From 4f9d3fba78e7b13f74fb8313485449d181e30706 Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Mon, 13 Mar 2023 14:02:36 +0200 Subject: [PATCH] Right before big longhorn diff --- README.org | 4 ++++ templates/_definitions.yaml | 17 +++++++++++++++++ templates/auth.yaml | 37 +++++++++++++++++++----------------- templates/gitea.yaml | 33 +++++++++++++++++++++++++++++--- templates/ldap-auth.yaml | 38 ++++++++++++++++++++++++++++++++++++- templates/phpldapadmin.yaml | 2 +- 6 files changed, 109 insertions(+), 22 deletions(-) diff --git a/README.org b/README.org index c2b0794..668ae68 100644 --- a/README.org +++ b/README.org @@ -75,3 +75,7 @@ Email Attribute: mail * EVERYTHING https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect + +* DRONE AND GITEA +? +https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l diff --git a/templates/_definitions.yaml b/templates/_definitions.yaml index 924c55b..668d460 100644 --- a/templates/_definitions.yaml +++ b/templates/_definitions.yaml @@ -17,3 +17,20 @@ data: {{- $pass := (get $secretData "password") | default "UNDEFINED" -}} {{- $pass | quote -}} {{- end -}} + +{{- /* + Returns given number of random Hex characters. + - randNumeric 4 | atoi generates a random number in [0, 10^4) + This is a range range evenly divisble by 16, but even if off by one, + that last partial interval offsetting randomness is only 1 part in 625. + - mod N 16 maps to the range 0-15 + - printf "%x" represents a single number 0-15 as a single hex character +*/}} +{{- define "randHex" -}} + {{- $result := "" }} + {{- range $i := until . }} + {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }} + {{- $result = print $result $rand_hex_char }} + {{- end }} + {{- $result }} +{{- end }} diff --git a/templates/auth.yaml b/templates/auth.yaml index 87511b4..0762c5f 100644 --- a/templates/auth.yaml +++ b/templates/auth.yaml 
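Review bot: The header comment on the new `randHex` helper has two typos (`range range`, `divisble`) and its off-by-one caveat is moot: 10^4 is exactly 625 × 16, so `mod … 16` over `randNumeric 4 | atoi` is unbiased and the sentence about a partial interval can simply go. `$i` in `{{- range $i := until . }}` is never read; `{{- range until . }}` expresses the same loop without a dead variable. Because templates/gitea.yaml uses this helper to mint the `drone-gitea-oauth2-secret` value, the comment should state what callers get, e.g. `Returns N random lowercase hex characters (4 bits each, so randHex 32 is 128 bits); N is the dot argument.` — noticeably less entropy than the `randAlphaNum 32` the sibling secrets use, which is worth a sentence of justification, and whether `randNumeric` is backed by a cryptographic source depends on the sprig version bundled with the Helm in use, so that is worth confirming before relying on it for a client secret.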
@@ -1,18 +1,25 @@
 ---
 {{- define "homey.auth.ingress.annotations" }}
- nginx.ingress.kubernetes.io/auth-url: "https://git.zakobar.com/oauth/authorize"
- nginx.ingress.kubernetes.io/auth-signin: "https://git.zakobar.com/login"
- # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
- # nginx.ingress.kubernetes.io/configuration-snippet: |-
- # proxy_set_header X-Ldap-URL "ldap://openldap";
- # proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
- # proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
- # proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
- # proxy_set_header X-CookieName "homey.auth.cookie";
- # proxy_set_header Cookie $cookie_homey.auth.cookie;
- # proxy_set_header X-Remote-User $remote_user;
- # proxy_set_header X-Forwarded-Method $request_method;
- # proxy_set_header X-Ldap-Template "(uid=%(username)s)";
+ # nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com"
+ nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80"
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
+ nginx.ingress.kubernetes.io/location-snippets: |-
+ auth_request /auth
+ nginx.ingress.kubernetes.io/configuration-snippet: |-
+ location /auth {
+ # proxy_pass http://ldap-auth-internal;
+ proxy_pass_request_body off;
+ proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
+ proxy_set_header X-Ldap-URL "ldap://openldap";
+ proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+ proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+ proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
+ proxy_set_header X-CookieName "homey.auth.cookie";
+ proxy_set_header Cookie $cookie_homey.auth.cookie;
+ proxy_set_header X-Remote-User $remote_user;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Ldap-Template "(uid=%(username)s)";
+ }
 {{- end }}
 ---
 {{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }}
@@ -21,10 +28,6 @@
 # ---
 {{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }}
 ---
-# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-pass") $) }}
----
-# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-db-pass") $) }}
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/templates/gitea.yaml b/templates/gitea.yaml
index 4b81ec4..60d7f85 100644
--- a/templates/gitea.yaml
+++ b/templates/gitea.yaml
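Review bot: The `location /auth` block in the new `configuration-snippet` has its only upstream, `proxy_pass http://ldap-auth-internal;`, commented out, so the `auth_request /auth` injected via `location-snippets` points at a location with no backend and protected requests will most likely error rather than be checked against LDAP; on top of that, ingress-nginx generates its own `auth_request` for the `auth-url` annotation and nginx treats a second `auth_request` in the same location as a duplicate directive, so the hand-written location and the `auth-url` mechanism are likely to collide and one of them should go. Separately, `X-Ldap-BindPass` renders the `openldap-ro` bind password in clear text into an Ingress annotation, where anyone able to read Ingress objects in the namespace (or the generated nginx.conf) can see it; sourcing the bind credentials from the Secret inside the ldap-auth backend itself would keep them out of every Ingress that uses this helper. Note also that `lookup` returns nothing under `helm template` / `--dry-run` and on a first install before the Secret exists, so the header then renders as `""`. The helper is defined in full inside the hunk, so nothing continues outside it.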
@@ -7,9 +7,35 @@ metadata:
 "helm.sh/resource-policy": "keep"
 type: Opaque
 data:
- {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict }}
- {{- $secretData := (get $secretObj "data") | default dict }}
- {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
+ password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: drone-gitea-oauth2-key
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "drone-gitea-oauth2-key") | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
+ password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: drone-gitea-oauth2-secret
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "drone-gitea-oauth2-secret") | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default (randHex 32 | b64enc) -}}
 password: {{ $pass | quote }}
 ---
 apiVersion: apps/v1
@@ -29,6 +55,7 @@ spec:
 containers:
 - name: gitea
 image: gitea/gitea:latest
+ ports:
 - containerPort: 3000
 name: http
 volumeMounts:
diff --git a/templates/ldap-auth.yaml b/templates/ldap-auth.yaml
index ae77b1c..7b11b59 100644
--- a/templates/ldap-auth.yaml
+++ b/templates/ldap-auth.yaml
@@ -21,6 +21,7 @@ spec:
 image: linuxserver/ldap-auth
 imagePullPolicy: Always
 ---
+#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap
 apiVersion: v1
 kind: Service
 metadata:
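Review bot: The `-}}` right-trim now on the `$pass` assignment of each of the three Secret blocks swallows the newline and indentation in front of the following `password:` key, so each Secret renders as `data:password: "…"` on a single line instead of a `data:` mapping with a `password` entry; dropping the trailing `-` on that line in each block, e.g. `{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}`, keeps the assignments silent while leaving the newline intact (the left-side `{{-` on the next action already removes the blank lines the other two would leave). The three blocks are otherwise copies of the `homey.randomsecret` helper that templates/auth.yaml already calls; if the only reason for inlining is the `randHex` variant, an option on that helper would avoid repeating the lookup-or-generate sequence three times. If `drone-gitea-oauth2-key` and `drone-gitea-oauth2-secret` are intended as Drone's Gitea client ID and client secret, note that Gitea issues both values when the OAuth2 application is registered, so a locally generated pair cannot simply be handed to it; a comment stating how these values are meant to reach Gitea would save the next reader the same question.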
@@ -31,4 +32,39 @@ spec:
 ports:
 - port: 80
 targetPort: 9000
- name: ldap-auth-port
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ldap-auth-internal
+spec:
+ selector:
+ app: ldap-auth
+ ports:
+ - port: 80
+ targetPort: 8888
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ldap-auth-ingress
+ annotations:
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - auth.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: auth.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: ldap-auth
+ port:
+ number: 80
+---
+
diff --git a/templates/phpldapadmin.yaml b/templates/phpldapadmin.yaml
index b24eccb..31e5309 100644
--- a/templates/phpldapadmin.yaml
+++ b/templates/phpldapadmin.yaml
@@ -44,7 +44,7 @@ kind: Ingress
 metadata:
 name: phpldapadmin
 annotations:
- nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
+ {{ template "homey.auth.ingress.annotations" $ }}
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
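Review bot: `annotations:` under the new `ldap-auth-ingress` metadata is left without a value, which YAML reads as `null`; either drop the key or put the intended annotations under it, and the trailing `---` plus empty line at the end of the file is a spurious empty document that can go too. The templated scalars `{{ .Values.homey.ingress_class }}`, `auth.{{ .Values.homey.url }}` and `{{ .Values.homey.certname }}` are unquoted, so an empty value renders as `null` and a value beginning with a YAML indicator breaks the document; `secretName: "{{ .Values.homey.certname }}"`, and the same quoting for the other two, is the safe form. The Ingress publishes the `ldap-auth` Service (target port 9000) on `auth.<homey.url>` while the new `ldap-auth-internal` Service (target port 8888) stays cluster-internal; a one-line comment on each Service naming which of the container's two ports it fronts (login frontend versus auth-check endpoint, if that is the split) would make the pair self-explaining and make it obvious that only the 9000 side is meant to be reachable from outside.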
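Review bot: Replacing `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"` with the `homey.auth.ingress.annotations` helper removes the only network-level restriction on phpLDAPadmin, an administrative UI over the directory, and makes its exposure depend entirely on the `auth_request` flow that helper configures; keeping the source-range annotation next to the helper's output (defence in depth) costs nothing and still covers the case where the auth snippet is misconfigured or snippet annotations are disabled on the controller. The helper is dropped in with `template`, which cannot be piped, so its lines land at whatever indentation the `define` body happens to use rather than at the level this `annotations:` mapping requires; `{{ include "homey.auth.ingress.annotations" $ | nindent 4 }}`, with the define body written at column 0, makes the indentation explicit instead of relying on the two files agreeing.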