full oauth2 configuration for owntracks

2020-06-01 00:28:18 +02:00 · 2020-06-01 00:28:18 +02:00 · dcf89a0944
parent 78ae9d4e71
commit dcf89a0944
7 changed files with 98 additions and 26 deletions
--- a/owntracks/frontend/deployment.yaml
+++ b/owntracks/frontend/deployment.yaml
@ -45,14 +45,14 @@ spec:
          value: https://git.tbrnt.ch/api/v1
        envFrom:
        - secretRef:
-            name: oauth2-proxy
+            name: oauth2-proxy-frontend
        args:
        - --upstream
        - http://127.0.0.1
      - name: frontend
        env:
        - name: SERVER_HOST
-          value: owntracks
+          value: recorder
        - name: SERVER_PORT
          value: "8083"
        image: docker.io/owntracks/frontend:v2.3.1
--- a/owntracks/frontend/oauth2-secret.yaml
+++ b/owntracks/frontend/oauth2-secret.yaml
@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oauth2-proxy-frontend
+  namespace: owntracks
+spec:
+  encryptedData:
+    OAUTH2_PROXY_CLIENT_ID: AgAbUwgFpg6D5xeyhYXgr6B8c6l/EN15ie5AX/hBbrFtcWPG4iLwMWmu9Xrhm5w3FbCXBttXag/ZW/UpX8x8EK/EOKzA0OTkChUVhACCz9BsYOceQxS41nxk5GUhpng/Z47Ton/bT3xpLwHempWBjSM7v+elDmgYgAdjjs5eoN4yQ+7hyLNKkvDPSCZnXUfEyS+Rlx412C5q3BcA7VGHcXVOJp3oesNPhd7BUcPARAA7HUvz7bTivwSru2M0UEJ9JrpNpu7sShC0QaF6tP4UYOE9TFi+rIfxOcVJPmr6irLiqYGMRlnnwjxTsr+Z699WN26D17exzhbtXN9c8is0FJWCzQrIali6lNoCyLvbWPQyOSMKhXd/xmVkBfv8n8uYK4lK/pX/7YcjSdcBawVTouz+B8PWlW5drNcXHltH1NtZOJ1Nrv+d3uoHYxNjfisMGRaXJLcFNN9jI9eWHAZfj52h6jogk1Mnz3qSgsHNH1YPI1Nh4JDfRO3TcWRKgxGH2zJ/mMoIJzPe2TvfuugX0xVXLbDom7OT/g452AljVoofTyA195HzyXc8uP9JkIB179QuNS2nH3ZuonOWKyrhMyJXB2hs97w7qiWUr25s8bu8/+fHVMfQuD4wvFdKKedCH7wxmQ7eGbJRUr2Ihp5PVzlFkJ4JZXOKba5aZhtvrPz4nYzgqlTMR9+MdYO8MWnvzw+RO/VptMgKuW0SmgOQ9K3VbUjPQ7dNNhYUetXfpuhLXMtasMM=
+    OAUTH2_PROXY_CLIENT_SECRET: AgAUSp9/V2D08aGD3sQakxNJa6Zlynw5LzZA3p6BrDQRn1FVb20anPgOXOJCR1SSbYGAWTAMZNuk3jM0q4e3qMMDO/dgB2rxxxTzVMzHGgJP/BIfwkCZcbrOr0YjlKkGT+EHWtrF2itZAisSAIeMSkTmEbAq1WeJOhgVKmkYMbMudKyqhSvfkmpIiX7LOYVsouxmAOcMf34PnK/Fw+rkwg57o+a5dySSszRtk/e3Tn3T8pcDcx5OybGYQab0QY2hI7/FZzXyy1/jaGsO3+/FysgvHsIr8s+Ey10kTxvgtwBUi4WkkqOM1A8ubBhKQU478pwKW6tMYfZ7AaTafSm0ECd0b9SIi1kNSjMjyaej+PRICOxePhyFHmLlRiyTQgVYQu9VMfevo9A0poYjD2imnczokIxaBISP1TaBvtN/Zq0f/abc12ScewRQ3oe6hqnywCM3q7P/NEF8wUbKpz9GxG/LYTWd0jq9wMqI5CHTkViGzcxRkP84fjs4y55dhcZdHvFmh7hbs7fdM/9mCjh+Newyb6WWC8Gi9KfKsgsHHr1XZDDo7HXn1CCxFeoL5cpGTgJCCWraaDbZXCHbkpjlcx9waHcPc0nP5dWDpJlprTZ35GANyiUoxGo6qZp/20Sx8nCdBUVerX9gugYrNKvZhp5PRbRAhajngOn2WP2BLXKVNezzq25uVHl58FijSGwSUtaUMZznXYHIKOU3OYM0OoPpten9sp2KotbsZoyy1Tf/fErOF5+5dBWf2003lQ==
+    OAUTH2_PROXY_COOKIE_SECRET: AgBElq1y1iSOElfa/LU+QneYo/TeqOQo0cv95TBbnbYCuW4L9zA80ljLMsdb0TP/lSuBh3FzpGqxUbY7ln0glwjIQ9Kn1QD+Q4nv1g6uRyv/7urbEzXbNBCLBjnax6fETsZkJjwYsUmw8YEDJ3KXMyqI/FRK26cDab/bmeZW78laN10KZ6XvwmJWvDp/UML+L8RV1pzdlOH4ua+TmXKope/fQBkMpjV8MkaHRuY281liFW217vsNPXuKXtFXVuWLQ2meVlpaQpWt6+0hz09ytM3pAJcr0LVm2Ch+GLHuW5UlLKvU7aHq/t2LW9LiSW17eloVQgHV2gYqjye+135C4StfjbabiKaIiL26Z+O/pVh492BWW6/RuJhfzwROnOLTszbSYtvEOo6DSzW6a+WUGTHaBn48MOLc+bb2YQVSe27mG6tkBOjgEMH5Q14xfb7lm7Rgvq7qIH2FiADP2bIvJ3zllVoLB+3axV0h3+Sz+VK4PaTVDOE+z/cLdPmjHP1dJg9lmP2jQ5JfCorsf88dW076L47yzoflWUCfnoNKGm658JOoelu2MiP+enpGhQeDLzH7r1r4bCWQlNwCU98PafyAaQtYeQ22xPOtlq0mnJ3ohbl4Di84BxjsPwLVZZoq4rJieoOve7wQxB02sQ/BxUs7rrSSEXtVr69VfLuI3J8Fv2iHvbx/eTOiBGLJJo0IYkgdXT8Jr+kbexpxuQPSzGVPrNPBK3sXoyjqGKXJnQGq9A==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oauth2-proxy-frontend
+      namespace: owntracks
+status: {}
+
--- a/owntracks/oauth2-secret.yaml
+++ b/owntracks/oauth2-secret.yaml
@ -1,18 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: oauth2-proxy
-  namespace: owntracks
-spec:
-  encryptedData:
-    OAUTH2_PROXY_CLIENT_ID: AgBCu2Lpj6DGPF6r77OlPC9JstJnwOBin0l+eSfC977ve2rgV5PGkSl68/yBk+4+IicStcSMrIdR9jEIFRrmL+ThOWCXsxU10L/r0SMc9V0aNE85hCeUI/tT5sU5QCMtpO+wJtUidxvPT5+QblVsTpCDDODTmV9SJiC3+Ortty5rqMOPE64V/04yT4crG3383zhnNlEdpZGsXq0rzmsn9llosloG9E6LFvVUFKQkq40WGu33ljr4UaUcV8pZbAn2H9UB5wSBRpqCJijAJgvUD5SKjRVtGM8r/0MCDZFnMoJVSsvqBeCzJhBJRR2IgrkRgY1NagNjGvDCcDoFuUz4WxQbYeHFHv+YDSh3qYuROiEss0dhxXnMs0uJ0fOFEhwt+Vx/Ny8MNw9BQBCx4qzaDBp4zMmvZ9ViZJ/nobEYZPQuvvSfvL1SlMh3W+DhlepQ7F+2aKVKUakN+WRpy5f3tfao27zJZC0aO0PuREJ0dJlowt3aME9CH+xSwH5z3zmQDajoS5QWjmsuyw5nStWXfCsXnsh2knYn2ur0eYMlK9H7voScMysng7kLeWXMzy9R1esj3p862O628S0qf/eeM63TGUcxDCTTEz641Uovj6PnotZcZO4U1ndQgCF72cUnQkrEuiyjH2rT462Cbwcgxyyx9qVyhXZX+x1jAPaV8YbrPkx1/8xJ/KjULuRZaPU7l9UHkgSBIO+h9egi4q5hXhqLQ0ScTnuNM7ZgisvIP805BwZqc2M=
-    OAUTH2_PROXY_CLIENT_SECRET: AgAn8UTPLDHcgY80m5aIylyMjMvWl1d5wsGoZ5QjdPS8yRJxxBiqqK8/msXCIsjdtNtDeF9OBq2UxyRm2mdU9lYN5pCicMYYLt4cRlcYHkcNpOEwxH3WZYefMcWlEKQpFEeg+B+MG7jmfIKGoIAL1JfojF2Qrt3gD06caAOcigjjCLZM0a7Y9owP+8Z8xmc+1zG6x9Z2PH8ekOkbJTu5l1nAxgYQXpl14nwVCJV/o+3eVU+Ky+zfrhCJN/Cw4eJoNDsJXRw4pxXe0w6FXiy3yx/cXrU2y4qmOfvRVWPY75O9WLCfDWw2zEiHb9Ks60yYkknkdlv9ZlzzTE0lq2M8RMeEjRJVMVrRXLcARo3IHWm2r0L3RU46U8VDOkYJDsYEThT5c4nacK/PU1UYHwEnsrHormB3W2FGS0lI3boDY8gkXX4WaX4NvD2N66SYpFmyRfTZU1rtiC2JXrvprdjJefbM+N9ZGZxKcO72PQJ4cFRTyn5fEsClocGt4JSEzu29I6VP7nwmmGE+TgatHonCxgNCka+n/NJdgrJcz8LNjnihIbBuaT7x9/NmJ8rkGIG8TCGPh/iOJt9ZFIdVgqMneW2wKIQZcAD0wSFEy6U984YCOOvW00VkKqIRyJDPUwRLdjBJ8mK2E+tUlYpAknEXFMu9QB86zuP3oR/PwCGd/SauDKBQzChTh/zKqQpo2UbLV0ufOCasRefdqC/GORhVKgOYP5hijk1yv9ogjKTkmqKqlOtjYFJnoDuCYvX/Lw==
-    OAUTH2_PROXY_COOKIE_SECRET: AgCLepha3T61OQFK4lDoivgOX7fdVYVvMWZYk8x4ZXggSaJvcMSgmoUU5h+kmVLB73F1JGqE7Ck3wLtNHKnBzPAvAiNk6CxGItlE3QPImkz0ED7Ipf7K8MrK9G6TAW68w8+rI64bpGvVbcAW6GOjOKm/nMSAakgicXXWtA2JBRSmnqE6UVXYb770UxN82LKeIgriberb4rGAMNjAi7ziDmy7L2OyyPgzK1KRxI4WaitqaPP2q4PEQAuJPq+9w1hAWSHP9V4PR8VmPRpUmMwK9sd6M6oMrqc3fNqZc0CN7tHIDdx+lapwI5tXwGia++C5m/ku3TVZIib4khjfVSi3xvU0KbLv2mQBWI9tR8VwmpP1ALLeYuSMoI/3BtQ2QlQUZ6qy1dbYsdFgwPJZNPnsgb+QZbhjYXlSgLmEC7MrZf6Bho1AHmyoUKW25Wn6GZnz3Hm+0S9CYyGPvZCjQ8TY2px9mc2D8kyZdpqZeLVkW73LWQentAMIBVgkpC3mNccNXSyXghlbOGZCtwMZPLtiuKm6wsJmf5x7xirG7hihZGKOQ+NuYosT3sbiNGV2R9rO9gtdXYljHI2QyP/19HvFIH2dcTdaa5c/ktl77DdhvpvJZaUU2WZe6NzYQv9AAPbIsLqmJRfmMzKkKBUbj7tNmaIiYZc+T+IQx/Kw0pKXb0I2xMKHpR8zDkFSQwGjsrEe5VdwkIVf/fJRaMYZesmmbiKKFNGSS0Y+vIYdTF2FLE0w3g==
-  template:
-    metadata:
-      creationTimestamp: null
-      name: oauth2-proxy
-      namespace: owntracks
-status: {}
-
--- a/owntracks/recorder/deployment.yaml
+++ b/owntracks/recorder/deployment.yaml
@ -17,27 +17,65 @@ spec:
        app: recorder
    spec:
      containers:
-      - env:
+      - name: oauth2-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+          name: http
+        env:
+        - name: OAUTH2_PROXY_HTTP_ADDRESS
+          value: :8080
+        - name: OAUTH2_PROXY_REVERSE_PROXY
+          value: "true"
+        - name: OAUTH2_PROXY_EMAIL_DOMAINS
+          value: tobru.ch
+        - name: OAUTH2_PROXY_PROVIDER
+          value: github
+        - name: OAUTH2_PROXY_REDIRECT_URL
+          value: https://owntracks.tobru.ch/oauth2/callback
+        - name: OAUTH2_PROXY_PROVIDER_DISPLAY_NAME
+          value: tbrnt Gitea
+        - name: OAUTH2_PROXY_LOGIN_URL
+          value: https://git.tbrnt.ch/login/oauth/authorize
+        - name: OAUTH2_PROXY_REDEEM_URL
+          value: https://git.tbrnt.ch/login/oauth/access_token
+        - name: OAUTH2_PROXY_VALIDATE_URL
+          value: https://git.tbrnt.ch/api/v1
+        - name: OAUTH2_PROXY_SKIP_AUTH_REGEX
+          value: ^\/(view|static)\/.*$
+        envFrom:
+        - secretRef:
+            name: oauth2-proxy-recorder
+        args:
+        - --upstream
+        - http://127.0.0.1:8083
+        securityContext:
+          runAsUser: 9999
+          runAsGroup: 9999
+      - name: recorder
+        env:
        - name: OTR_HOST
          value: mqtt-plain.mosquitto.svc.cluster.local
        - name: OTR_USER
          value: ot-recorder
        image: docker.io/owntracks/recorder:0.8.6-12
        imagePullPolicy: IfNotPresent
-        name: recorder
        command:
        - ot-recorder
        - --viewsdir
        - /htdocs/viewsjson
+        ports:
+        - containerPort: 8083
+          protocol: TCP
+          name: recorder
        livenessProbe:
          httpGet:
            path: /api/0/monitor
            port: 8083
          initialDelaySeconds: 1
          periodSeconds: 30
-        ports:
-        - containerPort: 8083
-          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /store
--- a/owntracks/recorder/ingress.yaml
+++ b/owntracks/recorder/ingress.yaml
@ -16,7 +16,7 @@ spec:
      - path: /
        backend:
          serviceName: owntracks
-          servicePort: 8083
+          servicePort: 8080
  tls:
  - hosts:
    - owntracks.tobru.ch
--- a/owntracks/recorder/oauth2-secret.yaml
+++ b/owntracks/recorder/oauth2-secret.yaml
@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oauth2-proxy-recorder
+  namespace: owntracks
+spec:
+  encryptedData:
+    OAUTH2_PROXY_CLIENT_ID: AgBaSfU6w/u0rUe+ooG6MfH18uKvkHm9W+UiI0dQrZ75nq3uGUR/5DpRtqvI2LX1AjaoDjUttummcm/NBtQSGFZ1AKalmFCN/39mEUrlN6tWIdDKvSS3zVKeounuq251eYCdWeaiTqBv3gMOFEdZp7JVauaBJNpCRASk/+sIesNVa4ilV9oL6Yppy5NOxPq8TIsXo8e/TSbu4VTKOkijdKfUPrl1GF/CbdcajwbkAIdTAX0g/2cvywfJZWM5LVJ9hjYipfODMIrRY5L/GIpXdVkXxDz24QRd8jhUcTS2i8jzesIb+os8Sz9i/DPg7bn+mwp66YnB4Q4Z+c3Y0QMLODqBNYJXb8x2vNL7BIuUKtDjYhdplC2fGEfcBHuJ7S3xBOlwZM3Z++o05vLnlMBRjXyFL//xiwZCppCVw5CsC7yR7+iY7dBrQy7mCmSK5OByb0Ydjh0iWl+bJTSN0u3xbYi27HGfMomCXtcwyBRUJV1iHjZWAhVa31ZqqUBb4MAVks6RwJCfrCM9i3bkTRQbVSGlNLgx/kjvtF+jFPy2LM0AVFWN2JMWMon+qDxmzRTNObinIRz14wCrxiqxTYON4wYCyEB6ZwykO2UlN6XKLFl+sWLp4/z24ZhfGsLIV95vt/Gtr8PiaoXIy5NfG85r0fPRRa/a3Yuvi2JhmY5lanuC4gp7bygicVmiVSTmgTlWts1tGbo8lmJh1ufaKjA/It07PDfzSgzY5tQ0uqNBnzwHhp9YxiI=
+    OAUTH2_PROXY_CLIENT_SECRET: AgBzwvWzjU1Kgwmvyzl/P79Mq76utpjIGQYHasDeQdy8zloFYlS/CGpmaqQnqTuxy1Guh7ivGKNYdZeTMRtp+DjToomwAie3UwJHZIoQWc3dHRJnEOaKM4vgQRLpFIPa7Dt9yuI64d3J9h+Q0W2CB0vxI4YaeuvLXaZJrAslauKZdC/n23Zx65ihR4EPneOt5XZ4IwHufYLYwupfte6MXD4TMHF7TFOzob3XuZO/6Kqs0JcNeGuTotVhEQr6XkBvD8x1pHEYPWpsWdhkY0wVXHxD6wfFLPXK2xrAuroep7155wyKPCr68F36obGAx+q3lIr4lGJglj+6APicz6rRUBA0RGbtwYdRIQBlAzvBE9G/ojLQwnO5WEgByvqrNYFpgNfLxes8eaSwwSoPOMYWP5Ey11VGq1xz16eVGvG2jwvfC5ULLsxKGTsuqIzllf5kS5ULR7XpxJNxPy3sCsDBauftx9FsJ7+FdI/IRKMhIn8Ys/7xLmtBP5gtATpqraHVu68ER5o97h6KiGtN2/JwyjpFZyj+fsIIvsNTZoMGm+1o2XTwpRXVOimjA1yEhTm0NmND6QfghAP0ExRgQPqPEP+i0jeffzd46Jh5qiYBYFx0XVfqjjfhqF3XzEvakTdyxi306xlmcWmebK3KbLw0RkwYfo6BbFdhUhnv3gzkeFnxl673EFG/+57ZSEylAzrMln3+LLDsylBHr2QNdcXaXkVvEEA+PlkHTnXIPy6e33oI1gH6t5opshEg1kgs4A==
+    OAUTH2_PROXY_COOKIE_SECRET: AgChQvcPnNkUbVwBM62v1Tfy9/zvEYltLvtb0xjWrUROKxbqnU8G/xMMw/xLfhjgLnkayQSUMlHS0yy8vFUMBdQKbs3zm9f4uydrW13K71zuX+3+aMsD9fbLLdmvnHnMETjI3BifIZiMVPbuqBaZH3R/ckp/g2w4Lzvu44rfLeDhminIqYpgHOiJ0zAhKU54NFmYkms4ngzgWgwWYLQNky6sz6fzMQ7GDKvHoGQP5NZiYGnBnECDqhTMoWcHgoq9XCL7dFIQqxeYnOMsRruPIW2a2FiYU6M768Z39E9bfi0BeLONx6zbe5RqKFU6md38mO7J3GHNrd8/IJ/Os7QE5Kq4KA3yjbD03o52TxV3tmTM4i85NACB6HH/zyV/VyOvbax9x0/YchClEuvPPOe2pAGzAbn3W/3nYfhO4ItBKuPuwUIvSEDMUpQYQve7ppz6RbQja8eVNinwrIly+DVuR/lHQpuaAc7/HPy6snbQN51vhtmy8R2iyiPMfY59VpSQpBbW+wVfwjFEoY4hDJZZkVJvrbOqo+cC/wMuyc5IZ1kKYSgIoUNJXZlPKdDTJ3d331FdX/RmG4R3bYicnQ1pO+7rcsqk7/XGDqmQ5nBHr20QI0PMkR1XcIhUspExLzycNi10WlxeTiOQygWBPScaXO4ufzgVwHv5ToZEYnc85OH8OKTHGUPyStFY7ukukowRYczcwyVJjZ+Q1VXnj12Ot+DMLsFiVixxjuHcrV4i88CeGA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oauth2-proxy-recorder
+      namespace: owntracks
+status: {}
+
--- a/owntracks/recorder/service.yaml
+++ b/owntracks/recorder/service.yaml
@ -5,6 +5,22 @@ metadata:
  namespace: owntracks
  labels:
    app: recorder
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: recorder
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: recorder
+  namespace: owntracks
+  labels:
+    app: recorder
 spec:
  ports:
  - port: 8083