Verified Commit 55966dce authored by Sheogorath's avatar Sheogorath :european_castle:
fix(mastodon): Add oauth2-proxy to enforce user role restrictions

parent b75965ef
...@@ -12,6 +12,8 @@ resources: ...@@ -12,6 +12,8 @@ resources:
- ../../../shared/networkpolicies/allow-to-public-web.yaml - ../../../shared/networkpolicies/allow-to-public-web.yaml
- ../../../shared/networkpolicies/allow-to-database.yaml - ../../../shared/networkpolicies/allow-to-database.yaml
- ../../../shared/networkpolicies/allow-to-kubedns.yaml - ../../../shared/networkpolicies/allow-to-kubedns.yaml
- ../../../shared/applications/oauth2-proxy.yaml
- oauth2.yaml
patchesStrategicMerge: patchesStrategicMerge:
- database-override.yaml - database-override.yaml
- networkpolicy.yaml - networkpolicy.yaml
...@@ -5,5 +5,9 @@ metadata: ...@@ -5,5 +5,9 @@ metadata:
name: allow-to-public-web name: allow-to-public-web
spec: spec:
podSelector: podSelector:
matchLabels: matchExpressions:
app.kubernetes.io/name: mastodon - key: app.kubernetes.io/name
operator: In
values:
- mastodon
- oauth2-proxy
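Review bot: Switching the pod selector from `matchLabels` to `matchExpressions` in this patch does not remove a `matchLabels` that the patched base may already carry, because a strategic-merge patch only overrides keys it mentions, and a selector with both fields ANDs them; if the shared `allow-to-public-web.yaml` listed under `resources` sets `podSelector.matchLabels`, the rendered policy would still exclude the oauth2-proxy pods the commit means to admit. This hunk appears to be the overlay's `networkpolicy.yaml` patch from `patchesStrategicMerge`, but no file header survived and the base is not visible here, so please confirm with `kustomize build` on the overlay that the rendered `podSelector` contains only the `matchExpressions` clause. If the base does contribute labels, add `matchLabels: null` beside `matchExpressions:` to delete them explicitly. The patched document begins outside the hunk.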
apiVersion: v1
kind: Secret
metadata:
name: oauth2-proxy-override-values
stringData:
values-overrides.yaml: ENC[AES256_GCM,data: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,iv:HZdMaKnubOZnlkipShvT38/SeoSjM98ZWihlev9fyoQ=,tag:Lv/uj8x0h2UDahR1n2ItGg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-01-04T20:29:38Z"
mac: ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
pgp:
- created_at: "2022-01-22T04:06:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=BfVv
-----END PGP MESSAGE-----
fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
- created_at: "2022-01-22T04:06:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=dIZ4
-----END PGP MESSAGE-----
fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version: 3.7.3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nextcloud-oidc-app
namespace: mastodon
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:qvY9q/azyvEm04APWnSwKp027KEGJ1E2Fg==,iv:8Ceg8qs9qGV6E4sUrAAM8qyVcuONb+BnEm3Xs72uRdg=,tag:EHiIqPIxj+BjuIHYis8zUQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
spec:
rules:
- host: ENC[AES256_GCM,data:V5hDE86rHVMuBErNiKhvTLnYAhQpKQXWOMujWUU=,iv:co7GOlVJwTATyVIH62y9buZ12uTRzncd7wwr4t/McPo=,tag:1JA3m/HZ0m+pVh7nDoJM2Q==,type:str]
http:
paths:
- backend:
service:
name: mastodon-web
port:
number: 3000
path: /auth/auth/openid_connect
pathType: Prefix
tls:
- hosts:
- ENC[AES256_GCM,data:WK3dPHEyHMpoEeiy5fXQR70ZwFp/YpniZb5dyns=,iv:kxZydtCiDob6zto6ApT+Cutwh+pZ865pwx9yZ5xFTTA=,tag:CS6FQo5hNpFCEf4Qy6lRtA==,type:str]
secretName: ingress-mastodon-tls
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-01-04T20:29:38Z"
mac: ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
pgp:
- created_at: "2022-01-22T04:06:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7kpg2bgzVHcAQ//Xnwm/1x0TUuOJXrX95U/zs2YUeaLuKgDb65E56NkdYHV
UgCMdGb85UylJ1RckOrjELt9NkoENOlXwjG4ErNe1jP8XCnkX568RF6oxdVCsw3D
8SxijDrHhZP3h62HQ867P2BD663exAU3jYFey86tcU3zreO76SOJNM8BZQEuNWYn
FTjJF/cYMNRWwvRuXxQ7345lBqm5LUlGpx7QGZsWR9XDiOuKmS6KCx4o49hjg/II
emXUOAenIw2+iZMcM6eeYNUq8VM+LNComdUehQrcZ61IILewbf3sTAERU0LJ/U8Z
Z3vNfk/mrlDnMG97UEAca06t1KAhdpqToi74VAwwFat+OnYvGa3vtKUOSAgIS3oe
zRpGe81CRbxwvdZYKZrpx2ZPil+GmVaXW5SVJzvQ4lMmY/sG6MSVt/mqaKAuhVOS
te6QLGvG5mJYJx6O0WQs/wa8JYKlwAkFU+WSPdylgdhbPbT7c4UBpG9SaZ6dh2do
EUgda/M/6+qUgiYr9AMWXNszmsGZRuDxHRBxuiknA3uEqIn7LP2n+eZotaeZHb4y
yDyyoQIXCilccIVQM2v2k9qo59uwCmcmuGQQBe9ho17yQhFIGpLKq+GLz4PdnvxW
1mbx/azahkB+zmeqOmnbJS1IuIy/9bkUW1wsPaSKBAo8xDaz4jHWa5FBFgQ42QzS
UQG3SdO7QA8KkjxNALw6oSBbf2J3u5U7ak3OE8wEsksT1z4z51nontQTbeP1P+y7
uOJqnBWREkwPcsfxR1QRhf5G4shUya9X+y8MajJe7HF9Jw==
=BfVv
-----END PGP MESSAGE-----
fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
- created_at: "2022-01-22T04:06:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=dIZ4
-----END PGP MESSAGE-----
fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version: 3.7.3
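Review bot: The auth-url gate on the Ingress at `path: /auth/auth/openid_connect` only fronts Mastodon's OmniAuth OIDC entry point, so the role restriction is enforced when an SSO login is started and not for sessions, access tokens or any other login route that already exist; that boundary deserves a comment at the top of the Ingress document, e.g. `# Gates the OIDC login start/callback path behind oauth2-proxy; existing sessions and non-OIDC logins are not affected.` The Ingress is named `nextcloud-oidc-app` although it sits in `namespace: mastodon` and routes to `mastodon-web`, which reads like a copy-paste from another application — `name: mastodon-oidc-auth` would make its purpose clear to the next reader. Whether `nginx.ingress.kubernetes.io/auth-response-headers: Authorization` is needed depends on the encrypted oauth2-proxy override values; if the proxy is not configured to emit an Authorization header, I believe ingress-nginx's auth_request template then forwards an empty value that replaces whatever the client sent on this path, so the annotation could be dropped unless it is deliberately relied on.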