@austonpramodh
Created October 1, 2021 09:08
OAuth2-proxy-bitbucket

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-nginx
  namespace: oauth2-proxy
data:
  nginx.conf: |
    worker_processes 5;
    events {
    }
    http {
      server {
        listen 80 default_server;
        location = /healthcheck {
          add_header Content-Type text/plain;
          return 200 'ok';
        }
        # Used as the oauth2-proxy upstream: after sign-in, oauth2-proxy redirects
        # to /redirect/<host><path> and nginx bounces the browser to https://<host><path>.
        location ~ /redirect/(.*) {
          return 307 https://$1$is_args$args;
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      volumes:
        - name: nginx
          configMap:
            name: oauth2-proxy-nginx
      containers:
        - name: nginx
          image: nginx:alpine
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 0.2
              memory: 512Mi
          ports:
            - name: nginx
              containerPort: 80
          volumeMounts:
            - name: nginx
              mountPath: /etc/nginx/
              readOnly: true
          livenessProbe:
            httpGet:
              path: /healthcheck
              port: 80
            initialDelaySeconds: 3
            timeoutSeconds: 2
            failureThreshold: 2
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
          imagePullPolicy: Always
          args:
            - --upstream=http://localhost/redirect/
            - --http-address=0.0.0.0:4180
            - --https-address=0.0.0.0:44180
          # Register a new application - bitbucket
          env:
            - name: OAUTH2_PROXY_PROVIDER
              value: bitbucket
            - name: OAUTH2_PROXY_BITBUCKET_TEAM
              value: $BITBUCKET_TEAM
            - name: OAUTH2_PROXY_EMAIL_DOMAINS
              value: "*"
            - name: OAUTH2_PROXY_COOKIE_DOMAINS
              value: ".$DNS_ZONE_INTERNAL"
            - name: OAUTH2_PROXY_FOOTER
              value: "-"
            - name: OAUTH2_PROXY_CLIENT_ID
              value: "$CLIENT_ID"
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: "$CLIENT_SECRET"
            # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: "$RANDOM_SECRET"
          ports:
            - containerPort: 4180
              protocol: TCP
              name: http
            - containerPort: 44180
              protocol: TCP
              name: https
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  ports:
    - name: http
      protocol: TCP
      targetPort: http
      port: 80
    - name: https
      protocol: TCP
      targetPort: http
      port: 443
  selector:
    k8s-app: oauth2-proxy
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
    # Add the below lines to
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.$DNS_ZONE_INTERNAL/oauth2/start?rd=/redirect/$http_host$request_uri"
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  tls:
    - hosts:
        - oauth2.$DNS_ZONE_INTERNAL
      secretName: oauth2.$DNS_ZONE_INTERNAL-tls
  rules:
    - host: oauth2.$DNS_ZONE_INTERNAL
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: oauth2-proxy
                port:
                  name: http