Update configs

koba1t · Sep 9, 2020 · 9d3463b · 9d3463b
1 parent d6993e8
commit 9d3463b
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -8,16 +8,27 @@ This project can provide for many user.
 Set up [kubernetes](https://github.com/kubernetes/kubernetes) cluster and install [ESC](https://github.com/koba1t/ESC).
 
 ## Install
-Apply container template resource.
+First, Create Namespace.
+```
+kubectl apply -f config/namespace.yaml
+```
+
+Apply container template and proxy resource.
 ```
 kubectl apply -f config/esc/template.yaml
+kubectl apply -f config/esc/esc-proxy.yaml
 ```
 
-And, apply users resource.
+And setup config for `config/ingress/` resources.\
+Describe is [here](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth)
+
+Edit `config/ingress/external-auth-ingress.yaml`.Change `< YOUR_DOMAIN_NAME_HERE >` to your domain.\
+And set `ssl-secret` to SSL secret for your domain.\
+(I'm using [cert-manager](https://github.com/jetstack/cert-manager))
+
+Edit `config/ingress/oauth2-proxy.yaml` to set `OAUTH2_PROXY_CLIENT_ID`,`OAUTH2_PROXY_CLIENT_SECRET` for github oauth and generate `OAUTH2_PROXY_COOKIE_SECRET` and set it.
 
 ```
-kubectl apply -f config/esc/user1.yaml
-kubectl apply -f config/esc/user2.yaml
-kubectl apply -f config/esc/user3.yaml
+kubectl apply -f config/ingress/external-auth-ingress.yaml
+kubectl apply -f config/ingress/oauth2-proxy.yaml
 ```
-
diff --git a/config/esc/esc-proxy.yaml b/config/esc/esc-proxy.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: esc-proxy
-  namespace: default
+  namespace: code-editor
 ---
 # permissions to do edit userlands.
 apiVersion: rbac.authorization.k8s.io/v1
@@ -42,14 +42,15 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: esc-proxy
-  namespace: default
+  namespace: code-editor
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: esc-proxy
   name: esc-proxy
+  namespace: code-editor
 spec:
   replicas: 1
   selector:
@@ -86,6 +87,7 @@ metadata:
   labels:
     app: esc-proxy
   name: esc-proxy
+  namespace: code-editor
 spec:
   ports:
   - name: http

diff --git a/config/esc/example-user.yaml b/config/esc/example-user.yaml
@@ -2,5 +2,6 @@ apiVersion: esc.k06.in/v1alpha1
 kind: Userland
 metadata:
   name: koba1t ##set github username
+  namespace: code-editor
 spec:
   templateName: vscode
diff --git a/config/esc/template.yaml b/config/esc/template.yaml
@@ -2,11 +2,12 @@ apiVersion: esc.k06.in/v1alpha1
 kind: Template
 metadata:
   name: vscode
+  namespace: code-editor
 spec:
   template:
     spec:
       containers:
-      - image: codercom/code-server:v2
+      - image: codercom/code-server:3.4.1
         name: code-server
         args: ["--auth","none"]
         volumeMounts:

diff --git a/config/ingress/external-auth-ingress.yaml b/config/ingress/external-auth-ingress.yaml
@@ -0,0 +1,37 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User, X-Auth-Request-Email, authorization"
+  name: external-auth-oauth2
+  namespace: code-editor
+spec:
+  rules:
+  - host: < YOUR_DOMAIN_NAME_HERE >
+    http:
+      paths:
+      - backend:
+          serviceName: esc-proxy
+          servicePort: 80
+        path: /
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: oauth2-proxy
+  namespace: code-editor
+spec:
+  rules:
+  - host: < YOUR_DOMAIN_NAME_HERE >
+    http:
+      paths:
+      - backend:
+          serviceName: oauth2-proxy
+          servicePort: 4180
+        path: /oauth2
+  tls:
+  - hosts:
+    - < YOUR_DOMAIN_NAME_HERE >
+    secretName: vscode-ssl-secret
diff --git a/config/ingress/oauth2-proxy.yaml b/config/ingress/oauth2-proxy.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: code-editor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        k8s-app: oauth2-proxy
+    spec:
+      containers:
+      - args:
+        - --provider=github
+        - --email-domain=*
+        - --upstream=file:///dev/null
+        - --http-address=0.0.0.0:4180
+        - --set-xauthrequest
+        # Register a new application
+        # https://github.com/settings/applications/new
+        env:
+        - name: OAUTH2_PROXY_CLIENT_ID
+          value: <Client ID>
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          value: <Client Secret>
+        # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          value: SECRET
+        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.0
+        imagePullPolicy: Always
+        name: oauth2-proxy
+        ports:
+        - containerPort: 4180
+          protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: code-editor
+spec:
+  ports:
+  - name: http
+    port: 4180
+    protocol: TCP
+    targetPort: 4180
+  selector:
+    k8s-app: oauth2-proxy
diff --git a/config/namespace.yaml b/config/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: code-editor