Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Gitea Actions Bot
|
f6387bf0b1 |
@@ -1,18 +1,5 @@
|
|||||||
---
|
---
|
||||||
apiVersion: traefik.io/v1alpha1
|
apiVersion: traefik.io/v1alpha1
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: keycloak-auth
|
|
||||||
spec:
|
|
||||||
forwardAuth:
|
|
||||||
address: http://oauth2-proxy.oauth2-proxy.svc:80
|
|
||||||
trustForwardHeader: true
|
|
||||||
authResponseHeaders:
|
|
||||||
- X-Auth-Request-User
|
|
||||||
- X-Auth-Request-Email
|
|
||||||
- X-Auth-Request-Groups
|
|
||||||
---
|
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: IngressRoute
|
kind: IngressRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: secret-reader
|
name: secret-reader
|
||||||
@@ -26,6 +13,7 @@ spec:
|
|||||||
kind: Rule
|
kind: Rule
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: keycloak-auth
|
- name: keycloak-auth
|
||||||
|
namespace: oauth2-proxy
|
||||||
services:
|
services:
|
||||||
- name: secret-reader
|
- name: secret-reader
|
||||||
port: 80
|
port: 80
|
||||||
|
|||||||
@@ -10,10 +10,10 @@ spec:
|
|||||||
template:
|
template:
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
client-id: oauth2-proxy
|
client_id: oauth2-proxy
|
||||||
client-secret: |-
|
client_secret: |-
|
||||||
{{ .client_secret }}
|
{{ .client_secret }}
|
||||||
cookie-secret: |-
|
cookie_secret: |-
|
||||||
{{ .cookie_secret }}
|
{{ .cookie_secret }}
|
||||||
data:
|
data:
|
||||||
- secretKey: client_secret
|
- secretKey: client_secret
|
||||||
|
|||||||
@@ -4,6 +4,7 @@ kind: Kustomization
|
|||||||
resources:
|
resources:
|
||||||
- app.yaml
|
- app.yaml
|
||||||
- external-secrets.yaml
|
- external-secrets.yaml
|
||||||
|
- middleware.yaml
|
||||||
|
|
||||||
helmCharts:
|
helmCharts:
|
||||||
- name: oauth2-proxy
|
- name: oauth2-proxy
|
||||||
|
|||||||
@@ -1,3 +1,14 @@
|
|||||||
# Middleware is deployed per-namespace alongside each IngressRoute
|
---
|
||||||
# because Traefik does not allow cross-namespace middleware references.
|
apiVersion: traefik.io/v1alpha1
|
||||||
# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: keycloak-auth
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-Auth-Request-User
|
||||||
|
- X-Auth-Request-Email
|
||||||
|
- X-Auth-Request-Groups
|
||||||
|
- Authorization
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
replicaCount: 1
|
replicaCount: 1
|
||||||
|
|
||||||
config:
|
config:
|
||||||
existingSecret: oauth2-proxy-creds
|
|
||||||
configFile: |-
|
configFile: |-
|
||||||
provider = "keycloak-oidc"
|
provider = "keycloak-oidc"
|
||||||
provider_display_name = "Keycloak"
|
provider_display_name = "Keycloak"
|
||||||
@@ -22,6 +21,23 @@ config:
|
|||||||
code_challenge_method = "S256"
|
code_challenge_method = "S256"
|
||||||
scope = "openid profile email"
|
scope = "openid profile email"
|
||||||
|
|
||||||
|
extraEnv:
|
||||||
|
- name: OAUTH2_PROXY_CLIENT_ID
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: oauth2-proxy-creds
|
||||||
|
key: client_id
|
||||||
|
- name: OAUTH2_PROXY_CLIENT_SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: oauth2-proxy-creds
|
||||||
|
key: client_secret
|
||||||
|
- name: OAUTH2_PROXY_COOKIE_SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: oauth2-proxy-creds
|
||||||
|
key: cookie_secret
|
||||||
|
|
||||||
ingress:
|
ingress:
|
||||||
enabled: true
|
enabled: true
|
||||||
className: traefik
|
className: traefik
|
||||||
|
|||||||
Reference in New Issue
Block a user