add: oauth config
codekow committed Nov 12, 2023
1 parent 8bc6eb7 commit 7892300
Showing 8 changed files with 175 additions and 0 deletions.
3 changes: 3 additions & 0 deletions components/configs/kustomized/oauth-proxy/base/README.md
@@ -0,0 +1,3 @@
# Notes

- https://linuxera.org/oauth-proxy-secure-applications-openshift
86 changes: 86 additions & 0 deletions components/configs/kustomized/oauth-proxy/base/deployment.yaml
@@ -0,0 +1,86 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth-proxy
labels:
name: oauth-proxy
spec:
replicas: 1
selector:
matchLabels:
name: oauth-proxy
template:
metadata:
labels:
name: oauth-proxy
spec:
containers:
- name: oauth-proxy
env:
- name: UPSTREAM
value: http://httpd:8080
- name: SAR
value: '{"resource":"namespaces","resourceName":"reverse-words","namespace":"reverse-words","verb":"get"}'
args:
- -provider=openshift
- -https-address=
- -http-address=:8888
- -email-domain=*
- -upstream=$(UPSTREAM)
- -openshift-sar=$(SAR)
# - -tls-cert=/etc/tls/private/tls.crt
# - -tls-key=/etc/tls/private/tls.key
- -skip-provider-button
- -cookie-expire=8h0m0s
- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -openshift-service-account=oauth-proxy
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- -skip-auth-regex=^/metrics
image: quay.io/openshift/origin-oauth-proxy:4.12
imagePullPolicy: IfNotPresent
ports:
- name: oauth-proxy
containerPort: 8888
protocol: TCP
volumeMounts:
# - mountPath: /etc/tls/private
# name: oauth-proxy-tls
- mountPath: /etc/proxy/secrets
name: oauth-proxy
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 100m
memory: 64Mi
readinessProbe:
httpGet:
path: /oauth/healthz
port: oauth-proxy
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 1
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
livenessProbe:
httpGet:
path: /oauth/healthz
port: oauth-proxy
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 1
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
serviceAccountName: oauth-proxy
volumes:
# - name: oauth-proxy-tls
# secret:
# defaultMode: 420
# secretName: oauth-proxy-tls
- name: oauth-proxy
secret:
defaultMode: 420
secretName: oauth-proxy
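Review bot: The `SAR` value on the `- name: SAR` env entry hard-codes `resourceName` and `namespace` to `reverse-words`, a namespace nothing else in this base references, so the proxy's authorization check asks whether the user can `get` an unrelated namespace rather than the one this proxy is deployed into; an overlay has to patch it, and nothing says so. `-skip-auth-regex=^/metrics` additionally lets unauthenticated clients reach the upstream's `/metrics` through the Route, which is acceptable only if that path serves nothing sensitive. With `-https-address=` empty and the `-tls-cert`/`-tls-key` lines commented out, the proxy listens on plain HTTP and depends on the edge-terminated Route in route.yaml (with the serving-cert annotation in service.yaml also commented out), so the router-to-pod hop stays unencrypted inside the cluster. I'd add above the SAR entry: `# must be overridden per overlay: the namespace a user needs get access to in order to pass the proxy`.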
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- deployment.yaml
- route.yaml
- sa.yaml
- secret.yaml
- service.yaml
20 changes: 20 additions & 0 deletions components/configs/kustomized/oauth-proxy/base/route.yaml
@@ -0,0 +1,20 @@
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: oauth-proxy
labels:
app: oauth-proxy
annotations:
argocd.argoproj.io/sync-wave: "1"
spec:
port:
targetPort: 8888
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
to:
kind: Service
name: oauth-proxy
weight: 100
wildcardPolicy: None
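Review bot: route.yaml and sa.yaml open with a `---` document start while deployment.yaml, secret.yaml, service.yaml and both kustomization files do not; pick one convention for the whole base. `targetPort: 8888` could also reference the Service port by its name `proxy` so the Route stops depending on the raw number if the port is ever changed in service.yaml.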
24 changes: 24 additions & 0 deletions components/configs/kustomized/oauth-proxy/base/sa.yaml
@@ -0,0 +1,24 @@
---
kind: ServiceAccount
apiVersion: v1
metadata:
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.oauth-proxy: >-
{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"oauth-proxy"}}
name: oauth-proxy
# ---
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
# # Without this role your oauth-proxy will output
# # Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden:
# # User "system:serviceaccount:reverse-words:reversewords" cannot create resource "tokenreviews" in API
# # group "authentication.k8s.io" at the cluster scope
# name: oauth-proxy-tokenreviews
# roleRef:
# apiGroup: rbac.authorization.k8s.io
# kind: ClusterRole
# name: system:auth-delegator
# subjects:
# - kind: ServiceAccount
# name: oauth-proxy
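Review bot: The `ClusterRoleBinding` to `system:auth-delegator` is left commented out while deployment.yaml passes `-openshift-sar=$(SAR)` and `-openshift-service-account=oauth-proxy`; the commented text in this very file says the proxy's TokenReview calls are forbidden without that binding, so either the base is incomplete or the binding is expected from an overlay, and that expectation should be written down. If the block is re-enabled, the `subjects` entry presumably also needs a `namespace:` for the ServiceAccount unless the overlay's namespace transformer fills it in, and the quoted error still names the tutorial's `reverse-words:reversewords` account rather than this `oauth-proxy` one. I'd replace the bare `# ---` header with `# ClusterRoleBinding intentionally omitted from the base; overlays must bind the oauth-proxy ServiceAccount to system:auth-delegator or SAR/TokenReview calls fail (see error below)`, or uncomment the block.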
6 changes: 6 additions & 0 deletions components/configs/kustomized/oauth-proxy/base/secret.yaml
@@ -0,0 +1,6 @@
kind: Secret
apiVersion: v1
metadata:
name: oauth-proxy
stringData:
session_secret: 'change me'
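Review bot: `session_secret: 'change me'` commits a literal cookie secret that kustomize applies verbatim, and the overlay `kustomization.yaml` in this commit only lists `../../base` without patching it, so a deployment straight from this tree runs the proxy with a session secret that is public in the repository. The proxy uses that value for its session cookies, so a known value undermines the session protection the proxy provides; the secret should be produced at deploy time — a `secretGenerator` in the overlay reading from an untracked file, or an external-secrets resource — rather than a checked-in `Secret` manifest. At minimum add above the key: `# placeholder only: overlays must replace this; the proxy uses it to protect session cookies`.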
22 changes: 22 additions & 0 deletions components/configs/kustomized/oauth-proxy/base/service.yaml
@@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
# annotations:
# service.alpha.openshift.io/serving-cert-secret-name: oauth-proxy-tls
labels:
name: oauth-proxy
name: oauth-proxy
spec:
ports:
- name: proxy
port: 8888
protocol: TCP
targetPort: oauth-proxy
- name: app
port: 8080
protocol: TCP
targetPort: app
selector:
name: oauth-proxy
sessionAffinity: None
type: ClusterIP
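Review bot: The second port `app` (8080, `targetPort: app`) has no backing container port: the pod template in deployment.yaml declares only `oauth-proxy` on 8888, and the upstream is reached by service name (`http://httpd:8080`) rather than as a sidecar. As written the port is dead, and if an application container were later added to this pod it would become reachable on 8080 through this Service without passing through the proxy, which is the bypass the proxy exists to prevent. I'd drop the four lines from `- name: app` through `targetPort: app` unless a sidecar is actually planned, in which case keep its port off the Service and let the proxy reach it over localhost.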
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../../base
