From 601147a3d56c079e1caa8454b25f47d29842d6d4 Mon Sep 17 00:00:00 2001 From: Cedric Verstraeten Date: Fri, 4 Oct 2024 08:53:01 +0200 Subject: [PATCH 1/3] add support for oauth2-proxy --- .../hub/templates/kerberos-hub/hub-api.yaml | 2 +- .../templates/kerberos-hub/hub-frontend.yaml | 36 ++++++++++ .../kerberos-hub/hub-oauth2-proxy.yaml | 65 +++++++++++++++++++ charts/hub/values.yaml | 49 ++++++++------ 4 files changed, 132 insertions(+), 20 deletions(-) create mode 100644 charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml diff --git a/charts/hub/templates/kerberos-hub/hub-api.yaml b/charts/hub/templates/kerberos-hub/hub-api.yaml index aeab0f9..befe706 100644 --- a/charts/hub/templates/kerberos-hub/hub-api.yaml +++ b/charts/hub/templates/kerberos-hub/hub-api.yaml @@ -140,7 +140,7 @@ spec: - name: READ_ONLY value: "{{ .Values.readonly }}" - name: SUPPORT_ENABLED - value: "{{ .Values.kerberoshub.support }}" + value: "{{ .Values.kerberoshub.support.enabled }}" - name: CLOUD_API_URL value: "{{ .Values.kerberoshub.api.url }}" - name: API_URL diff --git a/charts/hub/templates/kerberos-hub/hub-frontend.yaml b/charts/hub/templates/kerberos-hub/hub-frontend.yaml index dedb733..683964c 100644 --- a/charts/hub/templates/kerberos-hub/hub-frontend.yaml +++ b/charts/hub/templates/kerberos-hub/hub-frontend.yaml @@ -23,6 +23,10 @@ metadata: name: hub-frontend-ingress annotations: kubernetes.io/ingress.class: {{ .Values.ingress }} + {{ if .Values.kerberoshub.oauth2Proxy.enabled }} + nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri" + {{- end }} {{- if eq .Values.ingress "nginx" }} kubernetes.io/tls-acme: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" 
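Review bot: The `nginx.ingress.kubernetes.io/auth-url` and `auth-signin` annotations added in the first hub-frontend hunk are nginx-specific but are guarded only by `.Values.kerberoshub.oauth2Proxy.enabled`, not by `eq .Values.ingress "nginx"` like the sibling block directly below, so with any other ingress class the frontend renders with no auth annotations and is left unprotected while the value claims otherwise. Either make the unsupported combination fail the render, `{{- if and .Values.kerberoshub.oauth2Proxy.enabled (ne .Values.ingress "nginx") }}{{ fail "oauth2Proxy requires ingress=nginx" }}{{- end }}`, or document in values.yaml that the protection only applies with nginx. The opening `{{ if ... }}` also lacks the `-` whitespace trim used by its own `{{- end }}` and the neighbouring `{{- if`, which may leave a stray indented blank line in the rendered annotations; `{{- if .Values.kerberoshub.oauth2Proxy.enabled }}` matches the surrounding style.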
@@ -99,6 +103,38 @@ spec: servicePort: 80 {{- end }} {{ end }} +{{- if .Values.kerberoshub.oauth2Proxy.enabled -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: oauth2-proxy + namespace: kube-system + annotations: + kubernetes.io/ingress.class: {{ .Values.ingress }} + {{- if eq .Values.ingress "nginx" }} + cert-manager.io/cluster-issuer: letsencrypt-prod + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + {{- end }} +spec: + ingressClassName: nginx + rules: + - host: {{ .Values.kerberoshub.frontend.url }} + http: + paths: + - path: /oauth2 + pathType: Prefix + backend: + service: + name: oauth2-proxy + port: + number: 4180 + tls: + - hosts: + - {{ .Values.kerberoshub.frontend.url }} + secretName: oauth2-proxy-tls +{{- end -}} --- apiVersion: apps/v1 kind: Deployment diff --git a/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml b/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml new file mode 100644 index 0000000..c4a49df --- /dev/null +++ b/charts/hub/templates/kerberos-hub/hub-oauth2-proxy.yaml 
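Review bot: The new oauth2-proxy Ingress hardcodes `ingressClassName: nginx` and `cert-manager.io/cluster-issuer: letsencrypt-prod` while its annotation uses `kubernetes.io/ingress.class: {{ .Values.ingress }}`, so a non-nginx `.Values.ingress` produces an object that names two different classes; `ingressClassName: {{ .Values.ingress }}` keeps the two in step, and the issuer should come from a value rather than being fixed to a production issuer. The resource is also placed in `namespace: kube-system` with a fixed name, apart from the frontend Ingress it protects and outside the release namespace, which presumably means Helm will not remove it cleanly on uninstall and that two releases cannot coexist; unless a cluster namespace is required, `namespace: {{ .Release.Namespace }}` is the safer default. The `{{- if ... -}}`/`{{- end -}}` pair around the document is correct, so nothing renders while the feature is off.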
@@ -0,0 +1,65 @@ +{{- if .Values.kerberoshub.oauth2Proxy.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + k8s-app: oauth2-proxy + name: oauth2-proxy + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + k8s-app: oauth2-proxy + template: + metadata: + labels: + k8s-app: oauth2-proxy + spec: + containers: + - args: + - --provider=github + - --email-domain=* + - --upstream=file:///dev/null + - --http-address=0.0.0.0:4180 + env: + - name: OAUTH2_PROXY_CLIENT_ID + value: "{{ .Values.kerberoshub.oauth2Proxy.clientId }}" + - name: OAUTH2_PROXY_CLIENT_SECRET + value: "{{ .Values.kerberoshub.oauth2Proxy.clientSecret }}" + - name: OAUTH2_PROXY_COOKIE_SECRET + value: "{{ .Values.kerberoshub.oauth2Proxy.cookieSecret }}" + - name: OAUTH2_PROXY_GITHUB_ORG + value: "{{ .Values.kerberoshub.oauth2Proxy.githubOrg }}" + - name: OAUTH2_PROXY_GITHUB_TEAM + value: "{{ .Values.kerberoshub.oauth2Proxy.githubTeam }}" + image: quay.io/oauth2-proxy/oauth2-proxy:latest + imagePullPolicy: Always + name: oauth2-proxy + ports: + - containerPort: 4180 + protocol: TCP + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi +--- +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: oauth2-proxy + name: oauth2-proxy + namespace: kube-system +spec: + ports: + - name: http + port: 4180 + protocol: TCP + targetPort: 4180 + selector: + k8s-app: oauth2-proxy +{{- end -}} \ No newline at end of file diff --git a/charts/hub/values.yaml b/charts/hub/values.yaml index 639cadb..942f676 100644 --- a/charts/hub/values.yaml +++ b/charts/hub/values.yaml @@ -19,7 +19,8 @@ licenseServer: # - name: regcred # Environment: set to 'production', 'develop', 'demo', 'staging' or 'acceptance'. -# Set to 'true' if this is a private deployment. +# Change the environment to 'staging' or 'acceptance' will add a banner on the +# front-end, to indicate the environment. environment: "production" # Set to 'true' if this is a private deployment. 
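Review bot: The env block reads `.Values.kerberoshub.oauth2Proxy.clientId`, `.clientSecret`, `.cookieSecret`, `.githubOrg` and `.githubTeam`, but the values.yaml hunk at `@@ -347,6 +346,18 @@` defines these under `oauth2Proxy.github.*` as `clientId`, `clientSecret`, `cookieSecret`, `organization` and `team`, so with the shipped values every credential renders as an empty string and the proxy cannot authenticate anyone; the paths have to be aligned on one side (corrected template side below). The same block passes the client secret and cookie secret as plain `value:` entries rendered from values, which leaves them readable in the Deployment manifest and in the Helm release history; a `Secret` referenced through `valueFrom.secretKeyRef` is the usual shape for an authentication component. `image: quay.io/oauth2-proxy/oauth2-proxy:latest` together with `imagePullPolicy: Always` also means a pod restart may pull a different build of the component that gates the frontend; pin a tag or digest through a value, in the `repository`/`pullPolicy` style the rest of the chart uses.

```yaml
        env:
          - name: OAUTH2_PROXY_CLIENT_ID
            value: "{{ .Values.kerberoshub.oauth2Proxy.github.clientId }}"
          - name: OAUTH2_PROXY_CLIENT_SECRET
            value: "{{ .Values.kerberoshub.oauth2Proxy.github.clientSecret }}"
          - name: OAUTH2_PROXY_COOKIE_SECRET
            value: "{{ .Values.kerberoshub.oauth2Proxy.github.cookieSecret }}"
          - name: OAUTH2_PROXY_GITHUB_ORG
            value: "{{ .Values.kerberoshub.oauth2Proxy.github.organization }}"
          - name: OAUTH2_PROXY_GITHUB_TEAM
            value: "{{ .Values.kerberoshub.oauth2Proxy.github.team }}"
        # … unchanged: image, ports, resources, Service document …
```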
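Review bot: The rewritten comment `# Change the environment to 'staging' or 'acceptance' will add a banner on the` is ungrammatical; `# Changing the environment to 'staging' or 'acceptance' adds a banner on the front-end to indicate the environment.` says the same thing. The removed `# Set to 'true' if this is a private deployment.` line appears to have been a duplicate of the one still kept below `environment:`, so nothing is lost.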
@@ -65,17 +66,17 @@ queueName: "kcloud-event-queue" # This is the topic to which all events are send # RabbitMQ can be installed in the same cluster using a helm chart, or you can # use a service on cloud provider like AWS, GCP, Azure, etc. rabbitmq: - host: "rabbitmq.rabbitmq:5672" # can be internal dns name or external + host: "" # can be internal dns name or external #host: "amqps://b-xxx-xxx-xxx-xxx-xxx.mq.eu-central-1.amazonaws.com:5671" - username: "yourusername" - password: "yourpassword" + username: "" + password: "" exchange: "" # If you already have a Kafka cluster you might use this instead of RabbitMQ. kafka: - broker: "kafka1.yourdomain.com:9094" # can be internal dns name or external - username: "yourusername" - password: "yourpassword" + broker: "" # can be internal dns name or external + username: "" + password: "" mechanism: "PLAIN" security: "SASL_PLAINTEXT" @@ -150,8 +151,6 @@ email: # Kerberos hub properly working. kerberoshub: - # Enables the support environment. - support: false api: repository: kerberos/hub-api pullPolicy: IfNotPresent 
@@ -178,37 +177,37 @@ kerberoshub: #legacyUrl: "api.legacy.yourdomain.com" # MFA issuer name - mfaIssuer: "Kerberos.io" + mfaIssuer: "" # Admin API's are made available for automation of Kerberos Hub. # To access those API's (e.g. creation of owner users), an API key needs to be provided. - apiKey: "a-random-admin-api-key" + apiKey: "" ## Certificates tls: - hosts: - - "api.yourdomain.com" + - "" secretName: kerberoshub-api #- hosts: # - "api.legacy.yourdomain.com" # secretName: kerberoshub-api-legacy - hosts: - - "admin.api.yourdomain.com" + - "" secretName: kerberoshub-admin language: "english" fallbackLanguage: "english" # Legacy (reseller) it is possible to link to AWS S3 and IAM (however Kerberos Vault is now the recommended option). # This is primarily used for creation of subscriptions, and not needed if you are using mainly Kerberos Vault. aws: - region: "xxx" - bucket: "xxx" - accessKey: "xxx" - secretKey: "xxx" + region: "" + bucket: "" + accessKey: "" + secretKey: "" stripe: # We use stripe for billing, so it's possible to resell Kerberos Hub if agreed. - privateKey: "xxx" + privateKey: "" slack: # Slack is used in the api, to send logs to a specific Slack channel. enabled: "true" - hook: "yourslackhook" # https://hooks.slack.com/services/T08Q2Q9V5/xxKT/JALxxAk26bHtuqTfZ + hook: "" # https://hooks.slack.com/services/T08Q2Q9V5/xxKT/JALxxAk26bHtuqTfZ username: "Kerberos Hub" # The slack username elasticsearch: # Logs of the kerberos hub will be send to an elastic search cluster. enabled: "false" @@ -347,6 +346,18 @@ kerberoshub: navigationLinkTitle5: "" navigationLinkUrl5: "" + support: + enabled: false + + oauth2Proxy: + enabled: false + github: + clientId: "" + clientSecret: "" + cookieSecret: "" + organization: "" + team: "" + cleanup: repository: kerberos/hub-cleanup pullPolicy: IfNotPresent From 95ca1689dc8a3b60448937ff2d5db7cb2d0f6ed2 Mon Sep 17 00:00:00 2001 
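Review bot: The `tls.hosts` lists for the api and admin entries now hold a single empty string (`- ""`), so a chart rendered without overrides emits Ingress TLS blocks with an empty host, which the API server is likely to reject or cert-manager to ignore, whereas the other emptied values (`mfaIssuer`, `apiKey`, `aws.*`, `stripe.privateKey`) are plain strings that merely disable a feature. Prefer `hosts: []`, or keep the example hosts as a commented block like the `api.legacy.yourdomain.com` entry just below, so an unset value shows up as an empty list rather than a bogus host. If the templates iterate these lists, an empty list should render nothing — worth confirming against the api template.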
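Review bot: The new `support` and `oauth2Proxy` blocks are the only keys in this section without a comment, while neighbouring keys carry one (`# MFA issuer name`, `# Admin API's are made available ...`), and the comment that documented the old `support` key, `# Enables the support environment.`, was dropped at `@@ -150,8 +151,6 @@` rather than moved. Restore it above `support:` and add a header above `oauth2Proxy:` such as `# Put the front-end ingress behind oauth2-proxy using the GitHub provider; clientSecret and cookieSecret are credentials and should be supplied from a secret store rather than committed here.`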
From: Cedric Verstraeten Date: Fri, 4 Oct 2024 08:58:59 +0200 Subject: [PATCH 2/3] Create pr-description.yml --- .github/workflows/pr-description.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/pr-description.yml diff --git a/.github/workflows/pr-description.yml b/.github/workflows/pr-description.yml new file mode 100644 index 0000000..d0bfdb4 --- /dev/null +++ b/.github/workflows/pr-description.yml @@ -0,0 +1,19 @@ +name: Autofill PR description + +on: pull_request + +jobs: + openai-pr-description: + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v4 + - name: Autofill PR description if empty using OpenAI + uses: cedricve/azureopenai-pr-description@master + with: + github_token: ${{ secrets.TOKEN }} + openai_api_key: ${{ secrets.OPENAI_API_KEY }} + azure_openai_api_key: ${{ secrets.AZURE_OPENAI_API_KEY }} + azure_openai_endpoint: ${{ secrets.AZURE_OPENAI_ENDPOINT }} + azure_openai_version: ${{ secrets.AZURE_OPENAI_VERSION }} + overwrite_description: true From ea3c96b4f90571d1044cccc3fa07652b23c79e27 Mon Sep 17 00:00:00 2001 From: Cedric Verstraeten Date: Fri, 4 Oct 2024 14:24:58 +0200 Subject: [PATCH 3/3] Update Chart.yaml --- charts/hub/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/hub/Chart.yaml b/charts/hub/Chart.yaml index a429211..7413fc5 100644 --- a/charts/hub/Chart.yaml +++ b/charts/hub/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.56.0 +version: 0.57.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to
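Review bot: `uses: cedricve/azureopenai-pr-description@master` pins a third-party action to a mutable branch, so anyone who can push to that branch changes the code that runs with `secrets.TOKEN`, `secrets.OPENAI_API_KEY` and the Azure credentials on every pull request; pin it to a full commit SHA, `uses: cedricve/azureopenai-pr-description@<commit-sha>  # <version tag>`, and let a dependency bot bump it. The job declares no `permissions:` block and hands the action a separate `secrets.TOKEN` instead of `GITHUB_TOKEN`; if that token is a PAT it should be scoped to this repository only, and a `permissions:` block with `pull-requests: write` (plus `contents: read` if the checkout is actually needed) keeps the default token least-privilege. The action presumably sends the PR diff to an external model endpoint, so `overwrite_description: true` also means it rewrites whatever the author typed; confirm that is intended and that `on: pull_request` from forks, where secrets are not available, fails closed rather than posting.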