providers/app_gw: improve templates
This commit is contained in:
parent
e1bbbe6671
commit
de2b67b111
|
@ -2,18 +2,20 @@ apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: passbook-gatekeeper
|
app.kubernetes.io/name: "passbook-gatekeeper-{{ provider.name }}"
|
||||||
|
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
|
||||||
name: passbook-gatekeeper
|
name: passbook-gatekeeper
|
||||||
namespace: kube-system
|
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/name: passbook-gatekeeper
|
app.kubernetes.io/name: passbook-gatekeeper
|
||||||
|
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: passbook-gatekeeper
|
app.kubernetes.io/name: passbook-gatekeeper
|
||||||
|
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- args:
|
- args:
|
||||||
|
@ -27,6 +29,10 @@ spec:
|
||||||
value: "{{ cookie_secret }}"
|
value: "{{ cookie_secret }}"
|
||||||
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
|
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
|
||||||
value: "{{ issuer }}"
|
value: "{{ issuer }}"
|
||||||
|
- name: OAUTH2_PROXY_SET_XAUTHREQUEST
|
||||||
|
value: "true"
|
||||||
|
- name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
|
||||||
|
value: "true"
|
||||||
image: beryju/passbook-gatekeeper:{{ version }}
|
image: beryju/passbook-gatekeeper:{{ version }}
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: Always
|
||||||
name: passbook-gatekeeper
|
name: passbook-gatekeeper
|
||||||
|
@ -38,9 +44,9 @@ apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: passbook-gatekeeper
|
app.kubernetes.io/name: "passbook-gatekeeper-{{ provider.name }}"
|
||||||
|
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
|
||||||
name: passbook-gatekeeper
|
name: passbook-gatekeeper
|
||||||
namespace: kube-system
|
|
||||||
spec:
|
spec:
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
|
@ -49,18 +55,18 @@ spec:
|
||||||
targetPort: 4180
|
targetPort: 4180
|
||||||
selector:
|
selector:
|
||||||
app.kubernetes.io/name: passbook-gatekeeper
|
app.kubernetes.io/name: passbook-gatekeeper
|
||||||
|
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Ingress
|
kind: Ingress
|
||||||
metadata:
|
metadata:
|
||||||
name: passbook-gatekeeper
|
name: passbook-gatekeeper-{{ provider.name }}
|
||||||
namespace: kube-system
|
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- host: {{ provider.external_host }}
|
- host: {{ provider.external_host }}
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- backend:
|
- backend:
|
||||||
serviceName: passbook-gatekeeper
|
serviceName: "passbook-gatekeeper-{{ provider.name }}"
|
||||||
servicePort: 4180
|
servicePort: 4180
|
||||||
path: /oauth2
|
path: /oauth2
|
||||||
|
|
|
@ -49,8 +49,15 @@
|
||||||
<a href="{% url 'passbook_providers_app_gw:k8s-manifest' provider=provider.pk %}">{% trans 'Here' %}</a>
|
<a href="{% url 'passbook_providers_app_gw:k8s-manifest' provider=provider.pk %}">{% trans 'Here' %}</a>
|
||||||
<p>{% trans 'Afterwards, add the following annotations to the Ingress you want to secure:' %}</p>
|
<p>{% trans 'Afterwards, add the following annotations to the Ingress you want to secure:' %}</p>
|
||||||
<textarea class="codemirror" readonly data-cm-mode="yaml">
|
<textarea class="codemirror" readonly data-cm-mode="yaml">
|
||||||
nginx.ingress.kubernetes.io/auth-url: "{{ provider.external_host }}/oauth2/auth"
|
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
|
||||||
nginx.ingress.kubernetes.io/auth-signin: "{{ provider.external_host }}/oauth2/start?rd=$escaped_request_uri"
|
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
|
||||||
|
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||||
|
auth_request_set $user_id $upstream_http_x_auth_request_user;
|
||||||
|
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||||
|
auth_request_set $user_name $upstream_http_x_auth_request_preferred_username;
|
||||||
|
proxy_set_header X-User-Id $user_id;
|
||||||
|
proxy_set_header X-User $user_name;
|
||||||
|
proxy_set_header X-Email $email;
|
||||||
</textarea>
|
</textarea>
|
||||||
</div>
|
</div>
|
||||||
<footer class="pf-c-modal-box__footer pf-m-align-left">
|
<footer class="pf-c-modal-box__footer pf-m-align-left">
|
||||||
|
|
Reference in a new issue