159021dd by Adam Heath

This recipe wraps a workload with oauth2-proxy, requiring an OIDC login or a valid JWT bearer token before requests reach it.

1 parent 012bbb50
OAUTH2_PROXY_PROVIDER=keycloak-oidc
#OAUTH2_PROXY_COOKIE_SAMESITE=none
#OAUTH2_PROXY_COOKIE_SECURE='true'
#OAUTH2_PROXY_COOKIE_HTTPONLY='false'
OAUTH2_PROXY_EMAIL_DOMAINS='*'
##OAUTH2_PROXY_COOKIE_DOMAIN=.alyvr.local
##OAUTH2_PROXY_COOKIE_SECRET=CHANGEME
OAUTH2_PROXY_COOKIE_EXPIRE=1h
OAUTH2_PROXY_COOKIE_REFRESH=4m
##OAUTH2_PROXY_CLIENT_ID=CHANGEME
##OAUTH2_PROXY_CLIENT_SECRET=CHANGEME
##OAUTH2_PROXY_LOGIN_URL=''
##OAUTH2_PROXY_REDEEM_URL=''
##OAUTH2_PROXY_VALIDATE_URL=''
OAUTH2_PROXY_SCOPE=openid profile
OAUTH2_PROXY_REVERSE_PROXY=true
#OAUTH2_PROXY_PROVIDER_CA_FILE=/srv/alyvr-ca/tls.crt
##OAUTH2_PROXY_WHITELIST_DOMAIN=
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_SET_XAUTHREQUEST=true
OAUTH2_PROXY_PASS_USER_HEADERS=true
#OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
OAUTH2_PROXY_WEBSOCKETS=true
#OAUTH2_PROXY_SKIP_AUTH_REGEX=
OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true
# new
OAUTH2_AUTH_LOGGING=true
OAUTH2_SHOW_DEBUG_ON_ERROR=true
# - --upstream=http://nginx-hello-status:80/
OAUTH2_PROXY_UPSTREAMS
OAUTH2_PROXY_HTTP_ADDRESS
OAUTH2_PROXY_COOKIE_DOMAINS
OAUTH2_PROXY_COOKIE_SECRET
OAUTH2_PROXY_CLIENT_ID
OAUTH2_PROXY_ALLOWED_ROLES
OAUTH2_PROXY_OIDC_ISSUER_URL
OAUTH2_PROXY_WHITELIST_DOMAINS
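Review bot: `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true` disables certificate verification for every TLS connection the proxy makes to the provider, while the CA option that would make verification work against the internal CA is left commented out a few lines above; anyone who can redirect traffic between the proxy and Keycloak can then present a forged issuer and have its tokens accepted. Enable the CA file and drop the skip instead: `OAUTH2_PROXY_PROVIDER_CA_FILE=/srv/alyvr-ca/tls.crt` and `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=false` (or delete the line, the default is false). The two keys under `# new` lack the `OAUTH2_PROXY_` prefix every other key uses, so they are presumably not read by the proxy at all; and `SHOW_DEBUG_ON_ERROR` should not ship enabled, since it echoes internal error detail to end users. With `OAUTH2_PROXY_EMAIL_DOMAINS='*'` any account the issuer knows passes the email check, so authorization rests entirely on `OAUTH2_PROXY_ALLOWED_ROLES` being populated at build time — a comment above that bare key saying `# required: with EMAIL_DOMAINS='*' this is the only authorization check` would make that explicit.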
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- oauth2-proxy.yaml
secretGenerator:
- name: oauth2-proxy
options:
disableNameSuffixHash: true
envs:
- secret.env
configMapGenerator:
- name: oauth2-proxy
options:
disableNameSuffixHash: true
envs:
- configmap.env
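Review bot: Both generators set `disableNameSuffixHash: true`, so a rotated `OAUTH2_PROXY_COOKIE_SECRET` or client secret in `secret.env` updates the Secret in place without rolling the Deployment, and the running pods keep the old credentials until someone restarts them. If the stable names are needed by the helmfile patches, say so and state the consequence, e.g. `# stable names: rotating a secret requires an explicit rollout restart`. Keep `secret.env` out of version control, or restrict it to bare keys whose values presumably come from the build environment as the listing in configmap.env does, so the checked-in recipe never carries real credentials.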
---
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy
spec:
selector:
app: oauth2-proxy
ports:
- name: http-oauth2
protocol: TCP
port: 80
targetPort: 9876
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy
labels:
app: oauth2-proxy
spec:
replicas: 1
progressDeadlineSeconds: 600
selector:
matchLabels:
app: oauth2-proxy
template:
metadata:
labels:
app: oauth2-proxy
spec:
containers:
- name: oauth2-proxy
image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1"
imagePullPolicy: "IfNotPresent"
envFrom:
- configMapRef:
name: oauth2-proxy
- secretRef:
name: oauth2-proxy
ports:
- containerPort: 9876
protocol: TCP
readinessProbe:
httpGet:
path: /ping
port: 9876
scheme: HTTP
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
livenessProbe:
httpGet:
path: /ping
port: 9876
scheme: HTTP
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
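Review bot: The container has no `securityContext` and no `resources`, so the proxy — which is the authentication boundary for the workload — runs with whatever the cluster default grants, including root inside the container and the ability to gain privileges. The image is pinned by tag (`v7.2.1`) rather than digest, so the same manifest can resolve to different bytes over time; pin a digest and track upstream releases. Because `OAUTH2_PROXY_REVERSE_PROXY=true` makes the proxy trust `X-Forwarded-*` headers, port 9876 should be reachable only through the trusted ingress (for example via a NetworkPolicy), otherwise any pod in the cluster can spoof the client address and scheme. A hardened container spec follows; the sizes are placeholders to be set from observed usage.
```yaml
containers:
  - name: oauth2-proxy
    image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1"  # prefer image@sha256:<digest>
    imagePullPolicy: "IfNotPresent"
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      requests:
        cpu: 50m
        memory: 64Mi
      limits:
        memory: 128Mi
    # … unchanged: envFrom, ports, readinessProbe, livenessProbe …
```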
---
oauth2_proxy:
enabled: true
name: ""
config:
OAUTH2_PROXY_UPSTREAMS: ""
OAUTH2_PROXY_HTTP_ADDRESS: ""
OAUTH2_PROXY_COOKIE_DOMAINS: ""
OAUTH2_PROXY_COOKIE_SECRET: ""
OAUTH2_PROXY_CLIENT_ID: ""
OAUTH2_PROXY_ALLOWED_ROLES: ""
OAUTH2_PROXY_OIDC_ISSUER_URL: ""
OAUTH2_PROXY_WHITELIST_DOMAINS: ""
OAUTH2_PROXY_CLIENT_SECRET: ""
secret:
OAUTH2_PROXY_CLIENT_SECRET: ""
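Review bot: `OAUTH2_PROXY_CLIENT_SECRET` is listed under `config` as well as under `secret`, and `OAUTH2_PROXY_COOKIE_SECRET` appears only under `config`; the helmfile renders `config` into a ConfigMap, so both credentials would land in plaintext in an object that is usually readable far more widely than a Secret. Drop the `config` copy of the client secret and move the cookie secret beside it: `secret:` / `OAUTH2_PROXY_COOKIE_SECRET: ""` / `OAUTH2_PROXY_CLIENT_SECRET: ""`. A comment above `config` such as `# non-sensitive keys only: rendered into a ConfigMap` would stop the next contributor from re-adding one.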
bases:
- ../common/environments.yaml
---
releases:
- name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
namespace: oauth2-proxy
chart: charts/oauth2-proxy
condition: oauth2_proxy.enabled
values:
- nameSuffix: -{{ $.Values.oauth2_proxy.name }}
- {{ .Values.oauth2_proxy.config | toYaml | nindent 8 }}
jsonPatches:
- target:
version: v1
group: apps
kind: Deployment
namespace: oauth2-proxy
name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
patch:
- op: replace
path: /metadata/labels/app
value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
- op: replace
path: /spec/selector/matchLabels/app
value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
- op: replace
path: /spec/template/metadata/labels/app
value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
- target:
version: v1
kind: Service
namespace: oauth2-proxy
name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
patch:
- op: replace
path: /spec/selector/app
value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
strategicMergePatches:
- apiVersion: v1
kind: ConfigMap
metadata:
namespace: oauth2-proxy
name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
data:
{{ $.Values.oauth2_proxy.config | toYaml | nindent 12 }}
- apiVersion: v1
kind: Secret
metadata:
namespace: oauth2-proxy
name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
data:
{{ $.Values.oauth2_proxy.secret | toYaml | nindent 12 }}
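Review bot: The Secret patch writes the values into `data:`, which Kubernetes requires to be base64-encoded; unless `oauth2_proxy.secret` already holds base64 strings, the plain values will be rejected at apply time (or double-encoded if the chart encodes them too). Use `stringData:` for plain-text values and keep the same `toYaml | nindent 12` line under it. The ConfigMap patch renders everything under `oauth2_proxy.config`, so any key placed there — including the cookie secret in the current values file — becomes a plaintext ConfigMap entry; only non-sensitive keys belong in `config`. The `values:` entry uses a relative `.Values` while every other reference uses `$.Values`; they resolve the same here, but using `$` consistently avoids surprises if the block is later moved inside a `range`.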