add forward-auth helm chart

ictsc · Oct 23, 2024 · 6804d2c · 6804d2c
1 parent 0040629
commit 6804d2c
Show file tree

Hide file tree

Showing 12 changed files with 128 additions and 0 deletions.
diff --git a/dev/cspell/dictionary.txt b/dev/cspell/dictionary.txt
@@ -71,6 +71,7 @@ swapoff
 swaptotal
 tflint
 tfstate
+thomseddon
 traefik
 virtualenvs
 vyos

diff --git a/manifest/infrastructure/traefik/env/dev/forward-auth.yaml b/manifest/infrastructure/traefik/env/dev/forward-auth.yaml
@@ -0,0 +1,2 @@
+domains:
+  - drove-dev.ictsc.net
diff --git a/manifest/infrastructure/traefik/env/prod/forward-auth.yaml b/manifest/infrastructure/traefik/env/prod/forward-auth.yaml
@@ -0,0 +1,2 @@
+domains:
+  - drove.ictsc.net
diff --git a/manifest/infrastructure/traefik/forward-auth/.helmignore b/manifest/infrastructure/traefik/forward-auth/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/manifest/infrastructure/traefik/forward-auth/Chart.yaml b/manifest/infrastructure/traefik/forward-auth/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: forward-auth
+description: Traefik Forward Auth Template
+type: application
+version: 0.1.0
+icon: https://icttoracon.net/wp-content/uploads/2023/04/favicon-75x75.png
+maintainers:
+  - name: ictsc
diff --git a/manifest/infrastructure/traefik/forward-auth/ci/ci-values.yaml b/manifest/infrastructure/traefik/forward-auth/ci/ci-values.yaml
@@ -0,0 +1,4 @@
+issuer: http://dex.dex:5556
+domains:
+  - drove-dev.ictsc.net
+  - drove.ictsc.net
diff --git a/manifest/infrastructure/traefik/forward-auth/templates/deployment.yaml b/manifest/infrastructure/traefik/forward-auth/templates/deployment.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      containers:
+        - name: forward-auth
+          image: thomseddon/traefik-forward-auth:latest
+          ports:
+            - containerPort: 4181
+          args:
+{{- range $i, $domain := .Values.domains }}
+            - --cookie-domain={{ . }}
+{{- end }}
+            - --default-provider=dex-client
+            - --providers.oidc.issuer-url={{ .Values.issuer }}
+            - --providers.oidc.client-id=forward-auth
+          env:
+            - name: PROVIDERS_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client-secret
+                  name: github-app
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: secret
+                  name: {{ .Release.Name }}
+          resources:
+            limits:
+              cpu: 500m
+              memory: 512Mi
diff --git a/manifest/infrastructure/traefik/forward-auth/templates/middleware.yaml b/manifest/infrastructure/traefik/forward-auth/templates/middleware.yaml
@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://{{ .Release.Name }}:4181
+    authResponseHeaders:
+      - X-Forwarded-User
diff --git a/manifest/infrastructure/traefik/forward-auth/templates/secret.yaml b/manifest/infrastructure/traefik/forward-auth/templates/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}
+type: Opaque
+data:
+  secret: {{ randAlphaNum 32 | b64enc }}
diff --git a/manifest/infrastructure/traefik/forward-auth/templates/service.yaml b/manifest/infrastructure/traefik/forward-auth/templates/service.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  selector:
+    app: {{ .Release.Name }}
+  ports:
+    - port: 4181
diff --git a/manifest/infrastructure/traefik/forward-auth/values.yaml b/manifest/infrastructure/traefik/forward-auth/values.yaml
@@ -0,0 +1,8 @@
+# Default values for ingress.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# (required) 認証サーバのURL
+issuer:
+# (required) クッキーを発行したいドメインを配列で指定
+domains:
diff --git a/manifest/infrastructure/traefik/helmfile.yaml b/manifest/infrastructure/traefik/helmfile.yaml
@@ -24,5 +24,19 @@ releases:
     version: 0.1.0
     values:
       - env/{{ .Environment.Name }}/ingress.yaml
+  - name: forward-auth
+    namespace: traefik
+    chart: ./forward-auth
+    version: 0.1.0
+    values:
+      - env/{{ .Environment.Name }}/forward-auth.yaml
+      - issuer: http://dex.dex:5556
+  - name: forward-auth-admin
+    namespace: traefik
+    chart: ./forward-auth
+    version: 0.1.0
+    values:
+      - env/{{ .Environment.Name }}/forward-auth.yaml
+      - issuer: http://dex-admin.dex:5556
   - name: local-charts
     chart: ./local