Add central forward auth

This commit is contained in:
Finn 2024-08-12 15:35:11 -07:00
parent 747b041721
commit 24e3dbfa7f
7 changed files with 34 additions and 121 deletions


@ -17,29 +17,10 @@ spec:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prometheus-internal
annotations:
janky.solutions/auth-glue: prometheus
spec:
rules:
- host: prometheus.monitoring.k8s
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: prometheus-k8s
port:
number: 9090
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prometheus
annotations:
traefik.ingress.kubernetes.io/router.middlewares: monitoring-oauth2-proxy-prometheus-errors@kubernetescrd, monitoring-oauth2-proxy-prometheus@kubernetescrd
traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
spec:
rules:
- host: prometheus.k8s.home.finn.io
@ -56,16 +37,18 @@ spec:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: oauth2-proxy-prometheus
name: alertmanager
annotations:
traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
spec:
rules:
- host: prometheus.k8s.home.finn.io
- host: alertmanager.k8s.home.finn.io
http:
paths:
- pathType: Prefix
path: /oauth2
path: "/"
backend:
service:
name: oauth2-proxy-prometheus
name: alertmanager-main
port:
number: 4180
number: 9093
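Review bot: The middleware annotation on the prometheus Ingress (line 38) and on the new alertmanager Ingress (line 49) both point at `kube-system-traefik-forward-auth@kubernetescrd` from the monitoring namespace, a cross-namespace reference that the kubernetesCRD provider only honours because this same commit sets `allowCrossNamespace: true` in the Traefik values, and nothing in the Ingress files records that coupling. I would put one line above each annotation, `# Middleware lives in kube-system; resolving it needs providers.kubernetesCRD.allowCrossNamespace=true`, so whoever tightens the provider later sees which routes depend on it. Whether Traefik drops the router or serves it open when the reference cannot be resolved is not visible here, so the failure mode of reverting that flag is worth confirming before relying on it.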


@ -5,7 +5,6 @@ resources:
- promtail.yaml
- ingresses.yaml
- secrets.yaml
- oauth2-proxy.yaml
- grafana-database.yaml
secretGenerator:
- name: additional-scrape-configs
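Review bot: Dropping oauth2-proxy.yaml from the resource list leaves the `oauth2-proxy-prometheus` Secret that the deleted Deployment consumed through its secretRef without a consumer; secrets.yaml stays in the list on line 72 but is not part of this diff, so if it still defines that Secret it is now an orphaned OAuth client credential sitting in the namespace. Remove it alongside this change and retire the matching `prometheus` client at the identity provider, since nothing in the cluster should present it any more. This is a guess about secrets.yaml's contents that needs checking.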


@ -1,87 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-prometheus
labels:
app: oauth2-proxy
instance: prometheus
spec:
selector:
matchLabels:
app: oauth2-proxy
instance: prometheus
template:
metadata:
labels:
app: oauth2-proxy
instance: prometheus
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "44180"
spec:
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:latest
args:
- --http-address=0.0.0.0:4180
- --metrics-address=0.0.0.0:44180
- --real-client-ip-header=x-forwarded-for
envFrom:
- configMapRef:
name: oauth2-proxy
- secretRef:
name: oauth2-proxy-prometheus
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: prometheus
resources:
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-prometheus
spec:
selector:
app: oauth2-proxy
instance: prometheus
ports:
- name: http
port: 4180
---
apiVersion: v1
kind: ConfigMap
metadata:
name: oauth2-proxy
data:
OAUTH2_PROXY_PROVIDER: keycloak-oidc
OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.janky.solutions/realms/janky.solutions
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Janky Solutions
OAUTH2_PROXY_EMAIL_DOMAINS: "*"
OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth2-proxy-prometheus
spec:
forwardAuth:
address: http://oauth2-proxy-prometheus.monitoring.svc.cluster.local:4180/oauth2/auth
trustForwardHeader: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth2-proxy-prometheus-errors
spec:
errors:
status:
- "401-403"
service:
name: oauth2-proxy-prometheus
port: 4180
query: "/oauth2/sign_in?rd={url}"


@ -3,6 +3,8 @@ kind: Kustomization
resources:
- traefik-default-cert.yaml
- traefik-dashboard.yaml
- traefik-forward-auth.yaml
- secrets.yaml
configMapGenerator:
- name: traefik-additional-configs
namespace: kube-system
@ -10,3 +12,12 @@ configMapGenerator:
disableNameSuffixHash: true
files:
- traefik/external-services.yaml
- name: traefik-forward-auth
namespace: kube-system
literals:
- DEFAULT_PROVIDER=oidc
- PROVIDERS_OIDC_ISSUER_URL=https://auth.janky.solutions/realms/janky.solutions
- PROVIDERS_OIDC_CLIENT_ID=authproxy.k8s.home.finn.io
- COOKIE_DOMAIN=k8s.home.finn.io
- AUTH_HOST=authproxy.k8s.home.finn.io
- LOG_LEVEL=info
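Review bot: The new generator carries no `DOMAIN` or `WHITELIST` literal, so any account the realm authenticates is authorized for every route behind the middleware, and `COOKIE_DOMAIN=k8s.home.finn.io` causes browsers to send the session cookie to every host under that domain, including any that is not itself behind forward auth. Both may be intended (the removed oauth2-proxy config was equally open with `OAUTH2_PROXY_EMAIL_DOMAINS: "*"`), but these two literals are the whole authorization policy, so say so in the file: `# no DOMAIN/WHITELIST: every account the realm issues is allowed; cookie is shared by all *.k8s.home.finn.io hosts`. The cookie-signing `SECRET` and the client secret are presumably supplied by secrets.yaml / traefik-forward-auth.yaml, neither of which is in this diff. Unlike the generator above it (line 181) this one keeps the name-suffix hash, so the consuming Deployment has to live in this kustomization for the configMapRef to be rewritten.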


@ -5,8 +5,11 @@ metadata:
namespace: kube-system
spec:
routes:
- match: Host(`traefik.kube-system.k8s`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
- match: Host(`traefik.k8s.home.finn.io`) # && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: traefik-forward-auth
# namespace: kube-system
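Review bot: Lines 201 and 208 keep the old PathPrefix restriction and the middleware namespace as commented-out code, so the router now matches every path on `traefik.k8s.home.finn.io` and forwards it to `api@internal`; either delete the dead comments or restore the prefix list, `match: Host(`traefik.k8s.home.finn.io`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))`, which is all the dashboard needs. The bare `name: traefik-forward-auth` resolves in the IngressRoute's own namespace (kube-system, line 197), so the commented namespace line is redundant rather than wrong. The forward-auth middleware is now the only thing between the LAN and the Traefik API on this host, and the `authproxy.k8s.home.finn.io` host it redirects to needs its own route, which is outside this diff.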


@ -5,6 +5,7 @@
(list "jellyfin" "jellyfin.janky.solutions" "http://jellyfin:8096")
(list "dns" "dns.janky.solutions" "http://dns:9191")
(list "dns443" "dns.janky.solutions:443" "http://dns:9191")
(list "legacy-monitoring" "monitoring.home.finn.io" "http://monitoring-0:3000")
}}
http:
routers:
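Review bot: The new `monitoring.home.finn.io` entry is outside the `COOKIE_DOMAIN=k8s.home.finn.io` that this commit configures, so the forward-auth session cookie would never be sent to it; whether the routers generated from this list attach the forward-auth middleware at all is decided by the template that follows `routers:`, which is outside the hunk. A short template comment on the entry stating how this legacy host is authenticated (by the backend on `monitoring-0:3000`, or not at all) would stop the next reader assuming it inherits the new central auth.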


@ -30,3 +30,6 @@ spec:
- name: traefik-additional-configs
mountPath: /file-configs
type: configMap
providers:
kubernetesCRD:
allowCrossNamespace: true
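Review bot: `allowCrossNamespace: true` is cluster-wide: besides letting the monitoring Ingresses reach the kube-system middleware, it lets any namespace's Ingress or IngressRoute reference Middlewares, TraefikServices and Services in every other namespace, which removes the namespace boundary the kubernetesCRD provider otherwise enforces. The Deployment already mounts a file provider at `/file-configs` (lines 224-226); a forward-auth middleware declared in that file config would be addressable as `traefik-forward-auth@file` from any namespace without this flag, so consider that route instead. If the flag stays, record the reason and the cost next to it: `# lets monitoring Ingresses reference kube-system-traefik-forward-auth; also grants every namespace cross-namespace references`. The enclosing spec starts before this hunk.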