diff --git a/k8s/apps/mtproxy/secret-reader-ingress.yaml b/k8s/apps/mtproxy/secret-reader-ingress.yaml index 92badbc..5d627c4 100644 --- a/k8s/apps/mtproxy/secret-reader-ingress.yaml +++ b/k8s/apps/mtproxy/secret-reader-ingress.yaml @@ -2,10 +2,10 @@ apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: keycloak-auth + name: auth-proxy spec: forwardAuth: - address: http://oauth2-proxy.oauth2-proxy.svc:80 + address: http://auth-proxy.auth-proxy.svc:80/auth trustForwardHeader: true authResponseHeaders: - X-Auth-Request-User @@ -25,7 +25,7 @@ spec: - match: Host(`secret-reader.hexor.cy`) kind: Rule middlewares: - - name: keycloak-auth + - name: auth-proxy services: - name: secret-reader port: 80 diff --git a/k8s/core/oauth2-proxy/app.yaml b/k8s/core/auth-proxy/app.yaml similarity index 82% rename from k8s/core/oauth2-proxy/app.yaml rename to k8s/core/auth-proxy/app.yaml index 15dc7e1..2b18b8b 100644 --- a/k8s/core/oauth2-proxy/app.yaml +++ b/k8s/core/auth-proxy/app.yaml @@ -1,17 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: oauth2-proxy + name: auth-proxy namespace: argocd spec: project: core destination: - namespace: oauth2-proxy + namespace: auth-proxy server: https://kubernetes.default.svc source: repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git targetRevision: HEAD - path: k8s/core/oauth2-proxy + path: k8s/core/auth-proxy syncPolicy: automated: selfHeal: true diff --git a/k8s/core/auth-proxy/deployment.yaml b/k8s/core/auth-proxy/deployment.yaml new file mode 100644 index 0000000..00a2407 --- /dev/null +++ b/k8s/core/auth-proxy/deployment.yaml @@ -0,0 +1,79 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: auth-proxy + labels: + app: auth-proxy +spec: + replicas: 1 + selector: + matchLabels: + app: auth-proxy + template: + metadata: + labels: + app: auth-proxy + spec: + containers: + - name: auth-proxy + image: ultradesu/rsauth2-proxy:0.1.0 + ports: + - containerPort: 8080 + name: http + protocol: TCP + envFrom: + - secretRef: + name: auth-proxy-creds + env: + - name: AUTH_PROXY_OIDC_ISSUER + value: "https://auth.hexor.cy/auth/realms/hexor" + - name: AUTH_PROXY_COOKIE_DOMAIN + value: ".hexor.cy" + - name: AUTH_PROXY_CALLBACK_URL + value: "https://oauth.hexor.cy/callback" + - name: AUTH_PROXY_ROUTES_FILE + value: "/config/routes.yaml" + - name: AUTH_PROXY_LOG_LEVEL + value: "info" + volumeMounts: + - name: routes + mountPath: /config + readOnly: true + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 200m + memory: 64Mi + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + volumes: + - name: routes + configMap: + name: auth-proxy-routes + nodeSelector: + kubernetes.io/hostname: master.tail2fe2d.ts.net + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule diff --git a/k8s/core/oauth2-proxy/external-secrets.yaml b/k8s/core/auth-proxy/external-secrets.yaml similarity index 83% rename from k8s/core/oauth2-proxy/external-secrets.yaml rename to k8s/core/auth-proxy/external-secrets.yaml index fd9be9e..e1432d5 100644 --- a/k8s/core/oauth2-proxy/external-secrets.yaml +++ b/k8s/core/auth-proxy/external-secrets.yaml @@ -2,18 +2,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: oauth2-proxy-creds + name: auth-proxy-creds spec: target: - name: oauth2-proxy-creds + name: auth-proxy-creds deletionPolicy: Delete template: type: Opaque data: - client-id: oauth2-proxy - client-secret: |- + AUTH_PROXY_CLIENT_ID: rsauth2-proxy + AUTH_PROXY_CLIENT_SECRET: |- {{ .client_secret }} - cookie-secret: |- + AUTH_PROXY_COOKIE_SECRET: |- {{ .cookie_secret }} data: - secretKey: client_secret diff --git a/k8s/core/auth-proxy/ingress.yaml b/k8s/core/auth-proxy/ingress.yaml new file mode 100644 index 0000000..152accf --- /dev/null +++ b/k8s/core/auth-proxy/ingress.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: auth-proxy +spec: + entryPoints: + - websecure + routes: + - match: Host(`oauth.hexor.cy`) + kind: Rule + services: + - name: auth-proxy + port: 80 + tls: + secretName: auth-proxy-tls +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: auth-proxy-tls +spec: + secretName: auth-proxy-tls + issuerRef: + name: letsencrypt + kind: ClusterIssuer + dnsNames: + - oauth.hexor.cy diff --git a/k8s/core/auth-proxy/kustomization.yaml b/k8s/core/auth-proxy/kustomization.yaml new file mode 100644 index 0000000..d529dd5 --- /dev/null +++ b/k8s/core/auth-proxy/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - app.yaml + - external-secrets.yaml + - routes.yaml + - deployment.yaml + - service.yaml + - ingress.yaml diff --git a/k8s/core/auth-proxy/routes.yaml b/k8s/core/auth-proxy/routes.yaml new file mode 100644 index 0000000..a0a27ec --- /dev/null +++ b/k8s/core/auth-proxy/routes.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: auth-proxy-routes +data: + routes.yaml: | + routes: + secret-reader.hexor.cy: + allowed_groups: [] diff --git a/k8s/core/auth-proxy/service.yaml b/k8s/core/auth-proxy/service.yaml new file mode 100644 index 0000000..aee9af0 --- /dev/null +++ b/k8s/core/auth-proxy/service.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: auth-proxy + labels: + app: auth-proxy +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + protocol: TCP + selector: + app: auth-proxy diff --git a/k8s/core/oauth2-proxy/kustomization.yaml b/k8s/core/oauth2-proxy/kustomization.yaml deleted file mode 100644 index 85c1d35..0000000 --- a/k8s/core/oauth2-proxy/kustomization.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - app.yaml - - external-secrets.yaml - -helmCharts: - - name: oauth2-proxy - repo: https://oauth2-proxy.github.io/manifests - version: 10.4.3 - releaseName: oauth2-proxy - namespace: oauth2-proxy - valuesFile: values.yaml diff --git a/k8s/core/oauth2-proxy/middleware.yaml b/k8s/core/oauth2-proxy/middleware.yaml deleted file mode 100644 index 0416a9c..0000000 --- a/k8s/core/oauth2-proxy/middleware.yaml +++ /dev/null @@ -1,3 +0,0 @@ -# Middleware is deployed per-namespace alongside each IngressRoute -# because Traefik does not allow cross-namespace middleware references. -# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example. diff --git a/k8s/core/oauth2-proxy/values.yaml b/k8s/core/oauth2-proxy/values.yaml deleted file mode 100644 index 006e2a9..0000000 --- a/k8s/core/oauth2-proxy/values.yaml +++ /dev/null @@ -1,51 +0,0 @@ -replicaCount: 1 - -config: - existingSecret: oauth2-proxy-creds - configFile: |- - provider = "keycloak-oidc" - provider_display_name = "Keycloak" - oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor" - redirect_url = "https://oauth.hexor.cy/oauth2/callback" - email_domains = ["*"] - cookie_domains = [".hexor.cy"] - whitelist_domains = [".hexor.cy"] - cookie_secure = true - cookie_samesite = "lax" - upstreams = ["static://200"] - reverse_proxy = true - set_xauthrequest = true - set_authorization_header = true - pass_access_token = true - pass_authorization_header = true - skip_provider_button = true - code_challenge_method = "S256" - scope = "openid profile email" - -ingress: - enabled: true - className: traefik - annotations: - cert-manager.io/cluster-issuer: letsencrypt - traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd - hosts: - - oauth.hexor.cy - tls: - - secretName: oauth2-proxy-tls - hosts: - - oauth.hexor.cy - -resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi - -nodeSelector: - kubernetes.io/hostname: master.tail2fe2d.ts.net - -tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule diff --git a/terraform/keycloak/.terraform.lock.hcl b/terraform/keycloak/.terraform.lock.hcl new file mode 100644 index 0000000..89a224d --- /dev/null +++ b/terraform/keycloak/.terraform.lock.hcl @@ -0,0 +1,27 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/keycloak/keycloak" { + version = "5.7.0" + constraints = ">= 5.0.0" + hashes = [ + "h1:3DuKdVeOxwULh7l6bvJKWZvsgSZo92rtnrdvyp+X2Lc=", + "zh:19be4505b17e4818db121a82917cb6723019cf379cfb82b720eaa2886f15bede", + "zh:2bd1565ed22db6a9fb50d60626e22c277f3b034a71f65e6c0011e42f56cad2bb", + "zh:34a9e2dfb06331dc6146491c4a0721001195c6a769cdc2d4546edb2acf2b39bd", + "zh:3f86bf9eac6d73eeaa926471826b6888da77950f68e6a3a95dc2d9201a4a88fa", + "zh:4b9053fde2c8dee6469c8b273bf5491a27228a1df28e30b86714118f0f876baf", + "zh:522aa6bcecc6b8d517415237f4ec079488ef7de0e980a634bf6a8b481c13effc", + "zh:52f85208815ca65b8d3cd5465b28005ba63f854122bc61fbf04925c986d48e78", + "zh:636555042a6051d2e1113e5f945edb9f432e2d09b81cf6e50a59a534819d98dd", + "zh:73a1fecfb3d9666bf87c2eb7d001281b8cfcd7132573b8c3d4febc2db55f0a2f", + "zh:76fa26d055ceeb0869a50e4b63871f4b07f55045af6b46b83686016531e9fb22", + "zh:8df147e619d7ac3d3f9840ba0d1895d34bde179e818863e2e7b52e2c05c12f58", + "zh:9c830253990e13ec284d0d312fea562938e4a8fc664dacb3af5f1eb16dcae1ae", + "zh:abd0bd630b362cd6f77fbb33625bc6f515782eb58cb096b4ce69dea252254aef", + "zh:d1474a67ffc3288b2d0c99f6e8edc937ac8ef54afed0306e3c6f033aa836a5f6", + "zh:ed19408f15667bfb572120858bdde929a20ce2d1f29468973905980c03299767", + "zh:ef8bc311f7d1ad821b65ba43af92e2ce835e739d391098b13e01a61747b5c648", + "zh:f57319d9a7ac387d5070c909fd0084ccfc296f1f3193efde995ae24aa1729a39", + ] +} diff --git a/terraform/keycloak/main.tf b/terraform/keycloak/main.tf new file mode 100644 index 0000000..7cb9655 --- /dev/null +++ b/terraform/keycloak/main.tf @@ -0,0 +1,133 @@ +# ============================================================================= +# Realm +# ============================================================================= + +resource "keycloak_realm" "hexor" { + realm = "hexor" + enabled = true + + display_name = "Hexor" + + login_theme = "keycloak" + account_theme = "keycloak.v3" + + registration_allowed = false + reset_password_allowed = true + remember_me = true + verify_email = false + login_with_email_allowed = true + duplicate_emails_allowed = false + + ssl_required = "external" +} + +# ============================================================================= +# Google Identity Provider +# ============================================================================= + +resource "keycloak_oidc_google_identity_provider" "google" { + realm = keycloak_realm.hexor.id + client_id = var.google_client_id + client_secret = var.google_client_secret + + trust_email = true + sync_mode = "IMPORT" +} + +# ============================================================================= +# Default groups +# ============================================================================= + +resource "keycloak_group" "users" { + realm_id = keycloak_realm.hexor.id + name = "users" +} + +resource "keycloak_default_groups" "default" { + realm_id = keycloak_realm.hexor.id + group_ids = [keycloak_group.users.id] +} + +# ============================================================================= +# rsauth2-proxy client (production) +# ============================================================================= + +resource "keycloak_openid_client" "rsauth2_proxy" { + realm_id = keycloak_realm.hexor.id + client_id = "rsauth2-proxy" + + name = "rsauth2-proxy" + enabled = true + access_type = "CONFIDENTIAL" + standard_flow_enabled = true + direct_access_grants_enabled = false + + valid_redirect_uris = [ + "https://oauth.hexor.cy/callback", + ] + + web_origins = [ + "https://oauth.hexor.cy", + ] +} + +resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_groups" { + realm_id = keycloak_realm.hexor.id + client_id = keycloak_openid_client.rsauth2_proxy.id + name = "groups" + claim_name = "groups" + full_path = false +} + +resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" { + realm_id = keycloak_realm.hexor.id + client_id = keycloak_openid_client.rsauth2_proxy.id + + default_scopes = [ + "openid", + "profile", + "email", + ] +} + +# ============================================================================= +# rsauth2-proxy client (localhost testing) +# ============================================================================= + +resource "keycloak_openid_client" "rsauth2_proxy_dev" { + realm_id = keycloak_realm.hexor.id + client_id = "rsauth2-proxy-dev" + + name = "rsauth2-proxy (dev)" + enabled = true + access_type = "CONFIDENTIAL" + standard_flow_enabled = true + direct_access_grants_enabled = false + + valid_redirect_uris = [ + "http://localhost:8080/callback", + ] + + web_origins = [ + "http://localhost:8080", + ] +} + +resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" { + realm_id = keycloak_realm.hexor.id + client_id = keycloak_openid_client.rsauth2_proxy_dev.id + name = "groups" + claim_name = "groups" + full_path = false +} + +resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" { + realm_id = keycloak_realm.hexor.id + client_id = keycloak_openid_client.rsauth2_proxy_dev.id + + default_scopes = [ + "openid", + "profile", + "email", + ] +} diff --git a/terraform/keycloak/outputs.tf b/terraform/keycloak/outputs.tf new file mode 100644 index 0000000..381d622 --- /dev/null +++ b/terraform/keycloak/outputs.tf @@ -0,0 +1,25 @@ +output "realm_id" { + value = keycloak_realm.hexor.id +} + +output "google_idp_alias" { + value = keycloak_oidc_google_identity_provider.google.alias +} + +output "rsauth2_proxy_client_id" { + value = keycloak_openid_client.rsauth2_proxy.client_id +} + +output "rsauth2_proxy_client_secret" { + value = keycloak_openid_client.rsauth2_proxy.client_secret + sensitive = true +} + +output "rsauth2_proxy_dev_client_id" { + value = keycloak_openid_client.rsauth2_proxy_dev.client_id +} + +output "rsauth2_proxy_dev_client_secret" { + value = keycloak_openid_client.rsauth2_proxy_dev.client_secret + sensitive = true +} diff --git a/terraform/keycloak/providers.tf b/terraform/keycloak/providers.tf new file mode 100644 index 0000000..14c28ac --- /dev/null +++ b/terraform/keycloak/providers.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + keycloak = { + source = "keycloak/keycloak" + version = ">= 5.0.0" + } + } +} + +provider "keycloak" { + url = var.keycloak_url + base_path = "/auth" + client_id = var.keycloak_client_id + client_secret = var.keycloak_client_secret +} diff --git a/terraform/keycloak/state.tf b/terraform/keycloak/state.tf new file mode 100644 index 0000000..cb295a2 --- /dev/null +++ b/terraform/keycloak/state.tf @@ -0,0 +1,8 @@ +terraform { + cloud { + organization = "ultradesu" + workspaces { + name = "Keycloak" + } + } +} diff --git a/terraform/keycloak/variables.tf b/terraform/keycloak/variables.tf new file mode 100644 index 0000000..1debe6f --- /dev/null +++ b/terraform/keycloak/variables.tf @@ -0,0 +1,28 @@ +variable "keycloak_url" { + description = "Keycloak URL (set via TF_VAR_keycloak_url)" + type = string + default = "https://auth.hexor.cy" +} + +variable "keycloak_client_id" { + description = "Keycloak Terraform client ID (set via TF_VAR_keycloak_client_id)" + type = string + default = "terraform" +} + +variable "keycloak_client_secret" { + description = "Keycloak Terraform client secret (set via TF_VAR_keycloak_client_secret)" + type = string + sensitive = true +} + +variable "google_client_id" { + description = "Google OAuth client ID (set via TF_VAR_google_client_id)" + type = string +} + +variable "google_client_secret" { + description = "Google OAuth client secret (set via TF_VAR_google_client_secret)" + type = string + sensitive = true +}