From 55966dced7fb075efb0ce4d495a7ea32cca0ab9d Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 4 Jan 2024 21:33:52 +0100
Subject: [PATCH] fix(mastodon): Add oauth2-proxy to enforce user role
 restrictions

---
 apps/k8s01/mastodon/kustomization.yaml |   2 +
 apps/k8s01/mastodon/networkpolicy.yaml |   8 +-
 apps/k8s01/mastodon/oauth2.yaml        | 136 +++++++++++++++++++++++++
 3 files changed, 144 insertions(+), 2 deletions(-)
 create mode 100644 apps/k8s01/mastodon/oauth2.yaml

diff --git a/apps/k8s01/mastodon/kustomization.yaml b/apps/k8s01/mastodon/kustomization.yaml
index bbebcf66e..754a5a54e 100644
--- a/apps/k8s01/mastodon/kustomization.yaml
+++ b/apps/k8s01/mastodon/kustomization.yaml
@@ -12,6 +12,8 @@ resources:
   - ../../../shared/networkpolicies/allow-to-public-web.yaml
   - ../../../shared/networkpolicies/allow-to-database.yaml
   - ../../../shared/networkpolicies/allow-to-kubedns.yaml
+  - ../../../shared/applications/oauth2-proxy.yaml
+  - oauth2.yaml
 patchesStrategicMerge:
   - database-override.yaml
   - networkpolicy.yaml
diff --git a/apps/k8s01/mastodon/networkpolicy.yaml b/apps/k8s01/mastodon/networkpolicy.yaml
index a76579f1e..ff03dadb0 100644
--- a/apps/k8s01/mastodon/networkpolicy.yaml
+++ b/apps/k8s01/mastodon/networkpolicy.yaml
@@ -5,5 +5,9 @@ metadata:
   name: allow-to-public-web
 spec:
   podSelector:
-    matchLabels:
-      app.kubernetes.io/name: mastodon
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In 
+        values:
+          - mastodon
+          - oauth2-proxy
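Review bot: The added `operator: In ` line carries a trailing space, which yamllint's trailing-spaces rule will flag and which is easy to drop: `operator: In`. The widened selector also means the egress-to-public-web allowance now covers oauth2-proxy pods — necessary if it must reach an external OIDC issuer, but it turns a Mastodon-specific policy into a shared one, so a short comment above the `matchExpressions` would help, e.g. `# oauth2-proxy needs the same egress to reach the OIDC issuer`. The NetworkPolicy object begins before this hunk.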
diff --git a/apps/k8s01/mastodon/oauth2.yaml b/apps/k8s01/mastodon/oauth2.yaml
new file mode 100644
index 000000000..82b86cb7b
--- /dev/null
+++ b/apps/k8s01/mastodon/oauth2.yaml
@@ -0,0 +1,136 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: oauth2-proxy-override-values
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:TtTMKpFPESM06mrx3wERdR0R7BaC0UGpcIYduzyUn1YRwqUiEy1H9o7eb8v3lc/ShOnN0YjTvrioL6c0xs0hBYSN/L9clEFvc8eBqAkCbhUKYjPCpdaUCtGL4mG5lRzCHw2UBvrtW7kfSag7nqW05aQfOYbo9UpfpYToVEPlGE7rN71hDGBCYFYZ5Hi6DAiiKXqPqjBqCaqNg6QbrbQu391t3kqffx9TOa/BwMy8T8CWlOQbKSi5jYRG18/p9M68W1Wiqrc0JS8GTKAbp/Yrq1ATLx1De4PnduzV3KDIX0kWn9qcsR1BpK2G57gDeYk/Cz5+cj0Z4ijXsIxYqqb+XgyogAD4A3CSe6q8kul754kL3Uh8HMfRn1kzEWNw2/2CYSVlu3Zvkd7M/tPVo7WL9qXYqFXp7F6+anSWdCL+xQv0TNhHX6fJgoQLjhHWlWdwFwSJ0/urDZzFFPjhk5HFzMppG0kwcP/kBS9gyPyjt0pLExAmZ28EZeqqvW9RrXNAW3GButrdyiYiVJU827nOzNc3nm2qRabvblB16+mqIW1nQpe6DIcIg6S4IaZPMphOhBXr7bt851oeRYJ/b1QyIOVGDBESNZu2lgt5FEBYvwC3F7Z5sOU=,iv:HZdMaKnubOZnlkipShvT38/SeoSjM98ZWihlev9fyoQ=,tag:Lv/uj8x0h2UDahR1n2ItGg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-04T20:29:38Z"
+    mac: ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//Xnwm/1x0TUuOJXrX95U/zs2YUeaLuKgDb65E56NkdYHV
+            UgCMdGb85UylJ1RckOrjELt9NkoENOlXwjG4ErNe1jP8XCnkX568RF6oxdVCsw3D
+            8SxijDrHhZP3h62HQ867P2BD663exAU3jYFey86tcU3zreO76SOJNM8BZQEuNWYn
+            FTjJF/cYMNRWwvRuXxQ7345lBqm5LUlGpx7QGZsWR9XDiOuKmS6KCx4o49hjg/II
+            emXUOAenIw2+iZMcM6eeYNUq8VM+LNComdUehQrcZ61IILewbf3sTAERU0LJ/U8Z
+            Z3vNfk/mrlDnMG97UEAca06t1KAhdpqToi74VAwwFat+OnYvGa3vtKUOSAgIS3oe
+            zRpGe81CRbxwvdZYKZrpx2ZPil+GmVaXW5SVJzvQ4lMmY/sG6MSVt/mqaKAuhVOS
+            te6QLGvG5mJYJx6O0WQs/wa8JYKlwAkFU+WSPdylgdhbPbT7c4UBpG9SaZ6dh2do
+            EUgda/M/6+qUgiYr9AMWXNszmsGZRuDxHRBxuiknA3uEqIn7LP2n+eZotaeZHb4y
+            yDyyoQIXCilccIVQM2v2k9qo59uwCmcmuGQQBe9ho17yQhFIGpLKq+GLz4PdnvxW
+            1mbx/azahkB+zmeqOmnbJS1IuIy/9bkUW1wsPaSKBAo8xDaz4jHWa5FBFgQ42QzS
+            UQG3SdO7QA8KkjxNALw6oSBbf2J3u5U7ak3OE8wEsksT1z4z51nontQTbeP1P+y7
+            uOJqnBWREkwPcsfxR1QRhf5G4shUya9X+y8MajJe7HF9Jw==
+            =BfVv
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAr9uq5Lp3NkYkYMDFQPNVgVf8NFaPTXAISMbEjbMyTHEL
+            Ozf4cTrjByQwc5eJT2iO5iH3n96qK+z3PDmpw2fWAiZOX4Rk0GiXGJ5e3XBFUWSk
+            Hfmv4dz9h51vGURFhknhlrzX+HPYQIVqnwsyvupArczdGRCa84hu66mysCqWS6tA
+            mCC7CzY3JSIprX13A1TnT3N4G2NpWeEWpRE7qLC8dBnNgNP8ktFSyEDnPfM6DXIZ
+            QhxAwl1M2RmfeVPkDZID4461XZpg4Dds8AghCSpFzRq5Yd57KnCCq9KX9GI0OQwV
+            Jk8+/f7ug7BNPoHbI4JpuBqJ7EdyA7wicVuSiCEFASY9N/zaqk49cyN5J08O0KyG
+            rDeMdSCH4Af73diBVETS1UWoE4yqRF9mITcyldarOLF8uWoSrL+442avdCodUq2g
+            fnMJkPEawboZ/fdJO6z+isn0gtdUV7rr+Cm5aD55mYgdyrAr+vIbhCBP+efQz5eN
+            MofUBobnCMu28eSfNHDTjfgdyoKWY2vHKoiQDWht6UWU5z/wQLjpWbqxELq53qdb
+            z5lj8nZ0fnmy6Cf8O7irKIQsx9BvKdEaRk0U2wQXKsg10uU2rAINV6ghcGR7QO3b
+            G0HKmPfuyJil5YXXP/EwPkNcUJf6aQCy7zT8XPjWob3HQ7ZwduTNNQEiG7LXWqTU
+            aAEJAhB/zqWuz8YBoXl138Ec2ywToS15uPfNpmzr4IIu2Vi9SnDQdmGJ0+/ffgzp
+            zPoIGCS6A1A6rDByNEVT4oavC56c5fzhJSqSqXeByzDpl910ad2JYlu4w4tGrVWT
+            DzSX6Tguk9Ji
+            =dIZ4
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: nextcloud-oidc-app
+    namespace: mastodon
+    annotations:
+        nginx.ingress.kubernetes.io/auth-response-headers: Authorization
+        nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:qvY9q/azyvEm04APWnSwKp027KEGJ1E2Fg==,iv:8Ceg8qs9qGV6E4sUrAAM8qyVcuONb+BnEm3Xs72uRdg=,tag:EHiIqPIxj+BjuIHYis8zUQ==,type:str]
+        nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+spec:
+    rules:
+        - host: ENC[AES256_GCM,data:V5hDE86rHVMuBErNiKhvTLnYAhQpKQXWOMujWUU=,iv:co7GOlVJwTATyVIH62y9buZ12uTRzncd7wwr4t/McPo=,tag:1JA3m/HZ0m+pVh7nDoJM2Q==,type:str]
+          http:
+            paths:
+                - backend:
+                    service:
+                        name: mastodon-web
+                        port:
+                            number: 3000
+                  path: /auth/auth/openid_connect
+                  pathType: Prefix
+    tls:
+        - hosts:
+            - ENC[AES256_GCM,data:WK3dPHEyHMpoEeiy5fXQR70ZwFp/YpniZb5dyns=,iv:kxZydtCiDob6zto6ApT+Cutwh+pZ865pwx9yZ5xFTTA=,tag:CS6FQo5hNpFCEf4Qy6lRtA==,type:str]
+          secretName: ingress-mastodon-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-01-04T20:29:38Z"
+    mac: ENC[AES256_GCM,data:OKmeHmqHsM93afF411jpAXDt6Trt0K3XpNfqobUO59JsswD7//DTVwgeOMwR0oWnFdShLFzaLqt9HNqsuvvWimTR6BbbcMURyK8vSmlsukUY5fGy3MMn4VM7FpHxRWy3RQeTG3ZWvJvcaxUdHaOd+pRNAEs/2ZUxZUhrf85l6vM=,iv:gQbHfH6SMunxQHfZnpK3kxLdXV6NMmv4nCL6SLuj3Pw=,tag:YARrzFqqo5SfmamXxaWmdQ==,type:str]
+    pgp:
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//Xnwm/1x0TUuOJXrX95U/zs2YUeaLuKgDb65E56NkdYHV
+            UgCMdGb85UylJ1RckOrjELt9NkoENOlXwjG4ErNe1jP8XCnkX568RF6oxdVCsw3D
+            8SxijDrHhZP3h62HQ867P2BD663exAU3jYFey86tcU3zreO76SOJNM8BZQEuNWYn
+            FTjJF/cYMNRWwvRuXxQ7345lBqm5LUlGpx7QGZsWR9XDiOuKmS6KCx4o49hjg/II
+            emXUOAenIw2+iZMcM6eeYNUq8VM+LNComdUehQrcZ61IILewbf3sTAERU0LJ/U8Z
+            Z3vNfk/mrlDnMG97UEAca06t1KAhdpqToi74VAwwFat+OnYvGa3vtKUOSAgIS3oe
+            zRpGe81CRbxwvdZYKZrpx2ZPil+GmVaXW5SVJzvQ4lMmY/sG6MSVt/mqaKAuhVOS
+            te6QLGvG5mJYJx6O0WQs/wa8JYKlwAkFU+WSPdylgdhbPbT7c4UBpG9SaZ6dh2do
+            EUgda/M/6+qUgiYr9AMWXNszmsGZRuDxHRBxuiknA3uEqIn7LP2n+eZotaeZHb4y
+            yDyyoQIXCilccIVQM2v2k9qo59uwCmcmuGQQBe9ho17yQhFIGpLKq+GLz4PdnvxW
+            1mbx/azahkB+zmeqOmnbJS1IuIy/9bkUW1wsPaSKBAo8xDaz4jHWa5FBFgQ42QzS
+            UQG3SdO7QA8KkjxNALw6oSBbf2J3u5U7ak3OE8wEsksT1z4z51nontQTbeP1P+y7
+            uOJqnBWREkwPcsfxR1QRhf5G4shUya9X+y8MajJe7HF9Jw==
+            =BfVv
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-22T04:06:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAr9uq5Lp3NkYkYMDFQPNVgVf8NFaPTXAISMbEjbMyTHEL
+            Ozf4cTrjByQwc5eJT2iO5iH3n96qK+z3PDmpw2fWAiZOX4Rk0GiXGJ5e3XBFUWSk
+            Hfmv4dz9h51vGURFhknhlrzX+HPYQIVqnwsyvupArczdGRCa84hu66mysCqWS6tA
+            mCC7CzY3JSIprX13A1TnT3N4G2NpWeEWpRE7qLC8dBnNgNP8ktFSyEDnPfM6DXIZ
+            QhxAwl1M2RmfeVPkDZID4461XZpg4Dds8AghCSpFzRq5Yd57KnCCq9KX9GI0OQwV
+            Jk8+/f7ug7BNPoHbI4JpuBqJ7EdyA7wicVuSiCEFASY9N/zaqk49cyN5J08O0KyG
+            rDeMdSCH4Af73diBVETS1UWoE4yqRF9mITcyldarOLF8uWoSrL+442avdCodUq2g
+            fnMJkPEawboZ/fdJO6z+isn0gtdUV7rr+Cm5aD55mYgdyrAr+vIbhCBP+efQz5eN
+            MofUBobnCMu28eSfNHDTjfgdyoKWY2vHKoiQDWht6UWU5z/wQLjpWbqxELq53qdb
+            z5lj8nZ0fnmy6Cf8O7irKIQsx9BvKdEaRk0U2wQXKsg10uU2rAINV6ghcGR7QO3b
+            G0HKmPfuyJil5YXXP/EwPkNcUJf6aQCy7zT8XPjWob3HQ7ZwduTNNQEiG7LXWqTU
+            aAEJAhB/zqWuz8YBoXl138Ec2ywToS15uPfNpmzr4IIu2Vi9SnDQdmGJ0+/ffgzp
+            zPoIGCS6A1A6rDByNEVT4oavC56c5fzhJSqSqXeByzDpl910ad2JYlu4w4tGrVWT
+            DzSX6Tguk9Ji
+            =dIZ4
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$
+    version: 3.7.3
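Review bot: The new Ingress is named `nextcloud-oidc-app` although it lives in the `mastodon` namespace and routes to `mastodon-web`; the name looks copied from another deployment and will mislead anyone listing Ingresses, so rename it, e.g. `name: mastodon-oidc-auth`. Since ingress-nginx generates its own `location` for `/auth/auth/openid_connect` from this object alone, annotations on the main Mastodon Ingress (body-size limits, redirects, allowlists — whatever it carries, which is not visible here) will not apply to this path; presumably acceptable for a login path, but worth a comment above `metadata`, e.g. `# Separate Ingress so only the OIDC start/callback path is gated by oauth2-proxy; annotations of the main mastodon Ingress do not apply here`. Also note that `auth-response-headers: Authorization` forwards whatever Authorization header oauth2-proxy returns to mastodon-web; whether oauth2-proxy is configured to emit one is hidden in the encrypted values, so confirm it is needed and drop the annotation otherwise.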
-- 
GitLab