oidc: add oidc-gateway manifests #8
276
oidc-gateway/crds.yml
Normal file
@ -0,0 +1,276 @@
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: oidcgatewayusers.codemowers.io
|
||||
spec:
|
||||
group: codemowers.io
|
||||
names:
|
||||
plural: oidcgatewayusers
|
||||
singular: oidcgatewayuser
|
||||
kind: OIDCGWUser
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: { }
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
email:
|
||||
type: string
|
||||
customGroups:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
prefix:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
customProfile:
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
type: string
|
||||
company:
|
||||
type: string
|
||||
githubEmails:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
email:
|
||||
type: string
|
||||
primary:
|
||||
type: boolean
|
||||
default: false
|
||||
githubGroups:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
prefix:
|
||||
type: string
|
||||
enum: [ 'github.com' ]
|
||||
name:
|
||||
type: string
|
||||
githubProfile:
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
type: string
|
||||
company:
|
||||
type: string
|
||||
id:
|
||||
type: integer
|
||||
login:
|
||||
type: string
|
||||
slackId:
|
||||
type: string
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
primaryEmail:
|
||||
type: string
|
||||
emails:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
groups:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
prefix:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
profile:
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
type: string
|
||||
company:
|
||||
type: string
|
||||
slackId:
|
||||
type: string
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
x-kubernetes-embedded-resource: true
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
additionalPrinterColumns:
|
||||
- name: Name
|
||||
type: string
|
||||
jsonPath: .status.profile.name
|
||||
- name: Emails
|
||||
type: string
|
||||
jsonPath: .status.emails
|
||||
- name: Groups
|
||||
type: string
|
||||
jsonPath: .status.groups
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: oidcgatewayclients.codemowers.io
|
||||
spec:
|
||||
group: codemowers.io
|
||||
names:
|
||||
plural: oidcgatewayclients
|
||||
singular: oidcgatewayclient
|
||||
kind: OIDCGWClient
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: { }
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
required:
|
||||
- redirectUris # TODO: add validation
|
||||
- grantTypes
|
||||
- responseTypes
|
||||
properties:
|
||||
uri:
|
||||
type: string
|
||||
displayName:
|
||||
type: string
|
||||
redirectUris:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
grantTypes:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
enum: [ 'implicit', 'authorization_code', 'refresh_token' ]
|
||||
responseTypes:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
enum: [ 'code id_token', 'code', 'id_token', 'none' ]
|
||||
tokenEndpointAuthMethod:
|
||||
type: string
|
||||
enum: [ 'client_secret_basic', 'client_secret_jwt', 'client_secret_post', 'private_key_jwt', 'none' ]
|
||||
idTokenSignedResponseAlg:
|
||||
type: string
|
||||
enum: [ 'PS256','RS256', 'ES256' ]
|
||||
allowedGroups:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
availableScopes:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
enum: [ 'openid', 'profile', 'offline_access' ]
|
||||
default: [ 'openid' ]
|
||||
pkce:
|
||||
type: boolean
|
||||
default: true
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
gateway:
|
||||
type: string
|
||||
additionalPrinterColumns:
|
||||
- name: Gateway
|
||||
type: string
|
||||
description: 'OIDC gateway deployment which manages this client'
|
||||
jsonPath: .status.gateway
|
||||
- name: Uris
|
||||
type: string
|
||||
description: 'Redirect URLs configured for this client'
|
||||
jsonPath: .spec.redirectUris
|
||||
- name: Allowed groups
|
||||
type: string
|
||||
description: 'Groups allowed to this client'
|
||||
jsonPath: .spec.allowedGroups
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: oidcgatewaymiddlewareclients.codemowers.io
|
||||
spec:
|
||||
group: codemowers.io
|
||||
names:
|
||||
plural: oidcgatewaymiddlewareclients
|
||||
singular: oidcgatewaymiddlewareclient
|
||||
kind: OIDCGWMiddlewareClient
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: { }
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
properties:
|
||||
uri:
|
||||
type: string
|
||||
displayName:
|
||||
type: string
|
||||
allowedGroups:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
headerMapping:
|
||||
type: object
|
||||
default:
|
||||
user: 'Remote-User'
|
||||
name: 'Remote-Name'
|
||||
email: 'Remote-Email'
|
||||
groups: 'Remote-Groups'
|
||||
properties:
|
||||
user:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
email:
|
||||
type: string
|
||||
groups:
|
||||
type: string
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
gateway:
|
||||
type: string
|
||||
additionalPrinterColumns:
|
||||
- name: Gateway
|
||||
type: string
|
||||
description: 'OIDC gateway deployment which manages this client'
|
||||
jsonPath: .status.gateway
|
||||
- name: Uri
|
||||
type: string
|
||||
description: 'URL configured for this client'
|
||||
jsonPath: .spec.uri
|
||||
- name: Allowed groups
|
||||
type: string
|
||||
description: 'Groups allowed to this client'
|
||||
jsonPath: .spec.allowedGroups
|
159
oidc-gateway/deployment.yml
Normal file
@ -0,0 +1,159 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: oidc-gateway-default
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: oidc-gateway
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: oidc-gateway
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: oidc-gateway
|
||||
---
|
||||
apiVersion: codemowers.io/v1alpha1
|
||||
kind: KeyDBCluster
|
||||
spec:
|
||||
persistent: false
|
||||
replicas: 3
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: oidc-gateway
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
||||
spec:
|
||||
rules:
|
||||
- host: auth2.k-space.ee
|
||||
http:
|
||||
paths:
|
||||
- pathType: Prefix
|
||||
path: "/"
|
||||
backend:
|
||||
service:
|
||||
name: oidc-gateway
|
||||
port:
|
||||
number: 3000
|
||||
tls:
|
||||
- hosts:
|
||||
- "*.k-space.ee"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: oidc-gateway
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: oidc-gateway
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 3000
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: oidc-key-manager
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: oidc-gateway
|
||||
containers:
|
||||
- name: oidc-key-manager
|
||||
image: codemowers/oidc-gateway
|
||||
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
|
||||
restartPolicy: Never
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: oidc-gateway
|
||||
labels:
|
||||
app: oidc-gateway
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: oidc-gateway
|
||||
replicas: 3
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: oidc-gateway
|
||||
spec:
|
||||
serviceAccountName: oidc-gateway
|
||||
containers:
|
||||
- name: oidc-gateway
|
||||
image: codemowers/oidc-gateway
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
env:
|
||||
- name: ISSUER_URL
|
||||
value: 'https://auth2.k-space.ee/'
|
||||
- name: DEPLOYMENT_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['app']
|
||||
- name: GROUP_PREFIX
|
||||
value: 'k-space'
|
||||
- name: ADMIN_GROUP
|
||||
value: 'k-space:admins'
|
||||
# - name: REQUIRED_GROUP # allow everyone to authenticate, limit access to services on client level.
|
||||
# value: 'codemowers:users'
|
||||
- name: GITHUB_ORGANIZATION # if not set, gateway will add user groups from all organizations that (s)he granted access for.
|
||||
value: 'codemowers'
|
||||
- name: ENROLL_USERS # allow everyone to self-register
|
||||
value: 'true'
|
||||
- name: NAMESPACE_SELECTOR
|
||||
value: '*'
|
||||
- name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent
|
||||
value: 'k-space.ee'
|
||||
- name: REQUIRE_CUSTOM_USERNAME
|
||||
value: 'true'
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: redis-oidc-gateway-owner-secrets
|
||||
- secretRef:
|
||||
name: oidc-keys
|
||||
- secretRef:
|
||||
name: oidc-gateway-email-credentials
|
||||
- secretRef:
|
||||
name: github-client
|
||||
- secretRef:
|
||||
name: slack-client
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /.well-known/openid-configuration
|
||||
port: 3000
|
||||
httpHeaders:
|
||||
- name: x-forwarded-for # suppress oidc-provider warning
|
||||
value: 'https://auth2.k-space.ee/'
|
||||
- name: x-forwarded-proto # suppress oidc-provider warning
|
||||
value: https
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 1
|
||||
volumeMounts:
|
||||
- mountPath: /app/tos
|
||||
name: tos
|
||||
- mountPath: /app/approval
|
||||
name: approval
|
||||
- mountPath: /app/src/views/custom/emails
|
||||
name: email-templates
|
||||
volumes:
|
||||
- name: tos
|
||||
configMap:
|
||||
name: oidc-gateway-tos-v1
|
||||
- name: approval
|
||||
configMap:
|
||||
name: oidc-gateway-approval-required
|
||||
- name: email-templates
|
||||
configMap:
|
||||
name: oidc-gateway-email-templates
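Review bot: The ClusterRoleBinding `oidc-gateway-default` at the top of the file lists a ServiceAccount subject with no `namespace`, which RBAC validation requires for ServiceAccount subjects, and it duplicates the binding and ServiceAccount that rbac.yml already defines (there with `namespace: oidc-gateway`); dropping the first two documents here, or moving them into rbac.yml, avoids two half-overlapping bindings. The `KeyDBCluster` document has no `metadata.name`, so it cannot be applied as written; the `redis-oidc-gateway-owner-secrets` secretRef further down suggests `name: oidc-gateway` was intended. Both containers use `image: codemowers/oidc-gateway` with no tag or digest, which resolves to a mutable `latest` for a component that holds the issuer signing keys and a cluster-wide secrets grant — pin a tag (ideally `@sha256:<digest-placeholder>`) and consider a pod `securityContext` with `runAsNonRoot: true` and `readOnlyRootFilesystem: true`. Finally, the readiness probe sends `x-forwarded-for: 'https://auth2.k-space.ee/'`; that header carries a client address, so the URL value looks like it was meant for `x-forwarded-host`.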
|
59
oidc-gateway/rbac.yml
Normal file
@ -0,0 +1,59 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: oidc-gateway
|
||||
rules:
|
||||
- apiGroups:
|
||||
- codemowers.io
|
||||
resources:
|
||||
- oidcgatewayusers
|
||||
- oidcgatewayusers/status
|
||||
- oidcgatewayclients
|
||||
- oidcgatewayclients/status
|
||||
- oidcgatewaymiddlewareclients
|
||||
- oidcgatewaymiddlewareclients/status
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- patch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- traefik.containo.us
|
||||
resources:
|
||||
- middlewares
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: oidc-gateway
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: oidc-gateway
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: oidc-gateway
|
||||
namespace: oidc-gateway
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: oidc-gateway
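Review bot: The second rule of ClusterRole `oidc-gateway` grants `get`, `create`, `patch` and `delete` on core `secrets` in every namespace, which is the broadest grant in the file and lands on the same identity that terminates OIDC logins; a compromise of the gateway pod then reads any secret in the cluster whose name it can guess (`list`/`watch` are omitted, which limits enumeration but not targeted reads). If cross-namespace access is genuinely needed because clients may live in any namespace (`NAMESPACE_SELECTOR: '*'` in deployment.yml), record that rationale above the rule, e.g. `# cluster-wide: client secrets are presumably written next to each OIDCGWClient, in its namespace`, and otherwise prefer a namespaced Role plus RoleBinding. The ClusterRoleBinding here and `oidc-gateway-default` in deployment.yml bind the same ClusterRole to the same ServiceAccount; keep one of them.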
|
65
oidc-gateway/texts.yml
Normal file
@ -0,0 +1,65 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: oidc-gateway-tos-v1
|
||||
data:
|
||||
tos.txt: |
|
||||
Terms of Service
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: oidc-gateway-approval-required
|
||||
data:
|
||||
approval.txt: |
|
||||
Dear User,
|
||||
|
||||
Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee
|
||||
|
||||
Also see https://www.k-space.ee/
|
||||
|
||||
Best regards, K-Space MTÜ
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: oidc-gateway-email-templates
|
||||
data:
|
||||
tos.txt: |
|
||||
Hi, <%= name %>!
|
||||
|
||||
You agreed with the Terms of Service at <%= timestamp %>
|
||||
|
||||
Content SHA256 hash: <%= hash %>
|
||||
|
||||
Best regards,
|
||||
K-Space MTÜ
|
||||
tos.ejs: |
|
||||
<div>
|
||||
<p>Hi, <%= name %>!</p>
|
||||
<p>You agreed with the following Terms of Service at <%= timestamp %></p>
|
||||
<p>Content SHA256 hash: <%= hash %></p>
|
||||
<br />
|
||||
<blockquote>
|
||||
<%- content -%>
|
||||
</blockquote>
|
||||
<br />
|
||||
<p>Best regards, <br/> K-Space MTÜ</p>
|
||||
</div>
|
||||
tos.subject: |
|
||||
Terms of Service agreement confirmation
|
||||
link.txt: |
|
||||
Open the following link to log in: <%= url %>
|
||||
|
||||
Best regards,
|
||||
K-Space MTÜ
|
||||
link.ejs: |
|
||||
<div>
|
||||
<p>Open the following link to log in: <%= url %></p>
|
||||
<br />
|
||||
<p>Best regards, <br/> K-Space MTÜ</p>
|
||||
</div>
|
||||
link.subject: |
|
||||
auth.k-space.ee login link
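Review bot: `tos.subject` and `link.subject` use the `|` block scalar, which keeps the trailing newline, so the rendered subject ends in `\n`; a bare newline in a mail Subject header is at best stripped and at worst terminates the header, so use `tos.subject: |-` and `link.subject: |-` (or plain scalars). The `link.subject` text names `auth.k-space.ee` while ISSUER_URL in deployment.yml is `https://auth2.k-space.ee/`; if the hostname in the subject is meant to match the issuer, it is out of date. `tos.ejs` inserts `<%- content -%>` unescaped, unlike the `<%= %>` used for every other placeholder; that is acceptable only if `content` is operator-authored HTML and never user input, and a comment above the key stating so, `# content is the operator-authored ToS HTML; rendered unescaped on purpose`, would keep the next editor from reusing the pattern for user-controlled values.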
|