Add central forward auth
This commit is contained in:
parent
747b041721
commit
24e3dbfa7f
7 changed files with 34 additions and 121 deletions
|
@ -17,29 +17,10 @@ spec:
|
|||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: prometheus-internal
|
||||
annotations:
|
||||
janky.solutions/auth-glue: prometheus
|
||||
spec:
|
||||
rules:
|
||||
- host: prometheus.monitoring.k8s
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: prometheus-k8s
|
||||
port:
|
||||
number: 9090
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: prometheus
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.middlewares: monitoring-oauth2-proxy-prometheus-errors@kubernetescrd, monitoring-oauth2-proxy-prometheus@kubernetescrd
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
|
||||
spec:
|
||||
rules:
|
||||
- host: prometheus.k8s.home.finn.io
|
||||
|
@ -56,16 +37,18 @@ spec:
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: oauth2-proxy-prometheus
|
||||
name: alertmanager
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
|
||||
spec:
|
||||
rules:
|
||||
- host: prometheus.k8s.home.finn.io
|
||||
- host: alertmanager.k8s.home.finn.io
|
||||
http:
|
||||
paths:
|
||||
- pathType: Prefix
|
||||
path: /oauth2
|
||||
path: "/"
|
||||
backend:
|
||||
service:
|
||||
name: oauth2-proxy-prometheus
|
||||
name: alertmanager-main
|
||||
port:
|
||||
number: 4180
|
||||
number: 9093
|
||||
|
|
|
@ -5,7 +5,6 @@ resources:
|
|||
- promtail.yaml
|
||||
- ingresses.yaml
|
||||
- secrets.yaml
|
||||
- oauth2-proxy.yaml
|
||||
- grafana-database.yaml
|
||||
secretGenerator:
|
||||
- name: additional-scrape-configs
|
||||
|
|
|
@ -1,87 +0,0 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: oauth2-proxy-prometheus
|
||||
labels:
|
||||
app: oauth2-proxy
|
||||
instance: prometheus
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: oauth2-proxy
|
||||
instance: prometheus
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: oauth2-proxy
|
||||
instance: prometheus
|
||||
annotations:
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "44180"
|
||||
spec:
|
||||
containers:
|
||||
- name: oauth2-proxy
|
||||
image: quay.io/oauth2-proxy/oauth2-proxy:latest
|
||||
args:
|
||||
- --http-address=0.0.0.0:4180
|
||||
- --metrics-address=0.0.0.0:44180
|
||||
- --real-client-ip-header=x-forwarded-for
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: oauth2-proxy
|
||||
- secretRef:
|
||||
name: oauth2-proxy-prometheus
|
||||
env:
|
||||
- name: OAUTH2_PROXY_CLIENT_ID
|
||||
value: prometheus
|
||||
resources:
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "500m"
|
||||
ports:
|
||||
- containerPort: 4180
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: oauth2-proxy-prometheus
|
||||
spec:
|
||||
selector:
|
||||
app: oauth2-proxy
|
||||
instance: prometheus
|
||||
ports:
|
||||
- name: http
|
||||
port: 4180
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: oauth2-proxy
|
||||
data:
|
||||
OAUTH2_PROXY_PROVIDER: keycloak-oidc
|
||||
OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.janky.solutions/realms/janky.solutions
|
||||
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Janky Solutions
|
||||
OAUTH2_PROXY_EMAIL_DOMAINS: "*"
|
||||
OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: oauth2-proxy-prometheus
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://oauth2-proxy-prometheus.monitoring.svc.cluster.local:4180/oauth2/auth
|
||||
trustForwardHeader: true
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: oauth2-proxy-prometheus-errors
|
||||
spec:
|
||||
errors:
|
||||
status:
|
||||
- "401-403"
|
||||
service:
|
||||
name: oauth2-proxy-prometheus
|
||||
port: 4180
|
||||
query: "/oauth2/sign_in?rd={url}"
|
|
@ -3,6 +3,8 @@ kind: Kustomization
|
|||
resources:
|
||||
- traefik-default-cert.yaml
|
||||
- traefik-dashboard.yaml
|
||||
- traefik-forward-auth.yaml
|
||||
- secrets.yaml
|
||||
configMapGenerator:
|
||||
- name: traefik-additional-configs
|
||||
namespace: kube-system
|
||||
|
@ -10,3 +12,12 @@ configMapGenerator:
|
|||
disableNameSuffixHash: true
|
||||
files:
|
||||
- traefik/external-services.yaml
|
||||
- name: traefik-forward-auth
|
||||
namespace: kube-system
|
||||
literals:
|
||||
- DEFAULT_PROVIDER=oidc
|
||||
- PROVIDERS_OIDC_ISSUER_URL=https://auth.janky.solutions/realms/janky.solutions
|
||||
- PROVIDERS_OIDC_CLIENT_ID=authproxy.k8s.home.finn.io
|
||||
- COOKIE_DOMAIN=k8s.home.finn.io
|
||||
- AUTH_HOST=authproxy.k8s.home.finn.io
|
||||
- LOG_LEVEL=info
|
||||
|
|
|
@ -5,8 +5,11 @@ metadata:
|
|||
namespace: kube-system
|
||||
spec:
|
||||
routes:
|
||||
- match: Host(`traefik.kube-system.k8s`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
|
||||
- match: Host(`traefik.k8s.home.finn.io`) # && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
|
||||
kind: Rule
|
||||
services:
|
||||
- name: api@internal
|
||||
kind: TraefikService
|
||||
middlewares:
|
||||
- name: traefik-forward-auth
|
||||
# namespace: kube-system
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
(list "jellyfin" "jellyfin.janky.solutions" "http://jellyfin:8096")
|
||||
(list "dns" "dns.janky.solutions" "http://dns:9191")
|
||||
(list "dns443" "dns.janky.solutions:443" "http://dns:9191")
|
||||
(list "legacy-monitoring" "monitoring.home.finn.io" "http://monitoring-0:3000")
|
||||
}}
|
||||
http:
|
||||
routers:
|
||||
|
|
|
@ -30,3 +30,6 @@ spec:
|
|||
- name: traefik-additional-configs
|
||||
mountPath: /file-configs
|
||||
type: configMap
|
||||
providers:
|
||||
kubernetesCRD:
|
||||
allowCrossNamespace: true
|
||||
|
|
Loading…
Reference in a new issue