
Merge pull request #1 from kerberos-io/feature/add-support-for-oauth2…
…-proxy

Feature/add support for oauth2 proxy
cedricve authored Oct 4, 2024
2 parents 3478d42 + ea3c96b commit 5a506cf
Showing 6 changed files with 152 additions and 21 deletions.
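--- a/.github/workflows/pr-description.yml
+++ b/.github/workflows/pr-description.yml
@@ -0,0 +1,19 @@
+name: Autofill PR description
+
+on: pull_request
+
+jobs:
+openai-pr-description:
+runs-on: ubuntu-22.04
+
+steps:
+- uses: actions/checkout@v4
+- name: Autofill PR description if empty using OpenAI
+uses: cedricve/azureopenai-pr-description@master
+with:
+github_token: ${{ secrets.TOKEN }}
+openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+azure_openai_api_key: ${{ secrets.AZURE_OPENAI_API_KEY }}
+azure_openai_endpoint: ${{ secrets.AZURE_OPENAI_ENDPOINT }}
+azure_openai_version: ${{ secrets.AZURE_OPENAI_VERSION }}
+overwrite_description: true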
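Review bot: The third-party action on the `uses: cedricve/azureopenai-pr-description@master` line is pinned to a mutable branch while it is handed `secrets.TOKEN` and the OpenAI/Azure keys, so any future push to that branch runs with those secrets inside this repository's workflow. Pin it to a full commit SHA, e.g. `uses: cedricve/azureopenai-pr-description@<commit-sha>  # <release tag>`, and add a top-level `permissions:` block (`contents: read`, `pull-requests: write`) so the job's default token carries no more than the description update needs; the hunk has no `permissions:` block at all. Note also that on `pull_request` events from forks repository secrets are not exposed, so the step cannot autofill those PRs, which deserves a comment above `on:` so nobody "fixes" it by switching to a more privileged trigger.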
2 changes: 1 addition & 1 deletion charts/hub/Chart.yaml
Expand Up @@ -16,7 +16,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.56.0
version: 0.57.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
2 changes: 1 addition & 1 deletion charts/hub/templates/kerberos-hub/hub-api.yaml
Expand Up @@ -140,7 +140,7 @@ spec:
- name: READ_ONLY
value: "{{ .Values.readonly }}"
- name: SUPPORT_ENABLED
value: "{{ .Values.kerberoshub.support }}"
value: "{{ .Values.kerberoshub.support.enabled }}"
- name: CLOUD_API_URL
value: "{{ .Values.kerberoshub.api.url }}"
- name: API_URL
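Review bot: Switching the SUPPORT_ENABLED value from `.Values.kerberoshub.support` to `.Values.kerberoshub.support.enabled` breaks any existing override that still sets `kerberoshub.support: true` as the old boolean: Go templates cannot evaluate `.enabled` on a bool, so `helm upgrade` fails at render time instead of falling back to false. The chart version only moves from 0.56.0 to 0.57.0 in this commit, so either document the renamed key (a comment above the new `support:` block in values.yaml or a NOTES/README entry) or accept both shapes, e.g. `value: "{{ if kindIs "map" .Values.kerberoshub.support }}{{ .Values.kerberoshub.support.enabled }}{{ else }}{{ .Values.kerberoshub.support }}{{ end }}"`. The enclosing container `env:` list starts outside the hunk.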
36 changes: 36 additions & 0 deletions charts/hub/templates/kerberos-hub/hub-frontend.yaml
Expand Up @@ -23,6 +23,10 @@ metadata:
name: hub-frontend-ingress
annotations:
kubernetes.io/ingress.class: {{ .Values.ingress }}
{{ if .Values.kerberoshub.oauth2Proxy.enabled }}
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
{{- end }}
{{- if eq .Values.ingress "nginx" }}
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
Expand Down Expand Up @@ -99,6 +103,38 @@ spec:
servicePort: 80
{{- end }}
{{ end }}
{{- if .Values.kerberoshub.oauth2Proxy.enabled -}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: kube-system
annotations:
kubernetes.io/ingress.class: {{ .Values.ingress }}
{{- if eq .Values.ingress "nginx" }}
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
{{- end }}
spec:
ingressClassName: nginx
rules:
- host: {{ .Values.kerberoshub.frontend.url }}
http:
paths:
- path: /oauth2
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
tls:
- hosts:
- {{ .Values.kerberoshub.frontend.url }}
secretName: oauth2-proxy-tls
{{- end -}}
---
apiVersion: apps/v1
kind: Deployment
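Review bot: The closing `{{- end -}}` on the last added line of the second hunk trims the newline before the pre-existing `---` that follows it, so when `oauth2Proxy.enabled` is true the output reads `secretName: oauth2-proxy-tls---` and the Deployment that follows is parsed as part of the Ingress document rather than as a new one; drop the trailing dash, `{{- end }}`. Two smaller points in the same hunk: `ingressClassName: nginx` is hard-coded while the annotation a few lines above uses `{{ .Values.ingress }}`, and the Ingress is placed in `namespace: kube-system` with a hard-coded `cert-manager.io/cluster-issuer: letsencrypt-prod`, neither of which the frontend Ingress in the visible lines assumes, so `{{ .Release.Namespace }}` and a values-driven issuer would keep the file consistent. In the first hunk `{{ if .Values.kerberoshub.oauth2Proxy.enabled }}` has no leading dash, which leaves a whitespace-only line inside `annotations:` when the feature is off; harmless, but `{{- if` matches the surrounding style.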
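--- a/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml
+++ b/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml
@@ -0,0 +1,65 @@
+{{- if .Values.kerberoshub.oauth2Proxy.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+labels:
+k8s-app: oauth2-proxy
+name: oauth2-proxy
+namespace: kube-system
+spec:
+replicas: 1
+selector:
+matchLabels:
+k8s-app: oauth2-proxy
+template:
+metadata:
+labels:
+k8s-app: oauth2-proxy
+spec:
+containers:
+- args:
+- --provider=github
+- --email-domain=*
+- --upstream=file:///dev/null
+- --http-address=0.0.0.0:4180
+env:
+- name: OAUTH2_PROXY_CLIENT_ID
+value: "{{ .Values.kerberoshub.oauth2Proxy.clientId }}"
+- name: OAUTH2_PROXY_CLIENT_SECRET
+value: "{{ .Values.kerberoshub.oauth2Proxy.clientSecret }}"
+- name: OAUTH2_PROXY_COOKIE_SECRET
+value: "{{ .Values.kerberoshub.oauth2Proxy.cookieSecret }}"
+- name: OAUTH2_PROXY_GITHUB_ORG
+value: "{{ .Values.kerberoshub.oauth2Proxy.githubOrg }}"
+- name: OAUTH2_PROXY_GITHUB_TEAM
+value: "{{ .Values.kerberoshub.oauth2Proxy.githubTeam }}"
+image: quay.io/oauth2-proxy/oauth2-proxy:latest
+imagePullPolicy: Always
+name: oauth2-proxy
+ports:
+- containerPort: 4180
+protocol: TCP
+resources:
+limits:
+cpu: 100m
+memory: 50Mi
+requests:
+cpu: 100m
+memory: 50Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+k8s-app: oauth2-proxy
+name: oauth2-proxy
+namespace: kube-system
+spec:
+ports:
+- name: http
+port: 4180
+protocol: TCP
+targetPort: 4180
+selector:
+k8s-app: oauth2-proxy
+{{- end -}}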
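Review bot: The env values read `.Values.kerberoshub.oauth2Proxy.clientId`, `.clientSecret`, `.cookieSecret`, `.githubOrg` and `.githubTeam`, but the `oauth2Proxy` block added to charts/hub/values.yaml in this same commit defines `clientId`, `clientSecret`, `organization` and `team` under a nested `github:` key (the rendered page has lost indentation, so where `cookieSecret` sits is uncertain), so with the shipped defaults every one of these renders empty and the proxy cannot start. Because the org/team values are the only thing narrowing `--email-domain=*`, a template/values mismatch that leaves them empty would admit any GitHub account, so the two files must agree, e.g. `value: "{{ .Values.kerberoshub.oauth2Proxy.github.clientSecret }}"` and `value: "{{ .Values.kerberoshub.oauth2Proxy.github.organization }}"`. The client secret and cookie secret are also injected as plain `value:` strings, which leaves them readable from the pod spec and the Helm release record; a `Secret` referenced via `valueFrom.secretKeyRef` is the usual shape. `image: quay.io/oauth2-proxy/oauth2-proxy:latest` with `imagePullPolicy: Always` means the authentication layer changes on any restart; pin a release tag, and consider `{{ .Release.Namespace }}` instead of the hard-coded `kube-system` for both the Deployment and the Service.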
49 changes: 30 additions & 19 deletions charts/hub/values.yaml
Expand Up @@ -19,7 +19,8 @@ licenseServer:
# - name: regcred

# Environment: set to 'production', 'develop', 'demo', 'staging' or 'acceptance'.
# Set to 'true' if this is a private deployment.
# Change the environment to 'staging' or 'acceptance' will add a banner on the
# front-end, to indicate the environment.
environment: "production"

# Set to 'true' if this is a private deployment.
Expand Down Expand Up @@ -65,17 +66,17 @@ queueName: "kcloud-event-queue" # This is the topic to which all events are send
# RabbitMQ can be installed in the same cluster using a helm chart, or you can
# use a service on cloud provider like AWS, GCP, Azure, etc.
rabbitmq:
host: "rabbitmq.rabbitmq:5672" # can be internal dns name or external
host: "<rabbitmq.rabbitmq:5672>" # can be internal dns name or external
#host: "amqps://b-xxx-xxx-xxx-xxx-xxx.mq.eu-central-1.amazonaws.com:5671"
username: "yourusername"
password: "yourpassword"
username: "<yourusername>"
password: "<yourpassword>"
exchange: ""

# If you already have a Kafka cluster you might use this instead of RabbitMQ.
kafka:
broker: "kafka1.yourdomain.com:9094" # can be internal dns name or external
username: "yourusername"
password: "yourpassword"
broker: "<kafka1.yourdomain.com:9094>" # can be internal dns name or external
username: "<yourusername>"
password: "<yourpassword>"
mechanism: "PLAIN"
security: "SASL_PLAINTEXT"

Expand Down Expand Up @@ -150,8 +151,6 @@ email:
# Kerberos hub properly working.

kerberoshub:
# Enables the support environment.
support: false
api:
repository: kerberos/hub-api
pullPolicy: IfNotPresent
Expand All @@ -178,37 +177,37 @@ kerberoshub:
#legacyUrl: "api.legacy.yourdomain.com"

# MFA issuer name
mfaIssuer: "Kerberos.io"
mfaIssuer: "<yourdomain.com>"

# Admin API's are made available for automation of Kerberos Hub.
# To access those API's (e.g. creation of owner users), an API key needs to be provided.
apiKey: "a-random-admin-api-key"
apiKey: "<a-random-admin-api-key>"

## Certificates
tls:
- hosts:
- "api.yourdomain.com"
- "<api.yourdomain.com>"
secretName: kerberoshub-api
#- hosts:
# - "api.legacy.yourdomain.com"
# secretName: kerberoshub-api-legacy
- hosts:
- "admin.api.yourdomain.com"
- "<admin.api.yourdomain.com>"
secretName: kerberoshub-admin
language: "english"
fallbackLanguage: "english"
# Legacy (reseller) it is possible to link to AWS S3 and IAM (however Kerberos Vault is now the recommended option).
# This is primarily used for creation of subscriptions, and not needed if you are using mainly Kerberos Vault.
aws:
region: "xxx"
bucket: "xxx"
accessKey: "xxx"
secretKey: "xxx"
region: "<xxx>"
bucket: "<xxx>"
accessKey: "<xxx>"
secretKey: "<xxx>"
stripe: # We use stripe for billing, so it's possible to resell Kerberos Hub if agreed.
privateKey: "xxx"
privateKey: "<xxx>"
slack: # Slack is used in the api, to send logs to a specific Slack channel.
enabled: "true"
hook: "yourslackhook" # https://hooks.slack.com/services/T08Q2Q9V5/xxKT/JALxxAk26bHtuqTfZ
hook: "<yourslackhook>" # https://hooks.slack.com/services/T08Q2Q9V5/xxKT/JALxxAk26bHtuqTfZ
username: "Kerberos Hub" # The slack username
elasticsearch: # Logs of the kerberos hub will be send to an elastic search cluster.
enabled: "false"
Expand Down Expand Up @@ -347,6 +346,18 @@ kerberoshub:
navigationLinkTitle5: ""
navigationLinkUrl5: ""

support:
enabled: false

oauth2Proxy:
enabled: false
github:
clientId: "<github-client-id>"
clientSecret: "<github-client-secret>"
cookieSecret: "<generate-a-random-cookie-secret>"
organization: "<github-organization>"
team: "<github-team>"

cleanup:
repository: kerberos/hub-cleanup
pullPolicy: IfNotPresent
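Review bot: The new `cookieSecret: "<generate-a-random-cookie-secret>"` placeholder carries no hint of its constraints: oauth2-proxy requires the cookie secret to decode to 16, 24 or 32 bytes and refuses to start otherwise, so add a comment above it such as `# Must be 16, 24 or 32 bytes (base64/URL-safe encoding accepted); keep the real value in a Kubernetes Secret, not in this file.`. The `support:` block replaces the former boolean `support: false` removed in an earlier hunk of this file, and a comment like `# Was a plain boolean ('support: false') before chart 0.57.0; overrides must use support.enabled now.` would spare operators a render-time error. Whether `cookieSecret`, `organization` and `team` sit under `github:` or directly under `oauth2Proxy:` cannot be read from the rendered page; the oauth2-proxy template in this commit reads flat keys (`clientId`, `githubOrg`, `githubTeam`), so the indentation and key names here need a check against it.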
