switch to using oauth-proxy Ansible role

This way we get version upgrades for free. Signed-off-by: Jakub Sokołowski <jakub@status.im>
2023-09-26 08:58:24 +02:00 · 2023-09-26 08:58:24 +02:00 · 4e43dd54e2
parent e9de18e424
commit 4e43dd54e2
4 changed files with 24 additions and 45 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -36,14 +36,13 @@ alertmanager_smtp_receivers_extra: []
 #        send_resolved: true

 # OAuth
-alertmanager_oauth_id: ~
-alertmanager_oauth_secret: ~
-alertmanager_oauth_cookie_secret: ~
-alertmanager_oauth_gh_org: ~
-alertmanager_oauth_gh_teams: []
+alertmanager_oauth_compose_file: '{{ alertmanager_service_path }}/docker-compose.oauth.yml'
 alertmanager_oauth_cont_port: 8092
-alertmanager_oauth_cont_tag: 'v7.2.1-amd64'
-alertmanager_oauth_cont_image: 'quay.io/oauth2-proxy/oauth2-proxy:{{ alertmanager_oauth_cont_tag }}'
+#alertmanager_oauth_id: ~
+#alertmanager_oauth_secret: ~
+#alertmanager_oauth_cookie_secret: ~
+#alertmanager_oauth_gh_org: ~
+alertmanager_oauth_gh_teams: []

 # Route configuration
 alertmanager_group_by: ['alertname', 'fleet']
--- a/tasks/consul.yml
+++ b/tasks/consul.yml
@ -14,18 +14,6 @@
            type: 'http'
            http: 'http://localhost:{{ alertmanager_webui_port }}/api/v1/receivers'

-      - name: '{{ alertmanager_service_name }}-oauth'
-        tags: ['oauth-proxy', 'alertmanager', 'ssl-proxy-backend']
-        port: '{{ alertmanager_oauth_cont_port }}'
-        address: '{{ ansible_local.wireguard.vpn_ip }}'
-        meta:
-          proxy_fqdn: '{{ alertmanager_domain | mandatory }}'
-        checks:
-          - id:   '{{ alertmanager_service_name }}-oauth-health'
-            name: 'AlertManager OAuth Health'
-            type: 'http'
-            http: 'http://localhost:{{ alertmanager_oauth_cont_port }}/ping'
-
 # We need to do this for discover step to work
 - name: Reload Consul right away
  systemd:
--- a/tasks/container.yml
+++ b/tasks/container.yml
@ -1,5 +1,5 @@
 ---
- name: Create compose file
+- name: Create app compose file
  template:
    src: 'docker-compose.yml.j2'
    dest: '{{ alertmanager_compose_file }}'
@ -7,9 +7,26 @@
    group: 'docker'
    mode: 0640

+- name: Create OAuth compose file
+  include_role: name=oauth-proxy
+  vars:
+    oauth_service_name:  '{{ alertmanager_service_name }}-oauth'
+    oauth_service_path:  '{{ alertmanager_service_path }}'
+    oauth_compose_path:  '{{ alertmanager_oauth_compose_file }}'
+    oauth_domain:        '{{ alertmanager_domain | mandatory }}'
+    oauth_github_org:    '{{ alertmanager_oauth_gh_org | mandatory }}'
+    oauth_github_teams:  '{{ alertmanager_oauth_gh_teams | mandatory }}'
+    oauth_id:            '{{ alertmanager_oauth_id | mandatory }}'
+    oauth_secret:        '{{ alertmanager_oauth_secret | mandatory }}'
+    oauth_cookie_secret: '{{ alertmanager_oauth_cookie_secret | mandatory }}'
+    oauth_local_port:    '{{ alertmanager_oauth_cont_port | mandatory }}'
+    oauth_local_addr:    '0.0.0.0'
+    oauth_upstream_url:  'http://app:{{ alertmanager_webui_port }}/'
+
 - name: Create containers
  docker_compose:
    project_src: '{{ alertmanager_service_path }}'
+    files: ['{{ alertmanager_compose_file }}', '{{ alertmanager_oauth_compose_file }}']
    pull: true
    build: false
    state: '{{ compose_state }}'
--- a/templates/docker-compose.yml.j2
+++ b/templates/docker-compose.yml.j2
@ -30,28 +30,3 @@ services:
      - '--cluster.peer={{ peer.ServiceAddress }}:{{ alertmanager_cluster_port }}' # {{ peer.Node }}
 {% endif %}
 {% endfor %}
-{% if alertmanager_oauth_id %}
-
-  oauth:
-    container_name: '{{ alertmanager_service_name }}-oauth'
-    image: '{{ alertmanager_oauth_cont_image }}'
-    user: 'root'
-    restart: 'always'
-    ports:
-      - '0.0.0.0:{{ alertmanager_oauth_cont_port }}:{{ alertmanager_oauth_cont_port }}' # Web UI
-    command: |
-      --email-domain='*'
-      --provider='github'
-      --github-org='{{ alertmanager_oauth_gh_org | mandatory }}'
-{% if alertmanager_oauth_gh_teams %}
-      --github-team='{{ alertmanager_oauth_gh_teams | join(",") }}'
-{% endif %}
-      --cookie-domain='{{ alertmanager_domain | mandatory }}'
-      --cookie-secret='{{ alertmanager_oauth_cookie_secret | mandatory }}'
-      --client-id='{{ alertmanager_oauth_id | mandatory }}'
-      --client-secret='{{ alertmanager_oauth_secret | mandatory }}'
-      --redirect-url='https://{{ alertmanager_domain }}/oauth2/callback'
-      --http-address='0.0.0.0:{{ alertmanager_oauth_cont_port | mandatory }}'
-      --upstream='http://app:{{ alertmanager_webui_port }}/'
-      --request-logging=false
-{% endif %}