Add fobsvr

kustomization.yaml

@@ -7,6 +7,10 @@ images:
   newName: docker.io/docuseal/docuseal
   digest: sha256:0e38d295c72f415ec647e8bfb52263703beb78ca725b2b67e52d0eb8e2bf1586
 
+- name: fobsvr
+  newName: ghcr.io/thelab-ms/fobsvr
+  newTag: "main-fb4208c"
+
 - name: frigate
   newName: ghcr.io/blakeblackshear/frigate
   newTag: "0.12.1"
@@ -61,6 +65,7 @@ resources:
   - manifests/cert-manager.yaml
   - manifests/contour.ext.yaml
   - manifests/docuseal.yaml
+  - manifests/fobsvr.yaml
   - manifests/frigate.yaml
   - manifests/gliderbot.yaml
   - manifests/grafana.yaml

manifests/cert-manager.yaml

@@ -54,3 +54,41 @@ spec:
   commonName: "*.apps.thelab.ms"
   dnsNames:
     - "*.apps.thelab.ms"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: internal-ca
+spec:
+  selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: internal-ca
+spec:
+  isCA: true
+  commonName: thelab-internal-ca
+  secretName: internal-ca
+  duration: 927100h
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: internal-ca
+    kind: Issuer
+    group: cert-manager.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: internal
+spec:
+  ca:
+    secretName: internal-ca

manifests/fobsvr.yaml

@@ -0,0 +1,119 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fobsvr
+  labels:
+    app: fobsvr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fobsvr
+  template:
+    metadata:
+      labels:
+        app: fobsvr
+    spec:
+      containers:
+      - name: svc
+        image: fobsvr
+        args:
+          - --callback-url=http://fobsvr.default.svc.cluster.local
+          - --keycloak-url=https://keycloak.apps.thelab.ms
+          - --keycloak-group-id=4eea9c17-f9b1-41eb-8f25-721ae04b66f6
+        volumeMounts:
+          - name: keycloak-creds
+            mountPath: /var/lib/keycloak
+          - name: root-ca
+            mountPath: /etc/ssl/certs
+        readinessProbe:
+          initialDelaySeconds: 2
+          periodSeconds: 5
+          httpGet:
+            path: /healthz
+            port: 8080
+
+      volumes:
+        - name: keycloak-creds
+          csi:
+            driver: identity.keycloak.org
+            volumeAttributes:
+              clientID: access-controller
+        - name: root-ca
+          hostPath:
+            path: /etc/ssl/certs/
+            type: Directory
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: fobsvr
+spec:
+  type: ClusterIP
+  selector:
+      app: fobsvr
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 8080
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fobsvr
+spec:
+  secretName: fobsvr-cert
+  duration: 927100h
+  issuerRef:
+    name: internal
+    kind: Issuer
+    group: cert-manager.io
+  commonName: "fobs.apps.thelab.ms"
+  dnsNames:
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fobsvr-client
+spec:
+  secretName: fobsvr-client-cert
+  duration: 927100h
+  issuerRef:
+    name: internal
+    kind: Issuer
+    group: cert-manager.io
+  commonName: "fobsvr-client"
+  usages:
+    - client auth
+
+---
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: fobsvr
+spec:
+  virtualhost:
+    fqdn: fobs.apps.thelab.ms
+    rateLimitPolicy:
+      local:
+        requests: 50
+        unit: second
+        burst: 50
+    tls:
+      secretName: fobsvr-cert
+      clientValidation:
+        caSecret: internal-ca
+  routes:
+    - conditions:
+      - prefix: /
+      services:
+        - name: fobsvr
+          port: 80