auth: memberships behind the auth-proxy (#106)
* auth proxy ingress added
* removed ingress from install
* port > portName
diff --git a/charts/memberships/templates/install.yaml b/charts/memberships/templates/install.yaml
index 71581cc..aae4bc9 100644
--- a/charts/memberships/templates/install.yaml
+++ b/charts/memberships/templates/install.yaml
@@ -8,40 +8,10 @@
selector:
app: memberships
ports:
- - name: http
+ - name: {{ .Values.portName }}
protocol: TCP
port: 80
- targetPort: {{ .Values.port }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ingress
- namespace: {{ .Release.Namespace }}
-{{- if .Values.certificateIssuer }}
- annotations:
- acme.cert-manager.io/http01-edit-in-place: "true"
- cert-manager.io/cluster-issuer: {{ .Values.certificateIssuer }}
-{{- end }}
-spec:
- ingressClassName: {{ .Values.ingressClassName }}
-{{- if .Values.certificateIssuer }}
- tls:
- - hosts:
- - {{ .Values.domain }}
- secretName: cert-memberships
-{{- end }}
- rules:
- - host: {{ .Values.domain }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: memberships
- port:
- name: http
+ targetPort: {{ .Values.portName }}
---
apiVersion: apps/v1
kind: Deployment
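Review bot: The new `name: {{ .Values.portName }}` and `targetPort: {{ .Values.portName }}` lines render the value unquoted, so an empty or numeric-looking override is retyped by the YAML parser before Kubernetes sees it. `targetPort` accepts either an integer or a string, so a numeric value would silently be treated as a port number instead of a named-port lookup, while the same value is invalid as a port `name`. Quoting both closes this, e.g. `targetPort: {{ .Values.portName | quote }}`, and the same applies to the container port `name` in the Deployment hunk below. The Service definition starts above this hunk, so its `type` is not visible here.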
@@ -62,12 +32,12 @@
- name: memberships
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
ports:
- - name: http
- containerPort: {{ .Values.port }}
+ - name: {{ .Values.portName }}
+ containerPort: 8080
protocol: TCP
command:
- memberships
- - --port={{ .Values.port }}
+ - --port=8080
- --db-path=/data/memberships.db
volumeMounts:
- name: memberships
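Review bot: The listening port is now the literal 8080 written twice, in `containerPort: 8080` and `--port=8080`, with nothing tying the two together. Because the Service now targets the port by name, a later edit to only one of them would still render and deploy cleanly while traffic is sent to a port the process does not listen on. A single template variable, e.g. `{{- $port := 8080 }}` used in both places, or a comment such as `# must match --port below`, would keep them in step. The container spec continues outside this hunk.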
diff --git a/charts/memberships/values.yaml b/charts/memberships/values.yaml
index c07253f..c4be0f8 100644
--- a/charts/memberships/values.yaml
+++ b/charts/memberships/values.yaml
@@ -1,11 +1,7 @@
image:
repository: giolekva/memberships
- name: memberships
tag: latest
pullPolicy: Always
-ingressClassName: ingress-public
-certificateIssuer: example-public
-domain: memberships.example.com
storage:
size: 1Gi
-port: 8080
+portName: http
diff --git a/core/installer/values-tmpl/memberships.cue b/core/installer/values-tmpl/memberships.cue
index 83f4e8c..4abd6d6 100644
--- a/core/installer/values-tmpl/memberships.cue
+++ b/core/installer/values-tmpl/memberships.cue
@@ -1,6 +1,7 @@
input: {
network: #Network
subdomain: string
+ requireAuth: bool
}
_domain: "\(input.subdomain).\(input.network.domain)"
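Review bot: `requireAuth: bool` is added without a default, so whether the app sits behind the auth-proxy depends on every caller remembering to set it. For a switch that controls authentication, the safer schema is one that fails closed when the field is omitted, e.g. `requireAuth: bool | *true`. Whether existing installer inputs already supply this field is not visible from this diff.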
@@ -18,6 +19,12 @@
tag: "latest"
pullPolicy: "Always"
}
+ authProxy: {
+ repository: "giolekva"
+ name: "auth-proxy"
+ tag: "latest"
+ pullPolicy: "Always"
+ }
}
charts: {
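Review bot: The new `authProxy` image is pinned only to `tag: "latest"` with `pullPolicy: "Always"`, so the component that enforces authentication can change on any pod restart with no change to this repository. A fixed release tag or digest makes the deployed proxy reproducible and reviewable, e.g. `tag: "<released-version>"` (a placeholder, since no version appears on this page). The existing `memberships` image in the context lines follows the same pattern and would benefit from the same pinning.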
@@ -29,24 +36,74 @@
namespace: global.id
}
}
+ ingress: {
+ chart: "charts/ingress"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
+ authProxy: {
+ chart: "charts/auth-proxy"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
}
+_membershipsServiceName: "memberships"
+_authProxyServiceName: "auth-proxy"
+_httpPortName: "http"
+
helm: {
"memberships": {
chart: charts.memberships
values: {
- ingressClassName: input.network.ingressClass
- certificateIssuer: input.network.certificateIssuer
- domain: _domain
storage: {
size: "1Gi"
}
image: {
- repository: images.memberships.name
+ repository: images.memberships.fullName
tag: images.memberships.tag
pullPolicy: images.memberships.pullPolicy
}
- port: 8080
+ portName: _httpPortName
+ }
+ }
+ if input.requireAuth {
+ "auth-proxy": {
+ chart: charts.authProxy
+ values: {
+ image: {
+ repository: images.authProxy.fullName
+ tag: images.authProxy.tag
+ pullPolicy: images.authProxy.pullPolicy
+ }
+ upstream: "\(_membershipsServiceName).\(release.namespace).svc.cluster.local"
+ whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
+ loginAddr: "https://accounts-ui.\(global.domain)/login"
+ portName: _httpPortName
+ }
+ }
+ }
+ ingress: {
+ chart: charts.ingress
+ values: {
+ domain: _domain
+ ingressClassName: input.network.ingressClass
+ certificateIssuer: input.network.certificateIssuer
+ service: {
+ if input.requireAuth {
+ name: _authProxyServiceName
+ }
+ if !input.requireAuth {
+ name: _membershipsServiceName
+ }
+ port: name: _httpPortName
+ }
}
}
}
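Review bot: With `requireAuth` set, the only thing this change alters is the ingress backend, which becomes `name: _authProxyServiceName`. The `memberships` Service itself stays in place and is the proxy's `upstream`. Nothing visible here limits which workloads may connect to it, so pods elsewhere in the cluster could presumably reach it directly without passing the proxy's `whoAmIAddr` session check. A NetworkPolicy in the memberships chart, rendered when auth is required and selecting `app: memberships`, would allow ingress only from the auth-proxy pods and so enforce the boundary below the ingress layer. The auth-proxy pod labels are not shown in this diff and would need to be confirmed. Separately, the paired `if input.requireAuth` / `if !input.requireAuth` guards around `name` deserve a one-line comment stating that exactly one backend is chosen.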