Exposing a Kubernetes service (in this example, Kibana on AWS Elasticsearch Service) behind an Ingress resource and oauth2_proxy, as a ktmpl template.
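---
# ktmpl template: Kibana (AWS Elasticsearch Service) published through an Ingress,
# with oauth2_proxy (Google login) in front of an AWS request-signing proxy.
#
# Request path:
#   Ingress kibana.$(DOMAIN) -> oauth2-proxy:80 -> aws-proxy:80 (container 9200)
#     -> https://$(AWS_ES_ENDPOINT)
#
# $(NAME) placeholders are substituted by ktmpl from the `parameters` list at the
# bottom. Parameters of parameterType "base64" are Base64-encoded by ktmpl before
# substitution, which is what the Secret's `data` map requires.
#
# Review notes (nothing in this template enforces them):
#   - Only the Ingress path is authenticated. The aws-proxy Service is reachable
#     from any pod in the cluster and forwards to Elasticsearch using the proxy's
#     AWS credentials, so add a NetworkPolicy that limits its ingress to the
#     oauth2-proxy pods.
#   - No TLS is configured on the Ingress. oauth2_proxy's session cookie must only
#     travel over HTTPS; add a `tls:` stanza or confirm that TLS is terminated in
#     front of the ingress controller (e.g. at the load balancer).
#   - Both container images are unpinned and therefore resolve to :latest; pin a
#     tag or an @sha256 digest so a registry push cannot silently change what runs.
#   - Deployment and Ingress use the GA API groups (apps/v1, networking.k8s.io/v1);
#     the former extensions/v1beta1 versions are rejected by current clusters.
kind: "Template"
apiVersion: "v1"
metadata:
  name: "kibana"
objects:
  - kind: "Namespace"
    apiVersion: "v1"
    metadata:
      name: "kibana"

  # OAuth client credentials and the cookie-signing seed for oauth2_proxy.
  # Anyone who can read Secrets in the kibana namespace can read these values;
  # scope RBAC accordingly.
  - kind: "Secret"
    apiVersion: "v1"
    metadata:
      name: "oauth2-proxy"
      namespace: "kibana"
    type: "Opaque"
    data:
      client-id: "$(OAUTH2_PROXY_CLIENT_ID)"
      client-secret: "$(OAUTH2_PROXY_CLIENT_SECRET)"
      cookie-secret: "$(OAUTH2_PROXY_COOKIE_SECRET)"

  # Unauthenticated in-cluster hop to Elasticsearch (see review notes above).
  - kind: "Service"
    apiVersion: "v1"
    metadata:
      name: "aws-proxy"
      namespace: "kibana"
    spec:
      selector:
        app: "kibana"
        component: "aws-proxy"
      ports:
        - port: 80
          targetPort: 9200

  # Authenticating front door; this is the only backend the Ingress points at.
  - kind: "Service"
    apiVersion: "v1"
    metadata:
      name: "oauth2-proxy"
      namespace: "kibana"
    spec:
      selector:
        app: "kibana"
        component: "oauth2-proxy"
      ports:
        - port: 80

  - kind: "Ingress"
    apiVersion: "networking.k8s.io/v1"
    metadata:
      name: "kibana"
      namespace: "kibana"
    spec:
      # No `tls:` here -- see review notes at the top of the file.
      rules:
        - host: "kibana.$(DOMAIN)"
          http:
            paths:
              - path: "/"
                pathType: "Prefix"
                backend:
                  service:
                    name: "oauth2-proxy"
                    port:
                      number: 80

  - kind: "Deployment"
    apiVersion: "apps/v1"
    metadata:
      name: "aws-proxy"
      namespace: "kibana"
    spec:
      replicas: 1
      # apps/v1 requires an explicit selector; it must match the pod labels below.
      selector:
        matchLabels:
          app: "kibana"
          component: "aws-proxy"
      template:
        metadata:
          labels:
            app: "kibana"
            component: "aws-proxy"
        spec:
          containers:
            - name: "aws-proxy"
              # Unpinned image (resolves to :latest); pin a tag or digest.
              image: "inquicker/aws-proxy"
              args:
                - "-b"
                - "-p=9200"
                - "-e=https://$(AWS_ES_ENDPOINT)"
              ports:
                - name: "http"
                  containerPort: 9200

  - kind: "Deployment"
    apiVersion: "apps/v1"
    metadata:
      name: "oauth2-proxy"
      namespace: "kibana"
    spec:
      replicas: 1
      # apps/v1 requires an explicit selector; it must match the pod labels below.
      selector:
        matchLabels:
          app: "kibana"
          component: "oauth2-proxy"
      template:
        metadata:
          labels:
            app: "kibana"
            component: "oauth2-proxy"
        spec:
          containers:
            - name: "oauth2-proxy"
              # Unpinned image (resolves to :latest); pin a tag or digest.
              image: "inquicker/oauth2_proxy"
              args:
                # Scope the session cookie to the Kibana host only.
                - "-cookie-domain=kibana.$(DOMAIN)"
                # Re-validate the session with Google once a day.
                - "-cookie-refresh=24h"
                # AUTHORIZATION BOUNDARY: only Google accounts under this domain
                # may log in. "example.com" is a placeholder -- replace it with your
                # organisation's domain (or promote it to a template parameter).
                # Never use "*" here: it admits every Google account.
                - "-email-domain=example.com"
                # Listening on 80 requires root or CAP_NET_BIND_SERVICE in the
                # container; using an unprivileged port (e.g. 4180) plus a matching
                # Service targetPort would allow runAsNonRoot.
                - "-http-address=0.0.0.0:80"
                - "-upstream=http://aws-proxy"
              # oauth2_proxy reads these three from the environment; they are
              # sourced from the Secret above rather than passed as flags so they
              # do not show up in `ps` or the pod spec.
              env:
                - name: "OAUTH2_PROXY_CLIENT_ID"
                  valueFrom:
                    secretKeyRef:
                      name: "oauth2-proxy"
                      key: "client-id"
                - name: "OAUTH2_PROXY_CLIENT_SECRET"
                  valueFrom:
                    secretKeyRef:
                      name: "oauth2-proxy"
                      key: "client-secret"
                - name: "OAUTH2_PROXY_COOKIE_SECRET"
                  valueFrom:
                    secretKeyRef:
                      name: "oauth2-proxy"
                      key: "cookie-secret"
              ports:
                - name: "http"
                  containerPort: 80

# All parameters are required; pass each with ktmpl's --parameter flag.
parameters:
  - name: "AWS_ES_ENDPOINT"
    description: "Endpoint for the Elasticsearch service (as a hostname, no protocol)"
    required: true
    parameterType: "string"
  - name: "DOMAIN"
    description: "Apex domain of the cluster, e.g. \"example.com\""
    required: true
    parameterType: "string"
  - name: "OAUTH2_PROXY_CLIENT_ID"
    description: "Google OAuth2 client ID for oauth2-proxy."
    required: true
    parameterType: "base64"
  - name: "OAUTH2_PROXY_CLIENT_SECRET"
    description: "Google OAuth2 client secret for oauth2-proxy."
    required: true
    parameterType: "base64"
  - name: "OAUTH2_PROXY_COOKIE_SECRET"
    description: |
      Base64-encoded seed value for oauth2_proxy's session cookie. Note that the app
      expects a Base64-encoded value, and the encoded value must be Base64-encoded
      again for the Kubernetes Secret object. In other words, use the --parameter
      flag with ktmpl even though the value is already Base64-encoded. Generate a
      fresh value per deployment with a CSPRNG, e.g.:
      ruby -rsecurerandom -e 'puts SecureRandom.urlsafe_base64(32)'
    required: true
    parameterType: "base64"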