Fix / Enable OAuth configuration (#24)
* Remove duplicate /dashboard ingress path

This fixes /cauth and SSO with oauth2-proxy

* Enable OAuth2 configuration via Helm chart values.yaml

* Simplify ingress configuration considerably

* Expose admin port internally if oauth enabled

* Fix auth-response-headers annotation name, fix hard-coded secret name

* Fix default values.yaml entry for auth_response_headers

* Remove port mapping for 30002

Added a secure endpoint that can run on the usual 30001 instead

* Include root Ingress (where did this go??)
bodom0015 authored Mar 12, 2021
1 parent 486d070 commit 3c6d0d8
Showing 3 changed files with 47 additions and 37 deletions.
1 change: 0 additions & 1 deletion templates/config.yaml
@@ -11,7 +11,6 @@ data:
workbench.ingress.tls.enable: "true"
workbench.ingress.tls.cluster_issuer: "{{ default "" .Values.certmgr.cluster_issuer }}"
workbench.ingress.tls.issuer: "{{ default "" .Values.certmgr.issuer }}"
workbench.ingress.tls.namespace: "{{ default "" .Values.certmgr.namespace }}"

# Customize this instance of Workbench
workbench.subdomain_prefix: "{{ .Values.workbench.subdomain_prefix }}"
76 changes: 44 additions & 32 deletions templates/ingress.yaml
@@ -6,20 +6,28 @@ metadata:
namespace: {{ .Release.Namespace }}
annotations:
kubernetes.io/ingress.class: "nginx"
{{ if .Values.workbench.subdomain_prefix }} nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/cauth/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/login/"
{{ else }} nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.workbench.domain }}/cauth/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.workbench.domain }}/login/"{{ end }}
{{ if .Values.oauth.enabled | default false }}
nginx.ingress.kubernetes.io/auth-url: "{{ .Values.oauth.auth_url | default "https://$host/cauth/auth" }}"
nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.oauth.signin_url | default "https://$host/login/" }}"
nginx.ingress.kubernetes.io/auth-response-headers: "{{ .Values.oauth.auth_response_headers | default "x-auth-request-user, x-auth-request-email" }}"
{{ else }}
nginx.ingress.kubernetes.io/auth-url: "https://$host/cauth/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/login/"
{{ end }}
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- {{ .Values.workbench.domain }}
- '*.{{ .Values.workbench.domain }}'
secretName: {{ .Values.tls.secretName }}-auth
secretName: {{ .Values.tls.secretName }}
rules:
{{ if .Values.workbench.subdomain_prefix }} - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}{{ else }} - host: {{ .Values.workbench.domain }}{{ end }}
{{ if .Values.workbench.subdomain_prefix }}
- host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}
{{ else }}
- host: {{ .Values.workbench.domain }}
{{ end }}
http:
paths:
- path: /logs
@@ -44,81 +52,73 @@ metadata:
namespace: {{ .Release.Namespace }}
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/app-root: "/landing/"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- {{ .Values.workbench.domain }}
- '*.{{ .Values.workbench.domain }}'
secretName: {{ .Values.tls.secretName }}
rules:
{{ if .Values.workbench.subdomain_prefix }} - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}{{ else }} - host: {{ .Values.workbench.domain }}{{ end }}
{{ if .Values.workbench.subdomain_prefix }}
- host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}
{{ else }}
- host: {{ .Values.workbench.domain }}
{{ end }}
http:
paths:
- path: /api
- path: /api/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 30001
- path: /login
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /landing
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /cauth
- path: /login/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /shared
- path: /landing/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /bower_components
- path: /cauth/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /node_modules
- path: /shared/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /asset
- path: /node_modules/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /swagger.yaml
- path: /asset/
pathType: Prefix
backend:
service:
name: {{ .Release.Name }}
port:
number: 80
- path: /ConfigModule.js
- path: /
pathType: Prefix
backend:
service:
@@ -131,15 +131,27 @@ kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: "nginx"
{{ if .Values.certmgr.cluster_issuer }} cert-manager.io/cluster-issuer: "{{ .Values.certmgr.cluster_issuer }}"{{ else if .Values.certmgr.issuer }} cert-manager.io/issuer: "{{ .Values.certmgr.issuer }}"{{ end }}
{{ if .Values.certmgr.cluster_issuer }}
cert-manager.io/cluster-issuer: "{{ .Values.certmgr.cluster_issuer }}"
{{ else if .Values.certmgr.issuer }}
cert-manager.io/issuer: "{{ .Values.certmgr.issuer }}"
{{ end }}
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
{{ if .Values.workbench.subdomain_prefix }} nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/landing/"{{ else }} nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.domain }}/landing/"{{ end }}
{{ if .Values.workbench.subdomain_prefix }}
nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/landing/"
{{ else }}
nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.domain }}/landing/"
{{ end }}
name: {{ .Release.Name }}-root
namespace: {{ .Release.Namespace }}
spec:
rules:
{{ if .Values.workbench.subdomain_prefix }} - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}{{ else }} - host: {{ .Values.workbench.domain }}{{ end }}
{{ if .Values.workbench.subdomain_prefix }}
- host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}
{{ else }}
- host: {{ .Values.workbench.domain }}
{{ end }}
http:
paths:
- backend:
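Review bot: The `- path: /` entry with `pathType: Prefix` in the second Ingress sits under annotations that contain no `auth-url`, so every path on this host that the authenticated Ingress does not list explicitly is served without the auth subrequest; from the neighbouring `/swagger.yaml` and `/ConfigModule.js` entries it appears to replace an explicit list of public paths. That makes routing default-open: a backend route added later is public until someone adds it to the protected Ingress. Consider keeping the public Ingress as an allow-list (`/login/`, `/cauth/`, `/landing/`, the static asset paths) and putting the catch-all on the Ingress that carries the auth annotations, or at minimum mark it with a comment such as `# public catch-all: paths not listed on the authenticated Ingress are served without auth`. Because `auth-response-headers` is only set on the authenticated Ingress, requests arriving through this one reach the backend with whatever `x-auth-request-user` / `x-auth-request-email` the client sent, so the backend should not treat those headers as identity on these paths (whether it does is not visible here). The backend block for `/` continues past the end of the hunk.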
7 changes: 3 additions & 4 deletions values.yaml
@@ -45,16 +45,15 @@ workbench:
timeout: 30
inactivity_timeout: 480

# FIXME: This has not been tested
oauth:
enabled: false
signin_url: ""
auth_url: ""
signin_url: "https://$host/login/"
auth_url: "https://$host/cauth/auth"
auth_response_headers: "x-auth-request-user, x-auth-request-email" # , x-auth-request-access-token, x-auth-request-redirect, x-auth-request-preferred-username"

certmgr:
cluster_issuer: "acmedns-issuer"
issuer: ""
namespace: ""

rbac:
enabled: true
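Review bot: The `signin_url` and `auth_url` defaults under `oauth:` contain `$host`, which is an nginx variable expanded by the ingress controller at request time rather than a Helm value, and the block has no comment saying so. The same comment should state that `auth_url` must be an endpoint the operator controls, because ingress-nginx forwards the original request's headers, cookies included, to it on every authenticated request. Suggested wording above `oauth:`: `# $host is expanded by ingress-nginx per request; auth_url receives the user's request headers, so point it only at your own auth service`. The commented-out `x-auth-request-access-token` on the `auth_response_headers` line deserves a caution as well, since enabling it passes the user's OAuth access token to the upstream; the trailing `"` at the end of that comment looks like a leftover.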
