diff --git a/incubator/nginx-iap/.helmignore b/incubator/nginx-iap/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/incubator/nginx-iap/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/incubator/nginx-iap/Chart.yaml b/incubator/nginx-iap/Chart.yaml new file mode 100644 index 00000000..912703f2 --- /dev/null +++ b/incubator/nginx-iap/Chart.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: nginx-iap +version: 0.0.1 diff --git a/incubator/nginx-iap/pr123/apple.yaml b/incubator/nginx-iap/pr123/apple.yaml new file mode 100644 index 00000000..1ea0fde2 --- /dev/null +++ b/incubator/nginx-iap/pr123/apple.yaml @@ -0,0 +1,26 @@ +kind: Pod +apiVersion: v1 +metadata: + namespace: pr123 + name: apple-app + labels: + app: apple +spec: + containers: + - name: apple-app + image: hashicorp/http-echo + args: + - "-text=apple" +--- + +kind: Service +apiVersion: v1 +metadata: + namespace: pr123 + name: apple +spec: + selector: + app: apple + ports: + - port: 80 + targetPort: 5678 # Default port for image diff --git a/incubator/nginx-iap/pr123/banana.yaml b/incubator/nginx-iap/pr123/banana.yaml new file mode 100644 index 00000000..95040e22 --- /dev/null +++ b/incubator/nginx-iap/pr123/banana.yaml 
@@ -0,0 +1,27 @@ +kind: Pod +apiVersion: v1 +metadata: + namespace: pr123 + name: banana-app + labels: + app: banana +spec: + containers: + - name: banana-app + image: hashicorp/http-echo + args: + - "-text=banana" + +--- + +kind: Service +apiVersion: v1 +metadata: + namespace: pr123 + name: banana +spec: + selector: + app: banana + ports: + - port: 80 + targetPort: 5678 # Default port for image diff --git a/incubator/nginx-iap/pr123/echoserver-deployment.yaml b/incubator/nginx-iap/pr123/echoserver-deployment.yaml new file mode 100644 index 00000000..92ad473f --- /dev/null +++ b/incubator/nginx-iap/pr123/echoserver-deployment.yaml @@ -0,0 +1,18 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: echoserver + namespace: pr123 +spec: + replicas: 1 + template: + metadata: + labels: + app: echoserver + spec: + containers: + - image: gcr.io/google_containers/echoserver:1.4 + imagePullPolicy: Always + name: echoserver + ports: + - containerPort: 8080 diff --git a/incubator/nginx-iap/pr123/echoserver-namespace.yaml b/incubator/nginx-iap/pr123/echoserver-namespace.yaml new file mode 100644 index 00000000..fef96df6 --- /dev/null +++ b/incubator/nginx-iap/pr123/echoserver-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pr123 diff --git a/incubator/nginx-iap/pr123/echoserver-service.yaml b/incubator/nginx-iap/pr123/echoserver-service.yaml new file mode 100644 index 00000000..0c2dd1ab --- /dev/null +++ b/incubator/nginx-iap/pr123/echoserver-service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: echoserver + namespace: pr123 +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + type: NodePort + selector: + app: echoserver diff --git a/incubator/nginx-iap/templates/NOTES.txt b/incubator/nginx-iap/templates/NOTES.txt new file mode 100644 index 00000000..eb6603c2 --- /dev/null +++ b/incubator/nginx-iap/templates/NOTES.txt 
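Review bot: `echoserver-service.yaml` declares `type: NodePort`, which publishes the echoserver on every node's IP and bypasses the nginx/oauth2_proxy path this chart exists to enforce; the IAP only ever reaches backends through `${service}.${pr_number}.svc.cluster.local`, so a ClusterIP is sufficient — change the line to `type: ClusterIP` (or drop it, which defaults to the same). The `hashicorp/http-echo` references in `apple.yaml`/`banana.yaml` carry no tag, so each apply resolves `latest`; pin a tag so the sample deploys reproducibly. These files live under `incubator/nginx-iap/pr123/` inside the chart directory, so unless excluded they are packaged with the chart while never being rendered as templates — consider listing `pr123/` in `.helmignore` or moving them to an `examples/` directory and saying in `Chart.yaml`'s description what they are for.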
@@ -0,0 +1,15 @@ +1. Get the application URL by running these commands: +{{- if contains "NodePort" .Values.oauth.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT/login +{{- else if contains "LoadBalancer" .Values.oauth.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.oauth.service.externalPort }} +{{- else if contains "ClusterIP" .Values.oauth.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "fullname" . }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:{{ .Values.oauth.service.externalPort }} +{{- end }} diff --git a/incubator/nginx-iap/templates/_helpers.tpl b/incubator/nginx-iap/templates/_helpers.tpl new file mode 100644 index 00000000..d6037efd --- /dev/null +++ b/incubator/nginx-iap/templates/_helpers.tpl 
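Review bot: The NodePort and LoadBalancer branches run `kubectl get ... services {{ template "fullname" . }}`, but the only Service this chart renders (`nginx.service.yaml`) is named `{{ template "fullname_proxy" . }}` and is typed by `.Values.nginx.service.type`, not `.Values.oauth.service.type`, so the instructions look up a service that does not exist and branch on a value no resource uses. Switch the three `contains` checks to `.Values.nginx.service.type`, the service name to `{{ template "fullname_proxy" . }}`, and the port to `.Values.nginx.service.http.externalPort`. The printed URLs are `http://` and the chart sets `cookieSecure: true` by default, so it is worth a sentence in the notes saying the proxy must sit behind a TLS terminator for the session cookie to be sent at all.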
@@ -0,0 +1,40 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 24 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 24 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified oauth name. +We limit this value to 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname_oauth" -}} +{{- printf "%.17s-oauth" .Release.Name | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified proxy name. +We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname_proxy" -}} +{{- printf "%.17s-proxy" .Release.Name | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified proxy name. +We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname_ingress" -}} +{{- printf "%.16s-ingress" .Release.Name | trimSuffix "-" -}} +{{- end -}} diff --git a/incubator/nginx-iap/templates/nginx.configmap.yaml b/incubator/nginx-iap/templates/nginx.configmap.yaml new file mode 100644 index 00000000..1d33a47b --- /dev/null +++ b/incubator/nginx-iap/templates/nginx.configmap.yaml 
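Review bot: The comment above `fullname_ingress` says "Create a default fully qualified proxy name", copied from the block above it; it should read `Create a default fully qualified ingress name.` so the three helpers are distinguishable when grepped. `fullname_oauth`, `fullname_proxy` and `fullname_ingress` keep only the first 16–17 characters of `.Release.Name`, so two releases whose names share that prefix would render ConfigMaps and Secrets with identical names in the same namespace and silently overwrite each other; if the 24-character budget is really needed, document that constraint on the release name, otherwise derive these from `fullname` as the other helper does. The "24 chars" justification comes from an old chart scaffold — most Kubernetes object names allow 63 — so it is worth re-checking which field this chart actually hits before keeping the truncation.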
@@ -0,0 +1,111 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname_proxy" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + default.conf: |- + # nginx requires a 'resolver' directive when variables appear in proxy_pass arguments + # (eg: proxy_pass "http://$service.$pr_number..." ) + resolver {{ .Values.kube_dns_hostname }} ipv6=off; + + upstream localhost_oauth2_proxy { + least_conn; + server 127.0.0.1:81; + } + + server { + listen 80; + + # TODO(mtamsky): It might be clearer if we had two server{} + # blocks, each with unique server_name patterns. This would + # create a clear separation of the iap from internal services. + + # Currently, this server{} config answers for both: + # iap.DOMAIN + server_name {{ .Values.iap_hostname }}.{{ .Values.DNS_ZONE }}; + # pr123-service.DOMAIN + server_name ~^(?[Pp][Rr][0-9]+)-(?[^.]+)\.{{ .Values.iap_hostname }}.{{ .Values.DNS_ZONE }}$; + + # Assemble the two captured vars + set $pr_number_service "${pr_number}-${service}"; + + access_log /dev/stdout; + error_log /dev/stderr; + + # 'internal' directive designates this location is nginx-internal-only + # cf. http://nginx.org/en/docs/http/ngx_http_core_module.html#internal + location /oauth2/auth { + internal; + proxy_pass http://localhost_oauth2_proxy; + } + + # initiate the oauth flow + location /oauth2/start { + auth_request off; + proxy_pass http://localhost_oauth2_proxy; + } + + # Presents the initial login page with "Sign in with a XYZ account" button. + # Also logs the user out by clearing their _oauth_cookie. 
+ location /oauth2/sign_in { + auth_request off; + rewrite_log on; + if ($arg_initial = "true") { + proxy_pass http://localhost_oauth2_proxy/oauth2/sign_in?iap_redirect=${arg_iap_redirect}; + break; + # we continue processing this request + # http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#break + } + + # This is currently where the callback? oauth flow winds up after valid + # authentiation with a valid _oauth_cookie. + + # TODO(tamsky): determine if we can move iap_redirect to a unique path + # instead of piggybacking on the /oauth2/sign_in location + if ($arg_iap_redirect) { + # redirect to final desination, trailing-'?' tells nginx to drop current $query_string + rewrite ^.*$ ${arg_iap_redirect}? redirect; + } + + # This 'proxy_pass' URL is what generates the start-of-oauth-flow: + proxy_pass http://localhost_oauth2_proxy/oauth2/sign_in?iap_redirect=${pr_number_service}.{{ .Values.iap_hostname }}.{{ .Values.DNS_ZONE }}${request_uri}; + } + + location /oauth2/callback { + auth_request off; + proxy_pass http://localhost_oauth2_proxy; + } + + location / { + # All paths (not matched above) are protected by the 'auth_request' directive. + auth_request /oauth2/auth; + + # Headers we include in the auth_request: + auth_request_set $auth_user $upstream_http_x_authenticated_email; + + # TODO(tamsky): verify we need 'initial=true' pieces. 
+ error_page 401 =307 $scheme://{{.Values.iap_hostname}}.{{ .Values.DNS_ZONE }}/oauth2/sign_in?initial=true&iap_redirect=$scheme://${pr_number_service}.{{ .Values.iap_hostname }}.{{ .Values.DNS_ZONE }}$request_uri; + + # Headers that are set in the request sent to the oauth2_proxy: + proxy_set_header x-forwarded-user $auth_user; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + + # Lookup hostname using DNS and proxy the current request to service_ip_address:80 + proxy_pass http://${service}.${pr_number}.svc.cluster.local.; + # trailing dot is correct + } + + # TODO(tamsky): add 'location /logout {}' + + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Upstream-Response-Time $upstream_response_time; + proxy_next_upstream error http_500; + proxy_set_header Host $host; + } diff --git a/incubator/nginx-iap/templates/nginx.deployment.yaml b/incubator/nginx-iap/templates/nginx.deployment.yaml new file mode 100644 index 00000000..650ef427 --- /dev/null +++ b/incubator/nginx-iap/templates/nginx.deployment.yaml 
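Review bot: The `if ($arg_iap_redirect) { rewrite ^.*$ ${arg_iap_redirect}? redirect; }` inside `location /oauth2/sign_in` is an open redirect: the target comes verbatim from the query string and nothing in this file pins it to `{{ .Values.iap_hostname }}.{{ .Values.DNS_ZONE }}`, so a link such as `https://iap.DOMAIN/oauth2/sign_in?iap_redirect=https://attacker.example/` sends a user who has just authenticated off-site, and oauth2_proxy's `whitelist_domain` never sees it because the rewrite happens in nginx. Copy the parameter into a local variable only when it matches the IAP host pattern (escaping the dots of the interpolated hostname and zone, since they land in a regex) and redirect from that variable, as sketched below. The `$service` capture in the `server_name` regex is `[^.]+` and feeds `proxy_pass http://${service}.${pr_number}.svc.cluster.local.` straight from the Host header; narrowing it to DNS-label characters, `[a-z0-9-]+`, costs nothing and keeps anything that is not a service name out of the upstream URL (the capture names appear to have been stripped from this rendering, so I am reading the pattern as `(?<pr_number>…)-(?<service>…)`). Separately, on `listen 80` `$scheme` is always `http`, so the `error_page 401 =307 $scheme://…` redirect and the `iap_redirect` it builds are plain-http URLs; if TLS is terminated in front of this pod, `cookieSecure: true` means the browser will not present the session cookie there, so derive the scheme from an `X-Forwarded-Proto` that the ingress overwrites rather than from `$scheme`.
```nginx
location /oauth2/sign_in {
    # … unchanged: initial=true branch …

    # Only honour iap_redirect targets on our own IAP domain (closes the open redirect).
    set $safe_iap_redirect "";
    if ($arg_iap_redirect ~* "^https?://([a-z0-9-]+\.)?{{ .Values.iap_hostname | replace "." "\\." }}\.{{ .Values.DNS_ZONE | replace "." "\\." }}(/|$)") {
        set $safe_iap_redirect $arg_iap_redirect;
    }
    if ($safe_iap_redirect) {
        # trailing '?' tells nginx to drop the current $query_string
        rewrite ^.*$ $safe_iap_redirect? redirect;
    }

    # … unchanged: final proxy_pass to oauth2_proxy …
}
```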
@@ -0,0 +1,112 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" +spec: + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ template "fullname" . }} + annotations: + # TODO(tamsky) update when done + # checksum/ui-config: { include (print $.Template.BasePath "/dashboard.configmap.yaml") . | sha256sum }} + # checksum/vpn-config: { include (print $.Template.BasePath "/vpn.configmap.yaml") . | sha256sum }} + # checksum/vpn-secret: { include (print $.Template.BasePath "/vpn.secret.yaml") . | sha256sum }} + # checksum/oauth-config: { include (print $.Template.BasePath "/oauth.configmap.yaml") . | sha256sum }} + # checksum/oauth-secret: { include (print $.Template.BasePath "/oauth.secret.yaml") . | sha256sum }} + checksum/config: {{ include (print $.Template.BasePath "/oauth.configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/oauth.secret.yaml") . 
| sha256sum }} + spec: + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + ports: + - containerPort: {{ .Values.nginx.service.http.internalPort }} + volumeMounts: + - name: nginx-config + mountPath: /etc/nginx/conf.d + # - name: source + # mountPath: /usr/share/nginx/html + livenessProbe: + tcpSocket: + port: {{ .Values.nginx.service.http.internalPort }} + readinessProbe: + tcpSocket: + port: {{ .Values.nginx.service.http.internalPort }} + resources: +{{ toYaml .Values.nginx.resources | indent 12 }} + + # Sidecar oauth2_proxy container + - name: oauth + image: "{{ .Values.oauth.image.repository }}:{{ .Values.oauth.image.tag }}" + imagePullPolicy: {{ .Values.oauth.image.pullPolicy }} + args: + - "-config" + - "/usr/share/oauth2_proxy/config" + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: client_id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: client_secret + - name: OAUTH2_PROXY_COOKIE_NAME + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: cookie_name + - name: OAUTH2_PROXY_COOKIE_DOMAIN + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: cookie_domain + - name: OAUTH2_PROXY_COOKIE_EXPIRE + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: cookie_expire + - name: OAUTH2_PROXY_COOKIE_REFRESH + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: cookie_refresh + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . }} + key: cookie_secret + - name: OAUTH2_PROXY_WHITELIST_DOMAIN + valueFrom: + secretKeyRef: + name: {{ template "fullname_oauth" . 
}} + key: whitelist_domain + ports: + - containerPort: 81 + volumeMounts: + - name: config + mountPath: /usr/share/oauth2_proxy + livenessProbe: + tcpSocket: + port: 81 + readinessProbe: + tcpSocket: + port: 81 + resources: +{{ toYaml .Values.oauth.resources | indent 12 }} + + volumes: + - name: nginx-config + configMap: + name: {{ template "fullname_proxy" . }} + - name: config + configMap: + name: {{ template "fullname_oauth" . }} diff --git a/incubator/nginx-iap/templates/nginx.service.yaml b/incubator/nginx-iap/templates/nginx.service.yaml new file mode 100644 index 00000000..06621f7a --- /dev/null +++ b/incubator/nginx-iap/templates/nginx.service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "fullname_proxy" . }} + labels: + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" +{{- if .Values.nginx.service.labels }} +{{ toYaml .Values.nginx.service.labels | indent 4 }} +{{- end }} +{{- if .Values.nginx.service.annotations }} + annotations: +{{ toYaml .Values.nginx.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.nginx.service.type }} + ports: + - port: {{ .Values.nginx.service.http.externalPort }} + targetPort: {{ .Values.nginx.service.http.internalPort }} + protocol: TCP + name: http + selector: + app: {{ template "fullname" . }} diff --git a/incubator/nginx-iap/templates/oauth.configmap.yaml b/incubator/nginx-iap/templates/oauth.configmap.yaml new file mode 100644 index 00000000..93652bb6 --- /dev/null +++ b/incubator/nginx-iap/templates/oauth.configmap.yaml 
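Review bot: The pod-template annotations hash `oauth.configmap.yaml` and `oauth.secret.yaml` but not `nginx.configmap.yaml`, so an upgrade that only changes the nginx `default.conf` leaves the running pods on the old config (the ConfigMap volume updates eventually, but nginx never re-reads it); add `checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx.configmap.yaml") . | sha256sum }}` beside the existing two. Both containers are pulled from mutable tags (`nginx:alpine`, `cloudposse/oauth2-proxy:2.2`) with `pullPolicy: Always`, so what runs can change under a fixed chart version; pin by digest or at least an immutable tag in `values.yaml`. Neither container sets a `securityContext`; the oauth2_proxy sidecar in particular needs no capabilities or writable filesystem, so `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` are cheap hardening for it (the stock nginx image binds port 80 as root, so that one needs a non-root image or a higher port first). `extensions/v1beta1` for Deployment is the API of this chart's era but is gone from current clusters; worth a comment in `Chart.yaml` or the README about the supported Kubernetes range.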
@@ -0,0 +1,193 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "fullname_oauth" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + config: |- + ## OAuth2 Proxy Config File + ## https://github.com/bitly/oauth2_proxy + + ## : to listen on for HTTP clients + http_address = "http://0.0.0.0:81" + ## : to listen on for HTTPS clients + https_address = ":9999" # value required but HTTPS service is not used + + {{- if .Values.oauth.app.useSSL }} + ## TLS Settings + tls_cert_file = "" + tls_key_file = "" + {{- end }} + {{- if .Values.oauth.app.insecureSSL }} + ssl_insecure_skip_verify = true + {{- end }} + + ## the http url(s) of the upstream endpoint. If multiple, routing is based on path + upstreams = [ + {{ block "oauth2_proxy_upstreams" . }} + {{- range $value := .Values.oauth.app.upstreams }} + {{- if not (empty $value) }} + {{ $value | quote }}, + {{- end }} + {{- end }} + {{- end }} + ] + + ## the OAuth Redirect URL. + # defaults to the "https://" + requested host header + "/oauth2/callback" + {{- if .Values.oauth.app.redirectUrl }} + # REALLY, you dont want to mess with this. The requested host header is perfect. 
+ # redirect_url = {{ .Values.oauth.app.redirectUrl | quote }} + {{- end }} + + ## Log requests to stdout + request_logging = {{ .Values.oauth.app.requestLogging }} + + ## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream + pass_basic_auth = {{ .Values.oauth.app.passBasicAuth }} + ## pass the request Host Header to upstream + ## when disabled the upstream Host is used as the Host Header + pass_host_header = {{ .Values.oauth.app.passHostHeader }} + + set_xauthrequest = {{ .Values.oauth.app.setXAuthRequest }} + + ## Email Domains to allow authentication for (this authorizes any email on this domain) + ## for more granular authorization use `authenticated_emails_file` + ## To authorize any email addresses use "*" + email_domains = [ + {{- range $value := .Values.oauth.app.emailDomains }} + {{- if not (empty $value) }} + {{ $value | quote | indent 4 }}, + {{- end }} + {{- end }} + ] + + ## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token" + pass_access_token = {{ .Values.oauth.app.passAccessToken }} + + ## Authenticated Email Addresses File (one email per line) + authenticated_emails_file = "/usr/share/oauth2_proxy/emails" + + ## Htpasswd File (optional) + ## Additionally authenticate against a htpasswd file. 
Entries must be created with "htpasswd -s" for SHA encryption + ## enabling exposes a username/login signin form + {{- if not ( empty .Values.oauth.app.htpasswdFile) }} + htpasswd_file = "/usr/share/oauth2_proxy/htpasswd" + {{- end }} + + ## Templates + ## optional directory with custom sign_in.html and error.html + # custom_templates_dir = "" + + ## Cookie Settings + ## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended) + ## HttpOnly - httponly cookies are not readable by javascript (recommended) + cookie_secure = {{ .Values.oauth.app.cookieSecure }} + cookie_httponly = {{ .Values.oauth.app.cookieHttponly }} + + {{- if .Values.oauth.app.proxyPrefix }} + proxy-prefix = {{ .Values.oauth.app.proxyPrefix | quote }} + {{- end }} + + {{- if .Values.oauth.app.azureTenant }} + azure_tenant = {{ .Values.oauth.app.azureTenant | quote }} + {{- end }} + + {{- if .Values.oauth.app.githubOrg }} + github_org = {{ .Values.oauth.app.githubOrg | quote }} + {{- end }} + + {{- if .Values.oauth.app.githubTeam }} + github_team = {{ .Values.oauth.app.githubTeam | quote }} + {{- end }} + + google_group = [ + {{- range $value := .Values.oauth.app.googleGroups }} + {{- if not (empty $value) }} + {{ $value | quote | indent 4 }}, + {{- end }} + {{- end }} + ] + + {{- if .Values.oauth.app.googleAdminEmail }} + google_admin_email = {{ .Values.oauth.app.googleAdminEmail | quote }} + {{- end }} + + {{- if .Values.oauth.app.googleServiceAccountJson }} + google_service_account_json = {{ .Values.oauth.app.googleServiceAccountJson | quote }} + {{- end }} + + {{- if .Values.oauth.app.displayHtpasswdForm }} + display_htpasswd_form = {{ .Values.oauth.app.displayHtpasswdForm | quote }} + {{- end }} + + {{- if .Values.oauth.app.basicAuthPassword }} + basic_auth_password = {{ .Values.oauth.app.basicAuthPassword | quote }} + {{- end }} + + {{- if .Values.oauth.app.skipProviderButton }} + skip_provider_button = {{ .Values.oauth.app.skipProviderButton }} + {{- end }} + + 
{{- if .Values.oauth.app.provider }} + provider = {{ .Values.oauth.app.provider | quote }} + {{- end }} + + {{- if .Values.oauth.app.loginUrl }} + login_url = {{ .Values.oauth.app.loginUrl | quote }} + {{- end }} + + {{- if .Values.oauth.app.redeemUrl }} + redeem_url = {{ .Values.oauth.app.redeemUrl | quote }} + {{- end }} + + {{- if .Values.oauth.app.profileUrl }} + profile_url = {{ .Values.oauth.app.profileUrl | quote }} + {{- end }} + + {{- if .Values.oauth.app.resource }} + resource = {{ .Values.oauth.app.resource | quote }} + {{- end }} + + {{- if .Values.oauth.app.validateUrl }} + validate_url = {{ .Values.oauth.app.validateUrl | quote }} + {{- end }} + + {{- if .Values.oauth.app.scope }} + scope = {{ .Values.oauth.app.scope | quote }} + {{- end }} + + {{- if .Values.oauth.app.approvalPrompt }} + approval_prompt = {{ .Values.oauth.app.approvalPrompt | quote }} + {{- end }} + + {{- if .Values.oauth.app.signatureKey }} + signature_key = {{ .Values.oauth.app.signatureKey | quote }} + {{- end }} + + skip_auth_regex = [ + {{- range $value := .Values.oauth.app.skipAuthRegex }} + {{- if not (empty $value) }} + {{ $value | quote | indent 4 }}, + {{- end }} + {{- end }} + ] + + + emails: |- + {{- range $value := .Values.oauth.app.emails }} + {{- if not (empty $value) }} + {{ $value }} + {{- end }} + {{- end }} + + htpasswd: |- + {{- range $value := .Values.oauth.app.htpasswdFile }} + {{- if not (empty $value) }} + {{ $value }} + {{- end }} + {{- end }} diff --git a/incubator/nginx-iap/templates/oauth.secret.yaml b/incubator/nginx-iap/templates/oauth.secret.yaml new file mode 100644 index 00000000..fdadba84 --- /dev/null +++ b/incubator/nginx-iap/templates/oauth.secret.yaml 
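Review bot: Several credentials are rendered into this ConfigMap in clear text — `signature_key`, `basic_auth_password`, `google_service_account_json`, and the `htpasswd` file body — while the chart already routes `client_secret` and `cookie_secret` through `oauth.secret.yaml` and `secretKeyRef` env vars. Move these four to the Secret as well; oauth2_proxy reads the same settings from `OAUTH2_PROXY_SIGNATURE_KEY` and `OAUTH2_PROXY_BASIC_AUTH_PASSWORD` (I believe the env names follow the config keys this way — confirm against the image's option list), and the htpasswd and service-account JSON can be mounted from the Secret at the paths this config already names. The header comment could state the split explicitly, e.g. `## Non-secret settings only; credentials are injected from the Secret via env/volume`. `https_address = ":9999"` with the comment "value required but HTTPS service is not used" is fine, but since the process binds `http_address` on `0.0.0.0:81` it is reachable from any pod, not only from the nginx sidecar on `127.0.0.1`; a NetworkPolicy limiting ingress to port 80 (or binding to `127.0.0.1:81` and moving the probes to an exec check) would close that.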
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "fullname_oauth" . }} + labels: + app: {{ template "fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + client_id: {{ default "" .Values.oauth.app.clientID | trim | b64enc | quote }} + client_secret: {{ default "" .Values.oauth.app.clientSecret | trim | b64enc | quote }} + cookie_name: {{ default "" .Values.oauth.app.cookieName | trim | b64enc | quote }} + cookie_secret: {{ default "" .Values.oauth.app.cookieSecret | trim | b64enc | quote }} + cookie_domain: {{ printf ".%s.%s" .Values.iap_hostname .Values.DNS_ZONE | b64enc | quote }} + cookie_expire: {{ default "" .Values.oauth.app.cookieExpire | trim | b64enc | quote }} + cookie_refresh: {{ default "" .Values.oauth.app.cookieRefresh | trim | b64enc | quote }} + whitelist_domain: {{ printf ".%s.%s" .Values.iap_hostname .Values.DNS_ZONE | trim | b64enc | quote }} diff --git a/incubator/nginx-iap/values.yaml b/incubator/nginx-iap/values.yaml new file mode 100644 index 00000000..b8905708 --- /dev/null +++ b/incubator/nginx-iap/values.yaml 
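Review bot: Every key here uses `default ""`, so a release with no `oauth.app.clientID`, `clientSecret` or `cookieSecret` renders an "empty" Secret and the failure surfaces only as a crash-looping oauth2_proxy (which, as far as I recall, refuses to start without a cookie secret — verify for this image). Fail at render time instead: `client_secret: {{ required "oauth.app.clientSecret is required" .Values.oauth.app.clientSecret | trim | b64enc | quote }}`, and likewise for `clientID` and `cookieSecret`. `cookie_domain` and `whitelist_domain` are built as `.%s.%s` from `iap_hostname` and `DNS_ZONE`, and `DNS_ZONE` defaults to `""`, so the default render produces the cookie domain `.iap.` — `required` on `.Values.DNS_ZONE` in this template would catch that too. A short comment noting that `cookie_domain`/`whitelist_domain`/`cookie_expire`/`cookie_refresh` are not secret but live here so the sidecar's env block has a single source would save the next reader a question.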
@@ -0,0 +1,146 @@ +# This is a YAML-formatted file. +# Declare variables here to be passed into your templates. +--- + +DNS_ZONE: "" # iap.staging.example.com +iap_hostname: iap +kube_dns_hostname: kube-dns.kube-system.svc.cluster.local. # trailing dot is correct + +replicaCount: 1 + +# Default values for ingress resource +ingress: + annotations: ~ + labels: ~ + hosts: + # - iap.staging.example.com + +# Default values for nginx. +nginx: + image: + repository: nginx + tag: alpine + pullPolicy: Always + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + service: + name: proxy + type: ClusterIP + # labels: + # dns: "route53" + # annotations: + # kubernetes.io/tls-acme: "true" + # domainName: "foobar.com" + # dnsRecordType: "CNAME" + # dnsRecordTTL: "300" + http: + externalPort: 80 + internalPort: 80 + +# Default values for oauth2-proxy. +oauth: + # oauth2_proxy config file settings: + app: + useSSL: false + upstreams: + # do not change + - http://localhost/ + + # Enabled provider + provider: "github" + + # Common oauth configs + clientID: + clientSecret: + scope: + redirectUrl: + + # Github specific configs + githubOrg: + githubTeam: + + # Github or Gitlab specific configs + loginUrl: + redeemUrl: + validateUrl: + + # MS Azure specific configs + azureTenant: + resource: + + # Google specific configs + googleGroups: + # - "group" + googleAdminEmail: + googleServiceAccountJson: + + # HTTP auth configs + basicAuthPassword: + displayHtpasswdForm: + htpasswdFile: + + # Email filters + emailDomains: + - "*" + emails: + # - igor@cloudposse.com + + # OAuth2 proxy configs + approvalPrompt: + requestLogging: false + passAccessToken: false + passBasicAuth: true + passHostHeader: true + setXAuthRequest: true + customTemplatesDir: + proxyPrefix: + skipAuthRegex: + # - ".*" + skipProviderButton: + profileUrl: + signatureKey: + + # OAuth2 proxy session cookie config + cookieName: + cookieSecret: + cookieDomain: + cookieExpire: + cookieRefresh: 
+ cookieSecure: true + cookieHttponly: false + + # oauth settings + replicaCount: 1 + image: + repository: cloudposse/oauth2-proxy + tag: 2.2 + pullPolicy: Always + service: + name: oauth + type: ClusterIP + # labels: + # dns: "route53" + # annotations: + # kubernetes.io/tls-acme: "true" + # domainName: "foobar.com" + # dnsRecordType: "CNAME" + # dnsRecordTTL: "300" + http: + externalPort: 80 + internalPort: 80 + # https: + # # not used + # externalPort: 443 + # internalPort: 443 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi
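Review bot: `cookieHttponly: false` makes the oauth2_proxy session cookie readable by any script on a `*.iap.DOMAIN` page, which includes every PR app proxied through this IAP; nothing in the chart needs JavaScript access to it, so the default should be `cookieHttponly: true`. With `emailDomains: ["*"]` and `githubOrg`/`githubTeam`/`emails` all empty, the default `provider: "github"` setup authenticates any GitHub account — comment that explicitly above `emailDomains`, e.g. `# "*" accepts any account the provider authenticates; set githubOrg/googleGroups/emails to restrict access`, so nobody ships the defaults believing they are restrictive. The example comment on `DNS_ZONE` (`# iap.staging.example.com`) is misleading: the templates render `{{ .Values.iap_hostname }}.{{ .Values.DNS_ZONE }}`, so that value would yield `iap.iap.staging.example.com`; change the comment to `# staging.example.com (the templates prepend iap_hostname)`. The `nginx.image.tag: alpine` and `oauth.image.tag: 2.2` defaults are mutable tags paired with `pullPolicy: Always`; pin them or say in a comment that operators are expected to.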