diff --git a/registry/clusters/dev/components/dex.yaml b/registry/clusters/dev/components/dex.yaml
index b82e689..e146b6d 100644
--- a/registry/clusters/dev/components/dex.yaml
+++ b/registry/clusters/dev/components/dex.yaml
@@ -42,6 +42,9 @@ spec:
 - op: replace
 path: /spec/data/argocd_url
 value: https://argocd.dev.simonemms.com
+ - op: replace
+ path: /spec/data/homepage_url
+ value: https://homepage.dev.simonemms.com
 destination:
 server: https://kubernetes.default.svc
 namespace: dex
diff --git a/registry/clusters/dev/components/homepage.yaml b/registry/clusters/dev/components/homepage.yaml
index ce466ca..d10775e 100644
--- a/registry/clusters/dev/components/homepage.yaml
+++ b/registry/clusters/dev/components/homepage.yaml
@@ -30,6 +30,30 @@ spec:
 - op: replace
 path: /spec/source/helm/valuesObject/ingress/main/annotations/cert-manager.io~1cluster-issuer
 value: letsencrypt-staging
+ - target:
+ group: argoproj.io
+ version: v1alpha1
+ kind: Application
+ name: homepage-oidc
+ patch: |-
+ - op: replace
+ path: /spec/source/helm/valuesObject/ingress/hosts/0
+ value: homepage.dev.simonemms.com
+ - op: replace
+ path: /spec/source/helm/valuesObject/ingress/tls/0/hosts/0
+ value: homepage.dev.simonemms.com
+ - op: replace
+ path: /spec/source/helm/valuesObject/ingress/annotations/cert-manager.io~1cluster-issuer
+ value: letsencrypt-staging
+ - op: replace
+ path: /spec/source/helm/valuesObject/extraEnv/0/value
+ value: "false"
+ - op: replace
+ path: /spec/source/helm/valuesObject/extraEnv/1/value
+ value: https://oidc.dev.simonemms.com
+ - op: replace
+ path: /spec/source/helm/valuesObject/extraEnv/2/value
+ value: https://homepage.dev.simonemms.com/oauth2/callback
 destination:
 server: https://kubernetes.default.svc
 namespace: homepage
diff --git a/registry/components/dex/secret.yaml b/registry/components/dex/secret.yaml
index 21b519a..f936543 100644
--- a/registry/components/dex/secret.yaml
+++ b/registry/components/dex/secret.yaml
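Review bot: The dev overlay's replace op on `/spec/source/helm/valuesObject/extraEnv/0/value` sets `OAUTH2_PROXY_COOKIE_SECURE` to `"false"` while the same patch still configures TLS for `homepage.dev.simonemms.com` (`ingress/tls/0/hosts/0` plus the `letsencrypt-staging` cluster issuer); with HTTPS in place the session cookie should keep its Secure flag, so this op can be dropped (or set to `"true"`) unless the dev site is deliberately served over plain HTTP, which nothing in the patch suggests. Addressing the variables by array index (`extraEnv/0`, `/1`, `/2`) also means a reorder of the base list in `oauth2-proxy.yaml` would silently retarget the patch; a comment such as `# extraEnv/0 = OAUTH2_PROXY_COOKIE_SECURE, /1 = OAUTH2_PROXY_OIDC_ISSUER_URL, /2 = OAUTH2_PROXY_REDIRECT_URL` would at least make the coupling visible. The `patches` list this target belongs to starts outside the hunk.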
@@ -11,6 +11,7 @@ spec:
 data:
 base_url: https://oidc.simonemms.com
 argocd_url: https://argocd.simonemms.com
+ homepage_url: https://homepage.simonemms.com
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -39,6 +40,7 @@ spec:
 secret: {{ .oidc_client_secret }}
 redirectURIs:
 - {{ .argocd_url }}/auth/callback
+ - {{ .homepage_url }}/oauth2/callback
 connectors:
 - type: github
 id: github
diff --git a/registry/components/homepage/application.yaml b/registry/components/homepage/application.yaml
index 3f37b70..1561167 100644
--- a/registry/components/homepage/application.yaml
+++ b/registry/components/homepage/application.yaml
@@ -29,6 +29,8 @@ spec:
 annotations:
 kubernetes.io/tls-acme: "true"
 cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
 ingressClassName: nginx
 hosts:
 - host: homepage.simonemms.com
diff --git a/registry/components/homepage/kustomization.yaml b/registry/components/homepage/kustomization.yaml
index 834a07f..1ab6145 100644
--- a/registry/components/homepage/kustomization.yaml
+++ b/registry/components/homepage/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - application.yaml
 - configmap.yaml
 - namespace.yaml
+ - oauth2-proxy.yaml
diff --git a/registry/components/homepage/oauth2-proxy.yaml b/registry/components/homepage/oauth2-proxy.yaml
new file mode 100644
index 0000000..c667663
--- /dev/null
+++ b/registry/components/homepage/oauth2-proxy.yaml
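Review bot: The added `- {{ .homepage_url }}/oauth2/callback` registers oauth2-proxy on what looks like the same Dex static client that Argo CD already uses (same `secret: {{ .oidc_client_secret }}` entry, and the new `oauth` ExternalSecret in `oauth2-proxy.yaml` pulls `OIDC_CLIENT_ID`/`OIDC_CLIENT_SECRET` rather than a homepage-specific pair). If that reading is right, one client secret is now held by two workloads and an ID token minted for a homepage login carries the same `aud` as one minted for Argo CD, so either relying party would accept the other's tokens; a second static client with its own id, secret and a single `redirectURIs` entry keeps a leaked secret scoped to one app. If this is in fact a separate client and the enclosing entry just isn't visible, disregard. The Dex config template this hunk edits starts and ends outside the hunk.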
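Review bot: The new `nginx.ingress.kubernetes.io/auth-url` sends every auth subrequest to `https://$host/oauth2/auth`, i.e. back out through the public ingress address and its TLS edge instead of to the oauth2-proxy Service in the `homepage` namespace, so each page load now depends on external DNS for its own hostname and on however nginx treats its own certificate on that hop. The usual shape is an in-cluster target for the check, e.g. `nginx.ingress.kubernetes.io/auth-url: "http://<OAUTH2_PROXY_SERVICE_NAME>.homepage.svc.cluster.local/oauth2/auth"` (placeholder; the chart's Service name is not visible in this diff), while `auth-signin` stays on `https://$host/oauth2/start?rd=$escaped_request_uri` because the browser must be able to reach it. The `annotations` mapping edited here sits under `ingress.main`, which starts outside the hunk.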
@@ -0,0 +1,81 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: homepage-oidc
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ chart: oauth2-proxy
+ repoURL: https://oauth2-proxy.github.io/manifests
+ targetRevision: 7.8.1
+ helm:
+ valuesObject:
+ deploymentAnnotations:
+ secret.reloader.stakater.com/reload: oauth
+ extraEnv:
+ - name: OAUTH2_PROXY_COOKIE_SECURE
+ value: "true"
+ - name: OAUTH2_PROXY_OIDC_ISSUER_URL
+ value: https://oidc.simonemms.com
+ - name: OAUTH2_PROXY_REDIRECT_URL
+ value: https://homepage.simonemms.com/oauth2/callback
+ config:
+ existingSecret: oauth
+ configFile: |-
+ email_domains = [ "*" ]
+ provider = "oidc"
+ ssl_insecure_skip_verify = true
+ upstreams = [ "file:///dev/null" ]
+ ingress:
+ enabled: true
+ className: nginx
+ path: /oauth2
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ cert-manager.io/cluster-issuer: letsencrypt
+ hosts:
+ - homepage.simonemms.com
+ tls:
+ - hosts:
+ - homepage.simonemms.com
+ secretName: oauth-tls
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: homepage
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: oauth
+ namespace: homepage
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: infisical
+ target:
+ name: oauth
+ data:
+ - secretKey: client-id
+ remoteRef:
+ key: OIDC_CLIENT_ID
+ - secretKey: client-secret
+ remoteRef:
+ key: OIDC_CLIENT_SECRET
+ - secretKey: cookie-secret
+ remoteRef:
+ key: OAUTH_PROXY_COOKIE_SECRET
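Review bot: `ssl_insecure_skip_verify = true` in `configFile` turns off certificate verification for every call oauth2-proxy makes to the issuer at `https://oidc.simonemms.com` (discovery, JWKS, token exchange), so anything able to sit between the proxy and Dex could present its own keys or tokens and pass the auth check. The issuer presumably carries a publicly trusted certificate like the other hosts in this registry (cert-manager with the `letsencrypt` issuer), so the line should be removed; if the dev cluster's `letsencrypt-staging` certificates are the reason it was added, supply that CA to the proxy (oauth2-proxy has a provider CA option) in the dev overlay rather than disabling verification in the base used by production. `email_domains = [ "*" ]` admits any identity Dex will authenticate, which is acceptable only if the GitHub connector in `dex/secret.yaml` restricts by org or team — that configuration is not visible here, so worth confirming. `OAUTH2_PROXY_COOKIE_SECURE: "true"` and the exact `OAUTH2_PROXY_REDIRECT_URL` are the right base values to keep.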