bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature/sso #4

Merged
bstein merged 30 commits from feature/sso into main 2025-12-11 20:43:36 +00:00
Conversation 0 Commits 30 Files Changed 31 +213 -8
8 changed files with 213 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 6c62d42f7a - Show all commits

4
infrastructure/longhorn/ui-ingress/ingress.yaml
View File

@ -7,7 +7,7 @@ metadata:
annotations: annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: ""
spec: spec:
ingressClassName: traefik ingressClassName: traefik
tls: tls:
@ -21,6 +21,6 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: longhorn-frontend name: oauth2-proxy-longhorn
port: port:
number: 80 number: 80

1
infrastructure/longhorn/ui-ingress/kustomization.yaml
View File

@ -4,3 +4,4 @@ kind: Kustomization
resources: resources:
- middleware.yaml - middleware.yaml
- ingress.yaml - ingress.yaml
- oauth2-proxy-longhorn.yaml

102
infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml Normal file
View File

@ -0,0 +1,102 @@
# infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-longhorn
namespace: longhorn-system
labels:
app: oauth2-proxy-longhorn
spec:
ports:
- name: http
port: 80
targetPort: 4180
selector:
app: oauth2-proxy-longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-longhorn
namespace: longhorn-system
labels:
app: oauth2-proxy-longhorn
spec:
replicas: 2
selector:
matchLabels:
app: oauth2-proxy-longhorn
template:
metadata:
labels:
app: oauth2-proxy-longhorn
spec:
nodeSelector:
node-role.kubernetes.io/worker: "true"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 90
preference:
matchExpressions:
- key: hardware
operator: In
values: ["rpi5","rpi4"]
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
imagePullPolicy: IfNotPresent
args:
- --provider=oidc
- --redirect-url=https://longhorn.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- --scope=openid profile email groups
- --email-domain=*
- --allowed-group=admin
- --set-xauthrequest=true
- --pass-access-token=true
- --set-authorization-header=true
- --cookie-secure=true
- --cookie-samesite=lax
- --cookie-refresh=20m
- --cookie-expire=168h
- --insecure-oidc-allow-unverified-email=true
- --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local
- --http-address=0.0.0.0:4180
- --skip-provider-button=true
- --skip-jwt-bearer-tokens=true
- --oidc-groups-claim=groups
- --cookie-domain=longhorn.bstein.dev
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-longhorn-oidc
key: client_id
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-longhorn-oidc
key: client_secret
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-longhorn-oidc
key: cookie_secret
ports:
- containerPort: 4180
name: http
readinessProbe:
httpGet:
path: /ping
port: 4180
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /ping
port: 4180
initialDelaySeconds: 20
periodSeconds: 20

2
services/oauth2-proxy/deployment.yaml
View File

@ -35,7 +35,7 @@ spec:
- --provider=oidc - --provider=oidc
- --redirect-url=https://auth.bstein.dev/oauth2/callback - --redirect-url=https://auth.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- --scope=openid profile email - --scope=openid profile email groups
- --email-domain=* - --email-domain=*
- --set-xauthrequest=true - --set-xauthrequest=true
- --pass-access-token=true - --pass-access-token=true

1
services/oauth2-proxy/middleware-errors.yaml
View File

@ -8,6 +8,7 @@ spec:
errors: errors:
status: status:
- "401" - "401"
- "403"
service: service:
name: oauth2-proxy name: oauth2-proxy
port: 80 port: 80

8
services/vault/ingress.yaml
View File

@ -7,9 +7,7 @@ metadata:
annotations: annotations:
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: ""
traefik.ingress.kubernetes.io/service.serversscheme: https
traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
spec: spec:
ingressClassName: traefik ingressClassName: traefik
tls: tls:
@ -23,6 +21,6 @@ spec:
pathType: Prefix pathType: Prefix
backend: backend:
service: service:
name: vault-ui name: oauth2-proxy-vault
port: port:
number: 8200 number: 80

1
services/vault/kustomization.yaml
View File

@ -9,3 +9,4 @@ resources:
- ingress.yaml - ingress.yaml
- middleware.yaml - middleware.yaml
- serverstransport.yaml - serverstransport.yaml
- oauth2-proxy-vault.yaml

102
services/vault/oauth2-proxy-vault.yaml Normal file
View File

@ -0,0 +1,102 @@
# services/vault/oauth2-proxy-vault.yaml
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-vault
labels:
app: oauth2-proxy-vault
spec:
ports:
- name: http
port: 80
targetPort: 4180
selector:
app: oauth2-proxy-vault
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-vault
labels:
app: oauth2-proxy-vault
spec:
replicas: 2
selector:
matchLabels:
app: oauth2-proxy-vault
template:
metadata:
labels:
app: oauth2-proxy-vault
spec:
nodeSelector:
node-role.kubernetes.io/worker: "true"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 80
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- arm
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
args:
- --provider=oidc
- --redirect-url=https://secret.bstein.dev/oauth2/callback
- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
- --scope=openid profile email groups
- --email-domain=*
- --set-xauthrequest=true
- --pass-access-token=true
- --set-authorization-header=true
- --cookie-secure=true
- --cookie-samesite=lax
- --cookie-refresh=20m
- --cookie-expire=168h
- --insecure-oidc-allow-unverified-email=true
- --upstream=https://vault-ui.vault.svc.cluster.local:8200
- --ssl-insecure-skip-verify=true
- --http-address=0.0.0.0:4180
- --skip-provider-button=true
- --skip-jwt-bearer-tokens=true
- --oidc-groups-claim=groups
- --allowed-group=admin
- --cookie-domain=secret.bstein.dev
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-vault-oidc
key: client_id
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-vault-oidc
key: client_secret
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-vault-oidc
key: cookie_secret
ports:
- containerPort: 4180
name: http
readinessProbe:
httpGet:
path: /ping
port: 4180
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /ping
port: 4180
initialDelaySeconds: 20
periodSeconds: 20