Add gatekeeper auth (#8)

nuwang · web-flow · commit ca9f11bd6aab · 2020-07-14T11:15:32.000-04:00
* Added keycloak gatekeeper auth

* Fixed rewrite conflict
diff --git a/rstudio/templates/deployment.yaml b/rstudio/templates/deployment.yaml
@@ -4,6 +4,16 @@ metadata:
   name: {{ include "rstudio.fullname" . }}
   labels:
     {{- include "rstudio.labels" . | nindent 4 }}
+  annotations:
+    authproxy.stakater.com/enabled: "true"
+    authproxy.stakater.com/source-service-name: {{ .Release.Name }}-service
+    authproxy.stakater.com/upstream-url: "http://localhost:8787/"
+    authproxy.stakater.com/client-id: {{ .Values.oidc.client_id }}
+    authproxy.stakater.com/client-secret: {{ .Values.oidc.client_secret }}
+    authproxy.stakater.com/listen: ":80"
+    authproxy.stakater.com/discovery-url: {{ tpl .Values.oidc.discovery_url . }}
+    authproxy.stakater.com/oauth-uri: "{{ .Values.ingress.access_path }}oauth"
+    authproxy.stakater.com/gatekeeper-image: keycloak/keycloak-gatekeeper:7.0.0
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
@@ -50,16 +60,16 @@ spec:
               value: "true"
           ports:
             - name: http
-              containerPort: 8787
+              containerPort: 80
               protocol: TCP
           livenessProbe:
             httpGet:
               path: /
-              port: http
+              port: 8787
           readinessProbe:
             httpGet:
               path: /
-              port: http
+              port: 8787
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
diff --git a/rstudio/templates/ingress.yaml b/rstudio/templates/ingress.yaml
@@ -13,7 +13,7 @@ metadata:
     {{- include "rstudio.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
   {{- end }}
 spec:
 {{- if .Values.ingress.tls }}
@@ -34,7 +34,7 @@ spec:
         {{- range .paths }}
           - path: {{ . }}
             backend:
-              serviceName: {{ $fullName }}
+              serviceName: {{ $fullName }}-service
               servicePort: {{ $svcPort }}
         {{- end }}
   {{- end }}
diff --git a/rstudio/templates/service.yaml b/rstudio/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "rstudio.fullname" . }}
+  name: {{ include "rstudio.fullname" . }}-service
   labels:
     {{- include "rstudio.labels" . | nindent 4 }}
 spec:
diff --git a/rstudio/values.yaml b/rstudio/values.yaml
@@ -38,9 +38,13 @@ service:
   port: 80
 
 ingress:
+  access_path: /rstudio/
   enabled: true
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      # This extra rewrite restores the original url because keycloak gatekeeper expects the non-rewritten path
+      rewrite "{{ .Values.ingress.access_path }}oauth(/|$)(.*)" {{ .Values.ingress.access_path }}oauth/$2 break;
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
@@ -70,6 +74,11 @@ tolerations: []
 
 affinity: {}
 
+oidc:
+  client_id: "rstudio"
+  client_secret: "some_secret"
+  discovery_url: "http://cloudman-keycloak-http.cloudman.svc.cluster.local/auth/realms/master"
+
 persistence:
   enabled: true
   name: rstudio-pvc
