Use a single auth proxy

This commit is contained in:
Marcus Noble 2020-10-10 16:46:27 +01:00
parent 84a9c19d93
commit 94e18c12ea
9 changed files with 105 additions and 763 deletions

83
manifests/auth-proxy.yaml Normal file
View File

@ -0,0 +1,83 @@
apiVersion: v1
kind: Secret
metadata:
name: auth-proxy
namespace: inlets
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: auth-proxy
namespace: inlets
labels:
app: auth-proxy
spec:
replicas: 1
selector:
matchLabels:
app: auth-proxy
template:
metadata:
labels:
app: auth-proxy
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
- --cookie-expire=336h0m0s
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: auth-proxy
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: auth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
---
apiVersion: v1
kind: Service
metadata:
name: auth-proxy
namespace: inlets
labels:
app: auth-proxy
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: auth-proxy
type: ClusterIP

View File

@ -1,97 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: cctv
---
apiVersion: v1
kind: Secret
metadata:
name: cctv-auth
namespace: cctv
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cctv-auth
namespace: cctv
labels:
app: cctv-auth
spec:
replicas: 1
selector:
matchLabels:
app: cctv-auth
template:
metadata:
labels:
app: cctv-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://cctv.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: cctv-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: cctv-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
---
apiVersion: v1
kind: Service
metadata:
name: cctv-auth
namespace: cctv
labels:
app: cctv-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: cctv-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: cctv-auth
namespace: cctv
namespace: inlets
labels:
app: cctv-auth
annotations:
@ -110,5 +21,5 @@ spec:
paths:
- path: /
backend:
serviceName: cctv-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,97 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: downloads
---
apiVersion: v1
kind: Secret
metadata:
name: downloads-auth
namespace: downloads
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: downloads-auth
namespace: downloads
labels:
app: downloads-auth
spec:
replicas: 1
selector:
matchLabels:
app: downloads-auth
template:
metadata:
labels:
app: downloads-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://downloads.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: downloads-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: downloads-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 250Mi
requests:
memory: 250Mi
---
apiVersion: v1
kind: Service
metadata:
name: downloads-auth
namespace: downloads
labels:
app: downloads-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: downloads-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: downloads-auth
namespace: downloads
namespace: inlets
labels:
app: downloads-auth
annotations:
@ -110,6 +21,5 @@ spec:
paths:
- path: /
backend:
serviceName: downloads-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,97 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: jackett
---
apiVersion: v1
kind: Secret
metadata:
name: jackett-auth
namespace: jackett
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jackett-auth
namespace: jackett
labels:
app: jackett-auth
spec:
replicas: 1
selector:
matchLabels:
app: jackett-auth
template:
metadata:
labels:
app: jackett-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://jackett.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: jackett-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: jackett-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
---
apiVersion: v1
kind: Service
metadata:
name: jackett-auth
namespace: jackett
labels:
app: jackett-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: jackett-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: jackett-auth
namespace: jackett
namespace: inlets
labels:
app: jackett-auth
annotations:
@ -110,5 +21,5 @@ spec:
paths:
- path: /
backend:
serviceName: jackett-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,97 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: printer
---
apiVersion: v1
kind: Secret
metadata:
name: printer-auth
namespace: printer
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: printer-auth
namespace: printer
labels:
app: printer-auth
spec:
replicas: 1
selector:
matchLabels:
app: printer-auth
template:
metadata:
labels:
app: printer-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://printer.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: printer-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: printer-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 250Mi
requests:
memory: 250Mi
---
apiVersion: v1
kind: Service
metadata:
name: printer-auth
namespace: printer
labels:
app: printer-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: printer-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: printer-auth
namespace: printer
namespace: inlets
labels:
app: printer-auth
annotations:
@ -110,6 +21,6 @@ spec:
paths:
- path: /
backend:
serviceName: printer-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,99 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: radarr
---
apiVersion: v1
kind: Secret
metadata:
name: radarr-auth
namespace: radarr
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr-auth
namespace: radarr
labels:
app: radarr-auth
spec:
replicas: 1
selector:
matchLabels:
app: radarr-auth
template:
metadata:
labels:
app: radarr-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://radarr.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: radarr-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: radarr-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
---
apiVersion: v1
kind: Service
metadata:
name: radarr-auth
namespace: radarr
labels:
app: radarr-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: radarr-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: radarr-auth
namespace: radarr
name: radarr
namespace: inlets
labels:
app: radarr-auth
app: radarr
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/frontend-entry-points: http,https
@ -110,5 +21,5 @@ spec:
paths:
- path: /
backend:
serviceName: radarr-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,99 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: sonarr
---
apiVersion: v1
kind: Secret
metadata:
name: sonarr-auth
namespace: sonarr
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr-auth
namespace: sonarr
labels:
app: sonarr-auth
spec:
replicas: 1
selector:
matchLabels:
app: sonarr-auth
template:
metadata:
labels:
app: sonarr-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://sonarr.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: sonarr-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: sonarr-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
---
apiVersion: v1
kind: Service
metadata:
name: sonarr-auth
namespace: sonarr
labels:
app: sonarr-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: sonarr-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: sonarr-auth
namespace: sonarr
name: sonarr
namespace: inlets
labels:
app: sonarr-auth
app: sonarr
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/frontend-entry-points: http,https
@ -110,5 +21,5 @@ spec:
paths:
- path: /
backend:
serviceName: sonarr-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,99 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: transmission
---
apiVersion: v1
kind: Secret
metadata:
name: transmission-auth
namespace: transmission
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: transmission-auth
namespace: transmission
labels:
app: transmission-auth
spec:
replicas: 1
selector:
matchLabels:
app: transmission-auth
template:
metadata:
labels:
app: transmission-auth
spec:
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --redirect-url=https://transmission.cluster.fun/oauth2/callback
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: transmission-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: transmission-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
---
apiVersion: v1
kind: Service
metadata:
name: transmission-auth
namespace: transmission
labels:
app: transmission-auth
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: transmission-auth
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: transmission-auth
namespace: transmission
name: transmission
namespace: inlets
labels:
app: transmission-auth
app: transmission
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/frontend-entry-points: http,https
@ -110,5 +21,5 @@ spec:
paths:
- path: /
backend:
serviceName: transmission-auth
serviceName: auth-proxy
servicePort: 80

View File

@ -1,123 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: website-to-remarkable
---
apiVersion: v1
kind: Secret
metadata:
name: website-to-remarkable-auth
namespace: website-to-remarkable
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: website-to-remarkable
namespace: website-to-remarkable
annotations:
kube-1password: smp3qkv74qt72ttzkltyhiktja
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
name: website-to-remarkable
namespace: website-to-remarkable
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 8080
name: web
- port: 8000
targetPort: 8000
name: noauth
selector:
app: website-to-remarkable
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: website-to-remarkable
namespace: website-to-remarkable
labels:
app: website-to-remarkable
spec:
replicas: 1
selector:
matchLabels:
app: website-to-remarkable
template:
metadata:
labels:
app: website-to-remarkable
spec:
dnsConfig:
options:
- name: ndots
value: "2"
containers:
- args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://localhost:8000
- --http-address=$(HOST_IP):8080
- --redirect-url=https://website-to-remarkable.cluster.fun/oauth2/callback
- --email-domain=marcusnoble.co.uk
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: website-to-remarkable-auth
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: website-to-remarkable-auth
image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 125Mi
requests:
memory: 125Mi
- name: web
image: docker.cluster.fun/averagemarcus/website-to-remarkable:latest
imagePullPolicy: Always
env:
- name: REMARKABLE_TOKEN
valueFrom:
secretKeyRef:
name: website-to-remarkable
key: password
ports:
- containerPort: 8000
name: web
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: website-to-remarkable
namespace: website-to-remarkable
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/frontend-entry-points: http,https
@ -134,7 +19,5 @@ spec:
paths:
- path: /
backend:
serviceName: website-to-remarkable
serviceName: auth-proxy
servicePort: 80
---