159021dd by Adam Heath

This recipe can wrap a workload with JWT protections.

1 parent 012bbb50
1 OAUTH2_PROXY_PROVIDER=keycloak-oidc
2 #OAUTH2_PROXY_COOKIE_SAMESITE=none
3 #OAUTH2_PROXY_COOKIE_SECURE='true'
4 #OAUTH2_PROXY_COOKIE_HTTPONLY='false'
5 OAUTH2_PROXY_EMAIL_DOMAINS='*'
6 ##OAUTH2_PROXY_COOKIE_DOMAIN=.alyvr.local
7 ##OAUTH2_PROXY_COOKIE_SECRET=CHANGEME
8 OAUTH2_PROXY_COOKIE_EXPIRE=1h
9 OAUTH2_PROXY_COOKIE_REFRESH=4m
10 ##OAUTH2_PROXY_CLIENT_ID=CHANGEME
11 ##OAUTH2_PROXY_CLIENT_SECRET=CHANGEME
12 ##OAUTH2_PROXY_LOGIN_URL=''
13 ##OAUTH2_PROXY_REDEEM_URL=''
14 ##OAUTH2_PROXY_VALIDATE_URL=''
15 OAUTH2_PROXY_SCOPE=openid profile
16 OAUTH2_PROXY_REVERSE_PROXY=true
17 #OAUTH2_PROXY_PROVIDER_CA_FILE=/srv/alyvr-ca/tls.crt
18 ##OAUTH2_PROXY_WHITELIST_DOMAIN=
19 OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
20 OAUTH2_PROXY_SET_XAUTHREQUEST=true
21 OAUTH2_PROXY_PASS_USER_HEADERS=true
22 #OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
23
24 OAUTH2_PROXY_WEBSOCKETS=true
25 #OAUTH2_PROXY_SKIP_AUTH_REGEX=
26 OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
27 OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
28 OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true
29
30 # new
31 OAUTH2_AUTH_LOGGING=true
32 OAUTH2_SHOW_DEBUG_ON_ERROR=true
33
34
35 # - --upstream=http://nginx-hello-status:80/
36
37 OAUTH2_PROXY_UPSTREAMS
38 OAUTH2_PROXY_HTTP_ADDRESS
39 OAUTH2_PROXY_COOKIE_DOMAINS
40 OAUTH2_PROXY_COOKIE_SECRET
41 OAUTH2_PROXY_CLIENT_ID
42 OAUTH2_PROXY_ALLOWED_ROLES
43 OAUTH2_PROXY_OIDC_ISSUER_URL
44 OAUTH2_PROXY_WHITELIST_DOMAINS
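Review bot: `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true` disables certificate verification of the OIDC provider while `OAUTH2_PROXY_PROVIDER_CA_FILE` is left commented out, so the proxy will redeem codes and fetch signing keys from whatever answers as the issuer; for a recipe whose purpose is JWT protection the CA-file line should be the active one and the skip-verify line the commented one (the `#` prefixes should simply swap). The two keys under `# new` lack the `_PROXY` segment — oauth2-proxy reads `OAUTH2_PROXY_AUTH_LOGGING` and `OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR`, so as written both are ignored, and the latter should stay `false` outside a debugging session because it returns error detail to the browser. If kustomize `envs:` keeps quotes literally, as `kubectl --from-env-file` does, `OAUTH2_PROXY_EMAIL_DOMAINS='*'` arrives as the three-character string `'*'` rather than the wildcard; `OAUTH2_PROXY_EMAIL_DOMAINS=*` avoids the ambiguity. The trailing bare names (`OAUTH2_PROXY_UPSTREAMS` … `OAUTH2_PROXY_WHITELIST_DOMAINS`) are presumably meant to be filled in by the helmfile patches; a comment such as `# values supplied per release by the helmfile ConfigMap patch` would say so, since a bare key is otherwise read from the kustomize process environment.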
1 apiVersion: kustomize.config.k8s.io/v1beta1
2 kind: Kustomization
3
4 resources:
5 - oauth2-proxy.yaml
6 secretGenerator:
7 - name: oauth2-proxy
8 options:
9 disableNameSuffixHash: true
10 envs:
11 - secret.env
12 configMapGenerator:
13 - name: oauth2-proxy
14 options:
15 disableNameSuffixHash: true
16 envs:
17 - configmap.env
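Review bot: `disableNameSuffixHash: true` on both generators means a rotated cookie secret or a changed client id updates the ConfigMap/Secret in place, but the Deployment's `envFrom` references never change, so running pods keep the old values until something else restarts them. The fixed names are presumably required so the helmfile `jsonPatches`/`strategicMergePatches` can target `oauth2-proxy-<name>`; that trade-off deserves a comment on each `options:` block, e.g. `# fixed name so helmfile patches can target it; env changes need a rollout restart`. Both generators share the name `oauth2-proxy`, which is legal across kinds but easy to misread — a one-line comment that the Secret holds `secret.env` and the ConfigMap `configmap.env` helps a reader who only sees the Deployment.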
1 ---
2 apiVersion: v1
3 kind: Service
4 metadata:
5 name: oauth2-proxy
6 spec:
7 selector:
8 app: oauth2-proxy
9 ports:
10 - name: http-oauth2
11 protocol: TCP
12 port: 80
13 targetPort: 9876
14 ---
15 apiVersion: apps/v1
16 kind: Deployment
17 metadata:
18 name: oauth2-proxy
19 labels:
20 app: oauth2-proxy
21 spec:
22 replicas: 1
23 progressDeadlineSeconds: 600
24 selector:
25 matchLabels:
26 app: oauth2-proxy
27 template:
28 metadata:
29 labels:
30 app: oauth2-proxy
31 spec:
32 containers:
33 - name: oauth2-proxy
34 image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1"
35 imagePullPolicy: "IfNotPresent"
36 envFrom:
37 - configMapRef:
38 name: oauth2-proxy
39 - secretRef:
40 name: oauth2-proxy
41 ports:
42 - containerPort: 9876
43 protocol: TCP
44
45 readinessProbe:
46 httpGet:
47 path: /ping
48 port: 9876
49 scheme: HTTP
50 failureThreshold: 3
51 periodSeconds: 10
52 successThreshold: 1
53 timeoutSeconds: 1
54 livenessProbe:
55 httpGet:
56 path: /ping
57 port: 9876
58 scheme: HTTP
59 failureThreshold: 3
60 periodSeconds: 10
61 successThreshold: 1
62 timeoutSeconds: 1
63
64 ---
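Review bot: The container port and both probes are pinned to `9876` while the listen address is driven entirely by `OAUTH2_PROXY_HTTP_ADDRESS` from the ConfigMap, which the values file defaults to an empty string, so a release that forgets to set it will not be listening on 9876 and the probes will fail without pointing at the cause; a comment on the port, `# must agree with OAUTH2_PROXY_HTTP_ADDRESS in configmap (expects 0.0.0.0:9876)`, makes the coupling visible. The container carries no `securityContext` and no `resources`, which for an internet-facing auth proxy is worth adding regardless of what the upstream image does by itself; the sizes below are placeholders to be tuned. The closing `---` with nothing after it produces an empty trailing document, harmless but unnecessary.

```yaml
        - name: oauth2-proxy
          # … unchanged: image, imagePullPolicy, envFrom, ports, probes …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:  # placeholder sizes — tune for the environment
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
```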
1 oauth2_proxy:
2 enabled: true
3 name: ""
4 config:
5 OAUTH2_PROXY_UPSTREAMS: ""
6 OAUTH2_PROXY_HTTP_ADDRESS: ""
7 OAUTH2_PROXY_COOKIE_DOMAINS: ""
8 OAUTH2_PROXY_COOKIE_SECRET: ""
9 OAUTH2_PROXY_CLIENT_ID: ""
10 OAUTH2_PROXY_ALLOWED_ROLES: ""
11 OAUTH2_PROXY_OIDC_ISSUER_URL: ""
12 OAUTH2_PROXY_WHITELIST_DOMAINS: ""
13 OAUTH2_PROXY_CLIENT_SECRET: ""
14 secret:
15 OAUTH2_PROXY_CLIENT_SECRET: ""
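Review bot: `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` are listed under `config`, and the helmfile renders `config` into the ConfigMap's `data`, so both credentials would end up in a plaintext ConfigMap even though the client secret is also declared under `secret`. Remove the `config` copy of `OAUTH2_PROXY_CLIENT_SECRET` and move `OAUTH2_PROXY_COOKIE_SECRET` to `secret`, so the Secret object is the only carrier of either value. The empty-string defaults are a reasonable fail-closed choice (oauth2-proxy refuses to start without a usable cookie secret and issuer), but a comment on `config:`, `# every key is required; empty defaults exist only so the map shape is fixed`, would stop a reader from assuming `""` is a valid setting.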
1 bases:
2 - ../common/environments.yaml
3
4 ---
5 releases:
6 - name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
7 namespace: oauth2-proxy
8 chart: charts/oauth2-proxy
9 condition: oauth2_proxy.enabled
10 values:
11 - nameSuffix: -{{ $.Values.oauth2_proxy.name }}
12 - {{ .Values.oauth2_proxy.config | toYaml | nindent 8 }}
13 jsonPatches:
14 - target:
15 version: v1
16 group: apps
17 kind: Deployment
18 namespace: oauth2-proxy
19 name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
20 patch:
21 - op: replace
22 path: /metadata/labels/app
23 value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
24 - op: replace
25 path: /spec/selector/matchLabels/app
26 value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
27 - op: replace
28 path: /spec/template/metadata/labels/app
29 value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
30 - target:
31 version: v1
32 kind: Service
33 namespace: oauth2-proxy
34 name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
35 patch:
36 - op: replace
37 path: /spec/selector/app
38 value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
39 strategicMergePatches:
40 - apiVersion: v1
41 kind: ConfigMap
42 metadata:
43 namespace: oauth2-proxy
44 name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
45 data:
46 {{ $.Values.oauth2_proxy.config | toYaml | nindent 12 }}
47 - apiVersion: v1
48 kind: Secret
49 metadata:
50 namespace: oauth2-proxy
51 name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
52 data:
53 {{ $.Values.oauth2_proxy.secret | toYaml | nindent 12 }}
54
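Review bot: The Secret patch splices `oauth2_proxy.secret` under `data:`, but a Kubernetes Secret's `data` must be base64 and the values file supplies plain strings, so the apply is rejected or the proxy receives a mangled client secret; `stringData:` accepts plain text and the API server encodes it on write, so the one-line change is `stringData:` in place of `data:` on the Secret patch (the `nindent 12` stays). Secrets patched this way still pass through the helmfile render in clear text, so the usual advice applies: keep `oauth2_proxy.secret` out of committed values and source it from an environment or secrets backend at render time. The `values:` entry that splices `config` into chart values looks redundant with the ConfigMap patch that splices the same map into `data`; if the kustomize-based chart does not read chart values, that entry can go, otherwise a comment explaining which consumer needs it would help. The `releases` document is its own YAML document after `bases:`, which is helmfile's convention, but a reader unfamiliar with it will wonder about the `---`; a short comment above it would save that.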