Compare commits
6 Commits
Author | SHA1 | Date | |
---|---|---|---|
492bd7292d
|
|||
e8e561ed27
|
|||
626441ad42
|
|||
cb4c5ab769
|
|||
84dc821eca
|
|||
262c670859
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
deployment/secrets.txt
|
@ -19,6 +19,10 @@ steps:
|
||||
secrets:
|
||||
- source: kube_config
|
||||
target: KUBE_CONFIG_CONTENT
|
||||
- source: encryption_key
|
||||
target: ENCRYPTION_KEY
|
||||
- source: secrets_checksum
|
||||
target: MD5_CHECKSUM
|
||||
commands:
|
||||
- export IMAGE_TAG=$CI_COMMIT_TAG
|
||||
- printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
|
||||
|
43
deployment/decrypt-secrets.sh
Executable file
43
deployment/decrypt-secrets.sh
Executable file
@ -0,0 +1,43 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "$ENCRYPTION_KEY" = "" ]; then
|
||||
echo "ENCRYPTION_KEY not set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$MD5_CHECKSUM" = "" ]; then
|
||||
echo "No checksum given"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SECRETS_CIPHERTEXT_FILE=secrets.enc
|
||||
SECRETS_PLAINTEXT_FILE=/tmp/secrets
|
||||
TMP_FILE=`mktemp`
|
||||
POD_NAME_SUFFIX=`date +%s`
|
||||
|
||||
cat $SECRETS_CIPHERTEXT_FILE | \
|
||||
kubectl run openssl-$POD_NAME_SUFFIX \
|
||||
--rm \
|
||||
--image bitnami/debian-base-buildpack:latest \
|
||||
--env KEY=$ENCRYPTION_KEY \
|
||||
-i \
|
||||
-q \
|
||||
-- \
|
||||
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
|
||||
$TMP_FILE
|
||||
|
||||
if [ `uname` = "Darwin" ]; then
|
||||
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
|
||||
elif [ `uname` = "Linux" ]; then
|
||||
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
|
||||
fi
|
||||
|
||||
if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
|
||||
echo "Invalid checksum"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# cat $TMP_FILE
|
||||
mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
|
||||
|
||||
|
@ -1,3 +1,151 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: traefik-forward-auth
|
||||
data:
|
||||
INSECURE_COOKIE: 'true'
|
||||
COOKIE_DOMAIN: jupyter.hottis.de
|
||||
DOMAINS: jupyter.hottis.de
|
||||
AUTH_HOST: auth.jupyter.hottis.de
|
||||
URL_PATH: /_oauth
|
||||
DEFAULT_PROVIDER: oidc
|
||||
PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
|
||||
PROVIDERS_OIDC_CLIENT_ID: jupyter
|
||||
REQUIRED_ROLE: JupyterAccess
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: traefik-forward-auth
|
||||
labels:
|
||||
app: traefik-forward-auth
|
||||
annotations:
|
||||
secret.reloader.stakater.com/reload: traefik-forward-auth
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: traefik-forward-auth
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: traefik-forward-auth
|
||||
annotations:
|
||||
container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
|
||||
spec:
|
||||
containers:
|
||||
- name: traefik-forward-auth
|
||||
#image: thomseddon/traefik-forward-auth
|
||||
image: wollud1969/traefik-forward-auth:3.0.0
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
tcpSocket:
|
||||
port: 4181
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
resources:
|
||||
limits:
|
||||
memory: '50Mi'
|
||||
cpu: '100m'
|
||||
ports:
|
||||
- containerPort: 4181
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: PROVIDERS_OIDC_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: traefik-forward-auth
|
||||
key: PROVIDERS_OIDC_CLIENT_SECRET
|
||||
- name: SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: traefik-forward-auth
|
||||
key: SECRET
|
||||
- name: LOG_LEVEL
|
||||
value: info
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: traefik-forward-auth
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: traefik-forward-auth
|
||||
labels:
|
||||
app: traefik-forward-auth
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: traefik-forward-auth
|
||||
ports:
|
||||
- name: auth-http
|
||||
port: 4181
|
||||
targetPort: 4181
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: auth-jupyter-hottis-de
|
||||
spec:
|
||||
secretName: auth-jupyter-cert
|
||||
duration: 2160h
|
||||
renewBefore: 360h
|
||||
subject:
|
||||
organizations:
|
||||
- hottis-de
|
||||
isCA: false
|
||||
privateKey:
|
||||
algorithm: RSA
|
||||
encoding: PKCS1
|
||||
size: 2048
|
||||
usages:
|
||||
- server auth
|
||||
dnsNames:
|
||||
- auth.jupyter.hottis.de
|
||||
issuerRef:
|
||||
name: letsencrypt-production-http
|
||||
kind: ClusterIssuer
|
||||
group: cert-manager.io
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: traefik-forward-auth
|
||||
labels:
|
||||
app: traefik-forward-auth
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`auth.jupyter.hottis.de`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: traefik-forward-auth
|
||||
port: 4181
|
||||
tls:
|
||||
secretName: auth-jupyter-cert
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: traefik-forward-auth
|
||||
spec:
|
||||
forwardAuth:
|
||||
trustForwardHeader: true
|
||||
address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181
|
||||
authResponseHeaders:
|
||||
- X-Forwarded-User
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@ -22,7 +170,7 @@ spec:
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: JUPYTER_PORT
|
||||
value: 8888
|
||||
value: "8888"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
@ -37,26 +185,48 @@ spec:
|
||||
targetPort: 8888
|
||||
port: 80
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: jupyter-hottis-de
|
||||
spec:
|
||||
secretName: jupyter-cert
|
||||
duration: 2160h
|
||||
renewBefore: 360h
|
||||
subject:
|
||||
organizations:
|
||||
- hottis-de
|
||||
isCA: false
|
||||
privateKey:
|
||||
algorithm: RSA
|
||||
encoding: PKCS1
|
||||
size: 2048
|
||||
usages:
|
||||
- server auth
|
||||
dnsNames:
|
||||
- jupyter.hottis.de
|
||||
issuerRef:
|
||||
name: letsencrypt-production-http
|
||||
kind: ClusterIssuer
|
||||
group: cert-manager.io
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: jupyter
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-staging-http
|
||||
labels:
|
||||
app: jupyter
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`jupyter.hottis.de`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: jupyter
|
||||
port: 80
|
||||
middlewares:
|
||||
- name: traefik-forward-auth
|
||||
tls:
|
||||
- hosts:
|
||||
- jupyter.hottis.de
|
||||
secretName: jupyter-cert
|
||||
rules:
|
||||
- host: jupyter.hottis.de
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: jupyter
|
||||
port:
|
||||
number: 80
|
||||
secretName: jupyter-cert
|
||||
|
||||
|
@ -11,12 +11,23 @@ NAMESPACE=jupyter
|
||||
DEPLOYMENT_DIR=$PWD/deployment
|
||||
|
||||
pushd $DEPLOYMENT_DIR > /dev/null
|
||||
./decrypt-secrets.sh || exit 1
|
||||
. /tmp/secrets
|
||||
rm /tmp/secrets
|
||||
|
||||
kubectl create namespace $NAMESPACE \
|
||||
--dry-run=client \
|
||||
-o yaml | \
|
||||
kubectl -f - apply
|
||||
|
||||
kubectl create secret generic traefik-forward-auth \
|
||||
--dry-run=client \
|
||||
-o yaml \
|
||||
--save-config \
|
||||
--from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
|
||||
--from-literal=SECRET="$SECRET" | \
|
||||
kubectl apply -f - -n $NAMESPACE
|
||||
|
||||
|
||||
cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
|
||||
sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
|
||||
@ -24,3 +35,4 @@ cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
|
||||
|
||||
popd > /dev/null
|
||||
|
||||
|
||||
|
28
deployment/encrypt-secrets.sh
Executable file
28
deployment/encrypt-secrets.sh
Executable file
@ -0,0 +1,28 @@
|
||||
#!/bin/bash
|
||||
|
||||
|
||||
ENCRYPTION_KEY=`openssl rand -hex 32`
|
||||
echo $ENCRYPTION_KEY
|
||||
|
||||
SECRETS_PLAINTEXT_FILE=secrets.txt
|
||||
SECRETS_CIPHERTEXT_FILE=secrets.enc
|
||||
|
||||
if [ `uname` = "Darwin" ]; then
|
||||
cat $SECRETS_PLAINTEXT_FILE | md5
|
||||
elif [ `uname` = "Linux" ]; then
|
||||
cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
|
||||
fi
|
||||
|
||||
POD_NAME_SUFFIX=`date +%s`
|
||||
|
||||
cat $SECRETS_PLAINTEXT_FILE | \
|
||||
kubectl run openssl-$POD_NAME_SUFFIX \
|
||||
--rm \
|
||||
--image bitnami/debian-base-buildpack:latest \
|
||||
--env KEY=$ENCRYPTION_KEY \
|
||||
-i \
|
||||
-q \
|
||||
-- \
|
||||
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
|
||||
$SECRETS_CIPHERTEXT_FILE
|
||||
|
3
deployment/secrets.enc
Normal file
3
deployment/secrets.enc
Normal file
@ -0,0 +1,3 @@
|
||||
U2FsdGVkX1+ieFWR0PfwpZvaYyk9EzC6noAzAyjeRxrX4UDdQ5cIE1Rdtymt/eo5
|
||||
acU7SqzyrCRaJyCvAgqrqbNCn3qgL+PENLZbcyT8115MlIVSmMfkBXhN6Mc1KMOo
|
||||
todGAfQ9twY/tsuoxwTeb621IBiq4XwhRPMI1+xsoNk=
|
Reference in New Issue
Block a user