diff --git a/k8s/apps/mtproxy/kustomization.yaml b/k8s/apps/mtproxy/kustomization.yaml
index 24e0318..c243cd9 100644
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -12,4 +12,5 @@ resources:
 - ./telemt-servicemonitor.yaml
 - ./service.yaml
 - ./secret-reader.yaml
+ - ./secret-reader-ingress.yaml
 # - ./storage.yaml
diff --git a/k8s/apps/mtproxy/secret-reader-ingress.yaml b/k8s/apps/mtproxy/secret-reader-ingress.yaml
new file mode 100644
index 0000000..77d263f
--- /dev/null
+++ b/k8s/apps/mtproxy/secret-reader-ingress.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: secret-reader
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`secret-reader.hexor.cy`)
+ kind: Rule
+ middlewares:
+ - name: keycloak-auth
+ namespace: oauth2-proxy
+ services:
+ - name: secret-reader
+ port: 80
+ tls:
+ secretName: secret-reader-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: secret-reader-tls
+spec:
+ secretName: secret-reader-tls
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ dnsNames:
+ - secret-reader.hexor.cy
diff --git a/k8s/core/oauth2-proxy/app.yaml b/k8s/core/oauth2-proxy/app.yaml
new file mode 100644
index 0000000..15dc7e1
--- /dev/null
+++ b/k8s/core/oauth2-proxy/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: oauth2-proxy
+ namespace: argocd
+spec:
+ project: core
+ destination:
+ namespace: oauth2-proxy
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/core/oauth2-proxy
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/k8s/core/oauth2-proxy/external-secrets.yaml b/k8s/core/oauth2-proxy/external-secrets.yaml
new file mode 100644
index 0000000..a1ec20b
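Review bot: The IngressRoute's only access control is the `keycloak-auth` middleware referenced from the `oauth2-proxy` namespace, so the route depends on Traefik's kubernetesCRD provider running with `allowCrossNamespace: true`; as far as I know Traefik refuses to build the router when the reference cannot be resolved (fails closed), which is the safe direction, but it is a hidden prerequisite and deserves a comment on the `middlewares:` entry such as `# cross-namespace ref: requires providers.kubernetesCRD.allowCrossNamespace=true`. The `cert-manager.io/cluster-issuer` annotation on an IngressRoute has no effect — cert-manager's ingress-shim only reacts to networking.k8s.io Ingress objects — so the explicit Certificate below is what actually issues `secret-reader-tls`; I would drop the annotation so nobody assumes it is doing the work. The `secret-reader` Service on port 80 is still reachable from inside the cluster without traversing this middleware; if anything less trusted runs in the cluster, a NetworkPolicy limiting ingress to Traefik's pods would close that path (not visible in this diff).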
--- /dev/null
+++ b/k8s/core/oauth2-proxy/external-secrets.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: oauth2-proxy-creds
+spec:
+ target:
+ name: oauth2-proxy-creds
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ client_id: oauth2-proxy
+ client_secret: |-
+ {{ .client_secret }}
+ cookie_secret: |-
+ {{ .cookie_secret }}
+ data:
+ - secretKey: client_secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: PLACEHOLDER_VAULTWARDEN_ITEM_ID
+ property: login.password
+ - secretKey: cookie_secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ key: PLACEHOLDER_VAULTWARDEN_ITEM_ID
+ property: fields[0].value
diff --git a/k8s/core/oauth2-proxy/kustomization.yaml b/k8s/core/oauth2-proxy/kustomization.yaml
new file mode 100644
index 0000000..46c3a95
--- /dev/null
+++ b/k8s/core/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ - external-secrets.yaml
+ - middleware.yaml
+
+helmCharts:
+ - name: oauth2-proxy
+ repo: https://oauth2-proxy.github.io/manifests
+ version: 7.12.6
+ releaseName: oauth2-proxy
+ namespace: oauth2-proxy
+ valuesFile: values.yaml
diff --git a/k8s/core/oauth2-proxy/middleware.yaml b/k8s/core/oauth2-proxy/middleware.yaml
new file mode 100644
index 0000000..b503219
--- /dev/null
+++ b/k8s/core/oauth2-proxy/middleware.yaml
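Review bot: Both `remoteRef.key` entries are the literal `PLACEHOLDER_VAULTWARDEN_ITEM_ID`, and because the Application in this same commit syncs automatically with `selfHeal`, this will be applied as-is: the ExternalSecret will most likely fail to reconcile, the `oauth2-proxy-creds` Secret never materialises, and the oauth2-proxy pod sits in CreateContainerConfigError on its `secretKeyRef`s. Replace the placeholders with the real item id before merging, or document right above `data:` how they are substituted if the id must stay out of git. The cookie secret is pulled positionally via `property: fields[0].value`, so editing or reordering the Vaultwarden item's custom fields silently hands oauth2-proxy a different value; a comment such as `# fields[0] must be the oauth2-proxy cookie secret (16/24/32 bytes, or base64 thereof)` — or a name-based lookup if the store supports it — makes that dependency explicit, since nothing here validates the length oauth2-proxy requires.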
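Review bot: The `helmCharts` block renders the chart at kustomize build time, which Argo CD only does when its kustomize build options include `--enable-helm` (`kustomize.buildOptions` in `argocd-cm`); if that is not set the Application fails to render rather than deploying without auth, which is the safe failure, but it is a hidden prerequisite worth stating in a comment above `helmCharts:`. Kustomize fetches the chart from `oauth2-proxy.github.io` on every render and the `helmCharts` schema has no digest field, so the `version: 7.12.6` pin is the only supply-chain control here — fine for a homelab, but a `# pinned: bump deliberately, chart is fetched unverified at render time` comment records that trade-off.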
@@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: keycloak-auth
+ namespace: oauth2-proxy
+spec:
+ forwardAuth:
+ address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-Auth-Request-User
+ - X-Auth-Request-Email
+ - X-Auth-Request-Groups
+ - Authorization
diff --git a/k8s/core/oauth2-proxy/values.yaml b/k8s/core/oauth2-proxy/values.yaml
new file mode 100644
index 0000000..987a52b
--- /dev/null
+++ b/k8s/core/oauth2-proxy/values.yaml
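Review bot: `trustForwardHeader: true` tells Traefik to forward whatever `X-Forwarded-*` headers arrive on the request instead of overwriting them, and oauth2-proxy with `reverse_proxy = true` (values.yaml in this commit) uses `X-Forwarded-Host`/`X-Forwarded-Uri` to build redirects and choose cookie scope; that is only safe if the `websecure` entrypoint has `forwardedHeaders.trustedIPs` configured so client-supplied values are stripped at the edge, and that entrypoint configuration is not in this diff — please confirm it, or drop the flag if Traefik is the first hop. Separately, `/oauth2/auth` answers 401 with no `Location`, and Traefik's ForwardAuth returns a non-2xx auth response to the client unchanged, so as far as I can tell an unauthenticated browser gets a bare 401 rather than being sent to Keycloak. oauth2-proxy's Traefik guide pairs this address with an `errors` middleware that redirects 401 to `https://oauth.hexor.cy/oauth2/sign_in?rd={url}`, or alternatively points `address` at the proxy root (`http://oauth2-proxy.oauth2-proxy.svc:80/`) so the `static://200` upstream plus oauth2-proxy's own 302 handle both cases. Because `Authorization` is listed in `authResponseHeaders`, every Service behind this middleware receives the user's bearer token; a comment noting that, so the middleware is attached only to upstreams trusted with that credential, would be worthwhile.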
@@ -0,0 +1,67 @@
+replicaCount: 1
+
+config:
+ configFile: |-
+ provider = "keycloak-oidc"
+ provider_display_name = "Keycloak"
+ oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
+ redirect_url = "https://oauth.hexor.cy/oauth2/callback"
+ email_domains = ["*"]
+ cookie_domains = [".hexor.cy"]
+ whitelist_domains = [".hexor.cy"]
+ cookie_secure = true
+ cookie_samesite = "lax"
+ upstreams = ["static://200"]
+ reverse_proxy = true
+ set_xauthrequest = true
+ set_authorization_header = true
+ pass_access_token = true
+ pass_authorization_header = true
+ skip_provider_button = true
+ code_challenge_method = "S256"
+ scope = "openid profile email"
+
+extraEnv:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-creds
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-creds
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-creds
+ key: cookie_secret
+
+ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ hosts:
+ - oauth.hexor.cy
+ tls:
+ - secretName: oauth2-proxy-tls
+ hosts:
+ - oauth.hexor.cy
+
+resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+
+nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
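Review bot: `email_domains = ["*"]` with no `allowed_groups`/`allowed_roles` means any account that can authenticate to the `hexor` realm passes ForwardAuth for every route that attaches this middleware, including the one named `secret-reader` in this same commit; unless the realm is strictly single-user, add `allowed_groups = ["<group>"]` here (the keycloak-oidc provider reads the `groups` claim, which the realm must emit) or restrict per route with `/oauth2/auth?allowed_groups=<group>` on the middleware address, and leave a comment explaining why `*` is acceptable if it is. `cookie_domains = [".hexor.cy"]` scopes the session cookie to the whole parent domain, so it is sent to every `*.hexor.cy` host (for example the Gitea at `gt.hexor.cy` referenced by app.yaml) and a compromised sibling service could replay it; that is inherent to this shared-SSO layout but worth a comment, and the default `cookie_httponly = true` should stay untouched. The chart also injects `OAUTH2_PROXY_CLIENT_ID`/`CLIENT_SECRET`/`COOKIE_SECRET` from its own generated Secret unless `config.existingSecret` is set, so the `extraEnv` entries here appear to duplicate those env names and rely on last-one-wins ordering; `config.existingSecret: oauth2-proxy-creds` with the chart's expected keys (`client-id`, `client-secret`, `cookie-secret`) is the supported path — worth confirming against chart 7.12.6.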