214 lines
5.1 KiB
YAML
214 lines
5.1 KiB
YAML
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: tailscale-non-auth-proxy
|
|
namespace: auth-proxy
|
|
type: Opaque
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: tailscale-non-auth-proxy
|
|
labels:
|
|
app.kubernetes.io/name: tailscale
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: tailscale-non-auth-proxy
|
|
labels:
|
|
app.kubernetes.io/name: tailscale
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: "tailscale-non-auth-proxy"
|
|
roleRef:
|
|
kind: Role
|
|
name: tailscale-non-auth-proxy
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: tailscale-non-auth-proxy
|
|
labels:
|
|
app.kubernetes.io/name: tailscale
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["create"]
|
|
- apiGroups: [""]
|
|
resourceNames: ["tailscale-non-auth-proxy"]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "update"]
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: non-auth-proxy
|
|
namespace: auth-proxy
|
|
labels:
|
|
app: non-auth-proxy
|
|
annotations:
|
|
secret.reloader.stakater.com/reload: "tailscale-non-auth-proxy"
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: non-auth-proxy
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: non-auth-proxy
|
|
spec:
|
|
serviceAccountName: tailscale-non-auth-proxy
|
|
dnsPolicy: ClusterFirst
|
|
dnsConfig:
|
|
nameservers:
|
|
- 100.100.100.100
|
|
containers:
|
|
- name: oauth-proxy
|
|
image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
|
|
args:
|
|
- --cookie-secure=false
|
|
- --provider=oidc
|
|
- --provider-display-name=Auth0
|
|
- --upstream=http://talos.averagemarcus.github.beta.tailscale.net
|
|
- --http-address=0.0.0.0:8080
|
|
- --email-domain=*
|
|
- --pass-basic-auth=false
|
|
- --pass-access-token=false
|
|
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
|
|
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
|
|
- --cookie-expire=336h0m0s
|
|
- --trusted-ip=0.0.0.0/0
|
|
env:
|
|
- name: HOST_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: status.podIP
|
|
- name: OAUTH2_PROXY_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: username
|
|
name: auth-proxy
|
|
- name: OAUTH2_PROXY_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: password
|
|
name: auth-proxy
|
|
ports:
|
|
- containerPort: 8080
|
|
protocol: TCP
|
|
resources:
|
|
limits:
|
|
memory: 50Mi
|
|
requests:
|
|
memory: 50Mi
|
|
- name: tailscale
|
|
image: ghcr.io/tailscale/tailscale:v1.56
|
|
imagePullPolicy: Always
|
|
tty: true
|
|
env:
|
|
- name: TS_AUTH_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: tailscale-auth
|
|
key: password
|
|
- name: TS_KUBE_SECRET
|
|
value: tailscale-non-auth-proxy
|
|
- name: TS_ACCEPT_DNS
|
|
value: "true"
|
|
- name: TS_EXTRA_ARGS
|
|
value: "--hostname=non-auth-proxy"
|
|
securityContext:
|
|
capabilities:
|
|
add:
|
|
- NET_ADMIN
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
export PATH=$PATH:/tailscale/bin
|
|
if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
|
|
if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
|
|
echo "Starting tailscaled"
|
|
tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
|
|
PID=$!
|
|
echo "Running tailscale up"
|
|
tailscale --socket=/tmp/tailscaled.sock up \
|
|
--accept-dns=${TS_ACCEPT_DNS} \
|
|
--authkey=${TS_AUTH_KEY} \
|
|
${TS_EXTRA_ARGS}
|
|
echo "Re-enabling incoming traffic from the cluster"
|
|
wait ${PID}
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: non-auth-proxy
|
|
namespace: auth-proxy
|
|
labels:
|
|
app: non-auth-proxy
|
|
spec:
|
|
ports:
|
|
- name: http
|
|
port: 80
|
|
protocol: TCP
|
|
targetPort: 8080
|
|
selector:
|
|
app: non-auth-proxy
|
|
type: ClusterIP
|
|
---
|
|
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: non-auth-proxy
|
|
namespace: auth-proxy
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt
|
|
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
|
spec:
|
|
ingressClassName: nginx
|
|
tls:
|
|
- hosts:
|
|
# - home.cluster.fun
|
|
- tasks.cluster.fun
|
|
- api.tasks.cluster.fun
|
|
secretName: non-auth-proxy-ingress
|
|
rules:
|
|
# - host: home.cluster.fun
|
|
# http:
|
|
# paths:
|
|
# - path: /
|
|
# pathType: ImplementationSpecific
|
|
# backend:
|
|
# service:
|
|
# name: non-auth-proxy
|
|
# port:
|
|
# name: http
|
|
- host: tasks.cluster.fun
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: ImplementationSpecific
|
|
backend:
|
|
service:
|
|
name: non-auth-proxy
|
|
port:
|
|
name: http
|
|
- host: api.tasks.cluster.fun
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: ImplementationSpecific
|
|
backend:
|
|
service:
|
|
name: non-auth-proxy
|
|
port:
|
|
name: http
|