Add oauth2 proxy

.sops.yaml

@@ -1,4 +1,4 @@
 creation_rules:
-  - path_regex: overlays/.*\.(yaml|env)$
+  - path_regex: .*\.(yaml|env)$
     encrypted_regex: ^.+$
     age: "age1ju3xfm27kpus9wv9we6l5qr00ul23uj5jfxxz3skv6vjagtkasdsuwsqsp"

base/oauth2-proxy/deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: oauth-proxy
+  name: dpl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: oauth-proxy
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: oauth-proxy
+    spec:
+      volumes:
+        - name: oauth2-proxy-config
+          configMap:
+            name: oauth2-proxy-config
+      containers:
+      - name: oauth-proxy
+        image: "quay.io/oauth2-proxy/oauth2-proxy:v7.8.1"
+        ports:
+        - containerPort: 4180
+        env:
+          - name: OAUTH2_PROXY_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: oauth2-proxy-secret
+                key: client-id
+          - name: OAUTH2_PROXY_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: oauth2-proxy-secret
+                key: client-secret
+          - name: OAUTH2_PROXY_COOKIE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: oauth2-proxy-secret
+                key: cookie-secret
+        volumeMounts:
+        - name: oauth2-proxy-config
+          mountPath: /etc/oauth2-proxy.cfg
+          subPath: oauth2-proxy.cfg
+        args:
+          - --config=/etc/oauth2-proxy.cfg

base/oauth2-proxy/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ing
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: oauth2-proxy.la-suite.apps.digilab.network
+      http:
+        paths:
+          - backend:
+              service:
+                name: svc
+                port:
+                  number: 4180
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - oauth2-proxy.la-suite.apps.digilab.network
+      secretName: oauth2-tls

base/oauth2-proxy/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - ingress.yaml
+  - service.yaml
+
+namePrefix: oauth2-proxy-
+
+labels:
+  - pairs:
+      app.kubernetes.io/name: oauth2-proxy
+    includeSelectors: true
+
+buildMetadata: [originAnnotations]
+
+configMapGenerator:
+  - name: oauth2-proxy-config
+    files:
+      - oauth2-proxy.cfg
+
+secretGenerator:
+  - name: oauth2-proxy-secret
+    envs:
+      - secrets.env

base/oauth2-proxy/oauth2-proxy.cfg

@@ -0,0 +1,23 @@
+provider="keycloak-oidc"
+provider_display_name="LaSuite"
+login_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/auth"
+redeem_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/token"
+validate_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/userinfo"
+profile_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/userinfo"
+oidc_jwks_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/certs"
+oidc_issuer_url="https://id.la-suite.apps.digilab.network/realms/lasuite"
+ssl_insecure_skip_verify=true
+cookie_csrf_per_request=true
+cookie_domains=["meet.la-suite.apps.digilab.network","la-suite.apps.digilab.network"]
+cookie_secure="true"
+cookie_samesite="lax" 
+http_address="0.0.0.0:4180"
+upstreams="file:///dev/null"
+email_domains=["*"]
+scope="openid"
+whitelist_domains=[".la-suite.apps.digilab.network"]
+insecure_oidc_allow_unverified_email=true
+banner="-"
+footer="-"
+show_debug_on_error=true
+# force_https=true

base/oauth2-proxy/secrets.env

@@ -0,0 +1,9 @@
+client-id=ENC[AES256_GCM,data:apoXJaMT9qCrxTo=,iv:UV9oSvr7RuR53OU1CosiCACta6nVXlGkqPKNh8bGJPM=,tag:V0eS0OOzaFwuqaSHnONChg==,type:str]
+client-secret=ENC[AES256_GCM,data:d1+D80lpD4QMab6nxNZYqCQdhT66vCK+d29EVZnTmAg=,iv:OAdu1khGTrn213MuH7YHptKR0zqy1nmwHNlpy2uR4mo=,tag:t9HAG0mJNroXswajvagdWg==,type:str]
+cookie-secret=ENC[AES256_GCM,data:ikptOwllIYna5Cj9hgAe8ndYTUEvEWDARwltV5D1NHEHodxRD9tVCvIr7zI=,iv:ozaWUT22GNBo4O0AITi69uWYLsdv/3oeBfWvRFuJEag=,tag:V5OpWALHQInjh27R0jO58A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TXgzaURSQkQvdHVQS2xK\nMTBMWHFXc21lNGswZ0owVWRoNnhCRmpZT3pvCndoUzBnRzhpMEtOMVpSOFpNSVdn\nSnI5SVd3RjR0MHJTUkpndTUrNm9KNmsKLS0tIFlGb01XVm9ZdFlSVWM5S2daeU1t\nc1FmdU9wdmwrZkY1c3hGQjd4MSsva28KUWslUqqlth8x69sAuzt2gXIq4oznbGoX\nwpn7FUabyh/b46LF8e2Y6Ad1p64zdOQMGhdmU3G28pQTvyhtz2kW8w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ju3xfm27kpus9wv9we6l5qr00ul23uj5jfxxz3skv6vjagtkasdsuwsqsp
+sops_encrypted_regex=^.+$
+sops_lastmodified=2025-01-18T22:13:12Z
+sops_mac=ENC[AES256_GCM,data:QjAD9yk4uzzGN1yk6V8LC2JxkxpC3FkFu21ZH+PFTnDLOftVtOnK9FGzNXSSSnZL6yUtCi0YBEFkf28wk8ooDtubuNGuqkJvbSK3XR4IUG+y5CICbv3+mrJgyNy41kRvWAp9EcumIfYzE1bRQFdn7zVFx3iafGC2J2rd+3HPnSk=,iv:0WK9ihul6H7nWLwdGqmU60lYj0Z4S2SSFJzYXrSOvXU=,tag:s6yHKqN5iT0VcltYso5LlA==,type:str]
+sops_version=3.8.1

base/oauth2-proxy/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: oauth-proxy
+  name: svc
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/component: oauth-proxy
+  ports:
+  - name: http-oauthproxy
+    port: 4180

overlays/digilab/kustomization.yaml

@@ -56,6 +56,7 @@ resources:
   - ../../base/keycloak/
   - ../../base/vault/
   - ../../base/grafana/
+  - ../../base/oauth2-proxy/
 
 secretGenerator:
   - name: sec-keycloak