fix(mastodon): Add oauth2-proxy to enforce user role restrictions

apps/k8s01/mastodon/kustomization.yaml

@@ -12,6 +12,8 @@ resources:
   - ../../../shared/networkpolicies/allow-to-public-web.yaml
   - ../../../shared/networkpolicies/allow-to-database.yaml
   - ../../../shared/networkpolicies/allow-to-kubedns.yaml
+  - ../../../shared/applications/oauth2-proxy.yaml
+  - oauth2.yaml
 patchesStrategicMerge:
   - database-override.yaml
   - networkpolicy.yaml

apps/k8s01/mastodon/networkpolicy.yaml

@@ -5,5 +5,9 @@ metadata:
   name: allow-to-public-web
 spec:
   podSelector:
-    matchLabels:
-      app.kubernetes.io/name: mastodon
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In 
+        values:
+          - mastodon
+          - oauth2-proxy

apps/k8s01/mastodon/oauth2.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+    name: oauth2-proxy-override-values
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:TtTMKpFPESM06mrx3wERdR0R7BaC0UGpcIYduzyUn1YRwqUiEy1H9o7eb8v3lc/ShOnN0YjTvrioL6c0xs0hBYSN/L9clEFvc8eBqAkCbhUKYjPCpdaUCtGL4mG5lRzCHw2UBvrtW7kfSag7nqW05aQfOYbo9UpfpYToVEPlGE7rN71hDGBCYFYZ5Hi6DAiiKXqPqjBqCaqNg6QbrbQu391t3kqffx9TOa/BwMy8T8CWlOQbKSi5jYRG18/p9M68W1Wiqrc0JS8GTKAbp/Yrq1ATLx1De4PnduzV3KDIX0kWn9qcsR1BpK2G57gDeYk/Cz5+cj0Z4ijXsIxYqqb+XgyogAD4A3CSe6q8kul754kL3Uh8HMfRn1kzEWNw2/2CYSVlu3Zvkd7M/tPVo7WL9qXYqFXp7F6+anSWdCL+xQv0TNhHX6fJgoQLjhHWlWdwFwSJ0/urDZzFFPjhk5HFzMppG0kwcP/kBS9gyPyjt0pLExAmZ28EZeqqvW9RrXNAW3GButrdyiYiVJU827nOzNc3nm2qRabvblB16+mqIW1nQpe6DIcIg6S4IaZPMphOhBXr7bt851oeRYJ/b1QyIOVGDBESNZu2lgt5FEBYvwC3F7Z5sOU=,iv:HZdMaKnubOZnlkipShvT38/SeoSjM98ZWihlev9fyoQ=,tag:Lv/uj8x0h2UDahR1n2ItGg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-04T20:29:38Z"
+    mac: ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//Xnwm/1x0TUuOJXrX95U/zs2YUeaLuKgDb65E56NkdYHV
+            UgCMdGb85UylJ1RckOrjELt9NkoENOlXwjG4ErNe1jP8XCnkX568RF6oxdVCsw3D
+            8SxijDrHhZP3h62HQ867P2BD663exAU3jYFey86tcU3zreO76SOJNM8BZQEuNWYn
+            FTjJF/cYMNRWwvRuXxQ7345lBqm5LUlGpx7QGZsWR9XDiOuKmS6KCx4o49hjg/II
+            emXUOAenIw2+iZMcM6eeYNUq8VM+LNComdUehQrcZ61IILewbf3sTAERU0LJ/U8Z
+            Z3vNfk/mrlDnMG97UEAca06t1KAhdpqToi74VAwwFat+OnYvGa3vtKUOSAgIS3oe
+            zRpGe81CRbxwvdZYKZrpx2ZPil+GmVaXW5SVJzvQ4lMmY/sG6MSVt/mqaKAuhVOS
+            te6QLGvG5mJYJx6O0WQs/wa8JYKlwAkFU+WSPdylgdhbPbT7c4UBpG9SaZ6dh2do
+            EUgda/M/6+qUgiYr9AMWXNszmsGZRuDxHRBxuiknA3uEqIn7LP2n+eZotaeZHb4y
+            yDyyoQIXCilccIVQM2v2k9qo59uwCmcmuGQQBe9ho17yQhFIGpLKq+GLz4PdnvxW
+            1mbx/azahkB+zmeqOmnbJS1IuIy/9bkUW1wsPaSKBAo8xDaz4jHWa5FBFgQ42QzS
+            UQG3SdO7QA8KkjxNALw6oSBbf2J3u5U7ak3OE8wEsksT1z4z51nontQTbeP1P+y7
+            uOJqnBWREkwPcsfxR1QRhf5G4shUya9X+y8MajJe7HF9Jw==
+            =BfVv
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAr9uq5Lp3NkYkYMDFQPNVgVf8NFaPTXAISMbEjbMyTHEL
+            Ozf4cTrjByQwc5eJT2iO5iH3n96qK+z3PDmpw2fWAiZOX4Rk0GiXGJ5e3XBFUWSk
+            Hfmv4dz9h51vGURFhknhlrzX+HPYQIVqnwsyvupArczdGRCa84hu66mysCqWS6tA
+            mCC7CzY3JSIprX13A1TnT3N4G2NpWeEWpRE7qLC8dBnNgNP8ktFSyEDnPfM6DXIZ
+            QhxAwl1M2RmfeVPkDZID4461XZpg4Dds8AghCSpFzRq5Yd57KnCCq9KX9GI0OQwV
+            Jk8+/f7ug7BNPoHbI4JpuBqJ7EdyA7wicVuSiCEFASY9N/zaqk49cyN5J08O0KyG
+            rDeMdSCH4Af73diBVETS1UWoE4yqRF9mITcyldarOLF8uWoSrL+442avdCodUq2g
+            fnMJkPEawboZ/fdJO6z+isn0gtdUV7rr+Cm5aD55mYgdyrAr+vIbhCBP+efQz5eN
+            MofUBobnCMu28eSfNHDTjfgdyoKWY2vHKoiQDWht6UWU5z/wQLjpWbqxELq53qdb
+            z5lj8nZ0fnmy6Cf8O7irKIQsx9BvKdEaRk0U2wQXKsg10uU2rAINV6ghcGR7QO3b
+            G0HKmPfuyJil5YXXP/EwPkNcUJf6aQCy7zT8XPjWob3HQ7ZwduTNNQEiG7LXWqTU
+            aAEJAhB/zqWuz8YBoXl138Ec2ywToS15uPfNpmzr4IIu2Vi9SnDQdmGJ0+/ffgzp
+            zPoIGCS6A1A6rDByNEVT4oavC56c5fzhJSqSqXeByzDpl910ad2JYlu4w4tGrVWT
+            DzSX6Tguk9Ji
+            =dIZ4
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: nextcloud-oidc-app
+    namespace: mastodon
+    annotations:
+        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
+        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:qvY9q/azyvEm04APWnSwKp027KEGJ1E2Fg==,iv:8Ceg8qs9qGV6E4sUrAAM8qyVcuONb+BnEm3Xs72uRdg=,tag:EHiIqPIxj+BjuIHYis8zUQ==,type:str]
+        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+spec:
+    rules:
+        - host: ENC[AES256_GCM,data:V5hDE86rHVMuBErNiKhvTLnYAhQpKQXWOMujWUU=,iv:co7GOlVJwTATyVIH62y9buZ12uTRzncd7wwr4t/McPo=,tag:1JA3m/HZ0m+pVh7nDoJM2Q==,type:str]
+          http:
+            paths:
+                - backend:
+                    service:
+                        name: mastodon-web
+                        port:
+                            number: 3000
+                  path: /auth/auth/openid_connect
+                  pathType: Prefix
+    tls:
+        - hosts:
+            - ENC[AES256_GCM,data:WK3dPHEyHMpoEeiy5fXQR70ZwFp/YpniZb5dyns=,iv:kxZydtCiDob6zto6ApT+Cutwh+pZ865pwx9yZ5xFTTA=,tag:CS6FQo5hNpFCEf4Qy6lRtA==,type:str]
+          secretName: ingress-mastodon-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-04T20:29:38Z"
+    mac: ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//Xnwm/1x0TUuOJXrX95U/zs2YUeaLuKgDb65E56NkdYHV
+            UgCMdGb85UylJ1RckOrjELt9NkoENOlXwjG4ErNe1jP8XCnkX568RF6oxdVCsw3D
+            8SxijDrHhZP3h62HQ867P2BD663exAU3jYFey86tcU3zreO76SOJNM8BZQEuNWYn
+            FTjJF/cYMNRWwvRuXxQ7345lBqm5LUlGpx7QGZsWR9XDiOuKmS6KCx4o49hjg/II
+            emXUOAenIw2+iZMcM6eeYNUq8VM+LNComdUehQrcZ61IILewbf3sTAERU0LJ/U8Z
+            Z3vNfk/mrlDnMG97UEAca06t1KAhdpqToi74VAwwFat+OnYvGa3vtKUOSAgIS3oe
+            zRpGe81CRbxwvdZYKZrpx2ZPil+GmVaXW5SVJzvQ4lMmY/sG6MSVt/mqaKAuhVOS
+            te6QLGvG5mJYJx6O0WQs/wa8JYKlwAkFU+WSPdylgdhbPbT7c4UBpG9SaZ6dh2do
+            EUgda/M/6+qUgiYr9AMWXNszmsGZRuDxHRBxuiknA3uEqIn7LP2n+eZotaeZHb4y
+            yDyyoQIXCilccIVQM2v2k9qo59uwCmcmuGQQBe9ho17yQhFIGpLKq+GLz4PdnvxW
+            1mbx/azahkB+zmeqOmnbJS1IuIy/9bkUW1wsPaSKBAo8xDaz4jHWa5FBFgQ42QzS
+            UQG3SdO7QA8KkjxNALw6oSBbf2J3u5U7ak3OE8wEsksT1z4z51nontQTbeP1P+y7
+            uOJqnBWREkwPcsfxR1QRhf5G4shUya9X+y8MajJe7HF9Jw==
+            =BfVv
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAr9uq5Lp3NkYkYMDFQPNVgVf8NFaPTXAISMbEjbMyTHEL
+            Ozf4cTrjByQwc5eJT2iO5iH3n96qK+z3PDmpw2fWAiZOX4Rk0GiXGJ5e3XBFUWSk
+            Hfmv4dz9h51vGURFhknhlrzX+HPYQIVqnwsyvupArczdGRCa84hu66mysCqWS6tA
+            mCC7CzY3JSIprX13A1TnT3N4G2NpWeEWpRE7qLC8dBnNgNP8ktFSyEDnPfM6DXIZ
+            QhxAwl1M2RmfeVPkDZID4461XZpg4Dds8AghCSpFzRq5Yd57KnCCq9KX9GI0OQwV
+            Jk8+/f7ug7BNPoHbI4JpuBqJ7EdyA7wicVuSiCEFASY9N/zaqk49cyN5J08O0KyG
+            rDeMdSCH4Af73diBVETS1UWoE4yqRF9mITcyldarOLF8uWoSrL+442avdCodUq2g
+            fnMJkPEawboZ/fdJO6z+isn0gtdUV7rr+Cm5aD55mYgdyrAr+vIbhCBP+efQz5eN
+            MofUBobnCMu28eSfNHDTjfgdyoKWY2vHKoiQDWht6UWU5z/wQLjpWbqxELq53qdb
+            z5lj8nZ0fnmy6Cf8O7irKIQsx9BvKdEaRk0U2wQXKsg10uU2rAINV6ghcGR7QO3b
+            G0HKmPfuyJil5YXXP/EwPkNcUJf6aQCy7zT8XPjWob3HQ7ZwduTNNQEiG7LXWqTU
+            aAEJAhB/zqWuz8YBoXl138Ec2ywToS15uPfNpmzr4IIu2Vi9SnDQdmGJ0+/ffgzp
+            zPoIGCS6A1A6rDByNEVT4oavC56c5fzhJSqSqXeByzDpl910ad2JYlu4w4tGrVWT
+            DzSX6Tguk9Ji
+            =dIZ4
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3