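# Radix application manifest for the Radix Web Console.
# Two components are deployed: "web" (the nginx-served frontend) and "auth"
# (oauth2-proxy). Only "auth" declares a publicPort; it forwards authenticated
# requests to "web" via OAUTH2_PROXY_UPSTREAMS.
apiVersion: radix.equinor.com/v1
kind: RadixApplication
metadata:
  name: radix-web-console
spec:
  build:
    useBuildKit: true
  environments:
    - name: qa
      build:
        from: master
    - name: prod
      build:
        from: release
  components:
    - name: web
      readOnlyFileSystem: true
      # With a read-only root filesystem, these emptyDir mounts are the
      # writable paths the container gets (nginx temp files, generated config).
      volumeMounts:
        - name: tmp
          path: /tmp
          emptyDir:
            sizeLimit: "1M"
        - name: nginxconfd
          path: /etc/nginx/conf.d
          emptyDir:
            sizeLimit: "1M"
        - name: wwwconfig
          path: /app/config
          emptyDir:
            sizeLimit: "1M"
      src: "."
      ports:
        - name: http
          port: 8080
      runtime:
        architecture: arm64
      variables:
        # Comma separated list of IPs of all Public IP Prefixes assigned to the
        # ClusterType (production, playground, development)
        CLUSTER_EGRESS_IPS: undefined
        # Comma separated list of IPs of all Public IP Prefixes assigned to the
        # ClusterType (production, playground, development)
        CLUSTER_INGRESS_IPS: undefined
        OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
        # scopes must be separated by comma
        SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read"
        # Deliberately an empty string here; presumably supplied per cluster — TODO confirm
        CLUSTER_OIDC_ISSUER_URL: ""
        CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
      secrets:
        - OAUTH2_CLIENT_ID # Azure Application ID
      environmentConfig:
        - environment: qa
          resources:
            requests:
              cpu: "20m"
              memory: "50Mi"
            limits:
              cpu: "50m"
              memory: "50Mi"
          # Scale to zero outside office hours; the cron trigger brings one
          # replica up on weekdays.
          horizontalScaling:
            maxReplicas: 1
            minReplicas: 0
            triggers:
              - name: cron
                cron:
                  timezone: Europe/Oslo
                  start: "0 7 * * 1-5" # 07:00 Monday - Friday
                  end: "0 17 * * 1-5" # 17:00 Monday - Friday
                  desiredReplicas: 1
        - environment: prod
          replicas: 2
          resources:
            requests:
              cpu: "50m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
    - name: auth
      readOnlyFileSystem: true
      # see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md
      # NOTE(review): the image is pinned by tag only. Pinning the digest as
      # well (…:v7.7.1@sha256:<DIGEST>) makes the deployed image immutable even
      # if the tag is moved upstream.
      image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
      ports:
        - name: http
          port: 8000
      # The only publicly exposed port in this application; "web" is reached
      # through oauth2-proxy (see OAUTH2_PROXY_UPSTREAMS below).
      publicPort: http
      runtime:
        architecture: arm64
      secrets:
        # ID of the "Web Console" AD app. This is a secret so it can be
        # configured per cluster, but it's not sensitive info
        - OAUTH2_PROXY_CLIENT_ID
        # Azure client secret for "Web Console frontend app" in the
        # "Web Console" AD app for the appropriate cluster
        - OAUTH2_PROXY_CLIENT_SECRET
        # Output of `python3 -c 'import os,base64; print(str(base64.urlsafe_b64encode(os.urandom(16)), "utf-8"))'`
        - OAUTH2_PROXY_COOKIE_SECRET
        # Should be "https://<PUBLIC_URL>/oauth2/callback". This is a secret so
        # it can be configured per cluster, but it's not sensitive info
        - OAUTH2_PROXY_REDIRECT_URL
        # Should be "openid profile offline_access <UID>/user_impersonation email".
        # UID is the resource client ID for API (in Azure AD -> App registration).
        # This is a secret so it can be configured per cluster, but it's not
        # sensitive info
        - OAUTH2_PROXY_SCOPE
        # Redis storage secret
        - OAUTH2_PROXY_REDIS_PASSWORD
        # Where to store session info (the auth-state component)
        - OAUTH2_PROXY_REDIS_CONNECTION_URL
      # All values are quoted strings on purpose: oauth2-proxy reads them as
      # environment variables, so "true"/"false" must stay strings, not YAML booleans.
      variables:
        # How often should the token be refreshed. Default for azure ad is currently 60m
        OAUTH2_PROXY_COOKIE_REFRESH: "60m"
        # Any email address registered in AD should be accepted
        OAUTH2_PROXY_EMAIL_DOMAINS: "*"
        # The port oauth2_proxy listens on
        OAUTH2_PROXY_HTTP_ADDRESS: "http://:8000"
        # That's the Equinor tenant ID
        OAUTH2_PROXY_OIDC_ISSUER_URL: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/v2.0"
        # Resolve claims from the ID token only, without the extra request to
        # the provider profile URL (oauth2-proxy flag semantics — verify against
        # the linked docs for this version)
        OAUTH2_PROXY_SKIP_CLAIMS_FROM_PROFILE_URL: "true"
        # Pass the access token upstream (to the proxy component)
        OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
        # Disable unused default
        OAUTH2_PROXY_PASS_BASIC_AUTH: "false"
        # Disable unused default
        OAUTH2_PROXY_PASS_USER_HEADERS: "false"
        # The "azure" provider doesn't seem to work properly
        OAUTH2_PROXY_PROVIDER: "oidc"
        # We're using Redis for storing session info instead of cookies
        # (cookies would get too big)
        OAUTH2_PROXY_SESSION_STORE_TYPE: "redis"
        # We don't want a "click to login" page; just issue a redirect
        OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
        # Where authenticated requests are routed to: the web component (nginx)
        OAUTH2_PROXY_UPSTREAMS: "http://web:8080"
      environmentConfig:
        - environment: qa
          resources:
            requests:
              cpu: "30m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Same office-hours schedule as the "web" component in qa.
          horizontalScaling:
            maxReplicas: 1
            minReplicas: 0
            triggers:
              - name: cron
                cron:
                  timezone: Europe/Oslo
                  start: "0 7 * * 1-5" # 07:00 Monday - Friday
                  end: "0 17 * * 1-5" # 17:00 Monday - Friday
                  desiredReplicas: 1
        - environment: prod
          resources:
            requests:
              cpu: "50m"
              memory: "100Mi"
            limits:
              cpu: "100m"
              memory: "100Mi"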