Merge pull request #1 from kerberos-io/feature/add-support-for-oauth2-proxy

cedricve · web-flow · commit 5a506cfe6a25 · 2024-10-04T14:26:04.000+02:00
Feature/add support for oauth2 proxy
diff --git a/.github/workflows/pr-description.yml b/.github/workflows/pr-description.yml
@@ -0,0 +1,19 @@
+name: Autofill PR description
+
+on: pull_request
+
+jobs:
+  openai-pr-description:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Autofill PR description if empty using OpenAI
+        uses: cedricve/azureopenai-pr-description@master
+        with:
+          github_token: ${{ secrets.TOKEN }}
+          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+          azure_openai_api_key: ${{ secrets.AZURE_OPENAI_API_KEY }}
+          azure_openai_endpoint: ${{ secrets.AZURE_OPENAI_ENDPOINT }}
+          azure_openai_version: ${{ secrets.AZURE_OPENAI_VERSION }}
+          overwrite_description: true
diff --git a/charts/hub/Chart.yaml b/charts/hub/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.56.0
+version: 0.57.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/hub/templates/kerberos-hub/hub-api.yaml b/charts/hub/templates/kerberos-hub/hub-api.yaml
@@ -140,7 +140,7 @@ spec:
             - name: READ_ONLY
               value: "{{ .Values.readonly }}"
             - name: SUPPORT_ENABLED
-              value: "{{ .Values.kerberoshub.support }}"
+              value: "{{ .Values.kerberoshub.support.enabled }}"
             - name: CLOUD_API_URL
               value: "{{ .Values.kerberoshub.api.url }}"
             - name: API_URL
diff --git a/charts/hub/templates/kerberos-hub/hub-frontend.yaml b/charts/hub/templates/kerberos-hub/hub-frontend.yaml
@@ -23,6 +23,10 @@ metadata:
   name: hub-frontend-ingress
   annotations:
     kubernetes.io/ingress.class: {{ .Values.ingress }}
+    {{ if .Values.kerberoshub.oauth2Proxy.enabled }}
+    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+    {{- end }}
     {{- if eq .Values.ingress "nginx" }}
     kubernetes.io/tls-acme: "true"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -99,6 +103,38 @@ spec:
               servicePort: 80
     {{- end }}
   {{ end }}
+{{- if .Values.kerberoshub.oauth2Proxy.enabled -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oauth2-proxy
+  namespace: kube-system
+  annotations:
+    kubernetes.io/ingress.class: {{ .Values.ingress }}
+    {{- if eq .Values.ingress "nginx" }}
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: {{ .Values.kerberoshub.frontend.url }}
+      http:
+        paths:
+          - path: /oauth2
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy
+                port:
+                  number: 4180
+  tls:
+    - hosts:
+        - {{ .Values.kerberoshub.frontend.url }}
+      secretName: oauth2-proxy-tls
+{{- end -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml b/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml
@@ -0,0 +1,65 @@
+{{- if .Values.kerberoshub.oauth2Proxy.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        k8s-app: oauth2-proxy
+    spec:
+      containers:
+        - args:
+            - --provider=github
+            - --email-domain=*
+            - --upstream=file:///dev/null
+            - --http-address=0.0.0.0:4180
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              value: "{{ .Values.kerberoshub.oauth2Proxy.clientId }}"
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              value: "{{ .Values.kerberoshub.oauth2Proxy.clientSecret }}"
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              value: "{{ .Values.kerberoshub.oauth2Proxy.cookieSecret }}"
+            - name: OAUTH2_PROXY_GITHUB_ORG
+              value: "{{ .Values.kerberoshub.oauth2Proxy.githubOrg }}"
+            - name: OAUTH2_PROXY_GITHUB_TEAM
+              value: "{{ .Values.kerberoshub.oauth2Proxy.githubTeam }}"
+          image: quay.io/oauth2-proxy/oauth2-proxy:latest
+          imagePullPolicy: Always
+          name: oauth2-proxy
+          ports:
+            - containerPort: 4180
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 100m
+              memory: 50Mi
+            requests:
+              cpu: 100m
+              memory: 50Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: kube-system
+spec:
+  ports:
+    - name: http
+      port: 4180
+      protocol: TCP
+      targetPort: 4180
+  selector:
+    k8s-app: oauth2-proxy
+{{- end -}}
diff --git a/charts/hub/values.yaml b/charts/hub/values.yaml
@@ -19,7 +19,8 @@ licenseServer:
 #  - name: regcred
 
 # Environment: set to 'production', 'develop', 'demo', 'staging' or 'acceptance'.
-# Set to 'true' if this is a private deployment.
+# Change the environment to 'staging' or 'acceptance' will add a banner on the 
+# front-end, to indicate the environment.
 environment: "production"
 
 # Set to 'true' if this is a private deployment.
@@ -65,17 +66,17 @@ queueName: "kcloud-event-queue" # This is the topic to which all events are send
 # RabbitMQ can be installed in the same cluster using a helm chart, or you can
 # use a service on  cloud provider like AWS, GCP, Azure, etc.
 rabbitmq:
-  host: "rabbitmq.rabbitmq:5672" # can be internal dns name or external
+  host: "<rabbitmq.rabbitmq:5672>" # can be internal dns name or external
   #host: "amqps://b-xxx-xxx-xxx-xxx-xxx.mq.eu-central-1.amazonaws.com:5671"
-  username: "yourusername"
-  password: "yourpassword"
+  username: "<yourusername>"
+  password: "<yourpassword>"
   exchange: ""
 
 # If you already have a Kafka cluster you might use this instead of RabbitMQ.
 kafka:
-  broker: "kafka1.yourdomain.com:9094" # can be internal dns name or external
-  username: "yourusername"
-  password: "yourpassword"
+  broker: "<kafka1.yourdomain.com:9094>" # can be internal dns name or external
+  username: "<yourusername>"
+  password: "<yourpassword>"
   mechanism: "PLAIN"
   security: "SASL_PLAINTEXT"
 
@@ -150,8 +151,6 @@ email:
 # Kerberos hub properly working.
 
 kerberoshub:
-  # Enables the support environment.
-  support: false
   api:
     repository: kerberos/hub-api
     pullPolicy: IfNotPresent
@@ -178,37 +177,37 @@ kerberoshub:
     #legacyUrl: "api.legacy.yourdomain.com"
 
     # MFA issuer name
-    mfaIssuer: "Kerberos.io"
+    mfaIssuer: "<yourdomain.com>"
 
     # Admin API's are made available for automation of Kerberos Hub.
     # To access those API's (e.g. creation of owner users), an API key needs to be provided.
-    apiKey: "a-random-admin-api-key"
+    apiKey: "<a-random-admin-api-key>"
 
     ## Certificates
     tls:
       - hosts:
-          - "api.yourdomain.com"
+          - "<api.yourdomain.com>"
         secretName: kerberoshub-api
       #- hosts:
       #    - "api.legacy.yourdomain.com"
       #  secretName: kerberoshub-api-legacy
       - hosts:
-          - "admin.api.yourdomain.com"
+          - "<admin.api.yourdomain.com>"
         secretName: kerberoshub-admin
     language: "english"
     fallbackLanguage: "english"
     # Legacy (reseller) it is possible to link to AWS S3 and IAM (however Kerberos Vault is now the recommended option).
     # This is primarily used for creation of subscriptions, and not needed if you are using mainly Kerberos Vault.
     aws:
-      region: "xxx"
-      bucket: "xxx"
-      accessKey: "xxx"
-      secretKey: "xxx"
+      region: "<xxx>"
+      bucket: "<xxx>"
+      accessKey: "<xxx>"
+      secretKey: "<xxx>"
     stripe: # We use stripe for billing, so it's possible to resell Kerberos Hub if agreed.
-      privateKey: "xxx"
+      privateKey: "<xxx>"
     slack: # Slack is used in the api, to send logs to a specific Slack channel.
       enabled: "true"
-      hook: "yourslackhook" # https://hooks.slack.com/services/T08Q2Q9V5/xxKT/JALxxAk26bHtuqTfZ
+      hook: "<yourslackhook>" # https://hooks.slack.com/services/T08Q2Q9V5/xxKT/JALxxAk26bHtuqTfZ
       username: "Kerberos Hub" # The slack username
     elasticsearch: # Logs of the kerberos hub will be send to an elastic search cluster.
       enabled: "false"
@@ -347,6 +346,18 @@ kerberoshub:
     navigationLinkTitle5: ""
     navigationLinkUrl5: ""
 
+  support:
+    enabled: false
+
+  oauth2Proxy:
+    enabled: false
+    github:
+      clientId: "<github-client-id>"
+      clientSecret: "<github-client-secret>"
+      cookieSecret: "<generate-a-random-cookie-secret>"
+      organization: "<github-organization>"
+      team: "<github-team>"
+
   cleanup:
     repository: kerberos/hub-cleanup
     pullPolicy: IfNotPresent
