From 6c62d42f7ab057ffac208878d4f3235279172115 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 7 Dec 2025 19:44:02 -0300
Subject: [PATCH] longhorn/vault: gate via oauth2-proxy
---
.../longhorn/ui-ingress/ingress.yaml | 4 +-
.../longhorn/ui-ingress/kustomization.yaml | 1 +
.../ui-ingress/oauth2-proxy-longhorn.yaml | 102 ++++++++++++++++++
services/oauth2-proxy/deployment.yaml | 2 +-
services/oauth2-proxy/middleware-errors.yaml | 1 +
services/vault/ingress.yaml | 8 +-
services/vault/kustomization.yaml | 1 +
services/vault/oauth2-proxy-vault.yaml | 102 ++++++++++++++++++
8 files changed, 213 insertions(+), 8 deletions(-)
create mode 100644 infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
create mode 100644 services/vault/oauth2-proxy-vault.yaml
diff --git a/infrastructure/longhorn/ui-ingress/ingress.yaml b/infrastructure/longhorn/ui-ingress/ingress.yaml
index 8f55b82..94daeed 100644
--- a/infrastructure/longhorn/ui-ingress/ingress.yaml
+++ b/infrastructure/longhorn/ui-ingress/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: ""
spec:
ingressClassName: traefik
tls:
@@ -21,6 +21,6 @@ spec:
pathType: Prefix
backend:
service:
- name: longhorn-frontend
+ name: oauth2-proxy-longhorn
port:
number: 80
diff --git a/infrastructure/longhorn/ui-ingress/kustomization.yaml b/infrastructure/longhorn/ui-ingress/kustomization.yaml
index 1d497dc..a2ae5f3 100644
--- a/infrastructure/longhorn/ui-ingress/kustomization.yaml
+++ b/infrastructure/longhorn/ui-ingress/kustomization.yaml
@@ -4,3 +4,4 @@ kind: Kustomization
resources:
- middleware.yaml
- ingress.yaml
+ - oauth2-proxy-longhorn.yaml
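Review bot: The new `traefik.ingress.kubernetes.io/router.middlewares: ""` line in the first ingress.yaml hunk leaves an empty annotation rather than removing it; depending on how Traefik splits that value it may try to resolve a middleware with an empty name and refuse the router, so deleting the annotation line is the safer form. The removed value also carried `longhorn-system-longhorn-headers@kubernetescrd`, and nothing in this commit re-applies that middleware (presumably response/security headers) in front of the oauth2-proxy hop, while `middleware.yaml` stays listed in kustomization.yaml, so the forward-auth objects it defines linger unused. Either reattach the headers middleware as `traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-headers@kubernetescrd` or state in the commit why it is no longer needed. The same empty-annotation pattern appears in the `services/vault/ingress.yaml` hunk.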
diff --git a/infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml b/infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
new file mode 100644
index 0000000..b8d4f34
--- /dev/null
+++ b/infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
@@ -0,0 +1,102 @@
+# infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy-longhorn
+ namespace: longhorn-system
+ labels:
+ app: oauth2-proxy-longhorn
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy-longhorn
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy-longhorn
+ namespace: longhorn-system
+ labels:
+ app: oauth2-proxy-longhorn
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: oauth2-proxy-longhorn
+ template:
+ metadata:
+ labels:
+ app: oauth2-proxy-longhorn
+ spec:
+ nodeSelector:
+ node-role.kubernetes.io/worker: "true"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 90
+ preference:
+ matchExpressions:
+ - key: hardware
+ operator: In
+ values: ["rpi5","rpi4"]
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - --provider=oidc
+ - --redirect-url=https://longhorn.bstein.dev/oauth2/callback
+ - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+ - --scope=openid profile email groups
+ - --email-domain=*
+ - --allowed-group=admin
+ - --set-xauthrequest=true
+ - --pass-access-token=true
+ - --set-authorization-header=true
+ - --cookie-secure=true
+ - --cookie-samesite=lax
+ - --cookie-refresh=20m
+ - --cookie-expire=168h
+ - --insecure-oidc-allow-unverified-email=true
+ - --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local
+ - --http-address=0.0.0.0:4180
+ - --skip-provider-button=true
+ - --skip-jwt-bearer-tokens=true
+ - --oidc-groups-claim=groups
+ - --cookie-domain=longhorn.bstein.dev
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-longhorn-oidc
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-longhorn-oidc
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-longhorn-oidc
+ key: cookie_secret
+ ports:
+ - containerPort: 4180
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 20
+ periodSeconds: 20
diff --git a/services/oauth2-proxy/deployment.yaml b/services/oauth2-proxy/deployment.yaml
index 03d30c1..7c22a93 100644
--- a/services/oauth2-proxy/deployment.yaml
+++ b/services/oauth2-proxy/deployment.yaml
@@ -35,7 +35,7 @@ spec:
- --provider=oidc
- --redirect-url=https://auth.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- - --scope=openid profile email
+ - --scope=openid profile email groups
- --email-domain=*
- --set-xauthrequest=true
- --pass-access-token=true
diff --git a/services/oauth2-proxy/middleware-errors.yaml b/services/oauth2-proxy/middleware-errors.yaml
index ee0c786..55e092a 100644
--- a/services/oauth2-proxy/middleware-errors.yaml
+++ b/services/oauth2-proxy/middleware-errors.yaml
@@ -8,6 +8,7 @@ spec:
errors:
status:
- "401"
+ - "403"
service:
name: oauth2-proxy
port: 80
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 6115e38..d61d4bc 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,9 +7,7 @@ metadata:
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd
- traefik.ingress.kubernetes.io/service.serversscheme: https
- traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: ""
spec:
ingressClassName: traefik
tls:
@@ -23,6 +21,6 @@ spec:
pathType: Prefix
backend:
service:
- name: vault-ui
+ name: oauth2-proxy-vault
port:
- number: 8200
+ number: 80
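Review bot: `--insecure-oidc-allow-unverified-email=true` in the args of oauth2-proxy-longhorn.yaml lets the proxy open a session for an account whose email the issuer has not verified; combined with `--email-domain=*` that leaves `--allowed-group=admin` as the only authorization check, so either drop the flag (the realm can require verified email instead) or record in a comment next to it why it is needed. `--pass-access-token=true` and `--set-authorization-header=true` also forward the IdP tokens to `longhorn-frontend`, which does not consume them, so removing those two args keeps the tokens out of the upstream pod. The Deployment carries no `securityContext` (e.g. `runAsNonRoot: true`, `readOnlyRootFilesystem: true`) and no `resources`, which the twin Deployment in `services/vault/oauth2-proxy-vault.yaml` lacks as well.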
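Review bot: Adding `groups` to `--scope` in services/oauth2-proxy/deployment.yaml only makes the claim available; nothing in this hunk enforces group membership on the shared proxy behind `auth.bstein.dev`, so unless an `--allowed-group` line exists outside the hunk, any authenticated realm user still passes forward-auth. If parity with the new per-service proxies is intended, add `- --allowed-group=admin` beside it; otherwise a short comment such as `# groups scope is for header pass-through only; no group check here` stops the next reader from assuming enforcement. The args list starts before the hunk.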
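Review bot: Routing `"403"` through the errors middleware in middleware-errors.yaml means every upstream 403, including an application's own permission denial for a user who is already signed in, is replaced by the oauth2-proxy response; for a signed-in user who lacks the required group this can become a loop between the sign-in redirect and the 403. Confirm the intent is specifically the forward-auth denial from oauth2-proxy and, if so, document the trade-off inline with `# 403: oauth2-proxy group denial, not application-level forbidden`. The Middleware spec continues outside the hunk.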
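Review bot: Dropping `service.serversscheme: https` and `service.serversTransport: vault-vault-to-https@kubernetescrd` from services/vault/ingress.yaml moves the TLS hop to Vault out of Traefik's ServersTransport (which presumably carried the Vault CA) into oauth2-proxy, and the new Deployment compensates with `--ssl-insecure-skip-verify=true` instead of a trusted CA, so the in-cluster leg to Vault loses certificate authentication. `serverstransport.yaml` is still listed in `services/vault/kustomization.yaml`, so the ServersTransport object is left behind unused; either remove it or keep using it. The empty `router.middlewares: ""` annotation is better removed than left as an empty value.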
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 4c3fbc5..4c0f07e 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
- ingress.yaml
- middleware.yaml
- serverstransport.yaml
+ - oauth2-proxy-vault.yaml
diff --git a/services/vault/oauth2-proxy-vault.yaml b/services/vault/oauth2-proxy-vault.yaml
new file mode 100644
index 0000000..e79a142
--- /dev/null
+++ b/services/vault/oauth2-proxy-vault.yaml
@@ -0,0 +1,102 @@
+# services/vault/oauth2-proxy-vault.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy-vault
+ labels:
+ app: oauth2-proxy-vault
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy-vault
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy-vault
+ labels:
+ app: oauth2-proxy-vault
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: oauth2-proxy-vault
+ template:
+ metadata:
+ labels:
+ app: oauth2-proxy-vault
+ spec:
+ nodeSelector:
+ node-role.kubernetes.io/worker: "true"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 80
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - arm64
+ - arm
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ args:
+ - --provider=oidc
+ - --redirect-url=https://secret.bstein.dev/oauth2/callback
+ - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+ - --scope=openid profile email groups
+ - --email-domain=*
+ - --set-xauthrequest=true
+ - --pass-access-token=true
+ - --set-authorization-header=true
+ - --cookie-secure=true
+ - --cookie-samesite=lax
+ - --cookie-refresh=20m
+ - --cookie-expire=168h
+ - --insecure-oidc-allow-unverified-email=true
+ - --upstream=https://vault-ui.vault.svc.cluster.local:8200
+ - --ssl-insecure-skip-verify=true
+ - --http-address=0.0.0.0:4180
+ - --skip-provider-button=true
+ - --skip-jwt-bearer-tokens=true
+ - --oidc-groups-claim=groups
+ - --allowed-group=admin
+ - --cookie-domain=secret.bstein.dev
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-vault-oidc
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-vault-oidc
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-vault-oidc
+ key: cookie_secret
+ ports:
+ - containerPort: 4180
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 20
+ periodSeconds: 20
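Review bot: `--ssl-insecure-skip-verify=true` in the args list disables certificate verification for the OIDC provider (`sso.bstein.dev`), not for the upstream; oauth2-proxy's upstream-side flag is `--ssl-upstream-insecure-skip-verify`, so as written the proxy may still fail to reach `https://vault-ui.vault.svc.cluster.local:8200` while trusting an unverified issuer during token exchange. Remove the flag and make the Vault CA available to the container instead (the ServersTransport this commit stops using presumably held it), or if verification of the upstream genuinely must be skipped, use the upstream-specific flag and leave provider verification on. `--set-authorization-header=true` sends the IdP ID token to Vault as `Authorization: Bearer …`, a header Vault reads as a Vault token, so it is at best ignored and at worst rejected; drop it together with `--pass-access-token=true`, which Vault does not consume either. `--insecure-oidc-allow-unverified-email=true` and the missing `securityContext`/`resources` mirror the longhorn copy and deserve the same treatment.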