164 lines
4.3 KiB
YAML
164 lines
4.3 KiB
YAML
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: oidc-gateway
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: oidc-gateway
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: oidc-gateway
|
|
namespace: oidc-gateway
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: oidc-gateway
|
|
---
|
|
apiVersion: codemowers.io/v1alpha1
|
|
kind: Redis
|
|
metadata:
|
|
name: oidc-gateway
|
|
spec:
|
|
capacity: 512Mi
|
|
class: ephemeral
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: oidc-gateway
|
|
annotations:
|
|
kubernetes.io/ingress.class: traefik
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
|
spec:
|
|
rules:
|
|
- host: auth2.k-space.ee
|
|
http:
|
|
paths:
|
|
- pathType: Prefix
|
|
path: "/"
|
|
backend:
|
|
service:
|
|
name: oidc-gateway
|
|
port:
|
|
number: 3000
|
|
tls:
|
|
- hosts:
|
|
- "*.k-space.ee"
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: oidc-gateway
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app: oidc-gateway
|
|
ports:
|
|
- protocol: TCP
|
|
port: 3000
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: oidc-key-manager
|
|
spec:
|
|
template:
|
|
spec:
|
|
serviceAccountName: oidc-gateway
|
|
containers:
|
|
- name: oidc-key-manager
|
|
image: codemowers/oidc-gateway
|
|
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
|
|
restartPolicy: Never
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: oidc-gateway
|
|
labels:
|
|
app: oidc-gateway
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: oidc-gateway
|
|
replicas: 3
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: oidc-gateway
|
|
spec:
|
|
serviceAccountName: oidc-gateway
|
|
containers:
|
|
- name: oidc-gateway
|
|
image: docker.io/codemowers/oidc-gateway
|
|
|
|
ports:
|
|
- containerPort: 3000
|
|
env:
|
|
- name: ISSUER_URL
|
|
value: 'https://auth2.k-space.ee/'
|
|
- name: DEPLOYMENT_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.labels['app']
|
|
- name: GROUP_PREFIX
|
|
value: 'k-space'
|
|
- name: ADMIN_GROUP
|
|
value: 'k-space:kubernetes:admins'
|
|
# - name: REQUIRED_GROUP # allow everyone to authenticate, limit access to services on client level.
|
|
# value: 'codemowers:users'
|
|
- name: GITHUB_ORGANIZATION # if not set, gateway will add user groups from all organizations that (s)he granted access for.
|
|
value: 'codemowers'
|
|
- name: ENROLL_USERS # allow everyone to self-register
|
|
value: 'false'
|
|
- name: NAMESPACE_SELECTOR
|
|
value: '*'
|
|
- name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent
|
|
value: 'k-space.ee'
|
|
- name: REQUIRE_CUSTOM_USERNAME
|
|
value: 'true'
|
|
envFrom:
|
|
- secretRef:
|
|
name: redis-oidc-gateway-owner-secrets
|
|
- secretRef:
|
|
name: oidc-keys
|
|
- secretRef:
|
|
name: email-credentials
|
|
- secretRef:
|
|
name: github-client
|
|
- secretRef:
|
|
name: slack-client
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /.well-known/openid-configuration
|
|
port: 3000
|
|
httpHeaders:
|
|
- name: x-forwarded-for # suppress oidc-provider warning
|
|
value: 'https://auth2.k-space.ee/'
|
|
- name: x-forwarded-proto # suppress oidc-provider warning
|
|
value: https
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 1
|
|
volumeMounts:
|
|
- mountPath: /app/tos
|
|
name: tos
|
|
- mountPath: /app/approval
|
|
name: approval
|
|
- mountPath: /app/src/views/custom/emails
|
|
name: email-templates
|
|
volumes:
|
|
- name: tos
|
|
configMap:
|
|
name: oidc-gateway-tos-v1
|
|
- name: approval
|
|
configMap:
|
|
name: oidc-gateway-approval-required
|
|
- name: email-templates
|
|
configMap:
|
|
name: oidc-gateway-email-templates
|