253 lines
5.2 KiB
Cheetah
253 lines
5.2 KiB
Cheetah
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: traefik-forward-auth
|
|
data:
|
|
INSECURE_COOKIE: 'true'
|
|
COOKIE_DOMAIN: jupyter.hottis.de
|
|
DOMAINS: jupyter.hottis.de
|
|
AUTH_HOST: auth.jupyter.hottis.de
|
|
URL_PATH: /_oauth
|
|
DEFAULT_PROVIDER: oidc
|
|
PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
|
|
PROVIDERS_OIDC_CLIENT_ID: jupyter
|
|
REQUIRED_ROLE: JupyterAccess
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: traefik-forward-auth
|
|
labels:
|
|
app: traefik-forward-auth
|
|
annotations:
|
|
secret.reloader.stakater.com/reload: traefik-forward-auth
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: traefik-forward-auth
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: traefik-forward-auth
|
|
annotations:
|
|
container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
|
|
spec:
|
|
containers:
|
|
- name: traefik-forward-auth
|
|
#image: thomseddon/traefik-forward-auth
|
|
image: wollud1969/traefik-forward-auth:3.0.0
|
|
imagePullPolicy: Always
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
runAsUser: 65534
|
|
runAsGroup: 65534
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
tcpSocket:
|
|
port: 4181
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
resources:
|
|
limits:
|
|
memory: '50Mi'
|
|
cpu: '100m'
|
|
ports:
|
|
- containerPort: 4181
|
|
protocol: TCP
|
|
env:
|
|
- name: PROVIDERS_OIDC_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: traefik-forward-auth
|
|
key: PROVIDERS_OIDC_CLIENT_SECRET
|
|
- name: SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: traefik-forward-auth
|
|
key: SECRET
|
|
- name: LOG_LEVEL
|
|
value: info
|
|
envFrom:
|
|
- configMapRef:
|
|
name: traefik-forward-auth
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: traefik-forward-auth
|
|
labels:
|
|
app: traefik-forward-auth
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app: traefik-forward-auth
|
|
ports:
|
|
- name: auth-http
|
|
port: 4181
|
|
targetPort: 4181
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: auth-jupyter-hottis-de
|
|
spec:
|
|
secretName: auth-jupyter-cert
|
|
duration: 2160h
|
|
renewBefore: 360h
|
|
subject:
|
|
organizations:
|
|
- hottis-de
|
|
isCA: false
|
|
privateKey:
|
|
algorithm: RSA
|
|
encoding: PKCS1
|
|
size: 2048
|
|
usages:
|
|
- server auth
|
|
dnsNames:
|
|
- auth.jupyter.hottis.de
|
|
issuerRef:
|
|
name: letsencrypt-production-http
|
|
kind: ClusterIssuer
|
|
group: cert-manager.io
|
|
---
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: traefik-forward-auth
|
|
labels:
|
|
app: traefik-forward-auth
|
|
spec:
|
|
entryPoints:
|
|
- websecure
|
|
routes:
|
|
- match: Host(`auth.jupyter.hottis.de`)
|
|
kind: Rule
|
|
services:
|
|
- name: traefik-forward-auth
|
|
port: 4181
|
|
tls:
|
|
secretName: auth-jupyter-cert
|
|
---
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: traefik-forward-auth
|
|
spec:
|
|
forwardAuth:
|
|
trustForwardHeader: true
|
|
address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181
|
|
authResponseHeaders:
|
|
- X-Forwarded-User
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: jupyter-workspace
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
storageClassName: nfs-client
|
|
resources:
|
|
requests:
|
|
storage: 100Mi
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: jupyter
|
|
labels:
|
|
app: jupyter
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: jupyter
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: jupyter
|
|
spec:
|
|
containers:
|
|
- name: jupyter
|
|
image: %IMAGE%
|
|
ports:
|
|
- containerPort: 8888
|
|
protocol: TCP
|
|
env:
|
|
- name: JUPYTER_PORT
|
|
value: "8888"
|
|
volumeMounts:
|
|
- mountPath: /home/jovyan/work
|
|
name: work
|
|
volumes:
|
|
- name: work
|
|
persistentVolumeClaim:
|
|
claimName: jupyter-workspace
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: jupyter
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app: jupyter
|
|
ports:
|
|
- name: http
|
|
targetPort: 8888
|
|
port: 80
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: jupyter-hottis-de
|
|
spec:
|
|
secretName: jupyter-cert
|
|
duration: 2160h
|
|
renewBefore: 360h
|
|
subject:
|
|
organizations:
|
|
- hottis-de
|
|
isCA: false
|
|
privateKey:
|
|
algorithm: RSA
|
|
encoding: PKCS1
|
|
size: 2048
|
|
usages:
|
|
- server auth
|
|
dnsNames:
|
|
- jupyter.hottis.de
|
|
issuerRef:
|
|
name: letsencrypt-production-http
|
|
kind: ClusterIssuer
|
|
group: cert-manager.io
|
|
---
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: jupyter
|
|
labels:
|
|
app: jupyter
|
|
spec:
|
|
entryPoints:
|
|
- websecure
|
|
routes:
|
|
- match: Host(`jupyter.hottis.de`)
|
|
kind: Rule
|
|
services:
|
|
- name: jupyter
|
|
port: 80
|
|
middlewares:
|
|
- name: traefik-forward-auth
|
|
tls:
|
|
secretName: jupyter-cert
|
|
|