
cleanup old oidc-gateway

Erki Aas 2024-08-24 16:29:21 +03:00
parent 65e30d5dec
commit 222d902ec2
6 changed files with 0 additions and 728 deletions


@ -1,8 +0,0 @@
# OIDC Gateway
To deploy
```
kubectl create namespace oidc-gateway
kubectl apply -n oidc-gateway -f crds.yml -f rbac.yml -f texts.yml -f deployment.yml -f kubelogin.yaml -f proxmox.yaml -f voron.yaml
```


@ -1,298 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewayusers.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewayusers
singular: oidcgatewayuser
kind: OIDCGWUser
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
required:
- type
properties:
type:
type: string
enum: [ 'person', 'org', 'service', 'banned' ]
default: person
email:
type: string
companyEmail:
type: string
customGroups:
type: array
items:
type: object
properties:
prefix:
type: string
name:
type: string
customProfile:
type: object
x-kubernetes-preserve-unknown-fields: true
properties:
name:
type: string
company:
type: string
githubEmails:
type: array
items:
type: object
properties:
email:
type: string
primary:
type: boolean
default: false
githubGroups:
type: array
items:
type: object
properties:
prefix:
type: string
enum: [ 'github.com' ]
name:
type: string
githubProfile:
type: object
properties:
name:
type: string
company:
type: string
id:
type: integer
login:
type: string
slackId:
type: string
status:
type: object
properties:
primaryEmail:
type: string
emails:
type: array
items:
type: string
groups:
type: array
items:
type: object
properties:
prefix:
type: string
name:
type: string
profile:
type: object
x-kubernetes-preserve-unknown-fields: true
properties:
name:
type: string
company:
type: string
slackId:
type: string
conditions:
type: array
items:
type: object
x-kubernetes-embedded-resource: true
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- name: Type
type: string
jsonPath: .spec.type
- name: Name
type: string
jsonPath: .status.profile.name
- name: Display e-mail
type: string
jsonPath: .spec.companyEmail
- name: Upstream IdP e-mail
type: string
jsonPath: .spec.githubEmails[?(@.primary==true)].email
- name: GH ID
type: string
jsonPath: .spec.githubProfile.id
- name: Groups
type: string
jsonPath: .status.groups
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewayclients.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewayclients
singular: oidcgatewayclient
kind: OIDCGWClient
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
required:
- redirectUris
- grantTypes
- responseTypes
properties:
uri:
type: string
displayName:
type: string
redirectUris:
type: array
items:
type: string
grantTypes:
type: array
items:
type: string
enum: [ 'implicit', 'authorization_code', 'refresh_token' ]
responseTypes:
type: array
items:
type: string
enum: [ 'code id_token', 'code', 'id_token', 'none' ]
tokenEndpointAuthMethod:
type: string
enum: [ 'client_secret_basic', 'client_secret_jwt', 'client_secret_post', 'private_key_jwt', 'none' ]
idTokenSignedResponseAlg:
type: string
enum: [ 'PS256','RS256', 'ES256' ]
allowedGroups:
type: array
items:
type: string
overrideIncomingScopes:
type: boolean
default: false
availableScopes:
type: array
items:
type: string
enum: [ 'openid', 'profile', 'offline_access' ]
default: [ 'openid' ]
pkce:
type: boolean
default: true
status:
type: object
properties:
gateway:
type: string
additionalPrinterColumns:
- name: Gateway
type: string
description: 'OIDC gateway deployment which manages this client'
jsonPath: .status.gateway
- name: Uris
type: string
description: 'Redirect URLs configured for this client'
jsonPath: .spec.redirectUris
- name: Allowed groups
type: string
description: 'Groups allowed to this client'
jsonPath: .spec.allowedGroups
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: oidcgatewaymiddlewareclients.codemowers.io
spec:
group: codemowers.io
names:
plural: oidcgatewaymiddlewareclients
singular: oidcgatewaymiddlewareclient
kind: OIDCGWMiddlewareClient
scope: Namespaced
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: { }
schema:
openAPIV3Schema:
required:
- spec
type: object
properties:
spec:
type: object
properties:
uri:
type: string
displayName:
type: string
allowedGroups:
type: array
items:
type: string
headerMapping:
type: object
default:
user: 'Remote-User'
name: 'Remote-Name'
email: 'Remote-Email'
groups: 'Remote-Groups'
properties:
user:
type: string
name:
type: string
email:
type: string
groups:
type: string
status:
type: object
properties:
gateway:
type: string
additionalPrinterColumns:
- name: Gateway
type: string
description: 'OIDC gateway deployment which manages this client'
jsonPath: .status.gateway
- name: Uri
type: string
description: 'URL configured for this client'
jsonPath: .spec.uri
- name: Allowed groups
type: string
description: 'Groups allowed to this client'
jsonPath: .spec.allowedGroups


@ -1,162 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oidc-gateway
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: oidc-gateway
subjects:
- kind: ServiceAccount
name: oidc-gateway
namespace: oidc-gateway
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: oidc-gateway
---
apiVersion: codemowers.io/v1alpha1
kind: Redis
metadata:
name: oidc-gateway
spec:
capacity: 512Mi
class: ephemeral
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: oidc-gateway
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: auth2.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: oidc-gateway
port:
number: 3000
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: v1
kind: Service
metadata:
name: oidc-gateway
spec:
type: ClusterIP
selector:
app: oidc-gateway
ports:
- protocol: TCP
port: 3000
---
apiVersion: batch/v1
kind: Job
metadata:
name: oidc-key-manager
spec:
template:
spec:
serviceAccountName: oidc-gateway
containers:
- name: oidc-key-manager
image: mirror.gcr.io/codemowers/passmower
command: [ '/app/node_modules/.bin/key-manager', 'initialize', '-c', 'cluster' ]
restartPolicy: Never
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oidc-gateway
labels:
app: oidc-gateway
spec:
selector:
matchLabels:
app: oidc-gateway
replicas: 3
template:
metadata:
labels:
app: oidc-gateway
spec:
serviceAccountName: oidc-gateway
containers:
- name: oidc-gateway
image: mirror.gcr.io/passmower/passmower:latest@sha256:b909ae01a1f8de9253cf3d6925d189eb687b4299c723f646838e1254a95f72be
ports:
- containerPort: 3000
env:
- name: ISSUER_URL
value: 'https://auth2.k-space.ee/'
- name: DEPLOYMENT_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['app']
- name: GROUP_PREFIX
value: 'k-space'
- name: ADMIN_GROUP
value: 'k-space:onboarding'
# - name: REQUIRED_GROUP # allow everyone to authenticate, limit access to services on client level.
# value: 'codemowers:users'
- name: GITHUB_ORGANIZATION # if not set, gateway will add user groups from all organizations that (s)he granted access for.
value: 'codemowers'
- name: ENROLL_USERS # allow everyone to self-register
value: 'false'
- name: NAMESPACE_SELECTOR
value: '*'
- name: PREFERRED_EMAIL_DOMAIN # try to make primary email consistent
value: 'k-space.ee'
- name: REQUIRE_CUSTOM_USERNAME
value: 'true'
envFrom:
- secretRef:
name: redis-oidc-gateway-owner-secrets
- secretRef:
name: oidc-keys
- secretRef:
name: email-credentials
- secretRef:
name: github-client
- secretRef:
name: slack-client
readinessProbe:
httpGet:
path: /.well-known/openid-configuration
port: 3000
httpHeaders:
- name: x-forwarded-for # suppress oidc-provider warning
value: 'https://auth2.k-space.ee/'
- name: x-forwarded-proto # suppress oidc-provider warning
value: https
initialDelaySeconds: 5
periodSeconds: 1
volumeMounts:
- mountPath: /app/tos
name: tos
- mountPath: /app/approval
name: approval
- mountPath: /app/src/views/custom/emails
name: email-templates
volumes:
- name: tos
configMap:
name: oidc-gateway-tos-v1
- name: approval
configMap:
name: oidc-gateway-approval-required
- name: email-templates
configMap:
name: oidc-gateway-email-templates


@ -1,21 +0,0 @@
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
name: kubelogin
spec:
displayName: Kubernetes API
uri: https://git.k-space.ee/k-space/kube#cluster-access
redirectUris:
- http://localhost:27890
allowedGroups:
- k-space:kubernetes:admins
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
availableScopes:
- openid
- profile
tokenEndpointAuthMethod: none


@ -1,59 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: oidc-gateway
rules:
- apiGroups:
- codemowers.io
resources:
- oidcgatewayusers
- oidcgatewayusers/status
- oidcgatewayclients
- oidcgatewayclients/status
- oidcgatewaymiddlewareclients
- oidcgatewaymiddlewareclients/status
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- patch
- delete
- apiGroups:
- traefik.containo.us
resources:
- middlewares
verbs:
- get
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oidc-gateway
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: oidc-gateway
subjects:
- kind: ServiceAccount
name: oidc-gateway
namespace: oidc-gateway
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: oidc-gateway


@ -1,180 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-gateway-tos-v1
data:
tos.md: |
Rules
Also known as code of conduct, guidelines, member vows, values etc. Please keep em' on one wiki page. Canonical URL shall be [k-space.ee/rules](http://k-space.ee/rules) which will redirect to right wiki page.
These rules were approved 30. October 2020. Current version contains minor corrections. For future amendments of the rules please put your ideas and thoughts into [pad.k-space.ee/p/rules](https://pad.k-space.ee/p/rules), they will be taken into account during next General Assembly.
Upon becoming a member I solemny swear that
1. **Who's who**
- I acknowledge the management of the hackerspace is governed by K-SPACE MTÜ (non-profit organization), it's [charter](/pohikiri_80397632_716212.pdf) and [Non-profit Associations Act](https://www.riigiteataja.ee/en/eli/528052020003/consolide)
- I acknowledge there are different membership forms listed under [membership#packages](/about/membership#packages) which can be largely broken down to affiliates (Regulars, Associates, Residents) who are at the hackerspace to make use of some services and members who are more involved in making the hackerspace happen.
- I acknowledge that in order to participate in the K-SPACE MTÜ management processes I need to obtain the [Member Tier](/about/membership#member-tier) status, note that this is different from the 'Member package' which was renamed to 'Associate tier' in October of 2020 in order to clarify what member of an non-profit association means.
- Among the ['Member Tier'](https://members.k-space.ee/?filter=resident-member&filter=associate-member) people the board is elected which represents K-SPACE MTÜ in legal matters such as getting bills paid, signing rental contracts and so forth. Currently board members include Erki Naumanis only. Bearing the responsibility also means that board has the final word in many cases.
- I acknowledge K-SPACE MTÜ is renting rooms from SA Tallinna Teaduspark Tehnopol. The rental agreement imposes numerous conditions and constraints due to safety reasons. Eg corridors must be kept accessible and free of flammable materials.
1. **Stay positive.**
- I will set up a recurring payment (püsikorraldus) or pay up front in bulk.
- I will not go in debt.
- I acknowledge failing to pay membership fees for 2 months results in door access cancellation.
- I will mark my payments clearly and consistenly with my full name, so the payments can be automatically procesed.
1. **Clarity not obscurity.**
- I will mark my equipment, server, locker, desk with my full name, phone number and e-mail.
- I acknowledge that my unlabelled stuff will be unplugged.
- Before asking questions I will familiarize myself [how to ask questions](https://www.khanacademy.org/computing/computer-programming/programming/becoming-a-community-coder/a/ask-for-program-help) and provide enough details.
1. **Communication is vital**
- I will proactively communicate need to cancel or pause my subscription, e.g. in case of being unable to pay.
- Upon leaving I will vacate the locker and return any keys given to me.
- I acknowledge Slack is primary communications platform for K-SPACE MTÜ. This is mainly due to wanting to have a way to communicate even if all the selfhosted infra is down. I will request access to the channel from any of the onboarders. I will not complain about being left out of the loop about changes etc if I am not on the #members channel.
1. **Access controls**
- I acknowledge primary method of accessing the floor is by using some of my own NFC cards (eg green Ühiskaart) or keyfobs.
- I will get my token registered in the door system of the day. To be on the safe side I will register multiple cards and/or keyfobs.
- I acknowledge Slack bot for opening the doors supplements the primary one, eg I can get in if I have forgot my card at home.
- I acknowledge that when it comes to security of doorcards it's nonexistant. I will not make copies of my card or distribute it's unique identifier sequence.
1. **Treat as your own -- with care**
- I will do my best to take care of the equipment and the space.
- I acknowledge that I must turn off the lights and leave windows in microventilation mode when I am the last one to leave.
- In case of equiment breakage I will notify info@k-space.ee immediately for resolution options. Any K-SPACE MTÜ owned equiment replacements must be purchased by K-SPACE MTÜ, see below under 'Regarding the toys' why.
- Upon losing (physical metal) key I will compensate 10EUR to K-SPACE MTÜ for it
1. **Contributions are welcome**
- I acknowledge that my immaterial contributions (e.g. building something for the hackerspace or helping others) doesn't compensate my membership fees. The only discount option is the 'Student discount'. Flexing with your contributions on your CV is OK.
- Before bringing any items for donation I will consult with a board member. K-SPACE is not my free (e-)junk disposal station.
- Donations don't compensate for my membership fees. K-SPACE MTÜ still needs to pay rent and electricity bills.
1. **Underpromise, overdeliver**
- I acknowledge there are many fun activities I want to be part of.
- I acknowledge I have obligations elsewhere as well (eg school, work, family).
- I will do my best to fulfill what I have promised to other members.
- I will rather say no in first place than say yes and fail to fulfill the promise.
- I will let the relying party know as soon as possible if I am not able to handle something I promised to do.
1. **Regarding the toys**
- I acknowledge I can bring my own equipment to hackerspace for common use. I acknowledge many others already do that. Lasercutter, CNC cutter, and many power tools are not owned by K-SPACE MTÜ. I take extra care of other members' equipment and before making use of them request training from the machine owner.
- I agree not to utilise any tool or piece of equipment unless I am competent in its use (and have completed induction/training where necessary) or are under the direct supervision of a competent user.
- I agree that the space is a potentially dangerous environment and that I may be exposed to various risks as a result of work undertaken by me or others. Notwithstanding all reasonable attempts by K-Space to ensure the safety of me and others, I agree to the full extent permitted by law to assume complete responsibility for my own actions and their consequences.
- If I think some new equipment would be useful for the space to be purchased by K-SPACE MTÜ I will make a suggestion to K-SPACE MTÜ board via board@k-space.ee.
- If I want to build something for the hackerspace I will consult with a board member for the compensation of materials.
- I acknowledge that my membership fees contribute towards refreshing equipment in common use, that is soldering irons, switches in server room etc.
- Purchases related to the hackerspace must be made by K-SPACE MTÜ.
- This is the clearest option from accounting perspective.
- It's also important that so any warranty, receipts and other documents would be correctly assigned to K-SPACE MTÜ and usable should you give up your membership at some point.
- Preferred option is to ask for proforma invoice for K-SPACE MTÜ, Akadeemia tee 21/1 and send it to info@k-space.ee - the payment will be executed by a board member.
- In case of Internet shops ask for the credit card from a board member.
1. **No borrowing or lending equipment**
- I acknowledge that equipment provided by K-SPACE MTÜ or it's members is for on-prem use only
- I will not take any of the equipment with me
- Only exception to this is workshops happening outside (eg visiting Robotex, Lapikud, IT College etc)
- I will notify info@k-space.ee about what I am going to take with me and why
- I will return equipment immediately after the event
- I acknowledge that this rule is due to numerous occasions people forgetting to return borrowed stuff
1. **Sharing is caring**
- I acknowledge that flexidesks also known as hot desks (8 desks in the middle of big room with projector) are to be cleaned by the end of the day.
- Sometimes exprompt events are scheduled in the room - I will not leave my stuff on flexidesks over night. If I come in often I can leave my screen and keyboard on one of the desks near the window.
- I acknowledge that for more persistent setup I should really switch to resident tier
1. **Being Mindful**
- While being active in the hackerspace I will make sure that my activites are not disturbing others, my activites are not causing exess financial drain on the K-SPACE MTÜ.
- Wearing earphones is generally sign of working on something and not wanting to be interrupted.
- I will act frugal. For example running additional servers without paying or running Bitcoin miner on the expense of K-SPACE MTÜ is NOT okay.
- Causing interruptions in the server room operation during working hours is NOT okay. Designated timeslot for disruptive changes is Thursday 19:00 until Friday 6:00. I recognize that occasionally hardware fails and non-disruptive changes might turn into disruptive outside that timeslot.
- I will not smoke inside the hackerspace rooms. I will exit the building for a cigarette.
1. **Striving for improvement***
- I acknowledge that hackerspace is a vague term ranging from anarchocommunist potsmoking to <a href="https://www.fablab.berlin/">fullblown commercial operation</a>.
- I will do my best to educate myself about <a href="https://github.com/0x20/hackerspace-blueprint/releases/latest/download/hackerspace-blueprint.pdf">hackerspace and makerspace</a> scene in general and I will not indulge in flamewars.
1. **Lock and stock**
- I acknowledge one locker is available for me for no charge with supporter and member tiers.
- I acknowledge that if would switch to resident tier I would be not eligible for a free locker as I would already have whole desk for my stuff
- I acknowledge additional lockers are available for 10EUR per month.
1. **Run the jewels**
- I will not make use of a blade server without legit reason, eg running hypervisor host. For single web application obtain VM from our Proxmox cluster.
- I will shut down machine not in use and I will make sure it stays shut. It's recurring issue that servers that have been shut down are discovered powered on again, eg in BIOS make sure it says 'last state' not 'always on' or even better disconnect power.
1. **Community FTW!**
- I acknowledge that people who take time to deal with me are not paid, they do it voluntarily off their free time for sh\*ts and giggles.
- They still pay membership fees.
- I will treat them and their time with respect.
- I will not become a burden for them.
- I acknowledge rules above are not exhaustive.
- I will do my best to act in good faith and not try to work around the rules.
- I accept that there will always be certain amount chaos at the hackerspace.
**Disclaimer**: Lauri (K-SPACE founder) believes that:
* a) we can have a hackerspace that is not utter chaos
* b) that is financially in order
* c) offers friendly/flexible pricing for students
* d) keeps doors open for companies and startups
* e) allows reasonable buffer for experimentation.
Lauri's favourite example hackerspaces include [AFRA](https://wiki.hackerspaces.org/AFRA) and [Raumfahrtagentur](https://wiki.hackerspaces.org/Raumfahrtagentur)
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-gateway-approval-required
data:
approval.txt: |
Dear User,
Thank you for your interest in accessing the K-Space MTÜ infrastructure. To become a member, please contact us at info@k-space.ee
Also see https://www.k-space.ee/
Best regards, K-Space MTÜ
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oidc-gateway-email-templates
data:
tos.txt: |
Hi, <%= name %>!
You agreed with the Terms of Service at <%= timestamp %>
Content SHA256 hash: <%= hash %>
Best regards,
K-Space MTÜ
tos.ejs: |
<div>
<p>Hi, <%= name %>!</p>
<p>You agreed with the following Terms of Service at <%= timestamp %></p>
<p>Content SHA256 hash: <%= hash %></p>
<blockquote>
<%- content -%>
</blockquote>
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
tos.subject: |
Terms of Service agreement confirmation
link.txt: |
Open the following link to log in: <%= url %>
Best regards,
K-Space MTÜ
link.ejs: |
<div>
<p>Open the following link to log in: <a href="<%= url %>"<%= url %></a></p>
<p>Best regards, <br/> K-Space MTÜ</p>
</div>
link.subject: |
auth2.k-space.ee login link