diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 75ec998..9180541 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
@@ -22,6 +22,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: zot
+ name: oauth2-proxy-zot
 port:
- number: 5000
+ number: 80
diff --git a/services/zot/kustomization.yaml b/services/zot/kustomization.yaml
index 73a097c..2af1766 100644
--- a/services/zot/kustomization.yaml
+++ b/services/zot/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 - service.yaml
 - ingress.yaml
 - middleware.yaml
+ - oauth2-proxy-zot.yaml
diff --git a/services/zot/oauth2-proxy-zot.yaml b/services/zot/oauth2-proxy-zot.yaml
new file mode 100644
index 0000000..81c7cb5
--- /dev/null
+++ b/services/zot/oauth2-proxy-zot.yaml
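Review bot: With `zot-zot-forward-auth` dropped from the `router.middlewares` annotation, nothing on this router enforces authentication any more; the gate now lives entirely in the backend rewrite further down the same file, which can be regressed silently if someone later points the Ingress back at the `zot` Service. I would record that on the annotation line: `# auth is no longer a router middleware: the backend below MUST stay oauth2-proxy-zot, which fronts the zot Service`. If `zot-zot-forward-auth` is still defined in middleware.yaml (that file is still listed in kustomization.yaml) it is now unreferenced — either delete it or mark it retired with a comment so it is not mistaken for an active control.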
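Review bot: Switching the backend to `oauth2-proxy-zot:80` makes the proxy the only authentication point, but the original `zot` Service on port 5000 still exists (kustomization.yaml keeps service.yaml) and, absent a NetworkPolicy I cannot see here, is reachable from any pod in the cluster, bypassing oauth2-proxy entirely. I would add a NetworkPolicy that allows ingress to the zot pods only from the `app: oauth2-proxy-zot` pods in this namespace, and note it on the backend: `# all external traffic must enter via oauth2-proxy; the zot Service itself is not auth-protected`. Non-browser registry clients (`docker`, `crane`) expect a 401 with `WWW-Authenticate` on `/v2/`, whereas oauth2-proxy with `--skip-provider-button=true` presumably answers unauthenticated requests with a 302 to the IdP, so `docker login`/push through this route is worth confirming (the bearer-JWT path enabled in the new Deployment may be what is intended). The enclosing `paths` entry, including its `path:` line, starts outside the hunk.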
@@ -0,0 +1,102 @@
+# services/zot/oauth2-proxy-zot.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy-zot
+ labels:
+ app: oauth2-proxy-zot
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy-zot
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy-zot
+ labels:
+ app: oauth2-proxy-zot
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: oauth2-proxy-zot
+ template:
+ metadata:
+ labels:
+ app: oauth2-proxy-zot
+ spec:
+ nodeSelector:
+ node-role.kubernetes.io/worker: "true"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 80
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - arm64
+ - arm
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ args:
+ - --provider=oidc
+ - --redirect-url=https://registry.bstein.dev/oauth2/callback
+ - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+ - --scope=openid profile email groups
+ - --email-domain=*
+ - --set-xauthrequest=true
+ - --pass-access-token=true
+ - --set-authorization-header=true
+ - --cookie-secure=true
+ - --cookie-samesite=lax
+ - --cookie-refresh=20m
+ - --cookie-expire=168h
+ - --insecure-oidc-allow-unverified-email=true
+ - --upstream=http://zot.zot.svc.cluster.local:5000
+ - --http-address=0.0.0.0:4180
+ - --skip-provider-button=true
+ - --skip-jwt-bearer-tokens=true
+ - --oidc-groups-claim=groups
+ - --allowed-group=admin
+ - --allowed-group=image-pusher
+ - --cookie-domain=registry.bstein.dev
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-zot-oidc
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-zot-oidc
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy-zot-oidc
+ key: cookie_secret
+ ports:
+ - containerPort: 4180
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 20
+ periodSeconds: 20
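Review bot: The Deployment's pod spec (the `spec:` under `template`) has no pod or container `securityContext`, no `resources`, and leaves the service-account token mounted, although oauth2-proxy does not need the Kubernetes API and the upstream image is documented to run as a non-root user; I would add the hardening below (confirm `runAsNonRoot` and `readOnlyRootFilesystem` against the image before relying on them). In the args, `--insecure-oidc-allow-unverified-email=true` together with `--email-domain=*` means neither email domain nor email verification restricts access and membership in `admin`/`image-pusher` is the only authorization gate — as far as the flags show, that also covers the bearer JWTs admitted by `--skip-jwt-bearer-tokens=true`; record it with `# authorization is group-based only: any email (verified or not) passes, --allowed-group is the sole gate`. `--pass-access-token=true` and `--set-authorization-header=true` forward the IdP tokens to zot over plain HTTP on `zot.zot.svc.cluster.local:5000`; if zot is not configured to validate them, drop both flags so tokens are not handed to an upstream that ignores them.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: nodeSelector, affinity …
      containers:
        - name: oauth2-proxy
          # … unchanged: image, args, env, ports, probes …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
```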