Added oauth2 proxy

k8s/apps/mtproxy/kustomization.yaml

@@ -12,4 +12,5 @@ resources:
   - ./telemt-servicemonitor.yaml
   - ./service.yaml
   - ./secret-reader.yaml
+  - ./secret-reader-ingress.yaml
 # - ./storage.yaml

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: keycloak-auth
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.oauth2-proxy.svc:80
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: secret-reader
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`secret-reader.hexor.cy`)
+      kind: Rule
+      middlewares:
+        - name: keycloak-auth
+      services:
+        - name: secret-reader
+          port: 80
+  tls:
+    secretName: secret-reader-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: secret-reader-tls
+spec:
+  secretName: secret-reader-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - secret-reader.hexor.cy

k8s/apps/pasarguard/deployment.yaml

@@ -1,4 +1,5 @@
 ---
+image: &image 'pasarguard/panel:v3.1.0'
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -34,7 +35,7 @@ spec:
               mountPath: /templates/subscription
       containers:
         - name: pasarguard-web
-          image: 'pasarguard/panel:v3.1.0'
+          image: *image
           imagePullPolicy: Always
           envFrom:
             - secretRef:

k8s/core/kanidm/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kanidm
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: kanidm
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/kanidm
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/kanidm/certificate.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kanidm-tls
+spec:
+  secretName: kanidm-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - auth.hexor.cy

k8s/core/kanidm/configmap.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kanidm-config
+data:
+  server.toml: |
+    bindaddress = "[::]:443"
+    db_path = "/data/kanidm.db"
+    tls_chain = "/certs/tls.crt"
+    tls_key = "/certs/tls.key"
+    domain = "auth.hexor.cy"
+    origin = "https://auth.hexor.cy"
+    log_level = "info"
+
+    [online_backup]
+    path = "/data/backups/"
+    schedule = "00 22 * * *"
+    versions = 7

k8s/core/kanidm/ingress.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kanidm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.hexor.cy`)
+      kind: Rule
+      services:
+        - name: kanidm
+          port: 443
+          scheme: https
+          serversTransport: kanidm-transport
+  tls:
+    secretName: kanidm-ingress-tls

k8s/core/kanidm/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - configmap.yaml
+  - certificate.yaml
+  - statefulset.yaml
+  - service.yaml
+  - ingress.yaml
+  - servers-transport.yaml

k8s/core/kanidm/servers-transport.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kanidm-transport
+spec:
+  insecureSkipVerify: true

k8s/core/kanidm/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+  selector:
+    app: kanidm

k8s/core/kanidm/statefulset.yaml

@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: kanidm
+  labels:
+    app: kanidm
+spec:
+  serviceName: kanidm
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kanidm
+  template:
+    metadata:
+      labels:
+        app: kanidm
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: kanidm
+          image: kanidm/server:1.9.3
+          ports:
+            - containerPort: 443
+              name: https
+              protocol: TCP
+          volumeMounts:
+            - name: kanidm-data
+              mountPath: /data
+            - name: kanidm-config
+              mountPath: /data/server.toml
+              subPath: server.toml
+              readOnly: true
+            - name: kanidm-tls
+              mountPath: /certs
+              readOnly: true
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          readinessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /status
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsUser: 1000
+            runAsGroup: 1000
+      volumes:
+        - name: kanidm-config
+          configMap:
+            name: kanidm-config
+        - name: kanidm-tls
+          secret:
+            secretName: kanidm-tls
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+  volumeClaimTemplates:
+    - metadata:
+        name: kanidm-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 1Gi

k8s/core/keycloak/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: keycloak
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/keycloak
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/keycloak/external-secrets.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: keycloak-creds
+spec:
+  target:
+    name: keycloak-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: |-
+          {{ .db_password }}
+        KC_BOOTSTRAP_ADMIN_USERNAME: admin
+        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
+          {{ .admin_password }}
+  data:
+    - secretKey: db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value
+    - secretKey: admin_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
+        property: login.password

k8s/core/keycloak/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: keycloakx
+    repo: https://codecentric.github.io/helm-charts
+    version: 7.1.11
+    releaseName: keycloak
+    namespace: keycloak
+    valuesFile: values.yaml

k8s/core/keycloak/values.yaml

@@ -0,0 +1,67 @@
+replicas: 1
+
+image:
+  repository: quay.io/keycloak/keycloak
+  tag: "26.5.6"
+
+command:
+  - "/opt/keycloak/bin/kc.sh"
+  - "start"
+  - "--http-port=8080"
+  - "--hostname-strict=false"
+  - "--proxy-headers=xforwarded"
+
+extraEnvFrom: |
+  - secretRef:
+      name: keycloak-creds
+
+extraEnv: |
+  - name: KC_HOSTNAME
+    value: auth.hexor.cy
+  - name: JAVA_OPTS_APPEND
+    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
+
+dbchecker:
+  enabled: true
+
+database:
+  vendor: postgres
+  hostname: psql.psql.svc
+  port: 5432
+  database: keycloak
+  existingSecret: keycloak-creds
+  existingSecretKey: KC_DB_PASSWORD
+
+service:
+  type: ClusterIP
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  rules:
+    - host: auth.hexor.cy
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: keycloak-tls
+      hosts:
+        - auth.hexor.cy
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule

k8s/core/oauth2-proxy/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: oauth2-proxy
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: oauth2-proxy
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/oauth2-proxy
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/oauth2-proxy/external-secrets.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: oauth2-proxy-creds
+spec:
+  target:
+    name: oauth2-proxy-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        client-id: oauth2-proxy
+        client-secret: |-
+          {{ .client_secret }}
+        cookie-secret: |-
+          {{ .cookie_secret }}
+  data:
+    - secretKey: client_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: login.password
+    - secretKey: cookie_secret
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
+        property: fields[0].value

k8s/core/oauth2-proxy/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: oauth2-proxy
+    repo: https://oauth2-proxy.github.io/manifests
+    version: 10.4.3
+    releaseName: oauth2-proxy
+    namespace: oauth2-proxy
+    valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -0,0 +1,3 @@
+# Middleware is deployed per-namespace alongside each IngressRoute
+# because Traefik does not allow cross-namespace middleware references.
+# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.

k8s/core/oauth2-proxy/values.yaml

@@ -0,0 +1,51 @@
+replicaCount: 1
+
+config:
+  existingSecret: oauth2-proxy-creds
+  configFile: |-
+    provider = "keycloak-oidc"
+    provider_display_name = "Keycloak"
+    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
+    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
+    email_domains = ["*"]
+    cookie_domains = [".hexor.cy"]
+    whitelist_domains = [".hexor.cy"]
+    cookie_secure = true
+    cookie_samesite = "lax"
+    upstreams = ["static://200"]
+    reverse_proxy = true
+    set_xauthrequest = true
+    set_authorization_header = true
+    pass_access_token = true
+    pass_authorization_header = true
+    skip_provider_button = true
+    code_challenge_method = "S256"
+    scope = "openid profile email"
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  hosts:
+    - oauth.hexor.cy
+  tls:
+    - secretName: oauth2-proxy-tls
+      hosts:
+        - oauth.hexor.cy
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 200m
+    memory: 128Mi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule

k8s/core/postgresql/external-secrets.yaml

@@ -135,6 +135,8 @@ spec:
           {{ .furumi }}
         USER_furumi_dev: |-
           {{ .furumi_dev }}
+        USER_keycloak: |-
+          {{ .keycloak }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -323,4 +325,14 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[17].value
-
+    - secretKey: keycloak
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value