@guilhem
Created April 23, 2024 09:23
Stack for an OAuth2 auth proxy with Entra ID (Azure AD) in front of all services on a Kubernetes cluster.
Manifests for the ACME issuer and the Redis session store:

```yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
  namespace: cert-manager
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: {myemail}@{MYDOMAIN}.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-production-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: Redis
metadata:
  name: oauth2-proxy-sessions-store
  namespace: oauth2-proxy
spec:
  kubernetesConfig:
    image: quay.io/opstree/redis:v7.2.3
    redisSecret:
      name: oauth2-proxy-sessions-store
      key: password
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
```
Helmfile (chart repositories and releases):

```yaml
repositories:
  - name: ingress-nginx
    url: https://kubernetes.github.io/ingress-nginx
  - name: oauth2-proxy
    url: https://oauth2-proxy.github.io/manifests
  - name: ot-helm
    url: https://ot-container-kit.github.io/helm-charts/
  - name: jetstack
    url: https://charts.jetstack.io

releases:
  - name: ingress-nginx
    namespace: ingress-nginx
    chart: ingress-nginx/ingress-nginx
    version: 4.10.0
    set:
      - name: controller.config.global-auth-url
        value: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth
      - name: controller.config.global-auth-signin
        value: https://auth.{MYDOMAIN}.com/oauth2/start
      - name: controller.config.global-auth-request-redirect
        value: $scheme://$host$request_uri
      - name: controller.config.global-auth-response-headers
        value: "X-Auth-Request-Email, X-Auth-Request-Name, Authorization, X-Auth-Request-Groups"
      - name: controller.service.externalTrafficPolicy
        value: Local
      # Default behavior
      # - name: controller.service.no-auth-locations
      #   value: /.well-known/acme-challenge
  - name: oauth2-proxy
    namespace: oauth2-proxy
    chart: oauth2-proxy/oauth2-proxy
    version: 7.4.1
    values:
      - values.oauth2-proxy.yaml
  - name: redis-operator
    namespace: redis-operator
    chart: ot-helm/redis-operator
    version: 0.15.9
    set:
      - name: certManager.enabled
        value: true
  - name: cert-manager
    namespace: cert-manager
    chart: jetstack/cert-manager
    version: v1.14.4
    wait: true
    set:
      - name: installCRDs
        value: true
      - name: prometheus.enabled
        value: false
      - name: ingressShim.defaultIssuerName
        value: letsencrypt-production
      - name: ingressShim.defaultIssuerKind
        value: ClusterIssuer
```
values.oauth2-proxy.yaml (the values file referenced by the oauth2-proxy release):

```yaml
config:
  existingSecret: "oauth2-proxy-config"
  # kubectl -n oauth2-proxy create secret generic oauth2-proxy-config --from-literal=client-id=UUID --from-literal=client-secret=UUID --from-literal=cookie-secret=$(openssl rand -base64 32 | head -c 32 | base64)
extraArgs:
  provider: "azure"
  azure-tenant: "{TENANT UUID}"
  oidc-issuer-url: "https://login.microsoftonline.com/{TENANT UUID}/v2.0"
  email-domain: "{MYDOMAIN}.com"
  prefer-email-to-user: true
  pass-user-headers: true
  whitelist-domain: ".{MYDOMAIN}.com"
  cookie-domain: ".{MYDOMAIN}.com"
  reverse-proxy: true
  set-xauthrequest: true
  set-authorization-header: true
  trusted-ip: "{POD_CIDR}"
ingress:
  enabled: true
  hosts:
    - auth.{MYDOMAIN}.com
  annotations:
    nginx.ingress.kubernetes.io/enable-global-auth: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-production"
  className: nginx
  tls:
    - secretName: oauth2-proxy-tls
      hosts:
        - auth.{MYDOMAIN}.com
sessionStorage:
  type: redis
  redis:
    existingSecret: "oauth2-proxy-sessions-store"
    passwordKey: password
    standalone:
      connectionUrl: "redis://oauth2-proxy-sessions-store:6379"
```
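Added example, not part of the gist or of oauth2-proxy itself: before running the `kubectl create secret` command in the values comment, generate the `cookie-secret` the way the oauth2-proxy documentation recommends (url-safe base64 of 32 random bytes) and check that a candidate value resolves to a 16-, 24- or 32-byte AES key. The resolution rule (url-safe base64 that decodes to a valid length is used decoded, anything else is taken as raw bytes) and the function names are my assumptions; the check deliberately accepts only the two forms the documentation describes.

```python
"""Added example (not part of the gist): generate and sanity-check the
cookie-secret value before creating the oauth2-proxy-config Secret."""
import base64
import binascii
import os
import re

# AES-128/192/256 key sizes; oauth2-proxy rejects any other cookie-secret length.
VALID_KEY_LENGTHS = (16, 24, 32)
# Only the url-safe base64 alphabet counts as an encoded secret (assumption: the
# documented generation recipe never emits '+' or '/').
_URLSAFE_B64 = re.compile(r"[A-Za-z0-9_-]+")


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Url-safe base64 of random bytes, as the oauth2-proxy docs recommend."""
    if nbytes not in VALID_KEY_LENGTHS:
        raise ValueError(f"nbytes must be one of {VALID_KEY_LENGTHS}")
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii")


def resolve_cookie_secret(secret: str) -> tuple[bytes, str]:
    """Return (key bytes, how they were obtained).

    Assumed resolution rule: a url-safe base64 string that decodes to a valid
    key length is used decoded; anything else is used as its raw bytes.
    """
    stripped = secret.rstrip("=")
    if _URLSAFE_B64.fullmatch(stripped):
        padded = stripped + "=" * (-len(stripped) % 4)
        try:
            decoded = base64.urlsafe_b64decode(padded)
        except binascii.Error:
            decoded = b""
        if len(decoded) in VALID_KEY_LENGTHS:
            return decoded, "base64"
    return secret.encode("utf-8"), "raw"


def check_cookie_secret(secret: str) -> bool:
    """True when oauth2-proxy would end up with a 16-, 24- or 32-byte key."""
    key, _ = resolve_cookie_secret(secret)
    return len(key) in VALID_KEY_LENGTHS


if __name__ == "__main__":
    candidate = generate_cookie_secret()
    key, source = resolve_cookie_secret(candidate)
    print(f"{candidate}: {len(key)}-byte key via {source}, valid={check_cookie_secret(candidate)}")
```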