diff --git a/README.md b/README.md
index 204b4d9..b431959 100644
--- a/README.md
+++ b/README.md
@@ -8,16 +8,27 @@ This project can provide for many user.
 Set up [kubernetes](https://github.com/kubernetes/kubernetes) cluster and install [ESC](https://github.com/koba1t/ESC).
 ## Install
-Apply container template resource.
+First, Create Namespace.
+```
+kubectl apply -f config/namespace.yaml
+```
+
+Apply container template and proxy resource.
 ```
 kubectl apply -f config/esc/template.yaml
+kubectl apply -f config/esc/esc-proxy.yaml
 ```
-And, apply users resource.
+And setup config for `config/ingress/` resources.\
+Describe is [here](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth)
+
+Edit `config/ingress/external-auth-ingress.yaml`.Change `< YOUR_DOMAIN_NAME_HERE >` to your domain.\
+And set `ssl-secret` to SSL secret for your domain.\
+(I'm using [cert-manager](https://github.com/jetstack/cert-manager))
+
+Edit `config/ingress/oauth2-proxy.yaml` to set `OAUTH2_PROXY_CLIENT_ID`,`OAUTH2_PROXY_CLIENT_SECRET` for github oauth and generate `OAUTH2_PROXY_COOKIE_SECRET` and set it.
 ```
-kubectl apply -f config/esc/user1.yaml
-kubectl apply -f config/esc/user2.yaml
-kubectl apply -f config/esc/user3.yaml
+kubectl apply -f config/ingress/external-auth-ingress.yaml
+kubectl apply -f config/ingress/oauth2-proxy.yaml
 ```
-
diff --git a/config/esc/esc-proxy.yaml b/config/esc/esc-proxy.yaml
index cd21175..7a326fa 100644
--- a/config/esc/esc-proxy.yaml
+++ b/config/esc/esc-proxy.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: esc-proxy
-  namespace: default
+  namespace: code-editor
 ---
 # permissions to do edit userlands.
 apiVersion: rbac.authorization.k8s.io/v1
@@ -42,7 +42,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: esc-proxy
-  namespace: default
+  namespace: code-editor
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -50,6 +50,7 @@ metadata:
   labels:
     app: esc-proxy
   name: esc-proxy
+  namespace: code-editor
 spec:
   replicas: 1
   selector:
@@ -86,6 +87,7 @@ metadata:
   labels:
     app: esc-proxy
   name: esc-proxy
+  namespace: code-editor
 spec:
   ports:
   - name: http
diff --git a/config/esc/example-user.yaml b/config/esc/example-user.yaml
index 0d19de1..d0bca73 100644
--- a/config/esc/example-user.yaml
+++ b/config/esc/example-user.yaml
@@ -2,5 +2,6 @@ apiVersion: esc.k06.in/v1alpha1
 kind: Userland
 metadata:
   name: koba1t ##set github username
+  namespace: code-editor
 spec:
   templateName: vscode
diff --git a/config/esc/template.yaml b/config/esc/template.yaml
index e0a12ae..216f0a0 100644
--- a/config/esc/template.yaml
+++ b/config/esc/template.yaml
@@ -2,11 +2,12 @@ apiVersion: esc.k06.in/v1alpha1
 kind: Template
 metadata:
   name: vscode
+  namespace: code-editor
 spec:
   template:
     spec:
       containers:
-      - image: codercom/code-server:v2
+      - image: codercom/code-server:3.4.1
         name: code-server
         args: ["--auth","none"]
         volumeMounts:
diff --git a/config/ingress/external-auth-ingress.yaml b/config/ingress/external-auth-ingress.yaml
new file mode 100644
index 0000000..f79a081
--- /dev/null
+++ b/config/ingress/external-auth-ingress.yaml
@@ -0,0 +1,37 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User, X-Auth-Request-Email, authorization"
+  name: external-auth-oauth2
+  namespace: code-editor
+spec:
+  rules:
+  - host: < YOUR_DOMAIN_NAME_HERE >
+    http:
+      paths:
+      - backend:
+          serviceName: esc-proxy
+          servicePort: 80
+        path: /
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: oauth2-proxy
+  namespace: code-editor
+spec:
+  rules:
+  - host: < YOUR_DOMAIN_NAME_HERE >
+    http:
+      paths:
+      - backend:
+          serviceName: oauth2-proxy
+          servicePort: 4180
+        path: /oauth2
+  tls:
+  - hosts:
+    - < YOUR_DOMAIN_NAME_HERE >
+    secretName: vscode-ssl-secret
diff --git a/config/ingress/oauth2-proxy.yaml b/config/ingress/oauth2-proxy.yaml
new file mode 100644
index 0000000..6625690
--- /dev/null
+++ b/config/ingress/oauth2-proxy.yaml
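Review bot: Authorization behind this Ingress rests entirely on the `X-Auth-Request-User`/`X-Auth-Request-Email` headers named in `auth-response-headers`, yet nothing in the new config keeps the `esc-proxy` Service (port 80) from being reached inside the cluster without passing through ingress-nginx, where those headers would simply be whatever the caller sends. A NetworkPolicy in `code-editor` admitting traffic to esc-proxy only from the ingress controller (or esc-proxy verifying who is calling it) closes that gap; at minimum add above `annotations:` the comment `# esc-proxy trusts the identity headers forwarded below; it must be reachable only through this Ingress.`. Separately, only the `/oauth2` Ingress carries a `tls:` block; ingress-nginx merges TLS per host, but whether plain-HTTP requests to `/` on `external-auth-oauth2` are redirected then depends on that merge rather than on this file, so repeating the same `tls:` stanza (hosts plus `secretName: vscode-ssl-secret`) on the first Ingress makes the HTTPS-only intent explicit.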
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: code-editor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        k8s-app: oauth2-proxy
+    spec:
+      containers:
+      - args:
+        - --provider=github
+        - --email-domain=*
+        - --upstream=file:///dev/null
+        - --http-address=0.0.0.0:4180
+        - --set-xauthrequest
+        # Register a new application
+        # https://github.com/settings/applications/new
+        env:
+        - name: OAUTH2_PROXY_CLIENT_ID
+          value:
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          value:
+        # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          value: SECRET
+        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.0
+        imagePullPolicy: Always
+        name: oauth2-proxy
+        ports:
+        - containerPort: 4180
+          protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: oauth2-proxy
+  name: oauth2-proxy
+  namespace: code-editor
+spec:
+  ports:
+  - name: http
+    port: 4180
+    protocol: TCP
+    targetPort: 4180
+  selector:
+    k8s-app: oauth2-proxy
diff --git a/config/namespace.yaml b/config/namespace.yaml
new file mode 100644
index 0000000..bd59885
--- /dev/null
+++ b/config/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: code-editor
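Review bot: The OAuth client credentials and the cookie secret are inline `value:` literals in a committed Deployment — `OAUTH2_PROXY_CLIENT_ID` and `OAUTH2_PROXY_CLIENT_SECRET` are left as bare `value:` (which YAML reads as null) and `OAUTH2_PROXY_COOKIE_SECRET` as the placeholder `SECRET` — so following the README's "set it" step writes real secrets into this file and into git history. Source all three from a Kubernetes Secret via `valueFrom.secretKeyRef`, as in the rewrite below, which uses a placeholder Secret name and constructed key names. Separately, `--email-domain=*` together with `--provider=github` admits any GitHub account at the login step; unless esc-proxy itself rejects users that have no matching Userland, a `--github-org`/`--github-team` restriction should gate who can sign in at all. The `--set-xauthrequest` and `v5.1.0` pin are fine as written.
```yaml
        env:
        # Secret name below is a placeholder and the keys are constructed;
        # create the Secret out of band rather than committing its values.
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: < YOUR_SECRET_NAME_HERE >
              key: client-id
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: < YOUR_SECRET_NAME_HERE >
              key: client-secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: < YOUR_SECRET_NAME_HERE >
              key: cookie-secret
        # … unchanged: image, imagePullPolicy, name, ports …
```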