AverageMarcus/cluster.fun
1
0
Fork 0
Code Issues 1 Pull Requests 2 Releases Activity

Use tailscale for auth proxy

Browse Source 
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
This commit is contained in:
Marcus Noble
2021-10-23 17:57:14 +01:00
parent f9caf0a0d1
commit f4f6745c27
21 changed files with 194 additions and 686 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
manifests/auth-proxy/auth-proxy.yaml
View File

@@ -1,18 +1,33 @@
apiVersion: v1
kind: Namespace
metadata:
name: auth-proxy
---
apiVersion: v1
kind: Secret
metadata:
name: auth-proxy
namespace: inlets
namespace: auth-proxy
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth
namespace: auth-proxy
annotations:
kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: auth-proxy
namespace: inlets
namespace: auth-proxy
labels:
app: auth-proxy
spec:
@@ -25,13 +40,19 @@ spec:
labels:
app: auth-proxy
spec:
dnsPolicy: None
dnsConfig:
nameservers:
- 100.100.100.100
containers:
- args:
- name: oauth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local
- --http-address=$(HOST_IP):8080
- --upstream=http://talos.averagemarcus.github.beta.tailscale.net
- --http-address=0.0.0.0:8080
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
@@ -54,8 +75,6 @@ spec:
secretKeyRef:
key: password
name: auth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
name: oauth-proxy
ports:
- containerPort: 8080
protocol: TCP
@@ -64,12 +83,43 @@ spec:
memory: 50Mi
requests:
memory: 50Mi
- name: tailscale
image: ghcr.io/tailscale/tailscale:latest
imagePullPolicy: IfNotPresent
env:
- name: AUTH_KEY
valueFrom:
secretKeyRef:
name: tailscale-auth
key: password
securityContext:
capabilities:
add:
- NET_ADMIN
command:
- sh
- -c
- |
export PATH=$PATH:/tailscale/bin
if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
echo "Starting tailscaled"
tailscaled --socket=/tmp/tailscaled.sock &
PID=$!
echo "Running tailscale up"
tailscale --socket=/tmp/tailscaled.sock up \
--accept-dns=true \
--authkey=${AUTH_KEY} \
--hostname=auth-proxy
echo "Re-enabling incoming traffic from the cluster"
iptables -D ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
wait ${PID}
---
apiVersion: v1
kind: Service
metadata:
name: auth-proxy
namespace: inlets
namespace: auth-proxy
labels:
app: auth-proxy
spec:

135
manifests/auth-proxy/ingress.yaml Normal file
View File

@@ -0,0 +1,135 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auth-proxy
namespace: auth-proxy
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- downloads.cluster.fun
- argo.cluster.fun
- code.cluster.fun
- home.cluster.fun
- adguard.cluster.fun
- podify.cluster.fun
- jackett.cluster.fun
- printer.cluster.fun
- radarr.cluster.fun
- sonarr.cluster.fun
- transmission.cluster.fun
secretName: auth-proxy-ingress
rules:
- host: downloads.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: argo.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: code.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: home.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: adguard.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: podify.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: jackett.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: printer.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: radarr.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: sonarr.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: transmission.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http