replace tls client cert auth with oauth and add localai stub [ci skip]

2023-10-22 14:07:14 +00:00 · 2023-10-22 14:07:14 +00:00 · 4efa47172c
commit 4efa47172c
parent 2554ecf0ec
8 changed files with 171 additions and 22 deletions
--- a/modules/kubernetes/oauth-proxy/main.tf
+++ b/modules/kubernetes/oauth-proxy/main.tf
@ -18,6 +18,10 @@ variable "oauth2_proxy_client_secret" {
 variable "oauth2_proxy_client_id" {
  type = string
 }
+variable "authenticated_emails" {
+  type    = string
+  default = ""
+}

 module "tls_secret" {
  source          = "../setup_tls_secret"
@ -60,6 +64,21 @@ resource "kubernetes_config_map" "config" {
  }
 }

+resource "kubernetes_config_map" "authorized-emails" {
+  metadata {
+    name      = "authorized-emails"
+    namespace = "oauth2"
+
+    annotations = {
+      "reloader.stakater.com/match" = "true"
+    }
+  }
+
+  data = {
+    "authorized_emails.txt" = var.authenticated_emails
+  }
+}
+
 resource "random_password" "cookie" {
  length           = 16
  special          = true
@ -114,7 +133,7 @@ resource "kubernetes_deployment" "oauth2-proxy" {
        container {
          image = "quay.io/pusher/oauth2_proxy:latest"
          name  = "oauth2-proxy"
-          args  = ["--provider=google", "--email-domain=*", "--upstream=file:///dev/null", "--upstream=http://localhost/redirect/", "--http-address=0.0.0.0:4180", "--cookie-domain=.viktorbarzin.me", "--footer=-"]
+          args  = ["--provider=google", "--upstream=file:///dev/null", "--upstream=http://localhost/redirect/", "--http-address=0.0.0.0:4180", "--cookie-domain=.viktorbarzin.me", "--footer=-", "--authenticated-emails-file=/etc/authorized_emails/authorized_emails.txt"]
          env {
            name  = "OAUTH2_PROXY_CLIENT_ID"
            value = var.oauth2_proxy_client_id
@ -132,6 +151,10 @@ resource "kubernetes_deployment" "oauth2-proxy" {
            container_port = 4180
            protocol       = "TCP"
          }
+          volume_mount {
+            name       = "authorized-emails"
+            mount_path = "/etc/authorized_emails"
+          }
        }
        volume {
          name = "config"
@ -139,6 +162,12 @@ resource "kubernetes_deployment" "oauth2-proxy" {
            name = "oauth2-proxy-nginx"
          }
        }
+        volume {
+          name = "authorized-emails"
+          config_map {
+            name = "authorized-emails"
+          }
+        }
      }
    }
  }