From 14554c31c81a6db121e8b4c95e81dfa2f6faa744 Mon Sep 17 00:00:00 2001
From: Finn
Date: Sun, 13 Oct 2024 16:54:22 -0700
Subject: [PATCH] fix auth for spoolman
---
 k8s/spoolman/ingress.yaml | 25 ++++++
 k8s/system/kustomization.yaml | 10 +++
 .../traefik-forward-auth-herzfeld-casa.yaml | 82 +++++++++++++++++++
 3 files changed, 117 insertions(+)
 create mode 100644 k8s/system/traefik-forward-auth-herzfeld-casa.yaml
diff --git a/k8s/spoolman/ingress.yaml b/k8s/spoolman/ingress.yaml
index e85b95b..ffcb304 100644
--- a/k8s/spoolman/ingress.yaml
+++ b/k8s/spoolman/ingress.yaml
@@ -32,6 +32,31 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
+metadata:
+ name: spoolman.herzfeld.casa
+ labels:
+ name: spoolman.herzfeld.casa
+ annotations:
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth-herzfeld-casa@kubernetescrd
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts: [spoolman.herzfeld.casa]
+ secretName: spoolman.herzfeld.casa
+ rules:
+ - host: spoolman.herzfeld.casa
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: spoolman
+ port:
+ number: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
 name: spoolman-internal
 labels:
diff --git a/k8s/system/kustomization.yaml b/k8s/system/kustomization.yaml
index 4e3666b..43c2480 100644
--- a/k8s/system/kustomization.yaml
+++ b/k8s/system/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - traefik-default-cert.yaml
 - traefik-dashboard.yaml
 - traefik-forward-auth.yaml
+ - traefik-forward-auth-herzfeld-casa.yaml
 - secrets.yaml
 configMapGenerator:
 - name: traefik-additional-configs
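Review bot: The `router.middlewares` annotation on the new `spoolman.herzfeld.casa` Ingress only guards that one router; the `spoolman-internal` Ingress in the trailing context (its body is outside the hunk) still fronts the same `spoolman` service, and if that host is resolvable and reachable from the same network as the new one, the forward-auth is bypassed simply by using the internal hostname — confirm it is only reachable internally, or give it the same `traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth-herzfeld-casa@kubernetescrd` annotation. The reference is also cross-namespace (the Ingress presumably lives in the spoolman namespace, the Middleware in `kube-system`), which Traefik's CRD provider only resolves with `allowCrossNamespace` enabled; as far as I know a router whose middleware cannot be resolved is dropped rather than served unauthenticated, so the symptom to check for after apply is an unreachable host, not an open one. A one-line comment above the annotation noting that auth is enforced per-router and must be repeated on every Ingress for this service would keep the next host from silently shipping without it.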
@@ -21,3 +22,12 @@ configMapGenerator:
 - COOKIE_DOMAIN=k8s.home.finn.io
 - AUTH_HOST=authproxy.k8s.home.finn.io
 - LOG_LEVEL=info
+ - name: traefik-forward-auth-herzfeld-casa
+ namespace: kube-system
+ literals:
+ - DEFAULT_PROVIDER=oidc
+ - PROVIDERS_OIDC_ISSUER_URL=https://auth.janky.solutions/realms/janky.solutions
+ - PROVIDERS_OIDC_CLIENT_ID=authproxy.k8s.home.finn.io
+ - COOKIE_DOMAIN=herzfeld.casa
+ - AUTH_HOST=authproxy.herzfeld.casa
+ - LOG_LEVEL=info
diff --git a/k8s/system/traefik-forward-auth-herzfeld-casa.yaml b/k8s/system/traefik-forward-auth-herzfeld-casa.yaml
new file mode 100644
index 0000000..e57c43a
--- /dev/null
+++ b/k8s/system/traefik-forward-auth-herzfeld-casa.yaml
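Review bot: `PROVIDERS_OIDC_CLIENT_ID=authproxy.k8s.home.finn.io` is carried over from the existing generator while `AUTH_HOST` is now `authproxy.herzfeld.casa`, so this second proxy reuses the first one's OIDC client: the IdP-side redirect-URI allowlist for that client has to admit the new callback host (`/_oauth` on the auth host in upstream traefik-forward-auth), and both proxies then share one client secret, so compromise of either exposes the other — a dedicated client, e.g. `- PROVIDERS_OIDC_CLIENT_ID=authproxy.herzfeld.casa`, keeps them separable and revocable independently. No `WHITELIST` or `DOMAIN` literal is set, which in upstream means every account the realm can authenticate is admitted to spoolman with full read/write; confirm that is intended for this fork or add a restriction, since the middleware only authenticates and spoolman is not shown enforcing anything per user. `COOKIE_DOMAIN=herzfeld.casa` also scopes the session cookie to the whole apex, so any host under `herzfeld.casa` that is not behind this middleware receives and can read the session token — worth a comment next to the literal stating that every subdomain is trusted with it.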
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik-forward-auth-herzfeld-casa
+ namespace: kube-system
+ labels:
+ app: traefik-forward-auth-herzfeld-casa
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik-forward-auth-herzfeld-casa
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: traefik-forward-auth-herzfeld-casa
+ spec:
+ terminationGracePeriodSeconds: 60
+ containers:
+ - image: git.janky.solutions/jankysolutions/infra/traefik-forward-auth:latest
+ name: traefik-forward-auth
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: 4181
+ protocol: TCP
+ envFrom:
+ - configMapRef:
+ name: traefik-forward-auth-herzfeld-casa
+ - secretRef:
+ name: traefik-forward-auth-herzfeld-casa
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik-forward-auth-herzfeld-casa
+ namespace: kube-system
+spec:
+ selector:
+ app: traefik-forward-auth-herzfeld-casa
+ ports:
+ - name: auth-http
+ port: 4181
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-forward-auth-herzfeld-casa
+ namespace: kube-system
+spec:
+ forwardAuth:
+ address: http://traefik-forward-auth-herzfeld-casa:4181
+ authResponseHeaders:
+ - X-Forwarded-User
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: traefik-forward-auth-herzfeld-casa
+ namespace: kube-system
+ annotations:
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth-herzfeld-casa@kubernetescrd
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts: [authproxy.herzfeld.casa]
+ secretName: authproxy.herzfeld.casa
+ rules:
+ - host: authproxy.herzfeld.casa
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: traefik-forward-auth-herzfeld-casa
+ port:
+ number: 4181
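Review bot: The Deployment pulls `git.janky.solutions/jankysolutions/infra/traefik-forward-auth:latest`, a mutable tag, for the component that gates every request to spoolman; anyone who can push that tag, or a compromise of that registry, replaces the auth gate on the next pod restart, and a `Recreate` rollout gets whatever the registry happens to serve. Pin the image to the digest of the build you validated, and since the pod runs in `kube-system` with no `securityContext` at all, add the usual restrictions below (confirm the fork's image runs as a non-root user before keeping `runAsNonRoot`, otherwise the pod will not start). The `secretRef` to `traefik-forward-auth-herzfeld-casa` is not created by this patch — presumably it lives in `secrets.yaml` — and because `secretRef` is required by default a missing Secret fails closed, which is fine; but if that Secret reuses the same `SECRET` value as the k8s.home.finn.io proxy, a session cookie minted by one proxy would, as far as I can tell, validate on the other, so give this deployment its own signing secret. The Middleware uses the deprecated `traefik.containo.us/v1alpha1` group, which Traefik v3 no longer serves; `traefik.io/v1alpha1` avoids an upgrade silently dropping the auth middleware.

```yaml
      containers:
        - image: git.janky.solutions/jankysolutions/infra/traefik-forward-auth@sha256:<digest-of-validated-build>  # immutable reference; :latest is mutable
          name: traefik-forward-auth
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: resources, ports, envFrom …
```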