add oauth and add webhook handler fb token

2021-02-27 19:31:40 +00:00 · 2021-02-27 19:31:40 +00:00 · a1c2618187
commit a1c2618187
parent 0472785095
7 changed files with 254 additions and 5 deletions
--- a/main.tf
+++ b/main.tf
@ -30,6 +30,9 @@ variable "drone_github_client_id" {}
 variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
 # variable "dockerhub_password" {}
+variable "oauth_client_id" {}
+variable "oauth_client_secret" {}
+variable "webhook_handler_fb_verify_token" {}

 variable "ansible_prefix" {
  default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@ -176,11 +179,14 @@ module "kubernetes_cluster" {
  mailserver_aliases             = var.mailserver_aliases
  mailserver_opendkim_key        = var.mailserver_opendkim_key
  pihole_web_password            = var.pihole_web_password
-  webhook_handler_secret         = var.webhook_handler_secret
-  wireguard_wg_0_conf            = var.wireguard_wg_0_conf
-  wireguard_wg_0_key             = var.wireguard_wg_0_key
-  wireguard_firewall_sh          = var.wireguard_firewall_sh
-  hackmd_db_password             = var.hackmd_db_password
+
+  webhook_handler_secret          = var.webhook_handler_secret
+  webhook_handler_fb_verify_token = var.webhook_handler_fb_verify_token
+
+  wireguard_wg_0_conf   = var.wireguard_wg_0_conf
+  wireguard_wg_0_key    = var.wireguard_wg_0_key
+  wireguard_firewall_sh = var.wireguard_firewall_sh
+  hackmd_db_password    = var.hackmd_db_password

  bind_db_viktorbarzin_me  = var.bind_db_viktorbarzin_me
  bind_db_viktorbarzin_lan = var.bind_db_viktorbarzin_lan
@ -193,5 +199,8 @@ module "kubernetes_cluster" {
  drone_github_client_secret = var.drone_github_client_secret
  drone_rpc_secret           = var.drone_rpc_secret

+  # Oauth proxy
+  oauth_client_id     = var.oauth_client_id
+  oauth_client_secret = var.oauth_client_secret
  # depends_on = [module.k8s_master, module.k8s_node1, module.k8s_node2] # wait until master and at least 2 nodes are up
 }
--- a/modules/kubernetes/k8s-dashboard/main.tf
+++ b/modules/kubernetes/k8s-dashboard/main.tf
@ -51,6 +51,9 @@ resource "kubernetes_ingress" "kubernetes-dashboard" {
      "nginx.ingress.kubernetes.io/force-ssl-redirect"     = "true"
      "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
      "nginx.ingress.kubernetes.io/auth-tls-secret"        = var.client_certificate_secret_name
+
+      # "nginx.ingress.kubernetes.io/auth-url"    = "https://$host/oauth2/auth"
+      # "nginx.ingress.kubernetes.io/auth-signin" = "https://$host/oauth2/start?rd=$escaped_request_uri"
    }
  }

@ -92,3 +95,35 @@ resource "kubernetes_cluster_role_binding" "kubernetes-dashboard" {
  }
  depends_on = [module.dashboard]
 }
+
+# resource "kubernetes_ingress" "oauth" {
+#   metadata {
+#     name      = "kubernetes-dashboard"
+#     namespace = "oauth"
+#     annotations = {
+#       "kubernetes.io/ingress.class"                    = "nginx"
+#       "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
+
+#     }
+#   }
+
+#   spec {
+#     tls {
+#       hosts       = ["k8s.viktorbarzin.me"]
+#       secret_name = var.tls_secret_name
+#     }
+#     rule {
+#       host = "k8s.viktorbarzin.me"
+#       http {
+#         path {
+#           path = "/oauth2"
+#           backend {
+#             service_name = "oauth-proxy"
+#             service_port = "80"
+#           }
+#         }
+#       }
+#     }
+#   }
+#   depends_on = [module.dashboard]
+# }
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -17,6 +17,9 @@ variable "drone_github_client_id" {}
 variable "drone_github_client_secret" {}
 variable "drone_rpc_secret" {}
 # variable "dockerhub_password" {}
+variable "oauth_client_id" {}
+variable "oauth_client_secret" {}
+variable "webhook_handler_fb_verify_token" {}

 resource "null_resource" "core_services" {
  # List all the core modules that must be provisioned first
@ -113,6 +116,15 @@ module "monitoring" {
  depends_on = [null_resource.core_services]
 }

+module "oauth" {
+  source          = "./oauth-proxy"
+  tls_secret_name = var.tls_secret_name
+  client_id       = var.oauth_client_id
+  client_secret   = var.oauth_client_secret
+
+  depends_on = [null_resource.core_services]
+}
+
 module "openid_help_page" {
  source          = "./openid_help_page"
  tls_secret_name = var.tls_secret_name
@ -145,6 +157,7 @@ module "webhook_handler" {
  source          = "./webhook_handler"
  tls_secret_name = var.tls_secret_name
  webhook_secret  = var.webhook_handler_secret
+  fb_verify_token = var.webhook_handler_fb_verify_token

  depends_on = [null_resource.core_services]
 }
--- a/modules/kubernetes/oauth-proxy/main.tf
+++ b/modules/kubernetes/oauth-proxy/main.tf
@ -0,0 +1,187 @@
+variable "tls_secret_name" {}
+variable "client_id" {}
+variable "client_secret" {}
+
+resource "kubernetes_namespace" "oauth" {
+  metadata {
+    name = "oauth"
+  }
+}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "oauth"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "random_password" "cookie" {
+  length           = 16
+  special          = true
+  override_special = "_%@"
+}
+
+resource "kubernetes_deployment" "oauth_proxy" {
+  metadata {
+    name      = "oauth-proxy"
+    namespace = "oauth"
+    labels = {
+      run = "oauth-proxy"
+    }
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        run = "oauth-proxy"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          run = "oauth-proxy"
+        }
+      }
+      spec {
+        container {
+          image             = "quay.io/oauth2-proxy/oauth2-proxy:latest"
+          args              = ["--provider=github", "--email-domain=*", "upstream=file:///dev/null", "--http-address=0.0.0.0:4180"]
+          name              = "oauth-proxy"
+          image_pull_policy = "IfNotPresent"
+          resources {
+            limits = {
+              cpu    = "0.5"
+              memory = "512Mi"
+            }
+            requests = {
+              cpu    = "250m"
+              memory = "50Mi"
+            }
+          }
+          port {
+            container_port = 4180
+          }
+          env {
+            name  = "OAUTH2_PROXY_CLIENT_ID"
+            value = var.client_id
+          }
+          env {
+            name  = "OAUTH2_PROXY_CLIENT_SECRET"
+            value = var.client_secret
+          }
+          env {
+            name  = "OAUTH2_PROXY_COOKIE_SECRET"
+            value = random_password.cookie.result
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "oauth_proxy" {
+  metadata {
+    name      = "oauth-proxy"
+    namespace = "oauth"
+    labels = {
+      run = "oauth-proxy"
+    }
+  }
+
+  spec {
+    selector = {
+      run = "oauth-proxy"
+    }
+    port {
+      name        = "http"
+      port        = "80"
+      target_port = "4180"
+    }
+  }
+}
+
+resource "kubernetes_ingress" "oauth" {
+  metadata {
+    name      = "oauth-ingress"
+    namespace = "oauth"
+    annotations = {
+      "kubernetes.io/ingress.class" = "nginx"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["oauth.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "oauth.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service_name = "oauth-proxy"
+            service_port = "80"
+          }
+        }
+      }
+    }
+  }
+}
+
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   labels:
+#     k8s-app: oauth2-proxy
+#   name: oauth2-proxy
+#   namespace: kube-system
+# spec:
+#   replicas: 1
+#   selector:
+#     matchLabels:
+#       k8s-app: oauth2-proxy
+#   template:
+#     metadata:
+#       labels:
+#         k8s-app: oauth2-proxy
+#     spec:
+#       containers:
+#       - args:
+#         - --provider=github
+#         - --email-domain=*
+#         - --upstream=file:///dev/null
+#         - --http-address=0.0.0.0:4180
+#         # Register a new application
+#         # https://github.com/settings/applications/new
+#         env:
+#         - name: OAUTH2_PROXY_CLIENT_ID
+#           value: <Client ID>
+#         - name: OAUTH2_PROXY_CLIENT_SECRET
+#           value: <Client Secret>
+#         # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
+#         - name: OAUTH2_PROXY_COOKIE_SECRET
+#           value: SECRET
+#         image: quay.io/oauth2-proxy/oauth2-proxy:latest
+#         imagePullPolicy: Always
+#         name: oauth2-proxy
+#         ports:
+#         - containerPort: 4180
+#           protocol: TCP
+
+# ---
+
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   labels:
+#     k8s-app: oauth2-proxy
+#   name: oauth2-proxy
+#   namespace: kube-system
+# spec:
+#   ports:
+#   - name: http
+#     port: 4180
+#     protocol: TCP
+#     targetPort: 4180
+#   selector:
+#     k8s-app: oauth2-proxy
--- a/modules/kubernetes/webhook_handler/main.tf
+++ b/modules/kubernetes/webhook_handler/main.tf
@ -1,6 +1,7 @@

 variable "tls_secret_name" {}
 variable "webhook_secret" {}
+variable "fb_verify_token" {}

 resource "kubernetes_namespace" "webhook-handler" {
  metadata {
@ -86,6 +87,10 @@ resource "kubernetes_deployment" "webhook_handler" {
            name  = "WEBHOOKSECRET"
            value = var.webhook_secret
          }
+          env {
+            name  = "FBVerifyToken"
+            value = var.fb_verify_token
+          }
        }
      }
    }
--- a/terraform.tfstate
+++ b/terraform.tfstate
--- a/terraform.tfvars
+++ b/terraform.tfvars