cluster.fun/manifests/auth-proxy/non-auth-proxy.yaml

212 lines
5.0 KiB
YAML

apiVersion: v1
kind: Secret
metadata:
name: tailscale-non-auth-proxy
namespace: auth-proxy
type: Opaque
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale-non-auth-proxy
labels:
app.kubernetes.io/name: tailscale
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale-non-auth-proxy
labels:
app.kubernetes.io/name: tailscale
subjects:
- kind: ServiceAccount
name: "tailscale-non-auth-proxy"
roleRef:
kind: Role
name: tailscale-non-auth-proxy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale-non-auth-proxy
labels:
app.kubernetes.io/name: tailscale
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
- apiGroups: [""]
resourceNames: ["tailscale-non-auth-proxy"]
resources: ["secrets"]
verbs: ["get", "update"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: non-auth-proxy
namespace: auth-proxy
labels:
app: non-auth-proxy
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: non-auth-proxy
template:
metadata:
labels:
app: non-auth-proxy
spec:
serviceAccountName: tailscale-non-auth-proxy
dnsPolicy: ClusterFirst
dnsConfig:
nameservers:
- 100.100.100.100
containers:
- name: oauth-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
args:
- --cookie-secure=false
- --provider=oidc
- --provider-display-name=Auth0
- --upstream=http://talos.averagemarcus.github.beta.tailscale.net
- --http-address=0.0.0.0:8080
- --email-domain=*
- --pass-basic-auth=false
- --pass-access-token=false
- --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
- --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
- --cookie-expire=336h0m0s
- --trusted-ip=0.0.0.0/0
env:
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: username
name: auth-proxy
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: password
name: auth-proxy
ports:
- containerPort: 8080
protocol: TCP
resources:
limits:
memory: 50Mi
requests:
memory: 50Mi
- name: tailscale
image: ghcr.io/tailscale/tailscale:v1.44
imagePullPolicy: Always
tty: true
env:
- name: TS_AUTH_KEY
valueFrom:
secretKeyRef:
name: tailscale-auth
key: password
- name: TS_KUBE_SECRET
value: tailscale-non-auth-proxy
- name: TS_ACCEPT_DNS
value: "true"
- name: TS_EXTRA_ARGS
value: "--hostname=non-auth-proxy"
securityContext:
capabilities:
add:
- NET_ADMIN
command:
- sh
- -c
- |
export PATH=$PATH:/tailscale/bin
if [[ ! -d /dev/net ]]; then mkdir -p /dev/net; fi
if [[ ! -c /dev/net/tun ]]; then mknod /dev/net/tun c 10 200; fi
echo "Starting tailscaled"
tailscaled --state=kube:${TS_KUBE_SECRET} --socket=/tmp/tailscaled.sock &
PID=$!
echo "Running tailscale up"
tailscale --socket=/tmp/tailscaled.sock up \
--accept-dns=${TS_ACCEPT_DNS} \
--authkey=${TS_AUTH_KEY} \
${TS_EXTRA_ARGS}
echo "Re-enabling incoming traffic from the cluster"
wait ${PID}
---
apiVersion: v1
kind: Service
metadata:
name: non-auth-proxy
namespace: auth-proxy
labels:
app: non-auth-proxy
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: non-auth-proxy
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: non-auth-proxy
namespace: auth-proxy
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- home.cluster.fun
- tasks.cluster.fun
- api.tasks.cluster.fun
secretName: non-auth-proxy-ingress
rules:
- host: home.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: non-auth-proxy
port:
name: http
- host: tasks.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: non-auth-proxy
port:
name: http
- host: api.tasks.cluster.fun
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: non-auth-proxy
port:
name: http