diff --git a/main.tf b/main.tf index 2b6b185d..b376bfdb 100644 --- a/main.tf +++ b/main.tf @@ -30,6 +30,9 @@ variable "drone_github_client_id" {} variable "drone_github_client_secret" {} variable "drone_rpc_secret" {} # variable "dockerhub_password" {} +variable "oauth_client_id" {} +variable "oauth_client_secret" {} +variable "webhook_handler_fb_verify_token" {} variable "ansible_prefix" { default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup" @@ -176,11 +179,14 @@ module "kubernetes_cluster" { mailserver_aliases = var.mailserver_aliases mailserver_opendkim_key = var.mailserver_opendkim_key pihole_web_password = var.pihole_web_password - webhook_handler_secret = var.webhook_handler_secret - wireguard_wg_0_conf = var.wireguard_wg_0_conf - wireguard_wg_0_key = var.wireguard_wg_0_key - wireguard_firewall_sh = var.wireguard_firewall_sh - hackmd_db_password = var.hackmd_db_password + + webhook_handler_secret = var.webhook_handler_secret + webhook_handler_fb_verify_token = var.webhook_handler_fb_verify_token + + wireguard_wg_0_conf = var.wireguard_wg_0_conf + wireguard_wg_0_key = var.wireguard_wg_0_key + wireguard_firewall_sh = var.wireguard_firewall_sh + hackmd_db_password = var.hackmd_db_password bind_db_viktorbarzin_me = var.bind_db_viktorbarzin_me bind_db_viktorbarzin_lan = var.bind_db_viktorbarzin_lan @@ -193,5 +199,8 @@ module "kubernetes_cluster" { drone_github_client_secret = var.drone_github_client_secret drone_rpc_secret = var.drone_rpc_secret + # Oauth proxy + oauth_client_id = var.oauth_client_id + oauth_client_secret = var.oauth_client_secret # depends_on = [module.k8s_master, module.k8s_node1, module.k8s_node2] # wait until master and at least 2 nodes are up } diff --git a/modules/kubernetes/k8s-dashboard/main.tf b/modules/kubernetes/k8s-dashboard/main.tf index d7be1d38..37a2c4fd 100644 --- a/modules/kubernetes/k8s-dashboard/main.tf 
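Review bot: The new `variable "oauth_client_secret" {}` and `variable "webhook_handler_fb_verify_token" {}` in the first hunk hold secret values but are declared exactly like the non-secret variables, so their values appear in `terraform plan`/`apply` output and in any CI log that captures it. If the Terraform version in use is 0.14 or newer, mark them `sensitive = true`, e.g. `variable "oauth_client_secret" { sensitive = true }`. The same applies to the matching declarations in the `modules/kubernetes/main.tf` and `modules/kubernetes/webhook_handler/main.tf` hunks and to `client_secret` in the new `modules/kubernetes/oauth-proxy/main.tf`. The existing `drone_github_client_secret` and `drone_rpc_secret` have the same gap, but they are not touched by this change.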
+++ b/modules/kubernetes/k8s-dashboard/main.tf @@ -51,6 +51,9 @@ resource "kubernetes_ingress" "kubernetes-dashboard" { "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on" "nginx.ingress.kubernetes.io/auth-tls-secret" = var.client_certificate_secret_name + + # "nginx.ingress.kubernetes.io/auth-url" = "https://$host/oauth2/auth" + # "nginx.ingress.kubernetes.io/auth-signin" = "https://$host/oauth2/start?rd=$escaped_request_uri" } } @@ -92,3 +95,35 @@ resource "kubernetes_cluster_role_binding" "kubernetes-dashboard" { } depends_on = [module.dashboard] } + +# resource "kubernetes_ingress" "oauth" { +# metadata { +# name = "kubernetes-dashboard" +# namespace = "oauth" +# annotations = { +# "kubernetes.io/ingress.class" = "nginx" +# "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true" + +# } +# } + +# spec { +# tls { +# hosts = ["k8s.viktorbarzin.me"] +# secret_name = var.tls_secret_name +# } +# rule { +# host = "k8s.viktorbarzin.me" +# http { +# path { +# path = "/oauth2" +# backend { +# service_name = "oauth-proxy" +# service_port = "80" +# } +# } +# } +# } +# } +# depends_on = [module.dashboard] +# } diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index b4062947..104665a4 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -17,6 +17,9 @@ variable "drone_github_client_id" {} variable "drone_github_client_secret" {} variable "drone_rpc_secret" {} # variable "dockerhub_password" {} +variable "oauth_client_id" {} +variable "oauth_client_secret" {} +variable "webhook_handler_fb_verify_token" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first 
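Review bot: The `auth-url`/`auth-signin` annotations in the first hunk and the whole `kubernetes_ingress "oauth"` resource in the second hunk of this file are added commented out, so the dashboard is not wired to the new proxy and the dead blocks will drift from the live module. If they are meant to be enabled later, note that `https://$host/oauth2/auth` resolves on the dashboard host, while the new module only exposes the proxy at `oauth.viktorbarzin.me/`; either the commented `/oauth2` path on `k8s.viktorbarzin.me` has to come back together with the annotations, or the annotations must point at the proxy host. A single `# TODO: oauth2-proxy integration pending, see modules/kubernetes/oauth-proxy` in place of the commented code would say the same thing without the stale copy, and the ingress meanwhile keeps relying on `auth-tls-verify-client = "on"` for access control.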
@@ -113,6 +116,15 @@ module "monitoring" { depends_on = [null_resource.core_services] } +module "oauth" { + source = "./oauth-proxy" + tls_secret_name = var.tls_secret_name + client_id = var.oauth_client_id + client_secret = var.oauth_client_secret + + depends_on = [null_resource.core_services] +} + module "openid_help_page" { source = "./openid_help_page" tls_secret_name = var.tls_secret_name @@ -145,6 +157,7 @@ module "webhook_handler" { source = "./webhook_handler" tls_secret_name = var.tls_secret_name webhook_secret = var.webhook_handler_secret + fb_verify_token = var.webhook_handler_fb_verify_token depends_on = [null_resource.core_services] } diff --git a/modules/kubernetes/oauth-proxy/main.tf b/modules/kubernetes/oauth-proxy/main.tf new file mode 100644 index 00000000..fc3145f6 --- /dev/null +++ b/modules/kubernetes/oauth-proxy/main.tf 
@@ -0,0 +1,187 @@ +variable "tls_secret_name" {} +variable "client_id" {} +variable "client_secret" {} + +resource "kubernetes_namespace" "oauth" { + metadata { + name = "oauth" + } +} + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = "oauth" + tls_secret_name = var.tls_secret_name +} + +resource "random_password" "cookie" { + length = 16 + special = true + override_special = "_%@" +} + +resource "kubernetes_deployment" "oauth_proxy" { + metadata { + name = "oauth-proxy" + namespace = "oauth" + labels = { + run = "oauth-proxy" + } + } + spec { + replicas = 1 + selector { + match_labels = { + run = "oauth-proxy" + } + } + template { + metadata { + labels = { + run = "oauth-proxy" + } + } + spec { + container { + image = "quay.io/oauth2-proxy/oauth2-proxy:latest" + args = ["--provider=github", "--email-domain=*", "upstream=file:///dev/null", "--http-address=0.0.0.0:4180"] + name = "oauth-proxy" + image_pull_policy = "IfNotPresent" + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + port { + container_port = 4180 + } + env { + name = "OAUTH2_PROXY_CLIENT_ID" + value = var.client_id + } + env { + name = "OAUTH2_PROXY_CLIENT_SECRET" + value = var.client_secret + } + env { + name = "OAUTH2_PROXY_COOKIE_SECRET" + value = random_password.cookie.result + } + } + } + } + } +} + +resource "kubernetes_service" "oauth_proxy" { + metadata { + name = "oauth-proxy" + namespace = "oauth" + labels = { + run = "oauth-proxy" + } + } + + spec { + selector = { + run = "oauth-proxy" + } + port { + name = "http" + port = "80" + target_port = "4180" + } + } +} + +resource "kubernetes_ingress" "oauth" { + metadata { + name = "oauth-ingress" + namespace = "oauth" + annotations = { + "kubernetes.io/ingress.class" = "nginx" + } + } + + spec { + tls { + hosts = ["oauth.viktorbarzin.me"] + secret_name = var.tls_secret_name + } + rule { + host = "oauth.viktorbarzin.me" + http { + path { + path = "/" + 
backend { + service_name = "oauth-proxy" + service_port = "80" + } + } + } + } + } +} + +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# labels: +# k8s-app: oauth2-proxy +# name: oauth2-proxy +# namespace: kube-system +# spec: +# replicas: 1 +# selector: +# matchLabels: +# k8s-app: oauth2-proxy +# template: +# metadata: +# labels: +# k8s-app: oauth2-proxy +# spec: +# containers: +# - args: +# - --provider=github +# - --email-domain=* +# - --upstream=file:///dev/null +# - --http-address=0.0.0.0:4180 +# # Register a new application +# # https://github.com/settings/applications/new +# env: +# - name: OAUTH2_PROXY_CLIENT_ID +# value: +# - name: OAUTH2_PROXY_CLIENT_SECRET +# value: +# # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));' +# - name: OAUTH2_PROXY_COOKIE_SECRET +# value: SECRET +# image: quay.io/oauth2-proxy/oauth2-proxy:latest +# imagePullPolicy: Always +# name: oauth2-proxy +# ports: +# - containerPort: 4180 +# protocol: TCP + +# --- + +# apiVersion: v1 +# kind: Service +# metadata: +# labels: +# k8s-app: oauth2-proxy +# name: oauth2-proxy +# namespace: kube-system +# spec: +# ports: +# - name: http +# port: 4180 +# protocol: TCP +# targetPort: 4180 +# selector: +# k8s-app: oauth2-proxy diff --git a/modules/kubernetes/webhook_handler/main.tf b/modules/kubernetes/webhook_handler/main.tf index 24b5163a..d26fbbf8 100644 --- a/modules/kubernetes/webhook_handler/main.tf +++ b/modules/kubernetes/webhook_handler/main.tf @@ -1,6 +1,7 @@ variable "tls_secret_name" {} variable "webhook_secret" {} +variable "fb_verify_token" {} resource "kubernetes_namespace" "webhook-handler" { metadata { @@ -86,6 +87,10 @@ resource "kubernetes_deployment" "webhook_handler" { name = "WEBHOOKSECRET" value = var.webhook_secret } + env { + name = "FBVerifyToken" + value = var.fb_verify_token + } } } } 
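Review bot: In the container `args` of `kubernetes_deployment "oauth_proxy"`, `"upstream=file:///dev/null"` is missing its `--` prefix (the YAML kept in comments at the bottom of the file has `--upstream=file:///dev/null`), so the proxy gets no upstream setting and, depending on the image version pulled, may refuse to start; the line should read `args = ["--provider=github", "--email-domain=*", "--upstream=file:///dev/null", "--http-address=0.0.0.0:4180"]`. With `--provider=github` and `--email-domain=*` and no `--github-org`, `--github-team` or `--github-user` restriction, any GitHub account is accepted as authenticated, so anything later placed behind this proxy is effectively public; restrict it to the intended accounts. The client secret and `random_password.cookie.result` are injected as plain `value` env entries, which makes them readable by anyone who can read the Deployment object; a `kubernetes_secret` referenced through `value_from { secret_key_ref { ... } }` keeps them out of the pod spec. `quay.io/oauth2-proxy/oauth2-proxy:latest` combined with `image_pull_policy = "IfNotPresent"` is unpinned, so nodes can end up on different versions and a re-apply never picks up a new image; pin a tag or digest. The `oauth-ingress` also lacks the `nginx.ingress.kubernetes.io/force-ssl-redirect = "true"` annotation the dashboard ingress carries, so the login flow is reachable over plain HTTP.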
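Review bot: The new `env { name = "FBVerifyToken" ... }` in the second hunk puts the verify token into the pod spec as a plain `value`, just like the existing `WEBHOOKSECRET` entry above it, so both are visible to anyone who can read the Deployment; sourcing them from a `kubernetes_secret` via `value_from { secret_key_ref { ... } }` would keep them out of the object. The name `FBVerifyToken` also breaks with the upper-case convention of `WEBHOOKSECRET`; unless the application reads exactly this spelling, `FB_VERIFY_TOKEN` would be consistent. The enclosing `kubernetes_deployment "webhook_handler"` resource starts outside the hunk.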
diff --git a/terraform.tfstate b/terraform.tfstate
index 637e0d4b..12592536 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index 5635ada3..290b05ae 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
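Review bot: `terraform.tfstate` and `terraform.tfvars` are tracked in the repository and change in this commit, which means the values this change introduces (the OAuth client secret, the `fb_verify_token`, and the generated `random_password.cookie` result, which Terraform records in state) land in the repository in plaintext and stay in its history. Moving state to a remote backend with access control and encryption, adding `terraform.tfvars` and `*.tfstate*` to `.gitignore`, and rotating the secrets already committed would close this. That git reports them as "Binary files ... differ" also means the changes cannot be reviewed here at all.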