
feat(wireguard): setup SSO with Dex

Change-Id: I37970b581575f8000e3f6c4df5099e7fa42b87e4

Khue Doan c395354e be7feec4

+49 -20
+22 -20
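--- a/infra/production/oracle/secrets/terragrunt.hcl
+++ b/infra/production/oracle/secrets/terragrunt.hcl
@@ -20,30 +20,32 @@
 }
 
 sources = {
-dex_admin_password_hash = { value = include.root.locals.secrets.dex_admin_password_hash }
-dex_khuedoan_password_hash = { value = include.root.locals.secrets.dex_khuedoan_password_hash }
-dex_argocd_client_secret = { random = true }
-dex_grafana_client_secret = { random = true }
-dex_kiali_client_secret = { random = true }
-dex_temporal_client_secret = { random = true }
-dex_forgejo_client_key = { value = "forgejo" }
-dex_forgejo_client_secret = { random = true }
-forgejo_admin_username = { value = "forgejo_admin" }
-forgejo_admin_password = { random = true }
-silverbullet_user = { value = include.root.locals.secrets.silverbullet_user }
-wireguard_config = { value = include.root.locals.secrets.wireguard_config }
+dex_admin_password_hash = { value = include.root.locals.secrets.dex_admin_password_hash }
+dex_khuedoan_password_hash = { value = include.root.locals.secrets.dex_khuedoan_password_hash }
+dex_argocd_client_secret = { random = true }
+dex_grafana_client_secret = { random = true }
+dex_kiali_client_secret = { random = true }
+dex_temporal_client_secret = { random = true }
+dex_forgejo_client_key = { value = "forgejo" }
+dex_forgejo_client_secret = { random = true }
+dex_wireguard_client_secret = { random = true }
+forgejo_admin_username = { value = "forgejo_admin" }
+forgejo_admin_password = { random = true }
+silverbullet_user = { value = include.root.locals.secrets.silverbullet_user }
+wireguard_config = { value = include.root.locals.secrets.wireguard_config }
 }
 
 destinations = {
 "dex/dex-secrets" = {
 data = {
-"ARGOCD_CLIENT_SECRET" = "dex_argocd_client_secret"
-"GRAFANA_CLIENT_SECRET" = "dex_grafana_client_secret"
-"KIALI_CLIENT_SECRET" = "dex_kiali_client_secret"
-"TEMPORAL_CLIENT_SECRET" = "dex_temporal_client_secret"
-"FORGEJO_CLIENT_SECRET" = "dex_forgejo_client_secret"
-"ADMIN_PASSWORD_HASH" = "dex_admin_password_hash"
-"KHUEDOAN_PASSWORD_HASH" = "dex_khuedoan_password_hash"
+"ARGOCD_CLIENT_SECRET" = "dex_argocd_client_secret"
+"GRAFANA_CLIENT_SECRET" = "dex_grafana_client_secret"
+"KIALI_CLIENT_SECRET" = "dex_kiali_client_secret"
+"TEMPORAL_CLIENT_SECRET" = "dex_temporal_client_secret"
+"FORGEJO_CLIENT_SECRET" = "dex_forgejo_client_secret"
+"WIREGUARD_CLIENT_SECRET" = "dex_wireguard_client_secret"
+"ADMIN_PASSWORD_HASH" = "dex_admin_password_hash"
+"KHUEDOAN_PASSWORD_HASH" = "dex_khuedoan_password_hash"
 }
 }
 "argocd/argocd-secret" = {
@@ -73,7 +75,7 @@
 }
 "wireguard/wireguard-secret" = {
 data = {
-"wg0.conf" = "wireguard_config"
+"SSO_CLIENT_SECRET" = "dex_wireguard_client_secret"
 }
 }
 "forgejo/forgejo-admin" = {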
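Review bot: `wireguard_config` is still declared in `sources` even though the only visible mapping that consumed it, `"wg0.conf" = "wireguard_config"` under `"wireguard/wireguard-secret"`, is removed by this commit. If no destination outside these hunks still references it, drop the `wireguard_config = { ... }` source line so the old tunnel configuration, which normally carries interface private keys, is no longer loaded and passed around. It is also worth confirming that the stale `wg0.conf` key is actually deleted from the existing `wireguard-secret` rather than left behind next to `SSO_CLIENT_SECRET`. The `sources` and `destinations` maps continue outside the hunks, so other consumers cannot be ruled out from here.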
+5
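--- a/platform/production/dex.yaml
+++ b/platform/production/dex.yaml
@@ -70,6 +70,11 @@
 redirectURIs:
 - 'https://code.khuedoan.com/user/oauth2/SSO/callback'
 secretEnv: FORGEJO_CLIENT_SECRET
+- id: wireguard
+name: WireGuard
+redirectURIs:
+- 'https://wireguard.cloudlab.khuedoan.com/api/v0/auth/login/sso/callback'
+secretEnv: WIREGUARD_CLIENT_SECRET
 envFrom:
 - secretRef:
 name: dex-secrets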
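Review bot: The new `wireguard` client's redirect URI hard-codes the path segment `sso`, which presumably has to match the `provider_name: sso` set in platform/production/wireguard.yaml, and nothing in the entry records that coupling. A comment above the entry such as `# callback path "sso" must match auth.oidc[].provider_name in wireguard.yaml` would keep a later rename from breaking login with a redirect mismatch. The client list starts outside the hunk.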
+22
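--- a/platform/production/wireguard.yaml
+++ b/platform/production/wireguard.yaml
@@ -23,8 +23,30 @@
 helm:
 valuesObject:
 config:
+core:
+create_default_peer: true
 web:
 external_url: https://wireguard.cloudlab.khuedoan.com
+auth:
+hide_login_form: true
+oidc:
+- id: sso
+provider_name: sso
+display_name: Login with SSO
+registration_enabled: true
+base_url: https://dex.cloudlab.khuedoan.com
+client_id: wireguard
+client_secret: $SSO_CLIENT_SECRET
+extra_scopes:
+- profile
+- email
+field_map:
+is_admin: email
+admin_mapping:
+admin_value_regex: ^admin@cloudlab.khuedoan.com$
+envFrom:
+- secretRef:
+name: wireguard-secret
 ingress:
 enabled: true
 className: nginx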
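Review bot: Admin rights hinge on `admin_value_regex: ^admin@cloudlab.khuedoan.com$`, whose dots are unescaped and therefore match any character; write it as `admin_value_regex: ^admin@cloudlab\.khuedoan\.com$` so only the literal address qualifies. Because `is_admin` is mapped to the `email` claim, the portal's admin boundary is whatever Dex is willing to assert as an email, so any connector later added to Dex that passes through unverified or user-chosen addresses would need to be considered. Separately, `registration_enabled: true` together with `create_default_peer: true` appears to give every identity Dex authenticates an account and a tunnel peer on first login; if VPN access should be narrower than "can log in to Dex", restrict it here or in Dex. The `config` mapping continues outside the hunk.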