Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Gitea Actions Bot
|
2cfcccd73c | ||
 Ultradesu
|
b75036b756 | ||
 ab
|
15abaac453 | ||
|
ab
|
24218d4d50 | ||
|
ab
|
70b652b079 | ||
|
Ultradesu
|
f6ad2edde4 | ||
|
Ultradesu
|
1fb779255f |
@@ -0,0 +1,46 @@
|
|||||||
|
---
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: auth-proxy
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://auth-proxy.auth-proxy.svc:80/auth
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-Auth-Request-User
|
||||||
|
- X-Auth-Request-Email
|
||||||
|
- X-Auth-Request-Groups
|
||||||
|
---
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: secret-reader
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- websecure
|
||||||
|
routes:
|
||||||
|
- match: Host(`pass.hexor.cy`)
|
||||||
|
kind: Rule
|
||||||
|
middlewares:
|
||||||
|
- name: auth-proxy
|
||||||
|
services:
|
||||||
|
- name: secret-reader
|
||||||
|
port: 80
|
||||||
|
tls:
|
||||||
|
secretName: secret-reader-tls
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: secret-reader-tls
|
||||||
|
spec:
|
||||||
|
secretName: secret-reader-tls
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt
|
||||||
|
kind: ClusterIssuer
|
||||||
|
dnsNames:
|
||||||
|
- pass.hexor.cy
|
||||||
|
|
||||||
+16
-17
@@ -24,31 +24,30 @@ configs:
|
|||||||
statusbadge.enabled: true
|
statusbadge.enabled: true
|
||||||
timeout.reconciliation: 60s
|
timeout.reconciliation: 60s
|
||||||
oidc.config: |
|
oidc.config: |
|
||||||
name: Authentik
|
name: Keycloak
|
||||||
issuer: https://idm.hexor.cy/application/o/argocd/
|
issuer: https://auth.hexor.cy/auth/realms/hexor
|
||||||
clientID: $oidc-creds:id
|
clientID: $oidc-creds:id
|
||||||
clientSecret: $oidc-creds:secret
|
clientSecret: $oidc-creds:secret
|
||||||
requestedScopes: ["openid", "profile", "email", "groups", "offline_access"]
|
requestedScopes: ["openid", "profile", "email", "offline_access"]
|
||||||
requestedIDTokenClaims: {"groups": {"essential": true}}
|
requestedIDTokenClaims: {"groups": {"essential": true}}
|
||||||
refreshTokenThreshold: 2m
|
refreshTokenThreshold: 2m
|
||||||
rbac:
|
rbac:
|
||||||
create: true
|
create: true
|
||||||
policy.default: ""
|
policy.default: ""
|
||||||
policy.csv: |
|
policy.csv: |
|
||||||
# Bound OIDC Group and internal role
|
g, game-servers-managers, GameServersManagersRole
|
||||||
g, Game Servers Managers, GameServersManagersRole
|
# Role permissions
|
||||||
# Role permissions
|
p, GameServersManagersRole, applications, get, games/*, allow
|
||||||
p, GameServersManagersRole, applications, get, games/*, allow
|
p, GameServersManagersRole, applications, update, games/*, allow
|
||||||
p, GameServersManagersRole, applications, update, games/*, allow
|
p, GameServersManagersRole, applications, sync, games/*, allow
|
||||||
p, GameServersManagersRole, applications, sync, games/*, allow
|
p, GameServersManagersRole, applications, override, games/*, allow
|
||||||
p, GameServersManagersRole, applications, override, games/*, allow
|
p, GameServersManagersRole, applications, action/*, games/*, allow
|
||||||
p, GameServersManagersRole, applications, action/*, games/*, allow
|
p, GameServersManagersRole, exec, create, games/*, allow
|
||||||
p, GameServersManagersRole, exec, create, games/*, allow
|
p, GameServersManagersRole, logs, get, games/*, allow
|
||||||
p, GameServersManagersRole, logs, get, games/*, allow
|
p, GameServersManagersRole, applications, delete, games/*, deny
|
||||||
p, GameServersManagersRole, applications, delete, games/*, deny
|
|
||||||
|
# Admin policy
|
||||||
# Admin policy
|
g, argocd-admins, role:admin
|
||||||
g, ArgoCD Admins, role:admin
|
|
||||||
|
|
||||||
secret:
|
secret:
|
||||||
createSecret: true
|
createSecret: true
|
||||||
|
|||||||
@@ -17,7 +17,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: auth-proxy
|
- name: auth-proxy
|
||||||
image: ultradesu/rsauth2-proxy:0.1.0
|
image: ultradesu/rsauth2-proxy:latest
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8080
|
- containerPort: 8080
|
||||||
name: http
|
name: http
|
||||||
|
|||||||
@@ -7,4 +7,5 @@ resources:
|
|||||||
- deployment.yaml
|
- deployment.yaml
|
||||||
- service.yaml
|
- service.yaml
|
||||||
- ingress.yaml
|
- ingress.yaml
|
||||||
|
- servicemonitor.yaml
|
||||||
# routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)
|
# routes.yaml ConfigMap is managed by Terraform (kubernetes_config_map)
|
||||||
|
|||||||
Reference in New Issue
Block a user