auth-proxy: proxies only authenticated requests to upstream, redirects to login page otherwise (#103)
* auth-proxy: inspects authenticated user
* ingress: chart and use in rpuppy
* auth-proxy: make it optional in rpuppy
* kratos: whitelist env pub/priv domains for auth return_to addr
* url-shortener: put behind auth-proxy
* pihole: replace oauth2-client with auth-proxy
* auth-proxy: fix upstream uri generation
* pihole: remove old chart using oauth2
* auth-proxy: remove temporary values file
* url-shortener: check x-user header for authentication
* auth: fix allowed_return_urls list
* auth-proxy: fix current address generation logic
---------
Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/core/installer/app.go b/core/installer/app.go
index 6c83376..8cfb2b5 100644
--- a/core/installer/app.go
+++ b/core/installer/app.go
@@ -147,7 +147,7 @@
...
}
-helm: {
+helmValidate: {
for key, value in helm {
"\(key)": #Helm & value & {
name: key
@@ -184,7 +184,7 @@
}
output: {
- for name, r in helm {
+ for name, r in helmValidate {
"\(name)": #HelmRelease & {
_name: name
_chart: r.chart
diff --git a/core/installer/repoio.go b/core/installer/repoio.go
index 374f75f..5b90327 100644
--- a/core/installer/repoio.go
+++ b/core/installer/repoio.go
@@ -388,6 +388,7 @@
}
switch def.Kind() {
case KindBoolean:
+ ret[k] = v
case KindString:
ret[k] = v
case KindNetwork:
diff --git a/core/installer/values-tmpl/core-auth.cue b/core/installer/values-tmpl/core-auth.cue
index 99840ab..192f806 100644
--- a/core/installer/values-tmpl/core-auth.cue
+++ b/core/installer/values-tmpl/core-auth.cue
@@ -225,6 +225,10 @@
}
selfservice: {
default_browser_return_url: "https://accounts-ui.\(global.domain)"
+ allowed_return_urls: [
+ "https://*.\(global.domain)/",
+ "https://*.\(global.privateDomain)",
+ ]
methods: {
password: {
enabled: true
diff --git a/core/installer/values-tmpl/pihole.cue b/core/installer/values-tmpl/pihole.cue
index a1ec66a..35d4c51 100644
--- a/core/installer/values-tmpl/pihole.cue
+++ b/core/installer/values-tmpl/pihole.cue
@@ -1,6 +1,7 @@
input: {
network: #Network
subdomain: string
+ requireAuth: bool
}
_domain: "\(input.subdomain).\(input.network.domain)"
@@ -18,17 +19,15 @@
tag: "v5.8.1"
pullPolicy: "IfNotPresent"
}
+ authProxy: {
+ repository: "giolekva"
+ name: "auth-proxy"
+ tag: "latest"
+ pullPolicy: "Always"
+ }
}
charts: {
- oauth2Client: {
- chart: "charts/oauth2-client"
- sourceRef: {
- kind: "GitRepository"
- name: "pcloud"
- namespace: global.id
- }
- }
pihole: {
chart: "charts/pihole"
sourceRef: {
@@ -37,80 +36,110 @@
namespace: global.id
}
}
-}
-
-_oauth2ClientSecretName: "oauth2-client"
-
-helm: {
- "oauth2-client": {
- chart: charts.oauth2Client
- values: {
- name: "oauth2-client"
- secretName: _oauth2ClientSecretName
- grantTypes: ["authorization_code"]
- responseTypes: ["code"]
- scope: "openid profile email"
- redirectUris: ["https://\(_domain)/oauth2/callback"]
- hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+ ingress: {
+ chart: "charts/ingress"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
}
}
+ authProxy: {
+ chart: "charts/auth-proxy"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
+}
+
+_piholeServiceName: "pihole-web"
+_authProxyServiceName: "auth-proxy"
+_httpPortName: "http"
+_serviceWebPort: 80
+
+helm: {
pihole: {
chart: charts.pihole
values: {
- domain: _domain
- pihole: {
- fullnameOverride: "pihole"
- persistentVolumeClaim: { // TODO(gio): create volume separately as a dependency
+ fullnameOverride: "pihole"
+ persistentVolumeClaim: { // TODO(gio): create volume separately as a dependency
+ enabled: true
+ size: "5Gi"
+ }
+ admin: {
+ enabled: false
+ }
+ ingress: {
+ enabled: false
+ }
+ serviceDhcp: {
+ enabled: false
+ }
+ serviceDns: {
+ type: "ClusterIP"
+ }
+ serviceWeb: {
+ type: "ClusterIP"
+ http: {
enabled: true
- size: "5Gi"
+ port: _serviceWebPort
}
- admin: {
+ https: {
enabled: false
}
- ingress: {
- enabled: false
+ }
+ virtualHost: _domain
+ resources: {
+ requests: {
+ cpu: "250m"
+ memory: "100M"
}
- serviceDhcp: {
- enabled: false
+ limits: {
+ cpu: "500m"
+ memory: "250M"
}
- serviceDns: {
- type: "ClusterIP"
- }
- serviceWeb: {
- type: "ClusterIP"
- http: {
- enabled: true
- }
- https: {
- enabled: false
- }
- }
- virtualHost: _domain
- resources: {
- requests: {
- cpu: "250m"
- memory: "100M"
- }
- limits: {
- cpu: "500m"
- memory: "250M"
- }
- }
+ }
+ image: {
+ repository: images.pihole.fullName
+ tag: images.pihole.tag
+ pullPolicy: images.pihole.pullPolicy
+ }
+ }
+ }
+ if input.requireAuth {
+ "auth-proxy": {
+ chart: charts.authProxy
+ values: {
image: {
- repository: images.pihole.fullName
- tag: images.pihole.tag
- pullPolicy: images.pihole.pullPolicy
+ repository: images.authProxy.fullName
+ tag: images.authProxy.tag
+ pullPolicy: images.authProxy.pullPolicy
}
+ upstream: "\(_piholeServiceName).\(release.namespace).svc.cluster.local"
+ whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
+ loginAddr: "https://accounts-ui.\(global.domain)/login"
+ portName: _httpPortName
}
- oauth2: {
- cookieSecret: "1234123443214321"
- secretName: _oauth2ClientSecretName
- issuer: "https://hydra.\(global.domain)"
- }
- configName: "oauth2-proxy"
- profileUrl: "https://accounts-ui.\(global.domain)"
+ }
+ }
+ ingress: {
+ chart: charts.ingress
+ values: {
+ domain: _domain
ingressClassName: input.network.ingressClass
certificateIssuer: input.network.certificateIssuer
+ service: {
+ if input.requireAuth {
+ name: _authProxyServiceName
+ port: name: _httpPortName
+ }
+ if !input.requireAuth {
+ name: _piholeServiceName
+ port: number: _serviceWebPort
+ }
+ }
}
}
}
diff --git a/core/installer/values-tmpl/rpuppy.cue b/core/installer/values-tmpl/rpuppy.cue
index 8950d6c..ff316a0 100644
--- a/core/installer/values-tmpl/rpuppy.cue
+++ b/core/installer/values-tmpl/rpuppy.cue
@@ -1,6 +1,7 @@
input: {
network: #Network
subdomain: string
+ requireAuth: bool
}
_domain: "\(input.subdomain).\(input.network.domain)"
@@ -18,6 +19,12 @@
tag: "latest"
pullPolicy: "Always"
}
+ authProxy: {
+ repository: "giolekva"
+ name: "auth-proxy"
+ tag: "latest"
+ pullPolicy: "Always"
+ }
}
charts: {
@@ -29,20 +36,71 @@
namespace: global.id
}
}
+ ingress: {
+ chart: "charts/ingress"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
+ authProxy: {
+ chart: "charts/auth-proxy"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
}
+_rpuppyServiceName: "rpuppy"
+_authProxyServiceName: "auth-proxy"
+_httpPortName: "http"
+
helm: {
rpuppy: {
chart: charts.rpuppy
values: {
- ingressClassName: input.network.ingressClass
- certificateIssuer: input.network.certificateIssuer
- domain: _domain
image: {
repository: images.rpuppy.fullName
tag: images.rpuppy.tag
pullPolicy: images.rpuppy.pullPolicy
}
+ portName: _httpPortName
+ }
+ }
+ if input.requireAuth {
+ "auth-proxy": {
+ chart: charts.authProxy
+ values: {
+ image: {
+ repository: images.authProxy.fullName
+ tag: images.authProxy.tag
+ pullPolicy: images.authProxy.pullPolicy
+ }
+ upstream: "\(_rpuppyServiceName).\(release.namespace).svc.cluster.local"
+ whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
+ loginAddr: "https://accounts-ui.\(global.domain)/login"
+ portName: _httpPortName
+ }
+ }
+ }
+ ingress: {
+ chart: charts.ingress
+ values: {
+ domain: _domain
+ ingressClassName: input.network.ingressClass
+ certificateIssuer: input.network.certificateIssuer
+ service: {
+ if input.requireAuth {
+ name: _authProxyServiceName
+ }
+ if !input.requireAuth {
+ name: _rpuppyServiceName
+ }
+ port: name: _httpPortName
+ }
}
}
}
diff --git a/core/installer/values-tmpl/url-shortener.cue b/core/installer/values-tmpl/url-shortener.cue
index a3f6d3b..7d854e8 100644
--- a/core/installer/values-tmpl/url-shortener.cue
+++ b/core/installer/values-tmpl/url-shortener.cue
@@ -1,6 +1,7 @@
input: {
network: #Network
subdomain: string
+ requireAuth: bool
}
_domain: "\(input.subdomain).\(input.network.domain)"
@@ -18,6 +19,12 @@
tag: "latest"
pullPolicy: "Always"
}
+ authProxy: {
+ repository: "giolekva"
+ name: "auth-proxy"
+ tag: "latest"
+ pullPolicy: "Always"
+ }
}
charts: {
@@ -29,15 +36,32 @@
namespace: global.id
}
}
+ ingress: {
+ chart: "charts/ingress"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
+ authProxy: {
+ chart: "charts/auth-proxy"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
}
+_urlShortenerServiceName: "url-shortener"
+_authProxyServiceName: "auth-proxy"
+_httpPortName: "http"
+
helm: {
"url-shortener": {
chart: charts.urlShortener
values: {
- ingressClassName: input.network.ingressClass
- certificateIssuer: input.network.certificateIssuer
- domain: _domain
storage: {
size: "1Gi"
}
@@ -46,7 +70,40 @@
tag: images.urlShortener.tag
pullPolicy: images.urlShortener.pullPolicy
}
- port: 8080
+ portName: _httpPortName
}
}
+ if input.requireAuth {
+ "auth-proxy": {
+ chart: charts.authProxy
+ values: {
+ image: {
+ repository: images.authProxy.fullName
+ tag: images.authProxy.tag
+ pullPolicy: images.authProxy.pullPolicy
+ }
+ upstream: "\(_urlShortenerServiceName).\(release.namespace).svc.cluster.local"
+ whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
+ loginAddr: "https://accounts-ui.\(global.domain)/login"
+ portName: _httpPortName
+ }
+ }
+ }
+ ingress: {
+ chart: charts.ingress
+ values: {
+ domain: _domain
+ ingressClassName: input.network.ingressClass
+ certificateIssuer: input.network.certificateIssuer
+ service: {
+ if input.requireAuth {
+ name: _authProxyServiceName
+ }
+ if !input.requireAuth {
+ name: _urlShortenerServiceName
+ }
+ port: name: _httpPortName
+ }
+ }
+ }
}
diff --git a/core/installer/welcome/appmanager-tmpl/app.html b/core/installer/welcome/appmanager-tmpl/app.html
index 4fa4766..aebbd39 100644
--- a/core/installer/welcome/appmanager-tmpl/app.html
+++ b/core/installer/welcome/appmanager-tmpl/app.html
@@ -7,7 +7,7 @@
<label for="{{ $name }}">
<span>{{ $name }}</span>
</label>
- <input type="checkbox" role="swtich" name="{{ $name }}" oninput="valueChanged({{ $name }}, this.value)" {{ if $readonly }}disabled{{ end }} {{ if index $data $name }}checked{{ end }}/>
+ <input type="checkbox" role="swtich" name="{{ $name }}" oninput="valueChanged({{ $name }}, this.checked)" {{ if $readonly }}disabled{{ end }} {{ if index $data $name }}checked{{ end }}/>
{{ else if eq $schema.Kind 1 }}
<label for="{{ $name }}">
<span>{{ $name }}</span>