diff --git a/infrastructure/longhorn/ui-ingress/ingress.yaml b/infrastructure/longhorn/ui-ingress/ingress.yaml index e9905ba..8f55b82 100644 --- a/infrastructure/longhorn/ui-ingress/ingress.yaml +++ b/infrastructure/longhorn/ui-ingress/ingress.yaml @@ -7,7 +7,7 @@ metadata: annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" - traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd spec: ingressClassName: traefik tls: diff --git a/infrastructure/longhorn/ui-ingress/middleware.yaml b/infrastructure/longhorn/ui-ingress/middleware.yaml index c670cef..abc2a64 100644 --- a/infrastructure/longhorn/ui-ingress/middleware.yaml +++ b/infrastructure/longhorn/ui-ingress/middleware.yaml @@ -20,3 +20,20 @@ spec: headers: customRequestHeaders: X-Forwarded-Proto: "https" + +--- + +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: longhorn-forward-auth + namespace: longhorn-system +spec: + forwardAuth: + address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth + trustForwardHeader: true + authResponseHeaders: + - Authorization + - X-Auth-Request-Email + - X-Auth-Request-User + - X-Auth-Request-Groups diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml index fa43bc2..6115e38 100644 --- a/services/vault/ingress.yaml +++ b/services/vault/ingress.yaml @@ -7,7 +7,7 @@ metadata: annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd traefik.ingress.kubernetes.io/service.serversscheme: https traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd spec: diff --git a/services/vault/middleware.yaml b/services/vault/middleware.yaml index 0a41961..0f4388e 100644 --- a/services/vault/middleware.yaml +++ b/services/vault/middleware.yaml @@ -2,8 +2,14 @@ apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: vault-basicauth + name: vault-forward-auth namespace: vault spec: - basicAuth: - secret: vault-basic-auth + forwardAuth: + address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth + trustForwardHeader: true + authResponseHeaders: + - Authorization + - X-Auth-Request-Email + - X-Auth-Request-User + - X-Auth-Request-Groups diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml index 10a0743..75ec998 100644 --- a/services/zot/ingress.yaml +++ b/services/zot/ingress.yaml @@ -8,7 +8,7 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt-prod traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" - traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd spec: ingressClassName: traefik tls: diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml index 166b070..a7a294d 100644 --- a/services/zot/middleware.yaml +++ b/services/zot/middleware.yaml @@ -24,3 +24,20 @@ spec: - PUT - PATCH - DELETE + +--- + +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: zot-forward-auth + namespace: zot +spec: + forwardAuth: + address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth + trustForwardHeader: true + authResponseHeaders: + - Authorization + - X-Auth-Request-Email + - X-Auth-Request-User + - X-Auth-Request-Groups