Created
April 23, 2024 09:23
-
-
Save guilhem/6fdc9e31f537f8355954cb87e871b662 to your computer and use it in GitHub Desktop.
stack for a oauth2 auth proxy with EntraID (Azure AD) in front of all services on a kubernetes cluster
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: cert-manager.io/v1 | |
| kind: ClusterIssuer | |
| metadata: | |
| name: letsencrypt-production | |
| namespace: cert-manager | |
| spec: | |
| acme: | |
| # You must replace this email address with your own. | |
| # Let's Encrypt will use this to contact you about expiring | |
| # certificates, and issues related to your account. | |
| email: {myemail}@{MYDOMAIN}.com | |
| server: https://acme-v02.api.letsencrypt.org/directory | |
| privateKeySecretRef: | |
| # Secret resource that will be used to store the account's private key. | |
| name: letsencrypt-production-key | |
| # Add a single challenge solver, HTTP01 using nginx | |
| solvers: | |
| - http01: | |
| ingress: | |
| ingressClassName: nginx |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: redis.redis.opstreelabs.in/v1beta2 | |
| kind: Redis | |
| metadata: | |
| name: oauth2-proxy-sessions-store | |
| namespace: oauth2-proxy | |
| spec: | |
| kubernetesConfig: | |
| image: quay.io/opstree/redis:v7.2.3 | |
| redisSecret: | |
| name: oauth2-proxy-sessions-store | |
| key: password | |
| podSecurityContext: | |
| runAsUser: 1000 | |
| fsGroup: 1000 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| repositories: | |
| - name: ingress-nginx | |
| url: https://kubernetes.github.io/ingress-nginx | |
| - name: oauth2-proxy | |
| url: https://oauth2-proxy.github.io/manifests | |
| - name: ot-helm | |
| url: https://ot-container-kit.github.io/helm-charts/ | |
| - name: jetstack | |
| url: https://charts.jetstack.io | |
| releases: | |
| - name: ingress-nginx | |
| namespace: ingress-nginx | |
| chart: ingress-nginx/ingress-nginx | |
| version: 4.10.0 | |
| set: | |
| - name: controller.config.global-auth-url | |
| value: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth | |
| - name: controller.config.global-auth-signin | |
| value: https://auth.{MYDOMAIN}.com/oauth2/start | |
| - name: controller.config.global-auth-request-redirect | |
| value: $scheme://$host$request_uri | |
| - name: controller.config.global-auth-response-headers | |
| value: "X-Auth-Request-Email, X-Auth-Request-Name, Authorization, X-Auth-Request-Groups" | |
| - name: controller.service.externalTrafficPolicy | |
| value: Local | |
| # Default behavior | |
| # - name: controller.service.no-auth-locations | |
| # value: /.well-known/acme-challenge | |
| - name: oauth2-proxy | |
| namespace: oauth2-proxy | |
| chart: oauth2-proxy/oauth2-proxy | |
| version: 7.4.1 | |
| values: | |
| - values.oauth2-proxy.yaml | |
| - name: redis-operator | |
| namespace: redis-operator | |
| chart: ot-helm/redis-operator | |
| version: 0.15.9 | |
| set: | |
| - name: certManager.enabled | |
| value: true | |
| - name: cert-manager | |
| namespace: cert-manager | |
| chart: jetstack/cert-manager | |
| version: v1.14.4 | |
| wait: true | |
| set: | |
| - name: installCRDs | |
| value: true | |
| - name: prometheus.enabled | |
| value: false | |
| - name: ingressShim.defaultIssuerName | |
| value: letsencrypt-production | |
| - name: ingressShim.defaultIssuerKind | |
| value: ClusterIssuer |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| config: | |
| existingSecret: "oauth2-proxy-config" | |
| # kubectl -n oauth2-proxy create secret generic oauth2-proxy-config --from-literal=client-id=UUID --from-literal=client-secret=UUID --from-literal=cookie-secret=$(openssl rand -base64 32 | head -c 32 | base64) | |
| extraArgs: | |
| provider: "azure" | |
| azure-tenant: "{TENANT UUID}" | |
| oidc-issuer-url: "https://login.microsoftonline.com/{TENANT UUID}/v2.0" | |
| email-domain: "{MYDOMAIN}.com" | |
| prefer-email-to-user: true | |
| pass-user-headers: true | |
| whitelist-domain: ".{MYDOMAIN}.com" | |
| cookie-domain: ".{MYDOMAIN}.com" | |
| reverse-proxy: true | |
| set-xauthrequest: true | |
| set-authorization-header: true | |
| trusted-ip: "{POD_CIDR}" | |
| ingress: | |
| enabled: true | |
| hosts: | |
| - auth.{MYDOMAIN}.com | |
| annotations: | |
| nginx.ingress.kubernetes.io/enable-global-auth: "false" | |
| cert-manager.io/cluster-issuer: "letsencrypt-production" | |
| className: nginx | |
| tls: | |
| - secretName: oauth2-proxy-tls | |
| hosts: | |
| - auth.{MYDOMAIN}.com | |
| sessionStorage: | |
| type: redis | |
| redis: | |
| existingSecret: "oauth2-proxy-sessions-store" | |
| passwordKey: password | |
| standalone: | |
| connectionUrl: "redis://oauth2-proxy-sessions-store:6379" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment