longhorn/vault: gate via oauth2-proxy

2025-12-07 19:44:02 -03:00 · 2025-12-07 19:44:02 -03:00 · 6c62d42f7a
commit 6c62d42f7a
parent a7e9f1f7d8
8 changed files with 213 additions and 8 deletions
--- a/infrastructure/longhorn/ui-ingress/ingress.yaml
+++ b/infrastructure/longhorn/ui-ingress/ingress.yaml
@ -7,7 +7,7 @@ metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: ""
 spec:
  ingressClassName: traefik
  tls:
@ -21,6 +21,6 @@ spec:
            pathType: Prefix
            backend:
              service:
-                name: longhorn-frontend
+                name: oauth2-proxy-longhorn
                port:
                  number: 80
--- a/infrastructure/longhorn/ui-ingress/kustomization.yaml
+++ b/infrastructure/longhorn/ui-ingress/kustomization.yaml
@ -4,3 +4,4 @@ kind: Kustomization
 resources:
  - middleware.yaml
  - ingress.yaml
+  - oauth2-proxy-longhorn.yaml
--- a/infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
+++ b/infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
@ -0,0 +1,102 @@
+# infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy-longhorn
+  namespace: longhorn-system
+  labels:
+    app: oauth2-proxy-longhorn
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 4180
+  selector:
+    app: oauth2-proxy-longhorn
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy-longhorn
+  namespace: longhorn-system
+  labels:
+    app: oauth2-proxy-longhorn
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: oauth2-proxy-longhorn
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy-longhorn
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/worker: "true"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 90
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values: ["rpi5","rpi4"]
+      containers:
+        - name: oauth2-proxy
+          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - --provider=oidc
+            - --redirect-url=https://longhorn.bstein.dev/oauth2/callback
+            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+            - --scope=openid profile email groups
+            - --email-domain=*
+            - --allowed-group=admin
+            - --set-xauthrequest=true
+            - --pass-access-token=true
+            - --set-authorization-header=true
+            - --cookie-secure=true
+            - --cookie-samesite=lax
+            - --cookie-refresh=20m
+            - --cookie-expire=168h
+            - --insecure-oidc-allow-unverified-email=true
+            - --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local
+            - --http-address=0.0.0.0:4180
+            - --skip-provider-button=true
+            - --skip-jwt-bearer-tokens=true
+            - --oidc-groups-claim=groups
+            - --cookie-domain=longhorn.bstein.dev
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-longhorn-oidc
+                  key: client_id
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-longhorn-oidc
+                  key: client_secret
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-longhorn-oidc
+                  key: cookie_secret
+          ports:
+            - containerPort: 4180
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 4180
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 4180
+            initialDelaySeconds: 20
+            periodSeconds: 20
--- a/services/oauth2-proxy/deployment.yaml
+++ b/services/oauth2-proxy/deployment.yaml
@ -35,7 +35,7 @@ spec:
            - --provider=oidc
            - --redirect-url=https://auth.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
-            - --scope=openid profile email
+            - --scope=openid profile email groups
            - --email-domain=*
            - --set-xauthrequest=true
            - --pass-access-token=true
--- a/services/oauth2-proxy/middleware-errors.yaml
+++ b/services/oauth2-proxy/middleware-errors.yaml
@ -8,6 +8,7 @@ spec:
  errors:
    status:
      - "401"
+      - "403"
    service:
      name: oauth2-proxy
      port: 80
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@ -7,9 +7,7 @@ metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd
-    traefik.ingress.kubernetes.io/service.serversscheme: https
-    traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: ""
 spec:
  ingressClassName: traefik
  tls:
@ -23,6 +21,6 @@ spec:
            pathType: Prefix
            backend:
              service:
-                name: vault-ui
+                name: oauth2-proxy-vault
                port:
-                  number: 8200
+                  number: 80
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@ -9,3 +9,4 @@ resources:
  - ingress.yaml
  - middleware.yaml
  - serverstransport.yaml
+  - oauth2-proxy-vault.yaml
--- a/services/vault/oauth2-proxy-vault.yaml
+++ b/services/vault/oauth2-proxy-vault.yaml
@ -0,0 +1,102 @@
+# services/vault/oauth2-proxy-vault.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy-vault
+  labels:
+    app: oauth2-proxy-vault
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: 4180
+  selector:
+    app: oauth2-proxy-vault
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy-vault
+  labels:
+    app: oauth2-proxy-vault
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: oauth2-proxy-vault
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy-vault
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/worker: "true"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 80
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64
+                      - arm
+      containers:
+        - name: oauth2-proxy
+          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+          args:
+            - --provider=oidc
+            - --redirect-url=https://secret.bstein.dev/oauth2/callback
+            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+            - --scope=openid profile email groups
+            - --email-domain=*
+            - --set-xauthrequest=true
+            - --pass-access-token=true
+            - --set-authorization-header=true
+            - --cookie-secure=true
+            - --cookie-samesite=lax
+            - --cookie-refresh=20m
+            - --cookie-expire=168h
+            - --insecure-oidc-allow-unverified-email=true
+            - --upstream=https://vault-ui.vault.svc.cluster.local:8200
+            - --ssl-insecure-skip-verify=true
+            - --http-address=0.0.0.0:4180
+            - --skip-provider-button=true
+            - --skip-jwt-bearer-tokens=true
+            - --oidc-groups-claim=groups
+            - --allowed-group=admin
+            - --cookie-domain=secret.bstein.dev
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-vault-oidc
+                  key: client_id
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-vault-oidc
+                  key: client_secret
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-vault-oidc
+                  key: cookie_secret
+          ports:
+            - containerPort: 4180
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 4180
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 4180
+            initialDelaySeconds: 20
+            periodSeconds: 20