diff --git a/kustomization.yaml b/kustomization.yaml
index 3bdcfdd..d3fc823 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -7,6 +7,10 @@ images:
 newName: docker.io/docuseal/docuseal
 digest: sha256:0e38d295c72f415ec647e8bfb52263703beb78ca725b2b67e52d0eb8e2bf1586
+- name: fobsvr
+ newName: ghcr.io/thelab-ms/fobsvr
+ newTag: "main-fb4208c"
+
 - name: frigate
 newName: ghcr.io/blakeblackshear/frigate
 newTag: "0.12.1"
@@ -61,6 +65,7 @@ resources:
 - manifests/cert-manager.yaml
 - manifests/contour.ext.yaml
 - manifests/docuseal.yaml
+ - manifests/fobsvr.yaml
 - manifests/frigate.yaml
 - manifests/gliderbot.yaml
 - manifests/grafana.yaml
diff --git a/manifests/cert-manager.yaml b/manifests/cert-manager.yaml
index 0cf2a50..848053d 100644
--- a/manifests/cert-manager.yaml
+++ b/manifests/cert-manager.yaml
@@ -54,3 +54,41 @@ spec:
 commonName: "*.apps.thelab.ms"
 dnsNames:
 - "*.apps.thelab.ms"
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: internal-ca
+spec:
+ selfSigned: {}
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: internal-ca
+spec:
+ isCA: true
+ commonName: thelab-internal-ca
+ secretName: internal-ca
+ duration: 927100h
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: internal-ca
+ kind: Issuer
+ group: cert-manager.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: internal
+spec:
+ ca:
+ secretName: internal-ca
diff --git a/manifests/fobsvr.yaml b/manifests/fobsvr.yaml
new file mode 100644
index 0000000..88f7d27
--- /dev/null
+++ b/manifests/fobsvr.yaml
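Review bot: The new `fobsvr` image entry pins a branch-derived tag, `newTag: "main-fb4208c"`, while the `docuseal` entry directly above it in the same `images:` list is pinned by `digest:`; a tag can be re-pushed, so this file alone does not fix which image the cluster runs, and a registry-side change would be deployed silently. Resolving the tag to its content digest and pinning it the same way, `digest: sha256:<resolved digest of main-fb4208c>`, keeps the deployment reproducible and consistent with the rest of the list. The second hunk (adding `manifests/fobsvr.yaml` to `resources:`) needs no change.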
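Review bot: The `internal-ca` Certificate is issued with `duration: 927100h` (roughly 105 years) and no `privateKey.rotationPolicy`, so the CA key written to Secret `internal-ca` is effectively permanent and cert-manager will never rotate it. That same Secret holds `tls.key` next to `ca.crt`, and the `fobsvr` HTTPProxy added later in this commit references it as `clientValidation.caSecret`, so any principal with read access to Secrets in this namespace also holds the key that signs the client certificates mTLS trusts. A shorter CA lifetime (cert-manager renews on its own via `renewBefore`) plus RBAC limiting who can read `internal-ca` would reduce that exposure; if Contour only needs the public part, a separate Secret containing just `ca.crt` for `caSecret` would keep the key out of the ingress path entirely, though that depends on the Contour version in use.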
@@ -0,0 +1,119 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fobsvr
+ labels:
+ app: fobsvr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: fobsvr
+ template:
+ metadata:
+ labels:
+ app: fobsvr
+ spec:
+ containers:
+ - name: svc
+ image: fobsvr
+ args:
+ - --callback-url=http://fobsvr.default.svc.cluster.local
+ - --keycloak-url=https://keycloak.apps.thelab.ms
+ - --keycloak-group-id=4eea9c17-f9b1-41eb-8f25-721ae04b66f6
+ volumeMounts:
+ - name: keycloak-creds
+ mountPath: /var/lib/keycloak
+ - name: root-ca
+ mountPath: /etc/ssl/certs
+ readinessProbe:
+ initialDelaySeconds: 2
+ periodSeconds: 5
+ httpGet:
+ path: /healthz
+ port: 8080
+
+ volumes:
+ - name: keycloak-creds
+ csi:
+ driver: identity.keycloak.org
+ volumeAttributes:
+ clientID: access-controller
+ - name: root-ca
+ hostPath:
+ path: /etc/ssl/certs/
+ type: Directory
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: fobsvr
+spec:
+ type: ClusterIP
+ selector:
+ app: fobsvr
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 8080
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: fobsvr
+spec:
+ secretName: fobsvr-cert
+ duration: 927100h
+ issuerRef:
+ name: internal
+ kind: Issuer
+ group: cert-manager.io
+ commonName: "fobs.apps.thelab.ms"
+ dnsNames:
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: fobsvr-client
+spec:
+ secretName: fobsvr-client-cert
+ duration: 927100h
+ issuerRef:
+ name: internal
+ kind: Issuer
+ group: cert-manager.io
+ commonName: "fobsvr-client"
+ usages:
+ - client auth
+
+---
+
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+ name: fobsvr
+spec:
+ virtualhost:
+ fqdn: fobs.apps.thelab.ms
+ rateLimitPolicy:
+ local:
+ requests: 50
+ unit: second
+ burst: 50
+ tls:
+ secretName: fobsvr-cert
+ clientValidation:
+ caSecret: internal-ca
+ routes:
+ - conditions:
+ - prefix: /
+ services:
+ - name: fobsvr
+ port: 80
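Review bot: In the `fobsvr` Certificate the `dnsNames:` key is left bare, which YAML parses as null, so the issued certificate has no SAN; modern TLS clients (browsers, Go since 1.15) do not match hostnames against `commonName`, so the `fobs.apps.thelab.ms` cert served by the HTTPProxy in this file would fail verification even for clients that trust the internal CA. Either give it the name it serves, `dnsNames:` followed by `  - fobs.apps.thelab.ms`, or drop the key rather than leave it null. Separately, the `root-ca` hostPath volume is mounted at `/etc/ssl/certs` without `readOnly: true`, so the node's trust-store directory is writable from the container if its user has permission there; add `readOnly: true` to that volumeMount, and since no `securityContext` is set anywhere in the pod, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` would be cheap to add while here. The leaf certificates also inherit the 927100h lifetime, which removes the renewal cadence cert-manager would otherwise provide; a much shorter `duration` costs nothing since renewal is automatic.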