apiVersion: v1 kind: ConfigMap metadata: name: host-mappings namespace: auth-proxy labels: app: proxy data: mapping.json: | { "tekton-el.auth-proxy.svc": "tekton-el.cluster.local", "home.auth-proxy.svc": "home.cluster.local", "home.cluster.fun": "home.cluster.local", "podify.cluster.fun": "podify.cluster.local", "prometheus.auth-proxy.svc": "prometheus.cluster.local", "loki.auth-proxy.svc": "loki.cluster.local" } --- apiVersion: apps/v1 kind: Deployment metadata: name: internal-proxy namespace: auth-proxy labels: app: internal-proxy annotations: configmap.reloader.stakater.com/reload: "host-mappings" spec: replicas: 1 selector: matchLabels: app: internal-proxy template: metadata: labels: app: internal-proxy spec: dnsPolicy: None dnsConfig: nameservers: - 100.100.100.100 containers: - name: proxy image: docker.cluster.fun/averagemarcus/proxy:latest imagePullPolicy: Always env: - name: PROXY_DESTINATION value: talos.averagemarcus.github.beta.tailscale.net - name: PORT value: "8080" ports: - containerPort: 8080 protocol: TCP volumeMounts: - name: host-mappings mountPath: /config/ - name: tailscale image: ghcr.io/tailscale/tailscale:latest imagePullPolicy: IfNotPresent env: - name: AUTH_KEY valueFrom: secretKeyRef: name: tailscale-auth key: password securityContext: capabilities: add: - NET_ADMIN command: - sh - -c - | export PATH=$PATH:/tailscale/bin if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi echo "Starting tailscaled" tailscaled --socket=/tmp/tailscaled.sock & PID=$! echo "Running tailscale up" tailscale --socket=/tmp/tailscaled.sock up \ --accept-dns=true \ --authkey=${AUTH_KEY} \ --hostname=auth-proxy wait ${PID} volumes: - name: host-mappings configMap: name: host-mappings --- apiVersion: v1 kind: Service metadata: name: tekton-el namespace: auth-proxy labels: app: internal-proxy spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: internal-proxy type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: name: non-auth-proxy namespace: auth-proxy labels: app: non-auth-proxy spec: replicas: 1 selector: matchLabels: app: non-auth-proxy template: metadata: labels: app: non-auth-proxy spec: dnsPolicy: None dnsConfig: nameservers: - 100.100.100.100 containers: - name: oauth-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0 args: - --cookie-secure=false - --provider=oidc - --provider-display-name=Auth0 - --upstream=http://talos.averagemarcus.github.beta.tailscale.net - --http-address=0.0.0.0:8080 - --email-domain=* - --pass-basic-auth=false - --pass-access-token=false - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/ - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT - --cookie-expire=336h0m0s - --trusted-ip=0.0.0.0/0 env: - name: HOST_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: key: username name: auth-proxy - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: password name: auth-proxy ports: - containerPort: 8080 protocol: TCP resources: limits: memory: 50Mi requests: memory: 50Mi - name: tailscale image: ghcr.io/tailscale/tailscale:latest imagePullPolicy: IfNotPresent env: - name: AUTH_KEY valueFrom: secretKeyRef: name: tailscale-auth key: password securityContext: capabilities: add: - NET_ADMIN command: - sh - -c - | export PATH=$PATH:/tailscale/bin if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi echo "Starting tailscaled" tailscaled --socket=/tmp/tailscaled.sock & PID=$! echo "Running tailscale up" tailscale --socket=/tmp/tailscaled.sock up \ --accept-dns=true \ --authkey=${AUTH_KEY} \ --hostname=auth-proxy echo "Re-enabling incoming traffic from the cluster" wait ${PID} --- apiVersion: v1 kind: Service metadata: name: non-auth-proxy namespace: auth-proxy labels: app: non-auth-proxy spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: non-auth-proxy type: ClusterIP --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: non-auth-proxy namespace: auth-proxy annotations: cert-manager.io/cluster-issuer: letsencrypt nginx.ingress.kubernetes.io/force-ssl-redirect: "true" spec: ingressClassName: nginx tls: - hosts: - home.cluster.fun - podify.cluster.fun secretName: non-auth-proxy-ingress rules: - host: home.cluster.fun http: paths: - path: / pathType: ImplementationSpecific backend: service: name: non-auth-proxy port: name: http - host: podify.cluster.fun http: paths: - path: / pathType: ImplementationSpecific backend: service: name: non-auth-proxy port: name: http