simon/kube
1
0
Fork 0
forked from k-space/kube
Code Pull Requests Activity

oidc: add oidc-gateway manifests

Browse Source
This commit is contained in:
Erki Aas
2023-06-27 14:01:44 +03:00
parent 1d3d58f1a0
commit 045a8bb574
4 changed files with 557 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

276
oidc-gateway/crds.yml Normal file
View File

@@ -0,0 +1,276 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewayusers.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewayusers
singular: oidcgatewayuser
kind: OIDCGWUser
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
properties:
email:
type: string
customGroups:
type: array
items:
type: object
properties:
prefix:
type: string
name:
type: string
customProfile:
type: object
properties:
name:
type: string
company:
type: string
githubEmails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
githubGroups:
type: array
items:
type: object
properties:
prefix:
type: string
enum: [ 'github.com' ]
name:
type: string
githubProfile:
type: object
properties:
name:
type: string
company:
type: string
id:
type: integer
login:
type: string
slackId:
type: string
status:
type: object
properties:
primaryEmail:
type: string
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
prefix:
type: string
name:
type: string
profile:
type: object
properties:
name:
type: string
company:
type: string
slackId:
type: string
conditions:
type: array
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Name
type: string
jsonPath: .status.profile.name
- name: Emails
type: string
jsonPath: .status.emails
- name: Groups
type: string
jsonPath: .status.groups
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewayclients.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewayclients
singular: oidcgatewayclient
kind: OIDCGWClient
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
required:
- redirectUris # TODO: add validation
- grantTypes
- responseTypes
properties:
uri:
type: string
displayName:
type: string
redirectUris:
type: array
items:
type: string
grantTypes:
type: array
items:
type: string
enum: [ 'implicit', 'authorization_code', 'refresh_token' ]
responseTypes:
type: array
items:
type: string
enum: [ 'code id_token', 'code', 'id_token', 'none' ]
tokenEndpointAuthMethod:
type: string
enum: [ 'client_secret_basic', 'client_secret_jwt', 'client_secret_post', 'private_key_jwt', 'none' ]
idTokenSignedResponseAlg:
type: string
enum: [ 'PS256','RS256', 'ES256' ]
allowedGroups:
type: array
items:
type: string
availableScopes:
type: array
items:
type: string
enum: [ 'openid', 'profile', 'offline_access' ]
default: [ 'openid' ]
pkce:
type: boolean
default: true
status:
type: object
properties:
gateway:
type: string
additionalPrinterColumns:
- name: Gateway
type: string
description: 'OIDC gateway deployment which manages this client'
jsonPath: .status.gateway
- name: Uris
type: string
description: 'Redirect URLs configured for this client'
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: 'Groups allowed to this client'
jsonPath: .spec.allowedGroups
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewaymiddlewareclients.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewaymiddlewareclients
singular: oidcgatewaymiddlewareclient
kind: OIDCGWMiddlewareClient
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
properties:
uri:
type: string
displayName:
type: string
allowedGroups:
type: array
items:
type: string
headerMapping:
type: object
default:
user: 'Remote-User'
name: 'Remote-Name'
email: 'Remote-Email'
groups: 'Remote-Groups'
properties:
user:
type: string
name:
type: string
email:
type: string
groups:
type: string
status:
type: object
properties:
gateway:
type: string
additionalPrinterColumns:
- name: Gateway
type: string
description: 'OIDC gateway deployment which manages this client'
jsonPath: .status.gateway
- name: Uri
type: string
description: 'URL configured for this client'
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: 'Groups allowed to this client'
jsonPath: .spec.allowedGroups

157
oidc-gateway/deployment.yml Normal file
View File

@@ -0,0 +1,157 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oidc-gateway-default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: oidc-gateway
subjects:
- kind: ServiceAccount
name: oidc-gateway
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: oidc-gateway
---
apiVersion: codemowers.io/v1alpha1
kind: KeyDBCluster
spec:
persistent: false
replicas: 3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: oidc-gateway
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: auth2.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: oidc-gateway
port:
number: 3000
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: v1
kind: Service
metadata:
name: oidc-gateway
spec:
type: ClusterIP
selector:
app: oidc-gateway
ports:
- protocol: TCP
port: 3000
---
apiVersion: batch/v1
kind: Job
metadata:
name: oidc-key-manager
spec:
template:
spec:
serviceAccountName: oidc-gateway
containers:
- name: oidc-key-manager
image: codemowers/oidc-gateway
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
restartPolicy: Never
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oidc-gateway
labels:
app: oidc-gateway
spec:
selector:
matchLabels:
app: oidc-gateway
replicas: 3
template:
metadata:
labels:
app: oidc-gateway
spec:
serviceAccountName: oidc-gateway
containers:
- name: oidc-gateway
image: codemowers/oidc-gateway
ports:
- containerPort: 3000
env:
- name: ISSUER_URL
value: 'https://auth2.k-space.ee/'
- name: DEPLOYMENT_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: GROUP_PREFIX
value: 'k-space'
- name: ADMIN_GROUP
value: 'k-space:admins'
# - name: REQUIRED_GROUP # allow everyone to authenticate, limit access to services on client level.
# value: 'codemowers:users'
- name: GITHUB_ORGANIZATION # if not set, gateway will add user groups from all organizations that (s)he granted access for.
value: 'codemowers'
- name: ENROLL_USERS # allow everyone to self-register
value: 'true'
- name: NAMESPACE_SELECTOR
value: '*'
- name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent
value: 'k-space.ee'
envFrom:
- secretRef:
name: redis-oidc-gateway-owner-secrets
- secretRef:
name: oidc-keys
- secretRef:
name: oidc-gateway-email-credentials
- secretRef:
name: github-client
- secretRef:
name: slack-client
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: 'https://auth2.k-space.ee/'
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
initialDelaySeconds: 5
periodSeconds: 1
volumeMounts:
- mountPath: /app/tos
name: tos
- mountPath: /app/approval
name: approval
- mountPath: /app/src/views/custom/emails
name: email-templates
volumes:
- name: tos
configMap:
name: oidc-gateway-tos-v1
- name: approval
configMap:
name: oidc-gateway-approval-required
- name: email-templates
configMap:
name: oidc-gateway-email-templates

59
oidc-gateway/rbac.yml Normal file
View File

@@ -0,0 +1,59 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: oidc-gateway
rules:
- apiGroups:
- codemowers.io
resources:
- oidcgatewayusers
- oidcgatewayusers/status
- oidcgatewayclients
- oidcgatewayclients/status
- oidcgatewaymiddlewareclients
- oidcgatewaymiddlewareclients/status
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- patch
- delete
- apiGroups:
- traefik.containo.us
resources:
- middlewares
verbs:
- get
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oidc-gateway
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: oidc-gateway
subjects:
- kind: ServiceAccount
name: oidc-gateway
namespace: oidc-gateway
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: oidc-gateway

65
oidc-gateway/texts.yml Normal file
View File

@@ -0,0 +1,65 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-gateway-tos-v1
data:
tos.txt: |
Terms of Service
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-gateway-approval-required
data:
approval.txt: |
Dear User,
Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee
Also see https://www.k-space.ee/
Best regards, K-Space MTÜ
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-gateway-email-templates
data:
tos.txt: |
Hi, <%= name %>!
You agreed with the Terms of Service at <%= timestamp %>
Content SHA256 hash: <%= hash %>
Best regards,
K-Space MTÜ
tos.ejs: |
<div>
<p>Hi, <%= name %>!</p>
<p>You agreed with the following Terms of Service at <%= timestamp %></p>
<p>Content SHA256 hash: <%= hash %></p>
<br />
<blockquote>
<%- content -%>
</blockquote>
<br />
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
tos.subject: |
Terms of Service agreement confirmation
link.txt: |
Open the following link to log in: <%= url %>
Best regards,
K-Space MTÜ
link.ejs: |
<div>
<p>Open the following link to log in: <%= url %></p>
<br />
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
link.subject: |
auth.k-space.ee login link