Shivering-Isles / Infrastructure GitOps / Commits / 55966dce
Commit 55966dce (Verified), authored 1 year ago by Sheogorath
fix(mastodon): Add oauth2-proxy to enforce user role restrictions
Parent: b75965ef
Showing 3 changed files with 144 additions and 2 deletions:
apps/k8s01/mastodon/kustomization.yaml (+2, −0)
apps/k8s01/mastodon/networkpolicy.yaml (+6, −2)
apps/k8s01/mastodon/oauth2.yaml (+136, −0)
apps/k8s01/mastodon/kustomization.yaml (+2, −0)
...
@@ -12,6 +12,8 @@ resources:
...
@@ -12,6 +12,8 @@ resources:
-
../../../shared/networkpolicies/allow-to-public-web.yaml
-
../../../shared/networkpolicies/allow-to-public-web.yaml
-
../../../shared/networkpolicies/allow-to-database.yaml
-
../../../shared/networkpolicies/allow-to-database.yaml
-
../../../shared/networkpolicies/allow-to-kubedns.yaml
-
../../../shared/networkpolicies/allow-to-kubedns.yaml
-
../../../shared/applications/oauth2-proxy.yaml
-
oauth2.yaml
patchesStrategicMerge
:
patchesStrategicMerge
:
-
database-override.yaml
-
database-override.yaml
-
networkpolicy.yaml
-
networkpolicy.yaml
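Review bot: The two entries added at the end of `resources:` (`../../../shared/applications/oauth2-proxy.yaml` and `oauth2.yaml`) are not documented as belonging together. `oauth2.yaml` carries the Secret `oauth2-proxy-override-values` that the shared application presumably consumes, so a one-line comment above the pair would keep a later cleanup from removing one without the other. It would also help to note that `oauth2.yaml` is SOPS-encrypted and only renders correctly where decryption is configured.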
apps/k8s01/mastodon/networkpolicy.yaml (+6, −2)
...
@@ -5,5 +5,9 @@ metadata:
...
@@ -5,5 +5,9 @@ metadata:
name
:
allow-to-public-web
name
:
allow-to-public-web
spec
:
spec
:
podSelector
:
podSelector
:
matchLabels
:
matchExpressions
:
app.kubernetes.io/name
:
mastodon
-
key
:
app.kubernetes.io/name
operator
:
In
values
:
-
mastodon
-
oauth2-proxy
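Review bot: Swapping `matchLabels` for `matchExpressions` under `podSelector` may not produce the selector this hunk intends, because kustomization.yaml lists this file under `patchesStrategicMerge`. A strategic merge patch merges maps key by key, so any `matchLabels` set in the shared `allow-to-public-web.yaml` base would survive and be ANDed with the new `In [mastodon, oauth2-proxy]` expression. Check the rendered policy with `kustomize build`, and if the base does set `matchLabels`, clear it explicitly in the patch with `matchLabels: null`.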
apps/k8s01/mastodon/oauth2.yaml (new file, 0 → 100644; +136, −0)
apiVersion
:
v1
kind
:
Secret
metadata
:
name
:
oauth2-proxy-override-values
stringData
:
values-overrides.yaml
:
ENC[AES256_GCM,data:TtTMKpFPESM06mrx3wERdR0R7BaC0UGpcIYduzyUn1YRwqUiEy1H9o7eb8v3lc/ShOnN0YjTvrioL6c0xs0hBYSN/L9clEFvc8eBqAkCbhUKYjPCpdaUCtGL4mG5lRzCHw2UBvrtW7kfSag7nqW05aQfOYbo9UpfpYToVEPlGE7rN71hDGBCYFYZ5Hi6DAiiKXqPqjBqCaqNg6QbrbQu391t3kqffx9TOa/BwMy8T8CWlOQbKSi5jYRG18/p9M68W1Wiqrc0JS8GTKAbp/Yrq1ATLx1De4PnduzV3KDIX0kWn9qcsR1BpK2G57gDeYk/Cz5+cj0Z4ijXsIxYqqb+XgyogAD4A3CSe6q8kul754kL3Uh8HMfRn1kzEWNw2/2CYSVlu3Zvkd7M/tPVo7WL9qXYqFXp7F6+anSWdCL+xQv0TNhHX6fJgoQLjhHWlWdwFwSJ0/urDZzFFPjhk5HFzMppG0kwcP/kBS9gyPyjt0pLExAmZ28EZeqqvW9RrXNAW3GButrdyiYiVJU827nOzNc3nm2qRabvblB16+mqIW1nQpe6DIcIg6S4IaZPMphOhBXr7bt851oeRYJ/b1QyIOVGDBESNZu2lgt5FEBYvwC3F7Z5sOU=,iv:HZdMaKnubOZnlkipShvT38/SeoSjM98ZWihlev9fyoQ=,tag:Lv/uj8x0h2UDahR1n2ItGg==,type:str]
sops
:
kms
:
[]
gcp_kms
:
[]
azure_kv
:
[]
hc_vault
:
[]
age
:
[]
lastmodified
:
"
2024-01-04T20:29:38Z"
mac
:
ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
pgp
:
-
created_at
:
"
2022-01-22T04:06:16Z"
enc
:
|-
-----BEGIN PGP MESSAGE-----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=BfVv
-----END PGP MESSAGE-----
fp
:
286791FB6648539775DB31B8FCB98C2A3EC6F601
-
created_at
:
"
2022-01-22T04:06:16Z"
enc
:
|
-----BEGIN PGP MESSAGE-----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=dIZ4
-----END PGP MESSAGE-----
fp
:
B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex
:
^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version
:
3.7.3
---
apiVersion
:
networking.k8s.io/v1
kind
:
Ingress
metadata
:
name
:
nextcloud-oidc-app
namespace
:
mastodon
annotations
:
nginx.ingress.kubernetes.io/auth-response-headers
:
Authorization
nginx.ingress.kubernetes.io/auth-url
:
ENC[AES256_GCM,data:qvY9q/azyvEm04APWnSwKp027KEGJ1E2Fg==,iv:8Ceg8qs9qGV6E4sUrAAM8qyVcuONb+BnEm3Xs72uRdg=,tag:EHiIqPIxj+BjuIHYis8zUQ==,type:str]
nginx.ingress.kubernetes.io/auth-signin
:
https://$host/oauth2/start?rd=$escaped_request_uri
spec
:
rules
:
-
host
:
ENC[AES256_GCM,data:V5hDE86rHVMuBErNiKhvTLnYAhQpKQXWOMujWUU=,iv:co7GOlVJwTATyVIH62y9buZ12uTRzncd7wwr4t/McPo=,tag:1JA3m/HZ0m+pVh7nDoJM2Q==,type:str]
http
:
paths
:
-
backend
:
service
:
name
:
mastodon-web
port
:
number
:
3000
path
:
/auth/auth/openid_connect
pathType
:
Prefix
tls
:
-
hosts
:
-
ENC[AES256_GCM,data:WK3dPHEyHMpoEeiy5fXQR70ZwFp/YpniZb5dyns=,iv:kxZydtCiDob6zto6ApT+Cutwh+pZ865pwx9yZ5xFTTA=,tag:CS6FQo5hNpFCEf4Qy6lRtA==,type:str]
secretName
:
ingress-mastodon-tls
sops
:
kms
:
[]
gcp_kms
:
[]
azure_kv
:
[]
hc_vault
:
[]
age
:
[]
lastmodified
:
"
2024-01-04T20:29:38Z"
mac
:
ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
pgp
:
-
created_at
:
"
2022-01-22T04:06:16Z"
enc
:
|-
-----BEGIN PGP MESSAGE-----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=BfVv
-----END PGP MESSAGE-----
fp
:
286791FB6648539775DB31B8FCB98C2A3EC6F601
-
created_at
:
"
2022-01-22T04:06:16Z"
enc
:
|
-----BEGIN PGP MESSAGE-----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=dIZ4
-----END PGP MESSAGE-----
fp
:
B137EE1549DFAF960DD1E2B15147025FB9F09E07
encrypted_regex
:
^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
version
:
3.7.3
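Review bot: The Ingress is named `nextcloud-oidc-app` although it sits in namespace `mastodon` and routes to `mastodon-web`, which reads like a leftover from another app; rename it (for example `mastodon-oidc`) so it is not mistaken for a Nextcloud resource. A short comment above the Ingress would also help, stating that only the `/auth/auth/openid_connect` prefix goes through the oauth2-proxy `auth-url` check. That documents where the role restriction is enforced, since `auth-url` and the host are SOPS-encrypted and cannot be read in review.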