diff --git a/manifests/sillytavern/ingress.yaml b/manifests/sillytavern/ingress.yaml
index 0b70c62..802dea1 100644
--- a/manifests/sillytavern/ingress.yaml
+++ b/manifests/sillytavern/ingress.yaml
@@ -11,6 +11,7 @@ metadata:
     cert-manager.io/cluster-issuer: letsencrypt-production
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: sillytavern-oauth2-proxy@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
diff --git a/manifests/sillytavern/middleware.yaml b/manifests/sillytavern/middleware.yaml
new file mode 100644
index 0000000..b7a4f93
--- /dev/null
+++ b/manifests/sillytavern/middleware.yaml
@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oauth2-proxy
+  namespace: sillytavern
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.sillytavern.svc.cluster.local:4180/oauth2/auth
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
diff --git a/manifests/sillytavern/oauth2-proxy.yaml b/manifests/sillytavern/oauth2-proxy.yaml
new file mode 100644
index 0000000..dd2244d
--- /dev/null
+++ b/manifests/sillytavern/oauth2-proxy.yaml
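Review bot: The new `router.middlewares` annotation applies the forwardAuth middleware to every route of this Ingress, so the callback URL the oauth2-proxy Deployment in this commit advertises, `https://sillytavern.mrt0rtikize.ru/oauth2/callback`, also has to pass the auth sub-request; unless a rule outside this hunk sends `/oauth2/` on that host to the `oauth2-proxy` Service on port 4180, the callback is answered with the middleware's rejection and the login flow can never complete. The `spec.rules` block is outside the hunk, so this is inferred from the three files in the commit rather than seen. Because a Traefik Ingress annotation is per-Ingress, not per-path, the usual fix is a second Ingress for the same host without this annotation that routes `path: /oauth2` to `oauth2-proxy:4180`. A comment above the annotation, `# forwardAuth via Middleware sillytavern/oauth2-proxy (manifests/sillytavern/middleware.yaml); /oauth2/* must bypass it`, would make the cross-file dependency visible to the next reader.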
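Review bot: `authResponseHeaders` copies `X-Auth-Request-User` and `X-Auth-Request-Email` from the auth sub-response onto the request that reaches SillyTavern, so the application will treat those headers as authoritative, yet nothing in this commit stops a client that can reach the `sillytavern` Service without going through Traefik (another namespace, a NodePort, a port-forward) from supplying them itself. Whether SillyTavern reads those headers is not visible here; if it does, a NetworkPolicy restricting ingress to the sillytavern pods to the Traefik namespace is the usual guard, and a comment on `authResponseHeaders:` should state that the upstream must only be reachable through the middleware. Separately, as far as I recall oauth2-proxy answers an unauthenticated call to `/oauth2/auth` with a plain 401 rather than a redirect to the provider, so a browser without a session gets an error page unless a Traefik `errors` middleware turns the 401 into a redirect to the sign-in endpoint; worth confirming against the oauth2-proxy Traefik documentation for the v7.15.2 release used here. A one-line comment on `address:`, `# /oauth2/auth only returns 202/401; sign-in redirect must be handled separately`, would record that behaviour next to the setting.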
@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy
+  namespace: sillytavern
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy
+    spec:
+      containers:
+        - name: oauth2-proxy
+          image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2-amd64
+          args:
+            - --provider=oidc
+            - --oidc-issuer-url=https://auth.t0rt1k.tech/
+            - --redirect-url=https://sillytavern.mrt0rtikize.ru/oauth2/callback
+            - --upstream=http://sillytavern:8000
+            - --http-address=0.0.0.0:4180
+            - --email-domain=*
+            - --scope=openid email
+            - --pass-authorization-header=true
+            - --set-authorization-header=true
+            - --cookie-domain=.mrt0rtikize.ru
+            - --cookie-secure=true
+            - --cookie-samesite=lax
+            - --reverse-proxy=true
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-secret
+                  key: client-id
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-secret
+                  key: client-secret
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oauth2-proxy-secret
+                  key: cookie-secret
+          ports:
+            - containerPort: 4180
+              name: http
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            limits:
+              cpu: 50m
+              memory: 64Mi
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 4180
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 4180
+            initialDelaySeconds: 3
+            periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy
+  namespace: sillytavern
+spec:
+  selector:
+    app: oauth2-proxy
+  ports:
+    - port: 4180
+      targetPort: 4180
+      name: http
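Review bot: The new Deployment runs the proxy with no pod or container `securityContext` and with the default ServiceAccount token mounted, although the process only needs to listen on 4180 and reach the issuer; `automountServiceAccountToken: false`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` are the standard hardening for an authentication gateway and cost nothing here (the rewritten pod spec is below; if the image turns out to run as root, add an explicit `runAsUser`). Two arguments also widen exposure beyond the single host: `--email-domain=*` admits every account the issuer at `auth.t0rt1k.tech` will authenticate, so access control is exactly as strict as that issuer, and `--cookie-domain=.mrt0rtikize.ru` scopes the session cookie to every host under that apex instead of `sillytavern.mrt0rtikize.ru` alone, so any other site there receives it; unless both are intended, narrow the cookie domain to the host and restrict users with the group or email allow-list flags. `--upstream=http://sillytavern:8000` is never exercised by the forwardAuth middleware this commit wires up (Traefik sends only the auth sub-request to the proxy), so a comment such as `# upstream is unused in forwardAuth mode; application traffic reaches sillytavern via Traefik` would stop a reader from assuming the proxy sits in the data path. The three keys read from `oauth2-proxy-secret` are not created by this commit, so a comment on the `env` block naming where that Secret is provisioned (and that oauth2-proxy requires `cookie-secret` to be 16, 24 or 32 random bytes) belongs there. Pinning the image by digest rather than the `v7.15.2-amd64` tag would make the deployed binary reproducible.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2-amd64
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: args, env, ports, resources, livenessProbe, readinessProbe …
```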