auth-proxy: proxies only authenticated requests to upstream, redirects to login page otherwise (#103)

* auth-proxy: inspects authenticated user

* ingress: chart and use in rpuppy

* auth-proxy: make it optional in rpuppy

* kratos: whitelist env pub/priv domains for auth return_to addr

* url-shortener: put behind auth-proxy

* pihole: replace oauth2-client with auth-proxy

* auth-proxy: fix upstream uri generation

* pihole: remove old chart using oauth2

* auth-proxy: remove temporary values file

* url-shortener: check x-user header for authentication

* auth: fix allowed_return_urls list

* auth-proxy: fix current address generation logic

---------

Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/core/installer/values-tmpl/url-shortener.cue b/core/installer/values-tmpl/url-shortener.cue
index a3f6d3b..7d854e8 100644
--- a/core/installer/values-tmpl/url-shortener.cue
+++ b/core/installer/values-tmpl/url-shortener.cue
@@ -1,6 +1,7 @@
 input: {
     network: #Network
     subdomain: string
+	requireAuth: bool
 }
 
 _domain: "\(input.subdomain).\(input.network.domain)"
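Review bot: `requireAuth: bool` on line 38 has no default, so every caller of this template must set it explicitly and evaluation fails when it is omitted — that is fail-closed, but if authentication is meant to be the normal case, `requireAuth: bool | *true` makes the safe choice the default while still letting a caller opt out deliberately. The new line is also indented with a tab while the neighbouring fields use spaces; the same mixing appears in the inserted blocks of the later hunks (the `ingress`/`authProxy` chart entries and the `auth-proxy`/`ingress` releases), so one pass with `cue fmt` would settle it.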
@@ -18,6 +19,12 @@
 		tag: "latest"
 		pullPolicy: "Always"
 	}
+	authProxy: {
+		repository: "giolekva"
+		name: "auth-proxy"
+		tag: "latest"
+		pullPolicy: "Always"
+	}
 }
 
 charts: {
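Review bot: The `authProxy` image is declared with `tag: "latest"` and `pullPolicy: "Always"`, so the component that enforces authentication for this release is whatever the registry serves at pull time, and nothing in this file records which build is actually running. For the auth-enforcing image in particular a versioned tag (or a digest) is worth pinning so an upgrade is a reviewed change rather than a side effect of a pod restart; the `urlShortener` image above follows the same `latest` pattern, which this hunk only repeats. If `latest` is intentional during development, a comment such as `// TODO: pin auth-proxy to a released tag before exposing it publicly` would make that explicit.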
@@ -29,15 +36,32 @@
             namespace: global.id
         }
     }
+	ingress: {
+		chart: "charts/ingress"
+		sourceRef: {
+			kind: "GitRepository"
+			name: "pcloud"
+			namespace: global.id
+		}
+	}
+	authProxy: {
+		chart: "charts/auth-proxy"
+		sourceRef: {
+			kind: "GitRepository"
+			name: "pcloud"
+			namespace: global.id
+		}
+	}
 }
 
+_urlShortenerServiceName: "url-shortener"
+_authProxyServiceName: "auth-proxy"
+_httpPortName: "http"
+
 helm: {
     "url-shortener": {
         chart: charts.urlShortener
         values: {
-            ingressClassName: input.network.ingressClass
-            certificateIssuer: input.network.certificateIssuer
-            domain: _domain
             storage: {
                 size: "1Gi"
             }
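Review bot: Dropping `domain: _domain` from the `url-shortener` values (line 87) is correct if the chart used it only for the Ingress it used to render, but a URL shortener commonly also needs its public hostname to build the short links it returns; if the chart still reads `.Values.domain` for that, this hunk silently removes the input and the chart's defaults decide the output — confirm against `charts/url-shortener`. `_urlShortenerServiceName` and `_authProxyServiceName` are plain strings with no tie to the templates that actually name the Services, so a rename on either side breaks routing without an evaluation error; a one-line comment above them such as `// must match the Service names emitted by charts/url-shortener and charts/auth-proxy` would record that coupling. The `helm` block and the `"url-shortener"` release continue past the end of this hunk.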
@@ -46,7 +70,40 @@
 				tag: images.urlShortener.tag
 				pullPolicy: images.urlShortener.pullPolicy
 			}
-            port: 8080
+            portName: _httpPortName
         }
     }
+	if input.requireAuth {
+		"auth-proxy": {
+			chart: charts.authProxy
+			values: {
+				image: {
+					repository: images.authProxy.fullName
+					tag: images.authProxy.tag
+					pullPolicy: images.authProxy.pullPolicy
+				}
+				upstream: "\(_urlShortenerServiceName).\(release.namespace).svc.cluster.local"
+				whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
+				loginAddr: "https://accounts-ui.\(global.domain)/login"
+				portName: _httpPortName
+			}
+		}
+	}
+	ingress: {
+		chart: charts.ingress
+		values: {
+			domain: _domain
+			ingressClassName: input.network.ingressClass
+			certificateIssuer: input.network.certificateIssuer
+			service: {
+				if input.requireAuth {
+					name: _authProxyServiceName
+				}
+				if !input.requireAuth {
+					name: _urlShortenerServiceName
+				}
+				port: name: _httpPortName
+			}
+		}
+	}
 }
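Review bot: When `requireAuth` is set, the ingress is switched to `auth-proxy` (lines 122-124) but the `url-shortener` Service itself stays addressable in-cluster under `_urlShortenerServiceName` — the very name the proxy uses as `upstream` on line 108. Since the commit message says url-shortener now authenticates on the `x-user` header, any workload that can reach that Service directly can present its own header, so the proxy only guards the ingress path unless something else restricts access to the upstream. A NetworkPolicy admitting traffic to the url-shortener pods only from the auth-proxy pods (and from the ingress controller when `requireAuth` is false) would close that gap, ideally rendered from the same `input.requireAuth` switch so the two cannot drift. At minimum a comment on line 108 such as `// upstream trusts the x-user header set by this proxy; it must not be reachable by any other client` would record the assumption the design rests on.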