--- apiVersion: v1 kind: ConfigMap metadata: name: oauth2-proxy-nginx namespace: kube-system data: nginx.conf: | worker_processes 5; events { } http { server { listen 80 default_server; location = /healthcheck { add_header Content-Type text/plain; return 200 'ok'; } location ~ /redirect/(.*) { return 307 https://$1$is_args$args; } } } --- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: k8s-app: oauth2-proxy name: oauth2-proxy namespace: kube-system spec: replicas: 1 selector: matchLabels: k8s-app: oauth2-proxy template: metadata: labels: k8s-app: oauth2-proxy spec: volumes: - name: nginx configMap: name: oauth2-proxy-nginx containers: - name: nginx image: nginx:1.15.9-alpine imagePullPolicy: Always resources: limits: cpu: 0.2 memory: 512Mi ports: - name: nginx containerPort: 80 volumeMounts: - name: nginx mountPath: /etc/nginx/ readOnly: true livenessProbe: httpGet: path: /healthcheck port: 80 initialDelaySeconds: 3 timeoutSeconds: 2 failureThreshold: 2 - name: oauth2-proxy image: quay.io/pusher/oauth2_proxy:v3.1.0 imagePullPolicy: Always args: - --provider=github - --email-domain=* - --github-org=my-org - --upstream=file:///dev/null - --upstream=http://localhost/redirect/ - --http-address=0.0.0.0:4180 - --cookie-domain=.$DNS_ZONE_INTERNAL - --footer=- # Register a new application # https://github.com/settings/applications/new env: - name: OAUTH2_PROXY_CLIENT_ID value: $OAUTH2_CLIENT_ID - name: OAUTH2_PROXY_CLIENT_SECRET value: $OAUTH2_CLIENT_SECRET # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));' - name: OAUTH2_PROXY_COOKIE_SECRET value: Y0FIOWpTSnlyTVlVN0VMeUZ6bXh3Zz09 ports: - containerPort: 4180 protocol: TCP name: http --- apiVersion: v1 kind: Service metadata: labels: k8s-app: oauth2-proxy name: oauth2-proxy namespace: kube-system spec: ports: - name: http protocol: TCP targetPort: http port: 80 selector: k8s-app: oauth2-proxy --- apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: "nginx-public" name: oauth2-proxy namespace: kube-system spec: rules: - host: "oauth2.$DNS_ZONE_INTERNAL" http: paths: - backend: serviceName: oauth2-proxy servicePort: http path: /