Deployed rsauth2-proxy

k8s/core/auth-proxy/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth-proxy
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: auth-proxy
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/auth-proxy
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/auth-proxy/deployment.yaml

@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-proxy
+  template:
+    metadata:
+      labels:
+        app: auth-proxy
+    spec:
+      containers:
+        - name: auth-proxy
+          image: ultradesu/rsauth2-proxy:0.1.0
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: auth-proxy-creds
+          env:
+            - name: AUTH_PROXY_OIDC_ISSUER
+              value: "https://auth.hexor.cy/auth/realms/hexor"
+            - name: AUTH_PROXY_COOKIE_DOMAIN
+              value: ".hexor.cy"
+            - name: AUTH_PROXY_CALLBACK_URL
+              value: "https://oauth.hexor.cy/callback"
+            - name: AUTH_PROXY_ROUTES_FILE
+              value: "/config/routes.yaml"
+            - name: AUTH_PROXY_LOG_LEVEL
+              value: "info"
+          volumeMounts:
+            - name: routes
+              mountPath: /config
+              readOnly: true
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 200m
+              memory: 64Mi
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: routes
+          configMap:
+            name: auth-proxy-routes
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule

k8s/core/auth-proxy/external-secrets.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: auth-proxy-creds
+spec:
+  target:
+    name: auth-proxy-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        AUTH_PROXY_CLIENT_ID: rsauth2-proxy
+        AUTH_PROXY_CLIENT_SECRET: |-
+          {{ .client_secret }}
+        AUTH_PROXY_COOKIE_SECRET: |-
+          {{ .cookie_secret }}
+  data:
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: login.password
+    - secretKey: cookie_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: fields[0].value

k8s/core/auth-proxy/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: auth-proxy
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`oauth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: auth-proxy
+          port: 80
+  tls:
+    secretName: auth-proxy-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: auth-proxy-tls
+spec:
+  secretName: auth-proxy-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - oauth.hexor.cy

k8s/core/auth-proxy/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+  - routes.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml

k8s/core/auth-proxy/routes.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: auth-proxy-routes
+data:
+  routes.yaml: |
+    routes:
+      secret-reader.hexor.cy:
+        allowed_groups: []

k8s/core/auth-proxy/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-proxy
+  labels:
+    app: auth-proxy
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: auth-proxy