From c9a45797bf570ed98ae90ce59367ccdb6cd0491c Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Mon, 13 Mar 2023 09:08:33 +0000
Subject: [PATCH] Use groups for Minio oauth (#36)

Now gitea orgs are used as policies, so it's easier to handle access. Also, drone is switched to a global Gitea oauth app, instead of my personal
Reviewed-on: https://git.badhouseplants.net/badhouseplants/k8s-cluster-config/pulls/36
---
 badhouseplants/values/secrets.drone.yaml | 8 ++++----
 badhouseplants/values/secrets.minio.yaml | 8 ++++----
 badhouseplants/values/values.minio.yaml | 10 ++--------
 3 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/badhouseplants/values/secrets.drone.yaml b/badhouseplants/values/secrets.drone.yaml
index 0d56eec..b7c56eb 100644
--- a/badhouseplants/values/secrets.drone.yaml
+++ b/badhouseplants/values/secrets.drone.yaml
@@ -1,6 +1,6 @@
 env:
- DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:BbhUhVbrqFhD3Bw3w0ZfXRFNDkR7LV2gtabUOR990UQ6xDFw,iv:PfsuCU8A0C7MxVd9q6h6hexpeqxDJIshG16+Yoj9uTA=,tag:5mqw0hVJSlIta4p9VxGomw==,type:str]
- DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:W3NzKBlKhzB1lPmLbMfVkHxtnod25tGi1lHJW2RWc46je6NeWHX1XZlRefbVqKO6gO4AUTlJOq4=,iv:08EQ/9iVZ93P0I+mYBv3SuKfLs/T3ZS6yZkdAuzU4KI=,tag:c2OiB4R/aBLjVY5EfPSJgA==,type:str]
+ DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:7Ohn3nGR9VeIhAr9EdW1/juRFo3TXpKIwU07hD8mGoyBrbyn,iv:9/y3Ou8H/PL2hMsirJaqviKGQuzVlzL43iGAKQb9NII=,tag:EZoo2F4/HoOcacWOVU9yjA==,type:str]
+ DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:2wAbiSJdDb5lGUOocK14pZtwQI0EFmXGStAigKsPGAZUKyn7M0B6xBO1+B3wZYVnIKEohiNIZF7k,iv:Y9aCzdSH5cAIZfk84Clto/IrQMRaoH+bOkvbP+9CcLM=,tag:FVfLsEA56WGNCl/8ut4F/Q==,type:str]
 sops:
 kms: []
 gcp_kms: []
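Review bot: Replacing the two `DRONE_GITEA_CLIENT_*` values does not by itself retire the old credentials. The previous ciphertext for the personal OAuth application stays in git history and remains decryptable by anyone who holds the age key for this file. The switch is only complete once that personal application is deleted in Gitea; the diff cannot show whether that happened, so it is worth recording in the PR description.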
@@ -16,8 +16,8 @@ sops:
 QStxOG1iMWlxQ2dmOXRabXp4cm9NSU0K/+CRAc7DH4PgbQscXvDb7yLe8VoEpixr
 icD3GL37kYE2D4h1cm+p+/b7BF4/yjNlCUvo5cITXRjZAuiWGwUixQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-02-19T10:39:39Z"
- mac: ENC[AES256_GCM,data:UXfogL8cIidQpdrTNVCofPRkoC00OczHIQcISQ1AlL+BTl8NjdQfzVdknczDagtooAXdV8Cf+Qf9xMzDd7svFv2Uyc6Tzz80171My9d8bHLtv1Q5TbJ4OSAVr38tOd35APnPgsvgX2SXEDf/vvUuTN7mljPTFuF0raCqLlN+LGg=,iv:s2AH5PUohmLTo2LN3Vq9RW1OOO4I9YkyuK1/ODGwegc=,tag:YmzJBbt2TGJsy5ym8ZkP2Q==,type:str]
+ lastmodified: "2023-03-13T09:01:15Z"
+ mac: ENC[AES256_GCM,data:cHdSHMa5dJTMrQsDOvTAORHON3WlFVRApaajAoZ8QIWWxC1ZCNIyMp1NlgZ+vv1vY951+JsOu4WYJdfygMvCplSz2ughqWgPFvykKOCBGTLfEKxSagnxuxuDpJ3FT2zlzzUxLFSOg8iGgpxZc9mF28divlAem4POkGgWs+7s7tE=,iv:Zjx1Zscf6G4QyZJayJLktSg6kOCl3K32G7U41dL1RVQ=,tag:v3m/hIt5A4xe6R1G9b30cA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/badhouseplants/values/secrets.minio.yaml b/badhouseplants/values/secrets.minio.yaml
index 44630df..a4ce952 100644
--- a/badhouseplants/values/secrets.minio.yaml
+++ b/badhouseplants/values/secrets.minio.yaml
@@ -8,11 +8,11 @@ oidc:
 configUrl: ENC[AES256_GCM,data:ZNVvWPlFPA1xgfysavsEusfxE2ySIM9FYatYqfWPnUrHKMtCxYlrn1ip3nTYL2JHvjM3yltLBNbqWMCGlgtw,iv:p1F2DqCFaKvjYKhMieFytnMuggrec8DmBzDATLTVe+8=,tag:3EtpPSyRlGThov5OcZfV+g==,type:str]
 clientId: ENC[AES256_GCM,data:kO7PkjN+5GqZCxChvtbTQb/5zo7nVxfh7MZqbDoJLIKMEfth,iv:ti3Xlc3sRVOVGtxGw/pT5iBy5rBqV2v+MhiNF3Krb9U=,tag:3LUDIkq08zGmvjJtSnE/jA==,type:str]
 clientSecret: ENC[AES256_GCM,data:PVe+8SlNrznBiFVNpuQXIcuPkUXyUJ7DObZpRvlgA8JjUHXTy3VY7soyJVBZEMfYbNjSLLcKcWM=,iv:fbh2RcQdPf3jUt2AOI3xp09SSEaWzI4rLGZmlZY46uM=,tag:wvEBkkPsXoQXAP7fN1iDMA==,type:str]
- claimName: ENC[AES256_GCM,data:K7IO7TyaAUr4U80Ni5Xt/bma,iv:R8RQLttCNMHpAit+3OQ/STXo7u6xqQ1+RYgGLpJTpn4=,tag:3Wsh7TNnh1V0GrqjF/4Uiw==,type:str]
+ claimName: ENC[AES256_GCM,data:+XEw9sQ5,iv:DgGZf/GwkJsk4lfI8TBBaGfwN8YESMu9BSOBLJkbz78=,tag:A4hvQYEaZxPNf9CZp9+YUQ==,type:str]
 redirectUri: ENC[AES256_GCM,data:+Q8cNCvslAcO4m7VJwNe/CpEntyHfuHOrHqqtlrDILkfc0IRAA8aSbZwbA2v+So=,iv:GwzNILyqLuAYUQFKbt5WE+VCdOzSTBmGCAHcCAnzxXk=,tag:p9/86/r2DfT1mkQu+aQJfQ==,type:str]
 comment: ENC[AES256_GCM,data:TO3kA0i503ZA+EFhKa2AZw==,iv:Cl3NvvgXz71AaCgMl062urNtcBtgk832vtxTs9MJwik=,tag:JwerK2q1L7xMv/NIoWkESw==,type:str]
 claimPrefix: ""
- scopes: ENC[AES256_GCM,data:kyewug7Dv2UOcsc8UWe1ssepra8uBW7uYw==,iv:RfQQiwBWWSd9DSgSlYZFwyZy2xaizMuVjeCZAws3ddM=,tag:jnegIPBviRTPi4kwM1jexQ==,type:str]
+ scopes: ENC[AES256_GCM,data:TuXqq8d+Xo/1ZNi036wx1GhbNPSF2sv8uYUy,iv:u9VfqbAGR94vLPD7nnsKuz5b2sbpUhs1TT7Ah8quX7c=,tag:jZplD/t4rA+p7TtisrC9mg==,type:str]
 sops:
 kms: []
 gcp_kms: []
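Review bot: The two settings that decide authorization, `claimName` and `scopes`, change here only as SOPS ciphertext, so the diff cannot show which token claim MinIO now reads for policy names or which scopes it requests. Neither value is a secret; `clientSecret` is the one that needs encrypting. If the chart values can be split across files, moving `claimName` and `scopes` next to the plain `claimPrefix: ""` in an unencrypted values file would make this and later access-control changes reviewable. The `oidc:` mapping starts above the hunk, so other keys there may deserve the same treatment.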
@@ -28,8 +28,8 @@ sops:
 NFd0WDBXRERZc2ZDbWhDTFhnZExjVmcKDKHKoouDK66AYXenznGjTMnahqIwbp1y
 zA+MZx0FPO7xm9UCGaxIFzdLXK6O2ctw9fDceR6oMj+YehLOKwEmoA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-03-12T10:17:38Z"
- mac: ENC[AES256_GCM,data:I6DCLZNMl3LuGif/mDDNKKODZ6O/CSYty0+N60Xw4go2mH9J8/PPX0fEYL0ilRG2VDLuZ86RTiPCwAtUXVrtu1jzlkajbZPytWMpURZk+4m2XxXSDrTHNt6KJglF29DhENCkVXeZ75fHSKOS0yliZ+Q/90Ye18FJSlvVUy6HSfM=,iv:4y4pU0OTK6c2Oj5LvoJALtcn5TJ7OQFNys2swbYkodU=,tag:GSPQ64Ntu/oYnz6BfWXOTg==,type:str]
+ lastmodified: "2023-03-13T07:52:39Z"
+ mac: ENC[AES256_GCM,data:ognemBsF32MrBDoUTcmwW1W5VI//FADb/p0Do8aQttsikYMVLcFZqWx7Dyhu8CfOWsXL/atVLh2Gj3dkxjsmDFI8uUd4gwq0oMYtk7gR09WrrigDtV1UPgDgyLO3nW4/YmTYGx0fLcsFyGJMm1Pp08Sk+oGcP2Xt+zBAch6/xyE=,iv:Q6dAGFlaTQL7zbR1Z868zo3HbWW4/xpoaWdyw/k/c0U=,tag:I6X2USyt1AhgzjlY469jOA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/badhouseplants/values/values.minio.yaml b/badhouseplants/values/values.minio.yaml
index f379e7a..1f16321 100644
--- a/badhouseplants/values/values.minio.yaml
+++ b/badhouseplants/values/values.minio.yaml
@@ -57,19 +57,13 @@ policies:
 - 'arn:aws:s3:::*'
 actions:
 - "s3:*"
- - resources: []
- actions:
- - "admin:*"
- - resources: []
- actions:
- - "kms:*"
 - name: badhouseplants
 statements:
 - resources:
- - 'arn:aws:s3:::badhouseplants'
+ - 'arn:aws:s3:::badhouseplants-net'
 actions:
 - "s3:*"
 - resources:
- - 'arn:aws:s3:::badhouseplants/*'
+ - 'arn:aws:s3:::badhouseplants-net/*'
 actions:
 - "s3:*"
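Review bot: In `values.minio.yaml`, the first policy in the hunk still grants `s3:*` on `arn:aws:s3:::*` after the `admin:*` and `kms:*` statements are removed. Per the commit message, policies are now selected by Gitea organisation name, so membership of the matching organisation gives full access to every bucket. That policy's `name:` is above the hunk, so I cannot tell which organisation it is; a comment on each policy such as `# name must equal the Gitea org delivered in the OIDC group claim` would document the coupling. Organisation creation and membership in Gitea are now the access boundary for MinIO, so it is worth confirming both are restricted. The `badhouseplants` policy also uses `s3:*` on its own bucket, which covers bucket deletion and bucket-policy changes; if members only need object access, a narrower action list would do.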