k8s: apps: add oauth2-proxy with forge-dev overlay

Signed-off-by: Nicolas Froger <nico@cri.epita.fr>

.gitlab/CODEOWNERS

@@ -3,5 +3,6 @@ k8s/apps/postgres/overlays/prod-1_forge-dev/ @meta/cri-roots @meta/labo-labsi-ro
 k8s/apps/kafka/overlays/prod-1_forge-dev/ @meta/cri-roots @meta/labo-labsi-roots @meta/labo-labsi-devs
 k8s/apps/git-server/ @meta/cri-roots @meta/labo-labsi-roots @meta/labo-labsi-devs
 k8s/apps/forge-intranet/ @meta/cri-roots @meta/labo-labsi-roots @meta/labo-labsi-devs
+k8s/apps/oauth2-proxy/clusters/prod-1/overlays/forge-dev @meta/cri-roots @meta/labo-labsi-roots @meta/labo-labsi-devs
 k8s/clusters/apps/apps/pgadmin.yml @meta/cri-roots @meta/labo-labsi-roots @meta/labo-labsi-devs
 k8s/clusters/apps/apps/kafka-console.yml @meta/cri-roots @meta/labo-labsi-roots @meta/labo-labsi-devs

k8s/apps/oauth2-proxy/base/deployment.yml

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: oauth2-proxy
+  name: oauth2-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy
+    spec:
+      containers:
+        - name: oauth2-proxy
+          image: quay.io/oauth2-proxy/oauth2-proxy
+          args:
+            - --email-domain=*
+          resources:
+            requests:
+              memory: 50Mi
+            limits:
+              memory: 50Mi
+          envFrom:
+            - configMapRef:
+                name: oauth2-proxy-config
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-oidc
+                  key: OPENID_CLIENT_ID
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-oidc
+                  key: OPENID_CLIENT_SECRET
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-session
+                  key: COOKIE_SECRET
+          ports:
+            - containerPort: 4180
+              protocol: TCP

k8s/apps/oauth2-proxy/base/kustomization.yml

+---
+kind: Kustomization
+
+resources:
+  - deployment.yml
+  - service.yml
+
+configMapGenerator:
+  - name: oauth2-proxy-config
+    literals:
+      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
+      - OAUTH2_PROXY_PROVIDER=oidc
+      - "OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Forge Auth"
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://cri.epita.fr
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=roles
+      - OAUTH2_PROXY_REVERSE_PROXY=true
+      - OAUTH2_PROXY_UPSTREAM=file:///dev/null
+      - OAUTH2_PROXY_SCOPE="openid email profile roles"
+
+images:
+  - name: quay.io/oauth2-proxy/oauth2-proxy
+    newTag: v7.4.0

k8s/apps/oauth2-proxy/base/service.yml

+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: oauth2-proxy
+  name: oauth2-proxy
+spec:
+  selector:
+    app: oauth2-proxy
+  ports:
+    - name: http
+      port: 4180
+      protocol: TCP
+      targetPort: 4180

k8s/apps/oauth2-proxy/clusters/prod-1/overlays/forge-dev/ingress.yml

+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oauth2-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: default-issuer
+    cert-manager.io/revision-history-limit: "1"
+spec:
+  ingressClassName: public
+  rules:
+    - host: auth-proxy-dev.prod-1.k8s.cri.epita.fr
+      http:
+        paths:
+          - path: /oauth2
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy
+                port:
+                  number: 4180
+  tls:
+    - hosts:
+        - auth-proxy-dev.prod-1.k8s.cri.epita.fr
+      secretName: oauth2-proxy-tls

k8s/apps/oauth2-proxy/clusters/prod-1/overlays/forge-dev/kustomization.yml

+---
+kind: Kustomization
+
+namespace: forge-dev-oauth2-proxy
+namePrefix: "forge-dev-"
+
+resources:
+  - ../../../../base
+  - secrets.yml
+  - ingress.yml
+
+configMapGenerator:
+  - name: oauth2-proxy-config
+    behavior: merge
+    literals:
+      - OAUTH2_PROXY_REDIRECT_URL=https://auth-proxy-dev.prod-1.k8s.cri.epita.fr/oauth2/callback
+      - OAUTH2_PROXY_COOKIE_DOMAIN=.prod-1.k8s.cri.epita.fr

k8s/apps/oauth2-proxy/clusters/prod-1/overlays/forge-dev/secrets.yml

+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: oauth2-proxy-oidc
+spec:
+  path: k8s-prod-1/forge-dev/oauth2-proxy-oidc
+  keys:
+    - OPENID_CLIENT_ID
+    - OPENID_CLIENT_SECRET
+  type: Opaque
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  name: oauth2-proxy-session
+spec:
+  path: k8s-prod-1/forge-dev/oauth2-proxy-session
+  keys:
+    - COOKIE_SECRET
+  type: Opaque

k8s/apps/oauth2-proxy/clusters/prod-1/overlays/kustomization.yml

+---
+kind: Kustomization
+
+resources:
+  - forge-dev

k8s/clusters/apps/apps/kafka-console.yml

+# yamllint disable rule:line-length
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -32,8 +33,8 @@ spec:
           annotations:
             cert-manager.io/cluster-issuer: default-issuer
             cert-manager.io/revision-history-limit: "1"
-            nginx.ingress.kubernetes.io/auth-type: basic
-            nginx.ingress.kubernetes.io/auth-secret: basic-auth
+            nginx.ingress.kubernetes.io/auth-url: "https://auth-proxy-dev.prod-1.k8s.cri.epita.fr/oauth2/auth?allowed_groups=kafka-console-dev"
+            nginx.ingress.kubernetes.io/auth-signin: "https://auth-proxy-dev.prod-1.k8s.cri.epita.fr/oauth2/start?rd=$escaped_request_uri"
             nginx.ingress.kubernetes.io/proxy-body-size: "1G"
           hosts:
             - host: kafka-console-dev.prod-1.k8s.cri.epita.fr

k8s/clusters/apps/apps/kustomization.yml

@@ -29,6 +29,7 @@ resources:
   - maas.yml
   - minio.yml
   - netbox.yml
+  - oauth2-proxy.yml
   - pgadmin.yml
   - postgres-forge-dev.yml
   - postgres.yml

k8s/clusters/apps/apps/oauth2-proxy.yml

+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: oauth2-proxy
+  labels:
+    app: oauth2-proxy
+spec:
+  generators:
+    - git:
+        repoURL: https://gitlab.cri.epita.fr/cri/iac/infrastructure.git
+        revision: HEAD
+        directories:
+          - path: k8s/apps/oauth2-proxy/clusters/*
+  template:
+    metadata:
+      name: "{{path.basename}}-oauth2-proxy"
+      labels:
+        app: oauth2-proxy
+    spec:
+      project: default
+      syncPolicy:
+        automated:
+          prune: true
+      destination:
+        name: "{{path.basename}}"
+        namespace: default
+      source:
+        repoURL: https://gitlab.cri.epita.fr/cri/iac/infrastructure.git
+        targetRevision: HEAD
+        path: "{{path}}"

k8s/clusters/apps/apps/pgadmin.yml

+# yamllint disable rule:line-length
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -39,8 +40,8 @@ spec:
           enabled: true
           annotations:
             cert-manager.io/cluster-issuer: default-issuer
-            nginx.ingress.kubernetes.io/auth-type: basic
-            nginx.ingress.kubernetes.io/auth-secret: basic-auth
+            nginx.ingress.kubernetes.io/auth-url: "https://auth-proxy-dev.prod-1.k8s.cri.epita.fr/oauth2/auth?allowed_groups=pgadmin-dev"
+            nginx.ingress.kubernetes.io/auth-signin: "https://auth-proxy-dev.prod-1.k8s.cri.epita.fr/oauth2/start?rd=$escaped_request_uri"
           hosts:
             - host: pgadmin-dev.prod-1.k8s.cri.epita.fr
               paths:

k8s/secrets/clusters/prod-1/.terraform.lock.hcl

@@ -76,6 +76,18 @@ provider "registry.terraform.io/hashicorp/tls" {
     "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=",
     "h1:zfM3dG7Vwu5WMGWKTZA2vMRJerafLyi3pI92/rwOt5M=",
     "h1:zuKFdcWuP98ajGTvCThCBncZnVCIcr2b0rRWXzFnZE8=",
+    "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+    "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+    "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+    "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+    "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+    "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+    "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+    "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+    "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+    "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+    "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
   ]
 }
 

k8s/secrets/clusters/prod-1/oauth2-proxy.tf

+resource "random_password" "forge-dev-oauth2-proxy-session" {
+  length           = 32
+  override_special = "-_"
+}
+
+resource "vault_generic_secret" "forge-dev-oauth2-proxy-session" {
+  path = "k8s-${local.cluster_name}/forge-dev/oauth2-proxy-session"
+  data_json = jsonencode({
+    COOKIE_SECRET = random_password.forge-dev-oauth2-proxy-session.result
+  })
+}
+
+resource "vault_generic_secret" "forge-dev-oauth2-proxy-oidc" {
+  path         = "k8s-${local.cluster_name}/forge-dev/oauth2-proxy-oidc"
+  disable_read = true
+  data_json = jsonencode({
+    OPENID_CLIENT_ID     = "FIXME"
+    OPENID_CLIENT_SECRET = "FIXME"
+  })
+}