feat: protect homepage with oidc logic
mrsimonemms committed Dec 4, 2024
1 parent 55807be commit c877304
Showing 6 changed files with 113 additions and 0 deletions.
3 changes: 3 additions & 0 deletions registry/clusters/dev/components/dex.yaml
Expand Up @@ -42,6 +42,9 @@ spec:
- op: replace
path: /spec/data/argocd_url
value: https://argocd.dev.simonemms.com
- op: replace
path: /spec/data/homepage_url
value: https://homepage.dev.simonemms.com
destination:
server: https://kubernetes.default.svc
namespace: dex
24 changes: 24 additions & 0 deletions registry/clusters/dev/components/homepage.yaml
Expand Up @@ -30,6 +30,30 @@ spec:
- op: replace
path: /spec/source/helm/valuesObject/ingress/main/annotations/cert-manager.io~1cluster-issuer
value: letsencrypt-staging
- target:
group: argoproj.io
version: v1alpha1
kind: Application
name: homepage-oidc
patch: |-
- op: replace
path: /spec/source/helm/valuesObject/ingress/hosts/0
value: homepage.dev.simonemms.com
- op: replace
path: /spec/source/helm/valuesObject/ingress/tls/0/hosts/0
value: homepage.dev.simonemms.com
- op: replace
path: /spec/source/helm/valuesObject/ingress/annotations/cert-manager.io~1cluster-issuer
value: letsencrypt-staging
- op: replace
path: /spec/source/helm/valuesObject/extraEnv/0/value
value: "false"
- op: replace
path: /spec/source/helm/valuesObject/extraEnv/1/value
value: https://oidc.dev.simonemms.com
- op: replace
path: /spec/source/helm/valuesObject/extraEnv/2/value
value: https://homepage.dev.simonemms.com/oauth2/callback
destination:
server: https://kubernetes.default.svc
namespace: homepage
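Review bot: `value: "false"` for `extraEnv/0/value` clears OAUTH2_PROXY_COOKIE_SECURE in dev even though the same patch keeps the proxy ingress on TLS (`tls/0/hosts/0` with letsencrypt-staging), so the session cookie becomes sendable over plain HTTP for no gain; the Secure flag does not depend on the issuer certificate being trusted, so dropping that one patch and leaving the base `"true"` is the safer choice. The three `extraEnv/N/value` paths also patch by list position, so reordering extraEnv in the base silently rewrites the wrong variable; a comment above the first of them such as `# indices follow the extraEnv order in registry/components/homepage/oauth2-proxy.yaml` makes that coupling visible. The homepage-oidc target starts inside the hunk, but the surrounding patches list continues outside it.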
2 changes: 2 additions & 0 deletions registry/components/dex/secret.yaml
Expand Up @@ -11,6 +11,7 @@ spec:
data:
base_url: https://oidc.simonemms.com
argocd_url: https://argocd.simonemms.com
homepage_url: https://homepage.simonemms.com
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
Expand Down Expand Up @@ -39,6 +40,7 @@ spec:
secret: {{ .oidc_client_secret }}
redirectURIs:
- {{ .argocd_url }}/auth/callback
- {{ .homepage_url }}/oauth2/callback
connectors:
- type: github
id: github
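Review bot: The new `{{ .homepage_url }}/oauth2/callback` redirect URI is added to the same static client whose `secret: {{ .oidc_client_secret }}` sits two lines above, so the homepage's oauth2-proxy and Argo CD appear to share one client ID and secret (the ExternalSecret in oauth2-proxy.yaml reads OIDC_CLIENT_ID and OIDC_CLIENT_SECRET); if that is the case, a compromise of either deployment yields credentials valid for the other, and a second static client with its own secret for the proxy would contain it. The client entry begins above this hunk, so its `id` and `name` are not visible here to confirm.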
2 changes: 2 additions & 0 deletions registry/components/homepage/application.yaml
Expand Up @@ -29,6 +29,8 @@ spec:
annotations:
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
ingressClassName: nginx
hosts:
- host: homepage.simonemms.com
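Review bot: The two auth annotations only work if an ingress serving `/oauth2` on the same host is synced alongside this one, which is what oauth2-proxy.yaml in this commit adds, but nothing in this file records that dependency; a comment above `auth-url`, e.g. `# auth subrequests go to the oauth2-proxy Application (oauth2-proxy.yaml), which serves /oauth2 on this host`, would make the coupling obvious to whoever next edits either file. Because `$host` routes the subrequest back through the public ingress, an unreachable proxy fails closed with an error rather than exposing the page, which is the right default. The ingress block starts above this hunk.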
1 change: 1 addition & 0 deletions registry/components/homepage/kustomization.yaml
Expand Up @@ -4,3 +4,4 @@ resources:
- application.yaml
- configmap.yaml
- namespace.yaml
- oauth2-proxy.yaml
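--- /dev/null
+++ b/registry/components/homepage/oauth2-proxy.yaml
@@ -0,0 +1,81 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homepage-oidc
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: oauth2-proxy
+    repoURL: https://oauth2-proxy.github.io/manifests
+    targetRevision: 7.8.1
+    helm:
+      valuesObject:
+        deploymentAnnotations:
+          secret.reloader.stakater.com/reload: oauth
+        extraEnv:
+          - name: OAUTH2_PROXY_COOKIE_SECURE
+            value: "true"
+          - name: OAUTH2_PROXY_OIDC_ISSUER_URL
+            value: https://oidc.simonemms.com
+          - name: OAUTH2_PROXY_REDIRECT_URL
+            value: https://homepage.simonemms.com/oauth2/callback
+        config:
+          existingSecret: oauth
+          configFile: |-
+            email_domains = [ "*" ]
+            provider = "oidc"
+            ssl_insecure_skip_verify = true
+            upstreams = [ "file:///dev/null" ]
+        ingress:
+          enabled: true
+          className: nginx
+          path: /oauth2
+          annotations:
+            kubernetes.io/tls-acme: "true"
+            cert-manager.io/cluster-issuer: letsencrypt
+          hosts:
+            - homepage.simonemms.com
+          tls:
+            - hosts:
+                - homepage.simonemms.com
+              secretName: oauth-tls
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: homepage
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: oauth
+  namespace: homepage
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  refreshInterval: 10s
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+  target:
+    name: oauth
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: OIDC_CLIENT_ID
+    - secretKey: client-secret
+      remoteRef:
+        key: OIDC_CLIENT_SECRET
+    - secretKey: cookie-secret
+      remoteRef:
+        key: OAUTH_PROXY_COOKIE_SECRET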
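Review bot: `ssl_insecure_skip_verify = true` in `configFile` turns off certificate verification for every call oauth2-proxy makes to the issuer named in OAUTH2_PROXY_OIDC_ISSUER_URL (discovery, JWKS, token exchange), so in production anyone on that network path can impersonate oidc.simonemms.com and mint valid sessions; the line should not be in this shared base. If it exists only because the dev issuer uses a letsencrypt-staging certificate, set it from the dev patch in registry/clusters/dev/components/homepage.yaml (or mount the staging CA there) rather than here. `email_domains = [ "*" ]` also means the proxy accepts any identity the issuer returns, so the only authorization is whatever the dex connector enforces; if that is intended, a comment above it, `# authz is delegated entirely to dex: any email the issuer returns is accepted`, would stop a later reader from assuming the proxy filters users.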
