diff --git a/main.tf b/main.tf
index 2d679dca..7f0dcd73 100644
--- a/main.tf
+++ b/main.tf
@@ -34,6 +34,7 @@ variable "drone_rpc_secret" {}
 # variable "dockerhub_password" {}
 variable "oauth2_proxy_client_id" {}
 variable "oauth2_proxy_client_secret" {}
+variable "oauth2_proxy_authenticated_emails" {}
 variable "url_shortener_mysql_password" {}
 variable "url_shortener_geolite_license_key" {}
 variable "url_shortener_api_key" {}
@@ -253,8 +254,9 @@ module "kubernetes_cluster" {
 drone_rpc_secret = var.drone_rpc_secret
 # Oauth proxy
- oauth2_proxy_client_id = var.oauth2_proxy_client_id
- oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+ oauth2_proxy_client_id = var.oauth2_proxy_client_id
+ oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+ oauth2_proxy_authenticated_emails = var.oauth2_proxy_authenticated_emails
 # oauth_client_id = var.oauth_client_id
 # oauth_client_secret = var.oauth_client_secret
 # depends_on = [module.k8s_master, module.k8s_node1, module.k8s_node2] # wait until master and at least 2 nodes are up
diff --git a/modules/kubernetes/dbaas/main.tf b/modules/kubernetes/dbaas/main.tf
index d7dbe483..666bb384 100644
--- a/modules/kubernetes/dbaas/main.tf
+++ b/modules/kubernetes/dbaas/main.tf
@@ -295,9 +295,11 @@ resource "kubernetes_ingress_v1" "phpmyadmin" {
 namespace = "dbaas"
 annotations = {
- "kubernetes.io/ingress.class" = "nginx"
+ "kubernetes.io/ingress.class" = "nginx"
 # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
 # "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
+ "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+ "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
 }
 }
 spec {
diff --git a/modules/kubernetes/localai/chart_values.tpl b/modules/kubernetes/localai/chart_values.tpl
new file mode 100644
index 00000000..7fb70512
--- /dev/null
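Review bot: `variable "oauth2_proxy_authenticated_emails" {}` is declared with no type and no description, although its value is the literal contents of an allow-list file (oauth2-proxy reads that file as one address per line) and the oauth-proxy module that finally consumes it declares `type = string`. Declaring it as `variable "oauth2_proxy_authenticated_emails" { type = string description = "Newline-separated e-mail addresses allowed through oauth2-proxy" }` rejects a list or set at plan time and makes the expected format discoverable at the root. The same untyped declaration is added in modules/kubernetes/main.tf, and localai/main.tf adds `variable "tls_secret_name" {}` in the same style.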
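Review bot: The new `auth-url` annotation on the phpmyadmin ingress points nginx's per-request auth subrequest at the public hostname `https://oauth2.viktorbarzin.me/oauth2/auth`, so every request hairpins out through the ingress and public TLS and depends on external DNS being up; the usual pattern is to keep `auth-signin` public and point `auth-url` at the in-cluster service, e.g. `"nginx.ingress.kubernetes.io/auth-url" = "http://<oauth2-proxy-service>.oauth2.svc.cluster.local:4180/oauth2/auth"` (service name to be confirmed; namespace `oauth2` and port 4180 come from the oauth-proxy module in this commit). The same annotation pair is added in technitium/main.tf, url-shortener/main.tf, grafana_chart_values.yaml and prometheus_chart_values.tpl. Minor: the new entries use `:` while the existing map entries use `=`, and the mTLS lines are commented out rather than deleted, which leaves two authentication mechanisms side by side in the file.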
+++ b/modules/kubernetes/localai/chart_values.tpl 
@@ -0,0 +1,93 @@
+replicaCount: 1
+
+deployment:
+ image: quay.io/go-skynet/local-ai:latest
+ env:
+ threads: 4
+ context_size: 512
+ modelsPath: "/models"
+
+resources:
+ {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+# Prompt templates to include
+# Note: the keys of this map will be the names of the prompt template files
+promptTemplates:
+ {}
+ # ggml-gpt4all-j.tmpl: |
+ # The prompt below is a question to answer, a task to complete, or a conversation to respond to; decide which and write an appropriate response.
+ # ### Prompt:
+ # {{.Input}}
+ # ### Response:
+
+# Models to download at runtime
+models:
+ # Whether to force download models even if they already exist
+ forceDownload: false
+
+ # The list of URLs to download models from
+ # Note: the name of the file will be the name of the loaded model
+ list:
+ - url:
+ "https://gpt4all.io/models/ggml-gpt4all-j.bin"
+ # basicAuth: base64EncodedCredentials
+
+ # Persistent storage for models and prompt templates.
+ # PVC and HostPath are mutually exclusive. If both are enabled,
+ # PVC configuration takes precedence. If neither are enabled, ephemeral
+ # storage is used.
+ persistence:
+ pvc:
+ enabled: false
+ size: 2Gi
+ accessModes:
+ - ReadWriteOnce
+
+ annotations: {}
+
+ # Optional
+ storageClass: ~
+
+ hostPath:
+ enabled: false
+ path: "/models"
+
+service:
+ type: ClusterIP
+ port: 80
+ annotations: {}
+ # If using an AWS load balancer, you'll need to override the default 60s load balancer idle timeout
+ # service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "1200"
+
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: ai.viktorbarzin.me
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: "${tls_secret}"
+ hosts:
+ - ai.viktorbarzin.me
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/modules/kubernetes/localai/main.tf b/modules/kubernetes/localai/main.tf
index e10804d5..32f66e20 100644
--- a/modules/kubernetes/localai/main.tf
+++ b/modules/kubernetes/localai/main.tf
@@ -1,3 +1,5 @@
+variable "tls_secret_name" {}
+
 resource "helm_release" "prometheus" {
 namespace = "localai"
 create_namespace = true
@@ -6,6 +8,14 @@ resource "helm_release" "prometheus" {
 repository = "https://go-skynet.github.io/helm-charts/"
 chart = "local-ai"
 # version = "15.0.2"
+ # atomic = true
+ # cleanup_on_fail = true
- values = [templatefile("${path.module}/prometheus_chart_values.tpl", { alertmanager_mail_pass = var.alertmanager_account_password, alertmanager_slack_api_url = var.alertmanager_slack_api_url })]
+ values = [templatefile("${path.module}/chart_values.tpl", { tls_secret = var.tls_secret_name })]
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "localai"
+ tls_secret_name = var.tls_secret_name
 }
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 7bd53cc2..01f1a249 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
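Review bot: The ingress for `ai.viktorbarzin.me` is created with `annotations: {}`, so unlike every other ingress touched in this commit it gets no `auth-url`/`auth-signin` gate, and nothing in these values configures any authentication on the application itself; add the same pair under `ingress.annotations` (`nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"` and the matching `auth-signin`) before the module is enabled. The image is `quay.io/go-skynet/local-ai:latest` and the model is fetched at deploy time from `https://gpt4all.io/models/ggml-gpt4all-j.bin` with no checksum, so what ends up running is whatever those two endpoints serve on the day; pinning a tag or digest and recording the expected model hash in a comment would make the deployment reproducible. The module is still commented out in modules/kubernetes/main.tf, so none of this is live yet.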
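Review bot: The `helm_release` that the new `values = [templatefile("${path.module}/chart_values.tpl", ...)]` line belongs to is still labelled `"prometheus"` (a leftover from the monitoring module it was copied from) although it installs the `local-ai` chart; renaming it to something like `local_ai` is a state move, so use a `moved` block if your Terraform version supports it, or do it before the module is enabled. With `atomic`/`cleanup_on_fail` left commented out and a `:latest` image, a failed upgrade leaves a half-applied release behind; `atomic = true` is the cheap way to get a rollback. A short comment on `module "tls_secret"` saying it provisions the secret named by `var.tls_secret_name` into the `localai` namespace would also help the next reader.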
@@ -21,6 +21,7 @@ variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
 variable "oauth2_proxy_client_id" {}
 variable "oauth2_proxy_client_secret" {}
+variable "oauth2_proxy_authenticated_emails" {}
 variable "url_shortener_geolite_license_key" {}
 variable "url_shortener_api_key" {}
 variable "url_shortener_mysql_password" {}
@@ -167,10 +168,11 @@ module "monitoring" {
 }
 module "oauth" {
- source = "./oauth-proxy"
- tls_secret_name = var.tls_secret_name
-oauth2_proxy_client_id = var.oauth2_proxy_client_id
-oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+ source = "./oauth-proxy"
+ tls_secret_name = var.tls_secret_name
+ oauth2_proxy_client_id = var.oauth2_proxy_client_id
+ oauth2_proxy_client_secret = var.oauth2_proxy_client_secret
+ authenticated_emails = var.oauth2_proxy_authenticated_emails
 depends_on = [null_resource.core_services]
 }
@@ -315,3 +317,8 @@ module "dashy" {
 source = "./dashy"
 tls_secret_name = var.tls_secret_name
 }
+
+# module "localai" {
+# source = "./localai"
+# tls_secret_name = var.tls_secret_name
+# }
diff --git a/modules/kubernetes/monitoring/grafana_chart_values.yaml b/modules/kubernetes/monitoring/grafana_chart_values.yaml
index de631e18..01b8af07 100644
--- a/modules/kubernetes/monitoring/grafana_chart_values.yaml
+++ b/modules/kubernetes/monitoring/grafana_chart_values.yaml
@@ -1,5 +1,5 @@
 deploymentStrategy:
- type: Recreate
+ type: Recreate
 persistence:
 # storageClassName: rook-cephfs
 enabled: true
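Review bot: `module "oauth"` is the one place that creates the proxy, yet its public URL `https://oauth2.viktorbarzin.me/oauth2/...` is now hard-coded in five consumers (dbaas, technitium, url-shortener, grafana_chart_values.yaml, prometheus_chart_values.tpl); exposing the two URLs as outputs of `./oauth-proxy` (e.g. `output "auth_url"` and `output "signin_url"`) and passing them into the sibling modules lets a host or path change be made once. Passing the outputs would also give Terraform the ordering that `depends_on = [null_resource.core_services]` does not: today nothing orders the protected ingresses after the proxy, so on a fresh apply they fail their auth subrequest until the proxy is up. The commented-out `module "localai"` in the last hunk is dead code until the ingress in that module is gated like the others.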
@@ -8,9 +8,11 @@ ingress:
 enabled: "true"
 annotations:
 kubernetes.io/ingress.class: nginx
- nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+ # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
 tls:
 - secretName: "tls-secret"
 hosts:
@@ -35,7 +37,7 @@ dashboardProviders:
 # editable: "true"
 options:
 path: "/var/lib/grafana/dashboards/default"
-grafana.ini:
+grafana.ini:
 auth.anonymous:
 enabled: true
 org_role: Viewer
@@ -53,7 +55,7 @@ grafana.ini:
 plugins: "/var/lib/grafana/plugins"
 provisioning: "/etc/grafana/provisioning"
 security:
- allow_embedding: true # Allow to be iframed
+ allow_embedding: true # Allow to be iframed
 dashboards:
 default:
 node_exporter:
diff --git a/modules/kubernetes/monitoring/prometheus_chart_values.tpl b/modules/kubernetes/monitoring/prometheus_chart_values.tpl
index a5188bd7..b18cdd76 100644
--- a/modules/kubernetes/monitoring/prometheus_chart_values.tpl
+++ b/modules/kubernetes/monitoring/prometheus_chart_values.tpl
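Review bot: `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` is commented out together with the two mTLS annotations in the first hunk although it has nothing to do with the auth change, and prometheus_chart_values.tpl in this same commit keeps it; unless the controller-wide `ssl-redirect` default is being relied on (not visible here), plain-HTTP requests to grafana are no longer redirected before reaching the auth subrequest. Keep the line as `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`. Since the context lines further down still show `auth.anonymous: enabled: true` with `org_role: Viewer`, the oauth2-proxy allow-list is now the only thing between the internet and read access to every dashboard; a one-line comment above the `auth-url` annotation saying exactly that would stop someone from removing it as redundant later.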
@@ -13,9 +13,11 @@ alertmanager:
 kubernetes.io/ingress.class: nginx
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 # Enable client certificate authentication
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
 # Create the secret containing the trusted ca certificates
- nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
 tls:
 - secretName: "tls-secret"
 hosts:
@@ -70,9 +72,11 @@ server:
 kubernetes.io/ingress.class: nginx
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 # Enable client certificate authentication
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
 # Create the secret containing the trusted ca certificates
- nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
 tls:
 - secretName: "tls-secret"
 hosts:
diff --git a/modules/kubernetes/oauth-proxy/main.tf b/modules/kubernetes/oauth-proxy/main.tf
index 4fd6c1ab..c17581aa 100644
--- a/modules/kubernetes/oauth-proxy/main.tf
+++ b/modules/kubernetes/oauth-proxy/main.tf
@@ -18,6 +18,10 @@ variable "oauth2_proxy_client_secret" {
 variable "oauth2_proxy_client_id" {
 type = string
 }
+variable "authenticated_emails" {
+ type = string
+ default = ""
+}
 module "tls_secret" {
 source = "../setup_tls_secret"
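Review bot: The comments `# Enable client certificate authentication` and `# Create the secret containing the trusted ca certificates` now sit above lines that are themselves commented out, so in both the alertmanager and the server hunk they describe a mechanism the file no longer uses while the two new `auth-url`/`auth-signin` lines that actually gate access carry no explanation. Either delete the four stale lines or replace the two comments with one above the new pair, e.g. `# Authenticate through oauth2-proxy; unauthenticated requests are redirected to the sign-in URL and sent back here`. The same mix of stale comments and commented-out mTLS lines appears in grafana_chart_values.yaml.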
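Review bot: `default = ""` on `authenticated_emails` means a caller that forgets the input gets an empty `authorized_emails.txt`, and because `--email-domain=*` is removed from the deployment args in this commit oauth2-proxy then (as far as I can tell from its validator) rejects every account — fail closed, but a silent lock-out that surfaces only when someone tries to log in. Drop the default so the value is required, or keep it and add `validation { condition = length(trimspace(var.authenticated_emails)) > 0 error_message = "authenticated_emails must list at least one address" }`. A `description` stating the one-address-per-line format would save the next caller a trip to the oauth2-proxy docs.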
@@ -60,6 +64,21 @@ resource "kubernetes_config_map" "config" {
 }
 }
+resource "kubernetes_config_map" "authorized-emails" {
+ metadata {
+ name = "authorized-emails"
+ namespace = "oauth2"
+
+ annotations = {
+ "reloader.stakater.com/match" = "true"
+ }
+ }
+
+ data = {
+ "authorized_emails.txt" = var.authenticated_emails
+ }
+}
+
 resource "random_password" "cookie" {
 length = 16
 special = true
@@ -114,7 +133,7 @@ resource "kubernetes_deployment" "oauth2-proxy" {
 container {
 image = "quay.io/pusher/oauth2_proxy:latest"
 name = "oauth2-proxy"
- args = ["--provider=google", "--email-domain=*", "--upstream=file:///dev/null", "--upstream=http://localhost/redirect/", "--http-address=0.0.0.0:4180", "--cookie-domain=.viktorbarzin.me", "--footer=-"]
+ args = ["--provider=google", "--upstream=file:///dev/null", "--upstream=http://localhost/redirect/", "--http-address=0.0.0.0:4180", "--cookie-domain=.viktorbarzin.me", "--footer=-", "--authenticated-emails-file=/etc/authorized_emails/authorized_emails.txt"]
 env {
 name = "OAUTH2_PROXY_CLIENT_ID"
 value = var.oauth2_proxy_client_id
@@ -132,6 +151,10 @@ resource "kubernetes_deployment" "oauth2-proxy" {
 container_port = 4180
 protocol = "TCP"
 }
+ volume_mount {
+ name = "authorized-emails"
+ mount_path = "/etc/authorized_emails"
+ }
 }
 volume {
 name = "config"
@@ -139,6 +162,12 @@ resource "kubernetes_deployment" "oauth2-proxy" {
 name = "oauth2-proxy-nginx"
 }
 }
+ volume {
+ name = "authorized-emails"
+ config_map {
+ name = "authorized-emails"
+ }
+ }
 }
 }
 }
diff --git a/modules/kubernetes/technitium/main.tf b/modules/kubernetes/technitium/main.tf
index 0b3a0fe5..80d39840 100644
--- a/modules/kubernetes/technitium/main.tf
+++ b/modules/kubernetes/technitium/main.tf
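Review bot: The `reloader.stakater.com/match = "true"` annotation on the new ConfigMap only has an effect if a reloader controller is installed and the Deployment carries the matching search annotation, and neither is visible in this diff; if the intent is that edits to the allow-list take effect without a manual rollout, confirm that pairing or note that oauth2-proxy itself watches the file (a kubelet ConfigMap refresh is still delayed by its sync period either way). Since a change to this ConfigMap is an authorization change, a comment above the resource such as `# Allow-list for oauth2-proxy; managed by Terraform via var.authenticated_emails, do not edit in-cluster` would make ownership explicit.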
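Review bot: In the last hunk `config_map { name = "authorized-emails" }` repeats the literal name instead of referencing the resource, so Terraform does not know the Deployment depends on the ConfigMap (on a fresh apply the pod can be created first and sit in ContainerCreating until it appears) and a later rename of either side drifts silently; use `name = kubernetes_config_map.authorized-emails.metadata[0].name`. The earlier volume_mount hunk and the `--authenticated-emails-file=/etc/authorized_emails/authorized_emails.txt` argument agree on path and key, which is good — a short comment on the mount tying the three together would keep them from diverging.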
@@ -155,10 +155,12 @@ resource "kubernetes_ingress_v1" "technitium" {
 name = "technitium-ingress"
 namespace = "technitium"
 annotations = {
- "kubernetes.io/ingress.class" = "nginx"
- "nginx.ingress.kubernetes.io/affinity" = "cookie"
- "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
- "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/affinity" = "cookie"
+ # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+ # "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
+ "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+ "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
 }
 }
diff --git a/modules/kubernetes/url-shortener/main.tf b/modules/kubernetes/url-shortener/main.tf
index f5334ae3..7dc81c8c 100644
--- a/modules/kubernetes/url-shortener/main.tf
+++ b/modules/kubernetes/url-shortener/main.tf
@@ -311,9 +311,11 @@ resource "kubernetes_ingress_v1" "shlink-web" {
 name = "shlink-web-ingress"
 namespace = "url"
 annotations = {
- "kubernetes.io/ingress.class" = "nginx"
- "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
- "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
+ "kubernetes.io/ingress.class" = "nginx"
+ # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+ # "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
+ "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+ "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
 }
 }
diff --git a/terraform.tfstate b/terraform.tfstate
index 122efb0b..38d8a32d 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
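Review bot: `terraform.tfstate` (and `terraform.tfvars` in the next file) are tracked in the repository and change in this commit; the state carries every resource attribute, including `random_password.cookie` and the values behind `var.oauth2_proxy_client_secret`, and the tfvars file is where the `*_secret` and `*_password` variables declared in main.tf get their values. Both show up as `Binary files ... differ`, which suggests they are encrypted in git (git-crypt or similar) — if so, a line in the README saying which keys unlock them would help reviewers; if not, move state to a remote backend with locking and take tfvars out of version control. Either way, rotating the cookie secret and OAuth client secret after any history that exposed them is the safe assumption.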
diff --git a/terraform.tfvars b/terraform.tfvars
index 07ba63b4..8ac2e99a 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ