auth-proxy: proxies only authenticated requests to upstream, redirects to login page otherwise (#103)
* auth-proxy: inspects authenticated user
* ingress: chart and use in rpuppy
* auth-proxy: make it optional in rpuppy
* kratos: whitelist env pub/priv domains for auth return_to addr
* url-shortener: put behind auth-proxy
* pihole: replace oauth2-client with auth-proxy
* auth-proxy: fix upstream uri generation
* pihole: remove old chart using oauth2
* auth-proxy: remove temporary values file
* url-shortener: check x-user header for authentication
* auth: fix allowed_return_urls list
* auth-proxy: fix current address generation logic
---------
Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/charts/pihole/templates/service-web.yaml b/charts/pihole/templates/service-web.yaml
new file mode 100644
index 0000000..ace4603
--- /dev/null
+++ b/charts/pihole/templates/service-web.yaml
@@ -0,0 +1,102 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "pihole.fullname" . }}-web
+ labels:
+ app: {{ template "pihole.name" . }}
+ chart: {{ template "pihole.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- if .Values.serviceWeb.annotations }}
+ annotations:
+{{ toYaml .Values.serviceWeb.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.serviceWeb.type }}
+ {{- if and (.Values.dualStack.enabled) (not (eq .Values.serviceWeb.type "LoadBalancer")) }}
+ ipFamilies:
+ - IPv4
+ - IPv6
+ ipFamilyPolicy: PreferDualStack
+ {{- end }}
+ {{- if .Values.serviceWeb.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.serviceWeb.loadBalancerIP }}
+ {{- end }}
+ {{- if or (eq .Values.serviceWeb.type "NodePort") (eq .Values.serviceWeb.type "LoadBalancer") }}
+ externalTrafficPolicy: {{ .Values.serviceWeb.externalTrafficPolicy }}
+ {{- end }}
+ ports:
+ {{- if .Values.serviceWeb.http.enabled }}
+ - port: {{ .Values.serviceWeb.http.port }}
+ targetPort: http
+ {{- if and (.Values.serviceWeb.http.nodePort) (eq .Values.serviceWeb.type "NodePort") }}
+ nodePort: {{ .Values.serviceWeb.http.nodePort }}
+ {{- end }}
+ protocol: TCP
+ name: http
+ {{- end }}
+ {{- if .Values.serviceWeb.https.enabled }}
+ - port: {{ .Values.serviceWeb.https.port }}
+ targetPort: https
+ {{- if and (.Values.serviceWeb.https.nodePort) (eq .Values.serviceWeb.type "NodePort") }}
+ nodePort: {{ .Values.serviceWeb.https.nodePort }}
+ {{- end }}
+ protocol: TCP
+ name: https
+ {{- end }}
+ {{- if .Values.doh.enabled }}
+ - port: 49312
+ protocol: TCP
+ name: cloudflared-met
+ {{- end }}
+ selector:
+ app: {{ template "pihole.name" . }}
+ release: {{ .Release.Name }}
+---
+{{- if and (.Values.dualStack.enabled) (eq .Values.serviceWeb.type "LoadBalancer") -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "pihole.fullname" . }}-web-ipv6
+ labels:
+ app: {{ template "pihole.name" . }}
+ chart: {{ template "pihole.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- if .Values.serviceWeb.annotations }}
+ annotations:
+{{ toYaml .Values.serviceWeb.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.serviceWeb.type }}
+ ipFamilies:
+ - IPv6
+ ipFamilyPolicy: SingleStack
+ {{- if .Values.serviceWeb.loadBalancerIPv6 }}
+ loadBalancerIP: {{ .Values.serviceWeb.loadBalancerIPv6 }}
+ {{- end }}
+ {{- if or (eq .Values.serviceWeb.type "NodePort") (eq .Values.serviceWeb.type "LoadBalancer") }}
+ externalTrafficPolicy: {{ .Values.serviceWeb.externalTrafficPolicy }}
+ {{- end }}
+ ports:
+ {{- if .Values.serviceWeb.http.enabled }}
+ - port: {{ .Values.serviceWeb.http.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ {{- end }}
+ {{- if .Values.serviceWeb.https.enabled }}
+ - port: {{ .Values.serviceWeb.https.port }}
+ targetPort: https
+ protocol: TCP
+ name: https
+ {{- end }}
+ {{- if .Values.doh.enabled }}
+ - port: 49312
+ protocol: TCP
+ name: cloudflared-met
+ {{- end }}
+ selector:
+ app: {{ template "pihole.name" . }}
+ release: {{ .Release.Name }}
+{{- end }}
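Review bot: The `cloudflared-met` port 49312 (the block under `{{- if .Values.doh.enabled }}` in the first Service, repeated in the IPv6 Service) is published on the client-facing web Service with no gate other than `doh.enabled` and no `targetPort`, so whenever DoH is on it is exposed through whatever `serviceWeb.type` resolves to, including `LoadBalancer` or `NodePort`. Judging by the port name this is presumably the cloudflared sidecar's metrics endpoint, which has no reason to be reachable from outside the cluster; it should be gated on its own opt-in key (constructed example, key to be added to values.yaml with a `false` default: `{{- if and .Values.doh.enabled .Values.doh.exposeMetrics }}`), or moved to a separate ClusterIP Service. As a point of style, the templated scalars are emitted unquoted (`loadBalancerIP: {{ .Values.serviceWeb.loadBalancerIP }}`, `externalTrafficPolicy: {{ .Values.serviceWeb.externalTrafficPolicy }}`), so an empty or boolean-looking value changes type silently; writing them as `loadBalancerIP: "{{ .Values.serviceWeb.loadBalancerIP }}"` keeps them strings.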