bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sso: tighten zot and vault oidc flow

Browse Source
This commit is contained in:
Brad Stein 2025-12-10 11:16:50 -03:00
parent b8817ef0af
commit b39db83702
5 changed files with 11 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
services/vault/ingress.yaml
View File

@ -24,6 +24,6 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: oauth2-proxy-vault name: vault
port: port:
number: 80 number: 8200

1
services/vault/kustomization.yaml
View File

@ -9,5 +9,4 @@ resources:
- ingress.yaml - ingress.yaml
- middleware.yaml - middleware.yaml
- serverstransport.yaml - serverstransport.yaml
- oauth2-proxy-vault.yaml
- oidc-bootstrap-job.yaml - oidc-bootstrap-job.yaml

102
services/vault/oauth2-proxy-vault.yaml
View File

@ -1,102 +0,0 @@
# services/vault/oauth2-proxy-vault.yaml
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-vault
labels:
app: oauth2-proxy-vault
spec:
ports:
- name: http
port: 80
targetPort: 4180
selector:
app: oauth2-proxy-vault
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-vault
labels:
app: oauth2-proxy-vault
spec:
replicas: 2
selector:
matchLabels:
app: oauth2-proxy-vault
template:
metadata:
labels:
app: oauth2-proxy-vault
spec:
nodeSelector:
node-role.kubernetes.io/worker: "true"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 80
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- arm
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
args:
- --provider=oidc
- --redirect-url=https://secret.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- --scope=openid profile email groups
- --email-domain=*
- --set-xauthrequest=true
- --pass-access-token=true
- --set-authorization-header=true
- --cookie-secure=true
- --cookie-samesite=lax
- --cookie-refresh=20m
- --cookie-expire=168h
- --insecure-oidc-allow-unverified-email=true
# Vault UI is served over HTTP on the service endpoint.
- --upstream=http://vault.vault.svc.cluster.local:8200
- --http-address=0.0.0.0:4180
- --skip-provider-button=true
- --skip-jwt-bearer-tokens=true
- --oidc-groups-claim=groups
- --allowed-group=admin
- --cookie-domain=secret.bstein.dev
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-vault-oidc
key: client_id
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-vault-oidc
key: client_secret
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-vault-oidc
key: cookie_secret
ports:
- containerPort: 4180
name: http
readinessProbe:
httpGet:
path: /ping
port: 4180
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /ping
port: 4180
initialDelaySeconds: 20
periodSeconds: 20

12
services/vault/oidc-bootstrap-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: vault-oidc-bootstrap-3 name: vault-oidc-bootstrap-4
namespace: vault namespace: vault
labels: labels:
app: vault-oidc-bootstrap app: vault-oidc-bootstrap
@ -50,7 +50,8 @@ spec:
oidc_client_secret="$OIDC_CLIENT_SECRET" \ oidc_client_secret="$OIDC_CLIENT_SECRET" \
default_role="admin" \ default_role="admin" \
bound_issuer="https://sso.bstein.dev/realms/atlas" \ bound_issuer="https://sso.bstein.dev/realms/atlas" \
allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback" allowed_redirect_uris="https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback"
# Admin policy (wide permissions) # Admin policy (wide permissions)
vault policy write vault-admin - <<'EOF' vault policy write vault-admin - <<'EOF'
@ -65,13 +66,16 @@ spec:
"user_claim": "sub", "user_claim": "sub",
"groups_claim": "groups", "groups_claim": "groups",
"bound_audiences": "oauth2-proxy", "bound_audiences": "oauth2-proxy",
"allowed_redirect_uris": "https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback", "allowed_redirect_uris": [
"https://secret.bstein.dev/ui/vault/auth/oidc/oidc/callback",
"http://localhost:8250/oidc/callback"
],
"claim_mappings": { "claim_mappings": {
"email": "email", "email": "email",
"name": "name" "name": "name"
}, },
"token_policies": ["vault-admin"], "token_policies": ["vault-admin"],
"oidc_scopes": ["profile", "email", "groups"], "oidc_scopes": ["openid", "profile", "email", "groups", "oauth2-proxy-audience"],
"bound_claims": { "groups": ["admin"] } "bound_claims": { "groups": ["admin"] }
} }
EOF EOF

2
services/zot/oauth2-proxy-zot.yaml
View File

@ -51,7 +51,7 @@ spec:
- --provider=oidc - --provider=oidc
- --redirect-url=https://registry.bstein.dev/oauth2/callback - --redirect-url=https://registry.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- --scope=openid profile email groups - --scope=openid profile email groups oauth2-proxy-audience
- --email-domain=* - --email-domain=*
- --set-xauthrequest=true - --set-xauthrequest=true
- --pass-access-token=true - --pass-access-token=true