From 66d25e03d1ab6477a15379cf5b46ac9aa185224f Mon Sep 17 00:00:00 2001
From: Vargha Csongor
Date: Sun, 5 Jan 2025 19:14:59 +0100
Subject: [PATCH] add traefik oauth forward
---
 cmd/auth/main.go | 6 +-
 deployment/auth-service/service.yaml | 17 ----
 .../authN/configs/traefik-forward-auth.ini | 8 ++
 deployment/authN/deployment.yaml | 78 +++++++++++++++++++
 deployment/authN/ingress.yaml | 20 +++++
 deployment/authN/kustomization.yaml | 26 +++++++
 deployment/authN/middleware.yaml | 9 +++
 .../authN/secrets/traefik-forward-auth.env | 3 +
 deployment/authN/service.yaml | 17 ++++
 .../{auth-service => authZ}/certificate.yaml | 8 +-
 .../{auth-service => authZ}/deployment.yaml | 26 +++---
 .../{auth-service => authZ}/forwardAuth.yaml | 2 +-
 .../horizontalPodAutoScaler.yaml | 4 +-
 .../kustomization.yaml | 0
 deployment/authZ/service.yaml | 17 ++++
 ...auth-service-argo.yaml => authz-argo.yaml} | 4 +-
 16 files changed, 203 insertions(+), 42 deletions(-)
 delete mode 100644 deployment/auth-service/service.yaml
 create mode 100644 deployment/authN/configs/traefik-forward-auth.ini
 create mode 100644 deployment/authN/deployment.yaml
 create mode 100644 deployment/authN/ingress.yaml
 create mode 100644 deployment/authN/kustomization.yaml
 create mode 100644 deployment/authN/middleware.yaml
 create mode 100644 deployment/authN/secrets/traefik-forward-auth.env
 create mode 100644 deployment/authN/service.yaml
 rename deployment/{auth-service => authZ}/certificate.yaml (75%)
 rename deployment/{auth-service => authZ}/deployment.yaml (60%)
 rename deployment/{auth-service => authZ}/forwardAuth.yaml (80%)
 rename deployment/{auth-service => authZ}/horizontalPodAutoScaler.yaml (90%)
 rename deployment/{auth-service => authZ}/kustomization.yaml (100%)
 create mode 100644 deployment/authZ/service.yaml
 rename deployment/{auth-service-argo.yaml => authz-argo.yaml} (89%)
diff --git a/cmd/auth/main.go b/cmd/auth/main.go
index 9344808..b85e58a 100644
--- a/cmd/auth/main.go
+++ b/cmd/auth/main.go
@@ -19,9 +19,9 @@ import (
 )
 var (
- cert = flag.String("cert", "/etc/gh-auth-service/ssl/tls.crt", "Specify the path of TLS cert")
- key = flag.String("key", "/etc/gh-auth-service/ssl/tls.key", "Specify the path of TLS key")
- zitadelAccessKey = flag.String("zitadel-access-key", "/etc/gh-auth-service/zitadel/api-key.json", "Specify the path of Zitadel access key")
+ cert = flag.String("cert", "/etc/gh-authz/ssl/tls.crt", "Specify the path of TLS cert")
+ key = flag.String("key", "/etc/gh-authz/ssl/tls.key", "Specify the path of TLS key")
+ zitadelAccessKey = flag.String("zitadel-access-key", "/etc/gh-authz/zitadel/api-key.json", "Specify the path of Zitadel access key")
 httpsPort = flag.String("https", ":443", "Specify port for http secure hosting(example for format :443)")
 httpPort = flag.String("http", ":80", "Specify port for http hosting(example for format :80)")
 zitadelURI = flag.String("zitadel-uri", "zitadel.varghacsongor.hu", "Specify the Zitadel URI")
diff --git a/deployment/auth-service/service.yaml b/deployment/auth-service/service.yaml
deleted file mode 100644
index 8239fec..0000000
--- a/deployment/auth-service/service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: gh-auth-service
- app.kubernetes.io/name: gh-auth-service
- name: gh-auth-service
-spec:
- ports:
- - name: gin
- port: 443
- protocol: TCP
- targetPort: 443
- selector:
- app.kubernetes.io/instance: gh-auth-service
- app.kubernetes.io/name: gh-auth-service
- type: ClusterIP
\ No newline at end of file
diff --git a/deployment/authN/configs/traefik-forward-auth.ini b/deployment/authN/configs/traefik-forward-auth.ini
new file mode 100644
index 0000000..1bf8868
--- /dev/null
+++ b/deployment/authN/configs/traefik-forward-auth.ini
@@ -0,0 +1,8 @@
+rule.example_public.action=allow
+rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
+
+rule.example_api.action=allow
+rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
+
+rule.example_api_query.action=allow
+rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")
diff --git a/deployment/authN/deployment.yaml b/deployment/authN/deployment.yaml
new file mode 100644
index 0000000..a9467c2
--- /dev/null
+++ b/deployment/authN/deployment.yaml
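Review bot: The last rule has a doubled operator, `Host("api.example.com") && && Query("api_key=a-long-api-key")`, which is not a valid rule expression, and all three rules are the upstream example verbatim: `action=allow` entries keyed to example.com hosts with the literal key `a-long-api-key`, not rules for this deployment. Since an `allow` rule lets matching requests skip the OAuth check entirely, whatever stays in this file should be written deliberately for the real hosts; if none is needed yet, reduce the file to the rules actually intended and fix the operator, e.g. `rule.example_api_query.rule=Host("api.example.com") && Query("api_key=a-long-api-key")`. Note also that deployment.yaml mounts this file at `/configexample` while `CONFIG` is set to `/config`, so as committed it appears not to be read at all.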
@@ -0,0 +1,78 @@
+#
+# Traefik Forward Auth Deployment
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik-forward-auth
+ labels:
+ app: traefik-forward-auth
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik-forward-auth
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: traefik-forward-auth
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ terminationGracePeriodSeconds: 60
+ containers:
+ - image: thomseddon/traefik-forward-auth:2
+ name: traefik-forward-auth
+ ports:
+ - containerPort: 4181
+ protocol: TCP
+ resources:
+ limits:
+ memory: "256Mi"
+ cpu: "500m"
+ requests:
+ memory: "128Mi"
+ cpu: "250m"
+ env:
+ - name: CONFIG
+ value: "/config"
+ - name: DOMAIN
+ value: "varghacsongor.hu"
+ # INSECURE_COOKIE is required if not using a https entrypoint
+ # - name: INSECURE_COOKIE
+ # value: "true"
+ # Remove COOKIE_DOMAIN if not using auth host mode
+ - name: COOKIE_DOMAIN
+ value: "example.com"
+ - name: AUTH_HOST
+ value: "auth.example.com"
+ - name: LOG_LEVEL
+ value: "info"
+ - name: PROVIDERS_GOOGLE_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: traefik-forward-auth-secrets
+ key: google-client-id
+ - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: traefik-forward-auth-secrets
+ key: google-client-secret
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ name: traefik-forward-auth-secrets
+ key: secret
+ volumeMounts:
+ - name: configs
+ mountPath: /configexample
+ subPath: traefik-forward-auth.ini
+
+ volumes:
+ - name: configs
+ configMap:
+ name: configs
+ - name: traefik-forward-auth-secrets
+ secret:
+ secretName: traefik-forward-auth-secrets
diff --git a/deployment/authN/ingress.yaml b/deployment/authN/ingress.yaml
new file mode 100644
index 0000000..0a04b4a
--- /dev/null
+++ b/deployment/authN/ingress.yaml
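Review bot: `COOKIE_DOMAIN` (`example.com`) and `AUTH_HOST` (`auth.example.com`) are still the upstream placeholders, while `DOMAIN` is `varghacsongor.hu` and ingress.yaml routes `auth.varghacsongor.hu`, so the auth-host redirect and the session cookie would be issued for a domain this cluster does not serve; they should read `value: "varghacsongor.hu"` and `value: "auth.varghacsongor.hu"` respectively. The pod also runs as `serviceAccountName: traefik-ingress-controller`, which presumably carries the ingress controller's RBAC; the forward-auth process itself needs no Kubernetes API access, so a dedicated service account with `automountServiceAccountToken: false` is the least-privilege choice. Separately, `CONFIG` points at `/config` but the ini is mounted at `/configexample`; one of the two paths looks wrong, and the commented `INSECURE_COOKIE` block should stay disabled since the IngressRoute uses the `https` entry point.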
@@ -0,0 +1,20 @@
+#
+# Auth Ingress
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-forward-auth
+ labels:
+ app: traefik
+spec:
+ entryPoints:
+ - https
+ routes:
+ - match: Host(`auth.varghacsongor.hu`)
+ kind: Rule
+ services:
+ - name: traefik-forward-auth
+ port: 4181
+ tls:
+ certresolver: default
diff --git a/deployment/authN/kustomization.yaml b/deployment/authN/kustomization.yaml
new file mode 100644
index 0000000..8f24f83
--- /dev/null
+++ b/deployment/authN/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+commonLabels:
+ app: traefik-forward-auth
+
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- middleware.yaml
+
+#
+# Configs
+#
+configMapGenerator:
+- name: configs
+ files:
+ - configs/traefik-forward-auth.ini
+
+#
+# Secrets
+#
+secretGenerator:
+- name: traefik-forward-auth-secrets
+ env: secrets/traefik-forward-auth.env
diff --git a/deployment/authN/middleware.yaml b/deployment/authN/middleware.yaml
new file mode 100644
index 0000000..59a24a8
--- /dev/null
+++ b/deployment/authN/middleware.yaml
@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-forward-auth
+spec:
+ forwardAuth:
+ address: http://traefik-forward-auth:4181
+ authResponseHeaders:
+ - X-Forwarded-User
diff --git a/deployment/authN/secrets/traefik-forward-auth.env b/deployment/authN/secrets/traefik-forward-auth.env
new file mode 100644
index 0000000..06ab509
--- /dev/null
+++ b/deployment/authN/secrets/traefik-forward-auth.env
@@ -0,0 +1,3 @@
+google-client-id=client-id
+google-client-secret=client-secret
+secret=something-random
diff --git a/deployment/authN/service.yaml b/deployment/authN/service.yaml
new file mode 100644
index 0000000..e4744a1
--- /dev/null
+++ b/deployment/authN/service.yaml
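Review bot: This env file is the source of the `secretGenerator` in kustomization.yaml, so the real Google client secret and the cookie-signing `secret` are expected to be written into a tracked file under `deployment/authN/secrets/`; the values here are still the upstream placeholders (`client-id`, `client-secret`, `something-random`), and the layout invites committing the real ones later. Keep the file out of version control (a `.gitignore` entry plus a committed `traefik-forward-auth.env.example`) or replace the generator with a sealed/external secret, and generate `secret` as a long random value since it presumably signs the session cookie. The placeholder `something-random` must not survive into a deployment, because a guessable signing key lets the cookie be forged.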
@@ -0,0 +1,17 @@
+#
+# Auth Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik-forward-auth
+ labels:
+ app: traefik
+spec:
+ type: ClusterIP
+ selector:
+ app: traefik
+ ports:
+ - name: auth-http
+ port: 4181
+ targetPort: 4181
diff --git a/deployment/auth-service/certificate.yaml b/deployment/authZ/certificate.yaml
similarity index 75%
rename from deployment/auth-service/certificate.yaml
rename to deployment/authZ/certificate.yaml
index 2e4a060..412010f 100644
--- a/deployment/auth-service/certificate.yaml
+++ b/deployment/authZ/certificate.yaml
@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
- name: gh-auth-service-certificate
+ name: gh-authz-certificate
 annotations:
 argocd.argoproj.io/hook: PreSync
 spec:
@@ -9,15 +9,15 @@ spec:
 duration: 2160h # 90d
 renewBefore: 360h # 15d
 dnsNames:
- - gh-auth-service.generations-heritage.svc.cluster.local
- - gh-auth-service
+ - gh-authz.generations-heritage.svc.cluster.local
+ - gh-authz
 - localhost
 ipAddresses:
 - 127.0.0.1
 subject:
 organizations:
 - GenerationsHeritage
- secretName: gh-auth-service-tls
+ secretName: gh-authz-tls
 privateKey:
 algorithm: RSA
 encoding: PKCS1
diff --git a/deployment/auth-service/deployment.yaml b/deployment/authZ/deployment.yaml
similarity index 60%
rename from deployment/auth-service/deployment.yaml
rename to deployment/authZ/deployment.yaml
index c1c4903..c91aee4 100644
--- a/deployment/auth-service/deployment.yaml
+++ b/deployment/authZ/deployment.yaml
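Review bot: The Service selector `app: traefik` does not match the pod label `app: traefik-forward-auth` that deployment.yaml sets, so the endpoint behind `http://traefik-forward-auth:4181` in middleware.yaml would be empty or, worse, would select any other pod in the namespace labelled `app: traefik` (such as the Traefik controller itself), which is not the component that should be answering auth decisions. kustomization.yaml's `commonLabels: app: traefik-forward-auth` may rewrite the selector at build time and mask this, but the manifest should not depend on that; change both the selector and the `labels:` entry to `app: traefik-forward-auth`.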
@@ -2,29 +2,29 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 labels:
- app.kubernetes.io/instance: gh-auth-service
- app.kubernetes.io/name: gh-auth-service
+ app.kubernetes.io/instance: gh-authz
+ app.kubernetes.io/name: gh-authz
 annotations:
 argocd.argoproj.io/sync-wave: "1"
 argocd.argoproj.io/hook: Synce
- name: gh-auth-service
+ name: gh-authz
 namespace: generations-heritage
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/instance: gh-auth-service
- app.kubernetes.io/name: gh-auth-service
+ app.kubernetes.io/instance: gh-authz
+ app.kubernetes.io/name: gh-authz
 template:
 metadata:
 labels:
- app.kubernetes.io/instance: gh-auth-service
- app.kubernetes.io/name: gh-auth-service
+ app.kubernetes.io/instance: gh-authz
+ app.kubernetes.io/name: gh-authz
 spec:
 containers:
 - image: vcscsvcscs/gheritage-auth-service:latest
 imagePullPolicy: Always
- name: gh-auth-service
+ name: gh-authz
 ports:
 - containerPort: 443
 name: gin
@@ -38,14 +38,14 @@ spec:
 cpu: 100m
 memory: 50Mi
 volumeMounts:
- - name: gh-auth-service-certs
- mountPath: /etc/gh-auth-service/ssl
+ - name: gh-authz-certs
+ mountPath: /etc/gh-authz/ssl
 - name: zitadel-service-account
- mountPath: /etc/gh-auth-service/zitadel
+ mountPath: /etc/gh-authz/zitadel
 volumes:
- - name: gh-auth-service-certs
+ - name: gh-authz-certs
 secret:
- secretName: gh-auth-service-tls
+ secretName: gh-authz-tls
 - name: zitadel-service-account
 secret:
 secretName: zitadel-service-account
diff --git a/deployment/auth-service/forwardAuth.yaml b/deployment/authZ/forwardAuth.yaml
similarity index 80%
rename from deployment/auth-service/forwardAuth.yaml
rename to deployment/authZ/forwardAuth.yaml
index 82ee6fd..895b8f9 100644
--- a/deployment/auth-service/forwardAuth.yaml
+++ b/deployment/authZ/forwardAuth.yaml
@@ -4,7 +4,7 @@ metadata:
 name: auth-service
 spec:
 forwardAuth:
- address: https://gh-auth-service/auth/
+ address: https://gh-authz/auth/
 authResponseHeaders:
 - id
 tls:
diff --git a/deployment/auth-service/horizontalPodAutoScaler.yaml b/deployment/authZ/horizontalPodAutoScaler.yaml
similarity index 90%
rename from deployment/auth-service/horizontalPodAutoScaler.yaml
rename to deployment/authZ/horizontalPodAutoScaler.yaml
index 413e418..6603007 100644
--- a/deployment/auth-service/horizontalPodAutoScaler.yaml
+++ b/deployment/authZ/horizontalPodAutoScaler.yaml
@@ -1,14 +1,14 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
- name: gh-auth-service
+ name: gh-authz
 annotations:
 argocd.argoproj.io/hook: PostSync
 spec:
 scaleTargetRef:
 apiVersion: apps/v1
 kind: Deployment
- name: gh-auth-service
+ name: gh-authz
 minReplicas: 1
 maxReplicas: 5
 metrics:
diff --git a/deployment/auth-service/kustomization.yaml b/deployment/authZ/kustomization.yaml
similarity index 100%
rename from deployment/auth-service/kustomization.yaml
rename to deployment/authZ/kustomization.yaml
diff --git a/deployment/authZ/service.yaml b/deployment/authZ/service.yaml
new file mode 100644
index 0000000..f4e3820
--- /dev/null
+++ b/deployment/authZ/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/instance: gh-authz
+ app.kubernetes.io/name: gh-authz
+ name: gh-authz
+spec:
+ ports:
+ - name: gin
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ app.kubernetes.io/instance: gh-authz
+ app.kubernetes.io/name: gh-authz
+ type: ClusterIP
\ No newline at end of file
diff --git a/deployment/auth-service-argo.yaml b/deployment/authz-argo.yaml
similarity index 89%
rename from deployment/auth-service-argo.yaml
rename to deployment/authz-argo.yaml
index 770f378..a0ddcfe 100644
--- a/deployment/auth-service-argo.yaml
+++ b/deployment/authz-argo.yaml
@@ -1,12 +1,12 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
- name: gh-auth-service
+ name: gh-authz
 spec:
 project: generations-heritage-vv
 source:
 repoURL: 'https://github.com/vcscsvcscs/GenerationsHeritage'
- path: deployment/auth-service
+ path: deployment/authZ
 targetRevision: main
 kustomize:
 namespace: generations-heritage