diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl
index 6c978fb..5d2eb23 100644
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@@ -1,3 +1,149 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: traefik-forward-auth +data: + INSECURE_COOKIE: 'true' + COOKIE_DOMAIN: jupyter.hottis.de + DOMAINS: jupyter.hottis.de + AUTH_HOST: auth.jupyter.hottis.de + URL_PATH: /_oauth + DEFAULT_PROVIDER: oidc + PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis + PROVIDERS_OIDC_CLIENT_ID: jupyter + REQUIRED_ROLE: JupyterAccess +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: traefik-forward-auth + labels: + app: traefik-forward-auth +spec: + replicas: 1 + selector: + matchLabels: + app: traefik-forward-auth + template: + metadata: + labels: + app: traefik-forward-auth + annotations: + container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default + spec: + containers: + - name: traefik-forward-auth + #image: thomseddon/traefik-forward-auth + image: wollud1969/traefik-forward-auth:3.0.0 + imagePullPolicy: Always + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + capabilities: + drop: + - ALL + livenessProbe: + failureThreshold: 3 + tcpSocket: + port: 4181 + initialDelaySeconds: 10 + periodSeconds: 10 + resources: + limits: + memory: '50Mi' + cpu: '100m' + ports: + - containerPort: 4181 + protocol: TCP + env: + - name: PROVIDERS_OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: traefik-forward-auth + key: PROVIDERS_OIDC_CLIENT_SECRET + - name: SECRET + valueFrom: + secretKeyRef: + name: traefik-forward-auth + key: SECRET + - name: LOG_LEVEL + value: info + envFrom: + - configMapRef: + name: traefik-forward-auth +--- +apiVersion: v1 +kind: Service +metadata: + name: traefik-forward-auth + labels: + app: traefik-forward-auth +spec: + type: ClusterIP + selector: + app: traefik-forward-auth + ports: + - name: auth-http + port: 4181 + targetPort: 4181 +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: auth-jupyter-hottis-de +spec: + secretName: auth-jupyter-cert + duration: 
2160h + renewBefore: 360h + subject: + organizations: + - hottis-de + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + dnsNames: + - auth.jupyter.hottis.de + issuerRef: + name: letsencrypt-production-http + kind: ClusterIssuer + group: cert-manager.io +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-forward-auth + labels: + app: traefik-forward-auth +spec: + entryPoints: + - websecure + routes: + - match: Host(`auth.jupyter.hottis.de`) + kind: Rule + services: + - name: traefik-forward-auth + port: 4181 + tls: + secretName: auth-jupyter-cert +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: traefik-forward-auth +spec: + forwardAuth: + trustForwardHeader: true + address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181 + authResponseHeaders: + - X-Forwarded-User + +--- apiVersion: apps/v1 kind: Deployment metadata: 
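Review bot: `INSECURE_COOKIE: 'true'` in the traefik-forward-auth ConfigMap turns off the Secure flag on the auth cookie, yet every route in this hunk is served only on the `websecure` entry point with a cert-manager certificate, so the cookie would also be accepted over plain HTTP should the host ever be reachable that way; remove the key or set it to `'false'`. In the Middleware, `trustForwardHeader: true` passes client-supplied `X-Forwarded-*` headers through to the auth service, which presumably uses them to build redirect and callback URLs, so this should only be enabled together with an entryPoint `forwardedHeaders.trustedIPs` restriction that limits who may set those headers. The container `securityContext` is otherwise tight but lacks `allowPrivilegeEscalation: false`, which the restricted Pod Security Standard requires alongside `runAsNonRoot` and dropping all capabilities. The Middleware `address` hard-codes the `jupyter` namespace in the service DNS name even though the file is a template, so deploying into another namespace silently points the forwardAuth at a non-existent service.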
@@ -37,26 +183,48 @@ spec: targetPort: 8888 port: 80 --- -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: jupyter-hottis-de +spec: + secretName: jupyter-cert + duration: 2160h + renewBefore: 360h + subject: + organizations: + - hottis-de + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - server auth + dnsNames: + - jupyter.hottis.de + issuerRef: + name: letsencrypt-production-http + kind: ClusterIssuer + group: cert-manager.io +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute metadata: name: jupyter - annotations: - cert-manager.io/cluster-issuer: letsencrypt-staging-http + labels: + app: jupyter spec: + entryPoints: + - websecure + routes: + - match: Host(`jupyter.hottis.de`) + kind: Rule + services: + - name: jupyter + port: 80 + middlewares: + - name: traefik-forward-auth tls: - - hosts: - - jupyter.hottis.de - secretName: jupyter-cert - rules: - - host: jupyter.hottis.de - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: jupyter - port: - number: 80 + secretName: jupyter-cert diff --git a/deployment/secret.yml b/deployment/secret.yml new file mode 100644 index 0000000..eb841a8 --- /dev/null +++ b/deployment/secret.yml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: traefik-forward-auth +type: Opaque +data: + PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER + SECRET: PLACEHOLDER +
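Review bot: Both Certificate objects (`jupyter-hottis-de` here and `auth-jupyter-hottis-de` in the first hunk) keep the same RSA private key across every renewal, because `spec.privateKey.rotationPolicy` defaults to `Never`; add `rotationPolicy: Always` under `privateKey` in each so a renewal also rotates the key. The jupyter IngressRoute references the middleware as `- name: traefik-forward-auth` without a `namespace`, which Traefik resolves in the IngressRoute's own namespace; that is fine as long as the Middleware is applied there too, but a missing middleware is only visible in Traefik's logs, so a comment such as `# middleware must exist in this namespace` next to the reference would help the next maintainer. The TLS block drops the explicit `hosts` list the old Ingress had, which is acceptable since `secretName: jupyter-cert` and the `Host()` match now carry that information.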
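Review bot: The new `secret.yml` puts `PLACEHOLDER` under `data:`, but `data` values must be base64-encoded and `PLACEHOLDER` is not valid base64, so the API server rejects the manifest as written; if the intent is to substitute values at deploy time, `stringData:` takes the raw values and avoids a manual encoding step. Unlike `deploy-yml.tmpl`, this file is not named as a template and is tracked in the repository, so the natural next step of pasting the real `PROVIDERS_OIDC_CLIENT_SECRET` and `SECRET` into it would commit live credentials; keep the rendered secret out of VCS or generate it at deploy time. `SECRET` is presumably the cookie-signing key for the forward-auth service, so it should be a long random value rather than anything derived from the OIDC client secret.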