feat(service-proxy): secure endpoint with oauth2-proxy (#628)

* feat(service-proxy): secure endpoint with oauth2-proxy

* fix(actions): pr build cleanup filter

* fix: whitespace, domains, cookie-csrf

* fix: remove quotation

* rename ingress host

* hide oauth2proxy behind a feature toggle

---------

Co-authored-by: David Gogl <1381862+kengou@users.noreply.github.com>

Author: IvoGoman

.github/workflows/ci-pr-build.yaml

@@ -6,6 +6,7 @@ on:
       - labeled
       - closed
       - unlabeled
+      - synchronize
 
 env:
   REGISTRY: ghcr.io
@@ -108,6 +109,6 @@ jobs:
           uses: dataaxiom/ghcr-cleanup-action@v1
           with:
             tags: ${{ env.PR_NUMBER }}-pr
-            packages: ${{ github.repository }}/charts/*
+            packages: ${{ github.event.repository.name }}/charts/*
             expand-packages: true
             token: ${{ secrets.CLOUDOPERATOR_REPO_WRITE_DELETE_TOKEN }}

service-proxy/charts/1.0.0/service-proxy/Chart.yaml

@@ -18,7 +18,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.2
+version: 1.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

service-proxy/charts/1.0.0/service-proxy/ci/test-values.yaml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+global:
+  greenhouse:
+    organizationName: demo
+domain: demo.cloud.tld
+
+oauth2proxy:
+  issuerURL: https://idp.tld
+  clientIDRef:
+    secret: "client-secret"
+    key: clientid
+  clientSecretRef:
+    secret: "client-secret"
+    key: clientsecret
+  cookieSecretRef:
+    secret: "cookie-secret"
+    key: "cookie"

service-proxy/charts/1.0.0/service-proxy/templates/_helpers.tpl

@@ -23,6 +23,14 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "oauth2-proxy.fullname" -}}
+{{- printf "%s-%s" .Release.Name "oauth2-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -60,3 +68,4 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+

service-proxy/charts/1.0.0/service-proxy/templates/ingress.yaml

@@ -14,17 +14,22 @@ metadata:
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
+{{- if $.Values.oauth2proxy.enabled }}
+    nginx.ingress.kubernetes.io/auth-signin: https://auth-proxy.{{ required ".domain missing" $.Values.domain }}/oauth2/start 
+    nginx.ingress.kubernetes.io/auth-url: https://auth-proxy.{{ required ".domain missing" $.Values.domain }}/oauth2/auth 
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+{{- end }}
   {{- end }}
 spec:
   {{- if .Values.ingress.className }}
   ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
   tls:
   - hosts:
-      - "*.{{ required ".domain missing" .Values.domain }}"
+      - "*.{{ required ".domain missing" $.Values.domain }}"
     secretName: {{ $fullName }}-tls
   rules:
-  - host: "*.{{ required ".domain missing" .Values.domain }}"
+  - host: "*.{{ required ".domain missing" $.Values.domain }}"
     http:
       paths:
         - path: /
@@ -33,4 +38,4 @@ spec:
             service:
               name: {{ $fullName }}
               port:
-                number: {{ $svcPort }}
+                number: {{ $svcPort }}

service-proxy/charts/1.0.0/service-proxy/templates/oauth2-proxy-deployment.yaml

@@ -0,0 +1,88 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.oauth2proxy.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: {{ include "oauth2-proxy.fullname" . }}
+spec:
+  replicas: {{ .Values.replicas | default 1 }}
+  selector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        k8s-app: oauth2-proxy
+    spec:
+      containers:
+      - args:
+        - --provider=oidc
+        - --email-domain=*
+        - --provider-display-name={{ .Values.oauth2proxy.providerDisplayName | default ( printf "%s %s" .Values.global.greenhouse.organizationName "OIDC Provider") }}
+        - --upstream=file:///dev/null
+        - --http-address=0.0.0.0:4180
+        - --redirect-url=oauth2/callback
+        - --oidc-issuer-url={{ required "oauth2proxy.issuerURL" .Values.oauth2proxy.issuerURL }}
+        - --scope=openid email
+        - --pass-user-headers=true
+        - --set-xauthrequest=true
+        - --whitelist-domain={{ required ".domain missing" $.Values.domain | trimPrefix $.Values.global.greenhouse.organizationName }}
+        - --cookie-name={{ .Values.oauth2proxy.cookieName | default "_oauth2_proxy" }}
+        - --cookie-domain={{ required ".domain missing" $.Values.domain | trimPrefix $.Values.global.greenhouse.organizationName }}
+        - --cookie-expire={{ .Values.oauth2proxy.cookieExpire | default "12h0m0s" }}
+        - --oidc-email-claim=email
+        - --cookie-csrf-per-request=true
+        - --cookie-csrf-expire=5m
+        env:
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: {{ required "oauth2proxy.clientIDRef.secret" .Values.oauth2proxy.clientIDRef.secret }}
+              key: {{ required "oauth2proxy.clientIDRef.key" .Values.oauth2proxy.clientIDRef.key }}
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ required "oauth2proxy.clientSecretRef.secret" .Values.oauth2proxy.clientSecretRef.secret }}
+              key: {{ required "oauth2proxy.clientIDRef.key" .Values.oauth2proxy.clientSecretRef.key }}
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ required "oauth2proxy.cookieSecretRef.secret" .Values.oauth2proxy.cookieSecretRef.secret }}
+              key: {{ required "oauth2proxy.cookieSecretRef.key" .Values.oauth2proxy.cookieSecretRef.key }}
+        image: {{ required "oauth2proxy.image.registry" .Values.oauth2proxy.image.registry }}/{{ required "oauth2proxy.image.repository" .Values.oauth2proxy.image.repository }}:{{ required "oauth2proxy.image.version" .Values.oauth2proxy.image.version }}
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - sleep 30
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /ping
+            port: 4180
+            scheme: HTTP
+          initialDelaySeconds: 60
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 10
+        name: oauth2-proxy
+        ports:
+        - containerPort: 4180
+          protocol: TCP
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: 
+        runAsUser: 0
+      terminationGracePeriodSeconds: 30
+{{- end }}

service-proxy/charts/1.0.0/service-proxy/templates/oauth2-proxy-ingress.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.oauth2proxy.enabled }}
+{{- $fullName := include "oauth2-proxy.fullname" . }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    ingress.kubernetes.io/proxy-buffer-size: 8k
+    ingress.kubernetes.io/ssl-redirect: "true"
+  {{- end }}
+  name: {{ $fullName }}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: auth-proxy.{{ required ".domain missing" $.Values.domain }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: oauth2-proxy
+            port:
+              number: 4180
+        path: /oauth2
+        pathType: Prefix
+  tls:
+  - hosts:
+    - auth-proxy.{{ required ".domain missing" $.Values.domain }}
+    secretName: {{ $fullName }}-tls
+{{- end }}

service-proxy/charts/1.0.0/service-proxy/templates/oauth2-proxy-service.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.oauth2proxy.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+spec:
+  internalTrafficPolicy: Cluster
+  ports:
+  - name: http
+    port: 4180
+    protocol: TCP
+    targetPort: 4180
+  selector:
+    k8s-app: oauth2-proxy
+  type: ClusterIP
+{{- end }}

service-proxy/charts/1.0.0/service-proxy/values.yaml

@@ -37,3 +37,11 @@ ingress:
   annotations:
     kubernetes.io/tls-acme: "true"
     disco: "true"
+
+oauth2proxy:
+  enabled: false
+  image:
+    registry: "docker.io"
+    repository: "bitnami/oauth2-proxy"
+    version: "7.6.0"
+  providerDisplayName: ""