From 3c6d0d857dcad514b832d478e44e7a60f564590c Mon Sep 17 00:00:00 2001 From: Mike Lambert Date: Fri, 12 Mar 2021 15:49:21 -0600 Subject: [PATCH] Fix / Enable OAuth configuration (#24) * Remove duplicate /dashboard ingress path This fixes /cauth and SSO with oauth2-proxy * Enable OAuth2 configuration via Helm chart values.yaml * Simplify ingress configuration considerably * Expose admin port internally if oauth enabled * Fix auth-repsonse-headers annotation name, fix hard-coded secret name * Fix default values.yaml entry for auth_response_headers * Remove port mapping for 30002 Added a secure endpoint that can run on the usual 30001 instead * Include root Ingress (where did this go??) --- templates/config.yaml | 1 - templates/ingress.yaml | 76 ++++++++++++++++++++++++------------------ values.yaml | 7 ++-- 3 files changed, 47 insertions(+), 37 deletions(-) diff --git a/templates/config.yaml b/templates/config.yaml index 3010ec4..8b34888 100644 --- a/templates/config.yaml +++ b/templates/config.yaml @@ -11,7 +11,6 @@ data: workbench.ingress.tls.enable: "true" workbench.ingress.tls.cluster_issuer: "{{ default "" .Values.certmgr.cluster_issuer }}" workbench.ingress.tls.issuer: "{{ default "" .Values.certmgr.issuer }}" - workbench.ingress.tls.namespace: "{{ default "" .Values.certmgr.namespace }}" # Customize this instance of Workbench workbench.subdomain_prefix: "{{ .Values.workbench.subdomain_prefix }}" diff --git a/templates/ingress.yaml b/templates/ingress.yaml index c5fefd7..b8c3049 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml 
@@ -6,10 +6,14 @@ metadata:
 namespace: {{ .Release.Namespace }}
 annotations:
 kubernetes.io/ingress.class: "nginx"
-{{ if .Values.workbench.subdomain_prefix }} nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/cauth/auth"
- nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/login/"
-{{ else }} nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.workbench.domain }}/cauth/auth"
- nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.workbench.domain }}/login/"{{ end }}
+{{ if .Values.oauth.enabled | default false }}
+ nginx.ingress.kubernetes.io/auth-url: "{{ .Values.oauth.auth_url | default "https://$host/cauth/auth" }}"
+ nginx.ingress.kubernetes.io/auth-signin: "{{ .Values.oauth.signin_url | default "https://$host/login/" }}"
+ nginx.ingress.kubernetes.io/auth-response-headers: "{{ .Values.oauth.auth_response_headers | default "x-auth-request-user, x-auth-request-email" }}"
+{{ else }}
+ nginx.ingress.kubernetes.io/auth-url: "https://$host/cauth/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://$host/login/"
+{{ end }}
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
@@ -17,9 +21,13 @@ spec:
 - hosts:
 - {{ .Values.workbench.domain }}
 - '*.{{ .Values.workbench.domain }}'
- secretName: {{ .Values.tls.secretName }}-auth
+ secretName: {{ .Values.tls.secretName }}
 rules:
-{{ if .Values.workbench.subdomain_prefix }} - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}{{ else }} - host: {{ .Values.workbench.domain }}{{ end }}
+{{ if .Values.workbench.subdomain_prefix }}
+ - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}
+{{ else }}
+ - host: {{ .Values.workbench.domain }}
+{{ end }}
 http:
 paths:
 - path: /logs
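Review bot: The new `auth-url` and `auth-signin` values (both the `.Values.oauth.*` defaults and the `{{ else }}` branch) build their host from nginx's `$host`, i.e. the request's Host header, where the removed lines used the templated `.Values.workbench.domain`; that is bounded only because the `rules:` entry in the next hunk pins `host:`, so the sign-in redirect target cannot be steered by a client while that rule exists. A comment above `{{ if .Values.oauth.enabled | default false }}` such as `# $host is substituted by ingress-nginx per request; safe only while rules[].host below is set` would record the dependency, since the `tls:` block also lists the wildcard `*.{{ .Values.workbench.domain }}`. The `auth-response-headers` list names headers that, presumably, the backend reads as the caller's identity; the second Ingress in this file (hunk at the next line, which carries no `auth-url`) routes to the same `{{ .Release.Name }}` service, so headers with those names arriving on its paths are client-supplied and the backend must not honour them there — worth confirming against the backend. As a style point, `{{ if` / `{{ else }}` / `{{ end }}` at column 0 without trim markers leave blank lines in the rendered manifest; `{{- if ... }}` / `{{- else }}` / `{{- end }}` avoid that, here and in the same blocks in the following two ingress hunks.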
@@ -44,6 +52,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 annotations:
 kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/app-root: "/landing/"
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 spec:
@@ -51,74 +60,65 @@ spec:
 - hosts:
 - {{ .Values.workbench.domain }}
 - '*.{{ .Values.workbench.domain }}'
+ secretName: {{ .Values.tls.secretName }}
 rules:
-{{ if .Values.workbench.subdomain_prefix }} - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}{{ else }} - host: {{ .Values.workbench.domain }}{{ end }}
+{{ if .Values.workbench.subdomain_prefix }}
+ - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}
+{{ else }}
+ - host: {{ .Values.workbench.domain }}
+{{ end }}
 http:
 paths:
- - path: /api
+ - path: /api/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 30001
- - path: /login
- pathType: Prefix
- backend:
- service:
- name: {{ .Release.Name }}
- port:
- number: 80
- - path: /landing
- pathType: Prefix
- backend:
- service:
- name: {{ .Release.Name }}
- port:
- number: 80
- - path: /cauth
+ - path: /login/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 80
- - path: /shared
+ - path: /landing/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 80
- - path: /bower_components
+ - path: /cauth/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 80
- - path: /node_modules
+ - path: /shared/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 80
- - path: /asset
+ - path: /node_modules/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 80
- - path: /swagger.yaml
+ - path: /asset/
 pathType: Prefix
 backend:
 service:
 name: {{ .Release.Name }}
 port:
 number: 80
- - path: /ConfigModule.js
+ - path: /
 pathType: Prefix
 backend:
 service:
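Review bot: The new `- path: /` Prefix entry at the end of the second hunk turns this Ingress from an explicit allowlist (`/login`, `/landing`, `/cauth`, `/shared`, `/bower_components`, `/node_modules`, `/asset`, `/swagger.yaml`, `/ConfigModule.js` on the old side) into a catch-all to port 80, and this Ingress has no `auth-url` annotation (the first hunk shows only the class, `app-root` and the SSL redirects), so everything the port-80 service serves is now reachable through the ingress without the `/cauth/auth` subrequest that the first Ingress applies. If the port-80 service is expected to enforce its own login on every route, state that above the entry, e.g. `# catch-all: the port-80 service performs its own auth; no ingress-level auth-url on this Ingress`; otherwise keep the explicit path list. The `/api/` → 30001 entry stays unauthenticated at the ingress layer as it was before the change, which is consistent with the commit message only if that port is meant to be reachable this way — worth confirming. The added trailing slashes are cosmetic for Kubernetes `Prefix` matching, which is element-wise, so they are not themselves a concern. The last path entry continues past the hunk (its `port:` lines are outside).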
@@ -131,15 +131,27 @@ kind: Ingress
 metadata:
 annotations:
 kubernetes.io/ingress.class: "nginx"
-{{ if .Values.certmgr.cluster_issuer }} cert-manager.io/cluster-issuer: "{{ .Values.certmgr.cluster_issuer }}"{{ else if .Values.certmgr.issuer }} cert-manager.io/issuer: "{{ .Values.certmgr.issuer }}"{{ end }}
+{{ if .Values.certmgr.cluster_issuer }}
+ cert-manager.io/cluster-issuer: "{{ .Values.certmgr.cluster_issuer }}"
+{{ else if .Values.certmgr.issuer }}
+ cert-manager.io/issuer: "{{ .Values.certmgr.issuer }}"
+{{ end }}
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
-{{ if .Values.workbench.subdomain_prefix }} nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/landing/"{{ else }} nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.domain }}/landing/"{{ end }}
+{{ if .Values.workbench.subdomain_prefix }}
+ nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}/landing/"
+{{ else }}
+ nginx.ingress.kubernetes.io/permanent-redirect: "https://{{ .Values.workbench.domain }}/landing/"
+{{ end }}
 name: {{ .Release.Name }}-root
 namespace: {{ .Release.Namespace }}
 spec:
 rules:
-{{ if .Values.workbench.subdomain_prefix }} - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}{{ else }} - host: {{ .Values.workbench.domain }}{{ end }}
+{{ if .Values.workbench.subdomain_prefix }}
+ - host: {{ .Values.workbench.subdomain_prefix }}.{{ .Values.workbench.domain }}
+{{ else }}
+ - host: {{ .Values.workbench.domain }}
+{{ end }}
 http:
 paths:
 - backend:
diff --git a/values.yaml b/values.yaml
index 3549881..e7429f1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -45,16 +45,15 @@ workbench: timeout: 30 inactivity_timeout: 480 -# FIXME: This has not been tested oauth: enabled: false - signin_url: "" - auth_url: "" + signin_url: "https://$host/login/" + auth_url: "https://$host/cauth/auth" + auth_response_headers: "x-auth-request-user, x-auth-request-email" # , x-auth-request-access-token, x-auth-request-redirect, x-auth-request-preferred-username" certmgr: cluster_issuer: "acmedns-issuer" issuer: "" - namespace: "" rbac: enabled: true
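Review bot: The new `auth_url` and `signin_url` defaults are exactly the endpoints the ingress template's `{{ else }}` branch uses when OAuth is off, so `enabled: true` without overriding them changes only the `auth-response-headers` annotation and does not route authentication through an external provider; a comment above them should say so, e.g. `# Point these at your OAuth proxy's auth and sign-in endpoints; the defaults reproduce the built-in /cauth login.`. `$host` in these values is an ingress-nginx variable substituted at request time, not a Helm value, which deserves a one-line comment because a reader of values.yaml alone cannot tell. The trailing comment on `auth_response_headers` ends with a stray `"`, and if `x-auth-request-access-token` is ever moved from that comment into the live list, note that it forwards the bearer token to the backend on every request, which widens what a backend compromise exposes.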