/
radixconfig.yaml
89 lines (89 loc) · 4.34 KB
/
radixconfig.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
apiVersion: radix.equinor.com/v1
kind: RadixApplication
metadata:
name: radix-web-console
spec:
build:
useBuildKit: true
environments:
- name: qa
build:
from: master
- name: prod
build:
from: release
components:
- name: web
readOnlyFileSystem: true
volumeMounts:
- name: tmp
path: /tmp
emptyDir:
sizeLimit: 1M
- name: nginxconfd
path: /etc/nginx/conf.d
emptyDir:
sizeLimit: 1M
- name: wwwconfig
path: /app/config
emptyDir:
sizeLimit: 1M
src: "."
ports:
- name: http
port: 8080
resources:
requests:
memory: "250Mi"
cpu: "30m"
limits:
memory: "250Mi"
cpu: "1000m"
environmentConfig:
- environment: prod
replicas: 2
variables:
CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development)
CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development)
OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read"
CLUSTER_OIDC_ISSUER_URL: ""
CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_spkg&sys_id={CIID}"
secrets:
- DYNATRACE_API_TOKEN # Token to use for display of availability metrics
- OAUTH2_CLIENT_ID # Azure Application ID
- name: auth
readOnlyFileSystem: true
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md
ports:
- name: http
port: 8000
publicPort: http
resources:
requests:
memory: "100Mi"
cpu: "100m"
limits:
memory: "100Mi"
cpu: "100m"
secrets:
- OAUTH2_PROXY_CLIENT_ID # ID of the "Web Console" AD app. This is a secret so it can be configured per cluster, but it's not sensitive info
- OAUTH2_PROXY_CLIENT_SECRET # Azure client secret for "Web Console frontend app" in the "Web Console" AD app for the appropriate cluster
- OAUTH2_PROXY_COOKIE_SECRET # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'`
- OAUTH2_PROXY_REDIRECT_URL # Should be "https://<PUBLIC_URL>/oauth2/callback". This is a secret so it can be configured per cluster, but it's not sensitive info
- OAUTH2_PROXY_SCOPE # Should be "openid profile offline_access <UID>/user_impersonation email". UID is the resource client ID for API (in Azure AD -> App registration). This is a secret so it can be configured per cluster, but it's not sensitive info
- OAUTH2_PROXY_REDIS_PASSWORD # Redis storage secret
- OAUTH2_PROXY_REDIS_CONNECTION_URL # Where to store session info (the auth-state component)
variables:
OAUTH2_PROXY_COOKIE_REFRESH: "60m" # How often should the token be refreshed. Default for azure ad is currently 60m
OAUTH2_PROXY_EMAIL_DOMAINS: "*" # Any email address registered in AD should be accepted
OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000" # The port oauth2_proxy listens on
OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0" # That's the Equinor tenant ID
OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true"
OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" # Pass the access token upstream (to the proxy component)
OAUTH2_PROXY_PASS_BASIC_AUTH: "false" # Disable unused default
OAUTH2_PROXY_PASS_USER_HEADERS: "false" # Disable unused default
OAUTH2_PROXY_PROVIDER: "oidc" # The "azure" provider doesn't seem to work properly
OAUTH2_PROXY_SESSION_STORE_TYPE: "redis" # We're using Redis for storing session info instead of cookies (cookies would get too big)
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # We don't want a "click to login" page; just issue a redirect
OAUTH2_PROXY_UPSTREAMS: "http://web:8080" # Where authenticated requests are routed to: the web component (nginx)