diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index d61d4bc..306556d 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,7 +7,9 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: ""
+ traefik.ingress.kubernetes.io/router.middlewares: vault-vault-basicauth@kubernetescrd
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+ traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
@@ -21,6 +23,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: oauth2-proxy-vault
+ name: vault-ui
 port:
- number: 80
+ number: 8200
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 4c0f07e..4c3fbc5 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -9,4 +9,3 @@ resources:
 - ingress.yaml
 - middleware.yaml
 - serverstransport.yaml
- - oauth2-proxy-vault.yaml
diff --git a/services/vault/middleware.yaml b/services/vault/middleware.yaml
index 8a39bf9..0a41961 100644
--- a/services/vault/middleware.yaml
+++ b/services/vault/middleware.yaml
@@ -2,14 +2,8 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
- name: vault-forward-auth
+ name: vault-basicauth
 namespace: vault
 spec:
- forwardAuth:
- address: https://auth.bstein.dev/oauth2/auth
- trustForwardHeader: true
- authResponseHeaders:
- - Authorization
- - X-Auth-Request-Email
- - X-Auth-Request-User
- - X-Auth-Request-Groups
+ basicAuth:
+ secret: vault-basic-auth
diff --git a/services/vault/oauth2-proxy-vault.yaml b/services/vault/oauth2-proxy-vault.yaml
deleted file mode 100644
index e79a142..0000000
--- a/services/vault/oauth2-proxy-vault.yaml
+++ /dev/null
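Review bot: The new `router.middlewares` value replaces an OIDC forward-auth gate that restricted access to the `admin` group (the deleted oauth2-proxy ran with `--allowed-group=admin`) with a single shared-credential basicAuth, so group authorization, IdP session expiry and any MFA enforced upstream disappear from this edge, and nothing in the diff adds a rateLimit middleware against password guessing. If this is a stop-gap, chain one (`vault-vault-basicauth@kubernetescrd,vault-vault-ratelimit@kubernetescrd`) and mark the downgrade above the annotation: `# TEMP: basicAuth stands in for OIDC forward-auth (admin group only) — restore SSO`. The `vault-vault-to-https` ServersTransport is not in this diff; the oauth2-proxy it replaces reached `vault-ui:8200` with `--ssl-insecure-skip-verify=true`, so confirm the transport pins Vault's CA via `rootCAsSecrets` rather than setting `insecureSkipVerify: true`, or the Traefik→Vault hop is encrypted but not authenticated. Minor: the documented annotation is lowercase `service.serverstransport` (Traefik's parser is case-insensitive as far as I recall, but matching the sibling `serversscheme` spelling avoids a reader assuming a typo); the enclosing `metadata:` block starts before the hunk.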
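Review bot: The new `basicAuth` block leaves Traefik's default `removeHeader: false`, so the client's `Authorization: Basic …` header is forwarded to Vault on every request; add `removeHeader: true` under `basicAuth:` so the shared gateway credential never reaches the backend or its request logs (Vault reads bearer tokens from that same header, as far as I know, so stripping it also avoids any confusion there). The referenced `vault-basic-auth` Secret is not in the diff — it must carry a `users` key with htpasswd lines, and those should be bcrypt rather than the MD5/crypt hashes Traefik also accepts. Dropping `forwardAuth` also drops the `X-Auth-Request-*` identity headers, so there is no longer a per-user trail at the edge of who reached the UI; document that above `basicAuth:` with `# shared gateway credential only — no per-user identity; OIDC forward-auth removed, see git history`.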
@@ -1,102 +0,0 @@ -# services/vault/oauth2-proxy-vault.yaml -apiVersion: v1 -kind: Service -metadata: - name: oauth2-proxy-vault - labels: - app: oauth2-proxy-vault -spec: - ports: - - name: http - port: 80 - targetPort: 4180 - selector: - app: oauth2-proxy-vault - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: oauth2-proxy-vault - labels: - app: oauth2-proxy-vault -spec: - replicas: 2 - selector: - matchLabels: - app: oauth2-proxy-vault - template: - metadata: - labels: - app: oauth2-proxy-vault - spec: - nodeSelector: - node-role.kubernetes.io/worker: "true" - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 80 - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - arm64 - - arm - containers: - - name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 - args: - - --provider=oidc - - --redirect-url=https://secret.bstein.dev/oauth2/callback - - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - - --scope=openid profile email groups - - --email-domain=* - - --set-xauthrequest=true - - --pass-access-token=true - - --set-authorization-header=true - - --cookie-secure=true - - --cookie-samesite=lax - - --cookie-refresh=20m - - --cookie-expire=168h - - --insecure-oidc-allow-unverified-email=true - - --upstream=https://vault-ui.vault.svc.cluster.local:8200 - - --ssl-insecure-skip-verify=true - - --http-address=0.0.0.0:4180 - - --skip-provider-button=true - - --skip-jwt-bearer-tokens=true - - --oidc-groups-claim=groups - - --allowed-group=admin - - --cookie-domain=secret.bstein.dev - env: - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-proxy-vault-oidc - key: client_id - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy-vault-oidc - key: client_secret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy-vault-oidc - key: cookie_secret - ports: - - containerPort: 4180 
- name: http - readinessProbe: - httpGet: - path: /ping - port: 4180 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /ping - port: 4180 - initialDelaySeconds: 20 - periodSeconds: 20 diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml index 75ec998..3425535 100644 --- a/services/zot/ingress.yaml +++ b/services/zot/ingress.yaml @@ -8,7 +8,7 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt-prod traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" - traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd + traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd spec: ingressClassName: traefik tls: diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml index cc76d5f..166b070 100644 --- a/services/zot/middleware.yaml +++ b/services/zot/middleware.yaml @@ -24,20 +24,3 @@ spec: - PUT - PATCH - DELETE - ---- - -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: zot-forward-auth - namespace: zot -spec: - forwardAuth: - address: https://auth.bstein.dev/oauth2/auth - trustForwardHeader: true - authResponseHeaders: - - Authorization - - X-Auth-Request-Email - - X-Auth-Request-User - - X-Auth-Request-Groups
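Review bot: Removing `zot-zot-forward-auth` from `router.middlewares` leaves this ingress with only `zot-zot-resp-headers`, so the registry API on the `websecure` entrypoint is reachable with no gateway authentication unless zot enforces its own (its config is not in this diff, so I cannot tell). Unlike the vault ingress in the same commit, nothing replaces the gate here, and the context lines of the zot middleware hunk list `PUT`/`PATCH`/`DELETE` in a method allow-list (presumably CORS), so writes would also pass the edge unauthenticated. Either confirm zot's `http.auth` (htpasswd or openid) is configured and say so above the annotation, `# no edge auth: zot enforces htpasswd/OIDC itself (see zot config)`, or chain a basicAuth middleware here as the vault ingress does. The enclosing `metadata:` block starts before the hunk.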