providers/app_gw: improve templates

This commit is contained in:
Jens Langhammer 2020-08-01 22:13:12 +02:00
parent e1bbbe6671
commit de2b67b111
2 changed files with 22 additions and 9 deletions

View file

@ -2,18 +2,20 @@ apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: passbook-gatekeeper
app.kubernetes.io/name: "passbook-gatekeeper-{{ provider.name }}"
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
name: passbook-gatekeeper
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: passbook-gatekeeper
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
template:
metadata:
labels:
app.kubernetes.io/name: passbook-gatekeeper
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
spec:
containers:
- args:
@ -27,6 +29,10 @@ spec:
value: "{{ cookie_secret }}"
- name: OAUTH2_PROXY_OIDC_ISSUER_URL
value: "{{ issuer }}"
- name: OAUTH2_PROXY_SET_XAUTHREQUEST
value: "true"
- name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
value: "true"
image: beryju/passbook-gatekeeper:{{ version }}
imagePullPolicy: Always
name: passbook-gatekeeper
@ -38,9 +44,9 @@ apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: passbook-gatekeeper
app.kubernetes.io/name: "passbook-gatekeeper-{{ provider.name }}"
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
name: passbook-gatekeeper
namespace: kube-system
spec:
ports:
- name: http
@ -49,18 +55,18 @@ spec:
targetPort: 4180
selector:
app.kubernetes.io/name: passbook-gatekeeper
passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: passbook-gatekeeper
namespace: kube-system
name: passbook-gatekeeper-{{ provider.name }}
spec:
rules:
- host: {{ provider.external_host }}
http:
paths:
- backend:
serviceName: passbook-gatekeeper
serviceName: "passbook-gatekeeper-{{ provider.name }}"
servicePort: 4180
path: /oauth2

View file

@ -49,8 +49,15 @@
<a href="{% url 'passbook_providers_app_gw:k8s-manifest' provider=provider.pk %}">{% trans 'Here' %}</a>
<p>{% trans 'Afterwards, add the following annotations to the Ingress you want to secure:' %}</p>
<textarea class="codemirror" readonly data-cm-mode="yaml">
nginx.ingress.kubernetes.io/auth-url: "{{ provider.external_host }}/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "{{ provider.external_host }}/oauth2/start?rd=$escaped_request_uri"
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $user_id $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
auth_request_set $user_name $upstream_http_x_auth_request_preferred_username;
proxy_set_header X-User-Id $user_id;
proxy_set_header X-User $user_name;
proxy_set_header X-Email $email;
</textarea>
</div>
<footer class="pf-c-modal-box__footer pf-m-align-left">