add oauth2-proxy for SSO forward-auth

This commit is contained in:
Brad Stein 2025-12-06 14:42:24 -03:00
parent 598bdfc727
commit a55502fe27
7 changed files with 150 additions and 0 deletions


@ -14,3 +14,4 @@ resources:
- xmr-miner/kustomization.yaml
- sui-metrics/kustomization.yaml
- keycloak/kustomization.yaml
- oauth2-proxy/kustomization.yaml


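--- /dev/null
+++ b/clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,15 @@
+# clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: oauth2-proxy
+namespace: flux-system
+spec:
+interval: 10m
+prune: true
+sourceRef:
+kind: GitRepository
+name: flux-system
+path: ./services/oauth2-proxy
+targetNamespace: sso
+timeout: 2m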
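Review bot: oauth2-proxy resolves `--oidc-issuer-url` against the realm's discovery endpoint at startup, so if the `keycloak` Kustomization listed next to this one in the flux-system resource list is what serves `sso.bstein.dev`, this Kustomization should declare `dependsOn: [{name: keycloak}]` so Flux does not reconcile the proxy before its issuer exists; otherwise the pods crash-loop until Keycloak is up. The `oauth2-proxy-oidc` Secret the Deployment reads is not part of this commit either — presumably it comes from a sealed/SOPS secret elsewhere, but it is worth confirming it is not being applied by hand, since nothing here manages it. Consider `wait: true` as well, so the Kustomization reports unhealthy while the Deployment is failing instead of showing Ready as soon as the manifests apply.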


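--- /dev/null
+++ b/services/oauth2-proxy/deployment.yaml
@@ -0,0 +1,71 @@
+# services/oauth2-proxy/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: oauth2-proxy
+namespace: sso
+labels:
+app: oauth2-proxy
+spec:
+replicas: 2
+selector:
+matchLabels:
+app: oauth2-proxy
+template:
+metadata:
+labels:
+app: oauth2-proxy
+spec:
+containers:
+- name: oauth2-proxy
+image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+imagePullPolicy: IfNotPresent
+args:
+- --provider=oidc
+- --redirect-url=https://auth.bstein.dev/oauth2/callback
+- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+- --scope=openid profile email groups
+- --email-domain=*
+- --set-xauthrequest=true
+- --pass-access-token=true
+- --set-authorization-header=true
+- --cookie-secure=true
+- --cookie-samesite=lax
+- --cookie-refresh=20m
+- --cookie-expire=168h
+- --upstream=static://200
+- --http-address=0.0.0.0:4180
+- --skip-provider-button=true
+- --skip-jwt-bearer-tokens=true
+- --oidc-groups-claim=groups
+env:
+- name: OAUTH2_PROXY_CLIENT_ID
+valueFrom:
+secretKeyRef:
+name: oauth2-proxy-oidc
+key: client_id
+- name: OAUTH2_PROXY_CLIENT_SECRET
+valueFrom:
+secretKeyRef:
+name: oauth2-proxy-oidc
+key: client_secret
+- name: OAUTH2_PROXY_COOKIE_SECRET
+valueFrom:
+secretKeyRef:
+name: oauth2-proxy-oidc
+key: cookie_secret
+ports:
+- containerPort: 4180
+name: http
+readinessProbe:
+httpGet:
+path: /ping
+port: 4180
+initialDelaySeconds: 5
+periodSeconds: 10
+livenessProbe:
+httpGet:
+path: /ping
+port: 4180
+initialDelaySeconds: 20
+periodSeconds: 20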
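Review bot: `--email-domain=*` with no `--allowed-group` (or `--allowed-role`) makes authentication the only gate: every account in the `atlas` realm is authorized for every application placed behind this forward-auth, and the `groups` claim requested via `--scope` and `--oidc-groups-claim` is only passed through to upstreams, never enforced. Add `--allowed-group=<keycloak-group>` (or enforce per app by appending `?allowed_groups=...` to the forwardAuth address) so group membership, not merely a realm login, decides access. Separately, the session cookie is scoped to `auth.bstein.dev` alone: if the protected apps live on other `bstein.dev` hosts (implied by the forward-auth design, not visible here), Traefik's calls to `/oauth2/auth` from those hosts will never carry the cookie and `rd=` returns to them will be refused, so `--cookie-domain=.bstein.dev`, `--whitelist-domain=.bstein.dev` and `--reverse-proxy=true` (to honour Traefik's `X-Forwarded-*` headers) are needed. `--skip-jwt-bearer-tokens=true` opens a second, cookie-less path in; keep it only if the realm's access tokens carry this client in `aud`, so tokens minted for other clients are rejected. The pod spec also has no `securityContext` or resource limits; `runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`, dropped capabilities and a memory limit are cheap for a stateless proxy.
```yaml
        args:
          # … unchanged: provider, redirect, issuer and scope flags …
          - --email-domain=*
          # Authorization: a realm login alone must not grant access; placeholder group name.
          - --allowed-group=<keycloak-group>
          # Session cookie and rd= redirects must cover the hosts Traefik protects.
          - --cookie-domain=.bstein.dev
          - --whitelist-domain=.bstein.dev
          # Honour X-Forwarded-* from Traefik when answering /oauth2/auth.
          - --reverse-proxy=true
          # … unchanged: remaining flags, env, ports, probes …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
```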


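--- /dev/null
+++ b/services/oauth2-proxy/ingress.yaml
@@ -0,0 +1,24 @@
+# services/oauth2-proxy/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: oauth2-proxy
+namespace: sso
+annotations:
+cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ingressClassName: traefik
+rules:
+- host: auth.bstein.dev
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: oauth2-proxy
+port:
+number: 80
+tls:
+- hosts: [auth.bstein.dev]
+secretName: auth-tls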
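Review bot: The Ingress publishes all of `/` on `auth.bstein.dev`, but the forward-auth flow only needs the `/oauth2/` endpoints (start, callback, sign_in, auth) to be reachable from outside; narrowing `path: /` to `path: /oauth2` keeps the static upstream, `/ping` and anything else the proxy serves off the public host. Whether plain HTTP is redirected to HTTPS depends on the Traefik entrypoint configuration, which is not in this commit; with `--cookie-secure=true` the login simply fails over HTTP rather than downgrading, which is the right failure, but pinning the router to the TLS entrypoint with `traefik.ingress.kubernetes.io/router.entrypoints: websecure` makes the intent explicit. Style nit: `hosts: [auth.bstein.dev]` is the only flow-style collection in these manifests; block style would match the rest.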


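--- /dev/null
+++ b/services/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,9 @@
+# services/oauth2-proxy/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sso
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- middleware.yaml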
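Review bot: `namespace: sso` is set and every resource carries it, but nothing in this commit creates the `sso` Namespace — the resource list has no `namespace.yaml`, and the Flux Kustomization's `targetNamespace: sso` only rewrites metadata, it does not create the namespace. If the keycloak Kustomization already owns `sso` (plausible given the issuer is `sso.bstein.dev`, but not visible here) this is fine; otherwise add `- namespace.yaml` with a `kind: Namespace` for `sso` so the first reconcile does not fail with "namespace not found".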


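--- /dev/null
+++ b/services/oauth2-proxy/middleware.yaml
@@ -0,0 +1,15 @@
+# services/oauth2-proxy/middleware.yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+name: oauth2-proxy-forward-auth
+namespace: sso
+spec:
+forwardAuth:
+address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth
+trustForwardHeader: true
+authResponseHeaders:
+- Authorization
+- X-Auth-Request-Email
+- X-Auth-Request-User
+- X-Auth-Request-Groups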
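Review bot: Pointing `forwardAuth.address` at `/oauth2/auth` gives an unauthenticated browser a bare `401` from Traefik rather than a redirect to the login page, because that endpoint only answers 202/401 and Traefik relays the auth server's non-2xx response as-is; the nginx-style pattern needs either a Traefik `errors` middleware chained before this one that sends 401 to `https://auth.bstein.dev/oauth2/start?rd={url}`, or `address: http://oauth2-proxy.sso.svc.cluster.local:4180/` together with `--reverse-proxy=true` on the proxy so oauth2-proxy issues the 302 itself and the `static://200` upstream answers once authenticated. `trustForwardHeader: true` passes the client-supplied `X-Forwarded-*` headers through to the proxy, which is only safe if the entrypoint's `forwardedHeaders.trustedIPs` is restricted, since oauth2-proxy derives its return URL from those headers once `--reverse-proxy` is on. Also, `X-Auth-Request-Access-Token` is not in `authResponseHeaders`, so `--pass-access-token=true` on the Deployment has no effect through this middleware; drop one or the other so the config does not suggest a token is being forwarded when it is not. If apps in other namespaces are meant to reference this Middleware, Traefik needs `allowCrossNamespace` enabled on the Kubernetes CRD provider, which is not visible here.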


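--- /dev/null
+++ b/services/oauth2-proxy/service.yaml
@@ -0,0 +1,15 @@
+# services/oauth2-proxy/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+name: oauth2-proxy
+namespace: sso
+labels:
+app: oauth2-proxy
+spec:
+selector:
+app: oauth2-proxy
+ports:
+- name: http
+port: 80
+targetPort: 4180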