replace tls client cert auth with oauth and add localai stub [ci skip]

main.tf

@@ -34,6 +34,7 @@ variable "drone_rpc_secret" {}
 # variable "dockerhub_password" {}
 variable "oauth2_proxy_client_id" {}
 variable "oauth2_proxy_client_secret" {}
+variable "oauth2_proxy_authenticated_emails" {}
 variable "url_shortener_mysql_password" {}
 variable "url_shortener_geolite_license_key" {}
 variable "url_shortener_api_key" {}
@@ -253,8 +254,9 @@ module "kubernetes_cluster" {
   drone_rpc_secret           = var.drone_rpc_secret
 
   # Oauth proxy
-  oauth2_proxy_client_id = var.oauth2_proxy_client_id
-  oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+  oauth2_proxy_client_id            = var.oauth2_proxy_client_id
+  oauth2_proxy_client_secret        = var.oauth2_proxy_client_secret
+  oauth2_proxy_authenticated_emails = var.oauth2_proxy_authenticated_emails
   # oauth_client_id     = var.oauth_client_id
   # oauth_client_secret = var.oauth_client_secret
   # depends_on = [module.k8s_master, module.k8s_node1, module.k8s_node2] # wait until master and at least 2 nodes are up

modules/kubernetes/dbaas/main.tf

@@ -295,9 +295,11 @@ resource "kubernetes_ingress_v1" "phpmyadmin" {
     namespace = "dbaas"
 
     annotations = {
-      "kubernetes.io/ingress.class"                        = "nginx"
+      "kubernetes.io/ingress.class" = "nginx"
       # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
       # "nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
+      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
     }
   }
   spec {

modules/kubernetes/localai/chart_values.tpl

@@ -0,0 +1,93 @@
+replicaCount: 1
+
+deployment:
+  image: quay.io/go-skynet/local-ai:latest
+  env:
+    threads: 4
+    context_size: 512
+  modelsPath: "/models"
+
+resources:
+  {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# Prompt templates to include
+# Note: the keys of this map will be the names of the prompt template files
+promptTemplates:
+  {}
+  # ggml-gpt4all-j.tmpl: |
+  #   The prompt below is a question to answer, a task to complete, or a conversation to respond to; decide which and write an appropriate response.
+  #   ### Prompt:
+  #   {{.Input}}
+  #   ### Response:
+
+# Models to download at runtime
+models:
+  # Whether to force download models even if they already exist
+  forceDownload: false
+
+  # The list of URLs to download models from
+  # Note: the name of the file will be the name of the loaded model
+  list:
+    - url:
+        "https://gpt4all.io/models/ggml-gpt4all-j.bin"
+        # basicAuth: base64EncodedCredentials
+
+  # Persistent storage for models and prompt templates.
+  # PVC and HostPath are mutually exclusive. If both are enabled,
+  # PVC configuration takes precedence. If neither are enabled, ephemeral
+  # storage is used.
+  persistence:
+    pvc:
+      enabled: false
+      size: 2Gi
+      accessModes:
+        - ReadWriteOnce
+
+      annotations: {}
+
+      # Optional
+      storageClass: ~
+
+    hostPath:
+      enabled: false
+      path: "/models"
+
+service:
+  type: ClusterIP
+  port: 80
+  annotations: {}
+  # If using an AWS load balancer, you'll need to override the default 60s load balancer idle timeout
+  # service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "1200"
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: ai.viktorbarzin.me
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: "${tls_secret}"
+      hosts:
+        - ai.viktorbarzin.me
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

modules/kubernetes/localai/main.tf

@@ -1,3 +1,5 @@
+variable "tls_secret_name" {}
+
 resource "helm_release" "prometheus" {
   namespace        = "localai"
   create_namespace = true
@@ -6,6 +8,14 @@ resource "helm_release" "prometheus" {
   repository = "https://go-skynet.github.io/helm-charts/"
   chart      = "local-ai"
   #   version    = "15.0.2"
+  #   atomic          = true
+  #   cleanup_on_fail = true
 
-  values = [templatefile("${path.module}/prometheus_chart_values.tpl", { alertmanager_mail_pass = var.alertmanager_account_password, alertmanager_slack_api_url = var.alertmanager_slack_api_url })]
+  values = [templatefile("${path.module}/chart_values.tpl", { tls_secret = var.tls_secret_name })]
+}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "localai"
+  tls_secret_name = var.tls_secret_name
 }

modules/kubernetes/main.tf

@@ -21,6 +21,7 @@ variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
 variable "oauth2_proxy_client_id" {}
 variable "oauth2_proxy_client_secret" {}
+variable "oauth2_proxy_authenticated_emails" {}
 variable "url_shortener_geolite_license_key" {}
 variable "url_shortener_api_key" {}
 variable "url_shortener_mysql_password" {}
@@ -167,10 +168,11 @@ module "monitoring" {
 }
 
 module "oauth" {
-  source          = "./oauth-proxy"
-  tls_secret_name = var.tls_secret_name
-oauth2_proxy_client_id = var.oauth2_proxy_client_id
-oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+  source                     = "./oauth-proxy"
+  tls_secret_name            = var.tls_secret_name
+  oauth2_proxy_client_id     = var.oauth2_proxy_client_id
+  oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+  authenticated_emails       = var.oauth2_proxy_authenticated_emails
 
   depends_on = [null_resource.core_services]
 }
@@ -315,3 +317,8 @@ module "dashy" {
   source          = "./dashy"
   tls_secret_name = var.tls_secret_name
 }
+
+# module "localai" {
+#   source          = "./localai"
+#   tls_secret_name = var.tls_secret_name
+# }

modules/kubernetes/monitoring/grafana_chart_values.yaml

@@ -1,5 +1,5 @@
 deploymentStrategy:
-    type: Recreate
+  type: Recreate
 persistence:
   # storageClassName: rook-cephfs
   enabled: true
@@ -8,9 +8,11 @@ ingress:
   enabled: "true"
   annotations:
     kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
-    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+    # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
   tls:
     - secretName: "tls-secret"
       hosts:
@@ -35,7 +37,7 @@ dashboardProviders:
     # editable: "true"
     options:
       path: "/var/lib/grafana/dashboards/default"
-grafana.ini: 
+grafana.ini:
   auth.anonymous:
     enabled: true
     org_role: Viewer
@@ -53,7 +55,7 @@ grafana.ini:
     plugins: "/var/lib/grafana/plugins"
     provisioning: "/etc/grafana/provisioning"
   security:
-    allow_embedding: true  # Allow to be iframed
+    allow_embedding: true # Allow to be iframed
 dashboards:
   default:
     node_exporter:

modules/kubernetes/monitoring/prometheus_chart_values.tpl

@@ -13,9 +13,11 @@ alertmanager:
       kubernetes.io/ingress.class: nginx
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       # Enable client certificate authentication
-      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+      # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
       # Create the secret containing the trusted ca certificates
-      nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+      nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
     tls:
       - secretName: "tls-secret"
         hosts:
@@ -70,9 +72,11 @@ server:
       kubernetes.io/ingress.class: nginx
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       # Enable client certificate authentication
-      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+      # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
       # Create the secret containing the trusted ca certificates
-      nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+      nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+      nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
     tls:
       - secretName: "tls-secret"
         hosts:

modules/kubernetes/oauth-proxy/main.tf

@@ -18,6 +18,10 @@ variable "oauth2_proxy_client_secret" {
 variable "oauth2_proxy_client_id" {
   type = string
 }
+variable "authenticated_emails" {
+  type    = string
+  default = ""
+}
 
 module "tls_secret" {
   source          = "../setup_tls_secret"
@@ -60,6 +64,21 @@ resource "kubernetes_config_map" "config" {
   }
 }
 
+resource "kubernetes_config_map" "authorized-emails" {
+  metadata {
+    name      = "authorized-emails"
+    namespace = "oauth2"
+
+    annotations = {
+      "reloader.stakater.com/match" = "true"
+    }
+  }
+
+  data = {
+    "authorized_emails.txt" = var.authenticated_emails
+  }
+}
+
 resource "random_password" "cookie" {
   length           = 16
   special          = true
@@ -114,7 +133,7 @@ resource "kubernetes_deployment" "oauth2-proxy" {
         container {
           image = "quay.io/pusher/oauth2_proxy:latest"
           name  = "oauth2-proxy"
-          args  = ["--provider=google", "--email-domain=*", "--upstream=file:///dev/null", "--upstream=http://localhost/redirect/", "--http-address=0.0.0.0:4180", "--cookie-domain=.viktorbarzin.me", "--footer=-"]
+          args  = ["--provider=google", "--upstream=file:///dev/null", "--upstream=http://localhost/redirect/", "--http-address=0.0.0.0:4180", "--cookie-domain=.viktorbarzin.me", "--footer=-", "--authenticated-emails-file=/etc/authorized_emails/authorized_emails.txt"]
           env {
             name  = "OAUTH2_PROXY_CLIENT_ID"
             value = var.oauth2_proxy_client_id
@@ -132,6 +151,10 @@ resource "kubernetes_deployment" "oauth2-proxy" {
             container_port = 4180
             protocol       = "TCP"
           }
+          volume_mount {
+            name       = "authorized-emails"
+            mount_path = "/etc/authorized_emails"
+          }
         }
         volume {
           name = "config"
@@ -139,6 +162,12 @@ resource "kubernetes_deployment" "oauth2-proxy" {
             name = "oauth2-proxy-nginx"
           }
         }
+        volume {
+          name = "authorized-emails"
+          config_map {
+            name = "authorized-emails"
+          }
+        }
       }
     }
   }

modules/kubernetes/technitium/main.tf

@@ -155,10 +155,12 @@ resource "kubernetes_ingress_v1" "technitium" {
     name      = "technitium-ingress"
     namespace = "technitium"
     annotations = {
-      "kubernetes.io/ingress.class"                        = "nginx"
-      "nginx.ingress.kubernetes.io/affinity"               = "cookie"
-      "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
-      "nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
+      "kubernetes.io/ingress.class"          = "nginx"
+      "nginx.ingress.kubernetes.io/affinity" = "cookie"
+      # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+      # "nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
+      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
     }
   }
 

modules/kubernetes/url-shortener/main.tf

@@ -311,9 +311,11 @@ resource "kubernetes_ingress_v1" "shlink-web" {
     name      = "shlink-web-ingress"
     namespace = "url"
     annotations = {
-      "kubernetes.io/ingress.class"                        = "nginx"
-      "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
-      "nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
+      "kubernetes.io/ingress.class" = "nginx"
+      # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+      # "nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
+      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
     }
   }