cluster.fun/manifests/auth-proxy/auth-proxy.yaml

203 lines
4.8 KiB
YAML

apiVersion: v1
kind: Namespace
metadata:
name: auth-proxy
---
apiVersion: v1
kind: Secret
metadata:
name: auth-proxy
namespace: auth-proxy
annotations:
kube-1password: mr6spkkx7n3memkbute6ojaarm
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth
namespace: auth-proxy
annotations:
kube-1password: 2cqycmsgv5r7vcyvjpblcl2l4y
kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth-proxy
type: Opaque
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale-auth-proxy
labels:
app.kubernetes.io/name: tailscale
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale-auth-proxy
labels:
app.kubernetes.io/name: tailscale
subjects:
- kind: ServiceAccount
name: "tailscale-auth-proxy"
roleRef:
kind: Role
name: tailscale-auth-proxy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale-auth-proxy
labels:
app.kubernetes.io/name: tailscale
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
- apiGroups: [""]
resourceNames: ["tailscale-auth-proxy"]
resources: ["secrets"]
verbs: ["get", "update"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: auth-proxy
namespace: auth-proxy
labels:
app: auth-proxy
annotations:
secret.reloader.stakater.com/reload: "tailscale-auth"
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: auth-proxy
template:
metadata:
labels:
app: auth-proxy
spec:
serviceAccountName: tailscale-auth-proxy
dnsPolicy: ClusterFirst
dnsConfig:
nameservers:
- 100.100.100.100
initContainers:
- name: sysctler
image: busybox
securityContext:
privileged: true
command: ["/bin/sh"]
args:
- -c
- |
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.disable_ipv6=0
resources:
requests:
cpu: 1m
memory: 1Mi
containers:
- name: oauth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://talos.averagemarcus.github.beta.tailscale.net
- --http-address=0.0.0.0:8080
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
- --cookie-expire=336h0m0s
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: auth-proxy
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: auth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
- name: tailscale
image: ghcr.io/tailscale/tailscale:v1.58
imagePullPolicy: Always
env:
- name: TS_AUTH_KEY
valueFrom:
secretKeyRef:
name: tailscale-auth
key: password
- name: TS_KUBE_SECRET
value: tailscale-auth-proxy
- name: TS_ACCEPT_DNS
value: "true"
- name: TS_EXTRA_ARGS
value: "--hostname=auth-proxy-oauth2"
securityContext:
capabilities:
add:
- NET_ADMIN
command:
- sh
- -c
- |
export PATH=$PATH:/tailscale/bin
if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
echo "Starting tailscaled"
tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
PID=$!
echo "Running tailscale up"
tailscale --socket=/tmp/tailscaled.sock up \
--accept-dns=${TS_ACCEPT_DNS} \
--authkey=${TS_AUTH_KEY} \
${TS_EXTRA_ARGS}
echo "Re-enabling incoming traffic from the cluster"
wait ${PID}
---
apiVersion: v1
kind: Service
metadata:
name: auth-proxy
namespace: auth-proxy
labels:
app: auth-proxy
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: auth-proxy
type: ClusterIP