* move httpbin and hello-world charts outside.

* expose kind to 443 port
* make helm optional
* rename folder to kubernetes
This commit is contained in:
Evgeni Gordeev 2020-06-16 16:39:11 -05:00
parent 9a495e996b
commit 11c033e2c8
25 changed files with 660 additions and 636 deletions

View File

@ -55,7 +55,7 @@
## Changes since v5.1.1
- [#615](https://github.com/oauth2-proxy/oauth2-proxy/pull/615) Helm Example based on Kind cluster and Nginx ingress (@EvgeniGordeev)
- [#615](https://github.com/oauth2-proxy/oauth2-proxy/pull/615) Kubernetes example based on Kind cluster and Nginx ingress (@EvgeniGordeev)
- [#604](https://github.com/oauth2-proxy/oauth2-proxy/pull/604) Add Keycloak local testing environment (@EvgeniGordeev)
- [#539](https://github.com/oauth2-proxy/oauth2-proxy/pull/539) Refactor encryption ciphers and add AES-GCM support (@NickMeves)
- [#601](https://github.com/oauth2-proxy/oauth2-proxy/pull/601) Ensure decrypted user/email are valid UTF8 (@JoelSpeed)

View File

@ -1,15 +0,0 @@
dependencies:
- name: dex
repository: https://kubernetes-charts.storage.googleapis.com
version: 2.11.0
- name: oauth2-proxy
repository: https://kubernetes-charts.storage.googleapis.com
version: 3.1.0
- name: httpbin
repository: file://./httpbin
version: 0.6.1
- name: hello-world
repository: file://./hello-world
version: 0.0.1
digest: sha256:b5fe4db7a523b28321708a12ae0d2608ea32836b322ae7941c820b626a180af2
generated: "2020-06-12T13:10:21.718689-05:00"

View File

@ -1,23 +0,0 @@
apiVersion: v2
name: hello-world
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.0.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 0.0.1

View File

@ -1,63 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "helloWorld.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "helloWorld.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "helloWorld.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "helloWorld.labels" -}}
helm.sh/chart: {{ include "helloWorld.chart" . }}
{{ include "helloWorld.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "helloWorld.selectorLabels" -}}
app.kubernetes.io/name: {{ include "helloWorld.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "helloWorld.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "helloWorld.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

View File

@ -1,61 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "helloWorld.fullname" . }}
labels:
{{- include "helloWorld.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "helloWorld.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "helloWorld.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "helloWorld.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

View File

@ -1,41 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "helloWorld.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "helloWorld.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "helloWorld.fullname" . }}
labels:
{{- include "helloWorld.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "helloWorld.selectorLabels" . | nindent 4 }}

View File

@ -1,12 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "helloWorld.serviceAccountName" . }}
labels:
{{- include "helloWorld.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -1,79 +0,0 @@
# Default values for helloWorld.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: tutum/hello-world
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart version.
tag: latest
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}

View File

@ -1,23 +0,0 @@
apiVersion: v2
name: httpbin
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.6.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 0.6.1

View File

@ -1,63 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "httpbin.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "httpbin.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "httpbin.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "httpbin.labels" -}}
helm.sh/chart: {{ include "httpbin.chart" . }}
{{ include "httpbin.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "httpbin.selectorLabels" -}}
app.kubernetes.io/name: {{ include "httpbin.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "httpbin.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "httpbin.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

View File

@ -1,61 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "httpbin.fullname" . }}
labels:
{{- include "httpbin.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "httpbin.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "httpbin.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "httpbin.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

View File

@ -1,41 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "httpbin.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "httpbin.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "httpbin.fullname" . }}
labels:
{{- include "httpbin.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "httpbin.selectorLabels" . | nindent 4 }}

View File

@ -1,12 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "httpbin.serviceAccountName" . }}
labels:
{{- include "httpbin.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -1,79 +0,0 @@
# Default values for httpbin.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: kennethreitz/httpbin
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart version.
tag: latest
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}

View File

View File

@ -1,6 +1,6 @@
apiVersion: v2
description: K8S example based on https://kind.sigs.k8s.io and https://helm.sh.
name: helm
description: K8S example based on https://kind.sigs.k8s.io
name: kubernetes
version: 5.1.1
appVersion: 5.1.1
dependencies:
@ -10,10 +10,10 @@ dependencies:
- name: oauth2-proxy
version: 3.1.0
repository: https://kubernetes-charts.storage.googleapis.com
# https://github.com/postmanlabs/httpbin/issues/549 is still in progress, for now creating our own chart
# https://github.com/postmanlabs/httpbin/issues/549 is still in progress, for now using a non-official chart
- name: httpbin
version: 0.6.1
repository: file://./httpbin
version: 1.0.0
repository: https://conservis.github.io/helm-charts
- name: hello-world
version: 0.0.1
repository: file://./hello-world
version: 1.0.0
repository: https://conservis.github.io/helm-charts

View File

@ -1,3 +1,8 @@
all:
@echo "Usage:"
@echo " make create-cluster"
@echo " make deploy"
# create kind cluster with nginx-ingress as the most popular ingress controller for K8S
.PHONY: deploy
create-cluster:
@ -8,11 +13,9 @@ create-cluster:
.PHONY: setup-ingress
setup-ingress:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/kind/deploy.yaml
sleep 5 # because of https://github.com/kubernetes/kubernetes/issues/83242
kubectl --namespace ingress-nginx wait --for=condition=available --timeout=30s deployment/ingress-nginx-controller
kubectl --namespace ingress-nginx rollout status --timeout 90s deployment/ingress-nginx-controller
kubectl --namespace ingress-nginx rollout status --timeout 5m deployment/ingress-nginx-controller
# default Pod CIDR is 10.244.0.0/16 https://github.com/kubernetes-sigs/kind/blob/master/pkg/apis/config/v1alpha4/default.go
# default Pod CIDR is 10.244.0.0/16 https://github.com/kubernetes-sigs/kind/blob/a6e8108025bc7a9440beedb8ef7714aec84fe87e/pkg/apis/config/v1alpha4/default.go#L52
# what makes cluster host IP equal to 10.244.0.1
# thus we add dex.localtest.me and oauth2-proxy.localtest.me stub hosts pointing to this IP
# NOT NEEDED IN REAL LIFE!
@ -20,25 +23,44 @@ setup-ingress:
setup-dns:
kubectl apply -f custom-dns.yaml
kubectl -n kube-system rollout restart deployment/coredns
kubectl -n kube-system rollout status --timeout 60s deployment/coredns
kubectl -n kube-system rollout status --timeout 5m deployment/coredns
.PHONY: undeploy
.PHONY: delete-cluster
delete-cluster:
kind delete cluster --name oauth2-proxy
.PHONY: helm-init
helm-init:
helm dep update
.PHONY: undeploy
deploy: helm-init
helm upgrade --wait --debug --install --render-subchart-notes oauth2-proxy-example .
.PHONY: deploy
deploy:
kubectl apply -f oauth2-proxy-example-full.yaml
kubectl rollout status --timeout 5m deployment/oauth2-proxy-example-oauth2-proxy-sample
kubectl rollout status --timeout 1m deployment/oauth2-proxy-example-httpbin
kubectl rollout status --timeout 1m deployment/oauth2-proxy-example-hello-world
.PHONY: undeploy
undeploy:
helm del oauth2-proxy-example
kubectl delete -f oauth2-proxy-example-full.yaml
######################
###### HELM CMDs #####
######################
.PHONY: helm-init
helm-init:
helm dep update
# unpacking is useful to be able to explore underlying helm charts
.PHONY: helm-unpack
helm-unpack:
cd charts; for f in *.tgz; do tar -zxf "$$f"; done
.PHONY: helm-deploy
helm-deploy: helm-init
helm upgrade --wait --debug --install --render-subchart-notes oauth2-proxy-example .
.PHONY: helm-undeploy
helm-undeploy:
helm del oauth2-proxy-example
# creates K8S manifest from helm chart
.PHONY: helm-create-manifest
helm-create-manifest:
helm template --namespace default oauth2-proxy-example . > oauth2-proxy-example-full.yaml

View File

@ -1,6 +1,5 @@
# Kubernetes example
Based on [kind](https://kind.sigs.k8s.io) as a local Kubernetes cluster and the package manager [helm](https://helm.sh).
Based on [kind](https://kind.sigs.k8s.io) as a local Kubernetes cluster.
## Quick start
@ -8,16 +7,18 @@ Before you start:
_Required_
* install [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
* install [helm 3](https://helm.sh/docs/intro/quickstart/#install-helm).
* install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
_Optional_
* install [helm 3](https://helm.sh/docs/intro/quickstart/#install-helm).
Then:
* `make create-cluster`
* `make deploy`
* `make deploy` OR `make helm-deploy` for helm
Visit http://httpbin.localtest.me or http://hello-world.localtest.me/
## Uninstall
* `make delete-cluster`
* `make delete-cluster` OR `make helm-undeploy` for helm

View File

@ -12,3 +12,6 @@ nodes:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP

View File

@ -0,0 +1,605 @@
---
# Source: kubernetes/charts/dex/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
name: oauth2-proxy-example-dex
---
# Source: kubernetes/charts/hello-world/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: oauth2-proxy-example-hello-world
labels:
helm.sh/chart: hello-world-1.0.0
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/managed-by: Helm
---
# Source: kubernetes/charts/httpbin/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: oauth2-proxy-example-httpbin
labels:
helm.sh/chart: httpbin-1.0.0
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "latest"
app.kubernetes.io/managed-by: Helm
---
# Source: kubernetes/charts/oauth2-proxy/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: oauth2-proxy-sample
chart: oauth2-proxy-3.1.0
release: oauth2-proxy-example
heritage: Helm
name: oauth2-proxy-example-oauth2-proxy-sample
---
# Source: kubernetes/charts/dex/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
name: oauth2-proxy-example-dex
stringData:
config.yaml: |-
issuer: http://dex.localtest.me
storage:
config:
inCluster: true
type: kubernetes
logger:
level: debug
web:
http: 0.0.0.0:5556
oauth2:
alwaysShowLoginScreen: false
skipApprovalScreen: true
staticClients:
- id: oauth2-proxy
name: OAuth2 Proxy
redirectURIs:
- http://oauth2-proxy.localtest.me/oauth2/callback
secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
enablePasswordDB: true
staticPasswords:
- email: admin@example.com
hash: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W
userID: 08a8684b-db88-4b73-90a9-3cd1661f5466
username: admin
expiry:
idTokens: 1h
signingKeys: 4h
---
# Source: kubernetes/charts/oauth2-proxy/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: oauth2-proxy-sample
chart: oauth2-proxy-3.1.0
heritage: Helm
release: oauth2-proxy-example
name: oauth2-proxy-example-oauth2-proxy-sample
data:
oauth2_proxy.cfg: "cookie_secret=\"OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w=\"\ncookie_domain=\".localtest.me\"\nwhitelist_domains=[\".localtest.me\"]\n# only users with this domain will be let in\nemail_domains=[\"example.com\"]\n\nclient_id=\"oauth2-proxy\"\nclient_secret=\"b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK\"\ncookie_secure=\"false\"\n\nredirect_url=\"http://oauth2-proxy.localtest.me/oauth2/callback\"\n\n# we don't want to proxy anything so pick a non-existent directory\nupstreams = [ \"file:///dev/null\" ]\n\n# return authenticated user to nginx\nset_xauthrequest = true\n# using http://dex.localtest.me/.well-known/openid-configuration oauth2-proxy will populate\n# login_url, redeem_url, and oidc_jwks_url\nprovider=\"oidc\"\noidc_issuer_url=\"http://dex.localtest.me\""
---
# Source: kubernetes/charts/dex/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
name: oauth2-proxy-example-dex
rules:
- apiGroups: ["dex.coreos.com"] # API group created by dex
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions
---
# Source: kubernetes/charts/dex/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
name: oauth2-proxy-example-dex
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: oauth2-proxy-example-dex
subjects:
- kind: ServiceAccount
name: oauth2-proxy-example-dex
namespace: default
---
# Source: kubernetes/charts/dex/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-example-dex
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
sessionAffinity: None
ports:
- name: http
targetPort: http
port: 32000
selector:
app.kubernetes.io/name: dex
app.kubernetes.io/instance: oauth2-proxy-example
---
# Source: kubernetes/charts/hello-world/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-example-hello-world
labels:
helm.sh/chart: hello-world-1.0.0
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 9080
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
---
# Source: kubernetes/charts/httpbin/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-example-httpbin
labels:
helm.sh/chart: httpbin-1.0.0
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "latest"
app.kubernetes.io/managed-by: Helm
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
---
# Source: kubernetes/charts/oauth2-proxy/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: oauth2-proxy-sample
chart: oauth2-proxy-3.1.0
release: oauth2-proxy-example
heritage: Helm
name: oauth2-proxy-example-oauth2-proxy-sample
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app: oauth2-proxy-sample
release: oauth2-proxy-example
---
# Source: kubernetes/charts/dex/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-example-dex
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: dex
spec:
replicas: 1
strategy:
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: dex
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/component: dex
template:
metadata:
labels:
app.kubernetes.io/name: dex
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/component: dex
annotations:
checksum/config: 185f32cfabdf4f7467868dc301d4bd33e68951e12eddeb69f23ebc1d0f91ba28
spec:
serviceAccountName: oauth2-proxy-example-dex
nodeSelector:
{}
containers:
- name: main
image: "quay.io/dexidp/dex:v2.23.0"
imagePullPolicy: IfNotPresent
command:
- /usr/local/bin/dex
- serve
- /etc/dex/cfg/config.yaml
resources:
null
ports:
- name: http
containerPort: 5556
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 1
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 1
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 1
env:
[]
volumeMounts:
- mountPath: /etc/dex/cfg
name: config
volumes:
- secret:
defaultMode: 420
items:
- key: config.yaml
path: config.yaml
secretName: oauth2-proxy-example-dex
name: config
---
# Source: kubernetes/charts/hello-world/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-example-hello-world
labels:
helm.sh/chart: hello-world-1.0.0
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
template:
metadata:
labels:
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
spec:
serviceAccountName: oauth2-proxy-example-hello-world
securityContext:
{}
containers:
- name: hello-world
securityContext:
{}
image: "conservis/hello-world:1.0.0"
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 9080
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{}
---
# Source: kubernetes/charts/httpbin/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-example-httpbin
labels:
helm.sh/chart: httpbin-1.0.0
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "latest"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
template:
metadata:
labels:
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
spec:
serviceAccountName: oauth2-proxy-example-httpbin
securityContext:
{}
containers:
- name: httpbin
securityContext:
{}
image: "kennethreitz/httpbin:latest"
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{}
---
# Source: kubernetes/charts/oauth2-proxy/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: oauth2-proxy-sample
chart: oauth2-proxy-3.1.0
heritage: Helm
release: oauth2-proxy-example
name: oauth2-proxy-example-oauth2-proxy-sample
spec:
replicas: 1
selector:
matchLabels:
app: oauth2-proxy-sample
release: oauth2-proxy-example
template:
metadata:
annotations:
checksum/config: 5d8892a7b1d9eb03f9d59b787ce339b374fa2be51991e4e7533cb0a541984fac
checksum/config-emails: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
checksum/secret: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/google-secret: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
labels:
app: oauth2-proxy-sample
release: "oauth2-proxy-example"
spec:
serviceAccountName: oauth2-proxy-example-oauth2-proxy-sample
containers:
- name: oauth2-proxy
image: "quay.io/pusher/oauth2_proxy:v5.1.0"
imagePullPolicy: IfNotPresent
args:
- --http-address=0.0.0.0:4180
- --config=/etc/oauth2_proxy/oauth2_proxy.cfg
ports:
- containerPort: 4180
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: http
scheme: HTTP
initialDelaySeconds: 0
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /ping
port: http
scheme: HTTP
initialDelaySeconds: 0
timeoutSeconds: 1
successThreshold: 1
periodSeconds: 10
resources:
{}
volumeMounts:
- mountPath: /etc/oauth2_proxy
name: configmain
volumes:
- configMap:
defaultMode: 420
name: oauth2-proxy-example-oauth2-proxy-sample
name: configmain
tolerations:
[]
---
# Source: kubernetes/charts/dex/templates/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy-example-dex
labels:
app.kubernetes.io/name: dex
helm.sh/chart: dex-2.11.0
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "2.23.0"
app.kubernetes.io/managed-by: Helm
spec:
rules:
- host: "dex.localtest.me"
http:
paths:
- path: /
backend:
serviceName: oauth2-proxy-example-dex
servicePort: 32000
---
# Source: kubernetes/charts/hello-world/templates/ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy-example-hello-world
labels:
helm.sh/chart: hello-world-1.0.0
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email
nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy-example-oauth2-proxy-sample.default.svc.cluster.local/oauth2/auth
spec:
rules:
- host: hello-world.localtest.me
http:
paths:
- path: /
backend:
serviceName: oauth2-proxy-example-hello-world
servicePort: 9080
---
# Source: kubernetes/charts/httpbin/templates/ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy-example-httpbin
labels:
helm.sh/chart: httpbin-1.0.0
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "latest"
app.kubernetes.io/managed-by: Helm
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email
nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy-example-oauth2-proxy-sample.default.svc.cluster.local/oauth2/auth
spec:
rules:
- host: httpbin.localtest.me
http:
paths:
- path: /
backend:
serviceName: oauth2-proxy-example-httpbin
servicePort: 80
---
# Source: kubernetes/charts/oauth2-proxy/templates/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
labels:
app: oauth2-proxy-sample
chart: oauth2-proxy-3.1.0
heritage: Helm
release: oauth2-proxy-example
name: oauth2-proxy-example-oauth2-proxy-sample
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
large_client_header_buffers 4 32k;
spec:
rules:
- host: oauth2-proxy.localtest.me
http:
paths:
- path: /
backend:
serviceName: oauth2-proxy-example-oauth2-proxy-sample
servicePort: 80
---
# Source: kubernetes/charts/hello-world/templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
name: "oauth2-proxy-example-hello-world-test-connection"
labels:
helm.sh/chart: hello-world-1.0.0
app.kubernetes.io/name: hello-world
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['oauth2-proxy-example-hello-world:9080']
restartPolicy: Never
---
# Source: kubernetes/charts/httpbin/templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
name: "oauth2-proxy-example-httpbin-test-connection"
labels:
helm.sh/chart: httpbin-1.0.0
app.kubernetes.io/name: httpbin
app.kubernetes.io/instance: oauth2-proxy-example
app.kubernetes.io/version: "latest"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['oauth2-proxy-example-httpbin:80']
restartPolicy: Never

View File

@ -68,9 +68,7 @@ httpbin:
ingress:
enabled: true
hosts:
- host: httpbin.localtest.me
paths:
- /
- httpbin.localtest.me
annotations:
nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
# That's what will be used in REAL LIFE
@ -83,9 +81,7 @@ hello-world:
ingress:
enabled: true
hosts:
- host: hello-world.localtest.me
paths:
- /
- hello-world.localtest.me
annotations:
nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
# That's what will be used in REAL LIFE