add traefik oauth forward

cmd/auth/main.go

@@ -19,9 +19,9 @@ import (
 )
 
 var (
-	cert             = flag.String("cert", "/etc/gh-auth-service/ssl/tls.crt", "Specify the path of TLS cert")
-	key              = flag.String("key", "/etc/gh-auth-service/ssl/tls.key", "Specify the path of TLS key")
-	zitadelAccessKey = flag.String("zitadel-access-key", "/etc/gh-auth-service/zitadel/api-key.json", "Specify the path of Zitadel access key")
+	cert             = flag.String("cert", "/etc/gh-authz/ssl/tls.crt", "Specify the path of TLS cert")
+	key              = flag.String("key", "/etc/gh-authz/ssl/tls.key", "Specify the path of TLS key")
+	zitadelAccessKey = flag.String("zitadel-access-key", "/etc/gh-authz/zitadel/api-key.json", "Specify the path of Zitadel access key")
 	httpsPort        = flag.String("https", ":443", "Specify port for http secure hosting(example for format :443)")
 	httpPort         = flag.String("http", ":80", "Specify port for http hosting(example for format :80)")
 	zitadelURI       = flag.String("zitadel-uri", "zitadel.varghacsongor.hu", "Specify the Zitadel URI")

deployment/auth-service/service.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: gh-auth-service
-    app.kubernetes.io/name: gh-auth-service
-  name: gh-auth-service
-spec:
-  ports:
-  - name: gin
-    port: 443
-    protocol: TCP
-    targetPort: 443
-  selector:
-    app.kubernetes.io/instance: gh-auth-service
-    app.kubernetes.io/name: gh-auth-service
-  type: ClusterIP

deployment/authN/configs/traefik-forward-auth.ini

@@ -0,0 +1,8 @@
+rule.example_public.action=allow
+rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
+
+rule.example_api.action=allow
+rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
+
+rule.example_api_query.action=allow
+rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

deployment/authN/deployment.yaml

@@ -0,0 +1,78 @@
+#
+# Traefik Forward Auth Deployment
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: thomseddon/traefik-forward-auth:2
+        name: traefik-forward-auth
+        ports:
+        - containerPort: 4181
+          protocol: TCP
+        resources:
+          limits:
+            memory: "256Mi"
+            cpu: "500m"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        env:
+        - name: CONFIG
+          value: "/config"
+        - name: DOMAIN
+          value: "varghacsongor.hu"
+        # INSECURE_COOKIE is required if not using a https entrypoint
+        # - name: INSECURE_COOKIE
+        #   value: "true"
+        # Remove COOKIE_DOMAIN if not using auth host mode
+        - name: COOKIE_DOMAIN
+          value: "example.com"
+        - name: AUTH_HOST
+          value: "auth.example.com"
+        - name: LOG_LEVEL
+          value: "info"
+        - name: PROVIDERS_GOOGLE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: google-client-id
+        - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: google-client-secret
+        - name: SECRET
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: secret
+        volumeMounts:
+        - name: configs
+          mountPath: /configexample
+          subPath: traefik-forward-auth.ini
+
+      volumes:
+      - name: configs
+        configMap:
+          name: configs
+      - name: traefik-forward-auth-secrets
+        secret:
+          secretName: traefik-forward-auth-secrets

deployment/authN/ingress.yaml

@@ -0,0 +1,20 @@
+#
+# Auth Ingress
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  entryPoints:
+    - https
+  routes:
+  - match: Host(`auth.varghacsongor.hu`)
+    kind: Rule
+    services:
+    - name: traefik-forward-auth
+      port: 4181
+  tls:
+    certresolver: default

deployment/authN/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+commonLabels:
+  app: traefik-forward-auth
+
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- middleware.yaml
+
+#
+# Configs
+#
+configMapGenerator:
+- name: configs
+  files:
+    - configs/traefik-forward-auth.ini
+
+#
+# Secrets
+#
+secretGenerator:
+- name: traefik-forward-auth-secrets
+  env: secrets/traefik-forward-auth.env

deployment/authN/middleware.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth:4181
+    authResponseHeaders:
+      - X-Forwarded-User

deployment/authN/secrets/traefik-forward-auth.env

@@ -0,0 +1,3 @@
+google-client-id=client-id
+google-client-secret=client-secret
+secret=something-random

deployment/authN/service.yaml

@@ -0,0 +1,17 @@
+#
+# Auth Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik
+  ports:
+  - name: auth-http
+    port: 4181
+    targetPort: 4181

deployment/authZ/certificate.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: gh-auth-service-certificate
+  name: gh-authz-certificate
   annotations:
     argocd.argoproj.io/hook: PreSync
 spec:
@@ -9,15 +9,15 @@ spec:
   duration: 2160h # 90d
   renewBefore: 360h # 15d
   dnsNames:
-    - gh-auth-service.generations-heritage.svc.cluster.local
-    - gh-auth-service
+    - gh-authz.generations-heritage.svc.cluster.local
+    - gh-authz
     - localhost
   ipAddresses:
     - 127.0.0.1
   subject:
     organizations:
       - GenerationsHeritage
-  secretName: gh-auth-service-tls
+  secretName: gh-authz-tls
   privateKey:
     algorithm: RSA
     encoding: PKCS1

deployment/authZ/deployment.yaml

@@ -2,29 +2,29 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app.kubernetes.io/instance: gh-auth-service
-    app.kubernetes.io/name: gh-auth-service
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
   annotations:
     argocd.argoproj.io/sync-wave: "1"
     argocd.argoproj.io/hook: Synce
-  name: gh-auth-service
+  name: gh-authz
   namespace: generations-heritage
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/instance: gh-auth-service
-      app.kubernetes.io/name: gh-auth-service
+      app.kubernetes.io/instance: gh-authz
+      app.kubernetes.io/name: gh-authz
   template:
     metadata:
       labels:
-        app.kubernetes.io/instance: gh-auth-service
-        app.kubernetes.io/name: gh-auth-service
+        app.kubernetes.io/instance: gh-authz
+        app.kubernetes.io/name: gh-authz
     spec:
       containers:
         - image: vcscsvcscs/gheritage-auth-service:latest
           imagePullPolicy: Always
-          name: gh-auth-service
+          name: gh-authz
           ports:
           - containerPort: 443
             name: gin
@@ -38,14 +38,14 @@ spec:
               cpu: 100m
               memory: 50Mi
           volumeMounts:
-            - name: gh-auth-service-certs
-              mountPath: /etc/gh-auth-service/ssl
+            - name: gh-authz-certs
+              mountPath: /etc/gh-authz/ssl
             - name: zitadel-service-account
-              mountPath: /etc/gh-auth-service/zitadel
+              mountPath: /etc/gh-authz/zitadel
       volumes:
-      - name: gh-auth-service-certs
+      - name: gh-authz-certs
         secret:
-          secretName: gh-auth-service-tls
+          secretName: gh-authz-tls
       - name: zitadel-service-account
         secret:
           secretName: zitadel-service-account

deployment/authZ/forwardAuth.yaml

@@ -4,7 +4,7 @@ metadata:
   name: auth-service
 spec:
   forwardAuth:
-    address: https://gh-auth-service/auth/
+    address: https://gh-authz/auth/
     authResponseHeaders:
       - id
     tls:

deployment/authZ/horizontalPodAutoScaler.yaml

@@ -1,14 +1,14 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: gh-auth-service
+  name: gh-authz
   annotations:
     argocd.argoproj.io/hook: PostSync
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: gh-auth-service
+    name: gh-authz
   minReplicas: 1
   maxReplicas: 5
   metrics:

deployment/authZ/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  name: gh-authz
+spec:
+  ports:
+  - name: gin
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  selector:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  type: ClusterIP

deployment/authz-argo.yaml

@@ -1,12 +1,12 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: gh-auth-service
+  name: gh-authz
 spec:
   project: generations-heritage-vv
   source:
     repoURL: 'https://github.com/vcscsvcscs/GenerationsHeritage'
-    path: deployment/auth-service
+    path: deployment/authZ
     targetRevision: main
     kustomize:
       namespace: generations-heritage