From fea49be8d1ec7703c634ce4c5b450b41848f4957 Mon Sep 17 00:00:00 2001
From: uumas
Date: Sun, 14 Sep 2025 03:10:20 +0300
Subject: [PATCH] Use service-specific oauth2-proxy instances

---
 roles/oauth2_proxy/README.md | 1 -
 roles/oauth2_proxy/meta/argument_specs.yml | 17 ---------
 roles/oauth2_proxy/tasks/main.yml | 24 -------------
 .../templates/oauth2-proxy.cfg.j2 | 11 ------
 roles/service/handlers/main.yaml | 9 ++++-
 roles/service/meta/argument_specs.yaml | 15 +++++++-
 roles/service/tasks/main.yaml | 3 ++
 roles/service/tasks/oauth2_proxy.yaml | 36 +++++++++++++++++++
 roles/service/tasks/proxy.yaml | 4 +++
 roles/service/tasks/socat.yaml | 18 +++++-----
 roles/service/templates/socat.socket.j2 | 4 +-
 roles/service/vars/main/proxy.yaml | 2 +-
 12 files changed, 77 insertions(+), 67 deletions(-)
 delete mode 100644 roles/oauth2_proxy/README.md
 delete mode 100644 roles/oauth2_proxy/meta/argument_specs.yml
 delete mode 100644 roles/oauth2_proxy/tasks/main.yml
 delete mode 100644 roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2
 create mode 100644 roles/service/tasks/oauth2_proxy.yaml

diff --git a/roles/oauth2_proxy/README.md b/roles/oauth2_proxy/README.md
deleted file mode 100644
index 16cb83d..0000000
--- a/roles/oauth2_proxy/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Sets up a oauth2-proxy container
diff --git a/roles/oauth2_proxy/meta/argument_specs.yml b/roles/oauth2_proxy/meta/argument_specs.yml
deleted file mode 100644
index d949c0b..0000000
--- a/roles/oauth2_proxy/meta/argument_specs.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-argument_specs:
-  main:
-    description: "Sets up a oauth2-proxy container"
-    options:
-      oauth2_proxy_oidc_issuer_url:
-        description: the OpenID Connect issuer URL
-        type: str
-        required: true
-      oauth2_proxy_client_id:
-        description: the OAuth client ID
-        type: str
-        required: true
-      oauth2_proxy_client_secret:
-        description: the OAuth client secret
-        type: str
-        required: true
diff --git a/roles/oauth2_proxy/tasks/main.yml b/roles/oauth2_proxy/tasks/main.yml
deleted file mode 100644
index a318ff6..0000000
--- a/roles/oauth2_proxy/tasks/main.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: OAuth2 Proxy
-  ansible.builtin.import_role:
-    name: service
-  vars:
-    service_name: oauth2-proxy
-    service_container_image: "quay.io/oauth2-proxy/oauth2-proxy:latest-alpine"
-    service_container_http_port: 4180
-    service_container_command:
-      - --config
-      - /oauth2-proxy.cfg
-      - --client-secret-file
-      - /run/secrets/client_secret
-    service_container_mounts:
-      - type: template
-        source: oauth2-proxy.cfg.j2
-        destination: /oauth2-proxy.cfg
-    service_container_secrets:
-      - name: cookie_secret
-        length: 32
-        type: env
-        target: OAUTH2_PROXY_COOKIE_SECRET
-      - name: client_secret
-        value: "{{ oauth2_proxy_client_secret }}"
diff --git a/roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2 b/roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2
deleted file mode 100644
index 2702021..0000000
--- a/roles/oauth2_proxy/templates/oauth2-proxy.cfg.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-# OAuth2 Proxy Configuration
-http_address = "0.0.0.0:4180"
-
-# OIDC Provider Configuration
-provider = "oidc"
-oidc_issuer_url = "{{ oauth2_proxy_oidc_issuer_url }}"
-client_id = "{{ oauth2_proxy_client_id }}"
-code_challenge_method = "S256"
-skip_provider_button = "true"
-
-email_domains = "*"
diff --git a/roles/service/handlers/main.yaml b/roles/service/handlers/main.yaml
index eecdb6e..fc6692d 100644
--- a/roles/service/handlers/main.yaml
+++ b/roles/service/handlers/main.yaml
@@ -1,7 +1,14 @@
 ---
-- name: "Restart socat socket for {{ service_name }}"
+- name: Restart socat socket for {{ service_name }}
   ansible.builtin.systemd_service:
     name: "{{ service_name }}-socat.socket"
     state: restarted
     daemon_reload: true
   ignore_errors: '{{ ansible_check_mode }}'
+
+- name: Restart socat socket for {{ service_name ~ '-oauth2-proxy' }}
+  ansible.builtin.systemd_service:
+    name: "{{ service_name }}-oauth2-proxy-socat.socket"
+    state: restarted
+    daemon_reload: true
+  ignore_errors: '{{ ansible_check_mode }}'
diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml
index 9db2eef..6ac92a9 100644
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -36,7 +36,6 @@ argument_specs:
       service_proxy_auth_type:
         description: >-
           Set to oauth2-proxy to use OAuth2 Proxy for vhost authentication.
-          The oauth2-proxy role must be run separately.
         type: str
         required: false
         default: none
@@ -49,6 +48,20 @@ argument_specs:
         required: false
         default: []
+      service_oauth2_proxy_issuer_url:
+        description: >-
+          OpenID Connect issuer URL. Required if service_proxy_auth_type is oauth2-proxy.
+        type: str
+        required: false
+      oauth2_proxy_client_id:
+        description: OAuth client ID. Required if service_proxy_auth_type is oauth2-proxy.
+        type: str
+        required: false
+      oauth2_proxy_client_secret:
+        description: OAuth client secret. Required if service_proxy_auth_type is oauth2-proxy.
+        type: str
+        required: false
+
       service_container_image:
         description: "The image to run in the service container(s), in FQIN format (registry/imagename:tag)."
         type: str
diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml
index 2ee057f..7700fbd 100644
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
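Review bot: The option names added to the spec do not match what the new task file reads: the spec declares `oauth2_proxy_client_id` and `oauth2_proxy_client_secret`, while roles/service/tasks/oauth2_proxy.yaml in this same patch renders `service_oauth2_proxy_client_id` and `service_oauth2_proxy_client_secret` (only the issuer URL carries the `service_` prefix in both places). A caller that follows the spec will hit an undefined-variable error when the OAuth2 Proxy container task is rendered, and a caller that uses the task's names presumably passes role argument validation without the spec ever describing the secret it received. Rename the two options to `service_oauth2_proxy_client_id:` and `service_oauth2_proxy_client_secret:` so the spec and the task agree. Since all three are only conditionally required, the spec alone cannot enforce presence; an assert at the top of oauth2_proxy.yaml would close that gap.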
@@ -44,6 +44,9 @@
 - name: Socat for {{ service_name }}
   ansible.builtin.include_tasks: socat.yaml
   when: service_container_http_port > 0
+  vars:
+    socat_service_name: "{{ service_name }}"
+    socat_target_http_port: "{{ service_container_http_port }}"
 - name: Reverse proxy for {{ service_name }}
   ansible.builtin.include_tasks: proxy.yaml
diff --git a/roles/service/tasks/oauth2_proxy.yaml b/roles/service/tasks/oauth2_proxy.yaml
new file mode 100644
index 0000000..6ba7a5d
--- /dev/null
+++ b/roles/service/tasks/oauth2_proxy.yaml
@@ -0,0 +1,36 @@
+---
+- name: OAuth2 Proxy container for {{ service_name }}
+  ansible.builtin.import_role:
+    name: container
+  vars:
+    container_name: "{{ service_name }}-oauth2-proxy"
+    container_image: "quay.io/oauth2-proxy/oauth2-proxy:latest-alpine"
+    container_command:
+      - --client-secret-file
+      - /run/secrets/client-secret
+      - --cookie-secret-file
+      - /run/secrets/cookie-secret
+    container_networks:
+      - "{{ service_name }}-oauth2-proxy"
+    container_secrets:
+      - name: "{{ service_name }}-oauth2-proxy-cookie-secret"
+        length: 32
+        target: cookie-secret
+      - name: "{{ service_name }}-oauth2-proxy-client-secret"
+        value: "{{ service_oauth2_proxy_client_secret }}"
+        target: client-secret
+    container_env:
+      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
+      OAUTH2_PROXY_PROVIDER: oidc
+      OAUTH2_PROXY_OIDC_ISSUER_URL: "{{ service_oauth2_proxy_issuer_url }}"
+      OAUTH2_PROXY_CLIENT_ID: "{{ service_oauth2_proxy_client_id }}"
+      OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
+      OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
+      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+    container_auto_update: "{{ service_auto_update }}"
+
+- name: Socat for OAuth2 Proxy for {{ service_name }}
+  ansible.builtin.import_tasks: socat.yaml
+  vars:
+    socat_service_name: "{{ service_name }}-oauth2-proxy"
+    socat_target_http_port: 4180
diff --git a/roles/service/tasks/proxy.yaml b/roles/service/tasks/proxy.yaml
index b031108..70730b2 100644
--- a/roles/service/tasks/proxy.yaml
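Review bot: Nothing in the new file checks that `service_oauth2_proxy_issuer_url`, `service_oauth2_proxy_client_id` and `service_oauth2_proxy_client_secret` are set before they are rendered into `container_env` and `container_secrets`; the argument spec in this patch marks all three `required: false`, so a service that selects oauth2-proxy without them fails late with an undefined-variable error inside the container role rather than with a message naming the missing input. An explicit assert as the first task makes that failure immediate and readable, and also rejects empty values. The image reference `quay.io/oauth2-proxy/oauth2-proxy:latest-alpine` combined with `container_auto_update` means the authentication boundary tracks an unpinned tag; pinning to a release tag or digest is worth considering, although the socat image in this patch follows the same pattern. It is also worth a comment next to `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` that it admits any account the issuer authenticates, a setting carried over unchanged from the removed config template.

```yaml
- name: Check OAuth2 Proxy settings for {{ service_name }}
  ansible.builtin.assert:
    that:
      - service_oauth2_proxy_issuer_url | default('', true) | length > 0
      - service_oauth2_proxy_client_id | default('', true) | length > 0
      - service_oauth2_proxy_client_secret | default('', true) | length > 0
    fail_msg: service_proxy_auth_type is oauth2-proxy but not all service_oauth2_proxy_* variables are set
    quiet: true

# … unchanged: OAuth2 Proxy container task and socat task …
```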
+++ b/roles/service/tasks/proxy.yaml
@@ -1,4 +1,8 @@
 ---
+- name: OAuth2 proxy for {{ service_name }}
+  ansible.builtin.include_tasks: oauth2_proxy.yaml
+  when: _service_oauth2_proxy
+
+- name: Reverse proxy for {{ service_name }}
   ansible.builtin.import_role:
     name: uumas.general.vhost
diff --git a/roles/service/tasks/socat.yaml b/roles/service/tasks/socat.yaml
index f9554e0..eea8e2d 100644
--- a/roles/service/tasks/socat.yaml
+++ b/roles/service/tasks/socat.yaml
@@ -1,25 +1,25 @@
 ---
-- name: Socat socket for {{ service_name }}
+- name: Socat socket for {{ socat_service_name }}
   ansible.builtin.template:
     src: socat.socket.j2
-    dest: /etc/systemd/system/{{ service_name }}-socat.socket
+    dest: /etc/systemd/system/{{ socat_service_name }}-socat.socket
     mode: "0644"
-  notify: Restart socat socket for {{ service_name }}
+  notify: Restart socat socket for {{ socat_service_name }}
-- name: Socat container for {{ service_name }}
+- name: Socat container for {{ socat_service_name }}
   ansible.builtin.import_role:
     name: container
   vars:
-    container_name: "{{ service_name }}-socat"
+    container_name: "{{ socat_service_name }}-socat"
     container_image: "docker.io/alpine/socat:latest"
     container_command:
       - "ACCEPT-FD:3,fork"
-      - "TCP:{{ service_name }}:{{ service_container_http_port }}"
+      - "TCP:{{ socat_service_name }}:{{ socat_target_http_port }}"
     container_user: nobody
     container_networks:
-      - "{{ service_name }}"
+      - "{{ socat_service_name }}"
     container_requires:
-      - "{{ service_name }}-socat.socket"
-      - "{{ service_name }}.service"
+      - "{{ socat_service_name }}-socat.socket"
+      - "{{ socat_service_name }}.service"
     container_auto_start: false
     container_auto_update: "{{ service_auto_update }}"
diff --git a/roles/service/templates/socat.socket.j2 b/roles/service/templates/socat.socket.j2
index 7cfa659..9205afb 100644
--- a/roles/service/templates/socat.socket.j2
+++ b/roles/service/templates/socat.socket.j2
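Review bot: socat.yaml now depends on two variables, `socat_service_name` and `socat_target_http_port`, that are supplied only by its two includers in this patch (main.yaml and oauth2_proxy.yaml), and the file itself says nothing about that contract; a later caller of this task file will only discover it through an undefined-variable error at the `container_command` line. A header comment after `---` would document it, e.g. `# Expects socat_service_name (container and unit name prefix, also the hostname socat forwards to) and socat_target_http_port (port on that host) from the including task.` The `notify: Restart socat socket for {{ socat_service_name }}` line additionally relies on a handler existing for every value an includer passes, which the handlers file in this patch provides for `service_name` and `service_name-oauth2-proxy` only; that dependency belongs in the same comment.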
@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 [Unit]
-Description={{ service_name }} socat socket
+Description={{ socat_service_name }} socat socket
 [Socket]
-ListenStream=/run/{{ service_name }}-socat.sock
+ListenStream=/run/{{ socat_service_name }}-socat.sock
diff --git a/roles/service/vars/main/proxy.yaml b/roles/service/vars/main/proxy.yaml
index 99a7ee9..79cb9a4 100644
--- a/roles/service/vars/main/proxy.yaml
+++ b/roles/service/vars/main/proxy.yaml
@@ -5,7 +5,7 @@ _service_proxy_headers: "{{ _service_replacement_host_header if not service_prox
 _service_oauth2_proxy: "{{ service_proxy_auth_type == 'oauth2-proxy' }}"
 _service_oauth2_socket: >-
-  {{ '/run/oauth2-proxy-socat.sock' if _service_oauth2_proxy else '' }}
+  {{ '/run/' ~ service_name ~ '-oauth2-proxy-socat.sock' if _service_oauth2_proxy else '' }}
 _service_oauth2_proxy_location:
   path: /oauth2/*
   proxy_target_socket: "{{ _service_oauth2_socket }}"
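Review bot: The new `_service_oauth2_socket` expression relies on Jinja precedence (the `if`/`else` conditional binds loosest, so the `~` concatenation is grouped first) and reads as though the condition might apply only to the last operand; parentheses make the grouping explicit, `{{ ('/run/' ~ service_name ~ '-oauth2-proxy-socat.sock') if _service_oauth2_proxy else '' }}`. The same `<name>-socat.sock` path is now built independently here, in socat.socket.j2 and in the handler unit name, so keeping the three in step is a manual job; a comment on this line naming the template it must match would help the next edit.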