Deprecate Authelia

oidc-gateway/README.md

@@ -0,0 +1,8 @@
+# OIDC Gateway
+
+To deploy
+
+```
+kubectl create namespace oidc-gateway
+kubectl apply -n oidc-gateway -f crds.yml -f rbac.yml -f texts.yml -f deployment.yml -f kubelogin.yaml -f proxmox.yaml -f voron.yaml
+```

oidc-gateway/deployment.yml

@@ -95,7 +95,8 @@ spec:
       serviceAccountName: oidc-gateway
       containers:
         - name: oidc-gateway
-          image: codemowers/oidc-gateway
+          image: docker.io/codemowers/oidc-gateway
+
           ports:
             - containerPort: 3000
           env:
@@ -108,13 +109,13 @@ spec:
             - name: GROUP_PREFIX
               value: 'k-space'
             - name: ADMIN_GROUP
-              value: 'github.com:codemowers:admins'
+              value: 'k-space:kubernetes:admins'
 #            - name: REQUIRED_GROUP # allow everyone to authenticate, limit access to services on client level.
 #              value: 'codemowers:users'
             - name: GITHUB_ORGANIZATION # if not set, gateway will add user groups from all organizations that (s)he granted access for.
               value: 'codemowers'
             - name: ENROLL_USERS # allow everyone to self-register
-              value: 'true'
+              value: 'false'
             - name: NAMESPACE_SELECTOR
               value: '*'
             - name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent

oidc-gateway/kubelogin.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: kubelogin
+spec:
+  displayName: Kubernetes API
+  uri: https://git.k-space.ee/k-space/kube#cluster-access
+  redirectUris:
+    - http://localhost:27890
+  allowedGroups:
+    - k-space:kubernetes:admins
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile

oidc-gateway/proxmox.yaml

@@ -0,0 +1,191 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWMiddlewareClient
+metadata:
+  name: proxmox
+spec:
+  displayName: Proxmox Virtual Environment (middleware)
+  uri: https://pve.k-space.ee/
+  allowedGroups:
+    - k-space:proxmox:admins
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: proxmox
+spec:
+  displayName: Proxmox Virtual Environment
+  uri: https://pve.k-space.ee/
+  redirectUris:
+    - https://pve.k-space.ee/
+    - https://pve.k-space.ee
+  allowedGroups:
+    - k-space:proxmox:admins
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: proxmox-servers-transport
+spec:
+  rootCAsSecrets:
+    - pve
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pve
+data:
+  # This is not actually secret, this is CA certificate of the key
+  # used to sign Proxmox HTTPS endpoint keypairs.
+  # This makes sure Traefik is talking to the real Proxmox machines,
+  # and not arbitrary machines that have hijacked the Proxmox machine IP-s.
+  # To inspect current value:
+  # kubectl get secret -n traefik pve -o=json | jq '.data ."pve.pem"' -r | base64 -d | openssl x509 -text -inform PEM -noout
+  pve.pem: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ6VENDQTdXZ0F3SUJBZ0lVUGk5SFNhQlp0
+    ZG5JL01NREFBb05DT3ZpaGJjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2RqRWtNQ0lHQTFVRUF3d2JV
+    SEp2ZUcxdmVDQldhWEowZFdGc0lFVnVkbWx5YjI1dFpXNTBNUzB3S3dZRApWUVFMRENSbFptTmpN
+    elF6WXkweU5HSXhMVFJqWXpNdFlqTXhZaTA0Tm1KaE0yVmxOemt6WTJZeEh6QWRCZ05WCkJBb01G
+    bEJXUlNCRGJIVnpkR1Z5SUUxaGJtRm5aWElnUTBFd0hoY05NakF3T0RJek1Ea3pNalEyV2hjTk16
+    QXcKT0RJeE1Ea3pNalEyV2pCMk1TUXdJZ1lEVlFRRERCdFFjbTk0Ylc5NElGWnBjblIxWVd3Z1JX
+    NTJhWEp2Ym0xbApiblF4TFRBckJnTlZCQXNNSkdWbVkyTXpORE5qTFRJMFlqRXROR05qTXkxaU16
+    RmlMVGcyWW1FelpXVTNPVE5qClpqRWZNQjBHQTFVRUNnd1dVRlpGSUVOc2RYTjBaWElnVFdGdVlX
+    ZGxjaUJEUVRDQ0FpSXdEUVlKS29aSWh2Y04KQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1yTXZq
+    VEJ2ZkdIUEZFbmJhWUh6Qm5TeTJNdnBkV0h3TTIrQU9XRQpnbmpDcjhiYnNWaUxBZnpMdGlNYzM0
+    bEJIRXp6d3JwbmlQdXAyS2doNmtCc3BKa2c0bXZSY25pQW9XK3F4UDlWCmpXRlJiTU9OYVB1UHZF
+    UWhrS2xBakJCL2hqZkRxS3FKaURZeU5CNjZsZG9RbnFFQ3RyRXEvRFFDZHZYWitJWW4KNmZpelBk
+    enp3UHk4dzhxU1RiMmlpNzZjSkplOWdJYWVjdUlCRk5mK1dUYW0vRndGL2ZXbGU1aHMyNTZsa25w
+    OQpKbTV6Q0R3eFljNCt5dVF1WEM0WEgzclNKc2U1UWI5QmhyVEx0VTdiRHZTbzZMWEZsOTR4YTlR
+    VGQ1L3UvT3h0CmdONVN2aTBnS1RXUUdiK0pvTHJHYVducS9ocmN4THpnVzJSclMxOGJUZFE2MEZz
+    WVdXSUFTRmZuSzdzSDJjQ2oKRWI5Sk8yWjJzNXpzQ3ZBYjlQQkF6ZkdwSFc0dnFibHpHdmZtbFV5
+    em10NFpEU3V6cGlwRTJ4SUpWVHNBOXJqdwpJd0plU1E0bitpeUF6cUQwMUprbjdRaEtJQ0kzZ21s
+    ZmJ5YzRuTkxEZlZnQTA0VDBmUG5LMDBTSnN2ek1WRjNMCncvbmNheHBhczlhV2ptQ1BBWTEvREJ2
+    RmU3M05EeGRsazFpd0Y5L1V6OGl2WWlLYlk3K3I4blhGM0V3YjZtQmYKZFdsTUlaYSsyeVEweHl6
+    MDlqanNKU1dSRlduV25oRVg1SDVISERBYXhkZmZXUkRtVXR3d2ExWlN6VU1MNHNENgo4U2NHclFQ
+    YWVicE5ZWWI3WmdGTm82ZVp3YytlWmpJVW9XMXhYNlhqSWQ2UENvSmw5UDdMUnJUTWF3NjhHU3Nn
+    CjdLd0RBZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FH
+    NWpBZkJnTlYKSFNNRUdEQVdnQlJxT0VLODdZY2lZM09NSitOcVdRdklaQ2FHNWpBUEJnTlZIUk1C
+    QWY4RUJUQURBUUgvTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk1JTmszTFlHTHZITlpSWURh
+    YVYwaW45bGtzaWIvd0dZQ01vUDhQZE03Ckw0ZktsUjNDNXJ3clhKNjRwWVJrOFByemFWRjJvclNr
+    REI1Z1Jaa1phbVkzbCtSOU9ISkNheXBNSjVTeHZtVlkKZFBYZ1hBYVlGR1V1cjZHU0RsZkxDUmp1
+    OWdMRnhEbEhZZTVPcm5JbURUcENzK2xXVmcwSDVrUlFNZFJ2eVplTAp1SWs5UEZVcE5GSksyWmtl
+    c0tOWUlPNldwRzBBd0hSZUI0U0MzYzBWNkdrQW84bHUxeGhYMWpUMnFuQXRQTDM4CkkzQkpCNDhY
+    KzkzZGxHcDNBRlp4WmhSSjU1ejdHTm56c1UxaGNTSk1rOUpTN2RhWVhtM3FjTmxZNnY5OCtVK3gK
+    U0RxdUFKU0tIanF5RzRDdjZlL2toamNLMzJpcENuZmYzb2plblpTZlFtN3l3OXpCQjFSc1Z3TU9k
+    aTBCOW44cApDWHpRcHdHTERiNjB1VCtycTJ4eHJici9yT3VtQU5GbXByd1oxbi9yWE45bndxUktW
+    VVBRU1lQdVVKa2xCTktLCnNVL1dTSHBzMGF4dTRUMElFUk0zZHVCWEJ5Yms0TXJXSTBCZ2ptNXZz
+    NFNPNHVGSU96d2RBVkdIQ09lRWhQQzIKMzRiSW9ES09tZDFNcmtjYTQyTWw4bDFtb0hTUFd3djZ4
+    dVo1U1I0UXhPaXdWa0tJRHdvSmg2M2swTmxwUzZFUwp4N253ekZIc01rNTRFTWNMMjJjRk9YK3Rh
+    Q1JtTDVRVVdDMGQ3bEFCMElXQS9UTkRXU3lQbHlRN1VCcjRIZGoxClh2NU43Yks0SUN5NWRhN25h
+    RWRmRHIzNTBpZkRCQkVuL3RvL3JUczFOVjhyOGpjcG14a2MzNjlSQXp3TmJiRVkKMVE9PQotLS0t
+    LUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve1
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
+spec:
+  type: ExternalName
+  externalName: pve1.proxmox.infra.k-space.ee
+  ports:
+    - name: https
+      port: 8006
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve8
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
+spec:
+  type: ExternalName
+  externalName: pve8.proxmox.infra.k-space.ee
+  ports:
+    - name: https
+      port: 8006
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve9
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: oidc-gateway-proxmox-servers-transport@kubernetescrd
+spec:
+  type: ExternalName
+  externalName: pve9.proxmox.infra.k-space.ee
+  ports:
+    - name: https
+      port: 8006
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pve
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-proxmox@kubernetescrd,oidc-gateway-proxmox-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: proxmox.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: whoami
+            port:
+              number: 80
+  - host: pve.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: pve1
+            port:
+              number: 8006
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: pve8
+            port:
+              number: 8006
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: pve9
+            port:
+              number: 8006
+  tls:
+  - hosts:
+    - "*.k-space.ee"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: proxmox-redirect
+spec:
+  redirectRegex:
+    regex: ^https://proxmox.k-space.ee/(.*)$
+    replacement: https://pve.k-space.ee/$1
+    permanent: false

oidc-gateway/voron.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWMiddlewareClient
+metadata:
+  name: voron
+spec:
+  displayName: Voron 3D printer
+  uri: 'https://voron.k-space.ee'
+  allowedGroups:
+    - k-space:floor
+  headerMapping:
+    email: Remote-Email
+    groups: Remote-Groups
+    name: Remote-Name
+    user: Remote-Username
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: voron
+spec:
+  type: ExternalName
+  externalName: 100.101.3.1
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: voron
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: oidc-gateway-voron@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: voron.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: voron
+            port:
+              name: http
+  tls:
+  - hosts:
+    - "*.k-space.ee"