From cf79ac7a6e2a7c5625314c853f1f02dc2dc1c34c Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Sat, 18 Jan 2025 23:13:35 +0100 Subject: [PATCH] Add oauth2 proxy --- .sops.yaml | 2 +- base/oauth2-proxy/deployment.yaml | 47 ++++++++++++++++++++++++++++ base/oauth2-proxy/ingress.yaml | 23 ++++++++++++++ base/oauth2-proxy/kustomization.yaml | 26 +++++++++++++++ base/oauth2-proxy/oauth2-proxy.cfg | 20 ++++++++++++ base/oauth2-proxy/secrets.env | 9 ++++++ base/oauth2-proxy/service.yaml | 13 ++++++++ overlays/digilab/kustomization.yaml | 1 + 8 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 base/oauth2-proxy/deployment.yaml create mode 100644 base/oauth2-proxy/ingress.yaml create mode 100644 base/oauth2-proxy/kustomization.yaml create mode 100644 base/oauth2-proxy/oauth2-proxy.cfg create mode 100644 base/oauth2-proxy/secrets.env create mode 100644 base/oauth2-proxy/service.yaml diff --git a/.sops.yaml b/.sops.yaml index 9c2842f..e7eff73 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,4 +1,4 @@ creation_rules: - - path_regex: overlays/.*\.(yaml|env)$ + - path_regex: .*\.(yaml|env)$ encrypted_regex: ^.+$ age: "age1ju3xfm27kpus9wv9we6l5qr00ul23uj5jfxxz3skv6vjagtkasdsuwsqsp" diff --git a/base/oauth2-proxy/deployment.yaml b/base/oauth2-proxy/deployment.yaml new file mode 100644 index 0000000..5e1ee6a --- /dev/null +++ b/base/oauth2-proxy/deployment.yaml 
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: oauth-proxy
+ name: dpl
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: oauth-proxy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: oauth-proxy
+ spec:
+ volumes:
+ - name: oauth2-proxy-config
+ configMap:
+ name: oauth2-proxy-config
+ containers:
+ - name: oauth-proxy
+ image: "quay.io/oauth2-proxy/oauth2-proxy:v7.8.1"
+ ports:
+ - containerPort: 4180
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-secret
+ key: client-id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-secret
+ key: client-secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-secret
+ key: cookie-secret
+ volumeMounts:
+ - name: oauth2-proxy-config
+ mountPath: /etc/oauth2-proxy.cfg
+ subPath: oauth2-proxy.cfg
+ args:
+ - --config=/etc/oauth2-proxy.cfg
\ No newline at end of file
diff --git a/base/oauth2-proxy/ingress.yaml b/base/oauth2-proxy/ingress.yaml
new file mode 100644
index 0000000..ffa18fb
--- /dev/null
+++ b/base/oauth2-proxy/ingress.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ing
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: oauth2-proxy.la-suite.apps.digilab.network
+ http:
+ paths:
+ - backend:
+ service:
+ name: svc
+ port:
+ number: 4180
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - oauth2-proxy.la-suite.apps.digilab.network
+ secretName: oauth2-tls
\ No newline at end of file
diff --git a/base/oauth2-proxy/kustomization.yaml b/base/oauth2-proxy/kustomization.yaml
new file mode 100644
index 0000000..8120f3b
--- /dev/null
+++ b/base/oauth2-proxy/kustomization.yaml
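Review bot: The `oauth-proxy` container in the pod template has no `securityContext`, no `resources` and no readiness/liveness probes, so it runs with whatever the namespace defaults allow (privilege escalation, a writable root filesystem, all default capabilities) and the Service keeps routing to a pod that is not yet ready or has hung. As far as I know the upstream image is built to run as an unprivileged user and needs neither a writable filesystem nor capabilities, and oauth2-proxy serves `/ping` and `/ready` on its listener, so the hardening sketched below should have no functional impact — verify against the image before merging. The image is pinned by tag only; pinning `quay.io/oauth2-proxy/oauth2-proxy:v7.8.1` by digest as well makes the deployment reproducible against tag re-pushes. The resource values in the sketch are constructed placeholders to be sized for the real load.
```yaml
      containers:
        - name: oauth-proxy
          image: "quay.io/oauth2-proxy/oauth2-proxy:v7.8.1"  # consider adding the @sha256 digest
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, env, volumeMounts, args …
          readinessProbe:
            httpGet:
              path: /ready
              port: 4180
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
          resources:  # constructed example values — size for actual load
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              memory: 128Mi
```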
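Review bot: The host `oauth2-proxy.la-suite.apps.digilab.network` is hard-coded in `base/`, both in `rules[0].host` and `tls[0].hosts`, and the same host is repeated in `cookie_domains` and `whitelist_domains` of `base/oauth2-proxy/oauth2-proxy.cfg` in this commit, so the base cannot be reused by another overlay without forking it; an overlay-level patch (and a matching config override in `overlays/digilab/`) would keep the base environment-neutral. The rule also exposes `path: /` with `pathType: Prefix` on a public, cert-manager-issued host while the proxy is configured with `upstreams="file:///dev/null"`, so nothing is actually served behind it; if this instance is only meant to back `auth_request`-style checks from other ingresses, exposing just the `/oauth2` prefix would be sufficient and keeps the attack surface on that host minimal — confirm the intended use.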
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deployment.yaml
+ - ingress.yaml
+ - service.yaml
+
+namePrefix: oauth2-proxy-
+
+labels:
+ - pairs:
+ app.kubernetes.io/name: oauth2-proxy
+ includeSelectors: true
+
+buildMetadata: [originAnnotations]
+
+configMapGenerator:
+ - name: oauth2-proxy-config
+ files:
+ - oauth2-proxy.cfg
+
+secretGenerator:
+ - name: oauth2-proxy-secret
+ envs:
+ - secrets.env
diff --git a/base/oauth2-proxy/oauth2-proxy.cfg b/base/oauth2-proxy/oauth2-proxy.cfg
new file mode 100644
index 0000000..94d5f58
--- /dev/null
+++ b/base/oauth2-proxy/oauth2-proxy.cfg
@@ -0,0 +1,20 @@
+provider="keycloak-oidc"
+provider_display_name="LaSuite"
+login_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/auth"
+redeem_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/token"
+validate_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/userinfo"
+profile_url="https://id.la-suite.apps.digilab.network/realms/lasuite/protocol/openid-connect/userinfo"
+ssl_insecure_skip_verify=true
+# Client config
+cookie_csrf_per_request=true
+cookie_csrf_expire=5m
+cookie_domains=["oauth2-proxy.la-suite.apps.digilab.network"]
+cookie_secure="true"
+cookie_samesite="lax"
+# Upstream config
+http_address="0.0.0.0:4180"
+upstreams="file:///dev/null"
+email_domains=["*"]
+oidc_issuer_url="https://id.la-suite.apps.digilab.network/realms/lasuite"
+scope="openid"
+whitelist_domains=["oauth2-proxy.la-suite.apps.digilab.network"]
diff --git a/base/oauth2-proxy/secrets.env b/base/oauth2-proxy/secrets.env
new file mode 100644
index 0000000..6f8a743
--- /dev/null
+++ b/base/oauth2-proxy/secrets.env
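Review bot: `secretGenerator` reads `secrets.env` as a plain env file, but that file (added in the `base/oauth2-proxy/secrets.env` hunk of this commit) is SOPS/age-encrypted, so a plain `kustomize build` emits a Secret whose `client-id`, `client-secret` and `cookie-secret` values are the literal `ENC[AES256_GCM,...]` strings plus the `sops_*` metadata lines as extra keys, and oauth2-proxy would fail to start on an invalid cookie secret. This is only correct if the build is run by a SOPS-aware pipeline; the `.sops.yaml` change in this commit suggests that is the intent, but the decrypting tool is not visible here. Please record the assumption above the generator, e.g. `# secrets.env is SOPS (age) encrypted and is decrypted at build time by <DECRYPTION_TOOL>; a plain 'kustomize build' yields ENC[...] values`, so nobody applies the base directly.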
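Review bot: `ssl_insecure_skip_verify=true` disables TLS certificate verification for every call the proxy makes to the identity provider (`login_url`, `redeem_url`, `validate_url`, `profile_url` and discovery for `oidc_issuer_url`), so the code-for-token exchange that carries the client secret and the returned tokens is exposed to anyone who can interpose on the network path; the IdP lives under the same domain that receives Let's Encrypt certificates via the Ingress in this commit, so the line should simply be removed, or `provider_ca_files` used if the IdP is reached through a private CA. `cookie_csrf_expire=5m` is not a valid TOML value — a bare `5m` will most likely fail to parse — so write `cookie_csrf_expire="5m"`. `cookie_secure="true"` is a quoted string where `cookie_csrf_per_request=true` uses a bare boolean; the loader may coerce it, but `cookie_secure=true` is the unambiguous form. Finally, `email_domains=["*"]` authorizes every identity the realm authenticates, so access control rests entirely on Keycloak realm membership; if only some users should pass, restrict with `allowed_groups` or `allowed_roles`.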
@@ -0,0 +1,9 @@
+client-id=ENC[AES256_GCM,data:apoXJaMT9qCrxTo=,iv:UV9oSvr7RuR53OU1CosiCACta6nVXlGkqPKNh8bGJPM=,tag:V0eS0OOzaFwuqaSHnONChg==,type:str]
+client-secret=ENC[AES256_GCM,data:d1+D80lpD4QMab6nxNZYqCQdhT66vCK+d29EVZnTmAg=,iv:OAdu1khGTrn213MuH7YHptKR0zqy1nmwHNlpy2uR4mo=,tag:t9HAG0mJNroXswajvagdWg==,type:str]
+cookie-secret=ENC[AES256_GCM,data:ikptOwllIYna5Cj9hgAe8ndYTUEvEWDARwltV5D1NHEHodxRD9tVCvIr7zI=,iv:ozaWUT22GNBo4O0AITi69uWYLsdv/3oeBfWvRFuJEag=,tag:V5OpWALHQInjh27R0jO58A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TXgzaURSQkQvdHVQS2xK\nMTBMWHFXc21lNGswZ0owVWRoNnhCRmpZT3pvCndoUzBnRzhpMEtOMVpSOFpNSVdn\nSnI5SVd3RjR0MHJTUkpndTUrNm9KNmsKLS0tIFlGb01XVm9ZdFlSVWM5S2daeU1t\nc1FmdU9wdmwrZkY1c3hGQjd4MSsva28KUWslUqqlth8x69sAuzt2gXIq4oznbGoX\nwpn7FUabyh/b46LF8e2Y6Ad1p64zdOQMGhdmU3G28pQTvyhtz2kW8w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ju3xfm27kpus9wv9we6l5qr00ul23uj5jfxxz3skv6vjagtkasdsuwsqsp
+sops_encrypted_regex=^.+$
+sops_lastmodified=2025-01-18T22:13:12Z
+sops_mac=ENC[AES256_GCM,data:QjAD9yk4uzzGN1yk6V8LC2JxkxpC3FkFu21ZH+PFTnDLOftVtOnK9FGzNXSSSnZL6yUtCi0YBEFkf28wk8ooDtubuNGuqkJvbSK3XR4IUG+y5CICbv3+mrJgyNy41kRvWAp9EcumIfYzE1bRQFdn7zVFx3iafGC2J2rd+3HPnSk=,iv:0WK9ihul6H7nWLwdGqmU60lYj0Z4S2SSFJzYXrSOvXU=,tag:s6yHKqN5iT0VcltYso5LlA==,type:str]
+sops_version=3.8.1
diff --git a/base/oauth2-proxy/service.yaml b/base/oauth2-proxy/service.yaml
new file mode 100644
index 0000000..2691707
--- /dev/null
+++ b/base/oauth2-proxy/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: oauth-proxy
+ name: svc
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/component: oauth-proxy
+ ports:
+ - name: http-oauthproxy
+ port: 4180
\ No newline at end of file
diff --git a/overlays/digilab/kustomization.yaml b/overlays/digilab/kustomization.yaml
index f13c6bd..4702248 100644
--- a/overlays/digilab/kustomization.yaml
+++ b/overlays/digilab/kustomization.yaml @@ -56,6 +56,7 @@ resources: - ../../base/keycloak/ - ../../base/vault/ - ../../base/grafana/ + - ../../base/oauth2-proxy/ secretGenerator: - name: sec-keycloak