feat(auth): Adding traefik-forward-auth

This commit is contained in:
Vegard Hagen
2022-10-11 21:53:45 +02:00
parent c450934d77
commit 954ff94821
18 changed files with 302 additions and 73 deletions

.gitignore vendored

@@ -30,4 +30,5 @@ override.tf.json
.terraform.lock.hcl .terraform.lock.hcl
.idea .idea
certs/ certs/
**/secrets/*


@@ -4,3 +4,5 @@ https://kubernetes.io/docs/concepts/services-networking/service/
https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/ https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/
https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/getting-started https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/getting-started
https://www.smarthomebeginner.com/traefik-forward-auth-google-oauth-2022/


@@ -59,7 +59,7 @@ spec:
selector: selector:
app: qbittorrent app: qbittorrent
--- ---
## Deployment for Sonarr ## Deployment for QbitTorrent
kind: Deployment kind: Deployment
apiVersion: apps/v1 apiVersion: apps/v1
metadata: metadata:
@@ -369,8 +369,8 @@ spec:
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: ingressroute-arr
namespace: arr namespace: arr
name: ingressroute-arr
spec: spec:
entryPoints: entryPoints:
- websecure - websecure


@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: whoami
resources:
- namespace.yaml
- traefik-forward-auth
- whoami


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: whoami


@@ -0,0 +1,8 @@
rule.example_public.action=allow
rule.example_public.rule=Host("stats.stonegarden.dev") && PathPrefix("/api/public")
rule.example_api.action=allow
rule.example_api.rule=Host("api.stonegarden.dev") && Headers("X-API-Authorization", "a-long-api-key")
rule.example_api_query.action=allow
rule.example_api_query.rule=Host("api.stonegarden.dev") && && Query("api_key=a-long-api-key")
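Review bot: The last rule has a doubled operator, `Host("api.stonegarden.dev") && && Query("api_key=a-long-api-key")`, which is not a valid Traefik rule expression and will presumably either fail config parsing or never match; it should read `rule.example_api_query.rule=Host("api.stonegarden.dev") && Query("api_key=a-long-api-key")`. All three rules are `action=allow`, i.e. they skip the OAuth flow entirely for matching requests, and the two API rules gate that bypass on a key written in clear text into a file that the package kustomization elsewhere in this commit feeds into a ConfigMap, so if a real key ever replaces the `a-long-api-key` placeholder it would be committed to git and readable by anyone with ConfigMap access in the namespace. A query-string key additionally lands in access logs and browser history, which the header form does not. A one-line header comment stating the file's role would help: `# traefik-forward-auth rules: action=allow bypasses OAuth for matching requests; this file becomes a ConfigMap, not a Secret, so no real keys here`.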


@@ -0,0 +1,70 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
#serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
#- name: DOMAIN
# value: "gmail.com"
# INSECURE_COOKIE is required if not using a https entrypoint
#- name: INSECURE_COOKIE
# value: "true"
# Remove COOKIE_DOMAIN if not using auth host mode
- name: COOKIE_DOMAIN
value: "stonegarden.dev"
- name: AUTH_HOST
value: "auth.stonegarden.dev"
- name: LOG_LEVEL
value: "trace"
- name: WHITELIST
value: veghag@gmail.com
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: traefik-forward-auth-secrets
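Review bot: `LOG_LEVEL` is `trace` in the env block right after `AUTH_HOST`, in a manifest that is committed and applied as-is; at trace level an OAuth forward-auth proxy is likely to write request headers, cookies and redirect URLs into pod logs, which is exactly the session material this component guards, so set `value: "info"` (or `warn`) and raise it only while debugging. The `traefik-forward-auth-secrets` entry under `volumes:` is never referenced by a `volumeMounts` item (the three credentials already arrive via `secretKeyRef`), so it can be removed. The container uses the mutable tag `thomseddon/traefik-forward-auth:2` and declares no `securityContext` or `resources`; pinning the image by digest and adding a non-root, read-only-filesystem context is the usual hardening for an internet-facing auth component, and if the image turns out to run as root, `runAsNonRoot` will need an explicit `runAsUser`. The `subPath` mount also means later ConfigMap edits are not propagated to the running container, which deserves a comment next to `subPath:`.
```yaml
      containers:
        - image: thomseddon/traefik-forward-auth:2  # TODO: pin by digest (…:2@sha256:<digest-placeholder>)
          name: traefik-forward-auth
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
          # … unchanged: ports, env, volumeMounts …
      # … unchanged: volumes (minus the unused traefik-forward-auth-secrets entry) …
```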


@@ -0,0 +1,22 @@
#
# Auth Ingress
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.stonegarden.dev`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
middlewares:
- name: traefik-forward-auth
tls:
certResolver: letsencrypt
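Review bot: `labels: app: traefik` on this IngressRoute disagrees with the `app: traefik-forward-auth` used on the Deployment and Service in the same package, and the package kustomization applies `commonLabels: app: traefik-forward-auth`, so the literal here is presumably overwritten at build time and only misleads whoever reads the file; change it to `app: traefik-forward-auth`. Routing the auth host through the very `traefik-forward-auth` middleware it backs looks circular on first read; it is what auth-host mode needs (AUTH_HOST is set in the Deployment), so a comment above `middlewares:` such as `# auth-host mode: the auth host itself must pass through the middleware so the OAuth callback is handled` would save the next reader a trip to the docs.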


@@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: traefik-forward-auth
resources:
- deployment.yaml
- service.yaml
- ingress.yaml
- middleware.yaml
#
# Configs
#
configMapGenerator:
- name: configs
files:
- configs/traefik-forward-auth.ini
#
# Secrets
#
secretGenerator:
- name: traefik-forward-auth-secrets
envs:
- secrets/traefik-forward-auth.env
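Review bot: `secretGenerator` reads `secrets/traefik-forward-auth.env`, a path this commit's `.gitignore` hunk (`**/secrets/*`) excludes, so a fresh clone cannot `kustomize build` this package and nothing in the tree says which keys the file must contain. Add a committed `secrets/traefik-forward-auth.env.example` with empty values, or at least a comment on the generator: `# expects google-client-id, google-client-secret, secret (consumed by deployment.yaml secretKeyRef); the file is gitignored`. The ini fed to `configMapGenerator` holds forward-auth bypass rules whose matchers can embed API keys, and a ConfigMap is not a secret store, so it is worth a comment there that real keys must not go in that file. `commonLabels` is deprecated in favour of `labels` in recent kustomize releases (check the version in use), so expect a warning; behaviour is unchanged for now.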


@@ -0,0 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
authResponseHeaders:
- X-Forwarded-User
trustForwardHeader: true
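Review bot: `trustForwardHeader: true` tells Traefik to pass the request's existing `X-Forwarded-*` headers to the auth service rather than the values it derives from the connection, so the host and redirect decisions traefik-forward-auth makes are only as trustworthy as the entrypoint's handling of client-supplied forwarded headers (Traefik strips them by default unless `forwardedHeaders.insecure` or a broad `trustedIPs` is configured on the entrypoint). That precondition is not visible in this commit, so record it with a comment above `trustForwardHeader:` such as `# relies on the websecure entrypoint not trusting client-supplied X-Forwarded-* headers; keep forwardedHeaders settings in sync` and re-check it whenever a load balancer is placed in front of Traefik. `address` hardcodes the `whoami` namespace and plain `http://`; that is fine for in-cluster traffic, but since the traefik values hunk turns on `allowCrossNamespace` so other namespaces can reference this Middleware, a comment naming that dependency would help the next person who moves or renames the namespace.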


@@ -0,0 +1,16 @@
#
# Auth Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181


@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- image: containous/whoami
name: whoami
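Review bot: `image: containous/whoami` has no tag, so each rollout pulls whatever `latest` resolves to at that moment, and it names the old `containous` organisation whereas the Terraform resource being commented out in this same commit used `traefik/whoami`; use a pinned `traefik/whoami:<version>` (or a digest) so the two places agree and deployments are reproducible. The container declares no `ports:` while the whoami Service in this package targets port 80; adding `containerPort: 80` documents that assumption about the image. No securityContext is set, which is acceptable for a demo echo service but worth a comment so the manifest is not copied as a template for real workloads.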


@@ -0,0 +1,19 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
labels:
app: whoami
spec:
entryPoints:
- websecure
routes:
- match: Host(`whoami.stonegarden.dev`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: traefik-forward-auth
tls:
certResolver: letsencrypt


@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app: whoami
resources:
- service.yaml
- deployment.yaml
- ingress.yaml


@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami


@@ -3,8 +3,6 @@ apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: whoami name: whoami
label:
name: whoami
--- ---
# Service for exposing deployment of whoami # Service for exposing deployment of whoami
@@ -14,13 +12,13 @@ metadata:
namespace: whoami namespace: whoami
name: whoami name: whoami
spec: spec:
type: LoadBalancer type: ClusterIP
selector:
app: whoami
ports: ports:
- protocol: TCP - protocol: TCP
name: web name: web
port: 80 port: 80
selector:
app: whoami
--- ---
# Deployment of whoami # Deployment of whoami


@@ -9,6 +9,10 @@ deployment:
- name: data - name: data
mountPath: /data mountPath: /data
providers:
kubernetesCRD:
allowCrossNamespace: true
additionalArguments: additionalArguments:
- "--log.level=DEBUG" - "--log.level=DEBUG"
- "--api.insecure" - "--api.insecure"
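Review bot: `providers.kubernetesCRD.allowCrossNamespace: true` lets an IngressRoute in any namespace reference Services and Middlewares in every other namespace, which is a cluster-wide trust relaxation rather than a per-route grant, and the hunk does not say which route needs it. It is presumably there so IngressRoutes outside `whoami` can attach the `traefik-forward-auth` Middleware that lives in that namespace (its `address` hardcodes `whoami`); say so with a comment above the setting, e.g. `# needed so routes in other namespaces can reference the traefik-forward-auth Middleware in the whoami namespace`, and revisit it if namespaces are ever used as tenant boundaries on this cluster.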

main.tf

@@ -91,71 +91,71 @@ resource "helm_release" "traefik" {
} }
# --- whoami # --- whoami
resource "kubernetes_namespace" "whoami" { #resource "kubernetes_namespace" "whoami" {
metadata { # metadata {
name = "whoami" # name = "whoami"
} # }
} #}
#
resource "kubernetes_service" "whoami" { #resource "kubernetes_service" "whoami" {
metadata { # metadata {
name = "whoami" # name = "whoami"
namespace = kubernetes_namespace.whoami.metadata.0.name # namespace = kubernetes_namespace.whoami.metadata.0.name
} # }
spec { # spec {
selector = { # selector = {
app = kubernetes_deployment.whoami.spec.0.template.0.metadata.0.labels.app # app = kubernetes_deployment.whoami.spec.0.template.0.metadata.0.labels.app
} # }
#
type = "LoadBalancer" # type = "LoadBalancer"
port { # port {
protocol = "TCP" # protocol = "TCP"
name = "web" # name = "web"
port = 80 # port = 80
} # }
} # }
} #}
#
resource "kubernetes_deployment" "whoami" { #resource "kubernetes_deployment" "whoami" {
metadata { # metadata {
name = "whoami" # name = "whoami"
namespace = kubernetes_namespace.whoami.metadata.0.name # namespace = kubernetes_namespace.whoami.metadata.0.name
} # }
spec { # spec {
replicas = "2" # replicas = "2"
selector { # selector {
match_labels = { # match_labels = {
app = "whoami" # app = "whoami"
} # }
} # }
template { # template {
metadata { # metadata {
labels = { # labels = {
app = "whoami" # app = "whoami"
} # }
} # }
spec { # spec {
container { # container {
name = "whoami" # name = "whoami"
image = "traefik/whoami" # image = "traefik/whoami"
port { # port {
name = "web" # name = "web"
container_port = 80 # container_port = 80
} # }
} # }
} # }
} # }
} # }
} #}
#
resource "helm_release" "whoami" { #resource "helm_release" "whoami" {
name = "whoami" # name = "whoami"
repository = "https://charts.itscontained.io" # repository = "https://charts.itscontained.io"
chart = "raw" # chart = "raw"
version = "0.2.5" # version = "0.2.5"
#
values = [file("helm/whoami-values.yaml")] # values = [file("helm/whoami-values.yaml")]
} #}
//resource "kubernetes_namespace" "test" { //resource "kubernetes_namespace" "test" {
// metadata { // metadata {