feat(oauth2-proxy) add oauth2-proxy module

2025-09-13 00:15:31 +09:00
parent cf28e427c2
commit 45aa5bd20e
6 changed files with 292 additions and 0 deletions
--- a/oauth2-proxy/oauth2-proxy-deployment.gomplate.yaml
+++ b/oauth2-proxy/oauth2-proxy-deployment.gomplate.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: oauth2-proxy-{{ .Env.APP_NAME }}-config
+  namespace: {{ .Env.APP_NAMESPACE }}
+data:
+  config.cfg: |
+    http_address = "0.0.0.0:4180"
+    provider = "keycloak-oidc"
+    oidc_issuer_url = "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
+    redirect_url = "https://{{ .Env.APP_HOST }}/oauth2/callback"
+    email_domains = "*"
+    reverse_proxy = true
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy-{{ .Env.APP_NAME }}
+  namespace: {{ .Env.APP_NAMESPACE }}
+  labels:
+    app: {{ .Env.APP_NAME }}-oauth2-proxy
+    app.kubernetes.io/component: oauth2-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Env.APP_NAME }}-oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app: {{ .Env.APP_NAME }}-oauth2-proxy
+        app.kubernetes.io/component: oauth2-proxy
+    spec:
+      containers:
+      - name: oauth2-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+        args:
+        - --config=/etc/oauth2-proxy/config.cfg
+        - --upstream=http://{{ .Env.UPSTREAM_SERVICE }}
+        env:
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: oauth2-proxy-{{ .Env.APP_NAME }}-config
+              key: client_id
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: oauth2-proxy-{{ .Env.APP_NAME }}-config
+              key: client_secret
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: oauth2-proxy-{{ .Env.APP_NAME }}-config
+              key: cookie_secret
+        ports:
+        - containerPort: 4180
+          name: http
+        volumeMounts:
+        - name: config
+          mountPath: /etc/oauth2-proxy/
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: 4180
+          initialDelaySeconds: 3
+          timeoutSeconds: 1
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 4180
+          initialDelaySeconds: 3
+          timeoutSeconds: 1
+      volumes:
+      - name: config
+        configMap:
+          name: oauth2-proxy-{{ .Env.APP_NAME }}-config