ - chart: argo-workflows
+ repoURL: https://argoproj.github.io/argo-helm
+ targetRevision: 0.40.*
+ helm:
+ valuesObject:
+ controller:
+ singleNamespace: true
+ workflowNamespaces:
+ - argo-workflows
+ server:
+ authMode: sso
+ sso:
+ enabled: true
+ issuer: https://auth.fukurokuju.dev/application/o/argo-workflows/
+ clientId:
+ name: secrets-argo-server-sso
+ key: client-id
+ clientSecret:
+ name: secrets-argo-server-sso
+ key: client-secret
+ redirectUrl: https://ci.fuku/oauth2/callback
+ scopes:
+ - openid
+ - profile
+ - email
+ - offline_access
+ rbac:
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ hosts:
+ - ci.fuku
+ tls: []
diff --git a/k8s/services/argo-workflows/admin-service-account.yaml b/k8s/services/argo-workflows/admin-service-account.yaml
new file mode 100644
index 0000000..0de82ba
--- /dev/null
+++ b/k8s/services/argo-workflows/admin-service-account.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: argo-workflows
+ annotations:
+ workflows.argoproj.io/rbac-rule: "true"
+ workflows.argoproj.io/rbac-rule-precedence: "1"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: admin-user.service-account-token
+ namespace: argo-workflows
+ annotations:
+ kubernetes.io/service-account.name: admin-user
+type: kubernetes.io/service-account-token
\ No newline at end of file
diff --git a/k8s/services/argo-workflows/sealedsecrets.yaml b/k8s/services/argo-workflows/sealedsecrets.yaml
new file mode 100644
index 0000000..f6337eb
--- /dev/null
+++ b/k8s/services/argo-workflows/sealedsecrets.yaml
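Review bot: `ingress.tls: []` leaves the Argo server ingress for `ci.fuku` without TLS, while `sso.redirectUrl` is `https://ci.fuku/oauth2/callback`; unless Traefik terminates TLS for this host through some default elsewhere, the OIDC authorization code and the Argo session cookie travel in clear text and the callback scheme will not match what the browser actually uses, so either add a `tls:` entry with a certificate secret for `ci.fuku` or change the redirect to the scheme the ingress really serves. `targetRevision: 0.40.*` combined with `syncPolicy.automated: { }` means every new 0.40.x chart release is rolled out with no review, which is a weak posture for a component that ships cluster-scoped RBAC; pinning an exact chart version and letting a dependency bot propose bumps is the more auditable choice. The `destination` block mixes `''`, `'argo-workflows'` and `"https://kubernetes.default.svc"`; none of these plain scalars needs quoting, and `automated: { }` is conventionally written `automated: {}`.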
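Review bot: The SSO RBAC rule `workflows.argoproj.io/rbac-rule: "true"` matches every identity that completes the OIDC login, so each such user is mapped onto the `admin-user` service account; the only thing narrowing who can log in is the Authentik policy binding on the application, which lives in a different file, and loosening it there silently widens access here. Scoping the rule to a claim the token actually carries (e.g. `workflows.argoproj.io/rbac-rule: "email == 'REPLACE_WITH_ADMIN_EMAIL'"`, a constructed placeholder) keeps the admin mapping explicit on the cluster side. The Role/RoleBinding that gives `admin-user` its permissions is not part of this hunk, so what the account can actually do cannot be judged from the diff. The `admin-user.service-account-token` Secret creates a non-expiring credential in the namespace; it is what the Argo server's SSO RBAC mode consumes, but it is worth a comment saying so, since otherwise it reads like a leftover legacy token.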
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: secrets-argo-server-sso
+ namespace: argo-workflows
+spec:
+ encryptedData:
+ client-id: 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
+ client-secret: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: secrets-argo-server-sso
+ namespace: argo-workflows
diff --git a/k8s/services/argo/project-management.yaml b/k8s/services/argo/project-management.yaml
index 00de4f0..7d1f4fc 100644
--- a/k8s/services/argo/project-management.yaml
+++ b/k8s/services/argo/project-management.yaml
@@ -16,6 +16,8 @@ spec: server: https://kubernetes.default.svc - namespace: system-upgrade server: https://kubernetes.default.svc + - namespace: argo-workflows + server: https://kubernetes.default.svc clusterResourceWhitelist: - group: "*" kind: "*"
@@ -27,3 +29,4 @@ spec: - https://kubernetes-sigs.github.io/descheduler/ - https://github.com/rancher/system-upgrade-controller.git - https://charts.bitnami.com/bitnami
+ - https://argoproj.github.io/argo-helm
\ No newline at end of file
diff --git a/tofu/adguard/main.tf b/tofu/adguard/main.tf
index 5ab7f43..f4966bf 100644
--- a/tofu/adguard/main.tf
+++ b/tofu/adguard/main.tf
@@ -90,3 +90,18 @@ resource "adguard_rewrite" "authentik" { domain = "auth.fukurokuju.dev" answer = "192.168.1.12" }
+
+resource "adguard_rewrite" "ci_local_1" {
+ domain = "ci.fuku"
+ answer = "192.168.1.31"
+}
+
+resource "adguard_rewrite" "ci_local_2" {
+ domain = "ci.fuku"
+ answer = "192.168.1.32"
+}
+
+resource "adguard_rewrite" "ci_local_3" {
+ domain = "ci.fuku"
+ answer = "192.168.1.33"
+}
diff --git a/tofu/authentik/.terraform.lock.hcl b/tofu/authentik/.terraform.lock.hcl
new file mode 100644
index 0000000..f86ea5a
--- /dev/null
+++ b/tofu/authentik/.terraform.lock.hcl
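Review bot: `creationTimestamp: null` appears both under `metadata` and under `template.metadata`; it is a serialisation artefact of kubeseal, not configuration, and stripping it before committing keeps the manifest free of noise that the controller ignores anyway. The sealed name and namespace (`secrets-argo-server-sso` in `argo-workflows`) match what the Application's `sso.clientId` and `sso.clientSecret` reference, so the strict-scope seal will unseal into exactly the Secret the Argo server looks up.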
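Review bot: The new `sourceRepos` entry `https://argoproj.github.io/argo-helm` is appended without a trailing newline, as the `\ No newline at end of file` marker shows; the same applies to admin-service-account.yaml, tofu/authentik/main.tf, tofu/authentik/sample.env, tofu/modules/authentik/main.tf and tofu/modules/authentik/vars.tf in this commit, and a final newline in each avoids a spurious changed line on the next append. The surrounding context also shows `clusterResourceWhitelist` as `group: "*"` / `kind: "*"`, so adding the `argo-workflows` destination to this project places no per-project limit on the cluster-scoped resources (CRDs, ClusterRoles) the chart may create; that is presumably intended for a management project, but worth stating in a comment on the whitelist.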
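Review bot: Three near-identical `adguard_rewrite` blocks for the same domain differ only in the answer, which is what `for_each` exists for; a single resource keyed on the address set keeps the mapping in one place and makes adding a fourth host a one-token change. The suffixes `ci_local_1..3` carry no meaning, so the keyed form also yields better addresses (`adguard_rewrite.ci_local["192.168.1.31"]`). Because `ci.fuku` is not a public TLD, no publicly trusted certificate can be issued for it, which presumably is why the matching ingress in this commit has no TLS block; if a private CA is meant to cover it, that is worth a comment here next to the records. These resources are new in this commit, so no `moved` blocks are needed unless the three-block form has already been applied somewhere.
```hcl
resource "adguard_rewrite" "ci_local" {
  for_each = toset(["192.168.1.31", "192.168.1.32", "192.168.1.33"])
  domain   = "ci.fuku"
  answer   = each.value
}
```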
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2024.2.0" + constraints = "2024.2.0" + hashes = [ + "h1:AeyEcplt1WTQijM1d2E1pBPemcL57WC5bZr7y1XNui4=", + "zh:03b13879c66d1536f250c91f61ba078cc34af2fec271ea19c838a719dd4f1baa", + "zh:1c4d93aa3de72e4b00ac33fc0d4134fc5a641b863e9cd9afdc1105a4024fc8f0", + "zh:50d2f5b71ea5410633dbc8b143bef6fa77a9670a07a3fd85f9921e1094ab416e", + "zh:5320a267adb8506c23941df1c4cba56a176d0b9e0441f247fe714d34a514fcc8", + "zh:58376699c8941c109e49db7edfca4f83ec47b5b46619346380ca79d50902623e", + "zh:61f86a37dcb30167d1bfb84428b821de10c73cdec1ef911f167991ebc7eb9cd5", + "zh:6e99b5cf0f5987e3e3e24e26af12084f741a0f0b79a04d0b7e6703525cf4633e", + "zh:81c39322353f7da1c84c4ec82b6e7de70131156b256de21aee741240694e5bef", + "zh:bbec3872accea0294c86f812d668f9e2e8255b3d1f7424b39ddc261d6d02e036", + "zh:c1b56e5c4e82c683baf7854153caa85c600001ca6d1405f0d82a1aa29a600375", + "zh:cf4e41422aba2435f68bf1cf6c1e83315fe70c810dfd7e81a581d94490d6870b", + "zh:d86a2383e7fae38c9ea80f87d27d34d46a13fa24579b4612a248c888a3c9e265", + "zh:df693bc3156a2d632843abad9294d9192d1569039800c59e8a594c1b8e0fc9df", + "zh:e1a7148102d5a169dfb24c0de8441f3a9c25363976f4f2ce97f4c0b2e904302c", + ] +} diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf new file mode 100644 index 0000000..985847c --- /dev/null +++ b/tofu/authentik/main.tf 
@@ -0,0 +1,32 @@
+terraform {
+ backend "s3" {
+ bucket = "fuku-terraform"
+ key = "authentik/terraform"
+ region = "us-east-1"
+ }
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2024.2.0"
+ }
+ }
+}
+
+data "authentik_user" "catalin" {
+ username = "catalin"
+}
+
+resource "authentik_group" "ci" {
+ name = "ci"
+ users = [data.authentik_user.catalin.id]
+}
+
+module "argo-workflows" {
+ source = "../modules/authentik"
+ app_name = "Argo Workflows"
+ app_slug = "argo-workflows"
+ client_id = var.argo_workflows_client_id
+ client_secret = var.argo_workflows_client_secret
+ app_access_group_id = authentik_group.ci.id
+ redirect_uris = ["https://ci.fuku/oauth2/callback"]
+}
\ No newline at end of file
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
new file mode 100644
index 0000000..0eb6593
--- /dev/null
+++ b/tofu/authentik/sample.env
@@ -0,0 +1,4 @@
+ AUTHENTIK_URL=https://auth.fukurokuju.dev
+ AUTHENTIK_TOKEN=
+ TF_VAR_argo_workflows_client_id=
+ TF_VAR_argo_workflows_client_secret=
\ No newline at end of file
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
new file mode 100644
index 0000000..3c32c43
--- /dev/null
+++ b/tofu/authentik/vars.tf
@@ -0,0 +1,9 @@
+variable "argo_workflows_client_id" {
+ description = "Client ID"
+ type = string
+}
+
+variable "argo_workflows_client_secret" {
+ description = "Client secret"
+ type = string
+}
diff --git a/tofu/modules/authentik/main.tf b/tofu/modules/authentik/main.tf
new file mode 100644
index 0000000..ad233fe
--- /dev/null
+++ b/tofu/modules/authentik/main.tf
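Review bot: `var.argo_workflows_client_secret` is handed to the module and therefore lands in the remote state written by `backend "s3"`, yet neither this backend block nor `variable "argo_workflows_client_secret"` in the vars.tf hunk on this same line treats it as sensitive. Add `encrypt = true` to the backend so state objects are written with server-side encryption, and `sensitive = true` to the secret variable so plan and apply output redact the value; the module's own `client_secret` variable in tofu/modules/authentik/vars.tf has the same gap. The backend also configures no locking (no `dynamodb_table`), so two concurrent applies can corrupt the state — inferred from the block as written, there may be locking configured outside this file. `module "argo-workflows"` works but the hyphen is unusual for a Terraform identifier; `module "argo_workflows"` matches the `resource "authentik_group" "ci"` style used just above.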
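Review bot: Every line of sample.env carries leading whitespace (`+ AUTHENTIK_URL=…`, whereas the other new files start their content at column 0), which shell-style `source` tolerates but some dotenv readers keep as part of the key or reject; stripping it lets the sample copy cleanly into a real env file. Whether the populated `.env` counterpart is covered by `.gitignore` is not visible in this commit and is worth confirming, since `AUTHENTIK_TOKEN` is an API token for the identity provider.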
@@ -0,0 +1,45 @@
+terraform {
+ required_providers {
+ authentik = {
+ source = "goauthentik/authentik"
+ version = "2024.2.0"
+ }
+ }
+}
+data "authentik_flow" "default-authorization-flow" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "default-scopes" {
+ managed_list = [
+ "goauthentik.io/providers/oauth2/scope-email",
+ "goauthentik.io/providers/oauth2/scope-openid",
+ "goauthentik.io/providers/oauth2/scope-profile",
+ "goauthentik.io/providers/oauth2/scope-offline_access",
+ ]
+}
+
+
+resource "authentik_provider_oauth2" "provider_oidc" {
+ name = var.app_name
+ client_id = var.client_id
+ client_secret = var.client_secret
+ authorization_flow = data.authentik_flow.default-authorization-flow.id
+ redirect_uris = var.redirect_uris
+ property_mappings = data.authentik_scope_mapping.default-scopes.ids
+ sub_mode = var.sub_mode
+ signing_key = var.oidc_signing_key
+}
+
+
+resource "authentik_application" "app" {
+ name = var.app_name
+ slug = var.app_slug
+ protocol_provider = authentik_provider_oauth2.provider_oidc.id
+
+}
+resource "authentik_policy_binding" "app_access" {
+ target = authentik_application.app.uuid
+ group = var.app_access_group_id
+ order = 0
+}
\ No newline at end of file
diff --git a/tofu/modules/authentik/vars.tf b/tofu/modules/authentik/vars.tf
new file mode 100644
index 0000000..8c9d226
--- /dev/null
+++ b/tofu/modules/authentik/vars.tf
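Review bot: `redirect_uris = var.redirect_uris` passes the caller's list straight through; Authentik releases around 2024.2 match redirect URIs as regular expressions when the string is not a plain match, in which case the unescaped dots in `https://ci.fuku/oauth2/callback` would also accept hosts such as `ciXfuku` — confirm against the 2024.2 behaviour and, if it applies, escape the dots in the module or document that callers must. `authentik_application.app` has a stray blank line before its closing brace and there is no separator before `resource "authentik_policy_binding"`, while two blank lines separate the earlier blocks; running `tofu fmt` and keeping one blank line between blocks would settle this. The authorization flow `default-provider-authorization-implicit-consent` is looked up by slug and shown nowhere else in the diff, so a comment such as `# implicit consent: users are not asked to approve the scope grant` would tell a reader why that flow rather than the explicit-consent one was chosen.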
@@ -0,0 +1,40 @@
+variable "app_name" {
+ description = "App name"
+ type = string
+}
+
+variable "app_slug" {
+ description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+ type = string
+}
+
+variable "client_id" {
+ description = "Client ID"
+ type = string
+}
+
+variable "client_secret" {
+ description = "Client secret"
+ type = string
+}
+
+variable "app_access_group_id" {
+ description = "ID of a group which will have access to the app"
+ type = string
+}
+
+variable "redirect_uris" {
+ description = "List of URIs allowed to redirect to"
+ type = list(string)
+}
+
+variable "sub_mode" {
+ type = string
+ default = "user_username"
+}
+
+variable "oidc_signing_key" {
+ type = string
+ description = "Signing key"
+ default = "c4ff5edf-3cad-4093-9326-44fea088e670"
+}
\ No newline at end of file
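Review bot: `oidc_signing_key` defaults to a hard-coded certificate key-pair UUID that belongs to one specific Authentik instance, so any other deployment using this module will either fail to plan or silently sign tokens with whatever object happens to carry that ID; drop the default so the caller must supply it, or resolve it inside the module with a `data "authentik_certificate_key_pair"` lookup by name. `client_secret` should be declared `sensitive = true` so plan output and any module outputs redact it, i.e. `variable "client_secret" { description = "Client secret"  type = string  sensitive = true }`. `sub_mode` is the only variable without a description; `description = "Authentik sub_mode: which user attribute the OIDC sub claim is derived from"` plus a `validation` block over the values the provider accepts would document the contract, and the default `user_username` ties `sub` to a mutable username, which is worth a note for callers that key authorization on `sub`.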