diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 5eb7693..cbc0a74 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -24,6 +24,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: oauth2-proxy-vault
+ name: vault
 port:
- number: 80
+ number: 8200
diff --git a/services/vault/kustomization.yaml b/services/vault/kustomization.yaml
index 41d9ef4..745a278 100644
--- a/services/vault/kustomization.yaml
+++ b/services/vault/kustomization.yaml
@@ -9,5 +9,4 @@ resources:
 - ingress.yaml
 - middleware.yaml
 - serverstransport.yaml
- - oauth2-proxy-vault.yaml
 - oidc-bootstrap-job.yaml
diff --git a/services/vault/oauth2-proxy-vault.yaml b/services/vault/oauth2-proxy-vault.yaml
deleted file mode 100644
index 75e87bc..0000000
--- a/services/vault/oauth2-proxy-vault.yaml
+++ /dev/null
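Review bot: Pointing the backend at `vault:8200` removes the only layer that demanded an `admin`-group SSO session before a request reached Vault at all; from now on every unauthenticated Vault endpoint (`/v1/sys/health`, `/v1/sys/seal-status`, the `/v1/auth/*` login paths, the UI itself) is reachable from `secret.bstein.dev`, and the OIDC role's `bound_claims` on `groups` is the sole gate. That is a defensible design, since Vault's own auth is meant to be the trust boundary, but it should be stated where the next maintainer will look, e.g. a comment above the backend: `# Vault is exposed directly; access control is Vault's own OIDC auth (oidc-bootstrap-job.yaml), no proxy in front.` The deleted deployment's own comment says the Vault UI is served over plain HTTP on the service endpoint, so the Traefik-to-Vault hop is now cleartext unless `serverstransport.yaml` (still listed in the kustomization) configures TLS to that backend — worth confirming, as is that `middleware.yaml` no longer references the removed `oauth2-proxy-vault` service. The `oauth2-proxy-vault-oidc` Secret and its Keycloak client are now orphaned and presumably should be revoked rather than left behind. The ingress `spec` begins before this hunk.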
@@ -1,102 +0,0 @@ -# services/vault/oauth2-proxy-vault.yaml -apiVersion: v1 -kind: Service -metadata: - name: oauth2-proxy-vault - labels: - app: oauth2-proxy-vault -spec: - ports: - - name: http - port: 80 - targetPort: 4180 - selector: - app: oauth2-proxy-vault - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: oauth2-proxy-vault - labels: - app: oauth2-proxy-vault -spec: - replicas: 2 - selector: - matchLabels: - app: oauth2-proxy-vault - template: - metadata: - labels: - app: oauth2-proxy-vault - spec: - nodeSelector: - node-role.kubernetes.io/worker: "true" - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 80 - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - arm64 - - arm - containers: - - name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 - args: - - --provider=oidc - - --redirect-url=https://secret.bstein.dev/oauth2/callback - - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - - --scope=openid profile email groups - - --email-domain=* - - --set-xauthrequest=true - - --pass-access-token=true - - --set-authorization-header=true - - --cookie-secure=true - - --cookie-samesite=lax - - --cookie-refresh=20m - - --cookie-expire=168h - - --insecure-oidc-allow-unverified-email=true - # Vault UI is served over HTTP on the service endpoint. 
- - --upstream=http://vault.vault.svc.cluster.local:8200 - - --http-address=0.0.0.0:4180 - - --skip-provider-button=true - - --skip-jwt-bearer-tokens=true - - --oidc-groups-claim=groups - - --allowed-group=admin - - --cookie-domain=secret.bstein.dev - env: - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-proxy-vault-oidc - key: client_id - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy-vault-oidc - key: client_secret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy-vault-oidc - key: cookie_secret - ports: - - containerPort: 4180 - name: http - readinessProbe: - httpGet: - path: /ping - port: 4180 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /ping - port: 4180 - initialDelaySeconds: 20 - periodSeconds: 20 diff --git a/services/vault/oidc-bootstrap-job.yaml b/services/vault/oidc-bootstrap-job.yaml index df3347c..6567a71 100644 --- a/services/vault/oidc-bootstrap-job.yaml +++ b/services/vault/oidc-bootstrap-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: vault-oidc-bootstrap-3 + name: vault-oidc-bootstrap-4 namespace: vault labels: app: vault-oidc-bootstrap @@ -50,7 +50,8 @@ spec: oidc_client_secret="$OIDC_CLIENT_SECRET" \ default_role="admin" \ bound_issuer="https://sso.bstein.dev/realms/atlas" \ - allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback" + allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback" \ + allowed_redirect_uris="http://localhost:8250/oidc/callback" # Admin policy (wide permissions) vault policy write vault-admin - <<'EOF' 
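Review bot: The added `allowed_redirect_uris="http://localhost:8250/oidc/callback"` line sits among `auth/oidc/config` parameters (`oidc_client_secret`, `default_role`, `bound_issuer`), but `allowed_redirect_uris` is a role parameter, not a config one; Vault ignores it on the config endpoint (reporting it as an unrecognized parameter), so neither this copy nor the pre-existing one does anything, and the role JSON later in the job is what actually enforces the redirect allow-list. Repeating the key also relies on the CLI's behaviour of folding duplicate keys into a list, which is easy to misread as an override. I would drop both `allowed_redirect_uris=` lines here and end the command on `bound_issuer="https://sso.bstein.dev/realms/atlas"` without the trailing `\`, leaving the role as the single source of truth. The `vault write` command these continuation lines belong to starts outside the hunk.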
@@ -65,13 +66,16 @@ spec: "user_claim": "sub", "groups_claim": "groups", "bound_audiences": "oauth2-proxy", - "allowed_redirect_uris": "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback", + "allowed_redirect_uris": [ + "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback", + "http://localhost:8250/oidc/callback" + ], "claim_mappings": { "email": "email", "name": "name" }, "token_policies": ["vault-admin"], - "oidc_scopes": ["profile", "email", "groups"], + "oidc_scopes": ["openid", "profile", "email", "groups", "oauth2-proxy-audience"], "bound_claims": { "groups": ["admin"] } } EOF diff --git a/services/zot/oauth2-proxy-zot.yaml b/services/zot/oauth2-proxy-zot.yaml index 538deff..a3bdb55 100644 --- a/services/zot/oauth2-proxy-zot.yaml +++ b/services/zot/oauth2-proxy-zot.yaml @@ -51,7 +51,7 @@ spec: - --provider=oidc - --redirect-url=https://registry.bstein.dev/oauth2/callback - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - - --scope=openid profile email groups + - --scope=openid profile email groups oauth2-proxy-audience - --email-domain=* - --set-xauthrequest=true - --pass-access-token=true
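Review bot: `"bound_audiences": "oauth2-proxy"` survives a commit whose whole point is removing the oauth2-proxy in front of Vault, and the newly requested `oauth2-proxy-audience` scope — which the zot proxy in this same diff now requests too — is presumably the Keycloak client scope that stamps that `aud` onto tokens. Binding Vault's role to an audience shared with another client means an ID token minted for the registry proxy satisfies Vault's audience check; the browser flow's own client secret and the `groups` bound claim still limit the exposure, but the clean fix is a Vault-specific audience, e.g. `"bound_audiences": "<vault's own OIDC client_id>"` with the borrowed scope dropped from `oidc_scopes`. Listing `"openid"` in `oidc_scopes` is harmless but redundant, since Vault adds it itself. The array form of `allowed_redirect_uris` and the `http://localhost:8250/oidc/callback` entry (the listener `vault login -method=oidc` opens) look correct. The heredoc and the `vault write` that consumes it begin outside this hunk.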