From 94e18c12ea9138696a7836d46cc20d1827981a24 Mon Sep 17 00:00:00 2001
From: Marcus Noble
Date: Sat, 10 Oct 2020 16:46:27 +0100
Subject: [PATCH] Use a single auth proxy
---
manifests/auth-proxy.yaml | 83 ++++++++++++++++++
manifests/cctv.yaml | 93 +------------------
manifests/downloads.yaml | 94 +-------------------
manifests/jackett.yaml | 93 +------------------
manifests/printer.yaml | 93 +------------------
manifests/radarr.yaml | 97 +-------------------
manifests/sonarr.yaml | 97 +-------------------
manifests/transmission.yaml | 97 +-------------------
manifests/website-to-remarkable.yaml | 121 +-------------------------
9 files changed, 105 insertions(+), 763 deletions(-)
create mode 100644 manifests/auth-proxy.yaml
diff --git a/manifests/auth-proxy.yaml b/manifests/auth-proxy.yaml
new file mode 100644
index 0000000..06d0cc1
--- /dev/null
+++ b/manifests/auth-proxy.yaml
@@ -0,0 +1,83 @@ +apiVersion: v1 +kind: Secret +metadata: + name: auth-proxy + namespace: inlets + annotations: + kube-1password: mr6spkkx7n3memkbute6ojaarm + kube-1password/vault: Kubernetes +type: Opaque +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: auth-proxy + namespace: inlets + labels: + app: auth-proxy +spec: + replicas: 1 + selector: + matchLabels: + app: auth-proxy + template: + metadata: + labels: + app: auth-proxy + spec: + containers: + - args: + - --cookie-secure=false + - --provider=oidc + - --provider-display-name=Auth0 + - --upstream=http://inlets.inlets.svc.cluster.local + - --http-address=$(HOST_IP):8080 + - --email-domain=* + - --pass-basic-auth=false + - --pass-access-token=false + - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ + - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT + - --cookie-expire=336h0m0s + env: + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + key: username + name: auth-proxy + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: password + name: auth-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1 + name: oauth-proxy + ports: + - containerPort: 8080 + protocol: TCP + resources: + limits: + memory: 50Mi + requests: + memory: 50Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: auth-proxy + namespace: inlets + labels: + app: auth-proxy +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: auth-proxy + type: ClusterIP diff --git a/manifests/cctv.yaml b/manifests/cctv.yaml index 13c2207..5c16cc0 100644 --- a/manifests/cctv.yaml +++ b/manifests/cctv.yaml 
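Review bot: The shared session-cookie key is committed in clear as a container argument (`- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT`), and because this one proxy now signs the sessions of every application behind it, a leaked manifest compromises all of them at once. The client id and secret already come from the `auth-proxy` Secret through `secretKeyRef`; the cookie secret should take the same route, e.g. an env entry `- name: OAUTH2_PROXY_COOKIE_SECRET` with `valueFrom.secretKeyRef` pointing at a new key in that Secret, with the value printed here (and the earlier one visible in the removed hunks) treated as exposed and rotated. `--cookie-secure=false` is also kept although the Ingresses in this patch terminate TLS via cert-manager and expose an `http` entry point, so browsers will send the shared session cookie in clear as well. If I remember the v6 behaviour correctly, with `--redirect-url` gone the proxy builds the callback URL from the request Host and takes its scheme from this same flag, so it is worth confirming that the callback it generates matches what is registered in Auth0 for each host. `--cookie-expire=336h0m0s` doubles the default session lifetime without a `--cookie-refresh`, which is a wider window for a stolen cookie than the per-app proxies had.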
@@ -1,97 +1,8 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cctv ---- -apiVersion: v1 -kind: Secret -metadata: - name: cctv-auth - namespace: cctv - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cctv-auth - namespace: cctv - labels: - app: cctv-auth -spec: - replicas: 1 - selector: - matchLabels: - app: cctv-auth - template: - metadata: - labels: - app: cctv-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://cctv.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: cctv-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: cctv-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 50Mi - requests: - memory: 50Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: cctv-auth - namespace: cctv - labels: - app: cctv-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: cctv-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: cctv-auth - namespace: cctv + namespace: inlets labels: app: cctv-auth annotations: @@ -110,5 +21,5 @@ spec: paths: - path: / backend: - serviceName: cctv-auth + serviceName: auth-proxy servicePort: 80 
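Review bot: Naming is inconsistent across the patch: this hunk, together with the downloads, jackett and printer hunks, keeps the Ingress as `name: cctv-auth` / `app: cctv-auth`, while the radarr, sonarr and transmission hunks drop the `-auth` suffix (`name: radarr`, `app: radarr`); now that all eight Ingresses sit in the `inlets` namespace next to the `auth-proxy` Deployment, one convention would help. Moving these objects into `inlets` and deleting the per-app Namespace, Secret, Deployment and Service from the files does not remove them from a cluster that already runs them, so unless the apply step prunes, the old v5.1.1 proxies with the previous cookie secret keep running and the old Ingress in the `cctv` namespace competes with the new one for the same host. Each Ingress now routes to the one `auth-proxy` Service, whose callback URL is derived per request instead of the removed per-app `--redirect-url`, so every `*.cluster.fun` host in these files must be in the Auth0 application's allowed callback list or sign-in on that host fails.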
diff --git a/manifests/downloads.yaml b/manifests/downloads.yaml
index 8c01faa..c5a3009 100644
--- a/manifests/downloads.yaml
+++ b/manifests/downloads.yaml
@@ -1,97 +1,8 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: downloads ---- -apiVersion: v1 -kind: Secret -metadata: - name: downloads-auth - namespace: downloads - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: downloads-auth - namespace: downloads - labels: - app: downloads-auth -spec: - replicas: 1 - selector: - matchLabels: - app: downloads-auth - template: - metadata: - labels: - app: downloads-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://downloads.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: downloads-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: downloads-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 250Mi - requests: - memory: 250Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: downloads-auth - namespace: downloads - labels: - app: downloads-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: downloads-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: downloads-auth - namespace: downloads + namespace: inlets labels: app: downloads-auth annotations: 
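Review bot: The proxy that replaces this one runs with `memory: 50Mi` requests and limits, while the per-app instance removed here (and the printer one) was sized at `250Mi`; a single pod with `replicas: 1` now carries the sessions and traffic of all eight applications, so the smaller limit is a capacity regression and an OOM-kill of that pod logs everyone out at once. Worth raising the `auth-proxy` limit to at least what the largest per-app instance needed and considering a second replica; with the default cookie session store the replicas share nothing beyond the cookie secret, so that should be safe.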
@@ -110,6 +21,5 @@ spec: paths: - path: / backend: - serviceName: downloads-auth + serviceName: auth-proxy servicePort: 80 - diff --git a/manifests/jackett.yaml b/manifests/jackett.yaml index 291897a..b0f5306 100644 --- a/manifests/jackett.yaml +++ b/manifests/jackett.yaml 
@@ -1,97 +1,8 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: jackett ---- -apiVersion: v1 -kind: Secret -metadata: - name: jackett-auth - namespace: jackett - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jackett-auth - namespace: jackett - labels: - app: jackett-auth -spec: - replicas: 1 - selector: - matchLabels: - app: jackett-auth - template: - metadata: - labels: - app: jackett-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://jackett.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: jackett-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: jackett-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 50Mi - requests: - memory: 50Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: jackett-auth - namespace: jackett - labels: - app: jackett-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: jackett-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: jackett-auth - namespace: jackett + namespace: inlets labels: app: jackett-auth annotations: @@ -110,5 +21,5 @@ spec: paths: - path: / backend: - serviceName: jackett-auth + serviceName: auth-proxy servicePort: 80 
diff --git a/manifests/printer.yaml b/manifests/printer.yaml
index 8ef2770..033abdf 100644
--- a/manifests/printer.yaml
+++ b/manifests/printer.yaml
@@ -1,97 +1,8 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: printer ---- -apiVersion: v1 -kind: Secret -metadata: - name: printer-auth - namespace: printer - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: printer-auth - namespace: printer - labels: - app: printer-auth -spec: - replicas: 1 - selector: - matchLabels: - app: printer-auth - template: - metadata: - labels: - app: printer-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://printer.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: printer-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: printer-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 250Mi - requests: - memory: 250Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: printer-auth - namespace: printer - labels: - app: printer-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: printer-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: printer-auth - namespace: printer + namespace: inlets labels: app: printer-auth annotations: @@ -110,6 +21,6 @@ spec: paths: - path: / backend: - serviceName: printer-auth + serviceName: auth-proxy servicePort: 80 
diff --git a/manifests/radarr.yaml b/manifests/radarr.yaml
index bfbcc75..70151b0 100644
--- a/manifests/radarr.yaml
+++ b/manifests/radarr.yaml
@@ -1,99 +1,10 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: radarr ---- -apiVersion: v1 -kind: Secret -metadata: - name: radarr-auth - namespace: radarr - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: radarr-auth - namespace: radarr - labels: - app: radarr-auth -spec: - replicas: 1 - selector: - matchLabels: - app: radarr-auth - template: - metadata: - labels: - app: radarr-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://radarr.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: radarr-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: radarr-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 50Mi - requests: - memory: 50Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: radarr-auth - namespace: radarr - labels: - app: radarr-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: radarr-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: radarr-auth - namespace: radarr + name: radarr + namespace: inlets labels: - app: radarr-auth + app: radarr annotations: cert-manager.io/cluster-issuer: letsencrypt traefik.ingress.kubernetes.io/frontend-entry-points: http,https 
@@ -110,5 +21,5 @@ spec: paths: - path: / backend: - serviceName: radarr-auth + serviceName: auth-proxy servicePort: 80 diff --git a/manifests/sonarr.yaml b/manifests/sonarr.yaml index d3c7c21..8d9a207 100644 --- a/manifests/sonarr.yaml +++ b/manifests/sonarr.yaml 
@@ -1,99 +1,10 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: sonarr ---- -apiVersion: v1 -kind: Secret -metadata: - name: sonarr-auth - namespace: sonarr - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sonarr-auth - namespace: sonarr - labels: - app: sonarr-auth -spec: - replicas: 1 - selector: - matchLabels: - app: sonarr-auth - template: - metadata: - labels: - app: sonarr-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://sonarr.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: sonarr-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: sonarr-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 50Mi - requests: - memory: 50Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: sonarr-auth - namespace: sonarr - labels: - app: sonarr-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: sonarr-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: sonarr-auth - namespace: sonarr + name: sonarr + namespace: inlets labels: - app: sonarr-auth + app: sonarr annotations: cert-manager.io/cluster-issuer: letsencrypt traefik.ingress.kubernetes.io/frontend-entry-points: http,https 
@@ -110,5 +21,5 @@ spec: paths: - path: / backend: - serviceName: sonarr-auth + serviceName: auth-proxy servicePort: 80 diff --git a/manifests/transmission.yaml b/manifests/transmission.yaml index c5dfe4d..8da48b9 100644 --- a/manifests/transmission.yaml +++ b/manifests/transmission.yaml 
@@ -1,99 +1,10 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: transmission ---- -apiVersion: v1 -kind: Secret -metadata: - name: transmission-auth - namespace: transmission - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: transmission-auth - namespace: transmission - labels: - app: transmission-auth -spec: - replicas: 1 - selector: - matchLabels: - app: transmission-auth - template: - metadata: - labels: - app: transmission-auth - spec: - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://inlets.inlets.svc.cluster.local - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://transmission.cluster.fun/oauth2/callback - - --email-domain=* - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: transmission-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: transmission-auth - image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 50Mi - requests: - memory: 50Mi ---- -apiVersion: v1 -kind: Service -metadata: - name: transmission-auth - namespace: transmission - labels: - app: transmission-auth -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: transmission-auth - type: ClusterIP ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: transmission-auth - namespace: transmission + name: transmission + namespace: inlets labels: - app: transmission-auth + app: transmission annotations: 
cert-manager.io/cluster-issuer: letsencrypt traefik.ingress.kubernetes.io/frontend-entry-points: http,https @@ -110,5 +21,5 @@ spec: paths: - path: / backend: - serviceName: transmission-auth + serviceName: auth-proxy servicePort: 80 diff --git a/manifests/website-to-remarkable.yaml b/manifests/website-to-remarkable.yaml index 1816596..3f25a03 100644 --- a/manifests/website-to-remarkable.yaml +++ b/manifests/website-to-remarkable.yaml 
@@ -1,123 +1,8 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: website-to-remarkable ---- -apiVersion: v1 -kind: Secret -metadata: - name: website-to-remarkable-auth - namespace: website-to-remarkable - annotations: - kube-1password: mr6spkkx7n3memkbute6ojaarm - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: v1 -kind: Secret -metadata: - name: website-to-remarkable - namespace: website-to-remarkable - annotations: - kube-1password: smp3qkv74qt72ttzkltyhiktja - kube-1password/vault: Kubernetes -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - name: website-to-remarkable - namespace: website-to-remarkable -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8080 - name: web - - port: 8000 - targetPort: 8000 - name: noauth - selector: - app: website-to-remarkable ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: website-to-remarkable - namespace: website-to-remarkable - labels: - app: website-to-remarkable -spec: - replicas: 1 - selector: - matchLabels: - app: website-to-remarkable - template: - metadata: - labels: - app: website-to-remarkable - spec: - dnsConfig: - options: - - name: ndots - value: "2" - containers: - - args: - - --cookie-secure=false - - --provider=oidc - - --provider-display-name=Auth0 - - --upstream=http://localhost:8000 - - --http-address=$(HOST_IP):8080 - - --redirect-url=https://website-to-remarkable.cluster.fun/oauth2/callback - - --email-domain=marcusnoble.co.uk - - --pass-basic-auth=false - - --pass-access-token=false - - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN - env: - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - key: username - name: website-to-remarkable-auth - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: password - name: website-to-remarkable-auth - image: 
quay.io/oauth2-proxy/oauth2-proxy:v5.1.1 - name: oauth-proxy - ports: - - containerPort: 8080 - protocol: TCP - resources: - limits: - memory: 125Mi - requests: - memory: 125Mi - - name: web - image: docker.cluster.fun/averagemarcus/website-to-remarkable:latest - imagePullPolicy: Always - env: - - name: REMARKABLE_TOKEN - valueFrom: - secretKeyRef: - name: website-to-remarkable - key: password - ports: - - containerPort: 8000 - name: web ---- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: website-to-remarkable - namespace: website-to-remarkable + namespace: inlets annotations: cert-manager.io/cluster-issuer: letsencrypt traefik.ingress.kubernetes.io/frontend-entry-points: http,https @@ -134,7 +19,5 @@ spec: paths: - path: / backend: - serviceName: website-to-remarkable + serviceName: auth-proxy servicePort: 80 - ----
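Review bot: This hunk removes the application itself, not just its auth proxy: the `website-to-remarkable` Secret (`smp3qkv74qt72ttzkltyhiktja`), its Service, and the Deployment's `web` container that carried `REMARKABLE_TOKEN` are all deleted, and none of the other files in the 9-file diffstat re-creates them, so the Ingress now forwards to `auth-proxy` whose only upstream is the inlets Service. Unless the app has been moved behind inlets out of band, `website-to-remarkable.cluster.fun` will no longer reach it; if that is the intent, the commit message should say so. The access policy is also loosened: the removed proxy used `--email-domain=marcusnoble.co.uk`, while the shared `auth-proxy` accepts `--email-domain=*`, so any identity the Auth0 tenant issues can now reach the reMarkable uploader, which is effectively public if the tenant allows self sign-up. Restoring that restriction on the shared proxy, or an `--authenticated-emails-file` allowlist, needs deciding before this merges.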