# Passmower OIDC gateway for auth2.k-space.ee.
# Documents, in order: ClusterRoleBinding, ServiceAccount, Redis (session/state
# store), Ingress, Service, a one-shot key-manager Job, and the gateway Deployment.
# The Job and the Deployment share the ServiceAccount `oidc-gateway`, which is
# bound cluster-wide to the ClusterRole `oidc-gateway` (defined outside this file).
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: oidc-gateway
subjects:
  - kind: ServiceAccount
    name: oidc-gateway
    # NOTE(review): the ServiceAccount below carries no namespace of its own, so
    # this must match the namespace the file is applied into — confirm.
    namespace: oidc-gateway
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-gateway
---
apiVersion: codemowers.io/v1alpha1
kind: Redis
metadata:
  name: oidc-gateway
spec:
  capacity: 512Mi
  # NOTE(review): `ephemeral` presumably means state does not survive a restart
  # of the Redis instance (sessions would have to be re-established) — confirm
  # against the operator's docs.
  class: ephemeral
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oidc-gateway
  annotations:
    # NOTE(review): the `kubernetes.io/ingress.class` annotation is deprecated in
    # favour of `spec.ingressClassName`; kept as-is because the installed Traefik
    # may still select on the annotation — verify before switching.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: auth2.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: oidc-gateway
                port:
                  number: 3000
  tls:
    # No secretName is given, so the certificate for this wildcard host is
    # presumably supplied by the ingress controller's default — confirm.
    - hosts:
        - "*.k-space.ee"
---
apiVersion: v1
kind: Service
metadata:
  name: oidc-gateway
spec:
  type: ClusterIP
  selector:
    app: oidc-gateway
  ports:
    - protocol: TCP
      port: 3000
---
# One-shot initialisation of the OIDC signing keys, stored in the cluster
# (`-c cluster`) under the same ServiceAccount the gateway uses.
apiVersion: batch/v1
kind: Job
metadata:
  name: oidc-key-manager
spec:
  template:
    spec:
      serviceAccountName: oidc-gateway
      containers:
        - name: oidc-key-manager
          # NOTE(review): this image has neither a tag nor a digest, so it floats
          # while the Deployment below is pinned by digest; pin it the same way
          # (<digest-of-the-intended-passmower-build>) so the key material is
          # created by a known build.
          image: mirror.gcr.io/codemowers/passmower
          command: ['/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster']
      restartPolicy: Never
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oidc-gateway
  labels:
    app: oidc-gateway
spec:
  selector:
    matchLabels:
      app: oidc-gateway
  replicas: 3
  template:
    metadata:
      labels:
        app: oidc-gateway
    spec:
      serviceAccountName: oidc-gateway
      containers:
        - name: oidc-gateway
          # Pinned by digest; the `latest` tag is informational only.
          image: mirror.gcr.io/passmower/passmower:latest@sha256:b909ae01a1f8de9253cf3d6925d189eb687b4299c723f646838e1254a95f72be
          # NOTE(review): no securityContext is set on this container (or on the
          # Job's); consider runAsNonRoot / allowPrivilegeEscalation: false /
          # dropping all capabilities once verified the image tolerates it.
          ports:
            - containerPort: 3000
          env:
            - name: ISSUER_URL
              value: 'https://auth2.k-space.ee/'
            - name: DEPLOYMENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['app']
            - name: GROUP_PREFIX
              value: 'k-space'
            - name: ADMIN_GROUP
              value: 'k-space:onboarding'
            # Left unset on purpose: everyone may authenticate, access is limited
            # per service on the client level.
            # - name: REQUIRED_GROUP
            #   value: 'codemowers:users'
            - name: GITHUB_ORGANIZATION
              # If not set, the gateway adds the user's groups from every
              # organisation they granted access for.
              value: 'codemowers'
            - name: ENROLL_USERS
              # 'true' would let everyone self-register; kept off here.
              value: 'false'
            - name: NAMESPACE_SELECTOR
              value: '*'
            - name: PREFERRED_EMAIL_DOMAIN
              # Try to keep the primary email consistent.
              value: 'k-space.ee'
            - name: REQUIRE_CUSTOM_USERNAME
              value: 'true'
          # Credentials are injected from Secrets rather than inlined here.
          envFrom:
            - secretRef:
                name: redis-oidc-gateway-owner-secrets
            - secretRef:
                name: oidc-keys
            - secretRef:
                name: email-credentials
            - secretRef:
                name: github-client
            - secretRef:
                name: slack-client
          readinessProbe:
            httpGet:
              path: /.well-known/openid-configuration
              port: 3000
              # Both headers only suppress an oidc-provider warning about
              # being probed without a proxy in front.
              httpHeaders:
                # NOTE(review): x-forwarded-for normally carries an address, but
                # a URL is sent here; presumably any non-empty value satisfies
                # the check — confirm.
                - name: x-forwarded-for
                  value: 'https://auth2.k-space.ee/'
                - name: x-forwarded-proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 1
          volumeMounts:
            - mountPath: /app/tos
              name: tos
            - mountPath: /app/approval
              name: approval
            - mountPath: /app/src/views/custom/emails
              name: email-templates
      # Terms-of-service, approval page and email templates come from ConfigMaps
      # defined outside this file.
      volumes:
        - name: tos
          configMap:
            name: oidc-gateway-tos-v1
        - name: approval
          configMap:
            name: oidc-gateway-approval-required
        - name: email-templates
          configMap:
            name: oidc-gateway-email-templates