FEAT(velero): add oauth2-proxy

- for velero with Kanidm OIDC - Replace authelia middleware with oauth2-proxy - Configure OIDC authentication via Kanidm - Update ingress to route through oauth2-proxy
2025-12-31 00:13:23 +09:00
parent efa56d156e
commit 8545e1984b
3 changed files with 73 additions and 3 deletions
--- a/velero/ingress.yaml
+++ b/velero/ingress.yaml
@@ -5,7 +5,6 @@ metadata:
  namespace: velero
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
 spec:
  ingressClassName: traefik
  tls:
@@ -20,6 +19,6 @@ spec:
            pathType: Prefix
            backend:
              service:
-                name: velero-ui
+                name: oauth2-proxy
                port:
-                  number: 3000
+                  number: 4180
--- a/velero/kustomization.yaml
+++ b/velero/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - vault/velero-secrets.yaml
 - ingress.yaml
+- oauth2-proxy.yaml
--- a/velero/oauth2-proxy.yaml
+++ b/velero/oauth2-proxy.yaml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oauth2-proxy-secret
+  namespace: velero
+type: Opaque
+stringData:
+  cookie-secret: "abcdefghijklmnopqrstuvwxyz123456"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy
+  namespace: velero
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: oauth2-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        args:
+        - --provider=oidc
+        - --oidc-issuer-url=https://auth.mayne.kro.kr/oauth2/openid/velero
+        - --client-id=velero
+        - --client-secret=b2GxS9Cswx5M33REUG7VWcMq0LdV760Y0P9H38cXZfMXGGv4
+        - --cookie-secret=abcdefghijklmnopqrstuvwxyz123456
+        - --email-domain=*
+        - --upstream=http://velero-ui:3000
+        - --http-address=0.0.0.0:4180
+        - --redirect-url=https://velero0213.kro.kr/oauth2/callback
+        - --cookie-secure=true
+        - --ssl-insecure-skip-verify=true
+        - --skip-provider-button=true
+        - --code-challenge-method=S256
+        ports:
+        - containerPort: 4180
+        resources:
+          requests:
+            cpu: 10m
+            memory: 32Mi
+          limits:
+            memory: 64Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy
+  namespace: velero
+spec:
+  selector:
+    app: oauth2-proxy
+  ports:
+  - port: 4180
+    targetPort: 4180