From 78923009c2508112b6ca2c8660616106369d3259 Mon Sep 17 00:00:00 2001
From: Cory Latschkowski
Date: Sun, 12 Nov 2023 00:56:12 -0600
Subject: [PATCH] add: oauth config
---
 .../kustomized/oauth-proxy/base/README.md | 3 +
 .../oauth-proxy/base/deployment.yaml | 86 +++++++++++++++++++
 .../oauth-proxy/base/kustomization.yaml | 9 ++
 .../kustomized/oauth-proxy/base/route.yaml | 20 +++++
 .../kustomized/oauth-proxy/base/sa.yaml | 24 ++++++
 .../kustomized/oauth-proxy/base/secret.yaml | 6 ++
 .../kustomized/oauth-proxy/base/service.yaml | 22 +++++
 .../overlays/default/kustomization.yaml | 5 ++
 8 files changed, 175 insertions(+)
 create mode 100644 components/configs/kustomized/oauth-proxy/base/README.md
 create mode 100644 components/configs/kustomized/oauth-proxy/base/deployment.yaml
 create mode 100644 components/configs/kustomized/oauth-proxy/base/kustomization.yaml
 create mode 100644 components/configs/kustomized/oauth-proxy/base/route.yaml
 create mode 100644 components/configs/kustomized/oauth-proxy/base/sa.yaml
 create mode 100644 components/configs/kustomized/oauth-proxy/base/secret.yaml
 create mode 100644 components/configs/kustomized/oauth-proxy/base/service.yaml
 create mode 100644 components/configs/kustomized/oauth-proxy/overlays/default/kustomization.yaml
diff --git a/components/configs/kustomized/oauth-proxy/base/README.md b/components/configs/kustomized/oauth-proxy/base/README.md
new file mode 100644
index 00000000..b7c4144a
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/README.md
@@ -0,0 +1,3 @@
+# Notes
+
+- https://linuxera.org/oauth-proxy-secure-applications-openshift
diff --git a/components/configs/kustomized/oauth-proxy/base/deployment.yaml b/components/configs/kustomized/oauth-proxy/base/deployment.yaml
new file mode 100644
index 00000000..49b4f7cf
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth-proxy
+ labels:
+ name: oauth-proxy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: oauth-proxy
+ template:
+ metadata:
+ labels:
+ name: oauth-proxy
+ spec:
+ containers:
+ - name: oauth-proxy
+ env:
+ - name: UPSTREAM
+ value: http://httpd:8080
+ - name: SAR
+ value: '{"resource":"namespaces","resourceName":"reverse-words","namespace":"reverse-words","verb":"get"}'
+ args:
+ - -provider=openshift
+ - -https-address=
+ - -http-address=:8888
+ - -email-domain=*
+ - -upstream=$(UPSTREAM)
+ - -openshift-sar=$(SAR)
+ # - -tls-cert=/etc/tls/private/tls.crt
+ # - -tls-key=/etc/tls/private/tls.key
+ - -skip-provider-button
+ - -cookie-expire=8h0m0s
+ - -cookie-secret-file=/etc/proxy/secrets/session_secret
+ - -openshift-service-account=oauth-proxy
+ - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ - -skip-auth-regex=^/metrics
+ image: quay.io/openshift/origin-oauth-proxy:4.12
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: oauth-proxy
+ containerPort: 8888
+ protocol: TCP
+ volumeMounts:
+ # - mountPath: /etc/tls/private
+ # name: oauth-proxy-tls
+ - mountPath: /etc/proxy/secrets
+ name: oauth-proxy
+ resources:
+ limits:
+ cpu: 100m
+ memory: 64Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ readinessProbe:
+ httpGet:
+ path: /oauth/healthz
+ port: oauth-proxy
+ scheme: HTTP
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+ periodSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ livenessProbe:
+ httpGet:
+ path: /oauth/healthz
+ port: oauth-proxy
+ scheme: HTTP
+ initialDelaySeconds: 30
+ timeoutSeconds: 1
+ periodSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ serviceAccountName: oauth-proxy
+ volumes:
+ # - name: oauth-proxy-tls
+ # secret:
+ # defaultMode: 420
+ # secretName: oauth-proxy-tls
+ - name: oauth-proxy
+ secret:
+ defaultMode: 420
+ secretName: oauth-proxy
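Review bot: The `SAR` env value hardcodes `"resourceName":"reverse-words","namespace":"reverse-words"` in a base that sets no namespace of its own, so every consumer of this base authorizes users against that one namespace unless an overlay patches the value, and the default overlay in the last hunk does not. A comment above the `SAR` entry such as `# Authorization check: callers must be able to GET this namespace; override per overlay` plus an overlay patch or kustomize replacement would make the dependency explicit. Separately, `-skip-auth-regex=^/metrics` lets unauthenticated requests through the Route reach the upstream's /metrics path; if that is intended for in-cluster scraping, say so in a comment (`# /metrics is served unauthenticated for Prometheus scraping`) so the exception is not copied into other bases unreviewed.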
diff --git a/components/configs/kustomized/oauth-proxy/base/kustomization.yaml b/components/configs/kustomized/oauth-proxy/base/kustomization.yaml
new file mode 100644
index 00000000..d2a898fc
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- deployment.yaml
+- route.yaml
+- sa.yaml
+- secret.yaml
+- service.yaml
diff --git a/components/configs/kustomized/oauth-proxy/base/route.yaml b/components/configs/kustomized/oauth-proxy/base/route.yaml
new file mode 100644
index 00000000..98280583
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/route.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: oauth-proxy
+ labels:
+ app: oauth-proxy
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ port:
+ targetPort: 8888
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ to:
+ kind: Service
+ name: oauth-proxy
+ weight: 100
+ wildcardPolicy: None
diff --git a/components/configs/kustomized/oauth-proxy/base/sa.yaml b/components/configs/kustomized/oauth-proxy/base/sa.yaml
new file mode 100644
index 00000000..879379bb
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/sa.yaml
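Review bot: `termination: edge` here, together with `-https-address=` left empty in deployment.yaml, means TLS ends at the router and the router-to-pod hop to port 8888 is plaintext; the commented-out `-tls-cert`/`-tls-key` args, `oauth-proxy-tls` volume and serving-cert Service annotation are the pieces of the reencrypt alternative. That is a legitimate trade-off inside the cluster network, but nothing records it, so the next maintainer cannot tell whether the commented blocks are abandoned or intended. A comment on the `tls:` stanza such as `# edge termination: proxy listens HTTP-only on 8888; to move to reencrypt, enable the serving-cert blocks in deployment.yaml and service.yaml and set termination: reencrypt` would capture the decision. `targetPort: 8888` does match the Service's `proxy` port, so the wiring itself is consistent.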
@@ -0,0 +1,24 @@
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ annotations:
+ serviceaccounts.openshift.io/oauth-redirectreference.oauth-proxy: >-
+ {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"oauth-proxy"}}
+ name: oauth-proxy
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRoleBinding
+# metadata:
+# # Without this role your oauth-proxy will output
+# # Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden:
+# # User "system:serviceaccount:reverse-words:reversewords" cannot create resource "tokenreviews" in API
+# # group "authentication.k8s.io" at the cluster scope
+# name: oauth-proxy-tokenreviews
+# roleRef:
+# apiGroup: rbac.authorization.k8s.io
+# kind: ClusterRole
+# name: system:auth-delegator
+# subjects:
+# - kind: ServiceAccount
+# name: oauth-proxy
diff --git a/components/configs/kustomized/oauth-proxy/base/secret.yaml b/components/configs/kustomized/oauth-proxy/base/secret.yaml
new file mode 100644
index 00000000..a8086e53
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/secret.yaml
@@ -0,0 +1,6 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: oauth-proxy
+stringData:
+ session_secret: 'change me'
diff --git a/components/configs/kustomized/oauth-proxy/base/service.yaml b/components/configs/kustomized/oauth-proxy/base/service.yaml
new file mode 100644
index 00000000..78442c0b
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/base/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ # annotations:
+ # service.alpha.openshift.io/serving-cert-secret-name: oauth-proxy-tls
+ labels:
+ name: oauth-proxy
+ name: oauth-proxy
+spec:
+ ports:
+ - name: proxy
+ port: 8888
+ protocol: TCP
+ targetPort: oauth-proxy
+ - name: app
+ port: 8080
+ protocol: TCP
+ targetPort: app
+ selector:
+ name: oauth-proxy
+ sessionAffinity: None
+ type: ClusterIP
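Review bot: The commented-out ClusterRoleBinding would not work if simply uncommented: a `ServiceAccount` subject in a ClusterRoleBinding requires a `namespace` field next to `name: oauth-proxy`, and none is given. Its explanatory comment also quotes an error for `system:serviceaccount:reverse-words:reversewords`, which is not the `oauth-proxy` account this file creates, so it reads as a leftover from the linked article rather than a description of this deployment. Since `-openshift-sar` and `-openshift-service-account` in deployment.yaml depend on the proxy being allowed to make the token-review calls that the quoted error describes, the file should state why the binding is disabled, e.g. `# system:auth-delegator is bound to this SA outside this kustomization; kept for reference` or whichever reason applies, and carry a `namespace:` line under the subject so it is correct when re-enabled.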
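Review bot: `session_secret: 'change me'` commits a known placeholder as the cookie secret, and the default overlay in the last hunk only pulls in `../../base` without overriding it, so a deployment straight from this repository would sign its session cookies with a value every reader of the repository knows. Prefer a `secretGenerator` in the overlay (or an external secrets mechanism) and drop the literal from the base; at minimum add `# placeholder only — every overlay MUST replace this before deploying` above the key so the value is not mistaken for a default.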
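Review bot: The second Service port, `name: app` with `targetPort: app`, refers to a named container port that the oauth-proxy pod in deployment.yaml never declares (its only port is `oauth-proxy` on 8888), and `UPSTREAM` points at `http://httpd:8080`, a separate Service rather than a sidecar, so this port can never resolve to an endpoint. Beyond being dead configuration, a Service port that reaches the upstream directly would let in-cluster clients skip the proxy's authentication if a sidecar exposing a port named `app` is ever added; drop the `app` entry, or keep it with `# only meaningful when the upstream runs as a sidecar exposing a port named "app" — it bypasses the proxy` so the implication is visible. The commented serving-cert annotation pairs with the commented TLS blocks in deployment.yaml and should be documented together with them.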
diff --git a/components/configs/kustomized/oauth-proxy/overlays/default/kustomization.yaml b/components/configs/kustomized/oauth-proxy/overlays/default/kustomization.yaml
new file mode 100644
index 00000000..2b87e6b1
--- /dev/null
+++ b/components/configs/kustomized/oauth-proxy/overlays/default/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base