This recipe wraps a workload with oauth2-proxy (Keycloak OIDC) so that requests must carry either a valid session cookie or a JWT bearer token before they reach the upstream.
Showing
6 changed files
with
195 additions
and
0 deletions
1 | OAUTH2_PROXY_PROVIDER=keycloak-oidc | ||
2 | #OAUTH2_PROXY_COOKIE_SAMESITE=none | ||
3 | #OAUTH2_PROXY_COOKIE_SECURE='true' | ||
4 | #OAUTH2_PROXY_COOKIE_HTTPONLY='false' | ||
5 | OAUTH2_PROXY_EMAIL_DOMAINS='*' | ||
6 | ##OAUTH2_PROXY_COOKIE_DOMAIN=.alyvr.local | ||
7 | ##OAUTH2_PROXY_COOKIE_SECRET=CHANGEME | ||
8 | OAUTH2_PROXY_COOKIE_EXPIRE=1h | ||
9 | OAUTH2_PROXY_COOKIE_REFRESH=4m | ||
10 | ##OAUTH2_PROXY_CLIENT_ID=CHANGEME | ||
11 | ##OAUTH2_PROXY_CLIENT_SECRET=CHANGEME | ||
12 | ##OAUTH2_PROXY_LOGIN_URL='' | ||
13 | ##OAUTH2_PROXY_REDEEM_URL='' | ||
14 | ##OAUTH2_PROXY_VALIDATE_URL='' | ||
15 | OAUTH2_PROXY_SCOPE=openid profile | ||
16 | OAUTH2_PROXY_REVERSE_PROXY=true | ||
17 | #OAUTH2_PROXY_PROVIDER_CA_FILE=/srv/alyvr-ca/tls.crt | ||
18 | ##OAUTH2_PROXY_WHITELIST_DOMAIN= | ||
19 | OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true | ||
20 | OAUTH2_PROXY_SET_XAUTHREQUEST=true | ||
21 | OAUTH2_PROXY_PASS_USER_HEADERS=true | ||
22 | #OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true | ||
23 | |||
24 | OAUTH2_PROXY_WEBSOCKETS=true | ||
25 | #OAUTH2_PROXY_SKIP_AUTH_REGEX= | ||
26 | OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true | ||
27 | OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true | ||
28 | OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true | ||
29 | |||
30 | # new | ||
31 | OAUTH2_AUTH_LOGGING=true | ||
32 | OAUTH2_SHOW_DEBUG_ON_ERROR=true | ||
33 | |||
34 | |||
35 | # - --upstream=http://nginx-hello-status:80/ | ||
36 | |||
37 | OAUTH2_PROXY_UPSTREAMS | ||
38 | OAUTH2_PROXY_HTTP_ADDRESS | ||
39 | OAUTH2_PROXY_COOKIE_DOMAINS | ||
40 | OAUTH2_PROXY_COOKIE_SECRET | ||
41 | OAUTH2_PROXY_CLIENT_ID | ||
42 | OAUTH2_PROXY_ALLOWED_ROLES | ||
43 | OAUTH2_PROXY_OIDC_ISSUER_URL | ||
44 | OAUTH2_PROXY_WHITELIST_DOMAINS |
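Review bot: `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true` (line 28) disables certificate verification for every TLS connection the proxy makes to the provider, so the OIDC discovery document, the JWKS and the token/redeem endpoints can be served by anyone who can intercept traffic to the issuer — and because `OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true` (line 26) is also set, that includes the keys used to verify bearer tokens. The commented-out `OAUTH2_PROXY_PROVIDER_CA_FILE=/srv/alyvr-ca/tls.crt` on line 17 is the right replacement: mount the internal CA, enable that line and delete the skip-verify flag. `OAUTH2_PROXY_COOKIE_SECRET` is listed at line 40 so its value lands in the ConfigMap rather than the Secret; it should move to `secret.env`. The two keys under `# new` (lines 31–32) lack the `OAUTH2_PROXY_` prefix and are presumably ignored by the binary, but if `OAUTH2_SHOW_DEBUG_ON_ERROR` were corrected it would expose debug detail on error pages, so it should not be enabled for anything internet-facing. With `OAUTH2_PROXY_EMAIL_DOMAINS='*'` (line 5) any identity the IdP authenticates is accepted, so access control rests entirely on `OAUTH2_PROXY_ALLOWED_ROLES`, which is listed at line 42 with no value here — worth a comment saying it must be set.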
1 | apiVersion: kustomize.config.k8s.io/v1beta1 | ||
2 | kind: Kustomization | ||
3 | |||
4 | resources: | ||
5 | - oauth2-proxy.yaml | ||
6 | secretGenerator: | ||
7 | - name: oauth2-proxy | ||
8 | options: | ||
9 | disableNameSuffixHash: true | ||
10 | envs: | ||
11 | - secret.env | ||
12 | configMapGenerator: | ||
13 | - name: oauth2-proxy | ||
14 | options: | ||
15 | disableNameSuffixHash: true | ||
16 | envs: | ||
17 | - configmap.env |
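Review bot: `disableNameSuffixHash: true` on both generators (lines 9 and 15) means a changed `OAUTH2_PROXY_CLIENT_SECRET` or cookie secret rewrites the Secret/ConfigMap in place without touching the Deployment's pod template, so running pods keep the old values until they are restarted by hand and a rotated client secret stays in use after rotation. Either keep the hash suffix so kustomize rolls the Deployment, or add a comment such as `# disableNameSuffixHash: pods must be restarted (kubectl rollout restart) after changing secret.env/configmap.env` next to these options. As far as I recall, a bare `KEY` line in an `envs:` file is resolved from the environment of the `kustomize build` process, so the build host's environment becomes part of the trust boundary for the client secret; worth stating in a comment if that is the intended flow.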
1 | --- | ||
2 | apiVersion: v1 | ||
3 | kind: Service | ||
4 | metadata: | ||
5 | name: oauth2-proxy | ||
6 | spec: | ||
7 | selector: | ||
8 | app: oauth2-proxy | ||
9 | ports: | ||
10 | - name: http-oauth2 | ||
11 | protocol: TCP | ||
12 | port: 80 | ||
13 | targetPort: 9876 | ||
14 | --- | ||
15 | apiVersion: apps/v1 | ||
16 | kind: Deployment | ||
17 | metadata: | ||
18 | name: oauth2-proxy | ||
19 | labels: | ||
20 | app: oauth2-proxy | ||
21 | spec: | ||
22 | replicas: 1 | ||
23 | progressDeadlineSeconds: 600 | ||
24 | selector: | ||
25 | matchLabels: | ||
26 | app: oauth2-proxy | ||
27 | template: | ||
28 | metadata: | ||
29 | labels: | ||
30 | app: oauth2-proxy | ||
31 | spec: | ||
32 | containers: | ||
33 | - name: oauth2-proxy | ||
34 | image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1" | ||
35 | imagePullPolicy: "IfNotPresent" | ||
36 | envFrom: | ||
37 | - configMapRef: | ||
38 | name: oauth2-proxy | ||
39 | - secretRef: | ||
40 | name: oauth2-proxy | ||
41 | ports: | ||
42 | - containerPort: 9876 | ||
43 | protocol: TCP | ||
44 | |||
45 | readinessProbe: | ||
46 | httpGet: | ||
47 | path: /ping | ||
48 | port: 9876 | ||
49 | scheme: HTTP | ||
50 | failureThreshold: 3 | ||
51 | periodSeconds: 10 | ||
52 | successThreshold: 1 | ||
53 | timeoutSeconds: 1 | ||
54 | livenessProbe: | ||
55 | httpGet: | ||
56 | path: /ping | ||
57 | port: 9876 | ||
58 | scheme: HTTP | ||
59 | failureThreshold: 3 | ||
60 | periodSeconds: 10 | ||
61 | successThreshold: 1 | ||
62 | timeoutSeconds: 1 | ||
63 | |||
64 | --- |
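Review bot: The container (lines 33–62) has no `securityContext`, so it runs with the image's default user, a writable root filesystem, privilege escalation allowed and the full default capability set, none of which an OIDC proxy needs; the upstream image runs as an unprivileged user, so `runAsNonRoot: true` should not break it, but verify on the first rollout. The image is pinned by tag only (line 34) — pin by digest so the auth boundary cannot be silently replaced by a re-pushed tag — and there are no resource limits. The Service and both probes assume the proxy listens on `0.0.0.0:9876`, but `OAUTH2_PROXY_HTTP_ADDRESS` is listed in `configmap.env` with no value; if it is left unset the default bind address differs and the probes will fail, so a comment such as `# requires OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:9876` next to `containerPort` would save the next person a debugging session.
```yaml
      containers:
      - name: oauth2-proxy
        image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1"
        # … unchanged: imagePullPolicy, envFrom, ports, probes …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
```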
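--- a/oauth2-proxy/charts/oauth2-proxy/secret.env
+++ b/oauth2-proxy/charts/oauth2-proxy/secret.env
@@ -0,0 +1 @@
+OAUTH2_PROXY_CLIENT_SECRET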
1 | oauth2_proxy: | ||
2 | enabled: true | ||
3 | name: "" | ||
4 | config: | ||
5 | OAUTH2_PROXY_UPSTREAMS: "" | ||
6 | OAUTH2_PROXY_HTTP_ADDRESS: "" | ||
7 | OAUTH2_PROXY_COOKIE_DOMAINS: "" | ||
8 | OAUTH2_PROXY_COOKIE_SECRET: "" | ||
9 | OAUTH2_PROXY_CLIENT_ID: "" | ||
10 | OAUTH2_PROXY_ALLOWED_ROLES: "" | ||
11 | OAUTH2_PROXY_OIDC_ISSUER_URL: "" | ||
12 | OAUTH2_PROXY_WHITELIST_DOMAINS: "" | ||
13 | OAUTH2_PROXY_CLIENT_SECRET: "" | ||
14 | secret: | ||
15 | OAUTH2_PROXY_CLIENT_SECRET: "" |
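Review bot: `OAUTH2_PROXY_CLIENT_SECRET` appears under `config` (line 13) as well as under `secret` (line 15), and the helmfile renders `oauth2_proxy.config` into the ConfigMap, so anyone who fills in the `config` copy writes the client secret into a plaintext ConfigMap readable by anything with ConfigMap access in the namespace; drop line 13 so the secret can only be supplied through the `secret` map. `OAUTH2_PROXY_COOKIE_SECRET` (line 8) is equally sensitive — it signs and encrypts the session cookie — and belongs under `secret` for the same reason. A one-line comment above `secret:` such as `# values here go to the Secret; never put OAUTH2_PROXY_CLIENT_SECRET or OAUTH2_PROXY_COOKIE_SECRET under config` would make the split explicit. The file path for this section is not shown on the page, so I am inferring it is the environment values file that `../common/environments.yaml` loads.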
oauth2-proxy/helmfile.yaml
0 → 100644
1 | bases: | ||
2 | - ../common/environments.yaml | ||
3 | |||
4 | --- | ||
5 | releases: | ||
6 | - name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
7 | namespace: oauth2-proxy | ||
8 | chart: charts/oauth2-proxy | ||
9 | condition: oauth2_proxy.enabled | ||
10 | values: | ||
11 | - nameSuffix: -{{ $.Values.oauth2_proxy.name }} | ||
12 | - {{ .Values.oauth2_proxy.config | toYaml | nindent 8 }} | ||
13 | jsonPatches: | ||
14 | - target: | ||
15 | version: v1 | ||
16 | group: apps | ||
17 | kind: Deployment | ||
18 | namespace: oauth2-proxy | ||
19 | name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
20 | patch: | ||
21 | - op: replace | ||
22 | path: /metadata/labels/app | ||
23 | value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
24 | - op: replace | ||
25 | path: /spec/selector/matchLabels/app | ||
26 | value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
27 | - op: replace | ||
28 | path: /spec/template/metadata/labels/app | ||
29 | value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
30 | - target: | ||
31 | version: v1 | ||
32 | kind: Service | ||
33 | namespace: oauth2-proxy | ||
34 | name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
35 | patch: | ||
36 | - op: replace | ||
37 | path: /spec/selector/app | ||
38 | value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
39 | strategicMergePatches: | ||
40 | - apiVersion: v1 | ||
41 | kind: ConfigMap | ||
42 | metadata: | ||
43 | namespace: oauth2-proxy | ||
44 | name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
45 | data: | ||
46 | {{ $.Values.oauth2_proxy.config | toYaml | nindent 12 }} | ||
47 | - apiVersion: v1 | ||
48 | kind: Secret | ||
49 | metadata: | ||
50 | namespace: oauth2-proxy | ||
51 | name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }} | ||
52 | data: | ||
53 | {{ $.Values.oauth2_proxy.secret | toYaml | nindent 12 }} | ||
54 |
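Review bot: The Secret patch at lines 47–53 writes `oauth2_proxy.secret` under `data:`, but `data` values must be base64-encoded; a plaintext client secret there is rejected by the API server (or, if someone pre-encodes it in the values file, stored double-encoded by anyone who later forgets). Use `stringData:` on line 52 so plain values from the environment file are accepted and encoded by the server. The ConfigMap patch at lines 40–46 renders the whole `oauth2_proxy.config` map, so any secret-like key placed under `config` ends up in a plaintext ConfigMap; a comment above `strategicMergePatches` noting that `config` is public and only `secret` is protected would help whoever edits the values next. The same `config` map is also passed as chart values on line 12, so it is presumably stored in the Helm release record as well.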