AverageMarcus/cluster.fun
1
0
Fork 0
Code Issues 1 Pull Requests 2 Releases Activity

Use tailscale for auth proxy

Browse Source 
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
This commit is contained in:
Marcus Noble 2021-10-23 17:57:14 +01:00
parent f9caf0a0d1
commit f4f6745c27
Signed by: AverageMarcus
GPG Key ID: B8F2DB8A7AEBAF78
21 changed files with 194 additions and 686 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
manifests/_apps/argocd.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/argocd
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

2
manifests/_apps/auth-proxy.yaml
View File

@ -8,7 +8,7 @@ metadata:
spec: spec:
project: cluster.fun project: cluster.fun
destination: destination:
namespace: inlets namespace: auth-proxy
name: cluster-fun (scaleway) name: cluster-fun (scaleway)
source: source:
path: manifests/auth-proxy path: manifests/auth-proxy

24
manifests/_apps/code-server.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: code-server
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/code-server
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/downloads.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: downloads
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/downloads
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/inlets.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: inlets
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/inlets
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/jackett.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: jackett
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/jackett
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/printer.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: printer
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/printer
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/radarr.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: radarr
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/radarr
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/sonarr.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: sonarr
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/sonarr
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

24
manifests/_apps/transmission.yaml
View File

@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: transmission
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: cluster.fun
destination:
namespace: inlets
name: cluster-fun (scaleway)
source:
path: manifests/transmission
repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
targetRevision: HEAD
syncPolicy:
automated: {}
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: Secret
jsonPointers:
- /data

27
manifests/argocd/argocd.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argo
namespace: inlets
labels:
app: argo
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- argo.cluster.fun
secretName: argo-ingress
rules:
- host: argo.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

66
manifests/auth-proxy/auth-proxy.yaml
View File

@ -1,18 +1,33 @@
apiVersion: v1 apiVersion: v1
kind: Namespace
metadata:
name: auth-proxy
---
apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: auth-proxy name: auth-proxy
namespace: inlets namespace: auth-proxy
annotations: annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes kube-1password/vault: Kubernetes
type: Opaque type: Opaque
--- ---
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth
namespace: auth-proxy
annotations:
kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: auth-proxy name: auth-proxy
namespace: inlets namespace: auth-proxy
labels: labels:
app: auth-proxy app: auth-proxy
spec: spec:
@ -25,13 +40,19 @@ spec:
labels: labels:
app: auth-proxy app: auth-proxy
spec: spec:
dnsPolicy: None
dnsConfig:
nameservers:
- 100.100.100.100
containers: containers:
- args: - name: oauth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
args:
- --cookie-secure=false - --cookie-secure=false
- --provider=oidc - --provider=oidc
- --provider-display-name=Auth0 - --provider-display-name=Auth0
- --upstream=http://inlets.inlets.svc.cluster.local - --upstream=http://talos.averagemarcus.github.beta.tailscale.net
- --http-address=$(HOST_IP):8080 - --http-address=0.0.0.0:8080
- --email-domain=* - --email-domain=*
- --pass-basic-auth=false - --pass-basic-auth=false
- --pass-access-token=false - --pass-access-token=false
@ -54,8 +75,6 @@ spec:
secretKeyRef: secretKeyRef:
key: password key: password
name: auth-proxy name: auth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
name: oauth-proxy
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
@ -64,12 +83,43 @@ spec:
memory: 50Mi memory: 50Mi
requests: requests:
memory: 50Mi memory: 50Mi
- name: tailscale
image: ghcr.io/tailscale/tailscale:latest
imagePullPolicy: IfNotPresent
env:
- name: AUTH_KEY
valueFrom:
secretKeyRef:
name: tailscale-auth
key: password
securityContext:
capabilities:
add:
- NET_ADMIN
command:
- sh
- -c
- |
export PATH=$PATH:/tailscale/bin
if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
echo "Starting tailscaled"
tailscaled --socket=/tmp/tailscaled.sock &
PID=$!
echo "Running tailscale up"
tailscale --socket=/tmp/tailscaled.sock up \
--accept-dns=true \
--authkey=${AUTH_KEY} \
--hostname=auth-proxy
echo "Re-enabling incoming traffic from the cluster"
iptables -D ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
wait ${PID}
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: auth-proxy name: auth-proxy
namespace: inlets namespace: auth-proxy
labels: labels:
app: auth-proxy app: auth-proxy
spec: spec:

135
manifests/auth-proxy/ingress.yaml Normal file
View File

@ -0,0 +1,135 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auth-proxy
namespace: auth-proxy
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- downloads.cluster.fun
- argo.cluster.fun
- code.cluster.fun
- home.cluster.fun
- adguard.cluster.fun
- podify.cluster.fun
- jackett.cluster.fun
- printer.cluster.fun
- radarr.cluster.fun
- sonarr.cluster.fun
- transmission.cluster.fun
secretName: auth-proxy-ingress
rules:
- host: downloads.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: argo.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: code.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: home.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: adguard.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: podify.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: jackett.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: printer.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: radarr.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: sonarr.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http
- host: transmission.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
name: http

25
manifests/code-server/code-server.yaml
View File

@ -1,25 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: code
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- code.cluster.fun
secretName: code-ingress
rules:
- host: code.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

27
manifests/downloads/downloads.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: downloads-auth
namespace: inlets
labels:
app: downloads-auth
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- downloads.cluster.fun
secretName: downloads-ingress
rules:
- host: downloads.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

247
manifests/inlets/inlets.yaml
View File

@ -1,247 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: inlets
namespace: inlets
annotations:
kube-1password: podju6t2s2osc3vbkimyce25ti
kube-1password/vault: Kubernetes
kube-1password/password-key: token
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
name: inlets
namespace: inlets
labels:
app: inlets
spec:
type: ClusterIP
ports:
- port: 80
protocol: TCP
targetPort: 8000
selector:
app: inlets
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: inlets
namespace: inlets
labels:
app: inlets
spec:
replicas: 1
selector:
matchLabels:
app: inlets
template:
metadata:
labels:
app: inlets
spec:
containers:
- name: inlets
image: docker.cluster.fun/averagemarcus/inlets:3.0.3
imagePullPolicy: IfNotPresent
command: ["inlets"]
args:
- "server"
- "--token-from=/var/inlets/token"
volumeMounts:
- name: inlets-token-volume
mountPath: /var/inlets/
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
volumes:
- name: inlets-token-volume
secret:
secretName: inlets
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: inlets
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- inlets.cluster.fun
secretName: inlets-ingress
rules:
- host: inlets.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: inlets
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: home-assistant
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- home.cluster.fun
secretName: home-assistant-ingress
rules:
- host: home.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: inlets
port:
number: 80
---
apiVersion: v1
kind: Service
metadata:
name: downloads-rpc
namespace: inlets
labels:
app: inlets
spec:
type: ClusterIP
ports:
- port: 80
protocol: TCP
targetPort: 8000
selector:
app: inlets
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vpn-check
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- vpn-check.cluster.fun
secretName: vpn-check-ingress
rules:
- host: vpn-check.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: inlets
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: adguard
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- adguard.cluster.fun
secretName: adguard-ingress
rules:
- host: adguard.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: inlets
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: podify
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- podify.cluster.fun
secretName: podify-ingress
rules:
- host: podify.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: inlets
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: photos
namespace: inlets
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- photos.cluster.fun
secretName: photos-ingress
rules:
- host: photos.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: inlets
port:
number: 80
---
kind: Service
apiVersion: v1
metadata:
name: loki
namespace: inlets
spec:
type: ClusterIP
ports:
- port: 80
protocol: TCP
targetPort: 8000
selector:
app: inlets
---

27
manifests/jackett/jackett.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jackett-auth
namespace: inlets
labels:
app: jackett-auth
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- jackett.cluster.fun
secretName: jackett-ingress
rules:
- host: jackett.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

27
manifests/printer/printer.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: printer-auth
namespace: inlets
labels:
app: printer-auth
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- printer.cluster.fun
secretName: printer-ingress
rules:
- host: printer.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

27
manifests/radarr/radarr.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr
namespace: inlets
labels:
app: radarr
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- radarr.cluster.fun
secretName: radarr-ingress
rules:
- host: radarr.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

27
manifests/sonarr/sonarr.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr
namespace: inlets
labels:
app: sonarr
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- sonarr.cluster.fun
secretName: sonarr-ingress
rules:
- host: sonarr.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80

27
manifests/transmission/transmission.yaml
View File

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: transmission
namespace: inlets
labels:
app: transmission
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- transmission.cluster.fun
secretName: transmission-ingress
rules:
- host: transmission.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: auth-proxy
port:
number: 80