auth-proxy: verify group membership (#105)
* auth-proxy: verify group membership
* memberships: install memberships app and use it in a few apps
* app-repo: render auth
* installer: always use external dependencies option in app configs
* installer: fix auth handling
* auth-proxy: configure membership-addr and groups flags in helm chart
* installer: fix indentation
* app-manager: fix how auth block is rendered
---------
Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/core/installer/values-tmpl/pihole.cue b/core/installer/values-tmpl/pihole.cue
index 35d4c51..ff04fe2 100644
--- a/core/installer/values-tmpl/pihole.cue
+++ b/core/installer/values-tmpl/pihole.cue
@@ -1,7 +1,7 @@
input: {
network: #Network
subdomain: string
- requireAuth: bool
+ auth: #Auth
}
_domain: "\(input.subdomain).\(input.network.domain)"
@@ -108,7 +108,7 @@
}
}
}
- if input.requireAuth {
+ if input.auth.enabled {
"auth-proxy": {
chart: charts.authProxy
values: {
@@ -120,6 +120,8 @@
upstream: "\(_piholeServiceName).\(release.namespace).svc.cluster.local"
whoAmIAddr: "https://accounts.\(global.domain)/sessions/whoami"
loginAddr: "https://accounts-ui.\(global.domain)/login"
+ membershipAddr: "http://memberships.\(global.id)-core-auth-memberships.svc.cluster.local/api/user"
+ groups: input.auth.groups
portName: _httpPortName
}
}
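Review bot: The added `membershipAddr` uses plain `http://` while the neighbouring `whoAmIAddr` and `loginAddr` are `https://`, so the group lookup that drives the authorization decision travels unencrypted and unauthenticated between the proxy and the memberships service. If that service cannot serve TLS, state the assumption next to the line, e.g. `// in-cluster only; membership responses rely on NetworkPolicy or mesh mTLS for integrity`, and make sure that restriction actually exists for the `-core-auth-memberships` namespace. The hunk also does not show what the proxy does when `input.auth.groups` is empty. If `#Auth` permits an empty value together with `enabled: true`, confirm the proxy denies access rather than admitting every authenticated user, or constrain the field in the schema. The enclosing `values` block starts outside the hunk.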
@@ -131,11 +133,11 @@
ingressClassName: input.network.ingressClass
certificateIssuer: input.network.certificateIssuer
service: {
- if input.requireAuth {
+ if input.auth.enabled {
name: _authProxyServiceName
port: name: _httpPortName
}
- if !input.requireAuth {
+ if !input.auth.enabled {
name: _piholeServiceName
port: number: _serviceWebPort
}